Diffstat (limited to 'src')
| -rw-r--r-- | src/kdc/do_tgs_req.c | 4 | ||||
| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_referral.py | 21 |
3 files changed, 25 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b77c9eb54..d41bc5d4e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1148,7 +1148,9 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
 kdc_err(kdc_context, retval, "unable to find realm of host");
 goto cleanup;
 }
- if (realms == NULL || realms[0] == '\0') {
+ /* Don't return a referral to the empty realm or the service realm. */
+ if (realms == NULL || realms[0] == '\0' ||
+ data_eq_string(srealm, realms[0])) {
 retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 goto cleanup;
 }
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 888695947..1eac9e66d 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -82,6 +82,7 @@ check-pytests:: hist kdbtest
 $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644
index 000000000..6654d71e8
--- /dev/null
+++ b/src/tests/t_referral.py
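Review bot: In the find_referral_tgs hunk of src/kdc/do_tgs_req.c, the retained test `realms[0] == '\0'` compares the first pointer with zero rather than the first character, so a realm that is an empty string still passes the guard even though the new comment says the empty realm is rejected. realms[0] looks like a `char *` here, since the added line passes it to data_eq_string() as a string. If the intent matches the comment, the condition would read `if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||` with the data_eq_string() line unchanged. The function starts and continues outside the hunk, so how realms is populated is not visible and should be confirmed.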
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir. For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+ expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+ fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')
|
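Review bot: The regression check in src/tests/t_referral.py can pass without exercising the fix, because it only asserts that 'back to same realm' is absent from the trace; an empty trace or a reworded trace message also satisfies it. `expected_code=1` likewise accepts any kvno failure, not specifically the unknown-service-principal error that the KDC change returns. A cheap guard is to fail when nothing was captured, e.g. `if not trace: fail('no trace output captured')`. Reading the file with `with open(tracefile) as f: trace = f.read()` would also close the handle if the read raises.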
