oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: refactor anonymous checks in KDC

Browse Source 
_kdc_is_anon_request() is only used by the AS, so make it static.

Centralize anonymous poilcy checks shared between AS and TGS into a shared
function, _kdc_check_anon_policy().

When issuing an anonymous ticket, set the ticket flag early and test that
rather than re-testing the request.
This commit is contained in:
Luke Howard
2019-06-03 12:33:28 +10:00
parent 7381a280c8
commit 27c6cf7a9f
2 changed files with 62 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
kdc/kerberos5.c
View File

@@ -116,6 +116,22 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
return TRUE; return TRUE;
} }
static krb5_boolean
is_anon_request_p(kdc_request_t r)
{
KDC_REQ_BODY *b = &r->req.req_body;
/*
* Some versions of heimdal use bit 14 instead of 16 for
* request_anonymous, as indicated in the anonymous draft prior to
* version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
* requests will have a second ticket; don't consider those anonymous
*/
return b->kdc_options.request_anonymous ||
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets);
}
/* /*
* return the first appropriate key of `princ' in `ret_key'. Look for * return the first appropriate key of `princ' in `ret_key'. Look for
* all the etypes in (`etypes', `len'), stopping as soon as we find * all the etypes in (`etypes', `len'), stopping as soon as we find
@@ -437,7 +453,6 @@ static krb5_error_code
pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa) pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
{ {
krb5_data pepper1, pepper2, ts_data; krb5_data pepper1, pepper2, ts_data;
KDC_REQ_BODY *b = &r->req.req_body;
int invalidPassword = 0; int invalidPassword = 0;
EncryptedData enc_data; EncryptedData enc_data;
krb5_enctype aenctype; krb5_enctype aenctype;
@@ -448,7 +463,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST"); heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
if (_kdc_is_anon_request(b)) { if (is_anon_request_p(r)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon"); kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
return ret; return ret;
@@ -1537,6 +1552,24 @@ _kdc_check_addresses(krb5_context context,
return result; return result;
} }
/*
*
*/
krb5_error_code
_kdc_check_anon_policy (krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *client,
hdb_entry_ex *server)
{
if (!config->allow_anonymous){
kdc_log(context, config, 0,
"Request for anonymous ticket denied by local policy");
return KRB5KDC_ERR_POLICY;
}
return 0;
}
/* /*
* *
*/ */
@@ -1760,12 +1793,11 @@ _kdc_as_rep(kdc_request_t r,
* *
*/ */
if (_kdc_is_anonymous(context, r->client_princ)) { if (_kdc_is_anonymous(context, r->client_princ) &&
if (!_kdc_is_anon_request(b)) { !is_anon_request_p(r)) {
kdc_log(context, config, 0, "Anonymous client w/o anonymous flag"); kdc_log(context, config, 0, "Anonymous client w/o anonymous flag");
ret = KRB5KDC_ERR_BADOPTION; ret = KRB5KDC_ERR_BADOPTION;
goto out; goto out;
}
} }
/* /*
@@ -1936,7 +1968,7 @@ _kdc_as_rep(kdc_request_t r,
* send requre preauth is its required or anon is requested, * send requre preauth is its required or anon is requested,
* anon is today only allowed via preauth mechanisms. * anon is today only allowed via preauth mechanisms.
*/ */
if (require_preauth_p(r) || _kdc_is_anon_request(b)) { if (require_preauth_p(r) || is_anon_request_p(r)) {
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
_kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"); _kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
goto out; goto out;
@@ -1969,6 +2001,16 @@ _kdc_as_rep(kdc_request_t r,
if(ret) if(ret)
goto out; goto out;
if (is_anon_request_p(r)) {
ret = _kdc_check_anon_policy(context, config, r->client, r->server);
if (ret) {
_kdc_set_e_text(r, "Anonymous ticket requests are disabled");
goto out;
}
r->et.flags.anonymous = 1;
}
/* /*
* Select the best encryption type for the KDC with out regard to * Select the best encryption type for the KDC with out regard to
* the client since the client never needs to read that data. * the client since the client never needs to read that data.
@@ -1980,8 +2022,7 @@ _kdc_as_rep(kdc_request_t r,
if(ret) if(ret)
goto out; goto out;
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey) {
|| (_kdc_is_anon_request(b) && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION; ret = KRB5KDC_ERR_BADOPTION;
_kdc_set_e_text(r, "Bad KDC options"); _kdc_set_e_text(r, "Bad KDC options");
goto out; goto out;
@@ -2003,7 +2044,7 @@ _kdc_as_rep(kdc_request_t r,
ret = copy_Realm(&r->client_princ->realm, &rep.crealm); ret = copy_Realm(&r->client_princ->realm, &rep.crealm);
if (ret) if (ret)
goto out; goto out;
if (_kdc_is_anon_request(b)) if (r->et.flags.anonymous)
ret = _kdc_make_anonymous_principalname(&rep.cname); ret = _kdc_make_anonymous_principalname(&rep.cname);
else if (f.canonicalize || r->client->entry.flags.force_canonicalize) else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal); ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
@@ -2120,9 +2161,6 @@ _kdc_as_rep(kdc_request_t r,
} }
} }
if (_kdc_is_anon_request(b))
r->et.flags.anonymous = 1;
if(b->addresses){ if(b->addresses){
ALLOC(r->et.caddr); ALLOC(r->et.caddr);
copy_HostAddresses(b->addresses, r->et.caddr); copy_HostAddresses(b->addresses, r->et.caddr);
@@ -2235,7 +2273,7 @@ _kdc_as_rep(kdc_request_t r,
} }
/* Add the PAC */ /* Add the PAC */
if (send_pac_p(context, req) && !_kdc_is_anon_request(b)) { if (send_pac_p(context, req) && !r->et.flags.anonymous) {
generate_pac(r, skey); generate_pac(r, skey);
} }
@@ -2430,14 +2468,3 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
return 0; return 0;
} }
krb5_boolean
_kdc_is_anon_request(const KDC_REQ_BODY *b)
{
/* some versions of heimdal use bit 14 instead of 16 for
request_anonymous, as indicated in the anonymous draft prior to
version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
requests will have a second ticket; don't consider those anonymous */
return (b->kdc_options.request_anonymous ||
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets));
}

16
kdc/krb5tgs.c
View File

@@ -506,15 +506,8 @@ check_tgs_flags(krb5_context context,
* anonymous KDC option SHOULD be set, but it is not required. * anonymous KDC option SHOULD be set, but it is not required.
* Treat an anonymous TGT as if the anonymous flag was set. * Treat an anonymous TGT as if the anonymous flag was set.
*/ */
if (tgt->flags.anonymous || f.request_anonymous) { if (tgt->flags.anonymous || f.request_anonymous)
if (!config->allow_anonymous){
kdc_log(context, config, 0,
"Request for anonymous ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.anonymous = 1; et->flags.anonymous = 1;
}
return 0; return 0;
} }
@@ -2352,6 +2345,13 @@ server_lookup:
goto out; goto out;
} }
/* check local and per-principal anonymous ticket issuance policy */
if (tgt->flags.anonymous || b->kdc_options.request_anonymous) {
ret = _kdc_check_anon_policy(context, config, client, server);
if (ret)
goto out;
}
/* /*
* If this is an referral, add server referral data to the * If this is an referral, add server referral data to the
* auth_data reply . * auth_data reply .