https://orpheus-lyre.info/design/index.html

6dd3eb836b In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. XXX: pullup 6, 7, 8.
2017-07-11 17:45:31 +00:00 · 2017-07-11 17:45:31 +00:00 · 5dd54c880f
commit 5dd54c880f
parent b04f4542f2
1 changed files with 3 additions and 3 deletions
--- a/crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c
+++ b/crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ticket.c,v 1.2 2017/01/28 21:31:49 christos Exp $	*/
+/*	$NetBSD: ticket.c,v 1.3 2017/07/11 17:45:31 christos Exp $	*/

 /*
 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
@ -707,8 +707,8 @@ _krb5_extract_ticket(krb5_context context,
    /* check server referral and save principal */
    ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.realm);
    if (ret)
 	goto out;
    if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){