authorSam Hartman <hartmans@mit.edu>2009-12-23 21:09:56 +0000
committerSam Hartman <hartmans@mit.edu>2009-12-23 21:09:56 +0000
commit8d3ccb41a40a1a1d91474946678bfd5ac23f931a (patch)
tree2bbb70df843b8e446ca553de5062a6f1d6ab6421
parentf72bffe690f55f18ca6ed419e67f184a209b0ca5 (diff)
Because there is only one realm field in the kdc request, the KDC
remaps WELLKNOWN/ANONYMOUS@realm to WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. In the client pkinit plugin, do not require that the anonymous realm be used for the anonymous principal. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23494 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/do_as_req.c16
-rw-r--r--src/plugins/preauth/pkinit/pkinit_identity.c2
2 files changed, 17 insertions, 1 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23f1ddc..4a845ce 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -389,6 +389,22 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ /* If anonymous requests are being used, adjust the realm of the client principal*/
+ if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
+ if (!krb5_principal_compare_any_realm(kdc_context, request->client,
+ krb5_anonymous_principal())) {
+ errcode = KRB5KDC_ERR_BADOPTION;
+ status = "Anonymous requested but anonymous principal not used.";
+ goto errout;
+ }
+ krb5_free_principal(kdc_context, request->client);
+ errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+ &request->client);
+ if (errcode) {
+ status = "Copying anonymous principal";
+ goto errout;
+ }
+ }
/*
* Check the preauthentication if it is there.
*/
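Review bot: When `krb5_copy_principal` fails, the added block jumps to `errout` with `request->client` still holding the pointer it has just passed to `krb5_free_principal`, unless the copy routine resets its output on failure. If the `errout` path or the caller's request cleanup reads or frees `request->client`, that is a use-after-free or double free whenever allocation fails while handling an anonymous AS-REQ. That code is not visible here, since process_as_req starts and ends outside this hunk. Copying into a local first and replacing `request->client` only after the copy succeeds removes the window.

```c
    if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
        krb5_principal anon_client = NULL;

        /* ... unchanged: krb5_principal_compare_any_realm check ... */
        errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
                                      &anon_client);
        if (errcode) {
            status = "Copying anonymous principal";
            goto errout;
        }
        /* Swap only after the copy succeeded, so request->client never dangles. */
        krb5_free_principal(kdc_context, request->client);
        request->client = anon_client;
    }
```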
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index dfb9dd7..0ab214c 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -505,7 +505,7 @@ pkinit_identity_initialize(krb5_context context,
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
- if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) {
+ if (!krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal())) {
if (idopts == NULL || id_cryptoctx == NULL)
goto errout;
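Review bot: The changed condition now decides on the principal name alone whether the client identity setup in this branch is skipped, and nothing at the call site says the realm is ignored on purpose. A short comment above the test would record that, for example `/* The KDC remaps the anonymous realm, so match WELLKNOWN/ANONYMOUS in any realm. */`. pkinit_identity_initialize starts and ends outside this hunk, so what the skipped branch loads is not visible here.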