diff --git a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
new file mode 100644
index 0000000..4698963
--- /dev/null
+++ b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
@@ -0,0 +1,49 @@
+From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sat, 11 Jul 2020 21:57:30 -0400
+Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens
+
+Windows Remote Management, when used with an RC4 session key, appears
+to generate GSS wrap tokens with no padding instead of the expected
+one byte (RFC 4757 section 7.3). These tokens cannot be decoded with
+gss_unwrap() or a STREAM buffer (even with Microsoft SSPI), but SSPI
+allows them to be decoded using explicit IOVs with either a
+zero-length padding buffer or no padding buffer. Allow these cases to
+work in kg_fixup_padding_iov(). (It is already possible to make this
+work with HEADER | DATA | DATA, but only by
+accident--kg_fixup_padding_iov() doesn't find a data buffer because
+kg_locate_iov() only looks for singleton buffers, so it exits early.)
+
+ticket: 8926 (new)
+tags: pullup
+target_version: 1.18-next
+
+(cherry picked from commit 3f204ddd567715ef360b4bb0b32961b6a9877f9d)
+---
+ src/lib/gssapi/krb5/util_crypt.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
+index f7d3e92c4..d6c71aeb8 100644
+--- a/src/lib/gssapi/krb5/util_crypt.c
++++ b/src/lib/gssapi/krb5/util_crypt.c
+@@ -638,16 +638,13 @@ kg_fixup_padding_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *iov,
+ data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA);
+ padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
+
+- if (data == NULL) {
++ /* Do nothing if padding is absent or empty, to allow unwrapping of WinRM
++ * unpadded RC4 tokens using an explicit IOV array. 
*/ ++ if (data == NULL || padding == NULL || padding->buffer.length == 0) { + *minor_status = 0; + return GSS_S_COMPLETE; + } + +- if (padding == NULL || padding->buffer.length == 0) { +- *minor_status = EINVAL; +- return GSS_S_FAILURE; +- } +- + p = (unsigned char *)padding->buffer.value; + padlength = p[padding->buffer.length - 1]; + diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch index 9b80631..2bdd0a3 100644 --- a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch +++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch @@ -1,4 +1,4 @@ -From f9c314847c999727679a9e8ad4fb565001e47fd2 Mon Sep 17 00:00:00 2001 +From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 15 Jul 2020 15:42:20 -0400 Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts() @@ -6,13 +6,19 @@ Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts() Fixes a problem where the presence of legacy/unrecognized keysalts in supported_enctypes would prevent the kadmin programs from starting. -(cherry picked from commit 860b411d441e4a486f6714762605c42997b8946a) +[ghudson@mit.edu: ideally we would put a warning in the kadmind log, +but that is difficult to do when the parsing is done inside a library. +Even adding a trace log is difficult because the kadm5 str_conv +functions do not accept contexts.] + +ticket: 8929 (new) +(cherry picked from commit be5396ada0e8dabd68bd0aceb733cfca39a609bc) --- src/lib/kadm5/str_conv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c -index 7cf51d316..0abfa845c 100644 +index 7cf51d316..798295606 100644 --- a/src/lib/kadm5/str_conv.c +++ b/src/lib/kadm5/str_conv.c @@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps, 
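Review bot: The merged early return in kg_fixup_padding_iov() now reports GSS_S_COMPLETE for a missing or zero-length PADDING buffer on every token that reaches this function, while the new comment limits the intent to WinRM RC4 tokens; no enctype or key-type check is visible in the hunk. If the function is also reached for other encryption types (not visible here), a caller that omits the padding buffer previously got EINVAL and now gets success, presumably with any pad bytes left in the data buffer. Either gate the relaxation on the RC4 case or say so in the comment, e.g. `/* Applies to every caller, not only RC4: with no padding buffer the data is returned as decrypted and no pad is stripped. */`. The diffstat lists only util_crypt.c, so a regression test covering the no-padding and empty-padding IOV layouts would be worth adding. The function body continues outside the hunk.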
@@ -24,7 +30,7 @@ index 7cf51d316..0abfa845c 100644 - goto cleanup; + + /* Discard unrecognized keysalts. */ -+ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype)) ++ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype) != 0) + continue; /* Ignore duplicate keysalts if caller asks. */ diff --git a/krb5.spec b/krb5.spec index 013c443..2596330 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 11%{?dist} +Release: 12%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -68,7 +68,8 @@ Patch29: Add-client_aware_channel_bindings-option.patch Patch30: Pass-channel-bindings-through-SPNEGO.patch Patch31: Add-channel-bindings-tests.patch Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch -Patch33: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch +Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch +Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -623,6 +624,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Jul 22 2020 Robbie Harwood - 1.18.2-12 +- Ignore bad enctypes in krb5_string_to_keysalts() +- Allow gss_unwrap_iov() of unpadded RC4 tokens + * Wed Jul 15 2020 Robbie Harwood - 1.18.2-11 - Ignore bad enctypes in krb5_string_to_keysalts()
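Review bot: With `continue` taken on every string_to_keysalt() failure in krb5_string_to_keysalts(), an input whose entries are all unrecognized leaves the loop with nothing accepted, and the hunk does not show what the function returns in that case. If it returns success with an empty list, callers would carry on with no keysalts at all, so the contract should be spelled out where the entries are skipped, for example `/* Discard unrecognized keysalts; the result may be empty if no entry parses. */`. Callers that turn the list into key-generation policy should be checked for the zero-entry case. The loop and the function's return path are outside the hunk.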