[17327] in Kerberos_V5_Development

Re: Make krb5int_check_clockskew() public?

daemon@ATHENA.MIT.EDU (Chris Hecker)
Fri Oct 28 18:42:37 2011

Message-ID: <4EAB2FD8.6010108@d6.com>
Date: Fri, 28 Oct 2011 15:42:32 -0700
From: Chris Hecker <checker@d6.com>
MIME-Version: 1.0
To: Linus Nordberg <linus@nordu.net>
In-Reply-To: <ysz7h3ohj3c.fsf@nordberg.se>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu


Yes please!  You can't check ticket expiration without it, so I had to
hack it for this:

#include <krb5.h>

/* Returns KRB5KRB_AP_ERR_TKT_EXPIRED unless the ticket stays valid for at
 * least `duration` more seconds, within the hard-coded clock-skew tolerance. */
krb5_error_code check_ticket_duration(krb5_context context,
                                      krb5_ticket_times tkt_times,
                                      krb5_timestamp duration)
{
    // stolen from ksu/ccache.c
    krb5_error_code retval = 0;
    krb5_timestamp currenttime;
    if ((retval = krb5_timeofday(context, &currenttime))) {
        return retval;
    }
    int clockskew = 5*60;  // @todo lame! in context, but in k5-int.h
    if ((currenttime + duration - tkt_times.endtime) > clockskew) {
        retval = KRB5KRB_AP_ERR_TKT_EXPIRED;
        return retval;
    }
    return 0;
}

Chris


On 2011/10/28 15:00, Linus Nordberg wrote:
> Hi,
> 
> I'd like krb5int_check_clockskew() to be made public in order to not
> have to peek into the krb5_context for clockskew.
> 
> The OTP plugin does this today, checking both sec and usec:
> 
> --8<---------------cut here---------------start------------->8---
> ts_sec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
> ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
> if (labs(now_sec - ts_sec) > context->clockskew
>     || (labs(now_sec - ts_sec) == context->clockskew
>         && ((now_sec > ts_sec && now_usec > ts_usec)
>             || (now_sec < ts_sec && now_usec < ts_usec)))) {
>     SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
>     retval = KRB5KRB_AP_ERR_SKEW;
>     goto errout;
> }
> --8<---------------cut here---------------end--------------->8---
> 
> If y'all think usec is important enough, I'd like to see a variant of
> krb5int_check_clockskew() taking usec into account as well.
> 
> Thanks,
> Linus
> 
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
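
Added example, not part of either message and not MIT krb5 code: a stand-alone sketch of the two checks discussed in this thread, a skew test that takes usec into account and the remaining-lifetime test. All arithmetic is done in 64 bits so extreme 32-bit timestamps cannot wrap. The ex_* function names and EX_* codes are hypothetical stand-ins, and seconds are assumed to be 32-bit signed values.

```c
#include <stdint.h>

/* Stand-ins for the libkrb5 error codes named in the thread; real code would
 * take KRB5KRB_AP_ERR_SKEW and KRB5KRB_AP_ERR_TKT_EXPIRED from krb5.h. */
enum { EX_OK = 0, EX_ERR_SKEW = 1, EX_ERR_TKT_EXPIRED = 2 };

#define USEC_PER_SEC INT64_C(1000000)

/* Hypothetical helper: fold seconds and microseconds into one 64-bit count
 * so that neither the subtraction nor the comparison below can overflow. */
static int64_t to_usec(int32_t sec, int32_t usec)
{
    return (int64_t)sec * USEC_PER_SEC + usec;
}

/* Accept a peer timestamp only if it lies within +/- clockskew seconds of
 * local time, compared at microsecond resolution. Exactly clockskew seconds
 * apart is accepted; one microsecond more is rejected. */
int ex_check_clockskew_usec(int32_t now_sec, int32_t now_usec,
                            int32_t ts_sec, int32_t ts_usec,
                            int32_t clockskew)
{
    int64_t diff = to_usec(now_sec, now_usec) - to_usec(ts_sec, ts_usec);

    if (diff < 0)
        diff = -diff;
    return diff > (int64_t)clockskew * USEC_PER_SEC ? EX_ERR_SKEW : EX_OK;
}

/* Require the ticket to remain valid for `duration` more seconds, allowing
 * clockskew seconds of tolerance: the same comparison as in
 * check_ticket_duration() above, widened to 64 bits. */
int ex_check_ticket_duration(int32_t now, int32_t endtime,
                             int32_t duration, int32_t clockskew)
{
    int64_t overrun = (int64_t)now + duration - endtime;

    return overrun > clockskew ? EX_ERR_TKT_EXPIRED : EX_OK;
}
```

In real use the clockskew argument would come from the library's configured value rather than a constant, which is what the request to make krb5int_check_clockskew() public is about.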