goto fail;
}
- if (ctx->krb_times.endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
ap_rep.data = input_token->value;
ap_rep.length = input_token->length;
*mech_type = ctx->mech_used;
if (time_rec)
- *time_rec = ctx->krb_times.endtime - now;
+ *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
/* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
* delegation yet. */
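Review bot: The new `*time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;` can go negative once the context is more than `clockskew` past `endtime`, and the `endtime < now` guard removed just above it no longer keeps that case from reaching the assignment. If `time_rec` is the unsigned `OM_uint32` output of the GSS-API call, a negative difference wraps to a very large remaining lifetime, so an expired context would be reported to the caller as long-lived. The later assignment using `context->clockskew` has the same shape after its own `GSS_S_CREDENTIALS_EXPIRED` check is dropped. I would clamp the way the `if (lifetime < 0) lifetime = 0;` change further down does, e.g. `krb5_timestamp left = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;` followed by `*time_rec = (left > 0) ? left : 0;`, or keep the removed check with the skew added to `endtime`. The enclosing function starts and ends outside the hunk, so whether ticket validation elsewhere already bounds this value is not visible here.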
goto fail;
}
- if (ctx->krb_times.endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv,
(ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
(ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0,
if (mech_type)
*mech_type = (gss_OID) mech_used;
+ /* Add the maximum allowable clock skew as a grace period for context
+ * expiration, just as we do for the ticket. */
if (time_rec)
- *time_rec = ctx->krb_times.endtime - now;
+ *time_rec = ctx->krb_times.endtime + context->clockskew - now;
if (ret_flags)
*ret_flags = ctx->gss_flags;
return(GSS_S_FAILURE);
}
- if ((lifetime = ctx->krb_times.endtime - now) < 0)
+ /* Add the maximum allowable clock skew as a grace period for context
+ * expiration, just as we do for the ticket during authentication. */
+ lifetime = ctx->krb_times.endtime - now;
+ if (!ctx->initiate)
+ lifetime += context->clockskew;
+ if (lifetime < 0)
lifetime = 0;
if (initiator_name) {