[30182] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.16]: Allow validation of PACs with enterprise

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 2 01:29:39 2018

Date: Wed, 2 May 2018 01:25:37 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201805020525.w425PbQq030831@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/dccffae20a818466650f23230294e9c9ee4e0e5a
commit dccffae20a818466650f23230294e9c9ee4e0e5a
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Wed Mar 14 01:19:17 2018 +0200

    Allow validation of PACs with enterprise names
    
    In k5_pac_validate_client(), if we are verifying against an enterprise
    principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
    This scenario may arise in the response to an S4U2Self request for an
    enterprise principal, as the KDC does not appear to canonicalize the
    client principal requested in PA-FOR-USER.
    
    [ghudson@mit.edu: rewrote commit message; adjusted style]
    
    (cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf)
    
    ticket: 8649
    version_fixed: 1.16.1

 src/lib/krb5/krb/pac.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6..c9b5de3 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
     krb5_principal pac_principal;
+    int flags;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
     if (ret != 0)
         return ret;
 
-    ret = krb5_parse_name_flags(context, pac_princname,
-                                KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+    /* Parse the UTF-8 name as an enterprise principal if we are matching
+     * against one; otherwise parse it as a regular principal with no realm. */
+    flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+    if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+        flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+    ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
     if (ret != 0) {
         free(pac_princname);
         return ret;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post