From aff489766e8541bee59d0aa7b9cc7e62f5ca8232 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 29 Aug 2017 11:19:36 -0400
Subject: [PATCH] Don't set ctime in KDC error replies

Setting the error ctime field to the client nonce assumes that the
client used its system time as the nonce, which is not recommended by
RFC 1510 and is prohibited by RFC 4120.  Omit the field instead, by
setting the structure field to 0.

ticket: 8610 (new)
---
 src/kdc/do_as_req.c  | 2 +-
 src/kdc/do_tgs_req.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8cfb4ef82f..7c8da63e18 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -840,7 +840,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
         e_data[count] = cookie;
     }
 
-    errpkt.ctime = request->nonce;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b9b1073fd4..cc5a692362 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -896,7 +896,7 @@ prepare_error_tgs (struct kdc_request_state *state,
     kdc_realm_t *kdc_active_realm = state->realm_data;
 
     errpkt.magic = KV5M_ERROR;
-    errpkt.ctime = request->nonce;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
-- 
2.47.2