mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-04-20 11:38:34 +00:00
krb5: upgrade to 1.13.6
* fix CVEs: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * update LIC_FILES_CHKSUM, only Copyright changed in NOTICE file: -Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. * remove useless functions: krb5_do_unpack(), do_unpack() * remove patches that included by new release: - 0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch - Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch - Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch - Fix-build_principal-memory-bug-CVE-2015-2697.patch - Fix-IAKERB-context-export-import-CVE-2015-2698.patch - krb5-CVE-2016-3119.patch - krb5-CVE-2016-3120.patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Wenzong Fan
committed by
Martin Jansa
Martin Jansa
parent
dd0f1adc98
commit
2ed5ad2e40
@@ -1,37 +0,0 @@
|
||||
From f1b681a44d28946e6d8fc0080f3efe94228d7dfe Mon Sep 17 00:00:00 2001
|
||||
From: Tom Yu <tlyu@mit.edu>
|
||||
Date: Wed, 6 Jan 2016 15:24:16 -0500
|
||||
Subject: [PATCH] Work around uninitialized warning in cc_kcm.c
|
||||
|
||||
Some versions of clang erroneously detect use of an uninitialized
|
||||
variable reply_len in kcmio_call() when building on non-Mac platforms.
|
||||
Initialize it to work around this warning.
|
||||
|
||||
(cherry picked from commit 40b007c0d8e2a12c6f4205ac111dee731c9d970c)
|
||||
|
||||
ticket: 8335
|
||||
version_fixed: 1.13.4
|
||||
tags: -pullup
|
||||
status: resolved
|
||||
|
||||
Upstream-Status: backport
|
||||
---
|
||||
src/lib/krb5/ccache/cc_kcm.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
|
||||
index b763ea4..6337b57 100644
|
||||
--- a/src/lib/krb5/ccache/cc_kcm.c
|
||||
+++ b/src/lib/krb5/ccache/cc_kcm.c
|
||||
@@ -377,7 +377,7 @@ static krb5_error_code
|
||||
kcmio_call(krb5_context context, struct kcmio *io, struct kcmreq *req)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
- size_t reply_len;
|
||||
+ size_t reply_len = 0;
|
||||
|
||||
if (k5_buf_status(&req->reqbuf) != 0)
|
||||
return ENOMEM;
|
||||
--
|
||||
2.8.2
|
||||
|
||||
@@ -1,739 +0,0 @@
|
||||
From f6e57c402688f4bc386d1a39512657a30f0bafd3 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Williams <nico@twosigma.com>
|
||||
Date: Mon, 14 Sep 2015 12:28:36 -0400
|
||||
Subject: [PATCH 2/4] Fix IAKERB context aliasing bugs [CVE-2015-2696]
|
||||
|
||||
The IAKERB mechanism currently replaces its context handle with the
|
||||
krb5 mechanism handle upon establishment, under the assumption that
|
||||
most GSS functions are only called after context establishment. This
|
||||
assumption is incorrect, and can lead to aliasing violations for some
|
||||
programs. Maintain the IAKERB context structure after context
|
||||
establishment and add new IAKERB entry points to refer to it with that
|
||||
type. Add initiate and established flags to the IAKERB context
|
||||
structure for use in gss_inquire_context() prior to context
|
||||
establishment.
|
||||
|
||||
CVE-2015-2696:
|
||||
|
||||
In MIT krb5 1.9 and later, applications which call
|
||||
gss_inquire_context() on a partially-established IAKERB context can
|
||||
cause the GSS-API library to read from a pointer using the wrong type,
|
||||
generally causing a process crash. Java server applications using the
|
||||
native JGSS provider are vulnerable to this bug. A carefully crafted
|
||||
IAKERB packet might allow the gss_inquire_context() call to succeed
|
||||
with attacker-determined results, but applications should not make
|
||||
access control decisions based on gss_inquire_context() results prior
|
||||
to context establishment.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
|
||||
behavior changes; commit message and CVE description]
|
||||
|
||||
ticket: 8244
|
||||
target_version: 1.14
|
||||
tags: pullup
|
||||
|
||||
Backport upstream commit:
|
||||
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
|
||||
|
||||
Upstream-Status: Backport
|
||||
---
|
||||
src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
|
||||
src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++--
|
||||
src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++----
|
||||
3 files changed, 529 insertions(+), 41 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
index a0e8625..05dc321 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
|
||||
);
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
|
||||
+(OM_uint32*, /* minor_status */
|
||||
+ const gss_ctx_id_t,
|
||||
+ /* context_handle */
|
||||
+ const gss_OID, /* desired_object */
|
||||
+ gss_buffer_set_t* /* data_set */
|
||||
+);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
|
||||
+(OM_uint32*, /* minor_status */
|
||||
+ gss_ctx_id_t*, /* context_handle */
|
||||
+ const gss_OID, /* desired_object */
|
||||
+ const gss_buffer_t/* value */
|
||||
+);
|
||||
+
|
||||
OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
|
||||
(OM_uint32*, /* minor_status */
|
||||
gss_ctx_id_t, /* context_handle */
|
||||
@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV
|
||||
krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
|
||||
gss_cred_id_t *cred_handle);
|
||||
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_process_context_token(OM_uint32 *minor_status,
|
||||
+ const gss_ctx_id_t context_handle,
|
||||
+ const gss_buffer_t token_buffer);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ OM_uint32 *time_rec);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_inquire_context(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, gss_name_t *src_name,
|
||||
+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
|
||||
+ gss_OID *mech_type, OM_uint32 *ctx_flags,
|
||||
+ int *locally_initiated, int *opened);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t qop_req, gss_buffer_t message_buffer,
|
||||
+ gss_buffer_t message_token);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
|
||||
+ int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
|
||||
+ gss_qop_t *qop_state);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
|
||||
+ int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int conf_req_flag, gss_qop_t qop_req,
|
||||
+ gss_buffer_t input_message_buffer, int *conf_state,
|
||||
+ gss_buffer_t output_message_buffer);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, int conf_req_flag,
|
||||
+ gss_qop_t qop_req, int *conf_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_buffer_t input_message_buffer,
|
||||
+ gss_buffer_t output_message_buffer, int *conf_state,
|
||||
+ gss_qop_t *qop_state);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int *conf_state, gss_qop_t *qop_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, int conf_req_flag,
|
||||
+ gss_qop_t qop_req, OM_uint32 req_output_size,
|
||||
+ OM_uint32 *max_input_size);
|
||||
+
|
||||
+#ifndef LEAN_CLIENT
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t *context_handle,
|
||||
+ gss_buffer_t interprocess_token);
|
||||
+#endif /* LEAN_CLIENT */
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
|
||||
+ const gss_ctx_id_t context_handle,
|
||||
+ const gss_OID desired_object,
|
||||
+ gss_buffer_set_t *data_set);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t *context_handle,
|
||||
+ const gss_OID desired_object,
|
||||
+ const gss_buffer_t value);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int prf_key, const gss_buffer_t prf_in,
|
||||
+ ssize_t desired_output_len, gss_buffer_t prf_out);
|
||||
+
|
||||
/* Magic string to identify exported krb5 GSS credentials. Increment this if
|
||||
* the format changes. */
|
||||
#define CRED_EXPORT_MAGIC "K5C1"
|
||||
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
index 77b7fff..9a23656 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
@@ -345,7 +345,7 @@ static struct {
|
||||
}
|
||||
};
|
||||
|
||||
-static OM_uint32 KRB5_CALLCONV
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
|
||||
const gss_ctx_id_t context_handle,
|
||||
const gss_OID desired_object,
|
||||
@@ -459,7 +459,7 @@ static struct {
|
||||
};
|
||||
#endif
|
||||
|
||||
-static OM_uint32 KRB5_CALLCONV
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
|
||||
gss_ctx_id_t *context_handle,
|
||||
const gss_OID desired_object,
|
||||
@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = {
|
||||
krb5_gss_get_mic_iov_length,
|
||||
};
|
||||
|
||||
+/* Functions which use security contexts or acquire creds are IAKERB-specific;
|
||||
+ * other functions can borrow from the krb5 mech. */
|
||||
+static struct gss_config iakerb_mechanism = {
|
||||
+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
|
||||
+ NULL,
|
||||
+ iakerb_gss_acquire_cred,
|
||||
+ krb5_gss_release_cred,
|
||||
+ iakerb_gss_init_sec_context,
|
||||
+#ifdef LEAN_CLIENT
|
||||
+ NULL,
|
||||
+#else
|
||||
+ iakerb_gss_accept_sec_context,
|
||||
+#endif
|
||||
+ iakerb_gss_process_context_token,
|
||||
+ iakerb_gss_delete_sec_context,
|
||||
+ iakerb_gss_context_time,
|
||||
+ iakerb_gss_get_mic,
|
||||
+ iakerb_gss_verify_mic,
|
||||
+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
|
||||
+ NULL,
|
||||
+#else
|
||||
+ iakerb_gss_wrap,
|
||||
+#endif
|
||||
+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
|
||||
+ NULL,
|
||||
+#else
|
||||
+ iakerb_gss_unwrap,
|
||||
+#endif
|
||||
+ krb5_gss_display_status,
|
||||
+ krb5_gss_indicate_mechs,
|
||||
+ krb5_gss_compare_name,
|
||||
+ krb5_gss_display_name,
|
||||
+ krb5_gss_import_name,
|
||||
+ krb5_gss_release_name,
|
||||
+ krb5_gss_inquire_cred,
|
||||
+ NULL, /* add_cred */
|
||||
+#ifdef LEAN_CLIENT
|
||||
+ NULL,
|
||||
+ NULL,
|
||||
+#else
|
||||
+ iakerb_gss_export_sec_context,
|
||||
+ NULL,
|
||||
+#endif
|
||||
+ krb5_gss_inquire_cred_by_mech,
|
||||
+ krb5_gss_inquire_names_for_mech,
|
||||
+ iakerb_gss_inquire_context,
|
||||
+ krb5_gss_internal_release_oid,
|
||||
+ iakerb_gss_wrap_size_limit,
|
||||
+ krb5_gss_localname,
|
||||
+ krb5_gss_authorize_localname,
|
||||
+ krb5_gss_export_name,
|
||||
+ krb5_gss_duplicate_name,
|
||||
+ krb5_gss_store_cred,
|
||||
+ iakerb_gss_inquire_sec_context_by_oid,
|
||||
+ krb5_gss_inquire_cred_by_oid,
|
||||
+ iakerb_gss_set_sec_context_option,
|
||||
+ krb5_gssspi_set_cred_option,
|
||||
+ krb5_gssspi_mech_invoke,
|
||||
+ NULL, /* wrap_aead */
|
||||
+ NULL, /* unwrap_aead */
|
||||
+ iakerb_gss_wrap_iov,
|
||||
+ iakerb_gss_unwrap_iov,
|
||||
+ iakerb_gss_wrap_iov_length,
|
||||
+ NULL, /* complete_auth_token */
|
||||
+ NULL, /* acquire_cred_impersonate_name */
|
||||
+ NULL, /* add_cred_impersonate_name */
|
||||
+ NULL, /* display_name_ext */
|
||||
+ krb5_gss_inquire_name,
|
||||
+ krb5_gss_get_name_attribute,
|
||||
+ krb5_gss_set_name_attribute,
|
||||
+ krb5_gss_delete_name_attribute,
|
||||
+ krb5_gss_export_name_composite,
|
||||
+ krb5_gss_map_name_to_any,
|
||||
+ krb5_gss_release_any_name_mapping,
|
||||
+ iakerb_gss_pseudo_random,
|
||||
+ NULL, /* set_neg_mechs */
|
||||
+ krb5_gss_inquire_saslname_for_mech,
|
||||
+ krb5_gss_inquire_mech_for_saslname,
|
||||
+ krb5_gss_inquire_attrs_for_mech,
|
||||
+ krb5_gss_acquire_cred_from,
|
||||
+ krb5_gss_store_cred_into,
|
||||
+ iakerb_gss_acquire_cred_with_password,
|
||||
+ krb5_gss_export_cred,
|
||||
+ krb5_gss_import_cred,
|
||||
+ NULL, /* import_sec_context_by_mech */
|
||||
+ NULL, /* import_name_by_mech */
|
||||
+ NULL, /* import_cred_by_mech */
|
||||
+ iakerb_gss_get_mic_iov,
|
||||
+ iakerb_gss_verify_mic_iov,
|
||||
+ iakerb_gss_get_mic_iov_length,
|
||||
+};
|
||||
+
|
||||
#ifdef _GSS_STATIC_LINK
|
||||
#include "mglueP.h"
|
||||
static int gss_iakerbmechglue_init(void)
|
||||
{
|
||||
struct gss_mech_config mech_iakerb;
|
||||
- struct gss_config iakerb_mechanism = krb5_mechanism;
|
||||
-
|
||||
- /* IAKERB mechanism mirrors krb5, but with different context SPIs */
|
||||
- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
|
||||
- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
|
||||
- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
|
||||
- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
|
||||
- iakerb_mechanism.gssspi_acquire_cred_with_password
|
||||
- = iakerb_gss_acquire_cred_with_password;
|
||||
|
||||
memset(&mech_iakerb, 0, sizeof(mech_iakerb));
|
||||
mech_iakerb.mech = &iakerb_mechanism;
|
||||
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
|
||||
index f30de32..4662bd9 100644
|
||||
--- a/src/lib/gssapi/krb5/iakerb.c
|
||||
+++ b/src/lib/gssapi/krb5/iakerb.c
|
||||
@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
|
||||
gss_ctx_id_t gssc;
|
||||
krb5_data conv; /* conversation for checksumming */
|
||||
unsigned int count; /* number of round trips */
|
||||
+ int initiate;
|
||||
+ int established;
|
||||
krb5_get_init_creds_opt *gic_opts;
|
||||
};
|
||||
|
||||
@@ -695,7 +697,7 @@ cleanup:
|
||||
* Allocate and initialise an IAKERB context
|
||||
*/
|
||||
static krb5_error_code
|
||||
-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
|
||||
+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
|
||||
{
|
||||
iakerb_ctx_id_t ctx;
|
||||
krb5_error_code code;
|
||||
@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
|
||||
ctx->magic = KG_IAKERB_CONTEXT;
|
||||
ctx->state = IAKERB_AS_REQ;
|
||||
ctx->count = 0;
|
||||
+ ctx->initiate = initiate;
|
||||
+ ctx->established = 0;
|
||||
|
||||
code = krb5_gss_init_context(&ctx->k5c);
|
||||
if (code != 0)
|
||||
@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t *context_handle,
|
||||
gss_buffer_t output_token)
|
||||
{
|
||||
- OM_uint32 major_status = GSS_S_COMPLETE;
|
||||
+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
|
||||
|
||||
if (output_token != GSS_C_NO_BUFFER) {
|
||||
output_token->length = 0;
|
||||
@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
|
||||
}
|
||||
|
||||
*minor_status = 0;
|
||||
+ *context_handle = GSS_C_NO_CONTEXT;
|
||||
+ iakerb_release_context(iakerb_ctx);
|
||||
|
||||
- if (*context_handle != GSS_C_NO_CONTEXT) {
|
||||
- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
|
||||
-
|
||||
- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
|
||||
- iakerb_release_context(iakerb_ctx);
|
||||
- *context_handle = GSS_C_NO_CONTEXT;
|
||||
- } else {
|
||||
- assert(iakerb_ctx->magic == KG_CONTEXT);
|
||||
-
|
||||
- major_status = krb5_gss_delete_sec_context(minor_status,
|
||||
- context_handle,
|
||||
- output_token);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- return major_status;
|
||||
+ return GSS_S_COMPLETE;
|
||||
}
|
||||
|
||||
static krb5_boolean
|
||||
@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
|
||||
int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
|
||||
|
||||
if (initialContextToken) {
|
||||
- code = iakerb_alloc_context(&ctx);
|
||||
+ code = iakerb_alloc_context(&ctx, 0);
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
|
||||
@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
|
||||
time_rec,
|
||||
delegated_cred_handle,
|
||||
&exts);
|
||||
- if (major_status == GSS_S_COMPLETE) {
|
||||
- *context_handle = ctx->gssc;
|
||||
- ctx->gssc = NULL;
|
||||
- iakerb_release_context(ctx);
|
||||
- }
|
||||
+ if (major_status == GSS_S_COMPLETE)
|
||||
+ ctx->established = 1;
|
||||
if (mech_type != NULL)
|
||||
*mech_type = (gss_OID)gss_mech_krb5;
|
||||
}
|
||||
@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
|
||||
int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
|
||||
|
||||
if (initialContextToken) {
|
||||
- code = iakerb_alloc_context(&ctx);
|
||||
+ code = iakerb_alloc_context(&ctx, 1);
|
||||
if (code != 0) {
|
||||
*minor_status = code;
|
||||
goto cleanup;
|
||||
@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
|
||||
ret_flags,
|
||||
time_rec,
|
||||
&exts);
|
||||
- if (major_status == GSS_S_COMPLETE) {
|
||||
- *context_handle = ctx->gssc;
|
||||
- ctx->gssc = GSS_C_NO_CONTEXT;
|
||||
- iakerb_release_context(ctx);
|
||||
- }
|
||||
+ if (major_status == GSS_S_COMPLETE)
|
||||
+ ctx->established = 1;
|
||||
if (actual_mech_type != NULL)
|
||||
*actual_mech_type = (gss_OID)gss_mech_krb5;
|
||||
} else {
|
||||
@@ -1010,3 +995,309 @@ cleanup:
|
||||
|
||||
return major_status;
|
||||
}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_buffer_t input_message_buffer,
|
||||
+ gss_buffer_t output_message_buffer, int *conf_state,
|
||||
+ gss_qop_t *qop_state)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
|
||||
+ output_message_buffer, conf_state, qop_state);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int conf_req_flag, gss_qop_t qop_req,
|
||||
+ gss_buffer_t input_message_buffer, int *conf_state,
|
||||
+ gss_buffer_t output_message_buffer)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
|
||||
+ input_message_buffer, conf_state,
|
||||
+ output_message_buffer);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_process_context_token(OM_uint32 *minor_status,
|
||||
+ const gss_ctx_id_t context_handle,
|
||||
+ const gss_buffer_t token_buffer)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_DEFECTIVE_TOKEN;
|
||||
+
|
||||
+ return krb5_gss_process_context_token(minor_status, ctx->gssc,
|
||||
+ token_buffer);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ OM_uint32 *time_rec)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
|
||||
+}
|
||||
+
|
||||
+#ifndef LEAN_CLIENT
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t *context_handle,
|
||||
+ gss_buffer_t interprocess_token)
|
||||
+{
|
||||
+ OM_uint32 maj;
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ /* We don't currently support exporting partially established contexts. */
|
||||
+ if (!ctx->established)
|
||||
+ return GSS_S_UNAVAILABLE;
|
||||
+
|
||||
+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
|
||||
+ interprocess_token);
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT) {
|
||||
+ iakerb_release_context(ctx);
|
||||
+ *context_handle = GSS_C_NO_CONTEXT;
|
||||
+ }
|
||||
+ return maj;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Until we implement partial context exports, there are no SPNEGO exported
|
||||
+ * context tokens, only tokens for the underlying krb5 context. So we do not
|
||||
+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
|
||||
+ * unreachable except via a manually constructed token.
|
||||
+ */
|
||||
+
|
||||
+#endif /* LEAN_CLIENT */
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_inquire_context(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, gss_name_t *src_name,
|
||||
+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
|
||||
+ gss_OID *mech_type, OM_uint32 *ctx_flags,
|
||||
+ int *initiate, int *opened)
|
||||
+{
|
||||
+ OM_uint32 ret;
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (src_name != NULL)
|
||||
+ *src_name = GSS_C_NO_NAME;
|
||||
+ if (targ_name != NULL)
|
||||
+ *targ_name = GSS_C_NO_NAME;
|
||||
+ if (lifetime_rec != NULL)
|
||||
+ *lifetime_rec = 0;
|
||||
+ if (mech_type != NULL)
|
||||
+ *mech_type = (gss_OID)gss_mech_iakerb;
|
||||
+ if (ctx_flags != NULL)
|
||||
+ *ctx_flags = 0;
|
||||
+ if (initiate != NULL)
|
||||
+ *initiate = ctx->initiate;
|
||||
+ if (opened != NULL)
|
||||
+ *opened = ctx->established;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_COMPLETE;
|
||||
+
|
||||
+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
|
||||
+ targ_name, lifetime_rec, mech_type,
|
||||
+ ctx_flags, initiate, opened);
|
||||
+
|
||||
+ if (!ctx->established) {
|
||||
+ /* Report IAKERB as the mech OID until the context is established. */
|
||||
+ if (mech_type != NULL)
|
||||
+ *mech_type = (gss_OID)gss_mech_iakerb;
|
||||
+
|
||||
+ /* We don't support exporting partially-established contexts. */
|
||||
+ if (ctx_flags != NULL)
|
||||
+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, int conf_req_flag,
|
||||
+ gss_qop_t qop_req, OM_uint32 req_output_size,
|
||||
+ OM_uint32 *max_input_size)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
|
||||
+ qop_req, req_output_size, max_input_size);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t qop_req, gss_buffer_t message_buffer,
|
||||
+ gss_buffer_t message_token)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
|
||||
+ message_token);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
|
||||
+ gss_qop_t *qop_state)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
|
||||
+ token_buffer, qop_state);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
|
||||
+ const gss_ctx_id_t context_handle,
|
||||
+ const gss_OID desired_object,
|
||||
+ gss_buffer_set_t *data_set)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_UNAVAILABLE;
|
||||
+
|
||||
+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
|
||||
+ desired_object, data_set);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t *context_handle,
|
||||
+ const gss_OID desired_object,
|
||||
+ const gss_buffer_t value)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
|
||||
+
|
||||
+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_UNAVAILABLE;
|
||||
+
|
||||
+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
|
||||
+ desired_object, value);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
|
||||
+ conf_state, iov, iov_count);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int *conf_state, gss_qop_t *qop_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
|
||||
+ iov, iov_count);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, int conf_req_flag,
|
||||
+ gss_qop_t qop_req, int *conf_state,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
|
||||
+ qop_req, conf_state, iov, iov_count);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ int prf_key, const gss_buffer_t prf_in,
|
||||
+ ssize_t desired_output_len, gss_buffer_t prf_out)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
|
||||
+ desired_output_len, prf_out);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
|
||||
+ int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
|
||||
+ iov_count);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
|
||||
+ int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
|
||||
+ iov_count);
|
||||
+}
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
|
||||
+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
|
||||
+ gss_iov_buffer_desc *iov, int iov_count)
|
||||
+{
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
|
||||
+ return GSS_S_NO_CONTEXT;
|
||||
+
|
||||
+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
|
||||
+ iov_count);
|
||||
+}
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -1,134 +0,0 @@
|
||||
From aa769c8c6905d1abfac66d4d1b0fc73740ccbe7d Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 14 Nov 2015 02:47:04 -0500
|
||||
Subject: [PATCH 4/4] Fix IAKERB context export/import [CVE-2015-2698]
|
||||
|
||||
The patches for CVE-2015-2696 contained a regression in the newly
|
||||
added IAKERB iakerb_gss_export_sec_context() function, which could
|
||||
cause it to corrupt memory. Fix the regression by properly
|
||||
dereferencing the context_handle pointer before casting it.
|
||||
|
||||
Also, the patches did not implement an IAKERB gss_import_sec_context()
|
||||
function, under the erroneous belief that an exported IAKERB context
|
||||
would be tagged as a krb5 context. Implement it now to allow IAKERB
|
||||
contexts to be successfully exported and imported after establishment.
|
||||
|
||||
CVE-2015-2698:
|
||||
|
||||
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
|
||||
application which calls gss_export_sec_context() may experience memory
|
||||
corruption if the context was established using the IAKERB mechanism.
|
||||
Historically, some vulnerabilities of this nature can be translated
|
||||
into remote code execution, though the necessary exploits must be
|
||||
tailored to the individual application and are usually quite
|
||||
complicated.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
ticket: 8273 (new)
|
||||
target_version: 1.14
|
||||
tags: pullup
|
||||
|
||||
Backport upstream commit:
|
||||
https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
|
||||
|
||||
Upstream-Status: Backport
|
||||
---
|
||||
src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
|
||||
src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
|
||||
src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
|
||||
3 files changed, 41 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
index 05dc321..ac53662 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
|
||||
iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t *context_handle,
|
||||
gss_buffer_t interprocess_token);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
|
||||
+ const gss_buffer_t interprocess_token,
|
||||
+ gss_ctx_id_t *context_handle);
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
OM_uint32 KRB5_CALLCONV
|
||||
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
index 9a23656..d7ba279 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
|
||||
NULL,
|
||||
#else
|
||||
iakerb_gss_export_sec_context,
|
||||
- NULL,
|
||||
+ iakerb_gss_import_sec_context,
|
||||
#endif
|
||||
krb5_gss_inquire_cred_by_mech,
|
||||
krb5_gss_inquire_names_for_mech,
|
||||
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
|
||||
index 4662bd9..48beaee 100644
|
||||
--- a/src/lib/gssapi/krb5/iakerb.c
|
||||
+++ b/src/lib/gssapi/krb5/iakerb.c
|
||||
@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
gss_buffer_t interprocess_token)
|
||||
{
|
||||
OM_uint32 maj;
|
||||
- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
|
||||
|
||||
/* We don't currently support exporting partially established contexts. */
|
||||
if (!ctx->established)
|
||||
@@ -1076,13 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
return maj;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Until we implement partial context exports, there are no SPNEGO exported
|
||||
- * context tokens, only tokens for the underlying krb5 context. So we do not
|
||||
- * need to implement an iakerb_gss_import_sec_context() yet; it would be
|
||||
- * unreachable except via a manually constructed token.
|
||||
- */
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
|
||||
+ gss_buffer_t interprocess_token,
|
||||
+ gss_ctx_id_t *context_handle)
|
||||
+{
|
||||
+ OM_uint32 maj, tmpmin;
|
||||
+ krb5_error_code code;
|
||||
+ gss_ctx_id_t gssc;
|
||||
+ krb5_gss_ctx_id_t kctx;
|
||||
+ iakerb_ctx_id_t ctx;
|
||||
+
|
||||
+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
|
||||
+ if (maj != GSS_S_COMPLETE)
|
||||
+ return maj;
|
||||
+ kctx = (krb5_gss_ctx_id_t)gssc;
|
||||
+
|
||||
+ if (!kctx->established) {
|
||||
+ /* We don't currently support importing partially established
|
||||
+ * contexts. */
|
||||
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
|
||||
+ code = iakerb_alloc_context(&ctx, kctx->initiate);
|
||||
+ if (code != 0) {
|
||||
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
|
||||
+ *minor_status = code;
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ ctx->gssc = gssc;
|
||||
+ ctx->established = 1;
|
||||
+ *context_handle = (gss_ctx_id_t)ctx;
|
||||
+ return GSS_S_COMPLETE;
|
||||
+}
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
OM_uint32 KRB5_CALLCONV
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -1,572 +0,0 @@
|
||||
From 884913e807414a1e06245918dea71243c5fdd0e6 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Williams <nico@twosigma.com>
|
||||
Date: Mon, 14 Sep 2015 12:27:52 -0400
|
||||
Subject: [PATCH 1/4] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
|
||||
|
||||
The SPNEGO mechanism currently replaces its context handle with the
|
||||
mechanism context handle upon establishment, under the assumption that
|
||||
most GSS functions are only called after context establishment. This
|
||||
assumption is incorrect, and can lead to aliasing violations for some
|
||||
programs. Maintain the SPNEGO context structure after context
|
||||
establishment and refer to it in all GSS methods. Add initiate and
|
||||
opened flags to the SPNEGO context structure for use in
|
||||
gss_inquire_context() prior to context establishment.
|
||||
|
||||
CVE-2015-2695:
|
||||
|
||||
In MIT krb5 1.5 and later, applications which call
|
||||
gss_inquire_context() on a partially-established SPNEGO context can
|
||||
cause the GSS-API library to read from a pointer using the wrong type,
|
||||
generally causing a process crash. This bug may go unnoticed, because
|
||||
the most common SPNEGO authentication scenario establishes the context
|
||||
after just one call to gss_accept_sec_context(). Java server
|
||||
applications using the native JGSS provider are vulnerable to this
|
||||
bug. A carefully crafted SPNEGO packet might allow the
|
||||
gss_inquire_context() call to succeed with attacker-determined
|
||||
results, but applications should not make access control decisions
|
||||
based on gss_inquire_context() results prior to context establishment.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
|
||||
behavior changes; commit message and CVE description]
|
||||
|
||||
ticket: 8244
|
||||
target_version: 1.14
|
||||
tags: pullup
|
||||
|
||||
Backport upstream commit:
|
||||
https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
|
||||
|
||||
Upstream-Status: Backport
|
||||
---
|
||||
src/lib/gssapi/spnego/gssapiP_spnego.h | 2 +
|
||||
src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++---------
|
||||
2 files changed, 192 insertions(+), 64 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
|
||||
index bc23f56..8e05736 100644
|
||||
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
|
||||
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
|
||||
@@ -102,6 +102,8 @@ typedef struct {
|
||||
int firstpass;
|
||||
int mech_complete;
|
||||
int nego_done;
|
||||
+ int initiate;
|
||||
+ int opened;
|
||||
OM_uint32 ctx_flags;
|
||||
gss_name_t internal_name;
|
||||
gss_OID actual_mech;
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index f9248ab..3423f22 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -101,7 +101,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
|
||||
gss_cred_usage_t, gss_OID_set *);
|
||||
static void release_spnego_ctx(spnego_gss_ctx_id_t *);
|
||||
static void check_spnego_options(spnego_gss_ctx_id_t);
|
||||
-static spnego_gss_ctx_id_t create_spnego_ctx(void);
|
||||
+static spnego_gss_ctx_id_t create_spnego_ctx(int);
|
||||
static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
|
||||
static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
|
||||
static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
|
||||
@@ -439,7 +439,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
|
||||
}
|
||||
|
||||
static spnego_gss_ctx_id_t
|
||||
-create_spnego_ctx(void)
|
||||
+create_spnego_ctx(int initiate)
|
||||
{
|
||||
spnego_gss_ctx_id_t spnego_ctx = NULL;
|
||||
spnego_ctx = (spnego_gss_ctx_id_t)
|
||||
@@ -462,6 +462,8 @@ create_spnego_ctx(void)
|
||||
spnego_ctx->mic_rcvd = 0;
|
||||
spnego_ctx->mech_complete = 0;
|
||||
spnego_ctx->nego_done = 0;
|
||||
+ spnego_ctx->opened = 0;
|
||||
+ spnego_ctx->initiate = initiate;
|
||||
spnego_ctx->internal_name = GSS_C_NO_NAME;
|
||||
spnego_ctx->actual_mech = GSS_C_NO_OID;
|
||||
|
||||
@@ -627,7 +629,7 @@ init_ctx_new(OM_uint32 *minor_status,
|
||||
OM_uint32 ret;
|
||||
spnego_gss_ctx_id_t sc = NULL;
|
||||
|
||||
- sc = create_spnego_ctx();
|
||||
+ sc = create_spnego_ctx(1);
|
||||
if (sc == NULL)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
@@ -644,10 +646,7 @@ init_ctx_new(OM_uint32 *minor_status,
|
||||
ret = GSS_S_FAILURE;
|
||||
goto cleanup;
|
||||
}
|
||||
- /*
|
||||
- * The actual context is not yet determined, set the output
|
||||
- * context handle to refer to the spnego context itself.
|
||||
- */
|
||||
+
|
||||
sc->ctx_handle = GSS_C_NO_CONTEXT;
|
||||
*ctx = (gss_ctx_id_t)sc;
|
||||
sc = NULL;
|
||||
@@ -1088,16 +1087,11 @@ cleanup:
|
||||
}
|
||||
gss_release_buffer(&tmpmin, &mechtok_out);
|
||||
if (ret == GSS_S_COMPLETE) {
|
||||
- /*
|
||||
- * Now, switch the output context to refer to the
|
||||
- * negotiated mechanism's context.
|
||||
- */
|
||||
- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
|
||||
+ spnego_ctx->opened = 1;
|
||||
if (actual_mech != NULL)
|
||||
*actual_mech = spnego_ctx->actual_mech;
|
||||
if (ret_flags != NULL)
|
||||
*ret_flags = spnego_ctx->ctx_flags;
|
||||
- release_spnego_ctx(&spnego_ctx);
|
||||
} else if (ret != GSS_S_CONTINUE_NEEDED) {
|
||||
if (spnego_ctx != NULL) {
|
||||
gss_delete_sec_context(&tmpmin,
|
||||
@@ -1341,7 +1335,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
|
||||
if (ret != GSS_S_COMPLETE)
|
||||
goto cleanup;
|
||||
|
||||
- sc = create_spnego_ctx();
|
||||
+ sc = create_spnego_ctx(0);
|
||||
if (sc == NULL) {
|
||||
ret = GSS_S_FAILURE;
|
||||
goto cleanup;
|
||||
@@ -1423,7 +1417,7 @@ acc_ctx_new(OM_uint32 *minor_status,
|
||||
gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
|
||||
assert(mech_wanted != GSS_C_NO_OID);
|
||||
} else
|
||||
- sc = create_spnego_ctx();
|
||||
+ sc = create_spnego_ctx(0);
|
||||
if (sc == NULL) {
|
||||
ret = GSS_S_FAILURE;
|
||||
*return_token = NO_TOKEN_SEND;
|
||||
@@ -1806,13 +1800,12 @@ cleanup:
|
||||
ret = GSS_S_FAILURE;
|
||||
}
|
||||
if (ret == GSS_S_COMPLETE) {
|
||||
- *context_handle = (gss_ctx_id_t)sc->ctx_handle;
|
||||
+ sc->opened = 1;
|
||||
if (sc->internal_name != GSS_C_NO_NAME &&
|
||||
src_name != NULL) {
|
||||
*src_name = sc->internal_name;
|
||||
sc->internal_name = GSS_C_NO_NAME;
|
||||
}
|
||||
- release_spnego_ctx(&sc);
|
||||
} else if (ret != GSS_S_CONTINUE_NEEDED) {
|
||||
if (sc != NULL) {
|
||||
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
||||
@@ -2125,8 +2118,13 @@ spnego_gss_unwrap(
|
||||
gss_qop_t *qop_state)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_unwrap(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
input_message_buffer,
|
||||
output_message_buffer,
|
||||
conf_state,
|
||||
@@ -2146,8 +2144,13 @@ spnego_gss_wrap(
|
||||
gss_buffer_t output_message_buffer)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_wrap(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_req_flag,
|
||||
qop_req,
|
||||
input_message_buffer,
|
||||
@@ -2164,8 +2167,14 @@ spnego_gss_process_context_token(
|
||||
const gss_buffer_t token_buffer)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ /* SPNEGO doesn't have its own context tokens. */
|
||||
+ if (!sc->opened)
|
||||
+ return (GSS_S_DEFECTIVE_TOKEN);
|
||||
+
|
||||
ret = gss_process_context_token(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
token_buffer);
|
||||
|
||||
return (ret);
|
||||
@@ -2189,19 +2198,9 @@ spnego_gss_delete_sec_context(
|
||||
if (*ctx == NULL)
|
||||
return (GSS_S_COMPLETE);
|
||||
|
||||
- /*
|
||||
- * If this is still an SPNEGO mech, release it locally.
|
||||
- */
|
||||
- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
|
||||
- (void) gss_delete_sec_context(minor_status,
|
||||
- &(*ctx)->ctx_handle,
|
||||
- output_token);
|
||||
- (void) release_spnego_ctx(ctx);
|
||||
- } else {
|
||||
- ret = gss_delete_sec_context(minor_status,
|
||||
- context_handle,
|
||||
- output_token);
|
||||
- }
|
||||
+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
|
||||
+ output_token);
|
||||
+ (void) release_spnego_ctx(ctx);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -2213,8 +2212,13 @@ spnego_gss_context_time(
|
||||
OM_uint32 *time_rec)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_context_time(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
time_rec);
|
||||
return (ret);
|
||||
}
|
||||
@@ -2226,9 +2230,20 @@ spnego_gss_export_sec_context(
|
||||
gss_buffer_t interprocess_token)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
|
||||
+
|
||||
+ /* We don't currently support exporting partially established
|
||||
+ * contexts. */
|
||||
+ if (!sc->opened)
|
||||
+ return GSS_S_UNAVAILABLE;
|
||||
+
|
||||
ret = gss_export_sec_context(minor_status,
|
||||
- context_handle,
|
||||
+ &sc->ctx_handle,
|
||||
interprocess_token);
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
|
||||
+ release_spnego_ctx(&sc);
|
||||
+ *context_handle = GSS_C_NO_CONTEXT;
|
||||
+ }
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@@ -2238,11 +2253,12 @@ spnego_gss_import_sec_context(
|
||||
const gss_buffer_t interprocess_token,
|
||||
gss_ctx_id_t *context_handle)
|
||||
{
|
||||
- OM_uint32 ret;
|
||||
- ret = gss_import_sec_context(minor_status,
|
||||
- interprocess_token,
|
||||
- context_handle);
|
||||
- return (ret);
|
||||
+ /*
|
||||
+ * Until we implement partial context exports, there are no SPNEGO
|
||||
+ * exported context tokens, only tokens for underlying mechs. So just
|
||||
+ * return an error for now.
|
||||
+ */
|
||||
+ return GSS_S_UNAVAILABLE;
|
||||
}
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
@@ -2259,16 +2275,48 @@ spnego_gss_inquire_context(
|
||||
int *opened)
|
||||
{
|
||||
OM_uint32 ret = GSS_S_COMPLETE;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (src_name != NULL)
|
||||
+ *src_name = GSS_C_NO_NAME;
|
||||
+ if (targ_name != NULL)
|
||||
+ *targ_name = GSS_C_NO_NAME;
|
||||
+ if (lifetime_rec != NULL)
|
||||
+ *lifetime_rec = 0;
|
||||
+ if (mech_type != NULL)
|
||||
+ *mech_type = (gss_OID)gss_mech_spnego;
|
||||
+ if (ctx_flags != NULL)
|
||||
+ *ctx_flags = 0;
|
||||
+ if (locally_initiated != NULL)
|
||||
+ *locally_initiated = sc->initiate;
|
||||
+ if (opened != NULL)
|
||||
+ *opened = sc->opened;
|
||||
+
|
||||
+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
|
||||
+ ret = gss_inquire_context(minor_status, sc->ctx_handle,
|
||||
+ src_name, targ_name, lifetime_rec,
|
||||
+ mech_type, ctx_flags, NULL, NULL);
|
||||
+ }
|
||||
|
||||
- ret = gss_inquire_context(minor_status,
|
||||
- context_handle,
|
||||
- src_name,
|
||||
- targ_name,
|
||||
- lifetime_rec,
|
||||
- mech_type,
|
||||
- ctx_flags,
|
||||
- locally_initiated,
|
||||
- opened);
|
||||
+ if (!sc->opened) {
|
||||
+ /*
|
||||
+ * We are still doing SPNEGO negotiation, so report SPNEGO as
|
||||
+ * the OID. After negotiation is complete we will report the
|
||||
+ * underlying mechanism OID.
|
||||
+ */
|
||||
+ if (mech_type != NULL)
|
||||
+ *mech_type = (gss_OID)gss_mech_spnego;
|
||||
+
|
||||
+ /*
|
||||
+ * Remove flags we don't support with partially-established
|
||||
+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add
|
||||
+ * support for exporting partial SPNEGO contexts.)
|
||||
+ */
|
||||
+ if (ctx_flags != NULL) {
|
||||
+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG;
|
||||
+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -2283,8 +2331,13 @@ spnego_gss_wrap_size_limit(
|
||||
OM_uint32 *max_input_size)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_wrap_size_limit(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_req_flag,
|
||||
qop_req,
|
||||
req_output_size,
|
||||
@@ -2301,8 +2354,13 @@ spnego_gss_get_mic(
|
||||
gss_buffer_t message_token)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_get_mic(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
qop_req,
|
||||
message_buffer,
|
||||
message_token);
|
||||
@@ -2318,8 +2376,13 @@ spnego_gss_verify_mic(
|
||||
gss_qop_t *qop_state)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_verify_mic(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
msg_buffer,
|
||||
token_buffer,
|
||||
qop_state);
|
||||
@@ -2334,8 +2397,14 @@ spnego_gss_inquire_sec_context_by_oid(
|
||||
gss_buffer_set_t *data_set)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ /* There are no SPNEGO-specific OIDs for this function. */
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_UNAVAILABLE);
|
||||
+
|
||||
ret = gss_inquire_sec_context_by_oid(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
desired_object,
|
||||
data_set);
|
||||
return (ret);
|
||||
@@ -2404,8 +2473,15 @@ spnego_gss_set_sec_context_option(
|
||||
const gss_buffer_t value)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
|
||||
+
|
||||
+ /* There are no SPNEGO-specific OIDs for this function, and we cannot
|
||||
+ * construct an empty SPNEGO context with it. */
|
||||
+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_UNAVAILABLE);
|
||||
+
|
||||
ret = gss_set_sec_context_option(minor_status,
|
||||
- context_handle,
|
||||
+ &sc->ctx_handle,
|
||||
desired_object,
|
||||
value);
|
||||
return (ret);
|
||||
@@ -2422,8 +2498,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
|
||||
gss_buffer_t output_message_buffer)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_wrap_aead(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_req_flag,
|
||||
qop_req,
|
||||
input_assoc_buffer,
|
||||
@@ -2444,8 +2525,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
|
||||
gss_qop_t *qop_state)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_unwrap_aead(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
input_message_buffer,
|
||||
input_assoc_buffer,
|
||||
output_payload_buffer,
|
||||
@@ -2464,8 +2550,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
|
||||
int iov_count)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_wrap_iov(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_req_flag,
|
||||
qop_req,
|
||||
conf_state,
|
||||
@@ -2483,8 +2574,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
|
||||
int iov_count)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_unwrap_iov(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_state,
|
||||
qop_state,
|
||||
iov,
|
||||
@@ -2502,8 +2598,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
|
||||
int iov_count)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_wrap_iov_length(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
conf_req_flag,
|
||||
qop_req,
|
||||
conf_state,
|
||||
@@ -2520,8 +2621,13 @@ spnego_gss_complete_auth_token(
|
||||
gss_buffer_t input_message_buffer)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_UNAVAILABLE);
|
||||
+
|
||||
ret = gss_complete_auth_token(minor_status,
|
||||
- context_handle,
|
||||
+ sc->ctx_handle,
|
||||
input_message_buffer);
|
||||
return (ret);
|
||||
}
|
||||
@@ -2773,8 +2879,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
|
||||
gss_buffer_t prf_out)
|
||||
{
|
||||
OM_uint32 ret;
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
ret = gss_pseudo_random(minor_status,
|
||||
- context,
|
||||
+ sc->ctx_handle,
|
||||
prf_key,
|
||||
prf_in,
|
||||
desired_output_len,
|
||||
@@ -2915,7 +3026,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
gss_qop_t qop_req, gss_iov_buffer_desc *iov,
|
||||
int iov_count)
|
||||
{
|
||||
- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
|
||||
iov_count);
|
||||
}
|
||||
|
||||
@@ -2924,7 +3040,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
|
||||
gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
|
||||
int iov_count)
|
||||
{
|
||||
- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
|
||||
iov_count);
|
||||
}
|
||||
|
||||
@@ -2933,7 +3054,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t context_handle, gss_qop_t qop_req,
|
||||
gss_iov_buffer_desc *iov, int iov_count)
|
||||
{
|
||||
- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
|
||||
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
|
||||
+
|
||||
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
|
||||
+ return (GSS_S_NO_CONTEXT);
|
||||
+
|
||||
+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
|
||||
iov_count);
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -1,58 +0,0 @@
|
||||
From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 25 Sep 2015 12:51:47 -0400
|
||||
Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697]
|
||||
|
||||
In build_principal_va(), use k5memdup0() instead of strdup() to make a
|
||||
copy of the realm, to ensure that we allocate the correct number of
|
||||
bytes and do not read past the end of the input string. This bug
|
||||
affects krb5_build_principal(), krb5_build_principal_va(), and
|
||||
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
|
||||
affected.
|
||||
|
||||
CVE-2015-2697:
|
||||
|
||||
In MIT krb5 1.7 and later, an authenticated attacker may be able to
|
||||
cause a KDC to crash using a TGS request with a large realm field
|
||||
beginning with a null byte. If the KDC attempts to find a referral to
|
||||
answer the request, it constructs a principal name for lookup using
|
||||
krb5_build_principal() with the requested realm. Due to a bug in this
|
||||
function, the null byte causes only one byte be allocated for the
|
||||
realm field of the constructed principal, far less than its length.
|
||||
Subsequent operations on the lookup principal may cause a read beyond
|
||||
the end of the mapped memory region, causing the KDC process to crash.
|
||||
|
||||
CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
ticket: 8252 (new)
|
||||
target_version: 1.14
|
||||
tags: pullup
|
||||
|
||||
Backport upstream commit:
|
||||
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
|
||||
|
||||
Upstream-Status: Backport
|
||||
---
|
||||
src/lib/krb5/krb/bld_princ.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
|
||||
index ab6fed8..8604268 100644
|
||||
--- a/src/lib/krb5/krb/bld_princ.c
|
||||
+++ b/src/lib/krb5/krb/bld_princ.c
|
||||
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
|
||||
data = malloc(size * sizeof(krb5_data));
|
||||
if (!data) { retval = ENOMEM; }
|
||||
|
||||
- if (!retval) {
|
||||
- r = strdup(realm);
|
||||
- if (!r) { retval = ENOMEM; }
|
||||
- }
|
||||
+ if (!retval)
|
||||
+ r = k5memdup0(realm, rlen, &retval);
|
||||
|
||||
while (!retval && (component = va_arg(ap, char *))) {
|
||||
if (count == size) {
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -1,36 +0,0 @@
|
||||
Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
|
||||
From: Greg Hudson
|
||||
|
||||
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
|
||||
if there is an empty string in the db_args array. Check for this case
|
||||
and avoid dereferencing a null pointer.
|
||||
|
||||
CVE-2016-3119:
|
||||
|
||||
In MIT krb5 1.6 and later, an authenticated attacker with permission
|
||||
to modify a principal entry can cause kadmind to dereference a null
|
||||
pointer by supplying an empty DB argument to the modify_principal
|
||||
command, if kadmind is configured to use the LDAP KDB module.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
|
||||
|
||||
ticket: 8383 (new)
|
||||
target_version: 1.14-next
|
||||
target_version: 1.13-next
|
||||
tags: pullup
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
|
||||
Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
===================================================================
|
||||
--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
|
||||
+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800
|
||||
@@ -267,6 +267,7 @@
|
||||
if (db_args) {
|
||||
for (i=0; db_args[i]; ++i) {
|
||||
arg = strtok_r(db_args[i], "=", &arg_val);
|
||||
+ arg = (arg != NULL) ? arg : "";
|
||||
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
|
||||
dptr = &xargs->tktpolicydn;
|
||||
} else {
|
||||
@@ -1,63 +0,0 @@
|
||||
From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 19 Jul 2016 11:00:28 -0400
|
||||
Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
|
||||
|
||||
cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
|
||||
|
||||
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
|
||||
use client.princ instead of request->client; the latter is NULL when
|
||||
validating S4U2Self requests.
|
||||
|
||||
CVE-2016-3120:
|
||||
|
||||
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
|
||||
to dereference a null pointer if the restrict_anonymous_to_tgt option
|
||||
is set to true, by making an S4U2Self request.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
|
||||
|
||||
ticket: 8458 (new)
|
||||
target_version: 1.14-next
|
||||
target_version: 1.13-next
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
|
||||
---
|
||||
src/kdc/kdc_util.c | 2 +-
|
||||
src/tests/t_pkinit.py | 5 +++++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index 48be1ae..10daec4 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
|
||||
return(KDC_ERR_MUST_USE_USER2USER);
|
||||
}
|
||||
|
||||
- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
|
||||
+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
|
||||
*status = "ANONYMOUS NOT ALLOWED";
|
||||
return(KDC_ERR_POLICY);
|
||||
}
|
||||
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
||||
index 762e322..d27d05b 100644
|
||||
--- a/src/tests/t_pkinit.py
|
||||
+++ b/src/tests/t_pkinit.py
|
||||
@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
|
||||
if 'KDC policy rejects request' not in out:
|
||||
fail('Wrong error for restricted anonymous PKINIT')
|
||||
|
||||
+# Regression test for #8458: S4U2Self requests crash the KDC if
|
||||
+# anonymous is restricted.
|
||||
+realm.kinit(realm.host_princ, flags=['-k'])
|
||||
+realm.run([kvno, '-U', 'user', realm.host_princ])
|
||||
+
|
||||
# Go back to a normal KDC and disable anonymous PKINIT.
|
||||
realm.stop_kdc()
|
||||
realm.start_kdc()
|
||||
--
|
||||
2.5.0
|
||||
|
||||
@@ -14,19 +14,15 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
|
||||
HOMEPAGE = "http://web.mit.edu/Kerberos/"
|
||||
SECTION = "console/network"
|
||||
LICENSE = "MIT"
|
||||
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
|
||||
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=c6f37efad53b098e420f45e7ab6807dc"
|
||||
DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
|
||||
|
||||
inherit autotools-brokensep binconfig perlnative systemd
|
||||
|
||||
SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
|
||||
SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
|
||||
SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
|
||||
file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
|
||||
file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
|
||||
file://Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch;striplevel=2 \
|
||||
file://Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch;striplevel=2 \
|
||||
file://Fix-build_principal-memory-bug-CVE-2015-2697.patch;striplevel=2 \
|
||||
file://Fix-IAKERB-context-export-import-CVE-2015-2698.patch;striplevel=2 \
|
||||
file://crosscompile_nm.patch \
|
||||
file://etc/init.d/krb5-kdc \
|
||||
file://etc/init.d/krb5-admin-server \
|
||||
@@ -34,12 +30,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
|
||||
file://etc/default/krb5-admin-server \
|
||||
file://krb5-kdc.service \
|
||||
file://krb5-admin-server.service \
|
||||
file://krb5-CVE-2016-3119.patch;striplevel=2 \
|
||||
file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
|
||||
file://krb5-CVE-2016-3120.patch;striplevel=2 \
|
||||
"
|
||||
SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
|
||||
SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
|
||||
SRC_URI[md5sum] = "6164ca9c075b4ecc68eadd6d13040417"
|
||||
SRC_URI[sha256sum] = "9c0a46b8918237a53916370d2e02298c2b294f55f0351f9404e18930bc26badc"
|
||||
|
||||
S = "${WORKDIR}/${BP}/src"
|
||||
|
||||
@@ -68,16 +61,6 @@ FILES_${PN}-dbg += "${libdir}/krb5/plugins/*/.debug"
|
||||
# As this recipe doesn't inherit update-rc.d, we need to add this dependency here
|
||||
RDEPENDS_${PN}_class-target += "initscripts-functions"
|
||||
|
||||
krb5_do_unpack() {
|
||||
# ${P}-signed.tar contains ${P}.tar.gz.asc and ${P}.tar.gz
|
||||
tar xzf ${WORKDIR}/${BP}.tar.gz -C ${WORKDIR}/
|
||||
}
|
||||
|
||||
python do_unpack() {
|
||||
bb.build.exec_func('base_do_unpack', d)
|
||||
bb.build.exec_func('krb5_do_unpack', d)
|
||||
}
|
||||
|
||||
do_configure() {
|
||||
gnu-configize --force
|
||||
autoreconf
|
||||
Reference in New Issue
Block a user