krb5: support for anonymous TGS requests

Add support to krb5_get_creds() for requesting anonymous service tickets using a TGT, using the flag KRB5_GC_ANONYMOUS.
2019-05-03 16:04:10 +10:00
parent af63541515
commit 55ee6c1282
3 changed files with 55 additions and 21 deletions
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1239,21 +1239,31 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
 {
    krb5_error_code ret;
    krb5_timestamp now;
-    krb5_times save_times = in_creds->times;
-    NAME_TYPE save_type = in_creds->server->name.name_type;
+    krb5_creds mcreds = *in_creds;

    krb5_timeofday(context, &now);

    if (!(options & KRB5_GC_EXPIRED_OK) &&
-	in_creds->times.endtime < now) {
-	in_creds->times.renew_till = 0;
-	krb5_timeofday(context, &in_creds->times.endtime);
+	mcreds.times.endtime < now) {
+	mcreds.times.renew_till = 0;
+	krb5_timeofday(context, &mcreds.times.endtime);
 	options |= KRB5_TC_MATCH_TIMES;
    }

-    if (save_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
+    if (mcreds.server->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
        /* Avoid name canonicalization in krb5_cc_retrieve_cred() */
-        krb5_principal_set_type(context, in_creds->server, KRB5_NT_SRV_HST);
+        krb5_principal_set_type(context, mcreds.server, KRB5_NT_SRV_HST);
+    }
+
+    if (options & KRB5_GC_ANONYMOUS) {
+	ret = krb5_make_principal(context,
+				  &mcreds.client,
+				  krb5_principal_get_realm(context, mcreds.client),
+				  KRB5_WELLKNOWN_NAME,
+				  KRB5_ANON_NAME,
+				  NULL);
+	if (ret)
+	    return ret;
    }

    ret = krb5_cc_retrieve_cred(context, ccache,
@@ -1261,10 +1271,11 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
 				 (KRB5_TC_DONT_MATCH_REALM |
                                  KRB5_TC_MATCH_KEYTYPE |
 				  KRB5_TC_MATCH_TIMES)),
-				in_creds, out_creds);
+				&mcreds, out_creds);
+
+    if (options & KRB5_GC_ANONYMOUS)
+	krb5_free_principal(context, mcreds.client);

-    in_creds->server->name.name_type = save_type;
-    in_creds->times = save_times;
    return ret;
 }

@@ -1635,6 +1646,8 @@ next_rule:
 	flags.b.request_anonymous = 1; /* XXX ARGH confusion */
 	flags.b.constrained_delegation = 1;
    }
+    if (options & KRB5_GC_ANONYMOUS)
+	flags.b.request_anonymous = 1;

    tgts = NULL;
    ret = _krb5_get_cred_kdc_any(context, flags, ccache,