From 8df202e9f06b58a590b33665d701ef2dd34317f3 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 21 Oct 2009 18:21:50 +0000
Subject: [PATCH] Allow the constrained delegation authorization method to use the evidence ticket client name as input to the authorization decision

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22963 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb_ext.h | 1 +
 src/kdc/kdc_util.c | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index dfa2e0b71..f51d46500 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -159,6 +159,7 @@ typedef struct _kdb_check_allowed_to_delegate_req {
 krb5_magic magic;
 const krb5_db_entry *server;
 krb5_const_principal proxy;
+ krb5_const_principal client;
 } kdb_check_allowed_to_delegate_req;
 
 #endif /* KRB5_KDB5_EXT__ */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index ba2c4b53f..9ad832e8a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2238,6 +2238,7 @@ kdc_process_s4u2self_req(krb5_context context,
 
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
+ krb5_const_principal client,
 const krb5_db_entry *server,
 krb5_const_principal proxy)
 {
@@ -2258,6 +2259,7 @@ check_allowed_to_delegate_to(krb5_context context,
 
 req.server = server;
 req.proxy = proxy;
+ req.client = client;
 
 req_data.data = (void *)&req;
 req_data.length = sizeof(req);
@@ -2312,7 +2314,9 @@ kdc_process_s4u2proxy_req(krb5_context context,
 
 /* Backend policy check */
 errcode = check_allowed_to_delegate_to(kdc_context,
- server, proxy_princ);
+ t2enc->client,
+ server,
+ proxy_princ);
 if (errcode) {
 *status = "NOT_ALLOWED_TO_DELEGATE";
 return errcode;
-- 
2.26.2
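Review bot: The new `client` member grows a request struct that is handed to the KDB backend together with `req_data.length = sizeof(req)` (visible in the third hunk), so a backend built against the previous layout is now given a different length, and the hunk adds no comment saying what the field holds or that the record may be longer than older backends expect. Presumably the `magic` member is how backends recognise this request type; it is not changed here, so the length is the only signal of which layout was passed — worth confirming how existing backends validate `req_data.length` before they read past `proxy`. A comment on the new line would also record its meaning for backend authors: `krb5_const_principal client; /* client named in the evidence ticket, for the delegation policy decision */`.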
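Review bot: check_allowed_to_delegate_to now takes three inputs in the order client, server, proxy, and neither the signature nor any header comment says which principal plays which role; the function is `static`, so callers are in this file, but a reader still has to find the s4u2proxy call site to learn that `client` is the evidence ticket's client rather than the requesting service. Suggest a comment above the signature: `/* Ask the KDB backend whether SERVER may obtain a ticket to PROXY on behalf of CLIENT, the client named in the evidence ticket. */`. The function body continues past the end of the hunk.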
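Review bot: `t2enc->client` now feeds the backend's authorization decision, so this call is sound only if the evidence ticket's encrypted part was already decrypted under the server's key and its flags checked earlier in kdc_process_s4u2proxy_req — that step is outside the hunk, and nothing at the call site states that the name is trusted for that reason. A short comment above the call would make the precondition explicit to anyone later reordering the checks: `/* t2enc is the verified evidence ticket's enc-part; its client name is an input to the backend policy. */`. kdc_process_s4u2proxy_req begins and ends outside the hunk.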