svn rev #22185: trunk/src/lib/gssapi/ generic/ krb5/

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Apr 8 12:39:34 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22185
Commit By: ghudson
Log Message:
ticket: 6203
tags: pullup
target_version: 1.7

Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.



Changed Files:
U   trunk/src/lib/gssapi/generic/gssapi.hin
U   trunk/src/lib/gssapi/krb5/init_sec_context.c
Modified: trunk/src/lib/gssapi/generic/gssapi.hin
===================================================================
--- trunk/src/lib/gssapi/generic/gssapi.hin	2009-04-08 15:58:24 UTC (rev 22184)
+++ trunk/src/lib/gssapi/generic/gssapi.hin	2009-04-08 16:39:33 UTC (rev 22185)
@@ -141,6 +141,7 @@
 #define GSS_C_ANON_FLAG         64
 #define GSS_C_PROT_READY_FLAG   128
 #define GSS_C_TRANS_FLAG        256
+#define GSS_C_DELEG_POLICY_FLAG 32768
 
 /*
  * Credential usage options
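Review bot: The new `GSS_C_DELEG_POLICY_FLAG` define carries no comment, and its value 32768 jumps well past the neighbouring 256 with nothing in the hunk explaining the gap. This flag changes when credentials are delegated, so a header reader should see that it is a conditional request rather than a synonym for GSS_C_DELEG_FLAG. I would add a line above it such as `/* Extension: request delegation only if the ticket has ok-as-delegate set */`, and note why this bit was chosen if the intermediate values are reserved elsewhere.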

Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/init_sec_context.c	2009-04-08 15:58:24 UTC (rev 22184)
+++ trunk/src/lib/gssapi/krb5/init_sec_context.c	2009-04-08 16:39:33 UTC (rev 22185)
@@ -209,7 +209,8 @@
         if (code) {
             /* don't fail here; just don't accept/do the delegation
                request */
-            data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+            data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+                                      GSS_C_DELEG_POLICY_FLAG);
 
             data->checksum_data.length = 24;
         } else {
@@ -495,6 +496,14 @@
 
     ctx->krb_times = k_cred->times;
 
+    /*
+     * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+     * ok-as-delegate ticket flag is set.
+     */
+    if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+        && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+        ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+
     if (default_mech) {
         mech_type = (gss_OID) gss_mech_krb5;
     }
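Review bot: The new comment above the `req_flags & GSS_C_DELEG_POLICY_FLAG` test does not say what happens when a caller passes GSS_C_DELEG_FLAG together with GSS_C_DELEG_POLICY_FLAG. This branch only ever adds bits to `ctx->gss_flags`, so if the unconditional flag was already copied from req_flags earlier in the function (not visible in this hunk), the ok-as-delegate check restricts nothing and credentials are forwarded regardless of KDC policy. I would extend the comment with something like `If GSS_C_DELEG_FLAG is also requested, delegation is unconditional and this check does not limit it.` It is also worth stating that the decision trusts `k_cred->ticket_flags` as returned by the credential lookup, which for cross-realm tickets presumably needs to reflect every realm on the path. The enclosing function starts and ends outside the hunk.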



