diff options
| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2012-04-18 14:01:39 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-08-06 16:19:04 -0400 |
| commit | f1783431cb8f146095067f5e2531e9155a8787bb (patch) | |
| tree | d8fd0a3160171d88694103f99eb11e8b43c15c7b | |
| parent | 22881a18581623cd4742d9197c90b106645d67a9 (diff) | |
| download | krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.gz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.xz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.zip | |
Turn off replay cache in krb5_verify_init_creds()
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
| -rw-r--r-- | src/lib/krb5/krb/vfy_increds.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c index 14acb0a444..e88a37f80a 100644 --- a/src/lib/krb5/krb/vfy_increds.c +++ b/src/lib/krb5/krb/vfy_increds.c @@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server, authcon = NULL; } + /* Build an auth context that won't bother with replay checks -- it's + * not as if we're going to mount a replay attack on ourselves here. */ + ret = krb5_auth_con_init(context, &authcon); + if (ret) + goto cleanup; + ret = krb5_auth_con_setflags(context, authcon, 0); + if (ret) + goto cleanup; + /* Verify the ap_req. */ ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL); if (ret) |