From 42d27600e070b22ceaf20d35128b0678f91bf146 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Dec 2022 11:16:06 +0100
Subject: [PATCH 1/3] HEIMDAL: kdc: don't announce KRB5_PADATA_FX_FAST unless fast is enabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273

Signed-off-by: Stefan Metzmacher
---
 third_party/heimdal/kdc/kerberos5.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index b089547f7851..f89951da707e 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -2271,7 +2271,10 @@ add_enc_pa_rep(astgs_request_t r)
                           KRB5_PADATA_REQ_ENC_PA_REP, cdata.data, cdata.length);
     if (ret)
         return ret;
-
+
+    if (!r->config->enable_fast)
+        return 0;
+
     return krb5_padata_add(r->context, r->ek.encrypted_pa_data,
                            KRB5_PADATA_FX_FAST, NULL, 0);
 }
@@ -2586,6 +2589,8 @@ _kdc_as_rep(astgs_request_t r)
                 if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp)
                     continue;
             }
+            if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast)
+                continue;
             ret = krb5_padata_add(r->context, r->rep.padata,
                                   pat[n].type,
                                   NULL, 0);
-- 
2.34.1

From b5a91ca1c8eeb2fb892c79a24e9565af21decb62 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Dec 2022 11:18:22 +0100
Subject: [PATCH 2/3] HEIMDAL: kdc: don't announce KRB5_PADATA_PKINIT_KX unless anonymous is allowed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273

Signed-off-by: Stefan Metzmacher
---
 third_party/heimdal/kdc/kerberos5.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index f89951da707e..3ff42244ffd8 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
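Review bot: The added `return 0` in add_enc_pa_rep silently omits the empty PA-FX-FAST entry from enc-pa-data, and nothing in the hunk says what that entry is for, so the next reader cannot tell whether skipping it is harmless; the function's body starts outside the hunk. Suggest a comment on the new check: `/* An empty PA-FX-FAST in the encrypted pa-data tells the client this KDC supports FAST; do not advertise it when FAST is disabled. */`. It is also worth confirming, since it is not visible here, that `r->armor_crypto` is never set when `enable_fast` is off, otherwise an exchange that was actually FAST-armored would be answered without the marker.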
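Review bot: The announce filter in _kdc_as_rep is growing into a chain of near-identical `if (pat[n].type == X && !r->config->Y) continue;` checks ahead of the krb5_padata_add call: this hunk adds the FX_FAST one, the [PATCH 2/3] hunk adds PKINIT_KX and the [PATCH 3/3] hunk adds GSS. A single `switch (pat[n].type)` that owns the per-mechanism policy, with the existing ENC_TIMESTAMP branch folded in, keeps the configuration-to-mechanism mapping in one place and makes the next mechanism a one-case addition. The enclosing loop and the function start outside the hunk, so the sketch below assumes `continue` still refers to that loop.
```c
            /* … unchanged: PA_REQ_FAST check … */
            /* Announce only the mechanisms this KDC is configured to accept. */
            switch (pat[n].type) {
            case KRB5_PADATA_ENC_TIMESTAMP:
                if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp)
                    continue;
                if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp)
                    continue;
                break;
            case KRB5_PADATA_FX_FAST:
                if (!r->config->enable_fast)
                    continue;
                break;
            case KRB5_PADATA_PKINIT_KX:
                if (!r->config->allow_anonymous)
                    continue;
                break;
            case KRB5_PADATA_GSS:
                if (!r->config->enable_gss_preauth)
                    continue;
                break;
            default:
                break;
            }
            /* … unchanged: krb5_padata_add(r->context, r->rep.padata, ...) … */
```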
@@ -2583,6 +2583,8 @@ _kdc_as_rep(astgs_request_t r)
             if (!r->armor_crypto && (pat[n].flags & PA_REQ_FAST))
                 continue;
+            if (pat[n].type == KRB5_PADATA_PKINIT_KX && !r->config->allow_anonymous)
+                continue;
             if (pat[n].type == KRB5_PADATA_ENC_TIMESTAMP) {
                 if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp)
                     continue;
-- 
2.34.1

From 2b9bc6ea9642402eb2f284213286bdd9b170f7eb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Dec 2022 11:19:02 +0100
Subject: [PATCH 3/3] HEIMDAL: kdc: don't announce KRB5_PADATA_GSS unless gss_preauth is enabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273

Signed-off-by: Stefan Metzmacher
---
 third_party/heimdal/kdc/kerberos5.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 3ff42244ffd8..b35d272d3f3b 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -2593,6 +2593,8 @@ _kdc_as_rep(astgs_request_t r)
             }
             if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast)
                 continue;
+            if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth)
+                continue;
             ret = krb5_padata_add(r->context, r->rep.padata,
                                   pat[n].type,
                                   NULL, 0);
-- 
2.34.1
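Review bot: Gating the PKINIT_KX announcement on `allow_anonymous` only changes what is listed in the pre-authentication-required reply; whether an unsolicited PA-PKINIT-KX from a client is still processed is decided by the handler behind `pat[n]`, which is outside this hunk, and the same applies to the GSS check in the [PATCH 3/3] hunk. If those handlers do not consult the same configuration flags, announcement and enforcement can drift apart, so it is worth confirming that they do. A short comment on the new check would record that intent: `/* Announcement only: the PKINIT-KX handler must itself refuse the mechanism when allow_anonymous is off. */`. The loop and _kdc_as_rep start outside the hunk.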