summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c74
1 files changed, 52 insertions, 22 deletions
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index ebc96f2279..e140011413 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -131,12 +131,21 @@ _krb5_extract_ticket(krb5_context context,
krb5_const_pointer decryptarg)
{
krb5_error_code ret;
- krb5_principal tmp_principal;
+ krb5_principal tmp_principal, srv_principal = NULL;
int tmp;
size_t len;
time_t tmp_time;
krb5_timestamp sec_now;
+/*
+ * HACK:
+ * this is really a ugly hack, to support using the Netbios Domain Name
+ * as realm against windows KDC's, they always return the full realm
+ * based on the DNS Name.
+ */
+allow_server_mismatch = 1;
+ignore_cname = 1;
+
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.cname,
@@ -168,44 +177,63 @@ _krb5_extract_ticket(krb5_context context,
krb5_abortx(context, "internal error in ASN.1 encoder");
creds->second_ticket.length = 0;
creds->second_ticket.data = NULL;
+
+ /* decrypt */
+
+ if (decrypt_proc == NULL)
+ decrypt_proc = decrypt_tkt;
+
+ ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+ if (ret)
+ goto out;
+
+#if 0
+ /* XXX should this decode be here, or in the decrypt_proc? */
+ ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+ if(ret)
+ goto out;
+#endif
/* compare server */
ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
+ &srv_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
+
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+
+ /*
+ * see if the service principal matches in the ticket
+ * and in the enc_part
+ */
+ tmp = krb5_principal_compare (context, tmp_principal, srv_principal);
+ krb5_free_principal (context, tmp_principal);
+ if (!tmp) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_clear_error_string (context);
+ goto out;
+ }
+
if(allow_server_mismatch){
krb5_free_principal(context, creds->server);
- creds->server = tmp_principal;
- tmp_principal = NULL;
+ creds->server = srv_principal;
+ srv_principal = NULL;
}else{
- tmp = krb5_principal_compare (context, tmp_principal, creds->server);
- krb5_free_principal (context, tmp_principal);
+ tmp = krb5_principal_compare (context, srv_principal, creds->server);
if (!tmp) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_string (context);
goto out;
}
}
-
- /* decrypt */
-
- if (decrypt_proc == NULL)
- decrypt_proc = decrypt_tkt;
-
- ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
- if (ret)
- goto out;
-
-#if 0
- /* XXX should this decode be here, or in the decrypt_proc? */
- ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
- if(ret)
- goto out;
-#endif
/* compare nonces */
@@ -301,6 +329,8 @@ _krb5_extract_ticket(krb5_context context,
out:
memset (rep->enc_part.key.keyvalue.data, 0,
rep->enc_part.key.keyvalue.length);
+ if (srv_principal)
+ krb5_free_principal (context, srv_principal);
return ret;
}