From: Thomas Calderon Date: Fri, 6 Feb 2015 14:55:34 +0000 (+0100) Subject: Check timestamp in PKINIT kdcpreauth module X-Git-Tag: krb5-1.14-alpha1~161 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54984d618e01027abe73e6772fe7049c79938518;p=thirdparty%2Fkrb5.git Check timestamp in PKINIT kdcpreauth module RFC 4556 requires the KDC to check the PKAuthenticator timestamp in order to prevent replays after the five-minute clock skew window. (A replay attack has minimal value; it only causes the KDC to issue a ticket which an attacker cannot decrypt.) [ghudson@mit.edu: rewrote commit message; squashed with typo fix; style fixes] ticket: 8123 (new) --- diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 5639fca951..b472741293 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -429,6 +429,11 @@ pkinit_server_verify_padata(krb5_context context, goto cleanup; } + retval = krb5_check_clockskew(context, + auth_pack->pkAuthenticator.ctime); + if (retval) + goto cleanup; + /* check dh parameters */ if (auth_pack->clientPublicValue != NULL) { retval = server_check_dh(context, plgctx->cryptoctx,
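Review bot: The new krb5_check_clockskew() call placed just before the "check dh parameters" block carries no comment, unlike the block that follows it; a one-line comment noting that this is the PKAuthenticator timestamp check required by RFC 4556 would keep the rationale from the commit message in the code. Only pkAuthenticator.ctime is passed in, so the check bounds the age of a request and does not by itself reject a replay sent inside the skew window; that matches the commit message's "after the five-minute clock skew window", but it is worth saying in the comment so the check is not later mistaken for full replay detection. The diff touches only pkinit_srv.c, so consider adding a test that submits a request with a stale PKAuthenticator timestamp and confirms the KDC rejects it.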