kdc: don't misidentify constrained delegation requests as anonymous

Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and
cname-in-addl-tkt flags for constrained delegation requests. A true anonymous
TGS request will only have the former flag set. Do not treat TGS requests with
both flags set as anonymous requests.
This commit is contained in:
Luke Howard
2019-06-03 14:36:36 +10:00
parent 27c6cf7a9f
commit cdd0b70d37
2 changed files with 28 additions and 9 deletions

View File

@@ -118,15 +118,16 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
static krb5_boolean
is_anon_request_p(kdc_request_t r)
is_anon_as_request_p(kdc_request_t r)
{
KDC_REQ_BODY *b = &r->req.req_body;
/*
* Some versions of heimdal use bit 14 instead of 16 for
* request_anonymous, as indicated in the anonymous draft prior to
* version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
* requests will have a second ticket; don't consider those anonymous
* version 11. Bit 14 is assigned to S4U2Proxy, but S4U2Proxy requests
* are only sent to the TGS and, in any case, would have an additional
* ticket present.
*/
return b->kdc_options.request_anonymous ||
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets);
@@ -463,7 +464,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
if (is_anon_request_p(r)) {
if (is_anon_as_request_p(r)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
return ret;
@@ -1794,7 +1795,7 @@ _kdc_as_rep(kdc_request_t r,
*/
if (_kdc_is_anonymous(context, r->client_princ) &&
!is_anon_request_p(r)) {
!is_anon_as_request_p(r)) {
kdc_log(context, config, 0, "Anonymous client w/o anonymous flag");
ret = KRB5KDC_ERR_BADOPTION;
goto out;
@@ -1968,7 +1969,7 @@ _kdc_as_rep(kdc_request_t r,
* send requre preauth is its required or anon is requested,
* anon is today only allowed via preauth mechanisms.
*/
if (require_preauth_p(r) || is_anon_request_p(r)) {
if (require_preauth_p(r) || is_anon_as_request_p(r)) {
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
_kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
goto out;
@@ -2001,7 +2002,7 @@ _kdc_as_rep(kdc_request_t r,
if(ret)
goto out;
if (is_anon_request_p(r)) {
if (is_anon_as_request_p(r)) {
ret = _kdc_check_anon_policy(context, config, r->client, r->server);
if (ret) {
_kdc_set_e_text(r, "Anonymous ticket requests are disabled");

View File

@@ -366,6 +366,24 @@ check_PAC(krb5_context context,
return 0;
}
static krb5_boolean
is_anon_tgs_request_p(const KDC_REQ_BODY *b,
const EncTicketPart *tgt)
{
KDCOptions f = b->kdc_options;
/*
* Earlier (pre-7.6) versions of Heimdal would send both the
* request-anonymous and cname-in-addl-tkt flags for constrained
* delegation requests. A true anonymous TGS request will only
* have the request-anonymous flag set. (A corollary of this is
* that it is not possible to support anonymous constrained
* delegation requests, although they would be of limited utility.)
*/
return tgt->flags.anonymous ||
(f.request_anonymous && !f.cname_in_addl_tkt && !b->additional_tickets);
}
/*
*
*/
@@ -506,7 +524,7 @@ check_tgs_flags(krb5_context context,
* anonymous KDC option SHOULD be set, but it is not required.
* Treat an anonymous TGT as if the anonymous flag was set.
*/
if (tgt->flags.anonymous || f.request_anonymous)
if (is_anon_tgs_request_p(b, tgt))
et->flags.anonymous = 1;
return 0;
@@ -2346,7 +2364,7 @@ server_lookup:
}
/* check local and per-principal anonymous ticket issuance policy */
if (tgt->flags.anonymous || b->kdc_options.request_anonymous) {
if (is_anon_tgs_request_p(b, tgt)) {
ret = _kdc_check_anon_policy(context, config, client, server);
if (ret)
goto out;