author | Greg Hudson <ghudson@mit.edu> | 2011-04-07 15:20:37 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-04-07 15:20:37 +0000 |
commit | b7208a8261ed15d9e3136c75ce7c252d9717effb (patch) | |
tree | e706d06dbd5718085f054520e53806ae9385becc | |
parent | 8b720c6a96ea21572adb9b73d23e7e8e99489bb9 (diff) | |
In the authdata framework, determine which authdata sources to query
based on the module's usage flags. From r24794 in
users/lhoward/moonshot-mechglue-fixes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/krb/authdata.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c index 3664b66d08..351762eb1d 100644 --- a/src/lib/krb5/krb/authdata.c +++ b/src/lib/krb5/krb/authdata.c @@ -571,7 +571,8 @@ krb5int_authdata_verify(krb5_context kcontext, if (module->ftable->import_authdata == NULL) continue; - if (kdc_issued_authdata != NULL) { + if (kdc_issued_authdata != NULL && + (module->flags & AD_USAGE_KDC_ISSUED)) { code = krb5int_find_authdata(kcontext, kdc_issued_authdata, NULL, @@ -584,9 +585,23 @@ krb5int_authdata_verify(krb5_context kcontext, } if (authdata == NULL) { + krb5_boolean ticket_usage = FALSE; + krb5_boolean authen_usage = FALSE; + + /* + * Determine which authdata sources to interrogate based on the + * module's usage. This is important if the authdata is signed + * by the KDC with the TGT key (as the user can forge that in + * the AP-REQ). + */ + if (module->flags & (AD_USAGE_AS_REQ | AD_USAGE_TGS_REQ)) + ticket_usage = TRUE; + if (module->flags & AD_USAGE_AP_REQ) + authen_usage = TRUE; + code = krb5int_find_authdata(kcontext, - ticket_authdata, - authen_authdata, + ticket_usage ? ticket_authdata : NULL, + authen_usage ? authen_authdata : NULL, module->ad_type, &authdata); if (code != 0) |
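Review bot: In the second hunk, a module whose flags carry none of AD_USAGE_AS_REQ, AD_USAGE_TGS_REQ or AD_USAGE_AP_REQ (for example one registered only for AD_USAGE_KDC_ISSUED) now reaches krb5int_find_authdata() with both source containers NULL; whether that call yields a clean NULL `authdata` or an error is not visible here, so it should be confirmed, or the lookup skipped up front with `if (!ticket_usage && !authen_usage) continue;` placed before the call. A second, related gap is that a module flagged for both ticket and AP-REQ usage still receives one merged result and cannot tell whether an element came from the ticket (service-key protected) or from the authenticator (client-controlled), which is exactly the distinction the new comment is about; that limitation deserves a sentence in the comment, e.g. `/* NOTE: a module with both ticket and AP_REQ usage cannot distinguish the two sources in the result. */`. The comment's wording "signed by the KDC with the TGT key (as the user can forge that in the AP-REQ)" would also read more precisely as a statement that authenticator authdata is under the client's control (it is sealed with the session key, not the service key), so types the module expects to be KDC-issued must not be drawn from `authen_authdata`. The enclosing krb5int_authdata_verify() starts and ends outside both hunks.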