add support for anonyous tickets

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8013 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-03-04 15:55:38 +00:00
parent 6304efeecc
commit 653d311970
4 changed files with 70 additions and 20 deletions
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -58,6 +58,7 @@ krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */

 krb5_boolean check_ticket_addresses;
 krb5_boolean allow_null_ticket_addresses;
+krb5_boolean allow_anonymous;

 static struct getarg_strings addresses_str;	/* addresses to listen on */
 krb5_addresses explicit_addresses;
@@ -297,6 +298,10 @@ configure(int argc, char **argv)
    allow_null_ticket_addresses = 
 	krb5_config_get_bool(context, cf, "kdc", 
 			     "allow-null-ticket-addresses", NULL);
+
+    allow_anonymous = 
+	krb5_config_get_bool(context, cf, "kdc", 
+			     "allow-anonymous", NULL);
 #ifdef KRB4
    if(v4_realm == NULL){
 	p = krb5_config_get_string (context, cf, 
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -121,6 +121,8 @@ default is FALSE.
 .It Li allow-null-ticket-addresses = Va boolean
 Permit tickets with no addresses.  This option is only relevant when
 check-ticket-addresses is TRUE.
+.It Li allow-anonymous = Va boolean
+Permit anonymous tickets with no addresses.
 .It encode_as_rep_as_tgs_rep = Va boolean
 Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.  The
 Heimdal clients allow both.
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -61,6 +61,7 @@ extern int enable_http;
 extern krb5_boolean encode_as_rep_as_tgs_rep;
 extern krb5_boolean check_ticket_addresses;
 extern krb5_boolean allow_null_ticket_addresses;
+extern krb5_boolean allow_anonymous;

 #ifdef KRB4
 extern char *v4_realm;
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@@ -165,6 +165,23 @@ find_keys(hdb_entry *client,
 }
 #endif

+static krb5_error_code
+make_anonymous_principalname (PrincipalName *pn)
+{
+    pn->name_type = KRB5_NT_PRINCIPAL;
+    pn->name_string.len = 1;
+    pn->name_string.val = malloc(sizeof(*pn->name_string.val));
+    if (pn->name_string.val == NULL)
+	return ENOMEM;
+    pn->name_string.val[0] = strdup("anonymous");
+    if (pn->name_string.val[0] == NULL) {
+	free(pn->name_string.val);
+	pn->name_string.val = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
 static krb5_error_code
 encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, 
 	     krb5_enctype etype, 
@@ -321,6 +338,12 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
    return 0;
 }

+/*
+ * verify the flags on `client' and `server', returning 0
+ * if they are OK and generating an error messages and returning
+ * and error code otherwise.
+ */
+
 static int
 check_flags(hdb_entry *client, const char *client_name,
 	    hdb_entry *server, const char *server_name,
@@ -393,11 +416,18 @@ check_flags(hdb_entry *client, const char *client_name,
    return 0;
 }

+/*
+ * Return TRUE if `from' is part of `addresses' taking into consideration
+ * the configuration variables that tells us how strict we should be about
+ * these checks
+ */
+
 static krb5_boolean
-check_addresses(HostAddresses *addresses, struct sockaddr *from)
+check_addresses(HostAddresses *addresses, const struct sockaddr *from)
 {
    krb5_error_code ret;
    krb5_address addr;
+    krb5_boolean result;
    
    if(check_ticket_addresses == 0)
 	return TRUE;
@@ -409,7 +439,9 @@ check_addresses(HostAddresses *addresses, struct sockaddr *from)
    if(ret)
 	return FALSE;

-    return krb5_address_search(context, &addr, addresses);
+    result = krb5_address_search(context, &addr, addresses);
+    krb5_free_address (context, &addr);
+    return result;
 }

 krb5_error_code
@@ -430,9 +462,10 @@ as_rep(KDC_REQ *req,
    krb5_error_code ret = 0;
    const char *e_text = NULL;
    krb5_crypto crypto;
-
    Key *ckey, *skey;

+    memset(&rep, 0, sizeof(rep));
+
    if(b->sname == NULL){
 	server_name = "<unknown server>";
 	ret = KRB5KRB_ERR_GENERIC;
@@ -634,16 +667,6 @@ as_rep(KDC_REQ *req,
 	free(set);
    }
    
-
-    memset(&rep, 0, sizeof(rep));
-    rep.pvno = 5;
-    rep.msg_type = krb_as_rep;
-    copy_Realm(&b->realm, &rep.crealm);
-    copy_PrincipalName(b->cname, &rep.cname);
-    rep.ticket.tkt_vno = 5;
-    copy_Realm(&b->realm, &rep.ticket.realm);
-    copy_PrincipalName(b->sname, &rep.ticket.sname);
-
    {
 	char str[128];
 	unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str));
@@ -651,13 +674,25 @@ as_rep(KDC_REQ *req,
 	    kdc_log(2, "Requested flags: %s", str);
    }
    
-    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey || 
-       f.request_anonymous){
+
+    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
+       || (f.request_anonymous && !allow_anonymous)) {
 	ret = KRB5KDC_ERR_BADOPTION;
 	kdc_log(0, "Bad KDC options -- %s", client_name);
 	goto out;
    }
    
+    rep.pvno = 5;
+    rep.msg_type = krb_as_rep;
+    copy_Realm(&b->realm, &rep.crealm);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&rep.cname);
+    else
+	copy_PrincipalName(b->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+    copy_Realm(&b->realm, &rep.ticket.realm);
+    copy_PrincipalName(b->sname, &rep.ticket.sname);
+
    et.flags.initial = 1;
    if(client->flags.forwardable && server->flags.forwardable)
 	et.flags.forwardable = f.forwardable;
@@ -689,7 +724,7 @@ as_rep(KDC_REQ *req,
    }

    krb5_generate_random_keyblock(context, setype, &et.key);
-    copy_PrincipalName(b->cname, &et.cname);
+    copy_PrincipalName(&rep.cname, &et.cname);
    copy_Realm(&b->realm, &et.crealm);
    
    {
@@ -739,6 +774,9 @@ as_rep(KDC_REQ *req,
 	    et.flags.renewable = 1;
 	}
    }
+
+    if (f.request_anonymous)
+	et.flags.anonymous = 1;
    
    if(b->addresses){
 	ALLOC(et.caddr);
@@ -952,7 +990,7 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
    }	    
    
    /* checks for excess flags */
-    if(f.request_anonymous){
+    if(f.request_anonymous && !allow_anonymous){
 	kdc_log(0, "Request for anonymous ticket");
 	return KRB5KDC_ERR_BADOPTION;
    }
@@ -1089,7 +1127,10 @@ tgs_make_reply(KDC_REQ_BODY *b,
 	       &rep.ticket.realm);
    krb5_principal2principalname(&rep.ticket.sname, server->principal);
    copy_Realm(&tgt->crealm, &rep.crealm);
-    copy_PrincipalName(&tgt->cname, &rep.cname);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&tgt->cname);
+    else
+	copy_PrincipalName(&tgt->cname, &rep.cname);
    rep.ticket.tkt_vno = 5;

    ek.caddr = et.caddr;
@@ -1140,7 +1181,8 @@ tgs_make_reply(KDC_REQ_BODY *b,
    }
    
    et.flags.pre_authent = tgt->flags.pre_authent;
-    et.flags.hw_authent = tgt->flags.hw_authent;
+    et.flags.hw_authent  = tgt->flags.hw_authent;
+    et.flags.anonymous   = tgt->flags.anonymous;
 	    
    /* XXX Check enc-authorization-data */
    et.authorization_data = auth_data;