From b496ce4095133536e0ace36b74130e4b9ecb5e11 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 8 Oct 2015 08:53:37 -0400
Subject: [PATCH] Allow clock skew in krb5 gss_accept_sec_context()

Remove an unnecessarily strict check for ticket expiration from kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum allowable clock skew to the reported lifetime of acceptor contexts.

ticket: 8268
target_version: 1.14
tags: pullup
---
 src/lib/gssapi/krb5/accept_sec_context.c | 18 ++++--------------
 src/lib/gssapi/krb5/inq_context.c        |  7 ++++++-
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 44ff65a887..b7fffeb3c7 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -325,12 +325,6 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
         goto fail;
     }
 
-    if (ctx->krb_times.endtime < now) {
-        code = 0;
-        major_status = GSS_S_CREDENTIALS_EXPIRED;
-        goto fail;
-    }
-
     ap_rep.data = input_token->value;
     ap_rep.length = input_token->length;
 
@@ -358,7 +352,7 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
         *mech_type = ctx->mech_used;
 
     if (time_rec)
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
 
     /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
      * delegation yet. */
@@ -983,12 +977,6 @@ kg_accept_krb5(minor_status, context_handle,
         goto fail;
     }
 
-    if (ctx->krb_times.endtime < now) {
-        code = 0;
-        major_status = GSS_S_CREDENTIALS_EXPIRED;
-        goto fail;
-    }
-
     code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv,
                            (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
                            (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0,
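Review bot: The new lifetime `ctx->krb_times.endtime + ctx->k5_context->clockskew - now` in kg_accept_dce is stored into time_rec with no lower bound, and the `endtime < now` check deleted earlier in this same function was the only thing that kept the old subtraction non-negative on this path. The DCE third leg is a later call than the one that validated the ticket, so `now` can legitimately be past endtime + clockskew here; if time_rec is the usual OM_uint32, a negative result wraps to a multi-decade lifetime instead of signalling expiry. inq_context.c in this same patch clamps at zero, so the accept path should agree with it: `krb5_deltat lifetime = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;` followed by `*time_rec = (lifetime > 0) ? lifetime : 0;` (or keep returning GSS_S_CREDENTIALS_EXPIRED when it is negative, which preserves the old failure semantics with skew applied). kg_accept_dce starts and ends outside the hunk, so where `now` is read on this leg is not visible here.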
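Review bot: With the expiry check deleted, nothing visible in kg_accept_krb5 compares ctx->krb_times.endtime against `now` any more, so the function now depends entirely on the earlier AP-REQ validation (presumably krb5_rd_req, outside this hunk) having enforced endtime with clock skew applied. That reliance is worth a one-line comment at the deleted site so a future maintainer does not re-add the strict check and reintroduce the skew mismatch: `/* Ticket expiry was already checked, with clock skew, when the AP-REQ was validated; do not re-check it here without skew. */`. kg_accept_krb5 begins and ends outside the hunk.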
@@ -1152,8 +1140,10 @@ kg_accept_krb5(minor_status, context_handle,
     if (mech_type)
         *mech_type = (gss_OID) mech_used;
 
+    /* Add the maximum allowable clock skew as a grace period for context
+     * expiration, just as we do for the ticket. */
     if (time_rec)
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ctx->krb_times.endtime + context->clockskew - now;
 
     if (ret_flags)
         *ret_flags = ctx->gss_flags;
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index cc06a939af..9024b3c7ea 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -118,7 +118,12 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
         return(GSS_S_FAILURE);
     }
 
-    if ((lifetime = ctx->krb_times.endtime - now) < 0)
+    /* Add the maximum allowable clock skew as a grace period for context
+     * expiration, just as we do for the ticket during authentication. */
+    lifetime = ctx->krb_times.endtime - now;
+    if (!ctx->initiate)
+        lifetime += context->clockskew;
+    if (lifetime < 0)
         lifetime = 0;
 
     if (initiator_name) {
-- 
2.47.2
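Review bot: The grace-period comment is added above the kg_accept_krb5 time_rec assignment but not above the identical change in kg_accept_dce earlier in this patch, and neither says what the advertised lifetime now commits the rest of the mechanism to. The value reported here is endtime + clockskew - now, so any later expiry check on this context (the per-message wrap/unwrap paths are not in this patch; confirm they were adjusted under the same ticket) must use the same endtime + clockskew bound, otherwise the lifetime returned to the application over-promises by up to clockskew seconds. Suggest extending the comment to `/* ... just as we do for the ticket.  Any later expiry check on this context must use the same endtime + clockskew bound. */` and placing the same comment on the kg_accept_dce assignment. As in the DCE path, the assignment is unclamped; a signed local with a `> 0` test before storing into time_rec would match what inq_context.c does below.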
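Review bot: The `if (!ctx->initiate)` guard in krb5_gss_inquire_context makes the grace period acceptor-only, but the new comment only says the skew is added "just as we do for the ticket" and does not explain why an initiator context is excluded, which is the first thing a reader of this asymmetry will ask. The commit message confirms the acceptor-only intent, so the rationale should be stated next to the test, hedged if it is not certain: `/* Only acceptor contexts get the grace period: the acceptor allowed clockskew when it validated the ticket, so its context stays usable that long; initiator lifetimes follow the ticket's own endtime. */` (confirm that this is the reason before committing the wording). The clamp `if (lifetime < 0) lifetime = 0;` assumes `lifetime` is a signed type; that declaration is outside the hunk, but the pre-existing `< 0` test suggests it already is.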