Turn off replay cache in krb5_verify_init_creds()

The library isn't attempting a replay attack on itself, so any detected replays are only going to be false-positives. ticket: 7229 (new)
author: Nalin Dahyabhai <nalin@dahyabhai.net> 2012-04-18 14:01:39 -0400
committer: Greg Hudson <ghudson@mit.edu> 2012-08-06 16:19:04 -0400
commit: f1783431cb8f146095067f5e2531e9155a8787bb (patch)
tree: d8fd0a3160171d88694103f99eb11e8b43c15c7b /src/lib
parent: 22881a18581623cd4742d9197c90b106645d67a9 (diff)
download: krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.gz
krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.xz
krb5-f1783431cb8f146095067f5e2531e9155a8787bb.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 14acb0a44..e88a37f80 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         authcon = NULL;
     }
 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    ret = krb5_auth_con_init(context, &authcon);
+    if (ret)
+        goto cleanup;
+    ret = krb5_auth_con_setflags(context, authcon, 0);
+    if (ret)
+        goto cleanup;
+
     /* Verify the ap_req. */
     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
     if (ret)
author	Nalin Dahyabhai <nalin@dahyabhai.net>	2012-04-18 14:01:39 -0400
committer	Greg Hudson <ghudson@mit.edu>	2012-08-06 16:19:04 -0400
commit	f1783431cb8f146095067f5e2531e9155a8787bb (patch)
tree	d8fd0a3160171d88694103f99eb11e8b43c15c7b /src/lib
parent	22881a18581623cd4742d9197c90b106645d67a9 (diff)
download	krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.gz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.tar.xz krb5-f1783431cb8f146095067f5e2531e9155a8787bb.zip