* Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1

- Update to krb5-1.13.1
  - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
  - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
  - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
- Minor spec cleanup
Roland Mainz 2015-02-13 17:40:35 +01:00
parent 03981c354e
commit 570cb5eeb3
4 changed files with 0 additions and 618 deletions


@ -1,118 +0,0 @@
From d5755694b620570defeecee772def90a2733c6cc Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 20 Jan 2015 13:48:34 -0500
Subject: [PATCH 1/2] Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
ticket: 8060
target_version: 1.13.1
tags: pullup
---
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 file changed, 13 insertions(+), 27 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2c2b654..f9bc027 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1379,33 +1379,23 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
AUTH_OFFSET : UNAUTH_OFFSET;
}
-/* Determine whether the client realm in a KRB-ERROR is empty. */
-static krb5_boolean
-is_empty_crealm(krb5_error *err)
-{
-
- return (err->client == NULL || err->client->realm.length == 0);
-}
-
/*
- * Determine whether a KRB-ERROR is a referral to another realm.
+ * Determine whether err is a client referral to another realm, given the
+ * previously requested client principal name.
*
- * RFC 6806 Section 7 requires that KDCs return the referral realm in
- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
- * Detect this case by looking for a non-empty client.realm field in
- * such responses.
+ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
+ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
+ * return the realm in a PRINCIPAL_UNKNOWN message.
*/
static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_error *err, krb5_principal client)
{
- krb5_error *err = ctx->err_reply;
-
- if (err->error == KDC_ERR_WRONG_REALM)
- return TRUE;
- if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ if (err->error != KDC_ERR_WRONG_REALM &&
+ err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ return FALSE;
+ if (err->client == NULL)
return FALSE;
- return !is_empty_crealm(err);
+ return !krb5_realm_compare(context, err->client, client);
}
static krb5_error_code
@@ -1467,12 +1457,8 @@ init_creds_step_reply(krb5_context context,
ctx->preauth_to_use);
ctx->preauth_required = TRUE;
- } else if (canon_flag && is_referral(ctx)) {
- if (is_empty_crealm(ctx->err_reply)) {
- /* Only WRONG_REALM referral types can reach this. */
- code = KRB5KDC_ERR_WRONG_REALM;
- goto cleanup;
- }
+ } else if (canon_flag && is_referral(context, ctx->err_reply,
+ ctx->request->client)) {
TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
/* Rewrite request.client with realm from error reply */
krb5_free_data_contents(context, &ctx->request->client->realm);
From c0778ab2252ece4c3510788d9b72f7f5e3bb05dd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 23 Jan 2015 12:52:31 -0500
Subject: [PATCH 2/2] Add test for kinit -C WRONG_REALM response
ticket: 8060
---
src/tests/t_general.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 98e77a2..5349b05 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -33,6 +33,13 @@
realm = K5Realm(create_host=False)
+# Test that WRONG_REALM responses aren't treated as referrals unless
+# they contain a crealm field pointing to a different realm.
+# (Regression test for #8060.)
+out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
+if 'not found in Kerberos database' not in out:
+ fail('Expected error message not seen in kinit -C output')
+
# Spot-check KRB5_TRACE output
tracefile = os.path.join(realm.testdir, 'trace')
realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],


@ -1,63 +0,0 @@
From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 5 Dec 2014 14:01:39 -0500
Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.
CVE-2014-5353:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.
Thanks to Patrik Kis for reporting this problem.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
[kaduk@mit.edu: CVE description and CVSS score]
ticket: 8051 (new)
target_version: 1.13.1
tags: pullup
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index 522773e..6779f51 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
ent=ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
- goto cleanup;
+ if (ent == NULL) {
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
}
+ st = populate_policy(context, ld, ent, pol_name, *policy);
cleanup:
ldap_msgfree(result);


@ -1,113 +0,0 @@
From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001
From: Ben Kaduk <kaduk@mit.edu>
Date: Wed, 19 Nov 2014 12:04:46 -0500
Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().
Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage. Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.
However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field). Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.
CVE-2014-5354:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.
In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database. However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.
Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
ticket: 8041 (new)
tags: pullup
target_version: 1.13.1
subject: kadmind with ldap backend crashes when putting keyless entries
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 3e560d9..10b5982 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
int num_versions = 1;
int i, j, last;
krb5_error_code err = 0;
- krb5_key_data *key_data;
+ krb5_key_data *key_data = NULL;
- if (n_key_data <= 0)
+ if (n_key_data < 0)
return NULL;
/* Make a shallow copy of the key data so we can alter it. */
key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
- if (key_data_in == NULL)
+ if (key_data == NULL)
goto cleanup;
memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
free(key_data);
if (err != 0) {
if (ret != NULL) {
- for (i = 0; i <= num_versions; i++)
- if (ret[i] != NULL)
- free (ret[i]);
+ for (i = 0; ret[i] != NULL; i++)
+ free (ret[i]);
free (ret);
ret = NULL;
}
@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
entry->n_key_data, mkvno);
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
+ if (bersecretkey == NULL) {
+ st = ENOMEM;
goto cleanup;
+ }
+ /* An empty list of bervals is only accepted for modify operations,
+ * not add operations. */
+ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
+ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
+ bersecretkey);
+ if (st != 0)
+ goto cleanup;
+ }
if (!(entry->mask & KADM5_PRINCIPAL)) {
memset(strval, 0, sizeof(strval));


@ -1,324 +0,0 @@
diff -r -u krb5-1.13/src/kadmin/server/kadm_rpc_svc.c krb5-1.13/src/kadmin/server/kadm_rpc_svc.c
--- krb5-1.13/src/kadmin/server/kadm_rpc_svc.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/kadmin/server/kadm_rpc_svc.c 2015-02-04 11:29:00.891062971 +0100
@@ -4,7 +4,7 @@
*
*/
-#include <k5-platform.h>
+#include <k5-int.h>
#include <gssrpc/rpc.h>
#include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
#include <syslog.h>
@@ -296,14 +296,8 @@
c1 = krb5_princ_component(kctx, princ, 0);
c2 = krb5_princ_component(kctx, princ, 1);
realm = krb5_princ_realm(kctx, princ);
- if (strncmp(handle->params.realm, realm->data, realm->length) == 0
- && strncmp("kadmin", c1->data, c1->length) == 0) {
-
- if (strncmp("history", c2->data, c2->length) == 0)
- goto fail_princ;
- else
- success = 1;
- }
+ success = data_eq_string(*realm, handle->params.realm) &&
+ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
fail_princ:
if (!success) {
diff -r -u krb5-1.13/src/lib/gssapi/krb5/context_time.c krb5-1.13/src/lib/gssapi/krb5/context_time.c
--- krb5-1.13/src/lib/gssapi/krb5/context_time.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/context_time.c 2015-02-04 11:29:00.891062971 +0100
@@ -40,7 +40,7 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c
--- krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/export_sec_context.c 2015-02-04 11:29:00.892063013 +0100
@@ -45,6 +45,11 @@
*minor_status = 0;
ctx = (krb5_gss_ctx_id_t) *context_handle;
+ if (ctx->terminated) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return (GSS_S_NO_CONTEXT);
+ }
+
context = ctx->k5_context;
kret = krb5_gss_ser_init(context);
if (kret)
diff -r -u krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c
--- krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/gssapi_krb5.c 2015-02-04 11:29:00.893063056 +0100
@@ -369,7 +369,7 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (!ctx->established)
+ if (ctx->terminated || !ctx->established)
return GSS_S_NO_CONTEXT;
for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/
diff -r -u krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h
--- krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-02-04 11:29:00.893063056 +0100
@@ -206,6 +206,7 @@
unsigned int established : 1;
unsigned int have_acceptor_subkey : 1;
unsigned int seed_init : 1; /* XXX tested but never actually set */
+ unsigned int terminated : 1;
OM_uint32 gss_flags;
unsigned char seed[16];
krb5_gss_name_t here;
diff -r -u krb5-1.13/src/lib/gssapi/krb5/inq_context.c krb5-1.13/src/lib/gssapi/krb5/inq_context.c
--- krb5-1.13/src/lib/gssapi/krb5/inq_context.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/inq_context.c 2015-02-04 11:29:00.895063144 +0100
@@ -105,7 +105,7 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5seal.c krb5-1.13/src/lib/gssapi/krb5/k5seal.c
--- krb5-1.13/src/lib/gssapi/krb5/k5seal.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/k5seal.c 2015-02-04 11:29:00.896063191 +0100
@@ -342,7 +342,7 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c
--- krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/k5sealiov.c 2015-02-04 11:29:00.896063191 +0100
@@ -281,7 +281,7 @@
}
ctx = (krb5_gss_ctx_id_rec *)context_handle;
- if (!ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return GSS_S_NO_CONTEXT;
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5unseal.c krb5-1.13/src/lib/gssapi/krb5/k5unseal.c
--- krb5-1.13/src/lib/gssapi/krb5/k5unseal.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/k5unseal.c 2015-02-04 11:29:00.897063240 +0100
@@ -492,7 +492,7 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c
--- krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/k5unsealiov.c 2015-02-04 11:29:00.897063240 +0100
@@ -625,7 +625,7 @@
OM_uint32 code;
ctx = (krb5_gss_ctx_id_rec *)context_handle;
- if (!ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return GSS_S_NO_CONTEXT;
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/lucid_context.c krb5-1.13/src/lib/gssapi/krb5/lucid_context.c
--- krb5-1.13/src/lib/gssapi/krb5/lucid_context.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/lucid_context.c 2015-02-04 11:29:00.897063240 +0100
@@ -75,6 +75,11 @@
*minor_status = 0;
*data_set = GSS_C_NO_BUFFER_SET;
+ if (ctx->terminated || !ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
retval = generic_gss_oid_decompose(minor_status,
GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
diff -r -u krb5-1.13/src/lib/gssapi/krb5/prf.c krb5-1.13/src/lib/gssapi/krb5/prf.c
--- krb5-1.13/src/lib/gssapi/krb5/prf.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/prf.c 2015-02-04 11:29:00.899063344 +0100
@@ -58,6 +58,10 @@
ns.data = NULL;
ctx = (krb5_gss_ctx_id_t)context;
+ if (ctx->terminated || !ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
switch (prf_key) {
case GSS_C_PRF_KEY_FULL:
diff -r -u krb5-1.13/src/lib/gssapi/krb5/process_context_token.c krb5-1.13/src/lib/gssapi/krb5/process_context_token.c
--- krb5-1.13/src/lib/gssapi/krb5/process_context_token.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/process_context_token.c 2015-02-04 11:29:00.899063344 +0100
@@ -39,11 +39,18 @@
ctx = (krb5_gss_ctx_id_t) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
+ /* We only support context deletion tokens for now, and RFC 4121 does not
+ * define a context deletion token. */
+ if (ctx->proto) {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+
/* "unseal" the token */
if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
@@ -52,8 +59,8 @@
KG_TOK_DEL_CTX)))
return(majerr);
- /* that's it. delete the context */
-
- return(krb5_gss_delete_sec_context(minor_status, &context_handle,
- GSS_C_NO_BUFFER));
+ /* Mark the context as terminated, but do not delete it (as that would
+ * leave the caller with a dangling context handle). */
+ ctx->terminated = 1;
+ return(GSS_S_COMPLETE);
}
diff -r -u krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c
--- krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/krb5/wrap_size_limit.c 2015-02-04 11:29:00.899063344 +0100
@@ -95,7 +95,7 @@
}
ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
+ if (ctx->terminated || !ctx->established) {
*minor_status = KG_CTX_INCOMPLETE;
return(GSS_S_NO_CONTEXT);
}
diff -r -u krb5-1.13/src/lib/gssapi/mechglue/mglueP.h krb5-1.13/src/lib/gssapi/mechglue/mglueP.h
--- krb5-1.13/src/lib/gssapi/mechglue/mglueP.h 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/gssapi/mechglue/mglueP.h 2015-02-04 11:29:00.901063453 +0100
@@ -25,7 +25,6 @@
*/
typedef struct gss_union_ctx_id_struct {
struct gss_union_ctx_id_struct *loopback;
- struct gss_union_ctx_id_struct *interposer;
gss_OID mech_type;
gss_ctx_id_t internal_ctx_id;
} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
diff -r -u krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c
--- krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/kadm5/kadm_rpc_xdr.c 2015-02-04 11:29:00.901063453 +0100
@@ -320,6 +320,7 @@
free(tl);
tl = tl2;
}
+ *tl_data_head = NULL;
break;
case XDR_ENCODE:
@@ -1096,6 +1097,7 @@
case XDR_FREE:
if(*objp != NULL)
krb5_free_principal(context, *objp);
+ *objp = NULL;
break;
}
return TRUE;
diff -r -u krb5-1.13/src/lib/rpc/auth_gssapi_misc.c krb5-1.13/src/lib/rpc/auth_gssapi_misc.c
--- krb5-1.13/src/lib/rpc/auth_gssapi_misc.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/rpc/auth_gssapi_misc.c 2015-02-04 11:29:00.901063453 +0100
@@ -322,7 +322,6 @@
if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
gss_release_buffer(minor, &out_buf);
- xdr_free(xdr_func, xdr_ptr);
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
diff -r -u krb5-1.13/src/lib/rpc/svc_auth_gss.c krb5-1.13/src/lib/rpc/svc_auth_gss.c
--- krb5-1.13/src/lib/rpc/svc_auth_gss.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/lib/rpc/svc_auth_gss.c 2015-02-04 11:29:00.903063567 +0100
@@ -65,16 +65,6 @@
extern SVCAUTH svc_auth_none;
-/*
- * from mit-krb5-1.2.1 mechglue/mglueP.h:
- * Array of context IDs typed by mechanism OID
- */
-typedef struct gss_union_ctx_id_t {
- gss_OID mech_type;
- gss_ctx_id_t internal_ctx_id;
-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
-
-
static auth_gssapi_log_badauth_func log_badauth = NULL;
static caddr_t log_badauth_data = NULL;
static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
@@ -239,16 +229,8 @@
gd->ctx = GSS_C_NO_CONTEXT;
goto errout;
}
- /*
- * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
- * one to the mechanism oid, one to the internal_ctx_id
- */
- if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
- fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
- goto errout;
- }
- memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
- gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
+ gr->gr_ctx.value = "xxxx";
+ gr->gr_ctx.length = 4;
/* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */
gr->gr_win = sizeof(gd->seqmask) * 8;
@@ -520,8 +502,6 @@
if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
gss_release_buffer(&min_stat, &gr.gr_token);
- mem_free(gr.gr_ctx.value,
- sizeof(gss_union_ctx_id_desc));
ret_freegc (AUTH_FAILED);
}
*no_dispatch = TRUE;
@@ -531,7 +511,6 @@
gss_release_buffer(&min_stat, &gr.gr_token);
gss_release_buffer(&min_stat, &gd->checksum);
- mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
if (!call_stat)
ret_freegc (AUTH_FAILED);
diff -r -u krb5-1.13/src/tests/gssapi/t_prf.c krb5-1.13/src/tests/gssapi/t_prf.c
--- krb5-1.13/src/tests/gssapi/t_prf.c 2014-10-16 01:55:10.000000000 +0200
+++ krb5-1.13/src/tests/gssapi/t_prf.c 2015-02-04 11:29:00.903063567 +0100
@@ -127,6 +127,7 @@
uctx.mech_type = &mech_krb5;
uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;
kgctx.k5_context = NULL;
+ kgctx.established = 1;
kgctx.have_acceptor_subkey = 1;
kb1.contents = k1buf;
kb2.contents = k2buf;