Fix capaths "." values on client

Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function.  Correct that
omission and add a test case.

(cherry picked from commit f8d0877f848563d07152a0ee191fe82846fdb8f1)

ticket: 8646
version_fixed: 1.15.3

diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index 0566a55f1f2e86a2f6fca6309db866d94f0e670c..f4e8e35f5333bc1b423648635063cc50ee743be7 100644 (file)
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client,
     if (retval)
         return retval;
 
+    /* A capaths value of "." means no intermediates. */
+    if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') {
+        profile_free_list(capvals);
+        capvals = NULL;
+    }
+
     /* Count capaths (if any) and allocate space.  Leave room for the client
      * realm, server realm, and terminator. */
     for (i = 0; capvals != NULL && capvals[i] != NULL; i++);

diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
index 0d967b8a50f20d811a9eeef2e64f34dd702f8a14..cd4facfa5e6d0a4d7d165b298389631b10401389 100755 (executable)
--- a/src/tests/t_crossrealm.py
+++ b/src/tests/t_crossrealm.py
@@ -78,6 +78,17 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
 test_kvno(r1, r4.host_princ, 'KDC capaths')
 stop(r1, r2, r3, r4)
 
+# A capaths value of '.' should enforce direct cross-realm, with no
+# intermediate.
+capaths = {'capaths': {'A.X': {'B.X': '.'}}}
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+                          args=({'realm': 'A.X', 'krb5_conf': capaths},
+                                {'realm': 'X'}, {'realm': 'B.X'}))
+output = r1.run([kvno, r3.host_princ], expected_code=1)
+if 'Server krbtgt/B.X@A.X not found in Kerberos database' not in output:
+    fail('capaths ".": Expected error message not in output')
+stop(r1, r2, r3)
+
 # Test transited error.  The KDC for C does not recognize B as an
 # intermediate realm for A->C, so it refuses to issue a service
 # ticket.