heimdal Use a seperate krb5_auth_context for the delegated credentials

This makes it much more clear that the timestamp written here is not
used in mutual authentication.

Andrew Bartlett

diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c
index 7a9855881c11cb26779aeffb022711cbcfddf359..83a66cc0ca01cdef0aeebea2319379014291cfdb 100644 (file)
--- a/lib/gssapi/krb5/delete_sec_context.c
+++ b/lib/gssapi/krb5/delete_sec_context.c
@@ -59,6 +59,7 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     krb5_auth_con_free (context, ctx->auth_context);
+    krb5_auth_con_free (context, ctx->deleg_auth_context);
     if (ctx->kcred)
        krb5_free_creds(context, ctx->kcred);
     if(ctx->source)

diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index d91670821a4cb57d2554dc06df98c2833e1f35a2..6b9b03f3490899bc81b1417f986e29c22bd5eaec 100644 (file)
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -55,6 +55,7 @@ struct gss_msg_order;
 
 typedef struct gsskrb5_ctx {
   struct krb5_auth_context_data *auth_context;
+  struct krb5_auth_context_data *deleg_auth_context;
   krb5_principal source, target;
 #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
   OM_uint32 flags;

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index c2bd31dad93bc545f7169ff289b531c0c883287b..f4e103a7a5163a9cd209a54e328d5ad2933bed5e 100644 (file)
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -117,6 +117,7 @@ _gsskrb5_create_ctx(
        return GSS_S_FAILURE;
     }
     ctx->auth_context          = NULL;
+    ctx->deleg_auth_context    = NULL;
     ctx->source                        = NULL;
     ctx->target                        = NULL;
     ctx->kcred                 = NULL;
@@ -139,13 +140,34 @@ _gsskrb5_create_ctx(
        return GSS_S_FAILURE;
     }
 
+    kret = krb5_auth_con_init (context, &ctx->deleg_auth_context);
+    if (kret) {
+       *minor_status = kret;
+       krb5_auth_con_free(context, ctx->auth_context);
+       HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+       return GSS_S_FAILURE;
+    }
+
     kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
     if (kret) {
        *minor_status = kret;
 
+       krb5_auth_con_free(context, ctx->auth_context);
+       krb5_auth_con_free(context, ctx->deleg_auth_context);
+
        HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 
+       return GSS_S_BAD_BINDINGS;
+    }
+
+    kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings);
+    if (kret) {
+       *minor_status = kret;
+
        krb5_auth_con_free(context, ctx->auth_context);
+       krb5_auth_con_free(context, ctx->deleg_auth_context);
+
+       HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 
        return GSS_S_BAD_BINDINGS;
     }
@@ -160,6 +182,16 @@ _gsskrb5_create_ctx(
                           KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
                           NULL);
 
+    /*
+     * We need a sequence number
+     */
+
+    krb5_auth_con_addflags(context,
+                          ctx->deleg_auth_context,
+                          KRB5_AUTH_CONTEXT_DO_SEQUENCE |
+                          KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
+                          NULL);
+
     *context_handle = (gss_ctx_id_t)ctx;
 
     return GSS_S_COMPLETE;
@@ -538,7 +570,7 @@ init_auth_restart
     ap_options = 0;
     if (flagmask & GSS_C_DELEG_FLAG) {
        do_delegation (context,
-                      ctx->auth_context,
+                      ctx->deleg_auth_context,
                       ctx->ccache, ctx->kcred, ctx->target,
                       &fwd_data, flagmask, &flags);
     }