diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index b418699d7..c7f918129 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -314,64 +314,68 @@ check_flags(hdb_entry *client, const char *client_name,
 krb5_boolean is_as_req)
 {
 /* check client */
- if (client->flags.invalid) {
- kdc_log(0, "Client (%s) has invalid bit set", client_name);
- return KRB5KDC_ERR_POLICY;
- }
+ if (client != NULL) {
+ if (client->flags.invalid) {
+ kdc_log(0, "Client (%s) has invalid bit set", client_name);
+ return KRB5KDC_ERR_POLICY;
+ }
- if(!client->flags.client){
- kdc_log(0, "Principal may not act as client -- %s",
- client_name);
- return KRB5KDC_ERR_POLICY;
- }
+ if(!client->flags.client){
+ kdc_log(0, "Principal may not act as client -- %s",
+ client_name);
+ return KRB5KDC_ERR_POLICY;
+ }
- if (client->valid_start && *client->valid_start > kdc_time) {
- kdc_log(0, "Client not yet valid -- %s", client_name);
- return KRB5KDC_ERR_CLIENT_NOTYET;
- }
+ if (client->valid_start && *client->valid_start > kdc_time) {
+ kdc_log(0, "Client not yet valid -- %s", client_name);
+ return KRB5KDC_ERR_CLIENT_NOTYET;
+ }
- if (client->valid_end && *client->valid_end < kdc_time) {
- kdc_log(0, "Client expired -- %s", client_name);
- return KRB5KDC_ERR_NAME_EXP;
- }
+ if (client->valid_end && *client->valid_end < kdc_time) {
+ kdc_log(0, "Client expired -- %s", client_name);
+ return KRB5KDC_ERR_NAME_EXP;
+ }
- if (client->pw_end && *client->pw_end < kdc_time
- && !server->flags.change_pw) {
- kdc_log(0, "Client's key has expired -- %s", client_name);
- return KRB5KDC_ERR_KEY_EXPIRED;
+ if (client->pw_end && *client->pw_end < kdc_time
+ && !server->flags.change_pw) {
+ kdc_log(0, "Client's key has expired -- %s", client_name);
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
 }
 /* check server */
- if (server->flags.invalid) {
- kdc_log(0, "Server has invalid flag set -- %s", server_name);
- return KRB5KDC_ERR_POLICY;
- }
+ if (server != NULL) {
+ if (server->flags.invalid) {
+ kdc_log(0, "Server has invalid flag set -- %s", server_name);
+ return KRB5KDC_ERR_POLICY;
+ }
- if(!server->flags.server){
- kdc_log(0, "Principal may not act as server -- %s",
- server_name);
- return KRB5KDC_ERR_POLICY;
- }
+ if(!server->flags.server){
+ kdc_log(0, "Principal may not act as server -- %s",
+ server_name);
+ return KRB5KDC_ERR_POLICY;
+ }
- if(!is_as_req && server->flags.initial) {
- kdc_log(0, "AS-REQ is required for server -- %s", server_name);
- return KRB5KDC_ERR_POLICY;
- }
+ if(!is_as_req && server->flags.initial) {
+ kdc_log(0, "AS-REQ is required for server -- %s", server_name);
+ return KRB5KDC_ERR_POLICY;
+ }
- if (server->valid_start && *server->valid_start > kdc_time) {
- kdc_log(0, "Server not yet valid -- %s", server_name);
- return KRB5KDC_ERR_SERVICE_NOTYET;
- }
+ if (server->valid_start && *server->valid_start > kdc_time) {
+ kdc_log(0, "Server not yet valid -- %s", server_name);
+ return KRB5KDC_ERR_SERVICE_NOTYET;
+ }
- if (server->valid_end && *server->valid_end < kdc_time) {
- kdc_log(0, "Server expired -- %s", server_name);
- return KRB5KDC_ERR_SERVICE_EXP;
- }
+ if (server->valid_end && *server->valid_end < kdc_time) {
+ kdc_log(0, "Server expired -- %s", server_name);
+ return KRB5KDC_ERR_SERVICE_EXP;
+ }
- if (server->pw_end && *server->pw_end < kdc_time) {
- kdc_log(0, "Server's key has expired -- %s", server_name);
- return KRB5KDC_ERR_KEY_EXPIRED;
+ if (server->pw_end && *server->pw_end < kdc_time) {
+ kdc_log(0, "Server's key has expired -- %s", server_name);
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
 }
 return 0;
 }
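Review bot: The key-expiry test inside the new `if (client != NULL)` block still reads `server->flags.change_pw` with no NULL check, so a call with a client entry and `server == NULL` (a combination the new guards otherwise accept) dereferences a null pointer as soon as the client's `pw_end` is in the past. If any caller does pass a NULL server, that is a KDC crash on the request path rather than a policy error. The condition should tolerate it, e.g. `&& (server == NULL || !server->flags.change_pw)) {`. Separately, a NULL entry now skips every check for that side and falls through to `return 0`, so a comment above `check_flags` such as `/* client or server may be NULL; a NULL entry is not checked, which is not the same as being allowed by policy */` would keep callers from treating the result as a full policy verdict. The function's signature begins above the hunk, so callers are not visible here.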