From 278b347c6f84140b4fc58d7c11749bbf6c44a50c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 6 Mar 2014 10:26:29 +0200
Subject: [PATCH] ipa-kdb: do not fetch client principal if it is the same as
 existing entry
When client principal is the same as supplied client entry, don't fetch it
again.
Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.
Also fix the inverted condition for the case when we didn't find the client principal
in the database, preventing a memory leak.
https://fedorahosted.org/freeipa/ticket/4223
Reviewed-By: Sumit Bose <sbose@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
9991ea
index 68f27f0e2d9028cdaece80c4bd3440d0438d20db..8481278760aba2d5dec5c337813f394633d67e46 100644
9991ea
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
9991ea
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
9991ea
@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
9991ea
     bool with_pad;
9991ea
     int result;
9991ea
     krb5_db_entry *client_entry = NULL;
9991ea
+    krb5_boolean is_equal;
9991ea
 
9991ea
 
9991ea
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
9991ea
@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
9991ea
     if (client_princ != NULL) {
9991ea
         ks_client_princ = client_princ;
9991ea
         if (!is_as_req) {
9991ea
-            kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
9991ea
-            /* If we didn't find client_princ in our database, it might be:
9991ea
-             * - a principal from another realm, handle it down in ipadb_get/verify_pac()
9991ea
-             */
9991ea
-            if (!kerr) {
9991ea
-                client_entry = NULL;
9991ea
+            is_equal = false;
9991ea
+            if ((client != NULL) && (client->princ != NULL)) {
9991ea
+                is_equal = krb5_principal_compare(context, client_princ, client->princ);
9991ea
+            }
9991ea
+            if (!is_equal) {
9991ea
+                kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
9991ea
+                /* If we didn't find client_princ in our database, it might be:
9991ea
+                 * - a principal from another realm, handle it down in ipadb_get/verify_pac()
9991ea
+                 */
9991ea
+                if (kerr != 0) {
9991ea
+                    client_entry = NULL;
9991ea
+                }
9991ea
             }
9991ea
         }
9991ea
     } else {
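Review bot: In the new `if (kerr != 0)` branch every failure of ipadb_get_principal() is treated as "principal from another realm", so a lookup that failed for an unrelated reason (directory unreachable, allocation failure) would send a local client down the cross-realm path in ipadb_get/verify_pac(). Assuming a missing entry is reported as KRB5_KDB_NOENTRY, only that code should clear the entry, `if (kerr == KRB5_KDB_NOENTRY) { client_entry = NULL; }`, and any other non-zero kerr should leave through the function's normal error path. Separately, when is_equal is true client_entry stays NULL, the same value used for the foreign-realm case, so a comment such as `/* client_entry stays NULL when client_princ matches client->princ; use client instead */` would make the intent explicit. Whether later code actually falls back to `client` cannot be confirmed here, because ipadb_sign_authdata starts and ends outside the hunk.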
-- 
1.8.5.3