From 4ececcde1a339993971d9722eae335a21cfed0ea Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Fri, 1 Apr 2011 05:56:33 +0000
Subject: s4u2proxy_set_attribute should only return EPERM for its own attribute

Failure to do this breaks other attribute providers' set_attribute()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24775 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/s4u_authdata.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

(limited to 'src/lib/krb5')

diff --git a/src/lib/krb5/krb/s4u_authdata.c b/src/lib/krb5/krb/s4u_authdata.c
index 1c6194350..54713cc85 100644
--- a/src/lib/krb5/krb/s4u_authdata.c
+++ b/src/lib/krb5/krb/s4u_authdata.c
@@ -232,14 +232,6 @@ s4u2proxy_request_fini(krb5_context kcontext,
 * interoperability
 */
 
-#if 0
-static krb5_data s4u2proxy_proxy_target_attr = {
- KV5M_DATA,
- sizeof("urn:constrained-delegation:proxy-target") - 1,
- "urn:constrained-delegation:proxy-target"
-};
-#endif
-
 static krb5_data s4u2proxy_transited_services_attr = {
 KV5M_DATA,
 sizeof("urn:constrained-delegation:transited-services") - 1,
@@ -360,6 +352,8 @@ s4u2proxy_set_attribute(krb5_context kcontext,
 const krb5_data *value)
 {
 /* Only the KDC can set this attribute. */
+ if (!data_eq(*attribute, s4u2proxy_transited_services_attr))
+ return ENOENT;
 return EPERM;
 }
 
-- cgit
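Review bot: In the second hunk the existing comment `/* Only the KDC can set this attribute. */` now sits directly above the new ENOENT check in s4u2proxy_set_attribute, so it reads as explaining the wrong return. I would put `/* Not our attribute: report ENOENT so other providers get a chance. */` above the `if` and move the KDC-only comment down to `return EPERM;`. That EPERM path is what stops a caller from overwriting the transited-services list used for constrained delegation, so the distinction between the two return codes deserves to be explicit. `*attribute` is dereferenced with no NULL check; the caller presumably guarantees a non-NULL pointer, but the function's signature starts outside the hunk, so confirm against the dispatcher.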