Document logic in _krb5_is_anon_request

describe why we look at the different bits and fields
2014-07-06 14:37:49 -04:00
parent c2e2de7384
commit f3789f8cc5
1 changed files with 4 additions and 0 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2329,6 +2329,10 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
 krb5_boolean
 _kdc_is_anon_request(const KDC_REQ_BODY *b)
 {
+	/* some versions of heimdal use bit 14 instead of 16 for
+	   request_anonymous, as indicated in the anonymous draft prior to
+	   version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
+	   requests will have a second ticket; don't consider those anonymous */
 	return (b->kdc_options.request_anonymous ||
 		(b->kdc_options.constrained_delegation && !b->additional_tickets));
 }