[27913] in CVS-changelog-for-Kerberos-V5
krb5 commit: Tighten up referral recognition in KDC TGS code
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 3 23:30:34 2013
Date: Tue, 3 Sep 2013 23:30:27 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201309040330.r843UR2C002373@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/2f37634ae89f8bd13ec64120fce56ba5613c498c
commit 2f37634ae89f8bd13ec64120fce56ba5613c498c
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Aug 29 18:17:29 2013 -0400
Tighten up referral recognition in KDC TGS code
In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
ticket: 7555
src/kdc/do_tgs_req.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 85f07f1..2402036 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,8 +217,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- is_referral = krb5_is_tgs_principal(server->princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+
+ /* If we got a cross-realm TGS which is not the requested server, we are
+ * issuing a referral (or alternate TGT, which we treat similarly). */
+ is_referral = is_cross_tgs_principal(server->princ) &&
+ !krb5_principal_compare(kdc_context, request->server, server->princ);
+
if (is_referral) {
/*
* We may be issuing an alternate TGT or a referral to another realm,
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5