From 4281165e025620782ea39bdca77aaf65cd704899 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Fri, 20 Jul 2007 08:51:58 +0000 Subject: [PATCH] Pull out code for looking up the current time, comparing the offset of a supplied timestamp against the configured maximum clock skew, and possibly generating an error message, into a separate routine. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19722 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-int.h | 1 + src/lib/krb5/krb/rd_cred.c | 10 +--------- src/lib/krb5/krb/rd_priv.c | 12 ++---------- src/lib/krb5/krb/rd_req_dec.c | 22 ++++++++++++++-------- src/lib/krb5/krb/rd_safe.c | 12 ++---------- 5 files changed, 20 insertions(+), 37 deletions(-) diff --git a/src/include/k5-int.h b/src/include/k5-int.h index b5791a926..197dc6367 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -2450,6 +2450,7 @@ krb5_error_code krb5_use_natural_time (krb5_context); krb5_error_code krb5_set_time_offsets (krb5_context, krb5_timestamp, krb5_int32); +krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp); /* * The realm iterator functions */ diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 965ed9a81..19370d37b 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -158,8 +158,6 @@ cleanup_cred: /*----------------------- krb5_rd_cred -----------------------*/ -#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew) - /* * This functions takes as input an KRB_CRED message, validates it, and * outputs the nonce and an array of the forwarded credentials. @@ -204,15 +202,9 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - krb5_timestamp currenttime; - - if ((retval = krb5_timeofday(context, ¤ttime))) - goto error; - if (!in_clock_skew(replaydata.timestamp)) { - retval = KRB5KRB_AP_ERR_SKEW; + if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) goto error; - } if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, "_forw", &replay.client))) diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 9d934972f..66cee8538 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/rd_priv.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -31,8 +31,6 @@ #include "cleanup.h" #include "auth_con.h" -#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew) - /* Parses a KRB_PRIV message from inbuf, placing the confidential user @@ -228,15 +226,9 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - krb5_timestamp currenttime; - - if ((retval = krb5_timeofday(context, ¤ttime))) - goto error; - if (!in_clock_skew(replaydata.timestamp)) { - retval = KRB5KRB_AP_ERR_SKEW; + if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) goto error; - } if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, "_priv", &replay.client))) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 6d68cd922..d672b8b7e 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -63,7 +63,19 @@ static krb5_error_code decrypt_authenticator (krb5_context, const krb5_ap_req *, krb5_authenticator **, int); -#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew) +krb5_error_code +krb5int_check_clockskew(krb5_context context, krb5_timestamp date) +{ + krb5_timestamp currenttime; + krb5_error_code retval; + + retval = krb5_timeofday(context, ¤ttime); + if (retval) + return retval; + if (!(labs((date)-currenttime) < context->clockskew)) + return KRB5KRB_AP_ERR_SKEW; + return 0; +} static krb5_error_code krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, @@ -94,7 +106,6 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, krb5_ticket **ticket, int check_valid_flag) { krb5_error_code retval = 0; - krb5_timestamp currenttime; krb5_principal_data princ_data; req->ticket->enc_part2 = NULL; @@ -246,13 +257,8 @@ goto cleanup; if (retval != 0) goto cleanup; - if ((retval = krb5_timeofday(context, ¤ttime))) - goto cleanup; - - if (!in_clock_skew((*auth_context)->authentp->ctime)) { - retval = KRB5KRB_AP_ERR_SKEW; + if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime))) goto cleanup; - } if (check_valid_flag) { if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) { diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 2fa8ec43c..3eae17269 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/rd_safe.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -31,8 +31,6 @@ #include "cleanup.h" #include "auth_con.h" -#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew) - /* parses a KRB_SAFE message from inbuf, placing the integrity-protected user data in *outbuf. @@ -231,15 +229,9 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; - krb5_timestamp currenttime; - - if ((retval = krb5_timeofday(context, ¤ttime))) - goto error; - if (!in_clock_skew(replaydata.timestamp)) { - retval = KRB5KRB_AP_ERR_SKEW; + if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) goto error; - } if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, "_safe", &replay.client))) -- 2.26.2