From d893207413e294096a3daf8ba5f25518884cca6f Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Wed, 1 Sep 2010 21:56:17 -0700
Subject: [PATCH] add check-rd-req-server
---
 lib/krb5/context.c | 10 +++++++++-
 lib/krb5/krb5.conf.5 | 5 +++++
 lib/krb5/krb5_locl.h | 1 +
 lib/krb5/rd_req.c | 2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index adcbb703e..60ef67536 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -215,6 +215,14 @@ init_context_from_config_file(krb5_context context)
 krb5_config_free_strings(s);
 }
+ tmp = krb5_config_get_string(context, NULL, "libdefaults",
+ "check-rd-req-server", NULL);
+ if (tmp == NULL && !issuid())
+ tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+ if(tmp) {
+ if (strcasecmp(tmp, "ignore") == 0)
+ context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
+ }
 return 0;
 }
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 8b5c4c302..8e02eb126 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -248,6 +248,11 @@ older than Heimdal 0.7.
 Setting this flag to
 .Dv TRUE
 make it store the MIT way, this is default for Heimdal 0.7.
+.It Li check-rd-req-server
+If set to "ignore", the framework will ignore any the server input to
+.Xr krb5_rd_req 3,
+this is very useful when the GSS-API server input the
+wrong server name into the gss_accept_sec_context call.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index 6acaa2c66..2fdb76d75 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
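Review bot: The new `check-rd-req-server` handling in init_context_from_config_file sets KRB5_CTX_F_RD_REQ_IGNORE without any comment saying that this switches off a security check for every krb5_rd_req caller in the process: once the flag is set, a ticket for any service principal present in the keytab is accepted even when the application asked for a specific one. A one-line comment above the lookup would make that explicit, e.g. `/* "ignore": accept a ticket for any keytab principal, not only the server the caller named -- weakens the krb5_rd_req server check */`. Any value other than "ignore" is silently treated as the default, so a misspelling such as "ignored" leaves the check on without telling the operator; consider logging or rejecting unrecognized values. The enclosing function starts outside the hunk, and `tmp` is presumably declared earlier in it.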
@@ -274,6 +274,7 @@ typedef struct krb5_context_data {
 #define KRB5_CTX_F_CHECK_PAC 2
 #define KRB5_CTX_F_HOMEDIR_ACCESS 4
 #define KRB5_CTX_F_SOCKETS_INITIALIZED 8
+#define KRB5_CTX_F_RD_REQ_IGNORE 16
 struct send_to_kdc *send_to_kdc;
 #ifdef PKINIT
 hx509_context hx509ctx;
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 9f6a85b1a..30387a994 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -926,7 +926,7 @@ krb5_rd_req_ctx(krb5_context context,
 &o->keyblock);
 if (ret) {
 /* If caller specified a server, fail. */
- if (service == NULL)
+ if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
 goto out;
 /* Otherwise, fall back to iterating over the keytab. This
 * have serious performace issues for larger keytab.
--
2.11.4.GIT
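Review bot: The context comment `/* If caller specified a server, fail. */` directly above the changed condition is now inaccurate, because with KRB5_CTX_F_RD_REQ_IGNORE set a caller-specified server whose key is missing no longer fails but drops into the keytab iteration below; update it to `/* If caller specified a server, fail -- unless check-rd-req-server=ignore asked us to accept any keytab principal. */`. Taking that fallback silently means the ticket's server name is never compared against what the caller requested, so a debug-level trace at that point would let operators see when the relaxed path is actually exercised. The new line also runs well past 80 columns; breaking the condition after `&&` would match the surrounding style. krb5_rd_req_ctx begins and ends outside the hunk.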