From ea377475eac5d807f87061312db70fcd48d304c8 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 30 Mar 2007 00:34:11 +0000 Subject: [PATCH] pull up r19069 from trunk r19069@cathode-dark-space: jaltman | 2007-01-18 07:43:58 -0500 ticket: new subject: NIM Kerberos 5 Provider corrections tags: pullup component: windows When validating a Kerberos 5 principal name, the request to the KDC should not request forwardable, renewable, or proxiable options as these may be blocked by policy and will result in the return of an error. Always treat the Kerberos 5 principal name as valid unless the KDC returns an error that clearly indicates that the principal name does not exist. Use a MEMORY: ccache for temporary storage instead of an API: ccache. Initialize pointer values with NULL instead of 0. ticket: 5400 version_fixed: 1.6.1 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19318 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/identity/plugins/krb5/krb5funcs.c | 23 ++++++++++--------- .../identity/plugins/krb5/krb5identpro.c | 2 -- .../identity/plugins/krb5/krb5newcreds.c | 9 ++++---- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c index 3bd090f4e..8cf2b86fd 100644 --- a/src/windows/identity/plugins/krb5/krb5funcs.c +++ b/src/windows/identity/plugins/krb5/krb5funcs.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2005 Massachusetts Institute of Technology +* Copyright (c) 2006,2007 Secure Endpoints Inc. * * Permission is hereby granted, free of charge, to any person * obtaining a copy of this software and associated documentation @@ -25,7 +26,7 @@ /* $Id$ */ /* Originally this was krb5routines.c in Leash sources. Subsequently -modified and adapted for NetIDMgr */ + * modified and adapted for NetIDMgr */ #include #include @@ -360,11 +361,11 @@ static long get_tickets_from_cache(krb5_context ctx, krb5_cc_cursor KRBv5Cursor; krb5_creds KRBv5Credentials; krb5_ticket *tkt=NULL; - char *ClientName; - char *PrincipalName; + char *ClientName = NULL; + char *PrincipalName = NULL; wchar_t wbuf[256]; /* temporary conversion buffer */ wchar_t wcc_name[KRB5_MAXCCH_CCNAME]; /* credential cache name */ - char *sServerName; + char *sServerName = NULL; khm_handle ident = NULL; khm_handle cred = NULL; time_t tt; @@ -731,9 +732,9 @@ long khm_krb5_list_tickets(krb5_context *krbv5Context) { krb5_context ctx = NULL; - krb5_ccache cache = 0; + krb5_ccache cache = NULL; krb5_error_code code = 0; - apiCB * cc_ctx = 0; + apiCB * cc_ctx = NULL; struct _infoNC ** pNCi = NULL; int i; khm_int32 t; @@ -1108,10 +1109,10 @@ khm_krb5_kinit(krb5_context alt_ctx, void * p_data) { krb5_error_code code = 0; - krb5_context ctx = 0; - krb5_ccache cc = 0; - krb5_principal me = 0; - char* name = 0; + krb5_context ctx = NULL; + krb5_ccache cc = NULL; + krb5_principal me = NULL; + char* name = NULL; krb5_creds my_creds; krb5_get_init_creds_opt options; krb5_address ** addrs = NULL; @@ -2602,7 +2603,7 @@ khm_krb5_get_temp_ccache(krb5_context ctx, long code = 0; krb5_ccache cc = 0; - StringCbPrintfA(ccname, sizeof(ccname), "API:TempCache%8x", rnd); + StringCbPrintfA(ccname, sizeof(ccname), "MEMORY:TempCache%8x", rnd); code = pkrb5_cc_resolve(ctx, ccname, &cc); diff --git a/src/windows/identity/plugins/krb5/krb5identpro.c b/src/windows/identity/plugins/krb5/krb5identpro.c index a8c91f955..43d6d3d9d 100644 --- a/src/windows/identity/plugins/krb5/krb5identpro.c +++ b/src/windows/identity/plugins/krb5/krb5identpro.c @@ -824,8 +824,6 @@ k5_ident_set_default(khm_int32 msg_type, DWORD dwSize; wchar_t reg_ccname[KRB5_MAXCCH_CCNAME]; - assert(FALSE); - #ifdef DEBUG assert(def_ident != NULL); #endif diff --git a/src/windows/identity/plugins/krb5/krb5newcreds.c b/src/windows/identity/plugins/krb5/krb5newcreds.c index 9be8c896a..087d937f4 100644 --- a/src/windows/identity/plugins/krb5/krb5newcreds.c +++ b/src/windows/identity/plugins/krb5/krb5newcreds.c @@ -641,9 +641,9 @@ k5_kinit_fiber_proc(PVOID lpParameter) g_fjob.password, g_fjob.ccache, g_fjob.lifetime, - g_fjob.forwardable, - g_fjob.proxiable, - (g_fjob.renewable ? g_fjob.renew_life : 0), + g_fjob.valid_principal ? g_fjob.forwardable : 0, + g_fjob.valid_principal ? g_fjob.proxiable : 0, + (g_fjob.valid_principal && g_fjob.renewable ? g_fjob.renew_life : 0), g_fjob.addressless, g_fjob.publicIP, k5_kinit_prompter, @@ -2058,7 +2058,8 @@ k5_msg_cred_dialog(khm_int32 msg_type, /* we can't possibly have succeeded without a password */ - if(g_fjob.code && is_k5_identpro) { + if(g_fjob.code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && + is_k5_identpro) { kcdb_identity_set_flags(ident, KCDB_IDENT_FLAG_INVALID, KCDB_IDENT_FLAG_INVALID); -- 2.26.2