authorTheodore Tso <tytso@mit.edu>1992-09-30 14:08:14 +0000
committerTheodore Tso <tytso@mit.edu>1992-09-30 14:08:14 +0000
commit34db5edc73984f1a02e5dfcf81f1b157f3b5a346 (patch)
treeec1e083f81f7c9fe28b4c882d085716b07be744c /src/kdc/policy.c
parentb32b9b5ff08d5ed2059b0551adaaeaef4ac71379 (diff)
Massive changes to do_as_req.c, do_tgs_req.c, kdc_util.c, and policy.c
Fixed bug so that renewable/forwardable/proxiable tickets work on all tickets, not just the TGS server. Fixed bug so that proxiable tickets don't work on TGT tickets. Revamped structure to make things cleaner, and easier to understand. Nearly all of the validation routines have been moved to a validate_as_request and a validate_tgs_request subroutine in kdc_util.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2451 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/policy.c')
-rw-r--r--src/kdc/policy.c77
1 files changed, 30 insertions, 47 deletions
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index 4010c54208..79229827a4 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -37,62 +37,45 @@ static char rcsid_policy_c[] =
#include "kdc_util.h"
-/*ARGSUSED*/
-krb5_boolean
-against_postdate_policy(fromtime)
-krb5_timestamp fromtime;
+int
+against_local_policy_as(request, client, server, kdc_time, status)
+register krb5_kdc_req *request;
+krb5_db_entry client;
+krb5_db_entry server;
+krb5_timestamp kdc_time;
+char **status;
{
- return FALSE;
+ return 0; /* not against policy */
}
-krb5_boolean
-against_flag_policy_as(request)
-const register krb5_kdc_req *request;
+/*
+ * This is where local policy restrictions for the TGS should placed.
+ */
+krb5_error_code
+against_local_policy_tgs(request, server, ticket, status)
+register krb5_kdc_req *request;
+krb5_db_entry server;
+krb5_ticket *ticket;
+char **status;
{
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
- isflagset(request->kdc_options, KDC_OPT_PROXY) ||
- isflagset(request->kdc_options, KDC_OPT_RENEW) ||
- isflagset(request->kdc_options, KDC_OPT_VALIDATE) ||
- isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
- return TRUE; /* against policy */
-
- return FALSE; /* not against policy */
+#ifdef 0
+ /*
+ * For example, if your site wants to disallow ticket forwarding,
+ * you might do something like this:
+ */
+
+ if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
+ *status = "FORWARD POLICY";
+ return KRB5KDC_ERR_POLICY;
+ }
+#endif
+
+ return 0; /* not against policy */
}
-krb5_boolean
-against_flag_policy_tgs(request, ticket)
-const register krb5_kdc_req *request;
-const register krb5_ticket *ticket;
-{
- if (((isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
- isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) &&
- !isflagset(ticket->enc_part2->flags,
- TKT_FLG_FORWARDABLE)) || /* TGS must be forwardable to get
- forwarded or forwardable ticket */
- ((isflagset(request->kdc_options, KDC_OPT_PROXY) ||
- isflagset(request->kdc_options, KDC_OPT_PROXIABLE)) &&
- !isflagset(ticket->enc_part2->flags,
- TKT_FLG_PROXIABLE)) || /* TGS must be proxiable to get
- proxiable ticket */
- ((isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) ||
- isflagset(request->kdc_options, KDC_OPT_POSTDATED)) &&
- !isflagset(ticket->enc_part2->flags,
- TKT_FLG_MAY_POSTDATE)) || /* TGS must allow postdating to get
- postdated ticket */
-
- (isflagset(request->kdc_options, KDC_OPT_VALIDATE) &&
- !isflagset(ticket->enc_part2->flags,
- TKT_FLG_INVALID)) || /* can only validate invalid tix */
- ((isflagset(request->kdc_options, KDC_OPT_RENEW) ||
- isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) &&
- !isflagset(ticket->enc_part2->flags,
- TKT_FLG_RENEWABLE))) /* can only renew renewable tix */
- return TRUE; /* against policy */
- return FALSE; /* XXX not against policy */
-}
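Review bot: `#ifdef 0` guarding the example in the new against_local_policy_tgs body is not valid preprocessor syntax — `#ifdef` takes a macro name, not a constant, so a conforming compiler rejects the translation unit with a "macro names must be identifiers" diagnostic; it should read `#if 0`. The AS variant is declared to return `int` while the TGS variant returns `krb5_error_code`, yet both are meant to report codes such as KRB5KDC_ERR_POLICY through the same `*status` convention; `krb5_error_code against_local_policy_as(...)` would keep the two entry points consistent. Both new functions take `krb5_db_entry client` / `krb5_db_entry server` by value, copying the whole database entry on every request, whereas the other parameters are pointers; passing `krb5_db_entry *` would avoid that and match the rest of the signature. All parameters of both new stubs are unused, so the `/*ARGSUSED*/` lint annotation that was dropped from the old against_postdate_policy still applies and could be restored on each. The five ticket-flag conditions removed with against_flag_policy_tgs (forwardable, proxiable, may-postdate, invalid-for-validate, renewable) are described as having moved to validate_tgs_request in kdc_util.c, which is outside this hunk, so it is worth confirming that each of them landed there rather than being lost in the move.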