FreeBSD Errata Notices
2014-Jun-24 19:33 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:08.heimdal
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-EN-14:08.heimdal Errata Notice The FreeBSD Project Topic: gss_pseudo_random interoperability issue Category: contrib Module: heimdal Announced: 2014-06-24 Credits: Marc Dionne, Nico Williams, and Benjamin Kaduk Affects: All supported versions of FreeBSD prior to 9.2-RELEASE. Corrected: 2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE) 2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9) 2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16) 2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE) 2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.freebsd.org/>. I. Background Heimdal provides an implementation of Kerberos 5, the Generic Security Service API (GSS-API), and the krb5 GSS-API mechanism. The GSS-API is an abstract API that provides a unified interface for security services that wraps many underlying security mechanisms. Application protocols using the GSS-API exchange context tokens to establish a security context. Once the security context has successfully been established, it can be used to checksum and/or encrypt messages between the two parties of the context, securely generate an identical pseudorandom bitstring at both endpoints, and other security-related functionality. Kerberos 5 permits the use of different encryption types for encryption keys; part of the specification for each encryption type is a pseudo-random function that uses an encryption key and some optional seed data to produce a pseudo-random bitstring of a fixed length. The GSS_Pseudo_random function uses an established security context and some optional seed data to produce a pseudo-random bitstring of (nearly) arbitrary lengh. The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402) uses a counter mode to produce the arbitrary length output from the fixed-length output of the underlying enctype's pseudo-random output. II. Problem Description RFC 4402 specifies that the counter which is prepended to the seed data must be encoded in network (big-endian) byte order before being input to the encryption type's pseudo-random function. All released versions of Heimdal that include a GSS_Pseudo_random implementation for the krb5 mechanism encode the counter as a little-endian integer. III. Impact Only applications using the GSS_Pseudo_random functionality with the krb5 mechanism are affected; the number of such applications is believed to be small. (RFC 4402 was published in 2006.) Since the first value used for the counter is zero, the first block of output is correct, but the second and all subsequent blocks of output are incorrect. Old versions of Heimdal will interoperate over the network with each other, but will not interoperate with MIT krb5 peers or other implementations of RFC 4402, if producing more than one block of pseudo-random output. For the commonly used AES encryption types, the first 128 bits of output are correct but the subsequent output differs. IV. Workaround Applications which do not use the GSS_Pseudo_random functionality are not affected. Applications which can reduce their pseudo-random needs to a single block length (e.g., 128 bits for AES) will interoperate with all known implementations. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch # fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc # gpg --verify heimdal.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. Restart all deamons using the library, or reboot the system. 3) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r259452 releng/8.4/ r267832 stable/9/ r259451 releng/9.1/ r267831 releng/9.2/ r267831 stable/10/ r259447 releng/10.0/ r259758 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The discussion of this interoperability issue in the IETF kitten working group archives may be found here: http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnk2wP/RXxr1lgWeKY1wCusB/wlkLO 6cVsvZwIkvTvKNglkqY4dEvJJ1mdy25xP2yoft+ChM9ugTiGs5gfxsROXLCufobP 0ycnbl0pxL00aNwU3nXaejPhfblwwLmnwZAb3JuxF795BH/7z4a9vdC0mEn86RbQ efeu3hqxJJxDL65xUntlgzWiFSWB+DZUjBU9DAFWlOPnbVR2T3n5w4sFSWMDtmv+ AxqKjNVLgIHQKECTYjyFV2UjXCn6Np2m0dWHSpYM5MsdSaUolOqDRRxzAK5LKHg0 ieHTf1OgBpfe/iBuSwybtEv/4cagDvN82Vsni8MbLEeDMa4DSsKorea1SIrCTcBv CW4ugln7bBWgm3hnCEIWsy0wwhSVQetGFjYgimZySI5/nO2Jnh1Ung705MPCYpb7 +X+G/oLqp04Bq81sWY4KFN8cfcmM2fQyL0zYOS72VPjXEvwcHnsbjZ/yO8eekO+J oxkd8FaXR4b21HCh5cdlwWNNU4mu9wId8CLJW0y9l15zloTQvjW8+MSlEhAm9KUl nYq/qHGiLTvxmsHlnQumay8lhtRJf0r3pNih+xchxy7JCVeu84aZHSIDrklZoiAr LjOWagYFP9qHqhmmRxVoHKBeHgUaDWiJ9J0a0R44GadowrstYT7cYCzfSQr1KkDz HPlEHgAxXm0shG0bbEA5 =tTXE -----END PGP SIGNATURE-----