summaryrefslogtreecommitdiffstats
path: root/src/kdc/kdc_preauth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/kdc/kdc_preauth.c')
-rw-r--r--src/kdc/kdc_preauth.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index db358d283b..cc957016ba 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1267,11 +1267,17 @@ verify_sam_response(context, client, request, enc_tkt_reply, pa)
#ifdef USE_RCACHE
{
krb5_donot_replay rep;
+ krb5_deltat rc_lifetime;
/*
* Verify this response came back in a timely manner.
* We do this b/c otherwise very old (expunged from the rcache)
* psr's would be able to be replayed.
*/
+ retval = krb5_rc_get_lifespan(kdc_context, kdc_rcache, &rc_lifetime);
+ if (retval) {
+ com_err("krb5kdc", retval, "while getting rcache lifespan");
+ goto cleanup;
+ }
if (timenow - psr->stime > rc_lifetime) {
com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
"SAM psr came back too late! -- replay attack?");
generated by cgit (git 2.34.1) at 2024-06-30 14:50:16 +0000