-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-14:08.heimdal                                        Errata Notice
                                                          The FreeBSD Project

Topic:          gss_pseudo_random interoperability issue

Category:       contrib
Module:         heimdal
Announced:      2014-06-24
Credits:        Marc Dionne, Nico Williams, and Benjamin Kaduk
Affects:        All supported versions of FreeBSD prior to 9.2-RELEASE.
Corrected:	2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE)
                2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
                2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
                2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE)
                2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

Heimdal provides an implementation of Kerberos 5, the Generic Security
Service API (GSS-API), and the krb5 GSS-API mechanism.  The GSS-API is
an abstract API that provides a unified interface for security services
that wraps many underlying security mechanisms.  Application protocols
using the GSS-API exchange context tokens to establish a security context.
Once the security context has successfully been established, it can be
used to checksum and/or encrypt messages between the two parties of
the context, securely generate an identical pseudorandom bitstring at
both endpoints, and other security-related functionality.

Kerberos 5 permits the use of different encryption types for encryption
keys; part of the specification for each encryption type is a pseudo-random
function that uses an encryption key and some optional seed data to
produce a pseudo-random bitstring of a fixed length.  The GSS_Pseudo_random
function uses an established security context and some optional seed
data to produce a pseudo-random bitstring of (nearly) arbitrary lengh.
The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402)
uses a counter mode to produce the arbitrary length output from the
fixed-length output of the underlying enctype's pseudo-random output.

II.  Problem Description

RFC 4402 specifies that the counter which is prepended to the seed data
must be encoded in network (big-endian) byte order before being input to the
encryption type's pseudo-random function.  All released versions of Heimdal
that include a GSS_Pseudo_random implementation for the krb5 mechanism
encode the counter as a little-endian integer.

III. Impact

Only applications using the GSS_Pseudo_random functionality with the krb5
mechanism are affected; the number of such applications is believed to
be small.  (RFC 4402 was published in 2006.)  Since the first value
used for the counter is zero, the first block of output is correct, but
the second and all subsequent blocks of output are incorrect.
Old versions of Heimdal will interoperate over the network with each
other, but will not interoperate with MIT krb5 peers or other implementations
of RFC 4402, if producing more than one block of pseudo-random output.
For the commonly used AES encryption types, the first 128 bits of output
are correct but the subsequent output differs.

IV.  Workaround

Applications which do not use the GSS_Pseudo_random functionality
are not affected.

Applications which can reduce their pseudo-random needs to a single
block length (e.g., 128 bits for AES) will interoperate with all
known implementations.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch
# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc
# gpg --verify heimdal.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all deamons using the library, or reboot the system.

3) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r259452
releng/8.4/                                                       r267832
stable/9/                                                         r259451
releng/9.1/                                                       r267831
releng/9.2/                                                       r267831
stable/10/                                                        r259447
releng/10.0/                                                      r259758
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The discussion of this interoperability issue in the IETF kitten working
group archives may be found here:
http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html

The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnk2wP/RXxr1lgWeKY1wCusB/wlkLO
6cVsvZwIkvTvKNglkqY4dEvJJ1mdy25xP2yoft+ChM9ugTiGs5gfxsROXLCufobP
0ycnbl0pxL00aNwU3nXaejPhfblwwLmnwZAb3JuxF795BH/7z4a9vdC0mEn86RbQ
efeu3hqxJJxDL65xUntlgzWiFSWB+DZUjBU9DAFWlOPnbVR2T3n5w4sFSWMDtmv+
AxqKjNVLgIHQKECTYjyFV2UjXCn6Np2m0dWHSpYM5MsdSaUolOqDRRxzAK5LKHg0
ieHTf1OgBpfe/iBuSwybtEv/4cagDvN82Vsni8MbLEeDMa4DSsKorea1SIrCTcBv
CW4ugln7bBWgm3hnCEIWsy0wwhSVQetGFjYgimZySI5/nO2Jnh1Ung705MPCYpb7
+X+G/oLqp04Bq81sWY4KFN8cfcmM2fQyL0zYOS72VPjXEvwcHnsbjZ/yO8eekO+J
oxkd8FaXR4b21HCh5cdlwWNNU4mu9wId8CLJW0y9l15zloTQvjW8+MSlEhAm9KUl
nYq/qHGiLTvxmsHlnQumay8lhtRJf0r3pNih+xchxy7JCVeu84aZHSIDrklZoiAr
LjOWagYFP9qHqhmmRxVoHKBeHgUaDWiJ9J0a0R44GadowrstYT7cYCzfSQr1KkDz
HPlEHgAxXm0shG0bbEA5
=tTXE
-----END PGP SIGNATURE-----