From f73f08eef17101a21c8161444cbd28f5079ce9f5 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 15 Aug 2021 09:12:13 +1000
Subject: [PATCH] kdc: ensure GSS-API pre-auth acceptor name is TGS

The target (acceptor) name for GSS-API pre-authentication should be the name of the TGS, not the server name in the AS-REQ, as it is the KDC which is being mutually authenticated. If the client is not requesting a TGT, they may differ.
---
 kdc/gss_preauth.c | 9 ++++++++-
 lib/gssapi/preauth/pa_client.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 8259d29db..d4d673f50 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -140,6 +140,7 @@ pa_gss_acquire_acceptor_cred(astgs_request_t r,
 gss_cred_id_t *cred)
 {
 krb5_error_code ret;
+ krb5_principal tgs_name;
 OM_uint32 major, minor;
 gss_name_t target_name = GSS_C_NO_NAME;
@@ -148,7 +149,13 @@ pa_gss_acquire_acceptor_cred(astgs_request_t r,
 *cred = GSS_C_NO_CREDENTIAL;
- ret = _krb5_gss_pa_unparse_name(r->context, r->server_princ, &target_name);
+ ret = krb5_make_principal(r->context, &tgs_name, r->req.req_body.realm,
+ KRB5_TGS_NAME, r->req.req_body.realm, NULL);
+ if (ret)
+ return ret;
+
+ ret = _krb5_gss_pa_unparse_name(r->context, tgs_name, &target_name);
+ krb5_free_principal(r->context, tgs_name);
 if (ret)
 return ret;
diff --git a/lib/gssapi/preauth/pa_client.c b/lib/gssapi/preauth/pa_client.c
index bd6f4f754..cb1b6fc95 100644
--- a/lib/gssapi/preauth/pa_client.c
+++ b/lib/gssapi/preauth/pa_client.c
@@ -88,6 +88,7 @@ pa_gss_step(krb5_context context,
 krb5_data *out)
 {
 krb5_error_code ret;
+ krb5_principal tgs_name = NULL;
 OM_uint32 major, minor;
 gss_cred_id_t cred;
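Review bot: The realm passed twice to `krb5_make_principal` in the second kdc/gss_preauth.c hunk is `r->req.req_body.realm`, taken straight from the client's AS-REQ, so the acceptor name the KDC will authenticate as is synthesised from untrusted input; presumably the AS path has already confirmed this is a realm the KDC serves and the later acceptor credential acquisition fails for any other realm, but nothing in the hunk records that dependency. A comment above the call, `/* realm is client-supplied (AS-REQ req_body); acquiring the acceptor cred must fail for realms this KDC does not serve */`, would make the trust boundary explicit. Unlike the client side in lib/gssapi/preauth/pa_client.c, `tgs_name` is declared without an initialiser here; that is safe because it is only read after a successful `krb5_make_principal`, but `krb5_principal tgs_name = NULL;` would keep the two sides alike. The body of pa_gss_acquire_acceptor_cred continues outside the hunk.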
@@ -115,7 +116,12 @@ pa_gss_step(krb5_context context,
 ctx = (gss_ctx_id_t)_krb5_init_creds_get_gss_context(context, gssic);
- ret = _krb5_gss_pa_unparse_name(context, kcred->server, &target_name);
+ ret = krb5_make_principal(context, &tgs_name, kcred->server->realm,
+ KRB5_TGS_NAME, kcred->server->realm, NULL);
+ if (ret)
+ goto out;
+
+ ret = _krb5_gss_pa_unparse_name(context, tgs_name, &target_name);
 if (ret)
 goto out;
@@ -154,6 +160,7 @@ pa_gss_step(krb5_context context,
 out:
 gss_release_name(&minor, &target_name);
 gss_release_buffer(&minor, &output_token);
+ krb5_free_principal(context, tgs_name);
 return ret;
 }
@@ -162,6 +169,7 @@ static krb5_error_code KRB5_LIB_CALL
 pa_gss_finish(krb5_context context,
 krb5_gss_init_ctx gssic,
 const krb5_creds *kcred,
+ gss_ctx_id_t ctx,
 krb5int32 nonce,
 krb5_enctype enctype,
 krb5_principal *client_p,
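Review bot: The reason pa_gss_step now names the acceptor as the TGS instead of `kcred->server` exists only in the commit message; a reader of this function sees the requested server principal set aside in favour of a synthesised krbtgt name and has nothing in the code explaining it. A comment before the `krb5_make_principal` call such as `/* Mutual authentication is with the KDC, so the acceptor is the TGS of the server's realm rather than kcred->server, which need not be a TGT. */` would capture that. The realm comes from `kcred->server->realm` and must agree with what the KDC derives from req_body.realm in kdc/gss_preauth.c; presumably the AS-REQ realm is populated from the same field, which is worth confirming since a mismatch would surface as a failed GSS name check rather than an obvious error. pa_gss_step's body starts before this hunk.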
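Review bot: The new `gss_ctx_id_t ctx` parameter added to pa_gss_finish in the last hunk is not mentioned in the commit message, and both its use inside the function and the matching caller update lie outside the visible hunks (the diffstat reports one more insertion for this file than the hunks shown account for). A sentence in the description, or splitting the signature change into its own commit, would stop it from being read as part of the acceptor-name fix. The body of pa_gss_finish is outside the hunk.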