diff options
author | Sam Hartman <hartmans@mit.edu> | 2003-05-22 20:26:59 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2003-05-22 20:26:59 +0000 |
commit | 2395e7df0d58c6cbd2753fc66dc1bfa10889331b (patch) | |
tree | 403ee8d0086874e4df6b080a1ffa66a14776f518 /src/kdc | |
parent | aed25fe148d68ca2302a3c69e68d15642f060ac1 (diff) | |
download | krb5-2395e7df0d58c6cbd2753fc66dc1bfa10889331b.tar.gz krb5-2395e7df0d58c6cbd2753fc66dc1bfa10889331b.tar.xz krb5-2395e7df0d58c6cbd2753fc66dc1bfa10889331b.zip |
Provide an explicit list of options not to be allowed in AS requests
rather than disallowing all unknown options.
Ticket: 1202
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15467 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/ChangeLog | 6 | ||||
-rw-r--r-- | src/kdc/kdc_util.c | 9 |
2 files changed, 10 insertions, 5 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index e4cbd73306..99c544a6c8 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,9 @@ +2003-05-22 Sam Hartman <hartmans@mit.edu> + + * kdc_util.c (validate_as_request): Only reject options we + understand and believe are inappropriate for AS requests. Per + spec, unknown options are ignored. + 2003-05-14 Sam Hartman <hartmans@mit.edu> * kdc_preauth.c (check_padata): Allow bad_integrity to be returned to a client diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 753f84a0a9..f0baf474fb 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -828,9 +828,8 @@ fail: * Returns a Kerberos protocol error number, which is _not_ the same * as a com_err error number! */ -#define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \ - KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ - KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK) +#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\ +KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY) int validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, krb5_db_entry server, krb5_timestamp kdc_time, @@ -839,9 +838,9 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, int errcode; /* - * If an illegal option is set, complain. + * If an option is set that is only allowed in TGS requests, complain. */ - if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) { + if (request->kdc_options & AS_INVALID_OPTIONS) { *status = "INVALID AS OPTIONS"; return KDC_ERR_BADOPTION; } |