From: Sam Hartman
Date: Wed, 23 Dec 2009 21:09:46 +0000 (+0000)
Subject: Revert "In case of anonymous client principal, use the realm of the server"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bc0770ed397b04b06bc021d1aed1fc5c5b87c0b;p=thirdparty%2Fkrb5.git
Revert "In case of anonymous client principal, use the realm of the server"
This reverts commit 34d2748e9052debc6a061911c2c786b46507b531.
As the entire working group has apparently forgotten, the KDC-REQ body only has one realm field. That's used in an AS REQ for both the server and client realm . So, in the anonymous pkinit case, I think we want to send using a client of WELLKNOWN/ANONYMOUS@REAL_REALM. Waiting to hear back from the WG on this.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23491 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 7875e758aa..b13c9a94c8 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1047,47 +1047,37 @@ build_in_tkt_name(krb5_context context, *server = NULL; if (in_tkt_service) { + /* this is ugly, because so are the data structures involved. I'm + in the library, so I'm going to manipulate the data structures + directly, otherwise, it will be worse. */ if ((ret = krb5_parse_name(context, in_tkt_service, server))) return ret; - /* stuff the client realm into the server principal. unless using anonymous + /* stuff the client realm into the server principal. realloc if necessary */ - if (!krb5_principal_compare( context, client, krb5_anonymous_principal())) { - if ((*server)->realm.length < client->realm.length) { - char *p = realloc((*server)->realm.data, - client->realm.length); - if (p == NULL) { - krb5_free_principal(context, *server); - *server = NULL; - return ENOMEM; - } - (*server)->realm.data = p; + if ((*server)->realm.length < client->realm.length) { + char *p = realloc((*server)->realm.data, + client->realm.length); + if (p == NULL) { + krb5_free_principal(context, *server); + *server = NULL; + return ENOMEM; } - - (*server)->realm.length = client->realm.length; - memcpy((*server)->realm.data, client->realm.data, client->realm.length); + (*server)->realm.data = p; } + + (*server)->realm.length = client->realm.length; + memcpy((*server)->realm.data, client->realm.data, client->realm.length); } else { - krb5_data realm = (krb5_data ) client->realm; - char *free_realm = NULL; - if (krb5_principal_compare(context, client, krb5_anonymous_principal())) { - ret = krb5_get_default_realm( context, &free_realm); - if (ret != 0) - return ret; - realm.data = free_realm; - realm.length = strlen(free_realm); - } ret = krb5_build_principal_ext(context, server, - realm.length, - realm.data, + client->realm.length, + client->realm.data, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, - realm.length, - realm.data, + client->realm.length, + client->realm.data, 0); - if (free_realm) - krb5_free_default_realm( context, free_realm); } return ret; }
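Review bot: After this revert both branches copy `client->realm` into the server principal unconditionally, so `build_in_tkt_name` now relies on every caller handing in an anonymous client that already carries the real realm (the `WELLKNOWN/ANONYMOUS@REAL_REALM` form the commit message describes), and nothing in the hunk states or checks that. If a client principal still carrying an anonymous realm reaches this function, the request would presumably be built for a `krbtgt` in that realm rather than the intended one. I would record the precondition above the realm copy, for example `/* client->realm must be the real realm, also for anonymous clients: the KDC-REQ body has one realm field shared by client and server */`. Separately, the `realloc` in the `in_tkt_service` branch sizes the buffer to exactly `client->realm.length` and the `memcpy` writes no terminator, which is safe only as long as no consumer reads `realm.data` as a C string; that cannot be verified from this hunk. The function's signature and opening lines lie outside the hunk.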