[krbdev.mit.edu #5924] SVN Commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Mon Jul 14 18:12:14 EDT 2008


pull up r20413 from trunk

 r20413 at cathode-dark-space:  jaltman | 2008-06-18 15:36:49 -0400
 ticket: 5924
 tags: pullup
 
 This patch is derived from a patch originally submitted to RT
 by: Nik Conwell <nik at bu.edu>
 
 krb5_set_real_time() accepts as input the time of the KDC
 or an application server as a combination of seconds and 
 microseconds.  Often it is the case that the time source 
 does not provide the real time with less than one second
 granularity.  Up until this patch such a caller would fill
 in the microseconds parameter as zero.   krb5_set_real_time() 
 would treat the zero microseconds as the actual reported 
 time and compute a microsecond based offset.  
 
 During a one second window subsequent calls to 
 krb5_set_real_time() would have an ever increasing offset 
 size until the number of seconds is incremented.  This
 in turn produces a side effect in which the microseconds
 value of the local clock is effectively erased.
 
 If there are multiple processes or threads on the same
 machine each requesting service tickets using the same
 client principal for the same service principal where
 the number of seconds reported by the KDC are equivalent,
 then they will now all create authenticators with 
 exactly the same timestamp.  As a result, the authenticating
 service will detect a replay attack even though the 
 authenticators are actually unique.  The replay cache
 only maintains a tuple of client, server and timestamp.
 
 This patch modifies the interpretation of the microseconds
 parameter.  If -1 is specified, the microseconds offset is
 ignored.
 
 


Commit By: tlyu



Revision: 20519
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/krb/get_in_tkt.c
U   branches/krb5-1-6/src/lib/krb5/os/toffset.c




More information about the krb5-bugs mailing list