[27915] in CVS-changelog-for-Kerberos-V5


krb5 commit: Explicitly prevent referrals for certain requests

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 3 23:30:35 2013

Date: Tue, 3 Sep 2013 23:30:29 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201309040330.r843UTM5002399@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/8a9909ff9ef6b51c5ed09ead6713888fbb34072f
commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Aug 30 12:14:00 2013 -0400

    Explicitly prevent referrals for certain requests
    
    For ticket modification requests (such as renewals), u2u requests, and
    S4U2Self requests, the requested server principal is expected to match
    a previously issued ticket.  If that principal no longer exists, we
    must fail the request; we cannot issue a referral.  We are currently
    doing that by rewriting request->server to the referral principal,
    which causes the match against the ticket to fail.  Since we would
    like to stop modifying the request, we must explicitly prevent
    referrals in these cases.
    
    We don't find out whether a request is S4U2Self until after we've
    looked up the server principal, so for now we have to make a
    retroactive check for a referral after calling
    kdc_process_s4u2self_req.

 src/kdc/do_tgs_req.c |   19 +++++++++++++++++--
 src/kdc/kdc_util.h   |    4 ++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2402036..a71c01c 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -270,8 +270,16 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                        &status);
     if (errcode)
         goto cleanup;
-    if (s4u_x509_user != NULL)
+    if (s4u_x509_user != NULL) {
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
+        if (is_referral) {
+            /* The requesting server appears to no longer exist, and we found
+             * a referral instead.  Treat this as a server lookup failure. */
+            errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+            status = "LOOKING_UP_SERVER";
+            goto cleanup;
+        }
+    }
 
     errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
                              &stkt_server, &status);
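Review bot: The comment added at the `is_referral` check says what was found (a referral) but not why a referral is unacceptable for S4U2Self, which only the commit message explains; a reader of the code alone cannot tell that the requested server must match a previously issued ticket. Suggest `/* S4U2Self requires the requested server to match a previously issued ticket; a referral means that principal no longer exists, so treat it as a server lookup failure. */` in place of the current two lines. The check is necessarily retroactive, since the request is only known to be S4U2Self after kdc_process_s4u2self_req and after the lookup that computed is_referral, so a short pointer such as `/* Detected only after the server lookup; the u2u and ticket-modification cases are handled in search_sprinc. */` would tie the two sites together. process_tgs_req begins and ends outside this hunk, and is_referral is assigned outside it as well.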
@@ -1191,9 +1199,16 @@ search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
     krb5_error_code ret;
     krb5_principal princ = req->server;
     krb5_principal reftgs = NULL;
+    krb5_boolean allow_referral;
+
+    /* Do not allow referrals for u2u or ticket modification requests, because
+     * the server is supposed to match an already-issued ticket. */
+    allow_referral = !(req->kdc_options & NO_REFERRAL_OPTION);
+    if (!allow_referral)
+        flags &= ~KRB5_KDB_FLAG_CANONICALIZE;
 
     ret = db_get_svc_princ(kdc_context, princ, flags, server, status);
-    if (ret == 0 || ret != KRB5_KDB_NOENTRY)
+    if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral)
         goto cleanup;
 
     if (!is_cross_tgs_principal(req->server)) {
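Review bot: The rewritten early-exit condition `if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral)` keeps a redundant clause: `ret == 0` is already implied by `ret != KRB5_KDB_NOENTRY`, so the line reads more plainly as `if (ret != KRB5_KDB_NOENTRY || !allow_referral)`. In the new case a NO_REFERRAL_OPTION request whose server is gone presumably leaves ret as KRB5_KDB_NOENTRY for the caller, which is the intent, but the comment above `allow_referral` could say so and note the case it cannot cover: `/* The S4U2Self case cannot be detected here and is rejected in process_tgs_req instead. */`. Clearing KRB5_KDB_FLAG_CANONICALIZE modifies the `flags` parameter in place, which is fine as long as nothing after the cleanup label depends on the original value; that tail, like the function's signature, is outside this hunk.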
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index c50ee84..6c54333 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -410,6 +410,10 @@ struct krb5_kdcpreauth_rock_st {
 
 #define NON_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \
                         KDC_OPT_VALIDATE)
+
+/* TGS-REQ options which are not compatible with referrals */
+#define NO_REFERRAL_OPTION (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)
+
 int check_anon(kdc_realm_t *kdc_active_realm,
                krb5_principal client, krb5_principal server);
 int errcode_to_protocol(krb5_error_code code);
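Review bot: The comment on NO_REFERRAL_OPTION states that these options are incompatible with referrals but not why, and the header is where a future reader will look first. Suggest `/* TGS-REQ options for which the requested server must match an already-issued ticket, so a referral cannot be issued. S4U2Self is not a kdc_option and is handled separately in process_tgs_req. */`. The singular name for an OR of several flags mirrors the existing NON_TGT_OPTION, so it is consistent with the file's convention.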
