From 38bccc6e79c555c9cda8ad63bbd8f0c6b87c0770 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 24 Aug 2006 11:05:55 +0000
Subject: [PATCH] Simply the disabled-service case. Check the allow-digest flag
 in the HDB entry for the client.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17930 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/digest.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/kdc/digest.c b/kdc/digest.c
index 7cf50054b..fdacf95fe 100644
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -61,10 +61,8 @@ _kdc_do_digest(krb5_context context,
     krb5_data serverNonce;
 
     if(!config->enable_digest) {
-	ret = KRB5KDC_ERR_POLICY;
-	kdc_log(context, config, 0,
-		"Rejected digest request from %s", from);
-	return ret;
+	kdc_log(context, config, 0, "Rejected digest request from %s", from);
+	return KRB5KDC_ERR_POLICY;
     }
 
     krb5_data_zero(&buf);
@@ -152,8 +150,13 @@ _kdc_do_digest(krb5_context context,
 	if (ret)
 	    goto out;
 
-	/* XXX add acl check here */
-
+	if (client->entry.flags.allow_digest == 0) {
+	    krb5_set_error_string(context, 
+				  "server is not permitted to use digest");
+	    ret = KRB5KDC_ERR_POLICY;
+	    _kdc_free_ent (context, client);
+	    goto out;
+	}
 	_kdc_free_ent (context, client);
     }