Diffusion FreeBSD src repository 9f2e70a87d6e

heimdal: always confirm PA-PKINIT-KX for anon PKINIT
9f2e70a87d6e
Actions

Description

heimdal: always confirm PA-PKINIT-KX for anon PKINIT

Import upstream 38c797e1a.

Upstream notes:

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used.  Failure to do so can
permit an active attacker to become a man-in-the-middle.

Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098
MFS requested by: re (cperciva)
Approved by: re (cperciva)

(cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)
(cherry picked from commit a311b9d70863f78c232d5622ee579c6cd45bb1d8)

Details

Provenance

cy	Authored on Feb 15 2024, 1:58 AM

Parents

rG776fe3ce5799: Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

Branches

Unknown

Tags

Unknown

Event Timeline

cy committed rG9f2e70a87d6e: heimdal: always confirm PA-PKINIT-KX for anon PKINIT (authored by cy).Feb 21 2024, 2:01 PM

Changes (2)

Path

Size

crypto/

heimdal/

lib/

krb5/

krb5_locl.h

pkinit.c

rG9f2e70a87d6e

View Options

crypto/heimdal/lib/krb5/krb5_locl.h