From 5cc4d5d2bd2e817e81d9d33192cfd1769ca90bdb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 29 Sep 2010 06:44:33 +1000 Subject: [PATCH] heimdal Use a seperate krb5_auth_context for the delegated credentials This makes it much more clear that the timestamp written here is not used in mutual authentication. Andrew Bartlett Signed-off-by: Love Hornquist Astrand --- lib/gssapi/krb5/delete_sec_context.c | 1 + lib/gssapi/krb5/gsskrb5_locl.h | 1 + lib/gssapi/krb5/init_sec_context.c | 34 +++++++++++++++++++++++++++++++++- 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c index 7a9855881..83a66cc0c 100644 --- a/lib/gssapi/krb5/delete_sec_context.c +++ b/lib/gssapi/krb5/delete_sec_context.c @@ -59,6 +59,7 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status, HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_free (context, ctx->auth_context); + krb5_auth_con_free (context, ctx->deleg_auth_context); if (ctx->kcred) krb5_free_creds(context, ctx->kcred); if(ctx->source) diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h index d91670821..6b9b03f34 100644 --- a/lib/gssapi/krb5/gsskrb5_locl.h +++ b/lib/gssapi/krb5/gsskrb5_locl.h @@ -55,6 +55,7 @@ struct gss_msg_order; typedef struct gsskrb5_ctx { struct krb5_auth_context_data *auth_context; + struct krb5_auth_context_data *deleg_auth_context; krb5_principal source, target; #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) OM_uint32 flags; diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index c2bd31dad..f4e103a7a 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -117,6 +117,7 @@ _gsskrb5_create_ctx( return GSS_S_FAILURE; } ctx->auth_context = NULL; + ctx->deleg_auth_context = NULL; ctx->source = NULL; ctx->target = NULL; ctx->kcred = NULL; @@ -139,13 +140,34 @@ _gsskrb5_create_ctx( return GSS_S_FAILURE; } + kret = krb5_auth_con_init (context, &ctx->deleg_auth_context); + if (kret) { + *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + return GSS_S_FAILURE; + } + kret = set_addresses(context, ctx->auth_context, input_chan_bindings); if (kret) { *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + krb5_auth_con_free(context, ctx->deleg_auth_context); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + return GSS_S_BAD_BINDINGS; + } + + kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings); + if (kret) { + *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + krb5_auth_con_free(context, ctx->deleg_auth_context); + + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); return GSS_S_BAD_BINDINGS; } @@ -160,6 +182,16 @@ _gsskrb5_create_ctx( KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL); + /* + * We need a sequence number + */ + + krb5_auth_con_addflags(context, + ctx->deleg_auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE | + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, + NULL); + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; @@ -538,7 +570,7 @@ init_auth_restart ap_options = 0; if (flagmask & GSS_C_DELEG_FLAG) { do_delegation (context, - ctx->auth_context, + ctx->deleg_auth_context, ctx->ccache, ctx->kcred, ctx->target, &fwd_data, flagmask, &flags); } -- 2.11.4.GIT