authorKen Raeburn <raeburn@mit.edu>1996-05-07 22:23:12 +0000
committerKen Raeburn <raeburn@mit.edu>1996-05-07 22:23:12 +0000
commit458cb46ab42b7cc368cb4bae446e70ae493a7d21 (patch)
tree498afe239fda586a3b27856488029f1c79d46c44 /src
parent464bfee1105595caaff55f93158e85225b0c5438 (diff)
Mark's changes for ticket validation
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7918 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kdc/ChangeLog10
-rw-r--r--src/kdc/kdc_util.c11
2 files changed, 19 insertions, 2 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 4e0096aa1..417cc0bae 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,13 @@
+Tue May 7 18:19:59 1996 Ken Raeburn <raeburn@cygnus.com>
+
+ Thu May 2 22:52:56 1996 Mark Eichin <eichin@cygnus.com>
+
+ * kdc_util.c (kdc_process_tgs_req): call
+ krb5_rd_req_decoded_anyflag instead of krb5_rd_req_decoded, so
+ that invalid tickets can be used to validate themselves. Add
+ explicit check that if the ticket is TKT_FLG_INVALID, then
+ KDC_OPT_VALIDATE was requested.
+
Mon May 6 12:15:36 1996 Richard Basch <basch@lehman.com>
* main.c: Fixed various abstraction violations where the code knew
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7e57c5fa1..7acb4aa6a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -228,7 +228,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
goto cleanup_auth_context;
*/
- if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq,
+ if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq,
apreq->ticket->server,
kdc_active_realm->realm_keytab,
NULL, ticket))) {
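Review bot: Neither call site records that rejecting TKT_FLG_INVALID tickets, which per the ChangeLog entry the old krb5_rd_req_decoded call took care of, is now the caller's responsibility; this applies to the call here and to the identical swap in the next hunk. After this change the only thing that keeps an invalid ticket from being accepted appears to be the explicit flag test added further down in kdc_process_tgs_req, so a later edit that branches to a success path between the call and that test would accept unvalidated tickets without any visible warning. I would add a comment above each call such as `/* anyflag: TKT_FLG_INVALID is not rejected here; it is checked below against KDC_OPT_VALIDATE */`. The function body starts and ends outside these hunks.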
@@ -247,7 +247,7 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
kdc_rcache)) ||
- (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+ (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context,
apreq, apreq->ticket->server,
kdc_active_realm->realm_keytab,
NULL, ticket))
@@ -258,6 +258,13 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
goto cleanup_auth_context;
}
+ /* "invalid flag" tickets can must be used to validate */
+ if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID)
+ && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto cleanup_auth_context;
+ }
+
if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
auth_context, subkey)))
goto cleanup_auth_context;
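Review bot: The comment on the new check reads "can must be used", which leaves it unclear whether the rule is permissive or mandatory; since this test looks like the only gate on invalid tickets after the switch to the anyflag call, it should state the rule exactly, e.g. `/* A ticket with TKT_FLG_INVALID set is accepted only for a KDC_OPT_VALIDATE request */`. The check also covers one direction only: nothing in the visible lines confirms that the ticket presented with a VALIDATE request has reached its starttime, so it is worth confirming that krb5_rd_req_decoded_anyflag still enforces ticket times, or that a later step does, before the ticket is reissued without the flag. The test sits after the replay-cache path shown in the previous hunk, so a rejected request has presumably already had its authenticator recorded; if that ordering is intentional, the comment could say so. kdc_process_tgs_req continues outside the hunk.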