From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 20:51:23 +0000 (-0400)
Subject: Allow clock skew in krb5 gss_context_time()
X-Git-Tag: krb5-1.15.2-final~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ea1b4dec15f26352da9e3f261cc0b4ea563beda;p=thirdparty%2Fkrb5.git

Allow clock skew in krb5 gss_context_time()

Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
the clock skew to krb5 acceptor context lifetimes for
gss_accept_sec_context() and gss_inquire_context(), but not for
gss_context_time().  Add the clock skew in gss_context_time() as well.

(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)

ticket: 8581
version_fixed: 1.15.2
---

diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
index a18cfb05b7..450593288c 100644
--- a/src/lib/gssapi/krb5/context_time.c
+++ b/src/lib/gssapi/krb5/context_time.c
@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
         return(GSS_S_FAILURE);
     }
 
-    if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
+    lifetime = ctx->krb_times.endtime - now;
+    if (!ctx->initiate)
+        lifetime += ctx->k5_context->clockskew;
+    if (lifetime <= 0) {
         *time_rec = 0;
         *minor_status = 0;
         return(GSS_S_CONTEXT_EXPIRED);