diff options
| author | Greg Hudson <ghudson@mit.edu> | 2017-04-24 01:45:11 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2017-04-24 17:09:27 -0400 |
| commit | ac0236d33f07d3a6ba977471502ce6c6a3d142da (patch) | |
| tree | a194a93349ec9847e5d25f4339bc70e19df4744a /src | |
| parent | b0a072e6431261734e7350996a363801f180e8ea (diff) | |
| download | krb5-ac0236d33f07d3a6ba977471502ce6c6a3d142da.zip krb5-ac0236d33f07d3a6ba977471502ce6c6a3d142da.tar.gz krb5-ac0236d33f07d3a6ba977471502ce6c6a3d142da.tar.bz2 | |
Use krb5_check_clockskew() in KDC preauth mechs
Diffstat (limited to 'src')
| -rw-r--r-- | src/kdc/kdc_preauth_ec.c | 31 | ||||
| -rw-r--r-- | src/kdc/kdc_preauth_encts.c | 9 |
2 files changed, 15 insertions, 25 deletions
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c index d29ab53..7e636b3 100644 --- a/src/kdc/kdc_preauth_ec.c +++ b/src/kdc/kdc_preauth_ec.c @@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code retval = 0; - krb5_timestamp now; krb5_enc_data *enc = NULL; krb5_data scratch, plain; krb5_keyblock *armor_key = cb->fast_armor(context, rock); @@ -124,24 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, if (retval == 0) retval = decode_krb5_pa_enc_ts(&plain, &ts); if (retval == 0) - retval = krb5_timeofday(context, &now); + retval = krb5_check_clockskew(context, ts->patimestamp); if (retval == 0) { - if (labs(now-ts->patimestamp) < context->clockskew) { - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - /* - * If this fails, we won't generate a reply to the client. That - * may cause the client to fail, but at this point the KDC has - * considered this a success, so the return value is ignored. - */ - if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", - &client_keys[i], "challengelongterm", - &kdc_challenge_key) == 0) { - modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key; - if (ai != NULL) - cb->add_auth_indicator(context, rock, ai); - } - } else { /*skew*/ - retval = KRB5KRB_AP_ERR_SKEW; + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + /* + * If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + * this a success, so the return value is ignored. + */ + if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + &kdc_challenge_key) == 0) { + modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key; + if (ai != NULL) + cb->add_auth_indicator(context, rock, ai); } } cb->free_keys(context, rock, client_keys); diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c index e80dc12..25fc784 100644 --- a/src/kdc/kdc_preauth_encts.c +++ b/src/kdc/kdc_preauth_encts.c @@ -58,7 +58,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_keyblock key; krb5_key_data * client_key; krb5_int32 start; - krb5_timestamp timenow; scratch.data = (char *)pa->contents; scratch.length = pa->length; @@ -95,14 +94,10 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) goto cleanup; - if ((retval = krb5_timeofday(context, &timenow)) != 0) + retval = krb5_check_clockskew(context, pa_enc->patimestamp); + if (retval) goto cleanup; - if (labs(timenow - pa_enc->patimestamp) > context->clockskew) { - retval = KRB5KRB_AP_ERR_SKEW; - goto cleanup; - } - setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH); retval = 0; |