From: ghudson@mit.edu
Subject: git commit

Use preauth timestamp in PKINIT clpreauth module

Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is
set.

Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp. But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.

https://github.com/krb5/krb5/commit/fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Author: Greg Hudson <ghudson@mit.edu>
Commit: fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Branch: master
src/plugins/preauth/pkinit/pkinit_clnt.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
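A toy model of the round trip the commit message describes, so the two claims can be checked side by side: that stamping the PKAuthenticator with the KDC's time lets a skewed client pass the clock-skew check, and that an attacker who feeds the client a future timestamp gains only a reply it cannot read. This is an added illustration and is not code from MIT krb5 or the commit itself; the 300-second clockskew, the Mersenne-prime Diffie-Hellman group, the SHA-256 key derivation, the XOR "encryption", the dict-shaped messages and the principal name "alice" are all constructed for the example, standing in for the real ASN.1 structures and PKINIT reply-key derivation.

```python
"""Toy model of the PKINIT preauth round trip (added example, not krb5 code).

Constructed assumptions: a 300 s clockskew, a tiny DH group, SHA-256-based
key derivation, XOR "encryption" and dicts in place of ASN.1 messages.
"""
import hashlib
import secrets

CLOCKSKEW = 300                     # assumed KDC clockskew, in seconds
P, G = 2**127 - 1, 5                # toy DH group, constructed for the example


def derive_key(shared_secret):
    # Stand-in for deriving the AS reply key from the DH shared secret
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_crypt(key, data):
    # Toy symmetric transform; keystream byte i = SHA-256(key || i)[0]
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0])
    return bytes(out)


class KDC:
    def __init__(self, clock):
        self.clock = clock            # the KDC's own notion of "now"

    def preauth_required(self):
        # KRB-ERROR carrying the KDC time (stime); unauthenticated without FAST
        return {"error": "KDC_ERR_PREAUTH_REQUIRED", "stime": self.clock}

    def as_req(self, req):
        # PKAuthenticator time must lie within the skew window (RFC 4556 3.2.3)
        if abs(req["pa_timestamp"] - self.clock) > CLOCKSKEW:
            return {"error": "KRB_AP_ERR_SKEW"}
        kdc_priv = secrets.randbelow(P - 2) + 1
        shared = pow(req["dh_public"], kdc_priv, P)
        ticket = b"TGT for " + req["cname"].encode()
        return {"dh_public": pow(G, kdc_priv, P),
                "enc_part": xor_crypt(derive_key(shared), ticket)}


class Client:
    def __init__(self, clock, kdc_timesync):
        self.clock = clock
        self.kdc_timesync = kdc_timesync
        self.offset = 0
        self.dh_priv = secrets.randbelow(P - 2) + 1   # never leaves the client

    def gen_req(self, err):
        # Models the commit's behaviour: with kdc_timesync the PKAuthenticator
        # is stamped with the KDC's time from the preauth-required error
        if self.kdc_timesync:
            self.offset = err["stime"] - self.clock
        return {"cname": "alice", "dh_public": pow(G, self.dh_priv, P),
                "pa_timestamp": self.clock + self.offset}

    def open_reply(self, rep):
        shared = pow(rep["dh_public"], self.dh_priv, P)
        return xor_crypt(derive_key(shared), rep["enc_part"])


def authenticate(client_skew, kdc_timesync, kdc_clock=1_000_000):
    """KDC verdict for a client whose clock is off by client_skew seconds."""
    kdc = KDC(kdc_clock)
    client = Client(kdc_clock + client_skew, kdc_timesync)
    rep = kdc.as_req(client.gen_req(kdc.preauth_required()))
    if "error" in rep:
        return rep["error"]
    return client.open_reply(rep).decode()


def induced_future_timestamp(lead=3600, kdc_clock=1_000_000):
    """Attacker forges stime `lead` seconds ahead, captures the request and
    replays it once the KDC's clock has caught up with that timestamp."""
    kdc = KDC(kdc_clock)
    client = Client(kdc_clock, kdc_timesync=True)
    forged_err = {"error": "KDC_ERR_PREAUTH_REQUIRED", "stime": kdc_clock + lead}
    req = client.gen_req(forged_err)          # PKAuthenticator dated in the future
    today = kdc.as_req(req)["error"]          # outside the skew window right now
    kdc.clock += lead                         # ...but in-window when replayed later
    rep = kdc.as_req(req)
    # The attacker holds only public values; guessing a DH private value is
    # the best it can do, and that does not recover the ticket
    guess = pow(rep["dh_public"], secrets.randbelow(P - 2) + 1, P)
    attacker_view = xor_crypt(derive_key(guess), rep["enc_part"])
    return today, "error" not in rep, client.open_reply(rep), attacker_view
```

`authenticate(600, False)` reproduces the pre-commit failure (a client ten minutes fast is refused with a skew error), while `authenticate(600, True)` succeeds because the client adopts the KDC's clock. `induced_future_timestamp()` shows the caveat from the commit message: the forged error makes the client sign a PKAuthenticator an hour ahead, the KDC refuses it today and accepts the replay later, but the issued reply is bound to the client's DH private value and is unreadable to whoever replayed it.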