summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWenzong Fan <wenzong.fan@windriver.com>2016-09-12 04:55:16 -0400
committerMartin Jansa <Martin.Jansa@gmail.com>2016-09-15 10:22:49 +0200
commit2ed5ad2e40ea29b549c1d39aad70e2e4f7d57b28 (patch)
treea23fe60e6020c0c476757e79297a1d55231d1c7b
parentdd0f1adc981a8517cfd0ab4395147316053278de (diff)
downloadmeta-openembedded-2ed5ad2e40ea29b549c1d39aad70e2e4f7d57b28.tar.gz
krb5: upgrade to 1.13.6
* fix CVEs: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * update LIC_FILES_CHKSUM, only Copyright changed in NOTICE file: -Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. * remove useless functions: krb5_do_unpack(), do_unpack() * remove patches that included by new release: - 0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch - Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch - Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch - Fix-build_principal-memory-bug-CVE-2015-2697.patch - Fix-IAKERB-context-export-import-CVE-2015-2698.patch - krb5-CVE-2016-3119.patch - krb5-CVE-2016-3120.patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch37
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch739
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch134
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch572
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch58
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch36
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch63
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb (renamed from meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb)25
8 files changed, 4 insertions, 1660 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
deleted file mode 100644
index c6731a9002..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From f1b681a44d28946e6d8fc0080f3efe94228d7dfe Mon Sep 17 00:00:00 2001
2From: Tom Yu <tlyu@mit.edu>
3Date: Wed, 6 Jan 2016 15:24:16 -0500
4Subject: [PATCH] Work around uninitialized warning in cc_kcm.c
5
6Some versions of clang erroneously detect use of an uninitialized
7variable reply_len in kcmio_call() when building on non-Mac platforms.
8Initialize it to work around this warning.
9
10(cherry picked from commit 40b007c0d8e2a12c6f4205ac111dee731c9d970c)
11
12ticket: 8335
13version_fixed: 1.13.4
14tags: -pullup
15status: resolved
16
17Upstream-Status: backport
18---
19 src/lib/krb5/ccache/cc_kcm.c | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
23index b763ea4..6337b57 100644
24--- a/src/lib/krb5/ccache/cc_kcm.c
25+++ b/src/lib/krb5/ccache/cc_kcm.c
26@@ -377,7 +377,7 @@ static krb5_error_code
27 kcmio_call(krb5_context context, struct kcmio *io, struct kcmreq *req)
28 {
29 krb5_error_code ret;
30- size_t reply_len;
31+ size_t reply_len = 0;
32
33 if (k5_buf_status(&req->reqbuf) != 0)
34 return ENOMEM;
35--
362.8.2
37
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
deleted file mode 100644
index b771b41466..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+++ /dev/null
@@ -1,739 +0,0 @@
1From f6e57c402688f4bc386d1a39512657a30f0bafd3 Mon Sep 17 00:00:00 2001
2From: Nicolas Williams <nico@twosigma.com>
3Date: Mon, 14 Sep 2015 12:28:36 -0400
4Subject: [PATCH 2/4] Fix IAKERB context aliasing bugs [CVE-2015-2696]
5
6The IAKERB mechanism currently replaces its context handle with the
7krb5 mechanism handle upon establishment, under the assumption that
8most GSS functions are only called after context establishment. This
9assumption is incorrect, and can lead to aliasing violations for some
10programs. Maintain the IAKERB context structure after context
11establishment and add new IAKERB entry points to refer to it with that
12type. Add initiate and established flags to the IAKERB context
13structure for use in gss_inquire_context() prior to context
14establishment.
15
16CVE-2015-2696:
17
18In MIT krb5 1.9 and later, applications which call
19gss_inquire_context() on a partially-established IAKERB context can
20cause the GSS-API library to read from a pointer using the wrong type,
21generally causing a process crash. Java server applications using the
22native JGSS provider are vulnerable to this bug. A carefully crafted
23IAKERB packet might allow the gss_inquire_context() call to succeed
24with attacker-determined results, but applications should not make
25access control decisions based on gss_inquire_context() results prior
26to context establishment.
27
28 CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
29
30[ghudson@mit.edu: several bugfixes, style changes, and edge-case
31behavior changes; commit message and CVE description]
32
33ticket: 8244
34target_version: 1.14
35tags: pullup
36
37Backport upstream commit:
38https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
39
40Upstream-Status: Backport
41---
42 src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
43 src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++--
44 src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++----
45 3 files changed, 529 insertions(+), 41 deletions(-)
46
47diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
48index a0e8625..05dc321 100644
49--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
50+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
51@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
52 );
53 #endif /* LEAN_CLIENT */
54
55+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
56+(OM_uint32*, /* minor_status */
57+ const gss_ctx_id_t,
58+ /* context_handle */
59+ const gss_OID, /* desired_object */
60+ gss_buffer_set_t* /* data_set */
61+);
62+
63+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
64+(OM_uint32*, /* minor_status */
65+ gss_ctx_id_t*, /* context_handle */
66+ const gss_OID, /* desired_object */
67+ const gss_buffer_t/* value */
68+);
69+
70 OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
71 (OM_uint32*, /* minor_status */
72 gss_ctx_id_t, /* context_handle */
73@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV
74 krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
75 gss_cred_id_t *cred_handle);
76
77+OM_uint32 KRB5_CALLCONV
78+iakerb_gss_process_context_token(OM_uint32 *minor_status,
79+ const gss_ctx_id_t context_handle,
80+ const gss_buffer_t token_buffer);
81+
82+OM_uint32 KRB5_CALLCONV
83+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
84+ OM_uint32 *time_rec);
85+
86+OM_uint32 KRB5_CALLCONV
87+iakerb_gss_inquire_context(OM_uint32 *minor_status,
88+ gss_ctx_id_t context_handle, gss_name_t *src_name,
89+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
90+ gss_OID *mech_type, OM_uint32 *ctx_flags,
91+ int *locally_initiated, int *opened);
92+
93+OM_uint32 KRB5_CALLCONV
94+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
95+ gss_qop_t qop_req, gss_buffer_t message_buffer,
96+ gss_buffer_t message_token);
97+
98+OM_uint32 KRB5_CALLCONV
99+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
100+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
101+ int iov_count);
102+
103+OM_uint32 KRB5_CALLCONV
104+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
105+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
106+ gss_iov_buffer_desc *iov, int iov_count);
107+
108+OM_uint32 KRB5_CALLCONV
109+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
110+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
111+ gss_qop_t *qop_state);
112+
113+OM_uint32 KRB5_CALLCONV
114+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
115+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
116+ int iov_count);
117+
118+OM_uint32 KRB5_CALLCONV
119+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
120+ int conf_req_flag, gss_qop_t qop_req,
121+ gss_buffer_t input_message_buffer, int *conf_state,
122+ gss_buffer_t output_message_buffer);
123+
124+OM_uint32 KRB5_CALLCONV
125+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
126+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
127+ gss_iov_buffer_desc *iov, int iov_count);
128+
129+OM_uint32 KRB5_CALLCONV
130+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
131+ gss_ctx_id_t context_handle, int conf_req_flag,
132+ gss_qop_t qop_req, int *conf_state,
133+ gss_iov_buffer_desc *iov, int iov_count);
134+
135+OM_uint32 KRB5_CALLCONV
136+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
137+ gss_buffer_t input_message_buffer,
138+ gss_buffer_t output_message_buffer, int *conf_state,
139+ gss_qop_t *qop_state);
140+
141+OM_uint32 KRB5_CALLCONV
142+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
143+ int *conf_state, gss_qop_t *qop_state,
144+ gss_iov_buffer_desc *iov, int iov_count);
145+
146+OM_uint32 KRB5_CALLCONV
147+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
148+ gss_ctx_id_t context_handle, int conf_req_flag,
149+ gss_qop_t qop_req, OM_uint32 req_output_size,
150+ OM_uint32 *max_input_size);
151+
152+#ifndef LEAN_CLIENT
153+OM_uint32 KRB5_CALLCONV
154+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
155+ gss_ctx_id_t *context_handle,
156+ gss_buffer_t interprocess_token);
157+#endif /* LEAN_CLIENT */
158+
159+OM_uint32 KRB5_CALLCONV
160+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
161+ const gss_ctx_id_t context_handle,
162+ const gss_OID desired_object,
163+ gss_buffer_set_t *data_set);
164+
165+OM_uint32 KRB5_CALLCONV
166+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
167+ gss_ctx_id_t *context_handle,
168+ const gss_OID desired_object,
169+ const gss_buffer_t value);
170+
171+OM_uint32 KRB5_CALLCONV
172+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
173+ int prf_key, const gss_buffer_t prf_in,
174+ ssize_t desired_output_len, gss_buffer_t prf_out);
175+
176 /* Magic string to identify exported krb5 GSS credentials. Increment this if
177 * the format changes. */
178 #define CRED_EXPORT_MAGIC "K5C1"
179diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
180index 77b7fff..9a23656 100644
181--- a/src/lib/gssapi/krb5/gssapi_krb5.c
182+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
183@@ -345,7 +345,7 @@ static struct {
184 }
185 };
186
187-static OM_uint32 KRB5_CALLCONV
188+OM_uint32 KRB5_CALLCONV
189 krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
190 const gss_ctx_id_t context_handle,
191 const gss_OID desired_object,
192@@ -459,7 +459,7 @@ static struct {
193 };
194 #endif
195
196-static OM_uint32 KRB5_CALLCONV
197+OM_uint32 KRB5_CALLCONV
198 krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
199 gss_ctx_id_t *context_handle,
200 const gss_OID desired_object,
201@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = {
202 krb5_gss_get_mic_iov_length,
203 };
204
205+/* Functions which use security contexts or acquire creds are IAKERB-specific;
206+ * other functions can borrow from the krb5 mech. */
207+static struct gss_config iakerb_mechanism = {
208+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
209+ NULL,
210+ iakerb_gss_acquire_cred,
211+ krb5_gss_release_cred,
212+ iakerb_gss_init_sec_context,
213+#ifdef LEAN_CLIENT
214+ NULL,
215+#else
216+ iakerb_gss_accept_sec_context,
217+#endif
218+ iakerb_gss_process_context_token,
219+ iakerb_gss_delete_sec_context,
220+ iakerb_gss_context_time,
221+ iakerb_gss_get_mic,
222+ iakerb_gss_verify_mic,
223+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
224+ NULL,
225+#else
226+ iakerb_gss_wrap,
227+#endif
228+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
229+ NULL,
230+#else
231+ iakerb_gss_unwrap,
232+#endif
233+ krb5_gss_display_status,
234+ krb5_gss_indicate_mechs,
235+ krb5_gss_compare_name,
236+ krb5_gss_display_name,
237+ krb5_gss_import_name,
238+ krb5_gss_release_name,
239+ krb5_gss_inquire_cred,
240+ NULL, /* add_cred */
241+#ifdef LEAN_CLIENT
242+ NULL,
243+ NULL,
244+#else
245+ iakerb_gss_export_sec_context,
246+ NULL,
247+#endif
248+ krb5_gss_inquire_cred_by_mech,
249+ krb5_gss_inquire_names_for_mech,
250+ iakerb_gss_inquire_context,
251+ krb5_gss_internal_release_oid,
252+ iakerb_gss_wrap_size_limit,
253+ krb5_gss_localname,
254+ krb5_gss_authorize_localname,
255+ krb5_gss_export_name,
256+ krb5_gss_duplicate_name,
257+ krb5_gss_store_cred,
258+ iakerb_gss_inquire_sec_context_by_oid,
259+ krb5_gss_inquire_cred_by_oid,
260+ iakerb_gss_set_sec_context_option,
261+ krb5_gssspi_set_cred_option,
262+ krb5_gssspi_mech_invoke,
263+ NULL, /* wrap_aead */
264+ NULL, /* unwrap_aead */
265+ iakerb_gss_wrap_iov,
266+ iakerb_gss_unwrap_iov,
267+ iakerb_gss_wrap_iov_length,
268+ NULL, /* complete_auth_token */
269+ NULL, /* acquire_cred_impersonate_name */
270+ NULL, /* add_cred_impersonate_name */
271+ NULL, /* display_name_ext */
272+ krb5_gss_inquire_name,
273+ krb5_gss_get_name_attribute,
274+ krb5_gss_set_name_attribute,
275+ krb5_gss_delete_name_attribute,
276+ krb5_gss_export_name_composite,
277+ krb5_gss_map_name_to_any,
278+ krb5_gss_release_any_name_mapping,
279+ iakerb_gss_pseudo_random,
280+ NULL, /* set_neg_mechs */
281+ krb5_gss_inquire_saslname_for_mech,
282+ krb5_gss_inquire_mech_for_saslname,
283+ krb5_gss_inquire_attrs_for_mech,
284+ krb5_gss_acquire_cred_from,
285+ krb5_gss_store_cred_into,
286+ iakerb_gss_acquire_cred_with_password,
287+ krb5_gss_export_cred,
288+ krb5_gss_import_cred,
289+ NULL, /* import_sec_context_by_mech */
290+ NULL, /* import_name_by_mech */
291+ NULL, /* import_cred_by_mech */
292+ iakerb_gss_get_mic_iov,
293+ iakerb_gss_verify_mic_iov,
294+ iakerb_gss_get_mic_iov_length,
295+};
296+
297 #ifdef _GSS_STATIC_LINK
298 #include "mglueP.h"
299 static int gss_iakerbmechglue_init(void)
300 {
301 struct gss_mech_config mech_iakerb;
302- struct gss_config iakerb_mechanism = krb5_mechanism;
303-
304- /* IAKERB mechanism mirrors krb5, but with different context SPIs */
305- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
306- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
307- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
308- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
309- iakerb_mechanism.gssspi_acquire_cred_with_password
310- = iakerb_gss_acquire_cred_with_password;
311
312 memset(&mech_iakerb, 0, sizeof(mech_iakerb));
313 mech_iakerb.mech = &iakerb_mechanism;
314diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
315index f30de32..4662bd9 100644
316--- a/src/lib/gssapi/krb5/iakerb.c
317+++ b/src/lib/gssapi/krb5/iakerb.c
318@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
319 gss_ctx_id_t gssc;
320 krb5_data conv; /* conversation for checksumming */
321 unsigned int count; /* number of round trips */
322+ int initiate;
323+ int established;
324 krb5_get_init_creds_opt *gic_opts;
325 };
326
327@@ -695,7 +697,7 @@ cleanup:
328 * Allocate and initialise an IAKERB context
329 */
330 static krb5_error_code
331-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
332+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
333 {
334 iakerb_ctx_id_t ctx;
335 krb5_error_code code;
336@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
337 ctx->magic = KG_IAKERB_CONTEXT;
338 ctx->state = IAKERB_AS_REQ;
339 ctx->count = 0;
340+ ctx->initiate = initiate;
341+ ctx->established = 0;
342
343 code = krb5_gss_init_context(&ctx->k5c);
344 if (code != 0)
345@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
346 gss_ctx_id_t *context_handle,
347 gss_buffer_t output_token)
348 {
349- OM_uint32 major_status = GSS_S_COMPLETE;
350+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
351
352 if (output_token != GSS_C_NO_BUFFER) {
353 output_token->length = 0;
354@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
355 }
356
357 *minor_status = 0;
358+ *context_handle = GSS_C_NO_CONTEXT;
359+ iakerb_release_context(iakerb_ctx);
360
361- if (*context_handle != GSS_C_NO_CONTEXT) {
362- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
363-
364- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
365- iakerb_release_context(iakerb_ctx);
366- *context_handle = GSS_C_NO_CONTEXT;
367- } else {
368- assert(iakerb_ctx->magic == KG_CONTEXT);
369-
370- major_status = krb5_gss_delete_sec_context(minor_status,
371- context_handle,
372- output_token);
373- }
374- }
375-
376- return major_status;
377+ return GSS_S_COMPLETE;
378 }
379
380 static krb5_boolean
381@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
382 int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
383
384 if (initialContextToken) {
385- code = iakerb_alloc_context(&ctx);
386+ code = iakerb_alloc_context(&ctx, 0);
387 if (code != 0)
388 goto cleanup;
389
390@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
391 time_rec,
392 delegated_cred_handle,
393 &exts);
394- if (major_status == GSS_S_COMPLETE) {
395- *context_handle = ctx->gssc;
396- ctx->gssc = NULL;
397- iakerb_release_context(ctx);
398- }
399+ if (major_status == GSS_S_COMPLETE)
400+ ctx->established = 1;
401 if (mech_type != NULL)
402 *mech_type = (gss_OID)gss_mech_krb5;
403 }
404@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
405 int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
406
407 if (initialContextToken) {
408- code = iakerb_alloc_context(&ctx);
409+ code = iakerb_alloc_context(&ctx, 1);
410 if (code != 0) {
411 *minor_status = code;
412 goto cleanup;
413@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
414 ret_flags,
415 time_rec,
416 &exts);
417- if (major_status == GSS_S_COMPLETE) {
418- *context_handle = ctx->gssc;
419- ctx->gssc = GSS_C_NO_CONTEXT;
420- iakerb_release_context(ctx);
421- }
422+ if (major_status == GSS_S_COMPLETE)
423+ ctx->established = 1;
424 if (actual_mech_type != NULL)
425 *actual_mech_type = (gss_OID)gss_mech_krb5;
426 } else {
427@@ -1010,3 +995,309 @@ cleanup:
428
429 return major_status;
430 }
431+
432+OM_uint32 KRB5_CALLCONV
433+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
434+ gss_buffer_t input_message_buffer,
435+ gss_buffer_t output_message_buffer, int *conf_state,
436+ gss_qop_t *qop_state)
437+{
438+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
439+
440+ if (ctx->gssc == GSS_C_NO_CONTEXT)
441+ return GSS_S_NO_CONTEXT;
442+
443+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
444+ output_message_buffer, conf_state, qop_state);
445+}
446+
447+OM_uint32 KRB5_CALLCONV
448+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
449+ int conf_req_flag, gss_qop_t qop_req,
450+ gss_buffer_t input_message_buffer, int *conf_state,
451+ gss_buffer_t output_message_buffer)
452+{
453+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
454+
455+ if (ctx->gssc == GSS_C_NO_CONTEXT)
456+ return GSS_S_NO_CONTEXT;
457+
458+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
459+ input_message_buffer, conf_state,
460+ output_message_buffer);
461+}
462+
463+OM_uint32 KRB5_CALLCONV
464+iakerb_gss_process_context_token(OM_uint32 *minor_status,
465+ const gss_ctx_id_t context_handle,
466+ const gss_buffer_t token_buffer)
467+{
468+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
469+
470+ if (ctx->gssc == GSS_C_NO_CONTEXT)
471+ return GSS_S_DEFECTIVE_TOKEN;
472+
473+ return krb5_gss_process_context_token(minor_status, ctx->gssc,
474+ token_buffer);
475+}
476+
477+OM_uint32 KRB5_CALLCONV
478+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
479+ OM_uint32 *time_rec)
480+{
481+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
482+
483+ if (ctx->gssc == GSS_C_NO_CONTEXT)
484+ return GSS_S_NO_CONTEXT;
485+
486+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
487+}
488+
489+#ifndef LEAN_CLIENT
490+
491+OM_uint32 KRB5_CALLCONV
492+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
493+ gss_ctx_id_t *context_handle,
494+ gss_buffer_t interprocess_token)
495+{
496+ OM_uint32 maj;
497+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
498+
499+ /* We don't currently support exporting partially established contexts. */
500+ if (!ctx->established)
501+ return GSS_S_UNAVAILABLE;
502+
503+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
504+ interprocess_token);
505+ if (ctx->gssc == GSS_C_NO_CONTEXT) {
506+ iakerb_release_context(ctx);
507+ *context_handle = GSS_C_NO_CONTEXT;
508+ }
509+ return maj;
510+}
511+
512+/*
513+ * Until we implement partial context exports, there are no SPNEGO exported
514+ * context tokens, only tokens for the underlying krb5 context. So we do not
515+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
516+ * unreachable except via a manually constructed token.
517+ */
518+
519+#endif /* LEAN_CLIENT */
520+
521+OM_uint32 KRB5_CALLCONV
522+iakerb_gss_inquire_context(OM_uint32 *minor_status,
523+ gss_ctx_id_t context_handle, gss_name_t *src_name,
524+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
525+ gss_OID *mech_type, OM_uint32 *ctx_flags,
526+ int *initiate, int *opened)
527+{
528+ OM_uint32 ret;
529+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
530+
531+ if (src_name != NULL)
532+ *src_name = GSS_C_NO_NAME;
533+ if (targ_name != NULL)
534+ *targ_name = GSS_C_NO_NAME;
535+ if (lifetime_rec != NULL)
536+ *lifetime_rec = 0;
537+ if (mech_type != NULL)
538+ *mech_type = (gss_OID)gss_mech_iakerb;
539+ if (ctx_flags != NULL)
540+ *ctx_flags = 0;
541+ if (initiate != NULL)
542+ *initiate = ctx->initiate;
543+ if (opened != NULL)
544+ *opened = ctx->established;
545+
546+ if (ctx->gssc == GSS_C_NO_CONTEXT)
547+ return GSS_S_COMPLETE;
548+
549+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
550+ targ_name, lifetime_rec, mech_type,
551+ ctx_flags, initiate, opened);
552+
553+ if (!ctx->established) {
554+ /* Report IAKERB as the mech OID until the context is established. */
555+ if (mech_type != NULL)
556+ *mech_type = (gss_OID)gss_mech_iakerb;
557+
558+ /* We don't support exporting partially-established contexts. */
559+ if (ctx_flags != NULL)
560+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
561+ }
562+
563+ return ret;
564+}
565+
566+OM_uint32 KRB5_CALLCONV
567+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
568+ gss_ctx_id_t context_handle, int conf_req_flag,
569+ gss_qop_t qop_req, OM_uint32 req_output_size,
570+ OM_uint32 *max_input_size)
571+{
572+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
573+
574+ if (ctx->gssc == GSS_C_NO_CONTEXT)
575+ return GSS_S_NO_CONTEXT;
576+
577+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
578+ qop_req, req_output_size, max_input_size);
579+}
580+
581+OM_uint32 KRB5_CALLCONV
582+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
583+ gss_qop_t qop_req, gss_buffer_t message_buffer,
584+ gss_buffer_t message_token)
585+{
586+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
587+
588+ if (ctx->gssc == GSS_C_NO_CONTEXT)
589+ return GSS_S_NO_CONTEXT;
590+
591+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
592+ message_token);
593+}
594+
595+OM_uint32 KRB5_CALLCONV
596+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
597+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
598+ gss_qop_t *qop_state)
599+{
600+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
601+
602+ if (ctx->gssc == GSS_C_NO_CONTEXT)
603+ return GSS_S_NO_CONTEXT;
604+
605+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
606+ token_buffer, qop_state);
607+}
608+
609+OM_uint32 KRB5_CALLCONV
610+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
611+ const gss_ctx_id_t context_handle,
612+ const gss_OID desired_object,
613+ gss_buffer_set_t *data_set)
614+{
615+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
616+
617+ if (ctx->gssc == GSS_C_NO_CONTEXT)
618+ return GSS_S_UNAVAILABLE;
619+
620+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
621+ desired_object, data_set);
622+}
623+
624+OM_uint32 KRB5_CALLCONV
625+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
626+ gss_ctx_id_t *context_handle,
627+ const gss_OID desired_object,
628+ const gss_buffer_t value)
629+{
630+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
631+
632+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
633+ return GSS_S_UNAVAILABLE;
634+
635+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
636+ desired_object, value);
637+}
638+
639+OM_uint32 KRB5_CALLCONV
640+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
641+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
642+ gss_iov_buffer_desc *iov, int iov_count)
643+{
644+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
645+
646+ if (ctx->gssc == GSS_C_NO_CONTEXT)
647+ return GSS_S_NO_CONTEXT;
648+
649+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
650+ conf_state, iov, iov_count);
651+}
652+
653+OM_uint32 KRB5_CALLCONV
654+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
655+ int *conf_state, gss_qop_t *qop_state,
656+ gss_iov_buffer_desc *iov, int iov_count)
657+{
658+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
659+
660+ if (ctx->gssc == GSS_C_NO_CONTEXT)
661+ return GSS_S_NO_CONTEXT;
662+
663+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
664+ iov, iov_count);
665+}
666+
667+OM_uint32 KRB5_CALLCONV
668+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
669+ gss_ctx_id_t context_handle, int conf_req_flag,
670+ gss_qop_t qop_req, int *conf_state,
671+ gss_iov_buffer_desc *iov, int iov_count)
672+{
673+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
674+
675+ if (ctx->gssc == GSS_C_NO_CONTEXT)
676+ return GSS_S_NO_CONTEXT;
677+
678+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
679+ qop_req, conf_state, iov, iov_count);
680+}
681+
682+OM_uint32 KRB5_CALLCONV
683+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
684+ int prf_key, const gss_buffer_t prf_in,
685+ ssize_t desired_output_len, gss_buffer_t prf_out)
686+{
687+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
688+
689+ if (ctx->gssc == GSS_C_NO_CONTEXT)
690+ return GSS_S_NO_CONTEXT;
691+
692+ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
693+ desired_output_len, prf_out);
694+}
695+
696+OM_uint32 KRB5_CALLCONV
697+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
698+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
699+ int iov_count)
700+{
701+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
702+
703+ if (ctx->gssc == GSS_C_NO_CONTEXT)
704+ return GSS_S_NO_CONTEXT;
705+
706+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
707+ iov_count);
708+}
709+
710+OM_uint32 KRB5_CALLCONV
711+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
712+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
713+ int iov_count)
714+{
715+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
716+
717+ if (ctx->gssc == GSS_C_NO_CONTEXT)
718+ return GSS_S_NO_CONTEXT;
719+
720+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
721+ iov_count);
722+}
723+
724+OM_uint32 KRB5_CALLCONV
725+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
726+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
727+ gss_iov_buffer_desc *iov, int iov_count)
728+{
729+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
730+
731+ if (ctx->gssc == GSS_C_NO_CONTEXT)
732+ return GSS_S_NO_CONTEXT;
733+
734+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
735+ iov_count);
736+}
737--
7381.9.1
739
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch
deleted file mode 100644
index 2f45d306b8..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+++ /dev/null
@@ -1,134 +0,0 @@
1From aa769c8c6905d1abfac66d4d1b0fc73740ccbe7d Mon Sep 17 00:00:00 2001
2From: Greg Hudson <ghudson@mit.edu>
3Date: Sat, 14 Nov 2015 02:47:04 -0500
4Subject: [PATCH 4/4] Fix IAKERB context export/import [CVE-2015-2698]
5
6The patches for CVE-2015-2696 contained a regression in the newly
7added IAKERB iakerb_gss_export_sec_context() function, which could
8cause it to corrupt memory. Fix the regression by properly
9dereferencing the context_handle pointer before casting it.
10
11Also, the patches did not implement an IAKERB gss_import_sec_context()
12function, under the erroneous belief that an exported IAKERB context
13would be tagged as a krb5 context. Implement it now to allow IAKERB
14contexts to be successfully exported and imported after establishment.
15
16CVE-2015-2698:
17
18In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
19application which calls gss_export_sec_context() may experience memory
20corruption if the context was established using the IAKERB mechanism.
21Historically, some vulnerabilities of this nature can be translated
22into remote code execution, though the necessary exploits must be
23tailored to the individual application and are usually quite
24complicated.
25
26 CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
27
28ticket: 8273 (new)
29target_version: 1.14
30tags: pullup
31
32Backport upstream commit:
33https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
34
35Upstream-Status: Backport
36---
37 src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
38 src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
39 src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
40 3 files changed, 41 insertions(+), 8 deletions(-)
41
42diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
43index 05dc321..ac53662 100644
44--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
45+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
46@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
47 iakerb_gss_export_sec_context(OM_uint32 *minor_status,
48 gss_ctx_id_t *context_handle,
49 gss_buffer_t interprocess_token);
50+
51+OM_uint32 KRB5_CALLCONV
52+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
53+ const gss_buffer_t interprocess_token,
54+ gss_ctx_id_t *context_handle);
55 #endif /* LEAN_CLIENT */
56
57 OM_uint32 KRB5_CALLCONV
58diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
59index 9a23656..d7ba279 100644
60--- a/src/lib/gssapi/krb5/gssapi_krb5.c
61+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
62@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
63 NULL,
64 #else
65 iakerb_gss_export_sec_context,
66- NULL,
67+ iakerb_gss_import_sec_context,
68 #endif
69 krb5_gss_inquire_cred_by_mech,
70 krb5_gss_inquire_names_for_mech,
71diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
72index 4662bd9..48beaee 100644
73--- a/src/lib/gssapi/krb5/iakerb.c
74+++ b/src/lib/gssapi/krb5/iakerb.c
75@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
76 gss_buffer_t interprocess_token)
77 {
78 OM_uint32 maj;
79- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
80+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
81
82 /* We don't currently support exporting partially established contexts. */
83 if (!ctx->established)
84@@ -1076,13 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
85 return maj;
86 }
87
88-/*
89- * Until we implement partial context exports, there are no SPNEGO exported
90- * context tokens, only tokens for the underlying krb5 context. So we do not
91- * need to implement an iakerb_gss_import_sec_context() yet; it would be
92- * unreachable except via a manually constructed token.
93- */
94+OM_uint32 KRB5_CALLCONV
95+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
96+ gss_buffer_t interprocess_token,
97+ gss_ctx_id_t *context_handle)
98+{
99+ OM_uint32 maj, tmpmin;
100+ krb5_error_code code;
101+ gss_ctx_id_t gssc;
102+ krb5_gss_ctx_id_t kctx;
103+ iakerb_ctx_id_t ctx;
104+
105+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
106+ if (maj != GSS_S_COMPLETE)
107+ return maj;
108+ kctx = (krb5_gss_ctx_id_t)gssc;
109+
110+ if (!kctx->established) {
111+ /* We don't currently support importing partially established
112+ * contexts. */
113+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
114+ return GSS_S_FAILURE;
115+ }
116
117+ code = iakerb_alloc_context(&ctx, kctx->initiate);
118+ if (code != 0) {
119+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
120+ *minor_status = code;
121+ return GSS_S_FAILURE;
122+ }
123+
124+ ctx->gssc = gssc;
125+ ctx->established = 1;
126+ *context_handle = (gss_ctx_id_t)ctx;
127+ return GSS_S_COMPLETE;
128+}
129 #endif /* LEAN_CLIENT */
130
131 OM_uint32 KRB5_CALLCONV
132--
1331.9.1
134
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
deleted file mode 100644
index 227e6c614f..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+++ /dev/null
@@ -1,572 +0,0 @@
1From 884913e807414a1e06245918dea71243c5fdd0e6 Mon Sep 17 00:00:00 2001
2From: Nicolas Williams <nico@twosigma.com>
3Date: Mon, 14 Sep 2015 12:27:52 -0400
4Subject: [PATCH 1/4] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
5
6The SPNEGO mechanism currently replaces its context handle with the
7mechanism context handle upon establishment, under the assumption that
8most GSS functions are only called after context establishment. This
9assumption is incorrect, and can lead to aliasing violations for some
10programs. Maintain the SPNEGO context structure after context
11establishment and refer to it in all GSS methods. Add initiate and
12opened flags to the SPNEGO context structure for use in
13gss_inquire_context() prior to context establishment.
14
15CVE-2015-2695:
16
17In MIT krb5 1.5 and later, applications which call
18gss_inquire_context() on a partially-established SPNEGO context can
19cause the GSS-API library to read from a pointer using the wrong type,
20generally causing a process crash. This bug may go unnoticed, because
21the most common SPNEGO authentication scenario establishes the context
22after just one call to gss_accept_sec_context(). Java server
23applications using the native JGSS provider are vulnerable to this
24bug. A carefully crafted SPNEGO packet might allow the
25gss_inquire_context() call to succeed with attacker-determined
26results, but applications should not make access control decisions
27based on gss_inquire_context() results prior to context establishment.
28
29 CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
30
31[ghudson@mit.edu: several bugfixes, style changes, and edge-case
32behavior changes; commit message and CVE description]
33
34ticket: 8244
35target_version: 1.14
36tags: pullup
37
38Backport upstream commit:
39https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
40
41Upstream-Status: Backport
42---
43 src/lib/gssapi/spnego/gssapiP_spnego.h | 2 +
44 src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++---------
45 2 files changed, 192 insertions(+), 64 deletions(-)
46
47diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
48index bc23f56..8e05736 100644
49--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
50+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
51@@ -102,6 +102,8 @@ typedef struct {
52 int firstpass;
53 int mech_complete;
54 int nego_done;
55+ int initiate;
56+ int opened;
57 OM_uint32 ctx_flags;
58 gss_name_t internal_name;
59 gss_OID actual_mech;
60diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
61index f9248ab..3423f22 100644
62--- a/src/lib/gssapi/spnego/spnego_mech.c
63+++ b/src/lib/gssapi/spnego/spnego_mech.c
64@@ -101,7 +101,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
65 gss_cred_usage_t, gss_OID_set *);
66 static void release_spnego_ctx(spnego_gss_ctx_id_t *);
67 static void check_spnego_options(spnego_gss_ctx_id_t);
68-static spnego_gss_ctx_id_t create_spnego_ctx(void);
69+static spnego_gss_ctx_id_t create_spnego_ctx(int);
70 static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
71 static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
72 static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
73@@ -439,7 +439,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
74 }
75
76 static spnego_gss_ctx_id_t
77-create_spnego_ctx(void)
78+create_spnego_ctx(int initiate)
79 {
80 spnego_gss_ctx_id_t spnego_ctx = NULL;
81 spnego_ctx = (spnego_gss_ctx_id_t)
82@@ -462,6 +462,8 @@ create_spnego_ctx(void)
83 spnego_ctx->mic_rcvd = 0;
84 spnego_ctx->mech_complete = 0;
85 spnego_ctx->nego_done = 0;
86+ spnego_ctx->opened = 0;
87+ spnego_ctx->initiate = initiate;
88 spnego_ctx->internal_name = GSS_C_NO_NAME;
89 spnego_ctx->actual_mech = GSS_C_NO_OID;
90
91@@ -627,7 +629,7 @@ init_ctx_new(OM_uint32 *minor_status,
92 OM_uint32 ret;
93 spnego_gss_ctx_id_t sc = NULL;
94
95- sc = create_spnego_ctx();
96+ sc = create_spnego_ctx(1);
97 if (sc == NULL)
98 return GSS_S_FAILURE;
99
100@@ -644,10 +646,7 @@ init_ctx_new(OM_uint32 *minor_status,
101 ret = GSS_S_FAILURE;
102 goto cleanup;
103 }
104- /*
105- * The actual context is not yet determined, set the output
106- * context handle to refer to the spnego context itself.
107- */
108+
109 sc->ctx_handle = GSS_C_NO_CONTEXT;
110 *ctx = (gss_ctx_id_t)sc;
111 sc = NULL;
112@@ -1088,16 +1087,11 @@ cleanup:
113 }
114 gss_release_buffer(&tmpmin, &mechtok_out);
115 if (ret == GSS_S_COMPLETE) {
116- /*
117- * Now, switch the output context to refer to the
118- * negotiated mechanism's context.
119- */
120- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
121+ spnego_ctx->opened = 1;
122 if (actual_mech != NULL)
123 *actual_mech = spnego_ctx->actual_mech;
124 if (ret_flags != NULL)
125 *ret_flags = spnego_ctx->ctx_flags;
126- release_spnego_ctx(&spnego_ctx);
127 } else if (ret != GSS_S_CONTINUE_NEEDED) {
128 if (spnego_ctx != NULL) {
129 gss_delete_sec_context(&tmpmin,
130@@ -1341,7 +1335,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
131 if (ret != GSS_S_COMPLETE)
132 goto cleanup;
133
134- sc = create_spnego_ctx();
135+ sc = create_spnego_ctx(0);
136 if (sc == NULL) {
137 ret = GSS_S_FAILURE;
138 goto cleanup;
139@@ -1423,7 +1417,7 @@ acc_ctx_new(OM_uint32 *minor_status,
140 gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
141 assert(mech_wanted != GSS_C_NO_OID);
142 } else
143- sc = create_spnego_ctx();
144+ sc = create_spnego_ctx(0);
145 if (sc == NULL) {
146 ret = GSS_S_FAILURE;
147 *return_token = NO_TOKEN_SEND;
148@@ -1806,13 +1800,12 @@ cleanup:
149 ret = GSS_S_FAILURE;
150 }
151 if (ret == GSS_S_COMPLETE) {
152- *context_handle = (gss_ctx_id_t)sc->ctx_handle;
153+ sc->opened = 1;
154 if (sc->internal_name != GSS_C_NO_NAME &&
155 src_name != NULL) {
156 *src_name = sc->internal_name;
157 sc->internal_name = GSS_C_NO_NAME;
158 }
159- release_spnego_ctx(&sc);
160 } else if (ret != GSS_S_CONTINUE_NEEDED) {
161 if (sc != NULL) {
162 gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
163@@ -2125,8 +2118,13 @@ spnego_gss_unwrap(
164 gss_qop_t *qop_state)
165 {
166 OM_uint32 ret;
167+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
168+
169+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
170+ return (GSS_S_NO_CONTEXT);
171+
172 ret = gss_unwrap(minor_status,
173- context_handle,
174+ sc->ctx_handle,
175 input_message_buffer,
176 output_message_buffer,
177 conf_state,
178@@ -2146,8 +2144,13 @@ spnego_gss_wrap(
179 gss_buffer_t output_message_buffer)
180 {
181 OM_uint32 ret;
182+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
183+
184+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
185+ return (GSS_S_NO_CONTEXT);
186+
187 ret = gss_wrap(minor_status,
188- context_handle,
189+ sc->ctx_handle,
190 conf_req_flag,
191 qop_req,
192 input_message_buffer,
193@@ -2164,8 +2167,14 @@ spnego_gss_process_context_token(
194 const gss_buffer_t token_buffer)
195 {
196 OM_uint32 ret;
197+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
198+
199+ /* SPNEGO doesn't have its own context tokens. */
200+ if (!sc->opened)
201+ return (GSS_S_DEFECTIVE_TOKEN);
202+
203 ret = gss_process_context_token(minor_status,
204- context_handle,
205+ sc->ctx_handle,
206 token_buffer);
207
208 return (ret);
209@@ -2189,19 +2198,9 @@ spnego_gss_delete_sec_context(
210 if (*ctx == NULL)
211 return (GSS_S_COMPLETE);
212
213- /*
214- * If this is still an SPNEGO mech, release it locally.
215- */
216- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
217- (void) gss_delete_sec_context(minor_status,
218- &(*ctx)->ctx_handle,
219- output_token);
220- (void) release_spnego_ctx(ctx);
221- } else {
222- ret = gss_delete_sec_context(minor_status,
223- context_handle,
224- output_token);
225- }
226+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
227+ output_token);
228+ (void) release_spnego_ctx(ctx);
229
230 return (ret);
231 }
232@@ -2213,8 +2212,13 @@ spnego_gss_context_time(
233 OM_uint32 *time_rec)
234 {
235 OM_uint32 ret;
236+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
237+
238+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
239+ return (GSS_S_NO_CONTEXT);
240+
241 ret = gss_context_time(minor_status,
242- context_handle,
243+ sc->ctx_handle,
244 time_rec);
245 return (ret);
246 }
247@@ -2226,9 +2230,20 @@ spnego_gss_export_sec_context(
248 gss_buffer_t interprocess_token)
249 {
250 OM_uint32 ret;
251+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
252+
253+ /* We don't currently support exporting partially established
254+ * contexts. */
255+ if (!sc->opened)
256+ return GSS_S_UNAVAILABLE;
257+
258 ret = gss_export_sec_context(minor_status,
259- context_handle,
260+ &sc->ctx_handle,
261 interprocess_token);
262+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
263+ release_spnego_ctx(&sc);
264+ *context_handle = GSS_C_NO_CONTEXT;
265+ }
266 return (ret);
267 }
268
269@@ -2238,11 +2253,12 @@ spnego_gss_import_sec_context(
270 const gss_buffer_t interprocess_token,
271 gss_ctx_id_t *context_handle)
272 {
273- OM_uint32 ret;
274- ret = gss_import_sec_context(minor_status,
275- interprocess_token,
276- context_handle);
277- return (ret);
278+ /*
279+ * Until we implement partial context exports, there are no SPNEGO
280+ * exported context tokens, only tokens for underlying mechs. So just
281+ * return an error for now.
282+ */
283+ return GSS_S_UNAVAILABLE;
284 }
285 #endif /* LEAN_CLIENT */
286
287@@ -2259,16 +2275,48 @@ spnego_gss_inquire_context(
288 int *opened)
289 {
290 OM_uint32 ret = GSS_S_COMPLETE;
291+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
292+
293+ if (src_name != NULL)
294+ *src_name = GSS_C_NO_NAME;
295+ if (targ_name != NULL)
296+ *targ_name = GSS_C_NO_NAME;
297+ if (lifetime_rec != NULL)
298+ *lifetime_rec = 0;
299+ if (mech_type != NULL)
300+ *mech_type = (gss_OID)gss_mech_spnego;
301+ if (ctx_flags != NULL)
302+ *ctx_flags = 0;
303+ if (locally_initiated != NULL)
304+ *locally_initiated = sc->initiate;
305+ if (opened != NULL)
306+ *opened = sc->opened;
307+
308+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
309+ ret = gss_inquire_context(minor_status, sc->ctx_handle,
310+ src_name, targ_name, lifetime_rec,
311+ mech_type, ctx_flags, NULL, NULL);
312+ }
313
314- ret = gss_inquire_context(minor_status,
315- context_handle,
316- src_name,
317- targ_name,
318- lifetime_rec,
319- mech_type,
320- ctx_flags,
321- locally_initiated,
322- opened);
323+ if (!sc->opened) {
324+ /*
325+ * We are still doing SPNEGO negotiation, so report SPNEGO as
326+ * the OID. After negotiation is complete we will report the
327+ * underlying mechanism OID.
328+ */
329+ if (mech_type != NULL)
330+ *mech_type = (gss_OID)gss_mech_spnego;
331+
332+ /*
333+ * Remove flags we don't support with partially-established
334+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add
335+ * support for exporting partial SPNEGO contexts.)
336+ */
337+ if (ctx_flags != NULL) {
338+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG;
339+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
340+ }
341+ }
342
343 return (ret);
344 }
345@@ -2283,8 +2331,13 @@ spnego_gss_wrap_size_limit(
346 OM_uint32 *max_input_size)
347 {
348 OM_uint32 ret;
349+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
350+
351+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
352+ return (GSS_S_NO_CONTEXT);
353+
354 ret = gss_wrap_size_limit(minor_status,
355- context_handle,
356+ sc->ctx_handle,
357 conf_req_flag,
358 qop_req,
359 req_output_size,
360@@ -2301,8 +2354,13 @@ spnego_gss_get_mic(
361 gss_buffer_t message_token)
362 {
363 OM_uint32 ret;
364+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
365+
366+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
367+ return (GSS_S_NO_CONTEXT);
368+
369 ret = gss_get_mic(minor_status,
370- context_handle,
371+ sc->ctx_handle,
372 qop_req,
373 message_buffer,
374 message_token);
375@@ -2318,8 +2376,13 @@ spnego_gss_verify_mic(
376 gss_qop_t *qop_state)
377 {
378 OM_uint32 ret;
379+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
380+
381+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
382+ return (GSS_S_NO_CONTEXT);
383+
384 ret = gss_verify_mic(minor_status,
385- context_handle,
386+ sc->ctx_handle,
387 msg_buffer,
388 token_buffer,
389 qop_state);
390@@ -2334,8 +2397,14 @@ spnego_gss_inquire_sec_context_by_oid(
391 gss_buffer_set_t *data_set)
392 {
393 OM_uint32 ret;
394+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
395+
396+ /* There are no SPNEGO-specific OIDs for this function. */
397+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
398+ return (GSS_S_UNAVAILABLE);
399+
400 ret = gss_inquire_sec_context_by_oid(minor_status,
401- context_handle,
402+ sc->ctx_handle,
403 desired_object,
404 data_set);
405 return (ret);
406@@ -2404,8 +2473,15 @@ spnego_gss_set_sec_context_option(
407 const gss_buffer_t value)
408 {
409 OM_uint32 ret;
410+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
411+
412+ /* There are no SPNEGO-specific OIDs for this function, and we cannot
413+ * construct an empty SPNEGO context with it. */
414+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
415+ return (GSS_S_UNAVAILABLE);
416+
417 ret = gss_set_sec_context_option(minor_status,
418- context_handle,
419+ &sc->ctx_handle,
420 desired_object,
421 value);
422 return (ret);
423@@ -2422,8 +2498,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
424 gss_buffer_t output_message_buffer)
425 {
426 OM_uint32 ret;
427+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
428+
429+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
430+ return (GSS_S_NO_CONTEXT);
431+
432 ret = gss_wrap_aead(minor_status,
433- context_handle,
434+ sc->ctx_handle,
435 conf_req_flag,
436 qop_req,
437 input_assoc_buffer,
438@@ -2444,8 +2525,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
439 gss_qop_t *qop_state)
440 {
441 OM_uint32 ret;
442+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
443+
444+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
445+ return (GSS_S_NO_CONTEXT);
446+
447 ret = gss_unwrap_aead(minor_status,
448- context_handle,
449+ sc->ctx_handle,
450 input_message_buffer,
451 input_assoc_buffer,
452 output_payload_buffer,
453@@ -2464,8 +2550,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
454 int iov_count)
455 {
456 OM_uint32 ret;
457+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
458+
459+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
460+ return (GSS_S_NO_CONTEXT);
461+
462 ret = gss_wrap_iov(minor_status,
463- context_handle,
464+ sc->ctx_handle,
465 conf_req_flag,
466 qop_req,
467 conf_state,
468@@ -2483,8 +2574,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
469 int iov_count)
470 {
471 OM_uint32 ret;
472+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
473+
474+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
475+ return (GSS_S_NO_CONTEXT);
476+
477 ret = gss_unwrap_iov(minor_status,
478- context_handle,
479+ sc->ctx_handle,
480 conf_state,
481 qop_state,
482 iov,
483@@ -2502,8 +2598,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
484 int iov_count)
485 {
486 OM_uint32 ret;
487+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
488+
489+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
490+ return (GSS_S_NO_CONTEXT);
491+
492 ret = gss_wrap_iov_length(minor_status,
493- context_handle,
494+ sc->ctx_handle,
495 conf_req_flag,
496 qop_req,
497 conf_state,
498@@ -2520,8 +2621,13 @@ spnego_gss_complete_auth_token(
499 gss_buffer_t input_message_buffer)
500 {
501 OM_uint32 ret;
502+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
503+
504+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
505+ return (GSS_S_UNAVAILABLE);
506+
507 ret = gss_complete_auth_token(minor_status,
508- context_handle,
509+ sc->ctx_handle,
510 input_message_buffer);
511 return (ret);
512 }
513@@ -2773,8 +2879,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
514 gss_buffer_t prf_out)
515 {
516 OM_uint32 ret;
517+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
518+
519+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
520+ return (GSS_S_NO_CONTEXT);
521+
522 ret = gss_pseudo_random(minor_status,
523- context,
524+ sc->ctx_handle,
525 prf_key,
526 prf_in,
527 desired_output_len,
528@@ -2915,7 +3026,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
529 gss_qop_t qop_req, gss_iov_buffer_desc *iov,
530 int iov_count)
531 {
532- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
533+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
534+
535+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
536+ return (GSS_S_NO_CONTEXT);
537+
538+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
539 iov_count);
540 }
541
542@@ -2924,7 +3040,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
543 gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
544 int iov_count)
545 {
546- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
547+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
548+
549+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
550+ return (GSS_S_NO_CONTEXT);
551+
552+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
553 iov_count);
554 }
555
556@@ -2933,7 +3054,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
557 gss_ctx_id_t context_handle, gss_qop_t qop_req,
558 gss_iov_buffer_desc *iov, int iov_count)
559 {
560- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
561+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
562+
563+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
564+ return (GSS_S_NO_CONTEXT);
565+
566+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
567 iov_count);
568 }
569
570--
5711.9.1
572
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch
deleted file mode 100644
index 9b0c18b75f..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch
+++ /dev/null
@@ -1,58 +0,0 @@
1From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001
2From: Greg Hudson <ghudson@mit.edu>
3Date: Fri, 25 Sep 2015 12:51:47 -0400
4Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697]
5
6In build_principal_va(), use k5memdup0() instead of strdup() to make a
7copy of the realm, to ensure that we allocate the correct number of
8bytes and do not read past the end of the input string. This bug
9affects krb5_build_principal(), krb5_build_principal_va(), and
10krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
11affected.
12
13CVE-2015-2697:
14
15In MIT krb5 1.7 and later, an authenticated attacker may be able to
16cause a KDC to crash using a TGS request with a large realm field
17beginning with a null byte. If the KDC attempts to find a referral to
18answer the request, it constructs a principal name for lookup using
19krb5_build_principal() with the requested realm. Due to a bug in this
20function, the null byte causes only one byte be allocated for the
21realm field of the constructed principal, far less than its length.
22Subsequent operations on the lookup principal may cause a read beyond
23the end of the mapped memory region, causing the KDC process to crash.
24
25CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
26
27ticket: 8252 (new)
28target_version: 1.14
29tags: pullup
30
31Backport upstream commit:
32https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
33
34Upstream-Status: Backport
35---
36 src/lib/krb5/krb/bld_princ.c | 6 ++----
37 1 file changed, 2 insertions(+), 4 deletions(-)
38
39diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
40index ab6fed8..8604268 100644
41--- a/src/lib/krb5/krb/bld_princ.c
42+++ b/src/lib/krb5/krb/bld_princ.c
43@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
44 data = malloc(size * sizeof(krb5_data));
45 if (!data) { retval = ENOMEM; }
46
47- if (!retval) {
48- r = strdup(realm);
49- if (!r) { retval = ENOMEM; }
50- }
51+ if (!retval)
52+ r = k5memdup0(realm, rlen, &retval);
53
54 while (!retval && (component = va_arg(ap, char *))) {
55 if (count == size) {
56--
571.9.1
58
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
deleted file mode 100644
index 67fefed898..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
+++ /dev/null
@@ -1,36 +0,0 @@
1Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
2From: Greg Hudson
3
4In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
5if there is an empty string in the db_args array. Check for this case
6and avoid dereferencing a null pointer.
7
8CVE-2016-3119:
9
10In MIT krb5 1.6 and later, an authenticated attacker with permission
11to modify a principal entry can cause kadmind to dereference a null
12pointer by supplying an empty DB argument to the modify_principal
13command, if kadmind is configured to use the LDAP KDB module.
14
15 CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
16
17ticket: 8383 (new)
18target_version: 1.14-next
19target_version: 1.13-next
20tags: pullup
21
22Upstream-Status: Backport
23
24Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
25Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
26===================================================================
27--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
28+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800
29@@ -267,6 +267,7 @@
30 if (db_args) {
31 for (i=0; db_args[i]; ++i) {
32 arg = strtok_r(db_args[i], "=", &arg_val);
33+ arg = (arg != NULL) ? arg : "";
34 if (strcmp(arg, TKTPOLICY_ARG) == 0) {
35 dptr = &xargs->tktpolicydn;
36 } else {
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
deleted file mode 100644
index dbc46bb79d..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
+++ /dev/null
@@ -1,63 +0,0 @@
1From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
2From: Greg Hudson <ghudson@mit.edu>
3Date: Tue, 19 Jul 2016 11:00:28 -0400
4Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
5
6cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
7
8In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
9use client.princ instead of request->client; the latter is NULL when
10validating S4U2Self requests.
11
12CVE-2016-3120:
13
14In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
15to dereference a null pointer if the restrict_anonymous_to_tgt option
16is set to true, by making an S4U2Self request.
17
18 CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
19
20ticket: 8458 (new)
21target_version: 1.14-next
22target_version: 1.13-next
23
24Upstream-Status: Backport
25
26Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
27---
28 src/kdc/kdc_util.c | 2 +-
29 src/tests/t_pkinit.py | 5 +++++
30 2 files changed, 6 insertions(+), 1 deletion(-)
31
32diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
33index 48be1ae..10daec4 100644
34--- a/src/kdc/kdc_util.c
35+++ b/src/kdc/kdc_util.c
36@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
37 return(KDC_ERR_MUST_USE_USER2USER);
38 }
39
40- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
41+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
42 *status = "ANONYMOUS NOT ALLOWED";
43 return(KDC_ERR_POLICY);
44 }
45diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
46index 762e322..d27d05b 100644
47--- a/src/tests/t_pkinit.py
48+++ b/src/tests/t_pkinit.py
49@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
50 if 'KDC policy rejects request' not in out:
51 fail('Wrong error for restricted anonymous PKINIT')
52
53+# Regression test for #8458: S4U2Self requests crash the KDC if
54+# anonymous is restricted.
55+realm.kinit(realm.host_princ, flags=['-k'])
56+realm.run([kvno, '-U', 'user', realm.host_princ])
57+
58 # Go back to a normal KDC and disable anonymous PKINIT.
59 realm.stop_kdc()
60 realm.start_kdc()
61--
622.5.0
63
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb
index 12d35319c8..e2d0594bde 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb
@@ -14,19 +14,15 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
14HOMEPAGE = "http://web.mit.edu/Kerberos/" 14HOMEPAGE = "http://web.mit.edu/Kerberos/"
15SECTION = "console/network" 15SECTION = "console/network"
16LICENSE = "MIT" 16LICENSE = "MIT"
17LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f" 17LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=c6f37efad53b098e420f45e7ab6807dc"
18DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" 18DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
19 19
20inherit autotools-brokensep binconfig perlnative systemd 20inherit autotools-brokensep binconfig perlnative systemd
21 21
22SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" 22SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
23SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ 23SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
24 file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ 24 file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
25 file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ 25 file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
26 file://Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch;striplevel=2 \
27 file://Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch;striplevel=2 \
28 file://Fix-build_principal-memory-bug-CVE-2015-2697.patch;striplevel=2 \
29 file://Fix-IAKERB-context-export-import-CVE-2015-2698.patch;striplevel=2 \
30 file://crosscompile_nm.patch \ 26 file://crosscompile_nm.patch \
31 file://etc/init.d/krb5-kdc \ 27 file://etc/init.d/krb5-kdc \
32 file://etc/init.d/krb5-admin-server \ 28 file://etc/init.d/krb5-admin-server \
@@ -34,12 +30,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
34 file://etc/default/krb5-admin-server \ 30 file://etc/default/krb5-admin-server \
35 file://krb5-kdc.service \ 31 file://krb5-kdc.service \
36 file://krb5-admin-server.service \ 32 file://krb5-admin-server.service \
37 file://krb5-CVE-2016-3119.patch;striplevel=2 \
38 file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
39 file://krb5-CVE-2016-3120.patch;striplevel=2 \
40" 33"
41SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" 34SRC_URI[md5sum] = "6164ca9c075b4ecc68eadd6d13040417"
42SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" 35SRC_URI[sha256sum] = "9c0a46b8918237a53916370d2e02298c2b294f55f0351f9404e18930bc26badc"
43 36
44S = "${WORKDIR}/${BP}/src" 37S = "${WORKDIR}/${BP}/src"
45 38
@@ -68,16 +61,6 @@ FILES_${PN}-dbg += "${libdir}/krb5/plugins/*/.debug"
68# As this recipe doesn't inherit update-rc.d, we need to add this dependency here 61# As this recipe doesn't inherit update-rc.d, we need to add this dependency here
69RDEPENDS_${PN}_class-target += "initscripts-functions" 62RDEPENDS_${PN}_class-target += "initscripts-functions"
70 63
71krb5_do_unpack() {
72 # ${P}-signed.tar contains ${P}.tar.gz.asc and ${P}.tar.gz
73 tar xzf ${WORKDIR}/${BP}.tar.gz -C ${WORKDIR}/
74}
75
76python do_unpack() {
77 bb.build.exec_func('base_do_unpack', d)
78 bb.build.exec_func('krb5_do_unpack', d)
79}
80
81do_configure() { 64do_configure() {
82 gnu-configize --force 65 gnu-configize --force
83 autoreconf 66 autoreconf
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-02-05 11:43:42 +0000