krb5 commit: Use KDC clock skew for AS-REQ timestamps

Greg Hudson ghudson at MIT.EDU
Wed Jun 5 18:28:56 EDT 2013


https://github.com/krb5/krb5/commit/73cec24defdc9bf203a39f2e1059ec74e5a32dd9
commit 73cec24defdc9bf203a39f2e1059ec74e5a32dd9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Jun 2 01:22:38 2013 -0400

    Use KDC clock skew for AS-REQ timestamps
    
    Calculate request timestamps each time we encode a request, and use
    the adjusted current time when calculating them, including adjustments
    resulting from preauth-required errors early in the AS exchange.
    
    As a side effect, this reverts one of the changes in commit
    37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again
    use the time adjustment from any ccache we read before the AS
    exchange, if we don't have a more specific adjustment from a
    preauth-required error.
    
    Based on a patch from Stef Walter.
    
    ticket: 7657 (new)

 src/lib/krb5/krb/get_in_tkt.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index b422d91..f8f3801 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -689,7 +689,13 @@ pick_nonce(krb5_context context, krb5_init_creds_context ctx)
 static krb5_error_code
 set_request_times(krb5_context context, krb5_init_creds_context ctx)
 {
-    krb5_timestamp from, now = time(NULL);
+    krb5_error_code code;
+    krb5_timestamp from, now;
+    krb5_int32 now_ms;
+
+    code = k5_init_creds_current_time(context, ctx, TRUE, &now, &now_ms);
+    if (code != 0)
+        return code;
 
     /* Omit request start time unless the caller explicitly asked for one. */
     from = krb5int_addint32(now, ctx->start_time);
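Review bot: The `TRUE` passed to `k5_init_creds_current_time()` in set_request_times deserves a comment, because as far as I can tell that argument permits a time offset learned from a preauth-required KRB-ERROR, which is not integrity-protected. The commit message confirms such offsets now feed the request timestamps, so a party able to forge that error could shift `from` and anything else derived from `now`. That is probably acceptable, since these are only requested values that the KDC checks against its own policy, but the reasoning should be written down above the call, e.g. `/* Unauthenticated KDC time is acceptable here; these are only requested times. */`. Separately, `now_ms` is only written in the visible lines; the function body continues outside the hunk, so if nothing later reads it, a brief note that it is just a required out-parameter would help.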
@@ -751,10 +757,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
             goto cleanup;
     }
 
-    code = set_request_times(context, ctx);
-    if (code != 0)
-        goto cleanup;
-
     krb5_free_principal(context, ctx->request->server);
     ctx->request->server = NULL;
 
@@ -1229,6 +1231,11 @@ init_creds_step_request(krb5_context context,
     if (code != 0)
         goto cleanup;
 
+    /* Reset the request timestamps, possibly adjusting to the KDC time. */
+    code = set_request_times(context, ctx);
+    if (code != 0)
+        goto cleanup;
+
     krb5_free_data(context, ctx->inner_request_body);
     ctx->inner_request_body = NULL;
     code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);

