diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-11-30 21:20:49 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-11-30 21:20:49 +0000 |
| commit | 1c411f836063e4e6d67390d205e043149302fdd9 (patch) | |
| tree | a8909e74c2c23b7b1c5b1282cf8dd4119c92c989 /src/lib/gssapi/generic/util_errmap.c | |
| parent | a87789f75f1a7563982953e088927135bb5d6e85 (diff) | |
| download | krb5-1c411f836063e4e6d67390d205e043149302fdd9.tar.gz krb5-1c411f836063e4e6d67390d205e043149302fdd9.tar.xz krb5-1c411f836063e4e6d67390d205e043149302fdd9.zip | |
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6827
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/generic/util_errmap.c')
0 files changed, 0 insertions, 0 deletions