Turn off replay cache in krb5_verify_init_creds()
authorNalin Dahyabhai <nalin@dahyabhai.net>
Wed, 18 Apr 2012 18:01:39 +0000 (14:01 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 6 Aug 2012 20:19:04 +0000 (16:19 -0400)
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.

ticket: 7229 (new)

src/lib/krb5/krb/vfy_increds.c

index 14acb0a444956907ec1826edfe29e00e6e815307..e88a37f80a9275c9b5992cf46791e4e207d5664c 100644 (file)
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         authcon = NULL;
     }
 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    ret = krb5_auth_con_init(context, &authcon);
+    if (ret)
+        goto cleanup;
+    ret = krb5_auth_con_setflags(context, authcon, 0);
+    if (ret)
+        goto cleanup;
+
     /* Verify the ap_req. */
     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
     if (ret)
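Review bot: The literal `0` passed to `krb5_auth_con_setflags()` clears every auth-context flag, not only the one behind replay checking, and the comment neither names that flag nor states the condition that makes dropping it safe. Skipping the replay cache is sound only while the `ap_req` handed to `krb5_rd_req()` was built by this same function moments earlier, which presumably happens above the hunk. If this `authcon` were ever reused for a request received from a peer, replays would go undetected. I would put that in the comment, e.g. `/* Clear KRB5_AUTH_CONTEXT_DO_TIME (set by default in krb5_auth_con_init): ap_req was generated locally just above, so a replay-cache hit could only be a false positive. Do not reuse this authcon for peer-supplied requests. */`. The body of `get_vfy_cred` starts and ends outside the hunk, so the `cleanup` path that should free `authcon` on these new `goto cleanup` exits is not visible here.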