Fix capaths "." values on client

Commit b72aef2 (ticket 6966) introduced k5_client_realm_path() for use on the client in place of krb5_walk_realm_tree(), but failed to handle the special case of a capaths "." value as is done in the latter function. Correct that omission and add a test case. ticket: 8646 (new) tags: pullup target_version: 1.16-next target_version: 1.15-next
krb5 · Mar 7, 2018 · f8d0877 · f8d0877
1 parent ec58ba0
commit f8d0877
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
@@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client,
     if (retval)
         return retval;
 
+    /* A capaths value of "." means no intermediates. */
+    if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') {
+        profile_free_list(capvals);
+        capvals = NULL;
+    }
+
     /* Count capaths (if any) and allocate space.  Leave room for the client
      * realm, server realm, and terminator. */
     for (i = 0; capvals != NULL && capvals[i] != NULL; i++);

diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
@@ -109,6 +109,16 @@ def tgt(r1, r2):
 check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ))
 stop(r1, r2, r3, r4)
 
+# A capaths value of '.' should enforce direct cross-realm, with no
+# intermediate.
+capaths = {'capaths': {'A.X': {'B.X': '.'}}}
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+                          args=({'realm': 'A.X', 'krb5_conf': capaths},
+                                {'realm': 'X'}, {'realm': 'B.X'}))
+r1.run([kvno, r3.host_princ], expected_code=1,
+       expected_msg='Server krbtgt/B.X@A.X not found in Kerberos database')
+stop(r1, r2, r3)
+
 # Test transited error.  The KDC for C does not recognize B as an
 # intermediate realm for A->C, so it refuses to issue a service
 # ticket.