--- krb5-1.3/src/kdc/do_as_req.c +++ krb5-1.3/src/kdc/do_as_req.c @@ -158,7 +158,7 @@ goto errout; } - if ((errcode = validate_as_request(request, client, server, + if ((errcode = validate_as_request(request, &client, &server, kdc_time, &status))) { if (!status) status = "UNKNOWN_REASON"; --- krb5-1.3/src/kdc/do_tgs_req.c +++ krb5-1.3/src/kdc/do_tgs_req.c @@ -194,7 +194,7 @@ goto cleanup; } - if ((retval = validate_tgs_request(request, server, header_ticket, + if ((retval = validate_tgs_request(request, &server, header_ticket, kdc_time, &status))) { if (!status) status = "UNKNOWN_REASON"; --- krb5-1.3/src/kdc/kdc_util.c +++ krb5-1.3/src/kdc/kdc_util.c @@ -831,8 +831,8 @@ #define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\ KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY) int -validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, - krb5_db_entry server, krb5_timestamp kdc_time, +validate_as_request(register krb5_kdc_req *request, const krb5_db_entry *client, + const krb5_db_entry *server, krb5_timestamp kdc_time, const char **status) { int errcode; @@ -847,8 +847,8 @@ /* The client's password must not be expired, unless the server is a KRB5_KDC_PWCHANGE_SERVICE. */ - if (client.pw_expiration && client.pw_expiration < kdc_time && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + if (client->pw_expiration && client->pw_expiration < kdc_time && + !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) { *status = "CLIENT KEY EXPIRED"; #ifdef KRBCONF_VAGUE_ERRORS return(KRB_ERR_GENERIC); @@ -858,7 +858,7 @@ } /* The client must not be expired */ - if (client.expiration && client.expiration < kdc_time) { + if (client->expiration && client->expiration < kdc_time) { *status = "CLIENT EXPIRED"; #ifdef KRBCONF_VAGUE_ERRORS return(KRB_ERR_GENERIC); @@ -868,7 +868,7 @@ } /* The server must not be expired */ - if (server.expiration && server.expiration < kdc_time) { + if (server->expiration && server->expiration < kdc_time) { *status = "SERVICE EXPIRED"; return(KDC_ERR_SERVICE_EXP); } @@ -877,8 +877,8 @@ * If the client requires password changing, then only allow the * pwchange service. */ - if (isflagset(client.attributes, KRB5_KDB_REQUIRES_PWCHANGE) && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE) && + !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) { *status = "REQUIRED PWCHANGE"; return(KDC_ERR_KEY_EXP); } @@ -886,50 +886,50 @@ /* Client and server must allow postdating tickets */ if ((isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) || isflagset(request->kdc_options, KDC_OPT_POSTDATED)) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_POSTDATED) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED))) { + (isflagset(client->attributes, KRB5_KDB_DISALLOW_POSTDATED) || + isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED))) { *status = "POSTDATE NOT ALLOWED"; return(KDC_ERR_CANNOT_POSTDATE); } /* Client and server must allow forwardable tickets */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) { + (isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE) || + isflagset(server->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) { *status = "FORWARDABLE NOT ALLOWED"; return(KDC_ERR_POLICY); } /* Client and server must allow renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { + (isflagset(client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) || + isflagset(server->attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { *status = "RENEWABLE NOT ALLOWED"; return(KDC_ERR_POLICY); } /* Client and server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) { + (isflagset(client->attributes, KRB5_KDB_DISALLOW_PROXIABLE) || + isflagset(server->attributes, KRB5_KDB_DISALLOW_PROXIABLE))) { *status = "PROXIABLE NOT ALLOWED"; return(KDC_ERR_POLICY); } /* Check to see if client is locked out */ - if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { + if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { *status = "CLIENT LOCKED OUT"; return(KDC_ERR_C_PRINCIPAL_UNKNOWN); } /* Check to see if server is locked out */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { + if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { *status = "SERVICE LOCKED OUT"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } /* Check to see if server is allowed to be a service */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) { + if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) { *status = "SERVICE NOT ALLOWED"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } @@ -937,7 +937,7 @@ /* * Check against local policy */ - errcode = against_local_policy_as(request, server, client, + errcode = against_local_policy_as(request, *server, *client, kdc_time, status); if (errcode) return errcode; @@ -1105,7 +1105,7 @@ KDC_OPT_VALIDATE) int -validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, +validate_tgs_request(register krb5_kdc_req *request, const krb5_db_entry *server, krb5_ticket *ticket, krb5_timestamp kdc_time, const char **status) { @@ -1121,7 +1121,7 @@ } /* Check to see if server has expired */ - if (server.expiration && server.expiration < kdc_time) { + if (server->expiration && server->expiration < kdc_time) { *status = "SERVICE EXPIRED"; return(KDC_ERR_SERVICE_EXP); } @@ -1176,7 +1176,7 @@ */ /* Server must allow TGS based issuances */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { + if (isflagset(server->attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { *status = "TGT BASED NOT ALLOWED"; return(KDC_ERR_POLICY); } @@ -1234,47 +1234,47 @@ /* Server must allow forwardable tickets */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) { + isflagset(server->attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) { *status = "NON-FORWARDABLE TICKET"; return(KDC_ERR_POLICY); } /* Server must allow renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE)) { + isflagset(server->attributes, KRB5_KDB_DISALLOW_RENEWABLE)) { *status = "NON-RENEWABLE TICKET"; return(KDC_ERR_POLICY); } /* Server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE)) { + isflagset(server->attributes, KRB5_KDB_DISALLOW_PROXIABLE)) { *status = "NON-PROXIABLE TICKET"; return(KDC_ERR_POLICY); } /* Server must allow postdated tickets */ if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED)) { + isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED)) { *status = "NON-POSTDATABLE TICKET"; return(KDC_ERR_CANNOT_POSTDATE); } /* Server must allow DUP SKEY requests */ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) { + isflagset(server->attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) { *status = "DUP_SKEY DISALLOWED"; return(KDC_ERR_POLICY); } /* Server must not be locked out */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { + if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { *status = "SERVER LOCKED OUT"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } /* Server must be allowed to be a service */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) { + if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) { *status = "SERVER NOT ALLOWED"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } @@ -1324,14 +1324,14 @@ } /* Check for hardware preauthentication */ - if (isflagset(server.attributes, KRB5_KDB_REQUIRES_HW_AUTH) && + if (isflagset(server->attributes, KRB5_KDB_REQUIRES_HW_AUTH) && !isflagset(ticket->enc_part2->flags,TKT_FLG_HW_AUTH)) { *status = "NO HW PREAUTH"; return KRB_ERR_GENERIC; } /* Check for any kind of preauthentication */ - if (isflagset(server.attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && + if (isflagset(server->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) { *status = "NO PREAUTH"; return KRB_ERR_GENERIC; @@ -1340,7 +1340,7 @@ /* * Check local policy */ - errcode = against_local_policy_tgs(request, server, ticket, status); + errcode = against_local_policy_tgs(request, *server, ticket, status); if (errcode) return errcode; --- krb5-1.3/src/kdc/kdc_util.h +++ krb5-1.3/src/kdc/kdc_util.h @@ -65,11 +65,11 @@ krb5_keyblock **, krb5_kvno *); -int validate_as_request (krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, +int validate_as_request (krb5_kdc_req *, const krb5_db_entry *, + const krb5_db_entry *, krb5_timestamp, const char **); -int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, +int validate_tgs_request (krb5_kdc_req *, const krb5_db_entry *, krb5_ticket *, krb5_timestamp, const char **);