From 512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sun, 6 Nov 2005 01:46:12 +0000
Subject: r11529: Disable DNS lookups for forwarded credentials, unless really, really wanted.

There is nothing that suggests that the host we forward credentials to will not have other interfaces, unassoicated with their service name. Likewise, the name may be a netbios, not DNS name. This should avoid some nasty DNS lookups.

Andrew Bartlett
(This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
---
 source4/heimdal/lib/krb5/get_for_creds.c | 75 +++++++++++++++++---------------
 1 file changed, 41 insertions(+), 34 deletions(-)

(limited to 'source4/heimdal/lib/krb5/get_for_creds.c')

diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index adb6000cd6..7bc8942f66 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -162,7 +162,8 @@ krb5_get_forwarded_creds (krb5_context context,
 {
 krb5_error_code ret;
 krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
+ krb5_addresses *paddrs = NULL;
+ krb5_addresses addrs;
 KRB_CRED cred;
 KrbCredInfo *krb_cred_info;
 EncKrbCredPart enc_krb_cred_part;
@@ -171,50 +172,56 @@ krb5_get_forwarded_creds (krb5_context context, size_t buf_size; krb5_kdc_flags kdc_flags; krb5_crypto crypto; - struct addrinfo *ai; int save_errno; krb5_creds *ticket; char *realm; + krb5_boolean noaddr_ever; + + addrs.len = 0; + addrs.val = NULL; if (in_creds->client && in_creds->client->realm) realm = in_creds->client->realm; else realm = in_creds->server->realm; - addrs.len = 0; - addrs.val = NULL; - paddrs = &addrs; - - /* - * If tickets are address-less, forward address-less tickets. - */ - - ret = _krb5_get_krbtgt (context, - ccache, - realm, - &ticket); - if(ret == 0) { - if (ticket->addresses.len == 0) - paddrs = NULL; - krb5_free_creds (context, ticket); + krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever", + TRUE, &noaddr_ever); + if (!noaddr_ever) { + struct addrinfo *ai; + paddrs = &addrs; + + /* + * If tickets are address-less, forward address-less tickets. + */ + + ret = _krb5_get_krbtgt (context, + ccache, + realm, + &ticket); + if(ret == 0) { + if (ticket->addresses.len == 0) + paddrs = NULL; + krb5_free_creds (context, ticket); + } + + if (paddrs != NULL) { + + ret = getaddrinfo (hostname, NULL, NULL, &ai); + if (ret) { + save_errno = errno; + krb5_set_error_string(context, "resolving %s: %s", + hostname, gai_strerror(ret)); + return krb5_eai_to_heim_errno(ret, save_errno); + } + + ret = add_addrs (context, &addrs, ai); + freeaddrinfo (ai); + if (ret) + return ret; + } } - - if (paddrs != NULL) { - ret = getaddrinfo (hostname, NULL, NULL, &ai); - if (ret) { - save_errno = errno; - krb5_set_error_string(context, "resolving %s: %s", - hostname, gai_strerror(ret)); - return krb5_eai_to_heim_errno(ret, save_errno); - } - - ret = add_addrs (context, &addrs, ai); - freeaddrinfo (ai); - if (ret) - return ret; - } - kdc_flags.b = int2KDCOptions(flags); ret = krb5_get_kdc_cred (context, -- cgit
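Review bot: The `krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever", TRUE, &noaddr_ever)` call flips the default: unless a deployment explicitly sets the option to false, the krbtgt address check and the `getaddrinfo` lookup are skipped and `paddrs` stays NULL, so the forwarded ticket carries no address binding and is usable from any host that obtains it. Nothing in the new code records the option name or why address-less is now the default, and the `realm` argument (client realm, falling back to the server realm) decides which configuration section is consulted, so a comment above the call would help, e.g. `/* Default to address-less forwarded tickets: the target host may have interfaces unrelated to its service name or be a NetBIOS name, so resolving it is unreliable. Set no-addresses-ever = false to restore address-bound forwarding. */`. With the appname argument NULL the lookup presumably falls back to the calling program's name, so the setting may need to be configured per application rather than only per realm; please confirm against the `krb5_appdefault_boolean` implementation. The `if (!noaddr_ever)` block otherwise keeps the previous logic unchanged; krb5_get_forwarded_creds begins before and continues after this hunk.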