Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
From: tlyu@mit.edu
Subject: SVN Commit
X-RT-Original-Encoding: iso-8859-1
Content-Length: 1677


Apply patch for MITKRB5-SA-2010-007.

Fix multiple checksum handling bugs, as described in:
  CVE-2010-1324
  CVE-2010-1323
  CVE-2010-4020
  CVE-2010-4021

* Return the correct (keyed) checksums as the mandatory checksum type
  for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
  with simplified-profile key derivation or other algorithms relying
  on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
  instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
  default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
  FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
  enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.

https://github.com/krb5/krb5/commit/bac36d1fd252ac8b3cb8bfa3855f20762635cd50
Commit By: tlyu
Revision: 24560
Changed Files:
U   branches/krb5-1-8/src/lib/crypto/krb/cksumtypes.c
U   branches/krb5-1-8/src/lib/crypto/krb/dk/derive.c
U   branches/krb5-1-8/src/lib/crypto/krb/keyed_checksum_types.c
U   branches/krb5-1-8/src/lib/gssapi/krb5/util_crypt.c
U   branches/krb5-1-8/src/lib/krb5/krb/mk_safe.c
U   branches/krb5-1-8/src/lib/krb5/krb/pac.c
U   branches/krb5-1-8/src/lib/krb5/krb/preauth2.c
U   branches/krb5-1-8/src/plugins/preauth/pkinit/pkinit_srv.c