diff options
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r-- | src/kdc/kdc_util.c | 56 |
1 files changed, 48 insertions, 8 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 9948e1bbe3..e61a867d60 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -662,14 +662,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm, * contents of which were previously below). */ - /* Client and server must allow renewable tickets */ - if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { - *status = "RENEWABLE NOT ALLOWED"; - return(KDC_ERR_POLICY); - } - /* Client and server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || @@ -1898,6 +1890,54 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, *out_endtime = starttime + life; } +/* + * Set tkt->renew_till to the requested renewable lifetime as modified by + * policy. Set the TKT_FLG_RENEWABLE flag if we set a nonzero renew_till. + * client and tgt may be NULL. + */ +void +kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, + krb5_enc_tkt_part *tgt, krb5_db_entry *client, + krb5_db_entry *server, krb5_enc_tkt_part *tkt) +{ + krb5_timestamp rtime, max_rlife; + + tkt->times.renew_till = 0; + + /* Don't issue renewable tickets if the client or server don't allow it, + * or if this is a TGS request and the TGT isn't renewable. */ + if (server->attributes & KRB5_KDB_DISALLOW_RENEWABLE) + return; + if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_RENEWABLE)) + return; + if (tgt != NULL && !(tgt->flags & TKT_FLG_RENEWABLE)) + return; + + /* Determine the requested renewable time. */ + if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) + rtime = request->rtime ? request->rtime : kdc_infinity; + else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && + tkt->times.endtime < request->till) + rtime = request->till; + else + return; + + /* Truncate it to the allowable renewable time. */ + if (tgt != NULL) + rtime = min(rtime, tgt->times.renew_till); + max_rlife = min(server->max_renewable_life, realm->realm_maxrlife); + if (client != NULL) + max_rlife = min(max_rlife, client->max_renewable_life); + rtime = min(rtime, tkt->times.starttime + max_rlife); + + /* Make the ticket renewable if the truncated requested time is larger than + * the ticket end time. */ + if (rtime > tkt->times.endtime) { + setflag(tkt->flags, TKT_FLG_RENEWABLE); + tkt->times.renew_till = rtime; + } +} + /** * Handle protected negotiation of FAST using enc_padata * - If ENCPADATA_REQ_ENC_PA_REP is present, then: |