author | Nalin Dahyabhai <nalin@redhat.com> | 2010-11-30 14:17:42 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2010-11-30 14:17:42 -0500 |
commit | 4ea64b866f2bb14ecf69282d9cd6bfc3db1d566e (patch) | |
tree | 907c4203ac5033ed4993a85dc33f5acf7699b41c | |
parent | c1d9e749c9273ac042a7ac7690a55c70c8ad9a6a (diff) | |
switch to the final patch
-rw-r--r-- | 2010-007-patch-r17.txt (renamed from krb5-1.7-MITKRB5SA-2010-007.patch) | 80 | ||||
-rw-r--r-- | krb5.spec | 2 |
2 files changed, 41 insertions, 41 deletions
diff --git a/krb5-1.7-MITKRB5SA-2010-007.patch b/2010-007-patch-r17.txt index 9be516f..0060820 100644 --- a/krb5-1.7-MITKRB5SA-2010-007.patch +++ b/2010-007-patch-r17.txt @@ -1,7 +1,7 @@ Index: krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== ---- krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) -+++ krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) +--- krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) ++++ krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) @@ -664,8 +664,7 @@ krb5_reply_key_pack *key_pack = NULL; krb5_reply_key_pack_draft9 *key_pack9 = NULL; @@ -21,26 +21,26 @@ Index: krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c - encrypting_key->enctype, &num_types, &cksum_types); - if (retval) - goto cleanup; -+ switch (encrypting_key->enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ cksum_type = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ cksum_type = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, -+ encrypting_key->enctype, -+ &cksum_type); -+ if (retval) -+ goto cleanup; -+ break; -+ } ++ switch (encrypting_key->enctype) { ++ case ENCTYPE_DES_CBC_MD4: ++ cksum_type = CKSUMTYPE_RSA_MD4_DES; ++ break; ++ case ENCTYPE_DES_CBC_MD5: ++ case ENCTYPE_DES_CBC_CRC: ++ cksum_type = CKSUMTYPE_RSA_MD5_DES; ++ break; ++ default: ++ retval = krb5int_c_mandatory_cksumtype(context, ++ encrypting_key->enctype, ++ &cksum_type); ++ if (retval) ++ goto cleanup; ++ break; ++ } - /* pick the first of acceptable enctypes for the checksum */ - retval = krb5_c_make_checksum(context, cksum_types[0], -+ retval = krb5_c_make_checksum(context, cksum_type, ++ retval = krb5_c_make_checksum(context, cksum_type, encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, req_pkt, &key_pack->asChecksum); if (retval) { 
@@ -55,20 +55,20 @@ Index: krb5-1.7/src/plugins/preauth/pkinit/pkinit_srv.c case KRB5_PADATA_PK_AS_REQ: Index: krb5-1.7/src/lib/crypto/keyed_checksum_types.c =================================================================== ---- krb5-1.7/src/lib/crypto/keyed_checksum_types.c (revision 24455) -+++ krb5-1.7/src/lib/crypto/keyed_checksum_types.c (working copy) +--- krb5-1.7/src/lib/crypto/keyed_checksum_types.c (revision 24455) ++++ krb5-1.7/src/lib/crypto/keyed_checksum_types.c (working copy) @@ -51,6 +51,16 @@ { unsigned int i, c; + if (enctype == ENCTYPE_ARCFOUR_HMAC || -+ enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { -+ *count = 2; -+ if ((*cksumtypes = malloc(2*sizeof(krb5_cksumtype))) == NULL) -+ return(ENOMEM); -+ (*cksumtypes)[0] = CKSUMTYPE_HMAC_MD5_ARCFOUR; -+ (*cksumtypes)[1] = CKSUMTYPE_MD5_HMAC_ARCFOUR; -+ return(0); ++ enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { ++ *count = 2; ++ if ((*cksumtypes = malloc(2*sizeof(krb5_cksumtype))) == NULL) ++ return(ENOMEM); ++ (*cksumtypes)[0] = CKSUMTYPE_HMAC_MD5_ARCFOUR; ++ (*cksumtypes)[1] = CKSUMTYPE_MD5_HMAC_ARCFOUR; ++ return(0); + } + c = 0; @@ -76,8 +76,8 @@ Index: krb5-1.7/src/lib/crypto/keyed_checksum_types.c if ((krb5_cksumtypes_list[i].keyhash && Index: krb5-1.7/src/lib/crypto/dk/derive.c =================================================================== ---- krb5-1.7/src/lib/crypto/dk/derive.c (revision 24455) -+++ krb5-1.7/src/lib/crypto/dk/derive.c (working copy) +--- krb5-1.7/src/lib/crypto/dk/derive.c (revision 24455) ++++ krb5-1.7/src/lib/crypto/dk/derive.c (working copy) @@ -40,6 +40,8 @@ keybytes = enc->keybytes; keylength = enc->keylength; 
@@ -89,8 +89,8 @@ Index: krb5-1.7/src/lib/crypto/dk/derive.c return(KRB5_CRYPTO_INTERNAL); Index: krb5-1.7/src/lib/gssapi/krb5/util_crypt.c =================================================================== ---- krb5-1.7/src/lib/gssapi/krb5/util_crypt.c (revision 24455) -+++ krb5-1.7/src/lib/gssapi/krb5/util_crypt.c (working copy) +--- krb5-1.7/src/lib/gssapi/krb5/util_crypt.c (revision 24455) ++++ krb5-1.7/src/lib/gssapi/krb5/util_crypt.c (working copy) @@ -109,10 +109,22 @@ if (code != 0) return code; @@ -120,8 +120,8 @@ Index: krb5-1.7/src/lib/gssapi/krb5/util_crypt.c case ENCTYPE_DES_CBC_MD5: Index: krb5-1.7/src/lib/krb5/krb/pac.c =================================================================== ---- krb5-1.7/src/lib/krb5/krb/pac.c (revision 24455) -+++ krb5-1.7/src/lib/krb5/krb/pac.c (working copy) +--- krb5-1.7/src/lib/krb5/krb/pac.c (revision 24455) ++++ krb5-1.7/src/lib/krb5/krb/pac.c (working copy) @@ -524,6 +524,8 @@ checksum.checksum_type = load_32_le(p); checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; @@ -133,16 +133,16 @@ Index: krb5-1.7/src/lib/krb5/krb/pac.c pac_data.data = malloc(pac->data.length); Index: krb5-1.7/src/lib/krb5/krb/preauth2.c =================================================================== ---- krb5-1.7/src/lib/krb5/krb/preauth2.c (revision 24455) -+++ krb5-1.7/src/lib/krb5/krb/preauth2.c (working copy) +--- krb5-1.7/src/lib/krb5/krb/preauth2.c (revision 24455) ++++ krb5-1.7/src/lib/krb5/krb/preauth2.c (working copy) @@ -1579,7 +1579,9 @@ cksum = sc2->sam_cksum; - while (*cksum) { + for (; *cksum; cksum++) { -+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) -+ continue; ++ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) ++ continue; /* Check this cksum */ retval = krb5_c_verify_checksum(context, as_key, KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, 
@@ -156,8 +156,8 @@ Index: krb5-1.7/src/lib/krb5/krb/preauth2.c if (!valid_cksum) { Index: krb5-1.7/src/lib/krb5/krb/mk_safe.c =================================================================== ---- krb5-1.7/src/lib/krb5/krb/mk_safe.c (revision 24455) -+++ krb5-1.7/src/lib/krb5/krb/mk_safe.c (working copy) +--- krb5-1.7/src/lib/krb5/krb/mk_safe.c (revision 24455) ++++ krb5-1.7/src/lib/krb5/krb/mk_safe.c (working copy) @@ -213,10 +213,29 @@ for (i = 0; i < nsumtypes; i++) if (auth_context->safe_cksumtype == sumtypes[i]) @@ -91,7 +91,7 @@ Patch101: http://web.mit.edu/kerberos/advisories/2010-004-patch.txt Patch102: krb5-CVE-2010-1321-1.7.1.patch Patch103: krb5-1.7.1-24139.patch Patch104: krb5-1.7.1-explife.patch -Patch105: krb5-1.7-MITKRB5SA-2010-007.patch +Patch105: http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt License: MIT URL: http://web.mit.edu/kerberos/www/ |
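Review bot: The new `Patch105:` value in the last hunk is a plain `http://` URL, which records where the patch came from but does not authenticate it, and nothing visible here says how the in-tree `2010-007-patch-r17.txt` was checked against upstream. rpmbuild takes the file from the package sources rather than from the URL, so the committed copy is what ships. Since this is a security fix, I would state the check next to the tag, for example `# MITKRB5SA-2010-007 fix for the 1.7 branch; in-tree copy verified against upstream's signed patch`, assuming upstream publishes a signature for this file. The diffstat counts only this one-line replacement in krb5.spec, so the switch to the final patch is not recorded in `%changelog`; that is worth a line if the packaging policy expects one for security patches.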