| author | Greg Hudson <ghudson@mit.edu> | 2010-02-05 03:43:54 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-02-05 03:43:54 +0000 |
| commit | 6581735ddea7215935e91c34a2103de1acfe3952 (patch) | |
| tree | 4903c4e428d912a25124525c7fe8a0e5a9250f25 /src/kdc/kdc_util.c | |
| parent | bebdddf413bc4edbe6a738f6f01aa3428d2e8381 (diff) | |
Fix cross-realm handling of AD-SIGNEDPATH
Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.
Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
ticket: 6655
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_util.c')
| -rw-r--r-- | src/kdc/kdc_util.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6ee96b266..281bcc8ee 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal)
 return FALSE;
 }
 
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+ return (krb5_princ_size(kdc_context, principal) >= 2 &&
+ data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME) &&
+ !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kcd_context, principal)));
+}
+
 /*
 * given authentication data (provides seed for checksum), verify checksum
 * for source data. |
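Review bot: The last argument line of the new is_cross_tgs_principal() passes `kcd_context`, a misspelling of the `kdc_context` used on the three lines above it; it should read `*krb5_princ_realm(kdc_context, principal)));`. It presumably builds only because krb5_princ_realm is a macro that discards its context argument, so the typo would turn into a build break, or bind to an unrelated symbol, if that accessor ever became a real function. Because the commit description ties this predicate to whether AD-SIGNEDPATH is added to an issued ticket, the one-line comment could also state the exact test, e.g. `/* TRUE if the first component is KRB5_TGS_NAME and the second component differs from the principal's own realm. */`.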
