diff options
author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2012-04-18 14:01:39 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-08-06 16:19:04 -0400 |
commit | f1783431cb8f146095067f5e2531e9155a8787bb (patch) | |
tree | d8fd0a3160171d88694103f99eb11e8b43c15c7b | |
parent | 22881a18581623cd4742d9197c90b106645d67a9 (diff) | |
download | krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.gz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.xz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.zip |
Turn off replay cache in krb5_verify_init_creds()
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
-rw-r--r-- | src/lib/krb5/krb/vfy_increds.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c index 14acb0a444..e88a37f80a 100644 --- a/src/lib/krb5/krb/vfy_increds.c +++ b/src/lib/krb5/krb/vfy_increds.c @@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server, authcon = NULL; } + /* Build an auth context that won't bother with replay checks -- it's + * not as if we're going to mount a replay attack on ourselves here. */ + ret = krb5_auth_con_init(context, &authcon); + if (ret) + goto cleanup; + ret = krb5_auth_con_setflags(context, authcon, 0); + if (ret) + goto cleanup; + /* Verify the ap_req. */ ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL); if (ret) |