oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
fd3f463152ca93fda22a45bdfd3b9c2d7034db92
heimdal/lib
History
Luke Howard 85756bd228 krb5: make keyed checksums mandatory where possible 
Make keyed checksums mandatory when generating and verifying checksums, with
the following exceptions:

* the checksum is being generated or verified as part of encrypting data for
  a legacy (DES) encryption type

* the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag was set on the crypto
  context, used to allow unkeyed checksums in krb5 authenticators

By making unkeyed checksums opt-in, we eliminate a class of potential
vulnerabilities where callers could pass unkeyed checksums.

Any code that uses the mandatory checksum type for a given non-legacy
encryption type should not be affected by this change. It could potentially
break, say, a client trying to do FAST with DES keys but, that should not be
supported (because FAST KDCs also support AES).

Closes: #835
2021-09-21 18:02:25 +10:00
..
asn1
kdc: remove KRB5SignedPath, to be replaced with PAC
2021-09-19 13:02:12 +10:00
base
base: use correct calling convention for log_file()
2021-08-11 19:09:08 +10:00
com_err
yyerror: update to POSIX standard
2021-09-10 09:11:23 +10:00
gss_preauth
gss_preauth: Fix build race
2021-08-29 13:50:39 -05:00
gssapi
Only #include <malloc.h> if it is available.
2021-09-07 12:49:19 +10:00
hcrypto
hcrypto: Disable errors for now that should be fixed
2020-09-07 22:04:59 -05:00
hdb
kdc: Provide flag to hint to KDC that this is a FAST key lookup
2021-08-06 12:43:17 +10:00
heimdal
lib/krb5: krb5_get_instance does not work on Windows 7
2020-05-27 23:22:40 -05:00
hx509
hx509: For times before 2050 use UTCTime (fix pasto)
2021-08-25 22:54:25 -05:00
ipc
ipc: Get socket dir via secure_getenv()
2019-11-02 18:49:42 -05:00
kadm5
kadmin: Add disallow-client attribute
2021-06-22 13:01:24 -05:00
kafs
Generic: Fix warnings (fallthrough mosty)
2020-09-07 22:04:59 -05:00
kdfs
Minor typo/grammar fixes
2017-03-10 15:47:43 -05:00
krb5
krb5: make keyed checksums mandatory where possible
2021-09-21 18:02:25 +10:00
libedit
[libedit/configure.ac] Refactor tgetent message to reflect libraries searched
2020-05-31 11:59:33 -04:00
ntlm
Generic: Fix warnings (fallthrough mosty)
2020-09-07 22:04:59 -05:00
otp
Prefer BDB3/4/5 to BDB1/2
2016-11-08 15:48:40 -05:00
roken
roken: check strdup succeeds in roken_gethostby_setup()
2021-09-20 17:58:19 +10:00
sl
yyerror: update to POSIX standard
2021-09-10 09:11:23 +10:00
sqlite
sqlite: Upgrade to SQLite3 3.33.0
2020-10-27 13:30:57 -05:00
vers
Fix make dist missing files (#228)
2016-12-15 12:15:56 -06:00
wind
Fix switch fallthrough warnings/errors
2020-09-07 22:04:59 -05:00
Makefile.am
gss: move GSS pre-auth helpers to convenience lib
2021-08-27 15:20:07 +10:00
NTMakefile
gss: move GSS pre-auth helpers to convenience lib
2021-08-27 15:20:07 +10:00