CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
authorIsaac Boukris <iboukris@gmail.com>
Thu, 21 Nov 2019 10:12:48 +0000 (11:12 +0100)
committerKarolin Seeger <kseeger@samba.org>
Fri, 29 Nov 2019 11:18:28 +0000 (12:18 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14187

Signed-off-by: Isaac Boukris <iboukris@samba.org>
source4/kdc/mit_samba.c
source4/kdc/sdb_to_kdb.c

index eacca0903ec56e264413a8478cb924077e88a4b6..06e680b60e20089728e1e2355a7abe51b4802196 100644 (file)
@@ -304,6 +304,11 @@ fetch_referral_principal:
 
        sdb_free_entry(&sentry);
 
+       if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+       }
+
 done:
        krb5_free_principal(ctx->context, referral_principal);
        referral_principal = NULL;
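Review bot: The added block clears DISALLOW_FORWARDABLE and DISALLOW_PROXIABLE from the returned entry purely on the absence of KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY, yet nothing in the hunk records the invariant this depends on: that every client-principal lookup carries that flag and that any other lookup is for a service entry which must not constrain ticket flags. If some caller fetches a client entry without that flag (I cannot see the callers from this hunk), the delegation_not_allowed restriction the commit title sets out to enforce would be silently stripped again, so the assumption deserves to be stated where it is relied on. I would add, above the `if`, a comment along the lines of `/* !forwardable/!proxiable in the sdb entry map to DISALLOW_* bits that only make sense for the client account; drop them on non-client (server) lookups so the service entry does not cause the KDC to clear FORWARDABLE/PROXIABLE on every ticket for it. */`. The enclosing function, and the declaration of `kflags`, begin outside this hunk.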
index 74d882738f816ad216a0d258fe785d58ca914c64..b7253ade122375742a7dc0f34502748b2e23e72b 100644 (file)
@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
        if (s->initial) {
                *k |= KRB5_KDB_DISALLOW_TGT_BASED;
        }
-       /*
-        * Do not set any disallow rules for forwardable, proxiable,
-        * renewable, postdate and server.
-        *
-        * The KDC will take care setting the flags based on the incoming
-        * ticket.
-        */
-       if (s->forwardable) {
-               ;
+       /* The forwardable and proxiable flags are set according to client and
+        * server attributes. */
+       if (!s->forwardable) {
+               *k |= KRB5_KDB_DISALLOW_FORWARDABLE;
        }
-       if (s->proxiable) {
-               ;
+       if (!s->proxiable) {
+               *k |= KRB5_KDB_DISALLOW_PROXIABLE;
        }
        if (s->renewable) {
                ;