From: Theodore Tso Date: Sat, 16 Jul 1994 06:00:59 +0000 (+0000) Subject: Fix error return codes for sanity's sake X-Git-Tag: krb5-1.0-beta4.2~129 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=4bf79de2efe91758d9befa0d21770aae1ac95be8;p=krb5.git Fix error return codes for sanity's sake Fix error handling for bugs TGS renew/forward/etc requests. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3988 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index dc477717a..928df0c32 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,9 @@ +Sat Jul 16 01:59:02 1994 Theodore Y. Ts'o (tytso at tsx-11) + + * do_as_req.c: Sanitie error return codes + * kdc_util.c (validate_tgs_request): Fix error handling for bogus + TGS renew/forward/etc. requests. Sanitize error return codes. + Fri Jul 8 00:33:45 1994 Tom Yu (tlyu at dragons-lair) * configure.in: diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index abab6e65f..b99018001 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -356,7 +356,7 @@ krb5_data **response; /* filled in with a response packet */ #else retval -= ERROR_TABLE_BASE_krb5; if ((retval < 0) || (retval > 127)) - retval = KDC_PREAUTH_FAILED; + retval = KDC_ERR_PREAUTH_FAILED; retval = prepare_error_as(request, retval, response); #endif goto errout; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a85466714..25b110a89 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -793,7 +793,7 @@ char **status; #ifdef KRBCONF_VAGUE_ERRORS return KRB_ERR_GENERIC; #else - return KDC_PREAUTH_FAILED; + return KDC_ERR_PREAUTH_REQUIRED; #endif } @@ -967,6 +967,9 @@ krb5_data *data; KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \ KDC_OPT_VALIDATE) +#define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \ + KDC_OPT_VALIDATE) + int validate_tgs_request(request, server, ticket, kdc_time, status) register krb5_kdc_req *request; @@ -997,50 +1000,55 @@ char **status; * (either the ticket granting service or the service that was * originally requested) */ - if (!krb5_principal_compare(ticket->server, request->server)) { - /* - * OK, we need to validate the krbtgt service in the ticket. - * - * The krbtgt service is of the form: - * krbtgt/realm-A@realm-B - * - * Realm A is the "server realm"; the realm of the - * server of the requested ticket must match this realm. - * Of course, it should be a realm serviced by this KDC. - * - * Realm B is the "client realm"; this is what should be - * added to the transited field. (which is done elsewhere) - */ - char *destination_realm; - - /* Make sure there are two components... */ - if (krb5_princ_size(ticket->server) != 2) { - *status = "BAD TGS SERVER LENGTH"; - return KRB_AP_ERR_NOT_US; - } - /* ...that the first component is krbtgt... */ - if (!krb5_is_tgs_principal(ticket->server)) { - *status = "BAD TGS SERVER NAME"; - return KRB_AP_ERR_NOT_US; - } - /* ...and that the second component matches the server realm... */ - if ((krb5_princ_component(ticket->server, 1)->length != - krb5_princ_realm(request->server)->length) || - memcmp(krb5_princ_component(ticket->server, 1)->data, - krb5_princ_realm(request->server)->data, - krb5_princ_realm(request->server)->length)) { - *status = "BAD TGS SERVER INSTANCE"; - return KRB_AP_ERR_NOT_US; - } - /* XXX add check that second component must match locally - * supported realm? - */ - - /* Server must allow TGS based issuances */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { - *status = "TGT BASED NOT ALLOWED"; - return(KDC_ERR_POLICY); - } + if (request->kdc_options & NO_TGT_OPTION) { + if (!krb5_principal_compare(ticket->server, request->server)) { + *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; + return(KDC_ERR_SERVER_NOMATCH); + } + } else { + /* + * OK, we need to validate the krbtgt service in the ticket. + * + * The krbtgt service is of the form: + * krbtgt/realm-A@realm-B + * + * Realm A is the "server realm"; the realm of the + * server of the requested ticket must match this realm. + * Of course, it should be a realm serviced by this KDC. + * + * Realm B is the "client realm"; this is what should be + * added to the transited field. (which is done elsewhere) + */ + char *destination_realm; + + /* Make sure there are two components... */ + if (krb5_princ_size(ticket->server) != 2) { + *status = "BAD TGS SERVER LENGTH"; + return KRB_AP_ERR_NOT_US; + } + /* ...that the first component is krbtgt... */ + if (!krb5_is_tgs_principal(ticket->server)) { + *status = "BAD TGS SERVER NAME"; + return KRB_AP_ERR_NOT_US; + } + /* ...and that the second component matches the server realm... */ + if ((krb5_princ_component(ticket->server, 1)->length != + krb5_princ_realm(request->server)->length) || + memcmp(krb5_princ_component(ticket->server, 1)->data, + krb5_princ_realm(request->server)->data, + krb5_princ_realm(request->server)->length)) { + *status = "BAD TGS SERVER INSTANCE"; + return KRB_AP_ERR_NOT_US; + } + /* XXX add check that second component must match locally + * supported realm? + */ + + /* Server must allow TGS based issuances */ + if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { + *status = "TGT BASED NOT ALLOWED"; + return(KDC_ERR_POLICY); + } } /* TGS must be forwardable to get forwarded or forwardable ticket */