krb5: rename constrained-delegatiom to cname-in-addl-tkt

For consistency with [MS-SFU], rename the constrained-delegation KDC option to
cname-in-addl-tkt (client name in additional ticket).
Luke Howard
2019-06-02 14:44:11 +10:00
parent ea7615ade3
commit cf940e15f4
3 changed files with 5 additions and 5 deletions


@@ -2439,5 +2439,5 @@ _kdc_is_anon_request(const KDC_REQ_BODY *b)
version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
requests will have a second ticket; don't consider those anonymous */
return (b->kdc_options.request_anonymous ||
(b->kdc_options.constrained_delegation && !b->additional_tickets));
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets));
}


@@ -355,7 +355,7 @@ KDCOptions ::= BIT STRING {
allow-postdate(5),
postdated(6),
renewable(8),
constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
cname-in-addl-tkt(14), -- ms extension
canonicalize(15),
request-anonymous(16),
disable-transited-check(26),


@@ -558,7 +558,7 @@ get_cred_kdc(krb5_context context,
out_creds->times.endtime = in_creds->times.endtime;
/* XXX should do better testing */
if (flags.b.constrained_delegation || impersonate_principal)
if (flags.b.cname_in_addl_tkt || impersonate_principal)
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
if (flags.b.request_anonymous)
eflags |= EXTRACT_TICKET_MATCH_ANON;
@@ -1062,7 +1062,7 @@ get_cred_kdc_referral(krb5_context context,
char *referral_realm;
/* Use cache if we are not doing impersonation or contrained deleg */
if (impersonate_principal == NULL || flags.b.constrained_delegation) {
if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
krb5_cc_clear_mcred(&mcreds);
mcreds.server = referral.server;
krb5_timeofday(context, &mcreds.times.endtime);
@@ -1645,7 +1645,7 @@ next_rule:
if (options & KRB5_GC_NO_TRANSIT_CHECK)
flags.b.disable_transited_check = 1;
if (options & KRB5_GC_CONSTRAINED_DELEGATION)
flags.b.constrained_delegation = 1;
flags.b.cname_in_addl_tkt = 1;
if (options & KRB5_GC_ANONYMOUS)
flags.b.request_anonymous = 1;
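Review bot: The mapping from `KRB5_GC_CONSTRAINED_DELEGATION` to `flags.b.cname_in_addl_tkt` in the last hunk needs a comment, because after the rename the public option and the KDC flag no longer share a name. The same flag also turns on `EXTRACT_TICKET_ALLOW_CNAME_MISMATCH` in get_cred_kdc, so a reader auditing the S4U2Proxy path should be able to find it under either name. I would add `/* S4U2Proxy: KDC option bit 14, cname-in-addl-tkt in [MS-SFU] */` above the assignment. The comment in get_cred_kdc_referral still says "contrained deleg" and could be updated in the same pass. The enclosing functions start and end outside the hunks shown.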