| commit | 38c797e1ae9b9c8f99ae4aa2e73957679031fd2b | |
| author | Luke Howard <lukeh@padl.com> | |
| Tue, 7 May 2019 03:15:15 +0000 (7 13:15 +1000) | ||
| committer | Jeffrey Altman <jaltman@auristor.com> | |
| Tue, 14 May 2019 19:52:24 +0000 (14 15:52 -0400) | ||
| tree | 6416126fc0f8127ce3036167291c143e178db9d7 | treesnapshot (tar.gz zip) |
| parent | c6257cc2c842c0faaeb4ef34e33890ee88c4cbba | commitdiff |
krb5: always confirm PA-PKINIT-KX for anon PKINIT
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Introduced by a1ef548600c5bb51cf52a9a9ea12676506ede19f. First tagged
release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)
Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Introduced by a1ef548600c5bb51cf52a9a9ea12676506ede19f. First tagged
release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)
Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
| lib/krb5/init_creds_pw.c | diffblobblamehistory | |
| lib/krb5/krb5_locl.h | diffblobblamehistory | |
| lib/krb5/pkinit.c | diffblobblamehistory |