diff options
author | Greg Hudson <ghudson@mit.edu> | 2013-06-06 14:44:30 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-06-06 20:09:46 -0400 |
commit | 4f551a7ec126c52ee1f8fea4c3954015b70987bd (patch) | |
tree | cee645af15058887e48a9d054c806b9db4be3715 /src/kdc/kdc_util.c | |
parent | 6936d2792fda4d92cb78bcb12fd51d6ea23a746a (diff) | |
download | krb5-4f551a7ec126c52ee1f8fea4c3954015b70987bd.tar.gz krb5-4f551a7ec126c52ee1f8fea4c3954015b70987bd.tar.xz krb5-4f551a7ec126c52ee1f8fea4c3954015b70987bd.zip |
Refactor KDC renewable ticket handling
Create a new helper to compute the renewable lifetime for AS and TGS
requests. This has some minor behavior differences:
* We only issue a renewable ticket if the renewable lifetime is greater
than the normal ticket lifetime.
* We give RENEWABLE precedence over RENEWABLE-OK in determining the
requested renewable lifetime, instead of sometimes doing the
reverse.
* We use the client's maximum renewable life for TGS requests if we
have looked up its DB entry.
* Instead of rejecting requests for renewable tickets (if the client
or server principal doesn't allow it, or a TGS request's TGT isn't
renewable), issue non-renewable tickets.
ticket: 7661 (new)
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r-- | src/kdc/kdc_util.c | 56 |
1 files changed, 48 insertions, 8 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 9948e1bbe3..e61a867d60 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -662,14 +662,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm, * contents of which were previously below). */ - /* Client and server must allow renewable tickets */ - if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { - *status = "RENEWABLE NOT ALLOWED"; - return(KDC_ERR_POLICY); - } - /* Client and server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || @@ -1898,6 +1890,54 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, *out_endtime = starttime + life; } +/* + * Set tkt->renew_till to the requested renewable lifetime as modified by + * policy. Set the TKT_FLG_RENEWABLE flag if we set a nonzero renew_till. + * client and tgt may be NULL. + */ +void +kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, + krb5_enc_tkt_part *tgt, krb5_db_entry *client, + krb5_db_entry *server, krb5_enc_tkt_part *tkt) +{ + krb5_timestamp rtime, max_rlife; + + tkt->times.renew_till = 0; + + /* Don't issue renewable tickets if the client or server don't allow it, + * or if this is a TGS request and the TGT isn't renewable. */ + if (server->attributes & KRB5_KDB_DISALLOW_RENEWABLE) + return; + if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_RENEWABLE)) + return; + if (tgt != NULL && !(tgt->flags & TKT_FLG_RENEWABLE)) + return; + + /* Determine the requested renewable time. */ + if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) + rtime = request->rtime ? request->rtime : kdc_infinity; + else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && + tkt->times.endtime < request->till) + rtime = request->till; + else + return; + + /* Truncate it to the allowable renewable time. */ + if (tgt != NULL) + rtime = min(rtime, tgt->times.renew_till); + max_rlife = min(server->max_renewable_life, realm->realm_maxrlife); + if (client != NULL) + max_rlife = min(max_rlife, client->max_renewable_life); + rtime = min(rtime, tkt->times.starttime + max_rlife); + + /* Make the ticket renewable if the truncated requested time is larger than + * the ticket end time. */ + if (rtime > tkt->times.endtime) { + setflag(tkt->flags, TKT_FLG_RENEWABLE); + tkt->times.renew_till = rtime; + } +} + /** * Handle protected negotiation of FAST using enc_padata * - If ENCPADATA_REQ_ENC_PA_REP is present, then: |