krb5 commit: Allow clock skew in krb5 gss_accept_sec_context()
Greg Hudson
ghudson at mit.edu
Fri Oct 23 12:40:36 EDT 2015
https://github.com/krb5/krb5/commit/b496ce4095133536e0ace36b74130e4b9ecb5e11
commit b496ce4095133536e0ace36b74130e4b9ecb5e11
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Oct 8 08:53:37 2015 -0400
Allow clock skew in krb5 gss_accept_sec_context()
Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.
ticket: 8268
target_version: 1.14
tags: pullup
src/lib/gssapi/krb5/accept_sec_context.c | 18 ++++--------------
src/lib/gssapi/krb5/inq_context.c | 7 ++++++-
2 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 44ff65a..b7fffeb 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -325,12 +325,6 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
goto fail;
}
- if (ctx->krb_times.endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
ap_rep.data = input_token->value;
ap_rep.length = input_token->length;
@@ -358,7 +352,7 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
*mech_type = ctx->mech_used;
if (time_rec)
- *time_rec = ctx->krb_times.endtime - now;
+ *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
/* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
* delegation yet. */
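Review bot: The new `*time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;` has no lower bound, and with the `endtime < now` rejection deleted from this function earlier in the commit nothing in kg_accept_dce() guarantees the difference is non-negative any more; time_rec is an OM_uint32 in the GSS-API, so a negative result wraps to a lifetime near GSS_C_INDEFINITE instead of 0. The inq_context.c hunk of this same commit floors the equivalent value at 0, so this path should too: `if (time_rec) { krb5_deltat lifetime = ctx->krb_times.endtime + ctx->k5_context->clockskew - now; *time_rec = (lifetime > 0) ? lifetime : 0; }`. Whether the arithmetic is signed depends on the krb5_timestamp typedef, which is outside this hunk. kg_accept_dce() starts and ends outside the hunk.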
@@ -983,12 +977,6 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- if (ctx->krb_times.endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv,
(ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
(ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0,
@@ -1152,8 +1140,10 @@ kg_accept_krb5(minor_status, context_handle,
if (mech_type)
*mech_type = (gss_OID) mech_used;
+ /* Add the maximum allowable clock skew as a grace period for context
+ * expiration, just as we do for the ticket. */
if (time_rec)
- *time_rec = ctx->krb_times.endtime - now;
+ *time_rec = ctx->krb_times.endtime + context->clockskew - now;
if (ret_flags)
*ret_flags = ctx->gss_flags;
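Review bot: `*time_rec = ctx->krb_times.endtime + context->clockskew - now;` is stored unclamped into an OM_uint32, so once now is past endtime plus skew the negative difference wraps to a near-GSS_C_INDEFINITE lifetime, whereas the same commit floors the equivalent value at 0 in krb5_gss_inquire_context(); the two lifetimes reported for one acceptor context can therefore disagree. Apply the same floor here: `if (time_rec) { krb5_deltat lifetime = ctx->krb_times.endtime + context->clockskew - now; *time_rec = (lifetime > 0) ? lifetime : 0; }`. The new comment says the skew is added "just as we do for the ticket" without saying where that happens; naming the call (presumably krb5_rd_req(), earlier in this function and outside the hunk) would save the next reader a search. kg_accept_krb5() starts outside the hunk.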
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index cc06a93..9024b3c 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -118,7 +118,12 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
return(GSS_S_FAILURE);
}
- if ((lifetime = ctx->krb_times.endtime - now) < 0)
+ /* Add the maximum allowable clock skew as a grace period for context
+ * expiration, just as we do for the ticket during authentication. */
+ lifetime = ctx->krb_times.endtime - now;
+ if (!ctx->initiate)
+ lifetime += context->clockskew;
+ if (lifetime < 0)
lifetime = 0;
if (initiator_name) {
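Review bot: The grace added at `lifetime += context->clockskew;` only changes what krb5_gss_inquire_context() reports; if the per-message paths (wrap, unwrap, MIC) still compare now against `ctx->krb_times.endtime` without the skew — they are outside this diff, so I cannot confirm — an acceptor context will be reported as live for up to clockskew seconds while those calls already fail with GSS_S_CONTEXT_EXPIRED, and that should be checked or noted in the commit. The comment's "just as we do for the ticket during authentication" would be more useful if it named the check it mirrors, e.g. `/* Acceptor contexts get the configured clockskew as a grace period, matching the skew-tolerant ticket expiration check applied when the AP-REQ was accepted (krb5_rd_req()). */`. krb5_gss_inquire_context() starts and ends outside the hunk.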