[26814] in CVS-changelog-for-Kerberos-V5
krb5 commit: Turn off replay cache in krb5_verify_init_creds()
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 6 16:19:40 2012
Date: Mon, 6 Aug 2012 16:19:32 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201208062019.q76KJWrF008709@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/f1783431cb8f146095067f5e2531e9155a8787bb
commit f1783431cb8f146095067f5e2531e9155a8787bb
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed Apr 18 14:01:39 2012 -0400
Turn off replay cache in krb5_verify_init_creds()
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
src/lib/krb5/krb/vfy_increds.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 14acb0a..e88a37f 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
authcon = NULL;
}
+ /* Build an auth context that won't bother with replay checks -- it's
+ * not as if we're going to mount a replay attack on ourselves here. */
+ ret = krb5_auth_con_init(context, &authcon);
+ if (ret)
+ goto cleanup;
+ ret = krb5_auth_con_setflags(context, authcon, 0);
+ if (ret)
+ goto cleanup;
+
/* Verify the ap_req. */
ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
if (ret)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
