[krbdev.mit.edu #7222] gss_accept_sec_context doesn't allow for clock skew

Arlene Berry via RT rt-comment at krbdev.mit.edu
Mon Jul 30 16:30:09 EDT 2012


kg_accept_krb5 in src/lib/gssapi/krb5/accept_sec_context.c doesn't allow
for clock skew when checking the context end time (line 983), which RFC
4120 section 3.2.3 "Receipt of KRB5_AP_REQ Message" states should be
done, and we've seen failures because of it. Our current patch just adds
the skew to the end time at about line 952, but I'm not certain whether
that's the best solution. It's not sufficient to include the skew when
checking the end time because the calculation of time_rec also needs to
take it into account so as not to have a negative result. kg_accept_dce
has the same issue.
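
The interaction the report describes, as an added example that is not part of the original message and is not MIT krb5 code: it compares applying the skew only in the expiry comparison against adding it to the end time, and shows the negative remaining lifetime wrapping when it is stored in an unsigned 32-bit time_rec. The names `check_lifetime`, `skew_mode` and `struct lifetime`, the expiry comparison, and the sample timestamps are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; timestamps are seconds, standing in for krb5_timestamp. */
enum skew_mode { NO_SKEW, SKEW_IN_CHECK_ONLY, SKEW_ADDED_TO_ENDTIME };

struct lifetime {
    int expired;           /* 1 if the context is rejected as expired */
    int64_t remaining;     /* signed remaining lifetime in seconds */
    uint32_t time_rec;     /* the same value as seen through an OM_uint32 */
};

/* Assumed expiry rule: the context is expired once now is past the end time. */
static struct lifetime
check_lifetime(int32_t endtime, int32_t now, int32_t skew, enum skew_mode mode)
{
    struct lifetime r;
    int64_t end = endtime;

    if (mode == SKEW_ADDED_TO_ENDTIME)
        end += skew;                    /* extend the end time itself */

    if (mode == SKEW_IN_CHECK_ONLY)
        r.expired = now > end + skew;   /* tolerance applied to the comparison only */
    else
        r.expired = now > end;

    r.remaining = end - now;            /* negative when the skew was not folded in */
    r.time_rec = (uint32_t)r.remaining; /* a negative value wraps to a huge lifetime */
    return r;
}

int main(void)
{
    /* Constructed sample: end time 1000, acceptor clock 1120, allowed skew 300. */
    static const char *names[] = { "no skew", "skew in check only", "skew added to end time" };
    for (int m = NO_SKEW; m <= SKEW_ADDED_TO_ENDTIME; m++) {
        struct lifetime r = check_lifetime(1000, 1120, 300, (enum skew_mode)m);
        printf("%-24s expired=%d remaining=%lld time_rec=%u\n",
               names[m], r.expired, (long long)r.remaining, (unsigned)r.time_rec);
    }
    return 0;
}
```
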



