Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package krb5 This version includes the upstream official patch for mitkrb5-sa-2015-001, a series of security vulnerabilities made public today. I've received permission from the security team to upload a backport of this patch to stable-security. diff --git a/debian/.git-dpm b/debian/.git-dpm index 423df28..237c3b1 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -877ad027ca2103f3ac2f581451fdd347a76b8981 -877ad027ca2103f3ac2f581451fdd347a76b8981 +769a3f26c919339002ef2936592a90d144d0e238 +769a3f26c919339002ef2936592a90d144d0e238 00dec38e79dd6436e9efed873df00e6ea11fdd0e 00dec38e79dd6436e9efed873df00e6ea11fdd0e krb5_1.12.1+dfsg.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index 226cc36..c8a284c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +krb5 (1.12.1+dfsg-17) unstable; urgency=high + + * MITKRB5-SA-2015-001 + - CVE-2014-5352: gss_process_context_token() incorrectly frees context + - CVE-2014-9421: kadmind doubly frees partial deserialization results + - CVE-2014-9422: kadmind incorrectly validates server principal name + - CVE-2014-9423: libgssrpc server applications leak uninitialized bytes + + + -- Sam Hartman <[email protected]> Tue, 03 Feb 2015 10:29:35 -0500 + krb5 (1.12.1+dfsg-16) unstable; urgency=medium * Import upstream patches for CVE-2014-5353 and CVE-2014-5354, diff --git a/debian/patches/series b/debian/patches/series index 9d19440..721cb89 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -26,3 +26,4 @@ upstream/0025-Fix-build-on-systems-without-RTM_OLD.patch upstream/0026-Remove-rtm_type_name.patch upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch 0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch +upstream/0029-MITKRB5-SA-2015-0001.patch diff --git a/debian/patches/upstream/0029-MITKRB5-SA-2015-0001.patch b/debian/patches/upstream/0029-MITKRB5-SA-2015-0001.patch new file mode 100644 index 0000000..c8183a3 --- /dev/null +++ b/debian/patches/upstream/0029-MITKRB5-SA-2015-0001.patch @@ -0,0 +1,397 @@ +From 769a3f26c919339002ef2936592a90d144d0e238 Mon Sep 17 00:00:00 2001 +From: Sam Hartman <[email protected]> +Date: Tue, 3 Feb 2015 10:26:16 -0500 +Subject: MITKRB5-SA-2015-0001 + +Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token + +CVE-2014-5352: gss_process_context_token() incorrectly frees context + +CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C + +CVSSv2 Base Score: 9.0 + +Access Vector: Network +Access Complexity: Low +Authentication: Single +Confidentiality Impact: Complete +Integrity Impact: Complete +Availability Impact: Complete + +CVSSv2 Temporal Score: 7.0 + +Exploitability: Proof-of-Concept +Remediation Level: Official Fix +Report Confidence: Confirmed + +CVE-2014-9421: kadmind doubly frees partial deserialization results + +CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C +CVSSv2 Base Score: 9.0 +CVSSv2 Temporal Score: 7.0 + +CVE-2014-9422: kadmind incorrectly validates server principal name + +CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:C/E:POC/RL:OF/RC:C +CVSSv2 Base Score: 6.1 +CVSSv2 Temporal Score: 4.8 + +CVE-2014-9423: libgssrpc server applications leak uninitialized bytes + +CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C +CVSSv2 Base Score: 5.0 +CVSSv2 Temporal Score: 4.4 + +Patch-Category: upstream +--- + src/kadmin/server/kadm_rpc_svc.c | 12 +++--------- + src/lib/gssapi/krb5/context_time.c | 2 +- + src/lib/gssapi/krb5/export_sec_context.c | 5 +++++ + src/lib/gssapi/krb5/gssapiP_krb5.h | 1 + + src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- + src/lib/gssapi/krb5/inq_context.c | 2 +- + src/lib/gssapi/krb5/k5seal.c | 2 +- + src/lib/gssapi/krb5/k5sealiov.c | 2 +- + src/lib/gssapi/krb5/k5unseal.c | 2 +- + src/lib/gssapi/krb5/k5unsealiov.c | 2 +- + src/lib/gssapi/krb5/lucid_context.c | 5 +++++ + src/lib/gssapi/krb5/prf.c | 4 ++++ + src/lib/gssapi/krb5/process_context_token.c | 17 ++++++++++++----- + src/lib/gssapi/krb5/wrap_size_limit.c | 2 +- + src/lib/gssapi/mechglue/mglueP.h | 1 - + src/lib/kadm5/kadm_rpc_xdr.c | 2 ++ + src/lib/rpc/auth_gssapi_misc.c | 1 - + src/lib/rpc/svc_auth_gss.c | 25 ++----------------------- + 18 files changed, 42 insertions(+), 47 deletions(-) + +diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c +index 3837931..f4d2a7c 100644 +--- a/src/kadmin/server/kadm_rpc_svc.c ++++ b/src/kadmin/server/kadm_rpc_svc.c +@@ -4,7 +4,7 @@ + * + */ + +-#include <k5-platform.h> ++#include <k5-int.h> + #include <gssrpc/rpc.h> + #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ + #include <syslog.h> +@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp) + c1 = krb5_princ_component(kctx, princ, 0); + c2 = krb5_princ_component(kctx, princ, 1); + realm = krb5_princ_realm(kctx, princ); +- if (strncmp(handle->params.realm, realm->data, realm->length) == 0 +- && strncmp("kadmin", c1->data, c1->length) == 0) { +- +- if (strncmp("history", c2->data, c2->length) == 0) +- goto fail_princ; +- else +- success = 1; +- } ++ success = data_eq_string(*realm, handle->params.realm) && ++ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); + + fail_princ: + if (!success) { +diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c +index b3d1db0..a18cfb0 100644 +--- a/src/lib/gssapi/krb5/context_time.c ++++ b/src/lib/gssapi/krb5/context_time.c +@@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } +diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c +index 18a3a34..1b3de68 100644 +--- a/src/lib/gssapi/krb5/export_sec_context.c ++++ b/src/lib/gssapi/krb5/export_sec_context.c +@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) + *minor_status = 0; + + ctx = (krb5_gss_ctx_id_t) *context_handle; ++ if (ctx->terminated) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return (GSS_S_NO_CONTEXT); ++ } ++ + context = ctx->k5_context; + kret = krb5_gss_ser_init(context); + if (kret) +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 0167816..42d16ad 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -204,6 +204,7 @@ typedef struct _krb5_gss_ctx_id_rec { + unsigned int established : 1; + unsigned int have_acceptor_subkey : 1; + unsigned int seed_init : 1; /* XXX tested but never actually set */ ++ unsigned int terminated : 1; + OM_uint32 gss_flags; + unsigned char seed[16]; + krb5_gss_name_t here; +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index a408259..088219a 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (!ctx->established) ++ if (ctx->terminated || !ctx->established) + return GSS_S_NO_CONTEXT; + + for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ +diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c +index eacb0fd..096df2a 100644 +--- a/src/lib/gssapi/krb5/inq_context.c ++++ b/src/lib/gssapi/krb5/inq_context.c +@@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } +diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c +index bd1e2a6..b11b615 100644 +--- a/src/lib/gssapi/krb5/k5seal.c ++++ b/src/lib/gssapi/krb5/k5seal.c +@@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } +diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c +index 0b99a77..0f80095 100644 +--- a/src/lib/gssapi/krb5/k5sealiov.c ++++ b/src/lib/gssapi/krb5/k5sealiov.c +@@ -284,7 +284,7 @@ kg_seal_iov(OM_uint32 *minor_status, + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +- if (!ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } +diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c +index b65c83c..9e78550 100644 +--- a/src/lib/gssapi/krb5/k5unseal.c ++++ b/src/lib/gssapi/krb5/k5unseal.c +@@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } +diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c +index 8d6a2da..191de2c 100644 +--- a/src/lib/gssapi/krb5/k5unsealiov.c ++++ b/src/lib/gssapi/krb5/k5unsealiov.c +@@ -628,7 +628,7 @@ kg_unseal_iov(OM_uint32 *minor_status, + OM_uint32 code; + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +- if (!ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } +diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c +index dc129e1..50d8cc9 100644 +--- a/src/lib/gssapi/krb5/lucid_context.c ++++ b/src/lib/gssapi/krb5/lucid_context.c +@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context( + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + ++ if (ctx->terminated || !ctx->established) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return GSS_S_NO_CONTEXT; ++ } ++ + retval = generic_gss_oid_decompose(minor_status, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, +diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c +index a0fbcda..4831f9f 100644 +--- a/src/lib/gssapi/krb5/prf.c ++++ b/src/lib/gssapi/krb5/prf.c +@@ -60,6 +60,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status, + ns.data = NULL; + + ctx = (krb5_gss_ctx_id_t)context; ++ if (ctx->terminated || !ctx->established) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return GSS_S_NO_CONTEXT; ++ } + + switch (prf_key) { + case GSS_C_PRF_KEY_FULL: +diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c +index ae33180..a672f48 100644 +--- a/src/lib/gssapi/krb5/process_context_token.c ++++ b/src/lib/gssapi/krb5/process_context_token.c +@@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle, + + ctx = (krb5_gss_ctx_id_t) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + ++ /* We only support context deletion tokens for now, and RFC 4121 does not ++ * define a context deletion token. */ ++ if (ctx->proto) { ++ *minor_status = 0; ++ return(GSS_S_DEFECTIVE_TOKEN); ++ } ++ + /* "unseal" the token */ + + if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, +@@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle, + KG_TOK_DEL_CTX))) + return(majerr); + +- /* that's it. delete the context */ +- +- return(krb5_gss_delete_sec_context(minor_status, &context_handle, +- GSS_C_NO_BUFFER)); ++ /* Mark the context as terminated, but do not delete it (as that would ++ * leave the caller with a dangling context handle). */ ++ ctx->terminated = 1; ++ return(GSS_S_COMPLETE); + } +diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c +index 7bc4221..ed5c599 100644 +--- a/src/lib/gssapi/krb5/wrap_size_limit.c ++++ b/src/lib/gssapi/krb5/wrap_size_limit.c +@@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } +diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h +index e56b9c1..2b5145e 100644 +--- a/src/lib/gssapi/mechglue/mglueP.h ++++ b/src/lib/gssapi/mechglue/mglueP.h +@@ -25,7 +25,6 @@ do { \ + */ + typedef struct gss_union_ctx_id_struct { + struct gss_union_ctx_id_struct *loopback; +- struct gss_union_ctx_id_struct *interposer; + gss_OID mech_type; + gss_ctx_id_t internal_ctx_id; + } gss_union_ctx_id_desc, *gss_union_ctx_id_t; +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 42ac783..975f94c 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) + free(tl); + tl = tl2; + } ++ *tl_data_head = NULL; + break; + + case XDR_ENCODE: +@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) + case XDR_FREE: + if(*objp != NULL) + krb5_free_principal(context, *objp); ++ *objp = NULL; + break; + } + return TRUE; +diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c +index 53bdb98..a05ea19 100644 +--- a/src/lib/rpc/auth_gssapi_misc.c ++++ b/src/lib/rpc/auth_gssapi_misc.c +@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data( + if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { + PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); + gss_release_buffer(minor, &out_buf); +- xdr_free(xdr_func, xdr_ptr); + XDR_DESTROY(&temp_xdrs); + return FALSE; + } +diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c +index 8da7003..ea8149b 100644 +--- a/src/lib/rpc/svc_auth_gss.c ++++ b/src/lib/rpc/svc_auth_gss.c +@@ -68,16 +68,6 @@ extern const gss_OID_desc * const gss_mech_spkm3; + + extern SVCAUTH svc_auth_none; + +-/* +- * from mit-krb5-1.2.1 mechglue/mglueP.h: +- * Array of context IDs typed by mechanism OID +- */ +-typedef struct gss_union_ctx_id_t { +- gss_OID mech_type; +- gss_ctx_id_t internal_ctx_id; +-} gss_union_ctx_id_desc, *gss_union_ctx_id_t; +- +- + static auth_gssapi_log_badauth_func log_badauth = NULL; + static caddr_t log_badauth_data = NULL; + static auth_gssapi_log_badauth2_func log_badauth2 = NULL; +@@ -242,16 +232,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, + gd->ctx = GSS_C_NO_CONTEXT; + goto errout; + } +- /* +- * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, +- * one to the mechanism oid, one to the internal_ctx_id +- */ +- if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { +- fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); +- goto errout; +- } +- memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); +- gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); ++ gr->gr_ctx.value = "xxxx"; ++ gr->gr_ctx.length = 4; + + /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ + gr->gr_win = sizeof(gd->seqmask) * 8; +@@ -523,8 +505,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, + + if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { + gss_release_buffer(&min_stat, &gr.gr_token); +- mem_free(gr.gr_ctx.value, +- sizeof(gss_union_ctx_id_desc)); + ret_freegc (AUTH_FAILED); + } + *no_dispatch = TRUE; +@@ -534,7 +514,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, + + gss_release_buffer(&min_stat, &gr.gr_token); + gss_release_buffer(&min_stat, &gd->checksum); +- mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); + if (!call_stat) + ret_freegc (AUTH_FAILED); + diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 3837931..f4d2a7c 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -4,7 +4,7 @@ * */ -#include <k5-platform.h> +#include <k5-int.h> #include <gssrpc/rpc.h> #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ #include <syslog.h> @@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp) c1 = krb5_princ_component(kctx, princ, 0); c2 = krb5_princ_component(kctx, princ, 1); realm = krb5_princ_realm(kctx, princ); - if (strncmp(handle->params.realm, realm->data, realm->length) == 0 - && strncmp("kadmin", c1->data, c1->length) == 0) { - - if (strncmp("history", c2->data, c2->length) == 0) - goto fail_princ; - else - success = 1; - } + success = data_eq_string(*realm, handle->params.realm) && + data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); fail_princ: if (!success) { diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c index b3d1db0..a18cfb0 100644 --- a/src/lib/gssapi/krb5/context_time.c +++ b/src/lib/gssapi/krb5/context_time.c @@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c index 18a3a34..1b3de68 100644 --- a/src/lib/gssapi/krb5/export_sec_context.c +++ b/src/lib/gssapi/krb5/export_sec_context.c @@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) *minor_status = 0; ctx = (krb5_gss_ctx_id_t) *context_handle; + if (ctx->terminated) { + *minor_status = KG_CTX_INCOMPLETE; + return (GSS_S_NO_CONTEXT); + } + context = ctx->k5_context; kret = krb5_gss_ser_init(context); if (kret) diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 0167816..42d16ad 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -204,6 +204,7 @@ typedef struct _krb5_gss_ctx_id_rec { unsigned int established : 1; unsigned int have_acceptor_subkey : 1; unsigned int seed_init : 1; /* XXX tested but never actually set */ + unsigned int terminated : 1; OM_uint32 gss_flags; unsigned char seed[16]; krb5_gss_name_t here; diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index a408259..088219a 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (!ctx->established) + if (ctx->terminated || !ctx->established) return GSS_S_NO_CONTEXT; for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index eacb0fd..096df2a 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index bd1e2a6..b11b615 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c index 0b99a77..0f80095 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -284,7 +284,7 @@ kg_seal_iov(OM_uint32 *minor_status, } ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index b65c83c..9e78550 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index 8d6a2da..191de2c 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -628,7 +628,7 @@ kg_unseal_iov(OM_uint32 *minor_status, OM_uint32 code; ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c index dc129e1..50d8cc9 100644 --- a/src/lib/gssapi/krb5/lucid_context.c +++ b/src/lib/gssapi/krb5/lucid_context.c @@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context( *minor_status = 0; *data_set = GSS_C_NO_BUFFER_SET; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + retval = generic_gss_oid_decompose(minor_status, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c index a0fbcda..4831f9f 100644 --- a/src/lib/gssapi/krb5/prf.c +++ b/src/lib/gssapi/krb5/prf.c @@ -60,6 +60,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status, ns.data = NULL; ctx = (krb5_gss_ctx_id_t)context; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } switch (prf_key) { case GSS_C_PRF_KEY_FULL: diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c index ae33180..a672f48 100644 --- a/src/lib/gssapi/krb5/process_context_token.c +++ b/src/lib/gssapi/krb5/process_context_token.c @@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle, ctx = (krb5_gss_ctx_id_t) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } + /* We only support context deletion tokens for now, and RFC 4121 does not + * define a context deletion token. */ + if (ctx->proto) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + /* "unseal" the token */ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, @@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle, KG_TOK_DEL_CTX))) return(majerr); - /* that's it. delete the context */ - - return(krb5_gss_delete_sec_context(minor_status, &context_handle, - GSS_C_NO_BUFFER)); + /* Mark the context as terminated, but do not delete it (as that would + * leave the caller with a dangling context handle). */ + ctx->terminated = 1; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index 7bc4221..ed5c599 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, } ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index e56b9c1..2b5145e 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -25,7 +25,6 @@ do { \ */ typedef struct gss_union_ctx_id_struct { struct gss_union_ctx_id_struct *loopback; - struct gss_union_ctx_id_struct *interposer; gss_OID mech_type; gss_ctx_id_t internal_ctx_id; } gss_union_ctx_id_desc, *gss_union_ctx_id_t; diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 42ac783..975f94c 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) free(tl); tl = tl2; } + *tl_data_head = NULL; break; case XDR_ENCODE: @@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) case XDR_FREE: if(*objp != NULL) krb5_free_principal(context, *objp); + *objp = NULL; break; } return TRUE; diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c index 53bdb98..a05ea19 100644 --- a/src/lib/rpc/auth_gssapi_misc.c +++ b/src/lib/rpc/auth_gssapi_misc.c @@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data( if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); gss_release_buffer(minor, &out_buf); - xdr_free(xdr_func, xdr_ptr); XDR_DESTROY(&temp_xdrs); return FALSE; } diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c index 8da7003..ea8149b 100644 --- a/src/lib/rpc/svc_auth_gss.c +++ b/src/lib/rpc/svc_auth_gss.c @@ -68,16 +68,6 @@ extern const gss_OID_desc * const gss_mech_spkm3; extern SVCAUTH svc_auth_none; -/* - * from mit-krb5-1.2.1 mechglue/mglueP.h: - * Array of context IDs typed by mechanism OID - */ -typedef struct gss_union_ctx_id_t { - gss_OID mech_type; - gss_ctx_id_t internal_ctx_id; -} gss_union_ctx_id_desc, *gss_union_ctx_id_t; - - static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; static auth_gssapi_log_badauth2_func log_badauth2 = NULL; @@ -242,16 +232,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, gd->ctx = GSS_C_NO_CONTEXT; goto errout; } - /* - * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, - * one to the mechanism oid, one to the internal_ctx_id - */ - if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { - fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); - goto errout; - } - memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); - gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); + gr->gr_ctx.value = "xxxx"; + gr->gr_ctx.length = 4; /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ gr->gr_win = sizeof(gd->seqmask) * 8; @@ -523,8 +505,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { gss_release_buffer(&min_stat, &gr.gr_token); - mem_free(gr.gr_ctx.value, - sizeof(gss_union_ctx_id_desc)); ret_freegc (AUTH_FAILED); } *no_dispatch = TRUE; @@ -534,7 +514,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, gss_release_buffer(&min_stat, &gr.gr_token); gss_release_buffer(&min_stat, &gd->checksum); - mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); if (!call_stat) ret_freegc (AUTH_FAILED); unblock krb5/1.12.1+dfsg-17 -- System Information: Debian Release: jessie/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (250, 'testing'), (200, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/20150203191840.4028.79382.reportbug@permutation-city
