Adjust KDC alias helper function contract

Change the name of is_client_alias() to is_client_db_alias(), and change the contract so that the already-canonical principal name comes from a DB entry (which is less flexible, but clearer since DB entries always contain canonical principal names). Make the function available outside of kdc_util.c. [ghudson@mit.edu: clarified commit message]
krb5 · Sep 22, 2020 · 9fb5f57 · 9fb5f57
1 parent 0c08879
commit 9fb5f57
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
@@ -1425,10 +1425,10 @@ kdc_make_s4u2self_rep(krb5_context context,
     return code;
 }
 
-/* Return true if princ canonicalizes to the same principal as canon. */
-static krb5_boolean
-is_client_alias(krb5_context context, krb5_const_principal canon,
-                krb5_const_principal princ)
+/* Return true if princ canonicalizes to the same principal as entry's. */
+krb5_boolean
+is_client_db_alias(krb5_context context, const krb5_db_entry *entry,
+                   krb5_const_principal princ)
 {
     krb5_error_code ret;
     krb5_db_entry *self;
@@ -1437,7 +1437,7 @@ is_client_alias(krb5_context context, krb5_const_principal canon,
     ret = krb5_db_get_principal(context, princ,
                                 KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY, &self);
     if (!ret) {
-        is_self = krb5_principal_compare(context, canon, self->princ);
+        is_self = krb5_principal_compare(context, entry->princ, self->princ);
         krb5_db_free_principal(context, self);
     }
 
@@ -1497,7 +1497,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 
     /* If the server is local, check that the request is for self. */
     if (!isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL) &&
-        !is_client_alias(kdc_context, server->princ, client_princ)) {
+        !is_client_db_alias(kdc_context, server, client_princ)) {
         *status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH";
         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
     }
@@ -1690,7 +1690,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
         }
 
         client_princ = *stkt_authdata_client;
-    } else if (!is_client_alias(kdc_context, server->princ, server_princ)) {
+    } else if (!is_client_db_alias(kdc_context, server, server_princ)) {
         *status = "EVIDENCE_TICKET_MISMATCH";
         return KRB5KDC_ERR_SERVER_NOMATCH;
     }

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
@@ -343,6 +343,10 @@ log_tgs_badtrans(krb5_context ctx, krb5_principal cprinc,
 void
 log_tgs_alt_tgt(krb5_context context, krb5_principal p);
 
+krb5_boolean
+is_client_db_alias(krb5_context context, const krb5_db_entry *entry,
+                   krb5_const_principal princ);
+
 /* FAST*/
 enum krb5_fast_kdc_flags {
     KRB5_FAST_REPLY_KEY_USED = 0x1,