krb5 commit: Allow validation of PACs with enterprise names
Greg Hudson
ghudson at mit.edu
Wed Mar 14 11:59:08 EDT 2018
https://github.com/krb5/krb5/commit/f876aab80a69f9b934cd7f4e2339e3815aa8c4bf
commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Mar 14 01:19:17 2018 +0200
Allow validation of PACs with enterprise names
In k5_pac_validate_client(), if we are verifying against an enterprise
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
This scenario may arise in the response to an S4U2Self request for an
enterprise principal, as the KDC does not appear to canonicalize the
client principal requested in PA-FOR-USER.
[ghudson at mit.edu: rewrote commit message; adjusted style]
ticket: 8649 (new)
tags: pullup
target_version: 1.16-next
src/lib/krb5/krb/pac.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6..c9b5de3 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
krb5_ui_2 pac_princname_length;
int64_t pac_nt_authtime;
krb5_principal pac_principal;
+ int flags;
ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
&client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
if (ret != 0)
return ret;
- ret = krb5_parse_name_flags(context, pac_princname,
- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+ /* Parse the UTF-8 name as an enterprise principal if we are matching
+ * against one; otherwise parse it as a regular principal with no realm. */
+ flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
if (ret != 0) {
free(pac_princname);
return ret;
More information about the cvs-krb5
mailing list