From 3d15cfc3ca8fb159e8b4a22717a3d53421e3c88a Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sun, 17 Oct 2004 21:24:19 +0000 Subject: [PATCH] krb5-no-dot-20041017 Generate error in the client if a krb5 principal contains a dot in the first component. --- src/WINNT/afsd/afskfw.c | 24 ++++++++++++++++-------- src/WINNT/aklog/aklog.c | 16 +++++++++++----- 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c index 823c60cf1..743374a28 100644 --- a/src/WINNT/afsd/afskfw.c +++ b/src/WINNT/afsd/afskfw.c @@ -927,11 +927,11 @@ KFW_import_windows_lsa(void) princ_realm = krb5_princ_realm(ctx, princ); for ( i=0; ilength; i++ ) { - realm[i] = princ_realm->data[i]; + realm[i] = princ_realm->data[i]; cell[i] = tolower(princ_realm->data[i]); } - cell[i] = '\0'; - realm[i] = '\0'; + cell[i] = '\0'; + realm[i] = '\0'; code = KFW_AFS_klog(ctx, cc, "afs", cell, realm, pLeash_get_default_lifetime(),NULL); if ( IsDebuggerPresent() ) { @@ -2583,10 +2583,10 @@ KFW_AFS_klog( memset(ServiceName, '\0', sizeof(ServiceName)); memset(realm_of_user, '\0', sizeof(realm_of_user)); memset(realm_of_cell, '\0', sizeof(realm_of_cell)); - if (cell && cell[0]) - strcpy(Dmycell, cell); - else - memset(Dmycell, '\0', sizeof(Dmycell)); + if (cell && cell[0]) + strcpy(Dmycell, cell); + else + memset(Dmycell, '\0', sizeof(Dmycell)); // NULL or empty cell returns information on local cell if (rc = KFW_AFS_get_cellconfig(Dmycell, &ak_cellconfig, local_cell)) 
@@ -2612,13 +2612,21 @@ KFW_AFS_klog( memset((char *)&increds, 0, sizeof(increds)); code = pkrb5_cc_get_principal(ctx, cc, &client_principal); - if (code) { + if (code) { if ( code == KRB5_CC_NOTFOUND && IsDebuggerPresent() ) { OutputDebugString("Principal Not Found for ccache\n"); } goto skip_krb5_init; } + + if ( strchr(krb5_princ_component(ctx,client_principal,0),'.') != NULL ) + { + OutputDebugString("Illegal Principal name contains dot in first component\n"); + rc = KRB5KRB_ERR_GENERIC; + goto cleanup; + } + i = krb5_princ_realm(ctx, client_principal)->length; if (i > REALM_SZ-1) i = REALM_SZ-1; diff --git a/src/WINNT/aklog/aklog.c b/src/WINNT/aklog/aklog.c index 27ce5b08f..a226d3a15 100644 --- a/src/WINNT/aklog/aklog.c +++ b/src/WINNT/aklog/aklog.c @@ -390,11 +390,11 @@ static int get_v5cred(krb5_context context, memset((char *)&increds, 0, sizeof(increds)); - if ((r = krb5_build_principal(context, &increds.server, - strlen(realm), realm, - name, - (inst && strlen(inst)) ? inst : 0, - 0))) { + if ((r = krb5_build_principal(context, &increds.server, + strlen(realm), realm, + name, + (inst && strlen(inst)) ? inst : 0, + 0))) { return((int)r); } @@ -624,6 +624,12 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm) { /* using krb5 */ int retry = 1; + if ( strchr(name,'.') != NULL ) { + fprintf(stderr, "%s: Can't support principal names including a dot.\n", + progname); + return(AKLOG_MISC); + } + try_v5: if (dflag) printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_cell); -- 2.39.5
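Review bot: The new dot check in KFW_AFS_klog hands the result of `krb5_princ_component(ctx,client_principal,0)` directly to `strchr`, but in MIT krb5 that macro yields a `krb5_data *` (NULL when the principal has no components), not a C string. The scan would therefore walk the bytes of the struct instead of the component text, so the guard may neither fire reliably nor stay in bounds. Because `krb5_data` carries an explicit length and its buffer is not guaranteed to be NUL-terminated, a bounded search is safer: `krb5_data *first = krb5_princ_component(ctx, client_principal, 0);` followed by `if ( first == NULL || memchr(first->data, '.', first->length) != NULL )`. The neighbouring "Principal Not Found" message is gated on `IsDebuggerPresent()` while the added `OutputDebugString` is unconditional, which is worth making consistent. The function starts and ends outside this hunk, so whether the `cleanup` label releases `client_principal` on this new path cannot be confirmed from here.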
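Review bot: The added test in auth_to_cell inspects `name`, which the `printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_cell)` just below suggests is the first component of the service ticket being requested, not the user's own principal. The commit message describes rejecting a client principal with a dot in its first component, so if that reading is right the guard does not cover the case it is meant to. It would then need to run against the client name taken from the obtained credential, which lies outside this hunk. A one-line comment above the check would also help the next reader, for example `/* a dot in the first component is ambiguous with the krb4 name.instance form */`, assuming that is the motivation. The body of auth_to_cell continues beyond the hunk, so later uses of `name` are not visible here.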