From: Ken Raeburn Date: Tue, 7 May 1996 22:23:12 +0000 (+0000) Subject: Mark's changes for ticket validation X-Git-Tag: krb5-1.0-beta6~128 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=458cb46ab42b7cc368cb4bae446e70ae493a7d21;p=krb5.git Mark's changes for ticket validation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7918 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 4e0096aa1..417cc0bae 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,13 @@ +Tue May 7 18:19:59 1996 Ken Raeburn + + Thu May 2 22:52:56 1996 Mark Eichin + + * kdc_util.c (kdc_process_tgs_req): call + krb5_rd_req_decoded_anyflag instead of krb5_rd_req_decoded, so + that invalid tickets can be used to validate themselves. Add + explicit check that if the ticket is TKT_FLG_INVALID, then + KDC_OPT_VALIDATE was requested. + Mon May 6 12:15:36 1996 Richard Basch * main.c: Fixed various abstraction violations where the code knew diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 7e57c5fa1..7acb4aa6a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -228,7 +228,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey) goto cleanup_auth_context; */ - if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq, + if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, apreq->ticket->server, kdc_active_realm->realm_keytab, NULL, ticket))) { @@ -247,7 +247,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey) if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, kdc_rcache)) || - (retval = krb5_rd_req_decoded(kdc_context, &auth_context, + (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, apreq->ticket->server, kdc_active_realm->realm_keytab, NULL, ticket)) @@ -258,6 +258,13 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey) goto cleanup_auth_context; } + /* "invalid flag" tickets can must be used to validate */ + if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID) + && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { + retval = KRB5KRB_AP_ERR_TKT_INVALID; + goto cleanup_auth_context; + } + if ((retval = krb5_auth_con_getremotesubkey(kdc_context, auth_context, subkey))) goto cleanup_auth_context;