svn rev #22327: branches/krb5-1-7/src/lib/krb5/krb/
tlyu@MIT.EDU
tlyu at MIT.EDU
Mon May 11 16:55:19 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22327
Commit By: tlyu
Log Message:
ticket: 6473
version_fixed: 1.7
pull up r22272 from trunk
------------------------------------------------------------------------
r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
ticket: 6473
tags: pullup
In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
Modified: branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 16:57:45 UTC (rev 22326)
+++ branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 20:55:19 UTC (rev 22327)
@@ -144,6 +144,16 @@
return 0;
}
+/* Return true if a TGS credential is for the client's local realm. */
+static inline int
+tgt_is_local_realm(krb5_creds *tgt)
+{
+ return (tgt->server->length == 2
+ && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
+ && data_eq(tgt->server->data[1], tgt->client->realm)
+ && data_eq(tgt->server->realm, tgt->client->realm));
+}
+
krb5_error_code
krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
krb5_flags kdcoptions, krb5_address *const *address,
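Review bot: tgt_is_local_realm dereferences tgt->server and tgt->client unconditionally, and the caller that guarantees they are non-NULL is outside this hunk, so the precondition and the read-only contract should be stated on the helper itself: `/* Return true if tgt is the client's own-realm TGT (krbtgt/REALM@REALM with REALM == tgt->client->realm); tgt->server and tgt->client must be non-NULL. */` and `tgt_is_local_realm(const krb5_creds *tgt)`. The const qualifier is safe provided data_eq/data_eq_string take krb5_data by value, which appears to be the case from the way the fields are passed here; verify against their declarations. The name is also slightly narrower than it sounds: a TGT whose server realm is local but whose second component names another realm (a cross-realm TGT issued by the local KDC) is deliberately reported as not local, which is the behaviour the ok-as-delegate check in the second hunk relies on, so that is worth a sentence in the comment.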
@@ -289,6 +299,14 @@
goto error_3;
}
+ /*
+ * Don't trust the ok-as-delegate flag from foreign KDCs unless the
+ * cross-realm TGT also had the ok-as-delegate flag set.
+ */
+ if (!tgt_is_local_realm(tkt)
+ && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
+
/* make sure the response hasn't been tampered with..... */
retval = 0;
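Review bot: The two flag words on the added lines come from different tickets and the comment does not say which is which, so the distinction the whole fix hinges on is easy to lose: `tkt->ticket_flags` are the flags of the TGT used to make this request, while `dec_rep->enc_part2->flags` are the flags of the service ticket the (possibly foreign) KDC just issued. I would extend the comment with `The TGT's own ok-as-delegate flag was set by the realm that issued that TGT, so it is the only statement about the foreign realm we have reason to trust; the service ticket's flag is the foreign KDC's unverified claim.` The mutation also happens just before the "make sure the response hasn't been tampered with" checks that the trailing context announces (they lie outside the hunk); it is harmless on the failure path because dec_rep is discarded, but moving the strip after those checks would keep all edits to the reply confined to accepted replies. krb5_get_cred_via_tkt begins and ends outside this hunk.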