krb5 commit [krb5-1.10]: Fix spurious clock skew caused by gak_fct delay

Tom Yu tlyu at MIT.EDU
Wed Jan 2 18:59:32 EST 2013


https://github.com/krb5/krb5/commit/d6a6cd0e84154c782975955784678ebeebfee488
commit d6a6cd0e84154c782975955784678ebeebfee488
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jan 11 21:20:08 2012 +0000

    Fix spurious clock skew caused by gak_fct delay
    
    In get_in_tkt.c, a time offset is computed between the KDC's auth_time
    and the current system time after the reply is decrypted.  Time may
    have elapsed between these events because of a gak_fct invocation
    which blocks on user input.  The resulting spurious time offset can
    cause subsequent TGS-REQs to fail and can also cause the end time of
    the next AS request to be in the past (issue #889) in cases where the
    old ccache is opened to find the default principal.
    
    Use the system time, without offset, for the request time of an AS
    request, for more predictable kinit behavior.  Use this request time,
    rather than the current time, when computing the clock skew after the
    reply is decrypted.
    
    (cherry picked from commit 37b0e55e21926c7875b7176e24e13005920915a6)
    
    ticket: 7528 (new)
    version_fixed: 1.10.4
    status: resolved

 src/lib/krb5/krb/get_in_tkt.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 11782ad..3bee93e 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -154,6 +154,7 @@ verify_as_reply(krb5_context            context,
     krb5_error_code             retval;
     int                         canon_req;
     int                         canon_ok;
+    krb5_timestamp              time_offset;
 
     /* check the contents for sanity: */
     if (!as_reply->enc_part2->times.starttime)
@@ -216,8 +217,8 @@ verify_as_reply(krb5_context            context,
     }
 
     if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
-        retval = krb5_set_real_time(context,
-                                    as_reply->enc_part2->times.authtime, -1);
+        time_offset = as_reply->enc_part2->times.authtime - time_now;
+        retval = krb5_set_time_offsets(context, time_offset, 0);
         if (retval)
             return retval;
     } else {
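Review bot: `time_now` is not visible in this hunk, and after this change its name no longer describes its value: the commit message says the skew is now measured against the time at which the AS request was built (ctx->request_time), not the wall clock read after decryption. If `time_now` is the verify_as_reply parameter that the caller fills from ctx->request_time, consider renaming it (e.g. `request_time`) or putting a one-line comment above `time_offset = as_reply->enc_part2->times.authtime - time_now;` stating that the reference is deliberately the request time, so a later reader does not "fix" it back to a fresh timeofday call. Worth noting in that comment too that the resulting offset still absorbs the delay between building the request and the KDC stamping authtime, which is the intended residual rather than an error.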
@@ -747,9 +748,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
     if (code != 0)
         goto cleanup;
 
-    code = krb5_timeofday(context, &ctx->request_time);
-    if (code != 0)
-        goto cleanup;
+    ctx->request_time = time(NULL);
 
     code = krb5int_fast_as_armor(context, ctx->fast_state,
                                  ctx->opte, ctx->request);
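Review bot: `ctx->request_time = time(NULL);` silently narrows a `time_t` into `krb5_timestamp` and drops the error path that `krb5_timeofday` had; an explicit `(krb5_timestamp)time(NULL)` makes the narrowing visible to compilers and readers, and a short comment saying why the context's time offset is bypassed here (so a stale offset, e.g. one picked up from the old ccache, cannot shift the new request's times, per the commit message) documents an intent that is otherwise invisible in the code. Please also confirm that `<time.h>` is reached through this file's existing includes, since the hunk adds none.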

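To make the failure described in the commit message concrete, the following is an added C example, not krb5 code and not part of this commit: it models the offset that verify_as_reply records after an AS exchange both ways (against the wall clock after decryption, as before the fix, and against the time the AS-REQ was built, as after it) and then runs a simplified KDC clock-skew check on a TGS-REQ sent immediately afterwards. The 300-second tolerance is the krb5.conf `clockskew` default assumed here, the KDC check is a simplification, and all function names and the timeline values are constructed for illustration.

```c
#include <stdio.h>

/* Default clockskew tolerance (seconds) from krb5.conf; assumed here for
 * illustration, not read from any configuration. */
#define CLOCKSKEW 300

/* Time offset the client records after an AS exchange: the KDC's authtime
 * minus a client-side reference time. Before the fix the reference was the
 * wall clock read after the reply was decrypted; after it, the time at which
 * the AS-REQ was built (ctx->request_time). Hypothetical helper. */
static int as_time_offset(int authtime, int reference_time)
{
    return authtime - reference_time;
}

/* Simplified KDC-side skew check: a request's claimed time is accepted if it
 * lies within CLOCKSKEW of the KDC's clock, otherwise KRB_AP_ERR_SKEW. */
static int kdc_accepts_time(int claimed_time, int kdc_time)
{
    int delta = claimed_time - kdc_time;
    if (delta < 0)
        delta = -delta;
    return delta <= CLOCKSKEW;
}

/* Runs one constructed timeline and returns 1 if a TGS-REQ sent right after
 * the AS exchange passes the KDC's skew check, 0 if it is rejected.
 *   kdc_ahead:        true KDC clock minus true client clock (seconds)
 *   kdc_delay:        seconds from building the AS-REQ until the KDC stamps authtime
 *   prompt_delay:     seconds the gak_fct blocked on password entry before decryption
 *   use_request_time: 1 = compute the offset as the fix does, 0 = the old way */
static int tgs_req_passes(int kdc_ahead, int kdc_delay, int prompt_delay,
                          int use_request_time)
{
    int t_request = 1000;                                 /* client clock when AS-REQ built */
    int authtime = t_request + kdc_delay + kdc_ahead;     /* KDC clock when it issued the ticket */
    int t_decrypt = t_request + kdc_delay + prompt_delay; /* client clock after decryption */
    int reference = use_request_time ? t_request : t_decrypt;
    int offset = as_time_offset(authtime, reference);

    /* The TGS-REQ goes out a second later, stamped with local clock + offset. */
    int t_send = t_decrypt + 1;
    int claimed = t_send + offset;
    int kdc_now = t_send + kdc_ahead;
    return kdc_accepts_time(claimed, kdc_now);
}

int main(void)
{
    int delays[] = {5, 60, 299, 301, 900};
    size_t i;

    printf("prompt_delay  old_offset_passes  fixed_offset_passes\n");
    for (i = 0; i < sizeof delays / sizeof delays[0]; i++) {
        printf("%12d  %17s  %19s\n", delays[i],
               tgs_req_passes(2, 1, delays[i], 0) ? "yes" : "no",
               tgs_req_passes(2, 1, delays[i], 1) ? "yes" : "no");
    }
    return 0;
}
```

With the old reference the recorded offset is the real skew minus the prompt delay, so every later request is stamped prompt_delay seconds behind the KDC and fails as soon as the user took longer than the tolerance to type a password; with the request-time reference the residual error is only the delay until the KDC stamped authtime, so the check fails only if that delay itself exceeds the tolerance.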
