kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy. d5bb7a7 ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request. The setting of the anonymous TicketFlag was removed by ea7615a("Do not set anonymous flag in S4U2Proxy request"). 014e318 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket. The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested. The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client. This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set. Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9
heimdal · Jun 1, 2019 · cad699a · cad699a
1 parent ea7615a
commit cad699a
Showing 1 changed file with 23 additions and 6 deletions.
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
@@ -2434,10 +2434,27 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
 krb5_boolean
 _kdc_is_anon_request(const KDC_REQ_BODY *b)
 {
-	/* some versions of heimdal use bit 14 instead of 16 for
-	   request_anonymous, as indicated in the anonymous draft prior to
-	   version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
-	   requests will have a second ticket; don't consider those anonymous */
-	return (b->kdc_options.request_anonymous ||
-		(b->kdc_options.constrained_delegation && !b->additional_tickets));
+    if (b->kdc_options.constrained_delegation) {
+	if (!b->additional_tickets) {
+	    /*
+	     * some versions of heimdal use bit 14 instead of 16 for
+	     * request_anonymous, as indicated in the anonymous draft prior
+	     * to version 11. Bit 14 is assigned to S4U2Proxy, but all
+	     * S4U2Proxy requests will have a second ticket.  Use the missing
+	     * second ticket as an indicator that this is a pre-draft 11
+	     * client. */
+	    b->kdc_options.constrained_delegation = 0;
+	    b->kdc_options.request_anonymous = 1;
+	}
+	else if (b->request_anonymous) {
+	    /*
+	     * Heimdal versions between 1.0 and 7.6 set the anonymous_request
+	     * bit (16) in addition to constrained_delegation (14) when
+	     * requesting S4U2Proxy.  The Windows KDC ignores the
+	     * anonymous_request bit when satisfying a S4U2Proxy request.
+	     */
+	    b->kdc_options.request_anonymous = 0;
+	}
+    }
+    return b->kdc_options.request_anonymous;
 }