From e3670f5b6ae971edd43550cab93d14093f154a87 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Thu, 29 Sep 1994 19:39:52 +0000 Subject: [PATCH] Return new error codes KRB5_IN_TKT_REALM_MISTCH and KRB5_KDCREP_SKEW instead of more generic error codes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4378 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/ChangeLog | 10 +++++++++- src/lib/krb5/krb/gc_via_tgt.c | 14 ++++++++++---- src/lib/krb5/krb/get_in_tkt.c | 11 +++++++++-- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 720529402..023a2a019 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,4 +1,12 @@ -Thu Sep 29 15:10:42 1994 Theodore Y. Ts'o (tytso@dcl) +Thu Sep 29 15:31:10 1994 Theodore Y. Ts'o (tytso@dcl) + + * get_in_tkt.c (krb5_get_in_tkt): Return KRB5_IN_TKT_REALM_MISATCH + if the client and server realms don't match. Return + KRB5_KDCREP_SKEW if the KDC reply has an unacceptible + clock skew (instead of KDCREP_MODIFIED.) + + * gc_via_tgt.c (krb5_get_cred_via_tgt): Use a distinct error code + for KDC skew separate from the standard KDCREP_MODIFIED * princ_comp.c (krb5_realm_compare): Added new function from OpenVision. diff --git a/src/lib/krb5/krb/gc_via_tgt.c b/src/lib/krb5/krb/gc_via_tgt.c index 7141521fb..2390d6b52 100644 --- a/src/lib/krb5/krb/gc_via_tgt.c +++ b/src/lib/krb5/krb/gc_via_tgt.c @@ -169,8 +169,6 @@ OLDDECLARG(krb5_creds *, cred) || (request.nonce != dec_rep->enc_part2->nonce) /* XXX check for extraneous flags */ /* XXX || (!krb5_addresses_compare(addrs, dec_rep->enc_part2->caddrs)) */ - || ((request.from == 0) && - !in_clock_skew(dec_rep->enc_part2->times.starttime)) || ((request.from != 0) && (request.from != dec_rep->enc_part2->times.starttime)) || ((request.till != 0) && 
@@ -182,10 +180,18 @@ OLDDECLARG(krb5_creds *, cred) (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && (request.till != 0) && (dec_rep->enc_part2->times.renew_till > request.till)) - ) { + ) + retval = KRB5_KDCREP_MODIFIED; + + if ((request.from == 0) && + !in_clock_skew(dec_rep->enc_part2->times.starttime)) + retval = KRB5_KDCREP_SKEW; + + if (retval) { cleanup(); - return KRB5_KDCREP_MODIFIED; + return retval; } + #endif cred->ticket_flags = dec_rep->enc_part2->flags; diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index ed7b486cb..f9366a6ab 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -113,6 +113,9 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply) krb5_timestamp time_now; krb5_pa_data *padata; + if (! krb5_realm_compare(creds->client, creds->server)) + return KRB5_IN_TKT_REALM_MISMATCH; + if (ret_as_reply) *ret_as_reply = 0; @@ -248,8 +251,6 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply) || (request.nonce != as_reply->enc_part2->nonce) /* XXX check for extraneous flags */ /* XXX || (!krb5_addresses_compare(addrs, as_reply->enc_part2->caddrs)) */ - || ((request.from == 0) && - !in_clock_skew(as_reply->enc_part2->times.starttime)) || ((request.from != 0) && (request.from != as_reply->enc_part2->times.starttime)) || ((request.till != 0) && @@ -265,6 +266,12 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply) retval = KRB5_KDCREP_MODIFIED; goto cleanup; } + if ((request.from == 0) && + !in_clock_skew(as_reply->enc_part2->times.starttime)) { + retval = KRB5_KDCREP_MODIFIED; + goto cleanup; + } + /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */ -- 2.26.2
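Review bot: In gc_via_tgt.c the new skew test runs unconditionally after the consistency check and overwrites `retval`, so a reply that fails the nonce or time-field comparisons and also has a starttime outside the skew window is reported as KRB5_KDCREP_SKEW, hiding the stronger KRB5_KDCREP_MODIFIED result from the caller. Chaining the second test as `else if ((request.from == 0) && !in_clock_skew(dec_rep->enc_part2->times.starttime))` keeps MODIFIED authoritative when both conditions hold. The following `if (retval)` also relies on `retval` being zero when this block is entered; that value is set outside the hunk and should be confirmed. The function body and the `#if` that matches the `#endif` both start outside the hunk.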
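Review bot: In get_in_tkt.c (hunk at -113,6) the new realm check returns before `if (ret_as_reply) *ret_as_reply = 0;`, so on KRB5_IN_TKT_REALM_MISMATCH the caller's out-pointer keeps whatever value it had on entry. A caller that frees or inspects `*ret_as_reply` after a failure would then act on an uninitialized pointer; whether any caller does so is not visible here. Moving the `krb5_realm_compare` test below the `*ret_as_reply = 0;` assignment gives every error return the same out-parameter state. The function body starts and continues outside the hunk.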
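Review bot: In get_in_tkt.c (hunk at -265,6) the split-out skew test still assigns `retval = KRB5_KDCREP_MODIFIED;`, so krb5_get_in_tkt keeps returning the generic code for a clock-skew failure, contrary to the ChangeLog entry in this same patch and to the matching change in gc_via_tgt.c. The assignment should read `retval = KRB5_KDCREP_SKEW;`. As written, a client with a drifted clock is indistinguishable from one that received an altered AS reply, which is the ambiguity the commit sets out to remove. The enclosing function continues outside the hunk.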