* krb_auth_su.c (krb5_verify_tkt_def): If using a pre-existing

	credential cache, ensure that the host ticket has not yet
	expired.  Patch from vwelch@ncsa.uiuc.edu [krb5-clients/545].

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10404 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog
index 85fbfb2746b178bdb5f2ed92157c45d30fbeb2c8..896dab8a44594cb647e752d58d1d2f352f7f588c 100644 (file)
--- a/src/clients/ksu/ChangeLog
+++ b/src/clients/ksu/ChangeLog
@@ -1,3 +1,9 @@
+Wed Feb  4 20:46:49 1998  Tom Yu  <tlyu@mit.edu>
+
+       * krb_auth_su.c (krb5_verify_tkt_def): If using a pre-existing
+       credential cache, ensure that the host ticket has not yet
+       expired.  Patch from vwelch@ncsa.uiuc.edu [krb5-clients/545].
+
 Mon Jan 27 16:56:07 1997  Tom Yu  <tlyu@mit.edu>
 
        * Makefile.in:

diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index b089fa113c24543cd1f139e6dc0298de42141ebe..e5a489f911500018d11fa25d76c8ab12c4198d77 100644 (file)
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -341,7 +341,17 @@ krb5_keyblock *    tkt_ses_key;
                return(retval);
        }
 
-
+       /* Check to make sure ticket hasn't expired */
+       if (retval = krb5_check_exp(context, tkt->enc_part2->times)) {
+               if (auth_debug && (retval == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+                       fprintf(stderr,
+                               "krb5_verify_tkt_def: ticket has expired");
+               }
+               krb5_free_ticket(context, tkt); 
+               krb5_kt_free_entry(context, &ktentry);
+               krb5_free_keyblock(context, tkt_key);
+               return KRB5KRB_AP_ERR_TKT_EXPIRED;
+       }
 
        if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
                        krb5_free_ticket(context, tkt);