Don't set ctime in KDC error replies

Setting the error ctime field to the client nonce assumes that the
client used its system time as the nonce, which is not recommended by
RFC 1510 and is prohibited by RFC 4120.  Omit the field instead, by
setting the structure field to 0.

ticket: 8610 (new)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8cfb4ef82f5495485c11ad9aefc13a2e2310f721..7c8da63e1861ac7d492020fef5cc6d8bcf601e90 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -840,7 +840,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
         e_data[count] = cookie;
     }
 
-    errpkt.ctime = request->nonce;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b9b1073fd44b0f61dfb6906622261952fa622c56..cc5a6923629a111cf07c63897881652f6c1437b6 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -896,7 +896,7 @@ prepare_error_tgs (struct kdc_request_state *state,
     kdc_realm_t *kdc_active_realm = state->realm_data;
 
     errpkt.magic = KV5M_ERROR;
-    errpkt.ctime = request->nonce;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,