Move the cache store and check for non-forwardable constrained

delegation creds from krb5_get_credentials into krb5_tkt_creds.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/iakerb@23895 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index e7c060ecba175d0ab548a7f97d95dea5cfea1ca9..af825beec60844c2d867928622135c5e6f502e3f 100644 (file)
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -340,6 +340,36 @@ seen_realm_before(krb5_context context, krb5_tkt_creds_context ctx,
     return FALSE;
 }
 
+/***** STATE_COMPLETE *****/
+
+/* Check and cache the desired credential when we receive it.  Expects the
+ * received credential to be in ctx->reply_creds. */
+static krb5_error_code
+complete(krb5_context context, krb5_tkt_creds_context ctx)
+{
+    krb5_error_code code;
+
+    /* Note the authdata we asked for in the output creds. */
+    ctx->reply_creds->authdata = ctx->authdata;
+    ctx->authdata = NULL;
+
+    /* Cache the credential if desired. */
+    if (!(ctx->req_options & KRB5_GC_NO_STORE)) {
+        code = krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);
+        if (code != 0)
+            return code;
+    }
+
+    /* If we were doing constrained delegation, make sure we got a forwardable
+     * ticket, or it won't work. */
+    if ((ctx->req_options & KRB5_GC_CONSTRAINED_DELEGATION)
+        && (ctx->reply_creds->ticket_flags & TKT_FLG_FORWARDABLE) == 0)
+        return KRB5_TKT_NOT_FORWARDABLE;
+
+    ctx->state = STATE_COMPLETE;
+    return 0;
+}
+
 /***** STATE_NON_REFERRAL *****/
 
 /* Process the response to a non-referral request. */
@@ -350,11 +380,7 @@ step_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
     if (ctx->reply_code)
         return ctx->reply_code;
 
-    /* Note the authdata we asked for in the output creds. */
-    ctx->reply_creds->authdata = ctx->authdata;
-    ctx->authdata = NULL;
-    ctx->state = STATE_COMPLETE;
-    return 0;
+    return complete(context, ctx);
 }
 
 /* Make a non-referrals request for the desired service ticket. */
@@ -446,10 +472,7 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
             return begin_non_referral(context, ctx);
 
         /* Note the authdata we asked for in the output creds. */
-        ctx->reply_creds->authdata = ctx->authdata;
-        ctx->authdata = NULL;
-        ctx->state = STATE_COMPLETE;
-        return 0;
+        return complete(context, ctx);
     }
 
     /* Old versions of Active Directory can rewrite the server name instead of

diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 3a28b1babd4fb3b753b6a1cdd6e07aa883f8a277..813b6804044587a8945e5f887c458a28e5234c26 100644 (file)
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -151,17 +151,6 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
     if (retval != 0)
         goto cleanup;
 
-    /* Attempt to cache the returned ticket. */
-    if (!(options & KRB5_GC_NO_STORE))
-        (void) krb5_cc_store_cred(context, ccache, ncreds);
-
-    if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
-        && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
-        /* This ticket won't work for constrained delegation. */
-        retval = KRB5_TKT_NOT_FORWARDABLE;
-        goto cleanup;
-    }
-
     *out_creds = ncreds;
     ncreds = NULL;