7f06579f48
- backport patch to disable replay detection in krb5_verify_init_creds() while reading the AP-REQ that's generated in the same function (RT#7229)
commit f1783431cb8f146095067f5e2531e9155a8787bb
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed Apr 18 14:01:39 2012 -0400
Turn off replay cache in krb5_verify_init_creds()
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
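diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 14acb0a..e88a37f 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
 authcon = NULL;
 }
 
+ /* Build an auth context that won't bother with replay checks -- it's
+ * not as if we're going to mount a replay attack on ourselves here. */
+ ret = krb5_auth_con_init(context, &authcon);
+ if (ret)
+ goto cleanup;
+ ret = krb5_auth_con_setflags(context, authcon, 0);
+ if (ret)
+ goto cleanup;
+
 /* Verify the ap_req. */
 ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
 if (ret)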
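Review bot: The literal `0` passed to `krb5_auth_con_setflags()` clears every auth-context flag rather than naming the one being dropped (presumably the default `KRB5_AUTH_CONTEXT_DO_TIME`), and the added comment does not say why skipping replay detection is safe here. The safety argument depends on `ap_req` having been generated locally earlier in `get_vfy_cred()`, which is outside this hunk, so the comment should pin that precondition: `/* ap_req was built locally above, so a replay-cache hit can only be a false positive; never reuse this authcon for an AP-REQ received from a peer. */`. It is also worth confirming that the `cleanup` label, which is not visible here, frees `authcon` when `krb5_auth_con_setflags()` fails after a successful `krb5_auth_con_init()`.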