diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-09-29 06:44:33 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2010-09-28 19:25:50 -0700 |
| commit | f84bdf91d865ab176dcc0d829944821b89b88074 (patch) | |
| tree | db797ee743904ba8dfb4568cb3688bc647ccb3a0 /source4/heimdal/lib/gssapi/krb5/init_sec_context.c | |
| parent | e2c305deb1553ab8ba11fa687dcf1c08f2acd88a (diff) | |
| download | samba-f84bdf91d865ab176dcc0d829944821b89b88074.tar.gz samba-f84bdf91d865ab176dcc0d829944821b89b88074.tar.bz2 samba-f84bdf91d865ab176dcc0d829944821b89b88074.zip | |
heimdal Use a seperate krb5_auth_context for the delegated credentials
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentiation with the target server.
Andrew Bartlett
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5/init_sec_context.c')
| -rw-r--r-- | source4/heimdal/lib/gssapi/krb5/init_sec_context.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index fd9934a9e4..b513bd2d65 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -117,6 +117,7 @@ _gsskrb5_create_ctx( return GSS_S_FAILURE; } ctx->auth_context = NULL; + ctx->deleg_auth_context = NULL; ctx->source = NULL; ctx->target = NULL; ctx->kcred = NULL; @@ -139,13 +140,34 @@ _gsskrb5_create_ctx( return GSS_S_FAILURE; } + kret = krb5_auth_con_init (context, &ctx->deleg_auth_context); + if (kret) { + *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + return GSS_S_FAILURE; + } + kret = set_addresses(context, ctx->auth_context, input_chan_bindings); if (kret) { *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + krb5_auth_con_free(context, ctx->deleg_auth_context); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + return GSS_S_BAD_BINDINGS; + } + + kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings); + if (kret) { + *minor_status = kret; + krb5_auth_con_free(context, ctx->auth_context); + krb5_auth_con_free(context, ctx->deleg_auth_context); + + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); return GSS_S_BAD_BINDINGS; } @@ -160,6 +182,16 @@ _gsskrb5_create_ctx( KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL); + /* + * We need a sequence number + */ + + krb5_auth_con_addflags(context, + ctx->deleg_auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE | + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, + NULL); + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; @@ -538,7 +570,7 @@ init_auth_restart ap_options = 0; if (flagmask & GSS_C_DELEG_FLAG) { do_delegation (context, - ctx->auth_context, + ctx->deleg_auth_context, ctx->ccache, ctx->kcred, ctx->target, &fwd_data, flagmask, &flags); } |