path: root/src/lib/krb5/krb/gc_via_tkt.c
authorSam Hartman <hartmans@mit.edu>2006-09-21 01:48:50 +0000
committerSam Hartman <hartmans@mit.edu>2006-09-21 01:48:50 +0000
commit25860eac35980ab0d8d786fe1d06ced26a04d2db (patch)
tree74e4b87fee38208ea1378bb6868c009964e9cf3f /src/lib/krb5/krb/gc_via_tkt.c
parentb2239415f139c8822715180716e41b4f9606232e (diff)
Set the canonicalize flag in TGS requests and accept cross-realm referral tickets.
We do not yet accept tickets in which the server name changes.

* krb5_sname_to_principal: If there is no domain realm mapping, return a null realm.
* krb5_get_cred_via_tkt: New behavior as described below.
  1) the referrals case:
     - check for a TGT for the initial realm
     - if a remote realm was specified (which must have happened via a domain_realm mapping), obtain a TGT for it the standard way and start with that.
     - use the client realm for the server if not specified
     - iterate through this loop:
       - request the ticket with referrals turned on
       - if that fails:
         - if this was the first request, punt to the non-referrals case
         - otherwise, retry once without referrals turned on, then terminate either way
       - if it works, either use the service ticket or follow the referral path
     - if the loop count is exceeded, hard-fail
  2) the non-referrals case:
     - this is mostly the old walk_realm_tree TGT-finding (which allows limited shortcut referrals per 4120) followed by a standard TGS-REQ.
     - the originally requested principal is used for this, although if we were handed something without a realm, determine a fallback realm based on DNS TXT records or a truncation of the domain name.

ticket: 2652
Owner: amb

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/gc_via_tkt.c')
-rw-r--r--src/lib/krb5/krb/gc_via_tkt.c45
1 files changed, 37 insertions, 8 deletions
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index a1ed6e90d2..d96f84aaa5 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -50,7 +50,7 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con
goto cleanup;
if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server,
- &(*ppcreds)->server)))
+ &(*ppcreds)->server)))
goto cleanup;
if ((retval = krb5_copy_keyblock_contents(context,
@@ -107,6 +107,12 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
krb5_response tgsrep;
krb5_enctype *enctypes = 0;
+#ifdef DEBUG_REFERRALS
+ printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
+#endif
+
/* tkt->client must be equal to in_cred->client */
if (!krb5_principal_compare(context, tkt->client, in_cred->client))
return KRB5_PRINC_NOMATCH;
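Review bot: The DEBUG_REFERRALS trace added here writes to stdout with `printf`, which in a library that applications link into can interleave with, or corrupt, the application's own output; the same applies to the traces added in the later hunks at the send_tgs failure path and before the final `return retval`. Writing to stderr keeps the diagnostic out of the program's data stream, e.g. `fprintf(stderr, "krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");`. The dumped principals (requested server, TGT server) are not secret, but a one-line comment saying so would save the next reader from checking, e.g. `/* DEBUG_REFERRALS output names principals only; no key material. */`. The enclosing function krb5_get_cred_via_tkt begins before this hunk.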
@@ -154,8 +160,13 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
tkt, &tgsrep);
if (enctypes)
free(enctypes);
- if (retval)
+ if (retval) {
+#ifdef DEBUG_REFERRALS
+ printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
+ error_message(retval));
+#endif
return retval;
+ }
switch (tgsrep.message_type) {
case KRB5_TGS_REP:
@@ -167,7 +178,7 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
- if (retval) /* neither proper reply nor error! */
+ if (retval) /* neither proper reply nor error! */
goto error_4;
retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
@@ -218,11 +229,26 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
retval = KRB5_KDCREP_MODIFIED;
- if (!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server))
- retval = KRB5_KDCREP_MODIFIED;
-
- if (!krb5_principal_compare(context, dec_rep->ticket->server, in_cred->server))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server)) ||
+ (!krb5_principal_compare(context, dec_rep->ticket->server, in_cred->server))) {
+ if (krb5_principal_compare(context, dec_rep->ticket->server, dec_rep->enc_part2->server)
+ && (kdcoptions&KDC_OPT_CANONICALIZE) ) {
+ /* in_cred server differs from ticket returned, but ticket
+ returned is consistent and we requested canonicalization. */
+#if 0
+#ifdef DEBUG_REFERRALS
+ printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
+ krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server);
+ krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
+#endif
+#endif
+ }
+ else {
+ /* in_cred server differs from ticket returned, and ticket
+ returned is *not* consistent. */
+ retval = KRB5_KDCREP_MODIFIED;
+ }
+ }
if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce)
retval = KRB5_KDCREP_MODIFIED;
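Review bot: The new acceptance branch at the `if (krb5_principal_compare(context, dec_rep->ticket->server, dec_rep->enc_part2->server) && (kdcoptions&KDC_OPT_CANONICALIZE))` test accepts any server name that differs from `in_cred->server`, as long as the two copies in the reply agree and canonicalization was requested, while the commit description says only cross-realm referral tickets are meant to be accepted at this point. Nothing in this hunk ties the mismatch to a TGS principal, so a reply naming an unrelated service would pass this check; unless a caller (not visible here) enforces that, the branch should additionally require that `dec_rep->ticket->server` has two components with component 0 equal to `KRB5_TGS_NAME`, for instance via a small file-local helper (to be written) such as `is_tgs_principal(context, dec_rep->ticket->server)` added to the same condition. The accepted branch is otherwise empty apart from an `#if 0`-disabled debug block; either drop the `#if 0` so DEBUG_REFERRALS actually reports the accepted mismatch, or remove the dead block and leave only the comment. Note also that `retval` is only assigned KRB5_KDCREP_MODIFIED here and by the following nonce check, so the ordering of these checks does not change which error the caller sees.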
@@ -267,5 +293,8 @@ error_3:;
error_4:;
free(tgsrep.response.data);
+#ifdef DEBUG_REFERRALS
+ printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
+#endif
return retval;
}