Add PAC full checksums

A paper by Tom Tervoort noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks (CVE-2022-37967). In response, Microsoft has added a second KDC checksum over the full contents of the PAC. Generate and verify full KDC checksums in PACs for service tickets. Update the t_pac.c ticket test case to use a ticket issued by a recent version of Active Directory (provided by Stefan Metzmacher). ticket: 9084 (new)
author: Greg Hudson <ghudson@mit.edu> 2022-12-22 03:05:23 -0500
committer: Greg Hudson <ghudson@mit.edu> 2023-01-24 02:42:58 -0500
commit: 4602a10dbe380d75d1ec00f7d34479ac9d503735 (patch)
tree: 28ced82101154c459d0b576fbeec38b736b81b22 /doc
parent: 1b57a4d134bbd0e7c52d5885a92eccc815726463 (diff)
download: krb5-4602a10dbe380d75d1ec00f7d34479ac9d503735.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index a0d4f2670..db9891838 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -248,6 +248,7 @@ Public
    KRB5_PAC_SERVER_CHECKSUM.rst
    KRB5_PAC_TICKET_CHECKSUM.rst
    KRB5_PAC_UPN_DNS_INFO.rst
+   KRB5_PAC_FULL_CHECKSUM.rst
    KRB5_PADATA_AFS3_SALT.rst
    KRB5_PADATA_AP_REQ.rst
    KRB5_PADATA_AS_CHECKSUM.rst
author	Greg Hudson <ghudson@mit.edu>	2022-12-22 03:05:23 -0500
committer	Greg Hudson <ghudson@mit.edu>	2023-01-24 02:42:58 -0500
commit	4602a10dbe380d75d1ec00f7d34479ac9d503735 (patch)
tree	28ced82101154c459d0b576fbeec38b736b81b22 /doc
parent	1b57a4d134bbd0e7c52d5885a92eccc815726463 (diff)
download	krb5-4602a10dbe380d75d1ec00f7d34479ac9d503735.tar.gz