To: | "krb5-bugs@mit.edu" <krb5-bugs@mit.edu> |
Date: | Fri, 23 Aug 2024 17:38:37 +0000 |
Subject: | kg_acceptor_princ behavior |
From: | "Hascall, John P [ITS]" <john@mail.iastate.edu> |
In kg_acceptor_princ() [ found in lib/gssapi/krb5/naming_exts.c ]
exists the following:
if (name->host != NULL && name->princ->length == 2) {
/* If a host was given, we have to use the canonicalized form of it (as
* given by krb5_sname_to_principal) for backward compatibility. */
const krb5_data *d = &name->princ->data[1];
tmp = k5memdup0(d->data, d->length, &code);
if (tmp == NULL)
return ENOMEM;
host = tmp;
} else ...
This is seriously annoying (esp as krb5_sname_to_principal() gives you the OPTION to canonicalize or not).
What exactly is it we are being backwards compatible with?
Grumpily yours,
John
John Hascall
Sr Security Architect
IT Services
Iowa State University
john@iastate.edu