cleanup();
return retval; /* neither proper reply nor error! */
}
- /* XXX check to make sure the timestamps match, etc. */
- retval = err_reply->error + ERROR_TABLE_BASE_krb5;
+#if 0
+ /* XXX need access to the actual assembled request...
+ need a change to send_tgs */
+ if ((err_reply->ctime != request.ctime) ||
+ !krb5_principal_compare(err_reply->server, request.server) ||
+ !krb5_principal_compare(err_reply->client, request.client))
+ retval = KRB5_KDCREP_MODIFIED;
+ else
+#endif
+ retval = err_reply->error + ERROR_TABLE_BASE_krb5;
+
krb5_free_error(err_reply);
cleanup();
return retval;
if (retval)
return retval;
#undef cleanup
-#define cleanup() krb5_free_kdc_rep(dec_rep)
+#define cleanup() {\
+ bzero((char *)dec_rep->enc_part2->session.contents,\
+ dec_rep->enc_part2->session.length);\
+ krb5_free_kdc_rep(dec_rep); }
/* now it's decrypted and ready for prime time */
cleanup();
return retval;
}
+ bzero((char *)dec_rep->enc_part2->session.contents,
+ dec_rep->enc_part2->session.length);
+
+#undef cleanup
+#define cleanup() {\
+ bzero((char *)cred->keyblock.contents, cred->keyblock.length);\
+ krb5_free_kdc_rep(dec_rep); }
+
cred->times = dec_rep->enc_part2->times;
- /* check compatibility here first ? XXX */
+
+#if 0
+ /* XXX probably need access to the request */
+ /* check the contents for sanity: */
+ if (!krb5_principal_compare(dec_rep->client, request.client)
+ || !krb5_principal_compare(dec_rep->enc_part2->server, request.server)
+ || !krb5_principal_compare(dec_rep->ticket->server, request.server)
+ || (request.nonce != dec_rep->enc_part2->nonce)
+ /* XXX check for extraneous flags */
+ /* XXX || (!krb5_addresses_compare(addrs, dec_rep->enc_part2->caddrs)) */
+ || ((request.from == 0) &&
+ !in_clock_skew(dec_rep->enc_part2->times.starttime))
+ || ((request.from != 0) &&
+ (request.from != dec_rep->enc_part2->times.starttime))
+ || ((request.till != 0) &&
+ (dec_rep->enc_part2->times.endtime > request.till))
+ || ((request.kdc_options & KDC_OPT_RENEWABLE) &&
+ (request.rtime != 0) &&
+ (dec_rep->enc_part2->times.renew_till > request.rtime))
+ || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (request.till != 0) &&
+ (dec_rep->enc_part2->times.renew_till > request.till))
+ ) {
+ cleanup();
+ return KRB5_KDCREP_MODIFIED;
+ }
+#endif
+
cred->ticket_flags = dec_rep->enc_part2->flags;
cred->is_skey = FALSE;
if (retval = krb5_copy_addresses(dec_rep->enc_part2->caddrs,
return retval;
}
- if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch))
+ if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch)) {
+ cleanup();
krb5_free_address(cred->addresses);
- else {
- cred->ticket = *scratch;
- free((char *)scratch);
+ return retval;
}
- cleanup();
+ cred->ticket = *scratch;
+ free((char *)scratch);
+
+ krb5_free_kdc_rep(dec_rep);
return retval;
}