[11258] in Kerberos-V5-bugs


[krbdev.mit.edu #6587] SVN Commit

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Wed Dec 23 16:10:21 2009

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Sam Hartman via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6587@krbdev.mit.edu>
Message-ID: <rt-6587-31935.19.6405421344777@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6587'":;"'AdminCc of krbdev.mit.edu Ticket #6587'":;@MIT.EDU
Date: Wed, 23 Dec 2009 21:09:50 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas.  In particular, it
assumes that ad-if-relevant takes a single authorization data element,
not a sequence of authorization data elements.  Nothing looked at the
authorization data in 1.6.3, so this was not noticed.  However, in 1.7,
the FAST implementation looks for authorization data.  In 1.8 several
more parts of the KDC examine authorization data.  The net result is
that the KDC fails to process the TGT it issues.

However, on top of this bug, there is a spec problem.  For many of its intended uses, ad-initial-verified-cas needs to be integrity protected by the KDC in order to prevent a client from injecting it.  So, it should be contained in kdc-issued, not ad-if-relevant.

For now we're simply removing the generation of this AD element until the spec is clarified.

http://src.mit.edu/fisheye/changelog/krb5/?cs=23492
Commit By: hartmans
Revision: 23492
Changed Files:
U   branches/anonymous/src/plugins/preauth/pkinit/pkinit_srv.c

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
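The encoding mistake the ticket describes is easiest to see in bytes. The following is an added illustration, not code from the ticket or from MIT krb5: a minimal hand-rolled DER encoder for the Kerberos AuthorizationData structures, a "correct" and a "buggy" AD-IF-RELEVANT wrapper, and a strict decoder of the kind a consumer such as the 1.7 FAST code would need. The ad-type numbers (AD-IF-RELEVANT = 1, AD-KDC-ISSUED = 4 from RFC 4120; AD-INITIAL-VERIFIED-CAS = 9 from RFC 4556) are not on the page and are taken from those RFCs; the ad-data payload is a constructed placeholder string, not a real AD-INITIAL-VERIFIED-CAS encoding.

```python
"""Added example: why ad-if-relevant must carry a SEQUENCE OF elements.

RFC 4120 defines (Kerberos uses explicit tagging):
    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type [0] Int32,
        ad-data [1] OCTET STRING }
    AD-IF-RELEVANT ::= AuthorizationData
so the ad-data of an AD-IF-RELEVANT element is itself a SEQUENCE OF
elements, never a single bare element.
"""

# ad-type values from RFC 4120 / RFC 4556 (assumption: not on the ticket page)
AD_IF_RELEVANT = 1
AD_KDC_ISSUED = 4
AD_INITIAL_VERIFIED_CAS = 9

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
CTX0, CTX1 = 0xA0, 0xA1  # explicit context tags [0] and [1]


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER encoding."""
    length = 1
    while not (-(1 << (8 * length - 1)) <= v < (1 << (8 * length - 1))):
        length += 1
    return tlv(INTEGER, v.to_bytes(length, "big", signed=True))


def ad_element(ad_type: int, ad_data: bytes) -> bytes:
    """One AuthorizationDataElement: SEQUENCE { [0] Int32, [1] OCTET STRING }."""
    return tlv(SEQUENCE, tlv(CTX0, der_int(ad_type)) + tlv(CTX1, tlv(OCTET_STRING, ad_data)))


def authorization_data(elements: list) -> bytes:
    """AuthorizationData: SEQUENCE OF AuthorizationDataElement."""
    return tlv(SEQUENCE, b"".join(elements))


def correct_if_relevant(inner: bytes) -> bytes:
    """Spec-conformant: ad-data holds a SEQUENCE OF (here, one) element."""
    return ad_element(AD_IF_RELEVANT, authorization_data([inner]))


def buggy_if_relevant(inner: bytes) -> bytes:
    """The mistake described in the ticket: ad-data holds a bare element."""
    return ad_element(AD_IF_RELEVANT, inner)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, end) for the TLV starting at pos; reject truncation."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_element(buf: bytes):
    """Strictly decode one AuthorizationDataElement into (ad_type, ad_data)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("expected a single SEQUENCE (AuthorizationDataElement)")
    t0, b0, pos = read_tlv(body, 0)
    ti, bi, _ = read_tlv(b0, 0)
    if t0 != CTX0 or ti != INTEGER:
        raise ValueError("ad-type [0] Int32 missing")
    t1, b1, pos = read_tlv(body, pos)
    td, bd, _ = read_tlv(b1, 0)
    if t1 != CTX1 or td != OCTET_STRING or pos != len(body):
        raise ValueError("ad-data [1] OCTET STRING missing or trailing data")
    return int.from_bytes(bi, "big", signed=True), bd


def decode_authorization_data(buf: bytes) -> list:
    """Strictly decode AuthorizationData (SEQUENCE OF elements)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("AuthorizationData must be a SEQUENCE OF")
    pos, elems = 0, []
    while pos < len(body):
        _, _, nxt = read_tlv(body, pos)
        elems.append(decode_element(body[pos:nxt]))  # fails on a bare [0] tag
        pos = nxt
    return elems


def unwrap_if_relevant(elem: bytes) -> list:
    """Decode an AD-IF-RELEVANT element into the elements it contains."""
    ad_type, ad_data = decode_element(elem)
    if ad_type != AD_IF_RELEVANT:
        raise ValueError("not an AD-IF-RELEVANT element")
    return decode_authorization_data(ad_data)


def is_well_formed_if_relevant(elem: bytes) -> bool:
    """True if the wrapper parses as the spec requires; False on the ticket's bug."""
    try:
        unwrap_if_relevant(elem)
        return True
    except ValueError:
        return False
```

Running `unwrap_if_relevant` over the buggy form fails at the first contained TLV, because the bare element's body starts with the explicit `[0]` tag where a SEQUENCE OF expects another SEQUENCE; that is the shape of failure the ticket reports once 1.7's FAST code started actually decoding the authorization data.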
