diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-12-06 21:40:05 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-12-06 21:40:53 -0500 |
| commit | ee0d5eac353a13a194759b72cb44203fda1bf0fa (patch) | |
| tree | 78a94f29d1e3baae8184d5c7dda48c8ad3d44d8f | |
| parent | de80646215b623b1ce16fe8a2c2db85bba531532 (diff) | |
| download | krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.zip krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.gz krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.bz2 | |
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
ticket: 7483
target_version: 1.11
tags: pullup
| -rw-r--r-- | src/kdc/do_tgs_req.c | 4 | ||||
| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_referral.py | 21 |
3 files changed, 25 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index b77c9eb..d41bc5d 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1148,7 +1148,9 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } - if (realms == NULL || realms[0] == '\0') { + /* Don't return a referral to the empty realm or the service realm. */ + if (realms == NULL || realms[0] == '\0' || + data_eq_string(srealm, realms[0])) { retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; } diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 8886959..1eac9e6 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -82,6 +82,7 @@ check-pytests:: hist kdbtest $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS) diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py new file mode 100644 index 0000000..6654d71 --- /dev/null +++ b/src/tests/t_referral.py @@ -0,0 +1,21 @@ +#!/usr/bin/python +from k5test import * + +# We should have a comprehensive suite of KDC host referral tests +# here, based on the tests in the kdc_realm subdir. For now, we just +# have a regression test for #7483. + +# A KDC should not return a host referral to its own realm. +krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}} +kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}} +realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False) +tracefile = os.path.join(realm.testdir, 'trace') +realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], + expected_code=1) +f = open(tracefile, 'r') +trace = f.read() +f.close() +if 'back to same realm' in trace: + fail('KDC returned referral to service realm') + +success('KDC host referral tests') |