From 5fae28918b5097cf10203b45a079a722be8357e2 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 16 Apr 2021 01:37:11 -0400
Subject: [PATCH] Check for undefined kadm5 policy mask bits

For symmetry with the libkadm5srv functions to create and modify principals, check for undefined mask bits when creating or modifying policies.

ticket: 9002 (new)
---
 src/lib/kadm5/server_internal.h | 4 +++-
 src/lib/kadm5/srv/svr_policy.c | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index dc79c786b9..433f4915b2 100644
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -139,7 +139,9 @@ extern krb5_principal current_caller;
 (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
 KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
 KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
- KADM5_PW_LOCKOUT_DURATION )
+ KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES | \
+ KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE | \
+ KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)

 #define SERVER_CHECK_HANDLE(handle) \
 { \
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index dbf0a245db..d7940efe10 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -71,7 +71,7 @@ kadm5_create_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
 return EINVAL;
 if(strlen(entry->policy) == 0)
 return KADM5_BAD_POLICY;
- if (!(mask & KADM5_POLICY))
+ if (!(mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
 return KADM5_BAD_MASK;
 if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
 entry->allowed_keysalts != NULL) {
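Review bot: The `#define` whose body this hunk extends begins above the hunk, and nothing visible records that the list has become load-bearing: after this commit kadm5_create_policy and kadm5_modify_policy reject any bit outside ALL_POLICY_MASK with KADM5_BAD_MASK, so a mask bit added to the public policy API but not to this macro will make every client that sets it fail. A comment on the macro would make that coupling explicit, e.g. `/* Every mask bit a policy entry may carry; create/modify_policy reject any bit outside this set with KADM5_BAD_MASK, so new KADM5_POLICY_* bits must be added here. */`. The macro's first line is outside the hunk.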
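Review bot: The new `(mask & ~ALL_POLICY_MASK)` test only covers the full width of the `long` mask if `~ALL_POLICY_MASK` evaluates to a negative int that sign-extends on conversion; should any of the KADM5_* mask constants be defined with an unsigned type, the complement is an unsigned int and bits 32 and above of a client-supplied mask would pass unchecked on LP64 platforms. Writing the check as `if (!(mask & KADM5_POLICY) || (mask & ~(long)ALL_POLICY_MASK))` pins the complement to the mask's own width regardless of how the constants are declared. The same applies to the `kadm5_modify_policy` hunk that follows. Both function bodies continue outside their hunks.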
@@ -258,7 +258,7 @@ kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
 return EINVAL;
 if(strlen(entry->policy) == 0)
 return KADM5_BAD_POLICY;
- if((mask & KADM5_POLICY))
+ if ((mask & KADM5_POLICY) || (mask & ~ALL_POLICY_MASK))
 return KADM5_BAD_MASK;
 if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
 entry->allowed_keysalts != NULL) {
-- 
2.47.2