Allow validation of PACs with enterprise names

In k5_pac_validate_client(), if we are verifying against an enterprise
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
This scenario may arise in the response to an S4U2Self request for an
enterprise principal, as the KDC does not appear to canonicalize the
client principal requested in PA-FOR-USER.

[ghudson@mit.edu: rewrote commit message; adjusted style]

ticket: 8649 (new)
tags: pullup
target_version: 1.16-next

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6bb464efaaba3b3cb2cd1e9275d58f7b06..c9b5de30a29813cf30405286812b807cb2925407 100644 (file)
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
     krb5_principal pac_principal;
+    int flags;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
     if (ret != 0)
         return ret;
 
-    ret = krb5_parse_name_flags(context, pac_princname,
-                                KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+    /* Parse the UTF-8 name as an enterprise principal if we are matching
+     * against one; otherwise parse it as a regular principal with no realm. */
+    flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+    if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+        flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+    ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
     if (ret != 0) {
         free(pac_princname);
         return ret;