From e10ca0a3d844b5acc99b6cf84a3c5e20199ac3c2 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 20 Jun 2007 01:40:52 +0000 Subject: [PATCH] pull up r19536 from trunk r19536@cathode-dark-space: hartmans | 2007-04-29 17:55:04 -0400 ticket: new subject: rd_req_decoded needs to deal with referral realms Target_Version: 1.6.2 Tags: pullup * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there, as we do in the keytab code. ticket: 5551 version_fixed: 1.6.2 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19598 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/rd_req_dec.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 6f53b11c9..d23ab6b10 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -94,7 +94,19 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, { krb5_error_code retval = 0; krb5_timestamp currenttime; - + krb5_principal_data princ_data; + + req->ticket->enc_part2 == NULL; + if (server && krb5_is_referral_realm(&server->realm)) { + char *realm; + princ_data = *server; + server = &princ_data; + retval = krb5_get_default_realm(context, &realm); + if (retval) + return retval; + princ_data.realm.data = realm; + princ_data.realm.length = strlen(realm); + } if (server && !krb5_principal_compare(context, server, req->ticket->server)) { char *found_name = 0, *wanted_name = 0; if (krb5_unparse_name(context, server, &wanted_name) == 0 @@ -104,7 +116,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, found_name, wanted_name); krb5_free_unparsed_name(context, wanted_name); krb5_free_unparsed_name(context, found_name); - return KRB5KRB_AP_WRONG_PRINC; + retval = KRB5KRB_AP_WRONG_PRINC; + goto cleanup; } /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) @@ -114,12 +127,12 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, if ((*auth_context)->keyblock) { /* User to User authentication */ if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock, req->ticket))) - return retval; +goto cleanup; krb5_free_keyblock(context, (*auth_context)->keyblock); (*auth_context)->keyblock = NULL; } else { if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab))) - return retval; + goto cleanup; } /* XXX this is an evil hack. check_valid_flag is set iff the call @@ -364,10 +377,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, retval = 0; cleanup: + if (server == &princ_data) + krb5_free_default_realm(context, princ_data.realm.data); if (retval) { /* only free if we're erroring out...otherwise some applications will need the output. */ - krb5_free_enc_tkt_part(context, req->ticket->enc_part2); + if (req->ticket->enc_part2) + krb5_free_enc_tkt_part(context, req->ticket->enc_part2); req->ticket->enc_part2 = NULL; } return retval; -- 2.26.2