[28814] in CVS-changelog-for-Kerberos-V5
krb5 commit: Check timestamp in PKINIT kdcpreauth module
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Feb 19 13:41:08 2015
Date: Thu, 19 Feb 2015 13:40:59 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201502191840.t1JIex28001237@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/54984d618e01027abe73e6772fe7049c79938518
commit 54984d618e01027abe73e6772fe7049c79938518
Author: Thomas Calderon <thomas.calderon@ssi.gouv.fr>
Date: Fri Feb 6 15:55:34 2015 +0100
Check timestamp in PKINIT kdcpreauth module
RFC 4556 requires the KDC to check the PKAuthenticator timestamp in
order to prevent replays after the five-minute clock skew window. (A
replay attack has minimal value; it only causes the KDC to issue a
ticket which an attacker cannot decrypt.)
[ghudson@mit.edu: rewrote commit message; squashed with typo fix;
style fixes]
ticket: 8123 (new)
src/plugins/preauth/pkinit/pkinit_srv.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 5639fca..b472741 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -429,6 +429,11 @@ pkinit_server_verify_padata(krb5_context context,
goto cleanup;
}
+ retval = krb5_check_clockskew(context,
+ auth_pack->pkAuthenticator.ctime);
+ if (retval)
+ goto cleanup;
+
/* check dh parameters */
if (auth_pack->clientPublicValue != NULL) {
retval = server_check_dh(context, plgctx->cryptoctx,
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
