git.ipfire.org Git - thirdparty/krb5.git/commit

author	Julien Rische <jrische@redhat.com>
	Thu, 22 Aug 2024 15:15:50 +0000 (17:15 +0200)
committer	Greg Hudson <ghudson@mit.edu>
	Wed, 16 Oct 2024 19:50:22 +0000 (15:50 -0400)
commit	871125fea8ce0370a972bf65f7d1de63f619b06c
tree	c0e7e9192a2fdf27a5e370852207000e8ab0aef8	tree
parent	331e393c6def46c00b6b54e1b2a0d1080c2af9e0	commit \| diff

Generate and verify message MACs in libkrad

Implement some of the measures specified in
draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS
attack (CVE-2024-3596):

* Include a Message-Authenticator MAC as the first attribute when
  generating a packet of type Access-Request, Access-Reject,
  Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if
  the secret is non-empty.  (An empty secret indicates the use of Unix
  domain socket transport.)

* Validate the Message-Authenticator MAC in received packets, if
  present.

FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and
3.0.27.  libkrad must generate Message-Authenticator attributes in
order to remain compatible with these implementations.

[ghudson@mit.edu: adjusted style and naming; simplified some
functions; edited commit message]

ticket: 9142 (new)
tags: pullup
target_version: 1.21-next

src/include/k5-int.h		diff \| blob \| blame \| history
src/lib/crypto/krb/checksum_hmac_md5.c		diff \| blob \| blame \| history
src/lib/crypto/libk5crypto.exports		diff \| blob \| blame \| history
src/lib/krad/attr.c		diff \| blob \| blame \| history
src/lib/krad/attrset.c		diff \| blob \| blame \| history
src/lib/krad/internal.h		diff \| blob \| blame \| history
src/lib/krad/packet.c		diff \| blob \| blame \| history
src/lib/krad/t_attrset.c		diff \| blob \| blame \| history
src/lib/krad/t_daemon.py		diff \| blob \| blame \| history
src/lib/krad/t_packet.c		diff \| blob \| blame \| history
src/tests/t_otp.py		diff \| blob \| blame \| history