diff --git a/kdc/kx509.c b/kdc/kx509.c index a943699fb..2e1977837 100644 --- a/kdc/kx509.c +++ b/kdc/kx509.c @@ -338,6 +338,7 @@ _kdc_do_kx509(krb5_context context, krb5_auth_context ac = NULL; krb5_keytab id = NULL; krb5_principal sprincipal = NULL, cprincipal = NULL; + krb5_principal principal = NULL; char *cname = NULL; Kx509Response rep; size_t size; @@ -398,36 +399,31 @@ _kdc_do_kx509(krb5_context context, if (ret) goto out; - { - krb5_principal principal = NULL; + ret = krb5_ticket_get_server(context, ticket, &principal); + if (ret) + goto out; - ret = krb5_ticket_get_server(context, ticket, &principal); + ret = krb5_principal_compare(context, sprincipal, principal); + if (ret != TRUE) { + char *expected, *used; + + ret = krb5_unparse_name(context, sprincipal, &expected); if (ret) goto out; - - ret = krb5_principal_compare(context, sprincipal, principal); - krb5_free_principal(context, principal); - if (ret != TRUE) { - char *expected, *used; - - ret = krb5_unparse_name(context, sprincipal, &expected); - if (ret) - goto out; - ret = krb5_unparse_name(context, principal, &used); - if (ret) { - krb5_xfree(expected); - goto out; - } - - ret = KRB5KDC_ERR_SERVER_NOMATCH; - krb5_set_error_message(context, ret, - "User %s used wrong Kx509 service " - "principal, expected: %s, used %s", - cname, expected, used); + ret = krb5_unparse_name(context, principal, &used); + if (ret) { krb5_xfree(expected); - krb5_xfree(used); goto out; } + + ret = KRB5KDC_ERR_SERVER_NOMATCH; + krb5_set_error_message(context, ret, + "User %s used wrong Kx509 service " + "principal, expected: %s, used %s", + cname, expected, used); + krb5_xfree(expected); + krb5_xfree(used); + goto out; } ret = krb5_auth_con_getkey(context, ac, &key); @@ -519,6 +515,8 @@ out: krb5_free_principal(context, sprincipal); if (cprincipal) krb5_free_principal(context, cprincipal); + if (principal) + krb5_free_principal(context, principal); if (key) krb5_free_keyblock (context, key); if (cname)