From cc20011567b123fa933efa42ddafc8ce93aabddd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 4 Feb 2009 22:03:27 +0000
Subject: [PATCH] deny non valid use of anonymous requests.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24574 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 7ae590945..2a5b9ba2c 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -394,6 +394,13 @@ _kdc_pk_rd_padata(krb5_context context,
 type = "PK-INIT-Win2k";
+ if (req->req_body.kdc_options.request_anonymous) {
+ ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
+ krb5_set_error_message(context, ret,
+ "Anon not supported in RSA mode");
+ goto out;
+ }
+
 ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
 pa->padata_value.length,
 &r,
@@ -605,6 +612,15 @@ _kdc_pk_rd_padata(krb5_context context,
 goto out;
 }
+ if (req->req_body.kdc_options.request_anonymous &&
+ ap.clientPublicValue == NULL) {
+ free_AuthPack(&ap);
+ ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
+ krb5_set_error_message(context, ret,
+ "Anon not supported in RSA mode");
+ goto out;
+ }
+
 ret = pk_check_pkauthenticator(context,
 &ap.pkAuthenticator,
 req);
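Review bot: The rejection added in the PK-INIT-Win2k branch records its reason only through `krb5_set_error_message`, and the second check added further down in `_kdc_pk_rd_padata` does the same. Neither hunk writes a KDC log entry, so unless the `out:` path (outside the hunk) logs the failure, a denied anonymous request may leave nothing for an operator to audit. If the function's KDC configuration handle is in scope at this point, consider a line such as `kdc_log(context, config, 0, "Anonymous request denied: %s has no DH mode", type);` before the `goto out;`. The function body starts and ends outside the hunk, so what `out:` already does should be confirmed first.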
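Review bot: In the second hunk the condition tests `ap.clientPublicValue == NULL` while the message says "RSA mode", so the reader has to infer that a missing DH public value is what selects RSA key transport. A comment above the `if` would make the policy explicit, for example `/* no clientPublicValue means RSA key transport; anonymous is only allowed with DH */`, if that is the intent. The branch also calls `free_AuthPack(&ap)` before `goto out;`. The cleanup under `out:` is outside the hunk, so it is worth confirming that `ap` is not released a second time there.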