authorGreg Hudson <ghudson@mit.edu>2009-04-08 16:39:33 +0000
committerGreg Hudson <ghudson@mit.edu>2009-04-08 16:39:33 +0000
commit45875a4d7bbd6bb8a943572d84fef5ca2bb18291 (patch)
tree56d7df499470dad1bd551abf43dc2b3017598f49 /src/lib/gssapi/krb5/init_sec_context.c
parent40e425b53b10f753fb62caff577d2679cdd6325b (diff)
Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is set. ticket: 6203 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22185 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/krb5/init_sec_context.c')
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 631cbe0..5559fad 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -209,7 +209,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
if (code) {
/* don't fail here; just don't accept/do the delegation
request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG);
data->checksum_data.length = 24;
} else {
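Review bot: The `if (code)` branch discards `code` and silently drops delegation, and the comment above the changed line still says only "don't accept/do the delegation request". With both bits now cleared, a caller that asked for GSS_C_DELEG_POLICY_FLAG can tell a forwarding failure from the ticket policy declining delegation only by inspecting the flags the context reports back, presumably via `data->ctx->gss_flags`. I would extend the comment to say so, e.g. `/* don't fail here; clear both delegation flags so the context's flags show that no credentials were forwarded */`. make_gss_checksum starts and ends outside this hunk, so whether `code` is recorded anywhere else is not visible here.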
@@ -495,6 +496,14 @@ new_connection(
ctx->krb_times = k_cred->times;
+ /*
+ * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+ * ok-as-delegate ticket flag is set.
+ */
+ if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+ && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+
if (default_mech) {
mech_type = (gss_OID) gss_mech_krb5;
}
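Review bot: The new comment in new_connection says GSS_C_DELEG_POLICY_FLAG means "delegate only if the ok-as-delegate ticket flag is set", but the added `if` only ever ORs bits into `ctx->gss_flags` and never looks at GSS_C_DELEG_FLAG in `req_flags`. If GSS_C_DELEG_FLAG is copied from `req_flags` into `ctx->gss_flags` earlier in the function (outside this hunk, so unconfirmed), a caller passing both flags still delegates unconditionally and the policy flag restricts nothing. If that is the intended behaviour, the comment should state it, e.g. add `* It does not restrict GSS_C_DELEG_FLAG: a caller that sets both delegates regardless of ok-as-delegate.` Application authors who want KDC policy to gate credential forwarding need that stated explicitly, since reading the comment as a restriction leads to forwarding a TGT to a service the KDC has not marked as trusted for delegation.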