From 7c5b49f8287af62961670fbef8f394aaa4e9d770 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 18 Jul 2019 12:49:23 -0400 Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes() --- ...ctypes-in-gss_set_allowable_enctypes.patch | 70 +++++++++++++++++++ krb5.spec | 6 +- 2 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 Filter-enctypes-in-gss_set_allowable_enctypes.patch diff --git a/Filter-enctypes-in-gss_set_allowable_enctypes.patch b/Filter-enctypes-in-gss_set_allowable_enctypes.patch new file mode 100644 index 0000000..2c7b0d6 --- /dev/null +++ b/Filter-enctypes-in-gss_set_allowable_enctypes.patch @@ -0,0 +1,70 @@ +From 6aeef2d2e19109cc97f6b1f4621fb97247edfa73 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 16 Jul 2019 00:15:42 -0400 +Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes() + +Instead of erroring out when any invalid enctypes are present in the +caller's list, filter out the invalid ones and only error if no +enctypes remain. + +ticket: 8819 +(cherry picked from commit 37ab7ea128a4c2aa2dad65ab9006baded5335bc7) +--- + src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++---------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c +index d9fd279ed..a74b161cb 100644 +--- a/src/lib/gssapi/krb5/set_allowable_enctypes.c ++++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c +@@ -66,7 +66,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + const gss_OID desired_oid, + const gss_buffer_t value) + { +- unsigned int i; ++ unsigned int i, j; + krb5_enctype * new_ktypes; + OM_uint32 major_status; + krb5_gss_cred_id_t cred; +@@ -83,14 +83,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + /* verify and valildate cred handle */ + cred = (krb5_gss_cred_id_t) *cred_handle; + +- if (req->ktypes) { +- for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) { +- if (!krb5_c_valid_enctype(req->ktypes[i])) { +- kerr = KRB5_PROG_ETYPE_NOSUPP; +- goto error_out; +- } +- } +- } else { ++ if (req->ktypes == NULL) { + k5_mutex_lock(&cred->lock); + if (cred->req_enctypes) + free(cred->req_enctypes); +@@ -99,13 +92,19 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + return GSS_S_COMPLETE; + } + +- /* Copy the requested ktypes into the cred structure */ +- if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) { +- memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i); +- new_ktypes[i] = 0; /* "null-terminate" the list */ ++ /* Copy the requested enctypes into the cred structure. Filter out the ++ * ones we don't consider valid. Error out if no enctypes are valid. */ ++ new_ktypes = k5calloc(req->num_ktypes + 1, sizeof(*new_ktypes), &kerr); ++ if (new_ktypes == NULL) ++ goto error_out; ++ for (i = 0, j = 0; i < req->num_ktypes && req->ktypes[i]; i++) { ++ if (krb5_c_valid_enctype(req->ktypes[i])) ++ new_ktypes[j++] = req->ktypes[i]; + } +- else { +- kerr = ENOMEM; ++ new_ktypes[j] = 0; ++ if (j == 0) { ++ free(new_ktypes); ++ kerr = KRB5_PROG_ETYPE_NOSUPP; + goto error_out; + } + k5_mutex_lock(&cred->lock); diff --git a/krb5.spec b/krb5.spec index 373bf85..82ac301 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 35%{?dist} +Release: 36%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -112,6 +112,7 @@ Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch Patch150: Remove-3des-support.patch Patch151: Remove-now-unused-checksum-functions.patch Patch152: Don-t-error-on-invalid-enctypes-in-keytab.patch +Patch153: Filter-enctypes-in-gss_set_allowable_enctypes.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -721,6 +722,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Jul 18 2019 Robbie Harwood - 1.17-36 +- Filter enctypes in gss_set_allowable_enctypes() + * Mon Jul 15 2019 Robbie Harwood - 1.17-35 - Don't error on invalid enctypes in keytab - Resolves: #1724380