}
- if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) {
+ if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) {
retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;
return retval;
}
return (uint32_t)a > (uint32_t)b;
}
+/* Return true if a and b are within d seconds. */
+static inline krb5_boolean
+ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d)
+{
+ return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d));
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
krb5_ccache ccache,
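Review bot: The comment on `ts_within` does not say that the bound is inclusive, and that changes the result at its callers. The removed `in_clock_skew` macro tested `labs(ts_delta(date, now)) < (context)->clockskew`, and the `KRB5KRB_AP_ERR_SKEW` check in the last hunk used `>=`, so a timestamp exactly `clockskew` seconds away was rejected before and is accepted now; the two `KRB5_KDCREP_SKEW` checks are affected in the same way. If that one-second widening of the skew window is intended, I would state it in the comment, for example `/* Return true if a and b are within d seconds of each other, inclusive. d is expected to be non-negative. */`. The non-negative expectation is inferred, since `ts_incr` is not shown on this page; please confirm how a negative `d` behaves.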
krb5_db_entry *server,
krb5_timestamp *out_endtime)
{
- krb5_timestamp until, life;
+ krb5_timestamp until;
+ krb5_deltat life;
if (till == 0)
till = kdc_infinity;
until = ts_min(till, endtime);
+ /* Determine the requested lifetime, capped at the maximum valid time
+ * interval. */
life = ts_delta(until, starttime);
+ if (ts_after(until, starttime) && life < 0)
+ life = INT32_MAX;
if (client != NULL && client->max_life != 0)
life = min(life, client->max_life);
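Review bot: The new cap only covers the case where `until` is after `starttime`; when it is not, `life` keeps whatever `ts_delta(until, starttime)` returned and goes straight into the `min()` calls, where a negative value always wins over `max_life`. `till` is presumably the end time asked for in the request, so this case looks reachable unless it is rejected somewhere this hunk does not show. The added comment describes only the overflow cap, so I would extend it to say what is expected here, for example `/* If until is not after starttime, life is zero or negative and the resulting end time must be rejected by the caller. */`, adjusted to whatever the caller actually does. The function body continues outside the hunk, so the later handling could not be checked.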
static krb5_ui_4 seed;
#define STALE_TIME (2*60) /* two minutes */
-#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME)
+#define STALE(ptr, now) (ts_after(now, ts_incr((ptr)->timein, STALE_TIME)))
/* Return x rotated to the left by r bits. */
static inline krb5_ui_4
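Review bot: `STALE` is no longer symmetric. The old form took `labs()` of the difference, so an entry whose `timein` was `STALE_TIME` or more ahead of `now` also counted as stale, while the new form is true only once `now` is past `timein + STALE_TIME`. After a backward clock step an entry therefore stays live for the size of the step plus two minutes, which presumably keeps cached replies in use for longer than before. The threshold also moved from `>=` to strictly after, which the test hunk reflects with `STALE_TIME + 1`. I would record both on the macro, for example `/* An entry is stale once more than STALE_TIME seconds have passed since timein; an entry stamped in the future is not stale. */`.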
assert_non_null(e);
e->num_hits = 5;
- time_return(STALE_TIME, 0);
+ time_return(STALE_TIME + 1, 0);
kdc_insert_lookaside(context, &req2, NULL);
assert_null(K5_LIST_FIRST(&hash_table[req_hash1]));
goto cleanup;
if (!in_cred->times.starttime &&
- !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
- timestamp)) {
+ !ts_within(dec_rep->enc_part2->times.starttime, timestamp,
+ context->clockskew)) {
retval = KRB5_KDCREP_SKEW;
goto cleanup;
}
return retval;
} else {
if ((request->from == 0) &&
- !in_clock_skew(context, as_reply->enc_part2->times.starttime,
- time_now))
+ !ts_within(as_reply->enc_part2->times.starttime, time_now,
+ context->clockskew))
return (KRB5_KDCREP_SKEW);
}
return 0;
if (ctx->renew_life > 0) {
/* Don't ask for a smaller renewable time than the lifetime. */
ctx->request->rtime = ts_incr(from, ctx->renew_life);
- if (ctx->request->rtime < ctx->request->till)
+ if (ts_after(ctx->request->till, ctx->request->rtime))
ctx->request->rtime = ctx->request->till;
ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK;
} else {
krb5_creds *in_creds, krb5_creds *mcreds,
krb5_flags *fields);
-#define in_clock_skew(context, date, now) \
- (labs(ts_delta(date, now)) < (context)->clockskew)
-
#define IS_TGS_PRINC(p) ((p)->length == 2 && \
data_eq_string((p)->data[0], KRB5_TGS_NAME))
else
starttime = times->authtime;
- if (ts_delta(starttime, currenttime) > context->clockskew)
+ if (ts_after(starttime, ts_incr(currenttime, context->clockskew)))
return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
- if (ts_delta(currenttime, times->endtime) > context->clockskew)
+ if (ts_after(currenttime, ts_incr(times->endtime, context->clockskew)))
return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
return 0;
retval = krb5_timeofday(context, ¤ttime);
if (retval)
return retval;
- if (labs(ts_delta(date, currenttime)) >= context->clockskew)
+ if (!ts_within(date, currenttime, context->clockskew))
return KRB5KRB_AP_ERR_SKEW;
return 0;