From 3b3ffff06d5beb8df9ada0f33d14695e91abddc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 14 Aug 2008 23:29:29 +0000
Subject: [PATCH] Only strip DELEG_FLAG if there is a realm setting, simplify
 the GSS_C_DELEG_POLICY_FLAG handling.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23527 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/init_sec_context.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 98d11201b..333b47e3d 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -271,6 +271,7 @@ do_delegation (krb5_context context,
 	       krb5_creds *cred,
 	       krb5_const_principal name,
 	       krb5_data *fwd_data,
+	       uint32_t flagmask,
 	       uint32_t *flags)
 {
     krb5_creds creds;
@@ -314,9 +315,9 @@ do_delegation (krb5_context context,
        
  out:
     if (kret)
-	*flags &= ~GSS_C_DELEG_FLAG;
+	*flags &= ~flagmask;
     else
-	*flags |= GSS_C_DELEG_FLAG;
+	*flags |= flagmask;
        
     if (creds.client)
 	krb5_free_principal(context, creds.client);
@@ -479,7 +480,7 @@ init_auth_restart
     krb5_enctype enctype;
     krb5_data fwd_data, timedata;
     int32_t offset = 0, oldoffset;
-    int delegate = 0;
+    uint32_t flagmask;
 
     krb5_data_zero(&outbuf);
     krb5_data_zero(&fwd_data);
@@ -491,36 +492,37 @@ init_auth_restart
      * is a realm setting and use that.
      */
     if (!ctx->kcred->flags.b.ok_as_delegate) {
-	krb5_boolean realm_setting = FALSE;
 	krb5_data data;
 	
 	ret = krb5_cc_get_config(context, ctx->ccache, NULL,
 				 "realm-config", &data);
 	if (ret == 0) {
 	    /* XXX 1 is use ok-as-delegate */
-	    if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1)
-		realm_setting = TRUE;
+	    if (data.length < 1 || ((((unsigned char *)data.data)[0]) & 1) == 0)
+		req_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
 	    krb5_data_free(&data);
 	}
-	if (!realm_setting)
-	    req_flags &= ~GSS_C_DELEG_FLAG;
     }
 
+    flagmask = 0;
+
     /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
-    if (req_flags & GSS_C_DELEG_POLICY_FLAG)
-	delegate = ctx->kcred->flags.b.ok_as_delegate;
+    if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+	&& ctx->kcred->flags.b.ok_as_delegate)
+	flagmask |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
     /* if there still is a GSS_C_DELEG_FLAG, use that */
     if (req_flags & GSS_C_DELEG_FLAG)
-	delegate = 1;
+	flagmask |= GSS_C_DELEG_FLAG;
 
 
     flags = 0;
     ap_options = 0;
-    if (delegate)
+    if (flagmask & GSS_C_DELEG_FLAG) {
 	do_delegation (context,
 		       ctx->auth_context,
 		       ctx->ccache, ctx->kcred, ctx->target,
-		       &fwd_data, &flags);
+		       &fwd_data, flagmask, &flags);
+    }
     
     if (req_flags & GSS_C_MUTUAL_FLAG) {
 	flags |= GSS_C_MUTUAL_FLAG;