krb5: always confirm PA-PKINIT-KX for anon PKINIT

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange
when anonymous PKINIT is used.  Failure to do so can permit an active
attacker to become a man-in-the-middle.

Introduced by a1ef548600.  First tagged
release Heimdal 1.4.0.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
Luke Howard
2019-05-07 13:15:15 +10:00
committed by Jeffrey Altman
parent c6257cc2c8
commit 38c797e1ae
3 changed files with 113 additions and 0 deletions

@@ -2280,6 +2280,26 @@ krb5_init_creds_step(krb5_context context,
&ctx->req_buffer,
NULL,
NULL);
if (ret == 0 && ctx->pk_init_ctx) {
PA_DATA *pa_pkinit_kx;
int idx = 0;
pa_pkinit_kx =
krb5_find_padata(rep.kdc_rep.padata->val,
rep.kdc_rep.padata->len,
KRB5_PADATA_PKINIT_KX,
&idx);
ret = _krb5_pk_kx_confirm(context, ctx->pk_init_ctx,
ctx->fast_state.reply_key,
&ctx->cred.session,
pa_pkinit_kx);
if (ret)
krb5_set_error_message(context, ret,
N_("Failed to confirm PA-PKINIT-KX", ""));
else if (pa_pkinit_kx != NULL)
ctx->ic_flags |= KRB5_INIT_CREDS_PKINIT_KX_VALID;
}
if (ret == 0)
ret = copy_EncKDCRepPart(&rep.enc_part, &ctx->enc_part);
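Review bot: `rep.kdc_rep.padata` is an OPTIONAL field of KDC-REP and is dereferenced here without a NULL check (`rep.kdc_rep.padata->val`, `rep.kdc_rep.padata->len`), so a reply carrying no pre-authentication data at all would crash the client instead of failing the confirmation; guard the new block with `if (ret == 0 && ctx->pk_init_ctx && rep.kdc_rep.padata != NULL)` and, for the anonymous case, treat absent padata as a failed PA-PKINIT-KX check rather than skipping it. The `else if (pa_pkinit_kx != NULL)` branch also shows that `_krb5_pk_kx_confirm` is expected to accept a NULL `pa_pkinit_kx` (the non-anonymous case where the KDC sends none); since the whole point of the change is that anonymous PKINIT must reject a missing PA-PKINIT-KX, a comment at the call site stating that `_krb5_pk_kx_confirm` is the one responsible for returning an error when the request was anonymous and `pa_pkinit_kx` is NULL would make that contract visible to readers of this hunk, who cannot see the other two changed files.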