krb5: rename constrained-delegatiom to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).
2019-06-02 14:44:11 +10:00
parent ea7615ade3
commit cf940e15f4
3 changed files with 5 additions and 5 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2439,5 +2439,5 @@ _kdc_is_anon_request(const KDC_REQ_BODY *b)
 	   version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
 	   requests will have a second ticket; don't consider those anonymous */
 	return (b->kdc_options.request_anonymous ||
-		(b->kdc_options.constrained_delegation && !b->additional_tickets));
+		(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets));
 }
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -355,7 +355,7 @@ KDCOptions ::= BIT STRING {
 	allow-postdate(5),
 	postdated(6),
 	renewable(8),
-	constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
+	cname-in-addl-tkt(14), -- ms extension
 	canonicalize(15),
 	request-anonymous(16),
 	disable-transited-check(26),
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -558,7 +558,7 @@ get_cred_kdc(krb5_context context,
 	out_creds->times.endtime = in_creds->times.endtime;

 	/* XXX should do better testing */
-	if (flags.b.constrained_delegation || impersonate_principal)
+	if (flags.b.cname_in_addl_tkt || impersonate_principal)
 	    eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
 	if (flags.b.request_anonymous)
 	    eflags |= EXTRACT_TICKET_MATCH_ANON;
@@ -1062,7 +1062,7 @@ get_cred_kdc_referral(krb5_context context,
 	char *referral_realm;

 	/* Use cache if we are not doing impersonation or contrained deleg */
-	if (impersonate_principal == NULL || flags.b.constrained_delegation) {
+	if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
 	    krb5_cc_clear_mcred(&mcreds);
 	    mcreds.server = referral.server;
 	    krb5_timeofday(context, &mcreds.times.endtime);
@@ -1645,7 +1645,7 @@ next_rule:
    if (options & KRB5_GC_NO_TRANSIT_CHECK)
 	flags.b.disable_transited_check = 1;
    if (options & KRB5_GC_CONSTRAINED_DELEGATION)
-	flags.b.constrained_delegation = 1;
+	flags.b.cname_in_addl_tkt = 1;
    if (options & KRB5_GC_ANONYMOUS)
 	flags.b.request_anonymous = 1;