[27905] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix KDC reply service principal for aliases
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 28 13:51:40 2013
Date: Wed, 28 Aug 2013 13:51:30 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201308281751.r7SHpUx8030771@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/24a29f8c0f9f78f96e3795410e202b139fce6236
commit 24a29f8c0f9f78f96e3795410e202b139fce6236
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Aug 28 12:11:40 2013 -0400
Fix KDC reply service principal for aliases
If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
ticket: 7698
target_version: 1.11.4
tags: pullup
src/kdc/do_tgs_req.c | 23 +++++++++++++++--------
1 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2d5fcee..6710912 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,14 +217,21 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- /* XXX until nothing depends on request being mutated */
- krb5_free_principal(kdc_context, request->server);
- request->server = NULL;
- errcode = krb5_copy_principal(kdc_context, server->princ,
- &request->server);
- if (errcode != 0) {
- status = "COPYING RESOLVED SERVER";
- goto cleanup;
+ if (krb5_is_tgs_principal(server->princ)) {
+ /*
+ * We may be issuing an alternate TGT or host referral, in which case
+ * we should use the canonical name in the reply. XXX We should track
+ * the reply server separately instead of modifying request->server,
+ * but that requires a bunch of code changes.
+ */
+ krb5_free_principal(kdc_context, request->server);
+ request->server = NULL;
+ errcode = krb5_copy_principal(kdc_context, server->princ,
+ &request->server);
+ if (errcode != 0) {
+ status = "COPYING RESOLVED SERVER";
+ goto cleanup;
+ }
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5