[16979] in Kerberos-V5-bugs


[krbdev.mit.edu #9142] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Oct 16 16:03:49 2024

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-3974722-1729109014-1297.9142-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9142":;
Date: Wed, 16 Oct 2024 16:03:34 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Wed Oct 16 16:03:34 2024: Request 9142 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9142 >



Generate and verify message MACs in libkrad

Implement some of the measures specified in
draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS
attack (CVE-2024-3596):

* Include a Message-Authenticator MAC as the first attribute when
  generating a packet of type Access-Request, Access-Reject,
  Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if
  the secret is non-empty.  (An empty secret indicates the use of Unix
  domain socket transport.)

* Validate the Message-Authenticator MAC in received packets, if
  present.

FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and
3.0.27.  libkrad must generate Message-Authenticator attributes in
order to remain compatible with these implementations.

[ghudson@mit.edu: adjusted style and naming; simplified some
functions; edited commit message]

https://github.com/krb5/krb5/commit/871125fea8ce0370a972bf65f7d1de63f619b06c
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 871125fea8ce0370a972bf65f7d1de63f619b06c
Branch: master
 src/include/k5-int.h                   |   5 +
 src/lib/crypto/krb/checksum_hmac_md5.c |  28 +++++
 src/lib/crypto/libk5crypto.exports     |   1 +
 src/lib/krad/attr.c                    |  17 +++
 src/lib/krad/attrset.c                 |  58 +++++++---
 src/lib/krad/internal.h                |   7 +-
 src/lib/krad/packet.c                  | 205 ++++++++++++++++++++++++++++++---
 src/lib/krad/t_attrset.c               |   2 +-
 src/lib/krad/t_daemon.py               |   3 +-
 src/lib/krad/t_packet.c                |  11 ++
 src/tests/t_otp.py                     |   3 +
 11 files changed, 309 insertions(+), 31 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
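
An added example, not libkrad's code and not part of the original message: a Python sketch of the Message-Authenticator handling the commit message describes, using the RFC 2869 HMAC-MD5 construction (attribute type 80, value zeroed while the MAC is computed). The function names are hypothetical, and only request encoding is shown; verification covers requests and, given the request's authenticator, responses.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def _hmac_md5(secret, code, ident, auth, attrs):
    # The MAC covers Code, Identifier, Length, the Request Authenticator and
    # all attributes, with the Message-Authenticator value set to 16 zeros.
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hmac.new(secret, hdr + auth + attrs, hashlib.md5).digest()

def encode_request(secret, code, ident, attrs):
    """Build a request packet; attrs is the already-encoded attribute bytes."""
    auth = os.urandom(16)  # Request Authenticator
    if secret:  # an empty secret means no MAC, as in the commit message
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs  # MAC goes first
        mac = _hmac_md5(secret, code, ident, auth, attrs)
        attrs = attrs[:2] + mac + attrs[18:]
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify(secret, packet, req_auth=None):
    """Return None if no MAC is present, else True/False. For a response,
    pass the matching request's Request Authenticator as req_auth."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    auth = req_auth if req_auth is not None else packet[4:20]
    attrs = bytearray(packet[20:length])
    pos, received = 0, None
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == MSG_AUTH:
            if alen != 18:
                raise ValueError("bad Message-Authenticator length")
            received = bytes(attrs[pos + 2:pos + 18])
            attrs[pos + 2:pos + 18] = bytes(16)  # zero the value before recomputing
        pos += alen
    if received is None:
        return None
    expected = _hmac_md5(secret, code, ident, auth, bytes(attrs))
    return hmac.compare_digest(received, expected)  # constant-time comparison
```

A caller that wants to enforce the attribute rather than only validate it when present would treat a `None` result as a failure.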
