From: Greg Hudson
Date: Mon, 24 Apr 2017 05:45:11 +0000 (-0400)
Subject: Use krb5_check_clockskew() in KDC preauth mechs
X-Git-Tag: krb5-1.16-beta1~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac0236d33f07d3a6ba977471502ce6c6a3d142da;p=thirdparty%2Fkrb5.git

Use krb5_check_clockskew() in KDC preauth mechs
---
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index d29ab53818..7e636b3f9f 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
           krb5_kdcpreauth_verify_respond_fn respond, void *arg)
 {
     krb5_error_code retval = 0;
-    krb5_timestamp now;
     krb5_enc_data *enc = NULL;
     krb5_data scratch, plain;
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
@@ -124,24 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     if (retval == 0)
         retval = decode_krb5_pa_enc_ts(&plain, &ts);
     if (retval == 0)
-        retval = krb5_timeofday(context, &now);
+        retval = krb5_check_clockskew(context, ts->patimestamp);
     if (retval == 0) {
-        if (labs(now-ts->patimestamp) < context->clockskew) {
-            enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-            /*
-             * If this fails, we won't generate a reply to the client. That
-             * may cause the client to fail, but at this point the KDC has
-             * considered this a success, so the return value is ignored.
-             */
-            if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
-                                     &client_keys[i], "challengelongterm",
-                                     &kdc_challenge_key) == 0) {
-                modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
-                if (ai != NULL)
-                    cb->add_auth_indicator(context, rock, ai);
-            }
-        } else { /*skew*/
-            retval = KRB5KRB_AP_ERR_SKEW;
+        enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+        /*
+         * If this fails, we won't generate a reply to the client. That may
+         * cause the client to fail, but at this point the KDC has considered
+         * this a success, so the return value is ignored.
+         */
+        if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
+                                 &client_keys[i], "challengelongterm",
+                                 &kdc_challenge_key) == 0) {
+            modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
+            if (ai != NULL)
+                cb->add_auth_indicator(context, rock, ai);
         }
     }
     cb->free_keys(context, rock, client_keys);
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index e80dc12a8c..25fc784576 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -58,7 +58,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_keyblock key;
     krb5_key_data * client_key;
     krb5_int32 start;
-    krb5_timestamp timenow;
 
     scratch.data = (char *)pa->contents;
     scratch.length = pa->length;
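Review bot: The edge of the skew window in ec_verify moves with this hunk: the removed test accepted a timestamp only when `labs(now-ts->patimestamp) < context->clockskew`, so a delta exactly equal to clockskew was rejected, whereas the new krb5_check_clockskew() call appears to apply the inclusive comparison that kdc_preauth_encts.c already used (its hunk at @@ -95,14 rejected with `>`), so that boundary value is now accepted by the encrypted-challenge mech. That is presumably the intent, making both preauth mechs agree and routing the comparison through one helper that can handle timestamp wraparound, but it is a silent behaviour change that deserves a sentence in the commit message. The KRB5KRB_AP_ERR_SKEW code sent to the client now has to come from the helper rather than the explicit `retval = KRB5KRB_AP_ERR_SKEW;` this hunk removes; a one-line comment such as `/* Fails with KRB5KRB_AP_ERR_SKEW when the timestamp is outside context->clockskew. */` above the call would keep that visible to readers of the KDC code. ec_verify begins and ends outside this hunk, so the handling of a non-zero retval after the block is not visible here.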
@@ -95,14 +94,10 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
         goto cleanup;
 
-    if ((retval = krb5_timeofday(context, &timenow)) != 0)
+    retval = krb5_check_clockskew(context, pa_enc->patimestamp);
+    if (retval)
         goto cleanup;
 
-    if (labs(timenow - pa_enc->patimestamp) > context->clockskew) {
-        retval = KRB5KRB_AP_ERR_SKEW;
-        goto cleanup;
-    }
-
     setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
     retval = 0;