[17037] in Kerberos-V5-bugs


[krbdev.mit.edu #9142] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Aug 4 18:32:12 2025

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-1713595-1754346726-252.9142-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9142":;
Date: Mon, 04 Aug 2025 18:32:06 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9142 >


Generate and verify message MACs in libkrad

Implement some of the measures specified in
draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS
attack (CVE-2024-3596):

* Include a Message-Authenticator MAC as the first attribute when
  generating a packet of type Access-Request, Access-Reject,
  Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if
  the secret is non-empty.  (An empty secret indicates the use of Unix
  domain socket transport.)

* Validate the Message-Authenticator MAC in received packets, if
  present.

FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and
3.0.27.  libkrad must generate Message-Authenticator attributes in
order to remain compatible with these implementations.

[ghudson@mit.edu: adjusted style and naming; simplified some
functions; edited commit message]

(cherry picked from commit 871125fea8ce0370a972bf65f7d1de63f619b06c)

https://github.com/krb5/krb5/commit/9c42d20fdc622c022262a4ff677237a1656ce8b6
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9c42d20fdc622c022262a4ff677237a1656ce8b6
Branch: krb5-1.21
 src/include/k5-int.h                   |   5 +
 src/lib/crypto/krb/checksum_hmac_md5.c |  28 +++++
 src/lib/crypto/libk5crypto.exports     |   1 +
 src/lib/krad/attr.c                    |  17 +++
 src/lib/krad/attrset.c                 |  58 +++++++---
 src/lib/krad/internal.h                |   7 +-
 src/lib/krad/packet.c                  | 205 ++++++++++++++++++++++++++++++---
 src/lib/krad/t_attrset.c               |   2 +-
 src/lib/krad/t_daemon.py               |   3 +-
 src/lib/krad/t_packet.c                |  11 ++
 src/tests/t_otp.py                     |   3 +
 11 files changed, 309 insertions(+), 31 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
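The commit message above describes the Message-Authenticator mechanism (RFC 2869 section 5.14) without showing the computation. The following is an added example, written for this page and not code from libkrad or the krb5 commit: it builds a RADIUS packet with Message-Authenticator as the first attribute, computes the HMAC-MD5 over the packet with the attribute value zeroed (for responses, with the Request Authenticator substituted into the authenticator field), and verifies received packets. All function names (build_packet, build_response, verify_packet, demo), the shared secret and the fixed request authenticator are constructed for the example. The verifier's `require` flag shows the caveat a deployer wants: validating the MAC only "if present", as the commit does, still accepts a packet from which an attacker strips the attribute, which is why FreeRADIUS enforces its presence.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14
MA_LEN = 16                       # HMAC-MD5 output length
HEADER_LEN = 20                   # code(1) id(1) length(2) authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute, rejecting bad lengths."""
    pos, end = HEADER_LEN, len(packet)
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def message_authenticator(packet, secret, request_auth=None):
    """HMAC-MD5(secret, packet) with the Message-Authenticator value zeroed.
    For Accept/Reject/Challenge the authenticator field is replaced by the
    Request Authenticator of the request being answered (RFC 2869 5.14)."""
    buf = bytearray(packet)
    if request_auth is not None:
        if len(request_auth) != 16:
            raise ValueError("bad Request Authenticator length")
        buf[4:20] = request_auth
    offsets = [off for off, t, v in iter_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(offsets) != 1:
        raise ValueError("expected exactly one Message-Authenticator")
    off = offsets[0]
    if packet[off + 1] != MA_LEN + 2:
        raise ValueError("bad Message-Authenticator length")
    buf[off + 2:off + 2 + MA_LEN] = bytes(MA_LEN)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_packet(code, identifier, authenticator, attrs, secret, request_auth=None):
    """Build a packet; with a non-empty secret, Message-Authenticator goes first."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if secret:
        body = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN)) + body
    packet = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body
    if secret:
        mac = message_authenticator(packet, secret, request_auth)
        packet = packet[:HEADER_LEN + 2] + mac + packet[HEADER_LEN + 2 + MA_LEN:]  # first attribute
    return packet


def build_response(code, identifier, attrs, secret, request_auth):
    """Response: fill Message-Authenticator first, then the RFC 2865 Response
    Authenticator = MD5(code+id+length+RequestAuth+attributes+secret)."""
    pkt = build_packet(code, identifier, bytes(16), attrs, secret, request_auth)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_packet(packet, secret, request_auth=None, require=False):
    """True if the packet's Message-Authenticator is valid. A packet without
    one passes only when require is False (the 'if present' behaviour)."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        if not any(t == ATTR_MESSAGE_AUTHENTICATOR for _, t, _ in iter_attrs(packet)):
            return not require
        actual = next(v for _, t, v in iter_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR)
        return hmac.compare_digest(message_authenticator(packet, secret, request_auth), actual)
    except ValueError:
        return False


def demo():
    """Constructed exchange: a request, a tampered copy, a reject that an
    attacker rewrites into an accept, and a packet lacking the attribute."""
    secret = b"constructed-shared-secret"   # constructed sample secret
    req_auth = bytes(range(16))             # fixed instead of random, for reproducibility
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(ATTR_USER_NAME, b"alice")], secret)
    tampered = bytearray(request)
    tampered[-1] ^= 0x01                    # flip one bit of the User-Name value
    reject = build_response(ACCESS_REJECT, 7, [], secret, req_auth)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]   # Reject -> Accept, as BlastRADIUS aims for
    no_ma = build_packet(ACCESS_REQUEST, 8, req_auth, [(ATTR_USER_NAME, b"bob")], b"")
    return {
        "request_ok": verify_packet(request, secret),
        "tampered_ok": verify_packet(bytes(tampered), secret),
        "reject_ok": verify_packet(reject, secret, req_auth),
        "forged_ok": verify_packet(forged, secret, req_auth),
        "wrong_request_auth_ok": verify_packet(reject, secret, bytes(16)),
        "no_ma_lenient": verify_packet(no_ma, secret),
        "no_ma_strict": verify_packet(no_ma, secret, require=True),
    }
```

The forged response fails because the HMAC is keyed with the shared secret and covers the code byte; the MD5 collision that BlastRADIUS uses to repair the Response Authenticator does not help against it. Note that the HMAC for a response is bound to the Request Authenticator, so a verifier must look up the outstanding request by identifier before checking.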
