From 3d88bdcd00abac812e86eeb07e4e6114f7e8775e Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Mon, 6 Dec 2010 23:23:17 +0000 Subject: [PATCH] SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others) Apply patch for MITKRB5-SA-2010-007. Fix multiple checksum handling bugs, as described in: CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021 * Return the correct (keyed) checksums as the mandatory checksum type for DES enctypes. * Restrict simplified-profile checksums to their corresponding etypes. * Add internal checks to reduce the risk of stream ciphers being used with simplified-profile key derivation or other algorithms relying on the block encryption primitive. * Use the mandatory checksum type for the PKINIT KDC signature, instead of the first-listed keyed checksum. * Use the mandatory checksum type when sending KRB-SAFE messages by default, instead of the first-listed keyed checksum. * Use the mandatory checksum type for the t_kperf test program. * Use the mandatory checksum type (without additional logic) for the FAST request checksum. * Preserve the existing checksum choices (unkeyed checksums for DES enctypes) for the authenticator checksum, using explicit logic. * Ensure that SAM checksums received from the KDC are keyed. * Ensure that PAC checksums are keyed. ticket: 6837 target_version: 1.7.2 version_fixed: 1.7.2 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24562 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/crypto/dk/derive.c | 2 ++ src/lib/crypto/keyed_checksum_types.c | 10 ++++++++ src/lib/gssapi/krb5/util_crypt.c | 20 ++++++++++++---- src/lib/krb5/krb/mk_safe.c | 25 +++++++++++++++++--- src/lib/krb5/krb/pac.c | 2 ++ src/lib/krb5/krb/preauth2.c | 5 ++-- src/plugins/preauth/pkinit/pkinit_srv.c | 31 +++++++++++++++---------- 7 files changed, 74 insertions(+), 21 deletions(-) diff --git a/src/lib/crypto/dk/derive.c b/src/lib/crypto/dk/derive.c index 77b05fa1a..7f5fd5a96 100644 --- a/src/lib/crypto/dk/derive.c +++ b/src/lib/crypto/dk/derive.c @@ -40,6 +40,8 @@ krb5_derive_key(const struct krb5_enc_provider *enc, keybytes = enc->keybytes; keylength = enc->keylength; + if (blocksize == 1) + return(KRB5_BAD_ENCTYPE); if ((inkey->length != keylength) || (outkey->length != keylength)) return(KRB5_CRYPTO_INTERNAL); diff --git a/src/lib/crypto/keyed_checksum_types.c b/src/lib/crypto/keyed_checksum_types.c index 04aa44757..d4673569e 100644 --- a/src/lib/crypto/keyed_checksum_types.c +++ b/src/lib/crypto/keyed_checksum_types.c @@ -51,6 +51,16 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, { unsigned int i, c; + if (enctype == ENCTYPE_ARCFOUR_HMAC || + enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + *count = 2; + if ((*cksumtypes = malloc(2*sizeof(krb5_cksumtype))) == NULL) + return(ENOMEM); + (*cksumtypes)[0] = CKSUMTYPE_HMAC_MD5_ARCFOUR; + (*cksumtypes)[1] = CKSUMTYPE_MD5_HMAC_ARCFOUR; + return(0); + } + c = 0; for (i=0; ienctype, - cksumtype); - if (code != 0) - return code; + switch (subkey->enctype) { + case ENCTYPE_DES_CBC_MD4: + *cksumtype = CKSUMTYPE_RSA_MD4_DES; + break; + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_CRC: + *cksumtype = CKSUMTYPE_RSA_MD5_DES; + break; + default: + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + subkey->enctype, + cksumtype); + if (code != 0) + return code; + break; + } switch (subkey->enctype) { case ENCTYPE_DES_CBC_MD5: diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 0afa61e85..f36587da3 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -213,10 +213,29 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, for (i = 0; i < nsumtypes; i++) if (auth_context->safe_cksumtype == sumtypes[i]) break; - if (i == nsumtypes) - i = 0; - sumtype = sumtypes[i]; krb5_free_cksumtypes (context, sumtypes); + if (i < nsumtypes) + sumtype = auth_context->safe_cksumtype; + else { + switch (keyblock->enctype) { + case ENCTYPE_DES_CBC_MD4: + sumtype = CKSUMTYPE_RSA_MD4_DES; + break; + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_CRC: + sumtype = CKSUMTYPE_RSA_MD5_DES; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, + keyblock->enctype, + &sumtype); + if (retval) { + CLEANUP_DONE(); + goto error; + } + break; + } + } } if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, plocal_fulladdr, premote_fulladdr, diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index c5a706562..21f2ca3a3 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -524,6 +524,8 @@ k5_pac_verify_server_checksum(krb5_context context, checksum.checksum_type = load_32_le(p); checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; + if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) + return KRB5KRB_AP_ERR_INAPP_CKSUM; pac_data.length = pac->data.length; pac_data.data = malloc(pac->data.length); diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index ed05babe3..96abaa492 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -1579,7 +1579,9 @@ krb5_error_code pa_sam_2(krb5_context context, cksum = sc2->sam_cksum; - while (*cksum) { + for (; *cksum; cksum++) { + if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) + continue; /* Check this cksum */ retval = krb5_c_verify_checksum(context, as_key, KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, @@ -1593,7 +1595,6 @@ krb5_error_code pa_sam_2(krb5_context context, } if (valid_cksum) break; - cksum++; } if (!valid_cksum) { diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index b9a23d7cc..0c7c6a033 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -664,8 +664,7 @@ pkinit_server_return_padata(krb5_context context, krb5_reply_key_pack *key_pack = NULL; krb5_reply_key_pack_draft9 *key_pack9 = NULL; krb5_data *encoded_key_pack = NULL; - unsigned int num_types; - krb5_cksumtype *cksum_types = NULL; + krb5_cksumtype cksum_type; pkinit_kdc_context plgctx; pkinit_kdc_req_context reqctx; @@ -851,14 +850,24 @@ pkinit_server_return_padata(krb5_context context, retval = ENOMEM; goto cleanup; } - /* retrieve checksums for a given enctype of the reply key */ - retval = krb5_c_keyed_checksum_types(context, - encrypting_key->enctype, &num_types, &cksum_types); - if (retval) - goto cleanup; - - /* pick the first of acceptable enctypes for the checksum */ - retval = krb5_c_make_checksum(context, cksum_types[0], + switch (encrypting_key->enctype) { + case ENCTYPE_DES_CBC_MD4: + cksum_type = CKSUMTYPE_RSA_MD4_DES; + break; + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_CRC: + cksum_type = CKSUMTYPE_RSA_MD5_DES; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, + encrypting_key->enctype, + &cksum_type); + if (retval) + goto cleanup; + break; + } + + retval = krb5_c_make_checksum(context, cksum_type, encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, req_pkt, &key_pack->asChecksum); if (retval) { @@ -1006,8 +1015,6 @@ pkinit_server_return_padata(krb5_context context, free(dh_pubkey); if (server_key != NULL) free(server_key); - if (cksum_types != NULL) - free(cksum_types); switch ((int)padata->pa_type) { case KRB5_PADATA_PK_AS_REQ: -- 2.26.2