From 286b215bd829075f04576b65d55993fdc8e11b47 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 31 Oct 2011 16:43:40 +0000
Subject: [PATCH] Make krb5_check_clockskew public

Rename krb5int_check_clockskew to krb5_check_clockskew and make it public, in order to give kdcpreauth plugins a way to check timestamps against the configured clock skew.
ticket: 6996
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int.h | 1 -
 src/include/krb5/krb5.hin | 15 +++++++++++++++
 src/lib/krb5/krb/rd_cred.c | 2 +-
 src/lib/krb5/krb/rd_priv.c | 2 +-
 src/lib/krb5/krb/rd_req_dec.c | 2 +-
 src/lib/krb5/krb/rd_safe.c | 2 +-
 src/lib/krb5/libkrb5.exports | 1 +
 src/lib/krb5/os/timeofday.c | 4 ++--
 src/lib/krb5_32.def | 1 +
 9 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 92cbe87f5..fec4a7f80 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2693,7 +2693,6 @@ krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp,
 krb5_error_code krb5_use_natural_time(krb5_context);
 krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
 krb5_int32);
-krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
 /*
 * The realm iterator functions
 */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 28f83d5ae..5f667cee2 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -4749,6 +4749,21 @@ krb5_us_timeofday(krb5_context context,
 krb5_error_code KRB5_CALLCONV
 krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
+/**
+ * Check if a timestamp is within the allowed clock skew of the current time.
+ *
+ * @param [in] context Library context
+ * @param [in] date Timestamp to check
+ *
+ * This function checks if @a date is close enough to the current time
+ * according to the configured allowable clock skew.
+ *
+ * @retval 0 Success
+ * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_check_clockskew(krb5_context context, krb5_timestamp date);
+
 /**
 * Return all interface addresses for this host.
 *
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 22eb4ec7c..8be7f81d6 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -222,7 +222,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
 if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
 krb5_donot_replay replay;
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ if ((retval = krb5_check_clockskew(context, replaydata.timestamp)))
 goto error;
 if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 93259680e..6724586a9 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -150,7 +150,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
 if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
 krb5_donot_replay replay;
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ if ((retval = krb5_check_clockskew(context, replaydata.timestamp)))
 goto error;
 if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 8696a155b..261ac4619 100644
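Review bot: The doc comment added for krb5_check_clockskew in krb5.hin becomes the contract for kdcpreauth plugin authors, and it does not say that passing the skew check is not replay protection. The callers visible in this patch (rd_cred.c, rd_priv.c, rd_safe.c) follow the check with krb5_gen_replay_name, so a plugin that copies only the skew test would accept a previously seen timestamp again anywhere inside the window; add a sentence such as `A successful return means only that @a date is recent; callers that need replay protection must also use a replay cache.` The `@retval` list also reads as exhaustive, while the definition in timeofday.c keeps a `retval` local next to `currenttime`, which suggests (the body is outside the patch) that a failure to read the clock is returned as well; if so, add `@return Other Kerberos error codes if the current time cannot be obtained`. A `@version New in 1.10` line would record the target_version given in the commit message.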
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -414,7 +414,7 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 if (retval != 0)
 goto cleanup;
- if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
+ if ((retval = krb5_check_clockskew(context, (*auth_context)->authentp->ctime)))
 goto cleanup;
 if (check_valid_flag) {
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index c879f331f..13ba064cf 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -166,7 +166,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
 if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
 krb5_donot_replay replay;
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ if ((retval = krb5_check_clockskew(context, replaydata.timestamp)))
 goto error;
 if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 0afcab121..5da2d2360 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -224,6 +224,7 @@ krb5_cccol_cursor_new
 krb5_cccol_cursor_next
 krb5_change_cache
 krb5_change_password
+krb5_check_clockskew
 krb5_check_transited_list
 krb5_chpw_result_code_string
 krb5_clear_error_message
diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
index b22d92a1a..fddb12142 100644
--- a/src/lib/krb5/os/timeofday.c
+++ b/src/lib/krb5/os/timeofday.c
@@ -51,8 +51,8 @@ krb5_timeofday(krb5_context context, register krb5_timestamp *timeret)
 return 0;
 }
-krb5_error_code
-krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
+krb5_error_code KRB5_CALLCONV
+krb5_check_clockskew(krb5_context context, krb5_timestamp date)
 {
 krb5_timestamp currenttime;
 krb5_error_code retval;
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index d7ac5c464..d5922d2d1 100644
--- a/src/lib/krb5_32.def
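Review bot: The signature change in timeofday.c exports a check whose `date` argument is taken from peer-supplied messages in every caller shown here, and will now also be supplied by plugins, so the comparison against `currenttime` should be confirmed safe for extreme values. The body lies outside this hunk (only the `currenttime` and `retval` declarations are visible), so this is a request to verify, not a finding: if the difference is computed in the signed krb5_timestamp type it can overflow before the skew comparison, and it would be better done in a wider type or as two bounds checks. The definition also has no comment of its own; a one-line pointer such as `/* Public API; see krb5.hin for the contract. */` above it would keep the two in step.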
+++ b/src/lib/krb5_32.def
@@ -420,3 +420,4 @@ EXPORTS
 krb5_cc_select @394
 krb5_pac_sign @395
 krb5_find_authdata @396
+ krb5_check_clockskew @397
-- 
2.26.2