| author | Greg Hudson <ghudson@mit.edu> | 2009-11-14 04:46:30 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-11-14 04:46:30 +0000 |
| commit | 0524889196c42d81dcc4c74277522b46f987cabb (patch) | |
| tree | 9f906eb1a4a32346ae94837c4fe199410e2dd10f /src/plugins/authdata | |
| parent | 26044e2a3c3104b9c3f32a6ae58145e7e6394672 (diff) | |
| download | krb5-0524889196c42d81dcc4c74277522b46f987cabb.tar.gz krb5-0524889196c42d81dcc4c74277522b46f987cabb.tar.xz krb5-0524889196c42d81dcc4c74277522b46f987cabb.zip | |
Constrained delegation without PAC support
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a
Heimdal-compatible mechanism for allowing constrained delegation
without back-end support for PACs. Back-end support exists in LDAP
only (via a new krbAllowedToDelegateTo attribute), not DB2.
ticket: 6580
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/authdata')
| -rw-r--r-- | src/plugins/authdata/greet_server/greet_auth.c | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c index 9a0533286e..fad044a55d 100644 --- a/src/plugins/authdata/greet_server/greet_auth.c +++ b/src/plugins/authdata/greet_server/greet_auth.c @@ -69,7 +69,7 @@ greet_kdc_verify(krb5_context context, NULL, KRB5_AUTHDATA_KDC_ISSUED, &tgt_authdata); - if (code != 0) + if (code != 0 || tgt_authdata == NULL) return 0; code = krb5_verify_authdata_kdc_issued(context, @@ -113,6 +113,7 @@ greet_kdc_sign(krb5_context context, krb5_error_code code; krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL; krb5_authdata **if_relevant = NULL; + krb5_authdata **tkt_authdata; ad_datum.ad_type = -42; ad_datum.contents = (krb5_octet *)greeting->data; @@ -138,13 +139,20 @@ greet_kdc_sign(krb5_context context, return code; } - /* this isn't very friendly to other plugins... */ - krb5_free_authdata(context, enc_tkt_reply->authorization_data); - enc_tkt_reply->authorization_data = if_relevant; + code = krb5_merge_authdata(context, + if_relevant, + enc_tkt_reply->authorization_data, + &tkt_authdata); + if (code == 0) { + krb5_free_authdata(context, enc_tkt_reply->authorization_data); + enc_tkt_reply->authorization_data = tkt_authdata; + } else { + krb5_free_authdata(context, if_relevant); + } krb5_free_authdata(context, kdc_issued); - return 0; + return code; } static krb5_error_code @@ -165,17 +173,12 @@ greet_authdata(krb5_context context, krb5_error_code code; krb5_data *greeting = NULL; - if (request->msg_type == KRB5_TGS_REQ) { - code = greet_kdc_verify(context, enc_tkt_request, &greeting); - if (code != 0) - return code; - } + if (request->msg_type != KRB5_TGS_REQ) + return 0; - if (greeting == NULL) { - code = greet_hello(context, &greeting); - if (code != 0) - return code; - } + code = greet_hello(context, &greeting); + if (code != 0) + return code; code = greet_kdc_sign(context, enc_tkt_reply, tgs->princ, greeting); |
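Review bot: In the third hunk (greet_kdc_sign, whose body begins before this hunk), `if_relevant` is freed only on the `else` path after `krb5_merge_authdata`; on the success path it is neither freed nor assigned anywhere, so if the merge copies its input entries rather than taking ownership of them — which the failure-path free already assumes — the success path leaks the `if_relevant` array on every signed TGS reply. The fix is to drop the `else` branch and put `krb5_free_authdata(context, if_relevant);` unconditionally after the `if (code == 0) { ... }` block, beside the existing `krb5_free_authdata(context, kdc_issued);`. It is also worth a comment on the new `code = krb5_merge_authdata(...)` call stating that the ticket's existing authorization_data is preserved and the plugin's container is merged in, replacing the removed "this isn't very friendly to other plugins" remark with the reason the merge is used. Separately, the fourth hunk removes the only visible caller of greet_kdc_verify; if nothing outside these hunks still calls it, the static function will now draw an unused-function warning and should either be wired back in or removed.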
