Check timestamp in PKINIT kdcpreauth module

RFC 4556 requires the KDC to check the PKAuthenticator timestamp in order to prevent replays after the five-minute clock skew window. (A replay attack has minimal value; it only causes the KDC to issue a ticket which an attacker cannot decrypt.) [ghudson@mit.edu: rewrote commit message; squashed with typo fix; style fixes] ticket: 8123 (new)
krb5 · Feb 19, 2015 · 54984d6 · 54984d6
1 parent 60516bb
commit 54984d6
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -429,6 +429,11 @@ pkinit_server_verify_padata(krb5_context context,
             goto cleanup;
         }
 
+        retval = krb5_check_clockskew(context,
+                                      auth_pack->pkAuthenticator.ctime);
+        if (retval)
+            goto cleanup;
+
         /* check dh parameters */
         if (auth_pack->clientPublicValue != NULL) {
             retval = server_check_dh(context, plgctx->cryptoctx,