From d2f77298520e688d31cd260f4d1a41f401575495 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Tue, 2 Jan 2024 22:59:43 +0000
Subject: [PATCH] krb5_set_password: Use target principal for SOCKS4a userid.

This enables Tor stream isolation.
---
 lib/krb5/changepw.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
index c5de9e373b..c004a79c42 100644
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -520,6 +520,7 @@ change_password_loop (krb5_context context,
     krb5_krbhst_handle handle = NULL;
     krb5_krbhst_info *hi;
     struct addrinfo *proxy_ai = NULL;
+    char *proxy_userid = NULL;
     rk_socket_t sock;
     unsigned int i;
     int done = 0;
@@ -577,6 +578,13 @@ change_password_loop (krb5_context context,
 	    ret = krb5_eai_to_heim_errno(ret, errno);
 	    goto out;
 	}
+
+	/*
+	 * Get the userid for stream isolation.
+	 */
+	ret = krb5_unparse_name(context, targprinc, &proxy_userid);
+	if (ret)
+	    goto out;
     }
     while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
@@ -641,7 +649,7 @@ change_password_loop (krb5_context context,
 	 * Set up the SOCKS4a proxy connection request.
 	 */
 	ret = _socks4a_connect(sock, sock, hi->hostname, hi->port,
-			       /*userid*/NULL, &socks4a);
+			       proxy_userid, &socks4a);
 	if (ret)
 	    continue;
@@ -753,6 +761,8 @@ change_password_loop (krb5_context context,
     krb5_auth_con_free (context, auth_context);
     if (proxy_ai)
 	freeaddrinfo(proxy_ai);
+    if (proxy_userid)
+	free(proxy_userid);
     if (ret == KRB5_KDC_UNREACH) {
 	krb5_set_error_message(context,
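Review bot: The comment above the new krb5_unparse_name() call in the second hunk says only "Get the userid for stream isolation" and does not record that the full principal name, realm included, is now transmitted in cleartext inside the SOCKS4a CONNECT request to whatever is listening at proxy_ai; that is fine for a Tor SOCKS port on localhost, which is presumably the intended deployment, but a remote or shared SOCKS proxy would learn which principal's password is being changed. The isolation key is also deterministic, so every password change for the same target principal shares a circuit, which appears to be the design rather than a bug. I would replace the comment with something like `/* Use the target principal as the SOCKS4a userid so a Tor proxy with IsolateSOCKSAuth puts different principals on different circuits. Note the proxy sees this name in the clear. */`. The enclosing proxy-setup block that this code sits in opens outside the hunk, so I am assuming from context that the unparse only runs when a proxy is configured.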