
heimdal: always confirm PA-PKINIT-KX for anon PKINIT

Description


Import upstream 38c797e1a.

Upstream notes:

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
exchange when anonymous PKINIT is used. Failure to do so can
permit an active attacker to become a man-in-the-middle.

Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098

(cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)

Details

Provenance
Authored by cy on Feb 15 2024, 1:58 AM
Parents
rG143a962d0e87: Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum