krb5 commit: Check cross-realm TGT name for RBCD requests

Greg Hudson ghudson at mit.edu
Mon Jan 13 20:13:46 EST 2020


https://github.com/krb5/krb5/commit/deb64d5eca602c7147b4253e51976c45f58b465f
commit deb64d5eca602c7147b4253e51976c45f58b465f
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sun Jan 12 17:32:09 2020 +0100

    Check cross-realm TGT name for RBCD requests
    
    ticket: 8865 (new)
    tags: pullup
    target_version: 1.18

 src/kdc/kdc_util.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d0fd5d7..221bde1 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1699,11 +1699,13 @@ check_rbcd_policy(kdc_realm_t *kdc_active_realm, unsigned int flags,
     if (isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM)) {
         /*
          * Check that the proxy server is local, that the second ticket is a
-         * cross realm TGT, and that the second ticket client matches the
-         * header ticket client.
+         * cross-realm TGT for us, and that the second ticket client matches
+         * the header ticket client.
          */
         if (isflagset(flags, KRB5_KDB_FLAG_ISSUING_REFERRAL) ||
             !is_cross_tgs_principal(stkt_server->princ) ||
+            !krb5_principal_compare_any_realm(kdc_context, stkt_server->princ,
+                                              tgs_server) ||
             !krb5_principal_compare(kdc_context, stkt_client_princ,
                                     header_client_princ)) {
             return KRB5KDC_ERR_BADOPTION;
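Review bot: The comment above the condition should say why the `_any_realm` comparison is the right one here, since `krb5_principal_compare_any_realm` deliberately ignores the realm component and a later reader may be tempted to "tighten" it to `krb5_principal_compare` and break the check. As far as the hunk shows, `stkt_server->princ` has already passed `is_cross_tgs_principal`, so its realm is presumably the foreign issuing realm while `tgs_server` carries the local realm; only the krbtgt name components are expected to match. I would extend the comment with `* (name components only: the cross-realm TGT's realm is the remote realm, so krb5_principal_compare would never match)`. check_rbcd_policy begins and ends outside the hunk, so the origin of `tgs_server` and the other branches of this policy check are not visible here.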

