svn rev #25644: trunk/src/lib/krb5/krb/
ghudson@MIT.EDU
Wed Jan 11 16:20:08 EST 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25644
Commit By: ghudson
Log Message:
ticket: 7063

Fix spurious clock skew caused by gak_fct delay

In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.

Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2012-01-11 05:12:47 UTC (rev 25643)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2012-01-11 21:20:08 UTC (rev 25644)
@@ -154,6 +154,7 @@
krb5_error_code retval;
int canon_req;
int canon_ok;
+ krb5_timestamp time_offset;
/* check the contents for sanity: */
if (!as_reply->enc_part2->times.starttime)
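Review bot: time_offset is declared at function scope beside canon_ok, but the only use visible in this patch is inside the KRB5_LIBOPT_SYNC_KDCTIME branch. Declaring it in that block would keep the variable next to its single assignment and make it obvious that the other branch never touches it.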
@@ -216,8 +217,8 @@
}
if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
- retval = krb5_set_real_time(context,
- as_reply->enc_part2->times.authtime, -1);
+ time_offset = as_reply->enc_part2->times.authtime - time_now;
+ retval = krb5_set_time_offsets(context, time_offset, 0);
if (retval)
return retval;
} else {
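Review bot: the line "time_offset = as_reply->enc_part2->times.authtime - time_now;" carries the whole fix but has no comment, and time_now is not defined in the visible context. A short comment stating that time_now is the AS request time rather than the current time, and why (the gak_fct prompt delay described in the log message), would stop a later cleanup from reverting it to a fresh clock read. The old call passed -1 as the microseconds argument and the new one passes 0 to krb5_set_time_offsets; the comment should also say that the microsecond offset is intentionally zeroed. Since authtime comes from the reply, it is worth confirming that the signed subtraction cannot overflow for an authtime far from time_now.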
@@ -742,9 +743,7 @@
if (code != 0)
goto cleanup;
- code = krb5_timeofday(context, &ctx->request_time);
- if (code != 0)
- goto cleanup;
+ ctx->request_time = time(NULL);
code = krb5int_fast_as_armor(context, ctx->fast_state,
ctx->opte, ctx->request);
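Review bot: "ctx->request_time = time(NULL);" removes the error path that the krb5_timeofday call had and assigns a time_t straight into request_time. time() can return (time_t)-1 on failure, and the assignment narrows silently where time_t is wider than the field, so an explicit check or cast would make the intent clear. A one-line comment that the context's time offset is deliberately not applied here would also help, because krb5_timeofday is the usual call and someone may be tempted to restore it.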