As you will note, this doesn't apply cleanly to the 1.6 branch.
Personally I'd just pull up the difference too as it is improved error
messaging handling.
If you don't want to do that here's a 1.6 patch I'm using for Debian:
----------------------------------------------------------------------
r2783 (orig r2731): hartmans | 2007-04-28 16:19:23 -0400
* Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.
----------------------------------------------------------------------
=== remote/krb5/branches/experimental/krb5/debian/changelog
==================================================================
--- remote/krb5/branches/experimental/krb5/debian/changelog (revision 2782)
+++ remote/krb5/branches/experimental/krb5/debian/changelog (revision 2783)
@@ -4,8 +4,9 @@
* New Portuguese translation, thanks Miguel Figueiredo , Closes: #409318
* New Upstream release
- Update shlibs for new API
+ * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.
- -- Sam Hartman <hartmans@debian.org> Sun, 22 Apr 2007 05:52:49 -0400
+ -- Sam Hartman <hartmans@debian.org> Sat, 28 Apr 2007 16:21:03 -0400
krb5 (1.6.dfsg-1) experimental; urgency=low
=== remote/krb5/branches/experimental/krb5/src/lib/krb5/krb/rd_req_dec.c
==================================================================
--- remote/krb5/branches/experimental/krb5/src/lib/krb5/krb/rd_req_dec.c (revision 2782)
+++ remote/krb5/branches/experimental/krb5/src/lib/krb5/krb/rd_req_dec.c (revision 2783)
@@ -91,10 +91,24 @@
{
krb5_error_code retval = 0;
krb5_timestamp currenttime;
+ krb5_principal_data princ_data;
+
+ req->ticket->enc_part2 == NULL;
+ if (server && krb5_is_referral_realm(&server->realm)) {
+ char *realm;
+ princ_data = *server;
+ server = &princ_data;
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
+ princ_data.realm.data = realm;
+ princ_data.realm.length = strlen(realm);
+ }
+ if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ goto cleanup;
+ }
- if (server && !krb5_principal_compare(context, server, req->ticket->server))
- return KRB5KRB_AP_WRONG_PRINC;
-
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
@@ -102,12 +116,12 @@
if ((*auth_context)->keyblock) { /* User to User authentication */
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
- return retval;
+goto cleanup;
krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
- return retval;
+ goto cleanup;
}
/* XXX this is an evil hack. check_valid_flag is set iff the call
@@ -327,10 +341,13 @@
retval = 0;
cleanup:
+ if (server == &princ_data)
+ krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
/* only free if we're erroring out...otherwise some
applications will need the output. */
- krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ if (req->ticket->enc_part2)
+ krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
}
return retval;
