kdc: perform AS-REQ canonicalization in kdc

Mirroring the logic recently introduced in the TGS, this patch modifies the KDC to perform client and server canonicalization itself rather than relying on the backend to do so. Per RFC 6806, the behavior is slightly different for the AS in that the setting of the canonicalize flag in the AS-REQ does impact the returned names in the ticket. In order to support realm canonicalization or other custom behavior, we allow the backend to force the KDC to canonicalize by setting the force-canonicalize flag in the returned client or server entries.
heimdal · Jan 5, 2019 · c623229 · c623229
1 parent 6bb8eac
commit c623229
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 18 deletions.
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
@@ -1956,20 +1956,32 @@ _kdc_as_rep(kdc_request_t r,
     if (_kdc_is_anonymous(context, r->client_princ)) {
 	Realm anon_realm=KRB5_ANON_REALM;
 	ret = copy_Realm(&anon_realm, &rep.crealm);
-    } else
+    } else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
 	ret = copy_Realm(&r->client->entry.principal->realm, &rep.crealm);
+    else
+	ret = copy_Realm(&r->client_princ->realm, &rep.crealm);
     if (ret)
 	goto out;
-    ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
+    if (f.canonicalize || r->client->entry.flags.force_canonicalize)
+	ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
+    else
+	ret = _krb5_principal2principalname(&rep.cname, r->client_princ);
     if (ret)
 	goto out;
 
     rep.ticket.tkt_vno = 5;
-    ret = copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm);
+    if (f.canonicalize || r->server->entry.flags.force_canonicalize)
+	ret = copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm);
+    else
+	ret = copy_Realm(&r->server_princ->realm, &rep.ticket.realm);
     if (ret)
 	goto out;
-    _krb5_principal2principalname(&rep.ticket.sname,
-				  r->server->entry.principal);
+    if (f.canonicalize || r->server->entry.flags.force_canonicalize)
+	_krb5_principal2principalname(&rep.ticket.sname,
+				      r->server->entry.principal);
+    else
+	_krb5_principal2principalname(&rep.ticket.sname,
+				      r->server_princ);
     /* java 1.6 expects the name to be the same type, lets allow that
      * uncomplicated name-types. */
 #define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
@@ -155,19 +155,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 	    krb5_data_free(&value);
 	    return ret;
 	}
-
-	if ((flags & HDB_F_GET_ANY) && (flags & HDB_F_CANON) == 0) {
-	    krb5_principal tmp;
-
-	    /* "hard" alias: return the principal the client asked for */
-	    ret = krb5_copy_principal(context, principal, &tmp);
-	    if (ret) {
-		krb5_data_free(&value);
-		return ret;
-	    }
-	    krb5_free_principal(context, entry->entry.principal);
-	    entry->entry.principal = tmp;
-	}
     }
     krb5_data_free(&value);
     if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {