svn rev #24853: trunk/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Apr 7 11:20:37 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24853
Commit By: ghudson
Log Message:
In the authdata framework, determine which authdata sources to query
based on the module's usage flags. From r24794 in
users/lhoward/moonshot-mechglue-fixes.
Changed Files:
U trunk/src/lib/krb5/krb/authdata.c
Modified: trunk/src/lib/krb5/krb/authdata.c
===================================================================
--- trunk/src/lib/krb5/krb/authdata.c 2011-04-06 20:06:50 UTC (rev 24852)
+++ trunk/src/lib/krb5/krb/authdata.c 2011-04-07 15:20:37 UTC (rev 24853)
@@ -571,7 +571,8 @@
if (module->ftable->import_authdata == NULL)
continue;
- if (kdc_issued_authdata != NULL) {
+ if (kdc_issued_authdata != NULL &&
+ (module->flags & AD_USAGE_KDC_ISSUED)) {
code = krb5int_find_authdata(kcontext,
kdc_issued_authdata,
NULL,
@@ -584,9 +585,23 @@
}
if (authdata == NULL) {
+ krb5_boolean ticket_usage = FALSE;
+ krb5_boolean authen_usage = FALSE;
+
+ /*
+ * Determine which authdata sources to interrogate based on the
+ * module's usage. This is important if the authdata is signed
+ * by the KDC with the TGT key (as the user can forge that in
+ * the AP-REQ).
+ */
+ if (module->flags & (AD_USAGE_AS_REQ | AD_USAGE_TGS_REQ))
+ ticket_usage = TRUE;
+ if (module->flags & AD_USAGE_AP_REQ)
+ authen_usage = TRUE;
+
code = krb5int_find_authdata(kcontext,
- ticket_authdata,
- authen_authdata,
+ ticket_usage ? ticket_authdata : NULL,
+ authen_usage ? authen_authdata : NULL,
module->ad_type,
&authdata);
if (code != 0)
More information about the cvs-krb5
mailing list