Make krb5int_check_clockskew() public?
Sam Hartman
hartmans at MIT.EDU
Sat Oct 29 18:35:08 EDT 2011
>>>>> "Linus" == Linus Nordberg <linus at nordu.net> writes:
Linus> ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
Linus> ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
Linus> if (labs(now_sec - ts_sec) > context->clockskew ||
Linus>     (labs(now_sec - ts_sec) == context->clockskew &&
Linus>      ((now_sec > ts_sec && now_usec > ts_usec) ||
Linus>       (now_sec < ts_sec && now_usec < ts_usec)))) {
Linus>     SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
Linus>     retval = KRB5KRB_AP_ERR_SKEW;
Linus>     goto
I don't object to exposing a way to check skew to plugins. However,
your ASN.1 decoder is mighty strange if it produces a structure
depending on size of the armor key from an encrypted timestamp preauth.
I'd expect the encoding of the following sequence:
PA-ENC-TS-ENC ::= SEQUENCE {
        patimestamp     [0] KerberosTime -- client's time --,
        pausec          [1] Microseconds OPTIONAL
}
So I'm surprised if the code you describe is correct.
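
The boundary case in the quoted check (seconds difference exactly equal to the skew limit, decided by the microseconds), as an added example that is not part of the original message and not MIT krb5 code. within_clockskew() is a hypothetical helper that compares the whole difference in microseconds; the timestamps and the 300-second limit are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

#define USEC_PER_SEC 1000000LL

/* Hypothetical helper, not an MIT krb5 function. Returns 1 when the client
 * timestamp (ts_sec, ts_usec) is within skew_sec seconds of the local time
 * (now_sec, now_usec), else 0. Seconds are 32-bit, so the widened
 * microsecond arithmetic below cannot overflow int64_t. */
int within_clockskew(int32_t now_sec, int32_t now_usec,
                     int32_t ts_sec, int32_t ts_usec, int32_t skew_sec)
{
    int64_t delta_us;

    /* Microseconds is INTEGER (0..999999) in RFC 4120; reject anything else. */
    if (skew_sec < 0 || now_usec < 0 || now_usec >= USEC_PER_SEC ||
        ts_usec < 0 || ts_usec >= USEC_PER_SEC)
        return 0;

    /* Signed difference in microseconds, then its absolute value. */
    delta_us = ((int64_t)now_sec - ts_sec) * USEC_PER_SEC
             + ((int64_t)now_usec - ts_usec);
    if (delta_us < 0)
        delta_us = -delta_us;
    return delta_us <= (int64_t)skew_sec * USEC_PER_SEC;
}

int main(void)
{
    /* Constructed sample values: timestamps 300 s apart, skew limit 300 s. */
    printf("exactly at limit:  %d\n", within_clockskew(1300, 0, 1000, 0, 300));
    printf("1 usec too old:    %d\n", within_clockskew(1300, 1, 1000, 0, 300));
    printf("1 usec too new:    %d\n", within_clockskew(1000, 0, 1300, 1, 300));
    printf("usec out of range: %d\n", within_clockskew(1000, 1000000, 1000, 0, 300));
    return 0;
}
```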