* Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
- Update to krb5-1.13.1 - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 - Minor spec cleanup
This commit is contained in:
parent
03981c354e
commit
570cb5eeb3
@ -1,118 +0,0 @@
|
|||||||
From d5755694b620570defeecee772def90a2733c6cc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Tue, 20 Jan 2015 13:48:34 -0500
|
|
||||||
Subject: [PATCH 1/2] Do not loop on principal unknown errors
|
|
||||||
|
|
||||||
If the canonicalize flag is set, the MIT KDC always return the client
|
|
||||||
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
|
|
||||||
|
|
||||||
Check that this is really a referral by testing that the returned
|
|
||||||
client realm differs from the requested one.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
|
|
||||||
Note that a WRONG_REALM response with e-data or FAST error padata
|
|
||||||
could now be passed through k5_preauth_tryagain() if it has an empty
|
|
||||||
crealm or a crealm equal to the requested client realm. Such a
|
|
||||||
response is unexpected in practice and there is nothing dangerous
|
|
||||||
about handling it this way.]
|
|
||||||
|
|
||||||
ticket: 8060
|
|
||||||
target_version: 1.13.1
|
|
||||||
tags: pullup
|
|
||||||
---
|
|
||||||
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
|
|
||||||
1 file changed, 13 insertions(+), 27 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
index 2c2b654..f9bc027 100644
|
|
||||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
@@ -1379,33 +1379,23 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
|
|
||||||
AUTH_OFFSET : UNAUTH_OFFSET;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* Determine whether the client realm in a KRB-ERROR is empty. */
|
|
||||||
-static krb5_boolean
|
|
||||||
-is_empty_crealm(krb5_error *err)
|
|
||||||
-{
|
|
||||||
-
|
|
||||||
- return (err->client == NULL || err->client->realm.length == 0);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
- * Determine whether a KRB-ERROR is a referral to another realm.
|
|
||||||
+ * Determine whether err is a client referral to another realm, given the
|
|
||||||
+ * previously requested client principal name.
|
|
||||||
*
|
|
||||||
- * RFC 6806 Section 7 requires that KDCs return the referral realm in
|
|
||||||
- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
|
|
||||||
- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
|
|
||||||
- * Detect this case by looking for a non-empty client.realm field in
|
|
||||||
- * such responses.
|
|
||||||
+ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
|
|
||||||
+ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
|
|
||||||
+ * return the realm in a PRINCIPAL_UNKNOWN message.
|
|
||||||
*/
|
|
||||||
static krb5_boolean
|
|
||||||
-is_referral(krb5_init_creds_context ctx)
|
|
||||||
+is_referral(krb5_context context, krb5_error *err, krb5_principal client)
|
|
||||||
{
|
|
||||||
- krb5_error *err = ctx->err_reply;
|
|
||||||
-
|
|
||||||
- if (err->error == KDC_ERR_WRONG_REALM)
|
|
||||||
- return TRUE;
|
|
||||||
- if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
|
|
||||||
+ if (err->error != KDC_ERR_WRONG_REALM &&
|
|
||||||
+ err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
|
|
||||||
+ return FALSE;
|
|
||||||
+ if (err->client == NULL)
|
|
||||||
return FALSE;
|
|
||||||
- return !is_empty_crealm(err);
|
|
||||||
+ return !krb5_realm_compare(context, err->client, client);
|
|
||||||
}
|
|
||||||
|
|
||||||
static krb5_error_code
|
|
||||||
@@ -1467,12 +1457,8 @@ init_creds_step_reply(krb5_context context,
|
|
||||||
ctx->preauth_to_use);
|
|
||||||
ctx->preauth_required = TRUE;
|
|
||||||
|
|
||||||
- } else if (canon_flag && is_referral(ctx)) {
|
|
||||||
- if (is_empty_crealm(ctx->err_reply)) {
|
|
||||||
- /* Only WRONG_REALM referral types can reach this. */
|
|
||||||
- code = KRB5KDC_ERR_WRONG_REALM;
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
+ } else if (canon_flag && is_referral(context, ctx->err_reply,
|
|
||||||
+ ctx->request->client)) {
|
|
||||||
TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
|
|
||||||
/* Rewrite request.client with realm from error reply */
|
|
||||||
krb5_free_data_contents(context, &ctx->request->client->realm);
|
|
||||||
|
|
||||||
From c0778ab2252ece4c3510788d9b72f7f5e3bb05dd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Fri, 23 Jan 2015 12:52:31 -0500
|
|
||||||
Subject: [PATCH 2/2] Add test for kinit -C WRONG_REALM response
|
|
||||||
|
|
||||||
ticket: 8060
|
|
||||||
---
|
|
||||||
src/tests/t_general.py | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
|
|
||||||
index 98e77a2..5349b05 100755
|
|
||||||
--- a/src/tests/t_general.py
|
|
||||||
+++ b/src/tests/t_general.py
|
|
||||||
@@ -33,6 +33,13 @@
|
|
||||||
|
|
||||||
realm = K5Realm(create_host=False)
|
|
||||||
|
|
||||||
+# Test that WRONG_REALM responses aren't treated as referrals unless
|
|
||||||
+# they contain a crealm field pointing to a different realm.
|
|
||||||
+# (Regression test for #8060.)
|
|
||||||
+out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
|
|
||||||
+if 'not found in Kerberos database' not in out:
|
|
||||||
+ fail('Expected error message not seen in kinit -C output')
|
|
||||||
+
|
|
||||||
# Spot-check KRB5_TRACE output
|
|
||||||
tracefile = os.path.join(realm.testdir, 'trace')
|
|
||||||
realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
|
|
@ -1,63 +0,0 @@
|
|||||||
From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Fri, 5 Dec 2014 14:01:39 -0500
|
|
||||||
Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
|
|
||||||
|
|
||||||
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
|
|
||||||
successfully with no results, return KRB5_KDB_NOENTRY instead of
|
|
||||||
returning success with a zeroed-out policy object. This fixes a null
|
|
||||||
dereference when an admin attempts to use an LDAP ticket policy name
|
|
||||||
as a password policy name.
|
|
||||||
|
|
||||||
CVE-2014-5353:
|
|
||||||
|
|
||||||
In MIT krb5, when kadmind is configured to use LDAP for the KDC
|
|
||||||
database, an authenticated remote attacker can cause a NULL dereference
|
|
||||||
by attempting to use a named ticket policy object as a password policy
|
|
||||||
for a principal. The attacker needs to be authenticated as a user who
|
|
||||||
has the elevated privilege for setting password policy by adding or
|
|
||||||
modifying principals.
|
|
||||||
|
|
||||||
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
|
|
||||||
not return entries of other classes, such as ticket policy objects, but
|
|
||||||
may return success with no returned elements if an object with the
|
|
||||||
requested DN exists in a different object class. In this case, the
|
|
||||||
routine to retrieve a password policy returned success with a password
|
|
||||||
policy object that consisted entirely of zeroed memory. In particular,
|
|
||||||
accesses to the policy name will dereference a NULL pointer. KDC
|
|
||||||
operation does not access the policy name field, but most kadmin
|
|
||||||
operations involving the principal with incorrect password policy
|
|
||||||
will trigger the crash.
|
|
||||||
|
|
||||||
Thanks to Patrik Kis for reporting this problem.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
|
|
||||||
|
|
||||||
[kaduk@mit.edu: CVE description and CVSS score]
|
|
||||||
|
|
||||||
ticket: 8051 (new)
|
|
||||||
target_version: 1.13.1
|
|
||||||
tags: pullup
|
|
||||||
---
|
|
||||||
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
|
|
||||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
||||||
index 522773e..6779f51 100644
|
|
||||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
||||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
||||||
@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
|
|
||||||
LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
|
|
||||||
|
|
||||||
ent=ldap_first_entry(ld, result);
|
|
||||||
- if (ent != NULL) {
|
|
||||||
- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
|
|
||||||
- goto cleanup;
|
|
||||||
+ if (ent == NULL) {
|
|
||||||
+ st = KRB5_KDB_NOENTRY;
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
+ st = populate_policy(context, ld, ent, pol_name, *policy);
|
|
||||||
|
|
||||||
cleanup:
|
|
||||||
ldap_msgfree(result);
|
|
@ -1,113 +0,0 @@
|
|||||||
From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ben Kaduk <kaduk@mit.edu>
|
|
||||||
Date: Wed, 19 Nov 2014 12:04:46 -0500
|
|
||||||
Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
|
|
||||||
|
|
||||||
Operations like "kadmin -q 'addprinc -nokey foo'" or
|
|
||||||
"kadmin -q 'purgekeys -all foo'" result in principal entries with
|
|
||||||
no keys present, so krb5_encode_krbsecretkey() would just return
|
|
||||||
NULL, which then got unconditionally dereferenced in
|
|
||||||
krb5_add_ber_mem_ldap_mod().
|
|
||||||
|
|
||||||
Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
|
|
||||||
principals better, correct the test for an allocation failure, and
|
|
||||||
slightly restructure the cleanup handler to be shorter and more
|
|
||||||
appropriate for the usage. Once it no longer short-circuits when
|
|
||||||
n_key_data is zero, it will produce an array of length two with both
|
|
||||||
entries NULL, which is treated as an empty list by the LDAP library,
|
|
||||||
the correct behavior for a keyless principal.
|
|
||||||
|
|
||||||
However, attributes with empty values are only handled by the LDAP
|
|
||||||
library for Modify operations, not Add operations (which only get
|
|
||||||
a sequence of Attribute, with no operation field). Therefore, only
|
|
||||||
add an empty krbprincipalkey to the modlist when we will be performing a
|
|
||||||
Modify, and not when we will be performing an Add, which is conditional
|
|
||||||
on the (misspelled) create_standalone_prinicipal boolean.
|
|
||||||
|
|
||||||
CVE-2014-5354:
|
|
||||||
|
|
||||||
In MIT krb5, when kadmind is configured to use LDAP for the KDC
|
|
||||||
database, an authenticated remote attacker can cause a NULL
|
|
||||||
dereference by inserting into the database a principal entry which
|
|
||||||
contains no long-term keys.
|
|
||||||
|
|
||||||
In order for the LDAP KDC backend to translate a principal entry
|
|
||||||
from the database abstraction layer into the form expected by the
|
|
||||||
LDAP schema, the principal's keys are encoded into a
|
|
||||||
NULL-terminated array of length-value entries to be stored in the
|
|
||||||
LDAP database. However, the subroutine which produced this array
|
|
||||||
did not correctly handle the case where no keys were present,
|
|
||||||
returning NULL instead of an empty array, and the array was
|
|
||||||
unconditionally dereferenced while adding to the list of LDAP
|
|
||||||
operations to perform.
|
|
||||||
|
|
||||||
Versions of MIT krb5 prior to 1.12 did not expose a way for
|
|
||||||
principal entries to have no long-term key material, and
|
|
||||||
therefore are not vulnerable.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
|
|
||||||
|
|
||||||
ticket: 8041 (new)
|
|
||||||
tags: pullup
|
|
||||||
target_version: 1.13.1
|
|
||||||
subject: kadmind with ldap backend crashes when putting keyless entries
|
|
||||||
---
|
|
||||||
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
|
|
||||||
1 file changed, 17 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
index 3e560d9..10b5982 100644
|
|
||||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
|
|
||||||
int num_versions = 1;
|
|
||||||
int i, j, last;
|
|
||||||
krb5_error_code err = 0;
|
|
||||||
- krb5_key_data *key_data;
|
|
||||||
+ krb5_key_data *key_data = NULL;
|
|
||||||
|
|
||||||
- if (n_key_data <= 0)
|
|
||||||
+ if (n_key_data < 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
/* Make a shallow copy of the key data so we can alter it. */
|
|
||||||
key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
|
|
||||||
- if (key_data_in == NULL)
|
|
||||||
+ if (key_data == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
|
|
||||||
|
|
||||||
@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
|
|
||||||
free(key_data);
|
|
||||||
if (err != 0) {
|
|
||||||
if (ret != NULL) {
|
|
||||||
- for (i = 0; i <= num_versions; i++)
|
|
||||||
- if (ret[i] != NULL)
|
|
||||||
- free (ret[i]);
|
|
||||||
+ for (i = 0; ret[i] != NULL; i++)
|
|
||||||
+ free (ret[i]);
|
|
||||||
free (ret);
|
|
||||||
ret = NULL;
|
|
||||||
}
|
|
||||||
@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
|
|
||||||
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
|
|
||||||
entry->n_key_data, mkvno);
|
|
||||||
|
|
||||||
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
|
|
||||||
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
|
|
||||||
+ if (bersecretkey == NULL) {
|
|
||||||
+ st = ENOMEM;
|
|
||||||
goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ /* An empty list of bervals is only accepted for modify operations,
|
|
||||||
+ * not add operations. */
|
|
||||||
+ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
|
|
||||||
+ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
|
|
||||||
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
|
|
||||||
+ bersecretkey);
|
|
||||||
+ if (st != 0)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!(entry->mask & KADM5_PRINCIPAL)) {
|
|
||||||
memset(strval, 0, sizeof(strval));
|
|
@ -1,324 +0,0 @@
|
|||||||
diff -r -u krb5-1.13/src/kadmin/server/kadm_rpc_svc.c krb5-1.13/src/kadmin/server/kadm_rpc_svc.c
|
|
||||||
--- krb5-1.13/src/kadmin/server/kadm_rpc_svc.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/kadmin/server/kadm_rpc_svc.c 2015-02-04 11:29:00.891062971 +0100
|
|
||||||
@@ -4,7 +4,7 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
-#include <k5-platform.h>
|
|
||||||
+#include <k5-int.h>
|
|
||||||
#include <gssrpc/rpc.h>
|
|
||||||
#include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
|
|
||||||
#include <syslog.h>
|
|
||||||
@@ -296,14 +296,8 @@
|
|
||||||
c1 = krb5_princ_component(kctx, princ, 0);
|
|
||||||
c2 = krb5_princ_component(kctx, princ, 1);
|
|
||||||
realm = krb5_princ_realm(kctx, princ);
|
|
||||||
- if (strncmp(handle->params.realm, realm->data, realm->length) == 0
|
|
||||||
- && strncmp("kadmin", c1->data, c1->length) == 0) {
|
|
||||||
-
|
|
||||||
- if (strncmp("history", c2->data, c2->length) == 0)
|
|
||||||
- goto fail_princ;
|
|
||||||
- else
|
|
||||||
- success = 1;
|
|
||||||
- }
|
|
||||||
+ success = data_eq_string(*realm, handle->params.realm) &&
|
|
||||||
+ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
|
|
||||||
|
|
||||||
fail_princ:
|
|
||||||
if (!success) {
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/context_time.c krb5-1.13/src/lib/gssapi/krb5/context_time.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/context_time.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/context_time.c 2015-02-04 11:29:00.891062971 +0100
|
|
||||||
@@ -40,7 +40,7 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c 2015-02-04 11:29:00.892063013 +0100
|
|
||||||
@@ -45,6 +45,11 @@
|
|
||||||
*minor_status = 0;
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_t) *context_handle;
|
|
||||||
+ if (ctx->terminated) {
|
|
||||||
+ *minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
+ return (GSS_S_NO_CONTEXT);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
context = ctx->k5_context;
|
|
||||||
kret = krb5_gss_ser_init(context);
|
|
||||||
if (kret)
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c 2015-02-04 11:29:00.893063056 +0100
|
|
||||||
@@ -369,7 +369,7 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
|
|
||||||
- if (!ctx->established)
|
|
||||||
+ if (ctx->terminated || !ctx->established)
|
|
||||||
return GSS_S_NO_CONTEXT;
|
|
||||||
|
|
||||||
for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-02-04 11:29:00.893063056 +0100
|
|
||||||
@@ -206,6 +206,7 @@
|
|
||||||
unsigned int established : 1;
|
|
||||||
unsigned int have_acceptor_subkey : 1;
|
|
||||||
unsigned int seed_init : 1; /* XXX tested but never actually set */
|
|
||||||
+ unsigned int terminated : 1;
|
|
||||||
OM_uint32 gss_flags;
|
|
||||||
unsigned char seed[16];
|
|
||||||
krb5_gss_name_t here;
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/inq_context.c krb5-1.13/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/inq_context.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/inq_context.c 2015-02-04 11:29:00.895063144 +0100
|
|
||||||
@@ -105,7 +105,7 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5seal.c krb5-1.13/src/lib/gssapi/krb5/k5seal.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/k5seal.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/k5seal.c 2015-02-04 11:29:00.896063191 +0100
|
|
||||||
@@ -342,7 +342,7 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c 2015-02-04 11:29:00.896063191 +0100
|
|
||||||
@@ -281,7 +281,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *)context_handle;
|
|
||||||
- if (!ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return GSS_S_NO_CONTEXT;
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5unseal.c krb5-1.13/src/lib/gssapi/krb5/k5unseal.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/k5unseal.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/k5unseal.c 2015-02-04 11:29:00.897063240 +0100
|
|
||||||
@@ -492,7 +492,7 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c 2015-02-04 11:29:00.897063240 +0100
|
|
||||||
@@ -625,7 +625,7 @@
|
|
||||||
OM_uint32 code;
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *)context_handle;
|
|
||||||
- if (!ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return GSS_S_NO_CONTEXT;
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/lucid_context.c krb5-1.13/src/lib/gssapi/krb5/lucid_context.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/lucid_context.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/lucid_context.c 2015-02-04 11:29:00.897063240 +0100
|
|
||||||
@@ -75,6 +75,11 @@
|
|
||||||
*minor_status = 0;
|
|
||||||
*data_set = GSS_C_NO_BUFFER_SET;
|
|
||||||
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
+ *minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
+ return GSS_S_NO_CONTEXT;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
retval = generic_gss_oid_decompose(minor_status,
|
|
||||||
GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
|
|
||||||
GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/prf.c krb5-1.13/src/lib/gssapi/krb5/prf.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/prf.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/prf.c 2015-02-04 11:29:00.899063344 +0100
|
|
||||||
@@ -58,6 +58,10 @@
|
|
||||||
ns.data = NULL;
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_t)context;
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
+ *minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
+ return GSS_S_NO_CONTEXT;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
switch (prf_key) {
|
|
||||||
case GSS_C_PRF_KEY_FULL:
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/process_context_token.c krb5-1.13/src/lib/gssapi/krb5/process_context_token.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/process_context_token.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/process_context_token.c 2015-02-04 11:29:00.899063344 +0100
|
|
||||||
@@ -39,11 +39,18 @@
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_t) context_handle;
|
|
||||||
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* We only support context deletion tokens for now, and RFC 4121 does not
|
|
||||||
+ * define a context deletion token. */
|
|
||||||
+ if (ctx->proto) {
|
|
||||||
+ *minor_status = 0;
|
|
||||||
+ return(GSS_S_DEFECTIVE_TOKEN);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* "unseal" the token */
|
|
||||||
|
|
||||||
if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
|
|
||||||
@@ -52,8 +59,8 @@
|
|
||||||
KG_TOK_DEL_CTX)))
|
|
||||||
return(majerr);
|
|
||||||
|
|
||||||
- /* that's it. delete the context */
|
|
||||||
-
|
|
||||||
- return(krb5_gss_delete_sec_context(minor_status, &context_handle,
|
|
||||||
- GSS_C_NO_BUFFER));
|
|
||||||
+ /* Mark the context as terminated, but do not delete it (as that would
|
|
||||||
+ * leave the caller with a dangling context handle). */
|
|
||||||
+ ctx->terminated = 1;
|
|
||||||
+ return(GSS_S_COMPLETE);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c
|
|
||||||
--- krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c 2015-02-04 11:29:00.899063344 +0100
|
|
||||||
@@ -95,7 +95,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx = (krb5_gss_ctx_id_rec *) context_handle;
|
|
||||||
- if (! ctx->established) {
|
|
||||||
+ if (ctx->terminated || !ctx->established) {
|
|
||||||
*minor_status = KG_CTX_INCOMPLETE;
|
|
||||||
return(GSS_S_NO_CONTEXT);
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/gssapi/mechglue/mglueP.h krb5-1.13/src/lib/gssapi/mechglue/mglueP.h
|
|
||||||
--- krb5-1.13/src/lib/gssapi/mechglue/mglueP.h 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/gssapi/mechglue/mglueP.h 2015-02-04 11:29:00.901063453 +0100
|
|
||||||
@@ -25,7 +25,6 @@
|
|
||||||
*/
|
|
||||||
typedef struct gss_union_ctx_id_struct {
|
|
||||||
struct gss_union_ctx_id_struct *loopback;
|
|
||||||
- struct gss_union_ctx_id_struct *interposer;
|
|
||||||
gss_OID mech_type;
|
|
||||||
gss_ctx_id_t internal_ctx_id;
|
|
||||||
} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
|
|
||||||
diff -r -u krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c
|
|
||||||
--- krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c 2015-02-04 11:29:00.901063453 +0100
|
|
||||||
@@ -320,6 +320,7 @@
|
|
||||||
free(tl);
|
|
||||||
tl = tl2;
|
|
||||||
}
|
|
||||||
+ *tl_data_head = NULL;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case XDR_ENCODE:
|
|
||||||
@@ -1096,6 +1097,7 @@
|
|
||||||
case XDR_FREE:
|
|
||||||
if(*objp != NULL)
|
|
||||||
krb5_free_principal(context, *objp);
|
|
||||||
+ *objp = NULL;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
return TRUE;
|
|
||||||
diff -r -u krb5-1.13/src/lib/rpc/auth_gssapi_misc.c krb5-1.13/src/lib/rpc/auth_gssapi_misc.c
|
|
||||||
--- krb5-1.13/src/lib/rpc/auth_gssapi_misc.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/rpc/auth_gssapi_misc.c 2015-02-04 11:29:00.901063453 +0100
|
|
||||||
@@ -322,7 +322,6 @@
|
|
||||||
if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
|
|
||||||
PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
|
|
||||||
gss_release_buffer(minor, &out_buf);
|
|
||||||
- xdr_free(xdr_func, xdr_ptr);
|
|
||||||
XDR_DESTROY(&temp_xdrs);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
diff -r -u krb5-1.13/src/lib/rpc/svc_auth_gss.c krb5-1.13/src/lib/rpc/svc_auth_gss.c
|
|
||||||
--- krb5-1.13/src/lib/rpc/svc_auth_gss.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/lib/rpc/svc_auth_gss.c 2015-02-04 11:29:00.903063567 +0100
|
|
||||||
@@ -65,16 +65,6 @@
|
|
||||||
|
|
||||||
extern SVCAUTH svc_auth_none;
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * from mit-krb5-1.2.1 mechglue/mglueP.h:
|
|
||||||
- * Array of context IDs typed by mechanism OID
|
|
||||||
- */
|
|
||||||
-typedef struct gss_union_ctx_id_t {
|
|
||||||
- gss_OID mech_type;
|
|
||||||
- gss_ctx_id_t internal_ctx_id;
|
|
||||||
-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
|
|
||||||
-
|
|
||||||
-
|
|
||||||
static auth_gssapi_log_badauth_func log_badauth = NULL;
|
|
||||||
static caddr_t log_badauth_data = NULL;
|
|
||||||
static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
|
|
||||||
@@ -239,16 +229,8 @@
|
|
||||||
gd->ctx = GSS_C_NO_CONTEXT;
|
|
||||||
goto errout;
|
|
||||||
}
|
|
||||||
- /*
|
|
||||||
- * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
|
|
||||||
- * one to the mechanism oid, one to the internal_ctx_id
|
|
||||||
- */
|
|
||||||
- if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
|
|
||||||
- fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
|
|
||||||
- goto errout;
|
|
||||||
- }
|
|
||||||
- memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
|
|
||||||
- gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
|
|
||||||
+ gr->gr_ctx.value = "xxxx";
|
|
||||||
+ gr->gr_ctx.length = 4;
|
|
||||||
|
|
||||||
/* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */
|
|
||||||
gr->gr_win = sizeof(gd->seqmask) * 8;
|
|
||||||
@@ -520,8 +502,6 @@
|
|
||||||
|
|
||||||
if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
|
|
||||||
gss_release_buffer(&min_stat, &gr.gr_token);
|
|
||||||
- mem_free(gr.gr_ctx.value,
|
|
||||||
- sizeof(gss_union_ctx_id_desc));
|
|
||||||
ret_freegc (AUTH_FAILED);
|
|
||||||
}
|
|
||||||
*no_dispatch = TRUE;
|
|
||||||
@@ -531,7 +511,6 @@
|
|
||||||
|
|
||||||
gss_release_buffer(&min_stat, &gr.gr_token);
|
|
||||||
gss_release_buffer(&min_stat, &gd->checksum);
|
|
||||||
- mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
|
|
||||||
if (!call_stat)
|
|
||||||
ret_freegc (AUTH_FAILED);
|
|
||||||
|
|
||||||
diff -r -u krb5-1.13/src/tests/gssapi/t_prf.c krb5-1.13/src/tests/gssapi/t_prf.c
|
|
||||||
--- krb5-1.13/src/tests/gssapi/t_prf.c 2014-10-16 01:55:10.000000000 +0200
|
|
||||||
+++ krb5-1.13/src/tests/gssapi/t_prf.c 2015-02-04 11:29:00.903063567 +0100
|
|
||||||
@@ -127,6 +127,7 @@
|
|
||||||
uctx.mech_type = &mech_krb5;
|
|
||||||
uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;
|
|
||||||
kgctx.k5_context = NULL;
|
|
||||||
+ kgctx.established = 1;
|
|
||||||
kgctx.have_acceptor_subkey = 1;
|
|
||||||
kb1.contents = k1buf;
|
|
||||||
kb2.contents = k2buf;
|
|
Loading…
Reference in New Issue
Block a user