[17326] in Kerberos_V5_Development
Make krb5int_check_clockskew() public?
daemon@ATHENA.MIT.EDU (Linus Nordberg)
Fri Oct 28 18:01:17 2011
To: krbdev@mit.edu
From: Linus Nordberg <linus@nordu.net>
Date: Fri, 28 Oct 2011 18:00:55 -0400
Message-ID: <ysz7h3ohj3c.fsf@nordberg.se>
Hi,
I'd like krb5int_check_clockskew() to be made public in order to not
have to peek into the krb5_context for clockskew.
The OTP plugin does this today, checking both sec and usec:
--8<---------------cut here---------------start------------->8---
ts_sec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
if (labs(now_sec - ts_sec) > context->clockskew
    || (labs(now_sec - ts_sec) == context->clockskew
        && ((now_sec > ts_sec && now_usec > ts_usec)
            || (now_sec < ts_sec && now_usec < ts_usec)))) {
    SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
    retval = KRB5KRB_AP_ERR_SKEW;
    goto errout;
}
--8<---------------cut here---------------end--------------->8---
If y'all think usec is important enough, I'd like to see a variant of
krb5int_check_clockskew() taking usec into account as well.
Thanks,
Linus
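
Added example, not part of the original message and not MIT krb5 or OTP plugin code: one way a skew check that takes usec into account could look, with the two timestamp fields read byte-wise after a length check. The function names, the unsigned 32-bit types and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit value byte by byte, so the result does not
 * depend on buffer alignment or host byte order. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: extract sec and usec stored at offset `off`.
 * Returns 0 on success, -1 if fewer than 8 bytes remain or usec is
 * not a valid sub-second value. */
int parse_timestamp(const unsigned char *buf, size_t len, size_t off,
                    uint32_t *sec, uint32_t *usec)
{
    if (off > len || len - off < 8)
        return -1;
    *sec = load_be32(buf + off);
    *usec = load_be32(buf + off + 4);
    return (*usec < 1000000) ? 0 : -1;
}

/* Hypothetical usec-aware variant: returns 1 if |now - ts| <= skew_sec.
 * Both times are widened to 64-bit microseconds before subtracting. */
int within_clockskew_usec(uint32_t now_sec, uint32_t now_usec,
                          uint32_t ts_sec, uint32_t ts_usec,
                          uint32_t skew_sec)
{
    int64_t now = (int64_t)now_sec * 1000000 + now_usec;
    int64_t ts = (int64_t)ts_sec * 1000000 + ts_usec;
    int64_t diff = now > ts ? now - ts : ts - now;
    return diff <= (int64_t)skew_sec * 1000000;
}

int main(void)
{
    /* Constructed sample: 2 placeholder key bytes, then sec=300, usec=500000. */
    const unsigned char buf[] = { 0xAA, 0xBB, 0x00, 0x00, 0x01, 0x2C,
                                  0x00, 0x07, 0xA1, 0x20 };
    uint32_t sec, usec;
    if (parse_timestamp(buf, sizeof(buf), 2, &sec, &usec) != 0)
        return 1;
    printf("in skew: %d\n", within_clockskew_usec(600, 0, sec, usec, 300));
    return 0;
}
```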