oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Compare pac timestamp to unix timestamp right when neither are set

Browse Source 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This commit is contained in:
Viktor Dukhovni
2013-03-11 23:33:40 +00:00
committed by Love Hornquist Astrand
parent eface6d31f
commit 435c02fa26
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/krb5/pac.c
View File

@@ -615,7 +615,13 @@ verify_logonname(krb5_context context,
uint64_t t1, t2; uint64_t t1, t2;
t1 = unix2nttime(authtime); t1 = unix2nttime(authtime);
t2 = ((uint64_t)time2 << 32) | time1; t2 = ((uint64_t)time2 << 32) | time1;
if (t1 != t2) { /*
* When neither the ticket nor the PAC set an explicit authtime,
* both times are zero, but relative to different time scales.
* So we must compare "not set" values without converting to a
* common time reference.
*/
if (t1 != t2 && (t2 != 0 && authtime != 0)) {
krb5_storage_free(sp); krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch"); krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
return EINVAL; return EINVAL;