svn rev #22802: branches/krb5-1-7/src/ kdc/ tests/dejagnu/krb-standalone/
tlyu@MIT.EDU
tlyu at MIT.EDU
Mon Sep 28 17:22:44 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22802
Commit By: tlyu
Log Message:
ticket: 6428
version_fixed: 1.7.1
status: resolved
pull up r22423, r22422 from trunk
------------------------------------------------------------------------
r22423 | tlyu | 2009-06-25 22:44:41 -0400 (Thu, 25 Jun 2009) | 4 lines
ticket: 6428
Add test case omitted in last commit.
------------------------------------------------------------------------
r22422 | tlyu | 2009-06-25 22:43:21 -0400 (Thu, 25 Jun 2009) | 8 lines
ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup
Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri.
Changed Files:
U branches/krb5-1-7/src/kdc/kdc_util.c
A branches/krb5-1-7/src/tests/dejagnu/krb-standalone/princexpire.exp
Modified: branches/krb5-1-7/src/kdc/kdc_util.c
===================================================================
--- branches/krb5-1-7/src/kdc/kdc_util.c 2009-09-28 20:58:56 UTC (rev 22801)
+++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-09-28 21:22:43 UTC (rev 22802)
@@ -938,6 +938,16 @@
return KDC_ERR_BADOPTION;
}
+ /* The client must not be expired */
+ if (client.expiration && client.expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
+#ifdef KRBCONF_VAGUE_ERRORS
+ return(KRB_ERR_GENERIC);
+#else
+ return(KDC_ERR_NAME_EXP);
+#endif
+ }
+
/* The client's password must not be expired, unless the server is
a KRB5_KDC_PWCHANGE_SERVICE. */
if (client.pw_expiration && client.pw_expiration < kdc_time &&
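Review bot: The relocated block carries no comment saying why principal expiration must be tested before password expiration, which is the whole substance of this change; a later reader sees two independent checks and could reorder them back. Suggest replacing the one-line comment with `/* Check principal expiration before password expiration: an expired principal must get KDC_ERR_NAME_EXP rather than KDC_ERR_KEY_EXP, so clients are not told to change the password of an account that is no longer valid (ticket 6428). */`. Note that because the password check is skipped for a KRB5_KDC_PWCHANGE_SERVICE server (comment on the following lines), the old order already refused the expired principal on that path; the reorder changes only which error code is reported when both are expired, which is presumably why the test looks for the "entry in database has expired" message. The enclosing function starts and ends outside this hunk.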
@@ -950,16 +960,6 @@
#endif
}
- /* The client must not be expired */
- if (client.expiration && client.expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
-#ifdef KRBCONF_VAGUE_ERRORS
- return(KRB_ERR_GENERIC);
-#else
- return(KDC_ERR_NAME_EXP);
-#endif
- }
-
/* The server must not be expired */
if (server.expiration && server.expiration < kdc_time) {
*status = "SERVICE EXPIRED";
@@ -1870,6 +1870,12 @@
int errcode;
krb5_db_entry server = { 0 };
+ /* The client must not be expired */
+ if (client->expiration && client->expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
+ return KDC_ERR_NAME_EXP;
+ }
+
/* The client's password must not be expired, unless the server is
a KRB5_KDC_PWCHANGE_SERVICE. */
if (client->pw_expiration && client->pw_expiration < kdc_time) {
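Review bot: The moved check in this S4U2Self path returns `KDC_ERR_NAME_EXP` unconditionally, whereas the same check in the AS-REQ path of this commit honours `KRBCONF_VAGUE_ERRORS` and returns `KRB_ERR_GENERIC` when it is defined, so a build configured for vague errors still reveals principal expiration here. Since the block is being relocated anyway, consider mirroring the AS-REQ form: `#ifdef KRBCONF_VAGUE_ERRORS` / `return KRB_ERR_GENERIC;` / `#else` around the existing return. This may be deliberate, since the password-expiration return just below (`return KDC_ERR_KEY_EXP;`) is also unconditional in this function; if so, a one-line comment stating that vague errors do not apply to S4U2Self would prevent the question from being re-asked. The enclosing function's signature is outside this hunk.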
@@ -1877,12 +1883,6 @@
return KDC_ERR_KEY_EXP;
}
- /* The client must not be expired */
- if (client->expiration && client->expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
- return KDC_ERR_NAME_EXP;
- }
-
/*
* If the client requires password changing, then return an
* error; S4U2Self cannot be used to change a password.
Added: branches/krb5-1-7/src/tests/dejagnu/krb-standalone/princexpire.exp
===================================================================
--- branches/krb5-1-7/src/tests/dejagnu/krb-standalone/princexpire.exp 2009-09-28 20:58:56 UTC (rev 22801)
+++ branches/krb5-1-7/src/tests/dejagnu/krb-standalone/princexpire.exp 2009-09-28 21:22:43 UTC (rev 22802)
@@ -0,0 +1,105 @@
+proc doit { } {
+ global REALMNAME
+ global KLIST
+ global KINIT
+ global KDESTROY
+ global KEY
+ global KADMIN_LOCAL
+ global KTUTIL
+ global hostname
+ global tmppwd
+ global spawn_id
+ global supported_enctypes
+ global KRBIV
+ global portbase
+ global mode
+
+ set princ "expiredprinc"
+
+ # Start up the kerberos and kadmind daemons.
+ if ![start_kerberos_daemons 0] {
+ return 1
+ }
+
+ # Use kadmin to add a key.
+ if ![add_kerberos_key $princ 0] {
+ return 1
+ }
+
+ setup_kerberos_env kdc
+
+ set test "kadmin.local modprinc -expire"
+ spawn $KADMIN_LOCAL -q "modprinc -expire \"2 days ago\" $princ"
+ catch expect_after
+ expect {
+ timeout {
+ fail $test
+ }
+ eof {
+ pass $test
+ }
+ }
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat ($test)"
+ catch "close -i $spawn_id"
+
+ set test "kadmin.local -pwexpire"
+ spawn $KADMIN_LOCAL -q "modprinc -pwexpire \"2 days ago\" $princ"
+ catch expect_after
+ expect {
+ timeout {
+ fail $test
+ }
+ eof {
+ pass $test
+ }
+ }
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat ($test)"
+ catch "close -i $spawn_id"
+
+ setup_kerberos_env client
+ spawn $KINIT -5 -k -t /dev/null $princ
+ expect {
+ "entry in database has expired" {
+ pass $test
+ }
+ "Password has expired" {
+ fail "$test (inappropriate password expiration message)"
+ }
+ timeout {
+ expect eof
+ fail "$test (timeout)"
+ return 0
+ }
+ eof {
+ fail "$test (eof)"
+ return 0
+ }
+ }
+ expect eof
+ return 0
+}
+
+run_once princexpire {
+ # Set up the Kerberos files and environment.
+ if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+ return
+ }
+ # Initialize the Kerberos database. The argument tells
+ # setup_kerberos_db that it is not being called from
+ # standalone.exp.
+ if ![setup_kerberos_db 0] {
+ return
+ }
+
+ set status [catch doit msg]
+
+ stop_kerberos_daemons
+
+ if { $status != 0 } {
+ send_error "ERROR: error in pwchange.exp\n"
+ send_error "$msg\n"
+ exit 1
+ }
+}
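Review bot: The kinit phase beginning at `spawn $KINIT -5 -k -t /dev/null $princ` never resets `$test`, so its pass/fail lines are reported under the preceding name "kadmin.local -pwexpire"; add `set test "kinit expired principal"` before that spawn. The `run_once` error path names the wrong file, `send_error "ERROR: error in pwchange.exp\n"`, and should read `send_error "ERROR: error in princexpire.exp\n"`. Both kadmin.local steps pass on `eof` alone and only log `$k_stat`, so a failed `modprinc` (for example if the "2 days ago" date string were rejected) would still be counted as a pass and the kinit step would then be run against a principal that is not actually expired; consider failing the step when the exit status in the `wait` result is non-zero. The ordering of the expect patterns, with "entry in database has expired" before "Password has expired", does correctly distinguish the fix from the old behaviour.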