oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Move checking of principal flags to new function `check_flags'.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4638 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1998-03-21 21:57:08 +00:00
parent 3101223e1c
commit 3acaa32a3d
1 changed files with 72 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

158
kdc/kerberos5.c
View File

@@ -308,6 +308,74 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
return 0; return 0;
} }
int
check_flags(hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name,
krb5_boolean is_as_req)
{
/* check client */
if (client->flags.invalid) {
kdc_log(0, "Client (%s) has invalid bit set", client_name);
return KRB5KDC_ERR_POLICY;
}
if(!client->flags.client){
kdc_log(0, "Principal may not act as client -- %s",
client_name);
return KRB5KDC_ERR_POLICY;
}
if (client->valid_start && *client->valid_start > kdc_time) {
kdc_log(0, "Client not yet valid -- %s", client_name);
return KRB5KDC_ERR_CLIENT_NOTYET;
}
if (client->valid_end && *client->valid_end < kdc_time) {
kdc_log(0, "Client expired -- %s", client_name);
return KRB5KDC_ERR_NAME_EXP;
}
if (client->pw_end && *client->pw_end < kdc_time
&& !server->flags.change_pw) {
kdc_log(0, "Client's key has expired -- %s", client_name);
return KRB5KDC_ERR_KEY_EXPIRED;
}
/* check server */
if (server->flags.invalid) {
kdc_log(0, "Server has invalid flag set -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
if(!server->flags.server){
kdc_log(0, "Principal may not act as server -- %s",
server_name);
return KRB5KDC_ERR_POLICY;
}
if(!is_as_req && server->flags.initial) {
kdc_log(0, "AS-REQ is required for server -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
if (server->valid_start && *server->valid_start > kdc_time) {
kdc_log(0, "Server not yet valid -- %s", server_name);
return KRB5KDC_ERR_SERVICE_NOTYET;
}
if (server->valid_end && *server->valid_end < kdc_time) {
kdc_log(0, "Server expired -- %s", server_name);
return KRB5KDC_ERR_SERVICE_EXP;
}
if (server->pw_end && *server->pw_end < kdc_time) {
kdc_log(0, "Server's key has expired -- %s", server_name);
return KRB5KDC_ERR_KEY_EXPIRED;
}
return 0;
}
krb5_error_code krb5_error_code
as_rep(KDC_REQ *req, as_rep(KDC_REQ *req,
krb5_data *reply, krb5_data *reply,
@@ -362,31 +430,6 @@ as_rep(KDC_REQ *req,
goto out; goto out;
} }
if (client->valid_start && *client->valid_start > kdc_time) {
kdc_log(0, "Client not yet valid -- %s", client_name);
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
if (client->valid_end && *client->valid_end < kdc_time) {
kdc_log(0, "Client expired -- %s", client_name);
ret = KRB5KDC_ERR_NAME_EXP;
goto out;
}
if(!client->flags.client){
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal may not act as client -- %s",
client_name);
goto out;
}
if (client->flags.invalid) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Client (%s) has invalid bit set", client_name);
goto out;
}
server = db_fetch(server_princ); server = db_fetch(server_princ);
if(server == NULL){ if(server == NULL){
@@ -395,43 +438,9 @@ as_rep(KDC_REQ *req,
goto out; goto out;
} }
if (server->valid_start && *server->valid_start > kdc_time) { ret = check_flags(client, client_name, server, server_name, TRUE);
kdc_log(0, "Server not yet valid -- %s", server_name); if(ret)
ret = KRB5KDC_ERR_SERVICE_NOTYET;
goto out; goto out;
}
if (server->valid_end && *server->valid_end < kdc_time) {
kdc_log(0, "Server expired -- %s", server_name);
ret = KRB5KDC_ERR_SERVICE_EXP;
goto out;
}
if(!server->flags.server){
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal (%s) may not act as server -- %s",
server_name, client_name);
goto out;
}
if (server->flags.invalid) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Server's (%s) has invalid bit set", server_name);
goto out;
}
if (server->pw_end && *server->pw_end < kdc_time) {
ret = KRB5KDC_ERR_KEY_EXPIRED;
kdc_log(0, "Servers key has expired", server_name);
goto out;
}
if (client->pw_end && *client->pw_end < kdc_time
&& !server->flags.change_pw) {
ret = KRB5KDC_ERR_KEY_EXPIRED;
kdc_log(0, "Client's (%s) key has expired", client_name);
goto out;
}
memset(&et, 0, sizeof(et)); memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek)); memset(&ek, 0, sizeof(ek));
@@ -1465,32 +1474,9 @@ tgs_rep2(KDC_REQ_BODY *b,
} }
#endif #endif
/* check principal flags */ ret = check_flags(client, cpn, server, spn, FALSE);
if(server->flags.invalid) { if(ret)
kdc_log(0, "%s has `invalid' flag set", spn);
ret = KRB5KDC_ERR_SERVICE_NOTYET;
goto out; goto out;
}
if(!server->flags.server) {
kdc_log(0, "%s may not act as server", spn);
ret = KRB5KDC_ERR_POLICY;
goto out;
}
if(server->flags.initial) {
kdc_log(0, "%s has `initial' flag set", spn);
ret = KRB5KDC_ERR_POLICY;
goto out;
}
if(client->flags.invalid) {
kdc_log(0, "%s has `invalid' flag set", cpn);
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
if(!client->flags.client) {
kdc_log(0, "%s may not act as client", cpn);
ret = KRB5KDC_ERR_POLICY;
goto out;
}
if((b->kdc_options.validate || b->kdc_options.renew) && if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context, !krb5_principal_compare(context,