authorGreg Hudson <ghudson@mit.edu>2010-02-05 03:43:54 +0000
committerGreg Hudson <ghudson@mit.edu>2010-02-05 03:43:54 +0000
commit6581735ddea7215935e91c34a2103de1acfe3952 (patch)
tree4903c4e428d912a25124525c7fe8a0e5a9250f25 /src/kdc/kdc_util.c
parentbebdddf413bc4edbe6a738f6f01aa3428d2e8381 (diff)
Fix cross-realm handling of AD-SIGNEDPATH
Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT. Previously we were avoiding it when answering a cross-realm client, which was wrong. Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present). ticket: 6655 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r--src/kdc/kdc_util.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6ee96b2665..281bcc8eef 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal)
return FALSE;
}
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+ return (krb5_princ_size(kdc_context, principal) >= 2 &&
+ data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME) &&
+ !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kcd_context, principal)));
+}
+
/*
* given authentication data (provides seed for checksum), verify checksum
* for source data.
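Review bot: The last line of the expression in is_cross_tgs_principal passes `kcd_context` to krb5_princ_realm, a misspelling of the `kdc_context` used in the three calls above it. It presumably builds only because krb5_princ_realm is a macro that discards its context argument, so the result is unaffected today, but the line would stop compiling if the accessor ever became a real function; it should read `*krb5_princ_realm(kdc_context, principal)));`. Because the commit message says this predicate decides whether AD-SIGNEDPATH is attached to a returned ticket, the header comment could also spell out the exact test, e.g. `/* Returns TRUE if principal is krbtgt/R1@R2 with R1 != R2 (second component differs from the principal's own realm). */`.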