don't return delegated S4U creds unless evidence ticket was forwardable

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22639 dc483132-0cff-0310-8789-dd5450dbe970
author: Luke Howard <lukeh@padl.com> 2009-08-27 20:16:52 +0000
committer: Luke Howard <lukeh@padl.com> 2009-08-27 20:16:52 +0000
commit: c043ef5fea784cb7c242aa4ae40ba774fbc67ed4 (patch)
tree: ffd596ab81f1cfc1c479af7c94385da206c47e67
parent: 4ac98ca88045be8db4df829b9051bc9476c18af3 (diff)
download: krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.zip
krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.tar.gz
krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.tar.bz2
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index afdffc9..d340db7 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -915,7 +915,8 @@ kg_accept_krb5(minor_status, context_handle,
 
     if (delegated_cred_handle != NULL &&
         deleg_cred == NULL && /* no unconstrained delegation */
-        cred->usage == GSS_C_BOTH) {
+        cred->usage == GSS_C_BOTH &&
+        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
         /*
          * Now, we always fabricate a delegated credentials handle
          * containing the service ticket to ourselves, which can be
author	Luke Howard <lukeh@padl.com>	2009-08-27 20:16:52 +0000
committer	Luke Howard <lukeh@padl.com>	2009-08-27 20:16:52 +0000
commit	c043ef5fea784cb7c242aa4ae40ba774fbc67ed4 (patch)
tree	ffd596ab81f1cfc1c479af7c94385da206c47e67
parent	4ac98ca88045be8db4df829b9051bc9476c18af3 (diff)
download	krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.zip krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.tar.gz krb5-c043ef5fea784cb7c242aa4ae40ba774fbc67ed4.tar.bz2