kdc: don't misidentify constrained delegation requests as anonymous
Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and cname-in-addl-tkt flags for constrained delegation requests. A true anonymous TGS request will only have the former flag set. Do not treat TGS requests with both flags set as anonymous requests.
This commit is contained in:
@@ -118,15 +118,16 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
|
||||
|
||||
|
||||
static krb5_boolean
|
||||
is_anon_request_p(kdc_request_t r)
|
||||
is_anon_as_request_p(kdc_request_t r)
|
||||
{
|
||||
KDC_REQ_BODY *b = &r->req.req_body;
|
||||
|
||||
/*
|
||||
* Some versions of heimdal use bit 14 instead of 16 for
|
||||
* request_anonymous, as indicated in the anonymous draft prior to
|
||||
* version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
|
||||
* requests will have a second ticket; don't consider those anonymous
|
||||
* version 11. Bit 14 is assigned to S4U2Proxy, but S4U2Proxy requests
|
||||
* are only sent to the TGS and, in any case, would have an additional
|
||||
* ticket present.
|
||||
*/
|
||||
return b->kdc_options.request_anonymous ||
|
||||
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets);
|
||||
@@ -463,7 +464,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
|
||||
|
||||
heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
|
||||
|
||||
if (is_anon_request_p(r)) {
|
||||
if (is_anon_as_request_p(r)) {
|
||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
|
||||
return ret;
|
||||
@@ -1794,7 +1795,7 @@ _kdc_as_rep(kdc_request_t r,
|
||||
*/
|
||||
|
||||
if (_kdc_is_anonymous(context, r->client_princ) &&
|
||||
!is_anon_request_p(r)) {
|
||||
!is_anon_as_request_p(r)) {
|
||||
kdc_log(context, config, 0, "Anonymous client w/o anonymous flag");
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
goto out;
|
||||
@@ -1968,7 +1969,7 @@ _kdc_as_rep(kdc_request_t r,
|
||||
* send requre preauth is its required or anon is requested,
|
||||
* anon is today only allowed via preauth mechanisms.
|
||||
*/
|
||||
if (require_preauth_p(r) || is_anon_request_p(r)) {
|
||||
if (require_preauth_p(r) || is_anon_as_request_p(r)) {
|
||||
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
|
||||
_kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
|
||||
goto out;
|
||||
@@ -2001,7 +2002,7 @@ _kdc_as_rep(kdc_request_t r,
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
if (is_anon_request_p(r)) {
|
||||
if (is_anon_as_request_p(r)) {
|
||||
ret = _kdc_check_anon_policy(context, config, r->client, r->server);
|
||||
if (ret) {
|
||||
_kdc_set_e_text(r, "Anonymous ticket requests are disabled");
|
||||
|
@@ -366,6 +366,24 @@ check_PAC(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_boolean
|
||||
is_anon_tgs_request_p(const KDC_REQ_BODY *b,
|
||||
const EncTicketPart *tgt)
|
||||
{
|
||||
KDCOptions f = b->kdc_options;
|
||||
|
||||
/*
|
||||
* Earlier (pre-7.6) versions of Heimdal would send both the
|
||||
* request-anonymous and cname-in-addl-tkt flags for constrained
|
||||
* delegation requests. A true anonymous TGS request will only
|
||||
* have the request-anonymous flag set. (A corollary of this is
|
||||
* that it is not possible to support anonymous constrained
|
||||
* delegation requests, although they would be of limited utility.)
|
||||
*/
|
||||
return tgt->flags.anonymous ||
|
||||
(f.request_anonymous && !f.cname_in_addl_tkt && !b->additional_tickets);
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
@@ -506,7 +524,7 @@ check_tgs_flags(krb5_context context,
|
||||
* anonymous KDC option SHOULD be set, but it is not required.
|
||||
* Treat an anonymous TGT as if the anonymous flag was set.
|
||||
*/
|
||||
if (tgt->flags.anonymous || f.request_anonymous)
|
||||
if (is_anon_tgs_request_p(b, tgt))
|
||||
et->flags.anonymous = 1;
|
||||
|
||||
return 0;
|
||||
@@ -2346,7 +2364,7 @@ server_lookup:
|
||||
}
|
||||
|
||||
/* check local and per-principal anonymous ticket issuance policy */
|
||||
if (tgt->flags.anonymous || b->kdc_options.request_anonymous) {
|
||||
if (is_anon_tgs_request_p(b, tgt)) {
|
||||
ret = _kdc_check_anon_policy(context, config, client, server);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
Reference in New Issue
Block a user