diff options
| author | Keith Vetter <keithv@fusion.com> | 1995-09-11 19:06:45 +0000 |
|---|---|---|
| committer | Keith Vetter <keithv@fusion.com> | 1995-09-11 19:06:45 +0000 |
| commit | cdd6c33b9ae48076999e33ffa70e2365ecc5eb8c (patch) | |
| tree | 84682f14e77a844dfab2174318ebccb9067c829f /src/lib/krb5/krb/gc_via_tkt.c | |
| parent | a66029e852781fa0333dc92bd88bd8184f6feeb1 (diff) | |
| download | krb5-cdd6c33b9ae48076999e33ffa70e2365ecc5eb8c.tar.gz krb5-cdd6c33b9ae48076999e33ffa70e2365ecc5eb8c.tar.xz krb5-cdd6c33b9ae48076999e33ffa70e2365ecc5eb8c.zip | |
Mac Beta 1 submission
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6749 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/gc_via_tkt.c')
| -rw-r--r-- | src/lib/krb5/krb/gc_via_tkt.c | 68 |
1 files changed, 41 insertions, 27 deletions
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index 643bca5661..c2f531f489 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -28,9 +28,6 @@ #include "k5-int.h" #include "int-proto.h" -extern krb5_deltat krb5_clockskew; -#define in_clock_skew(date, now) (labs((date)-(now)) < krb5_clockskew) - static krb5_error_code krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) krb5_context context; @@ -66,6 +63,7 @@ krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) (*ppcreds)->second_ticket = *pdata; krb5_xfree(pdata); + (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype; (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags; (*ppcreds)->times = pkdcrep->enc_part2->times; (*ppcreds)->magic = KV5M_CREDS; @@ -164,14 +162,24 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (retval) /* neither proper reply nor error! */ goto error_4; - retval = err_reply->error + ERROR_TABLE_BASE_krb5; +#if 0 + /* XXX need access to the actual assembled request... + need a change to send_tgs */ + if ((err_reply->ctime != request.ctime) || + !krb5_principal_compare(context,err_reply->server,request.server) || + !krb5_principal_compare(context, err_reply->client, request.client)) + retval = KRB5_KDCREP_MODIFIED; + else +#endif + retval = err_reply->error + ERROR_TABLE_BASE_krb5; krb5_free_error(context, err_reply); goto error_4; } if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - &tkt->keyblock, &dec_rep))) + &tkt->keyblock, + tkt->keyblock.etype, &dec_rep))) goto error_4; if (dec_rep->msg_type != KRB5_TGS_REP) { @@ -179,36 +187,42 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) goto error_3; } - /* make sure the response hasn't been tampered with..... */ - if (!krb5_principal_compare(context, dec_rep->client, tkt->client) || - !krb5_principal_compare(context, dec_rep->enc_part2->server, - in_cred->server) || - !krb5_principal_compare(context, dec_rep->ticket->server, - in_cred->server) || - (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) || - ((in_cred->times.starttime != 0) && - (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) || - ((in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) || - ((kdcoptions & KDC_OPT_RENEWABLE) && - (in_cred->times.renew_till != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) || - ((kdcoptions & KDC_OPT_RENEWABLE_OK) && - (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && - (in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) - ) { + /* now it's decrypted and ready for prime time */ + if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) { retval = KRB5_KDCREP_MODIFIED; goto error_3; } - if (!in_cred->times.starttime && - !in_clock_skew(dec_rep->enc_part2->times.starttime, - tgsrep.request_time)) { +#if 0 + /* XXX probably need access to the request */ + /* check the contents for sanity: */ + if (!krb5_principal_compare(context, dec_rep->client, request.client) + || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server) + || !krb5_principal_compare(context, dec_rep->ticket->server, request.server) + || (request.nonce != dec_rep->enc_part2->nonce) + /* XXX check for extraneous flags */ + /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */ + || ((request.from != 0) && + (request.from != dec_rep->enc_part2->times.starttime)) + || ((request.till != 0) && + (dec_rep->enc_part2->times.endtime > request.till)) + || ((request.kdc_options & KDC_OPT_RENEWABLE) && + (request.rtime != 0) && + (dec_rep->enc_part2->times.renew_till > request.rtime)) + || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) && + (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && + (request.till != 0) && + (dec_rep->enc_part2->times.renew_till > request.till)) + ) + retval = KRB5_KDCREP_MODIFIED; + + if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) { retval = KRB5_KDCREP_SKEW; goto error_3; } +#endif + retval = krb5_kdcrep2creds(context, dec_rep, address, &in_cred->second_ticket, out_cred); |