oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Use principal not found in keytab code.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24267 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-01-11 21:46:26 +00:00
parent 251266e7e2
commit e8648d75b0
1 changed files with 22 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
lib/krb5/rd_req.c
View File

@@ -803,8 +803,7 @@ out:
* that will verify the reply. * that will verify the reply.
* @param inctx control the behavior of the function, if NULL, the * @param inctx control the behavior of the function, if NULL, the
* default behavior is used. * default behavior is used.
* @param outctx the return outctx,can be NULL. If set and function * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free().
* returns 0, free with krb5_rd_req_out_ctx_free()
* @return Kerberos 5 error code, see krb5_get_error_message(). * @return Kerberos 5 error code, see krb5_get_error_message().
* *
* @ingroup krb5_auth * @ingroup krb5_auth
@@ -842,6 +841,14 @@ krb5_rd_req_ctx(krb5_context context,
if(ret) if(ret)
goto out; goto out;
/* Save that principal that was in the request */
ret = _krb5_principalname2krb5_principal(context,
&o->server,
ap_req.ticket.sname,
ap_req.ticket.realm);
if (ret)
goto out;
if (ap_req.ap_options.use_session_key && if (ap_req.ap_options.use_session_key &&
(*auth_context)->keyblock == NULL) { (*auth_context)->keyblock == NULL) {
ret = KRB5KRB_AP_ERR_NOKEY; ret = KRB5KRB_AP_ERR_NOKEY;
@@ -879,10 +886,11 @@ krb5_rd_req_ctx(krb5_context context,
goto out; goto out;
} }
/*
* If we got an exact keymatch, use that.
*/
if (o->keyblock) { if (o->keyblock) {
/*
* We got an exact keymatch, use that.
*/
ret = krb5_verify_ap_req2(context, ret = krb5_verify_ap_req2(context,
auth_context, auth_context,
&ap_req, &ap_req,
@@ -897,6 +905,10 @@ krb5_rd_req_ctx(krb5_context context,
goto out; goto out;
} else { } else {
/*
* Interate over keytab to find a key that can decrypt the request.
*/
krb5_keytab_entry entry; krb5_keytab_entry entry;
krb5_kt_cursor cursor; krb5_kt_cursor cursor;
krb5_keytab id = NULL; krb5_keytab id = NULL;
@@ -921,17 +933,17 @@ krb5_rd_req_ctx(krb5_context context,
if (ret) if (ret)
goto out; goto out;
/*
* Interate over keytab to find a key that can decrypt the request.
*/
done = 0; done = 0;
while (!done) { while (!done) {
krb5_principal p; krb5_principal p;
ret = krb5_kt_next_entry(context, id, &entry, &cursor); ret = krb5_kt_next_entry(context, id, &entry, &cursor);
if (ret) if (ret) {
_krb5_kt_principal_not_found(context, ret, id, o->server,
ap_req.ticket.enc_part.etype,
kvno);
goto out; goto out;
}
if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype || if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype ||
(kvno && kvno != entry.vno)) { (kvno && kvno != entry.vno)) {
@@ -982,15 +994,6 @@ krb5_rd_req_ctx(krb5_context context,
krb5_kt_end_seq_get (context, id, &cursor); krb5_kt_end_seq_get (context, id, &cursor);
} }
/* Save that principal that was in the request */
ret = _krb5_principalname2krb5_principal(context,
&o->server,
ap_req.ticket.sname,
ap_req.ticket.realm);
if (ret)
goto out;
/* If there is a PAC, verify its server signature */ /* If there is a PAC, verify its server signature */
if (inctx == NULL || inctx->check_pac) { if (inctx == NULL || inctx->check_pac) {
krb5_pac pac; krb5_pac pac;