From cf940e15f4eac71d7b739bbb6672d7be9f9b98cb Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 2 Jun 2019 14:44:11 +1000
Subject: [PATCH] krb5: rename constrained-delegatiom to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).
---
 kdc/kerberos5.c | 2 +-
 lib/asn1/krb5.asn1 | 2 +-
 lib/krb5/get_cred.c | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 1b0d0f8df..f11b2984b 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2439,5 +2439,5 @@ _kdc_is_anon_request(const KDC_REQ_BODY *b)
 version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy requests will have a second ticket; don't consider those anonymous */
 return (b->kdc_options.request_anonymous ||
- (b->kdc_options.constrained_delegation && !b->additional_tickets));
+ (b->kdc_options.cname_in_addl_tkt && !b->additional_tickets));
 }
diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1
index 12986ea4e..9183fc19a 100644
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -355,7 +355,7 @@ KDCOptions ::= BIT STRING {
 allow-postdate(5),
 postdated(6),
 renewable(8),
- constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
+ cname-in-addl-tkt(14), -- ms extension
 canonicalize(15),
 request-anonymous(16),
 disable-transited-check(26),
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 8285ac7f6..87add0527 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -558,7 +558,7 @@ get_cred_kdc(krb5_context context,
 out_creds->times.endtime = in_creds->times.endtime;
 /* XXX should do better testing */
- if (flags.b.constrained_delegation || impersonate_principal)
+ if (flags.b.cname_in_addl_tkt || impersonate_principal)
 eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
 if (flags.b.request_anonymous)
 eflags |= EXTRACT_TICKET_MATCH_ANON;
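Review bot: Renaming bit 14 in the KDCOptions BIT STRING also renames the field the asn1 compiler generates for it, so any out-of-tree code that reads `kdc_options.constrained_delegation` stops compiling; the two in-tree callers this commit has to touch in kdc/kerberos5.c and lib/krb5/get_cred.c show exactly that breakage. If the generated krb5 ASN.1 header is part of the installed API, either a compatibility alias for the old field name or an explicit note in the commit message about the source-incompatible change would be worth adding. The public `KRB5_GC_CONSTRAINED_DELEGATION` option and the wire encoding (bit 14) are unchanged, so protocol behaviour and the KDC's anonymous-request check are unaffected. While the get_cred_kdc_referral hunk is being touched, its comment `/* Use cache if we are not doing impersonation or contrained deleg */` could be updated to the new name (and the typo fixed) so the comment matches the flag it now tests.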
@@ -1062,7 +1062,7 @@ get_cred_kdc_referral(krb5_context context,
 char *referral_realm;
 /* Use cache if we are not doing impersonation or contrained deleg */
- if (impersonate_principal == NULL || flags.b.constrained_delegation) {
+ if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
 krb5_cc_clear_mcred(&mcreds);
 mcreds.server = referral.server;
 krb5_timeofday(context, &mcreds.times.endtime);
@@ -1645,7 +1645,7 @@ next_rule:
 if (options & KRB5_GC_NO_TRANSIT_CHECK)
 flags.b.disable_transited_check = 1;
 if (options & KRB5_GC_CONSTRAINED_DELEGATION)
- flags.b.constrained_delegation = 1;
+ flags.b.cname_in_addl_tkt = 1;
 if (options & KRB5_GC_ANONYMOUS)
 flags.b.request_anonymous = 1;