summaryrefslogtreecommitdiffstats
path: root/src/lib/krb5/krb/gc_via_tkt.c
diff options
context:
space:
mode:
authorTheodore Tso <tytso@mit.edu>1995-09-02 03:24:58 +0000
committerTheodore Tso <tytso@mit.edu>1995-09-02 03:24:58 +0000
commit2dfb67c918a60af2373f764ae12b418716b2a260 (patch)
tree9689d35773211e16d1622817f09eb94476162e12 /src/lib/krb5/krb/gc_via_tkt.c
parent90937700790b57c31560d53193f373d666fa39c8 (diff)
downloadkrb5-2dfb67c918a60af2373f764ae12b418716b2a260.tar.gz
krb5-2dfb67c918a60af2373f764ae12b418716b2a260.tar.xz
krb5-2dfb67c918a60af2373f764ae12b418716b2a260.zip
get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then set
the time_offset fields from the returned ticket's authtime value. init_ctx.c (krb5_init_context): Initialize new fields in krb5_context (clockskew, kdc_req_sumtype, and kdc_default_options). gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary sanity checking on the KDC response to make sure we detect tampering. send_tgs.c (krb5_send_tgs): Set the expected nonce in the response structure. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6653 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/gc_via_tkt.c')
-rw-r--r--src/lib/krb5/krb/gc_via_tkt.c64
1 files changed, 26 insertions, 38 deletions
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index c2f531f489..5dbbaed428 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -28,6 +28,9 @@
#include "k5-int.h"
#include "int-proto.h"
+extern krb5_deltat krb5_clockskew;
+#define in_clock_skew(date, now) (labs((date)-(now)) < krb5_clockskew)
+
static krb5_error_code
krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds)
krb5_context context;
@@ -162,16 +165,7 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred)
if (retval) /* neither proper reply nor error! */
goto error_4;
-#if 0
- /* XXX need access to the actual assembled request...
- need a change to send_tgs */
- if ((err_reply->ctime != request.ctime) ||
- !krb5_principal_compare(context,err_reply->server,request.server) ||
- !krb5_principal_compare(context, err_reply->client, request.client))
- retval = KRB5_KDCREP_MODIFIED;
- else
-#endif
- retval = err_reply->error + ERROR_TABLE_BASE_krb5;
+ retval = err_reply->error + ERROR_TABLE_BASE_krb5;
krb5_free_error(context, err_reply);
goto error_4;
@@ -187,42 +181,36 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred)
goto error_3;
}
- /* now it's decrypted and ready for prime time */
- if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) {
+ /* make sure the response hasn't been tampered with..... */
+ if (!krb5_principal_compare(context, dec_rep->client, tkt->client) ||
+ !krb5_principal_compare(context, dec_rep->enc_part2->server,
+ in_cred->server) ||
+ !krb5_principal_compare(context, dec_rep->ticket->server,
+ in_cred->server) ||
+ (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) ||
+ ((in_cred->times.starttime != 0) &&
+ (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) ||
+ ((in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) ||
+ ((kdcoptions & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.renew_till != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) ||
+ ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
+ (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
+ ) {
retval = KRB5_KDCREP_MODIFIED;
goto error_3;
}
-#if 0
- /* XXX probably need access to the request */
- /* check the contents for sanity: */
- if (!krb5_principal_compare(context, dec_rep->client, request.client)
- || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server)
- || !krb5_principal_compare(context, dec_rep->ticket->server, request.server)
- || (request.nonce != dec_rep->enc_part2->nonce)
- /* XXX check for extraneous flags */
- /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */
- || ((request.from != 0) &&
- (request.from != dec_rep->enc_part2->times.starttime))
- || ((request.till != 0) &&
- (dec_rep->enc_part2->times.endtime > request.till))
- || ((request.kdc_options & KDC_OPT_RENEWABLE) &&
- (request.rtime != 0) &&
- (dec_rep->enc_part2->times.renew_till > request.rtime))
- || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request.till != 0) &&
- (dec_rep->enc_part2->times.renew_till > request.till))
- )
- retval = KRB5_KDCREP_MODIFIED;
-
- if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) {
+ if (!in_cred->times.starttime &&
+ !in_clock_skew(dec_rep->enc_part2->times.starttime,
+ tgsrep.request_time)) {
retval = KRB5_KDCREP_SKEW;
goto error_3;
}
-#endif
-
retval = krb5_kdcrep2creds(context, dec_rep, address,
&in_cred->second_ticket, out_cred);
generated by cgit (git 2.34.1) at 2024-06-02 07:47:19 +0000