Compare pac timestamp to unix timestamp right when neither are set

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Viktor Dukhovni
2013-03-11 23:33:40 +00:00
committed by Love Hornquist Astrand
parent eface6d31f
commit 435c02fa26


@@ -615,7 +615,13 @@ verify_logonname(krb5_context context,
uint64_t t1, t2;
t1 = unix2nttime(authtime);
t2 = ((uint64_t)time2 << 32) | time1;
if (t1 != t2) {
/*
* When neither the ticket nor the PAC set an explicit authtime,
* both times are zero, but relative to different time scales.
* So we must compare "not set" values without converting to a
* common time reference.
*/
if (t1 != t2 && (t2 != 0 && authtime != 0)) {
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
return EINVAL;
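Review bot: The new condition `t1 != t2 && (t2 != 0 && authtime != 0)` skips the mismatch error when either timestamp is zero, whereas the comment above it only justifies the case where both are unset. As written, a PAC whose logon-name time is zero passes against a ticket with any non-zero authtime, and the reverse also passes, so this check no longer ties the PAC to the ticket's authtime in those cases. How much that matters depends on the other PAC checks (signature verification), which are not visible in this hunk. To match the stated intent, the guard would be `if (t1 != t2 && (t2 != 0 || authtime != 0)) {`, which still accepts the "neither set" case and rejects a one-sided zero. The body of verify_logonname starts and ends outside the hunk, so confirm how callers populate authtime before changing it.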