From 8a2ceda87107973ec10fec532c095cf347ec050c Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Wed, 14 Mar 2018 01:19:17 +0200
Subject: [PATCH] Allow validation of PACs with enterprise names
In k5_pac_validate_client(), if we are verifying against an enterprise principal, parse the PAC_CLIENT_INFO field as an enterprise principal. This scenario may arise in the response to an S4U2Self request for an enterprise principal, as the KDC does not appear to canonicalize the client principal requested in PA-FOR-USER.
[ghudson@mit.edu: rewrote commit message; adjusted style]
ticket: 8649 (new)
tags: pullup
target_version: 1.16-next
(cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf)
---
 src/lib/krb5/krb/pac.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6bb..c9b5de30a 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
 krb5_ui_2 pac_princname_length;
 int64_t pac_nt_authtime;
 krb5_principal pac_principal;
+ int flags;
 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
 if (ret != 0) return ret;
- ret = krb5_parse_name_flags(context, pac_princname,
- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+ /* Parse the UTF-8 name as an enterprise principal if we are matching
+ * against one; otherwise parse it as a regular principal with no realm. */
+ flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
 if (ret != 0) {
 free(pac_princname);
 return ret;
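Review bot: In the second hunk of k5_pac_validate_client(), `principal->type` now selects how the name taken from PAC_CLIENT_INFO is parsed, but the hunk shows neither where `principal` comes from nor whether it can be NULL at this point; the function's signature and the comparison that follows the parse are outside the hunk. Because this check is what ties the PAC to the expected client, the new comment should state the trust assumption explicitly, provided it holds in the callers: `/* principal is the caller's expected client; its type, never PAC content, selects the parse mode. */`. The diffstat lists only src/lib/krb5/krb/pac.c, so the enterprise branch lands without a regression test in this commit. Two cases would pin the behaviour: a PAC that validates against a matching enterprise principal, and a PAC carrying an enterprise-form name that is still rejected when `principal` is a regular principal.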