[16325] in Kerberos-V5-bugs
[krbdev.mit.edu #8815] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Jun 11 00:07:17 2019
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: Greg Hudson via RT <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8815@krbdev.mit.edu>
Message-ID: <rt-8815-49485.5.96612631419951@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8815'":;
Date: Tue, 11 Jun 2019 00:07:08 -0400
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Verify PAC client name independently of name-type

In krb5_pac_verify(), unparse the provided principal name and compare
using strcmp(), instead of parsing the PAC principal, in order to avoid
relying on the provided name type.

This change is needed for tickets issued with cross-realm S4U2Proxy
(with resource-based constrained delegation), because the final
request uses a cross-TGT as the evidence ticket, so the ticket client
name is taken from the PAC and does not preserve the name type.
Microsoft KDCs use NT-MS-PRINCIPAL as the ticket client name type in
this case, regardless of the original name type.

[ghudson@mit.edu: rewrote commit message; made minor style edits]

https://github.com/krb5/krb5/commit/e935913a4dc9461c129e373bfd752e8a6c795e28
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e935913a4dc9461c129e373bfd752e8a6c795e28
Branch: master

src/lib/krb5/krb/pac.c | 29 +++++++-------------------
src/lib/krb5/krb/t_pac.c | 49 +++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 22 deletions(-)
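As an added illustration of the check the commit message describes (example code written for this page, not the krb5 commit's own code): it parses a constructed PAC_CLIENT_INFO buffer and compares the client name, as a plain string, against the caller's unparsed realm-less principal string. The function names and the sample buffer are assumptions; in krb5 the realm-less string would come from krb5_unparse_name_flags() with KRB5_PRINCIPAL_UNPARSE_NO_REALM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* PAC_CLIENT_INFO layout: ClientId FILETIME (8 bytes), NameLength in
 * bytes (2 bytes, little-endian), then Name as UTF-16LE code units. */
#define CLIENT_INFO_HDR 10

/* Decode Name to a NUL-terminated ASCII string (krb5 converts UTF-16LE to
 * UTF-8; ASCII suffices here).  Returns NULL on a truncated buffer, an odd
 * NameLength, or a non-ASCII code unit. */
static char *client_info_name(const uint8_t *buf, size_t len)
{
    size_t namelen, i;
    char *out;
    if (len < CLIENT_INFO_HDR)
        return NULL;
    namelen = (size_t)buf[8] | ((size_t)buf[9] << 8);
    if (namelen % 2 != 0 || len - CLIENT_INFO_HDR < namelen)
        return NULL;
    out = malloc(namelen / 2 + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < namelen / 2; i++) {
        uint16_t cu = (uint16_t)(buf[CLIENT_INFO_HDR + 2 * i] |
                                 (buf[CLIENT_INFO_HDR + 2 * i + 1] << 8));
        if (cu == 0 || cu > 0x7F) { free(out); return NULL; }
        out[i] = (char)cu;
    }
    out[i] = '\0';
    return out;
}

/* Hypothetical check: 1 if the PAC client name equals the caller's unparsed,
 * realm-less principal string, else 0.  Comparing string forms means the
 * caller's principal name type plays no part in the result. */
int pac_client_name_matches(const uint8_t *buf, size_t len,
                            const char *unparsed_princ)
{
    char *name = client_info_name(buf, len);
    int ok = (name != NULL && strcmp(name, unparsed_princ) == 0);
    free(name);
    return ok;
}

/* Constructed PAC_CLIENT_INFO: zero FILETIME, NameLength 8, "user". */
const uint8_t sample_client_info[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 'u', 0, 's', 0, 'e', 0, 'r', 0 };
```

Because only the string forms are compared, the same name carried as NT-MS-PRINCIPAL or as NT-PRINCIPAL verifies identically, which is the cross-realm S4U2Proxy case the commit message describes.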
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs