diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
| commit | 5f39a4438eafd693a3eb8366bbc3901efe62e538 (patch) | |
| tree | fc738c1ef2b58474b2622c5e1937a22bd1eaeffa /src/include | |
| parent | 8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0 (diff) | |
| download | krb5-5f39a4438eafd693a3eb8366bbc3901efe62e538.tar.gz krb5-5f39a4438eafd693a3eb8366bbc3901efe62e538.tar.xz krb5-5f39a4438eafd693a3eb8366bbc3901efe62e538.zip | |
Allow preauth mechs to work with clock skew
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/k5-int.h | 11 | ||||
| -rw-r--r-- | src/include/krb5/preauth_plugin.h | 18 |
2 files changed, 29 insertions, 0 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 7ef421d2d..752b40efc 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -665,6 +665,12 @@ typedef struct _krb5_os_context { char * default_ccname; } *krb5_os_context; +/* Get the current time of day plus a specified offset. */ +krb5_error_code k5_time_with_offset(krb5_timestamp offset, + krb5_int32 offset_usec, + krb5_timestamp *time_out, + krb5_int32 *usec_out); + /* * Flags for the os_flags field * @@ -753,6 +759,11 @@ struct krb5_clpreauth_rock_st { krb5_principal client; krb5_prompter_fct prompter; void *prompter_data; + + /* Discovered offset of server time during preauth */ + krb5_timestamp pa_offset; + krb5_int32 pa_offset_usec; + enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state; }; typedef struct _krb5_pa_enc_ts { diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h index f732b947d..72fd92d26 100644 --- a/src/include/krb5/preauth_plugin.h +++ b/src/include/krb5/preauth_plugin.h @@ -176,6 +176,24 @@ typedef struct krb5_clpreauth_callbacks_st { const krb5_keyblock *keyblock); /* End of version 1 clpreauth callbacks. */ + + /* + * Get the current time for use in a preauth response. If + * allow_unauth_time is true and the library has been configured to allow + * it, the current time will be offset using unauthenticated timestamp + * information received from the KDC in the preauth-required error, if one + * has been received. Otherwise, the timestamp in a preauth-required error + * will only be used if it is protected by a FAST channel. Only set + * allow_unauth_time if using an unauthenticated time offset would not + * create a security issue. + */ + krb5_error_code (*get_preauth_time)(krb5_context context, + krb5_clpreauth_rock rock, + krb5_boolean allow_unauth_time, + krb5_timestamp *time_out, + krb5_int32 *usec_out); + + /* End of version 2 clpreauth callbacks (added in 1.11). */ } *krb5_clpreauth_callbacks; /* |