authorSimo Sorce <simo@redhat.com>2015-01-20 13:48:34 -0500
committerSimo Sorce <simo@redhat.com>2015-01-20 14:27:06 -0500
commitfa32f6c018e8894ece11c0d32d5f666644239ca2 (patch)
tree0f9d261fb5aade45f40d1ac4aec980eacf6134b7
parent9a343200d305e7c8df6e556d63afaee42194175f (diff)
Do not loop on principal unknown errorskinit-c
If the canonicalize flag is set, the MIT KDC always returns the client principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned. Check that this is really a referral by testing that the returned client realm differs from the requested one. Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c22
1 files changed, 19 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2c2b654a6..aebef8309 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,22 @@ is_empty_crealm(krb5_error *err)
return (err->client == NULL || err->client->realm.length == 0);
}
+/* Determine whether the client realm in a KRB-ERROR does not match the
+ * requested one. */
+static krb5_boolean
+is_different_crealm(krb5_context context, krb5_error *err,
+ krb5_const_principal sent_princ)
+{
+
+ if (is_empty_crealm(err))
+ return FALSE;
+
+ if (krb5_realm_compare(context, err->client, sent_princ))
+ return FALSE;
+
+ return TRUE;
+}
+
/*
* Determine whether a KRB-ERROR is a referral to another realm.
*
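Review bot: The comment on is_different_crealm mentions only the mismatch case, but the function also returns FALSE when the error carries no client realm, and its result decides whether the client follows a referral. A KRB-ERROR is normally not integrity-protected (absent FAST), so err->client is unauthenticated input and the comment should say so, e.g. `/* Return TRUE only if the KRB-ERROR names a non-empty client realm different from sent_princ's. The error is unauthenticated; treat the result as a routing hint only. */`. The body could also collapse to `return !is_empty_crealm(err) && !krb5_realm_compare(context, err->client, sent_princ);`, dropping the stray blank line after the opening brace. Note that sent_princ is passed to krb5_realm_compare without a NULL check, so the function relies on the caller always having a request client set.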
@@ -1397,7 +1413,7 @@ is_empty_crealm(krb5_error *err)
* such responses.
*/
static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_init_creds_context ctx)
{
krb5_error *err = ctx->err_reply;
@@ -1405,7 +1421,7 @@ is_referral(krb5_init_creds_context ctx)
return TRUE;
if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
return FALSE;
- return !is_empty_crealm(err);
+ return is_different_crealm(context, err, ctx->request->client);
}
static krb5_error_code
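Review bot: The new same-realm test guards only the KDC_ERR_C_PRINCIPAL_UNKNOWN path; the `return TRUE;` at the top of this hunk still accepts an error whose client realm equals the requested one. Its condition lies outside the hunk, but the comment in init_creds_step_reply suggests it is the WRONG_REALM branch. Unless the restart count is bounded elsewhere (not visible here), a KDC or on-path party answering with that error type and the requested realm could still drive the same retry loop this commit removes. Consider making that branch `return is_empty_crealm(err) || is_different_crealm(context, err, ctx->request->client);`, which keeps the empty-realm case flowing to the caller's KRB5KDC_ERR_WRONG_REALM handling. The header comment of is_referral, only partly visible in the previous hunk, should also be updated to mention the realm comparison.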
@@ -1467,7 +1483,7 @@ init_creds_step_reply(krb5_context context,
ctx->preauth_to_use);
ctx->preauth_required = TRUE;
- } else if (canon_flag && is_referral(ctx)) {
+ } else if (canon_flag && is_referral(context, ctx)) {
if (is_empty_crealm(ctx->err_reply)) {
/* Only WRONG_REALM referral types can reach this. */
code = KRB5KDC_ERR_WRONG_REALM;