From: Greg Hudson Date: Fri, 7 Dec 2012 02:40:05 +0000 (-0500) Subject: Don't return a host referral to the service realm X-Git-Tag: krb5-1.10.4-final~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=745c0194ee93318cf4d44f6f8ccb7739523d448e;p=thirdparty%2Fkrb5.git Don't return a host referral to the service realm A host referral to the same realm we just looked up the principal in is useless at best and confusing to the client at worst. Don't respond with one in the KDC. (back ported from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa) ticket: 7536 (new) version_fixed: 1.10.4 status: resolved --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 56d9869c16..9ff80cfd0e 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1176,7 +1176,11 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } - if (realms[0] == 0) { + /* Don't return a referral to the null realm or the service + * realm. */ + if (realms[0] == 0 || + data_eq_string(request->server->realm, realms[0])) { + free(realms[0]); free(realms); retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index a8ca4641d9..793f312c8a 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -73,6 +73,7 @@ check-pytests:: hist $(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS) # $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS) diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py new file mode 100644 index 0000000000..6654d71e8e --- /dev/null +++ b/src/tests/t_referral.py @@ -0,0 +1,21 @@ +#!/usr/bin/python +from k5test import * + +# We should have a comprehensive suite of KDC host referral tests +# here, based on the tests in the kdc_realm subdir. For now, we just +# have a regression test for #7483. + +# A KDC should not return a host referral to its own realm. +krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}} +kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}} +realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False) +tracefile = os.path.join(realm.testdir, 'trace') +realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], + expected_code=1) +f = open(tracefile, 'r') +trace = f.read() +f.close() +if 'back to same realm' in trace: + fail('KDC returned referral to service realm') + +success('KDC host referral tests')