oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: make keyed checksums mandatory where possible

Browse Source 
Make keyed checksums mandatory when generating and verifying checksums, with
the following exceptions:

* the checksum is being generated or verified as part of encrypting data for
  a legacy (DES) encryption type

* the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag was set on the crypto
  context, used to allow unkeyed checksums in krb5 authenticators

By making unkeyed checksums opt-in, we eliminate a class of potential
vulnerabilities where callers could pass unkeyed checksums.

Any code that uses the mandatory checksum type for a given non-legacy
encryption type should not be affected by this change. It could potentially
break, say, a client trying to do FAST with DES keys but, that should not be
supported (because FAST KDCs also support AES).

Closes: #835
This commit is contained in:
Luke Howard
2021-09-17 11:03:35 +10:00
parent 7fbe7be675
commit 85756bd228
7 changed files with 97 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/krb5/version-script.map
View File

@@ -823,6 +823,7 @@ HEIMDAL_KRB5_2.0 {
_krb5_put_int;
_krb5_s4u2self_to_checksumdata;
_krb5_HMAC_MD5_checksum;
_krb5_crypto_set_flags;
# kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs;