Skip Menu |

Subject: git commit
Download (untitled) / with headers
text/plain 1.7KiB

Cache S4U2Proxy requests by second ticket

krb5_get_credentials() does not know the client principal for an
S4U2Proxy request until the end, because it is in the encrypted part
of the evidence ticket. However, we can check the cache by second
ticket, since all S4U2Proxy requests in a cache will generally be made
with the same evidence ticket.

In the ccache types, allow mcreds->client and mcreds->server to be
NULL (as Heimdal does) to ignore them for the purpose of matching. In
krb5int_construct_matching_creds(), set mcreds->client to NULL for
S4U2Proxy requests. Add a cache check to
k5_get_proxy_cred_from_kdc(), and remove the cache check from
krb5_get_credentials_for_proxy() and the krb5 mech's

In get_proxy_cred_from_kdc(), fix a bug where cross-realm S4U2Proxy
would cache the evidence ticket used in the final request, rather than
the original evidence ticket.

[ debugged cache check and cross-realm caching;
switched from new flag to null matching cred principals; wrote commit
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: 148b317e1eb5df28dad96679cb4b8a07c62d4786
Branch: master
src/lib/gssapi/krb5/init_sec_context.c | 61 ++++++++++++++------------------
src/lib/krb5/ccache/cc_retr.c | 13 +++----
src/lib/krb5/ccache/ccapi/stdcc_util.c | 30 ++++++++--------
src/lib/krb5/ccache/ccfns.c | 3 +-
src/lib/krb5/krb/get_creds.c | 5 +++
src/lib/krb5/krb/s4u_creds.c | 58 +++++++++++++++--------------
src/tests/s4u2proxy.c | 3 ++
7 files changed, 88 insertions(+), 85 deletions(-)