From: Tom Yu Date: Mon, 28 Sep 2009 21:22:43 +0000 (+0000) Subject: pull up r22423, r22422 from trunk X-Git-Tag: krb5-1.7.1-beta1~36 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ba1ae9f6beb87375ebc79276354f374f8b7582aa;p=krb5.git pull up r22423, r22422 from trunk ------------------------------------------------------------------------ r22423 | tlyu | 2009-06-25 22:44:41 -0400 (Thu, 25 Jun 2009) | 4 lines ticket: 6428 Add test case omitted in last commit. ------------------------------------------------------------------------ r22422 | tlyu | 2009-06-25 22:43:21 -0400 (Thu, 25 Jun 2009) | 8 lines ticket: 6428 version_reported: 1.7 target_version: 1.7.1 tags: pullup Check for principal expiration prior to checking for password expiration. Reported by Phil Pishioneri. ticket: 6428 version_fixed: 1.7.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22802 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 607108a99..3662f2359 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -938,25 +938,25 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, return KDC_ERR_BADOPTION; } - /* The client's password must not be expired, unless the server is - a KRB5_KDC_PWCHANGE_SERVICE. */ - if (client.pw_expiration && client.pw_expiration < kdc_time && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { - *status = "CLIENT KEY EXPIRED"; + /* The client must not be expired */ + if (client.expiration && client.expiration < kdc_time) { + *status = "CLIENT EXPIRED"; #ifdef KRBCONF_VAGUE_ERRORS return(KRB_ERR_GENERIC); #else - return(KDC_ERR_KEY_EXP); + return(KDC_ERR_NAME_EXP); #endif } - /* The client must not be expired */ - if (client.expiration && client.expiration < kdc_time) { - *status = "CLIENT EXPIRED"; + /* The client's password must not be expired, unless the server is + a KRB5_KDC_PWCHANGE_SERVICE. */ + if (client.pw_expiration && client.pw_expiration < kdc_time && + !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + *status = "CLIENT KEY EXPIRED"; #ifdef KRBCONF_VAGUE_ERRORS return(KRB_ERR_GENERIC); #else - return(KDC_ERR_NAME_EXP); + return(KDC_ERR_KEY_EXP); #endif } @@ -1870,6 +1870,12 @@ validate_s4u2self_request(krb5_kdc_req *request, int errcode; krb5_db_entry server = { 0 }; + /* The client must not be expired */ + if (client->expiration && client->expiration < kdc_time) { + *status = "CLIENT EXPIRED"; + return KDC_ERR_NAME_EXP; + } + /* The client's password must not be expired, unless the server is a KRB5_KDC_PWCHANGE_SERVICE. */ if (client->pw_expiration && client->pw_expiration < kdc_time) { @@ -1877,12 +1883,6 @@ validate_s4u2self_request(krb5_kdc_req *request, return KDC_ERR_KEY_EXP; } - /* The client must not be expired */ - if (client->expiration && client->expiration < kdc_time) { - *status = "CLIENT EXPIRED"; - return KDC_ERR_NAME_EXP; - } - /* * If the client requires password changing, then return an * error; S4U2Self cannot be used to change a password. 
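Review bot: The new `/* The client must not be expired */` comment in both hunks says nothing about why the block now sits ahead of the password-expiration check, and that ordering is the whole point of the change; I would write it as `/* The client must not be expired.  Checked before password expiration so an expired principal gets KDC_ERR_NAME_EXP rather than KDC_ERR_KEY_EXP, which a client may take as a cue to change the password. */`. In validate_s4u2self_request the pw_expiration check that follows the inserted block is introduced by a comment saying "unless the server is a KRB5_KDC_PWCHANGE_SERVICE", yet the condition on that context line carries no isflagset() test; this predates the commit, but since the block is being reordered it is worth either adding the test or trimming the comment so it stops promising an exemption the code does not grant. Note also that the S4U2Self path returns KDC_ERR_NAME_EXP unconditionally, with no KRBCONF_VAGUE_ERRORS branch like the one in validate_as_request; presumably acceptable because the requester has already authenticated with its TGT, but worth confirming that this is intended. Both validate_as_request and validate_s4u2self_request begin and end outside these hunks.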
diff --git a/src/tests/dejagnu/krb-standalone/princexpire.exp b/src/tests/dejagnu/krb-standalone/princexpire.exp
new file mode 100644
index 000000000..5228141ed
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/princexpire.exp
@@ -0,0 +1,105 @@
+proc doit { } {
+    global REALMNAME
+    global KLIST
+    global KINIT
+    global KDESTROY
+    global KEY
+    global KADMIN_LOCAL
+    global KTUTIL
+    global hostname
+    global tmppwd
+    global spawn_id
+    global supported_enctypes
+    global KRBIV
+    global portbase
+    global mode
+
+    set princ "expiredprinc"
+
+    # Start up the kerberos and kadmind daemons.
+    if ![start_kerberos_daemons 0] {
+        return 1
+    }
+
+    # Use kadmin to add a key.
+    if ![add_kerberos_key $princ 0] {
+        return 1
+    }
+
+    setup_kerberos_env kdc
+
+    set test "kadmin.local modprinc -expire"
+    spawn $KADMIN_LOCAL -q "modprinc -expire \"2 days ago\" $princ"
+    catch expect_after
+    expect {
+        timeout {
+            fail $test
+        }
+        eof {
+            pass $test
+        }
+    }
+    set k_stat [wait -i $spawn_id]
+    verbose "wait -i $spawn_id returned $k_stat ($test)"
+    catch "close -i $spawn_id"
+
+    set test "kadmin.local -pwexpire"
+    spawn $KADMIN_LOCAL -q "modprinc -pwexpire \"2 days ago\" $princ"
+    catch expect_after
+    expect {
+        timeout {
+            fail $test
+        }
+        eof {
+            pass $test
+        }
+    }
+    set k_stat [wait -i $spawn_id]
+    verbose "wait -i $spawn_id returned $k_stat ($test)"
+    catch "close -i $spawn_id"
+
+    setup_kerberos_env client
+    spawn $KINIT -5 -k -t /dev/null $princ
+    expect {
+        "entry in database has expired" {
+            pass $test
+        }
+        "Password has expired" {
+            fail "$test (inappropriate password expiration message)"
+        }
+        timeout {
+            expect eof
+            fail "$test (timeout)"
+            return 0
+        }
+        eof {
+            fail "$test (eof)"
+            return 0
+        }
+    }
+    expect eof
+    return 0
+}
+
+run_once princexpire {
+    # Set up the Kerberos files and environment.
+    if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+        return
+    }
+    # Initialize the Kerberos database. The argument tells
+    # setup_kerberos_db that it is not being called from
+    # standalone.exp.
+    if ![setup_kerberos_db 0] {
+        return
+    }
+
+    set status [catch doit msg]
+
+    stop_kerberos_daemons
+
+    if { $status != 0 } {
+        send_error "ERROR: error in pwchange.exp\n"
+        send_error "$msg\n"
+        exit 1
+    }
+}
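Review bot: The failure message at the bottom of run_once reads `send_error "ERROR: error in pwchange.exp\n"`, but this file is princexpire.exp, so a failure here is reported against the wrong test; change it to `send_error "ERROR: error in princexpire.exp\n"`. Earlier in doit, `$test` is never reset before `spawn $KINIT -5 -k -t /dev/null $princ`, so the pass/fail lines for the kinit check are logged under the stale label "kadmin.local -pwexpire"; add `set test "kinit against expired principal"` immediately before that spawn. The kinit block also ends with a bare `expect eof` and no `wait`/`close`, unlike the two kadmin.local blocks above it, so mirroring their `set k_stat [wait -i $spawn_id]` / `catch "close -i $spawn_id"` tail would avoid leaving the spawned kinit unreaped. Finally, both kadmin.local blocks treat eof as a pass without inspecting `$k_stat`, so a failed modprinc would still let the kinit check run; presumably the kinit expectation would then fail on its own, but checking the exit status would make the real failure point obvious.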