oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: check KDC supports anonymous if requested

Browse Source 
Verify the KDC recognized the request-anonymous flag by validating the returned
client principal name.
This commit is contained in:
Luke Howard
2019-05-18 13:55:36 +10:00
committed by Jeffrey Altman
parent 5c70e5015e
commit 014e318d6b
5 changed files with 45 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/krb5/get_cred.c
View File

@@ -560,6 +560,8 @@ get_cred_kdc(krb5_context context,
/* XXX should do better testing */ /* XXX should do better testing */
if (flags.b.constrained_delegation || impersonate_principal) if (flags.b.constrained_delegation || impersonate_principal)
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
if (flags.b.request_anonymous)
eflags |= EXTRACT_TICKET_MATCH_ANON;
ret = _krb5_extract_ticket(context, ret = _krb5_extract_ticket(context,
&rep, &rep,

2
lib/krb5/get_in_tkt.c
View File

@@ -489,7 +489,7 @@ krb5_get_in_cred(krb5_context context,
{ {
unsigned flags = EXTRACT_TICKET_TIMESYNC; unsigned flags = EXTRACT_TICKET_TIMESYNC;
if (opts.request_anonymous) if (opts.request_anonymous)
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH | EXTRACT_TICKET_MATCH_ANON;
ret = _krb5_extract_ticket(context, ret = _krb5_extract_ticket(context,
&rep, &rep,

2
lib/krb5/init_creds_pw.c
View File

@@ -2257,6 +2257,8 @@ krb5_init_creds_step(krb5_context context,
} }
if (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) if (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK)
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
if (ctx->flags.request_anonymous)
eflags |= EXTRACT_TICKET_MATCH_ANON;
ret = process_pa_data_to_key(context, ctx, &ctx->cred, ret = process_pa_data_to_key(context, ctx, &ctx->cred,
&ctx->as_req, &rep.kdc_rep, &ctx->as_req, &rep.kdc_rep,

1
lib/krb5/krb5_locl.h
View File

@@ -310,6 +310,7 @@ typedef struct krb5_context_data {
#define EXTRACT_TICKET_MATCH_REALM 4 #define EXTRACT_TICKET_MATCH_REALM 4
#define EXTRACT_TICKET_AS_REQ 8 #define EXTRACT_TICKET_AS_REQ 8
#define EXTRACT_TICKET_TIMESYNC 16 #define EXTRACT_TICKET_TIMESYNC 16
#define EXTRACT_TICKET_MATCH_ANON 32
/* /*
* Configurable options * Configurable options

40
lib/krb5/ticket.c
View File

@@ -526,6 +526,33 @@ noreferral:
return 0; return 0;
} }
/*
* Verify KDC supported anonymous if requested
*/
static krb5_error_code
check_client_anonymous(krb5_context context,
krb5_kdc_rep *rep,
krb5_const_principal requested,
krb5_const_principal mapped,
krb5_boolean is_tgs_rep)
{
int flags;
if (!rep->enc_part.flags.anonymous)
return KRB5KDC_ERR_BADOPTION;
if (is_tgs_rep)
flags = KRB5_ANON_MATCH_ANY;
else if (krb5_principal_is_anonymous(context, requested, KRB5_ANON_MATCH_ANY))
flags = KRB5_ANON_MATCH_UNAUTHENTICATED;
else
flags = KRB5_ANON_MATCH_AUTHENTICATED;
if (!krb5_principal_is_anonymous(context, mapped, flags))
return KRB5KRB_AP_ERR_MODIFIED;
return 0;
}
/* /*
* Verify returned client principal name in anonymous/referral case * Verify returned client principal name in anonymous/referral case
@@ -695,8 +722,19 @@ _krb5_extract_ticket(krb5_context context,
if (ret) if (ret)
goto out; goto out;
/* check KDC supported anonymous if it was requested */
if (flags & EXTRACT_TICKET_MATCH_ANON) {
ret = check_client_anonymous(context,rep,
creds->client,
tmp_principal,
request == NULL); /* is TGS */
if (ret) {
krb5_free_principal(context, tmp_principal);
goto out;
}
}
/* check client referral and save principal */ /* check client referral and save principal */
/* anonymous here ? */
if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) { if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
ret = check_client_mismatch(context, rep, ret = check_client_mismatch(context, rep,
creds->client, creds->client,