Fix error return codes for sanity's sake
authorTheodore Tso <tytso@mit.edu>
Sat, 16 Jul 1994 06:00:59 +0000 (06:00 +0000)
committerTheodore Tso <tytso@mit.edu>
Sat, 16 Jul 1994 06:00:59 +0000 (06:00 +0000)
Fix error handling for bugs TGS renew/forward/etc requests.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3988 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/do_as_req.c
src/kdc/kdc_util.c

index dc477717ac7dc0550ea14951e0927e2aaf1215ee..928df0c328b981629f1074ee4382e9d7b4d14f17 100644 (file)
@@ -1,3 +1,9 @@
+Sat Jul 16 01:59:02 1994  Theodore Y. Ts'o  (tytso at tsx-11)
+
+       * do_as_req.c: Sanitie error return codes
+       * kdc_util.c (validate_tgs_request): Fix error handling for bogus
+       TGS renew/forward/etc. requests.  Sanitize error return codes.
+
 Fri Jul  8 00:33:45 1994  Tom Yu  (tlyu at dragons-lair)
 
        * configure.in:
index abab6e65fb3a4c42c129908583c052e03140358a..b9901800109d9648cebaa8e03699b916dd29ee46 100644 (file)
@@ -356,7 +356,7 @@ krb5_data **response;                       /* filled in with a response packet */
 #else
            retval -= ERROR_TABLE_BASE_krb5;
            if ((retval < 0) || (retval > 127))
-                   retval = KDC_PREAUTH_FAILED;
+                   retval = KDC_ERR_PREAUTH_FAILED;
             retval = prepare_error_as(request, retval, response);
 #endif
            goto errout;
index a85466714972490c6092d68f443b8b7d94785d69..25b110a89518ae925dce19aa18913a62a4d8dbef 100644 (file)
@@ -793,7 +793,7 @@ char        **status;
 #ifdef KRBCONF_VAGUE_ERRORS
        return KRB_ERR_GENERIC;
 #else
-       return KDC_PREAUTH_FAILED;
+       return KDC_ERR_PREAUTH_REQUIRED;
 #endif
     }
 
@@ -967,6 +967,9 @@ krb5_data *data;
                             KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \
                             KDC_OPT_VALIDATE)
 
+#define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \
+                      KDC_OPT_VALIDATE)
+
 int
 validate_tgs_request(request, server, ticket, kdc_time, status)
 register krb5_kdc_req *request;
@@ -997,50 +1000,55 @@ char **status;
      * (either the ticket granting service or the service that was
      * originally requested)
      */
-    if (!krb5_principal_compare(ticket->server, request->server)) {
-           /*
-            * OK, we need to validate the krbtgt service in the ticket.
-            *
-            * The krbtgt service is of the form:
-            *          krbtgt/realm-A@realm-B
-            *
-            * Realm A is the "server realm"; the realm of the
-            * server of the requested ticket must match this realm.
-            * Of course, it should be a realm serviced by this KDC.
-            *
-            * Realm B is the "client realm"; this is what should be
-            * added to the transited field.  (which is done elsewhere)
-            */
-           char        *destination_realm;
-
-           /* Make sure there are two components... */
-           if (krb5_princ_size(ticket->server) != 2) {
-                   *status = "BAD TGS SERVER LENGTH";
-                   return KRB_AP_ERR_NOT_US;
-           }
-           /* ...that the first component is krbtgt... */
-           if (!krb5_is_tgs_principal(ticket->server)) {
-                   *status = "BAD TGS SERVER NAME";
-                   return KRB_AP_ERR_NOT_US;
-           }
-           /* ...and that the second component matches the server realm... */
-           if ((krb5_princ_component(ticket->server, 1)->length !=
-                krb5_princ_realm(request->server)->length) ||
-               memcmp(krb5_princ_component(ticket->server, 1)->data,
-                      krb5_princ_realm(request->server)->data,
-                      krb5_princ_realm(request->server)->length)) {
-                   *status = "BAD TGS SERVER INSTANCE";
-                   return KRB_AP_ERR_NOT_US;
-           }
-           /* XXX add check that second component must match locally
-            * supported realm?
-            */
-
-           /* Server must allow TGS based issuances */
-           if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) {
-                   *status = "TGT BASED NOT ALLOWED";
-                   return(KDC_ERR_POLICY);
-           }
+    if (request->kdc_options & NO_TGT_OPTION) {
+       if (!krb5_principal_compare(ticket->server, request->server)) {
+           *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
+           return(KDC_ERR_SERVER_NOMATCH);
+       }
+    } else {
+       /*
+        * OK, we need to validate the krbtgt service in the ticket.
+        *
+        * The krbtgt service is of the form:
+        *              krbtgt/realm-A@realm-B
+        *
+        * Realm A is the "server realm"; the realm of the
+        * server of the requested ticket must match this realm.
+        * Of course, it should be a realm serviced by this KDC.
+        *
+        * Realm B is the "client realm"; this is what should be
+        * added to the transited field.  (which is done elsewhere)
+        */
+       char    *destination_realm;
+
+       /* Make sure there are two components... */
+       if (krb5_princ_size(ticket->server) != 2) {
+           *status = "BAD TGS SERVER LENGTH";
+           return KRB_AP_ERR_NOT_US;
+       }
+       /* ...that the first component is krbtgt... */
+       if (!krb5_is_tgs_principal(ticket->server)) {
+           *status = "BAD TGS SERVER NAME";
+           return KRB_AP_ERR_NOT_US;
+       }
+       /* ...and that the second component matches the server realm... */
+       if ((krb5_princ_component(ticket->server, 1)->length !=
+            krb5_princ_realm(request->server)->length) ||
+           memcmp(krb5_princ_component(ticket->server, 1)->data,
+                  krb5_princ_realm(request->server)->data,
+                  krb5_princ_realm(request->server)->length)) {
+           *status = "BAD TGS SERVER INSTANCE";
+           return KRB_AP_ERR_NOT_US;
+       }
+       /* XXX add check that second component must match locally
+        * supported realm?
+        */
+
+       /* Server must allow TGS based issuances */
+       if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) {
+           *status = "TGT BASED NOT ALLOWED";
+           return(KDC_ERR_POLICY);
+       }
     }
            
     /* TGS must be forwardable to get forwarded or forwardable ticket */