From 5f2a93f5ca529bc38c465fe2d3eed22e8a4b9722 Mon Sep 17 00:00:00 2001
From: Chaskiel Grundman
Date: Wed, 2 Jul 2014 20:39:38 -0400
Subject: [PATCH] Recognize anonymous AS requests using bit 14

Check KDC Option bit 14 in addition to 16 when identifying anonymous AS-REQs. This provides compatibility with older heimdal releases.
---
 kdc/kerberos5.c | 21 ++++++++++++++-------
 kdc/pkinit.c | 6 +++---
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 6b6ea7d49..f30875903 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -432,7 +432,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
 heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
- if (b->kdc_options.request_anonymous) {
+ if (_kdc_is_anon_request(b)) {
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
 return ret;
@@ -555,7 +555,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
 Key *pa_key;
 char *str;
- if (r->req.req_body.kdc_options.request_anonymous) {
+ if (_kdc_is_anon_request(&r->req.req_body)) {
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 _kdc_set_e_text(r, "ENC-TS doesn't support anon");
 goto out;
@@ -1656,12 +1656,12 @@ _kdc_as_rep(kdc_request_t r,
 */
 if (_kdc_is_anonymous(context, r->client_princ)) {
- if (!b->kdc_options.request_anonymous) {
+ if (!_kdc_is_anon_request(b)) {
 kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 goto out;
 }
- } else if (b->kdc_options.request_anonymous) {
+ } else if (_kdc_is_anon_request(b)) {
 kdc_log(context, config, 0, "Request for a anonymous ticket with non " "anonymous client name: %s", r->client_name);
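Review bot: The `else if (_kdc_is_anon_request(b))` rejection in the hunk at line 1656 now also fires for an AS-REQ that sets KDC option bit 14 (`constrained_delegation`) with no additional-tickets and carries a real client name, but the log line "Request for a anonymous ticket with non anonymous client name" gives an operator no hint that the legacy bit, not bit 16, caused the rejection. Since a client may well set bit 14 by accident rather than as an old-Heimdal anonymity request, log which bit was seen, e.g. `kdc_log(context, config, 0, "Request for a anonymous ticket (KDCOptions bit %d) with non anonymous client name: %s", b->kdc_options.request_anonymous ? 16 : 14, r->client_name);`. The same applies to "Anonymous ticket w/o anonymous flag" in the first branch, which is unchanged but is now reached only when neither bit qualifies. `_kdc_as_rep` begins and ends outside this hunk.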
@@ -1810,7 +1810,7 @@ _kdc_as_rep(kdc_request_t r,
 * send requre preauth is its required or anon is requested,
 * anon is today only allowed via preauth mechanisms.
 */
- if (require_preauth_p(r) || b->kdc_options.request_anonymous) {
+ if (require_preauth_p(r) || _kdc_is_anon_request(b)) {
 ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
 _kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
 goto out;
@@ -1854,7 +1854,7 @@ _kdc_as_rep(kdc_request_t r,
 goto out;
 if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
- || (f.request_anonymous && !config->allow_anonymous)) {
+ || (_kdc_is_anon_request(b) && !config->allow_anonymous)) {
 ret = KRB5KDC_ERR_BADOPTION;
 _kdc_set_e_text(r, "Bad KDC options");
 goto out;
@@ -1973,7 +1973,7 @@ _kdc_as_rep(kdc_request_t r,
 }
 }
- if (f.request_anonymous)
+ if (_kdc_is_anon_request(b))
 r->et.flags.anonymous = 1;
 if(b->addresses){
@@ -2320,3 +2320,10 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
 return 0;
 }
+
+krb5_boolean
+_kdc_is_anon_request(const KDC_REQ_BODY *b)
+{
+ return (b->kdc_options.request_anonymous ||
+ (b->kdc_options.constrained_delegation && !b->additional_tickets));
+}
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index cd2067532..87621e371 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -573,7 +573,7 @@ _kdc_pk_rd_padata(krb5_context context,
 type = "PK-INIT-Win2k";
- if (req->req_body.kdc_options.request_anonymous) {
+ if (_kdc_is_anon_request(&req->req_body)) {
 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
 krb5_set_error_message(context, ret, "Anon not supported in RSA mode");
@@ -719,7 +719,7 @@ _kdc_pk_rd_padata(krb5_context context,
 hx509_certs signer_certs;
 int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
- if (req->req_body.kdc_options.request_anonymous)
+ if (_kdc_is_anon_request(&req->req_body))
 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
 ret = hx509_cms_verify_signed(context->hx509ctx,
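Review bot: The `!config->allow_anonymous` rejection in the hunk at line 1854 appears to run after pre-authentication has already been evaluated in `_kdc_as_rep` (the PREAUTH_REQUIRED check in the hunk at line 1810 comes first), so an anonymous PKINIT request is fully processed — including the zero-signer CMS path in pkinit.c — before the KDC concludes that anonymity is disabled. Consider rejecting early, before the pre-auth loop, with the same `_kdc_is_anon_request(b) && !config->allow_anonymous` test, so a KDC with anonymous turned off never parses unsigned SignedData from an unauthenticated peer. The shared e_text `"Bad KDC options"` now covers six different flags; logging which one tripped, e.g. `kdc_log(context, config, 0, "Anonymous ticket requested but allow_anonymous is off");` in the anonymous case, would make incident triage easier. `_kdc_as_rep` begins and ends outside this hunk.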
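Review bot: The new `_kdc_is_anon_request` in the hunk at line 2320 encodes a heuristic — KDCOptions bit 14 (`constrained_delegation`) with no additional-tickets means "anonymous" — but carries no comment, so the only explanation lives in the commit message. Add a header comment along the lines of `/* Older Heimdal sent request-anonymous as KDCOptions bit 14; that bit is now constrained-delegation, which always carries additional-tickets, so bit 14 without additional-tickets is treated as the legacy anonymous request. AS-REQ only. */`. The name does not say AS-only, so a future TGS caller would classify a bit-14 request that omits additional-tickets as anonymous rather than as a malformed delegation request; either the name or the comment should make the scope explicit. If `additional_tickets` is Heimdal's usual optional SEQUENCE OF pointer, `!b->additional_tickets` only tests presence, and a present-but-empty sequence would not count as anonymous; `(b->additional_tickets == NULL || b->additional_tickets->len == 0)` would be the tighter test if that is the intended reading. pkinit.c now calls this function, so presumably the prototype comes from the generated private header — confirm it is regenerated rather than relying on an implicit declaration.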
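Review bot: `HX509_CMS_VS_ALLOW_ZERO_SIGNER` in the hunk at line 719 is now granted to any AS-REQ that sets bit 14 without additional-tickets, not only bit 16, so the unsigned-CMS verification path is reachable by a wider set of requests; its safety rests on checks that are not visible here — the anonymous-principal name check in `_kdc_as_rep`, `allow_anonymous`, and the DH-only requirement later in this function — and `_kdc_pk_rd_padata` continues outside the hunk. That dependency deserves a comment at the flag: `/* anonymous PKINIT (RFC 6112) carries no client signature; the client identity is enforced against the anonymous principal later in _kdc_as_rep */`. If the KDC configuration is reachable in this function, gating the flag on `config->allow_anonymous` here would avoid accepting an unsigned SignedData at all when anonymous tickets are disabled.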
@@ -804,7 +804,7 @@ _kdc_pk_rd_padata(krb5_context context,
 goto out;
 }
- if (req->req_body.kdc_options.request_anonymous &&
+ if (_kdc_is_anon_request(&req->req_body) &&
 ap.clientPublicValue == NULL) {
 free_AuthPack(&ap);
 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
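Review bot: The `ap.clientPublicValue == NULL` rejection for anonymous requests has no comment explaining why the public-key-encryption mode is refused, and with bit 14 now also counting as anonymous a legacy client hitting this path will see a bare `KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED` with no e_text. As I recall RFC 6112 requires the Diffie-Hellman exchange for anonymous PKINIT, so a one-line comment such as `/* RFC 6112: anonymous PKINIT must use the DH exchange (clientPublicValue); the RSA/public-key encryption mode is not permitted */` would record the rationale. Consider also setting an error message here, as the Win2k branch earlier in this function does with `krb5_set_error_message`, so the client gets a reason. `_kdc_pk_rd_padata` begins and ends outside this hunk.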