From ae0fee058ad883b2e82fa2b34f4e5f059e827a1b Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Wed, 14 Mar 2007 00:35:06 +0000 Subject: * include/k5-platform.h: Add load_{16,32,64}_n for loading values from (possibly unaligned) memory in native order. * lib/krb5/krb/get_in_tkt.c (krb5_get_init_creds): Fetch four random bytes from the crypto library and generate a 31-bit (non-negative) nonce, instead of using the timestamp. ticket: 5425 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19223 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/get_in_tkt.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'src/lib') diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 937cdc4c9f..81f97dac8c 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1084,8 +1084,21 @@ krb5_get_init_creds(krb5_context context, * XXX we know they are the same size... and we should do * something better than just the current time */ - request.nonce = (krb5_int32) time_now; - + { + unsigned char random_buf[4]; + krb5_data random_data; + + random_data.length = 4; + random_data.data = random_buf; + if (krb5_c_random_make_octets(context, &random_data) == 0) + /* See RT ticket 3196 at MIT. If we set the high bit, we + may have compatibility problems with Heimdal, because + we (incorrectly) encode this value as signed. */ + request.nonce = 0x7fffffff & load_32_n(random_buf); + else + /* XXX Yuck. Old version. */ + request.nonce = (krb5_int32) time_now; + } /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); ret = encode_krb5_kdc_req_body(&request, &encoded_request_body); -- cgit