krb5 commit [krb5-1.11]: Do not loop on principal unknown errors
Tom Yu
tlyu at mit.edu
Fri Feb 6 22:20:31 EST 2015
https://github.com/krb5/krb5/commit/caf779261b782ca59fa4f6f2914ea43ffc1987bd
commit caf779261b782ca59fa4f6f2914ea43ffc1987bd
Author: Simo Sorce <simo at redhat.com>
Date: Tue Jan 20 13:48:34 2015 -0500
Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson at mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
ticket: 8122 (new)
subject: kinit -C loops chasing realm referrals against MIT KDC
version_fixed: 1.11.6
status: resolved
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 98851d8..f0f4ac8 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1421,33 +1421,23 @@ note_req_timestamp(krb5_context kcontext, krb5_clpreauth_rock rock,
AUTH_OFFSET : UNAUTH_OFFSET;
}
-/* Determine whether the client realm in a KRB-ERROR is empty. */
-static krb5_boolean
-is_empty_crealm(krb5_error *err)
-{
-
- return (err->client == NULL || err->client->realm.length == 0);
-}
-
/*
- * Determine whether a KRB-ERROR is a referral to another realm.
+ * Determine whether err is a client referral to another realm, given the
+ * previously requested client principal name.
*
- * RFC 6806 Section 7 requires that KDCs return the referral realm in
- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
- * Detect this case by looking for a non-empty client.realm field in
- * such responses.
+ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
+ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
+ * return the realm in a PRINCIPAL_UNKNOWN message.
*/
static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_error *err, krb5_principal client)
{
- krb5_error *err = ctx->err_reply;
-
- if (err->error == KDC_ERR_WRONG_REALM)
- return TRUE;
- if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ if (err->error != KDC_ERR_WRONG_REALM &&
+ err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ return FALSE;
+ if (err->client == NULL)
return FALSE;
- return !is_empty_crealm(err);
+ return !krb5_realm_compare(context, err->client, client);
}
static krb5_error_code
@@ -1507,12 +1497,8 @@ init_creds_step_reply(krb5_context context,
ctx->preauth_to_use);
ctx->preauth_required = TRUE;
- } else if (canon_flag && is_referral(ctx)) {
- if (is_empty_crealm(ctx->err_reply)) {
- /* Only WRONG_REALM referral types can reach this. */
- code = KRB5KDC_ERR_WRONG_REALM;
- goto cleanup;
- }
+ } else if (canon_flag && is_referral(context, ctx->err_reply,
+ ctx->request->client)) {
TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
/* Rewrite request.client with realm from error reply */
krb5_free_data_contents(context, &ctx->request->client->realm);
More information about the cvs-krb5
mailing list