krb5 commit: Use preauth timestamp in PKINIT clpreauth module
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Feb 19 13:41:09 2015
Date: Thu, 19 Feb 2015 13:41:00 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201502191841.t1JIf07d001346@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
commit fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Feb 9 12:38:06 2015 -0500
Use preauth timestamp in PKINIT clpreauth module
Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is
set.
Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp. But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.
ticket: 8124 (new)
src/plugins/preauth/pkinit/pkinit_clnt.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 5ad735a..61dc1de 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -75,6 +75,8 @@ static krb5_error_code
pa_pkinit_gen_req(krb5_context context,
pkinit_context plgctx,
pkinit_req_context reqctx,
+ krb5_clpreauth_callbacks cb,
+ krb5_clpreauth_rock rock,
krb5_kdc_req * request,
krb5_preauthtype pa_type,
krb5_pa_data *** out_padata,
@@ -127,7 +129,7 @@ pa_pkinit_gen_req(krb5_context context,
print_buffer(der_req->data, der_req->length);
#endif
- retval = krb5_us_timeofday(context, &ctsec, &cusec);
+ retval = cb->get_preauth_time(context, rock, TRUE, &ctsec, &cusec);
if (retval)
goto cleanup;
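Review bot: The literal `TRUE` passed as the third argument of `cb->get_preauth_time` on the `+` line is the security-relevant decision in this change — it lets the callback hand back the KDC's unauthenticated preauth-required timestamp — yet nothing at the call site explains why that is acceptable; the reasoning exists only in the commit message. I would add a comment directly above the call, e.g. `/* Use the KDC's preauth-required timestamp (unauthenticated unless FAST is used) so PKINIT tolerates client clock skew under kdc_timesync; a forged future time only yields a ticket the attacker cannot decrypt. */`, so a later reader does not "fix" the flag back to a conservative value, or loosen it elsewhere, without seeing the trade-off. The name of that boolean parameter is not visible in the hunk, so the comment should state the intent rather than the parameter name. pa_pkinit_gen_req's body continues outside the hunk on both sides.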
@@ -1238,7 +1240,7 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
retval, error_message(retval));
return retval;
}
- retval = pa_pkinit_gen_req(context, plgctx, reqctx, request,
+ retval = pa_pkinit_gen_req(context, plgctx, reqctx, cb, rock, request,
in_padata->pa_type, out_padata, prompter,
prompter_data, gic_opt);
} else {
@@ -1327,9 +1329,9 @@ pkinit_client_tryagain(krb5_context context, krb5_clpreauth_moddata moddata,
if (do_again) {
TRACE_PKINIT_CLIENT_TRYAGAIN(context);
- retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, pa_type,
- out_padata, prompter, prompter_data,
- gic_opt);
+ retval = pa_pkinit_gen_req(context, plgctx, reqctx, cb, rock, request,
+ pa_type, out_padata, prompter,
+ prompter_data, gic_opt);
if (retval)
goto cleanup;
}