krb5 commit: Use krb5_check_clockskew() in KDC preauth mechs
Greg Hudson
ghudson at mit.edu
Mon Apr 24 17:32:57 EDT 2017
https://github.com/krb5/krb5/commit/ac0236d33f07d3a6ba977471502ce6c6a3d142da
commit ac0236d33f07d3a6ba977471502ce6c6a3d142da
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Apr 24 01:45:11 2017 -0400
Use krb5_check_clockskew() in KDC preauth mechs
src/kdc/kdc_preauth_ec.c | 31 +++++++++++++------------------
src/kdc/kdc_preauth_encts.c | 9 ++-------
2 files changed, 15 insertions(+), 25 deletions(-)
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index d29ab53..7e636b3 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_error_code retval = 0;
- krb5_timestamp now;
krb5_enc_data *enc = NULL;
krb5_data scratch, plain;
krb5_keyblock *armor_key = cb->fast_armor(context, rock);
@@ -124,24 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
if (retval == 0)
retval = decode_krb5_pa_enc_ts(&plain, &ts);
if (retval == 0)
- retval = krb5_timeofday(context, &now);
+ retval = krb5_check_clockskew(context, ts->patimestamp);
if (retval == 0) {
- if (labs(now-ts->patimestamp) < context->clockskew) {
- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- /*
- * If this fails, we won't generate a reply to the client. That
- * may cause the client to fail, but at this point the KDC has
- * considered this a success, so the return value is ignored.
- */
- if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
- &client_keys[i], "challengelongterm",
- &kdc_challenge_key) == 0) {
- modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
- if (ai != NULL)
- cb->add_auth_indicator(context, rock, ai);
- }
- } else { /*skew*/
- retval = KRB5KRB_AP_ERR_SKEW;
+ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+ /*
+ * If this fails, we won't generate a reply to the client. That may
+ * cause the client to fail, but at this point the KDC has considered
+ * this a success, so the return value is ignored.
+ */
+ if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
+ &client_keys[i], "challengelongterm",
+ &kdc_challenge_key) == 0) {
+ modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
+ if (ai != NULL)
+ cb->add_auth_indicator(context, rock, ai);
}
}
cb->free_keys(context, rock, client_keys);
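Review bot: The skew policy that used to be visible here (`labs(now-ts->patimestamp) < context->clockskew`) now lives entirely inside krb5_check_clockskew(), and nothing at L30 tells a reader which direction or boundary rule is being enforced or that a failing check is what yields the skew error the old `else` branch produced. A one-line comment above the call would keep that visible: `/* Reject the challenge unless the client timestamp is within the configured clock skew; the exact boundary rule lives in krb5_check_clockskew(). */`. Presumably the helper returns KRB5KRB_AP_ERR_SKEW on failure as the removed branch did, but that is not shown in this hunk, so it is worth confirming the client-visible error code is unchanged. ec_verify continues outside this hunk in both directions.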
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index e80dc12..25fc784 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -58,7 +58,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_keyblock key;
krb5_key_data * client_key;
krb5_int32 start;
- krb5_timestamp timenow;
scratch.data = (char *)pa->contents;
scratch.length = pa->length;
@@ -95,14 +94,10 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
goto cleanup;
- if ((retval = krb5_timeofday(context, &timenow)) != 0)
+ retval = krb5_check_clockskew(context, pa_enc->patimestamp);
+ if (retval)
goto cleanup;
- if (labs(timenow - pa_enc->patimestamp) > context->clockskew) {
- retval = KRB5KRB_AP_ERR_SKEW;
- goto cleanup;
- }
-
setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
retval = 0;
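Review bot: `retval = 0;` at L87 is now dead: control only reaches setflag() when krb5_check_clockskew() returned zero at L78-L80, so the assignment can be dropped (`setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);` followed directly by the cleanup path). Separately, the removed test here accepted a timestamp exactly clockskew seconds away (`> clockskew` rejects), whereas the removed test in ec_verify rejected it (`< clockskew` accepts), so whichever boundary krb5_check_clockskew() applies, one of the two mechanisms changes behavior at the equality point; a sentence in the commit message noting that unification is intentional would help anyone bisecting a skew failure. enc_ts_verify continues outside this hunk.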