Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm.  Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

ticket: 8060
target_version: 1.13.1
tags: pullup

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2c2b654a66b0d687ba4272bfad25f96e36f46eef..f9bc027aaa78cbb57aaf86a3fb776b5e2a069a08 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1379,33 +1379,23 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
         AUTH_OFFSET : UNAUTH_OFFSET;
 }
 
-/* Determine whether the client realm in a KRB-ERROR is empty. */
-static krb5_boolean
-is_empty_crealm(krb5_error *err)
-{
-
-    return (err->client == NULL || err->client->realm.length == 0);
-}
-
 /*
- * Determine whether a KRB-ERROR is a referral to another realm.
+ * Determine whether err is a client referral to another realm, given the
+ * previously requested client principal name.
  *
- * RFC 6806 Section 7 requires that KDCs return the referral realm in
- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
- * Detect this case by looking for a non-empty client.realm field in
- * such responses.
+ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
+ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
+ * return the realm in a PRINCIPAL_UNKNOWN message.
  */
 static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_error *err, krb5_principal client)
 {
-    krb5_error *err = ctx->err_reply;
-
-    if (err->error == KDC_ERR_WRONG_REALM)
-        return TRUE;
-    if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+    if (err->error != KDC_ERR_WRONG_REALM &&
+        err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+        return FALSE;
+    if (err->client == NULL)
         return FALSE;
-    return !is_empty_crealm(err);
+    return !krb5_realm_compare(context, err->client, client);
 }
 
 static krb5_error_code
@@ -1467,12 +1457,8 @@ init_creds_step_reply(krb5_context context,
                                              ctx->preauth_to_use);
             ctx->preauth_required = TRUE;
 
-        } else if (canon_flag && is_referral(ctx)) {
-            if (is_empty_crealm(ctx->err_reply)) {
-                /* Only WRONG_REALM referral types can reach this. */
-                code = KRB5KDC_ERR_WRONG_REALM;
-                goto cleanup;
-            }
+        } else if (canon_flag && is_referral(context, ctx->err_reply,
+                                             ctx->request->client)) {
             TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
             /* Rewrite request.client with realm from error reply */
             krb5_free_data_contents(context, &ctx->request->client->realm);