add check-rd-req-server

lib/krb5/context.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -215,6 +215,14 @@ init_context_from_config_file(krb5_context context)
 	krb5_config_free_strings(s);
     }
 
+    tmp = krb5_config_get_string(context, NULL, "libdefaults",
+				 "check-rd-req-server", NULL);
+    if (tmp == NULL && !issuid())
+	tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+    if(tmp) {
+	if (strcasecmp(tmp, "ignore") == 0)
+	    context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
+    }
 
     return 0;
 }

lib/krb5/krb5.conf.5

@@ -248,6 +248,11 @@ older than Heimdal 0.7.
 Setting this flag to
 .Dv TRUE
 make it store the MIT way, this is default for Heimdal 0.7.
+.It Li check-rd-req-server
+If set to "ignore", the framework will ignore any the server input to
+.Xr krb5_rd_req 3, 
+this is very useful when the GSS-API server input the
+wrong server name into the gss_accept_sec_context call.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.

lib/krb5/krb5_locl.h

@@ -274,6 +274,7 @@ typedef struct krb5_context_data {
 #define KRB5_CTX_F_CHECK_PAC			2
 #define KRB5_CTX_F_HOMEDIR_ACCESS		4
 #define KRB5_CTX_F_SOCKETS_INITIALIZED          8
+#define KRB5_CTX_F_RD_REQ_IGNORE		16
     struct send_to_kdc *send_to_kdc;
 #ifdef PKINIT
     hx509_context hx509ctx;

lib/krb5/rd_req.c

@@ -926,7 +926,7 @@ krb5_rd_req_ctx(krb5_context context,
 				  &o->keyblock);
 	if (ret) {
 	    /* If caller specified a server, fail. */
-	    if (service == NULL)
+	    if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
 		goto out;
 	    /* Otherwise, fall back to iterating over the keytab. This
 	     * have serious performace issues for larger keytab.