Diffstat (limited to 'src/lib/krb5/krb/get_in_tkt.c')
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2c2b654a6..aebef8309 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,22 @@ is_empty_crealm(krb5_error *err)
 return (err->client == NULL || err->client->realm.length == 0);
 }
+/* Determine whether the client realm in a KRB-ERROR does not match the
+ * requested one. */
+static krb5_boolean
+is_different_crealm(krb5_context context, krb5_error *err,
+ krb5_const_principal sent_princ)
+{
+
+ if (is_empty_crealm(err))
+ return FALSE;
+
+ if (krb5_realm_compare(context, err->client, sent_princ))
+ return FALSE;
+
+ return TRUE;
+}
+
 /*
 * Determine whether a KRB-ERROR is a referral to another realm.
 *
@@ -1397,7 +1413,7 @@ is_empty_crealm(krb5_error *err)
 * such responses.
 */
 static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_init_creds_context ctx)
 {
 krb5_error *err = ctx->err_reply;
@@ -1405,7 +1421,7 @@ is_referral(krb5_init_creds_context ctx)
 return TRUE;
 if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
 return FALSE;
- return !is_empty_crealm(err);
+ return is_different_crealm(context, err, ctx->request->client);
 }
 static krb5_error_code
@@ -1467,7 +1483,7 @@ init_creds_step_reply(krb5_context context,
 ctx->preauth_to_use);
 ctx->preauth_required = TRUE;
- } else if (canon_flag && is_referral(ctx)) {
+ } else if (canon_flag && is_referral(context, ctx)) {
 if (is_empty_crealm(ctx->err_reply)) {
 /* Only WRONG_REALM referral types can reach this. */
 code = KRB5KDC_ERR_WRONG_REALM; |
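Review bot: `sent_princ` is handed to `krb5_realm_compare` in is_different_crealm without a NULL check, while `err->client` is covered by the `is_empty_crealm` guard just above it. The one caller in this patch passes `ctx->request->client`, which is presumably always populated by then, but that is not visible here; since the KRB-ERROR being examined is not integrity-protected, a cheap guard such as `if (sent_princ == NULL) return FALSE;` keeps the path safe whatever the caller's state. The header comment should also say that an empty or absent client realm yields FALSE, e.g. `/* Return TRUE only if the KRB-ERROR carries a non-empty client realm that differs from sent_princ's realm. */`, and the blank line after the opening `{` can go.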
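Review bot: The early `return TRUE;` at the top of the third hunk, in is_referral, is not subject to the new realm comparison, so only the `KDC_ERR_C_PRINCIPAL_UNKNOWN` path filters out replies that name the requested realm. The condition guarding that return lies outside the hunk (presumably the WRONG_REALM check, going by the comment in init_creds_step_reply), so if a same-realm reply on that path should also be refused it needs its own `is_different_crealm` test. Otherwise a short comment stating that the asymmetry is intentional would help, e.g. `/* WRONG_REALM is always a referral; PRINCIPAL_UNKNOWN only when the returned realm differs. */`. The block comment above is_referral is only partly visible between the hunks and may still describe the old non-empty-realm test; it should be brought in line with the new behaviour.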