krb5_error_code code = 0;
unsigned char random_buf[4];
krb5_data random_data;
+ krb5_timestamp from;
+
if (ctx->preauth_to_use) {
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = NULL;
/* give the preauth plugins a chance to prep the request body */
krb5_preauth_prepare_request(context, ctx->opte, ctx->request);
- ctx->request->from = krb5int_addint32(ctx->request_time,
- ctx->start_time);
- ctx->request->till = krb5int_addint32(ctx->request->from,
- ctx->tkt_life);
+ /* Omit request start time in the common case. MIT and Heimdal KDCs will
+ * ignore it for non-postdated tickets anyway. */
+ from = krb5int_addint32(ctx->request_time, ctx->start_time);
+ if (ctx->start_time != 0)
+ ctx->request->from = from;
+ ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
if (ctx->renew_life > 0) {
ctx->request->rtime =
- krb5int_addint32(ctx->request->from, ctx->renew_life);
+ krb5int_addint32(from, ctx->renew_life);
if (ctx->request->rtime < ctx->request->till) {
/* don't ask for a smaller renewable time than the lifetime */
ctx->request->rtime = ctx->request->till;
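Review bot: In the common case (`ctx->start_time == 0`) the new code never writes `ctx->request->from`, so the field keeps whatever value the request already held, and nothing in this hunk shows it being zeroed. If the request is not zero-initialised, or this block can run again on a reused request, a stale start time would be sent, contrary to what the new comment intends. Making the assignment unconditional removes that dependency: `ctx->request->from = (ctx->start_time != 0) ? from : 0;`. The comment could also note that a caller-supplied start time appears to disable the client's skew check on the KDC reply, as the accompanying test comment states. The enclosing function starts and ends outside the hunk.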
realm = K5Realm(start_kdc=False, krb5_conf=conf)
realm.start_kdc(['-T', '-3600'])
-# kinit (no preauth) should work, but kvno should not. kinit with
-# FAST should also fail since the armor AP-REQ won't be valid.
-realm.kinit(realm.user_princ, password('user'))
-realm.run_as_client([kvno, realm.host_princ], expected_code=1)
-realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
- expected_code=1)
-
-# kinit (with preauth) should fail, with or without FAST.
+# Get tickets to use for FAST kinit tests. The start time offset is
+# ignored by the KDC since we aren't getting postdatable tickets, but
+# serves to suppress the client clock skew check on the KDC reply.
+fast_cache = realm.ccache + '.fast'
+realm.kinit(realm.user_princ, password('user'),
+ flags=['-s', '-3600s', '-c', fast_cache])
+
+# kinit should detect too much skew in the KDC response. kinit with
+# FAST should fail from the KDC since the armor AP-REQ won't be valid.
+out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
+if 'Clock skew too great in KDC reply' not in out:
+ fail('Expected error message not seen in kinit skew case')
+out = realm.kinit(realm.user_princ, password('user'), flags=['-T', fast_cache],
+ expected_code=1)
+if 'Clock skew too great while' not in out:
+ fail('Expected error message not seen in kinit FAST skew case')
+
+# kinit (with preauth) should fail from the KDC, with or without FAST.
realm.run_kadminl('modprinc +requires_preauth user')
-realm.kinit(realm.user_princ, password('user'), expected_code=1)
-realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
+if 'Clock skew too great while' not in out:
+ fail('Expected error message not seen in kinit skew case (preauth)')
+realm.kinit(realm.user_princ, password('user'), flags=['-T', fast_cache],
expected_code=1)
+if 'Clock skew too great while' not in out:
+ fail('Expected error message not seen in kinit FAST skew case (preauth)')
success('Clock skew tests')
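Review bot: The last kinit call (FAST with preauth required) discards its return value, so the check that follows re-tests `out` from the preceding non-FAST preauth kinit. That final assertion therefore cannot fail on its own, and the FAST+preauth error message is never actually verified. Capture the output as the other three cases do: `out = realm.kinit(realm.user_princ, password('user'), flags=['-T', fast_cache], expected_code=1)`.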