]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4bc0770) | patch
ad-initial-verified-cas logic broken
authorSam Hartman <hartmans@mit.edu>
Wed, 23 Dec 2009 21:09:50 +0000 (21:09 +0000)
committerSam Hartman <hartmans@mit.edu>
Wed, 23 Dec 2009 21:09:50 +0000 (21:09 +0000)
commit4f8a0a259a82af2f89cbb00092cff9a480ebcfd8
tree9c1f2d2cea1cf860ed2a025baff000fa126e42bdtree
parent4bc0770ed397b04b06bc021d1aed1fc5c5b87c0bcommit | diff
ad-initial-verified-cas logic broken

In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas.  In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements.  Nothing looked at the
authorization data in 1.6.3 so this was not noticed.  However in 1.7,
the FAST implementation looks for authorization data.  In 1.8 several
more parts of the KDC examine authorization data.  The net result is
that the KDC fails to process the TGT it issues.

However on top of this bug, there is a spec problem.  For many of its intended uses, ad-initial-verified-cas needs to be integrity protected by the KDC in order to prevent a client from injecting it.  So, it should be contained in kdc-issued not ad-if-relevant.

For now we're simply removing the generation of this AD element until the spec is clarified.

ticket: 6587
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23492 dc483132-0cff-0310-8789-dd5450dbe970
src/plugins/preauth/pkinit/pkinit_srv.c diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git