[krb5/f20] Fix NTLMSSP fallback (#1122324)
David Woodhouse
dwmw2 at fedoraproject.org
Tue Mar 17 13:28:07 UTC 2015
commit 92f0273231cbd8ad246061dcded4f997d174b27d
Author: David Woodhouse <David.Woodhouse at intel.com>
Date: Tue Mar 17 13:26:42 2015 +0000
Fix NTLMSSP fallback (#1122324)
...NEGO-fallback-to-NTLM-without-mechlistMIC.patch | 67 ++++++++++++++++++++++
krb5.spec | 10 +++-
2 files changed, 76 insertions(+), 1 deletion(-)
---
diff --git a/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch b/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
new file mode 100644
index 0000000..e4d2d77
--- /dev/null
+++ b/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
@@ -0,0 +1,67 @@
+From 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson at mit.edu>
+Date: Fri, 8 Aug 2014 13:32:51 -0400
+Subject: [PATCH] Allow SPNEGO fallback to NTLM without mechlistMIC
+
+For interoperability with Windows Server 2003 and earlier, loosen the
+initiator's enforcement of RFC 4178's mechlistMIC requirement when
+falling back to NTLMSSP.
+
+[ghudson at mit.edu: rewrote commit message, added comment to NTLMSSP
+OID]
+
+ticket: 7975
+target_version: 1.13
+tags: pullup
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 2aa6810..f9248ab 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -806,6 +806,11 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ return ret;
+ }
+
++/* iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Microsoft(311)
++ * security(2) mechanisms(2) NTLM(10) */
++static const gss_OID_desc gss_mech_ntlmssp_oid =
++ { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
++
+ /*
+ * Handle acceptor's counter-proposal of an alternative mechanism.
+ */
+@@ -831,17 +836,21 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ sc->internal_mech = &sc->mech_set->elements[i];
+
+ /*
+- * Windows 2003 and earlier don't correctly send a
+- * negState of request-mic when counter-proposing a
+- * mechanism. They probably don't handle mechListMICs
+- * properly either.
++ * A server conforming to RFC4178 MUST set REQUEST_MIC here, but
++ * Windows Server 2003 and earlier implement (roughly) RFC2478 instead,
++ * and send ACCEPT_INCOMPLETE. Tolerate that only if we are falling
++ * back to NTLMSSP.
+ */
+- if (acc_negState != REQUEST_MIC)
++ if (acc_negState == ACCEPT_INCOMPLETE) {
++ if (!g_OID_equal(supportedMech, &gss_mech_ntlmssp_oid))
++ return GSS_S_DEFECTIVE_TOKEN;
++ } else if (acc_negState != REQUEST_MIC) {
+ return GSS_S_DEFECTIVE_TOKEN;
++ }
+
+ sc->mech_complete = 0;
+- sc->mic_reqd = 1;
+- *negState = REQUEST_MIC;
++ sc->mic_reqd = (acc_negState == REQUEST_MIC);
++ *negState = acc_negState;
+ *tokflag = CONT_TOKEN_SEND;
+ return GSS_S_CONTINUE_NEEDED;
+ }
+--
+2.1.0
+
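Review bot: The ACCEPT_INCOMPLETE branch added to init_ctx_reselect deliberately clears `sc->mic_reqd` and echoes the acceptor's negState, so on the NTLMSSP fallback path the negotiated mechanism list is never covered by a mechlistMIC; the new comment gives the interoperability reason but not this consequence, which the next maintainer will want spelled out, e.g. append ` * Without a mechlistMIC the initiator cannot detect tampering with the mech list on this path.` to the comment block. The relaxation is correctly bounded to the single OID via `g_OID_equal(supportedMech, &gss_mech_ntlmssp_oid)`, so other mechanisms still require REQUEST_MIC as before. init_ctx_reselect's signature and the loop that sets `sc->internal_mech` lie outside the hunk, so the surrounding control flow cannot be checked here.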
diff --git a/krb5.spec b/krb5.spec
index 317f5d6..67daf73 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.5
-Release: 18%{?dist}
+Release: 19%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -163,6 +163,9 @@ Patch409: krb5-11.1_CVE-2014-5351_001.patch
Patch410: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
Patch411: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.11.5-final.patch
+# Fix NTLMSSP fallback
+Patch412: 0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
+
License: MIT
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
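Review bot: The new `# Fix NTLMSSP fallback` comment above Patch412 does not record where the patch comes from, while the patch file itself carries upstream ticket 7975, a 1.13 target version and the upstream commit id; recording that at the declaration saves the next packager a trip into the patch, e.g. `# Fix NTLMSSP fallback (#1122324; upstream krb5 ticket 7975, commit 7208dace)`. The changelog entry added later in the file names only the bug number and would benefit from the same reference.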
@@ -449,6 +452,8 @@ ln -s NOTICE LICENSE
%patch203 -p1 -b .otp2
%patch204 -p1 -b .move-otp-sockets
+%patch412 -p1 -b .ntlmssp
+
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt
@@ -1117,6 +1122,9 @@ exit 0
%changelog
+* Tue Mar 17 2015 David Woodhouse <dwmw2 at infradead.org> - 1.11.5-19
+- Fix NTLMSSP fallback (#1122324)
+
* Wed Feb 4 2015 Roland Mainz <rmainz at redhat.com> - 1.11.5-18
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
incorrectly frees context (MITKRB5-SA-2015-001)"