svn commit: lorikeet r650 - in trunk/heimdal/lib: gssapi/krb5 krb5

abartlet at samba.org abartlet at samba.org
Mon Nov 6 00:41:48 GMT 2006


Author: abartlet
Date: 2006-11-06 00:41:47 +0000 (Mon, 06 Nov 2006)
New Revision: 650

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=650

Log:
Add another error message, if there is no ticket to get the authz data from.

Fix extraction of authz data from the AuthorizationData sequence:  

Where we had
 IF-RELEVANT::
	WIN2K-PAC
 IF-RELEVANT::
	SIGNED-PATH

The recursion into find_type_in_ad() for the second element would set
ret = ENOENT, and therefore the tail would set *found = FALSE, despite
the data already being found.

Andrew Bartlett

Modified:
   trunk/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
   trunk/heimdal/lib/krb5/ticket.c


Changeset:
Modified: trunk/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
===================================================================
--- trunk/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c	2006-11-05 23:39:19 UTC (rev 649)
+++ trunk/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c	2006-11-06 00:41:47 UTC (rev 650)
@@ -188,6 +188,7 @@
     if (context_handle->ticket == NULL) {
 	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 	*minor_status = EINVAL;
+	_gsskrb5_set_status("No ticket to obtain authz data from");
 	return GSS_S_FAILURE;
     }
 

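Review bot: The new status string on the `context_handle->ticket == NULL` path helps, but `*minor_status` is still the generic `EINVAL`, so a caller that only inspects the minor status cannot tell "context has no ticket" apart from a genuinely bad argument. Consider a more specific minor status for this path, and state in the message that the ticket is missing from the security context, so it is clear which object had no ticket.
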
Modified: trunk/heimdal/lib/krb5/ticket.c
===================================================================
--- trunk/heimdal/lib/krb5/ticket.c	2006-11-05 23:39:19 UTC (rev 649)
+++ trunk/heimdal/lib/krb5/ticket.c	2006-11-06 00:41:47 UTC (rev 650)
@@ -107,7 +107,11 @@
 		const AuthorizationData *ad,
 		int level)
 {
-    krb5_error_code ret = ENOENT;
+    /* It is not an error if nothing in here, that is reported by *found */
+    /* Setting a default error causes found to be set to FALSE, on
+     * recursion to an second embedded authz data even if the first
+     * element contains the required type */
+    krb5_error_code ret = 0;
     int i;
 
     if (level > 9) {
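Review bot: Changing the default to `krb5_error_code ret = 0;` alters the function's contract: a missing element is now reported only through `*found`, and the return value is 0. Any caller that still treats a zero return as "authorization data of this type is present" will now accept a ticket with no PAC or signed path, so every call site should be checked to test `*found` as well as `ret`, and the contract should be stated in the function's header comment rather than only next to the initializer. Minor: the two new comments can be merged into one, and "an second" should read "a second".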
@@ -117,10 +121,6 @@
 	goto out;
     }
 
-    /* Default case to match ret = ENOENT above */
-    krb5_set_error_string(context, "Authorization data does not contain element of type %d", 
-			  type);
-
     /*
      * Only copy out the element the first time we get to it, we need
      * to run over the whole authorization data fields to check if
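Review bot: Dropping the default `krb5_set_error_string(...)` call means the "Authorization data does not contain element of type %d" text is no longer produced anywhere in this function when the type is absent. Since absence is now signalled by `*found` with `ret == 0`, the caller that turns a false `*found` into an error should set an equivalent string itself, otherwise the diagnostic naming the missing type is lost.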
@@ -228,9 +228,6 @@
 	    krb5_data_free(data);
 	    *found = 0;
 	}
-    } else {
-	    /* clear default error string from above */
-	    krb5_clear_error_string(context);
     }
     return ret;
 }
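Review bot: The tail that runs `krb5_data_free(data); *found = 0;` is kept, so the fix relies entirely on `ret` staying 0 when a later sibling simply lacks the type. A regression test using the layout from the log message (two IF-RELEVANT containers, the first holding WIN2K-PAC and the second SIGNED-PATH) would pin this down: it should assert that `*found` is true and the data is returned for the first type. Also note that with the `else` removed nothing here clears the error string on success, which is consistent with the default string being removed above, but it means any string left by an earlier call stays in place when this function returns 0.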


