From dddacbd40e6e2a78f87557c8f517778d6ff6bc81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Mon, 28 Jul 2008 15:01:11 +0000
Subject: [PATCH] x

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23476 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 ChangeLog | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index fd3de883c..f49fddb92 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+2008-07-28  Love Hornquist Astrand  <lha@10a96laptop.meeting.ietf.org>
+
+	* lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally
+	issues invalid AFS tokens
+	(here "occasionally" means for certain users in certain realms).
+	
+	In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket
+	is padded to a multiple of 8 bytes. If it is already a multiple of
+	8 bytes, 8 additional 0-bytes are added.
+	
+	This catches the AFS krb4 ticket decoder by surprise: unless the
+	ticket is exactly 56 bytes, it only supports the minimum necessary
+	padding.  It detects the superfluous padding by comparing the
+	ticket length decoded to the advertised ticket length.
+	
+	Hence a 7-letter userid in "cern.ch" which resulted in a ticket of
+	40 bytes, got "padded" to 48 bytes which the rxkad decoder
+	rejected.
+	
+	From Rainer Toebbicke.
+
 2008-07-25  Love Hörnquist Åstrand  <lha@h5l.org>
 
 	* kuser/kinit.c: add --ok-as-delegate and --windows flags