From: Matt Rogers Date: Wed, 5 Apr 2017 20:48:55 +0000 (-0400) Subject: Use the canonical client principal name for OTP X-Git-Tag: krb5-1.16-beta1~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F628%2Fhead;p=thirdparty%2Fkrb5.git Use the canonical client principal name for OTP In the OTP module, when constructing the RADIUS request, use the canonicalized client principal (using the new client_name kdcpreauth callback) instead of the request client principal. ticket: 8571 (new) --- diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c index 2649e9a90d..a1b6816824 100644 --- a/src/plugins/preauth/otp/main.c +++ b/src/plugins/preauth/otp/main.c @@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, /* Send the request. */ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock), - request->client, config, req, on_response, rs); + cb->client_name(context, rock), config, req, on_response, + rs); cb->free_string(context, rock, config); k5_free_pa_otp_req(context, req);
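Review bot: In the otp_verify hunk, the result of cb->client_name(context, rock) is passed straight to otp_state_verify() with no check, and the commit message describes client_name as a new kdcpreauth callback. Consider confirming that the callback is present in the callback table version this module requires and that it cannot return NULL on this path, or guard the call before the request is sent. If the returned principal is owned by the KDC and must not be freed here (unlike config, which is released with cb->free_string), a one-line comment saying so would help. Because the principal used in the RADIUS request now comes from the canonical name rather than request->client, the OTP documentation should note that a client authenticating through an alias will be presented to the RADIUS server under its canonical name.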