gsskrb5: Fix dead code issues in deleg cred path

Nicolas Williams
2022-01-17 18:10:08 -06:00
parent 82b8c906e9
commit 00dd104b96


@@ -157,39 +157,31 @@ gsskrb5_accept_delegated_token(OM_uint32 *minor_status,
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
krb5_error_code kret; krb5_error_code kret;
int32_t ac_flags, ret = GSS_S_COMPLETE; int32_t ac_flags, ret = GSS_S_COMPLETE;
gsskrb5_cred handle;
*minor_status = 0; *minor_status = 0;
/* XXX Create a new delegated_cred_handle? */ /* XXX Create a new delegated_cred_handle? */
if (delegated_cred_handle == NULL) { if (delegated_cred_handle == NULL)
ret = GSS_S_COMPLETE; return GSS_S_COMPLETE;
goto out;
}
*delegated_cred_handle = NULL; *delegated_cred_handle = NULL;
kret = krb5_cc_resolve(context, "MEMORY:anonymous", &ccache); kret = krb5_cc_resolve(context, "MEMORY:anonymous", &ccache);
if (kret) { if (kret == 0)
ctx->flags &= ~GSS_C_DELEG_FLAG; kret = krb5_cc_initialize(context, ccache, ctx->source);
goto out; if (kret == 0) {
(void) krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&ac_flags);
kret = krb5_rd_cred2(context,
ctx->auth_context,
ccache,
&ctx->fwd_data);
(void) krb5_auth_con_setflags(context,
ctx->auth_context,
ac_flags);
} }
kret = krb5_cc_initialize(context, ccache, ctx->source);
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&ac_flags);
kret = krb5_rd_cred2(context,
ctx->auth_context,
ccache,
&ctx->fwd_data);
krb5_auth_con_setflags(context,
ctx->auth_context,
ac_flags);
if (kret) { if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG; ctx->flags &= ~GSS_C_DELEG_FLAG;
ret = GSS_S_FAILURE; ret = GSS_S_FAILURE;
@@ -197,62 +189,54 @@ gsskrb5_accept_delegated_token(OM_uint32 *minor_status,
goto out; goto out;
} }
if (delegated_cred_handle) { ret = _gsskrb5_krb5_import_cred(minor_status,
gsskrb5_cred handle; &ccache,
NULL,
NULL,
delegated_cred_handle);
if (ret != GSS_S_COMPLETE)
goto out;
ret = _gsskrb5_krb5_import_cred(minor_status, handle = (gsskrb5_cred) *delegated_cred_handle;
&ccache, handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
NULL,
NULL,
delegated_cred_handle);
if (ret != GSS_S_COMPLETE)
goto out;
handle = (gsskrb5_cred) *delegated_cred_handle; /*
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; * A root TGT is one of the form krbtgt/REALM@SAME-REALM.
*
/* * A destination TGT is a root TGT for the same realm as the acceptor
* A root TGT is one of the form krbtgt/REALM@SAME-REALM. * service's realm.
* *
* A destination TGT is a root TGT for the same realm as the acceptor * Normally clients delegate a root TGT for the client's realm.
* service's realm. *
* * In some deployments clients may want to delegate destination TGTs as
* Normally clients delegate a root TGT for the client's realm. * a form of constrained delegation: so that the destination service
* * cannot use the delegated credential to impersonate the client
* In some deployments clients may want to delegate destination TGTs as * principal to services in its home realm (due to KDC lineage/transit
* a form of constrained delegation: so that the destination service * checks). In those deployments there may not even be a route back to
* cannot use the delegated credential to impersonate the client * the KDCs of the client's realm, and attempting to use a
* principal to services in its home realm (due to KDC lineage/transit * non-destination TGT might even lead to timeouts.
* checks). In those deployments there may not even be a route back to *
* the KDCs of the client's realm, and attempting to use a * We could simply pretend not to have obtained a credential, except
* non-destination TGT might even lead to timeouts. * that a) we don't (yet) have an app name here for the appdefault we
* * need to check, b) the application really wants to be able to log a
* We could simply pretend not to have obtained a credential, except * message about the delegated credential being no good.
* that a) we don't (yet) have an app name here for the appdefault we *
* need to check, b) the application really wants to be able to log a * Thus we leave it to _gsskrb5_store_cred_into2() to decide what to do
* message about the delegated credential being no good. * with non-destination TGTs. To do that, it needs the realm of the
* * acceptor service, which we record here.
* Thus we leave it to _gsskrb5_store_cred_into2() to decide what to do */
* with non-destination TGTs. To do that, it needs the realm of the handle->destination_realm =
* acceptor service, which we record here. strdup(krb5_principal_get_realm(context, ctx->target));
*/ if (handle->destination_realm == NULL) {
handle->destination_realm = _gsskrb5_release_cred(minor_status, delegated_cred_handle);
strdup(krb5_principal_get_realm(context, ctx->target)); *minor_status = krb5_enomem(context);
if (handle->destination_realm == NULL) { ret = GSS_S_FAILURE;
_gsskrb5_release_cred(minor_status, delegated_cred_handle); goto out;
*minor_status = krb5_enomem(context);
ret = GSS_S_FAILURE;
goto out;
}
} }
out: out:
if (ccache) { if (ccache) {
/* Don't destroy the default cred cache */ krb5_cc_close(context, ccache);
if (delegated_cred_handle == NULL)
krb5_cc_close(context, ccache);
else
krb5_cc_destroy(context, ccache);
} }
return ret; return ret;
} }
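Review bot: The cleanup under `out:` now calls `krb5_cc_close()`, whereas the only branch that was reachable before called `krb5_cc_destroy()`, because `ccache` can be non-NULL there only when `delegated_cred_handle` is non-NULL. On failure paths after `krb5_rd_cred2()` has written the forwarded credential into the `MEMORY:anonymous` cache (for example if `_gsskrb5_krb5_import_cred()` fails and, presumably, leaves `ccache` set), a plain close may leave the delegated TGT resident in process memory unless close on an anonymous memory cache also frees its contents, which is not visible here. If that is not guaranteed, keep `krb5_cc_destroy(context, ccache);` under `out:` with a comment such as `/* only reached on failure: the cache is ours and may hold the delegated TGT */`. Separately, the merged `if (kret)` check now returns `GSS_S_FAILURE` when `krb5_cc_resolve()` or `krb5_cc_initialize()` fails, where the old code only cleared `GSS_C_DELEG_FLAG` and returned `GSS_S_COMPLETE`; if that is intended, it deserves a line in the commit message. The function's signature and the lines between the two hunks are outside the view.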