Recognize anonymous AS requests using bit 14

Check KDC Option bit 14 in addition to 16 when identifying anonymous
AS-REQs. This provides compatibility with older heimdal releases.
This commit is contained in:
Chaskiel Grundman
2014-07-02 20:39:38 -04:00
parent 86554f5a7f
commit 5f2a93f5ca
2 changed files with 17 additions and 10 deletions

View File

@@ -432,7 +432,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
if (b->kdc_options.request_anonymous) {
if (_kdc_is_anon_request(b)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
return ret;
@@ -555,7 +555,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
Key *pa_key;
char *str;
if (r->req.req_body.kdc_options.request_anonymous) {
if (_kdc_is_anon_request(&r->req.req_body)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
_kdc_set_e_text(r, "ENC-TS doesn't support anon");
goto out;
@@ -1656,12 +1656,12 @@ _kdc_as_rep(kdc_request_t r,
*/
if (_kdc_is_anonymous(context, r->client_princ)) {
if (!b->kdc_options.request_anonymous) {
if (!_kdc_is_anon_request(b)) {
kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
} else if (b->kdc_options.request_anonymous) {
} else if (_kdc_is_anon_request(b)) {
kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", r->client_name);
@@ -1810,7 +1810,7 @@ _kdc_as_rep(kdc_request_t r,
* send requre preauth is its required or anon is requested,
* anon is today only allowed via preauth mechanisms.
*/
if (require_preauth_p(r) || b->kdc_options.request_anonymous) {
if (require_preauth_p(r) || _kdc_is_anon_request(b)) {
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
_kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
goto out;
@@ -1854,7 +1854,7 @@ _kdc_as_rep(kdc_request_t r,
goto out;
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
|| (_kdc_is_anon_request(b) && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION;
_kdc_set_e_text(r, "Bad KDC options");
goto out;
@@ -1973,7 +1973,7 @@ _kdc_as_rep(kdc_request_t r,
}
}
if (f.request_anonymous)
if (_kdc_is_anon_request(b))
r->et.flags.anonymous = 1;
if(b->addresses){
@@ -2320,3 +2320,10 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
return 0;
}
krb5_boolean
_kdc_is_anon_request(const KDC_REQ_BODY *b)
{
return (b->kdc_options.request_anonymous ||
(b->kdc_options.constrained_delegation && !b->additional_tickets));
}

View File

@@ -573,7 +573,7 @@ _kdc_pk_rd_padata(krb5_context context,
type = "PK-INIT-Win2k";
if (req->req_body.kdc_options.request_anonymous) {
if (_kdc_is_anon_request(&req->req_body)) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret,
"Anon not supported in RSA mode");
@@ -719,7 +719,7 @@ _kdc_pk_rd_padata(krb5_context context,
hx509_certs signer_certs;
int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
if (req->req_body.kdc_options.request_anonymous)
if (_kdc_is_anon_request(&req->req_body))
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
ret = hx509_cms_verify_signed(context->hx509ctx,
@@ -804,7 +804,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
if (req->req_body.kdc_options.request_anonymous &&
if (_kdc_is_anon_request(&req->req_body) &&
ap.clientPublicValue == NULL) {
free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;