]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f260013)
Use KDC clock skew for AS-REQ timestamps
authorGreg Hudson <ghudson@mit.edu>
Sun, 2 Jun 2013 05:22:38 +0000 (01:22 -0400)
committerGreg Hudson <ghudson@mit.edu>
Wed, 5 Jun 2013 20:26:06 +0000 (16:26 -0400)
Calculate request timestamps each time we encode a request, and use
the adjusted current time when calculating them, including adjustments
resulting from preauth-required errors early in the AS exchange.

As a side effect, this reverts one of the changes in commit
37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again
use the time adjustment from any ccache we read before the AS
exchange, if we don't have a more specific adjustment from a
preauth-required error.

Based on a patch from Stef Walter.

ticket: 7657 (new)

src/lib/krb5/krb/get_in_tkt.c patch | blob | blame | history

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index b422d916a2f6ec882ba508b9d7aa7869b782c89f..f8f38014b62890bc2d9e5d25fcf138b300cbf18c 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -689,7 +689,13 @@ pick_nonce(krb5_context context, krb5_init_creds_context ctx)
 static krb5_error_code
 set_request_times(krb5_context context, krb5_init_creds_context ctx)
 {
-    krb5_timestamp from, now = time(NULL);
+    krb5_error_code code;
+    krb5_timestamp from, now;
+    krb5_int32 now_ms;
+
+    code = k5_init_creds_current_time(context, ctx, TRUE, &now, &now_ms);
+    if (code != 0)
+        return code;
 
     /* Omit request start time unless the caller explicitly asked for one. */
     from = krb5int_addint32(now, ctx->start_time);
@@ -751,10 +757,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
             goto cleanup;
     }
 
-    code = set_request_times(context, ctx);
-    if (code != 0)
-        goto cleanup;
-
     krb5_free_principal(context, ctx->request->server);
     ctx->request->server = NULL;
 
@@ -1229,6 +1231,11 @@ init_creds_step_request(krb5_context context,
     if (code != 0)
         goto cleanup;
 
+    /* Reset the request timestamps, possibly adjusting to the KDC time. */
+    code = set_request_times(context, ctx);
+    if (code != 0)
+        goto cleanup;
+
     krb5_free_data(context, ctx->inner_request_body);
     ctx->inner_request_body = NULL;
     code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);
Mirror of https://github.com/krb5/krb5.git