KDC policy handling for anonymous tickets:

* In TGS, set the anonymous flag if the anonymous flag is set in the AS * Only authdata systems that support anonymous are called for anonymous tickets * Currently we copy authdata from request and TGT buth nothing else Note that if we support anonymous TGS requests in the future, copying authdata from the TGT would be the wrong thing to do in that case. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23500 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Dec 23, 2009 · 5865528 · 5865528
1 parent dd25e7c
commit 5865528
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
@@ -593,7 +593,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     } else {
         enc_tkt_reply.times.renew_till = 0;
     }
-
+    if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
+        setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
     /*
      * Set authtime to be the same as header or evidence ticket's
      */

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
@@ -128,6 +128,7 @@ typedef struct _krb5_authdata_systems {
     int         type;
 #define AUTHDATA_FLAG_CRITICAL  0x1
 #define AUTHDATA_FLAG_PRE_PLUGIN 0x2
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
     int         flags;
     void       *plugin_context;
     init_proc   init;
@@ -143,7 +144,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
         /* Propagate client-submitted authdata */
         "tgs_req",
         AUTHDATA_SYSTEM_V2,
-        AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN,
+        AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
         NULL,
         NULL,
         NULL,
@@ -153,7 +154,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
         /* Propagate TGT authdata */
         "tgt",
         AUTHDATA_SYSTEM_V2,
-        AUTHDATA_FLAG_CRITICAL,
+        AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
         NULL,
         NULL,
         NULL,
@@ -765,6 +766,9 @@ handle_authdata (krb5_context context,
 
     for (i = 0; i < n_authdata_systems; i++) {
         const krb5_authdata_systems *asys = &authdata_systems[i];
+        if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
+            !isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
+            continue;
 
         switch (asys->type) {
         case AUTHDATA_SYSTEM_V0: