(krb5_decrypt_ticket): add flags and KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is invalid

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6017 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997, 1998 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -123,7 +123,8 @@ krb5_error_code
|
|||||||
krb5_decrypt_ticket(krb5_context context,
|
krb5_decrypt_ticket(krb5_context context,
|
||||||
Ticket *ticket,
|
Ticket *ticket,
|
||||||
krb5_keyblock *key,
|
krb5_keyblock *key,
|
||||||
EncTicketPart *out)
|
EncTicketPart *out,
|
||||||
|
krb5_flags flags)
|
||||||
{
|
{
|
||||||
EncTicketPart t;
|
EncTicketPart t;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
@@ -138,7 +139,9 @@ krb5_decrypt_ticket(krb5_context context,
|
|||||||
krb5_timeofday (context, &now);
|
krb5_timeofday (context, &now);
|
||||||
if(t.starttime)
|
if(t.starttime)
|
||||||
start = *t.starttime;
|
start = *t.starttime;
|
||||||
if(start - now > context->max_skew || t.flags.invalid)
|
if(start - now > context->max_skew
|
||||||
|
|| (t.flags.invalid
|
||||||
|
&& !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID)))
|
||||||
return KRB5KRB_AP_ERR_TKT_NYV;
|
return KRB5KRB_AP_ERR_TKT_NYV;
|
||||||
if(now - t.endtime > context->max_skew)
|
if(now - t.endtime > context->max_skew)
|
||||||
return KRB5KRB_AP_ERR_TKT_EXPIRED;
|
return KRB5KRB_AP_ERR_TKT_EXPIRED;
|
||||||
@@ -196,6 +199,7 @@ krb5_verify_ap_req(krb5_context context,
|
|||||||
krb5_ap_req *ap_req,
|
krb5_ap_req *ap_req,
|
||||||
krb5_const_principal server,
|
krb5_const_principal server,
|
||||||
krb5_keyblock *keyblock,
|
krb5_keyblock *keyblock,
|
||||||
|
krb5_flags flags,
|
||||||
krb5_flags *ap_req_options,
|
krb5_flags *ap_req_options,
|
||||||
krb5_ticket **ticket)
|
krb5_ticket **ticket)
|
||||||
{
|
{
|
||||||
@@ -215,15 +219,15 @@ krb5_verify_ap_req(krb5_context context,
|
|||||||
if (ap_req->ap_options.use_session_key && ac->keyblock){
|
if (ap_req->ap_options.use_session_key && ac->keyblock){
|
||||||
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
|
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
|
||||||
ac->keyblock,
|
ac->keyblock,
|
||||||
&t.ticket);
|
&t.ticket,
|
||||||
|
flags);
|
||||||
krb5_free_keyblock(context, ac->keyblock);
|
krb5_free_keyblock(context, ac->keyblock);
|
||||||
ac->keyblock = NULL;
|
ac->keyblock = NULL;
|
||||||
}else
|
}else
|
||||||
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
|
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
|
||||||
keyblock,
|
keyblock,
|
||||||
&t.ticket);
|
&t.ticket,
|
||||||
|
flags);
|
||||||
|
|
||||||
|
|
||||||
if(ret)
|
if(ret)
|
||||||
return ret;
|
return ret;
|
||||||
@@ -330,6 +334,7 @@ krb5_rd_req_with_keyblock(krb5_context context,
|
|||||||
&ap_req,
|
&ap_req,
|
||||||
server,
|
server,
|
||||||
keyblock,
|
keyblock,
|
||||||
|
0,
|
||||||
ap_req_options,
|
ap_req_options,
|
||||||
ticket);
|
ticket);
|
||||||
|
|
||||||
@@ -426,6 +431,7 @@ krb5_rd_req(krb5_context context,
|
|||||||
&ap_req,
|
&ap_req,
|
||||||
server,
|
server,
|
||||||
keyblock,
|
keyblock,
|
||||||
|
0,
|
||||||
ap_req_options,
|
ap_req_options,
|
||||||
ticket);
|
ticket);
|
||||||
|
|
||||||
|
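Review bot: The rewritten condition `|| (t.flags.invalid && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))` in krb5_decrypt_ticket lets a caller accept a ticket whose INVALID flag is set, and nothing visible in these hunks says which callers may do so. Such a ticket is one the KDC has not yet validated, so an application server that passes the flag would skip a check it is supposed to enforce; presumably the flag is meant only for the validation path, and that should be written down. I would add a comment above the test, e.g. `/* INVALID tickets are rejected unless the caller explicitly opts out; the start-time skew check still applies */`, and a matching note where KRB5_VERIFY_AP_REQ_IGNORE_INVALID is defined (the definition is not in this section). The bare `0` passed by krb5_rd_req and krb5_rd_req_with_keyblock keeps the check on, which is the right default; a short `/* flags: enforce INVALID */` beside it would make that intent visible. All of these function bodies start and end outside the hunks shown.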