authorSam Hartman <hartmans@mit.edu>2010-10-01 17:12:41 +0000
committerSam Hartman <hartmans@mit.edu>2010-10-01 17:12:41 +0000
commit451814cb328d2c8f135aba7214d93d9a1c3d5acc (patch)
tree94393cef860001fe70da703ee2c7d65891dd249e /src
parentedec1fa69714ed4d97197dc7ed81aeb93f8aebb3 (diff)
Add an error to be returned by a preauth mechanism indicating that the KDC should not respond to a packet
* Do not generate an error response in this case * Drop a TCP connection if we are not going to respond to it. kdc: add KRB5KDC_ERR_DISCARD git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24406 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kdc/do_as_req.c4
-rw-r--r--src/kdc/kdc_preauth.c1
-rw-r--r--src/lib/apputils/net-server.c2
-rw-r--r--src/lib/krb5/error_tables/k5e1_err.et2
4 files changed, 7 insertions, 2 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 557ae3dea3..46b5fa1fb1 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -633,6 +633,8 @@ egress:
if (status == 0) {
status = emsg;
}
+ if (errcode == KRB5KDC_ERR_DISCARD)
+ goto discard;
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
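Review bot: The new `goto discard` sits after `status = emsg`, so on the discard path `status` may still alias `emsg` when the code at `discard:` frees it; the normal error path clears it with `status = 0;` first, as the next hunk's context shows. Whether `status` is read after the free is not visible here, but moving the two added lines above the `if (status == 0) {` block, or adding `status = 0;` directly after the label, removes the dangling pointer either way. The enclosing function begins and ends outside this hunk.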
@@ -643,7 +645,7 @@ egress:
status = 0;
}
- if (emsg)
+discard: if (emsg)
krb5_free_error_message(kdc_context, emsg);
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
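Review bot: `discard:` shares a line with `if (emsg)`, which hides the label and makes the cleanup read as if it belonged to the label; put it on its own line like `egress:` and add a comment such as `/* KRB5KDC_ERR_DISCARD: no reply is built, only cleanup runs from here. */`. Nothing visible in this hunk records that a request was dropped, so if the logging earlier in the function does not cover this case, a log entry on the discard path would let operators tell deliberate discards from lost packets. The function continues beyond the hunk.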
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 0c477266b3..957ac23031 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1202,6 +1202,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
case KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE:
/* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */
/* case KRB5KDC_ERR_KEY_TOO_WEAK: */
+ case KRB5KDC_ERR_DISCARD:
return retval;
default:
return KRB5KDC_ERR_PREAUTH_FAILED;
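Review bot: The added `case KRB5KDC_ERR_DISCARD:` passes a module's return value through unchanged, and per the commit description that value suppresses the KDC reply altogether, which is presumably a different contract from the neighbouring cases; it deserves a comment at the label, e.g. `/* Module asks that no reply be sent; callers must not turn this into a KRB-ERROR. */`. The preauth plugin interface documentation should state it too, since a module that returns this code too readily makes the KDC look unreachable to legitimate clients. check_padata starts and ends outside the hunk.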
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index 9d3daea40e..c63ab8e36b 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -1759,6 +1759,8 @@ process_tcp_connection(void *handle, struct connection *conn, const char *prog,
com_err(prog, err, "while dispatching (tcp)");
goto kill_tcp_connection;
}
+ if (conn->u.tcp.response == NULL)
+ goto kill_tcp_connection;
have_response:
queue_tcp_outgoing_response(conn);
FD_CLR(conn->fd, &sstate.rfds);
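Review bot: The new `if (conn->u.tcp.response == NULL)` check treats a NULL response as a deliberate discard, which only holds if `conn->u.tcp.response` is reliably NULL before dispatch and every handler leaves it NULL solely on purpose; neither is visible in this hunk, so both are worth confirming. Unlike the error branch above it, which calls `com_err`, this branch closes the connection without any trace, so a handler that forgets to set a response would look the same as an intended discard. A comment such as `/* No response and no error: the handler asked us to discard the request, so drop the connection. */` plus a low-volume debug message would make the two cases distinguishable. The commit touches only the TCP path, so the UDP path's handling of a NULL response should be checked separately. process_tcp_connection extends beyond the hunk.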
diff --git a/src/lib/krb5/error_tables/k5e1_err.et b/src/lib/krb5/error_tables/k5e1_err.et
index 7fe4cc6fc4..af28710498 100644
--- a/src/lib/krb5/error_tables/k5e1_err.et
+++ b/src/lib/krb5/error_tables/k5e1_err.et
@@ -33,5 +33,5 @@ error_table k5e1
error_code KRB5_PLUGIN_VER_NOTSUPP, "Plugin does not support interface version"
error_code KRB5_PLUGIN_BAD_MODULE_SPEC, "Invalid module specifier"
error_code KRB5_PLUGIN_NAME_NOTFOUND, "Plugin module name not found"
-
+error_code KRB5KDC_ERR_DISCARD, "The KDC should discard this request"
end
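Review bot: `KRB5KDC_ERR_DISCARD` uses the prefix that elsewhere in this commit names protocol errors (`KRB5KDC_ERR_PREAUTH_FAILED`), but it is defined in the k5e1 table and, per the commit description, is never meant to reach a client. A `#` comment above the new line, for example `# Internal to the KDC: tells the dispatcher to send no reply; never placed on the wire.`, would stop a later reader from treating it as a wire error code. The do_as_req.c change depends on this: the code has to be intercepted before `errcode -= ERROR_TABLE_BASE_krb5`, because a k5e1 value would presumably fall outside the 0..128 range and be sent as a generic error instead.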