diff options
-rw-r--r-- | network/krb5/README | 10 | ||||
-rw-r--r-- | network/krb5/krb5.SlackBuild | 29 | ||||
-rw-r--r-- | network/krb5/krb5.info | 8 | ||||
-rw-r--r-- | network/krb5/patches/2009-003-patch.txt | 27 | ||||
-rw-r--r-- | network/krb5/patches/2009-004-patch_1.7.txt | 377 |
5 files changed, 17 insertions, 434 deletions
diff --git a/network/krb5/README b/network/krb5/README index 1cc2092fff..cf7ab7dde3 100644 --- a/network/krb5/README +++ b/network/krb5/README @@ -3,13 +3,3 @@ provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well. - -This package includes patches for security advisories: - -MITKRB5-SA-2009-004 - integer underflow in AES and RC4 decryption -MITKRB5-SA-2009-003 - KDC denial of service in cross-realm referral processing - -For further information about these advisories, please see -http://web.mit.edu/kerberos/advisories/ diff --git a/network/krb5/krb5.SlackBuild b/network/krb5/krb5.SlackBuild index 90515f8892..233c43482f 100644 --- a/network/krb5/krb5.SlackBuild +++ b/network/krb5/krb5.SlackBuild @@ -6,13 +6,13 @@ # All rights reserved. # # Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions +# modification, are permitted provided that the following conditions # are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials # provided with the distribution. # * Neither the name of Tom Canich nor the names of other contributors # may be used to endorse or promote products derived from this @@ -20,18 +20,18 @@ # # THIS SOFTWARE IS PROVIDED BY Tom Canich ''AS IS'' AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE -# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER -# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER +# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=krb5 -VERSION=${VERSION:-1.7} +VERSION=${VERSION:-1.7.1} ARCH=${ARCH:-i486} BUILD=${BUILD:-2} TAG=${TAG:-_SBo} @@ -63,9 +63,6 @@ tar xvf $CWD/$PRGNAM-$VERSION-signed.tar -C $TMP tar xvf $TMP/$PRGNAM-$VERSION.tar.gz cd $PRGNAM-$VERSION/src -patch -p2 -i $CWD/patches/2009-003-patch.txt -patch -p1 -i $CWD/patches/2009-004-patch_1.7.txt - CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ @@ -90,7 +87,7 @@ chmod 0755 $PKG/etc/profile.d/* find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \ xargs strip --strip-unneeded 2> /dev/null || true find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \ - xargs strip --strip-unneeded 2> /dev/null + xargs strip --strip-unneeded 2> /dev/null || true ) ( cd $PKG/usr/kerberos/man @@ -100,7 +97,7 @@ chmod 0755 $PKG/etc/profile.d/* mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION cp -a \ - $CWD/README $CWD/README.krb5 $CWD/EXPORT $CWD/patches \ + $CWD/README $CWD/README.krb5 $CWD/EXPORT \ $PKG/usr/doc/$PRGNAM-$VERSION cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild chown -R root:root $PKG/usr/doc diff --git a/network/krb5/krb5.info b/network/krb5/krb5.info index 30d96bb3c7..a978adea5d 100644 --- a/network/krb5/krb5.info +++ b/network/krb5/krb5.info @@ -1,10 +1,10 @@ PRGNAM="krb5" -VERSION="1.7" +VERSION="1.7.1" HOMEPAGE="http://web.mit.edu/kerberos/" -DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar" -MD5SUM="9f7b3402b4731a7fa543db193bf1b564" +DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar" +MD5SUM="4206991cb65e0d0ab69748e63ca67388" DOWNLOAD_x86_64="" MD5SUM_x86_64="" MAINTAINER="Tom Canich" EMAIL="tcanich@canich.net" -APPROVED="Erik Hanson" +APPROVED="dsomero" diff --git a/network/krb5/patches/2009-003-patch.txt b/network/krb5/patches/2009-003-patch.txt deleted file mode 100644 index 0319cd1c97..0000000000 --- a/network/krb5/patches/2009-003-patch.txt +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 298e132..12180ff 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) - free(temp_buf); - if (retval) { - /* no match found */ -- kdc_err(kdc_context, retval, 0); -+ kdc_err(kdc_context, retval, "unable to find realm of host"); - goto cleanup; - } - if (realms == 0) { -diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index efff818..ef3735a 100644 ---- a/src/lib/kadm5/logger.c -+++ b/src/lib/kadm5/logger.c -@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list - char *cp; - char *syslogp; - -+ if (whoami == NULL || format == NULL) -+ return; -+ - /* Make the header */ - snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); - /* diff --git a/network/krb5/patches/2009-004-patch_1.7.txt b/network/krb5/patches/2009-004-patch_1.7.txt deleted file mode 100644 index df2edcade2..0000000000 --- a/network/krb5/patches/2009-004-patch_1.7.txt +++ /dev/null @@ -1,377 +0,0 @@ -Index: src/lib/crypto/Makefile.in -=================================================================== ---- src/lib/crypto/Makefile.in (revision 23398) -+++ src/lib/crypto/Makefile.in (working copy) -@@ -18,6 +18,7 @@ - $(srcdir)/t_nfold.c \ - $(srcdir)/t_cf2.c \ - $(srcdir)/t_encrypt.c \ -+ $(srcdir)/t_short.c \ - $(srcdir)/t_prf.c \ - $(srcdir)/t_prng.c \ - $(srcdir)/t_hmac.c \ -@@ -206,7 +207,7 @@ - - clean-unix:: clean-liblinks clean-libs clean-libobjs - --check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 -+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short - $(RUN_SETUP) $(VALGRIND) ./t_nfold - $(RUN_SETUP) $(VALGRIND) ./t_encrypt - $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ -@@ -216,6 +217,7 @@ - diff t_prf.output $(srcdir)/t_prf.expected - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected -+ $(RUN_SETUP) $(VALGRIND) ./t_short - - - # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 -@@ -249,10 +251,15 @@ - $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ - $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) -+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ -+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+ - clean:: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ -- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ -+ t_cf2 t_cf2.o t_short t_short.o - -$(RM) t_prng.output - - all-windows:: -Index: src/lib/crypto/arcfour/arcfour.c -=================================================================== ---- src/lib/crypto/arcfour/arcfour.c (revision 23398) -+++ src/lib/crypto/arcfour/arcfour.c (working copy) -@@ -199,6 +199,12 @@ - keylength = enc->keylength; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < hashsize + CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ - d1.length=keybytes; - d1.data=malloc(d1.length); - if (d1.data == NULL) -Index: src/lib/crypto/enc_provider/aes.c -=================================================================== ---- src/lib/crypto/enc_provider/aes.c (revision 23398) -+++ src/lib/crypto/enc_provider/aes.c (working copy) -@@ -105,9 +105,11 @@ - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { -- /* XXX Used for DK function. */ -+ /* Used when deriving keys. */ -+ if (input->length < BLOCK_SIZE) -+ return KRB5_BAD_MSIZE; - enc(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -@@ -160,9 +162,9 @@ - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) -- abort(); -+ return KRB5_BAD_MSIZE; - dec(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -@@ -208,6 +210,7 @@ - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; - int nblocks = 0, blockno; - size_t input_length, i; -+ struct iov_block_state input_pos, output_pos; - - if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) - abort(); -@@ -224,18 +227,20 @@ - input_length += iov->data.length; - } - -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); -+ - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ enc(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; - -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); -- - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; - -@@ -288,6 +293,7 @@ - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno, i; - size_t input_length; -+ struct iov_block_state input_pos, output_pos; - - CHECK_SIZES; - -@@ -306,18 +312,20 @@ - input_length += iov->data.length; - } - -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); -+ - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ dec(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; - -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); -- - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; - -Index: src/lib/crypto/dk/dk_aead.c -=================================================================== ---- src/lib/crypto/dk/dk_aead.c (revision 23398) -+++ src/lib/crypto/dk/dk_aead.c (working copy) -@@ -248,7 +248,7 @@ - for (i = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - -- if (ENCRYPT_DATA_IOV(iov)) -+ if (ENCRYPT_IOV(iov)) - cipherlen += iov->data.length; - } - -Index: src/lib/crypto/dk/dk_decrypt.c -=================================================================== ---- src/lib/crypto/dk/dk_decrypt.c (revision 23398) -+++ src/lib/crypto/dk/dk_decrypt.c (working copy) -@@ -89,6 +89,12 @@ - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hmacsize) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - blocksize - hmacsize) -+ return KRB5_BAD_MSIZE; -+ - enclen = input->length - hmacsize; - - if ((kedata = (unsigned char *) malloc(keylength)) == NULL) -Index: src/lib/crypto/raw/raw_decrypt.c -=================================================================== ---- src/lib/crypto/raw/raw_decrypt.c (revision 23398) -+++ src/lib/crypto/raw/raw_decrypt.c (working copy) -@@ -34,5 +34,7 @@ - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) - { -+ if (output->length < input->length) -+ return KRB5_BAD_MSIZE; - return((*(enc->decrypt))(key, ivec, input, output)); - } -Index: src/lib/crypto/deps -=================================================================== ---- src/lib/crypto/deps (revision 23398) -+++ src/lib/crypto/deps (working copy) -@@ -463,6 +463,16 @@ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c -+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ -+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ -+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ -+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ -+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ -+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ -+ t_short.c - t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -Index: src/lib/crypto/t_short.c -=================================================================== ---- src/lib/crypto/t_short.c (revision 0) -+++ src/lib/crypto/t_short.c (revision 0) -@@ -0,0 +1,126 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* -+ * lib/crypto/crypto_tests/t_short.c -+ * -+ * Copyright (C) 2009 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * Tests the outcome of decrypting overly short tokens. This program can be -+ * run under a tool like valgrind to detect bad memory accesses; when run -+ * normally by the test suite, it verifies that each operation returns -+ * KRB5_BAD_MSIZE. -+ */ -+ -+#include "k5-int.h" -+ -+krb5_enctype interesting_enctypes[] = { -+ ENCTYPE_DES_CBC_CRC, -+ ENCTYPE_DES_CBC_MD4, -+ ENCTYPE_DES_CBC_MD5, -+ ENCTYPE_DES3_CBC_SHA1, -+ ENCTYPE_ARCFOUR_HMAC, -+ ENCTYPE_ARCFOUR_HMAC_EXP, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ 0 -+}; -+ -+/* Abort if an operation unexpectedly fails. */ -+static void -+x(krb5_error_code code) -+{ -+ if (code != 0) -+ abort(); -+} -+ -+/* Abort if a decrypt operation doesn't have the expected result. */ -+static void -+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) -+{ -+ if (len < min_len) { -+ /* Undersized tokens should always result in BAD_MSIZE. */ -+ if (code != KRB5_BAD_MSIZE) -+ abort(); -+ } else { -+ /* Min-size tokens should succeed or fail the integrity check. */ -+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) -+ abort(); -+ } -+} -+ -+static void -+test_enctype(krb5_enctype enctype) -+{ -+ krb5_error_code ret; -+ krb5_keyblock keyblock; -+ krb5_enc_data input; -+ krb5_data output; -+ krb5_crypto_iov iov[2]; -+ unsigned int dummy; -+ size_t min_len, len; -+ -+ printf("Testing enctype %d\n", (int) enctype); -+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); -+ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); -+ input.enctype = enctype; -+ -+ /* Try each length up to the minimum length. */ -+ for (len = 0; len <= min_len; len++) { -+ input.ciphertext.data = calloc(len, 1); -+ input.ciphertext.length = len; -+ output.data = calloc(len, 1); -+ output.length = len; -+ -+ /* Attempt a normal decryption. */ -+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); -+ check_decrypt_result(ret, len, min_len); -+ -+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, -+ &dummy) == 0) { -+ /* Attempt an IOV stream decryption. */ -+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; -+ iov[0].data = input.ciphertext; -+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[1].data.data = NULL; -+ iov[1].data.length = 0; -+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); -+ check_decrypt_result(ret, len, min_len); -+ } -+ -+ free(input.ciphertext.data); -+ free(output.data); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int i; -+ krb5_data notrandom; -+ -+ notrandom.data = "notrandom"; -+ notrandom.length = 9; -+ krb5_c_random_seed(NULL, ¬random); -+ for (i = 0; interesting_enctypes[i]; i++) -+ test_enctype(interesting_enctypes[i]); -+ return 0; -+} -Index: src/lib/crypto/old/old_decrypt.c -=================================================================== ---- src/lib/crypto/old/old_decrypt.c (revision 23398) -+++ src/lib/crypto/old/old_decrypt.c (working copy) -@@ -45,8 +45,10 @@ - blocksize = enc->block_size; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hashsize || input->length % blocksize != 0) -+ return(KRB5_BAD_MSIZE); - plainsize = input->length - blocksize - hashsize; -- - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - |