s4u2proxy_set_attribute should only return EPERM for its own attribute

author Luke Howard <lukeh@padl.com>

Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)

committer Luke Howard <lukeh@padl.com>

Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
author Luke Howard <lukeh@padl.com>
Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
committer Luke Howard <lukeh@padl.com>
Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
diff --git a/src/lib/krb5/krb/s4u_authdata.c b/src/lib/krb5/krb/s4u_authdata.c

index 1c6194350f713a8d367dab0162ce531809cc976d..54713cc85496d7d77baa23842ba279e08eaeb9bf 100644 (file)
--- a/src/lib/krb5/krb/s4u_authdata.c
+++ b/src/lib/krb5/krb/s4u_authdata.c
@@ -232,14 +232,6 @@ s4u2proxy_request_fini(krb5_context kcontext,
   * interoperability
   */
  
-#if 0
-static krb5_data s4u2proxy_proxy_target_attr = {
-    KV5M_DATA,
-    sizeof("urn:constrained-delegation:proxy-target") - 1,
-    "urn:constrained-delegation:proxy-target"
-};
-#endif
-
  static krb5_data s4u2proxy_transited_services_attr = {
      KV5M_DATA,
      sizeof("urn:constrained-delegation:transited-services") - 1,
@@ -360,6 +352,8 @@ s4u2proxy_set_attribute(krb5_context kcontext,
                          const krb5_data *value)
  {
      /* Only the KDC can set this attribute. */
+    if (!data_eq(*attribute, s4u2proxy_transited_services_attr))
+        return ENOENT;
  
      return EPERM;
  }
author	Luke Howard <lukeh@padl.com>
	Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)
committer	Luke Howard <lukeh@padl.com>
	Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)