authorKen Raeburn <raeburn@mit.edu>2007-07-20 08:51:58 +0000
committerKen Raeburn <raeburn@mit.edu>2007-07-20 08:51:58 +0000
commit4281165e025620782ea39bdca77aaf65cd704899 (patch)
treeb4846a3416e52f963984a892cf17f10cfb4b48f3 /src/lib/krb5
parenteec1bd8aa5fefd66deca49ebc38037d82818615d (diff)
Pull out code for looking up the current time, comparing the offset of
a supplied timestamp against the configured maximum clock skew, and possibly generating an error message, into a separate routine. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19722 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/rd_cred.c10
-rw-r--r--src/lib/krb5/krb/rd_priv.c12
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c22
-rw-r--r--src/lib/krb5/krb/rd_safe.c12
4 files changed, 19 insertions, 37 deletions
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 965ed9a81..19370d37b 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -158,8 +158,6 @@ cleanup_cred:
/*----------------------- krb5_rd_cred -----------------------*/
-#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
-
/*
* This functions takes as input an KRB_CRED message, validates it, and
* outputs the nonce and an array of the forwarded credentials.
@@ -204,15 +202,9 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
- krb5_timestamp currenttime;
-
- if ((retval = krb5_timeofday(context, &currenttime)))
- goto error;
- if (!in_clock_skew(replaydata.timestamp)) {
- retval = KRB5KRB_AP_ERR_SKEW;
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
goto error;
- }
if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
"_forw", &replay.client)))
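Review bot: krb5int_check_clockskew is defined in rd_req_dec.c but called here and in the matching hunks of rd_priv.c and rd_safe.c, and no prototype for it is added in any file shown in this diff. The diffstat is limited to src/lib/krb5, so the declaration may have been added to a header outside this view. It is worth confirming that a shared internal header declares it, because an implicit declaration at these call sites would hide any mismatch in the krb5_timestamp argument or the krb5_error_code return. The body of krb5_rd_cred starts and ends outside the hunk.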
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 9d934972f..66cee8538 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/rd_priv.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -31,8 +31,6 @@
#include "cleanup.h"
#include "auth_con.h"
-#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
-
/*
Parses a KRB_PRIV message from inbuf, placing the confidential user
@@ -228,15 +226,9 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
- krb5_timestamp currenttime;
-
- if ((retval = krb5_timeofday(context, &currenttime)))
- goto error;
- if (!in_clock_skew(replaydata.timestamp)) {
- retval = KRB5KRB_AP_ERR_SKEW;
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
goto error;
- }
if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
"_priv", &replay.client)))
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 6d68cd922..d672b8b7e 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -63,7 +63,19 @@ static krb5_error_code decrypt_authenticator
(krb5_context, const krb5_ap_req *, krb5_authenticator **,
int);
-#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
+krb5_error_code
+krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
+{
+ krb5_timestamp currenttime;
+ krb5_error_code retval;
+
+ retval = krb5_timeofday(context, &currenttime);
+ if (retval)
+ return retval;
+ if (!(labs((date)-currenttime) < context->clockskew))
+ return KRB5KRB_AP_ERR_SKEW;
+ return 0;
+}
static krb5_error_code
krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
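Review bot: In krb5int_check_clockskew the difference `(date)-currenttime` is computed in the timestamp type before labs() sees it, and `date` appears to come from the received message at every call site. If krb5_timestamp is a signed 32-bit integer (its definition is not visible in this diff), a timestamp far from the local clock can overflow the subtraction, which is undefined behaviour in the very check meant to reject such values. Widening both operands first avoids that, e.g. `if (labs((long)date - (long)currenttime) >= context->clockskew)` where long is wider than the timestamp, or a 64-bit type where it is not. The function also deserves a header comment saying that it returns KRB5KRB_AP_ERR_SKEW when the absolute offset is greater than or equal to context->clockskew and passes through any krb5_timeofday error. The commit message mentions possibly generating an error message, but nothing in this body sets one.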
@@ -94,7 +106,6 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
- krb5_timestamp currenttime;
krb5_principal_data princ_data;
req->ticket->enc_part2 = NULL;
@@ -246,13 +257,8 @@ goto cleanup;
if (retval != 0)
goto cleanup;
- if ((retval = krb5_timeofday(context, &currenttime)))
- goto cleanup;
-
- if (!in_clock_skew((*auth_context)->authentp->ctime)) {
- retval = KRB5KRB_AP_ERR_SKEW;
+ if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
goto cleanup;
- }
if (check_valid_flag) {
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 2fa8ec43c..3eae17269 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/rd_safe.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -31,8 +31,6 @@
#include "cleanup.h"
#include "auth_con.h"
-#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
-
/*
parses a KRB_SAFE message from inbuf, placing the integrity-protected user
data in *outbuf.
@@ -231,15 +229,9 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
- krb5_timestamp currenttime;
-
- if ((retval = krb5_timeofday(context, &currenttime)))
- goto error;
- if (!in_clock_skew(replaydata.timestamp)) {
- retval = KRB5KRB_AP_ERR_SKEW;
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
goto error;
- }
if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
"_safe", &replay.client)))