[krbdev.mit.edu #9181] git commit
Greg Hudson via RT
rt at krbdev.mit.edu
Wed Aug 20 14:31:01 EDT 2025
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181 >

Fix GSS per-message token edge cases

Change g_verify_token_header() not to modify *in when the ASN.1 length
does not match the expected value. This edge case could result in
accepting an invalid ASN.1 wrapper when processing an RFC 1964 MIC or
wrap token.

Change decrypt_v3() to return GSS_S_BAD_SIG instead of GSS_S_FAILURE
when decryption fails, for specificity and consistency with previous
versions.

(cherry picked from commit a82922e097563aed650f9a3b17a52e3df12aa49b)

https://github.com/krb5/krb5/commit/39505dd399e35ff2812304073e54cac017667698
Author: Greg Hudson <ghudson at mit.edu>
Commit: 39505dd399e35ff2812304073e54cac017667698
Branch: krb5-1.22
src/lib/gssapi/generic/util_token.c | 5 +-
src/lib/gssapi/krb5/unwrap.c | 2 +-
src/tests/gssapi/t_invalid.c | 177 +++++++++++++++++++++++++++++++++---
3 files changed, 167 insertions(+), 17 deletions(-)
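
The parsing rule named in the first paragraph of the commit message, as an added example (not krb5 source code): a header check that works on a copy of the caller's position and writes it back only when every check passes, so a token whose ASN.1 length is wrong leaves the caller's view of the input unchanged. `struct cursor`, `get_der_len()`, `strip_wrapper()` and the sample tokens are constructed for illustration; the framing (0x60, DER length, mechanism OID) is the generic GSS-API token wrapper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical input cursor for this example (not a krb5 type). */
struct cursor { const uint8_t *p; size_t len; };

/* DER contents of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2. */
#define KRB5_OID 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
static const uint8_t KRB5_MECH[] = { KRB5_OID };
/* Constructed samples; BAD_LEN declares 12 body octets where 13 follow. */
static const uint8_t GOOD[] = { 0x60, 0x0d, 0x06, 0x09, KRB5_OID, 0x01, 0x01 };
static const uint8_t BAD_LEN[] = { 0x60, 0x0c, 0x06, 0x09, KRB5_OID, 0x01, 0x01 };

/* Read a definite DER length of at most four octets; return 0 on failure. */
static int get_der_len(struct cursor *c, size_t *out)
{
    size_t n, v;
    if (c->len < 1)
        return 0;
    v = *c->p++; c->len--;
    if (v >= 0x80) {            /* long form: low bits count length octets */
        n = v & 0x7f;
        if (n == 0 || n > 4 || n > c->len)
            return 0;
        for (v = 0; n > 0; n--, c->len--)
            v = (v << 8) | *c->p++;
    }
    *out = v;
    return 1;
}

/* Strip the wrapper; advance *in only if every check passes (mlen < 128). */
static int strip_wrapper(struct cursor *in, const uint8_t *mech, size_t mlen)
{
    struct cursor c = *in;      /* parse a copy, not the caller's cursor */
    size_t len;
    if (c.len < 1 || *c.p != 0x60)
        return 0;
    c.p++; c.len--;
    if (!get_der_len(&c, &len) || len != c.len)
        return 0;               /* length mismatch: *in is left untouched */
    if (c.len < 2 + mlen || c.p[0] != 0x06 || (size_t)c.p[1] != mlen ||
        memcmp(c.p + 2, mech, mlen) != 0)
        return 0;
    c.p += 2 + mlen; c.len -= 2 + mlen;
    *in = c;                    /* commit the new position on success only */
    return 1;
}
```

A caller that goes on to read the token from `in` after a failed check sees the original bytes from the start, not a position partway into a wrapper that was never validated.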