diff options
author | Greg Hudson <ghudson@mit.edu> | 2017-08-29 11:19:36 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2017-08-29 11:19:36 -0400 |
commit | aff489766e8541bee59d0aa7b9cc7e62f5ca8232 (patch) | |
tree | b90461dffb46949de43f86df83728734dd81c419 | |
parent | 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf (diff) | |
download | krb5-aff489766e8541bee59d0aa7b9cc7e62f5ca8232.zip krb5-aff489766e8541bee59d0aa7b9cc7e62f5ca8232.tar.gz krb5-aff489766e8541bee59d0aa7b9cc7e62f5ca8232.tar.bz2 |
Don't set ctime in KDC error replies
Setting the error ctime field to the client nonce assumes that the
client used its system time as the nonce, which is not recommended by
RFC 1510 and is prohibited by RFC 4120. Omit the field instead, by
setting the structure field to 0.
ticket: 8610 (new)
-rw-r--r-- | src/kdc/do_as_req.c | 2 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 8cfb4ef..7c8da63 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -840,7 +840,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, e_data[count] = cookie; } - errpkt.ctime = request->nonce; + errpkt.ctime = 0; errpkt.cusec = 0; retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index b9b1073..cc5a692 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -896,7 +896,7 @@ prepare_error_tgs (struct kdc_request_state *state, kdc_realm_t *kdc_active_realm = state->realm_data; errpkt.magic = KV5M_ERROR; - errpkt.ctime = request->nonce; + errpkt.ctime = 0; errpkt.cusec = 0; if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, |