Fixed bug in TGS validation logic which prevented you from getting a

forwarded ticket from a TGT git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2526 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Mar 12, 1993 · 28a67c2 · 28a67c2
1 parent 76a4ce8
commit 28a67c2
Showing 1 changed file with 7 additions and 28 deletions.
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
@@ -762,9 +762,6 @@ char	**status;
 			     KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \
 			     KDC_OPT_VALIDATE)
 
-#define TGS_SPECIAL_OPTS	(KDC_OPT_FORWARDED | KDC_OPT_PROXY | \
-				 KDC_OPT_RENEW | KDC_OPT_VALIDATE)
-
 int
 validate_tgs_request(request, server, ticket, kdc_time, status)
 register krb5_kdc_req *request;
@@ -795,36 +792,18 @@ char **status;
      * (either the ticket granting service or the service we're
      * looking for)
      */
-
-    if (request->kdc_options & TGS_SPECIAL_OPTS) {
-	/*
-	 * This is one of the KDC options which allow a non-TGT ticket
-	 * for the purposes of renewing, forwarding, proxying, or
-	 * validating it.
-	 *
-	 * We just make sure the service in the ticket matches service
-	 * the user is request.
-	 */
-	if (!krb5_principal_compare(ticket->server,
-				    request->server)) {
-	    *status = "SERVER MISMATCH";
-	    return KRB5KDC_SERVER_NOMATCH;
-	}
-    } else {
-	/*
-	 * This is a normal TGS request; the ticket must belong to the
-	 * TGS server
-	 */
-	if (!krb5_principal_compare(ticket->server, tgs_server)) {
-	    *status = "NOT TGS TICKET";
-	    return KRB5KRB_AP_ERR_NOT_US;
-	}
-
+    if (krb5_principal_compare(ticket->server, tgs_server)) {
 	/* Server must allow TGS based issuances */
 	if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) {
 	    *status = "TGT BASED NOT ALLOWED";
 	    return(KDC_ERR_POLICY);
 	}
+    } else {
+	if (!krb5_principal_compare(ticket->server,
+				    request->server)) {
+	    *status = "BAD SERVER IN TKT";
+	    return KRB5KRB_AP_ERR_NOT_US;
+	}
     }
 
     /* TGS must be forwardable to get forwarded or forwardable ticket */