Move checking of principal flags to new function `check_flags'.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4638 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
158
kdc/kerberos5.c
158
kdc/kerberos5.c
@@ -308,6 +308,74 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
check_flags(hdb_entry *client, const char *client_name,
|
||||
hdb_entry *server, const char *server_name,
|
||||
krb5_boolean is_as_req)
|
||||
{
|
||||
/* check client */
|
||||
if (client->flags.invalid) {
|
||||
kdc_log(0, "Client (%s) has invalid bit set", client_name);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
|
||||
if(!client->flags.client){
|
||||
kdc_log(0, "Principal may not act as client -- %s",
|
||||
client_name);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
|
||||
if (client->valid_start && *client->valid_start > kdc_time) {
|
||||
kdc_log(0, "Client not yet valid -- %s", client_name);
|
||||
return KRB5KDC_ERR_CLIENT_NOTYET;
|
||||
}
|
||||
|
||||
if (client->valid_end && *client->valid_end < kdc_time) {
|
||||
kdc_log(0, "Client expired -- %s", client_name);
|
||||
return KRB5KDC_ERR_NAME_EXP;
|
||||
}
|
||||
|
||||
if (client->pw_end && *client->pw_end < kdc_time
|
||||
&& !server->flags.change_pw) {
|
||||
kdc_log(0, "Client's key has expired -- %s", client_name);
|
||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||
}
|
||||
|
||||
/* check server */
|
||||
|
||||
if (server->flags.invalid) {
|
||||
kdc_log(0, "Server has invalid flag set -- %s", server_name);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
|
||||
if(!server->flags.server){
|
||||
kdc_log(0, "Principal may not act as server -- %s",
|
||||
server_name);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
|
||||
if(!is_as_req && server->flags.initial) {
|
||||
kdc_log(0, "AS-REQ is required for server -- %s", server_name);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
|
||||
if (server->valid_start && *server->valid_start > kdc_time) {
|
||||
kdc_log(0, "Server not yet valid -- %s", server_name);
|
||||
return KRB5KDC_ERR_SERVICE_NOTYET;
|
||||
}
|
||||
|
||||
if (server->valid_end && *server->valid_end < kdc_time) {
|
||||
kdc_log(0, "Server expired -- %s", server_name);
|
||||
return KRB5KDC_ERR_SERVICE_EXP;
|
||||
}
|
||||
|
||||
if (server->pw_end && *server->pw_end < kdc_time) {
|
||||
kdc_log(0, "Server's key has expired -- %s", server_name);
|
||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
as_rep(KDC_REQ *req,
|
||||
krb5_data *reply,
|
||||
@@ -362,31 +430,6 @@ as_rep(KDC_REQ *req,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (client->valid_start && *client->valid_start > kdc_time) {
|
||||
kdc_log(0, "Client not yet valid -- %s", client_name);
|
||||
ret = KRB5KDC_ERR_CLIENT_NOTYET;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (client->valid_end && *client->valid_end < kdc_time) {
|
||||
kdc_log(0, "Client expired -- %s", client_name);
|
||||
ret = KRB5KDC_ERR_NAME_EXP;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if(!client->flags.client){
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
kdc_log(0, "Principal may not act as client -- %s",
|
||||
client_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (client->flags.invalid) {
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
kdc_log(0, "Client (%s) has invalid bit set", client_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
server = db_fetch(server_princ);
|
||||
|
||||
if(server == NULL){
|
||||
@@ -395,43 +438,9 @@ as_rep(KDC_REQ *req,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (server->valid_start && *server->valid_start > kdc_time) {
|
||||
kdc_log(0, "Server not yet valid -- %s", server_name);
|
||||
ret = KRB5KDC_ERR_SERVICE_NOTYET;
|
||||
ret = check_flags(client, client_name, server, server_name, TRUE);
|
||||
if(ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (server->valid_end && *server->valid_end < kdc_time) {
|
||||
kdc_log(0, "Server expired -- %s", server_name);
|
||||
ret = KRB5KDC_ERR_SERVICE_EXP;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if(!server->flags.server){
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
kdc_log(0, "Principal (%s) may not act as server -- %s",
|
||||
server_name, client_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (server->flags.invalid) {
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
kdc_log(0, "Server's (%s) has invalid bit set", server_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (server->pw_end && *server->pw_end < kdc_time) {
|
||||
ret = KRB5KDC_ERR_KEY_EXPIRED;
|
||||
kdc_log(0, "Servers key has expired", server_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (client->pw_end && *client->pw_end < kdc_time
|
||||
&& !server->flags.change_pw) {
|
||||
ret = KRB5KDC_ERR_KEY_EXPIRED;
|
||||
kdc_log(0, "Client's (%s) key has expired", client_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
memset(&et, 0, sizeof(et));
|
||||
memset(&ek, 0, sizeof(ek));
|
||||
@@ -1465,32 +1474,9 @@ tgs_rep2(KDC_REQ_BODY *b,
|
||||
}
|
||||
#endif
|
||||
|
||||
/* check principal flags */
|
||||
if(server->flags.invalid) {
|
||||
kdc_log(0, "%s has `invalid' flag set", spn);
|
||||
ret = KRB5KDC_ERR_SERVICE_NOTYET;
|
||||
ret = check_flags(client, cpn, server, spn, FALSE);
|
||||
if(ret)
|
||||
goto out;
|
||||
}
|
||||
if(!server->flags.server) {
|
||||
kdc_log(0, "%s may not act as server", spn);
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
goto out;
|
||||
}
|
||||
if(server->flags.initial) {
|
||||
kdc_log(0, "%s has `initial' flag set", spn);
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
goto out;
|
||||
}
|
||||
if(client->flags.invalid) {
|
||||
kdc_log(0, "%s has `invalid' flag set", cpn);
|
||||
ret = KRB5KDC_ERR_CLIENT_NOTYET;
|
||||
goto out;
|
||||
}
|
||||
if(!client->flags.client) {
|
||||
kdc_log(0, "%s may not act as client", cpn);
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if((b->kdc_options.validate || b->kdc_options.renew) &&
|
||||
!krb5_principal_compare(context,
|
||||
|
||||
Reference in New Issue
Block a user