2004-02-02 Jeffrey Altman <jaltman@mit.edu>

   * cc_msla.c:
     GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
     value to assign to TicketRequest->TicketFlags.  This field is blindly
     inserted into the kdc-options[0] field of the TGS_REQ.  If there are
     bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
     in an unknown TGS_OPTION being processed by the KDC.

     This has been fixed by mapping the Ticket Flags to KDC options.
     We only map Forwardable, Forwarded, Proxiable, and Renewable.  The others
     should not be used.

ticket: 2190
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16013 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index e3b86e6eebe7485dd81f2a328041d0376941b42e..e869f913bf95e38ccec8069537d3a1ad4a33c811 100644 (file)
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,16 @@
+2004-02-02  Jeffrey Altman <jaltman@mit.edu>
+
+   * cc_msla.c: 
+     GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
+     value to assign to TicketRequest->TicketFlags.  This field is blindly
+     inserted into the kdc-options[0] field of the TGS_REQ.  If there are
+     bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
+     in an unknown TGS_OPTION being processed by the KDC.
+
+     This has been fixed by mapping the Ticket Flags to KDC options.
+     We only map Forwardable, Forwarded, Proxiable, and Renewable.  The others
+     should not be used.
+
 2004-02-02  Jeffrey Altman <jaltman@mit.edu>
 
    * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when 

diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 9c3a57bb9d5dcd37e3a68ad1828eb12a2774c618..a1970a2d6d8c7ad86467492e4fc6a2e126a4bfb3 100644 (file)
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -975,7 +975,15 @@ GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId,
     memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
     pTicketRequest->CacheOptions = 0;
     pTicketRequest->EncryptionType = tktinfo->EncryptionType;
-    pTicketRequest->TicketFlags = tktinfo->TicketFlags;
+    pTicketRequest->TicketFlags = 0;
+    if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable )
+        pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE;
+    if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded )
+        pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED;
+    if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable )
+        pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE;
+    if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable )
+        pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE;
 
     Status = LsaCallAuthenticationPackage(
         LogonHandle,