[30992] in CVS-changelog-for-Kerberos-V5
krb5 commit: Check for undefined kadm5 policy mask bits
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 10 16:34:31 2021
Date: Mon, 10 May 2021 16:34:17 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202105102034.14AKYHV2003524@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/5fae28918b5097cf10203b45a079a722be8357e2
commit 5fae28918b5097cf10203b45a079a722be8357e2
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Apr 16 01:37:11 2021 -0400
Check for undefined kadm5 policy mask bits
For symmetry with the libkadm5srv functions to create and modify
principals, check for undefined mask bits when creating or modifying
policies.
ticket: 9002 (new)
src/lib/kadm5/server_internal.h | 4 +++-
src/lib/kadm5/srv/svr_policy.c | 4 ++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index dc79c78..433f491 100644
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -139,7 +139,9 @@ extern krb5_principal current_caller;
(KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
- KADM5_PW_LOCKOUT_DURATION )
+ KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES | \
+ KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE | \
+ KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)
#define SERVER_CHECK_HANDLE(handle) \
{ \
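Review bot: ALL_POLICY_MASK is now enforced as an allow-list by kadm5_create_policy and kadm5_modify_policy, but nothing at its definition says so. The five flags this hunk adds show that the list had already drifted from the set of defined policy flags, and from now on a flag missing here is rejected at run time. A comment above the macro would record the contract, for example `/* Every defined policy mask flag must be listed here; create and modify reject any other bit with KADM5_BAD_MASK. */`. The `#define` line is outside the hunk, so check the placement against the full header.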
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index dbf0a24..d7940ef 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -71,7 +71,7 @@ kadm5_create_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
- if (!(mask & KADM5_POLICY))
+ if (!(mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {
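Review bot: In the new test `(mask & ~ALL_POLICY_MASK)`, the complement is evaluated at the type of the macro's constants, not at the `long` type of `mask`. If every flag is a plain `int` constant, the result sign-extends and bits above 31 are rejected on LP64 platforms. The flag definitions are not visible here, though, and an unsigned constant in the list would leave those upper bits unchecked. Making the width explicit removes that dependency: `if (!(mask & KADM5_POLICY) || (mask & ~(long)ALL_POLICY_MASK))`. The same applies to the matching line in kadm5_modify_policy; both function bodies continue outside their hunks.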
@@ -258,7 +258,7 @@ kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
- if((mask & KADM5_POLICY))
+ if ((mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {