svn commit: lorikeet r491 - in trunk/heimdal/lib: gssapi krb5
abartlet at samba.org
abartlet at samba.org
Wed Nov 2 04:30:39 GMT 2005
Author: abartlet
Date: 2005-11-02 04:30:38 +0000 (Wed, 02 Nov 2005)
New Revision: 491
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=491
Log:
Merge from Samba4: fixes for delegated credentials, as well as a typo fix in a reference to RFC4120 (not 2140, which is TCP Control Block Interdependence ;-).
Andrew Bartlett
Modified:
trunk/heimdal/lib/gssapi/init_sec_context.c
trunk/heimdal/lib/krb5/get_for_creds.c
trunk/heimdal/lib/krb5/rd_cred.c
Changeset:
Modified: trunk/heimdal/lib/gssapi/init_sec_context.c
===================================================================
--- trunk/heimdal/lib/gssapi/init_sec_context.c 2005-11-02 02:23:40 UTC (rev 490)
+++ trunk/heimdal/lib/gssapi/init_sec_context.c 2005-11-02 04:30:38 UTC (rev 491)
@@ -275,7 +275,7 @@
krb5_creds *cred,
const gss_name_t target_name,
krb5_data *fwd_data,
- int *flags)
+ u_int32_t *flags)
{
krb5_creds creds;
krb5_kdc_flags fwd_flags;
@@ -406,9 +406,26 @@
flags = 0;
ap_options = 0;
+ /*
+ * If the realm policy approves a delegation, lets check local
+ * policy if the credentials should be delegated, defafult to
+ * false.
+ */
+ if (cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate = FALSE;
+
+ _gss_check_compat(NULL, target_name, "ok-as-delegate",
+ &delegate, TRUE);
+ krb5_appdefault_boolean(gssapi_krb5_context,
+ "gssapi", target_name->realm,
+ "ok-as-delegate", delegate, &delegate);
+ if (delegate)
+ req_flags |= GSS_C_DELEG_FLAG;
+ }
+
if (req_flags & GSS_C_DELEG_FLAG) {
do_delegation((*context_handle)->auth_context,
- ccache, cred, target_name, &fwd_data, &flags);
+ ccache, cred, target_name, &fwd_data, &flags);
}
if (req_flags & GSS_C_MUTUAL_FLAG) {
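Review bot: The new `ok_as_delegate` block can add GSS_C_DELEG_FLAG to `req_flags` for a caller that never asked for delegation, so whether the user's TGT is forwarded to `target_name` is now decided by the ticket's ok-as-delegate flag plus the `[appdefaults]` `ok-as-delegate` setting rather than by the application alone; the `FALSE` default keeps it opt-in, and the comment should say so explicitly, e.g. `/* Delegation is only ever added here, never removed, and only when local policy opts in (default off). */`. The return value of `_gss_check_compat()` is discarded; because `delegate` is pre-set to `FALSE`, a failed lookup falls back to no delegation, which is the safe direction, but that reliance is worth stating in the comment. The comment also has two typos: `lets` → `let us` and `defafult` → `default`. The enclosing function starts and ends outside the hunk.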
@@ -542,8 +559,8 @@
krb5_error_code kret;
krb5_data inbuf;
u_int32_t flags = (*context_handle)->flags;
- OM_uint32 l_seq_number;
- OM_uint32 r_seq_number;
+ int32_t l_seq_number;
+ int32_t r_seq_number;
/* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */
{
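Review bot: `l_seq_number` and `r_seq_number` become signed `int32_t` while the neighbouring `flags` stays `u_int32_t`; presumably this matches the `int32_t *` out-parameter of `krb5_auth_con_getlocalseqnumber()`/`krb5_auth_con_getremoteseqnumber()`, but if these values are later shifted or masked to serialise the sequence number, that should be done on a `uint32_t` copy, since left-shifting a negative `int32_t` is undefined behaviour. A one-line comment such as `/* int32_t to match the krb5_auth_con_get*seqnumber() out-parameters */` would record why the type differs from `flags`. The enclosing function continues outside the hunk.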
Modified: trunk/heimdal/lib/krb5/get_for_creds.c
===================================================================
--- trunk/heimdal/lib/krb5/get_for_creds.c 2005-11-02 02:23:40 UTC (rev 490)
+++ trunk/heimdal/lib/krb5/get_for_creds.c 2005-11-02 04:30:38 UTC (rev 491)
@@ -378,16 +378,18 @@
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- krb5_keyblock *key;
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
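Review bot: With the `local_subkey`/`remote_subkey` fallback chain removed, `auth_context->keyblock` is the only key consulted for the KRB-CRED encryption; the new comment should also note that the receiving side in rd_cred.c still tries both the subkey and the session key, so only forwarding *to* pre-0.8 Heimdal servers breaks, as the comment already says, while receiving from such senders is unaffected. If `auth_context->keyblock` can be unset at this point, `krb5_crypto_init()` presumably fails and the existing `if (ret)` cleanup path covers it — confirm, since the old code had the same terminal fallback but reached it less often. Minor typos in the new comment: `send` → `sent`, and `compatiblity`/`compatability` → `compatibility`. The enclosing function starts and ends outside the hunk.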
Modified: trunk/heimdal/lib/krb5/rd_cred.c
===================================================================
--- trunk/heimdal/lib/krb5/rd_cred.c 2005-11-02 02:23:40 UTC (rev 490)
+++ trunk/heimdal/lib/krb5/rd_cred.c 2005-11-02 04:30:38 UTC (rev 491)
@@ -101,7 +101,7 @@
} else {
/* Try both subkey and session key.
*
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
*/