From 4b7a75238735d5202760d188926d54b2add5241e Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Thu, 18 Jan 2007 12:43:58 +0000
Subject: [PATCH] NIM Kerberos 5 Provider corrections

	When validating a Kerberos 5 principal name, the request
	to the KDC should not request forwardable, renewable, or
	proxiable options as these may be blocked by policy and
	will result in the return of an error.

	Always treat the Kerberos 5 principal name as valid
	unless the KDC returns an error that clearly indicates that
	the principal name does not exist.

	Use a MEMORY: ccache for temporary storage instead of an
	API: ccache.

	Initialize pointer values with NULL instead of 0.

ticket: new
tags: pullup
component: windows

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19069 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/windows/identity/plugins/krb5/krb5funcs.c | 23 ++++++++++---------
 .../identity/plugins/krb5/krb5identpro.c      |  2 --
 .../identity/plugins/krb5/krb5newcreds.c      |  9 ++++----
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c
index 3bd090f4e..8cf2b86fd 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.c
+++ b/src/windows/identity/plugins/krb5/krb5funcs.c
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2005 Massachusetts Institute of Technology
+* Copyright (c) 2006,2007 Secure Endpoints Inc.
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
@@ -25,7 +26,7 @@
 /* $Id$ */
 
 /* Originally this was krb5routines.c in Leash sources.  Subsequently
-modified and adapted for NetIDMgr */
+ * modified and adapted for NetIDMgr */
 
 #include<krbcred.h>
 #include<kherror.h>
@@ -360,11 +361,11 @@ static long get_tickets_from_cache(krb5_context ctx,
     krb5_cc_cursor  KRBv5Cursor;
     krb5_creds	    KRBv5Credentials;
     krb5_ticket    *tkt=NULL;
-    char	   *ClientName;
-    char	   *PrincipalName;
+    char	   *ClientName = NULL;
+    char	   *PrincipalName = NULL;
     wchar_t         wbuf[256];  /* temporary conversion buffer */
     wchar_t         wcc_name[KRB5_MAXCCH_CCNAME]; /* credential cache name */
-    char	   *sServerName;
+    char	   *sServerName = NULL;
     khm_handle      ident = NULL;
     khm_handle      cred = NULL;
     time_t          tt;
@@ -731,9 +732,9 @@ long
 khm_krb5_list_tickets(krb5_context *krbv5Context)
 {
     krb5_context	ctx = NULL;
-    krb5_ccache		cache = 0;
+    krb5_ccache		cache = NULL;
     krb5_error_code	code = 0;
-    apiCB *             cc_ctx = 0;
+    apiCB *             cc_ctx = NULL;
     struct _infoNC **   pNCi = NULL;
     int                 i;
     khm_int32           t;
@@ -1108,10 +1109,10 @@ khm_krb5_kinit(krb5_context       alt_ctx,
                void *             p_data)
 {
     krb5_error_code		        code = 0;
-    krb5_context		        ctx = 0;
-    krb5_ccache			        cc = 0;
-    krb5_principal		        me = 0;
-    char*                       name = 0;
+    krb5_context		        ctx = NULL;
+    krb5_ccache			        cc = NULL;
+    krb5_principal		        me = NULL;
+    char*                       name = NULL;
     krb5_creds			        my_creds;
     krb5_get_init_creds_opt     options;
     krb5_address **             addrs = NULL;
@@ -2602,7 +2603,7 @@ khm_krb5_get_temp_ccache(krb5_context ctx,
     long code = 0;
     krb5_ccache cc = 0;
 
-    StringCbPrintfA(ccname, sizeof(ccname), "API:TempCache%8x", rnd);
+    StringCbPrintfA(ccname, sizeof(ccname), "MEMORY:TempCache%8x", rnd);
 
     code = pkrb5_cc_resolve(ctx, ccname, &cc);
 
diff --git a/src/windows/identity/plugins/krb5/krb5identpro.c b/src/windows/identity/plugins/krb5/krb5identpro.c
index a8c91f955..43d6d3d9d 100644
--- a/src/windows/identity/plugins/krb5/krb5identpro.c
+++ b/src/windows/identity/plugins/krb5/krb5identpro.c
@@ -824,8 +824,6 @@ k5_ident_set_default(khm_int32 msg_type,
         DWORD dwSize;
         wchar_t reg_ccname[KRB5_MAXCCH_CCNAME];
 
-        assert(FALSE);
-
 #ifdef DEBUG
         assert(def_ident != NULL);
 #endif
diff --git a/src/windows/identity/plugins/krb5/krb5newcreds.c b/src/windows/identity/plugins/krb5/krb5newcreds.c
index 9be8c896a..087d937f4 100644
--- a/src/windows/identity/plugins/krb5/krb5newcreds.c
+++ b/src/windows/identity/plugins/krb5/krb5newcreds.c
@@ -641,9 +641,9 @@ k5_kinit_fiber_proc(PVOID lpParameter)
                                g_fjob.password,
                                g_fjob.ccache,
                                g_fjob.lifetime,
-                               g_fjob.forwardable,
-                               g_fjob.proxiable,
-                               (g_fjob.renewable ? g_fjob.renew_life : 0),
+				g_fjob.valid_principal ? g_fjob.forwardable : 0,
+				g_fjob.valid_principal ? g_fjob.proxiable : 0,
+                               (g_fjob.valid_principal && g_fjob.renewable ? g_fjob.renew_life : 0),
                                g_fjob.addressless,
                                g_fjob.publicIP,
                                k5_kinit_prompter,
@@ -2058,7 +2058,8 @@ k5_msg_cred_dialog(khm_int32 msg_type,
 
                     /* we can't possibly have succeeded without a
                        password */
-                    if(g_fjob.code && is_k5_identpro) {
+                    if(g_fjob.code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && 
+		       is_k5_identpro) {
                         kcdb_identity_set_flags(ident,
                                                 KCDB_IDENT_FLAG_INVALID,
                                                 KCDB_IDENT_FLAG_INVALID);
-- 
2.26.2