From f1783431cb8f146095067f5e2531e9155a8787bb Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 18 Apr 2012 14:01:39 -0400
Subject: Turn off replay cache in krb5_verify_init_creds()

The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.

ticket: 7229 (new)
---
 src/lib/krb5/krb/vfy_increds.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 14acb0a444..e88a37f80a 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         authcon = NULL;
     }
 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    ret = krb5_auth_con_init(context, &authcon);
+    if (ret)
+        goto cleanup;
+    ret = krb5_auth_con_setflags(context, authcon, 0);
+    if (ret)
+        goto cleanup;
+
     /* Verify the ap_req. */
     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
     if (ret)
-- 
cgit