Mark's changes for ticket validation
authorKen Raeburn <raeburn@mit.edu>
Tue, 7 May 1996 22:23:12 +0000 (22:23 +0000)
committerKen Raeburn <raeburn@mit.edu>
Tue, 7 May 1996 22:23:12 +0000 (22:23 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7918 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_util.c

index 4e0096aa1b47f2adbc320f0c15641683e5ec374b..417cc0bae565bf340c52da2c079b6b7dea8f5cba 100644 (file)
@@ -1,3 +1,13 @@
+Tue May  7 18:19:59 1996  Ken Raeburn  <raeburn@cygnus.com>
+
+       Thu May  2 22:52:56 1996  Mark Eichin  <eichin@cygnus.com>
+
+       * kdc_util.c (kdc_process_tgs_req): call
+       krb5_rd_req_decoded_anyflag instead of krb5_rd_req_decoded, so
+       that invalid tickets can be used to validate themselves. Add
+       explicit check that if the ticket is TKT_FLG_INVALID, then
+       KDC_OPT_VALIDATE was requested.
+
 Mon May  6 12:15:36 1996  Richard Basch  <basch@lehman.com>
 
        * main.c: Fixed various abstraction violations where the code knew
index 7e57c5fa17ee217e28c303d0723b2c0b28062116..7acb4aa6ad6f4f28ec255f2f18a2501a1088b17e 100644 (file)
@@ -228,7 +228,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
        goto cleanup_auth_context;
 */
 
-    if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq, 
+    if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, 
                                      apreq->ticket->server, 
                                      kdc_active_realm->realm_keytab,
                                      NULL, ticket))) {
@@ -247,7 +247,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
            if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
                if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
                                                      kdc_rcache)) ||
-                   (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+                   (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context,
                                                  apreq, apreq->ticket->server,
                                                 kdc_active_realm->realm_keytab,
                                                  NULL, ticket))
@@ -258,6 +258,13 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
            goto cleanup_auth_context;
     }
 
+    /* "invalid flag" tickets can must be used to validate */
+    if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID)
+       && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
+        retval = KRB5KRB_AP_ERR_TKT_INVALID;
+       goto cleanup_auth_context;
+    }
+
     if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
                                                auth_context, subkey)))
        goto cleanup_auth_context;