Backport my interposer fixes from upstream

Supersedes krb5-mechglue_inqure_attrs.patch
Robbie Harwood 2016-02-19 20:11:23 +00:00
parent 5d016a51a3
commit 96d71f74f7
7 changed files with 386 additions and 59 deletions


@ -0,0 +1,39 @@
From 0b43d10333f4c4b29896cebc9447d8866b661217 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix interposed gss_accept_sec_context()
If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID. In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.
[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
ticket: 8338 (new)
target_version: 1.14-next
tags: pullup
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..ddaf874 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -94,6 +94,12 @@ allow_mech_by_default(gss_OID mech)
gss_OID_set attrs;
int reject = 0, p;
+ /* Whether we accept an interposer mech depends on whether we accept the
+ * mech it interposes. */
+ mech = gssint_get_public_oid(mech);
+ if (mech == GSS_C_NO_OID)
+ return 0;
+
status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
if (status)
return 0;
--
2.7.0
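Review bot: The early return when `gssint_get_public_oid()` yields `GSS_C_NO_OID` refuses the mech (0 reads as the caller's "not allowed" answer, judging by the function name, the `reject` local and the identical `return 0` on inquire failure), which is the right fail-closed default for an acceptor, but the comment above it only explains the interposer mapping and says nothing about why an unresolvable OID is rejected rather than passed through unchanged. Add `/* Fail closed: an OID we cannot map to a registered mech is never accepted. */` directly above `if (mech == GSS_C_NO_OID)`. The rest of `allow_mech_by_default()`, including how `reject` feeds the final result, lies outside the hunk.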


@ -0,0 +1,54 @@
From 3be2b486058758cfcd16c8af0a8f560159e77cda Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 11 Jan 2016 17:50:39 -0500
Subject: [PATCH] Enable interposing gss_inquire_attrs_for_mech()
Use gssint_select_mech_type() to locate an interposer mechanism, and
pass the public mech OID to the mech. Also call map_error() on the
resulting minor code.
ticket: 8330 (new)
---
src/lib/gssapi/mechglue/g_mechattr.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
index e9299f4..57c0e52 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -160,6 +160,7 @@ gss_inquire_attrs_for_mech(
gss_OID_set *known_mech_attrs)
{
OM_uint32 status, tmpMinor;
+ gss_OID selected_mech, public_mech;
gss_mechanism mech;
if (minor == NULL)
@@ -173,14 +174,20 @@ gss_inquire_attrs_for_mech(
if (known_mech_attrs != NULL)
*known_mech_attrs = GSS_C_NO_OID_SET;
- mech = gssint_get_mechanism((gss_OID)mech_oid);
+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ mech = gssint_get_mechanism(selected_mech);
if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
- status = mech->gss_inquire_attrs_for_mech(minor,
- mech_oid,
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_attrs_for_mech(minor, public_mech,
mech_attrs,
known_mech_attrs);
- if (GSS_ERROR(status))
+ if (GSS_ERROR(status)) {
+ map_error(minor, mech);
return status;
+ }
}
if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) {
--
2.7.0
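Review bot: `public_mech` from `gssint_get_public_oid(selected_mech)` is handed straight to the mech's `gss_inquire_attrs_for_mech` without a check, whereas the accept_sec_context patch in this same series treats a `GSS_C_NO_OID` result from that helper as possible and bails out on it; if that can also happen after a successful `gssint_select_mech_type()`, the mech receives a null OID. Either guard it with `if (public_mech == GSS_C_NO_OID) return GSS_S_BAD_MECH;` before the call, or add a one-line comment stating why it cannot be null at this point. Whether the helper can return no OID for a freshly selected mech is decided in g_initialize.c, which is not part of this commit. The function continues below the hunk with the `known_mech_attrs` fill, so the success path is not fully visible here.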


@ -0,0 +1,49 @@
From 030a4a03a0480969d6acf1591f39fd194642805a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 27 Jan 2016 18:48:04 -0500
Subject: [PATCH] Report inquire_attrs_for_mech mech failures
Previously, gss_inquire_attrs_for_mech() would return a list of mech
attributes that it knew about when given a bad mech oid or a mechanism
which did not provide a gss_inquire_attrs_for_mech() method. It seems
more useful to just report the failure to the application rather than
allowing it to continue with a faulty mechanism.
ticket: 8358 (new)
---
src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
index 57c0e52..08a6008 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -179,15 +179,16 @@ gss_inquire_attrs_for_mech(
return status;
mech = gssint_get_mechanism(selected_mech);
- if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
- public_mech = gssint_get_public_oid(selected_mech);
- status = mech->gss_inquire_attrs_for_mech(minor, public_mech,
- mech_attrs,
- known_mech_attrs);
- if (GSS_ERROR(status)) {
- map_error(minor, mech);
- return status;
- }
+ if (mech == NULL)
+ return GSS_S_BAD_MECH;
+ else if (mech->gss_inquire_attrs_for_mech == NULL)
+ return GSS_S_UNAVAILABLE;
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_attrs_for_mech(minor, public_mech, mech_attrs,
+ known_mech_attrs);
+ if (GSS_ERROR(status)) {
+ map_error(minor, mech);
+ return status;
}
if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) {
--
2.7.0
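Review bot: The `else if (mech->gss_inquire_attrs_for_mech == NULL)` follows an unconditional `return GSS_S_BAD_MECH;`, so the `else` is dead syntax, and the same shape is repeated in g_inq_names.c later in this series; two plain guard clauses — `if (mech == NULL) return GSS_S_BAD_MECH;` then `if (mech->gss_inquire_attrs_for_mech == NULL) return GSS_S_UNAVAILABLE;` — read more directly and match the early-return style used for `gssint_select_mech_type()` just above. A short comment at the `GSS_S_UNAVAILABLE` return would also help, since callers that previously received the mechglue's own attribute list for such a mech now get an error, and only the commit message explains that this is deliberate. The tail of the function, including the `known_mech_attrs` handling that begins at the last context line, continues past the hunk.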


@ -0,0 +1,75 @@
From 92dbcf2eb436933f769c17e6a10f671992636e5f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 12 Jan 2016 11:13:09 -0500
Subject: [PATCH] Enable interposing gss_inquire_saslname_for_mech
The behavior of gss_inquire_saslname_for_mech() changes slightly, to
report GSS_S_BAD_MECH when an unsupported mech oid is given. Also
call map_error() on the minor code resulting from the mech.
Note that gss_inquire_mech_for_saslname() cannot be interposed, as
mech_type is specified as output-only in RFC 5801.
ticket: 8359 (new)
---
src/lib/gssapi/mechglue/g_saslname.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_saslname.c b/src/lib/gssapi/mechglue/g_saslname.c
index b025d9c..48060c3 100644
--- a/src/lib/gssapi/mechglue/g_saslname.c
+++ b/src/lib/gssapi/mechglue/g_saslname.c
@@ -113,7 +113,8 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
gss_buffer_t mech_name,
gss_buffer_t mech_description)
{
- OM_uint32 status = GSS_S_BAD_MECH;
+ OM_uint32 status;
+ gss_OID selected_mech, public_mech;
gss_mechanism mech;
if (minor_status == NULL)
@@ -136,15 +137,26 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
mech_description->value = NULL;
}
+ status = gssint_select_mech_type(minor_status, desired_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
mech = gssint_get_mechanism(desired_mech);
- if (mech != NULL && mech->gss_inquire_saslname_for_mech != NULL) {
- status = mech->gss_inquire_saslname_for_mech(minor_status,
- desired_mech,
- sasl_mech_name,
- mech_name,
+ if (mech == NULL) {
+ return GSS_S_BAD_MECH;
+ } else if (mech->gss_inquire_saslname_for_mech == NULL) {
+ status = GSS_S_UNAVAILABLE;
+ } else {
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_saslname_for_mech(minor_status, public_mech,
+ sasl_mech_name, mech_name,
mech_description);
+ if (status != GSS_S_COMPLETE)
+ map_error(minor_status, mech);
}
- if (status == GSS_S_BAD_MECH) {
+
+ if (status == GSS_S_UNAVAILABLE) {
if (sasl_mech_name != GSS_C_NO_BUFFER)
status = oidToSaslNameAlloc(minor_status, desired_mech,
sasl_mech_name);
@@ -155,6 +167,7 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
return status;
}
+/* We cannot interpose this function as mech_type is an output parameter. */
OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname(
OM_uint32 *minor_status,
const gss_buffer_t sasl_mech_name,
--
2.7.0
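Review bot: The lookup at the unchanged line `mech = gssint_get_mechanism(desired_mech);` still uses the caller's OID even though the new code has just computed `selected_mech` for exactly this purpose, so any interposer registered for `desired_mech` is never selected and the interposition this patch is titled for does not take effect; it should read `mech = gssint_get_mechanism(selected_mech);`, as the corresponding line in g_mechattr.c and g_inq_names.c does elsewhere in this series. With the current mismatch the `public_mech` derived from `selected_mech` is passed to the mech found by the public OID, which is harmless but hides the bug. The `oidToSaslNameAlloc()` fallback below keeps using `desired_mech`, which is correct because the SASL name is derived from the public OID. Whether a public-OID lookup returns the interposer or the underlying mech is decided in g_initialize.c, which is not in this commit.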


@ -0,0 +1,152 @@
From fe73f1130695880bd83cf811c37131b12711be23 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 12 Jan 2016 15:59:49 -0500
Subject: [PATCH] Use public OID for interposing several functions
This resolves an issue where an interposer would receive the private
OID, and be unable to call back into krb5 in the expected manner in
gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(),
gss_localname(), gss_store_cred(), and gss_store_cred_into().
Also change the return code of gss_localname() to GSS_S_BAD_MECH
instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency
with other functions.
ticket: 8360 (new)
---
src/lib/gssapi/mechglue/g_inq_cred.c | 5 +++--
src/lib/gssapi/mechglue/g_inq_names.c | 28 +++++++++++-----------------
src/lib/gssapi/mechglue/g_store_cred.c | 6 ++++--
src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 ++++---
4 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c
index c8e45fe..c5577d4 100644
--- a/src/lib/gssapi/mechglue/g_inq_cred.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred.c
@@ -169,7 +169,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
gss_mechanism mech;
OM_uint32 status, temp_minor_status;
gss_name_t internal_name;
- gss_OID selected_mech;
+ gss_OID selected_mech, public_mech;
if (minor_status != NULL)
*minor_status = 0;
@@ -198,8 +198,9 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
return (GSS_S_DEFECTIVE_CREDENTIAL);
#endif
+ public_mech = gssint_get_public_oid(selected_mech);
status = mech->gss_inquire_cred_by_mech(minor_status,
- mech_cred, selected_mech,
+ mech_cred, public_mech,
name ? &internal_name : NULL,
initiator_lifetime,
acceptor_lifetime, cred_usage);
diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c
index b44fd6c..d22af8b 100644
--- a/src/lib/gssapi/mechglue/g_inq_names.c
+++ b/src/lib/gssapi/mechglue/g_inq_names.c
@@ -40,7 +40,7 @@ gss_OID_set * name_types;
{
OM_uint32 status;
- gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
gss_mechanism mech;
/* Initialize outputs. */
@@ -70,23 +70,17 @@ gss_OID_set * name_types;
return (status);
mech = gssint_get_mechanism(selected_mech);
+ if (mech == NULL)
+ return GSS_S_BAD_MECH;
+ else if (mech->gss_inquire_names_for_mech == NULL)
+ return GSS_S_UNAVAILABLE;
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_names_for_mech(minor_status, public_mech,
+ name_types);
+ if (status != GSS_S_COMPLETE)
+ map_error(minor_status, mech);
- if (mech) {
-
- if (mech->gss_inquire_names_for_mech) {
- status = mech->gss_inquire_names_for_mech(
- minor_status,
- selected_mech,
- name_types);
- if (status != GSS_S_COMPLETE)
- map_error(minor_status, mech);
- } else
- status = GSS_S_UNAVAILABLE;
-
- return(status);
- }
-
- return (GSS_S_BAD_MECH);
+ return status;
}
static OM_uint32
diff --git a/src/lib/gssapi/mechglue/g_store_cred.c b/src/lib/gssapi/mechglue/g_store_cred.c
index 030c73f..c2b6ddf 100644
--- a/src/lib/gssapi/mechglue/g_store_cred.c
+++ b/src/lib/gssapi/mechglue/g_store_cred.c
@@ -24,15 +24,17 @@ store_cred_fallback(
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
+ gss_OID public_mech = gssint_get_public_oid(desired_mech);
+
if (mech->gss_store_cred_into != NULL) {
return mech->gss_store_cred_into(minor_status, mech_cred,
- cred_usage, desired_mech,
+ cred_usage, public_mech,
overwrite_cred, default_cred,
cred_store, elements_stored,
cred_usage_stored);
} else if (cred_store == GSS_C_NO_CRED_STORE) {
return mech->gss_store_cred(minor_status, mech_cred,
- cred_usage, desired_mech,
+ cred_usage, public_mech,
overwrite_cred, default_cred,
elements_stored,
cred_usage_stored);
diff --git a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
index 4e7b644..4caa751 100644
--- a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
+++ b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
@@ -123,7 +123,7 @@ gss_localname(OM_uint32 *minor,
gss_mechanism mech;
gss_union_name_t unionName;
gss_name_t mechName = GSS_C_NO_NAME, mechNameP;
- gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
if (localname != GSS_C_NO_BUFFER) {
localname->length = 0;
@@ -152,7 +152,7 @@ gss_localname(OM_uint32 *minor,
mech = gssint_get_mechanism(unionName->mech_type);
if (mech == NULL)
- return GSS_S_UNAVAILABLE;
+ return GSS_S_BAD_MECH;
/* may need to create a mechanism specific name */
if (unionName->mech_type == GSS_C_NO_OID ||
@@ -170,7 +170,8 @@ gss_localname(OM_uint32 *minor,
major = GSS_S_UNAVAILABLE;
if (mech->gss_localname != NULL) {
- major = mech->gss_localname(minor, mechNameP, mech_type, localname);
+ public_mech = gssint_get_public_oid(selected_mech);
+ major = mech->gss_localname(minor, mechNameP, public_mech, localname);
if (GSS_ERROR(major))
map_error(minor, mech);
}
--
2.7.0
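Review bot: In gss_localname(), `public_mech = gssint_get_public_oid(selected_mech)` depends on `selected_mech`, which is initialised to `GSS_C_NO_OID` and is not assigned on the path visible at `mech = gssint_get_mechanism(unionName->mech_type);`, so a caller that passes no `mech_type` now hands the mech whatever `gssint_get_public_oid(GSS_C_NO_OID)` returns instead of the previous `mech_type` pass-through. If that helper maps no-OID to no-OID (g_initialize.c, not in this commit) behaviour is unchanged and deserves a comment, e.g. `/* selected_mech stays GSS_C_NO_OID when the caller gave no mech; the helper passes that through. */`; otherwise derive the OID from `unionName->mech_type` in that branch. The branch that does assign `selected_mech` lies between the two hunks and is not visible. The same question applies to `store_cred_fallback()`, whose `desired_mech` callers may likewise leave as `GSS_C_NO_OID`.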


@ -1,56 +0,0 @@
From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
This includes proper mechanism selection in gss_inquire_attrs_for_mech()
itself as well as passing the correct mech down from gss_accept_sec_context()
through allow_mech_by_default().
Also-authored-by: Simo Sorce <simo@redhat.com>
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..4a86024 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
status = GSS_S_NO_CRED;
goto error_out;
}
- } else if (!allow_mech_by_default(selected_mech)) {
+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
status = GSS_S_NO_CRED;
goto error_out;
}
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
index e9299f4..4bd44b5 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
{
OM_uint32 status, tmpMinor;
gss_mechanism mech;
+ gss_OID selected_mech;
if (minor == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
if (known_mech_attrs != NULL)
*known_mech_attrs = GSS_C_NO_OID_SET;
- mech = gssint_get_mechanism((gss_OID)mech_oid);
+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return (status);
+
+ mech = gssint_get_mechanism(selected_mech);
if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
status = mech->gss_inquire_attrs_for_mech(minor,
mech_oid,
--
2.6.4


@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
Release: 21%{?dist}
Release: 22%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -58,13 +58,18 @@ Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch148: krb5-disable_ofd_locks.patch
Patch150: krb5-fix_interposer.patch
Patch151: krb5-mechglue_inqure_attrs.patch
Patch152: krb5-init_context_null_spnego.patch
Patch153: krb5-1.14.1-log_file_permissions.patch
Patch154: krb5-CVE-2015-8629.patch
Patch155: krb5-CVE-2015-8630.patch
Patch156: krb5-CVE-2015-8631.patch
Patch157: krb5-1.14.1-interpose-accept_sec_context.patch
Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch
Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
@ -238,7 +243,6 @@ ln NOTICE LICENSE
%patch148 -p1 -b .disable_ofd_locks
%patch150 -p1 -b .fix_interposer
%patch151 -p1 -b .mechglue_inqure_attrs
%patch152 -p1 -b .init_context_null_spnego
%patch153 -p1 -b .log_file_permissions
@ -246,6 +250,12 @@ ln NOTICE LICENSE
%patch155 -p1 -b .CVE-2015-8630
%patch156 -p1 -b .CVE-2015-8631
%patch157 -p1 -b .interpose-accept_sec_context
%patch158 -p1 -b .interpose-enable-inquire_attrs_for_mech
%patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech
%patch160 -p1 -b .interpose-inquire_saslname_for_mech
%patch161 -p1 -b .interpose-public_oid_fixups
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -767,6 +777,10 @@ exit 0
%changelog
* Fri Feb 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-22
- Backport my interposer fixes from upstream
- Supersedes krb5-mechglue_inqure_attrs.patch
* Tue Feb 16 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-21
- Adjust dependency on crypto-polices to be just the file we want
- Patch courtesy of lslebodn