From: Tom Yu
Date: Fri, 26 Jun 2009 02:43:21 +0000 (+0000)
Subject: Check for principal expiration prior to checking for password
X-Git-Tag: krb5-1.8-alpha1~425
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=36031a837ed7a6716682febf97efbf5eb2a8bc5b;p=krb5.git

Check for principal expiration prior to checking for password expiration. Reported by Phil Pishioneri.

ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22422 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 33614437a..53adfbb91 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -936,25 +936,25 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
         return KDC_ERR_BADOPTION;
     }
-    /* The client's password must not be expired, unless the server is
-       a KRB5_KDC_PWCHANGE_SERVICE. */
-    if (client.pw_expiration && client.pw_expiration < kdc_time &&
-        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
-        *status = "CLIENT KEY EXPIRED";
+    /* The client must not be expired */
+    if (client.expiration && client.expiration < kdc_time) {
+        *status = "CLIENT EXPIRED";
 #ifdef KRBCONF_VAGUE_ERRORS
         return(KRB_ERR_GENERIC);
 #else
-        return(KDC_ERR_KEY_EXP);
+        return(KDC_ERR_NAME_EXP);
 #endif
     }
-    /* The client must not be expired */
-    if (client.expiration && client.expiration < kdc_time) {
-        *status = "CLIENT EXPIRED";
+    /* The client's password must not be expired, unless the server is
+       a KRB5_KDC_PWCHANGE_SERVICE. */
+    if (client.pw_expiration && client.pw_expiration < kdc_time &&
+        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+        *status = "CLIENT KEY EXPIRED";
 #ifdef KRBCONF_VAGUE_ERRORS
         return(KRB_ERR_GENERIC);
 #else
-        return(KDC_ERR_NAME_EXP);
+        return(KDC_ERR_KEY_EXP);
 #endif
     }
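Review bot: The relative order of the two checks in validate_as_request is now load-bearing, but neither comment says so, and a maintainer tidying the function could swap them back and silently reintroduce the reported problem. Suggest extending the first comment to `/* The client must not be expired.  Checked before pw_expiration so an expired principal is reported as KDC_ERR_NAME_EXP rather than KDC_ERR_KEY_EXP. */`. Under KRBCONF_VAGUE_ERRORS both branches return KRB_ERR_GENERIC, so there the ordering only changes the logged *status string, which is worth noting as well. The same ordering comment applies to the check moved in validate_s4u2self_request in the next hunk. validate_as_request starts before this hunk and continues past it.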
@@ -1868,6 +1868,12 @@ validate_s4u2self_request(krb5_kdc_req *request,
     int errcode;
     krb5_db_entry server = { 0 };
+    /* The client must not be expired */
+    if (client->expiration && client->expiration < kdc_time) {
+        *status = "CLIENT EXPIRED";
+        return KDC_ERR_NAME_EXP;
+    }
+
     /* The client's password must not be expired, unless the server is
        a KRB5_KDC_PWCHANGE_SERVICE. */
     if (client->pw_expiration && client->pw_expiration < kdc_time) {
@@ -1875,12 +1881,6 @@ validate_s4u2self_request(krb5_kdc_req *request,
         return KDC_ERR_KEY_EXP;
     }
-    /* The client must not be expired */
-    if (client->expiration && client->expiration < kdc_time) {
-        *status = "CLIENT EXPIRED";
-        return KDC_ERR_NAME_EXP;
-    }
-
     /*
      * If the client requires password changing, then return an
      * error; S4U2Self cannot be used to change a password.
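Review bot: The comment retained above the pw_expiration check in validate_s4u2self_request still says the check is skipped when the server is a KRB5_KDC_PWCHANGE_SERVICE, but the condition on the following line has no isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE) clause, unlike the equivalent check in validate_as_request. If the omission is deliberate, as the later comment about S4U2Self not being usable for password changes suggests, the comment should say so, e.g. `/* The client's password must not be expired.  Unlike the AS path there is no KRB5_KDB_PWCHANGE_SERVICE exemption: S4U2Self cannot be used to change a password. */`; otherwise the flag test is missing and the two paths disagree. validate_s4u2self_request begins before this hunk and continues after the following one.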