krb5 commit: Allow clock skew in krb5 gss_accept_sec_context()

Greg Hudson ghudson at mit.edu
Fri Oct 23 12:40:36 EDT 2015


https://github.com/krb5/krb5/commit/b496ce4095133536e0ace36b74130e4b9ecb5e11
commit b496ce4095133536e0ace36b74130e4b9ecb5e11
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Oct 8 08:53:37 2015 -0400

    Allow clock skew in krb5 gss_accept_sec_context()
    
    Remove an unnecessarily strict check for ticket expiration from
    kg_accept_krb5() and kg_accept_dce().  Instead, add the maximum
    allowable clock skew to the reported lifetime of acceptor contexts.
    
    ticket: 8268
    target_version: 1.14
    tags: pullup

 src/lib/gssapi/krb5/accept_sec_context.c |   18 ++++--------------
 src/lib/gssapi/krb5/inq_context.c        |    7 ++++++-
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 44ff65a..b7fffeb 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -325,12 +325,6 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
         goto fail;
     }
 
-    if (ctx->krb_times.endtime < now) {
-        code = 0;
-        major_status = GSS_S_CREDENTIALS_EXPIRED;
-        goto fail;
-    }
-
     ap_rep.data = input_token->value;
     ap_rep.length = input_token->length;
 
@@ -358,7 +352,7 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
         *mech_type = ctx->mech_used;
 
     if (time_rec)
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
 
     /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
      * delegation yet. */
@@ -983,12 +977,6 @@ kg_accept_krb5(minor_status, context_handle,
         goto fail;
     }
 
-    if (ctx->krb_times.endtime < now) {
-        code = 0;
-        major_status = GSS_S_CREDENTIALS_EXPIRED;
-        goto fail;
-    }
-
     code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv,
                            (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
                            (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0,
@@ -1152,8 +1140,10 @@ kg_accept_krb5(minor_status, context_handle,
     if (mech_type)
         *mech_type = (gss_OID) mech_used;
 
+    /* Add the maximum allowable clock skew as a grace period for context
+     * expiration, just as we do for the ticket. */
     if (time_rec)
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ctx->krb_times.endtime + context->clockskew - now;
 
     if (ret_flags)
         *ret_flags = ctx->gss_flags;
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index cc06a93..9024b3c 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -118,7 +118,12 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
             return(GSS_S_FAILURE);
         }
 
-        if ((lifetime = ctx->krb_times.endtime - now) < 0)
+        /* Add the maximum allowable clock skew as a grace period for context
+         * expiration, just as we do for the ticket during authentication. */
+        lifetime = ctx->krb_times.endtime - now;
+        if (!ctx->initiate)
+            lifetime += context->clockskew;
+        if (lifetime < 0)
             lifetime = 0;
 
         if (initiator_name) {


More information about the cvs-krb5 mailing list