authorLuke Howard <lukeh@padl.com>2009-08-21 17:45:21 +0000
committerLuke Howard <lukeh@padl.com>2009-08-21 17:45:21 +0000
commitd7ca984fd8e5bb237047eccf419f4d62345434c3 (patch)
tree97beb7dd85773dfd214b9c9c81c98387e0bd7e7b
parenta37c7dfe55c526b5420213646d327fe4e2ec8002 (diff)
When returning constrained delegation creds, don't require they
be explicitly passed to gss_acquire_cred_impersonate_cred(); they can now be passed directly to gss_init_sec_context(). git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22565 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c15
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h6
-rw-r--r--src/lib/gssapi/krb5/s4u_gss_glue.c2
-rw-r--r--src/tests/gssapi/t_s4u.c22
4 files changed, 17 insertions, 28 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9ae0b0b..d61fc4c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -115,8 +115,9 @@
#ifndef LEAN_CLIENT
static krb5_error_code
-create_constrained_deleg_creds(context, ticket, out_cred)
+create_constrained_deleg_creds(context, verifier_cred, ticket, out_cred)
krb5_context context;
+ krb5_gss_cred_id_t verifier_cred;
krb5_ticket *ticket;
krb5_gss_cred_id_t *out_cred;
{
@@ -144,19 +145,12 @@ create_constrained_deleg_creds(context, ticket, out_cred)
krb_creds.ticket = *data;
- retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache);
+ retval = kg_duplicate_ccache(context, verifier_cred, &ccache);
if (retval) {
krb5_free_data(context, data);
return retval;
}
- retval = krb5_cc_initialize(context, ccache, ticket->enc_part2->client);
- if (retval) {
- krb5_cc_destroy(context, ccache);
- krb5_free_data(context, data);
- return retval;
- }
-
retval = krb5_cc_store_cred(context, ccache, &krb_creds);
if (retval) {
krb5_cc_destroy(context, ccache);
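Review bot: The delegated credential's ccache is now a duplicate of the acceptor's own verifier_cred cache with the evidence ticket added, instead of a fresh MEMORY cache initialised to ticket->enc_part2->client, so whatever kg_duplicate_ccache copies — presumably the service's own credentials — travels with the handle the application receives as delegated_cred_handle. That widens what a holder of that handle can do, and it also changes the cache's primary principal from the client to the impersonator; the `/* cred->princ already set */` comment in the next hunk suggests identity is taken from elsewhere, but it is worth confirming nothing downstream calls krb5_cc_get_principal on this cache expecting the client. A comment at the call would make this explicit: `/* ccache is a copy of the acceptor's cache (incl. its own creds) plus the S4U2Proxy evidence ticket; identity comes from cred->princ, not the cache principal */`. The rest of create_constrained_deleg_creds lies outside this hunk.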
@@ -193,6 +187,7 @@ create_constrained_deleg_creds(context, ticket, out_cred)
/* cred->princ already set */
cred->prerfc_mech = 1; /* this cred will work with all three mechs */
cred->rfc_mech = 1;
+ cred->proxy_cred = 1;
cred->keytab = NULL; /* no keytab associated with this... */
cred->tgt_expire = krb_creds.times.endtime; /* store the end time */
cred->ccache = ccache; /* the ccache containing the credential */
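Review bot: `cred->proxy_cred = 1;` is the flag that, per the commit message, lets gss_init_sec_context() consume this credential directly, yet it is the only assignment in this block without a trailing comment. Suggest `cred->proxy_cred = 1; /* ccache holds an S4U2Proxy evidence ticket; usable directly by init_sec_context */` so the next reader does not have to trace the flag into the initiator path. The enclosing function continues outside the hunk.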
@@ -960,7 +955,7 @@ kg_accept_krb5(minor_status, context_handle,
* containing the service ticket to ourselves, which can be
* used for S4U2Proxy.
*/
- code = create_constrained_deleg_creds(context, ticket, &deleg_cred);
+ code = create_constrained_deleg_creds(context, cred, ticket, &deleg_cred);
if (code) {
major_status = GSS_S_FAILURE;
goto fail;
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 3aef499..767bfbe 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -836,6 +836,12 @@ OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
+/* s4u_gss_glue.c */
+krb5_error_code
+kg_duplicate_ccache(krb5_context context,
+ krb5_gss_cred_id_t impersonator_cred,
+ krb5_ccache *out_ccache);
+
/*
* These take unglued krb5-mech-specific contexts.
*/
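Review bot: The newly exported kg_duplicate_ccache prototype carries no contract comment, and since accept_sec_context.c now releases the result with krb5_cc_destroy() on its error path, ownership should be stated here. Suggest replacing `/* s4u_gss_glue.c */` with a short block comment saying that on success *out_ccache is a new cache owned by the caller, to be released with krb5_cc_destroy(), and — if that is what the implementation does — that it is seeded with impersonator_cred's existing credentials; the function body is not in this diff, so confirm the latter before writing it.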
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index ea7e0c9..f426d9d 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -332,7 +332,7 @@ kg_get_evidence_ticket(krb5_context context,
KRB5_TC_MATCH_TIMES, &mcreds, ncreds);
}
-static krb5_error_code
+krb5_error_code
kg_duplicate_ccache(krb5_context context,
krb5_gss_cred_id_t impersonator_cred,
krb5_ccache *out_ccache)
diff --git a/src/tests/gssapi/t_s4u.c b/src/tests/gssapi/t_s4u.c
index 5c8f66d..eabde22 100644
--- a/src/tests/gssapi/t_s4u.c
+++ b/src/tests/gssapi/t_s4u.c
@@ -199,7 +199,6 @@ constrainedDelegate(OM_uint32 *minor,
gss_cred_id_t verifier_cred_handle)
{
OM_uint32 major, tmp;
- gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_name_t cred_name = GSS_C_NO_NAME;
OM_uint32 time_rec, lifetime;
@@ -209,20 +208,6 @@ constrainedDelegate(OM_uint32 *minor,
printf("Constrained delegation tests follow\n");
printf("-----------------------------------\n\n");
- major = gss_acquire_cred_impersonate_cred(minor,
- verifier_cred_handle,
- delegated_cred_handle,
- GSS_C_INDEFINITE,
- desired_mechs,
- GSS_C_INITIATE,
- &cred,
- NULL,
- &time_rec);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred_impersonate_cred", major, minor);
- return major;
- }
-
if (gss_inquire_cred(minor, verifier_cred_handle, &cred_name,
&lifetime, &usage, NULL) == GSS_S_COMPLETE) {
displayCanonName(minor, cred_name, "Proxy name");
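Review bot: Removing the gss_acquire_cred_impersonate_cred() call takes away the only visible use of `time_rec`, which the earlier hunk still declares alongside `lifetime`; unless it is read later in constrainedDelegate (the function extends beyond these hunks), it is now an unused variable and the declaration should shrink to `OM_uint32 lifetime;`. The same removal means the test no longer exercises gss_acquire_cred_impersonate_cred() with a delegated credential at all; if that API is still meant to accept one, a separate case would keep that coverage.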
@@ -238,10 +223,14 @@ constrainedDelegate(OM_uint32 *minor,
printf("\n");
major = gss_init_sec_context(minor,
- cred,
+ delegated_cred_handle,
&initiator_context,
target,
+#if 0
(gss_OID)&spnego_mech,
+#else
+ (gss_OID)gss_mech_krb5,
+#endif
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS,
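Review bot: The `#if 0 … #else … #endif` around the mechanism OID leaves dead code in the test with no explanation of why SPNEGO was switched off in favour of gss_mech_krb5. Either drop the disabled branch or give the reason on the directive, e.g. `#if 0 /* <reason SPNEGO is disabled for proxy creds> */` — the actual reason is not visible in this diff, so state whatever it really is. If this was the only use of spnego_mech, its definition elsewhere in the file may now be unused as well.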
@@ -255,7 +244,6 @@ constrainedDelegate(OM_uint32 *minor,
(void) gss_release_buffer(&tmp, &token);
(void) gss_delete_sec_context(&tmp, &initiator_context, NULL);
- (void) gss_release_cred(&tmp, &cred);
return major;
}