author | Isaac Boukris <iboukris@gmail.com> | 2020-09-22 01:11:39 +0300 |
committer | Greg Hudson <ghudson@mit.edu> | 2020-09-22 13:55:46 -0400 |
commit | 9fb5f572dd6ce808b234cb60a573eac48136d7ca (patch) | |
tree | 18c436fbb5f91771ecb8a9782b0b8674a35cfde9 | |
parent | 0c0887988d937bb797139e449c5da845ea5b1a85 (diff) | |
Adjust KDC alias helper function contract
Change the name of is_client_alias() to is_client_db_alias(), and
change the contract so that the already-canonical principal name comes
from a DB entry (which is less flexible, but clearer since DB entries
always contain canonical principal names). Make the function
available outside of kdc_util.c.
[ghudson@mit.edu: clarified commit message]
-rw-r--r-- | src/kdc/kdc_util.c | 14 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 4 |
2 files changed, 11 insertions, 7 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d5e7e4b..fcfe276 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1425,10 +1425,10 @@ cleanup:
     return code;
 }
 
-/* Return true if princ canonicalizes to the same principal as canon. */
-static krb5_boolean
-is_client_alias(krb5_context context, krb5_const_principal canon,
-                krb5_const_principal princ)
+/* Return true if princ canonicalizes to the same principal as entry's. */
+krb5_boolean
+is_client_db_alias(krb5_context context, const krb5_db_entry *entry,
+                   krb5_const_principal princ)
 {
     krb5_error_code ret;
     krb5_db_entry *self;
@@ -1437,7 +1437,7 @@ is_client_alias(krb5_context context, krb5_const_principal canon,
     ret = krb5_db_get_principal(context, princ,
                                 KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY, &self);
     if (!ret) {
-        is_self = krb5_principal_compare(context, canon, self->princ);
+        is_self = krb5_principal_compare(context, entry->princ, self->princ);
         krb5_db_free_principal(context, self);
     }
 
@@ -1497,7 +1497,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 
     /* If the server is local, check that the request is for self. */
     if (!isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL) &&
-        !is_client_alias(kdc_context, server->princ, client_princ)) {
+        !is_client_db_alias(kdc_context, server, client_princ)) {
         *status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH";
         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
     }
@@ -1690,7 +1690,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
         }
 
         client_princ = *stkt_authdata_client;
-    } else if (!is_client_alias(kdc_context, server->princ, server_princ)) {
+    } else if (!is_client_db_alias(kdc_context, server, server_princ)) {
         *status = "EVIDENCE_TICKET_MISMATCH";
         return KRB5KDC_ERR_SERVER_NOMATCH;
     }
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index ff87cd6..a3fde3d 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
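Review bot: The renamed is_client_db_alias() in the first hunk is now exported (the static is dropped and a prototype is added in the kdc_util.h hunk), but its one-line comment does not say how a failed krb5_db_get_principal() lookup of princ is reported; in the second hunk is_self is only assigned when the lookup succeeds, so the result for a failed lookup depends on its initializer outside the hunk, presumably FALSE. Since both callers (the s4u2self and s4u2proxy hunks) turn FALSE into a mismatch error, that fail-closed behaviour is worth stating for external callers, e.g. `/* Return true if princ canonicalizes to the same principal as entry's.  If princ cannot be looked up in the DB, it is not treated as an alias. */`, with the same comment mirrored on the new declaration in kdc_util.h. The body of is_client_db_alias() continues outside the hunk.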
@@ -343,6 +343,10 @@ log_tgs_badtrans(krb5_context ctx, krb5_principal cprinc,
 void
 log_tgs_alt_tgt(krb5_context context, krb5_principal p);
 
+krb5_boolean
+is_client_db_alias(krb5_context context, const krb5_db_entry *entry,
+                   krb5_const_principal princ);
+
 /* FAST*/
 enum krb5_fast_kdc_flags {
     KRB5_FAST_REPLY_KEY_USED = 0x1, |