Return new error codes KRB5_IN_TKT_REALM_MISTCH and KRB5_KDCREP_SKEW

instead of more generic error codes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4378 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 720529402c33c291772c0d4b8bd928826ad9b461..023a2a0191a532ff92c86b8327a1582b2920d3b4 100644 (file)
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,4 +1,12 @@
-Thu Sep 29 15:10:42 1994  Theodore Y. Ts'o  (tytso@dcl)
+Thu Sep 29 15:31:10 1994  Theodore Y. Ts'o  (tytso@dcl)
+
+       * get_in_tkt.c (krb5_get_in_tkt): Return KRB5_IN_TKT_REALM_MISATCH
+               if the client and server realms don't match.  Return
+               KRB5_KDCREP_SKEW if the KDC reply has an unacceptible
+               clock skew (instead of KDCREP_MODIFIED.)
+
+       * gc_via_tgt.c (krb5_get_cred_via_tgt): Use a distinct error code
+               for KDC skew separate from the standard KDCREP_MODIFIED
 
        * princ_comp.c (krb5_realm_compare): Added new function from
                OpenVision.

diff --git a/src/lib/krb5/krb/gc_via_tgt.c b/src/lib/krb5/krb/gc_via_tgt.c
index 7141521fb59b044bea4d59d979ebe657e8b2bfed..2390d6b521c792fa5d8de432e26bfaefc073619f 100644 (file)
--- a/src/lib/krb5/krb/gc_via_tgt.c
+++ b/src/lib/krb5/krb/gc_via_tgt.c
@@ -169,8 +169,6 @@ OLDDECLARG(krb5_creds *, cred)
        || (request.nonce != dec_rep->enc_part2->nonce)
        /* XXX check for extraneous flags */
        /* XXX || (!krb5_addresses_compare(addrs, dec_rep->enc_part2->caddrs)) */
-       || ((request.from == 0) &&
-           !in_clock_skew(dec_rep->enc_part2->times.starttime))
        || ((request.from != 0) &&
            (request.from != dec_rep->enc_part2->times.starttime))
        || ((request.till != 0) &&
@@ -182,10 +180,18 @@ OLDDECLARG(krb5_creds *, cred)
            (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
            (request.till != 0) &&
            (dec_rep->enc_part2->times.renew_till > request.till))
-       ) {
+       )
+       retval = KRB5_KDCREP_MODIFIED;
+
+    if ((request.from == 0) &&
+       !in_clock_skew(dec_rep->enc_part2->times.starttime))
+       retval = KRB5_KDCREP_SKEW;
+    
+    if (retval) {
        cleanup();
-       return KRB5_KDCREP_MODIFIED;
+       return retval;
     }
+    
 #endif
 
     cred->ticket_flags = dec_rep->enc_part2->flags;

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index ed7b486cbddc450d738c5a290694f3f23915cb79..f9366a6ab21683eb61e8941de4a23ce687c791e1 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -113,6 +113,9 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply)
     krb5_timestamp time_now;
     krb5_pa_data       *padata;
 
+    if (! krb5_realm_compare(creds->client, creds->server))
+       return KRB5_IN_TKT_REALM_MISMATCH;
+
     if (ret_as_reply)
        *ret_as_reply = 0;
     
@@ -248,8 +251,6 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply)
        || (request.nonce != as_reply->enc_part2->nonce)
        /* XXX check for extraneous flags */
        /* XXX || (!krb5_addresses_compare(addrs, as_reply->enc_part2->caddrs)) */
-       || ((request.from == 0) &&
-           !in_clock_skew(as_reply->enc_part2->times.starttime))
        || ((request.from != 0) &&
            (request.from != as_reply->enc_part2->times.starttime))
        || ((request.till != 0) &&
@@ -265,6 +266,12 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply)
        retval = KRB5_KDCREP_MODIFIED;
        goto cleanup;
     }
+    if ((request.from == 0) &&
+       !in_clock_skew(as_reply->enc_part2->times.starttime)) {
+       retval = KRB5_KDCREP_MODIFIED;
+       goto cleanup;
+    }
+    
 
     /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */