Make krb5int_check_clockskew() public?
Chris Hecker
checker at d6.com
Fri Oct 28 18:42:32 EDT 2011
Yes please! You can't check ticket expiration without it, so I had to
hack it for this:
krb5_error_code check_ticket_duration( krb5_context context,
                                       krb5_ticket_times tkt_times, krb5_timestamp duration )
{
    // stolen from ksu/ccache.c
    krb5_error_code retval = 0;
    krb5_timestamp currenttime;
    if((retval = krb5_timeofday(context, &currenttime))) {
        return retval;
    }
    int clockskew = 5*60; // @todo lame! in context, but in k5-int.h
    // fail if the ticket will not stay valid for another 'duration' seconds
    if((currenttime + duration - tkt_times.endtime) > clockskew) {
        retval = KRB5KRB_AP_ERR_TKT_EXPIRED;
        return retval;
    }
    return 0;
}
Chris
On 2011/10/28 15:00, Linus Nordberg wrote:
> Hi,
>
> I'd like krb5int_check_clockskew() to be made public in order to not
> have to peek into the krb5_context for clockskew.
>
> The OTP plugin does this today, checking both sec and usec:
>
> --8<---------------cut here---------------start------------->8---
> ts_sec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
> ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
> if (labs(now_sec - ts_sec) > context->clockskew
>     || (labs(now_sec - ts_sec) == context->clockskew
>         && ((now_sec > ts_sec && now_usec > ts_usec)
>             || (now_sec < ts_sec && now_usec < ts_usec)))) {
>     SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
>     retval = KRB5KRB_AP_ERR_SKEW;
>     goto errout;
> }
> --8<---------------cut here---------------end--------------->8---
>
> If y'all think usec is important enough, I'd like to see a variant of
> krb5int_check_clockskew() taking usec into account as well.
>
> Thanks,
> Linus
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
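Added example (not code from this thread or from MIT krb5): the seconds-only skew test beside a microsecond-aware one, showing a timestamp that the seconds-only check accepts but the usec-aware check rejects. ts_t, SKEW_OK and ERR_SKEW are hypothetical stand-ins for krb5_timestamp and KRB5KRB_AP_ERR_SKEW; the sample timestamps are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-ins for the krb5 types and codes discussed on the list
 * (krb5_timestamp, KRB5KRB_AP_ERR_SKEW); real code would take them from krb5.h. */
typedef int32_t ts_t;
enum { SKEW_OK = 0, ERR_SKEW = 1 };

/* Seconds-only check, the granularity krb5int_check_clockskew() works at:
 * reject when the absolute difference exceeds the permitted skew. */
int check_skew_sec(ts_t now_sec, ts_t ts_sec, int clockskew)
{
    long diff = labs((long)now_sec - (long)ts_sec);
    return diff > clockskew ? ERR_SKEW : SKEW_OK;
}

/* Microsecond-aware variant.  Doing the arithmetic in 64-bit microseconds
 * gives the same accept/reject decision as the four-way sec/usec comparison
 * quoted from the OTP plugin, with a single comparison to audit. */
int check_skew_usec(ts_t now_sec, int32_t now_usec,
                    ts_t ts_sec, int32_t ts_usec, int clockskew)
{
    int64_t now  = (int64_t)now_sec * 1000000 + now_usec;
    int64_t ts   = (int64_t)ts_sec  * 1000000 + ts_usec;
    int64_t diff = now > ts ? now - ts : ts - now;
    return diff > (int64_t)clockskew * 1000000 ? ERR_SKEW : SKEW_OK;
}

int main(void)
{
    const int clockskew = 5 * 60;   /* the 300 s value used in the thread */
    /* Constructed sample: the timestamp is exactly 300 s plus 500 us old. */
    ts_t now_sec = 1000 + clockskew; int32_t now_usec = 500;
    ts_t ts_sec  = 1000;             int32_t ts_usec  = 0;
    printf("seconds-only: %d, with usec: %d\n",
           check_skew_sec(now_sec, ts_sec, clockskew),
           check_skew_usec(now_sec, now_usec, ts_sec, ts_usec, clockskew));
    return 0;
}
```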