From 11ffd80c635caf7b611c309fcb485bfba25471e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 20 Sep 2008 11:16:33 +0000
Subject: [PATCH] Strip of ok-as-delegate for the tgt/service if the cross ticket didn't have one.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23846 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/get_cred.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 104b402bb..5dcfee743 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -748,6 +748,7 @@ get_cred_kdc_capath(krb5_context context,
     krb5_error_code ret;
     krb5_creds *tgt, tmp_creds;
     krb5_const_realm client_realm, server_realm, try_realm;
+    int ok_as_delegate = 1;
 
     *out_creds = NULL;
 
@@ -779,10 +780,14 @@ get_cred_kdc_capath(krb5_context context,
     ret = find_cred(context, ccache, tmp_creds.server, *ret_tgts, &tgts);
     if(ret == 0){
+        if (try_realm != client_realm)
+            ok_as_delegate = tgts.flags.b.ok_as_delegate;
+
         *out_creds = calloc(1, sizeof(**out_creds));
         if(*out_creds == NULL) {
             ret = ENOMEM;
-            krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+            krb5_set_error_message(context, ret,
+                                   N_("malloc: out of memory", ""));
         } else {
             ret = get_cred_kdc_address(context, ccache, flags, NULL, in_creds, &tgts,
@@ -792,7 +797,8 @@ get_cred_kdc_capath(krb5_context context,
             if (ret) {
                 free (*out_creds);
                 *out_creds = NULL;
-            }
+            } else if (ok_as_delegate == 0)
+                (*out_creds)->flags.b.ok_as_delegate = 0;
         }
         krb5_free_cred_contents(context, &tgts);
         krb5_free_principal(context, tmp_creds.server);
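Review bot: The plain assignment `ok_as_delegate = tgts.flags.b.ok_as_delegate;` under `if (try_realm != client_realm)` can raise the value back to 1 on a later iteration after an earlier hop lowered it to 0, which contradicts the "once stripped, stays stripped" intent stated by the comment the commit adds further down; this branch is reached whenever a cross-realm TGT for `try_realm` is already in the cache. Make the update monotonic instead: `if (try_realm != client_realm && tgts.flags.b.ok_as_delegate == 0) ok_as_delegate = 0;`. Whether a 0 can actually be carried into this branch depends on the loop around this code, which, like get_cred_kdc_capath itself, starts outside the hunk.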
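Review bot: The new `} else if (ok_as_delegate == 0)` arm is unbraced while the `if (ret) {` arm it extends is braced, and nothing at the site says why the freshly obtained service ticket is downgraded. Brace it and add a why-comment, e.g. `} else if (ok_as_delegate == 0) { /* cached cross-realm TGT lacked ok-as-delegate; the service ticket must not claim it */ (*out_creds)->flags.b.ok_as_delegate = 0; }`. Note that this rewrites only the client-side `flags.b` copy in the krb5_creds returned to the caller, not anything inside the ticket itself, so the comment should make clear this is a local policy downgrade. get_cred_kdc_capath starts and ends outside this hunk.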
@@ -814,6 +820,15 @@ get_cred_kdc_capath(krb5_context context,
         krb5_free_principal(context, tmp_creds.client);
         return ret;
     }
+    /*
+     * if either of the chain or the ok_as_delegate was stripped
+     * by the kdc, make sure we strip it too.
+     */
+    if (ok_as_delegate == 0 || tgt->flags.b.ok_as_delegate == 0) {
+        ok_as_delegate = 0;
+        tgt->flags.b.ok_as_delegate = 0;
+    }
+
     ret = add_cred(context, tgt, ret_tgts);
     if(ret) {
         krb5_free_principal(context, tmp_creds.server);
@@ -872,6 +887,7 @@ get_cred_kdc_referral(krb5_context context,
     krb5_error_code ret;
     krb5_creds tgt, referral, ticket;
     int loop = 0;
+    int ok_as_delegate = 1;
 
     memset(&tgt, 0, sizeof(tgt));
     memset(&ticket, 0, sizeof(ticket));
@@ -964,7 +980,8 @@ get_cred_kdc_referral(krb5_context context,
                                *tickets)) {
             krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
-                                   N_("Referral from %s loops back to realm %s", ""),
+                                   N_("Referral from %s "
+                                      "loops back to realm %s", ""),
                                    tgt.server->realm, referral_realm);
             krb5_free_cred_contents(context, &ticket);
@@ -973,6 +990,16 @@ get_cred_kdc_referral(krb5_context context,
             tickets++;
         }
 
+        /*
+         * if either of the chain or the ok_as_delegate was stripped
+         * by the kdc, make sure we strip it too.
+         */
+
+        if (ok_as_delegate == 0 || ticket.flags.b.ok_as_delegate == 0) {
+            ok_as_delegate = 0;
+            ticket.flags.b.ok_as_delegate = 0;
+        }
+
         ret = add_cred(context, &ticket, ret_tgts);
         if (ret) {
             krb5_free_cred_contents(context, &ticket);
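Review bot: The strip runs before `add_cred(context, tgt, ret_tgts)`, so the cross-realm TGT is recorded with the flag already cleared, but the service ticket that this `tgt` is eventually used to obtain is not in the hunk and nothing visible propagates `ok_as_delegate == 0` to it; check the code after the loop and clear `flags.b.ok_as_delegate` on the final credentials too when `ok_as_delegate == 0`, otherwise a downgraded chain can still yield a service ticket marked ok-as-delegate. The comment could also say what "the chain" means, e.g. `/* Once any TGT in the chain lacks ok-as-delegate, every credential derived from it loses it too (client-side flags copy only). */`. The surrounding loop and get_cred_kdc_capath begin outside this hunk.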
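Review bot: The strip block is now duplicated verbatim in get_cred_kdc_capath and get_cred_kdc_referral (only `tgt->` versus `ticket.` differs), and here a stray blank line separates the comment from the `if` it explains. Fold both copies into one static helper so the sticky-zero rule lives in one place, and call it as `strip_ok_as_delegate(&ticket, &ok_as_delegate);` immediately before `add_cred`. As in the capath hunk, only the referral TGT handed to `add_cred` is downgraded here; whether the final service ticket returned by get_cred_kdc_referral is also cleared when `ok_as_delegate == 0` depends on code outside the hunk, as do the referral loop and the function itself.
```c
/*
 * Sticky downgrade of ok-as-delegate along a TGT chain: once any
 * credential in the chain lacks the flag (*chain_ok becomes 0), every
 * credential obtained after it has the flag cleared as well.  Only the
 * client-side flags copy in the krb5_creds is modified.
 */
static void
strip_ok_as_delegate(krb5_creds *creds, int *chain_ok)
{
    if (*chain_ok == 0 || creds->flags.b.ok_as_delegate == 0) {
        *chain_ok = 0;
        creds->flags.b.ok_as_delegate = 0;
    }
}

/* … unchanged: referral loop body up to tickets++ … */
        strip_ok_as_delegate(&ticket, &ok_as_delegate);
        ret = add_cred(context, &ticket, ret_tgts);
```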