CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
heimdal: always confirm PA-PKINIT-KX for anon PKINIT
author: Cy Schubert <cy@FreeBSD.org>
Thu, 15 Feb 2024 01:58:06 +0000 (17:58 -0800)
committer: Cy Schubert <cy@FreeBSD.org>
Wed, 21 Feb 2024 14:01:48 +0000 (06:01 -0800)
commit: 9f2e70a87d6ed48df418e1f7a3ccc09b469c2dad
tree: 495e13d3e737bb8d39a512b29151db18200db98d
parent: 776fe3ce57994f404a12a7b74e27fb50d6d530af
heimdal: always confirm PA-PKINIT-KX for anon PKINIT

Import upstream 38c797e1a.

Upstream notes:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
    exchange when anonymous PKINIT is used.  Failure to do so can
    permit an active attacker to become a man-in-the-middle.

Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098
MFS requested by: re (cperciva)
Approved by:  re (cperciva)

(cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)
(cherry picked from commit a311b9d70863f78c232d5622ee579c6cd45bb1d8)
crypto/heimdal/lib/krb5/krb5_locl.h
crypto/heimdal/lib/krb5/pkinit.c