[krbdev.mit.edu #8642] git commit

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Mar 19 20:01:23 EDT 2018


Always use AS-REP enctype in PKINIT client

The get_etype() callback originally only returned the AS-REP enctype
for PKINIT, but was changed for encrypted challenge to sometimes
return the enctype from etype-info.  (Encrypted challenge no longer
uses the callback; PKINIT is currently the only known consumer.)  Make
sure to always return the AS-REP enctype if an AS-REP has been
received, so that the PKINIT clpreauth module uses the correct enctype
even if the KDC sends a different enctype in etype-info in violation
of RFC 4120.

https://github.com/krb5/krb5/commit/0a9bd34b97ebf794b6ddbeb17c274623b445cca4
Author: Greg Hudson <ghudson at mit.edu>
Commit: 0a9bd34b97ebf794b6ddbeb17c274623b445cca4
Branch: master
 src/include/krb5/clpreauth_plugin.h |    7 +++----
 src/lib/krb5/krb/preauth2.c         |    6 +++++-
 2 files changed, 8 insertions(+), 5 deletions(-)


