kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set. If not, ignore the request.
heimdal · Jun 3, 2019 · 7381a28 · 7381a28
1 parent cf940e1
commit 7381a28
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
@@ -2183,6 +2183,7 @@ tgs_build_reply(krb5_context context,
     if (client != NULL
 	&& b->additional_tickets != NULL
 	&& b->additional_tickets->len != 0
+	&& b->kdc_options.cname_in_addl_tkt
 	&& b->kdc_options.enc_tkt_in_skey == 0)
     {
 	int ad_signedpath = 0;