[27913] in CVS-changelog-for-Kerberos-V5

krb5 commit: Tighten up referral recognition in KDC TGS code

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 3 23:30:34 2013

Date: Tue, 3 Sep 2013 23:30:27 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201309040330.r843UR2C002373@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/2f37634ae89f8bd13ec64120fce56ba5613c498c
commit 2f37634ae89f8bd13ec64120fce56ba5613c498c
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Aug 29 18:17:29 2013 -0400

    Tighten up referral recognition in KDC TGS code
    
    In do_tgs_req(), treat the search_sprinc() result as a referral only
    if it is a cross-TGS principal and it doesn't match the requested
    server principal.  This change fixes two corner cases: (1) when a
    client requests a cross-realm TGT, we won't squash the name type in
    the response; and (2) if we are serving multiple realms out of the
    same KDB, we will properly handle aliases to any local-realm TGT, not
    just the one for the configured realm name.
    
    ticket: 7555

 src/kdc/do_tgs_req.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 85f07f1..2402036 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,8 +217,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     if (errcode != 0)
         goto cleanup;
     sprinc = server->princ;
-    is_referral = krb5_is_tgs_principal(server->princ) &&
-        !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+
+    /* If we got a cross-realm TGS which is not the requested server, we are
+     * issuing a referral (or alternate TGT, which we treat similarly). */
+    is_referral = is_cross_tgs_principal(server->princ) &&
+        !krb5_principal_compare(kdc_context, request->server, server->princ);
+
     if (is_referral) {
         /*
          * We may be issuing an alternate TGT or a referral to another realm,
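
Review bot: The rewritten is_referral assignment lands without a regression test; the diffstat shows only src/kdc/do_tgs_req.c changed. Suggest adding KDC tests for the two cases the commit message names: a client requesting a cross-realm TGT directly (name type preserved in the response), and an alias resolving to a local-realm TGT when several realms are served from one KDB. The new comment could also state that a lookup result equal to request->server is deliberately not treated as a referral, since the comparison moved from tgs_server to request->server and the comment does not say why. Minor: the commit message refers to do_tgs_req(), while the hunk header places the change in process_tgs_req().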