authorTom Yu <tlyu@mit.edu>2009-06-26 02:43:21 +0000
committerTom Yu <tlyu@mit.edu>2009-06-26 02:43:21 +0000
commit36031a837ed7a6716682febf97efbf5eb2a8bc5b (patch)
tree9cc55402ce9abc4df647ce4eefaa282e7bbf2b91 /src/kdc/kdc_util.c
parentadbc54bb6cccb3aff8cb54dd2f7f71076e3a18bb (diff)
Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri. ticket: 6428 version_reported: 1.7 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22422 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r--src/kdc/kdc_util.c32
1 files changed, 16 insertions, 16 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 3361443..53adfbb 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -936,25 +936,25 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
return KDC_ERR_BADOPTION;
}
- /* The client's password must not be expired, unless the server is
- a KRB5_KDC_PWCHANGE_SERVICE. */
- if (client.pw_expiration && client.pw_expiration < kdc_time &&
- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
- *status = "CLIENT KEY EXPIRED";
+ /* The client must not be expired */
+ if (client.expiration && client.expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
return(KRB_ERR_GENERIC);
#else
- return(KDC_ERR_KEY_EXP);
+ return(KDC_ERR_NAME_EXP);
#endif
}
- /* The client must not be expired */
- if (client.expiration && client.expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
+ /* The client's password must not be expired, unless the server is
+ a KRB5_KDC_PWCHANGE_SERVICE. */
+ if (client.pw_expiration && client.pw_expiration < kdc_time &&
+ !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+ *status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
return(KRB_ERR_GENERIC);
#else
- return(KDC_ERR_NAME_EXP);
+ return(KDC_ERR_KEY_EXP);
#endif
}
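Review bot: The order of these two checks is the whole point of the change, but the comment on the first one, `/* The client must not be expired */`, does not say so, and a later tidy-up could swap them back. I would extend it to something like `/* Check principal expiration before password expiration: an expired principal must get KDC_ERR_NAME_EXP, not KDC_ERR_KEY_EXP. */`. The same pair of checks is repeated in validate_s4u2self_request further down the patch, so a shared helper would keep the ordering in one place. validate_as_request starts and continues outside this hunk, so I cannot see whether these status codes reach a client that has not yet pre-authenticated; if they do, only builds with KRBCONF_VAGUE_ERRORS hide which accounts are expired.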
@@ -1868,6 +1868,12 @@ validate_s4u2self_request(krb5_kdc_req *request,
int errcode;
krb5_db_entry server = { 0 };
+ /* The client must not be expired */
+ if (client->expiration && client->expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
+ return KDC_ERR_NAME_EXP;
+ }
+
/* The client's password must not be expired, unless the server is
a KRB5_KDC_PWCHANGE_SERVICE. */
if (client->pw_expiration && client->pw_expiration < kdc_time) {
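Review bot: The principal-expiration check added to validate_s4u2self_request returns `KDC_ERR_NAME_EXP` unconditionally, whereas the same check in validate_as_request returns `KRB_ERR_GENERIC` when KRBCONF_VAGUE_ERRORS is defined. If that build option is meant to cover S4U2Self as well, wrap the return in the same `#ifdef KRBCONF_VAGUE_ERRORS` / `#else` / `#endif` branch; the `return KDC_ERR_KEY_EXP;` of the password check in the next hunk would need the same treatment. Separately, the context comment says "unless the server is a KRB5_KDC_PWCHANGE_SERVICE", but the condition on the line after it has no `isflagset(...)` test, so either the comment should read `/* The client's password must not be expired. */` or the exemption is missing. The function body starts and ends outside the hunk.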
@@ -1875,12 +1881,6 @@ validate_s4u2self_request(krb5_kdc_req *request,
return KDC_ERR_KEY_EXP;
}
- /* The client must not be expired */
- if (client->expiration && client->expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
- return KDC_ERR_NAME_EXP;
- }
-
/*
* If the client requires password changing, then return an
* error; S4U2Self cannot be used to change a password.