krb5 commit: Check for undefined kadm5 policy mask bits
Greg Hudson
ghudson at mit.edu
Mon May 10 16:34:17 EDT 2021
https://github.com/krb5/krb5/commit/5fae28918b5097cf10203b45a079a722be8357e2
commit 5fae28918b5097cf10203b45a079a722be8357e2
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Apr 16 01:37:11 2021 -0400
Check for undefined kadm5 policy mask bits
For symmetry with the libkadm5srv functions to create and modify
principals, check for undefined mask bits when creating or modifying
policies.
ticket: 9002 (new)
src/lib/kadm5/server_internal.h | 4 +++-
src/lib/kadm5/srv/svr_policy.c | 4 ++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index dc79c78..433f491 100644
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -139,7 +139,9 @@ extern krb5_principal current_caller;
(KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
- KADM5_PW_LOCKOUT_DURATION )
+ KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES | \
+ KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE | \
+ KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)
#define SERVER_CHECK_HANDLE(handle) \
{ \
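Review bot: This macro (presumably ALL_POLICY_MASK, which the svr_policy.c hunks of this commit test against) now acts as an enforcement boundary rather than a convenience list, and nothing in the header says so; the `#define` line itself is above the hunk. Any KADM5_POLICY_* bit added to admin.h but not to this list will be rejected by kadm5_create_policy() and kadm5_modify_policy() with KADM5_BAD_MASK, which is easy to miss when a new policy field is introduced. I would put a comment above the definition along the lines of `/* Every policy mask bit defined in admin.h.  kadm5_create_policy() and kadm5_modify_policy() reject masks containing any other bit, so a new policy field must be added here as well. */`. The trailing SERVER_CHECK_HANDLE macro is only partially visible here and is unaffected.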
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index dbf0a24..d7940ef 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -71,7 +71,7 @@ kadm5_create_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
- if (!(mask & KADM5_POLICY))
+ if (!(mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {
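Review bot: The `mask & ~ALL_POLICY_MASK` test in kadm5_create_policy only catches bits that exist in the type of `~ALL_POLICY_MASK`; `mask` is a `long`, so if the KADM5_* constants are 32-bit values (as I believe the admin.h definitions are, though that is not visible here), bits 32 and above of a 64-bit `mask` would still pass on LP64 platforms. Whether such bits can arrive from a remote client depends on how the RPC layer encodes `mask`, which this diff does not show; in-process callers of libkadm5srv can certainly pass them. Widening the mask before negating closes that gap without changing the intended semantics: `if (!(mask & KADM5_POLICY) || (mask & ~(long)ALL_POLICY_MASK))`. The same applies to the new check in the kadm5_modify_policy hunk of this commit. kadm5_create_policy's body continues outside the hunk, so I have not verified how `mask` is used further down.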
@@ -258,7 +258,7 @@ kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
- if((mask & KADM5_POLICY))
+ if ((mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {