From 0524889196c42d81dcc4c74277522b46f987cabb Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 14 Nov 2009 04:46:30 +0000
Subject: Constrained delegation without PAC support

Merge Luke's users/lhoward/s4u2proxy branch to trunk.  Implements a
Heimdal-compatible mechanism for allowing constrained delegation
without back-end support for PACs.  Back-end support exists in LDAP
only (via a new krbAllowedToDelegateTo attribute), not DB2.

ticket: 6580

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/plugins/authdata/greet_server/greet_auth.c | 33 ++++++++++++++------------
 1 file changed, 18 insertions(+), 15 deletions(-)

(limited to 'src/plugins/authdata')

diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c
index 9a0533286..fad044a55 100644
--- a/src/plugins/authdata/greet_server/greet_auth.c
+++ b/src/plugins/authdata/greet_server/greet_auth.c
@@ -69,7 +69,7 @@ greet_kdc_verify(krb5_context context,
                                  NULL,
                                  KRB5_AUTHDATA_KDC_ISSUED,
                                  &tgt_authdata);
-    if (code != 0)
+    if (code != 0 || tgt_authdata == NULL)
         return 0;
 
     code = krb5_verify_authdata_kdc_issued(context,
@@ -113,6 +113,7 @@ greet_kdc_sign(krb5_context context,
     krb5_error_code code;
     krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL;
     krb5_authdata **if_relevant = NULL;
+    krb5_authdata **tkt_authdata;
 
     ad_datum.ad_type = -42;
     ad_datum.contents = (krb5_octet *)greeting->data;
@@ -138,13 +139,20 @@ greet_kdc_sign(krb5_context context,
         return code;
     }
 
-    /* this isn't very friendly to other plugins... */
-    krb5_free_authdata(context, enc_tkt_reply->authorization_data);
-    enc_tkt_reply->authorization_data = if_relevant;
+    code = krb5_merge_authdata(context,
+                               if_relevant,
+                               enc_tkt_reply->authorization_data,
+                               &tkt_authdata);
+    if (code == 0) {
+        krb5_free_authdata(context, enc_tkt_reply->authorization_data);
+        enc_tkt_reply->authorization_data = tkt_authdata;
+    } else {
+        krb5_free_authdata(context, if_relevant);
+    }
 
     krb5_free_authdata(context, kdc_issued);
 
-    return 0;
+    return code;
 }
 
 static krb5_error_code
@@ -165,17 +173,12 @@ greet_authdata(krb5_context context,
     krb5_error_code code;
     krb5_data *greeting = NULL;
 
-    if (request->msg_type == KRB5_TGS_REQ) {
-        code = greet_kdc_verify(context, enc_tkt_request, &greeting);
-        if (code != 0)
-            return code;
-    }
+    if (request->msg_type != KRB5_TGS_REQ)
+	return 0;
 
-    if (greeting == NULL) {
-        code = greet_hello(context, &greeting);
-        if (code != 0)
-            return code;
-    }
+    code = greet_hello(context, &greeting);
+    if (code != 0)
+        return code;
 
     code = greet_kdc_sign(context, enc_tkt_reply, tgs->princ, greeting);
 
-- 
cgit