From f643967982471b098ec279fa0a5503dd4416e340 Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Mon, 17 Mar 2003 05:35:47 +0000
Subject: [PATCH] (encode_524_response): check the enable_v4_cross_realm flag before giving out v4 tickets for foreign v5 principals

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11806 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/524.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kdc/524.c b/kdc/524.c
index f5dbbb35f..97cea409a 100644
--- a/kdc/524.c
+++ b/kdc/524.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -234,6 +234,12 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
 unsigned char buf[MAX_KTXT_LEN + 4 * 4];
 Key *skey;
 
+ if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+ kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+ t->realm);
+ return KRB5KDC_ERR_POLICY;
+ }
+
 ret = encode_v4_ticket(buf + sizeof(buf) - 1,
 sizeof(buf), &et, &t->sname, &len);
 if(ret){
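Review bot: The refusal logged in the new `if` block of `encode_524_response` names only the two realms, so someone reading the KDC log cannot tell which service the rejected conversion was requested for. `spn` is already a parameter of the function and could be added, e.g. `kdc_log(0, "524 cross-realm %s -> %s disabled (server %s)", et.crealm, t->realm, spn);`. The check itself would also benefit from a one-line comment such as `/* policy: no v4 ticket for a client from a foreign realm unless enable_v4_cross_realm is set */`. The declaration and default of `enable_v4_cross_realm` are outside this hunk, and the guard only protects a stock configuration if that default is off, which is worth confirming. The function body starts and ends outside the hunk.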