svn rev #21677: branches/mskrb-integ/src/lib/krb5/krb/

hartmans@MIT.EDU hartmans at MIT.EDU
Fri Jan 2 20:28:32 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21677
Commit By: hartmans
Log Message:
krb5_rd_req: Don't set server to ticket->server
krb5_rd_req_decoded: change ticket->server to the principal we actually match from the keytab; this produces
    better application behavior, although it is somewhat non-intuitive.
    Set up the replay cache here because we have the server principal.


Changed Files:
U   branches/mskrb-integ/src/lib/krb5/krb/rd_req.c
U   branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req.c
===================================================================
--- branches/mskrb-integ/src/lib/krb5/krb/rd_req.c	2009-01-03 01:28:18 UTC (rev 21676)
+++ branches/mskrb-integ/src/lib/krb5/krb/rd_req.c	2009-01-03 01:28:31 UTC (rev 21677)
@@ -77,19 +77,6 @@
         *auth_context = new_auth_context;
     }
 
-    if (!server) {
-	server = request->ticket->server;
-    }
-    /* Get an rcache if necessary. */
-    if (((*auth_context)->rcache == NULL)
-	&& ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
-	&& server) {
-	if ((retval = krb5_get_server_rcache(context,
-					     krb5_princ_component(context,
-								  server,0),
-					     &(*auth_context)->rcache)))
-	    goto cleanup_auth_context;
-    }
 
 #ifndef LEAN_CLIENT 
     /* Get a keytab if necessary. */

Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c	2009-01-03 01:28:18 UTC (rev 21676)
+++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c	2009-01-03 01:28:31 UTC (rev 21677)
@@ -126,10 +126,25 @@
 	    retval = krb5_decrypt_tkt_part(context, &ktent.key,
 					   req->ticket);
 
+	    if (retval == 0 ) {
+		/*
+		 * We overwrite ticket->server to be the principal
+		 * that we match in the keytab.  The reason for doing
+		 * this is that GSS-API and other consumers look at
+		 * that principal to make authorization decisions
+		 * about whether the appropriate server is contacted.
+		 * It might be cleaner to create a new API and store
+		 * the server in the auth_context, but doing so would
+		 * probably miss existing uses of the server. Instead,
+		 * perhaps an API should be created to retrieve the
+		 * server as it appeared in the ticket.
+		 */
+		krb5_free_principal(context, req->ticket->server);
+		retval = krb5_copy_principal(context, ktent.principal, &req->ticket->server);
+		(void) krb5_free_keytab_entry_contents(context, &ktent);
+		break;
+	    }
 	    (void) krb5_free_keytab_entry_contents(context, &ktent);
-
-	    if (retval == 0)
-		break;
 	}
 
 	code = krb5_kt_end_seq_get(context, keytab, &cursor);
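Review bot: The added block frees `req->ticket->server` before `krb5_copy_principal` has succeeded, so on a copy failure (typically out of memory) the ticket can be left holding a pointer to a freed principal, unless the copy routine is guaranteed to overwrite its output argument on error. Whatever later frees the ticket would then release that principal a second time. Copying into a local first and swapping only on success keeps the ticket valid on every path; the rewritten block is below. The enclosing loop and function start and end outside this hunk.

```c
	    if (retval == 0 ) {
		krb5_principal matched = NULL;

		/* … unchanged: comment explaining why ticket->server is overwritten … */
		retval = krb5_copy_principal(context, ktent.principal, &matched);
		if (retval == 0) {
		    /* Release the old name only once the replacement exists. */
		    krb5_free_principal(context, req->ticket->server);
		    req->ticket->server = matched;
		}
		(void) krb5_free_keytab_entry_contents(context, &ktent);
		break;
	    }
```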
@@ -240,6 +255,19 @@
 	goto cleanup;
     }
 
+    if (!server) {
+	server = req->ticket->server;
+    }
+    /* Get an rcache if necessary. */
+    if (((*auth_context)->rcache == NULL)
+	&& ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+	&& server) {
+	if ((retval = krb5_get_server_rcache(context,
+					     krb5_princ_component(context,
+								  server,0),
+					     &(*auth_context)->rcache)))
+	  goto cleanup;
+    }
     /* okay, now check cross-realm policy */
 
 #if defined(_SINGLE_HOP_ONLY)
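Review bot: The comment `/* Get an rcache if necessary. */` no longer tells the reader which principal names the replay cache. When the caller passes no `server`, the code falls back to `req->ticket->server`, which the keytab-match block earlier in this file may by then have replaced with the keytab entry's principal (assuming that path runs before this point; the function body starts and ends outside the hunk). I would extend it to `/* Get an rcache if necessary; with no server argument it is named from ticket->server, which may be the keytab-matched principal rather than the name in the ticket. */`. The `goto cleanup;` line is also indented differently from the rest of the block.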



