From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 31 Aug 2013 15:46:58 +0000 (-0400)
Subject: Fix FAST critical option bit checking
X-Git-Tag: krb5-1.12-alpha1~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95b03a6fef4b86d1f8fac0a6ef92e86d836e261f;p=thirdparty%2Fkrb5.git

Fix FAST critical option bit checking

The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request.  Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical.  Fix the constant.

ticket: 7701 (new)
---

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index d6f9325eb6..5119e66da6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -776,8 +776,8 @@ typedef struct _krb5_fast_req {
     krb5_kdc_req *req_body;
 } krb5_fast_req;
 
-/* Bits 0-15 are critical in fast options.*/
-#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
+/* Bits 0-15 are critical in FAST options (RFC 6113 section 7.3). */
+#define UNSUPPORTED_CRITICAL_FAST_OPTIONS   0xbfff0000
 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES  0x40000000
 
 typedef struct _krb5_fast_finished {