author | Greg Hudson <ghudson@mit.edu> | 2013-06-02 01:22:38 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-06-05 16:26:06 -0400 |
commit | 73cec24defdc9bf203a39f2e1059ec74e5a32dd9 (patch) | |
tree | 038abd06025f34956e444fa75d9d6a5ef76a9023 | |
parent | f2600131fb358339ceccecb1c80af7d471c0501b (diff) | |
Use KDC clock skew for AS-REQ timestamps
Calculate request timestamps each time we encode a request, and use
the adjusted current time when calculating them, including adjustments
resulting from preauth-required errors early in the AS exchange.
As a side effect, this reverts one of the changes in commit
37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again
use the time adjustment from any ccache we read before the AS
exchange, if we don't have a more specific adjustment from a
preauth-required error.
Based on a patch from Stef Walter.
ticket: 7657 (new)
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index b422d916a2..f8f38014b6 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -689,7 +689,13 @@ pick_nonce(krb5_context context, krb5_init_creds_context ctx)
 static krb5_error_code
 set_request_times(krb5_context context, krb5_init_creds_context ctx)
 {
- krb5_timestamp from, now = time(NULL);
+ krb5_error_code code;
+ krb5_timestamp from, now;
+ krb5_int32 now_ms;
+
+ code = k5_init_creds_current_time(context, ctx, TRUE, &now, &now_ms);
+ if (code != 0)
+ return code;
 
 /* Omit request start time unless the caller explicitly asked for one. */
 from = krb5int_addint32(now, ctx->start_time);
@@ -751,10 +757,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
 goto cleanup;
 }
 
- code = set_request_times(context, ctx);
- if (code != 0)
- goto cleanup;
-
 krb5_free_principal(context, ctx->request->server);
 ctx->request->server = NULL;
 
@@ -1229,6 +1231,11 @@ init_creds_step_request(krb5_context context,
 if (code != 0)
 goto cleanup;
 
+ /* Reset the request timestamps, possibly adjusting to the KDC time. */
+ code = set_request_times(context, ctx);
+ if (code != 0)
+ goto cleanup;
+
 krb5_free_data(context, ctx->inner_request_body);
 ctx->inner_request_body = NULL;
 code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);
|
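Review bot: The bare `TRUE` passed to `k5_init_creds_current_time()` in `set_request_times()` is unexplained, and going by the commit message it appears to be what lets an offset taken from a preauth-required error feed `now`. That error reaches the client before it has authenticated the KDC, so the request times are now derived from a value the client cannot yet trust. A comment should record that decision, for example `/* TRUE: accept the offset from a preauth-required error even though it is unauthenticated. */`, with the wording checked against the helper's definition, which is not in this hunk. `now_ms` is written but never read in the visible lines, so `/* required out-parameter, unused here */` next to its declaration would save a reader the search. The function body continues past the end of the hunk.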
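Review bot: The new comment in `init_creds_step_request()` says what the call does but not that its position matters. `set_request_times()` presumably writes into `ctx->request`, and `encode_krb5_kdc_req_body(ctx->request, ...)` three lines below is what captures those values. I would extend the comment to something like `/* Must precede the encode below so each retry picks up the latest time offset. */`, so a later reordering does not quietly bring back stale timestamps. The function starts and ends outside this hunk, so whether anything earlier in it already read the old request times cannot be checked from here.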