CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
authorIsaac Boukris <iboukris@gmail.com>
Thu, 21 Nov 2019 10:12:48 +0000 (11:12 +0100)
committerKarolin Seeger <kseeger@samba.org>
Tue, 10 Dec 2019 10:44:01 +0000 (10:44 +0000)
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Dec 10 10:44:01 UTC 2019 on sn-devel-184

source4/kdc/mit_samba.c
source4/kdc/sdb_to_kdb.c

index 54dcd545ea12df70a0a257ae7c3e6719879e86cb..5a4f6e73e97cb914c1074bfd5e24b9146f9b92c3 100644 (file)
@@ -304,6 +304,11 @@ fetch_referral_principal:
 
        sdb_free_entry(&sentry);
 
+       if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+       }
+
 done:
        krb5_free_principal(ctx->context, referral_principal);
        referral_principal = NULL;
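Review bot: The added block at the `KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY` check carries no comment saying why the disallow bits are dropped for every lookup that is not a client lookup, and the title's "delegation_not_allowed" intent is not visible from the code alone; I would add `/* Only the client entry's forwardable/proxiable policy is enforced; clear the bits on all other lookups. */` above the `if`. The two `&=` statements can be one: `kentry->attributes &= ~(KRB5_KDB_DISALLOW_FORWARDABLE | KRB5_KDB_DISALLOW_PROXIABLE);`. The block sits after `sdb_free_entry()` and before the `done:` label, so it presumably runs only on the success path and is skipped by earlier jumps to `done` — worth confirming that this is intended for the referral error paths. The enclosing function begins before this hunk.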
index 1411b0f5f66b462b0da852643d74df6332a351f1..2981f1803338b8e95e605e3933cbbb7222853b38 100644 (file)
@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
        if (s->initial) {
                *k |= KRB5_KDB_DISALLOW_TGT_BASED;
        }
-       /*
-        * Do not set any disallow rules for forwardable, proxiable,
-        * renewable, postdate and server.
-        *
-        * The KDC will take care setting the flags based on the incoming
-        * ticket.
-        */
-       if (s->forwardable) {
-               ;
+       /* The forwardable and proxiable flags are set according to client and
+        * server attributes. */
+       if (!s->forwardable) {
+               *k |= KRB5_KDB_DISALLOW_FORWARDABLE;
        }
-       if (s->proxiable) {
-               ;
+       if (!s->proxiable) {
+               *k |= KRB5_KDB_DISALLOW_PROXIABLE;
        }
        if (s->renewable) {
                ;
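Review bot: Deleting the old comment block also removed the only explanation for the empty `if (s->renewable) { ; }` branch that remains at the end of this hunk (and, by the old comment's wording, the postdate and server ones that presumably follow), leaving `;` bodies that now look like mistakes. I would keep a short note above the renewable check, e.g. `/* No disallow rules for renewable, postdate and server; the KDC derives those from the incoming ticket. */`, so the next reader does not "fix" them into `DISALLOW_*` bits. The new `/* The forwardable and proxiable flags ... */` comment could also say that an unset sdb flag now maps to a DISALLOW bit, which is the actual behaviour change here. SDBFlags_to_kflags continues past the end of the hunk.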