git.ipfire.org Git - thirdparty/krb5.git/commit

author	Isaac Boukris <iboukris@gmail.com>
	Mon, 10 Jun 2019 12:33:06 +0000 (15:33 +0300)
committer	Greg Hudson <ghudson@mit.edu>
	Tue, 11 Jun 2019 03:18:46 +0000 (23:18 -0400)
commit	e935913a4dc9461c129e373bfd752e8a6c795e28
tree	20c791af26e1afb5bea0b7eb6ee9f0ea4ffb5b2e	tree
parent	154551ad22e90d2e5f60103059fbaaadac017420	commit \| diff

Verify PAC client name independently of name-type

In krb5_pac_verify(), unparse the provided principal name and compare
using strcmp(), instead of parsing pac principal, in order to avoid
relying on the provided name type.

This change is needed for tickets issued with cross-realm S4U2Proxy
(with resource-based constrained delegation), because the final
request uses a cross-TGT as the evidence ticket, so the ticket client
name is taken from the PAC and does not preserve the name type.
Microsoft KDCs use NT-MS-PRINCIPAL as the ticket client name type in
this case, regardless of the original name type.

[ghudson@mit.edu: rewrote commit message; made minor style edits]

ticket: 8815 (new)

src/lib/krb5/krb/pac.c		diff \| blob \| blame \| history
src/lib/krb5/krb/t_pac.c		diff \| blob \| blame \| history