authorTheodore Tso <tytso@mit.edu>1996-04-10 14:39:36 +0000
committerTheodore Tso <tytso@mit.edu>1996-04-10 14:39:36 +0000
commit6f5f29a4fe2724e0a18dd91464a25bb45b952532 (patch)
tree4527dcb590877f258df53449d960832b4fc6db9b
parentaa0a6f486cd26c6c01bd3d58df6d0dd6b9a07a76 (diff)
rd_req_dec.c (krb5_rd_req_decoded): Move code which validated the
ticket times to krb5_validate_times. valid_times.c (krb5_validate_times): New function which determines whether or not the ticket times are valid. mk_req_ext.c (krb5_mk_req_extended): Call krb5_validate_time() to determine whether or not the ticket in passed-in credentials is valid. If it isn't, return an error right away. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7777 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/krb/ChangeLog13
-rw-r--r--src/lib/krb5/krb/Makefile.in2
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c4
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c21
-rw-r--r--src/lib/krb5/krb/valid_times.c62
5 files changed, 87 insertions, 15 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index ba9bc2a2e..1cefc3b73 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,16 @@
+Wed Apr 3 16:04:36 1996 Theodore Y. Ts'o <tytso@dcl>
+
+ * rd_req_dec.c (krb5_rd_req_decoded): Move code which
+ validated the ticket times to krb5_validate_times.
+
+ * valid_times.c (krb5_validate_times): New function which
+ determines whether or not the ticket times are valid.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Call krb5_validate_time()
+ to determine whether or not the ticket in passed-in
+ credentials is valid. If it isn't, return an error right
+ away.
+
Tue Mar 26 14:45:03 1996 Richard Basch <basch@lehman.com>
* conv_princ.c: added "imap" service to the conversion list as
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 7737f2e5f..ebeedb082 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -78,6 +78,7 @@ OBJS= addr_comp.$(OBJEXT) \
str_conv.$(OBJEXT) \
tgtname.$(OBJEXT) \
unparse.$(OBJEXT) \
+ valid_times.$(OBJEXT) \
walk_rtree.$(OBJEXT)
SRCS= $(srcdir)/addr_comp.c \
@@ -150,6 +151,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
+ $(srcdir)/valid_times.c \
$(srcdir)/walk_rtree.c
all-unix:: shared $(OBJS)
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 451bbe680..dfff907c2 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -104,6 +104,10 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds,
goto cleanup;
}
+ /* verify that the ticket is not expired */
+ if ((retval = krb5_validate_times(context, &in_creds->times)) != 0)
+ goto cleanup;
+
/* generate auth_context if needed */
if (*auth_context == NULL) {
if ((retval = krb5_auth_con_init(context, &new_auth_context)))
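Review bot: The comment on the added check says only "not expired", but krb5_validate_times as added in valid_times.c also returns KRB5KRB_AP_ERR_TKT_NYV when the start time is more than clockskew in the future, so krb5_mk_req_extended can now fail with either code. I would word the comment as `/* verify that the ticket is within its validity period (neither expired nor not yet valid, allowing for clockskew) */`. The check compares the local clock with the times in the caller-supplied in_creds, so credentials whose times field was left zeroed would be rejected as expired (endtime 0); that new precondition deserves a line in the function's header comment. The function body starts and continues outside this hunk.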
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index bca603e4c..6585cb3ea 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -98,7 +98,7 @@ krb5_rd_req_decoded(context, auth_context, req, server, keytab,
krb5_ticket ** ticket;
{
krb5_error_code retval = 0;
- krb5_timestamp currenttime, starttime;
+ krb5_timestamp currenttime;
if (server && !krb5_principal_compare(context, server, req->ticket->server))
return KRB5KRB_AP_WRONG_PRINC;
@@ -223,27 +223,18 @@ krb5_rd_req_decoded(context, auth_context, req, server, keytab,
goto cleanup;
}
- /* if starttime is not in ticket, then treat it as authtime */
- if (req->ticket->enc_part2->times.starttime != 0)
- starttime = req->ticket->enc_part2->times.starttime;
- else
- starttime = req->ticket->enc_part2->times.authtime;
+ retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
+ if (retval != 0)
+ goto cleanup;
if ((retval = krb5_timeofday(context, &currenttime)))
goto cleanup;
- if (starttime - currenttime > context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
- goto cleanup;
- }
+
if (!in_clock_skew((*auth_context)->authentp->ctime)) {
retval = KRB5KRB_AP_ERR_SKEW;
goto cleanup;
}
- if ((currenttime - req->ticket->enc_part2->times.endtime) >
- context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
- goto cleanup;
- }
+
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
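Review bot: Moving both ticket-time checks ahead of the in_clock_skew test changes which error wins. The old order was not-yet-valid, authenticator skew, expired; now an expired ticket returns KRB5KRB_AP_ERR_TKT_EXPIRED even when the authenticator ctime is also outside the skew window, where the old code returned KRB5KRB_AP_ERR_SKEW. If that is intended, record it at the call, e.g. `/* ticket validity is checked before authenticator skew, so an expired ticket reports TKT_EXPIRED rather than SKEW */`. The clock is also read twice now, once inside krb5_validate_times and once by the krb5_timeofday call kept for in_clock_skew, so the two checks use slightly different values of "now". krb5_rd_req_decoded starts and ends outside this hunk.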
diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
new file mode 100644
index 000000000..b1e26ced7
--- /dev/null
+++ b/src/lib/krb5/krb/valid_times.c
@@ -0,0 +1,62 @@
+/*
+ * lib/krb5/krb/valid_times.c
+ *
+ * Copyright 1995 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_validate_times()
+ */
+
+#include "k5-int.h"
+
+#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
+
+/*
+ * This is an internal routine which validates the krb5_timestamps
+ * field in a krb5_ticket.
+ */
+
+krb5_error_code krb5_validate_times(context, times)
+ krb5_context context;
+ krb5_ticket_times * times;
+{
+ krb5_timestamp currenttime, starttime;
+ krb5_error_code retval;
+
+ if ((retval = krb5_timeofday(context, &currenttime)))
+ return retval;
+
+ /* if starttime is not in ticket, then treat it as authtime */
+ if (times->starttime != 0)
+ starttime = times->starttime;
+ else
+ starttime = times->authtime;
+
+ if (starttime - currenttime > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+
+ if ((currenttime - times->endtime) > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+
+ return 0;
+}
+
+
+
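Review bot: The two comparisons in krb5_validate_times subtract timestamps before comparing (`starttime - currenttime` and `currenttime - times->endtime`). If krb5_timestamp is a signed 32-bit type, as I believe it is here, a far-future or negative value in the ticket or in caller-supplied credentials can overflow the subtraction and give the wrong verdict. Ordering the operands first avoids this for non-negative times, e.g. `if (starttime > currenttime && starttime - currenttime > context->clockskew)`, with the matching guard `currenttime > times->endtime` on the expiry test. Separately, the `in_clock_skew` macro defined near the top of the file is never used in it and silently depends on a local named `currenttime`; I would drop it. The header comment could also state that a zero starttime falls back to authtime and that both limits are widened by context->clockskew.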