author | Sam Hartman <hartmans@mit.edu> | 2007-04-29 21:55:04 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2007-04-29 21:55:04 +0000 |
commit | 49f4a6eb0d473ea6cc866bb8f7f17d2911aadcbb (patch) | |
tree | 49f15b2e2b6034df7d9a43b91ac099f8f3a769c5 /src | |
parent | 973b2b635f3de9ae9cd3a79872cb5f70b9745760 (diff) | |
rd_req_decoded needs to deal with referral realms
* Fix handling of null realm in krb5_rd_req_decoded; now we treat a
null realm as a default realm there, as we do in the keytab code.
ticket: new
Target_Version: 1.6.2
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19536 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index a2b275cbef..a4f825a76a 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -95,7 +95,19 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, { krb5_error_code retval = 0; krb5_timestamp currenttime; - + krb5_principal_data princ_data; + + req->ticket->enc_part2 == NULL; + if (server && krb5_is_referral_realm(&server->realm)) { + char *realm; + princ_data = *server; + server = &princ_data; + retval = krb5_get_default_realm(context, &realm); + if (retval) + return retval; + princ_data.realm.data = realm; + princ_data.realm.length = strlen(realm); + } if (server && !krb5_principal_compare(context, server, req->ticket->server)) { char *found_name = 0, *wanted_name = 0; if (krb5_unparse_name(context, server, &wanted_name) == 0 @@ -105,7 +117,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, found_name, wanted_name); krb5_free_unparsed_name(context, wanted_name); krb5_free_unparsed_name(context, found_name); - return KRB5KRB_AP_WRONG_PRINC; + retval = KRB5KRB_AP_WRONG_PRINC; + goto cleanup; } /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) @@ -115,12 +128,12 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, if ((*auth_context)->keyblock) { /* User to User authentication */ if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock, req->ticket))) - return retval; +goto cleanup; krb5_free_keyblock(context, (*auth_context)->keyblock); (*auth_context)->keyblock = NULL; } else { if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab))) - return retval; + goto cleanup; } /* XXX this is an evil hack. check_valid_flag is set iff the call 
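Review bot: The added statement `req->ticket->enc_part2 == NULL;` in the first hunk is a comparison whose result is discarded, so it initialises nothing; it was presumably meant to be `req->ticket->enc_part2 = NULL;`. This matters because the later hunks turn the early `return`s into `goto cleanup`, and cleanup frees `req->ticket->enc_part2` whenever it is non-NULL and `retval` is set. If a caller passes a ticket whose `enc_part2` is stale or already populated, the wrong-principal and decrypt-failure paths would free memory this call never allocated, which can end in an invalid or double free. Building with `-Wunused-value` would flag the statement. The body of krb5_rd_req_decoded_opt continues outside the hunk.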
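Review bot: In the third hunk the first replacement, `+goto cleanup;`, appears on this page without the indentation that the second `goto cleanup;` has, and both sit under an unbraced `if`. A jump at column 0 under a multi-line condition is easy to misread as unconditional, on a path that decides whether a ticket is accepted. Indenting it and bracing both bodies, e.g. `if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab))) { goto cleanup; }`, keeps the control flow obvious. Whitespace on this page is collapsed, so confirm against the file before changing it.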
@@ -365,10 +378,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, retval = 0; cleanup: + if (server == &princ_data) + krb5_free_default_realm(context, princ_data.realm.data); if (retval) { /* only free if we're erroring out...otherwise some applications will need the output. */ - krb5_free_enc_tkt_part(context, req->ticket->enc_part2); + if (req->ticket->enc_part2) + krb5_free_enc_tkt_part(context, req->ticket->enc_part2); req->ticket->enc_part2 = NULL; } return retval; |
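Review bot: The `server == &princ_data` test in cleanup doubles as the ownership flag for the default-realm string, and nothing in the hunk says so. A comment such as `/* server points at princ_data only when a referral realm was replaced above; that realm string is ours to free */` would make the invariant explicit. The free also depends on every exit after the substitution going through `cleanup`. The visible hunks convert three `return`s, but any `return` remaining in the lines between them (not shown here) would leak the realm string, so that is worth checking.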