author | Greg Hudson <ghudson@mit.edu> | 2022-12-22 03:05:23 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-01-24 02:42:58 -0500 |
commit | 4602a10dbe380d75d1ec00f7d34479ac9d503735 (patch) | |
tree | 28ced82101154c459d0b576fbeec38b736b81b22 /doc/appdev | |
parent | 1b57a4d134bbd0e7c52d5885a92eccc815726463 (diff) | |
Add PAC full checksums

A paper by Tom Tervoort noted that computing the PAC privsvr checksum
over only the server checksum is vulnerable to collision attacks
(CVE-2022-37967). In response, Microsoft has added a second KDC
checksum over the full contents of the PAC. Generate and verify full
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
test case to use a ticket issued by a recent version of Active
Directory (provided by Stefan Metzmacher).

ticket: 9084 (new)
Diffstat (limited to 'doc/appdev')
-rw-r--r-- | doc/appdev/refs/macros/index.rst | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst index a0d4f26..db98918 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -248,6 +248,7 @@ Public KRB5_PAC_SERVER_CHECKSUM.rst KRB5_PAC_TICKET_CHECKSUM.rst KRB5_PAC_UPN_DNS_INFO.rst + KRB5_PAC_FULL_CHECKSUM.rst KRB5_PADATA_AFS3_SALT.rst KRB5_PADATA_AP_REQ.rst KRB5_PADATA_AS_CHECKSUM.rst |
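Review bot: KRB5_PAC_FULL_CHECKSUM.rst is inserted after KRB5_PAC_UPN_DNS_INFO.rst, which puts it out of alphabetical order relative to the visible KRB5_PAC_* neighbours (SERVER_CHECKSUM, TICKET_CHECKSUM, UPN_DNS_INFO). If this index is meant to stay sorted, move the entry ahead of KRB5_PAC_SERVER_CHECKSUM.rst; if the list follows some other ordering rule, say so in the commit message so the placement is not "corrected" later. The diffstat shown is limited to doc/appdev and this hunk only adds the index entry, so also confirm outside this view that the KRB5_PAC_FULL_CHECKSUM.rst page it points to exists or is produced by the doc build, otherwise the index carries a dangling reference.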