[11804] in Kerberos-V5-bugs
[krbdev.mit.edu #6827] SVN Commit
daemon@ATHENA.MIT.EDU (Tom Yu via RT)
Tue Nov 30 21:15:51 2010
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Tom Yu via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6827@krbdev.mit.edu>
Message-ID: <rt-6827-33519.15.440138788729@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6827'":;"'AdminCc of krbdev.mit.edu Ticket #6827'":;@MIT.EDU
Date: Tue, 30 Nov 2010 21:15:47 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
pull up r24538 from trunk
------------------------------------------------------------------------
r24538 | ghudson | 2010-11-30 16:20:49 -0500 (Tue, 30 Nov 2010) | 27 lines
ticket: 6827
subject: SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
http://src.mit.edu/fisheye/changelog/krb5/?cs=24540
Commit By: tlyu
Revision: 24540
Changed Files:
U branches/krb5-1-9/src/lib/crypto/crypto_tests/t_kperf.c
U branches/krb5-1-9/src/lib/crypto/krb/cksumtypes.c
U branches/krb5-1-9/src/lib/crypto/krb/dk/checksum_hmac.c
U branches/krb5-1-9/src/lib/crypto/krb/dk/derive.c
U branches/krb5-1-9/src/lib/crypto/krb/etypes.c
U branches/krb5-1-9/src/lib/crypto/krb/etypes.h
U branches/krb5-1-9/src/lib/krb5/krb/fast.c
U branches/krb5-1-9/src/lib/krb5/krb/mk_req_ext.c
U branches/krb5-1-9/src/lib/krb5/krb/mk_safe.c
U branches/krb5-1-9/src/lib/krb5/krb/pac.c
U branches/krb5-1-9/src/lib/krb5/krb/preauth2.c
U branches/krb5-1-9/src/plugins/preauth/pkinit/pkinit_srv.c
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
