Stop modifying TGS requests for referrals
It is no longer necessary to modify request->server when we receive a
referral.  The uses of request->server break down as follows:

* Matching against previously issued tickets (e.g. for renewals).  We
  now explicitly disallow referrals for requests where we need to do
  that.

* Using only the realm (e.g. for transited checking).  Referrals are
  cross-realm TGS entries within the same realm as the requested
  server principal, so this does not change.

* Comparing to a local TGS principal (for restrict_anonymous_to_tgt
  enforcement).  Local TGS principals are not treated as referrals, so
  the sense of this comparison will not change if we use the original
  request.

* Setting the sname and realm fields of a KRB-ERROR response.  RFC
  4120 and 6806 do not specify what we should put here for referrals
  or aliases and we are not aware of any uses of this field by
  clients, so putting the requested server principal here should be
  okay.
greghudson committed Sep 4, 2013
1 parent 8a9909f commit 9e37d01
Showing 1 changed file with 0 additions and 17 deletions.
17 changes: 0 additions & 17 deletions src/kdc/do_tgs_req.c
Expand Up @@ -223,23 +223,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
is_referral = is_cross_tgs_principal(server->princ) &&
!krb5_principal_compare(kdc_context, request->server, server->princ);

if (is_referral) {
/*
* We may be issuing an alternate TGT or a referral to another realm,
* in which case we should use the canonical name in the reply. XXX We
* should track the reply server separately instead of modifying
* request->server, but that requires a bunch of code changes.
*/
krb5_free_principal(kdc_context, request->server);
request->server = NULL;
errcode = krb5_copy_principal(kdc_context, server->princ,
&request->server);
if (errcode != 0) {
status = "COPYING RESOLVED SERVER";
goto cleanup;
}
}

if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
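
Review bot: With the krb5_copy_principal() into request->server removed right after the is_referral computation, nothing in this hunk shows where the reply now gets the canonical name that the deleted comment says alternate TGTs and referrals need. Please confirm the reply and ticket server fields are filled from server->princ rather than request->server. Since this change has 0 additions, please also point to the commit that adds the "explicitly disallow referrals" check the message relies on for renewals and other matching against previously issued tickets. A short comment at the is_referral assignment noting that request->server intentionally stays as the client sent it would keep a later reader from reintroducing the copy.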