authorGreg Hudson <ghudson@mit.edu>2017-08-29 11:19:36 -0400
committerGreg Hudson <ghudson@mit.edu>2017-08-29 11:19:36 -0400
commitaff489766e8541bee59d0aa7b9cc7e62f5ca8232 (patch)
treeb90461dffb46949de43f86df83728734dd81c419
parent56f7b1bc95a2a3eeb420e069e7655fb181ade5cf (diff)
Don't set ctime in KDC error replies
Setting the error ctime field to the client nonce assumes that the client used its system time as the nonce, which is not recommended by RFC 1510 and is prohibited by RFC 4120. Omit the field instead, by setting the structure field to 0. ticket: 8610 (new)
-rw-r--r--src/kdc/do_as_req.c2
-rw-r--r--src/kdc/do_tgs_req.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8cfb4ef..7c8da63 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -840,7 +840,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
e_data[count] = cookie;
}
- errpkt.ctime = request->nonce;
+ errpkt.ctime = 0;
errpkt.cusec = 0;
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
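Review bot: The new `errpkt.ctime = 0;` in prepare_error_as has no comment saying that 0 means "leave this optional field out of the reply" rather than a real timestamp, so a later edit could easily restore the nonce echo. I would put `/* 0 omits ctime; the nonce is not a client timestamp (RFC 4120), so do not echo it here. */` above it, and the same comment above the identical line in prepare_error_tgs (src/kdc/do_tgs_req.c). The neighbouring `errpkt.cusec = 0;` presumably relies on the same convention, which the comment could cover as well. The diffstat lists no test change, so a check that the encoded KRB-ERROR carries no ctime would be worth adding if the test suite can inspect error replies. Both functions start and end outside their hunks.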
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b9b1073..cc5a692 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -896,7 +896,7 @@ prepare_error_tgs (struct kdc_request_state *state,
kdc_realm_t *kdc_active_realm = state->realm_data;
errpkt.magic = KV5M_ERROR;
- errpkt.ctime = request->nonce;
+ errpkt.ctime = 0;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,