[krbdev.mit.edu #8668] KDC-REQ-BODY server name isn't optional for user-to-user TGS requests
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu Apr 19 22:05:04 EDT 2018
Per RFC 4120 section 5.4.1, the KDC-REQ-BODY sname field is optional
and "may only be absent when the ENC-TKT-IN-SKEY option is specified.
If the sname is absent, the name of the server is taken from the name
of the client in the ticket passed as additional-tickets." The realm
field (applying to both cname and sname) is mandatory.
If the sname is omitted in an incoming KDC-REQ-BODY for a TGS
request, our ASN.1 decoder hack (decode_kdc_req_body) throws out the
realm (or applies it to the client if one is present, but for a TGS
request it generally won't be). This makes it hard to set up the KDC
realm state; we could pull the realm from second_ticket[0]->server->realm
but we would be omitting a sanity check to do so. At present
we fail just after the call to setup_server_realm() in
process_tgs_req(), because request->server is NULL and that causes
setup_server_realm() to return NULL.
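As an added illustration (not code from this ticket or from krb5 itself), here is a simplified C model of the RFC 4120 rule and the realm sanity check mentioned above. The structs, the option constant and the sample ticket are placeholders standing in for krb5's own types and values:

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the KDC request pieces (hypothetical, not krb5's types). */
typedef struct { const char *realm; const char *name; } principal;
typedef struct { principal server; principal client; } ticket;
typedef struct {
    unsigned options;            /* KDCOptions bitmask */
    const char *body_realm;      /* the mandatory KDC-REQ-BODY realm field */
    const principal *server;     /* NULL when sname was omitted */
    const ticket *second_ticket; /* additional-tickets[0], or NULL */
} u2u_request;

#define OPT_ENC_TKT_IN_SKEY 0x8u /* RFC 4120 KDCOptions bit 28; value chosen for this example */

enum { U2U_OK = 0, U2U_ERR_NO_SNAME, U2U_ERR_NO_TICKET, U2U_ERR_REALM_MISMATCH };

/* Apply the RFC 4120 5.4.1 rule and the realm sanity check the report mentions. */
int resolve_u2u_server(const u2u_request *req, principal *out)
{
    if (req->server != NULL) {                 /* sname present: use it as-is */
        *out = *req->server;
        return U2U_OK;
    }
    if (!(req->options & OPT_ENC_TKT_IN_SKEY))
        return U2U_ERR_NO_SNAME;               /* absent sname needs ENC-TKT-IN-SKEY */
    if (req->second_ticket == NULL)
        return U2U_ERR_NO_TICKET;              /* nothing to take the name from */
    /* Sanity check: the body realm must agree with the additional ticket's realm. */
    if (req->body_realm == NULL ||
        strcmp(req->body_realm, req->second_ticket->server.realm) != 0)
        return U2U_ERR_REALM_MISMATCH;
    *out = req->second_ticket->client;         /* server := ticket's client name */
    return U2U_OK;
}

/* Constructed sample: a TGT for alice@EXAMPLE.COM presented as additional-tickets[0]. */
int u2u_sample(unsigned options, const char *body_realm, int with_ticket, principal *out)
{
    static const ticket alice_tgt = {
        { "EXAMPLE.COM", "krbtgt/EXAMPLE.COM" }, { "EXAMPLE.COM", "alice" } };
    u2u_request req = { options, body_realm, NULL, with_ticket ? &alice_tgt : NULL };
    return resolve_u2u_server(&req, out);
}

/* The derived server name for the sample, or NULL on any error. */
const char *u2u_sample_server(unsigned options, const char *body_realm, int with_ticket)
{
    principal p;
    return u2u_sample(options, body_realm, with_ticket, &p) == U2U_OK ? p.name : NULL;
}
```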
It is not clear that we need to fix this problem. Fixing it would be
somewhat difficult, because we would have to figure out how to
preserve the kdc-req-body realm field in a kdc_req structure with no
client and no server. It would also be somewhat risky, as there are
at least 28 uses of request->server in the KDC code and many of them
don't handle null values.