From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sat, 4 Nov 2006 23:49:45 +0000 (+0000)
Subject: rxkad-server-bad-ticket-part-two-20061103
X-Git-Tag: BP-openafs-windows-kdfs-ifs~958
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=bf5bfc06638b028335ecdc19ce35315195fc6ffe;p=packages%2Fo%2Fopenafs.git

rxkad-server-bad-ticket-part-two-20061103

FIXES 43862

Ensure that tkt_DecodeTicket and rxkad_CheckResponse return the right
RXKAD errors for ticket expiration or invalidity.  Avoid calling
tkt_CheckTimes twice in rxkad_CheckResponse
---

diff --git a/src/rxkad/rxkad_server.c b/src/rxkad/rxkad_server.c
index 86608296e..85576dce1 100644
--- a/src/rxkad/rxkad_server.c
+++ b/src/rxkad/rxkad_server.c
@@ -352,11 +352,15 @@ rxkad_CheckResponse(struct rx_securityClass *aobj,
 			     client.instance, client.cell, &sessionkey, &host,
 			     &start, &end);
 	if (code)
-	    return RXKADBADTICKET;
+	    return code;
     }
     code = tkt_CheckTimes(start, end, time(0));
-    if (code == -1)
+    if (code == 0) 
+	return RXKADNOAUTH;
+    else if (code == -1)
 	return RXKADEXPIRED;
+    else if (code < -1)
+	return RXKADBADTICKET;
     else if (code <= 0)
 	return RXKADBADTICKET;
 
diff --git a/src/rxkad/ticket.c b/src/rxkad/ticket.c
index 2dbcce9a5..e8300b976 100644
--- a/src/rxkad/ticket.c
+++ b/src/rxkad/ticket.c
@@ -148,7 +148,13 @@ tkt_DecodeTicket(char *asecret, afs_int32 ticketLen,
 
     if (code)
 	return RXKADBADTICKET;
-    if (tkt_CheckTimes(*start, *end, time(0)) < -1)
+
+    code = tkt_CheckTimes(*start, *end, time(0));
+    if (code == 0)
+	return RXKADNOAUTH;
+    else if (code == -1)
+	return RXKADEXPIRED;
+    else if (code < -1)
 	return RXKADBADTICKET;
 
     return 0;