From: Greg Hudson
Date: Wed, 14 Apr 2010 03:36:42 +0000 (+0000)
Subject: Move the cache store and check for non-forwardable constrained
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b66b61ab5934006b4a1d15348ee9b94aa6b5c156;p=thirdparty%2Fkrb5.git

Move the cache store and check for non-forwardable constrained
delegation creds from krb5_get_credentials into krb5_tkt_creds.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/iakerb@23895 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index e7c060ecba..af825beec6 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -340,6 +340,36 @@ seen_realm_before(krb5_context context, krb5_tkt_creds_context ctx,
     return FALSE;
 }
 
+/***** STATE_COMPLETE *****/
+
+/* Check and cache the desired credential when we receive it. Expects the
+ * received credential to be in ctx->reply_creds. */
+static krb5_error_code
+complete(krb5_context context, krb5_tkt_creds_context ctx)
+{
+    krb5_error_code code;
+
+    /* Note the authdata we asked for in the output creds. */
+    ctx->reply_creds->authdata = ctx->authdata;
+    ctx->authdata = NULL;
+
+    /* Cache the credential if desired. */
+    if (!(ctx->req_options & KRB5_GC_NO_STORE)) {
+        code = krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);
+        if (code != 0)
+            return code;
+    }
+
+    /* If we were doing constrained delegation, make sure we got a forwardable
+     * ticket, or it won't work. */
+    if ((ctx->req_options & KRB5_GC_CONSTRAINED_DELEGATION)
+        && (ctx->reply_creds->ticket_flags & TKT_FLG_FORWARDABLE) == 0)
+        return KRB5_TKT_NOT_FORWARDABLE;
+
+    ctx->state = STATE_COMPLETE;
+    return 0;
+}
+
 /***** STATE_NON_REFERRAL *****/
 
 /* Process the response to a non-referral request. */
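Review bot: A failure from `krb5_cc_store_cred` inside `complete()` now aborts the whole credential acquisition (`if (code != 0) return code;`), whereas the code removed from krb5_get_credentials in this same commit treated the cache store as best-effort with `(void) krb5_cc_store_cred(context, ccache, ncreds);`, so a caller that has already obtained a valid ticket can now be told the request failed because of a ccache problem such as an unwritable cache. If the stricter behavior is intended, the function comment should say so, e.g. `/* A cache-store failure is fatal: the caller never sees the credential. */`; otherwise keep the previous best-effort form, `(void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);`. Note also that the store happens before the forwardable check, so a non-forwardable ticket obtained with KRB5_GC_CONSTRAINED_DELEGATION stays in the cache even though KRB5_TKT_NOT_FORWARDABLE is returned; that ordering is inherited from the old code, but it deserves a comment now that both steps live here.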
@@ -350,11 +380,7 @@ step_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
     if (ctx->reply_code)
         return ctx->reply_code;
 
-    /* Note the authdata we asked for in the output creds. */
-    ctx->reply_creds->authdata = ctx->authdata;
-    ctx->authdata = NULL;
-    ctx->state = STATE_COMPLETE;
-    return 0;
+    return complete(context, ctx);
 }
 
 /* Make a non-referrals request for the desired service ticket. */
@@ -446,10 +472,7 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
         return begin_non_referral(context, ctx);
 
     /* Note the authdata we asked for in the output creds. */
-    ctx->reply_creds->authdata = ctx->authdata;
-    ctx->authdata = NULL;
-    ctx->state = STATE_COMPLETE;
-    return 0;
+    return complete(context, ctx);
 }
 
 /* Old versions of Active Directory can rewrite the server name instead of
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 3a28b1babd..813b680404 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -151,17 +151,6 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
     if (retval != 0)
         goto cleanup;
 
-    /* Attempt to cache the returned ticket. */
-    if (!(options & KRB5_GC_NO_STORE))
-        (void) krb5_cc_store_cred(context, ccache, ncreds);
-
-    if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
-        && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
-        /* This ticket won't work for constrained delegation. */
-        retval = KRB5_TKT_NOT_FORWARDABLE;
-        goto cleanup;
-    }
-
     *out_creds = ncreds;
     ncreds = NULL;
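Review bot: The context line `/* Note the authdata we asked for in the output creds. */` in step_referrals now sits directly above `return complete(context, ctx);` and no longer describes that line, since the authdata hand-off happens inside complete() together with the cache store and the forwardable check. The equivalent comment was removed in the step_non_referral hunk on this same line, so this one should be dropped as well or reworded, e.g. `/* Transfer authdata, cache the ticket and finish. */`. step_referrals begins outside the hunk.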