s4u2proxy_set_attribute should only return EPERM for its own attribute
authorLuke Howard <lukeh@padl.com>
Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
committerLuke Howard <lukeh@padl.com>
Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
Failure to do this breaks other attribute providers' set_attribute()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24775 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/s4u_authdata.c

index 1c6194350f713a8d367dab0162ce531809cc976d..54713cc85496d7d77baa23842ba279e08eaeb9bf 100644 (file)
@@ -232,14 +232,6 @@ s4u2proxy_request_fini(krb5_context kcontext,
  * interoperability
  */
 
-#if 0
-static krb5_data s4u2proxy_proxy_target_attr = {
-    KV5M_DATA,
-    sizeof("urn:constrained-delegation:proxy-target") - 1,
-    "urn:constrained-delegation:proxy-target"
-};
-#endif
-
 static krb5_data s4u2proxy_transited_services_attr = {
     KV5M_DATA,
     sizeof("urn:constrained-delegation:transited-services") - 1,
@@ -360,6 +352,8 @@ s4u2proxy_set_attribute(krb5_context kcontext,
                         const krb5_data *value)
 {
     /* Only the KDC can set this attribute. */
+    if (!data_eq(*attribute, s4u2proxy_transited_services_attr))
+        return ENOENT;
 
     return EPERM;
 }
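Review bot: The retained comment `/* Only the KDC can set this attribute. */` now sits directly above the new `data_eq` check, so it reads as explaining the ENOENT branch rather than the `return EPERM;` that enforces it. I would move it down to just above `return EPERM;` and put `/* Not our attribute: return ENOENT so other authdata modules can handle it. */` above the `if`. That keeps the security-relevant rule, that callers cannot set the transited-services list themselves, next to the line that implements it. If this module's delete_attribute callback also returns EPERM unconditionally, it probably needs the same check, but that function is not visible here. The signature of s4u2proxy_set_attribute starts outside the hunk.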