rxkad-server-bad-ticket-part-two-20061103

FIXES 43862

Ensure that tkt_DecodeTicket and rxkad_CheckResponse return the right
RXKAD errors for ticket expiration or invalidity.  Avoid calling
tkt_CheckTimes twice in rxkad_CheckResponse

diff --git a/src/rxkad/rxkad_server.c b/src/rxkad/rxkad_server.c
index 86608296eeaf394fe7a2614876dbe93220a88d7f..85576dce1d0e1e88b28780c30c5d751e018af116 100644 (file)
--- a/src/rxkad/rxkad_server.c
+++ b/src/rxkad/rxkad_server.c
@@ -352,11 +352,15 @@ rxkad_CheckResponse(struct rx_securityClass *aobj,
                             client.instance, client.cell, &sessionkey, &host,
                             &start, &end);
        if (code)
-           return RXKADBADTICKET;
+           return code;
     }
     code = tkt_CheckTimes(start, end, time(0));
-    if (code == -1)
+    if (code == 0) 
+       return RXKADNOAUTH;
+    else if (code == -1)
        return RXKADEXPIRED;
+    else if (code < -1)
+       return RXKADBADTICKET;
     else if (code <= 0)
        return RXKADBADTICKET;
 

diff --git a/src/rxkad/ticket.c b/src/rxkad/ticket.c
index 2dbcce9a5213f66ec15849d26fd2954220483339..e8300b9764c3acffd02d1670c6044d2a22b62871 100644 (file)
--- a/src/rxkad/ticket.c
+++ b/src/rxkad/ticket.c
@@ -148,7 +148,13 @@ tkt_DecodeTicket(char *asecret, afs_int32 ticketLen,
 
     if (code)
        return RXKADBADTICKET;
-    if (tkt_CheckTimes(*start, *end, time(0)) < -1)
+
+    code = tkt_CheckTimes(*start, *end, time(0));
+    if (code == 0)
+       return RXKADNOAUTH;
+    else if (code == -1)
+       return RXKADEXPIRED;
+    else if (code < -1)
        return RXKADBADTICKET;
 
     return 0;