krb5_set_password: Use target principal for SOCKS4a userid.

This enables Tor stream isolation.
heimdal · Jan 3, 2024 · d2f7729 · d2f7729
1 parent 50e21ae
commit d2f7729
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
@@ -520,6 +520,7 @@ change_password_loop (krb5_context	context,
     krb5_krbhst_handle handle = NULL;
     krb5_krbhst_info *hi;
     struct addrinfo *proxy_ai = NULL;
+    char *proxy_userid = NULL;
     rk_socket_t sock;
     unsigned int i;
     int done = 0;
@@ -577,6 +578,13 @@ change_password_loop (krb5_context	context,
 	    ret = krb5_eai_to_heim_errno(ret, errno);
 	    goto out;
 	}
+
+	/*
+	 * Get the userid for stream isolation.
+	 */
+	ret = krb5_unparse_name(context, targprinc, &proxy_userid);
+	if (ret)
+	    goto out;
     }
 
     while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
@@ -641,7 +649,7 @@ change_password_loop (krb5_context	context,
 		 * Set up the SOCKS4a proxy connection request.
 		 */
 		ret = _socks4a_connect(sock, sock, hi->hostname, hi->port,
-		    /*userid*/NULL, &socks4a);
+		    proxy_userid, &socks4a);
 		if (ret)
 		    continue;
 
@@ -753,6 +761,8 @@ change_password_loop (krb5_context	context,
     krb5_auth_con_free (context, auth_context);
     if (proxy_ai)
 	freeaddrinfo(proxy_ai);
+    if (proxy_userid)
+	free(proxy_userid);
 
     if (ret == KRB5_KDC_UNREACH) {
 	krb5_set_error_message(context,