[27905] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Fix KDC reply service principal for aliases

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 28 13:51:40 2013

Date: Wed, 28 Aug 2013 13:51:30 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201308281751.r7SHpUx8030771@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/24a29f8c0f9f78f96e3795410e202b139fce6236
commit 24a29f8c0f9f78f96e3795410e202b139fce6236
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Aug 28 12:11:40 2013 -0400

    Fix KDC reply service principal for aliases
    
    If a client requests a service ticket for the alias of a service
    principal, RFC 6806 section 6 requires that the KDC issue a ticket
    which appears to be for the alias and not for the canonical name.
    After calling search_sprinc(), only replace request->server with
    server->princ if the latter is a TGT; this will be the case for an
    alternate cross-realm TGT or a host referral, but not for a simple
    service alias.
    
    ticket: 7698
    target_version: 1.11.4
    tags: pullup

 src/kdc/do_tgs_req.c |   23 +++++++++++++++--------
 1 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2d5fcee..6710912 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,14 +217,21 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     if (errcode != 0)
         goto cleanup;
     sprinc = server->princ;
-    /* XXX until nothing depends on request being mutated */
-    krb5_free_principal(kdc_context, request->server);
-    request->server = NULL;
-    errcode = krb5_copy_principal(kdc_context, server->princ,
-                                  &request->server);
-    if (errcode != 0) {
-        status = "COPYING RESOLVED SERVER";
-        goto cleanup;
+    if (krb5_is_tgs_principal(server->princ)) {
+        /*
+         * We may be issuing an alternate TGT or host referral, in which case
+         * we should use the canonical name in the reply.  XXX We should track
+         * the reply server separately instead of modifying request->server,
+         * but that requires a bunch of code changes.
+         */
+        krb5_free_principal(kdc_context, request->server);
+        request->server = NULL;
+        errcode = krb5_copy_principal(kdc_context, server->princ,
+                                      &request->server);
+        if (errcode != 0) {
+            status = "COPYING RESOLVED SERVER";
+            goto cleanup;
+        }
     }
 
     if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

home help back first fref pref prev next nref lref last post