diff --git a/krb5-1.14.1-interpose-accept_sec_context.patch b/krb5-1.14.1-interpose-accept_sec_context.patch
new file mode 100644
index 0000000..333d388
--- /dev/null
+++ b/krb5-1.14.1-interpose-accept_sec_context.patch
@@ -0,0 +1,39 @@
+From 0b43d10333f4c4b29896cebc9447d8866b661217 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 16 Dec 2015 19:31:22 -0500
+Subject: [PATCH] Fix interposed gss_accept_sec_context()
+
+If gss_accept_sec_context() is interposed, selected_mech will be an
+interposer OID. In this situation, pass the corresponding public OID
+to gss_inquire_attrs_for_mech() to determine whether the mech is
+allowed by default.
+
+[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
+
+ticket: 8338 (new)
+target_version: 1.14-next
+tags: pullup
+---
+ src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+index 6c72d1f..ddaf874 100644
+--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+@@ -94,6 +94,12 @@ allow_mech_by_default(gss_OID mech)
+ gss_OID_set attrs;
+ int reject = 0, p;
+ 
++ /* Whether we accept an interposer mech depends on whether we accept the
++ * mech it interposes. */
++ mech = gssint_get_public_oid(mech);
++ if (mech == GSS_C_NO_OID)
++ return 0;
++
+ status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
+ if (status)
+ return 0;
+-- 
+2.7.0
+
diff --git a/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch b/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
new file mode 100644
index 0000000..c18765d
--- /dev/null
+++ b/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
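Review bot: The added lines overwrite the `mech` parameter of allow_mech_by_default() with the public OID, so everything after the hunk (the function continues past it) now sees the interposed mech's OID rather than the interposer OID the caller passed in, and nothing says whether that is intended. A separate local keeps the two distinct and makes the intent explicit: `gss_OID public_mech = gssint_get_public_oid(mech);`, then pass `public_mech` to gss_inquire_attrs_for_mech() and test `public_mech == GSS_C_NO_OID` for the early `return 0`. Returning 0 (reject) when no public OID exists is the right fail-closed choice and deserves a comment, e.g. `/* No public OID: fail closed and do not accept this mech by default. */`.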
@@ -0,0 +1,54 @@
+From 3be2b486058758cfcd16c8af0a8f560159e77cda Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 11 Jan 2016 17:50:39 -0500
+Subject: [PATCH] Enable interposing gss_inquire_attrs_for_mech()
+
+Use gssint_select_mech_type() to locate an interposer mechanism, and
+pass the public mech OID to the mech. Also call map_error() on the
+resulting minor code.
+
+ticket: 8330 (new)
+---
+ src/lib/gssapi/mechglue/g_mechattr.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
+index e9299f4..57c0e52 100644
+--- a/src/lib/gssapi/mechglue/g_mechattr.c
++++ b/src/lib/gssapi/mechglue/g_mechattr.c
+@@ -160,6 +160,7 @@ gss_inquire_attrs_for_mech(
+ gss_OID_set *known_mech_attrs)
+ {
+ OM_uint32 status, tmpMinor;
++ gss_OID selected_mech, public_mech;
+ gss_mechanism mech;
+ 
+ if (minor == NULL)
+@@ -173,14 +174,20 @@ gss_inquire_attrs_for_mech(
+ if (known_mech_attrs != NULL)
+ *known_mech_attrs = GSS_C_NO_OID_SET;
+ 
+- mech = gssint_get_mechanism((gss_OID)mech_oid);
++ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
++ if (status != GSS_S_COMPLETE)
++ return status;
++
++ mech = gssint_get_mechanism(selected_mech);
+ if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
+- status = mech->gss_inquire_attrs_for_mech(minor,
+- mech_oid,
++ public_mech = gssint_get_public_oid(selected_mech);
++ status = mech->gss_inquire_attrs_for_mech(minor, public_mech,
+ mech_attrs,
+ known_mech_attrs);
+- if (GSS_ERROR(status))
++ if (GSS_ERROR(status)) {
++ map_error(minor, mech);
+ return status;
++ }
+ }
+ 
+ if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) {
+-- 
+2.7.0
+
diff --git a/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch b/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch
new file mode 100644
index 0000000..d23f45b
--- /dev/null
+++ b/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch
@@ -0,0 +1,49 @@
+From 030a4a03a0480969d6acf1591f39fd194642805a Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 27 Jan 2016 18:48:04 -0500
+Subject: [PATCH] Report inquire_attrs_for_mech mech failures
+
+Previously, gss_inquire_attrs_for_mech() would return a list of mech
+attributes that it knew about when given a bad mech oid or a mechanism
+which did not provide a gss_inquire_attrs_for_mech() method. It seems
+more useful to just report the failure to the application rather than
+allowing it to continue with a faulty mechanism.
+
+ticket: 8358 (new)
+---
+ src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
+index 57c0e52..08a6008 100644
+--- a/src/lib/gssapi/mechglue/g_mechattr.c
++++ b/src/lib/gssapi/mechglue/g_mechattr.c
+@@ -179,15 +179,16 @@ gss_inquire_attrs_for_mech(
+ return status;
+ 
+ mech = gssint_get_mechanism(selected_mech);
+- if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
+- public_mech = gssint_get_public_oid(selected_mech);
+- status = mech->gss_inquire_attrs_for_mech(minor, public_mech,
+- mech_attrs,
+- known_mech_attrs);
+- if (GSS_ERROR(status)) {
+- map_error(minor, mech);
+- return status;
+- }
++ if (mech == NULL)
++ return GSS_S_BAD_MECH;
++ else if (mech->gss_inquire_attrs_for_mech == NULL)
++ return GSS_S_UNAVAILABLE;
++ public_mech = gssint_get_public_oid(selected_mech);
++ status = mech->gss_inquire_attrs_for_mech(minor, public_mech, mech_attrs,
++ known_mech_attrs);
++ if (GSS_ERROR(status)) {
++ map_error(minor, mech);
++ return status;
+ }
+ 
+ if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) {
+-- 
+2.7.0
+
diff --git a/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch b/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
new file mode 100644
index 0000000..417cd4d
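Review bot: The new early `return GSS_S_UNAVAILABLE;` for a mechanism whose `gss_inquire_attrs_for_mech` callback is NULL also changes what allow_mech_by_default() in the first patch of this series sees, because that caller treats any nonzero status as a rejection (`if (status) return 0;`); before this change such a mechanism presumably reached the known_mech_attrs fallback and was accepted. That is a fail-closed outcome and probably intended, but it is a behavior change for acceptors using mechanisms without that callback, and the commit message only describes the direct return-code change. A comment at the new return would make the coupling visible, e.g. `/* No attrs callback: report it rather than guess; allow_mech_by_default() treats this as a rejection. */`.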
--- /dev/null
+++ b/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
@@ -0,0 +1,75 @@
+From 92dbcf2eb436933f769c17e6a10f671992636e5f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 12 Jan 2016 11:13:09 -0500
+Subject: [PATCH] Enable interposing gss_inquire_saslname_for_mech
+
+The behavior of gss_inquire_saslname_for_mech() changes slightly, to
+report GSS_S_BAD_MECH when an unsupported mech oid is given. Also
+call map_error() on the minor code resulting from the mech.
+
+Note that gss_inquire_mech_for_saslname() cannot be interposed, as
+mech_type is specified as output-only in RFC 5801.
+
+ticket: 8359 (new)
+---
+ src/lib/gssapi/mechglue/g_saslname.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_saslname.c b/src/lib/gssapi/mechglue/g_saslname.c
+index b025d9c..48060c3 100644
+--- a/src/lib/gssapi/mechglue/g_saslname.c
++++ b/src/lib/gssapi/mechglue/g_saslname.c
+@@ -113,7 +113,8 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
+ gss_buffer_t mech_name,
+ gss_buffer_t mech_description)
+ {
+- OM_uint32 status = GSS_S_BAD_MECH;
++ OM_uint32 status;
++ gss_OID selected_mech, public_mech;
+ gss_mechanism mech;
+ 
+ if (minor_status == NULL)
+@@ -136,15 +137,26 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
+ mech_description->value = NULL;
+ }
+ 
++ status = gssint_select_mech_type(minor_status, desired_mech,
++ &selected_mech);
++ if (status != GSS_S_COMPLETE)
++ return status;
++
+ mech = gssint_get_mechanism(desired_mech);
+- if (mech != NULL && mech->gss_inquire_saslname_for_mech != NULL) {
+- status = mech->gss_inquire_saslname_for_mech(minor_status,
+- desired_mech,
+- sasl_mech_name,
+- mech_name,
++ if (mech == NULL) {
++ return GSS_S_BAD_MECH;
++ } else if (mech->gss_inquire_saslname_for_mech == NULL) {
++ status = GSS_S_UNAVAILABLE;
++ } else {
++ public_mech = gssint_get_public_oid(selected_mech);
++ status = mech->gss_inquire_saslname_for_mech(minor_status, public_mech,
++ sasl_mech_name, mech_name,
+ mech_description);
++ if (status != GSS_S_COMPLETE)
++ map_error(minor_status, mech);
+ }
+- if (status == GSS_S_BAD_MECH) {
++
++ if (status == GSS_S_UNAVAILABLE) {
+ if (sasl_mech_name != GSS_C_NO_BUFFER)
+ status = oidToSaslNameAlloc(minor_status, desired_mech,
+ sasl_mech_name);
+@@ -155,6 +167,7 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
+ return status;
+ }
+ 
++/* We cannot interpose this function as mech_type is an output parameter. */
+ OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname(
+ OM_uint32 *minor_status,
+ const gss_buffer_t sasl_mech_name,
+-- 
+2.7.0
+
diff --git a/krb5-1.14.1-interpose-public_oid_fixups.patch b/krb5-1.14.1-interpose-public_oid_fixups.patch
new file mode 100644
index 0000000..82f63a2
--- /dev/null
+++ b/krb5-1.14.1-interpose-public_oid_fixups.patch
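Review bot: The lookup `mech = gssint_get_mechanism(desired_mech);` is left untouched as context while the new lines just above it select `selected_mech` and the new call derives `public_mech` from `selected_mech`, so the mechanism is fetched by the caller's OID but invoked with the OID chosen for interposition. The sibling changes in this series (g_mechattr.c, g_inq_names.c) look the mechanism up with `gssint_get_mechanism(selected_mech)`; whether a lookup by `desired_mech` still finds an interposer here is not visible in the hunk, but the inconsistency is worth resolving or explaining in a comment. If the series' convention applies, the line becomes `mech = gssint_get_mechanism(selected_mech);`.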
@@ -0,0 +1,152 @@
+From fe73f1130695880bd83cf811c37131b12711be23 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 12 Jan 2016 15:59:49 -0500
+Subject: [PATCH] Use public OID for interposing several functions
+
+This resolves an issue where an interposer would receive the private
+OID, and be unable to call back into krb5 in the expected manner in
+gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(),
+gss_localname(), gss_store_cred(), and gss_store_cred_into().
+
+Also change the return code of gss_localname() to GSS_S_BAD_MECH
+instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency
+with other functions.
+
+ticket: 8360 (new)
+---
+ src/lib/gssapi/mechglue/g_inq_cred.c | 5 +++--
+ src/lib/gssapi/mechglue/g_inq_names.c | 28 +++++++++++-----------------
+ src/lib/gssapi/mechglue/g_store_cred.c | 6 ++++--
+ src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 ++++---
+ 4 files changed, 22 insertions(+), 24 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c
+index c8e45fe..c5577d4 100644
+--- a/src/lib/gssapi/mechglue/g_inq_cred.c
++++ b/src/lib/gssapi/mechglue/g_inq_cred.c
+@@ -169,7 +169,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
+ gss_mechanism mech;
+ OM_uint32 status, temp_minor_status;
+ gss_name_t internal_name;
+- gss_OID selected_mech;
++ gss_OID selected_mech, public_mech;
+ 
+ if (minor_status != NULL)
+ *minor_status = 0;
+@@ -198,8 +198,9 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
+ return (GSS_S_DEFECTIVE_CREDENTIAL);
+ #endif
+ 
++ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_cred_by_mech(minor_status,
+- mech_cred, selected_mech,
++ mech_cred, public_mech,
+ name ? &internal_name : NULL,
+ initiator_lifetime,
+ acceptor_lifetime, cred_usage);
+diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c
+index b44fd6c..d22af8b 100644
+--- a/src/lib/gssapi/mechglue/g_inq_names.c
++++ b/src/lib/gssapi/mechglue/g_inq_names.c
+@@ -40,7 +40,7 @@ gss_OID_set * name_types;
+ 
+ {
+ OM_uint32 status;
+- gss_OID selected_mech = GSS_C_NO_OID;
++ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
+ gss_mechanism mech;
+ 
+ /* Initialize outputs. */
+@@ -70,23 +70,17 @@ gss_OID_set * name_types;
+ return (status);
+ 
+ mech = gssint_get_mechanism(selected_mech);
++ if (mech == NULL)
++ return GSS_S_BAD_MECH;
++ else if (mech->gss_inquire_names_for_mech == NULL)
++ return GSS_S_UNAVAILABLE;
++ public_mech = gssint_get_public_oid(selected_mech);
++ status = mech->gss_inquire_names_for_mech(minor_status, public_mech,
++ name_types);
++ if (status != GSS_S_COMPLETE)
++ map_error(minor_status, mech);
+ 
+- if (mech) {
+-
+- if (mech->gss_inquire_names_for_mech) {
+- status = mech->gss_inquire_names_for_mech(
+- minor_status,
+- selected_mech,
+- name_types);
+- if (status != GSS_S_COMPLETE)
+- map_error(minor_status, mech);
+- } else
+- status = GSS_S_UNAVAILABLE;
+-
+- return(status);
+- }
+-
+- return (GSS_S_BAD_MECH);
++ return status;
+ }
+ 
+ static OM_uint32
+diff --git a/src/lib/gssapi/mechglue/g_store_cred.c b/src/lib/gssapi/mechglue/g_store_cred.c
+index 030c73f..c2b6ddf 100644
+--- a/src/lib/gssapi/mechglue/g_store_cred.c
++++ b/src/lib/gssapi/mechglue/g_store_cred.c
+@@ -24,15 +24,17 @@ store_cred_fallback(
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored)
+ {
++ gss_OID public_mech = gssint_get_public_oid(desired_mech);
++
+ if (mech->gss_store_cred_into != NULL) {
+ return mech->gss_store_cred_into(minor_status, mech_cred,
+- cred_usage, desired_mech,
++ cred_usage, public_mech,
+ overwrite_cred, default_cred,
+ cred_store, elements_stored,
+ cred_usage_stored);
+ } else if (cred_store == GSS_C_NO_CRED_STORE) {
+ return mech->gss_store_cred(minor_status, mech_cred,
+- cred_usage, desired_mech,
++ cred_usage, public_mech,
+ overwrite_cred, default_cred,
+ elements_stored,
+ cred_usage_stored);
+diff --git a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
+index 4e7b644..4caa751 100644
+--- a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
++++ b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
+@@ -123,7 +123,7 @@ gss_localname(OM_uint32 *minor,
+ gss_mechanism mech;
+ gss_union_name_t unionName;
+ gss_name_t mechName = GSS_C_NO_NAME, mechNameP;
+- gss_OID selected_mech = GSS_C_NO_OID;
++ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
+ 
+ if (localname != GSS_C_NO_BUFFER) {
+ localname->length = 0;
+@@ -152,7 +152,7 @@ gss_localname(OM_uint32 *minor,
+ mech = gssint_get_mechanism(unionName->mech_type);
+ 
+ if (mech == NULL)
+- return GSS_S_UNAVAILABLE;
++ return GSS_S_BAD_MECH;
+ 
+ /* may need to create a mechanism specific name */
+ if (unionName->mech_type == GSS_C_NO_OID ||
+@@ -170,7 +170,8 @@ gss_localname(OM_uint32 *minor,
+ major = GSS_S_UNAVAILABLE;
+ 
+ if (mech->gss_localname != NULL) {
+- major = mech->gss_localname(minor, mechNameP, mech_type, localname);
++ public_mech = gssint_get_public_oid(selected_mech);
++ major = mech->gss_localname(minor, mechNameP, public_mech, localname);
+ if (GSS_ERROR(major))
+ map_error(minor, mech);
+ }
+-- 
+2.7.0
+
diff --git a/krb5-mechglue_inqure_attrs.patch b/krb5-mechglue_inqure_attrs.patch
deleted file mode 100644
index d55febb..0000000
--- a/krb5-mechglue_inqure_attrs.patch
+++ /dev/null
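Review bot: In store_cred_fallback() and gss_localname() the result of `gssint_get_public_oid()` is handed straight to the mechanism with no check, whereas the first patch in this series treats a GSS_C_NO_OID result from the same helper as a reason to bail out; nothing visible here states what the helper returns for an OID it does not recognize, so the two call sites are relying on a contract that is not written down. In gss_localname() the `selected_mech` passed to `gssint_get_public_oid(selected_mech)` is initialized to GSS_C_NO_OID at its declaration and assigned outside the hunk, so the same question applies there. A one-line comment at the g_store_cred.c declaration would settle it for readers, e.g. `/* NOTE(review): assumes gssint_get_public_oid() returns its argument unchanged (including GSS_C_NO_OID) for non-interposer OIDs -- confirm. */`.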
@@ -1,56 +0,0 @@
-From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Wed, 16 Dec 2015 19:31:22 -0500
-Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
-
-This includes proper mechanism selection in gss_inquire_attrs_for_mech()
-itself as well as passing the correct mech down from gss_accept_sec_context()
-through allow_mech_by_default().
-
-Also-authored-by: Simo Sorce
----
- src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
- src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-index 6c72d1f..4a86024 100644
---- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
- status = GSS_S_NO_CRED;
- goto error_out;
- }
-- } else if (!allow_mech_by_default(selected_mech)) {
-+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
- status = GSS_S_NO_CRED;
- goto error_out;
- }
-diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
-index e9299f4..4bd44b5 100644
---- a/src/lib/gssapi/mechglue/g_mechattr.c
-+++ b/src/lib/gssapi/mechglue/g_mechattr.c
-@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
- {
- OM_uint32 status, tmpMinor;
- gss_mechanism mech;
-+ gss_OID selected_mech;
- 
- if (minor == NULL)
- return GSS_S_CALL_INACCESSIBLE_WRITE;
-@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
- if (known_mech_attrs != NULL)
- *known_mech_attrs = GSS_C_NO_OID_SET;
- 
-- mech = gssint_get_mechanism((gss_OID)mech_oid);
-+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
-+ if (status != GSS_S_COMPLETE)
-+ return (status);
-+
-+ mech = gssint_get_mechanism(selected_mech);
- if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
- status = mech->gss_inquire_attrs_for_mech(minor,
- mech_oid,
--- 
-2.6.4
-
diff --git a/krb5.spec b/krb5.spec
index 624fecc..4b4df2b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14
-Release: 21%{?dist}
+Release: 22%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -58,13 +58,18 @@ Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch148: krb5-disable_ofd_locks.patch
 Patch150: krb5-fix_interposer.patch
-Patch151: krb5-mechglue_inqure_attrs.patch
 Patch152: krb5-init_context_null_spnego.patch
 Patch153: krb5-1.14.1-log_file_permissions.patch
 Patch154: krb5-CVE-2015-8629.patch
 Patch155: krb5-CVE-2015-8630.patch
 Patch156: krb5-CVE-2015-8631.patch
+Patch157: krb5-1.14.1-interpose-accept_sec_context.patch
+Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
+Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch
+Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
+Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -238,7 +243,6 @@ ln NOTICE LICENSE
 %patch148 -p1 -b .disable_ofd_locks
 %patch150 -p1 -b .fix_interposer
-%patch151 -p1 -b .mechglue_inqure_attrs
 %patch152 -p1 -b .init_context_null_spnego
 %patch153 -p1 -b .log_file_permissions
@@ -246,6 +250,12 @@ ln NOTICE LICENSE
 %patch155 -p1 -b .CVE-2015-8630
 %patch156 -p1 -b .CVE-2015-8631
+%patch157 -p1 -b .interpose-accept_sec_context
+%patch158 -p1 -b .interpose-enable-inquire_attrs_for_mech
+%patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech
+%patch160 -p1 -b .interpose-inquire_saslname_for_mech
+%patch161 -p1 -b .interpose-public_oid_fixups
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -767,6 +777,10 @@ exit 0
 %changelog
+* Fri Feb 19 2016 Robbie Harwood - 1.14-22
+- Backport my interposer fixes from upstream
+ - Supersedes krb5-mechglue_inqure_attrs.patch
+
 * Tue Feb 16 2016 Robbie Harwood - 1.14-21
 - Adjust dependency on crypto-polices to be just the file we want
 - Patch courtesy of lslebodn