From: Sam Hartman Date: Thu, 22 May 2003 20:26:59 +0000 (+0000) Subject: Provide an explicit list of options not to be allowed in AS requests X-Git-Tag: krb5-1.4-beta1~938 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2395e7df0d58c6cbd2753fc66dc1bfa10889331b;p=krb5.git Provide an explicit list of options not to be allowed in AS requests rather than disallowing all unknown options. Ticket: 1202 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15467 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index e4cbd7330..99c544a6c 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,9 @@ +2003-05-22 Sam Hartman + + * kdc_util.c (validate_as_request): Only reject options we + understand and believe are inappropriate for AS requests. Per + spec, unknown options are ignored. + 2003-05-14 Sam Hartman * kdc_preauth.c (check_padata): Allow bad_integrity to be returned to a client diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 753f84a0a..f0baf474f 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -828,9 +828,8 @@ fail: * Returns a Kerberos protocol error number, which is _not_ the same * as a com_err error number! */ -#define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \ - KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ - KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK) +#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\ +KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY) int validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, krb5_db_entry server, krb5_timestamp kdc_time, @@ -839,9 +838,9 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, int errcode; /* - * If an illegal option is set, complain. + * If an option is set that is only allowed in TGS requests, complain. */ - if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) { + if (request->kdc_options & AS_INVALID_OPTIONS) { *status = "INVALID AS OPTIONS"; return KDC_ERR_BADOPTION; }