[krb5/f20] Fix NTLMSSP fallback (#1122324)

David Woodhouse dwmw2 at fedoraproject.org
Tue Mar 17 13:28:07 UTC 2015


commit 92f0273231cbd8ad246061dcded4f997d174b27d
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Tue Mar 17 13:26:42 2015 +0000

    Fix NTLMSSP fallback (#1122324)

 ...NEGO-fallback-to-NTLM-without-mechlistMIC.patch | 67 ++++++++++++++++++++++
 krb5.spec                                          | 10 +++-
 2 files changed, 76 insertions(+), 1 deletion(-)
---
diff --git a/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch b/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
new file mode 100644
index 0000000..e4d2d77
--- /dev/null
+++ b/0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
@@ -0,0 +1,67 @@
+From 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson at mit.edu>
+Date: Fri, 8 Aug 2014 13:32:51 -0400
+Subject: [PATCH] Allow SPNEGO fallback to NTLM without mechlistMIC
+
+For interoperability with Windows Server 2003 and earlier, loosen the
+initiator's enforcement of RFC 4178's mechlistMIC requirement when
+falling back to NTLMSSP.
+
+[ghudson at mit.edu: rewrote commit message, added comment to NTLMSSP
+OID]
+
+ticket: 7975
+target_version: 1.13
+tags: pullup
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 2aa6810..f9248ab 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -806,6 +806,11 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 	return ret;
+ }
+ 
++/* iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Microsoft(311)
++ * security(2) mechanisms(2) NTLM(10) */
++static const gss_OID_desc gss_mech_ntlmssp_oid =
++	{ 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
++
+ /*
+  * Handle acceptor's counter-proposal of an alternative mechanism.
+  */
+@@ -831,17 +836,21 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 	sc->internal_mech = &sc->mech_set->elements[i];
+ 
+ 	/*
+-	 * Windows 2003 and earlier don't correctly send a
+-	 * negState of request-mic when counter-proposing a
+-	 * mechanism.  They probably don't handle mechListMICs
+-	 * properly either.
++	 * A server conforming to RFC4178 MUST set REQUEST_MIC here, but
++	 * Windows Server 2003 and earlier implement (roughly) RFC2478 instead,
++	 * and send ACCEPT_INCOMPLETE.  Tolerate that only if we are falling
++	 * back to NTLMSSP.
+ 	 */
+-	if (acc_negState != REQUEST_MIC)
++	if (acc_negState == ACCEPT_INCOMPLETE) {
++		if (!g_OID_equal(supportedMech, &gss_mech_ntlmssp_oid))
++			return GSS_S_DEFECTIVE_TOKEN;
++	} else if (acc_negState != REQUEST_MIC) {
+ 		return GSS_S_DEFECTIVE_TOKEN;
++	}
+ 
+ 	sc->mech_complete = 0;
+-	sc->mic_reqd = 1;
+-	*negState = REQUEST_MIC;
++	sc->mic_reqd = (acc_negState == REQUEST_MIC);
++	*negState = acc_negState;
+ 	*tokflag = CONT_TOKEN_SEND;
+ 	return GSS_S_CONTINUE_NEEDED;
+ }
+-- 
+2.1.0
+
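Review bot: The new ACCEPT_INCOMPLETE branch clears `sc->mic_reqd` (via `sc->mic_reqd = (acc_negState == REQUEST_MIC)`) and propagates the acceptor's negState, so on an NTLMSSP fallback the initiator completes without ever requiring a mechListMIC, yet the comment above the check states only the interoperability reason and not what is given up. I would extend that comment with a sentence such as `As I read RFC 4178, the mechListMIC is what lets the initiator detect a tampered mechanism list, so on this path a steering of the negotiation to NTLMSSP by a party able to alter the token is not detected; accepted for Windows Server 2003 interop only.` The trade-off is spelled out in the patch description but not at the line where it is decided. Whether the later continuation code copes with mic_reqd being 0 after a reselect is not visible here, since init_ctx_reselect begins before the hunk. The OID comment would also read more easily with the dotted form next to the arcs, e.g. `/* 1.3.6.1.4.1.311.2.2.10: iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Microsoft(311) security(2) mechanisms(2) NTLM(10) */`.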
diff --git a/krb5.spec b/krb5.spec
index 317f5d6..67daf73 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.5
-Release: 18%{?dist}
+Release: 19%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -163,6 +163,9 @@ Patch409: krb5-11.1_CVE-2014-5351_001.patch
 Patch410: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
 Patch411: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.11.5-final.patch
 
+# Fix NTLMSSP fallback
+Patch412: 0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
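Review bot: The `# Fix NTLMSSP fallback` comment introducing Patch412 carries no upstream reference, although the patch header itself names one; I would write `# Fix NTLMSSP fallback (#1122324; upstream ticket 7975, commit 7208dace)` so that the next rebase can tell at a glance whether the patch has landed upstream. The matching `%patch412 -p1 -b .ntlmssp` line in the later hunk is applied right after %patch204 rather than in numeric sequence with the other 4xx patches; if the %patch409 to %patch411 applications sit elsewhere in %prep (not visible here), placing it beside them would make the ordering easier to follow.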
@@ -449,6 +452,8 @@ ln -s NOTICE LICENSE
 %patch203 -p1 -b .otp2
 %patch204 -p1 -b .move-otp-sockets
 
+%patch412 -p1 -b .ntlmssp
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt
 
@@ -1117,6 +1122,9 @@ exit 0
 
 
 %changelog
+* Tue Mar 17 2015 David Woodhouse <dwmw2 at infradead.org> - 1.11.5-19
+- Fix NTLMSSP fallback (#1122324)
+
 * Wed Feb 4 2015 Roland Mainz <rmainz at redhat.com> - 1.11.5-18
 - fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
   incorrectly frees context (MITKRB5-SA-2015-001)"

