Gentoo Archives: gentoo-commits

From: "Eray Aslan (eras)" <eras@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-crypt/mit-krb5/files: mit-krb5_testsuite.patch CVE-2010-1323.1324.4020.patch
Date: Wed, 01 Dec 2010 07:22:56
Message-Id: 20101201072244.A246320057@flycatcher.gentoo.org
1 eras 10/12/01 07:22:44
2
3 Added: mit-krb5_testsuite.patch
4 CVE-2010-1323.1324.4020.patch
5 Log:
6 Security bump for CVE-2010-{1323,1324,4020}. Working test suite and test USE flag added.
7
8 (Portage version: 2.1.9.25/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.1 app-crypt/mit-krb5/files/mit-krb5_testsuite.patch
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch?rev=1.1&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch?rev=1.1&content-type=text/plain
15
16 Index: mit-krb5_testsuite.patch
17 ===================================================================
18 --- a/src/tests/dejagnu/config/default.exp 2010-04-21 01:37:22.000000000 +0300
19 +++ b/src/tests/dejagnu/config/default.exp 2010-11-24 16:51:53.000000000 +0200
20 @@ -1619,7 +1619,7 @@
21 set spawnid $spawn_id
22 set pid [exp_pid]
23
24 - set markstr "===MARK $pid [clock format [clock seconds]] ==="
25 + set markstr "===MARK $pid [clock seconds] ==="
26 puts $f $markstr
27 flush $f
28
29 --- a/src/tests/dejagnu/krb-standalone/gssapi.exp 2009-06-11 20:27:45.000000000 +0300
30 +++ b/src/tests/dejagnu/krb-standalone/gssapi.exp 2010-11-24 16:52:21.000000000 +0200
31 @@ -182,7 +182,7 @@
32 }
33 }
34 catch "expect_after"
35 - if ![check_exit_status $test] {
36 + if { [check_exit_status $test] == 0 } {
37 # check_exit_staus already calls fail for us
38 return
39 }
40 @@ -209,59 +209,59 @@
41 global portbase
42
43 # Start up the kerberos and kadmind daemons.
44 - if ![start_kerberos_daemons 0] {
45 + if { [start_kerberos_daemons 0] == 0 } {
46 perror "failed to start kerberos daemons"
47 }
48
49 # Use kadmin to add a key for us.
50 - if ![add_kerberos_key gsstest0 0] {
51 + if { [add_kerberos_key gsstest0 0] == 0 } {
52 perror "failed to set up gsstest0 key"
53 }
54
55 # Use kadmin to add a key for us.
56 - if ![add_kerberos_key gsstest1 0] {
57 + if { [add_kerberos_key gsstest1 0] ==0 } {
58 perror "failed to set up gsstest1 key"
59 }
60
61 # Use kadmin to add a key for us.
62 - if ![add_kerberos_key gsstest2 0] {
63 + if { [add_kerberos_key gsstest2 0] == 0 } {
64 perror "failed to set up gsstest2 key"
65 }
66
67 # Use kadmin to add a key for us.
68 - if ![add_kerberos_key gsstest3 0] {
69 + if { [add_kerberos_key gsstest3 0] == 0 } {
70 perror "failed to set up gsstest3 key"
71 }
72
73 # Use kadmin to add a service key for us.
74 - if ![add_random_key gssservice/$hostname 0] {
75 + if { [add_random_key gssservice/$hostname 0] == 0 } {
76 perror "failed to set up gssservice/$hostname key"
77 }
78
79 # Use kdb5_edit to create a srvtab entry for gssservice
80 - if ![setup_srvtab 0 gssservice] {
81 + if { [setup_srvtab 0 gssservice] == 0 } {
82 perror "failed to set up gssservice srvtab"
83 }
84
85 catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
86
87 # Use kinit to get a ticket.
88 - if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] {
89 + if { [our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] == 0 } {
90 perror "failed to kinit gsstest0"
91 }
92
93 # Use kinit to get a ticket.
94 - if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] {
95 + if { [our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] == 0 } {
96 perror "failed to kinit gsstest1"
97 }
98
99 # Use kinit to get a ticket.
100 - if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] {
101 + if { [our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] == 0 } {
102 perror "failed to kinit gsstest2"
103 }
104
105 # Use kinit to get a ticket.
106 - if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] {
107 + if { [our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] == 0 } {
108 perror "failed to kinit gsstest3"
109 }
110
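Review bot: Rewriting `![cmd]` as `{ [cmd] == 0 }` changes what happens when a helper returns something other than 0 or 1. Tcl's `==` falls back to string comparison for a non-numeric operand, so an empty or textual return value now skips the `perror` branch silently, where the old unbraced `!` form would have raised an expression error. The helpers (`start_kerberos_daemons`, `add_kerberos_key`, `add_random_key`, `setup_srvtab`, `our_kinit`) are defined outside this hunk, so it is worth confirming that each returns 0 or 1 on every path. The same rewrite is applied to `check_exit_status` in the previous hunk. The `gsstest1` line is also written `==0` while every other line uses `== 0`; suggest `if { [add_kerberos_key gsstest1 0] == 0 } {`.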
111
112
113
114 1.1 app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
115
116 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch?rev=1.1&view=markup
117 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch?rev=1.1&content-type=text/plain
118
119 Index: CVE-2010-1323.1324.4020.patch
120 ===================================================================
121 Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
122 ===================================================================
123 --- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455)
124 +++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy)
125 @@ -691,8 +691,7 @@
126 krb5_reply_key_pack *key_pack = NULL;
127 krb5_reply_key_pack_draft9 *key_pack9 = NULL;
128 krb5_data *encoded_key_pack = NULL;
129 - unsigned int num_types;
130 - krb5_cksumtype *cksum_types = NULL;
131 + krb5_cksumtype cksum_type;
132
133 pkinit_kdc_context plgctx;
134 pkinit_kdc_req_context reqctx;
135 @@ -882,14 +881,25 @@
136 retval = ENOMEM;
137 goto cleanup;
138 }
139 - /* retrieve checksums for a given enctype of the reply key */
140 - retval = krb5_c_keyed_checksum_types(context,
141 - encrypting_key->enctype, &num_types, &cksum_types);
142 - if (retval)
143 - goto cleanup;
144
145 - /* pick the first of acceptable enctypes for the checksum */
146 - retval = krb5_c_make_checksum(context, cksum_types[0],
147 + switch (encrypting_key->enctype) {
148 + case ENCTYPE_DES_CBC_MD4:
149 + cksum_type = CKSUMTYPE_RSA_MD4_DES;
150 + break;
151 + case ENCTYPE_DES_CBC_MD5:
152 + case ENCTYPE_DES_CBC_CRC:
153 + cksum_type = CKSUMTYPE_RSA_MD5_DES;
154 + break;
155 + default:
156 + retval = krb5int_c_mandatory_cksumtype(context,
157 + encrypting_key->enctype,
158 + &cksum_type);
159 + if (retval)
160 + goto cleanup;
161 + break;
162 + }
163 +
164 + retval = krb5_c_make_checksum(context, cksum_type,
165 encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
166 req_pkt, &key_pack->asChecksum);
167 if (retval) {
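Review bot: The new `switch` gives no reason for special-casing the three DES enctypes, and the same mapping is repeated verbatim in the `util_crypt.c` and `mk_safe.c` hunks further down, so the three copies can drift apart unnoticed. A short comment above each copy would help, for example `/* DES enctypes: pick the keyed DES checksum instead of the mandatory type; same mapping as in util_crypt.c and mk_safe.c */`. That rationale is inferred from the keyed-checksum checks added elsewhere in this patch, so please confirm the wording. The enclosing function starts and ends outside the hunk, so it cannot be checked from here that nothing else still reads the removed `cksum_types` array, although its `free` is dropped in the next hunk.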
168 @@ -1033,7 +1043,6 @@
169 krb5_free_data(context, encoded_key_pack);
170 free(dh_pubkey);
171 free(server_key);
172 - free(cksum_types);
173
174 switch ((int)padata->pa_type) {
175 case KRB5_PADATA_PK_AS_REQ:
176 Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
177 ===================================================================
178 --- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455)
179 +++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy)
180 @@ -101,7 +101,7 @@
181
182 { CKSUMTYPE_MD5_HMAC_ARCFOUR,
183 "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
184 - NULL, &krb5int_hash_md5,
185 + &krb5int_enc_arcfour, &krb5int_hash_md5,
186 krb5int_hmacmd5_checksum, NULL,
187 16, 16, 0 },
188 };
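Review bot: The table entry for `CKSUMTYPE_MD5_HMAC_ARCFOUR` changes its encryption provider from `NULL` to `&krb5int_enc_arcfour` without a comment. The effect is only visible from the `keyed_checksum_types.c` hunk, which ends in `return (!ctp->enc || ktp->enc == ctp->enc);`: a `NULL` provider matches every key type, while a non-NULL one matches only keys of that provider. A comment on the entry such as `/* bound to RC4 keys; a NULL enc here would match any enctype */` would record that. The other entries of the table lie outside the hunk, so whether any other keyed entry still has a `NULL` provider cannot be checked from here.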
189 Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
190 ===================================================================
191 --- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455)
192 +++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy)
193 @@ -35,6 +35,13 @@
194 {
195 if (ctp->flags & CKSUM_UNKEYED)
196 return FALSE;
197 + /* Stream ciphers do not play well with RFC 3961 key derivation, so be
198 + * conservative with RC4. */
199 + if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
200 + ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
201 + ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
202 + ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
203 + return FALSE;
204 return (!ctp->enc || ktp->enc == ctp->enc);
205 }
206
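Review bot: The RC4 restriction is keyed to two enctype constants, while the `derive.c` hunk in the same patch recognises the same class of cipher by `blocksize == 1`, so the two checks can disagree if another stream-cipher enctype is ever added. Either test the provider property here as well (presumably reachable through `ktp->enc`, which the last line already reads) or extend the comment to say the list must be kept in step, e.g. `/* Keep in sync with the block-size check in dk/derive.c. */`. The function's signature is outside the hunk, so the types of `ktp` and `ctp` are taken from how they are used.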
207 Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
208 ===================================================================
209 --- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455)
210 +++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy)
211 @@ -91,6 +91,8 @@
212 blocksize = enc->block_size;
213 keybytes = enc->keybytes;
214
215 + if (blocksize == 1)
216 + return KRB5_BAD_ENCTYPE;
217 if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
218 return KRB5_CRYPTO_INTERNAL;
219
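Review bot: `if (blocksize == 1)` is an unexplained magic number. A reader has to know that a block size of 1 marks a stream cipher to see why it yields `KRB5_BAD_ENCTYPE`. Suggest a comment above it, `/* Stream ciphers (block size 1) are not usable with this key derivation; refuse them. */`, with wording inferred from the comment in the `keyed_checksum_types.c` hunk. The function starts and ends outside the hunk, so if the file has other derivation entry points that do not pass through this code, what is visible here does not cover them.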
220 Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
221 ===================================================================
222 --- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455)
223 +++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy)
224 @@ -119,10 +119,22 @@
225 if (code != 0)
226 return code;
227
228 - code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
229 - cksumtype);
230 - if (code != 0)
231 - return code;
232 + switch (subkey->keyblock.enctype) {
233 + case ENCTYPE_DES_CBC_MD4:
234 + *cksumtype = CKSUMTYPE_RSA_MD4_DES;
235 + break;
236 + case ENCTYPE_DES_CBC_MD5:
237 + case ENCTYPE_DES_CBC_CRC:
238 + *cksumtype = CKSUMTYPE_RSA_MD5_DES;
239 + break;
240 + default:
241 + code = (*kaccess.mandatory_cksumtype)(context,
242 + subkey->keyblock.enctype,
243 + cksumtype);
244 + if (code != 0)
245 + return code;
246 + break;
247 + }
248
249 switch (subkey->keyblock.enctype) {
250 case ENCTYPE_DES_CBC_MD5:
251 Index: krb5-1.8/src/lib/krb5/krb/pac.c
252 ===================================================================
253 --- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455)
254 +++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy)
255 @@ -582,6 +582,8 @@
256 checksum.checksum_type = load_32_le(p);
257 checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
258 checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
259 + if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
260 + return KRB5KRB_AP_ERR_INAPP_CKSUM;
261
262 pac_data.length = pac->data.length;
263 pac_data.data = malloc(pac->data.length);
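Review bot: The new check rejects unkeyed checksum types but carries no comment saying why, and nothing visible in the patch tests it. Suggest `/* An unkeyed checksum can be recomputed by anyone who alters the PAC, so it cannot serve as a signature. */` above the `if`, plus a regression test that a PAC carrying an unkeyed signature type is refused with `KRB5KRB_AP_ERR_INAPP_CKSUM`. The early `return` sits before the `malloc` of `pac_data.data`, so it leaks nothing allocated in the visible lines; allocations made earlier in the function are outside the hunk. The subtraction `checksum_data.length - PAC_SIGNATURE_DATA_LENGTH` on the context line above relies on a length check that is not visible here.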
264 Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
265 ===================================================================
266 --- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455)
267 +++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy)
268 @@ -1578,7 +1578,9 @@
269
270 cksum = sc2->sam_cksum;
271
272 - while (*cksum) {
273 + for (; *cksum; cksum++) {
274 + if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
275 + continue;
276 /* Check this cksum */
277 retval = krb5_c_verify_checksum(context, as_key,
278 KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
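Review bot: Unkeyed checksums are now skipped with a bare `continue`, so a challenge that carries only unkeyed checksums ends in the same `!valid_cksum` path as a checksum mismatch, and the reason is lost. A comment on the skip, e.g. `/* unkeyed checksums do not authenticate the challenge; ignore them */`, would document the intent. Whether the error branch should distinguish the two cases depends on code outside the hunk. Moving `cksum++` into the `for` header is what keeps the `continue` from looping forever, and the matching removal of `cksum++` is in the next hunk.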
279 @@ -1592,7 +1594,6 @@
280 }
281 if (valid_cksum)
282 break;
283 - cksum++;
284 }
285
286 if (!valid_cksum) {
287 Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
288 ===================================================================
289 --- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455)
290 +++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy)
291 @@ -215,10 +215,28 @@
292 for (i = 0; i < nsumtypes; i++)
293 if (auth_context->safe_cksumtype == sumtypes[i])
294 break;
295 - if (i == nsumtypes)
296 - i = 0;
297 - sumtype = sumtypes[i];
298 krb5_free_cksumtypes (context, sumtypes);
299 + if (i < nsumtypes)
300 + sumtype = auth_context->safe_cksumtype;
301 + else {
302 + switch (enctype) {
303 + case ENCTYPE_DES_CBC_MD4:
304 + sumtype = CKSUMTYPE_RSA_MD4_DES;
305 + break;
306 + case ENCTYPE_DES_CBC_MD5:
307 + case ENCTYPE_DES_CBC_CRC:
308 + sumtype = CKSUMTYPE_RSA_MD5_DES;
309 + break;
310 + default:
311 + retval = krb5int_c_mandatory_cksumtype(context, enctype,
312 + &sumtype);
313 + if (retval) {
314 + CLEANUP_DONE();
315 + goto error;
316 + }
317 + break;
318 + }
319 + }
320 }
321 if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
322 plocal_fulladdr, premote_fulladdr,