svn rev #23895: branches/iakerb/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Apr 13 23:36:43 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23895
Commit By: ghudson
Log Message:
Move the cache store and check for non-forwardable constrained
delegation creds from krb5_get_credentials into krb5_tkt_creds.
Changed Files:
U branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c
U branches/iakerb/src/lib/krb5/krb/get_creds.c
Modified: branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c 2010-04-14 03:16:18 UTC (rev 23894)
+++ branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c 2010-04-14 03:36:42 UTC (rev 23895)
@@ -340,6 +340,36 @@
return FALSE;
}
+/***** STATE_COMPLETE *****/
+
+/* Check and cache the desired credential when we receive it. Expects the
+ * received credential to be in ctx->reply_creds. */
+static krb5_error_code
+complete(krb5_context context, krb5_tkt_creds_context ctx)
+{
+ krb5_error_code code;
+
+ /* Note the authdata we asked for in the output creds. */
+ ctx->reply_creds->authdata = ctx->authdata;
+ ctx->authdata = NULL;
+
+ /* Cache the credential if desired. */
+ if (!(ctx->req_options & KRB5_GC_NO_STORE)) {
+ code = krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);
+ if (code != 0)
+ return code;
+ }
+
+ /* If we were doing constrained delegation, make sure we got a forwardable
+ * ticket, or it won't work. */
+ if ((ctx->req_options & KRB5_GC_CONSTRAINED_DELEGATION)
+ && (ctx->reply_creds->ticket_flags & TKT_FLG_FORWARDABLE) == 0)
+ return KRB5_TKT_NOT_FORWARDABLE;
+
+ ctx->state = STATE_COMPLETE;
+ return 0;
+}
+
/***** STATE_NON_REFERRAL *****/
/* Process the response to a non-referral request. */
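Review bot: A failure from `krb5_cc_store_cred` in complete() now fails the whole request, whereas the code this commit removes from get_creds.c discarded that result with a `(void)` cast, so a cache that cannot be written (for example a read-only one) would turn a successful ticket exchange into an error. The log message describes a move rather than a behaviour change, so either keep the best-effort form `(void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);` or state the new contract in the comment above complete(). Separately, the forwardable test runs after the store, so a ticket rejected with KRB5_TKT_NOT_FORWARDABLE has already been written to the cache; testing `ticket_flags` before the store would avoid caching a credential the caller is told is unusable. Both early returns leave ctx->state unchanged after authdata has already been moved into reply_creds, which presumably relies on the caller treating a non-zero return as terminal; a one-line comment saying so would help.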
@@ -350,11 +380,7 @@
if (ctx->reply_code)
return ctx->reply_code;
- /* Note the authdata we asked for in the output creds. */
- ctx->reply_creds->authdata = ctx->authdata;
- ctx->authdata = NULL;
- ctx->state = STATE_COMPLETE;
- return 0;
+ return complete(context, ctx);
}
/* Make a non-referrals request for the desired service ticket. */
@@ -446,10 +472,7 @@
return begin_non_referral(context, ctx);
/* Note the authdata we asked for in the output creds. */
- ctx->reply_creds->authdata = ctx->authdata;
- ctx->authdata = NULL;
- ctx->state = STATE_COMPLETE;
- return 0;
+ return complete(context, ctx);
}
/* Old versions of Active Directory can rewrite the server name instead of
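Review bot: The context comment `/* Note the authdata we asked for in the output creds. */` is left directly above the new `return complete(context, ctx);` and is now stale, because the authdata hand-off happens inside complete(); the same comment was removed in the earlier hunk at -350. Drop it here too, or replace it with something that matches the call, such as `/* We have the requested ticket; check and cache it. */`. The enclosing function starts outside the hunk.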
Modified: branches/iakerb/src/lib/krb5/krb/get_creds.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/get_creds.c 2010-04-14 03:16:18 UTC (rev 23894)
+++ branches/iakerb/src/lib/krb5/krb/get_creds.c 2010-04-14 03:36:42 UTC (rev 23895)
@@ -151,17 +151,6 @@
if (retval != 0)
goto cleanup;
- /* Attempt to cache the returned ticket. */
- if (!(options & KRB5_GC_NO_STORE))
- (void) krb5_cc_store_cred(context, ccache, ncreds);
-
- if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
- && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
- /* This ticket won't work for constrained delegation. */
- retval = KRB5_TKT_NOT_FORWARDABLE;
- goto cleanup;
- }
-
*out_creds = ncreds;
ncreds = NULL;