

krb5 commit [krb5-1.10]: Don't return a host referral to the service

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Jan 8 18:18:17 2013

Date: Tue, 8 Jan 2013 18:18:08 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201301082318.r08NI81Z006131@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/745c0194ee93318cf4d44f6f8ccb7739523d448e
commit 745c0194ee93318cf4d44f6f8ccb7739523d448e
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Dec 6 21:40:05 2012 -0500

    Don't return a host referral to the service realm
    
    A host referral to the same realm we just looked up the principal in
    is useless at best and confusing to the client at worst.  Don't
    respond with one in the KDC.
    
    (backported from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa)
    
    ticket: 7536 (new)
    version_fixed: 1.10.4
    status: resolved

 src/kdc/do_tgs_req.c    |    6 +++++-
 src/tests/Makefile.in   |    1 +
 src/tests/t_referral.py |   21 +++++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 56d9869..9ff80cf 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1176,7 +1176,11 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
                 retval = KRB5KRB_AP_ERR_BADMATCH;
                 goto cleanup;
             }
-            if (realms[0] == 0) {
+            /* Don't return a referral to the null realm or the service
+             * realm. */
+            if (realms[0] == 0 ||
+                data_eq_string(request->server->realm, realms[0])) {
+                free(realms[0]);
                 free(realms);
                 retval = KRB5KRB_AP_ERR_BADMATCH;
                 goto cleanup;
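Review bot: The early-out added on lines 53-58 frees only `realms[0]` and the array itself, but `realms` appears to be the NULL-terminated list handed back by the host-realm lookup above this hunk, so any further entries leak whenever the first realm is the null realm or the service realm. The library ships the matching destructor for that list; replacing the two free() calls with `krb5_free_host_realm(kdc_context, realms);` (using whatever context handle the surrounding lookup used) releases every element and the array, and makes the `realms[0] == 0` case need no special treatment (free(NULL) is a no-op, but the intent is clearer). The comparison with data_eq_string is byte-exact, which is correct for Kerberos realm names; a short comment saying so, `/* Realm names are case-sensitive, so an exact byte match is the right test. */`, would stop a later reader from "fixing" it to a case-insensitive compare. prep_reprocess_req begins before this hunk and the cleanup label lies after it.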
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index a8ca464..793f312 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -73,6 +73,7 @@ check-pytests:: hist
 	$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
 #	$(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644
index 0000000..6654d71
--- /dev/null
+++ b/src/tests/t_referral.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir.  For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+                    expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+    fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')
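Review bot: The regression check on lines 94-95 is purely negative: it fails only if 'back to same realm' shows up in the trace, so an empty or never-written trace file (for instance if KRB5_TRACE is not honored by the built client or the env wrapper drops it) lets the test pass vacuously. Pair it with a positive assertion that the referral exchange actually took place, such as checking the trace for the TGS request for `x/z.y` or asserting on kvno's error output (via `expected_msg` if this k5test version supports it), so the test distinguishes "no bad referral" from "nothing happened". Two smaller points: `with open(tracefile) as f: trace = f.read()` replaces the open/read/close triple on lines 91-93, and the header comment cites ticket #7483 while the commit record cites 7536; `# regression test for #7483 (backported as #7536)` keeps both traceable.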
