krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keytab keytab,
- krb5_keyblock **out_key)
+ krb5_keyblock **out_key,
+ uint32_t *out_kte_flags)
{
krb5_keytab_entry entry;
krb5_error_code ret;
&entry);
if(ret == 0) {
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
+ *out_kte_flags = entry.flags;
krb5_kt_free_entry(context, &entry);
}
if(keytab == NULL)
*/
o->keyblock = NULL;
} else {
+ uint32_t kte_flags = 0;
if(id == NULL) {
krb5_kt_default(context, &keytab);
&ap_req,
server,
id,
- &o->keyblock);
+ &o->keyblock,
+ &kte_flags);
if (ret) {
/* If caller specified a server, fail. */
if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
* have serious performace issues for larger keytab.
*/
o->keyblock = NULL;
+ } else {
+ if (kte_flags & KRB5_KTE_FLAG_ACCEPTOR_IGNORE_VNO)
+ o->keyblock = NULL;
+ else if (kte_flags & KRB5_KTE_FLAG_ACCEPTOR_IGNORE_TRANSITED)
+ verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK;
}
}
done = 0;
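Review bot: The new `else` branch drops `o->keyblock` on the ACCEPTOR_IGNORE_VNO path without releasing it, yet the key it points to was just allocated by `krb5_copy_keyblock` inside get_key_from_keytab (visible above as `ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);`), so every request that matches an entry carrying that flag leaks one keyblock. Release it before clearing the pointer: `krb5_free_keyblock(context, o->keyblock); o->keyblock = NULL;` (the `if` then needs braces). The `else if` makes the two flags look mutually exclusive; presumably that is fine because a NULL keyblock sends the request down the per-entry loop below, where IGNORE_TRANSITED is re-evaluated for each entry, but a one-line comment stating that intent would save the next reader the inference. The enclosing function starts and ends outside the hunk.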
while (!done) {
+ krb5_flags tmp_verify_ap_req_flags = verify_ap_req_flags;
krb5_principal p;
ret = krb5_kt_next_entry(context, id, &entry, &cursor);
continue;
}
+ if (entry.flags & KRB5_KTE_FLAG_ACCEPTOR_IGNORE_TRANSITED)
+ tmp_verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK;
+
ret = krb5_verify_ap_req2(context,
auth_context,
&ap_req,
server,
&entry.keyblock,
- verify_ap_req_flags,
+ tmp_verify_ap_req_flags,
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
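Review bot: `tmp_verify_ap_req_flags` is introduced without a comment, and its purpose — a fresh per-iteration copy so that one entry's ACCEPTOR_IGNORE_TRANSITED flag does not carry over into the verification of the next entry — is only apparent from reading the declaration together with the OR a few lines further down. A comment on the declaration would make the invariant explicit: `/* per-entry copy: an entry's IGNORE_TRANSITED flag must not leak into the next iteration */`. This loop path honours only the TRANSITED flag; if entries flagged IGNORE_VNO are meant to be accepted here as well, that presumably relies on the loop not checking kvno, which is not visible in this hunk and is worth confirming. The enclosing function starts outside the hunk.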