diff options
author | Simo Sorce <simo@redhat.com> | 2015-01-20 13:48:34 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2015-02-06 22:19:39 -0500 |
commit | caf779261b782ca59fa4f6f2914ea43ffc1987bd (patch) | |
tree | a49c3373c258a69251c618a4786a5ee65cdf6f47 | |
parent | 34fbf2dbecbaac417625aad46d20e97ddc40c164 (diff) | |
download | krb5-caf779261b782ca59fa4f6f2914ea43ffc1987bd.zip krb5-caf779261b782ca59fa4f6f2914ea43ffc1987bd.tar.gz krb5-caf779261b782ca59fa4f6f2914ea43ffc1987bd.tar.bz2 |
Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
ticket: 8122 (new)
subject: kinit -C loops chasing realm referrals against MIT KDC
version_fixed: 1.11.6
status: resolved
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 40 |
1 files changed, 13 insertions, 27 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 98851d8..f0f4ac8 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1421,33 +1421,23 @@ note_req_timestamp(krb5_context kcontext, krb5_clpreauth_rock rock, AUTH_OFFSET : UNAUTH_OFFSET; } -/* Determine whether the client realm in a KRB-ERROR is empty. */ -static krb5_boolean -is_empty_crealm(krb5_error *err) -{ - - return (err->client == NULL || err->client->realm.length == 0); -} - /* - * Determine whether a KRB-ERROR is a referral to another realm. + * Determine whether err is a client referral to another realm, given the + * previously requested client principal name. * - * RFC 6806 Section 7 requires that KDCs return the referral realm in - * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and - * possibly others) return the realm in a PRINCIPAL_UNKNOWN message. - * Detect this case by looking for a non-empty client.realm field in - * such responses. + * RFC 6806 Section 7 requires that KDCs return the referral realm in an error + * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others) + * return the realm in a PRINCIPAL_UNKNOWN message. */ static krb5_boolean -is_referral(krb5_init_creds_context ctx) +is_referral(krb5_context context, krb5_error *err, krb5_principal client) { - krb5_error *err = ctx->err_reply; - - if (err->error == KDC_ERR_WRONG_REALM) - return TRUE; - if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN) + if (err->error != KDC_ERR_WRONG_REALM && + err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN) + return FALSE; + if (err->client == NULL) return FALSE; - return !is_empty_crealm(err); + return !krb5_realm_compare(context, err->client, client); } static krb5_error_code @@ -1507,12 +1497,8 @@ init_creds_step_reply(krb5_context context, ctx->preauth_to_use); ctx->preauth_required = TRUE; - } else if (canon_flag && is_referral(ctx)) { - if (is_empty_crealm(ctx->err_reply)) { - /* Only WRONG_REALM referral types can reach this. */ - code = KRB5KDC_ERR_WRONG_REALM; - goto cleanup; - } + } else if (canon_flag && is_referral(context, ctx->err_reply, + ctx->request->client)) { TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm); /* Rewrite request.client with realm from error reply */ krb5_free_data_contents(context, &ctx->request->client->realm); |