rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Filter enctypes in gss_set_allowable_enctypes()

Browse Source
This commit is contained in:
Robbie Harwood 2019-07-18 12:49:23 -04:00
parent 4c8ed38666
commit 7c5b49f828
2 changed files with 75 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
Filter-enctypes-in-gss_set_allowable_enctypes.patch Normal file
View File

@ -0,0 +1,70 @@
From 6aeef2d2e19109cc97f6b1f4621fb97247edfa73 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Jul 2019 00:15:42 -0400
Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes()
Instead of erroring out when any invalid enctypes are present in the
caller's list, filter out the invalid ones and only error if no
enctypes remain.
ticket: 8819
(cherry picked from commit 37ab7ea128a4c2aa2dad65ab9006baded5335bc7)
---
src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++----------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c
index d9fd279ed..a74b161cb 100644
--- a/src/lib/gssapi/krb5/set_allowable_enctypes.c
+++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c
@@ -66,7 +66,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
const gss_OID desired_oid,
const gss_buffer_t value)
{
- unsigned int i;
+ unsigned int i, j;
krb5_enctype * new_ktypes;
OM_uint32 major_status;
krb5_gss_cred_id_t cred;
@@ -83,14 +83,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
/* verify and valildate cred handle */
cred = (krb5_gss_cred_id_t) *cred_handle;
- if (req->ktypes) {
- for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
- if (!krb5_c_valid_enctype(req->ktypes[i])) {
- kerr = KRB5_PROG_ETYPE_NOSUPP;
- goto error_out;
- }
- }
- } else {
+ if (req->ktypes == NULL) {
k5_mutex_lock(&cred->lock);
if (cred->req_enctypes)
free(cred->req_enctypes);
@@ -99,13 +92,19 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
- /* Copy the requested ktypes into the cred structure */
- if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) {
- memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i);
- new_ktypes[i] = 0; /* "null-terminate" the list */
+ /* Copy the requested enctypes into the cred structure. Filter out the
+ * ones we don't consider valid. Error out if no enctypes are valid. */
+ new_ktypes = k5calloc(req->num_ktypes + 1, sizeof(*new_ktypes), &kerr);
+ if (new_ktypes == NULL)
+ goto error_out;
+ for (i = 0, j = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
+ if (krb5_c_valid_enctype(req->ktypes[i]))
+ new_ktypes[j++] = req->ktypes[i];
}
- else {
- kerr = ENOMEM;
+ new_ktypes[j] = 0;
+ if (j == 0) {
+ free(new_ktypes);
+ kerr = KRB5_PROG_ETYPE_NOSUPP;
goto error_out;
}
k5_mutex_lock(&cred->lock);

6
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 35%{?dist}
Release: 36%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -112,6 +112,7 @@ Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
Patch150: Remove-3des-support.patch
Patch151: Remove-now-unused-checksum-functions.patch
Patch152: Don-t-error-on-invalid-enctypes-in-keytab.patch
Patch153: Filter-enctypes-in-gss_set_allowable_enctypes.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -721,6 +722,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu Jul 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-36
- Filter enctypes in gss_set_allowable_enctypes()
* Mon Jul 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-35
- Don't error on invalid enctypes in keytab
- Resolves: #1724380