author | Andrew Boardman <amb@mit.edu> | 2006-08-25 06:46:33 +0000 |
---|---|---|
committer | Andrew Boardman <amb@mit.edu> | 2006-08-25 06:46:33 +0000 |
commit | e8f1612f71d6507b0611ec3e8a92ed17baf269a1 (patch) | |
tree | 066e1537bb915f42a83de4a286a000207e6d189e | |
parent | 736b0dc1b7c502d68c30df0eb679941297f3f867 (diff) | |
Conditionalize acceptance of referral tickets on a request for same being made
git-svn-id: svn://anonsvn.mit.edu/krb5/users/amb/referrals@18536 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/krb/gc_via_tkt.c | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 20c2443..441a781 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -107,7 +107,9 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
 krb5_response tgsrep;
 krb5_enctype *enctypes = 0;
+#ifdef DEBUG_REFERRALS
 printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
+#endif
 /* tkt->client must be equal to in_cred->client */
 if (!krb5_principal_compare(context, tkt->client, in_cred->client))
@@ -156,8 +158,13 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
 tkt, &tgsrep);
 if (enctypes) free(enctypes);
- if (retval)
+ if (retval) {
+#ifdef DEBUG_REFERRALS
+ printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
+ error_message(retval));
+#endif
 return retval;
+ }
 switch (tgsrep.message_type) {
 case KRB5_TGS_REP:
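Review bot: The debug trace added in the second hunk is written with `printf`, so whenever DEBUG_REFERRALS is defined this library routine writes to the calling program's stdout and can interleave with or corrupt output the application produces there. Sending it to stderr keeps it out of the data stream: `fprintf(stderr, "krb5_get_cred_via_tkt ending early after send_tgs with: %s\n", error_message(retval));`. The same applies to the existing `printf` calls that the first and last hunks wrap in the same guard. Whether stdio and `error_message` are declared in this file is not visible in the hunks, so a DEBUG_REFERRALS build should be compiled once to confirm.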
@@ -222,17 +229,17 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
 if ((!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server)) || (!krb5_principal_compare(context, dec_rep->ticket->server, in_cred->server))) {
- if (krb5_principal_compare(context, dec_rep->ticket->server, dec_rep->enc_part2->server)) {
- /* in_cred server differs from ticket returned, but ticket returned is consistent. */
- /* Contrary to draft-ietf-krb-wg-kerberos-referrals-08.txt we
- do *not* require padata. */
- /* XXX: also check for: return flags from KDC? ticket type? whether it's a krbtgt? */
- /*
- printf("in_cred and encoding don't match; should be a referral\n");
- amb_dump_principal("server principal from in_cred",in_cred->server);
- amb_dump_principal("encoded server",dec_rep->enc_part2->server);
- printf("reply referral flag is %s\n",dec_rep->enc_part2->flags&KDC_OPT_CANONICALIZE?"on":"off");
- */
+ if (krb5_principal_compare(context, dec_rep->ticket->server, dec_rep->enc_part2->server)
+ && (kdcoptions&KDC_OPT_CANONICALIZE) ) {
+ /* in_cred server differs from ticket returned, but ticket
+ returned is consistent and we requested canonicalization. */
+#if 0
+#ifdef DEBUG_REFERRALS
+ printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
+ amb_dump_principal("gc_via_tkt: in_cred",in_cred->server);
+ amb_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
+#endif
+#endif
 } else {
 /* in_cred server differs from ticket returned, and ticket
@@ -284,6 +291,8 @@ error_3:;
 error_4:;
 free(tgsrep.response.data);
+#ifdef DEBUG_REFERRALS
 printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
+#endif
 return retval;
 } |
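Review bot: The accepting branch in the `-222,17` hunk still lets through any reply whose server differs from `in_cred->server`, provided `ticket->server` matches `enc_part2->server` and the caller set `KDC_OPT_CANONICALIZE`; nothing visible checks what kind of principal was returned. The removed comment listed exactly those open checks (KDC return flags, ticket type, whether it is a krbtgt), and the commit drops that reminder without adding any of them. So a caller that requests canonicalization appears to receive a ticket for a server it did not name, with no error and no indication that a substitution happened. Until the check exists I would keep a marker in the branch, e.g. `/* XXX: verify the returned server is a krbtgt (referral TGT) before accepting it */`, and document that callers must compare the returned server with the one requested. The branch is also an empty `if` body holding only a comment and `#if 0` code, and its `else` arm continues outside the hunk.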