diff options
author | Isaac Boukris <iboukris@gmail.com> | 2019-11-21 11:12:48 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-11-29 12:18:28 +0100 |
commit | 277ab21fcf31bf60458410994e188d9c236963a3 (patch) | |
tree | 8e6fa08f8b44bfa8eec29cc8af08cfa8656c5a67 | |
parent | d0d4954b9b4643678b6f465959dd69de0faafd07 (diff) | |
download | samba-277ab21fcf31bf60458410994e188d9c236963a3.tar.gz |
CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14187
Signed-off-by: Isaac Boukris <iboukris@samba.org>
-rw-r--r-- | source4/kdc/mit_samba.c | 5 | ||||
-rw-r--r-- | source4/kdc/sdb_to_kdb.c | 17 |
2 files changed, 11 insertions, 11 deletions
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index eacca0903ec..06e680b60e2 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -304,6 +304,11 @@ fetch_referral_principal: sdb_free_entry(&sentry); + if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { + kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; + kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; + } + done: krb5_free_principal(ctx->context, referral_principal); referral_principal = NULL; diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c index 74d882738f8..b7253ade122 100644 --- a/source4/kdc/sdb_to_kdb.c +++ b/source4/kdc/sdb_to_kdb.c @@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s, if (s->initial) { *k |= KRB5_KDB_DISALLOW_TGT_BASED; } - /* - * Do not set any disallow rules for forwardable, proxiable, - * renewable, postdate and server. - * - * The KDC will take care setting the flags based on the incoming - * ticket. - */ - if (s->forwardable) { - ; + /* The forwardable and proxiable flags are set according to client and + * server attributes. */ + if (!s->forwardable) { + *k |= KRB5_KDB_DISALLOW_FORWARDABLE; } - if (s->proxiable) { - ; + if (!s->proxiable) { + *k |= KRB5_KDB_DISALLOW_PROXIABLE; } if (s->renewable) { ; |