From 6cb0e817603b5598aaa9892ec640650092310290 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 24 Jun 2011 11:53:37 +0200
Subject: [PATCH] kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand
---
 kdc/krb5tgs.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 6ff668aec..51b198446 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -505,18 +505,32 @@ check_constrained_delegation(krb5_context context,
                              krb5_kdc_configuration *config,
                              HDB *clientdb,
                              hdb_entry_ex *client,
-                             krb5_const_principal server)
+                             hdb_entry_ex *server,
+                             krb5_const_principal target)
 {
     const HDB_Ext_Constrained_delegation_acl *acl;
     krb5_error_code ret;
     size_t i;
+    /*
+     * constrained_delegation (S4U2Proxy) only works within
+     * the same realm. We use the already canonicalized version
+     * of the principals here, while "target" is the principal
+     * provided by the client.
+     */
+    if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
+        ret = KRB5KDC_ERR_BADOPTION;
+        kdc_log(context, config, 0,
+                "Bad request for constrained delegation");
+        return ret;
+    }
+
     /* if client delegates to itself, that ok */
-    if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
+    if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
         return 0;
     if (clientdb->hdb_check_constrained_delegation) {
-        ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
+        ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
         if (ret == 0)
             return 0;
     } else {
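Review bot: The realm-mismatch rejection added in this hunk logs only `Bad request for constrained delegation`, which does not tell an operator that a cross-realm S4U2Proxy request was refused, and the caller (hunk at `@@ -2029,7 +2043,7 @@`) then logs a second generic `constrained delegation from %s as %s to %s not allowed` for the same return code, so a realm mismatch and an ACL denial are indistinguishable in the KDC log. Naming the cause here, for example `"Constrained delegation across realms not allowed"`, would make the two log lines correlatable when investigating delegation misuse. The `ret = KRB5KDC_ERR_BADOPTION; ... return ret;` sequence can be a single `return KRB5KDC_ERR_BADOPTION;`, and `if(!krb5_realm_compare(` should read `if (!krb5_realm_compare(` like the other conditions in the function. check_constrained_delegation continues past the end of this hunk.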
@@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context,
     if (acl) {
         for (i = 0; i < acl->len; i++) {
-            if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+            if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
                 return 0;
         }
     }
@@ -2029,7 +2043,7 @@ server_lookup:
     }
     ret = check_constrained_delegation(context, config, clientdb,
-                                       client, sp);
+                                       client, server, sp);
     if (ret) {
         kdc_log(context, config, 0,
                 "constrained delegation from %s as %s to %s not allowed",
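Review bot: The ACL loop in the `@@ -528,7 +542,7 @@` hunk now compares `target`, the name the client asked for, while the realm and self-delegation checks earlier in the function use the canonicalized `server->entry.principal`; nothing at the loop records that choice, and because `krb5_principal_compare` is an exact match, an ACL entry written with the canonical name will not match a request made under an alias (fail-closed, but surprising to whoever maintains the ACL). A comment above the `for`, such as `/* the ACL is matched against the client-requested name, not the canonicalized server entry */`, would document the intent the commit message describes. The enclosing function starts outside this hunk.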