krb5 commit: Explicitly prevent referrals for certain requests

Tue Sep 3 23:30:29 EDT 2013

https://github.com/krb5/krb5/commit/8a9909ff9ef6b51c5ed09ead6713888fbb34072f
commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Aug 30 12:14:00 2013 -0400

    Explicitly prevent referrals for certain requests
    
    For ticket modification requests (such as renewals), u2u requests, and
    S4U2Self requests, the requested server principal is expected to match
    a previously issued ticket.  If that principal no longer exists, we
    must fail the request; we cannot issue a referral.  We are currently
    doing that by rewriting request->server to the referral principal,
    which causes the match against the ticket to fail.  Since we would
    like to stop modifying the request, we must explicitly prevent
    referrals in these cases.
    
    We don't find out whether a request is S4U2Self until after we've
    looked up the server principal, so for now we have to make a
    retroactive check for a referral after calling
    kdc_process_s4u2self_req.

 src/kdc/do_tgs_req.c |   19 +++++++++++++++++--
 src/kdc/kdc_util.h   |    4 ++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2402036..a71c01c 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -270,8 +270,16 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                        &status);
     if (errcode)
         goto cleanup;
-    if (s4u_x509_user != NULL)
+    if (s4u_x509_user != NULL) {
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
+        if (is_referral) {
+            /* The requesting server appears to no longer exist, and we found
+             * a referral instead.  Treat this as a server lookup failure. */
+            errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+            status = "LOOKING_UP_SERVER";
+            goto cleanup;
+        }
+    }
 
     errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
                              &stkt_server, &status);
@@ -1191,9 +1199,16 @@ search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
     krb5_error_code ret;
     krb5_principal princ = req->server;
     krb5_principal reftgs = NULL;
+    krb5_boolean allow_referral;
+
+    /* Do not allow referrals for u2u or ticket modification requests, because
+     * the server is supposed to match an already-issued ticket. */
+    allow_referral = !(req->kdc_options & NO_REFERRAL_OPTION);
+    if (!allow_referral)
+        flags &= ~KRB5_KDB_FLAG_CANONICALIZE;
 
     ret = db_get_svc_princ(kdc_context, princ, flags, server, status);
-    if (ret == 0 || ret != KRB5_KDB_NOENTRY)
+    if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral)
         goto cleanup;
 
     if (!is_cross_tgs_principal(req->server)) {
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index c50ee84..6c54333 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -410,6 +410,10 @@ struct krb5_kdcpreauth_rock_st {
 
 #define NON_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \
                         KDC_OPT_VALIDATE)
+
+/* TGS-REQ options which are not compatible with referrals */
+#define NO_REFERRAL_OPTION (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)
+
 int check_anon(kdc_realm_t *kdc_active_realm,
                krb5_principal client, krb5_principal server);
 int errcode_to_protocol(krb5_error_code code);
