| author | John Kohl <jtkohl@mit.edu> | 1990-09-28 15:43:06 +0000 |
|---|---|---|
| committer | John Kohl <jtkohl@mit.edu> | 1990-09-28 15:43:06 +0000 |
| commit | b545838a325c08c36e6dbfa388090acb40e441a8 (patch) | |
| tree | c35cebf5fc96445d5913ad88ab5ee302261ce2d0 /src | |
| parent | e58174285ab6d014af32229682a63f82ac59eddf (diff) | |
add some sanity checking
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1158 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 1becacccc..5be249913 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -51,6 +51,9 @@ static char rcsid_get_in_tkt_c[] = */ +extern krb5_deltat krb5_clockskew; +#define in_clock_skew(date) (abs((date)-request.ctime) < krb5_clockskew) + /* some typedef's for the function args to make things look a bit cleaner */ typedef krb5_error_code (*git_key_proc) PROTOTYPE((const krb5_keytype, @@ -117,9 +120,15 @@ OLDDECLARG(krb5_ccache, ccache) return retval; /* some other reply--??? */ /* it was an error */ - /* XXX check to make sure the timestamps match, etc. */ + if ((err_reply->ctime != request.ctime) || + !krb5_principal_compare(err_reply->server, request.server) || + !krb5_principal_compare(err_reply->client, request.client)) + retval = KRB5_KDCREP_MODIFIED; + else + retval = err_reply->error + ERROR_TABLE_BASE_krb5; + + /* XXX somehow make error msg text available to application? */ - retval = err_reply->error + ERROR_TABLE_BASE_krb5; krb5_free_error(err_reply); return retval; } 
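Review bot: The `in_clock_skew` macro silently reads a local variable named `request`, so it only compiles, and only means the right thing, inside a function that has that variable in scope. Passing the reference time explicitly makes the dependency visible, e.g. `#define in_clock_skew(date, now) (labs((long)(date) - (long)(now)) < krb5_clockskew)`. The original also calls `abs()`, which takes an `int`; the timestamp and `krb5_deltat` typedefs are not visible in this hunk, so if either is wider than `int` the difference is truncated before the comparison. A one-line comment saying the tolerance is measured against the client's own request time would help the next reader.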
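Review bot: The new comparison on the error path treats `err_reply->ctime` and `err_reply->client` as always present, but as far as the protocol definition goes the client time and client name are optional in a KRB-ERROR. If the decoder (not shown here) leaves an omitted field as zero or a null pointer, a legitimate KDC error is reported as `KRB5_KDCREP_MODIFIED`, or `krb5_principal_compare` is handed a null principal. Guarding each test on presence, e.g. `(err_reply->client && !krb5_principal_compare(err_reply->client, request.client))`, keeps the real error code reachable. A comment should also record that a KRB-ERROR carries no integrity protection, so these tests catch mismatched or stale replies rather than a forged one. The enclosing function starts and ends outside this hunk.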
@@ -139,8 +148,33 @@ OLDDECLARG(krb5_ccache, ccache) return retval; } - /* XXX check the contents for sanity... */ + /* check the contents for sanity: */ + if (!krb5_principal_compare(as_reply->client, request.client) + || !krb5_principal_compare(as_reply->enc_part2->server, request.server) + || !krb5_principal_compare(as_reply->ticket->server, request.server) + || (request.ctime != as_reply->enc_part2->ctime) + /* XXX check for extraneous flags */ + /* XXX || (!krb5_addresses_compare(addrs, as_reply->enc_part2->caddrs)) */ + || ((request.from == 0) && + !in_clock_skew(as_reply->enc_part2->times.starttime)) + || ((request.from != 0) && + (request.from != as_reply->enc_part2->times.starttime)) + || ((request.till != 0) && + (as_reply->enc_part2->times.endtime > request.till)) + || ((request.kdc_options & KDC_OPT_RENEWABLE) && + (request.rtime != 0) && + (as_reply->enc_part2->times.renew_till > request.rtime)) + || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) && + (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) && + (request.till != 0) && + (as_reply->enc_part2->times.renew_till > request.till)) + ) { + krb5_free_kdc_rep(as_reply); + return KRB5_KDCREP_MODIFIED; + } + /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */ + /* fill in the credentials */ if (retval = krb5_copy_keyblock(as_reply->enc_part2->session, &creds->keyblock)) { |
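Review bot: The renewable test `(as_reply->enc_part2->flags & KDC_OPT_RENEWABLE)` masks the reply's ticket flags with a request-option constant, which works only while the two bit layouts coincide; the ticket-flag constant (`TKT_FLG_RENEWABLE` in krb5.h) states the intent. Separately, when `request.from == 0` the check requires `times.starttime` to be within clock skew of `request.ctime`. That field is optional in the reply, so if the decoder (not visible here) leaves it zero when absent, a valid reply is rejected; falling back to `times.authtime` in that case would avoid this. The remaining `XXX` items (extraneous flags, address comparison) mean a reply can still carry flags or addresses the client did not ask for, so the comment should mark this check as incomplete. The enclosing function starts and ends outside the hunk.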
