summaryrefslogtreecommitdiffstats
path: root/krb5-master-init_referral.patch
blob: ae3d3b84ce4d6dc0d9fca460b2453c89b49d8262 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
commit a12a5ddb9b932061bad7b83df058c7c6e2e4b044
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu May 30 11:39:54 2013 -0400

    Properly handle use_master in k5_init_creds_get
    
    If we make multiple requests in an initial creds exchange, the
    krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
    value from 0 to 1 if it detects that the response was from a master
    KDC.  Don't turn this into a requirement for future requests during
    the same exchange, or we may have trouble following AS referrals.
    Reported by Sumit Bose.
    
    ticket: 7650

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 20bc689..ff455d3 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -521,7 +521,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
     krb5_data reply;
     krb5_data realm;
     unsigned int flags = 0;
-    int tcp_only = 0;
+    int tcp_only = 0, master = *use_master;
 
     request.length = 0;
     request.data = NULL;
@@ -545,8 +545,9 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
 
         krb5_free_data_contents(context, &reply);
 
+        master = *use_master;
         code = krb5_sendto_kdc(context, &request, &realm,
-                               &reply, use_master, tcp_only);
+                               &reply, &master, tcp_only);
         if (code != 0)
             break;
 
@@ -558,6 +559,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
     krb5_free_data_contents(context, &reply);
     krb5_free_data_contents(context, &realm);
 
+    *use_master = master;
     return code;
 }