From 357e4592b9ac6af9b44aa827f55bf389c3d936b2 Mon Sep 17 00:00:00 2001
From: Johan Danielsson
Date: Tue, 21 Oct 2003 11:16:43 +0000
Subject: [PATCH] always check transited policy if flag set either globally or on principal

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13037 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e50acbeb2..291188a3f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1206,9 +1206,9 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
 }
 
 static krb5_error_code
-fix_transited_encoding(TransitedEncoding *tr,
+fix_transited_encoding(krb5_boolean check_policy,
+ TransitedEncoding *tr,
 EncTicketPart *et,
- KDCOptions *f,
 const char *client_realm,
 const char *server_realm,
 const char *tgt_realm)
@@ -1252,7 +1252,7 @@ fix_transited_encoding(TransitedEncoding *tr,
 }
 num_realms++;
 }
- if(!f->disable_transited_check) {
+ if(check_policy) {
 ret = krb5_check_transited(context, client_realm,
 server_realm,
 realms, num_realms, NULL);
@@ -1353,7 +1353,10 @@ tgs_make_reply(KDC_REQ_BODY *b,
 if(ret)
 goto out;
 
- ret = fix_transited_encoding(&tgt->transited, &et, &f,
+ ret = fix_transited_encoding(enforce_transited_policy
+ || server->flags.enforce_transited_policy
+ || !f.disable_transited_check,
+ &tgt->transited, &et,
 *krb5_princ_realm(context, client_principal),
 *krb5_princ_realm(context, server->principal),
 *krb5_princ_realm(context, krbtgt->principal));
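Review bot: The new `check_policy` parameter of fix_transited_encoding is undocumented, although it now decides whether the transited path is validated at all. Before this change the function read `f->disable_transited_check` itself, so the rule was visible next to the check; now a reader of the function has to find the caller to learn when the check can be skipped. I would add a short comment above the signature, for example `/* check_policy: if true, validate the transited realms with krb5_check_transited(); the caller decides this from KDC, principal and request settings */`. The function body continues outside this hunk, so what a false value leaves in the issued ticket should be confirmed there and stated in the same comment.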
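Review bot: The three-way `||` passed inline as the first argument in tgs_make_reply is the entire policy decision and is easy to misread in that position. `f.disable_transited_check` appears to come from the client's request options, so a client can opt out of the check only while neither `enforce_transited_policy` nor `server->flags.enforce_transited_policy` is set; that precedence deserves to be spelled out. I would hoist it into a named local, `krb5_boolean check_policy = enforce_transited_policy || server->flags.enforce_transited_policy || !f.disable_transited_check;`, with the comment `/* a client may disable the transited check only when neither the KDC nor the server principal enforces it */`. Where `f` is filled in and where `enforce_transited_policy` is declared are outside this hunk, so both should be confirmed before settling the wording.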