svn rev #22255: branches/krb5-1-7/src/lib/gssapi/ generic/ krb5/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Apr 15 16:07:48 EDT 2009 

http://src.mit.edu/fisheye/changelog/krb5/?cs=22255
Commit By: tlyu
Log Message:
ticket: 6203
version_fixed: 1.7

pull up r22185 from trunk

 ------------------------------------------------------------------------
 r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines
 Changed paths:
    M /trunk/src/lib/gssapi/generic/gssapi.hin
    M /trunk/src/lib/gssapi/krb5/init_sec_context.c

 ticket: 6203
 tags: pullup
 target_version: 1.7

 Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
 which requests delegation only if the ok-as-delegate ticket flag is
 set.


Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin
U   branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c
Modified: branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin
===================================================================
--- branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin	2009-04-15 20:07:45 UTC (rev 22254)
+++ branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin	2009-04-15 20:07:48 UTC (rev 22255)
@@ -141,6 +141,7 @@
 #define GSS_C_ANON_FLAG         64
 #define GSS_C_PROT_READY_FLAG   128
 #define GSS_C_TRANS_FLAG        256
+#define GSS_C_DELEG_POLICY_FLAG 32768
 
 /*
  * Credential usage options

Modified: branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c	2009-04-15 20:07:45 UTC (rev 22254)
+++ branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c	2009-04-15 20:07:48 UTC (rev 22255)
@@ -208,7 +208,8 @@
         if (code) {
             /* don't fail here; just don't accept/do the delegation
                request */
-            data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+            data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+                                      GSS_C_DELEG_POLICY_FLAG);
 
             data->checksum_data.length = 24;
         } else {
@@ -494,6 +495,14 @@
 
     ctx->krb_times = k_cred->times;
 
+    /*
+     * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+     * ok-as-delegate ticket flag is set.
+     */
+    if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+        && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+        ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+
     if (default_mech) {
         mech_type = (gss_OID) gss_mech_krb5;
     }

More information about the cvs-krb5 mailing list