This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new c48ae4bfdf Extend clock-skew protection
c48ae4bfdf is described below
commit c48ae4bfdfa4490de65603b361331346482ed776
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 17 18:53:39 2026 +0100
Extend clock-skew protection
---
.../tribes/group/interceptors/EncryptInterceptor.java | 11 +++++------
webapps/docs/config/cluster-interceptor.xml | 11 ++++++-----
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index 0616ab03c0..7d48f51ce9 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -160,12 +160,7 @@ public class EncryptInterceptor extends
ChannelInterceptorBase implements Encryp
if (data.length < 8) {
throw new
GeneralSecurityException(sm.getString("encryptInterceptor.decrypt.error.short-message"));
}
- /*
- * This is trusted since it was encrypted.
- *
- * Excessive clock skew will cause problems here. Can't address
that without creating risks of replay
- * attacks.
- */
+ // Time stamp is trusted since it was encrypted.
long trustedTimstamp = XByteBuffer.toLong(data, 0);
if (!encryptionManager.checkIncomingMessage(encryptedData,
trustedTimstamp)) {
log.error(sm.getString("encryptInterceptor.decrypt.replay"));
@@ -568,6 +563,10 @@ public class EncryptInterceptor extends
ChannelInterceptorBase implements Encryp
if (messageTimestamp < (System.currentTimeMillis() -
replayWindowTime)) {
return false;
}
+ // Shouldn't happen but provide some mitigation against excessive
clock skew.
+ if (messageTimestamp > (System.currentTimeMillis() +
replayWindowTime)) {
+ return false;
+ }
if (messageTimestamp <= lastRemovedTimestamp) {
return false;
}
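Review bot: The added upper-bound test `messageTimestamp > (System.currentTimeMillis() + replayWindowTime)` can wrap negative when `replayWindowTime` is set very large, and every message would then be rejected; this assumes the field is a `long` of milliseconds, since its declaration is outside the hunk. Reading the clock once and comparing by difference avoids the wrap and keeps both bounds on the same instant: `long now = System.currentTimeMillis();` then `if (messageTimestamp - now > replayWindowTime) { return false; }`, with the existing lower bound rewritten to use `now` as well. If this method is the `checkIncomingMessage` called in the first hunk, a future-dated message is also logged under `encryptInterceptor.decrypt.replay`, so an operator investigating clock skew sees a replay error; a separate message key for the skew case would make it easier to diagnose. The enclosing method starts and ends outside the hunk.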
diff --git a/webapps/docs/config/cluster-interceptor.xml
b/webapps/docs/config/cluster-interceptor.xml
index 9b26c8ed73..cdb623e8c7 100644
--- a/webapps/docs/config/cluster-interceptor.xml
+++ b/webapps/docs/config/cluster-interceptor.xml
@@ -244,11 +244,12 @@
AES-128, 32 bytes / 64 characters / 256 bits for AES-256, etc.).</p>
</attribute>
<attribute name="replayWindowTime" required="false">
- <p>Messages with a timestamp before the current time less this window
- will be rejected. This needs to account for clock skew across the
cluster
- as well as the expected maximum delay between messages being sent and
- received. Specified in milliseconds. If not specified, the default value
- of 10000 (10 seconds) will be used.</p>
+ <p>Messages with a timestamp before the current time less this window or
+ after the current time plus this window will be rejected. This window
+ needs to account for clock skew across the cluster as well as the
+ expected maximum delay between messages being sent and received.
+ Specified in milliseconds. If not specified, the default value of 10000
+ (10 seconds) will be used.</p>
</attribute>
<attribute name="replayWindowMessageCount" required="false">
<p>The number of past messages for which the nonces will be tracked to