(krb5_get_forwarded_creds): honor

KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted (ENCTYPE_NULL) credentials. for use with old mit server and java based ones as they can't handle encrypted KRB-CRED. Note that the option needs to turned on because if the consumer sends the KRB-CRED in clear bad things will happen. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15150 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-05-17 08:12:29 +00:00
parent 682ff3fef0
commit 2dd7796261
1 changed files with 33 additions and 25 deletions
--- a/lib/krb5/get_for_creds.c
+++ b/lib/krb5/get_for_creds.c
@@ -173,7 +173,6 @@ krb5_get_forwarded_creds (krb5_context	    context,
    krb5_crypto crypto;
    struct addrinfo *ai;
    int save_errno;
-    krb5_keyblock *key;
    krb5_creds *ticket;
    char *realm;

@@ -216,7 +215,7 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	    return ret;
    }
    
-    kdc_flags.i = flags;
+    kdc_flags.b = int2KDCOptions(flags);

    ret = krb5_get_kdc_cred (context,
 			     ccache,
@@ -373,6 +372,14 @@ krb5_get_forwarded_creds (krb5_context	    context,
    if(buf_size != len)
 	krb5_abortx(context, "internal error in ASN.1 encoder");

+    if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
+	cred.enc_part.etype = ENCTYPE_NULL;
+	cred.enc_part.kvno = NULL;
+	cred.enc_part.cipher.data = buf;
+	cred.enc_part.cipher.length = buf_size;
+    } else {
+	krb5_keyblock *key;
+
 	if (auth_context->local_subkey)
 	    key = auth_context->local_subkey;
 	else if (auth_context->remote_subkey)
@@ -399,6 +406,7 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	    free_KRB_CRED(&cred);
 	    return ret;
 	}
+    }

    ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
    free_KRB_CRED (&cred);