1 |
eras 10/12/01 07:22:44 |
2 |
|
3 |
Added: mit-krb5_testsuite.patch |
4 |
CVE-2010-1323.1324.4020.patch |
5 |
Log: |
6 |
Security bump for CVE-2010-{1323,1324,4020}. Working test suite and test USE flag added. |
7 |
|
8 |
(Portage version: 2.1.9.25/cvs/Linux x86_64) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 app-crypt/mit-krb5/files/mit-krb5_testsuite.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: mit-krb5_testsuite.patch |
17 |
=================================================================== |
18 |
--- a/src/tests/dejagnu/config/default.exp 2010-04-21 01:37:22.000000000 +0300 |
19 |
+++ b/src/tests/dejagnu/config/default.exp 2010-11-24 16:51:53.000000000 +0200 |
20 |
@@ -1619,7 +1619,7 @@ |
21 |
set spawnid $spawn_id |
22 |
set pid [exp_pid] |
23 |
|
24 |
- set markstr "===MARK $pid [clock format [clock seconds]] ===" |
25 |
+ set markstr "===MARK $pid [clock seconds] ===" |
26 |
puts $f $markstr |
27 |
flush $f |
28 |
|
29 |
--- a/src/tests/dejagnu/krb-standalone/gssapi.exp 2009-06-11 20:27:45.000000000 +0300 |
30 |
+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp 2010-11-24 16:52:21.000000000 +0200 |
31 |
@@ -182,7 +182,7 @@ |
32 |
} |
33 |
} |
34 |
catch "expect_after" |
35 |
- if ![check_exit_status $test] { |
36 |
+ if { [check_exit_status $test] == 0 } { |
37 |
# check_exit_staus already calls fail for us |
38 |
return |
39 |
} |
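Review bot: The rewritten guards are not equivalent to the old `![...]` form if a helper ever returns something other than 0 or 1. `!` raises an error on a non-numeric result, whereas `{ [check_exit_status $test] == 0 }` falls back to a string comparison and evaluates false, so the failure branch is silently skipped. The same applies to every guard in the following hunk (`start_kerberos_daemons`, `add_kerberos_key`, `add_random_key`, `setup_srvtab`, `our_kinit`); if those procs are only meant to return 0 or 1, a one-line comment saying so would settle it. Two style points: the gsstest1 guard in the next hunk is written `==0` where the others use `== 0`, and the context comment spells the proc `check_exit_staus`.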
40 |
@@ -209,59 +209,59 @@ |
41 |
global portbase |
42 |
|
43 |
# Start up the kerberos and kadmind daemons. |
44 |
- if ![start_kerberos_daemons 0] { |
45 |
+ if { [start_kerberos_daemons 0] == 0 } { |
46 |
perror "failed to start kerberos daemons" |
47 |
} |
48 |
|
49 |
# Use kadmin to add a key for us. |
50 |
- if ![add_kerberos_key gsstest0 0] { |
51 |
+ if { [add_kerberos_key gsstest0 0] == 0 } { |
52 |
perror "failed to set up gsstest0 key" |
53 |
} |
54 |
|
55 |
# Use kadmin to add a key for us. |
56 |
- if ![add_kerberos_key gsstest1 0] { |
57 |
+ if { [add_kerberos_key gsstest1 0] ==0 } { |
58 |
perror "failed to set up gsstest1 key" |
59 |
} |
60 |
|
61 |
# Use kadmin to add a key for us. |
62 |
- if ![add_kerberos_key gsstest2 0] { |
63 |
+ if { [add_kerberos_key gsstest2 0] == 0 } { |
64 |
perror "failed to set up gsstest2 key" |
65 |
} |
66 |
|
67 |
# Use kadmin to add a key for us. |
68 |
- if ![add_kerberos_key gsstest3 0] { |
69 |
+ if { [add_kerberos_key gsstest3 0] == 0 } { |
70 |
perror "failed to set up gsstest3 key" |
71 |
} |
72 |
|
73 |
# Use kadmin to add a service key for us. |
74 |
- if ![add_random_key gssservice/$hostname 0] { |
75 |
+ if { [add_random_key gssservice/$hostname 0] == 0 } { |
76 |
perror "failed to set up gssservice/$hostname key" |
77 |
} |
78 |
|
79 |
# Use kdb5_edit to create a srvtab entry for gssservice |
80 |
- if ![setup_srvtab 0 gssservice] { |
81 |
+ if { [setup_srvtab 0 gssservice] == 0 } { |
82 |
perror "failed to set up gssservice srvtab" |
83 |
} |
84 |
|
85 |
catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3" |
86 |
|
87 |
# Use kinit to get a ticket. |
88 |
- if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] { |
89 |
+ if { [our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] == 0 } { |
90 |
perror "failed to kinit gsstest0" |
91 |
} |
92 |
|
93 |
# Use kinit to get a ticket. |
94 |
- if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] { |
95 |
+ if { [our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] == 0 } { |
96 |
perror "failed to kinit gsstest1" |
97 |
} |
98 |
|
99 |
# Use kinit to get a ticket. |
100 |
- if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] { |
101 |
+ if { [our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] == 0 } { |
102 |
perror "failed to kinit gsstest2" |
103 |
} |
104 |
|
105 |
# Use kinit to get a ticket. |
106 |
- if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] { |
107 |
+ if { [our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] == 0 } { |
108 |
perror "failed to kinit gsstest3" |
109 |
} |
110 |
|
111 |
|
112 |
|
113 |
|
114 |
1.1 app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch |
115 |
|
116 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch?rev=1.1&view=markup |
117 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch?rev=1.1&content-type=text/plain |
118 |
|
119 |
Index: CVE-2010-1323.1324.4020.patch |
120 |
=================================================================== |
121 |
Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c |
122 |
=================================================================== |
123 |
--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) |
124 |
+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) |
125 |
@@ -691,8 +691,7 @@ |
126 |
krb5_reply_key_pack *key_pack = NULL; |
127 |
krb5_reply_key_pack_draft9 *key_pack9 = NULL; |
128 |
krb5_data *encoded_key_pack = NULL; |
129 |
- unsigned int num_types; |
130 |
- krb5_cksumtype *cksum_types = NULL; |
131 |
+ krb5_cksumtype cksum_type; |
132 |
|
133 |
pkinit_kdc_context plgctx; |
134 |
pkinit_kdc_req_context reqctx; |
135 |
@@ -882,14 +881,25 @@ |
136 |
retval = ENOMEM; |
137 |
goto cleanup; |
138 |
} |
139 |
- /* retrieve checksums for a given enctype of the reply key */ |
140 |
- retval = krb5_c_keyed_checksum_types(context, |
141 |
- encrypting_key->enctype, &num_types, &cksum_types); |
142 |
- if (retval) |
143 |
- goto cleanup; |
144 |
|
145 |
- /* pick the first of acceptable enctypes for the checksum */ |
146 |
- retval = krb5_c_make_checksum(context, cksum_types[0], |
147 |
+ switch (encrypting_key->enctype) { |
148 |
+ case ENCTYPE_DES_CBC_MD4: |
149 |
+ cksum_type = CKSUMTYPE_RSA_MD4_DES; |
150 |
+ break; |
151 |
+ case ENCTYPE_DES_CBC_MD5: |
152 |
+ case ENCTYPE_DES_CBC_CRC: |
153 |
+ cksum_type = CKSUMTYPE_RSA_MD5_DES; |
154 |
+ break; |
155 |
+ default: |
156 |
+ retval = krb5int_c_mandatory_cksumtype(context, |
157 |
+ encrypting_key->enctype, |
158 |
+ &cksum_type); |
159 |
+ if (retval) |
160 |
+ goto cleanup; |
161 |
+ break; |
162 |
+ } |
163 |
+ |
164 |
+ retval = krb5_c_make_checksum(context, cksum_type, |
165 |
encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, |
166 |
req_pkt, &key_pack->asChecksum); |
167 |
if (retval) { |
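Review bot: The DES special case in the new `switch` has no comment explaining why these three enctypes bypass `krb5int_c_mandatory_cksumtype()`. The identical mapping is repeated in the util_crypt.c and mk_safe.c hunks of this patch, so the three copies can drift apart. I would add something like `/* DES enctypes: select a keyed DES checksum explicitly instead of relying on the mandatory type. */` above the `case` labels, and consider one shared helper for the mapping. The reason is inferred from the CVE context, so please confirm the wording. The enclosing function starts and ends outside this hunk.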
168 |
@@ -1033,7 +1043,6 @@ |
169 |
krb5_free_data(context, encoded_key_pack); |
170 |
free(dh_pubkey); |
171 |
free(server_key); |
172 |
- free(cksum_types); |
173 |
|
174 |
switch ((int)padata->pa_type) { |
175 |
case KRB5_PADATA_PK_AS_REQ: |
176 |
Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c |
177 |
=================================================================== |
178 |
--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455) |
179 |
+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy) |
180 |
@@ -101,7 +101,7 @@ |
181 |
|
182 |
{ CKSUMTYPE_MD5_HMAC_ARCFOUR, |
183 |
"md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC", |
184 |
- NULL, &krb5int_hash_md5, |
185 |
+ &krb5int_enc_arcfour, &krb5int_hash_md5, |
186 |
krb5int_hmacmd5_checksum, NULL, |
187 |
16, 16, 0 }, |
188 |
}; |
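Review bot: The entry for `CKSUMTYPE_MD5_HMAC_ARCFOUR` now names `&krb5int_enc_arcfour` as its first provider, but with positional initializers nothing tells a reader that this field ties the checksum to a key type. Judging from the `(!ctp->enc || ktp->enc == ctp->enc)` test in the keyed_checksum_types.c hunk, a non-NULL value restricts the checksum to keys using that cipher, whereas the old `NULL` matched any key. A short comment such as `/* enc provider: only valid with RC4 keys */` on that line would record the intent. The neighbouring `CKSUMTYPE_HMAC_MD5_ARCFOUR` entry is outside the hunk; it is worth confirming that it carries the same provider.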
189 |
Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c |
190 |
=================================================================== |
191 |
--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455) |
192 |
+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy) |
193 |
@@ -35,6 +35,13 @@ |
194 |
{ |
195 |
if (ctp->flags & CKSUM_UNKEYED) |
196 |
return FALSE; |
197 |
+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be |
198 |
+ * conservative with RC4. */ |
199 |
+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC || |
200 |
+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) && |
201 |
+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR && |
202 |
+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR) |
203 |
+ return FALSE; |
204 |
return (!ctp->enc || ktp->enc == ctp->enc); |
205 |
} |
206 |
|
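Review bot: The RC4 restriction enumerates `ENCTYPE_ARCFOUR_HMAC` and `ENCTYPE_ARCFOUR_HMAC_EXP` by hand, so an RC4-based enctype added later would fall through to the permissive `!ctp->enc` test on the last line. The comment also says only "be conservative"; it would help to state the rule, e.g. `/* RC4 keys may only be used with the two RC4 HMAC checksum types; any other checksum type is rejected here. */`. If the provider symbol is visible in this file, testing `ktp->enc == &krb5int_enc_arcfour` instead of the two etype constants would tie the check to the cipher rather than to a list. The function's signature is outside the hunk.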
207 |
Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c |
208 |
=================================================================== |
209 |
--- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455) |
210 |
+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy) |
211 |
@@ -91,6 +91,8 @@ |
212 |
blocksize = enc->block_size; |
213 |
keybytes = enc->keybytes; |
214 |
|
215 |
+ if (blocksize == 1) |
216 |
+ return KRB5_BAD_ENCTYPE; |
217 |
if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) |
218 |
return KRB5_CRYPTO_INTERNAL; |
219 |
|
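Review bot: `if (blocksize == 1)` relies on the reader knowing that a block size of 1 marks a stream cipher, and the check carries no comment. Something like `/* Stream ciphers (block size 1) are not valid for RFC 3961 key derivation. */` above it would match the explanation given in the keyed_checksum_types.c hunk. The function begins before this hunk, so it is not visible whether other derivation entry points in the file share this path or need the same guard.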
220 |
Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c |
221 |
=================================================================== |
222 |
--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455) |
223 |
+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy) |
224 |
@@ -119,10 +119,22 @@ |
225 |
if (code != 0) |
226 |
return code; |
227 |
|
228 |
- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype, |
229 |
- cksumtype); |
230 |
- if (code != 0) |
231 |
- return code; |
232 |
+ switch (subkey->keyblock.enctype) { |
233 |
+ case ENCTYPE_DES_CBC_MD4: |
234 |
+ *cksumtype = CKSUMTYPE_RSA_MD4_DES; |
235 |
+ break; |
236 |
+ case ENCTYPE_DES_CBC_MD5: |
237 |
+ case ENCTYPE_DES_CBC_CRC: |
238 |
+ *cksumtype = CKSUMTYPE_RSA_MD5_DES; |
239 |
+ break; |
240 |
+ default: |
241 |
+ code = (*kaccess.mandatory_cksumtype)(context, |
242 |
+ subkey->keyblock.enctype, |
243 |
+ cksumtype); |
244 |
+ if (code != 0) |
245 |
+ return code; |
246 |
+ break; |
247 |
+ } |
248 |
|
249 |
switch (subkey->keyblock.enctype) { |
250 |
case ENCTYPE_DES_CBC_MD5: |
251 |
Index: krb5-1.8/src/lib/krb5/krb/pac.c |
252 |
=================================================================== |
253 |
--- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455) |
254 |
+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy) |
255 |
@@ -582,6 +582,8 @@ |
256 |
checksum.checksum_type = load_32_le(p); |
257 |
checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; |
258 |
checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; |
259 |
+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) |
260 |
+ return KRB5KRB_AP_ERR_INAPP_CKSUM; |
261 |
|
262 |
pac_data.length = pac->data.length; |
263 |
pac_data.data = malloc(pac->data.length); |
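Review bot: The new `krb5_c_is_keyed_cksum()` test rejects an unkeyed signature type, but it does not by itself tie the checksum type to the verifying key. Presumably the later verification call does that, which is outside the hunk. A comment would make the reason explicit, for example `/* An unkeyed checksum can be recomputed by anyone who modifies the PAC, so it authenticates nothing. */`. Also, `checksum.length` is computed by subtracting `PAC_SIGNATURE_DATA_LENGTH` from `checksum_data.length` just above; the bounds check that should precede it is not visible here and is worth confirming.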
264 |
Index: krb5-1.8/src/lib/krb5/krb/preauth2.c |
265 |
=================================================================== |
266 |
--- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455) |
267 |
+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy) |
268 |
@@ -1578,7 +1578,9 @@ |
269 |
|
270 |
cksum = sc2->sam_cksum; |
271 |
|
272 |
- while (*cksum) { |
273 |
+ for (; *cksum; cksum++) { |
274 |
+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) |
275 |
+ continue; |
276 |
/* Check this cksum */ |
277 |
retval = krb5_c_verify_checksum(context, as_key, |
278 |
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, |
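Review bot: Unkeyed entries in `sc2->sam_cksum` are now skipped with a bare `continue`, with no comment and no trace of why a challenge checksum was ignored. I would add `/* Skip unkeyed checksums: they do not depend on as_key and so prove nothing about the sender. */` above the test. If every entry is unkeyed, `valid_cksum` is never set by this loop and the `if (!valid_cksum)` branch in the next hunk handles it, which looks like the intended outcome. Moving `cksum++` into the `for` header is what makes the `continue` safe; the enclosing function is outside the hunk.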
279 |
@@ -1592,7 +1594,6 @@ |
280 |
} |
281 |
if (valid_cksum) |
282 |
break; |
283 |
- cksum++; |
284 |
} |
285 |
|
286 |
if (!valid_cksum) { |
287 |
Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c |
288 |
=================================================================== |
289 |
--- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455) |
290 |
+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy) |
291 |
@@ -215,10 +215,28 @@ |
292 |
for (i = 0; i < nsumtypes; i++) |
293 |
if (auth_context->safe_cksumtype == sumtypes[i]) |
294 |
break; |
295 |
- if (i == nsumtypes) |
296 |
- i = 0; |
297 |
- sumtype = sumtypes[i]; |
298 |
krb5_free_cksumtypes (context, sumtypes); |
299 |
+ if (i < nsumtypes) |
300 |
+ sumtype = auth_context->safe_cksumtype; |
301 |
+ else { |
302 |
+ switch (enctype) { |
303 |
+ case ENCTYPE_DES_CBC_MD4: |
304 |
+ sumtype = CKSUMTYPE_RSA_MD4_DES; |
305 |
+ break; |
306 |
+ case ENCTYPE_DES_CBC_MD5: |
307 |
+ case ENCTYPE_DES_CBC_CRC: |
308 |
+ sumtype = CKSUMTYPE_RSA_MD5_DES; |
309 |
+ break; |
310 |
+ default: |
311 |
+ retval = krb5int_c_mandatory_cksumtype(context, enctype, |
312 |
+ &sumtype); |
313 |
+ if (retval) { |
314 |
+ CLEANUP_DONE(); |
315 |
+ goto error; |
316 |
+ } |
317 |
+ break; |
318 |
+ } |
319 |
+ } |
320 |
} |
321 |
if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, |
322 |
plocal_fulladdr, premote_fulladdr, |
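Review bot: When `auth_context->safe_cksumtype` is not among the keyed types for `enctype`, the `else` branch substitutes a different checksum type without any comment or diagnostic, so a misconfigured checksum type goes unnoticed. A comment such as `/* Configured type is not usable with this key; fall back to a keyed type for the enctype. */` above the `else` would document the behaviour. This is the third copy of the DES mapping in the patch, alongside the pkinit_srv.c and util_crypt.c hunks. The error path uses `CLEANUP_DONE(); goto error;`, whose definitions are outside the hunk; confirm it matches the other failure exits in this function.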