-Thu Sep 29 15:10:42 1994 Theodore Y. Ts'o (tytso@dcl)
+Thu Sep 29 15:31:10 1994 Theodore Y. Ts'o (tytso@dcl)
+
+ * get_in_tkt.c (krb5_get_in_tkt): Return KRB5_IN_TKT_REALM_MISATCH
+ if the client and server realms don't match. Return
+ KRB5_KDCREP_SKEW if the KDC reply has an unacceptible
+ clock skew (instead of KDCREP_MODIFIED.)
+
+ * gc_via_tgt.c (krb5_get_cred_via_tgt): Use a distinct error code
+ for KDC skew separate from the standard KDCREP_MODIFIED
* princ_comp.c (krb5_realm_compare): Added new function from
OpenVision.
|| (request.nonce != dec_rep->enc_part2->nonce)
/* XXX check for extraneous flags */
/* XXX || (!krb5_addresses_compare(addrs, dec_rep->enc_part2->caddrs)) */
- || ((request.from == 0) &&
- !in_clock_skew(dec_rep->enc_part2->times.starttime))
|| ((request.from != 0) &&
(request.from != dec_rep->enc_part2->times.starttime))
|| ((request.till != 0) &&
(dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
(request.till != 0) &&
(dec_rep->enc_part2->times.renew_till > request.till))
- ) {
+ )
+ retval = KRB5_KDCREP_MODIFIED;
+
+ if ((request.from == 0) &&
+ !in_clock_skew(dec_rep->enc_part2->times.starttime))
+ retval = KRB5_KDCREP_SKEW;
+
+ if (retval) {
cleanup();
- return KRB5_KDCREP_MODIFIED;
+ return retval;
}
+
#endif
cred->ticket_flags = dec_rep->enc_part2->flags;
krb5_timestamp time_now;
krb5_pa_data *padata;
+ if (! krb5_realm_compare(creds->client, creds->server))
+ return KRB5_IN_TKT_REALM_MISMATCH;
+
if (ret_as_reply)
*ret_as_reply = 0;
|| (request.nonce != as_reply->enc_part2->nonce)
/* XXX check for extraneous flags */
/* XXX || (!krb5_addresses_compare(addrs, as_reply->enc_part2->caddrs)) */
- || ((request.from == 0) &&
- !in_clock_skew(as_reply->enc_part2->times.starttime))
|| ((request.from != 0) &&
(request.from != as_reply->enc_part2->times.starttime))
|| ((request.till != 0) &&
retval = KRB5_KDCREP_MODIFIED;
goto cleanup;
}
+ if ((request.from == 0) &&
+ !in_clock_skew(as_reply->enc_part2->times.starttime)) {
+ retval = KRB5_KDCREP_MODIFIED;
+ goto cleanup;
+ }
+
/* XXX issue warning if as_reply->enc_part2->key_exp is nearby */