oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make server referral work.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22761 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-03-24 12:08:55 +00:00
parent 090f16f717
commit 2dd8a03423
1 changed files with 40 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
lib/krb5/get_in_tkt.c
View File

@@ -75,12 +75,12 @@ cleanup:
static krb5_error_code static krb5_error_code
check_server_referral(krb5_context context, check_server_referral(krb5_context context,
krb5_kdc_rep *rep, krb5_kdc_rep *rep,
unsigned flags,
krb5_const_principal requested, krb5_const_principal requested,
krb5_const_principal returned, krb5_const_principal returned,
const krb5_keyblock const * key) const krb5_keyblock const * key)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal principal;
PA_ServerReferralData ref; PA_ServerReferralData ref;
krb5_crypto session; krb5_crypto session;
EncryptedData ed; EncryptedData ed;
@@ -133,20 +133,46 @@ check_server_referral(krb5_context context,
} }
krb5_data_free(&data); krb5_data_free(&data);
if (ref.requested_principal_name == NULL || ref.referred_realm == NULL) { if (strcmp(requested->realm, returned->realm) != 0) {
free_PA_ServerReferralData(&ref); free_PA_ServerReferralData(&ref);
krb5_set_error_string(context, "req princ missing"); krb5_set_error_string(context, "server ref realm mismatch");
return KRB5KRB_AP_ERR_MODIFIED; return KRB5KRB_AP_ERR_MODIFIED;
} }
cmp = _krb5_principal_compare_PrincipalName(context, if (returned->name.name_string.len == 2 &&
*ref.requested_principal_name, strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
requested); {
const char *realm = returned->name.name_string.val[1];
if (ref.referred_realm == NULL
|| strcmp(*ref.referred_realm, realm) != 0)
{
free_PA_ServerReferralData(&ref);
krb5_set_error_string(context, "tgt returned with wrong ref");
return KRB5KRB_AP_ERR_MODIFIED;
}
} else if (krb5_principal_compare(context, returned, requested) == 0) {
free_PA_ServerReferralData(&ref);
krb5_set_error_string(context, "req princ no same as returned");
return KRB5KRB_AP_ERR_MODIFIED;
}
if (ref.requested_principal_name) {
cmp = _krb5_principal_compare_PrincipalName(context,
requested,
ref.requested_principal_name);
if (!cmp) {
free_PA_ServerReferralData(&ref);
krb5_set_error_string(context, "compare requested failed");
return KRB5KRB_AP_ERR_MODIFIED;
}
} else if (flags & EXTRACT_TICKET_AS_REQ) {
free_PA_ServerReferralData(&ref);
krb5_set_error_string(context, "Requested principal missing on AS-REQ");
return KRB5KRB_AP_ERR_MODIFIED;
}
free_PA_ServerReferralData(&ref); free_PA_ServerReferralData(&ref);
if (!cmp) {
krb5_set_error_string(context, "krb5_principal_compare princ missing");
return KRB5KRB_AP_ERR_MODIFIED;
}
return ret; return ret;
noreferral: noreferral:
@@ -372,7 +398,9 @@ _krb5_extract_ticket(krb5_context context,
if (ret) if (ret)
goto out; goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
ret = check_server_referral(context, rep, ret = check_server_referral(context,
rep,
flags,
creds->server, creds->server,
tmp_principal, tmp_principal,
&creds->session); &creds->session);