From 14900c24c52fd799082d66bff1f52d4ee0338f7e Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Sat, 24 Jan 1998 03:09:56 +0000 Subject: [PATCH] init_sec_context.c (make_ap_req): Enforce a stricter requirement on the ticket expiration time of the credentials, since accept_sec_context doesn't use the timeskew fudge for checking ticket expirations. (krb5_gss_init_sec_context): Return GSS_S_NO_CRED when appropriate. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10374 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/ChangeLog | 9 +++++++++ src/lib/gssapi/krb5/init_sec_context.c | 20 ++++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 5602578da..0e4650f08 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,12 @@ +Wed Dec 3 02:16:18 1997 Theodore Y. Ts'o + + * init_sec_context.c (make_ap_req): Enforce a stricter requirement + on the ticket expiration time of the credentials, since + accept_sec_context doesn't use the timeskew fudge for + checking ticket expirations. + (krb5_gss_init_sec_context): Return GSS_S_NO_CRED when + appropriate. + Wed Jan 21 19:14:09 1998 Tom Yu * gssapiP_krb5.h: Add rcache member to the creds diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 2edf1b072..69192e919 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -29,12 +29,13 @@ */ static krb5_error_code -make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, +make_ap_req(context, auth_context, cred, server, now, endtime, chan_bindings, req_flags, krb_flags, mech_type, token) krb5_context context; krb5_auth_context * auth_context; krb5_gss_cred_id_t cred; krb5_principal server; + krb5_timestamp now; krb5_timestamp *endtime; gss_channel_bindings_t chan_bindings; OM_uint32 *req_flags; @@ -152,6 +153,16 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, &in_creds, &out_creds))) goto cleanup; + /* + * Enforce a stricter limit (without timeskew forgiveness at the + * boundaries) because accept_sec_context code is also similarly + * non-forgiving. + */ + if (out_creds->times.endtime < now) { + code = KRB5KRB_AP_ERR_TKT_EXPIRED; + goto cleanup; + } + /* call mk_req. subkey and ap_req need to be used or destroyed */ mk_req_flags = AP_OPTS_USE_SUBKEY; @@ -363,13 +374,18 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, } if ((code = make_ap_req(context, &(ctx->auth_context), cred, - ctx->there, &ctx->endtime, input_chan_bindings, + ctx->there, now, &ctx->endtime, + input_chan_bindings, &ctx->gss_flags, &ctx->krb_flags, mech_type, &token))) { krb5_free_principal(context, ctx->here); krb5_free_principal(context, ctx->there); xfree(ctx); *minor_status = code; + + if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || + (code == KG_EMPTY_CCACHE)) + return GSS_S_NO_CRED; if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) return GSS_S_CREDENTIALS_EXPIRED; return(GSS_S_FAILURE); -- 2.26.2