+Tue May 7 18:19:59 1996 Ken Raeburn <raeburn@cygnus.com>
+
+ Thu May 2 22:52:56 1996 Mark Eichin <eichin@cygnus.com>
+
+ * kdc_util.c (kdc_process_tgs_req): call
+ krb5_rd_req_decoded_anyflag instead of krb5_rd_req_decoded, so
+ that invalid tickets can be used to validate themselves. Add
+ explicit check that if the ticket is TKT_FLG_INVALID, then
+ KDC_OPT_VALIDATE was requested.
+
Mon May 6 12:15:36 1996 Richard Basch <basch@lehman.com>
* main.c: Fixed various abstraction violations where the code knew
goto cleanup_auth_context;
*/
- if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq,
+ if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq,
apreq->ticket->server,
kdc_active_realm->realm_keytab,
NULL, ticket))) {
if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
kdc_rcache)) ||
- (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+ (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context,
apreq, apreq->ticket->server,
kdc_active_realm->realm_keytab,
NULL, ticket))
goto cleanup_auth_context;
}
+ /* "invalid flag" tickets can must be used to validate */
+ if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID)
+ && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto cleanup_auth_context;
+ }
+
if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
auth_context, subkey)))
goto cleanup_auth_context;