pull up r19069 from trunk
authorTom Yu <tlyu@mit.edu>
Fri, 30 Mar 2007 00:34:11 +0000 (00:34 +0000)
committerTom Yu <tlyu@mit.edu>
Fri, 30 Mar 2007 00:34:11 +0000 (00:34 +0000)
 r19069@cathode-dark-space:  jaltman | 2007-01-18 07:43:58 -0500
 ticket: new
 subject: NIM Kerberos 5 Provider corrections
 tags: pullup
 component: windows

  When validating a Kerberos 5 principal name, the request
  to the KDC should not request forwardable, renewable, or
  proxiable options as these may be blocked by policy and
  will result in the return of an error.

  Always treat the Kerberos 5 principal name as valid
  unless the KDC returns an error that clearly indicates that
  the principal name does not exist.

  Use a MEMORY: ccache for temporary storage instead of an
  API: ccache.

  Initialize pointer values with NULL instead of 0.

ticket: 5400
version_fixed: 1.6.1

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19318 dc483132-0cff-0310-8789-dd5450dbe970

src/windows/identity/plugins/krb5/krb5funcs.c
src/windows/identity/plugins/krb5/krb5identpro.c
src/windows/identity/plugins/krb5/krb5newcreds.c

index 3bd090f4ee6bdc3ed9e23b766d9bc170189cab82..8cf2b86fdfb5b2414ae79e7f9bf935ac03d18769 100644 (file)
@@ -1,5 +1,6 @@
 /*\r
 * Copyright (c) 2005 Massachusetts Institute of Technology\r
+* Copyright (c) 2006,2007 Secure Endpoints Inc.\r
 *\r
 * Permission is hereby granted, free of charge, to any person\r
 * obtaining a copy of this software and associated documentation\r
@@ -25,7 +26,7 @@
 /* $Id$ */\r
 \r
 /* Originally this was krb5routines.c in Leash sources.  Subsequently\r
-modified and adapted for NetIDMgr */\r
+ * modified and adapted for NetIDMgr */\r
 \r
 #include<krbcred.h>\r
 #include<kherror.h>\r
@@ -360,11 +361,11 @@ static long get_tickets_from_cache(krb5_context ctx,
     krb5_cc_cursor  KRBv5Cursor;\r
     krb5_creds     KRBv5Credentials;\r
     krb5_ticket    *tkt=NULL;\r
-    char          *ClientName;\r
-    char          *PrincipalName;\r
+    char          *ClientName = NULL;\r
+    char          *PrincipalName = NULL;\r
     wchar_t         wbuf[256];  /* temporary conversion buffer */\r
     wchar_t         wcc_name[KRB5_MAXCCH_CCNAME]; /* credential cache name */\r
-    char          *sServerName;\r
+    char          *sServerName = NULL;\r
     khm_handle      ident = NULL;\r
     khm_handle      cred = NULL;\r
     time_t          tt;\r
@@ -731,9 +732,9 @@ long
 khm_krb5_list_tickets(krb5_context *krbv5Context)\r
 {\r
     krb5_context       ctx = NULL;\r
-    krb5_ccache                cache = 0;\r
+    krb5_ccache                cache = NULL;\r
     krb5_error_code    code = 0;\r
-    apiCB *             cc_ctx = 0;\r
+    apiCB *             cc_ctx = NULL;\r
     struct _infoNC **   pNCi = NULL;\r
     int                 i;\r
     khm_int32           t;\r
@@ -1108,10 +1109,10 @@ khm_krb5_kinit(krb5_context       alt_ctx,
                void *             p_data)\r
 {\r
     krb5_error_code                    code = 0;\r
-    krb5_context                       ctx = 0;\r
-    krb5_ccache                                cc = 0;\r
-    krb5_principal                     me = 0;\r
-    char*                       name = 0;\r
+    krb5_context                       ctx = NULL;\r
+    krb5_ccache                                cc = NULL;\r
+    krb5_principal                     me = NULL;\r
+    char*                       name = NULL;\r
     krb5_creds                         my_creds;\r
     krb5_get_init_creds_opt     options;\r
     krb5_address **             addrs = NULL;\r
@@ -2602,7 +2603,7 @@ khm_krb5_get_temp_ccache(krb5_context ctx,
     long code = 0;\r
     krb5_ccache cc = 0;\r
 \r
-    StringCbPrintfA(ccname, sizeof(ccname), "API:TempCache%8x", rnd);\r
+    StringCbPrintfA(ccname, sizeof(ccname), "MEMORY:TempCache%8x", rnd);\r
 \r
     code = pkrb5_cc_resolve(ctx, ccname, &cc);\r
 \r
index a8c91f955ba0b7e1e10b8e246c9244e565353c34..43d6d3d9dd308c3b04b8373f41a7f38ae0b8b1b9 100644 (file)
@@ -824,8 +824,6 @@ k5_ident_set_default(khm_int32 msg_type,
         DWORD dwSize;\r
         wchar_t reg_ccname[KRB5_MAXCCH_CCNAME];\r
 \r
-        assert(FALSE);\r
-\r
 #ifdef DEBUG\r
         assert(def_ident != NULL);\r
 #endif\r
index 9be8c896a43c88602f9b82c0034dc24d43cc0029..087d937f4c040b8a2b0fc8ac760dcb9d352cd74c 100644 (file)
@@ -641,9 +641,9 @@ k5_kinit_fiber_proc(PVOID lpParameter)
                                g_fjob.password,\r
                                g_fjob.ccache,\r
                                g_fjob.lifetime,\r
-                               g_fjob.forwardable,\r
-                               g_fjob.proxiable,\r
-                               (g_fjob.renewable ? g_fjob.renew_life : 0),\r
+                               g_fjob.valid_principal ? g_fjob.forwardable : 0,\r
+                               g_fjob.valid_principal ? g_fjob.proxiable : 0,\r
+                               (g_fjob.valid_principal && g_fjob.renewable ? g_fjob.renew_life : 0),\r
                                g_fjob.addressless,\r
                                g_fjob.publicIP,\r
                                k5_kinit_prompter,\r
@@ -2058,7 +2058,8 @@ k5_msg_cred_dialog(khm_int32 msg_type,
 \r
                     /* we can't possibly have succeeded without a\r
                        password */\r
-                    if(g_fjob.code && is_k5_identpro) {\r
+                    if(g_fjob.code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && \r
+                      is_k5_identpro) {\r
                         kcdb_identity_set_flags(ident,\r
                                                 KCDB_IDENT_FLAG_INVALID,\r
                                                 KCDB_IDENT_FLAG_INVALID);\r