From 6cf58d81088f831683bca1133085f14a9f12c08c Mon Sep 17 00:00:00 2001
From: Mark Eichin <eichin@mit.edu>
Date: Sat, 24 Feb 1996 00:34:56 +0000
Subject: [PATCH] Fri Jan 12 04:37:23 1996  Mark Eichin  <eichin@cygnus.com>

	* cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
 	an extended v5 lifetime into a v4 range, give out a v4 ticket with
 	as much of the v5 lifetime is available "now" instead.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7509 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/krb524/ChangeLog      |  6 ++++++
 src/krb524/cnv_tkt_skey.c | 28 +++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 359d7a608..282941e2d 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,9 @@
+Fri Jan 12 04:37:23 1996  Mark Eichin  <eichin@cygnus.com>
+
+	* cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
+ 	an extended v5 lifetime into a v4 range, give out a v4 ticket with
+ 	as much of the v5 lifetime is available "now" instead.
+
 Sat Jan 27 01:31:12 1996  Sam Hartman  <hartmans@tertius.mit.edu>
 
 	* krb524d.c (kdc_get_server_key): If an enctype is given, then use
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index f4d97f83a..338cf22be 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -1,4 +1,3 @@
-
 /*
  * Copyright 1994 by OpenVision Technologies, Inc.
  * 
@@ -45,6 +44,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
      char sname[ANAME_SZ], sinst[INST_SZ];
      krb5_enc_tkt_part *v5etkt;
      int ret, lifetime;
+     krb5_timestamp server_time;
 
      v5tkt->enc_part2 = NULL;
      if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
@@ -77,8 +77,30 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
      /* V4 lifetime is 1 byte, in 5 minute increments */
      if (v5etkt->times.starttime == 0)
 	  v5etkt->times.starttime = v5etkt->times.authtime;
-     lifetime = 0xff &
-	  ((v5etkt->times.endtime - v5etkt->times.authtime) / 300);
+     /* rather than apply fit an extended v5 lifetime into a v4 range,
+	give out a v4 ticket with as much of the v5 lifetime is available
+	"now" instead. */
+     if ((ret = krb5_timeofday(context, &server_time))) {
+         if (krb524_debug)
+	      fprintf(stderr, "krb5_timeofday failed!\n");
+	 krb5_free_enc_tkt_part(context, v5etkt);
+	 v5tkt->enc_part2 = NULL;
+	 return ret;       
+     }
+     if (   (server_time >= v5etkt->times.starttime)
+	 && (server_time <= v5etkt->times.endtime) ) {
+          lifetime = ((v5etkt->times.endtime - server_time) / 300);
+	  if (lifetime > 255) lifetime = 255;
+     } else {
+          if (krb524_debug)
+	       fprintf(stderr, "v5 ticket time out of bounds\n");
+	  krb5_free_enc_tkt_part(context, v5etkt);
+	  v5tkt->enc_part2 = NULL;
+	  if (server_time < v5etkt->times.starttime)
+	       return KRB5KRB_AP_ERR_TKT_NYV;
+	  else if (server_time > v5etkt->times.endtime)
+	       return KRB5KRB_AP_ERR_TKT_EXPIRED;
+     }
 
      /* XXX perhaps we should use the addr of the client host if */
      /* v5creds contains more than one addr.  Q: Does V4 support */
-- 
2.26.2