Make krb5int_check_clockskew() public?

Linus Nordberg linus at nordu.net
Fri Oct 28 18:00:55 EDT 2011


Hi,

I'd like krb5int_check_clockskew() to be made public in order to not
have to peek into the krb5_context for clockskew.

The OTP plugin does this today, checking both sec and usec:

--8<---------------cut here---------------start------------->8---
ts_sec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
if (labs(now_sec - ts_sec) > context->clockskew
    || (labs(now_sec - ts_sec) == context->clockskew
        && ((now_sec > ts_sec && now_usec > ts_usec)
            || (now_sec < ts_sec && now_usec < ts_usec)))) {
    SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
    retval = KRB5KRB_AP_ERR_SKEW;
    goto errout;
}
--8<---------------cut here---------------end--------------->8---

If y'all think usec is important enough, I'd like to see a variant of
krb5int_check_clockskew() taking usec into account as well.

Thanks,
Linus



