From 840dc40574530b1608d87411fdcde8eff1029b97 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Fri, 20 May 2016 10:10:14 +0000 Subject: [PATCH] Refine name canonicalization When storing credentials whose ticket principal is not equal to the requested principal, store the ticket under both names not only when the original realm is the referral realm, but more generally for any difference at all. This matches MIT behaviour. Allow explicit name_canon rules to specify a realm to go with the canonicalized hostname, if that realm is empty the effect is the same "use-referrals" Also fix segfault when no creds and debugging --- lib/krb5/get_cred.c | 7 +++---- lib/krb5/principal.c | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c index 54fcdc097..527811da3 100644 --- a/lib/krb5/get_cred.c +++ b/lib/krb5/get_cred.c @@ -1218,7 +1218,7 @@ static void store_cred(krb5_context context, krb5_ccache ccache, krb5_const_principal server_princ, krb5_creds *creds) { - if (strcmp(server_princ->realm, "") == 0) { + if (!krb5_principal_compare(context, creds->server, server_princ)) { krb5_principal tmp_princ = creds->server; /* * Store the cred with the pre-canon server princ first so it @@ -1229,7 +1229,6 @@ store_cred(krb5_context context, krb5_ccache ccache, creds->server = tmp_princ; /* Then store again with the canonicalized server princ */ } - krb5_cc_store_cred(context, ccache, creds); } @@ -1333,7 +1332,7 @@ next_rule: if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0) store_cred(context, ccache, in_creds->server, *out_creds); - if (_krb5_have_debug(context, 5)) { + if (ret == 0 && _krb5_have_debug(context, 5)) { char *unparsed; ret = krb5_unparse_name(context, (*out_creds)->server, &unparsed); @@ -1595,7 +1594,7 @@ next_rule: if (ret == 0 && (options & KRB5_GC_NO_STORE) == 0) store_cred(context, ccache, inprinc, *out_creds); - if (_krb5_have_debug(context, 5)) { + if (ret == 0 && _krb5_have_debug(context, 5)) { char *unparsed; ret = krb5_unparse_name(context, (*out_creds)->server, &unparsed); diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c index 93ecde1f9..ced80a529 100644 --- a/lib/krb5/principal.c +++ b/lib/krb5/principal.c @@ -1563,7 +1563,7 @@ parse_name_canon_rules(krb5_context context, char **rulestrs, /* Validate parsed rule */ if (r[k].type == KRB5_NCRT_BOGUS || (r[k].type == KRB5_NCRT_QUALIFY && !r[k].domain) || - (r[k].type == KRB5_NCRT_NSS && (r[k].domain || r[k].realm))) { + (r[k].type == KRB5_NCRT_NSS && r[k].domain)) { /* Invalid rule; mark it so and clean up */ r[k].type = KRB5_NCRT_BOGUS; free(r[k].match_domain);