From: Tom Yu Date: Mon, 7 Nov 2011 22:51:36 +0000 (+0000) Subject: pull up r25424 from trunk X-Git-Tag: krb5-1.10-alpha2~25 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=606058b1fda291fedfb525520c1817e9f6ca9956;p=krb5.git pull up r25424 from trunk ------------------------------------------------------------------------ r25424 | ghudson | 2011-10-31 12:43:40 -0400 (Mon, 31 Oct 2011) | 9 lines ticket: 6996 subject: Make krb5_check_clockskew public target_version: 1.10 tags: pullup Rename krb5int_check_clockskew to krb5_check_clockskew and make it public, in order to give kdcpreauth plugins a way to check timestamps against the configured clock skew. ticket: 6996 version_fixed: 1.10 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25456 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 92cbe87f5..fec4a7f80 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -2693,7 +2693,6 @@ krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp, krb5_error_code krb5_use_natural_time(krb5_context); krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp, krb5_int32); -krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp); /* * The realm iterator functions */ diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 28f83d5ae..5f667cee2 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin 
@@ -4749,6 +4749,21 @@ krb5_us_timeofday(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_timeofday(krb5_context context, register krb5_timestamp *timeret); +/** + * Check if a timestamp is within the allowed clock skew of the current time. + * + * @param [in] context Library context + * @param [in] date Timestamp to check + * + * This function checks if @a date is close enough to the current time + * according to the configured allowable clock skew. + * + * @retval 0 Success + * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew + */ +krb5_error_code KRB5_CALLCONV +krb5_check_clockskew(krb5_context context, krb5_timestamp date); + /** * Return all interface addresses for this host. * diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 22eb4ec7c..8be7f81d6 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -222,7 +222,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) + if ((retval = krb5_check_clockskew(context, replaydata.timestamp))) goto error; if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 93259680e..6724586a9 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -150,7 +150,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) + if ((retval = krb5_check_clockskew(context, replaydata.timestamp))) goto error; if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 8696a155b..261ac4619 100644 
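Review bot: The new doc comment for `krb5_check_clockskew` in krb5.hin lists only `0` and `KRB5KRB_AP_ERR_SKEW`, but the definition in timeofday.c declares a `krb5_error_code retval`. The body is outside the hunk, but that suggests a failure to read the current time is returned as well, so I would add a line such as `@return Another error code if the current time cannot be obtained`. Because the function is now exported for kdcpreauth plugins, the comment should also say that a timestamp inside the skew window is not proof of freshness. The in-tree callers in rd_cred.c, rd_priv.c and rd_safe.c follow the check with replay-cache handling (`krb5_gen_replay_name`), so a plugin validating a client-supplied timestamp needs its own replay protection; a sentence like `Passing this check does not detect replays within the skew window.` would cover it.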
--- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -414,7 +414,7 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, if (retval != 0) goto cleanup; - if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime))) + if ((retval = krb5_check_clockskew(context, (*auth_context)->authentp->ctime))) goto cleanup; if (check_valid_flag) { diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index c879f331f..13ba064cf 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -166,7 +166,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) + if ((retval = krb5_check_clockskew(context, replaydata.timestamp))) goto error; if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 0afcab121..5da2d2360 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -224,6 +224,7 @@ krb5_cccol_cursor_new krb5_cccol_cursor_next krb5_change_cache krb5_change_password +krb5_check_clockskew krb5_check_transited_list krb5_chpw_result_code_string krb5_clear_error_message diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c index b22d92a1a..fddb12142 100644 --- a/src/lib/krb5/os/timeofday.c +++ b/src/lib/krb5/os/timeofday.c @@ -51,8 +51,8 @@ krb5_timeofday(krb5_context context, register krb5_timestamp *timeret) return 0; } -krb5_error_code -krb5int_check_clockskew(krb5_context context, krb5_timestamp date) +krb5_error_code KRB5_CALLCONV +krb5_check_clockskew(krb5_context context, krb5_timestamp date) { krb5_timestamp currenttime; krb5_error_code retval; diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index d7ac5c464..d5922d2d1 100644 --- a/src/lib/krb5_32.def 
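Review bot: In the timeofday.c hunk, exporting `krb5_check_clockskew` widens the callers that pass a client-controlled `date` to third-party plugins, yet the comparison against `currenttime` lies below the hunk and cannot be reviewed here. Before this becomes stable API, confirm that the difference between `date` and `currenttime` is computed without signed overflow for extreme `krb5_timestamp` values, for example by widening both operands before subtracting, so that a far-future or far-past timestamp cannot wrap into the accepted window. The definition also has no comment of its own; a one-liner such as `/* Public API; contract is documented in krb5.hin. */` above it would point maintainers to the contract they must now preserve.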
+++ b/src/lib/krb5_32.def @@ -420,3 +420,4 @@ EXPORTS krb5_cc_select @394 krb5_pac_sign @395 krb5_find_authdata @396 + krb5_check_clockskew @397