Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in 
at 2016-01-13 22:43:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and      /work/SRC/openSUSE:Factory/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "krb5"

Changes:
--------
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes   2015-12-13 
09:38:30.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes      2016-01-13 
22:44:01.000000000 +0100
@@ -1,0 +2,119 @@
+Mon Jan 11 12:33:54 UTC 2016 - [email protected]
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - [email protected]
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
+-------------------------------------------------------------------
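Review bot: the Jan 11 entry says the two Fedora patches fix "two crashes" but records no upstream ticket or bug reference for either; the krb5-fix_interposer.patch header further down cites ticket 8280, so name it here (and whatever reference exists for krb5-mechglue_inqure_attrs.patch) the way the Dec 8 entry names krbdev.mit.edu-8301.patch. Two typos were also copied in with the upstream release notes: "keys will only created only for AES128 and AES256" (stray "only", missing "be") and "using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED".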
@@ -4 +123,6 @@
-- Udapte to 1.13.3
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
@@ -22 +146,19 @@
-Mon Jun  1 07:38:15 UTC 2015 - [email protected]
+Tue Nov 10 14:57:01 UTC 2015 - [email protected]
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  to fix a memory corruption regression introduced by resolution of
+  CVE-2015-2698. bsc#954204
+
+-------------------------------------------------------------------
+Wed Oct 28 13:54:39 UTC 2015 - [email protected]
+
+- Make kadmin.local man page available without having to install krb5-client. 
bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+-------------------------------------------------------------------
+Mon Jun  1 07:31:52 UTC 2015 - [email protected]
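Review bot: the Nov 10 entry describes 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch as fixing a regression "introduced by resolution of CVE-2015-2698", which is circular: the patch that carries CVE-2015-2698 cannot fix a regression caused by resolving CVE-2015-2698. Name the earlier fix that introduced it instead; going by the Oct 28 entry in this same hunk, the IAKERB aliasing fix (0101, CVE-2015-2696) is the obvious candidate.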
@@ -25 +167 @@
-  embedded implementation before the seperation of libverto from krb.
+  preferred implementation before the seperation of libverto from krb.
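Review bot: "seperation" in the replacement line is a typo for "separation"; since the line is being rewritten anyway, fix it in the same change.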
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes        2015-12-13 
09:38:30.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes   2016-01-13 
22:44:01.000000000 +0100
@@ -1,0 +2,119 @@
+Mon Jan 11 12:33:54 UTC 2016 - [email protected]
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - [email protected]
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
+-------------------------------------------------------------------
@@ -4 +123 @@
-- Udapte to 1.13.3
+- Update to 1.13.3

Old:
----
  krb5-1.13.3.tar.gz
  krb5-1.13.3.tar.gz.asc
  krb5-kvno-230379.patch

New:
----
  krb5-1.14.tar.gz
  krb5-1.14.tar.gz.asc
  krb5-fix_interposer.patch
  krb5-mechglue_inqure_attrs.patch
  krbdev.mit.edu-8301.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.PnQjnV/_old  2016-01-13 22:44:03.000000000 +0100
+++ /var/tmp/diff_new_pack.PnQjnV/_new  2016-01-13 22:44:03.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 1
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,10 @@
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch14:        krbdev.mit.edu-8301.patch
+Patch15:        krb5-fix_interposer.patch
+Patch16:        krb5-mechglue_inqure_attrs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
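Review bot: the Patch14 slot is reused for an unrelated patch (krb5-kvno-230379.patch is dropped and krbdev.mit.edu-8301.patch takes its number), so the unchanged `%patch14 -p1` line below now applies a different patch than its history suggests; prefer a fresh number. Patch15 and Patch16 also lack the provenance comment Patch14 gets (`# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301`): record that they come from Fedora and, for krb5-fix_interposer.patch, upstream ticket 8280 from its header, so a later rebase can tell whether they are already in the release.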
@@ -201,6 +204,8 @@
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated
@@ -247,6 +252,9 @@
 cd ..
 %endif
 
+# Copy kadmin manual page into kadmin.local's due to the split between client 
and server package
+cp man/kadmin.man man/kadmin.local.8
+
 %install
 
 # Where per-user keytabs live by default.
@@ -349,6 +357,8 @@
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at 
build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.PnQjnV/_old  2016-01-13 22:44:03.000000000 +0100
+++ /var/tmp/diff_new_pack.PnQjnV/_new  2016-01-13 22:44:03.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 0
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,10 @@
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch14:        krbdev.mit.edu-8301.patch
+Patch15:        krb5-fix_interposer.patch
+Patch16:        krb5-mechglue_inqure_attrs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -201,6 +204,8 @@
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated
@@ -352,6 +357,8 @@
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at 
build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

++++++ krb5-1.13.3.tar.gz -> krb5-1.14.tar.gz ++++++
/work/SRC/openSUSE:Factory/krb5/krb5-1.13.3.tar.gz 
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.14.tar.gz differ: char 5, line 1

++++++ krb5-fix_interposer.patch ++++++
>From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers

This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.

[[email protected]: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]

ticket: 8280 (new)
---
 src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
 src/lib/gssapi/spnego/spnego_mech.c               | 35 +++++++-------
 2 files changed, 54 insertions(+), 39 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c 
b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
     gss_cred_id_t      cred = NULL;
     gss_OID            new_mechs_array = NULL;
     gss_cred_id_t *    new_cred_array = NULL;
+    gss_OID_set                target_mechs = GSS_C_NO_OID_SET;
+    gss_OID            selected_mech = GSS_C_NO_OID;
 
     status = val_add_cred_impersonate_name_args(minor_status,
                                                input_cred_handle,
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
     if (status != GSS_S_COMPLETE)
        return (status);
 
-    mech = gssint_get_mechanism(desired_mech);
+    status = gssint_select_mech_type(minor_status, desired_mech,
+                                    &selected_mech);
+    if (status != GSS_S_COMPLETE)
+       return status;
+
+    mech = gssint_get_mechanism(selected_mech);
     if (!mech)
        return GSS_S_BAD_MECH;
     else if (!mech->gss_acquire_cred)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
        internal_name = GSS_C_NO_NAME;
     } else {
        union_cred = (gss_union_cred_t)input_cred_handle;
-       if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
+       if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
            GSS_C_NO_CREDENTIAL)
            return (GSS_S_DUPLICATE_ELEMENT);
     }
 
     mech_impersonator_cred =
        gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
-                                 desired_mech);
+                                 selected_mech);
     if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
        return (GSS_S_NO_CRED);
 
     /* may need to create a mechanism specific name */
     union_name = (gss_union_name_t)desired_name;
     if (union_name->mech_type &&
-       g_OID_equal(union_name->mech_type,
-                   &mech->mech_type))
+       g_OID_equal(union_name->mech_type, selected_mech))
        internal_name = union_name->mech_name;
     else {
        if (gssint_import_internal_name(minor_status,
-                                       &mech->mech_type, union_name,
-                                       &allocated_name) != GSS_S_COMPLETE)
+                                       selected_mech, union_name,
+                                       &allocated_name) != GSS_S_COMPLETE)
            return (GSS_S_BAD_NAME);
        internal_name = allocated_name;
     }
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
     else
        time_req = 0;
 
+    status = gss_create_empty_oid_set(minor_status, &target_mechs);
+    if (status != GSS_S_COMPLETE)
+       goto errout;
+
+    status = gss_add_oid_set_member(minor_status,
+                                   gssint_get_public_oid(selected_mech),
+                                   &target_mechs);
+    if (status != GSS_S_COMPLETE)
+       goto errout;
+
     status = mech->gss_acquire_cred_impersonate_name(minor_status,
                                                     mech_impersonator_cred,
                                                     internal_name,
                                                     time_req,
-                                                    GSS_C_NULL_OID_SET,
+                                                    target_mechs,
                                                     cred_usage,
                                                     &cred,
                                                     NULL,
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
 
     new_cred_array[union_cred->count] = cred;
     if ((new_mechs_array[union_cred->count].elements =
-        malloc(mech->mech_type.length)) == NULL)
+        malloc(selected_mech->length)) == NULL)
        goto errout;
 
-    g_OID_copy(&new_mechs_array[union_cred->count],
-              &mech->mech_type);
+    g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
 
     if (actual_mechs != NULL) {
-       gss_OID_set_desc oids;
-
-       oids.count = union_cred->count + 1;
-       oids.elements = new_mechs_array;
-
-       status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+       status = gssint_make_public_oid_set(minor_status, new_mechs_array,
+                                           union_cred->count + 1,
+                                           actual_mechs);
        if (GSS_ERROR(status)) {
            free(new_mechs_array[union_cred->count].elements);
            goto errout;
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
     /* We're done with the internal name. Free it if we allocated it. */
 
     if (allocated_name)
-       (void) gssint_release_internal_name(&temp_minor_status,
-                                          &mech->mech_type,
+       (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
                                           &allocated_name);
 
+    if (target_mechs)
+       (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+
     return (GSS_S_COMPLETE);
 
 errout:
@@ -503,8 +517,10 @@ errout:
 
     if (allocated_name)
        (void) gssint_release_internal_name(&temp_minor_status,
-                                          &mech->mech_type,
-                                          &allocated_name);
+                                           selected_mech, &allocated_name);
+
+    if (target_mechs)
+       (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
 
     if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
        free(union_cred);
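Review bot: the success path in the previous hunk and this errout path now release allocated_name and target_mechs with near-identical code; funnelling the success path through a single cleanup label would keep a future resource from being freed on one path and leaked on the other. The target_mechs release here is what the `goto errout` paths added after gss_create_empty_oid_set()/gss_add_oid_set_member() rely on, so the two hunks must land together.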
diff --git a/src/lib/gssapi/spnego/spnego_mech.c 
b/src/lib/gssapi/spnego/spnego_mech.c
index e6703eb..28fb9b1 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 
*minor_status,
                                         gss_OID_set *actual_mechs,
                                         OM_uint32 *time_rec)
 {
-       OM_uint32 status;
+       OM_uint32 status, tmpmin;
        gss_OID_set amechs = GSS_C_NULL_OID_SET;
        spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
-       gss_cred_id_t imp_mcred, out_mcred;
+       gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
 
        dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
 
@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 
*minor_status,
 
        imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
        imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
-       if (desired_mechs == GSS_C_NO_OID_SET) {
-               status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
-                                         NULL, &amechs);
-               if (status != GSS_S_COMPLETE)
-                       return status;
-
-               desired_mechs = amechs;
-       }
+       status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+                                 NULL, &amechs);
+       if (status != GSS_S_COMPLETE)
+               return status;
 
        status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
                                                   desired_name, time_req,
-                                                  desired_mechs, cred_usage,
+                                                  amechs, cred_usage,
                                                   &out_mcred, actual_mechs,
                                                   time_rec);
-
-       if (amechs != GSS_C_NULL_OID_SET)
-               (void) gss_release_oid_set(minor_status, &amechs);
+       if (status != GSS_S_COMPLETE)
+               goto cleanup;
 
        status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
-       if (status != GSS_S_COMPLETE) {
-               gss_release_cred(minor_status, &out_mcred);
-               return (status);
-       }
+       if (status != GSS_S_COMPLETE)
+               goto cleanup;
+
+       out_mcred = GSS_C_NO_CREDENTIAL;
        *output_cred_handle = (gss_cred_id_t)out_spcred;
 
+cleanup:
+       (void) gss_release_oid_set(&tmpmin, &amechs);
+       (void) gss_release_cred(&tmpmin, &out_mcred);
+
        dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
        return (status);
 }
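Review bot: desired_mechs is now ignored entirely: the hunk removes the `if (desired_mechs == GSS_C_NO_OID_SET)` guard and always passes the set returned by gss_inquire_cred(imp_mcred) down as `amechs, cred_usage,`, so a caller that names specific mechanisms gets credentials for every mechanism of the impersonator credential instead. If that is intended (mirroring gss_acquire_cred_with_password() as the commit message says), say so in a comment at the call; otherwise intersect amechs with desired_mechs. Two smaller points: the early `return status` after gss_inquire_cred() fails skips the "Leaving" dsyslog, and `goto cleanup` would be harmless there since amechs is still GSS_C_NULL_OID_SET; and the unconditional `gss_release_cred(&tmpmin, &out_mcred)` in cleanup is exactly why out_mcred had to be initialised to GSS_C_NO_CREDENTIAL in the previous hunk, with the `out_mcred = GSS_C_NO_CREDENTIAL` after create_spnego_cred() correctly handing ownership to out_spcred.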
-- 
2.6.2

++++++ krb5-mechglue_inqure_attrs.patch ++++++
>From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <[email protected]>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()

This includes proper mechanism selection in gss_inquire_attrs_for_mech()
itself as well as passing the correct mech down from gss_accept_sec_context()
through allow_mech_by_default().

Also-authored-by: Simo Sorce <[email protected]>
---
 src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
 src/lib/gssapi/mechglue/g_mechattr.c           | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c 
b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..4a86024 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -245,7 +245,7 @@ gss_cred_id_t *             d_cred;
            status = GSS_S_NO_CRED;
            goto error_out;
        }
-    } else if (!allow_mech_by_default(selected_mech)) {
+    } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
        status = GSS_S_NO_CRED;
        goto error_out;
     }
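Review bot: allow_mech_by_default() now receives gssint_get_public_oid(selected_mech) rather than the selected (possibly interposer-specific) OID, which is what lets the default-mechanism check match the OIDs it compares against; a one-line comment here would stop the next reader from "simplifying" it back to `selected_mech`.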
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c 
b/src/lib/gssapi/mechglue/g_mechattr.c
index e9299f4..4bd44b5 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
 {
     OM_uint32       status, tmpMinor;
     gss_mechanism   mech;
+    gss_OID         selected_mech;
 
     if (minor == NULL)
         return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
     if (known_mech_attrs != NULL)
         *known_mech_attrs = GSS_C_NO_OID_SET;
 
-    mech = gssint_get_mechanism((gss_OID)mech_oid);
+    status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
+    if (status != GSS_S_COMPLETE)
+        return (status);
+
+    mech = gssint_get_mechanism(selected_mech);
     if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
         status = mech->gss_inquire_attrs_for_mech(minor,
                                                   mech_oid,
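Review bot: after selecting selected_mech, the call into the mechanism (context line `mech->gss_inquire_attrs_for_mech(minor, mech_oid, ...`) still passes the caller's mech_oid rather than selected_mech; check whether the mechanism expects its own OID there, for consistency with the g_accept_sec_context.c change in this same patch. selected_mech is declared uninitialised in the previous hunk and is only read after gssint_select_mech_type() succeeds, which is fine, but initialising it to GSS_C_NO_OID costs nothing.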
-- 
2.6.4


++++++ krbdev.mit.edu-8301.patch ++++++
--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c   
2015-11-20 21:28:42.000000000 +0100
+++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c        
2015-12-09 20:17:00.465765527 +0100
@@ -684,7 +684,7 @@
                 if (st == KRB5_KDB_NOENTRY || st == 
KRB5_KDB_CONSTRAINT_VIOLATION) {
                     int ost = st;
                     st = EINVAL;
-                    k5_prependmsg(context, ost, st, _("'%s' not found"),
+                    k5_wrapmsg(context, ost, st, _("'%s' not found"),
                                   xargs.containerdn);
                 }
                 goto cleanup;
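Review bot: this patch carries no header, unlike the other two, so nothing records why k5_wrapmsg is the right call here and k5_prependmsg the wrong one; the argument list (old code, new code, format, argument) is unchanged, so the whole fix is which function interprets those arguments. Add a short description with the upstream ticket the spec already links (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301) so a later rebase onto a release that includes the fix can drop the patch confidently.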
