diff options
| author | Theodore Tso <tytso@mit.edu> | 1998-01-24 03:09:56 +0000 |
|---|---|---|
| committer | Theodore Tso <tytso@mit.edu> | 1998-01-24 03:09:56 +0000 |
| commit | 14900c24c52fd799082d66bff1f52d4ee0338f7e (patch) | |
| tree | 8328be984785152bdecfe248fb72bc6c1550a342 /src/lib/gssapi | |
| parent | 709551961a737844ff3f695632c4d9a449cf89f0 (diff) | |
init_sec_context.c (make_ap_req): Enforce a stricter requirement on
the ticket expiration time of the credentials, since
accept_sec_context doesn't use the timeskew fudge for checking ticket
expirations.
(krb5_gss_init_sec_context): Return GSS_S_NO_CRED when appropriate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10374 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
| -rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 9 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 20 |
2 files changed, 27 insertions, 2 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 5602578da..0e4650f08 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,12 @@ +Wed Dec 3 02:16:18 1997 Theodore Y. Ts'o <tytso@mit.edu> + + * init_sec_context.c (make_ap_req): Enforce a stricter requirement + on the ticket expiration time of the credentials, since + accept_sec_context doesn't use the timeskew fudge for + checking ticket expirations. + (krb5_gss_init_sec_context): Return GSS_S_NO_CRED when + appropriate. + Wed Jan 21 19:14:09 1998 Tom Yu <tlyu@mit.edu> * gssapiP_krb5.h: Add rcache member to the creds diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 2edf1b072..69192e919 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -29,12 +29,13 @@ */ static krb5_error_code -make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, +make_ap_req(context, auth_context, cred, server, now, endtime, chan_bindings, req_flags, krb_flags, mech_type, token) krb5_context context; krb5_auth_context * auth_context; krb5_gss_cred_id_t cred; krb5_principal server; + krb5_timestamp now; krb5_timestamp *endtime; gss_channel_bindings_t chan_bindings; OM_uint32 *req_flags; @@ -152,6 +153,16 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, &in_creds, &out_creds))) goto cleanup; + /* + * Enforce a stricter limit (without timeskew forgiveness at the + * boundaries) because accept_sec_context code is also similarly + * non-forgiving. + */ + if (out_creds->times.endtime < now) { + code = KRB5KRB_AP_ERR_TKT_EXPIRED; + goto cleanup; + } + /* call mk_req. subkey and ap_req need to be used or destroyed */ mk_req_flags = AP_OPTS_USE_SUBKEY; @@ -363,13 +374,18 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, } if ((code = make_ap_req(context, &(ctx->auth_context), cred, - ctx->there, &ctx->endtime, input_chan_bindings, + ctx->there, now, &ctx->endtime, + input_chan_bindings, &ctx->gss_flags, &ctx->krb_flags, mech_type, &token))) { krb5_free_principal(context, ctx->here); krb5_free_principal(context, ctx->there); xfree(ctx); *minor_status = code; + + if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || + (code == KG_EMPTY_CCACHE)) + return GSS_S_NO_CRED; if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) return GSS_S_CREDENTIALS_EXPIRED; return(GSS_S_FAILURE); |