kdc: perform AS-REQ canonicalization in kdc
Mirroring the logic recently introduced in the TGS, this patch modifies the KDC to perform client and server canonicalization itself rather than relying on the backend to do so. Per RFC 6806, the behavior is slightly different for the AS in that the setting of the canonicalize flag in the AS-REQ does impact the returned names in the ticket. In order to support realm canonicalization or other custom behavior, we allow the backend to force the KDC to canonicalize by setting the force-canonicalize flag in the returned client or server entries.
@@ -1956,20 +1956,32 @@ _kdc_as_rep(kdc_request_t r,
|
||||
if (_kdc_is_anonymous(context, r->client_princ)) {
|
||||
Realm anon_realm=KRB5_ANON_REALM;
|
||||
ret = copy_Realm(&anon_realm, &rep.crealm);
|
||||
} else
|
||||
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
|
||||
ret = copy_Realm(&r->client->entry.principal->realm, &rep.crealm);
|
||||
else
|
||||
ret = copy_Realm(&r->client_princ->realm, &rep.crealm);
|
||||
if (ret)
|
||||
goto out;
|
||||
ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
|
||||
if (f.canonicalize || r->client->entry.flags.force_canonicalize)
|
||||
ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
|
||||
else
|
||||
ret = _krb5_principal2principalname(&rep.cname, r->client_princ);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
rep.ticket.tkt_vno = 5;
|
||||
ret = copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm);
|
||||
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
|
||||
ret = copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm);
|
||||
else
|
||||
ret = copy_Realm(&r->server_princ->realm, &rep.ticket.realm);
|
||||
if (ret)
|
||||
goto out;
|
||||
_krb5_principal2principalname(&rep.ticket.sname,
|
||||
r->server->entry.principal);
|
||||
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
|
||||
_krb5_principal2principalname(&rep.ticket.sname,
|
||||
r->server->entry.principal);
|
||||
else
|
||||
_krb5_principal2principalname(&rep.ticket.sname,
|
||||
r->server_princ);
|
||||
/* java 1.6 expects the name to be the same type, lets allow that
|
||||
* uncomplicated name-types. */
|
||||
#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
|
||||
|
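Review bot: The return value of `_krb5_principal2principalname(&rep.ticket.sname, …)` is dropped in both new branches, while the cname copy a few lines above is checked with `if (ret) goto out;` — an allocation failure there leaves `rep.ticket.sname` partially populated and the ticket is still issued, so assign and check it the same way: `ret = _krb5_principal2principalname(&rep.ticket.sname, r->server->entry.principal);` / `ret = _krb5_principal2principalname(&rep.ticket.sname, r->server_princ);` followed by `if (ret) goto out;`. The non-canonical branches now echo the client-supplied `r->client_princ` and `r->server_princ`, realm included, into the reply and ticket while the ticket is keyed from `r->server->entry`, so correctness appears to rest on the backend setting `force_canonicalize` whenever it resolves a name across realms or to something other than a plain alias; that contract is only stated in the commit message, and a comment at the use site such as `/* Echo the requested (alias) name only when neither the client nor the backend asked for canonicalization; the backend must then guarantee it is an alias of this entry in the same realm. */` would keep it from being lost. The same `f.canonicalize || …flags.force_canonicalize` test is spelled out four times; hoisting it into two locals (`canon_client`, `canon_server`) before the anonymous check would keep the realm and name decisions for each side from drifting apart. `_kdc_as_rep` starts and ends outside the hunk.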
@@ -155,19 +155,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
|
||||
krb5_data_free(&value);
|
||||
return ret;
|
||||
}
|
||||
|
||||
if ((flags & HDB_F_GET_ANY) && (flags & HDB_F_CANON) == 0) {
|
||||
krb5_principal tmp;
|
||||
|
||||
/* "hard" alias: return the principal the client asked for */
|
||||
ret = krb5_copy_principal(context, principal, &tmp);
|
||||
if (ret) {
|
||||
krb5_data_free(&value);
|
||||
return ret;
|
||||
}
|
||||
krb5_free_principal(context, entry->entry.principal);
|
||||
entry->entry.principal = tmp;
|
||||
}
|
||||
}
|
||||
krb5_data_free(&value);
|
||||
if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {
|
||||
|