svn rev #21668: branches/mskrb-integ/src/lib/krb5/krb/
hartmans@MIT.EDU
hartmans at MIT.EDU
Fri Jan 2 15:35:22 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21668
Commit By: hartmans
Log Message:
Using the server name as a hint
is inappropriate. The server name is a security constraint.
If set, it must constrain the principals
that can be authenticated to; otherwise applications may get behavior that breaks security policy.
It is a goal that applications need to change to take advantage of any server search.
Remove dead code
Changed Files:
U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2009-01-02 20:14:49 UTC (rev 21667)
+++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2009-01-02 20:35:22 UTC (rev 21668)
@@ -110,9 +110,7 @@
(void) krb5_free_keytab_entry_contents(context, &ktent);
}
- }
-
- if (retval == KRB5_KT_NOTFOUND && keytab->ops->start_seq_get != NULL) {
+ } else {
krb5_error_code code;
krb5_kt_cursor cursor;
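Review bot: The new `} else {` branch drops the `keytab->ops->start_seq_get != NULL` guard that the removed condition carried, so a keytab type without sequential access would now reach the cursor code with nothing in this hunk checking the op. The branch body and the condition of the preceding `if` lie outside the hunk, so a later check may exist; if none does, keep the guard and fail closed, for example `} else if (keytab->ops->start_seq_get == NULL) { retval = KRB5_KT_NOTFOUND; } else {`. The old condition also guaranteed that `retval` was `KRB5_KT_NOTFOUND` on entry, so the loop should be checked against whatever initial value `retval` now has if no entry decrypts the ticket. A short comment on the first branch would record the policy from the log message, such as `/* server is a constraint, not a hint: never fall back to other keytab entries */`.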
@@ -203,25 +201,8 @@
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
- /*
- * The following code is commented out now that match based on
- * key rather than name.
- */
-#if 0
- if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
- char *found_name = 0, *wanted_name = 0;
- if (krb5_unparse_name(context, server, &wanted_name) == 0
- && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
- krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
- "Wrong principal in request (found %s, wanted %s)",
- found_name, wanted_name);
- krb5_free_unparsed_name(context, wanted_name);
- krb5_free_unparsed_name(context, found_name);
- retval = KRB5KRB_AP_WRONG_PRINC;
- goto cleanup;
- }
-#endif
+
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */