author | Greg Hudson <ghudson@mit.edu> | 2009-04-08 16:39:33 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-04-08 16:39:33 +0000 |
commit | 45875a4d7bbd6bb8a943572d84fef5ca2bb18291 (patch) | |
tree | 56d7df499470dad1bd551abf43dc2b3017598f49 /src | |
parent | 40e425b53b10f753fb62caff577d2679cdd6325b (diff) | |
Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.
ticket: 6203
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22185 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/generic/gssapi.hin | 1 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 11 |
2 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin index d33a0b5..422b4db 100644 --- a/src/lib/gssapi/generic/gssapi.hin +++ b/src/lib/gssapi/generic/gssapi.hin @@ -141,6 +141,7 @@ typedef int gss_cred_usage_t; #define GSS_C_ANON_FLAG 64 #define GSS_C_PROT_READY_FLAG 128 #define GSS_C_TRANS_FLAG 256 +#define GSS_C_DELEG_POLICY_FLAG 32768 /* * Credential usage options diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 631cbe0..5559fad 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -209,7 +209,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, if (code) { /* don't fail here; just don't accept/do the delegation request */ - data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; + data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG | + GSS_C_DELEG_POLICY_FLAG); data->checksum_data.length = 24; } else { @@ -495,6 +496,14 @@ new_connection( ctx->krb_times = k_cred->times; + /* + * GSS_C_DELEG_POLICY_FLAG means to delegate only if the + * ok-as-delegate ticket flag is set. + */ + if ((req_flags & GSS_C_DELEG_POLICY_FLAG) + && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG; + if (default_mech) { mech_type = (gss_OID) gss_mech_krb5; } |
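Review bot: The new `GSS_C_DELEG_POLICY_FLAG` define in gssapi.hin has no comment, although it sits in the request-flag list and decides when credentials are forwarded to a peer. A one-line comment above it, such as `/* Delegate credentials only if the ticket has ok-as-delegate set */`, would let callers choose it over GSS_C_DELEG_FLAG without reading init_sec_context.c. The flag list starts outside the hunk, so whether the neighbouring flags are documented elsewhere cannot be seen from here.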
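Review bot: The comment on the new block in new_connection() does not say what happens when the caller passes both GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG in req_flags. The added `if` only ever ORs GSS_C_DELEG_FLAG into ctx->gss_flags and never clears it, so if ctx->gss_flags was already seeded with GSS_C_DELEG_FLAG from req_flags earlier in the function (that code is outside this hunk, so this is inferred), the ok-as-delegate check has no effect and credentials are forwarded regardless of KDC policy. If that precedence is intended, the comment should state it, for example by adding the line `* If GSS_C_DELEG_FLAG is also requested, delegation is unconditional.`, so that callers wanting policy-gated forwarding know to pass the policy flag alone. new_connection's body starts and ends outside the hunk.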