From 6cf58d81088f831683bca1133085f14a9f12c08c Mon Sep 17 00:00:00 2001
From: Mark Eichin
Date: Sat, 24 Feb 1996 00:34:56 +0000
Subject: [PATCH] Fri Jan 12 04:37:23 1996 Mark Eichin
* cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit an extended v5 lifetime into a v4 range, give out a v4 ticket with as much of the v5 lifetime is available "now" instead.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7509 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/krb524/ChangeLog | 6 ++++++
 src/krb524/cnv_tkt_skey.c | 28 +++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 359d7a608..282941e2d 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,9 @@
+Fri Jan 12 04:37:23 1996 Mark Eichin
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
+ an extended v5 lifetime into a v4 range, give out a v4 ticket with
+ as much of the v5 lifetime is available "now" instead.
+
 Sat Jan 27 01:31:12 1996 Sam Hartman
 * krb524d.c (kdc_get_server_key): If an enctype is given, then use
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index f4d97f83a..338cf22be 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -1,4 +1,3 @@
-
 /*
 * Copyright 1994 by OpenVision Technologies, Inc.
 *
@@ -45,6 +44,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 char sname[ANAME_SZ], sinst[INST_SZ];
 krb5_enc_tkt_part *v5etkt;
 int ret, lifetime;
+ krb5_timestamp server_time;
 v5tkt->enc_part2 = NULL;
 if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
@@ -77,8 +77,30 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
 /* V4 lifetime is 1 byte, in 5 minute increments */
 if (v5etkt->times.starttime == 0)
 v5etkt->times.starttime = v5etkt->times.authtime;
- lifetime = 0xff &
- ((v5etkt->times.endtime - v5etkt->times.authtime) / 300);
+ /* rather than apply fit an extended v5 lifetime into a v4 range,
+ give out a v4 ticket with as much of the v5 lifetime is available
+ "now" instead. */
+ if ((ret = krb5_timeofday(context, &server_time))) {
+ if (krb524_debug)
+ fprintf(stderr, "krb5_timeofday failed!\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return ret;
+ }
+ if ( (server_time >= v5etkt->times.starttime)
+ && (server_time <= v5etkt->times.endtime) ) {
+ lifetime = ((v5etkt->times.endtime - server_time) / 300);
+ if (lifetime > 255) lifetime = 255;
+ } else {
+ if (krb524_debug)
+ fprintf(stderr, "v5 ticket time out of bounds\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ if (server_time < v5etkt->times.starttime)
+ return KRB5KRB_AP_ERR_TKT_NYV;
+ else if (server_time > v5etkt->times.endtime)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ }
 /* XXX perhaps we should use the addr of the client host if */
 /* v5creds contains more than one addr. Q: Does V4 support */
--
2.26.2
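Review bot: The out-of-bounds branch ends in `if (server_time < ...starttime) return ...; else if (server_time > ...endtime) return ...;` with no final `else`, so syntactically there is a path that leaves the block after `krb5_free_enc_tkt_part()` has released `v5etkt` and with `lifetime` never assigned. The two tests are exhaustive as written, but making the second return unconditional, `else return KRB5KRB_AP_ERR_TKT_EXPIRED;`, keeps a later edit to the bounds check from turning that path into a use of freed ticket data. Separately, `lifetime` is now counted from `server_time`, while the issue timestamp given to the V4 ticket is set outside this hunk; if that is still `starttime`, the converted ticket would expire earlier than the V5 one, so the call that builds the V4 ticket is worth checking. The window test also allows no clock-skew margin, which looks stricter than usual Kerberos time validation and should be confirmed as intended. `krb524_convert_tkt_skey` begins and ends outside the hunk.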