svn rev #23494: branches/anonymous/src/ kdc/ plugins/preauth/pkinit/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Dec 23 16:09:57 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23494
Commit By: hartmans
Log Message:
Because there is only one realm field in the KDC request, the KDC
remaps WELLKNOWN/ANONYMOUS@realm to
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
In the client pkinit plugin, do not require that the anonymous realm be used for the anonymous principal.
Changed Files:
U branches/anonymous/src/kdc/do_as_req.c
U branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c
Modified: branches/anonymous/src/kdc/do_as_req.c
===================================================================
--- branches/anonymous/src/kdc/do_as_req.c 2009-12-23 21:09:53 UTC (rev 23493)
+++ branches/anonymous/src/kdc/do_as_req.c 2009-12-23 21:09:56 UTC (rev 23494)
@@ -389,6 +389,22 @@
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ /* If anonymous requests are being used, adjust the realm of the client principal*/
+ if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
+ if (!krb5_principal_compare_any_realm(kdc_context, request->client,
+ krb5_anonymous_principal())) {
+ errcode = KRB5KDC_ERR_BADOPTION;
+ status = "Anonymous requested but anonymous principal not used.";
+ goto errout;
+ }
+ krb5_free_principal(kdc_context, request->client);
+ errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+ &request->client);
+ if (errcode) {
+ status = "Copying anonymous principal";
+ goto errout;
+ }
+ }
/*
* Check the preauthentication if it is there.
*/
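Review bot: The free-before-copy order in the added `krb5_free_principal` / `krb5_copy_principal` pair leaves `request->client` pointing at freed memory when the copy fails, and the `goto errout` right after hands that request to the error path, so anything there that reads the client principal (logging the name, building the error reply) becomes a use-after-free. Copy into a temporary first and free the old principal only once the copy has succeeded, as below. If `enc_tkt_reply.client` or any other alias of the old principal was assigned earlier in process_as_req (the function starts above this hunk, so that cannot be seen here), it must also be reset to the new `request->client` after the swap or it dangles as well. Note too that this remap runs after the client lookup and name string were presumably derived from the original realm; worth confirming that ordering is intended.
```c
        krb5_principal anon_client = NULL;

        /* Copy first: freeing request->client before the copy succeeds
         * would leave errout (and any alias of the old principal) with a
         * dangling pointer. */
        errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
                                      &anon_client);
        if (errcode) {
            status = "Copying anonymous principal";
            goto errout;
        }
        krb5_free_principal(kdc_context, request->client);
        request->client = anon_client;
```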
Modified: branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c
===================================================================
--- branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c 2009-12-23 21:09:53 UTC (rev 23493)
+++ branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c 2009-12-23 21:09:56 UTC (rev 23494)
@@ -505,7 +505,7 @@
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
- if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) {
+ if (!krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal())) {
if (idopts == NULL || id_cryptoctx == NULL)
goto errout;