| author | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
| commit | 5f39a4438eafd693a3eb8366bbc3901efe62e538 (patch) | |
| tree | fc738c1ef2b58474b2622c5e1937a22bd1eaeffa /src/include/k5-int.h | |
| parent | 8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0 (diff) | |
Allow preauth mechs to work with clock skew
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/k5-int.h')
| -rw-r--r-- | src/include/k5-int.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 7ef421d2d..752b40efc 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -665,6 +665,12 @@ typedef struct _krb5_os_context {
 char * default_ccname;
 } *krb5_os_context;
 
+/* Get the current time of day plus a specified offset. */
+krb5_error_code k5_time_with_offset(krb5_timestamp offset,
+ krb5_int32 offset_usec,
+ krb5_timestamp *time_out,
+ krb5_int32 *usec_out);
+
 /*
 * Flags for the os_flags field
 *
@@ -753,6 +759,11 @@ struct krb5_clpreauth_rock_st {
 krb5_principal client;
 krb5_prompter_fct prompter;
 void *prompter_data;
+
+ /* Discovered offset of server time during preauth */
+ krb5_timestamp pa_offset;
+ krb5_int32 pa_offset_usec;
+ enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
 };
 
 typedef struct _krb5_pa_enc_ts { |
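Review bot: The one-line comment on `k5_time_with_offset` in the first hunk leaves out the part of the contract that matters for security, namely where the offset comes from and how far the result can be trusted. The commit message says the offset is determined by the preauth-required error and is not necessarily authenticated, so I would extend the comment to something like `/* Get the current time of day plus a specified offset. The offset may come from an unauthenticated KDC error, so the result is not trusted time. */`. The implementation is not part of this file's diff; because the offset is effectively peer-supplied, it is worth confirming there that the addition cannot overflow the signed timestamp and that `*usec_out` is normalised into the 0..999999 range.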
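Review bot: In the second hunk the `pa_offset_state` enumerators are undocumented, so later code has nothing telling it when the stored offset may be relied on. Going by the names and the commit message (to be confirmed by the author), a comment such as `/* UNAUTH_OFFSET: offset taken from an unauthenticated KDC error; AUTH_OFFSET: offset taken from an authenticated reply */` would make clear that an unauthenticated offset must not be used where verified time is required. Separately, the anonymous enum inside `struct krb5_clpreauth_rock_st` places the unprefixed names `NO_OFFSET`, `UNAUTH_OFFSET` and `AUTH_OFFSET` at file scope in every file that includes k5-int.h; a prefix tied to the field name would lower the collision risk. The struct definition begins outside the hunk.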
