stop the client from renewing tickets into the future

From: Jeffrey Hutzelman <jhutz@cmu.edu> git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13646 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-03-30 09:19:14 +00:00
parent 2b82583ac9
commit 3ea2077af8
1 changed files with 20 additions and 14 deletions
--- a/kdc/kerberos4.c
+++ b/kdc/kerberos4.c
@@ -133,7 +133,7 @@ do_version4(unsigned char *buf,
    char *name = NULL, *inst = NULL, *realm = NULL;
    char *sname = NULL, *sinst = NULL;
    int32_t req_time;
-    time_t max_life;
+    time_t max_life, max_end, actual_end, issue_time;
    u_int8_t life;
    char client_name[256];
    char server_name[256];
@@ -425,17 +425,22 @@ do_version4(unsigned char *buf,
 	    goto out2;
 	}

-	max_life = krb_life_to_time(ad.time_sec, ad.life);
-	max_life = min(max_life, krb_life_to_time(kdc_time, life));
-	life = min(life, krb_time_to_life(kdc_time, max_life));
-	max_life = krb_life_to_time(0, life);
-#if 0
-	if(client->max_life)
-	    max_life = min(max_life, *client->max_life);
-#endif
-	if(server->max_life)
-	    max_life = min(max_life, *server->max_life);
+	max_end = krb_life_to_time(ad.time_sec, ad.life);
+	max_end = min(max_end, krb_life_to_time(kdc_time, life));
+	life = min(life, krb_time_to_life(kdc_time, max_end));
 	
+	issue_time = kdc_time;
+	actual_end = krb_life_to_time(issue_time, life);
+	while (actual_end > max_end && life > 1) {
+	    /* move them into the next earlier lifetime bracket */
+	    life--;
+	    actual_end = krb_life_to_time(issue_time, life);
+	}
+	if (actual_end > max_end) {
+	    /* if life <= 1 and it's still too long, backdate the ticket */
+	    issue_time -= actual_end - max_end;
+	}
+
 	{
 	    KTEXT_ST cipher, ticket;
 	    KTEXT r;
@@ -443,13 +448,14 @@ do_version4(unsigned char *buf,
 	    des_new_random_key(&session);

 	    krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
-			      addr->sin_addr.s_addr, &session, life, kdc_time,
+			      addr->sin_addr.s_addr, &session, life, 
+			      issue_time,
 			      sname, sinst, skey->key.keyvalue.data);
 	    
 	    create_ciph(&cipher, session, sname, sinst, v4_realm,
 			life, server->kvno % 256, &ticket,
-			kdc_time, &ad.session);
-
+			issue_time, &ad.session);
+	    
 	    memset(&session, 0, sizeof(session));
 	    memset(ad.session, 0, sizeof(ad.session));