diff options
author | Greg Hudson <ghudson@mit.edu> | 2010-11-30 21:20:49 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-11-30 21:20:49 +0000 |
commit | 1c411f836063e4e6d67390d205e043149302fdd9 (patch) | |
tree | a8909e74c2c23b7b1c5b1282cf8dd4119c92c989 /src/plugins | |
parent | a87789f75f1a7563982953e088927135bb5d6e85 (diff) | |
download | krb5-1c411f836063e4e6d67390d205e043149302fdd9.zip krb5-1c411f836063e4e6d67390d205e043149302fdd9.tar.gz krb5-1c411f836063e4e6d67390d205e043149302fdd9.tar.bz2 |
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6827
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 11 |
1 files changed, 1 insertions, 10 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 719b01c..5a7a5ad 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -691,8 +691,6 @@ pkinit_server_return_padata(krb5_context context, krb5_reply_key_pack *key_pack = NULL; krb5_reply_key_pack_draft9 *key_pack9 = NULL; krb5_data *encoded_key_pack = NULL; - unsigned int num_types; - krb5_cksumtype *cksum_types = NULL; pkinit_kdc_context plgctx; pkinit_kdc_req_context reqctx; @@ -882,14 +880,8 @@ pkinit_server_return_padata(krb5_context context, retval = ENOMEM; goto cleanup; } - /* retrieve checksums for a given enctype of the reply key */ - retval = krb5_c_keyed_checksum_types(context, - encrypting_key->enctype, &num_types, &cksum_types); - if (retval) - goto cleanup; - /* pick the first of acceptable enctypes for the checksum */ - retval = krb5_c_make_checksum(context, cksum_types[0], + retval = krb5_c_make_checksum(context, 0, encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, req_pkt, &key_pack->asChecksum); if (retval) { @@ -1033,7 +1025,6 @@ cleanup: krb5_free_data(context, encoded_key_pack); free(dh_pubkey); free(server_key); - free(cksum_types); switch ((int)padata->pa_type) { case KRB5_PADATA_PK_AS_REQ: |