deny non valid use of anonymous requests.
authorLove Hörnquist Åstrand <lha@kth.se>
Wed, 4 Feb 2009 22:03:27 +0000 (22:03 +0000)
committerLove Hörnquist Åstrand <lha@kth.se>
Wed, 4 Feb 2009 22:03:27 +0000 (22:03 +0000)
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24574 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/pkinit.c

index 7ae590945b09c3e38929513a2b594e1cba106071..2a5b9ba2cab7a712d863f771e95edff85a38a9f5 100644 (file)
@@ -394,6 +394,13 @@ _kdc_pk_rd_padata(krb5_context context,
 
        type = "PK-INIT-Win2k";
 
+       if (req->req_body.kdc_options.request_anonymous) {
+           ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
+           krb5_set_error_message(context, ret, 
+                                  "Anon not supported in RSA mode");
+           goto out;
+       }
+
        ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
                                        pa->padata_value.length,
                                        &r,
@@ -605,6 +612,15 @@ _kdc_pk_rd_padata(krb5_context context,
            goto out;
        }
 
+       if (req->req_body.kdc_options.request_anonymous &&
+           ap.clientPublicValue == NULL) {
+           free_AuthPack(&ap);
+           ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
+           krb5_set_error_message(context, ret, 
+                                  "Anon not supported in RSA mode");
+           goto out;
+       }
+
        ret = pk_check_pkauthenticator(context,
                                       &ap.pkAuthenticator,
                                       req);
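Review bot: The condition `request_anonymous && ap.clientPublicValue == NULL` is the security-relevant check here and deserves a why-comment, since the link between a missing clientPublicValue and "RSA mode" is only implied by the error string: `/* no DH value means the reply key would be RSA-encrypted to a client cert; an anonymous client has none, so refuse */`. The new path calls free_AuthPack before `goto out`, whereas the preceding error path at the top of the hunk jumps to `out` with no visible release of ap; either that path frees ap earlier, outside the hunk, or the two paths disagree on ownership — worth confirming so `out:` does not free ap a second time. _kdc_pk_rd_padata starts and ends outside the hunk.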