From: Isaac Boukris Date: Tue, 13 Mar 2018 23:19:17 +0000 (+0200) Subject: Allow validation of PACs with enterprise names X-Git-Tag: krb5-1.17-beta1~168 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f876aab80a69f9b934cd7f4e2339e3815aa8c4bf;p=thirdparty%2Fkrb5.git Allow validation of PACs with enterprise names In k5_pac_validate_client(), if we are verifying against an enterprise principal, parse the PAC_CLIENT_INFO field as an enterprise principal. This scenario may arise in the response to an S4U2Self request for an enterprise principal, as the KDC does not appear to canonicalize the client principal requested in PA-FOR-USER. [ghudson@mit.edu: rewrote commit message; adjusted style] ticket: 8649 (new) tags: pullup target_version: 1.16-next --- diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 0eb19e6bb4..c9b5de30a2 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context, krb5_ui_2 pac_princname_length; int64_t pac_nt_authtime; krb5_principal pac_principal; + int flags; ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info); @@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context, if (ret != 0) return ret; - ret = krb5_parse_name_flags(context, pac_princname, - KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal); + /* Parse the UTF-8 name as an enterprise principal if we are matching + * against one; otherwise parse it as a regular principal with no realm. */ + flags = KRB5_PRINCIPAL_PARSE_NO_REALM; + if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL) + flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE; + ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal); if (ret != 0) { free(pac_princname); return ret;