[17330] in Kerberos_V5_Development
Re: Make krb5int_check_clockskew() public?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Oct 29 18:35:15 2011
From: Sam Hartman <hartmans@mit.edu>
To: Linus Nordberg <linus@nordu.net>
Date: Sat, 29 Oct 2011 18:35:08 -0400
Message-ID: <tsl4nyr4ear.fsf@mit.edu>
Cc: krbdev@mit.edu
>>>>> "Linus" == Linus Nordberg <linus@nordu.net> writes:
Linus> ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length)));
Linus> ts_usec = ntohl(*((uint32_t *) (decrypted_data.data + armor_key->length + 4)));
Linus> if (labs(now_sec - ts_sec) > context->clockskew ||
Linus>     (labs(now_sec - ts_sec) == context->clockskew &&
Linus>      ((now_sec > ts_sec && now_usec > ts_usec) ||
Linus>       (now_sec < ts_sec && now_usec < ts_usec)))) {
Linus>     SERVER_DEBUG("Bad timestamp in PA-OTP-ENC-REQUEST.");
Linus>     retval = KRB5KRB_AP_ERR_SKEW;
Linus>     goto

I don't object to exposing a way to check skew to plugins. However,
your ASN.1 decoder is mighty strange if it produces a structure
depending on size of the armor key from an encrypted timestamp preauth.

I'd expect the encoding of the following sequence:

    PA-ENC-TS-ENC ::= SEQUENCE {
        patimestamp [0] KerberosTime -- client's time --,
        pausec      [1] Microseconds OPTIONAL
    }

So I'm surprised if the code you describe is correct.
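
Added example, not part of the message above and not krb5 code: a skew check at microsecond precision for the raw layout the quoted code reads (two big-endian 32-bit words at an offset, not the ASN.1 PA-ENC-TS-ENC encoding), with length-checked reads instead of an unaligned uint32_t cast. The names read_be32, skew_exceeded and check_timestamp, the return codes, and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit value at off; refuse to read past len. */
static int read_be32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 0;
}

/* Return 1 when |now - ts| is strictly greater than skew_sec seconds. */
static int skew_exceeded(int64_t now_sec, int32_t now_usec,
                         int64_t ts_sec, int32_t ts_usec, int32_t skew_sec)
{
    int64_t delta = (now_sec - ts_sec) * 1000000 + (now_usec - ts_usec);
    if (delta < 0)
        delta = -delta;
    return delta > (int64_t)skew_sec * 1000000;
}

/* Hypothetical helper: parse seconds and microseconds at off, then check.
 * Returns 0 = within skew, 1 = skew exceeded, -1 = malformed input. */
int check_timestamp(const uint8_t *buf, size_t len, size_t off,
                    int64_t now_sec, int32_t now_usec, int32_t skew_sec)
{
    uint32_t sec, usec;

    if (read_be32(buf, len, off, &sec) != 0 ||
        read_be32(buf, len, off + 4, &usec) != 0)
        return -1;                      /* buffer too short for both words */
    if (usec > 999999)
        return -1;                      /* not a valid microsecond count */
    return skew_exceeded(now_sec, now_usec, (int64_t)sec, (int32_t)usec, skew_sec);
}

int main(void)
{
    /* Constructed sample: 4 filler bytes, then sec=1319927436, usec=500000. */
    const uint8_t buf[] = {0xAA, 0xBB, 0xCC, 0xDD, 0x4E, 0xAC, 0x7E, 0x8C,
                           0x00, 0x07, 0xA1, 0x20};

    printf("%d\n", check_timestamp(buf, sizeof(buf), 4, 1319927736LL, 500001, 300));
    return 0;
}
```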