svn rev #23500: branches/anonymous/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Dec 23 16:10:16 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23500
Commit By: hartmans
Log Message:
KDC policy handling for anonymous tickets:
* In TGS, set the anonymous flag if the anonymous flag is set in the AS
* Only authdata systems that support anonymous are called for anonymous tickets
* Currently we copy authdata from request and TGT but nothing else
Note that if we support anonymous TGS requests in the future, copying
authdata from the TGT would be the wrong thing to do in that case.
Changed Files:
U branches/anonymous/src/kdc/do_tgs_req.c
U branches/anonymous/src/kdc/kdc_authdata.c
Modified: branches/anonymous/src/kdc/do_tgs_req.c
===================================================================
--- branches/anonymous/src/kdc/do_tgs_req.c 2009-12-23 21:10:13 UTC (rev 23499)
+++ branches/anonymous/src/kdc/do_tgs_req.c 2009-12-23 21:10:16 UTC (rev 23500)
@@ -593,7 +593,8 @@
} else {
enc_tkt_reply.times.renew_till = 0;
}
-
+ if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
+ setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
/*
* Set authtime to be the same as header or evidence ticket's
*/
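Review bot: The anonymous flag is propagated from `header_enc_tkt` only, yet the comment directly below the new lines speaks of a "header or evidence ticket", which suggests a path where the reply is derived from an evidence ticket. The function body lies outside this hunk, so it is worth confirming whether an anonymous evidence ticket can reach this point and, if so, whether its flag is carried over somewhere else. I would also put a one-line comment above the new `if`, for example `/* Anonymity is inherited: a ticket issued from an anonymous TGT stays anonymous. */`, since the blank line that separated this step from the renew_till logic was removed.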
Modified: branches/anonymous/src/kdc/kdc_authdata.c
===================================================================
--- branches/anonymous/src/kdc/kdc_authdata.c 2009-12-23 21:10:13 UTC (rev 23499)
+++ branches/anonymous/src/kdc/kdc_authdata.c 2009-12-23 21:10:16 UTC (rev 23500)
@@ -128,6 +128,7 @@
int type;
#define AUTHDATA_FLAG_CRITICAL 0x1
#define AUTHDATA_FLAG_PRE_PLUGIN 0x2
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
int flags;
void *plugin_context;
init_proc init;
@@ -143,7 +144,7 @@
/* Propagate client-submitted authdata */
"tgs_req",
AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN,
+ AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
NULL,
NULL,
NULL,
@@ -153,7 +154,7 @@
/* Propagate TGT authdata */
"tgt",
AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL,
+ AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
NULL,
NULL,
NULL,
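Review bot: The caveat from the log message, that copying authdata from the TGT would be wrong once anonymous TGS requests are supported, is recorded only in the commit log and not next to the `"tgt"` entry that now carries `AUTHDATA_FLAG_ANONYMOUS`. I would extend the entry's comment to something like `/* Propagate TGT authdata; drop AUTHDATA_FLAG_ANONYMOUS here if anonymous TGS requests are ever supported */` so the next maintainer sees the condition where the flag is set. The same flag is added to the `"tgs_req"` entry in the previous hunk, where a similar one-line justification would help. As a style point, the new flag is or-ed in without spaces around `|` while the existing operands use them.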
@@ -765,6 +766,9 @@
for (i = 0; i < n_authdata_systems; i++) {
const krb5_authdata_systems *asys = &authdata_systems[i];
+ if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
+ !isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
+ continue;
switch (asys->type) {
case AUTHDATA_SYSTEM_V0:
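Review bot: The new filter only works if `TKT_FLG_ANONYMOUS` is already set in `enc_tkt_reply->flags` when this loop runs, and the callers are outside the hunk, so that ordering should be confirmed for every code path that reaches this function. The `continue` also skips systems marked `AUTHDATA_FLAG_CRITICAL`, so a critical plugin without the new flag is silently bypassed for anonymous tickets rather than failing the request. That appears intended as an opt-in policy, but it deserves a comment such as `/* Anonymous tickets: run only systems that opted in, even if others are critical. */`. The ticket-flag test is loop-invariant and could be evaluated once before the `for`. The enclosing function begins and ends outside this hunk.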