[27914] in CVS-changelog-for-Kerberos-V5


krb5 commit: Stop modifying TGS requests for referrals

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 3 23:30:35 2013

Date: Tue, 3 Sep 2013 23:30:29 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201309040330.r843UTXN002440@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/9e37d01a0122904776fada43ec65425c375414d8
commit 9e37d01a0122904776fada43ec65425c375414d8
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Aug 30 12:19:44 2013 -0400

    Stop modifying TGS requests for referrals
    
    It is no longer necessary to modify request->server when we receive a
    referral.  The uses of request->server break down as follows:
    
    * Matching against previously issued tickets (e.g. for renewals).  We
      now explicitly disallow referrals for requests where we need to do
      that.
    
    * Using only the realm (e.g. for transited checking).  Referrals are
      cross-realm TGS entries within the same realm as the requested
      server principal, so this does not change.
    
    * Comparing to a local TGS principal (for restrict_anonymous_to_tgt
      enforcement).  Local TGS principals are not treated as referrals, so
      the sense of this comparison will not change if we use the original
      request.
    
    * Setting the sname and realm fields of a KRB-ERROR response.  RFC
      4120 and 6806 do not specify what we should put here for referrals
      or aliases and we are not aware of any uses of this field by
      clients, so putting the requested server principal here should be
      okay.

 src/kdc/do_tgs_req.c |   17 -----------------
 1 files changed, 0 insertions(+), 17 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index a71c01c..f047dd8 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -223,23 +223,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     is_referral = is_cross_tgs_principal(server->princ) &&
         !krb5_principal_compare(kdc_context, request->server, server->princ);
 
-    if (is_referral) {
-        /*
-         * We may be issuing an alternate TGT or a referral to another realm,
-         * in which case we should use the canonical name in the reply.  XXX We
-         * should track the reply server separately instead of modifying
-         * request->server, but that requires a bunch of code changes.
-         */
-        krb5_free_principal(kdc_context, request->server);
-        request->server = NULL;
-        errcode = krb5_copy_principal(kdc_context, server->princ,
-                                      &request->server);
-        if (errcode != 0) {
-            status = "COPYING RESOLVED SERVER";
-            goto cleanup;
-        }
-    }
-
     if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
         status = "TIME_OF_DAY";
         goto cleanup;
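Review bot: The reasoning for why request->server no longer needs to be rewritten (the four uses enumerated in the commit message) now lives only in the commit message; consider adding a short comment next to the `is_referral` assignment at the top of this hunk noting that request->server deliberately keeps the client-requested name even for referrals, so a future change to the KRB-ERROR sname/realm fill or to the restrict_anonymous_to_tgt comparison does not silently reintroduce the old assumption. Also worth confirming in the rest of process_tgs_req that `is_referral` (still computed on the two context lines above the removed block) remains in use, and that nothing else in the function relied on the "COPYING RESOLVED SERVER" error path that this hunk deletes.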
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
