Diffstat (limited to 'src/kdc/policy.c')
-rw-r--r-- | src/kdc/policy.c | 101 |
1 files changed, 96 insertions, 5 deletions
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index 8c0b69272..58b26f73d 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -25,15 +25,49 @@
  *
  * Policy decision routines for KDC.
  */
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "k5-int.h"
 #include "kdc_util.h"
+#include "extern.h"
 int
 against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
 krb5_db_entry server, krb5_timestamp kdc_time, const char **status)
 {
+ krb5_error_code code;
+ kdb_check_policy_as_req req;
+ kdb_check_policy_as_rep rep;
+ krb5_data req_data;
+ krb5_data rep_data;
+
 #if 0
 /* An AS request must include the addresses field */
 if (request->addresses == 0) {
@@ -41,8 +75,37 @@ against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
 return KRB5KDC_ERR_POLICY;
 }
 #endif
-
- return 0; /* not against policy */
+
+ memset(&req, 0, sizeof(req));
+ memset(&rep, 0, sizeof(rep));
+
+ req.request = request;
+ req.client = &client;
+ req.server = &server;
+ req.kdc_time = kdc_time;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = (void *)&rep;
+ rep_data.length = sizeof(rep);
+
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_CHECK_POLICY_AS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP)
+ return 0;
+
+ *status = rep.status;
+
+ if (code != 0) {
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = KRB_ERR_GENERIC;
+ }
+
+ return code;
 }
 /*
@@ -52,6 +115,12 @@ krb5_error_code
 against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
 krb5_ticket *ticket, const char **status)
 {
+ krb5_error_code code;
+ kdb_check_policy_tgs_req req;
+ kdb_check_policy_tgs_rep rep;
+ krb5_data req_data;
+ krb5_data rep_data;
+
 #if 0
 /*
 * For example, if your site wants to disallow ticket forwarding,
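Review bot: The range check after `code -= ERROR_TABLE_BASE_krb5;` accepts the value 128, but the Kerberos protocol error codes this function now returns occupy 0–127 (KRB_ERR_GENERIC itself is 60), so the bound should read `if (code < 0 || code > 127)`; if the krb5 error table still places its first library-internal entry at offset 128, the current test would pass that value to the caller as if it were a protocol code. The identical translation block in the against_local_policy_tgs hunk below (`@@ -63,13 +132,35 @@`) needs the same correction, and moving both copies into one `static` helper taking the method id and the two `krb5_data` buffers would keep them from drifting apart. `*status = rep.status;` also runs on the success path, so a module that returns 0 without filling in `rep.status` replaces the caller's pointer with NULL where the old code left it untouched; placing the assignment under `if (code != 0)` restores the previous contract unless every caller reads `*status` only on a non-zero return. Finally, `req_data` and `rep_data` get only `.data` and `.length` assigned, which leaves the struct's `magic` member indeterminate when the buffers are handed to the module; declaring them as `krb5_data req_data = { 0 };` (or setting `.magic`) avoids passing uninitialized memory across the plugin boundary.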
@@ -63,13 +132,35 @@ against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
 return KRB5KDC_ERR_POLICY;
 }
 #endif
-
- return 0; /* not against policy */
-}
+ memset(&req, 0, sizeof(req));
+ memset(&rep, 0, sizeof(rep));
+
+ req.request = request;
+ req.server = &server;
+ req.ticket = ticket;
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+ rep_data.data = (void *)&rep;
+ rep_data.length = sizeof(rep);
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_CHECK_POLICY_TGS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP)
+ return 0;
+ *status = rep.status;
+ if (code != 0) {
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = KRB_ERR_GENERIC;
+ }
+
+ return code;
+}
|
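Review bot: Nothing documents the contract that against_local_policy_tgs now has, and the function's opening lines lie outside this hunk: the `return code;` path yields a protocol error code translated from the KDB module's reply rather than a com_err value, 0 also means "no module implements the method", and `*status` appears to point at text supplied by the module's reply rather than a string literal in this file. A comment above the function along the lines of `/* Ask the KDB module's CHECK_POLICY_TGS method whether the request is allowed. Returns 0 if allowed or if the module does not implement the method, otherwise a Kerberos protocol error code; *status receives the module's reason text. */` would save the caller from rediscovering this by reading the translation block, and the same note belongs on against_local_policy_as.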