authorGreg Hudson <ghudson@mit.edu>2015-01-26 18:38:16 -0500
committerGreg Hudson <ghudson@mit.edu>2015-02-02 12:11:18 -0500
commitb0661f9176f5eb2644ba459e1b1e87d3dd502174 (patch)
tree8a248da4a927172b7e7a7192f7ff3c3f84dc592f /src/lib/krb5/asn.1/asn1_k_encode.c
parent922f7d1230fe647821d9767fafef3774c5cfd2fc (diff)
Remove starttime hack in EncTicketPart decoder
The EncTicketPart decoder sets starttime to authtime if it wasn't included in the ASN.1 value. This is problematic for upcoming CAMMAC work, as we will need to re-encode a received EncTicketPart to check the KDC verifier. Remove that behavior and just use opt_kerberos_time for the starttime field. Adjust krb5_decode_test.c to match the new decoder behavior. Similarly, remove the process_tgs_req() code which sets starttime in the header ticket if it isn't set. Add a comment explaining the unrelated code adjacent to it. check_tgs_times() used the ticket starttime without checking if it was present. Add a fallback to times->authtime, and narrow the function contract to make the implementation more concise. There is a similar hack in the EncKDCRepPart decoder; leave that alone for now.
Diffstat (limited to 'src/lib/krb5/asn.1/asn1_k_encode.c')
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.c16
1 files changed, 1 insertions, 15 deletions
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index f6de0b7..25b825c 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -713,27 +713,13 @@ static const struct atype_info *authenticator_fields[] = {
DEFSEQTYPE(untagged_authenticator, krb5_authenticator, authenticator_fields);
DEFAPPTAGGEDTYPE(authenticator, 2, untagged_authenticator);
-static int
-is_enc_tkt_start_set(const void *p)
-{
- const krb5_enc_tkt_part *val = p;
- return (val->times.starttime != 0);
-}
-static void
-init_enc_tkt_start(void *p)
-{
- krb5_enc_tkt_part *val = p;
- val->times.starttime = val->times.authtime;
-}
DEFFIELD(enc_tkt_0, krb5_enc_tkt_part, flags, 0, krb5_flags);
DEFFIELD(enc_tkt_1, krb5_enc_tkt_part, session, 1, ptr_encryption_key);
DEFFIELD(enc_tkt_2, krb5_enc_tkt_part, client, 2, realm_of_principal);
DEFFIELD(enc_tkt_3, krb5_enc_tkt_part, client, 3, principal);
DEFFIELD(enc_tkt_4, krb5_enc_tkt_part, transited, 4, transited);
DEFFIELD(enc_tkt_5, krb5_enc_tkt_part, times.authtime, 5, kerberos_time);
-DEFFIELD(enc_tkt_6_def, krb5_enc_tkt_part, times.starttime, 6, kerberos_time);
-DEFOPTIONALTYPE(enc_tkt_6, is_enc_tkt_start_set, init_enc_tkt_start,
- enc_tkt_6_def);
+DEFFIELD(enc_tkt_6, krb5_enc_tkt_part, times.starttime, 6, opt_kerberos_time);
DEFFIELD(enc_tkt_7, krb5_enc_tkt_part, times.endtime, 7, kerberos_time);
DEFFIELD(enc_tkt_8, krb5_enc_tkt_part, times.renew_till, 8, opt_kerberos_time);
DEFFIELD(enc_tkt_9, krb5_enc_tkt_part, caddrs, 9,