oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Only strip DELEG_FLAG if there is a realm setting, simplify the

Browse Source 
GSS_C_DELEG_POLICY_FLAG handling.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23527 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-08-14 23:29:29 +00:00
parent ba72581a0f
commit 3b3ffff06d
1 changed files with 15 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
lib/gssapi/krb5/init_sec_context.c
View File

@@ -271,6 +271,7 @@ do_delegation (krb5_context context,
krb5_creds *cred, krb5_creds *cred,
krb5_const_principal name, krb5_const_principal name,
krb5_data *fwd_data, krb5_data *fwd_data,
uint32_t flagmask,
uint32_t *flags) uint32_t *flags)
{ {
krb5_creds creds; krb5_creds creds;
@@ -314,9 +315,9 @@ do_delegation (krb5_context context,
out: out:
if (kret) if (kret)
*flags &= ~GSS_C_DELEG_FLAG; *flags &= ~flagmask;
else else
*flags |= GSS_C_DELEG_FLAG; *flags |= flagmask;
if (creds.client) if (creds.client)
krb5_free_principal(context, creds.client); krb5_free_principal(context, creds.client);
@@ -479,7 +480,7 @@ init_auth_restart
krb5_enctype enctype; krb5_enctype enctype;
krb5_data fwd_data, timedata; krb5_data fwd_data, timedata;
int32_t offset = 0, oldoffset; int32_t offset = 0, oldoffset;
int delegate = 0; uint32_t flagmask;
krb5_data_zero(&outbuf); krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data); krb5_data_zero(&fwd_data);
@@ -491,36 +492,37 @@ init_auth_restart
* is a realm setting and use that. * is a realm setting and use that.
*/ */
if (!ctx->kcred->flags.b.ok_as_delegate) { if (!ctx->kcred->flags.b.ok_as_delegate) {
krb5_boolean realm_setting = FALSE;
krb5_data data; krb5_data data;
ret = krb5_cc_get_config(context, ctx->ccache, NULL, ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data); "realm-config", &data);
if (ret == 0) { if (ret == 0) {
/* XXX 1 is use ok-as-delegate */ /* XXX 1 is use ok-as-delegate */
if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1) if (data.length < 1 || ((((unsigned char *)data.data)[0]) & 1) == 0)
realm_setting = TRUE; req_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
krb5_data_free(&data); krb5_data_free(&data);
} }
if (!realm_setting)
req_flags &= ~GSS_C_DELEG_FLAG;
} }
flagmask = 0;
/* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */ /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
if (req_flags & GSS_C_DELEG_POLICY_FLAG) if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
delegate = ctx->kcred->flags.b.ok_as_delegate; && ctx->kcred->flags.b.ok_as_delegate)
flagmask |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
/* if there still is a GSS_C_DELEG_FLAG, use that */ /* if there still is a GSS_C_DELEG_FLAG, use that */
if (req_flags & GSS_C_DELEG_FLAG) if (req_flags & GSS_C_DELEG_FLAG)
delegate = 1; flagmask |= GSS_C_DELEG_FLAG;
flags = 0; flags = 0;
ap_options = 0; ap_options = 0;
if (delegate) if (flagmask & GSS_C_DELEG_FLAG) {
do_delegation (context, do_delegation (context,
ctx->auth_context, ctx->auth_context,
ctx->ccache, ctx->kcred, ctx->target, ctx->ccache, ctx->kcred, ctx->target,
&fwd_data, &flags); &fwd_data, flagmask, &flags);
}
if (req_flags & GSS_C_MUTUAL_FLAG) { if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG; flags |= GSS_C_MUTUAL_FLAG;