author | Greg Hudson <ghudson@mit.edu> | 2011-09-28 17:03:15 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-09-28 17:03:15 +0000 |
commit | b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (patch) | |
tree | 37a80969b8a7c84a14d189f4bd803c97235a9c6c /src/lib/krb5/krb/walk_rtree.c | |
parent | e3a33e5bb36c02c6646f80e3a8dd17532f4e3756 (diff) | |
Eliminate domain-based client realm walk
For a very long time, KDCs have known how to perform a domain-based
realm walk when serving requests for TGTs. (So if a KDC for A.B.C
receives a request for krbtgt/X.B.C and doesn't have that principal,
it can return one for krbtgt/B.C instead.) Performing the same
heuristic on the client is unnecessary and inefficient in common
cases.
Add a new function k5_client_realm_path to walk_rtree.c which uses
capaths values only, and returns a list of realms (as desired by
get_creds.c) instead of TGT names.
ticket: 6966
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/walk_rtree.c')
-rw-r--r-- | src/lib/krb5/krb/walk_rtree.c | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index 6aba24f8a..10711f1d6 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -122,6 +122,50 @@ krb5_walk_realm_tree( krb5_context context,
     return retval;
 }
 
+krb5_error_code
+k5_client_realm_path(krb5_context context, const krb5_data *client,
+                     const krb5_data *server, krb5_data **rpath_out)
+{
+    krb5_error_code retval;
+    char **capvals;
+    size_t i;
+    krb5_data *rpath = NULL, d;
+
+    retval = rtree_capath_vals(context, client, server, &capvals);
+    if (retval)
+        return retval;
+
+    /* Count capaths (if any) and allocate space. Leave room for the client
+     * realm, server realm, and terminator. */
+    for (i = 0; capvals != NULL && capvals[i] != NULL; i++);
+    rpath = calloc(i + 3, sizeof(*rpath));
+    if (rpath == NULL)
+        return ENOMEM;
+
+    /* Populate rpath with the client realm, capaths, and server realm. */
+    retval = krb5int_copy_data_contents(context, client, &rpath[0]);
+    if (retval)
+        goto cleanup;
+    for (i = 0; capvals != NULL && capvals[i] != NULL; i++) {
+        d = make_data(capvals[i], strcspn(capvals[i], "\t "));
+        retval = krb5int_copy_data_contents(context, &d, &rpath[i + 1]);
+        if (retval)
+            goto cleanup;
+    }
+    retval = krb5int_copy_data_contents(context, server, &rpath[i + 1]);
+    if (retval)
+        goto cleanup;
+
+    /* Terminate rpath and return it. */
+    rpath[i + 2] = empty_data();
+    *rpath_out = rpath;
+    rpath = NULL;
+
+cleanup:
+    krb5int_free_data_list(context, rpath);
+    return retval;
+}
+
 /* ANL - Modified to allow Configurable Authentication Paths.
  * This modification removes the restriction on the choice of realm
  * names, i.e. they nolonger have to be hierarchical. This
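Review bot: The `capvals` list obtained from `rtree_capath_vals()` at the top of `k5_client_realm_path` is never released on any path — not on the `return ENOMEM` after `calloc` fails, not at `cleanup:`, and not on success — so every call that finds capaths entries leaks the profile value list, which matters for long-lived library users such as a KDC or GSSAPI server. `rtree_capath_vals` itself is outside the hunk, but if it hands back a list from `profile_get_values()` (as the `char **` shape suggests), the release should be `profile_free_list(capvals);` both before the `return ENOMEM;` and at the `cleanup:` label ahead of `krb5int_free_data_list(context, rpath);`, and the early `return retval;` after the helper fails is fine only if the helper leaves `capvals` unset on error, which is worth confirming. A second thing to confirm against that helper: capaths uses a lone `.` entry to mean a direct path, and the copy loop here (`make_data(capvals[i], strcspn(capvals[i], "\t "))`) would pass such an entry through as a realm name unless the helper already filters it. The function header deserves a comment stating that `*rpath_out` is a `krb5_data` list terminated by `empty_data()` that the caller must free with `krb5int_free_data_list()`, since that ownership contract is the reason `rpath` is set to NULL before falling into `cleanup:`.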