oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: pass down the server hdb_entry_ex to check_constrained_delegation()

Browse Source 
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
This commit is contained in:
Stefan Metzmacher
2011-06-24 11:53:37 +02:00
committed by Love Hörnquist Åstrand
parent d6a56b847b
commit 6cb0e81760
1 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
kdc/krb5tgs.c
View File

@@ -505,18 +505,32 @@ check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
krb5_const_principal server)
hdb_entry_ex *server,
krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
size_t i;
/*
* constrained_delegation (S4U2Proxy) only works within
* the same realm. We use the already canonicalized version
* of the principals here, while "target" is the principal
* provided by the client.
*/
if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
"Bad request for constrained delegation");
return ret;
}
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
return 0;
if (clientdb->hdb_check_constrained_delegation) {
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
@@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context,
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
return 0;
}
}
@@ -2029,7 +2043,7 @@ server_lookup:
}
ret = check_constrained_delegation(context, config, clientdb,
client, sp);
client, server, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s as %s to %s not allowed",