From: Sam Hartman
Date: Wed, 23 Dec 2009 21:10:16 +0000 (+0000)
Subject: KDC policy handling for anonymous tickets:
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf4a1c8d7ae3979344f1cf36fbf53845e46b3ff3;p=thirdparty%2Fkrb5.git
KDC policy handling for anonymous tickets:
* In TGS, set the anonymous flag if the anonymous flag is set in the AS
* Only authdata systems that support anonymous are called for anonymous tickets
* Currently we copy authdata from request and TGT buth nothing else
Note that if we support anonymous TGS requests in the future, copying authdata from the TGT would be the wrong thing to do in that case.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23500 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 75d4132509..4a778f4120 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -593,7 +593,8 @@ tgt_again:
     } else {
         enc_tkt_reply.times.renew_till = 0;
     }
-
+    if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
+        setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
     /*
      * Set authtime to be the same as header or evidence ticket's
      */
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 03bfe29c4f..8821674430 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -128,6 +128,7 @@ typedef struct _krb5_authdata_systems {
     int type;
 #define AUTHDATA_FLAG_CRITICAL 0x1
 #define AUTHDATA_FLAG_PRE_PLUGIN 0x2
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
     int flags;
     void *plugin_context;
     init_proc init;
@@ -143,7 +144,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
     /* Propagate client-submitted authdata */
     "tgs_req",
     AUTHDATA_SYSTEM_V2,
-    AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN,
+    AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
     NULL,
     NULL,
     NULL,
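Review bot: The new flag copy in do_tgs_req.c carries TKT_FLG_ANONYMOUS from header_enc_tkt into enc_tkt_reply with no comment, and this is a security invariant rather than a cosmetic flag: a service ticket derived from an anonymous TGT must itself be marked anonymous, otherwise the service sees a ticket for the anonymous principal with the flag clear and may treat it as a normally authenticated client. I would put above the `if`: `/* An anonymous TGT may only yield anonymous service tickets; the flag must follow the client identity into the reply. */`. The condition looks only at the header ticket, so a TGS request that asks for anonymity on a normal TGT is not handled here (the commit message defers that), and a TODO at this spot would keep both paths in one place when it is added. The enclosing function begins and ends outside the hunk.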
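Review bot: The comment on the new `#define` is written as `/*Use this plugin even for anonymous tickets*/`, without the spaces inside the delimiters that the rest of this file uses (`/* Propagate client-submitted authdata */` in the next hunk), and "even for" understates what the flag decides: judging by the `continue` added in handle_authdata, a system without it is not consulted at all for anonymous tickets, regardless of AUTHDATA_FLAG_CRITICAL. I would make the comment say so: `#define AUTHDATA_FLAG_ANONYMOUS 0x4 /* Run for anonymous tickets too; unflagged systems are skipped for them */`.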
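Review bot: The rewritten flags line for the "tgs_req" entry mixes spacing, `AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,`, where the removed line and the rest of the table separate operators with spaces; I would write `AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN | AUTHDATA_FLAG_ANONYMOUS,`. Since this system copies authdata the client itself submitted, marking it anonymous-safe looks right, but a one-line reason would help the next person auditing the table, e.g. `/* Client-supplied data can only reveal what the client chose to send */`.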
@@ -153,7 +154,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
     /* Propagate TGT authdata */
     "tgt",
     AUTHDATA_SYSTEM_V2,
-    AUTHDATA_FLAG_CRITICAL,
+    AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
     NULL,
     NULL,
     NULL,
@@ -765,6 +766,9 @@ handle_authdata (krb5_context context,
     for (i = 0; i < n_authdata_systems; i++) {
         const krb5_authdata_systems *asys = &authdata_systems[i];
+        if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
+            !isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
+            continue;
         switch (asys->type) {
         case AUTHDATA_SYSTEM_V0:
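Review bot: Marking the "tgt" propagation system anonymous-safe is only correct while an anonymous service ticket can come only from an anonymous TGT, because TGT authdata (a PAC, for instance) can identify the real client and copying it into a ticket flagged anonymous would de-anonymise that client; the commit message records this caveat, but the code does not, and this table entry is where a future change enabling anonymous TGS requests from a named TGT would have to look. I would put the caveat on the entry itself: `/* Propagate TGT authdata.  Anonymous-safe only because an anonymous ticket currently requires an anonymous TGT; if anonymity requested on a named TGT is ever honoured, this must not copy the TGT's identifying authdata. */`. The flags line also drops the spaces the table uses around `|`: `AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_ANONYMOUS,`.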