1 files changed, 86 insertions, 0 deletions
diff --git a/security/krb5/files/patch-lib::kdb::keytab.c b/security/krb5/files/patch-lib::kdb::keytab.c
new file mode 100644
index 000000000000..a77f4bc32718
--- /dev/null
+++ b/security/krb5/files/patch-lib::kdb::keytab.c
@@ -0,0 +1,86 @@
+Index: lib/kdb/keytab.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/lib/kdb/keytab.c,v
+retrieving revision 5.11.4.2
+diff -u -r5.11.4.2 keytab.c
+--- lib/kdb/keytab.c	2002/08/15 21:27:34	5.11.4.2
++++ lib/kdb/keytab.c	2002/10/15 23:32:46
+@@ -28,6 +28,8 @@
+ #include "k5-int.h"
+ #include "kdb_kt.h"
+ 
++static int
++is_xrealm_tgt(krb5_context, krb5_const_principal);
+ krb5_error_code krb5_ktkdb_close KRB5_PROTOTYPE((krb5_context, krb5_keytab));
+ 
+ krb5_error_code krb5_ktkdb_get_entry KRB5_PROTOTYPE((krb5_context, krb5_keytab, krb5_const_principal,
+@@ -98,6 +100,8 @@
+     krb5_db_entry 	  db_entry;
+     krb5_boolean 	  more = 0;
+     int 	 	  n = 0;
++    int xrealm_tgt = is_xrealm_tgt(context, principal);
++    int similar;
+ 
+     /* Open database */
+     /* krb5_db_init(context); */
+@@ -127,16 +131,31 @@
+     if (kerror)
+ 	goto error;
+ 
++    /* For cross realm tgts, we match whatever enctype is provided;
++     * for other principals, we only match the first enctype that is
++     * found.  Since the TGS and AS code do the same thing, then we
++     * will only successfully decrypt  tickets we have issued.*/
+     kerror = krb5_dbe_find_enctype(context, &db_entry,
+-				   enctype, -1, kvno, &key_data);
++				   xrealm_tgt?enctype:-1,
++				   -1, kvno, &key_data);
+     if (kerror)
+ 	goto error;
+ 
++
+     kerror = krb5_dbekd_decrypt_key_data(context, master_key,
+ 					 key_data, &entry->key, NULL);
+     if (kerror)
+ 	goto error;
+ 
++    kerror = krb5_c_enctype_compare(context, enctype, entry->key.enctype, &similar);
++    if (kerror)
++	goto error;
++
++    if (!similar) {
++		kerror = KRB5_KDB_NO_PERMITTED_KEY;
++	goto error;
++    }
++
+     /*
+      * Coerce the enctype of the output keyblock in case we got an
+      * inexact match on the enctype; this behavior will go away when
+@@ -154,3 +173,27 @@
+     krb5_db_close_database(context);
+     return(kerror);
+ }
++
++/*
++ * is_xrealm_tgt: Returns true if the principal is a cross-realm  TGT
++ * principal-- a principal with first component  krbtgt and second
++ * component not equal to realm.
++ */
++static int
++is_xrealm_tgt(krb5_context context, krb5_const_principal princ)
++{
++    krb5_data *dat;
++    if (krb5_princ_size(context, princ) != 2)
++	return 0;
++    dat = krb5_princ_component(context, princ, 0);
++    if (strncmp("krbtgt", dat->data, dat->length) != 0)
++	return 0;
++    dat = krb5_princ_component(context, princ, 1);
++    if (dat->length != princ->realm.length)
++	return 1;
++    if (strcmp(dat->data, princ->realm.data) == 0)
++	return 0;
++    return 1;
++
++}
++