From 4bf79de2efe91758d9befa0d21770aae1ac95be8 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Sat, 16 Jul 1994 06:00:59 +0000 Subject: Fix error return codes for sanity's sake Fix error handling for bugs TGS renew/forward/etc requests. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3988 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/kdc_util.c | 98 +++++++++++++++++++++++++++++------------------------- 1 file changed, 53 insertions(+), 45 deletions(-) (limited to 'src/kdc/kdc_util.c') diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a85466714..25b110a89 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -793,7 +793,7 @@ char **status; #ifdef KRBCONF_VAGUE_ERRORS return KRB_ERR_GENERIC; #else - return KDC_PREAUTH_FAILED; + return KDC_ERR_PREAUTH_REQUIRED; #endif } @@ -967,6 +967,9 @@ krb5_data *data; KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \ KDC_OPT_VALIDATE) +#define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \ + KDC_OPT_VALIDATE) + int validate_tgs_request(request, server, ticket, kdc_time, status) register krb5_kdc_req *request; @@ -997,50 +1000,55 @@ char **status; * (either the ticket granting service or the service that was * originally requested) */ - if (!krb5_principal_compare(ticket->server, request->server)) { - /* - * OK, we need to validate the krbtgt service in the ticket. - * - * The krbtgt service is of the form: - * krbtgt/realm-A@realm-B - * - * Realm A is the "server realm"; the realm of the - * server of the requested ticket must match this realm. - * Of course, it should be a realm serviced by this KDC. - * - * Realm B is the "client realm"; this is what should be - * added to the transited field. (which is done elsewhere) - */ - char *destination_realm; - - /* Make sure there are two components... */ - if (krb5_princ_size(ticket->server) != 2) { - *status = "BAD TGS SERVER LENGTH"; - return KRB_AP_ERR_NOT_US; - } - /* ...that the first component is krbtgt... */ - if (!krb5_is_tgs_principal(ticket->server)) { - *status = "BAD TGS SERVER NAME"; - return KRB_AP_ERR_NOT_US; - } - /* ...and that the second component matches the server realm... */ - if ((krb5_princ_component(ticket->server, 1)->length != - krb5_princ_realm(request->server)->length) || - memcmp(krb5_princ_component(ticket->server, 1)->data, - krb5_princ_realm(request->server)->data, - krb5_princ_realm(request->server)->length)) { - *status = "BAD TGS SERVER INSTANCE"; - return KRB_AP_ERR_NOT_US; - } - /* XXX add check that second component must match locally - * supported realm? - */ - - /* Server must allow TGS based issuances */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { - *status = "TGT BASED NOT ALLOWED"; - return(KDC_ERR_POLICY); - } + if (request->kdc_options & NO_TGT_OPTION) { + if (!krb5_principal_compare(ticket->server, request->server)) { + *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; + return(KDC_ERR_SERVER_NOMATCH); + } + } else { + /* + * OK, we need to validate the krbtgt service in the ticket. + * + * The krbtgt service is of the form: + * krbtgt/realm-A@realm-B + * + * Realm A is the "server realm"; the realm of the + * server of the requested ticket must match this realm. + * Of course, it should be a realm serviced by this KDC. + * + * Realm B is the "client realm"; this is what should be + * added to the transited field. (which is done elsewhere) + */ + char *destination_realm; + + /* Make sure there are two components... */ + if (krb5_princ_size(ticket->server) != 2) { + *status = "BAD TGS SERVER LENGTH"; + return KRB_AP_ERR_NOT_US; + } + /* ...that the first component is krbtgt... */ + if (!krb5_is_tgs_principal(ticket->server)) { + *status = "BAD TGS SERVER NAME"; + return KRB_AP_ERR_NOT_US; + } + /* ...and that the second component matches the server realm... */ + if ((krb5_princ_component(ticket->server, 1)->length != + krb5_princ_realm(request->server)->length) || + memcmp(krb5_princ_component(ticket->server, 1)->data, + krb5_princ_realm(request->server)->data, + krb5_princ_realm(request->server)->length)) { + *status = "BAD TGS SERVER INSTANCE"; + return KRB_AP_ERR_NOT_US; + } + /* XXX add check that second component must match locally + * supported realm? + */ + + /* Server must allow TGS based issuances */ + if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { + *status = "TGT BASED NOT ALLOWED"; + return(KDC_ERR_POLICY); + } } /* TGS must be forwardable to get forwarded or forwardable ticket */ -- cgit