From 458cb46ab42b7cc368cb4bae446e70ae493a7d21 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Tue, 7 May 1996 22:23:12 +0000
Subject: [PATCH] Mark's changes for ticket validation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7918 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/ChangeLog  | 10 ++++++++++
 src/kdc/kdc_util.c | 11 +++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 4e0096aa1..417cc0bae 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,13 @@
+Tue May  7 18:19:59 1996  Ken Raeburn  <raeburn@cygnus.com>
+
+	Thu May  2 22:52:56 1996  Mark Eichin  <eichin@cygnus.com>
+
+	* kdc_util.c (kdc_process_tgs_req): call
+	krb5_rd_req_decoded_anyflag instead of krb5_rd_req_decoded, so
+	that invalid tickets can be used to validate themselves. Add
+	explicit check that if the ticket is TKT_FLG_INVALID, then
+	KDC_OPT_VALIDATE was requested.
+
 Mon May  6 12:15:36 1996  Richard Basch  <basch@lehman.com>
 
 	* main.c: Fixed various abstraction violations where the code knew
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7e57c5fa1..7acb4aa6a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -228,7 +228,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
 	goto cleanup_auth_context;
 */
 
-    if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq, 
+    if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, 
 				      apreq->ticket->server, 
 				      kdc_active_realm->realm_keytab,
 				      NULL, ticket))) {
@@ -247,7 +247,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
 	    if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
 		if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
 						      kdc_rcache)) ||
-		    (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+		    (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context,
 						  apreq, apreq->ticket->server,
 				      		 kdc_active_realm->realm_keytab,
 						  NULL, ticket))
@@ -258,6 +258,13 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
 	    goto cleanup_auth_context;
     }
 
+    /* "invalid flag" tickets can must be used to validate */
+    if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID)
+	&& !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
+        retval = KRB5KRB_AP_ERR_TKT_INVALID;
+	goto cleanup_auth_context;
+    }
+
     if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
 						auth_context, subkey)))
 	goto cleanup_auth_context;
-- 
2.26.2