kdc: Add function to get current KDC time

Assists Samba to address CVE-2022-2031

This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/kdc/libkdc-exports.def b/kdc/libkdc-exports.def
index 2c4564bcadccb6448c366cc4f66868336e19f0bb..fc4fb812a77ba71a61698cd3d7907bfd8a6000c3 100644 (file)
--- a/kdc/libkdc-exports.def
+++ b/kdc/libkdc-exports.def
@@ -10,6 +10,7 @@ EXPORTS
        kdc_validate_token
        krb5_kdc_plugin_init
        krb5_kdc_get_config
+       krb5_kdc_get_time
        krb5_kdc_pkinit_config
        krb5_kdc_set_dbinfo
        krb5_kdc_process_krb5_request

diff --git a/kdc/process.c b/kdc/process.c
index 8f1eb5377a4ac776f2308e1de4c79c808e007d0d..9142d68b24b0ac2d564a6be7da5d369468332db0 100644 (file)
--- a/kdc/process.c
+++ b/kdc/process.c
@@ -243,6 +243,12 @@ krb5_kdc_update_time(struct timeval *tv)
        _kdc_now = *tv;
 }
 
+KDC_LIB_FUNCTION struct timeval KDC_LIB_CALL
+krb5_kdc_get_time(void)
+{
+    return _kdc_now;
+}
+
 
 #define EXTEND_REQUEST_T(LHS, RHS) do {                        \
        RHS = realloc(LHS, sizeof(*RHS));               \

diff --git a/kdc/version-script.map b/kdc/version-script.map
index 72a21e629506d236cdcc8cb3378e18c6cc71acea..55dc91e74be76e13488e1bba56ccbdff5b6e6f2e 100644 (file)
--- a/kdc/version-script.map
+++ b/kdc/version-script.map
@@ -13,6 +13,7 @@ HEIMDAL_KDC_1.0 {
                kdc_validate_token;
                krb5_kdc_plugin_init;
                krb5_kdc_get_config;
+               krb5_kdc_get_time;
                krb5_kdc_pkinit_config;
                krb5_kdc_set_dbinfo;
                krb5_kdc_process_krb5_request;