[krbdev.mit.edu #6587] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue Jan 12 18:04:33 EST 2010
Pull up r23492 from branches/anonymous.
------------------------------------------------------------------------
r23492 | hartmans | 2009-12-23 16:09:50 -0500 (Wed, 23 Dec 2009) | 17 lines
Subject: ad-initial-verified-cas logic broken
ticket: 6587
status: open
In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas. In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements. Nothing looked at the
authorization data in 1.6.3 so this was not noticed. However in 1.7,
the FAST implementation looks for authorization data. In 1.8 several
more parts of the KDC examine authorization data. The net result is
that the KDC fails to process the TGT it issues.
However on top of this bug, there is a spec problem. For many of its
intended uses, ad-initial-verified-cas needs to be integrity
protected by the KDC in order to prevent a client from injecting it.
So, it should be contained in kdc-issued not ad-if-relevant.
For now we're simply removing the generation of this AD element until
the spec is clarified.
------------------------------------------------------------------------
http://src.mit.edu/fisheye/changelog/krb5/?cs=23654
Commit By: tlyu
Revision: 23654
Changed Files:
U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
More information about the krb5-bugs
mailing list