summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
authorIsaac Boukris <iboukris@gmail.com>2019-11-21 11:12:48 +0100
committerKarolin Seeger <kseeger@samba.org>2019-12-03 13:10:21 +0100
commit1ccab20c59b651173e76918a6b84290a5be4a27d (patch)
tree0c157f299e8f34960168c430c8e55168c839c900 /source4/kdc
parentfbc1f000cf76f2172d63c9cdf4889fd83a087b14 (diff)
downloadsamba-1ccab20c59b651173e76918a6b84290a5be4a27d.tar.gz
CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/mit_samba.c5
-rw-r--r--source4/kdc/sdb_to_kdb.c17
2 files changed, 11 insertions, 11 deletions
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 54dcd545ea1..5a4f6e73e97 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -304,6 +304,11 @@ fetch_referral_principal:
sdb_free_entry(&sentry);
+ if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
+ kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+ kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+ }
+
done:
krb5_free_principal(ctx->context, referral_principal);
referral_principal = NULL;
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index 1411b0f5f66..2981f180333 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
if (s->initial) {
*k |= KRB5_KDB_DISALLOW_TGT_BASED;
}
- /*
- * Do not set any disallow rules for forwardable, proxiable,
- * renewable, postdate and server.
- *
- * The KDC will take care setting the flags based on the incoming
- * ticket.
- */
- if (s->forwardable) {
- ;
+ /* The forwardable and proxiable flags are set according to client and
+ * server attributes. */
+ if (!s->forwardable) {
+ *k |= KRB5_KDB_DISALLOW_FORWARDABLE;
}
- if (s->proxiable) {
- ;
+ if (!s->proxiable) {
+ *k |= KRB5_KDB_DISALLOW_PROXIABLE;
}
if (s->renewable) {
;
View Lorry Controller Status