projects / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aed25fe)
Provide an explicit list of options not to be allowed in AS requests
authorSam Hartman <hartmans@mit.edu>
Thu, 22 May 2003 20:26:59 +0000 (20:26 +0000)
committerSam Hartman <hartmans@mit.edu>
Thu, 22 May 2003 20:26:59 +0000 (20:26 +0000)
rather than disallowing all unknown options.

Ticket: 1202
Tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15467 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog patch | blob | history
src/kdc/kdc_util.c patch | blob | history

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index e4cbd7330688f4b1e4d284bc2aef15e735c40e0e..99c544a6c84bc38d01647183d5685f2094cc6dd2 100644 (file)
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,9 @@
+2003-05-22  Sam Hartman  <hartmans@mit.edu>
+
+       * kdc_util.c (validate_as_request): Only reject options we
+       understand and believe are inappropriate for AS requests. Per
+       spec, unknown options are ignored.
+
 2003-05-14  Sam Hartman  <hartmans@mit.edu>
 
        * kdc_preauth.c (check_padata): Allow bad_integrity to be returned to a client
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 753f84a0a947cd91db9fb860525ef7611a77f66d..f0baf474fb1aa36c5b84b86e2c7aa81cc95d1e03 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -828,9 +828,8 @@ fail:
  * Returns a Kerberos protocol error number, which is _not_ the same
  * as a com_err error number!
  */
-#define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \
-                            KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
-                            KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK)
+#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\
+KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
 int
 validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
                    krb5_db_entry server, krb5_timestamp kdc_time,
@@ -839,9 +838,9 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
     int                errcode;
     
     /*
-     * If an illegal option is set, complain.
+     * If an option is set that is only allowed in TGS requests, complain.
      */
-    if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) {
+    if (request->kdc_options & AS_INVALID_OPTIONS) {
        *status = "INVALID AS OPTIONS";
        return KDC_ERR_BADOPTION;
     }
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.