diff options
author | Greg Hudson <ghudson@mit.edu> | 2018-03-03 13:44:00 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2018-05-01 20:16:08 -0400 |
commit | 6df6f46877cdec83944aa1e3579b77e5b0083f01 (patch) | |
tree | 94889a3674b68d3555131781d9134d2ec15233a6 | |
parent | b294627169fba270dbd78cff5e1408a21051b266 (diff) | |
download | krb5-6df6f46877cdec83944aa1e3579b77e5b0083f01.zip krb5-6df6f46877cdec83944aa1e3579b77e5b0083f01.tar.gz krb5-6df6f46877cdec83944aa1e3579b77e5b0083f01.tar.bz2 |
Fix capaths "." values on client
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function. Correct that
omission and add a test case.
(cherry picked from commit f8d0877f848563d07152a0ee191fe82846fdb8f1)
ticket: 8646
version_fixed: 1.15.3
-rw-r--r-- | src/lib/krb5/krb/walk_rtree.c | 6 | ||||
-rwxr-xr-x | src/tests/t_crossrealm.py | 11 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c index 0566a55..f4e8e35 100644 --- a/src/lib/krb5/krb/walk_rtree.c +++ b/src/lib/krb5/krb/walk_rtree.c @@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client, if (retval) return retval; + /* A capaths value of "." means no intermediates. */ + if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') { + profile_free_list(capvals); + capvals = NULL; + } + /* Count capaths (if any) and allocate space. Leave room for the client * realm, server realm, and terminator. */ for (i = 0; capvals != NULL && capvals[i] != NULL; i++); diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py index 0d967b8..cd4facf 100755 --- a/src/tests/t_crossrealm.py +++ b/src/tests/t_crossrealm.py @@ -78,6 +78,17 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), test_kvno(r1, r4.host_princ, 'KDC capaths') stop(r1, r2, r3, r4) +# A capaths value of '.' should enforce direct cross-realm, with no +# intermediate. +capaths = {'capaths': {'A.X': {'B.X': '.'}}} +r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), + args=({'realm': 'A.X', 'krb5_conf': capaths}, + {'realm': 'X'}, {'realm': 'B.X'})) +output = r1.run([kvno, r3.host_princ], expected_code=1) +if 'Server krbtgt/B.X@A.X not found in Kerberos database' not in output: + fail('capaths ".": Expected error message not in output') +stop(r1, r2, r3) + # Test transited error. The KDC for C does not recognize B as an # intermediate realm for A->C, so it refuses to issue a service # ticket. |