ticket times to krb5_validate_times.
valid_times.c (krb5_validate_times): New function which determines
whether or not the ticket times are valid.
mk_req_ext.c (krb5_mk_req_extended): Call krb5_validate_times() to
determine whether or not the ticket in passed-in credentials is valid.
If it isn't, return an error right away.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7777
dc483132-0cff-0310-8789-
dd5450dbe970
+Wed Apr 3 16:04:36 1996 Theodore Y. Ts'o <tytso@dcl>
+
+ * rd_req_dec.c (krb5_rd_req_decoded): Move code which
+ validated the ticket times to krb5_validate_times.
+
+ * valid_times.c (krb5_validate_times): New function which
+ determines whether or not the ticket times are valid.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Call krb5_validate_time()
+ to determine whether or not the ticket in passed-in
+ credentials is valid. If it isn't, return an error right
+ away.
+
Tue Mar 26 14:45:03 1996 Richard Basch <basch@lehman.com>
* conv_princ.c: added "imap" service to the conversion list as
str_conv.$(OBJEXT) \
tgtname.$(OBJEXT) \
unparse.$(OBJEXT) \
+ valid_times.$(OBJEXT) \
walk_rtree.$(OBJEXT)
SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
+ $(srcdir)/valid_times.c \
$(srcdir)/walk_rtree.c
all-unix:: shared $(OBJS)
goto cleanup;
}
+ /* verify that the ticket is not expired */
+ if ((retval = krb5_validate_times(context, &in_creds->times)) != 0)
+ goto cleanup;
+
/* generate auth_context if needed */
if (*auth_context == NULL) {
if ((retval = krb5_auth_con_init(context, &new_auth_context)))
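Review bot: The added comment `/* verify that the ticket is not expired */` understates the check, because krb5_validate_times() as added in valid_times.c also returns KRB5KRB_AP_ERR_TKT_NYV when the start time is more than the clock skew in the future. I would reword it to `/* fail early if the ticket is outside its validity window (not yet valid or expired, allowing for clock skew) */`. The comment could also say that this is an initiator-side early exit based on the local clock and the caller-supplied `in_creds->times`, so the acceptor's own check in krb5_rd_req_decoded remains the one that matters for security. krb5_mk_req_extended starts and ends outside this hunk.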
krb5_ticket ** ticket;
{
krb5_error_code retval = 0;
- krb5_timestamp currenttime, starttime;
+ krb5_timestamp currenttime;
if (server && !krb5_principal_compare(context, server, req->ticket->server))
return KRB5KRB_AP_WRONG_PRINC;
goto cleanup;
}
- /* if starttime is not in ticket, then treat it as authtime */
- if (req->ticket->enc_part2->times.starttime != 0)
- starttime = req->ticket->enc_part2->times.starttime;
- else
- starttime = req->ticket->enc_part2->times.authtime;
+ retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
+ if (retval != 0)
+ goto cleanup;
if ((retval = krb5_timeofday(context, ¤ttime)))
goto cleanup;
- if (starttime - currenttime > context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
- goto cleanup;
- }
+
if (!in_clock_skew((*auth_context)->authentp->ctime)) {
retval = KRB5KRB_AP_ERR_SKEW;
goto cleanup;
}
- if ((currenttime - req->ticket->enc_part2->times.endtime) >
- context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
- goto cleanup;
- }
+
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
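Review bot: Calling krb5_validate_times() ahead of the `in_clock_skew((*auth_context)->authentp->ctime)` test changes which error wins when both conditions hold: the removed code checked expiry after the authenticator skew test, so an expired ticket with a skewed authenticator used to return KRB5KRB_AP_ERR_SKEW and now returns KRB5KRB_AP_ERR_TKT_EXPIRED. If the reordering is intended, a comment above the call should say so, e.g. `/* ticket validity window is checked before authenticator skew */`, since anything keyed on the error code will see the difference. The function also now reads the clock twice, once inside krb5_validate_times() and once in the remaining krb5_timeofday() call that feeds in_clock_skew, so the two checks are made against slightly different instants. krb5_rd_req_decoded starts and ends outside these hunks.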
--- /dev/null
+/*
+ * lib/krb5/krb/valid_times.c
+ *
+ * Copyright 1995 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_validate_times()
+ */
+
+#include "k5-int.h"
+
+#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
+
+/*
+ * This is an internal routine which validates the krb5_timestamps
+ * field in a krb5_ticket.
+ */
+
+krb5_error_code krb5_validate_times(context, times)
+ krb5_context context;
+ krb5_ticket_times * times;
+{
+ krb5_timestamp currenttime, starttime;
+ krb5_error_code retval;
+
+ if ((retval = krb5_timeofday(context, ¤ttime)))
+ return retval;
+
+ /* if starttime is not in ticket, then treat it as authtime */
+ if (times->starttime != 0)
+ starttime = times->starttime;
+ else
+ starttime = times->authtime;
+
+ if (starttime - currenttime > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+
+ if ((currenttime - times->endtime) > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+
+ return 0;
+}
+
+
+
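Review bot: The checks `starttime - currenttime > context->clockskew` and `(currenttime - times->endtime) > context->clockskew` subtract two timestamps before comparing, which is undefined on overflow if krb5_timestamp is a signed 32-bit type (its definition is in k5-int.h and not shown here). This routine is now the single gate for ticket lifetime on both the initiator and acceptor paths, so I would do the difference in a wider type where one is available, e.g. `if ((long long)starttime - currenttime > context->clockskew)`, and likewise for the endtime test. Separately, the `#define in_clock_skew(date) ...` line is never used in this file and implicitly captures `currenttime` and `context` from the enclosing scope, so it should be dropped. The header comment should also list the return values (0, KRB5KRB_AP_ERR_TKT_NYV, KRB5KRB_AP_ERR_TKT_EXPIRED, or the krb5_timeofday() error) and state that `times` must be non-NULL and is a krb5_ticket_times rather than a whole ticket.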