786702d
Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c	(working copy)
786702d
@@ -691,8 +691,7 @@
786702d
     krb5_reply_key_pack *key_pack = NULL;
786702d
     krb5_reply_key_pack_draft9 *key_pack9 = NULL;
786702d
     krb5_data *encoded_key_pack = NULL;
786702d
-    unsigned int num_types;
786702d
-    krb5_cksumtype *cksum_types = NULL;
786702d
+    krb5_cksumtype cksum_type;
786702d
 
786702d
     pkinit_kdc_context plgctx;
786702d
     pkinit_kdc_req_context reqctx;
786702d
@@ -882,14 +881,25 @@
786702d
                 retval = ENOMEM;
786702d
                 goto cleanup;
786702d
             }
786702d
-            /* retrieve checksums for a given enctype of the reply key */
786702d
-            retval = krb5_c_keyed_checksum_types(context,
786702d
-                                                 encrypting_key->enctype, &num_types, &cksum_types);
786702d
-            if (retval)
786702d
-                goto cleanup;
786702d
 
786702d
-            /* pick the first of acceptable enctypes for the checksum */
786702d
-            retval = krb5_c_make_checksum(context, cksum_types[0],
786702d
+            switch (encrypting_key->enctype) {
786702d
+            case ENCTYPE_DES_CBC_MD4:
786702d
+                cksum_type = CKSUMTYPE_RSA_MD4_DES;
786702d
+                break;
786702d
+            case ENCTYPE_DES_CBC_MD5:
786702d
+            case ENCTYPE_DES_CBC_CRC:
786702d
+                cksum_type = CKSUMTYPE_RSA_MD5_DES;
786702d
+                break;
786702d
+            default:
786702d
+                retval = krb5int_c_mandatory_cksumtype(context,
786702d
+                                                       encrypting_key->enctype,
786702d
+                                                       &cksum_type);
786702d
+                if (retval)
786702d
+                    goto cleanup;
786702d
+                break;
786702d
+            }
786702d
+
786702d
+            retval = krb5_c_make_checksum(context, cksum_type,
786702d
                                           encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
786702d
                                           req_pkt, &key_pack->asChecksum);
786702d
             if (retval) {
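Review bot: The enctype-to-checksum `switch` added here is repeated almost line for line in the util_crypt.c and mk_safe.c hunks of this patch, and none of the three copies says why the single-DES enctypes bypass `krb5int_c_mandatory_cksumtype`. Presumably the mandatory type for those enctypes is unkeyed and the override forces a keyed one; if so, state it in a comment such as `/* Mandatory checksum for single-DES is unkeyed; force a keyed DES checksum instead. */`. A single shared helper called from all three sites would keep the mapping from drifting the next time an enctype is added. The enclosing function starts and ends outside this hunk.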
786702d
@@ -1033,7 +1043,6 @@
786702d
         krb5_free_data(context, encoded_key_pack);
786702d
     free(dh_pubkey);
786702d
     free(server_key);
786702d
-    free(cksum_types);
786702d
 
786702d
     switch ((int)padata->pa_type) {
786702d
     case KRB5_PADATA_PK_AS_REQ:
786702d
Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c	(working copy)
786702d
@@ -101,7 +101,7 @@
786702d
 
786702d
     { CKSUMTYPE_MD5_HMAC_ARCFOUR,
786702d
       "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
786702d
-      NULL, &krb5int_hash_md5,
786702d
+      &krb5int_enc_arcfour, &krb5int_hash_md5,
786702d
       krb5int_hmacmd5_checksum, NULL,
786702d
       16, 16, 0 },
786702d
 };
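Review bot: The changed field is a bare positional initializer, so nothing at this table entry says that replacing `NULL` with `&krb5int_enc_arcfour` is what confines this checksum to RC4 keys. The keyed-for test in the keyed_checksum_types.c hunk ends with `return (!ctp->enc || ktp->enc == ctp->enc);`, so a `NULL` here let the entry match every enctype. A comment on the entry, e.g. `/* enc provider set so this checksum counts as keyed only for RC4 keys */`, would stop a later cleanup from reverting it. The table itself starts above the hunk.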
786702d
Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c	(working copy)
786702d
@@ -35,6 +35,13 @@
786702d
 {
786702d
     if (ctp->flags & CKSUM_UNKEYED)
786702d
         return FALSE;
786702d
+    /* Stream ciphers do not play well with RFC 3961 key derivation, so be
786702d
+     * conservative with RC4. */
786702d
+    if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
786702d
+         ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
786702d
+        ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
786702d
+        ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
786702d
+        return FALSE;
786702d
     return (!ctp->enc || ktp->enc == ctp->enc);
786702d
 }
786702d
 
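Review bot: This check identifies stream-cipher enctypes by naming `ENCTYPE_ARCFOUR_HMAC` and `ENCTYPE_ARCFOUR_HMAC_EXP`, while the derive.c hunk in the same patch identifies them with `blocksize == 1`, so the two guards can disagree if another stream-cipher enctype is ever added. If the enc provider's block size is reachable through `ktp->enc` here (the structure is not shown in the hunk), testing that property instead of the list would keep both guards aligned. Otherwise the comment should say that the list must be extended for any new stream-cipher enctype. The function's signature is above the hunk.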
786702d
Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/crypto/krb/dk/derive.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c	(working copy)
786702d
@@ -91,6 +91,8 @@
786702d
     blocksize = enc->block_size;
786702d
     keybytes = enc->keybytes;
786702d
 
786702d
+    if (blocksize == 1)
786702d
+        return KRB5_BAD_ENCTYPE;
786702d
     if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
786702d
         return KRB5_CRYPTO_INTERNAL;
786702d
 
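Review bot: `blocksize == 1` is a magic-number test with no comment, and the reason for refusing it is stated only in a different file of this patch. Add a comment above the check, e.g. `/* A block size of 1 means a stream cipher; this key derivation is not defined for those. */`, so the guard is not later mistaken for dead code. It is also worth confirming that every caller propagates `KRB5_BAD_ENCTYPE` as a hard failure; the callers are outside this hunk.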
786702d
Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c	(working copy)
786702d
@@ -119,10 +119,22 @@
786702d
     if (code != 0)
786702d
         return code;
786702d
 
786702d
-    code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
786702d
-                                          cksumtype);
786702d
-    if (code != 0)
786702d
-        return code;
786702d
+    switch (subkey->keyblock.enctype) {
786702d
+    case ENCTYPE_DES_CBC_MD4:
786702d
+        *cksumtype = CKSUMTYPE_RSA_MD4_DES;
786702d
+        break;
786702d
+    case ENCTYPE_DES_CBC_MD5:
786702d
+    case ENCTYPE_DES_CBC_CRC:
786702d
+        *cksumtype = CKSUMTYPE_RSA_MD5_DES;
786702d
+        break;
786702d
+    default:
786702d
+        code = (*kaccess.mandatory_cksumtype)(context,
786702d
+                                              subkey->keyblock.enctype,
786702d
+                                              cksumtype);
786702d
+        if (code != 0)
786702d
+            return code;
786702d
+        break;
786702d
+    }
786702d
 
786702d
     switch (subkey->keyblock.enctype) {
786702d
     case ENCTYPE_DES_CBC_MD5:
786702d
Index: krb5-1.8/src/lib/krb5/krb/pac.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/krb5/krb/pac.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/krb5/krb/pac.c	(working copy)
786702d
@@ -582,6 +582,8 @@
786702d
     checksum.checksum_type = load_32_le(p);
786702d
     checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
786702d
     checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
786702d
+    if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
786702d
+        return KRB5KRB_AP_ERR_INAPP_CKSUM;
786702d
 
786702d
     pac_data.length = pac->data.length;
786702d
     pac_data.data = malloc(pac->data.length);
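Review bot: The new rejection of unkeyed checksum types carries no comment, and the reason matters to anyone touching PAC verification: an unkeyed checksum can be recomputed by whoever alters the PAC, so it authenticates nothing. Suggest `/* A PAC signature must be keyed; an unkeyed checksum can be regenerated by anyone. */` above the check. The test only establishes that the type is keyed in general, not that it is keyed for this key's enctype; whether the later verify call enforces that is not visible in the hunk. The early return sits before the `malloc` of `pac_data.data`, so it leaks nothing.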
786702d
Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/krb5/krb/preauth2.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/krb5/krb/preauth2.c	(working copy)
786702d
@@ -1578,7 +1578,9 @@
786702d
 
786702d
     cksum = sc2->sam_cksum;
786702d
 
786702d
-    while (*cksum) {
786702d
+    for (; *cksum; cksum++) {
786702d
+        if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
786702d
+            continue;
786702d
         /* Check this cksum */
786702d
         retval = krb5_c_verify_checksum(context, as_key,
786702d
                                         KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
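Review bot: Unkeyed checksums are now skipped with a silent `continue`, so a challenge carrying only unkeyed checksums fails at the later `if (!valid_cksum)` with nothing to distinguish it from a keyed checksum that failed to verify. A comment such as `/* Unkeyed checksums do not authenticate the challenge; skip them. */` would record the intent. A trace message or distinct error for the all-unkeyed case would help when diagnosing a downgrade attempt. The loop body continues past the end of this hunk.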
786702d
@@ -1592,7 +1594,6 @@
786702d
         }
786702d
         if (valid_cksum)
786702d
             break;
786702d
-        cksum++;
786702d
     }
786702d
 
786702d
     if (!valid_cksum) {
786702d
Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
786702d
===================================================================
483e8c5
--- krb5-1.8/src/lib/krb5/krb/mk_safe.c	(revision 24455)
483e8c5
+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c	(working copy)
786702d
@@ -215,10 +215,28 @@
786702d
             for (i = 0; i < nsumtypes; i++)
786702d
                 if (auth_context->safe_cksumtype == sumtypes[i])
786702d
                     break;
786702d
-            if (i == nsumtypes)
786702d
-                i = 0;
786702d
-            sumtype = sumtypes[i];
786702d
             krb5_free_cksumtypes (context, sumtypes);
786702d
+            if (i < nsumtypes)
786702d
+                sumtype = auth_context->safe_cksumtype;
786702d
+            else {
786702d
+                switch (enctype) {
786702d
+                case ENCTYPE_DES_CBC_MD4:
786702d
+                    sumtype = CKSUMTYPE_RSA_MD4_DES;
786702d
+                    break;
786702d
+                case ENCTYPE_DES_CBC_MD5:
786702d
+                case ENCTYPE_DES_CBC_CRC:
786702d
+                    sumtype = CKSUMTYPE_RSA_MD5_DES;
786702d
+                    break;
786702d
+                default:
786702d
+                    retval = krb5int_c_mandatory_cksumtype(context, enctype,
786702d
+                                                           &sumtype);
786702d
+                    if (retval) {
786702d
+                        CLEANUP_DONE();
786702d
+                        goto error;
786702d
+                    }
786702d
+                    break;
786702d
+                }
786702d
+            }
786702d
         }
786702d
         if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
786702d
                                          plocal_fulladdr, premote_fulladdr,