-rw-r--r-- | source4/heimdal/lib/krb5/get_in_tkt.c | 74 |
1 files changed, 52 insertions, 22 deletions
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index ebc96f2279..e140011413 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -131,12 +131,21 @@ _krb5_extract_ticket(krb5_context context,
 krb5_const_pointer decryptarg)
 {
 krb5_error_code ret;
- krb5_principal tmp_principal;
+ krb5_principal tmp_principal, srv_principal = NULL;
 int tmp;
 size_t len;
 time_t tmp_time;
 krb5_timestamp sec_now;
 
+/*
+ * HACK:
+ * this is really a ugly hack, to support using the Netbios Domain Name
+ * as realm against windows KDC's, they always return the full realm
+ * based on the DNS Name.
+ */
+allow_server_mismatch = 1;
+ignore_cname = 1;
+
 ret = _krb5_principalname2krb5_principal (context,
 &tmp_principal,
 rep->kdc_rep.cname,
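Review bot: The added `allow_server_mismatch = 1;` and `ignore_cname = 1;` overwrite the function's own parameters unconditionally, so a caller that passes 0 silently loses the check that the server principal in the returned ticket equals the one it asked for in `creds->server` (the next hunk then replaces `creds->server` with whatever the ticket names), and presumably also the client-name comparison that follows further down outside this hunk. The HACK comment should state that consequence, e.g. `/* NOTE: overrides the caller's allow_server_mismatch/ignore_cname; the server and client names are taken from the KDC reply without being checked against creds->server/creds->client */`. Narrowing the override to the case it is meant for — same name components, only the realm differs, which `krb5_principal_compare_any_realm` can test — would keep the check for every other mismatch. The two assignments also sit at column 0, unlike the rest of `_krb5_extract_ticket`, whose body starts before this hunk.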
@@ -168,44 +177,63 @@ _krb5_extract_ticket(krb5_context context,
 krb5_abortx(context, "internal error in ASN.1 encoder");
 creds->second_ticket.length = 0;
 creds->second_ticket.data = NULL;
+
+ /* decrypt */
+
+ if (decrypt_proc == NULL)
+ decrypt_proc = decrypt_tkt;
+
+ ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+ if (ret)
+ goto out;
+
+#if 0
+ /* XXX should this decode be here, or in the decrypt_proc? */
+ ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+ if(ret)
+ goto out;
+#endif
 
 /* compare server */
 
 ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
+ &srv_principal,
 rep->kdc_rep.ticket.sname,
 rep->kdc_rep.ticket.realm);
 if (ret)
 goto out;
+
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+
+ /*
+ * see if the service principal matches in the ticket
+ * and in the enc_part
+ */
+ tmp = krb5_principal_compare (context, tmp_principal, srv_principal);
+ krb5_free_principal (context, tmp_principal);
+ if (!tmp) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_clear_error_string (context);
+ goto out;
+ }
+
 if(allow_server_mismatch){
 krb5_free_principal(context, creds->server);
- creds->server = tmp_principal;
- tmp_principal = NULL;
+ creds->server = srv_principal;
+ srv_principal = NULL;
 }else{
- tmp = krb5_principal_compare (context, tmp_principal, creds->server);
- krb5_free_principal (context, tmp_principal);
+ tmp = krb5_principal_compare (context, srv_principal, creds->server);
 if (!tmp) {
 ret = KRB5KRB_AP_ERR_MODIFIED;
 krb5_clear_error_string (context);
 goto out;
 }
 }
-
- /* decrypt */
-
- if (decrypt_proc == NULL)
- decrypt_proc = decrypt_tkt;
-
- ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
- if (ret)
- goto out;
-
-#if 0
- /* XXX should this decode be here, or in the decrypt_proc? */
- ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
- if(ret)
- goto out;
-#endif
 
 /* compare nonces */
 
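Review bot: The new comparison of `tmp_principal` (built from `rep->enc_part.sname`/`srealm`) against `srv_principal` (built from `rep->kdc_rep.ticket.sname`/`realm`) only says "see if the service principal matches", not why the check matters; `ticket.sname` is in the part of the reply that is not under the reply key, while `enc_part.sname` only becomes available after the `(*decrypt_proc)` call that this hunk moves ahead of it, so the comment should say `/* ticket.sname is outside the encrypted part; require it to agree with the decrypted enc_part.sname before trusting it as the server name */`. The `#if 0 ... #endif` block around `krb5_decode_keyblock` is moved rather than dropped; since it is dead code with an open XXX question, deleting it here would be cleaner than carrying it along. `_krb5_extract_ticket` starts before this hunk and its `out:` cleanup comes after it.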
@@ -301,6 +329,8 @@ _krb5_extract_ticket(krb5_context context,
 out:
 memset (rep->enc_part.key.keyvalue.data, 0,
 rep->enc_part.key.keyvalue.length);
+ if (srv_principal)
+ krb5_free_principal (context, srv_principal);
 return ret;
 } |