svn rev #22422: trunk/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Thu Jun 25 22:43:21 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22422
Commit By: tlyu
Log Message:
ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup

Check for principal expiration prior to checking for password
expiration.  Reported by Phil Pishioneri.


Changed Files:
U   trunk/src/kdc/kdc_util.c
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2009-06-23 04:26:14 UTC (rev 22421)
+++ trunk/src/kdc/kdc_util.c	2009-06-26 02:43:21 UTC (rev 22422)
@@ -936,6 +936,16 @@
 	return KDC_ERR_BADOPTION;
     }
 
+    /* The client must not be expired */
+    if (client.expiration && client.expiration < kdc_time) {
+	*status = "CLIENT EXPIRED";
+#ifdef KRBCONF_VAGUE_ERRORS
+	return(KRB_ERR_GENERIC);
+#else
+	return(KDC_ERR_NAME_EXP);
+#endif
+    }
+
     /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
     if (client.pw_expiration && client.pw_expiration < kdc_time &&
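Review bot: The comment on the added block, `/* The client must not be expired */`, does not say that its position ahead of the password-expiration test is deliberate, so a later reordering could quietly undo the fix for ticket 6428. I would extend it to something like `/* The client must not be expired.  Check this before password expiration so an expired principal is reported as expired. */`. The enclosing function starts and ends outside this hunk, so it is not visible whether an earlier return can still pre-empt this check.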
@@ -948,16 +958,6 @@
 #endif
     }
 
-    /* The client must not be expired */
-    if (client.expiration && client.expiration < kdc_time) {
-	*status = "CLIENT EXPIRED";
-#ifdef KRBCONF_VAGUE_ERRORS
-	return(KRB_ERR_GENERIC);
-#else
-	return(KDC_ERR_NAME_EXP);
-#endif
-    }
-
     /* The server must not be expired */
     if (server.expiration && server.expiration < kdc_time) {
 	*status = "SERVICE EXPIRED";
@@ -1868,6 +1868,12 @@
     int				errcode;
     krb5_db_entry		server = { 0 };
  
+    /* The client must not be expired */
+    if (client->expiration && client->expiration < kdc_time) {
+	*status = "CLIENT EXPIRED";
+	return KDC_ERR_NAME_EXP;
+    }
+
     /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
     if (client->pw_expiration && client->pw_expiration < kdc_time) {
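Review bot: The check added here returns `KDC_ERR_NAME_EXP` unconditionally, while the same check in the first hunk returns `KRB_ERR_GENERIC` when `KRBCONF_VAGUE_ERRORS` is defined, so a build configured for vague errors still discloses principal expiry on this path. If that difference is not intended, guard the return the same way as the first hunk (`#ifdef KRBCONF_VAGUE_ERRORS` / `return KRB_ERR_GENERIC;` / `#else` / `return KDC_ERR_NAME_EXP;` / `#endif`). The password check just below also returns `KDC_ERR_KEY_EXP` directly, so this may be deliberate for this function; a one-line comment saying so would settle it. The context comment mentioning `KRB5_KDC_PWCHANGE_SERVICE` also has no matching condition in the visible `if` and looks stale. The function body continues outside the hunk.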
@@ -1875,12 +1881,6 @@
 	return KDC_ERR_KEY_EXP;
     }
 
-    /* The client must not be expired */
-    if (client->expiration && client->expiration < kdc_time) {
-	*status = "CLIENT EXPIRED";
-	return KDC_ERR_NAME_EXP;
-    }
-
     /*
      * If the client requires password changing, then return an
      * error; S4U2Self cannot be used to change a password.



