svn rev #22963: trunk/src/ include/ kdc/

lhoward@MIT.EDU lhoward at MIT.EDU
Wed Oct 21 14:21:50 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22963
Commit By: lhoward
Log Message:
Allow the constrained delegation authorization method to use the evidence ticket client name as input to the authorization decision


Changed Files:
U   trunk/src/include/kdb_ext.h
U   trunk/src/kdc/kdc_util.c
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h	2009-10-21 17:24:37 UTC (rev 22962)
+++ trunk/src/include/kdb_ext.h	2009-10-21 18:21:50 UTC (rev 22963)
@@ -159,6 +159,7 @@
     krb5_magic magic;
     const krb5_db_entry *server;
     krb5_const_principal proxy;
+    krb5_const_principal client;
 } kdb_check_allowed_to_delegate_req;
 
 #endif /* KRB5_KDB5_EXT__ */
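Review bot: The new `client` member is undocumented, and it changes the size of a structure that the KDC hands to the database backend as an opaque blob (`req_data.length = sizeof(req)` in the kdc_util.c part of this commit). A backend module built against the rev 22962 header would see a different length and never read the field, so the header should say what the member holds and how a backend detects its presence. Something like `krb5_const_principal client; /* client name from the evidence ticket; pointer is borrowed from the caller */` would cover the first part. The ownership wording is inferred from the plain pointer assignment in kdc_util.c and should be confirmed. The structure's definition starts outside this hunk.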

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2009-10-21 17:24:37 UTC (rev 22962)
+++ trunk/src/kdc/kdc_util.c	2009-10-21 18:21:50 UTC (rev 22963)
@@ -2238,6 +2238,7 @@
 
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
+			     krb5_const_principal client,
 			     const krb5_db_entry *server,
 			     krb5_const_principal proxy)
 {
@@ -2258,6 +2259,7 @@
 
     req.server = server;
     req.proxy = proxy;
+    req.client = client;
 
     req_data.data = (void *)&req;
     req_data.length = sizeof(req);
@@ -2312,7 +2314,9 @@
 
     /* Backend policy check */
     errcode = check_allowed_to_delegate_to(kdc_context,
-					   server, proxy_princ);
+					   t2enc->client,
+					   server,
+					   proxy_princ);
     if (errcode) {
 	*status = "NOT_ALLOWED_TO_DELEGATE";
 	return errcode;
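Review bot: The backend policy check now takes `t2enc->client` as an input to an authorization decision, but nothing visible in this hunk shows that the evidence ticket was decrypted and validated before this call. That validation presumably happens earlier in the enclosing function, which starts outside the hunk. If so, a comment at the call would make the trust assumption explicit, for example `/* t2enc is the decrypted, validated evidence ticket; its client name is trusted input to the backend */`. `check_allowed_to_delegate_to()` itself gains a `client` parameter in the first kdc_util.c hunk without any comment; a one-line note there saying it is the evidence ticket client and whether it may be NULL would help backend authors.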



