authorLuke Howard <lukeh@padl.com>2009-08-18 19:40:04 +0000
committerLuke Howard <lukeh@padl.com>2009-08-18 19:40:04 +0000
commitf43520768e94acd727041e24355e35749acdf945 (patch)
tree60506e2ef0a9abff8be3942ab86750396f60816f
parent5d7fc55cebe02cddcdfde8eed4940f466c5a2f8a (diff)
Refactor code for setting TKT_FLG_FORWARDABLE for S4U2Self. The logic was difficult to understand before.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22539 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/do_tgs_req.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 3627cf1..5576396 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -438,14 +438,29 @@ tgt_again:
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
+ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
- !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- }
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
+
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ /*
+ * If S4U2Self principal is not forwardable, then mark ticket as
+ * unforwardable. Note that handle_authdata() may also clear
+ * this flag.
+ */
+ if (c_nprincs &&
+ isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ /*
+ * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
+ * S4U2Self in order for forwardable tickets to be returned.
+ */
+ else if (!is_referral &&
+ !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ }
+ }
+
+ if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
/* include new addresses in ticket & reply */