authorJeffrey Altman <jaltman@secure-endpoints.com>2007-01-18 12:43:58 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2007-01-18 12:43:58 +0000
commit4b7a75238735d5202760d188926d54b2add5241e (patch)
treea9513b0970a8d5a0bc516353a3313ca82706b3d1 /src
parenta329ba8882b7abec1b144db28a2eb1ceef17b2b2 (diff)
NIM Kerberos 5 Provider corrections
When validating a Kerberos 5 principal name, the request to the KDC should not request forwardable, renewable, or proxiable options as these may be blocked by policy and will result in the return of an error. Always treat the Kerberos 5 principal name as valid unless the KDC returns an error that clearly indicates that the principal name does not exist. Use a MEMORY: ccache for temporary storage instead of an API: ccache. Initialize pointer values with NULL instead of 0. ticket: new tags: pullup component: windows git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19069 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/windows/identity/plugins/krb5/krb5funcs.c23
-rw-r--r--src/windows/identity/plugins/krb5/krb5identpro.c2
-rw-r--r--src/windows/identity/plugins/krb5/krb5newcreds.c9
3 files changed, 17 insertions, 17 deletions
diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c
index 3bd090f4e..8cf2b86fd 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.c
+++ b/src/windows/identity/plugins/krb5/krb5funcs.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005 Massachusetts Institute of Technology
+* Copyright (c) 2006,2007 Secure Endpoints Inc.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
@@ -25,7 +26,7 @@
/* $Id$ */
/* Originally this was krb5routines.c in Leash sources. Subsequently
-modified and adapted for NetIDMgr */
+ * modified and adapted for NetIDMgr */
#include<krbcred.h>
#include<kherror.h>
@@ -360,11 +361,11 @@ static long get_tickets_from_cache(krb5_context ctx,
krb5_cc_cursor KRBv5Cursor;
krb5_creds KRBv5Credentials;
krb5_ticket *tkt=NULL;
- char *ClientName;
- char *PrincipalName;
+ char *ClientName = NULL;
+ char *PrincipalName = NULL;
wchar_t wbuf[256]; /* temporary conversion buffer */
wchar_t wcc_name[KRB5_MAXCCH_CCNAME]; /* credential cache name */
- char *sServerName;
+ char *sServerName = NULL;
khm_handle ident = NULL;
khm_handle cred = NULL;
time_t tt;
@@ -731,9 +732,9 @@ long
khm_krb5_list_tickets(krb5_context *krbv5Context)
{
krb5_context ctx = NULL;
- krb5_ccache cache = 0;
+ krb5_ccache cache = NULL;
krb5_error_code code = 0;
- apiCB * cc_ctx = 0;
+ apiCB * cc_ctx = NULL;
struct _infoNC ** pNCi = NULL;
int i;
khm_int32 t;
@@ -1108,10 +1109,10 @@ khm_krb5_kinit(krb5_context alt_ctx,
void * p_data)
{
krb5_error_code code = 0;
- krb5_context ctx = 0;
- krb5_ccache cc = 0;
- krb5_principal me = 0;
- char* name = 0;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+ krb5_principal me = NULL;
+ char* name = NULL;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_address ** addrs = NULL;
@@ -2602,7 +2603,7 @@ khm_krb5_get_temp_ccache(krb5_context ctx,
long code = 0;
krb5_ccache cc = 0;
- StringCbPrintfA(ccname, sizeof(ccname), "API:TempCache%8x", rnd);
+ StringCbPrintfA(ccname, sizeof(ccname), "MEMORY:TempCache%8x", rnd);
code = pkrb5_cc_resolve(ctx, ccname, &cc);
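Review bot: The format `"MEMORY:TempCache%8x"` pads `rnd` with spaces rather than zeros, so a small value yields a cache name with embedded blanks; `StringCbPrintfA(ccname, sizeof(ccname), "MEMORY:TempCache%08x", rnd);` gives a fixed-width hexadecimal suffix. The context line `krb5_ccache cc = 0;` directly above was missed by this commit's 0-to-NULL cleanup and would read `krb5_ccache cc = NULL;`. How `rnd` is generated and whether callers destroy the temporary cache after use lie outside the hunk. Because a MEMORY: cache keeps credentials in process memory until it is destroyed, both are worth confirming in the rest of khm_krb5_get_temp_ccache and its callers.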
diff --git a/src/windows/identity/plugins/krb5/krb5identpro.c b/src/windows/identity/plugins/krb5/krb5identpro.c
index a8c91f955..43d6d3d9d 100644
--- a/src/windows/identity/plugins/krb5/krb5identpro.c
+++ b/src/windows/identity/plugins/krb5/krb5identpro.c
@@ -824,8 +824,6 @@ k5_ident_set_default(khm_int32 msg_type,
DWORD dwSize;
wchar_t reg_ccname[KRB5_MAXCCH_CCNAME];
- assert(FALSE);
-
#ifdef DEBUG
assert(def_ident != NULL);
#endif
diff --git a/src/windows/identity/plugins/krb5/krb5newcreds.c b/src/windows/identity/plugins/krb5/krb5newcreds.c
index 9be8c896a..087d937f4 100644
--- a/src/windows/identity/plugins/krb5/krb5newcreds.c
+++ b/src/windows/identity/plugins/krb5/krb5newcreds.c
@@ -641,9 +641,9 @@ k5_kinit_fiber_proc(PVOID lpParameter)
g_fjob.password,
g_fjob.ccache,
g_fjob.lifetime,
- g_fjob.forwardable,
- g_fjob.proxiable,
- (g_fjob.renewable ? g_fjob.renew_life : 0),
+ g_fjob.valid_principal ? g_fjob.forwardable : 0,
+ g_fjob.valid_principal ? g_fjob.proxiable : 0,
+ (g_fjob.valid_principal && g_fjob.renewable ? g_fjob.renew_life : 0),
g_fjob.addressless,
g_fjob.publicIP,
k5_kinit_prompter,
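Review bot: The three gated arguments carry no comment saying why `valid_principal` suppresses them, and the renewable expression relies on `&&` binding tighter than `?:`. Going by the commit description, a false `valid_principal` presumably means the request is only validating the name, so a line such as `/* validation request: ask for no forwardable/proxiable/renewable options, KDC policy may reject them */` above the arguments would record the intent. Explicit grouping, `((g_fjob.valid_principal && g_fjob.renewable) ? g_fjob.renew_life : 0),`, would remove the precedence question. The call starts before the hunk and continues past it, so the remaining arguments are not reviewed here.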
@@ -2058,7 +2058,8 @@ k5_msg_cred_dialog(khm_int32 msg_type,
/* we can't possibly have succeeded without a
password */
- if(g_fjob.code && is_k5_identpro) {
+ if(g_fjob.code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
+ is_k5_identpro) {
kcdb_identity_set_flags(ident,
KCDB_IDENT_FLAG_INVALID,
KCDB_IDENT_FLAG_INVALID);
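Review bot: The comment above the condition, "we can't possibly have succeeded without a password", no longer describes the test now that only `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` sets `KCDB_IDENT_FLAG_INVALID`. I would extend it with `/* only an explicit "client principal unknown" reply marks the identity invalid; any other error leaves it treated as valid */`. Whether an identity flagged invalid by an earlier attempt has the flag cleared when a later attempt returns a different code is not visible, because the branch continues outside the hunk. That is worth confirming so a stale flag does not persist.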