author | Luke Howard <lukeh@padl.com> | 2009-01-02 23:53:55 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-01-02 23:53:55 +0000 |
commit | e28f611781d30c4d8f7ae6120e63c6b064b7c16e (patch) | |
tree | 619723f2b002606fbab34cdc884a31fb6c3fb8a8 | |
parent | 82f20312a362d7ea2d4c2be990ad484a3fa97a29 (diff) | |
Handle KDC_ERR_WRONG_REALM in krb5_get_in_tkt() - needs review, not
completely tested yet
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21672 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 5dbbc43..f5ac97d 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -671,8 +671,12 @@ krb5_get_in_tkt(krb5_context context, } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { if (++referral_count > KRB5_REFERRAL_MAXHOPS || err_reply->client == NULL || - err_reply->client->realm.length == 0) + err_reply->client->realm.length == 0) { + retval = (krb5_error_code) err_reply->error + + ERROR_TABLE_BASE_krb5; + krb5_free_error(context, err_reply); goto cleanup; + } /* Rewrite request.client with realm from error reply */ if (referred_client.realm.data) { krb5_free_data_contents(context, &referred_client.realm); @@ -970,6 +974,8 @@ krb5_get_init_creds(krb5_context context, krb5_timestamp time_now; krb5_enctype etype = 0; krb5_preauth_client_rock get_data_rock; + int canon_flag = 0; + krb5_principal_data referred_client; /* initialize everything which will be freed at cleanup */ @@ -994,6 +1000,11 @@ krb5_get_init_creds(krb5_context context, err_reply = NULL; + /* referred_client is used to rewrite the client realm for referrals */ + referred_client = *client; + referred_client.realm.data = NULL; + referred_client.realm.length = 0; + /* * Set up the basic request structure */ @@ -1103,6 +1114,10 @@ krb5_get_init_creds(krb5_context context, request.client = client; + /* per referrals draft, enterprise principals imply canonicalization */ + canon_flag = ((request.kdc_options & KDC_OPT_CANONICALIZE) != 0) || + client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; + /* service */ if (in_tkt_service) { 
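Review bot: In the early-exit block added at -671, `krb5_free_error(context, err_reply);` is followed directly by `goto cleanup;`, so err_reply still points at the freed structure when cleanup runs. The same call appears twice in the krb5_get_init_creds hunk at -1311, and the second one there is followed by `request.client = &referred_client;` and presumably another pass of the retry loop. If cleanup or the next iteration tests or frees err_reply again (the -994 hunk shows it being reset to NULL in the block that initializes what cleanup frees), this is a use-after-free or double free driven by a KDC error reply. I would add `err_reply = NULL;` after each of the three calls; both function bodies continue outside these hunks, so the cleanup paths still need checking.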
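Review bot: `referred_client = *client;` in the -994 hunk is a shallow copy, and the comment above it does not say which fields referred_client owns. Only realm.data is ever replaced and freed (hunks at -1311 and -1461), so every other pointer still aliases the caller's principal and must not be freed through referred_client. I would extend the comment to `/* shallow copy of *client; only realm is owned here and freed at cleanup */`.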
@@ -1311,6 +1326,26 @@ krb5_get_init_creds(krb5_context context, if (ret) goto cleanup; /* continue to next iteration */ + } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { + if (err_reply->client == NULL || + err_reply->client->realm.length == 0) { + ret = (krb5_error_code) err_reply->error + + ERROR_TABLE_BASE_krb5; + krb5_free_error(context, err_reply); + goto cleanup; + } + /* Rewrite request.client with realm from error reply */ + if (referred_client.realm.data) { + krb5_free_data_contents(context, &referred_client.realm); + referred_client.realm.data = NULL; + } + ret = krb5int_copy_data_contents(context, + &err_reply->client->realm, + &referred_client.realm); + krb5_free_error(context, err_reply); + if (ret) + goto cleanup; + request.client = &referred_client; } else { if (err_reply->e_data.length > 0) { /* continue to next iteration */ @@ -1461,6 +1496,8 @@ cleanup: *as_reply = local_as_reply; else if (local_as_reply) krb5_free_kdc_rep(context, local_as_reply); + if (referred_client.realm.data) + krb5_free_data_contents(context, &referred_client.realm); return(ret); } |
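Review bot: The WRONG_REALM branch added at -1311 follows a referral with no hop limit, whereas the equivalent branch in krb5_get_in_tkt (hunk at -671) rejects the reply once `++referral_count > KRB5_REFERRAL_MAXHOPS`. The realm being followed is taken from the KDC error reply, and the visible code checks only that it is present and non-empty, so a looping or forged referral should be bounded here too unless the enclosing retry loop (outside this hunk) already caps iterations. I would test a counter in the first condition, `if (++referral_count > KRB5_REFERRAL_MAXHOPS || err_reply->client == NULL ||`, with `int referral_count = 0;` declared next to canon_flag.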