From 5abaad70a4b167de05829a142c75bad660b898b5 Mon Sep 17 00:00:00 2001
From: Mark Eichin
Date: Tue, 9 Apr 1996 22:46:22 +0000
Subject: [PATCH] add transarc-afs cmu-style long-lived ticket timestamp support handle clockskew properly

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7767 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/krb524/cnv_tkt_skey.c | 47 ++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 8 deletions(-)

diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index 338cf22be..a7d5e54ed 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -20,7 +20,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-#include "krb5.h"
+#include "k5-int.h" /* we need krb5_context::clockskew */
 #include
 #include
 #include
@@ -30,6 +30,28 @@
 #include
 #include "krb524.h"

+/* rather than copying the cmu code, these values are derived from
+ a calculation based on the table and comments found there.
+ the expression (in elisp) is:
+ (defun cmu-to-secs2 (j)
+ (if (< j 128) (* j 5 60)
+ (round (* 38400 (expt 1.06914489 (- j 128))))))
+ and is low by one for 16 values but is exact for the others.
+ */
+
+static long cmu_seconds[] =
+{
+ 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318,
+ 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684,
+ 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720,
+ 191077, 204289, 218415, 233517, 249663, 266926, 285383, 305116,
+ 326213, 348769, 372885, 398668, 426233, 455705, 487215, 520903,
+ 556921, 595430, 636600, 680618, 727679, 777995, 831789, 889303,
+ 950794, 1016536, 1086825, 1161973, 1242317, 1328217, 1420057, 1518246,
+ 1623225, 1735463, 1855462, 1983757, 2120924, 2267575, 2424366, 2591999,
+ 0
+};
+
 /*
 * Convert a v5 ticket for server to a v4 ticket, using service key
 * skey for both.
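Review bot: The comment above `cmu_seconds[]` never says what an index stands for or why the list ends in `0`, and "is low by one for 16 values" leaves open whether the elisp expression or the table is the side that is off. Judging by the use later in this patch, a line such as `/* cmu_seconds[i] is the lifetime in seconds encoded by v4 lifetime byte 128+i; the trailing 0 only terminates the search */` would make the contract explicit. Nothing in the patch writes to the array, so it could be `static const long cmu_seconds[]`, with the walking pointer in the conversion routine becoming `const long *clist`.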
@@ -43,7 +65,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
 char sname[ANAME_SZ], sinst[INST_SZ];
 krb5_enc_tkt_part *v5etkt;
- int ret, lifetime;
+ int ret, lifetime, deltatime;
 krb5_timestamp server_time;

 v5tkt->enc_part2 = NULL;
@@ -87,19 +109,28 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 v5tkt->enc_part2 = NULL;
 return ret;
 }
- if ( (server_time >= v5etkt->times.starttime)
- && (server_time <= v5etkt->times.endtime) ) {
- lifetime = ((v5etkt->times.endtime - server_time) / 300);
- if (lifetime > 255) lifetime = 255;
+ if ( (server_time+context->clockskew >= v5etkt->times.starttime)
+ && (server_time-context->clockskew <= v5etkt->times.endtime)) {
+ deltatime = v5etkt->times.endtime - (server_time-context->clockskew);
+ lifetime = deltatime / 300;
+ /* if (lifetime > 255) lifetime = 255; */
+ if (lifetime > 127) {
+ /* use the CMU algorithm instead: */
+ long *clist = cmu_seconds;
+ while(*clist && *clist < deltatime) clist++;
+ lifetime = 128 + (clist - cmu_seconds);
+ }
 } else {
 if (krb524_debug)
 fprintf(stderr, "v5 ticket time out of bounds\n");
 krb5_free_enc_tkt_part(context, v5etkt);
 v5tkt->enc_part2 = NULL;
- if (server_time < v5etkt->times.starttime)
+ if (server_time+context->clockskew < v5etkt->times.starttime)
 return KRB5KRB_AP_ERR_TKT_NYV;
- else if (server_time > v5etkt->times.endtime)
+ else if (server_time-context->clockskew > v5etkt->times.endtime)
 return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ else /* shouldn't happen, but just in case... */
+ return KRB5KRB_AP_ERR_TKT_NYV;
 }

 /* XXX perhaps we should use the addr of the client host if */
--
2.26.2
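Review bot: In the else branch of the `@@ -87,19 +109,28 @@` hunk, the rewritten comparisons against `v5etkt->times.starttime` and `v5etkt->times.endtime` still run after `krb5_free_enc_tkt_part(context, v5etkt)` two lines above them, so the error code is picked from memory that has already been released. The result should be settled into `ret` first and the free done afterwards. In the accepted branch, `while(*clist && *clist < deltatime) clist++;` stops on the `0` terminator whenever `deltatime` exceeds the last table entry, which yields `lifetime = 192`, one past the 64 table slots (128–191); how a v4 consumer reads that value is not visible here, so capping at the last real entry is the conservative choice. The loop also takes the first entry not below `deltatime`, and `deltatime` already includes `context->clockskew`, so the v4 lifetime presumably can outlast the v5 `endtime`; whether to round down instead is a policy decision for the maintainers. The function starts and ends outside this hunk.

```c
	    while(*clist && *clist < deltatime) clist++;
	    if (!*clist) clist--;	/* ran off the table: stay on its last entry */
	    /* … unchanged: lifetime = 128 + index, closing brace, else, debug message … */
	/* choose the error while v5etkt is still allocated */
	ret = KRB5KRB_AP_ERR_TKT_NYV;
	if (server_time+context->clockskew >= v5etkt->times.starttime
	    && server_time-context->clockskew > v5etkt->times.endtime)
	    ret = KRB5KRB_AP_ERR_TKT_EXPIRED;
	krb5_free_enc_tkt_part(context, v5etkt);
	v5tkt->enc_part2 = NULL;
	return ret;
```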