authorGreg Hudson <ghudson@mit.edu>2013-06-02 01:22:38 -0400
committerGreg Hudson <ghudson@mit.edu>2013-06-05 16:26:06 -0400
commit73cec24defdc9bf203a39f2e1059ec74e5a32dd9 (patch)
tree038abd06025f34956e444fa75d9d6a5ef76a9023 /src/lib
parentf2600131fb358339ceccecb1c80af7d471c0501b (diff)
Use KDC clock skew for AS-REQ timestamps
Calculate request timestamps each time we encode a request, and use the adjusted current time when calculating them, including adjustments resulting from preauth-required errors early in the AS exchange. As a side effect, this reverts one of the changes in commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again use the time adjustment from any ccache we read before the AS exchange, if we don't have a more specific adjustment from a preauth-required error. Based on a patch from Stef Walter. ticket: 7657 (new)
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index b422d91..f8f3801 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -689,7 +689,13 @@ pick_nonce(krb5_context context, krb5_init_creds_context ctx)
static krb5_error_code
set_request_times(krb5_context context, krb5_init_creds_context ctx)
{
- krb5_timestamp from, now = time(NULL);
+ krb5_error_code code;
+ krb5_timestamp from, now;
+ krb5_int32 now_ms;
+
+ code = k5_init_creds_current_time(context, ctx, TRUE, &now, &now_ms);
+ if (code != 0)
+ return code;
/* Omit request start time unless the caller explicitly asked for one. */
from = krb5int_addint32(now, ctx->start_time);
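Review bot: The bare `TRUE` passed to k5_init_creds_current_time() in set_request_times() needs a comment recording the trust assumption. Per the commit message, the returned time can include an adjustment taken from a preauth-required error, and such an error is presumably not authenticated that early in the AS exchange (the callee is not visible here, so this is inferred). A line such as `/* Request times may be based on an unauthenticated KDC time offset; do not reuse them as a trusted clock. */` above the call would warn anyone who later wants to use `now` for a validation check. The same caveat fits the comment at the new call site in init_creds_step_request(). Separately, `now_ms` is filled in but not read in the visible lines; the function body continues past the hunk, so confirm it is needed only as an output argument.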
@@ -751,10 +757,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
goto cleanup;
}
- code = set_request_times(context, ctx);
- if (code != 0)
- goto cleanup;
-
krb5_free_principal(context, ctx->request->server);
ctx->request->server = NULL;
@@ -1229,6 +1231,11 @@ init_creds_step_request(krb5_context context,
if (code != 0)
goto cleanup;
+ /* Reset the request timestamps, possibly adjusting to the KDC time. */
+ code = set_request_times(context, ctx);
+ if (code != 0)
+ goto cleanup;
+
krb5_free_data(context, ctx->inner_request_body);
ctx->inner_request_body = NULL;
code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);