[16967] in Kerberos-V5-bugs


[krbdev.mit.edu #9137] kg_acceptor_princ behavior

daemon@ATHENA.MIT.EDU (Hascall, John P [ITS] via RT)
Sat Aug 24 02:10:45 2024

From: "Hascall, John P [ITS] via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <LV3PR04MB899171DFEA6411FE49AACFD9FB882@LV3PR04MB8991.namprd04.prod.outlook.com>
Message-ID: <rt-4.4.3-2-259714-1724479838-331.9137-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9137":;
Date: Sat, 24 Aug 2024 02:10:38 -0400
MIME-Version: 1.0
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Sat Aug 24 02:10:38 2024: Request 9137 was acted upon.
 Transaction: Ticket created by john@mail.iastate.edu
       Queue: krb5
     Subject: kg_acceptor_princ behavior
       Owner: Nobody
  Requestors: john@mail.iastate.edu
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9137 >


In kg_acceptor_princ() [ found in lib/gssapi/krb5/naming_exts.c ]
exists the following:

    if (name->host != NULL && name->princ->length == 2) {
        /* If a host was given, we have to use the canonicalized form of it (as
         * given by krb5_sname_to_principal) for backward compatibility. */
        const krb5_data *d = &name->princ->data[1];
        tmp = k5memdup0(d->data, d->length, &code);
        if (tmp == NULL)
            return ENOMEM;
        host = tmp;
    } else ...

This is seriously annoying (esp. as krb5_sname_to_principal() gives you the OPTION to canonicalize or not).
What exactly is it we are being backwards compatible with?

Grumpily yours,
John


John Hascall
Sr Security Architect
IT Services
Iowa State University
john@iastate.edu
