| author | Mark Eichin <eichin@mit.edu> | 1996-02-24 00:34:56 +0000 |
|---|---|---|
| committer | Mark Eichin <eichin@mit.edu> | 1996-02-24 00:34:56 +0000 |
| commit | 6cf58d81088f831683bca1133085f14a9f12c08c (patch) | |
| tree | 711357e147811d73923a2bfbfa9f9aef789bf715 /src | |
| parent | f5fa22f5e8bca7eb2548669daf998aa34d9fdc84 (diff) | |
Fri Jan 12 04:37:23 1996 Mark Eichin <eichin@cygnus.com>
* cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
an extended v5 lifetime into a v4 range, give out a v4 ticket with
as much of the v5 lifetime is available "now" instead.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7509 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/krb524/ChangeLog | 6 | ||||
| -rw-r--r-- | src/krb524/cnv_tkt_skey.c | 28 |
2 files changed, 31 insertions, 3 deletions
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 359d7a608..282941e2d 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,9 @@
+Fri Jan 12 04:37:23 1996 Mark Eichin <eichin@cygnus.com>
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
+ an extended v5 lifetime into a v4 range, give out a v4 ticket with
+ as much of the v5 lifetime is available "now" instead.
+
 Sat Jan 27 01:31:12 1996 Sam Hartman <hartmans@tertius.mit.edu>
 
 * krb524d.c (kdc_get_server_key): If an enctype is given, then use
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index f4d97f83a..338cf22be 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -1,4 +1,3 @@
-
 /*
 * Copyright 1994 by OpenVision Technologies, Inc.
 *
@@ -45,6 +44,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 char sname[ANAME_SZ], sinst[INST_SZ];
 krb5_enc_tkt_part *v5etkt;
 int ret, lifetime;
+ krb5_timestamp server_time;
 
 v5tkt->enc_part2 = NULL;
 if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
@@ -77,8 +77,30 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 /* V4 lifetime is 1 byte, in 5 minute increments */
 if (v5etkt->times.starttime == 0)
 v5etkt->times.starttime = v5etkt->times.authtime;
- lifetime = 0xff &
- ((v5etkt->times.endtime - v5etkt->times.authtime) / 300);
+ /* rather than apply fit an extended v5 lifetime into a v4 range,
+ give out a v4 ticket with as much of the v5 lifetime is available
+ "now" instead. */
+ if ((ret = krb5_timeofday(context, &server_time))) {
+ if (krb524_debug)
+ fprintf(stderr, "krb5_timeofday failed!\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return ret;
+ }
+ if ( (server_time >= v5etkt->times.starttime)
+ && (server_time <= v5etkt->times.endtime) ) {
+ lifetime = ((v5etkt->times.endtime - server_time) / 300);
+ if (lifetime > 255) lifetime = 255;
+ } else {
+ if (krb524_debug)
+ fprintf(stderr, "v5 ticket time out of bounds\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ if (server_time < v5etkt->times.starttime)
+ return KRB5KRB_AP_ERR_TKT_NYV;
+ else if (server_time > v5etkt->times.endtime)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ }
 
 /* XXX perhaps we should use the addr of the client host if */
 /* v5creds contains more than one addr. Q: Does V4 support */ |
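Review bot: The rejection branch ends in `else if (server_time > v5etkt->times.endtime)` with no final `else`, so syntactically there is a way out of the `else` block that returns nothing and carries on to build the v4 ticket with `lifetime` never assigned. The two window tests make that path unreachable today, but a ticket-validity check should fail closed by construction, so make the last arm unconditional: `else return KRB5KRB_AP_ERR_TKT_EXPIRED;`. The window comparison is also exact against the local clock with no skew tolerance, so a v5 ticket from a KDC whose clock runs slightly ahead of this host would presumably be refused with KRB5KRB_AP_ERR_TKT_NYV; a comment should state whether that is intended. Since `lifetime` now counts from `server_time`, please confirm that the issue time stamped into the v4 ticket further down (outside this hunk) is also `server_time` rather than `starttime`, otherwise the v4 expiry will not line up with the v5 `endtime`. The body of krb524_convert_tkt_skey starts and ends outside the hunk.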
