diff options
| author | Greg Hudson <ghudson@mit.edu> | 2011-12-07 19:38:13 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-12-07 19:38:13 +0000 |
| commit | 38de4804776a1a1a255b89b104b983fa1f10a664 (patch) | |
| tree | 0cd78ce54249e399b882762b8c9d356f0b5794e0 /src/lib/gssapi/krb5/acquire_cred.c | |
| parent | 8d6a83d1163fafb8e9308313c83ce0472864abbb (diff) | |
| download | krb5-38de4804776a1a1a255b89b104b983fa1f10a664.zip krb5-38de4804776a1a1a255b89b104b983fa1f10a664.tar.gz krb5-38de4804776a1a1a255b89b104b983fa1f10a664.tar.bz2 | |
Allow S4U2Proxy delegated credentials to be saved
The initial implementation of client-side S4U2Proxy support did not
allow delegated proxy credentials to be stored (gss_store_cred would
error out, and gss_krb5_copy_ccache would generate a non-working
cache). To make this work, we save the impersonator name in a cache
config variable and in a cred structure field (replacing the
proxy_cred flag), and make the default principal of the proxy cache
the subject principal as the caller would expect for a regular
delegated cred.
ticket: 7046
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/krb5/acquire_cred.c')
| -rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index c815b35..c08e059 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, return 0; } +/* If an impersonator config entry exists in ccache, set *impersonator_out to + * the parsed principal. Otherwise set *impersonator_out to NULL. */ +static krb5_error_code +get_impersonator(krb5_context context, krb5_ccache ccache, + krb5_principal *impersonator_out) +{ + krb5_error_code code; + krb5_data data = empty_data(), data0 = empty_data(); + + *impersonator_out = NULL; + + code = krb5_cc_get_config(context, ccache, NULL, + KRB5_CONF_PROXY_IMPERSONATOR, &data); + if (code) + return (code == KRB5_CC_NOTFOUND) ? 0 : code; + + code = krb5int_copy_data_contents_add0(context, &data, &data0); + if (code) + goto cleanup; + + code = krb5_parse_name(context, data0.data, impersonator_out); + +cleanup: + krb5_free_data_contents(context, &data); + krb5_free_data_contents(context, &data0); + return code; +} + /* Check ccache and scan it for its expiry time. On success, cred takes * ownership of ccache. */ static krb5_error_code @@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, goto cleanup; } + code = get_impersonator(context, ccache, &cred->impersonator); + if (code) + goto cleanup; + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); cred->ccache = ccache; @@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status, cred->usage = args->cred_usage; cred->name = NULL; + cred->impersonator = NULL; cred->iakerb_mech = args->iakerb; cred->default_identity = (name == NULL); #ifndef LEAN_CLIENT |