oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make KRB5SignedPath less fragile, only sign trivial parts of the encTicketPart

Browse Source 
Sign the client and auth time (like its done in the PAC) and let that
be ehough for now. Add a Typed hole so that we don't break wireprotocol
next time.
This commit is contained in:
Love Hornquist Astrand
2009-08-12 23:05:36 +02:00
parent 1011050f65
commit c1a54a5e37
3 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/asn1/krb5.asn1
View File

@@ -645,8 +645,10 @@ PA-S4U2Self ::= SEQUENCE {
-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
encticket[0] EncTicketPart,
delegated[1] Principals OPTIONAL
client[0] Principal OPTIONAL,
authtime[1] KerberosTime,
delegated[2] Principals OPTIONAL,
method_data[3] METHOD-DATA OPTIONAL
}
KRB5SignedPath ::= SEQUENCE {
@@ -655,7 +657,8 @@ KRB5SignedPath ::= SEQUENCE {
etype[0] ENCTYPE,
cksum[1] Checksum,
-- srvs delegated though
delegated[2] Principals OPTIONAL
delegated[2] Principals OPTIONAL,
method_data[3] METHOD-DATA OPTIONAL
}
PA-ClientCanonicalizedNames ::= SEQUENCE{