[30694] in CVS-changelog-for-Kerberos-V5
krb5 commit: Check cross-realm TGT name for RBCD requests
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 13 20:13:52 2020
Date: Mon, 13 Jan 2020 20:13:46 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202001140113.00E1DkmK025596@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/deb64d5eca602c7147b4253e51976c45f58b465f
commit deb64d5eca602c7147b4253e51976c45f58b465f
Author: Isaac Boukris <iboukris@gmail.com>
Date: Sun Jan 12 17:32:09 2020 +0100
Check cross-realm TGT name for RBCD requests
ticket: 8865 (new)
tags: pullup
target_version: 1.18
src/kdc/kdc_util.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d0fd5d7..221bde1 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1699,11 +1699,13 @@ check_rbcd_policy(kdc_realm_t *kdc_active_realm, unsigned int flags,
if (isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM)) {
/*
* Check that the proxy server is local, that the second ticket is a
- * cross realm TGT, and that the second ticket client matches the
- * header ticket client.
+ * cross-realm TGT for us, and that the second ticket client matches
+ * the header ticket client.
*/
if (isflagset(flags, KRB5_KDB_FLAG_ISSUING_REFERRAL) ||
!is_cross_tgs_principal(stkt_server->princ) ||
+ !krb5_principal_compare_any_realm(kdc_context, stkt_server->princ,
+ tgs_server) ||
!krb5_principal_compare(kdc_context, stkt_client_princ,
header_client_princ)) {
return KRB5KDC_ERR_BADOPTION;
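Review bot: The new `!krb5_principal_compare_any_realm(kdc_context, stkt_server->princ, tgs_server)` condition in check_rbcd_policy() comes without a test. The diffstat lists only src/kdc/kdc_util.c, so nothing in this commit exercises a cross-realm RBCD request whose second ticket is a cross-realm TGT that passes is_cross_tgs_principal() but names some other realm's TGS. Please add a KDC test case that presents such a second ticket and expects KRB5KDC_ERR_BADOPTION, so the check cannot regress silently. The updated comment's "for us" is also terse: tgs_server is defined outside this hunk, so it would help to state that the second ticket's server name must equal tgs_server with the realm ignored. The commit message has no body either, and a sentence on what was accepted before this check would help anyone evaluating the pullup to 1.18.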