diff options
author | Luke Howard <lukeh@padl.com> | 2009-08-22 09:02:48 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-08-22 09:02:48 +0000 |
commit | e17efaab7e997fae8769d79f8eb8e39c2184dff9 (patch) | |
tree | eb6781e9ca273edffbdce7c328548d8a9ee8ef99 | |
parent | 48948b10a24e7d85edc1a81fb4d5f1187bca2bd6 (diff) | |
download | krb5-e17efaab7e997fae8769d79f8eb8e39c2184dff9.zip krb5-e17efaab7e997fae8769d79f8eb8e39c2184dff9.tar.gz krb5-e17efaab7e997fae8769d79f8eb8e39c2184dff9.tar.bz2 |
Cleanup, and don't return a "proxy" credential for use with constrained
delegation, if the client's credentials are not forwardable, because
constrained delegation requires forwadable tickets. Instead, just return
an ordinary credential.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22576 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 2 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 2 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/s4u_gss_glue.c | 100 |
3 files changed, 40 insertions, 64 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 69963d6..5fb98f5 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -146,7 +146,7 @@ create_constrained_deleg_creds(OM_uint32 *minor_status, krb_creds.ticket = *data; - major_status = kg_compose_proxy_cred(minor_status, + major_status = kg_compose_deleg_cred(minor_status, verifier_cred_handle, ticket->enc_part2->client, &krb_creds, diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 7d48600..67bc6b8 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -838,7 +838,7 @@ int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc); /* s4u_gss_glue.c */ OM_uint32 -kg_compose_proxy_cred(OM_uint32 *minor_status, +kg_compose_deleg_cred(OM_uint32 *minor_status, krb5_gss_cred_id_t impersonator_cred, krb5_const_principal subject_name, krb5_creds *subject_creds, diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c index fda101a..20e1593 100644 --- a/src/lib/gssapi/krb5/s4u_gss_glue.c +++ b/src/lib/gssapi/krb5/s4u_gss_glue.c @@ -140,7 +140,7 @@ kg_impersonate_name(OM_uint32 *minor_status, return GSS_S_FAILURE; } - major_status = kg_compose_proxy_cred(minor_status, + major_status = kg_compose_deleg_cred(minor_status, impersonator_cred, user, out_creds, @@ -244,40 +244,8 @@ kg_get_evidence_ticket(krb5_context context, KRB5_TC_MATCH_TIMES, &mcreds, ncreds); } -static krb5_error_code -kg_duplicate_ccache(krb5_context context, - krb5_gss_cred_id_t impersonator_cred, - krb5_ccache *out_ccache) -{ - krb5_error_code code; - krb5_ccache ccache; - - if (!kg_is_initiator_cred(impersonator_cred)) - return EINVAL; - - code = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache); - if (code != 0) - return code; - - code = krb5_cc_initialize(context, ccache, impersonator_cred->princ); - if (code != 0) { - krb5_cc_destroy(context, ccache); - return code; - } - - code = krb5_cc_copy_creds(context, impersonator_cred->ccache, ccache); - if (code != 0) { - krb5_cc_destroy(context, ccache); - return code; - } - - *out_ccache = ccache; - - return 0; -} - OM_uint32 -kg_compose_proxy_cred(OM_uint32 *minor_status, +kg_compose_deleg_cred(OM_uint32 *minor_status, krb5_gss_cred_id_t impersonator_cred, krb5_const_principal subject_name, krb5_creds *subject_creds, @@ -296,8 +264,7 @@ kg_compose_proxy_cred(OM_uint32 *minor_status, if (!kg_is_initiator_cred(impersonator_cred) || impersonator_cred->princ == NULL) { - *minor_status = (OM_uint32)G_BAD_USAGE; - major_status = GSS_S_FAILURE; + code = G_BAD_USAGE; goto cleanup; } @@ -306,21 +273,23 @@ kg_compose_proxy_cred(OM_uint32 *minor_status, cred = (krb5_gss_cred_id_t)xmalloc(sizeof(*cred)); if (cred == NULL) { - *minor_status = ENOMEM; - major_status = GSS_S_FAILURE; + code = ENOMEM; goto cleanup; } memset(cred, 0, sizeof(*cred)); code = k5_mutex_init(&cred->lock); - if (code != 0) { - *minor_status = code; - major_status = GSS_S_FAILURE; + if (code != 0) goto cleanup; - } + /* + * Only return a "proxy" credential for use with constrained + * delegation if the subject credentials are forwardable. + * Submitting non-forwardable credentials to the KDC for use + * with constrained delegation will only return an error. + */ cred->usage = GSS_C_INITIATE; - cred->proxy_cred = 1; + cred->proxy_cred = (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) != 0; major_status = kg_set_desired_mechs(minor_status, desired_mechs, cred); if (GSS_ERROR(major_status)) @@ -329,35 +298,37 @@ kg_compose_proxy_cred(OM_uint32 *minor_status, cred->tgt_expire = impersonator_cred->tgt_expire; code = krb5_copy_principal(context, subject_name, &cred->princ); - if (code != 0) { - *minor_status = code; - major_status = GSS_S_FAILURE; + if (code != 0) goto cleanup; - } - code = kg_duplicate_ccache(context, impersonator_cred, &cred->ccache); - if (code != 0) { - *minor_status = code; - major_status = GSS_S_FAILURE; + code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache); + if (code != 0) + goto cleanup; + + code = krb5_cc_initialize(context, cred->ccache, + cred->proxy_cred ? impersonator_cred->princ : + (krb5_principal)subject_name); + if (code != 0) goto cleanup; + + if (cred->proxy_cred) { + /* Impersonator's TGT will be necessary for S4U2Proxy */ + code = krb5_cc_copy_creds(context, impersonator_cred->ccache, + cred->ccache); + if (code != 0) + goto cleanup; } code = krb5_cc_store_cred(context, cred->ccache, subject_creds); - if (code != 0) { - *minor_status = code; - major_status = GSS_S_FAILURE; + if (code != 0) goto cleanup; - } if (time_rec != NULL) { krb5_timestamp now; code = krb5_timeofday(context, &now); - if (code != 0) { - *minor_status = code; - major_status = GSS_S_FAILURE; + if (code != 0) goto cleanup; - } *time_rec = cred->tgt_expire - now; } @@ -367,15 +338,20 @@ kg_compose_proxy_cred(OM_uint32 *minor_status, goto cleanup; if (!kg_save_cred_id((gss_cred_id_t)cred)) { - *minor_status = (OM_uint32)G_VALIDATE_FAILED; - major_status = GSS_S_FAILURE; + code = G_VALIDATE_FAILED; goto cleanup; } major_status = GSS_S_COMPLETE; + *minor_status = 0; *output_cred = cred; cleanup: + if (code != 0) { + *minor_status = code; + major_status = GSS_S_FAILURE; + } + if (GSS_ERROR(major_status) && cred != NULL) { k5_mutex_destroy(&cred->lock); if (cred->ccache != NULL) @@ -421,7 +397,7 @@ kg_impersonate_cred(OM_uint32 *minor_status, return GSS_S_FAILURE; } - major_status = kg_compose_proxy_cred(minor_status, + major_status = kg_compose_deleg_cred(minor_status, impersonator_cred, subject_cred->princ, &evidence_creds, |