[SERVER-39202] Improve deterministic calculation of key container names

Created: 25/Jan/19 | Updated: 29/Oct/23 | Resolved: 30/Jan/19

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 4.0.5, 4.1.7 |
| Fix Version/s: | 4.0.7, 4.1.8 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Mark Benvenuto |
| Assignee: | Mark Benvenuto |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.0 |
| Sprint: | Security 2019-02-11 |
| Participants: | |

| Description |
When Windows mongod servers use a log file, they derive the private key container name from that log file. Unfortunately, if two private keys are loaded into the same key container, SChannel will use the wrong private key for signing in the server key exchange. To fix this, we need a unique, deterministic name for every key container. The simplest solution is to append an incrementing integer to make the key container names unique. This keeps the names unique within a process while staying deterministic, so a restart does not leak an unbounded number of new containers.
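As an added example (not MongoDB's code), a C++ model of the naming scheme the description proposes: the legacy log-path-only name beside the indexed one, with a simulated container store showing why two keys under one name make the lookup return the wrong key. The log path and key labels are constructed inputs, and `stableHash` stands in for whatever derivation the server actually uses.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// FNV-1a 64-bit hash rendered as hex. It depends only on its input, so a
// restarted process derives the same base name from the same log path.
static std::string stableHash(const std::string& s) {
    uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
    char buf[17];
    std::snprintf(buf, sizeof buf, "%016llx", static_cast<unsigned long long>(h));
    return buf;
}

// Old scheme as the ticket describes it: the name comes from the log file
// alone, so every key the process loads lands in the same container.
std::string legacyContainerName(const std::string& logPath) {
    return "MongoDB-" + stableHash(logPath);
}

// Fixed scheme: same base plus an incrementing index per key loaded. Names are
// unique within one process, and a restart regenerates the same bounded set
// instead of leaking fresh containers each time.
std::string uniqueContainerName(const std::string& logPath, unsigned index) {
    return legacyContainerName(logPath) + "-" + std::to_string(index);
}

// Simulated key store keyed by container name, standing in for the CSP
// container store that SChannel resolves a certificate's private key from.
// Loads each (constructed) key blob under its container name, then returns the
// key found under the container the *first* key went into: with colliding
// names the second load has replaced it, the wrong-key failure in the ticket.
std::string keyFoundForFirst(const std::string& logPath,
                             const std::vector<std::string>& keys, bool unique) {
    std::map<std::string, std::string> store;
    std::string firstName;
    for (unsigned i = 0; i < keys.size(); ++i) {
        std::string name = unique ? uniqueContainerName(logPath, i)
                                  : legacyContainerName(logPath);
        if (i == 0) firstName = name;
        store[name] = keys[i];  // same name => earlier key silently replaced
    }
    return store[firstName];
}
```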
| Comments |
| Comment by Githook User [ 08/Feb/19 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}
Message: (cherry picked from commit 6658305fbf6942f1f1294d0bffeaec9adb1bf03a)
| Comment by Githook User [ 31/Jan/19 ] |
|
Author: {'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto'}
Message: