diff options
| author | Tom Yu <tlyu@mit.edu> | 2013-04-22 18:18:12 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2013-04-22 18:29:57 -0400 |
| commit | 80b56a792f1e45c44747c3092ea3602fb1b80a55 (patch) | |
| tree | 74e1968a27463ce935527379a5840dd66e6e3f77 | |
| parent | 9ae208f189a68fd84d69842b6ec631149ea956bb (diff) | |
| download | krb5-80b56a792f1e45c44747c3092ea3602fb1b80a55.zip krb5-80b56a792f1e45c44747c3092ea3602fb1b80a55.tar.gz krb5-80b56a792f1e45c44747c3092ea3602fb1b80a55.tar.bz2 | |
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
(back ported from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa)
(cherry picked from commit 745c0194ee93318cf4d44f6f8ccb7739523d448e)
ticket: 7609 (new)
version_fixed: 1.9.5
status: resolved
| -rw-r--r-- | src/kdc/do_tgs_req.c | 6 | ||||
| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_referral.py | 21 |
3 files changed, 27 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 840a2ef..d5f34b6 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1172,7 +1172,11 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } - if (realms[0] == 0) { + /* Don't return a referral to the null realm or the service + * realm. */ + if (realms[0] == 0 || + data_eq_string(request->server->realm, realms[0])) { + free(realms[0]); free(realms); retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index edbfc1c..b1ba997 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -70,6 +70,7 @@ check-pytests:: hist $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS) clean:: diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py new file mode 100644 index 0000000..6654d71 --- /dev/null +++ b/src/tests/t_referral.py @@ -0,0 +1,21 @@ +#!/usr/bin/python +from k5test import * + +# We should have a comprehensive suite of KDC host referral tests +# here, based on the tests in the kdc_realm subdir. For now, we just +# have a regression test for #7483. + +# A KDC should not return a host referral to its own realm. +krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}} +kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}} +realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False) +tracefile = os.path.join(realm.testdir, 'trace') +realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], + expected_code=1) +f = open(tracefile, 'r') +trace = f.read() +f.close() +if 'back to same realm' in trace: + fail('KDC returned referral to service realm') + +success('KDC host referral tests') |