Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/kdc_util.c20
-rw-r--r--src/kdc/policy.c75
2 files changed, 16 insertions, 79 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index db5434d..b892a27 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1051,9 +1051,13 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
return(KDC_ERR_MUST_USE_USER2USER);
}
- /*
- * Check against local policy
- */
+ /* Perform KDB module policy checks. */
+ errcode = krb5_db_check_policy_as(kdc_context, request, &client, &server,
+ kdc_time, status, e_data);
+ if (errcode && errcode != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode;
+
+ /* Check against local policy. */
errcode = against_local_policy_as(request, client, server,
kdc_time, status, e_data);
if (errcode)
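Review bot: The new early return after `krb5_db_check_policy_as` hands the module's error code back unchanged, whereas the code this commit removes from policy.c first mapped it into the protocol error range (`code -= ERROR_TABLE_BASE_krb5;` then a clamp to `KRB_ERR_GENERIC`). The other returns visible in validate_as_request are protocol error numbers such as `KDC_ERR_MUST_USE_USER2USER`, so unless `krb5_db_check_policy_as` does that conversion itself (it is outside this diff), a policy rejection could now reach the caller as a com_err table value. If it does not, keep the mapping in front of the return: `errcode -= ERROR_TABLE_BASE_krb5;` followed by `if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC;`. The same applies to the `krb5_db_check_policy_tgs` call added in the validate_tgs_request hunk; both function bodies continue outside their hunks.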
@@ -1468,9 +1472,13 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
return KRB_ERR_GENERIC;
}
- /*
- * Check local policy
- */
+ /* Perform KDB module policy checks. */
+ errcode = krb5_db_check_policy_tgs(kdc_context, request, &server,
+ ticket, status, e_data);
+ if (errcode && errcode != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode;
+
+ /* Check local policy. */
errcode = against_local_policy_tgs(request, server, ticket,
status, e_data);
if (errcode)
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index fa403e5..939ddb0 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -63,12 +63,6 @@ against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
const char **status, krb5_data *e_data)
{
- krb5_error_code code;
- kdb_check_policy_as_req req;
- kdb_check_policy_as_rep rep;
- krb5_data req_data;
- krb5_data rep_data;
-
#if 0
/* An AS request must include the addresses field */
if (request->addresses == 0) {
@@ -77,37 +71,7 @@ against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
}
#endif
- memset(&req, 0, sizeof(req));
- memset(&rep, 0, sizeof(rep));
-
- req.request = request;
- req.client = &client;
- req.server = &server;
- req.kdc_time = kdc_time;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = (void *)&rep;
- rep_data.length = sizeof(rep);
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_CHECK_POLICY_AS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- return 0;
-
- *status = rep.status;
- *e_data = rep.e_data;
-
- if (code != 0) {
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = KRB_ERR_GENERIC;
- }
-
- return code;
+ return 0; /* not against policy */
}
/*
@@ -118,12 +82,6 @@ against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
krb5_ticket *ticket, const char **status,
krb5_data *e_data)
{
- krb5_error_code code;
- kdb_check_policy_tgs_req req;
- kdb_check_policy_tgs_rep rep;
- krb5_data req_data;
- krb5_data rep_data;
-
#if 0
/*
* For example, if your site wants to disallow ticket forwarding,
@@ -136,34 +94,5 @@ against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
}
#endif
- memset(&req, 0, sizeof(req));
- memset(&rep, 0, sizeof(rep));
-
- req.request = request;
- req.server = &server;
- req.ticket = ticket;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = (void *)&rep;
- rep_data.length = sizeof(rep);
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_CHECK_POLICY_TGS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- return 0;
-
- *status = rep.status;
- *e_data = rep.e_data;
-
- if (code != 0) {
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = KRB_ERR_GENERIC;
- }
-
- return code;
+ return 0; /* not against policy */
}