oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

change logic for when to check transited policy to a tri-state model

Browse Source 
involving per principal flags (to be implemented)


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13070 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
2003-10-22 18:22:24 +00:00
parent 3ddd0c11e7
commit 1461770557
1 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
kdc/kerberos5.c
View File

@@ -1358,13 +1358,31 @@ tgs_make_reply(KDC_REQ_BODY *b,
if(ret) if(ret)
goto out; goto out;
ret = fix_transited_encoding(enforce_transited_policy /* We should check the transited encoding if:
|| server->flags.enforce_transited_policy 1) the request doesn't ask not to be checked
|| !f.disable_transited_check, 2) globally enforcing a check
&tgt->transited, &et, 3) principal requires checking
*krb5_princ_realm(context, client_principal), 4) we allow non-check per-principal, but principal isn't marked as allowing this
*krb5_princ_realm(context, server->principal), 5) we don't globally allow this
*krb5_princ_realm(context, krbtgt->principal)); */
#define GLOBAL_FORCE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_CHECK)
#define GLOBAL_ALLOW_PER_PRINCIPAL (trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
/* these will consult the database in future release */
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
ret = fix_transited_encoding(!f.disable_transited_check ||
GLOBAL_FORCE_TRANSITED_CHECK ||
PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, &et,
*krb5_princ_realm(context, client_principal),
*krb5_princ_realm(context, server->principal),
*krb5_princ_realm(context, krbtgt->principal));
if(ret) if(ret)
goto out; goto out;
@@ -1461,7 +1479,7 @@ tgs_make_reply(KDC_REQ_BODY *b,
DES3? */ DES3? */
ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey, ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
0, &tgt->key, e_text, reply); 0, &tgt->key, e_text, reply);
out: out:
free_TGS_REP(&rep); free_TGS_REP(&rep);
free_TransitedEncoding(&et.transited); free_TransitedEncoding(&et.transited);
if(et.starttime) if(et.starttime)