diff options
Diffstat (limited to 'third_party/heimdal/kdc')
| -rw-r--r-- | third_party/heimdal/kdc/fast.c | 5 | ||||
| -rw-r--r-- | third_party/heimdal/kdc/kerberos5.c | 15 | ||||
| -rw-r--r-- | third_party/heimdal/kdc/krb5tgs.c | 2 |
3 files changed, 14 insertions, 8 deletions
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index e6c523ced95..a037331261a 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -834,10 +834,9 @@ _kdc_free_fast_state(KDCFastState *state) } krb5_error_code -_kdc_fast_check_armor_pac(astgs_request_t r) +_kdc_fast_check_armor_pac(astgs_request_t r, int flags) { krb5_error_code ret; - int flags; krb5_boolean ad_kdc_issued = FALSE; krb5_pac mspac = NULL; krb5_principal armor_client_principal = NULL; @@ -845,7 +844,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r) hdb_entry *armor_client = NULL; char *armor_client_principal_name = NULL; - flags = HDB_F_FOR_TGS_REQ; + flags |= HDB_F_ARMOR_PRINCIPAL; if (_kdc_synthetic_princ_used_p(r->context, r->armor_ticket)) flags |= HDB_F_SYNTHETIC_OK; if (r->req.req_body.kdc_options.canonicalize) diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index ecca52cdcdd..416fd29f553 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -2561,11 +2561,11 @@ _kdc_as_rep(astgs_request_t r) */ if (r->pa_max_life > 0) t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life)); - else if (r->client->max_life && *r->client->max_life) + else if (r->client->max_life) t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_life)); - if (r->server->max_life && *r->server->max_life) + if (r->server->max_life) t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_life)); @@ -2576,6 +2576,13 @@ _kdc_as_rep(astgs_request_t r) t = min(t, rk_time_add(start, realm->max_life)); #endif r->et.endtime = t; + + if (start > r->et.endtime) { + _kdc_set_e_text(r, "Requested effective lifetime is negative or too short"); + ret = KRB5KDC_ERR_NEVER_VALID; + goto out; + } + if(f.renewable_ok && r->et.endtime < *b->till){ f.renewable = 1; if(b->rtime == NULL){ @@ -2589,10 +2596,10 @@ _kdc_as_rep(astgs_request_t r) t = *b->rtime; if(t == 0) t = MAX_TIME; - if(r->client->max_renew && *r->client->max_renew) + if(r->client->max_renew) t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_renew)); - if(r->server->max_renew && *r->server->max_renew) + if(r->server->max_renew) t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_renew)); #if 0 diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 0bad42aa3b7..1ded41616dc 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -1908,7 +1908,7 @@ server_lookup: /* Validate armor TGT before potentially including device claims */ if (priv->armor_ticket) { - ret = _kdc_fast_check_armor_pac(priv); + ret = _kdc_fast_check_armor_pac(priv, HDB_F_FOR_TGS_REQ); if (ret) goto out; } |