svn rev #21552: branches/mskrb-integ/src/kdc/
lhoward@MIT.EDU
lhoward at MIT.EDU
Fri Dec 19 09:45:10 EST 2008
http://src.mit.edu/fisheye/changelog/krb5/?cs=21552
Commit By: lhoward
Log Message:
don't return TGS referrals if canonicalize flag unset
Changed Files:
U branches/mskrb-integ/src/kdc/do_tgs_req.c
U branches/mskrb-integ/src/kdc/kdc_util.c
U branches/mskrb-integ/src/kdc/kdc_util.h
Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-19 01:50:24 UTC (rev 21551)
+++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-19 14:45:08 UTC (rev 21552)
@@ -195,18 +195,9 @@
nprincs = 1;
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
- /*
- * TGS-REP canonicalization matches Windows 2003 rather
- * than Windows 2000. This means that we should indicate
- * to the backend to always return referrals by setting
- * KDB_FLAG_CANONICALIZE, and we should also always
- * return the requested SPN in the reply regardless of
- * whether KDC_OPT_CANONICALIZE was set or not.
- */
- setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
-
errcode = krb5_db_get_principal_ext(kdc_context,
request->server,
s_flags,
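Review bot: The rationale removed with the comment block has no replacement, so the moved `setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE)` inside the KDC_OPT_CANONICALIZE branch gives no hint why the server lookup now asks the backend for referrals only when the client requested canonicalization. A one-line comment above the `if` would keep that context for the next reader, e.g. `/* Ask the backend for TGS referrals only when the client set KDC_OPT_CANONICALIZE (rev 21552). */`. The enclosing function starts and continues outside the hunk.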
@@ -265,7 +256,8 @@
if (!is_local_principal(header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
- is_referral = is_tgs_referral(kdc_context, request, &server);
+ is_referral = isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
+ krb5_is_tgs_principal(server.princ);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
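Review bot: The new `is_referral` expression on the two added lines treats any TGS principal returned under a canononicalizing lookup as a referral, which also matches a client that explicitly requested a krbtgt principal with KDC_OPT_CANONICALIZE set; the deleted is_tgs_referral() keyed on KRB5_TL_SVR_REFERRAL_DATA and did not have that overlap. If is_referral selects referral-specific handling later in the function (outside the hunk), a direct krbtgt request would now take that path too. Comparing the returned entry against what the client asked for restores the distinction: `is_referral = isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && krb5_is_tgs_principal(server.princ) && !krb5_principal_compare(kdc_context, request->server, server.princ);`. The enclosing function starts and ends outside the hunk.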
@@ -300,11 +292,11 @@
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
- c_flags,
- &st_client,
- &st_nprincs,
- &st_sealing_key,
- &st_srv_kvno))) {
+ c_flags,
+ &st_client,
+ &st_nprincs,
+ &st_sealing_key,
+ &st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
Modified: branches/mskrb-integ/src/kdc/kdc_util.c
===================================================================
--- branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-19 01:50:24 UTC (rev 21551)
+++ branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-19 14:45:08 UTC (rev 21552)
@@ -439,7 +439,7 @@
}
retval = krb5_dbe_find_enctype(kdc_context, server,
ticket->enc_part.enctype, -1,
- ticket->enc_part.kvno, &server_key);
+ (krb5_int32)ticket->enc_part.kvno, &server_key);
if (retval)
goto errout;
if (!server_key) {
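Review bot: The added cast `(krb5_int32)ticket->enc_part.kvno` narrows the unsigned kvno taken from the ticket to a signed argument with no range check, so a wire value of 0xFFFFFFFF arrives as -1. If krb5_dbe_find_enctype gives a negative kvno a wildcard meaning, as the literal -1 already passed for the preceding argument suggests, such a ticket would select a key by wildcard rather than by the version it names; the decryption that follows still has to succeed, so the exposure is bounded, but the function should reject out-of-range values before the call rather than rely on the cast, e.g. `if (ticket->enc_part.kvno > INT32_MAX) { retval = KRB5KRB_AP_ERR_BADKEYVER; goto errout; }`. The enclosing function starts and continues outside the hunk.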
@@ -739,7 +739,7 @@
/* Note that the second test here is an unsigned comparison,
so the first half (or a cast) is also required. */
- assert(nlst < 0 || nlst < sizeof(next));
+ assert(nlst < 0 || nlst < (int)sizeof(next));
if ((nlst < 0 || next[nlst] != '.') &&
(next[0] != '/') &&
(pl = subrealm(exp, realm))) {
@@ -1119,7 +1119,7 @@
lastlevel = tag;
if (levels == level) {
/* in our context-dependent class, is this the one we're looking for ? */
- if (tag == field) {
+ if (tag == (int)field) {
/* return length and data */
astream++;
savelen = *astream;
@@ -2224,20 +2224,3 @@
return 0;
}
-krb5_boolean
-is_tgs_referral(krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *server)
-{
- krb5_tl_data tl_data;
-
- tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA;
- tl_data.tl_data_contents = NULL;
-
- if (krb5_dbe_lookup_tl_data(context, server, &tl_data) == 0 &&
- tl_data.tl_data_length != 0) {
- return TRUE;
- }
-
- return FALSE;
-}
Modified: branches/mskrb-integ/src/kdc/kdc_util.h
===================================================================
--- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-19 01:50:24 UTC (rev 21551)
+++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-19 14:45:08 UTC (rev 21552)
@@ -266,11 +266,6 @@
krb5_db_entry *server,
krb5_db_entry *krbtgt);
-krb5_boolean
-is_tgs_referral(krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *server);
-
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
#define clear(flagfield, flag) (flagfield &= ~(flag))