Diffusion FreeBSD src repository b1b256dd0f4d

heimdal: always confirm PA-PKINIT-KX for anon PKINIT
b1b256dd0f4d
Actions

Description

heimdal: always confirm PA-PKINIT-KX for anon PKINIT

Import upstream 38c797e1a.

Upstream notes:

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used.  Failure to do so can
permit an active attacker to become a man-in-the-middle.

Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098

(cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)

Details

Provenance

cy	Authored on Feb 15 2024, 1:58 AM

Parents

rG5482dc8b9eaf: Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

Branches

Unknown

Tags

Unknown

Event Timeline

cy committed rGb1b256dd0f4d: heimdal: always confirm PA-PKINIT-KX for anon PKINIT (authored by cy).Feb 21 2024, 1:42 PM

Changes (2)

Path

Size

crypto/

heimdal/

lib/

krb5/

krb5_locl.h

pkinit.c

rGb1b256dd0f4d

View Options

crypto/heimdal/lib/krb5/krb5_locl.h