diff --git a/crypto/krb5/README b/crypto/krb5/README --- a/crypto/krb5/README +++ b/crypto/krb5/README @@ -97,6 +97,18 @@ Beginning with the krb5-1.18 release, all support for single-DES encryption types has been removed. +Major changes in 1.22.1 (2025-08-20) +------------------------------------ + +This is a bug fix release. + +* Fix a vulnerability in GSS MIC verification [CVE-2025-57736]. + +krb5-1.22.1 changes by ticket ID +-------------------------------- + +9181 verify_mic_v3 broken in 1.22 + Major changes in 1.22 (2025-08-05) ---------------------------------- @@ -383,6 +395,7 @@ Roland Dowdeswell Ken Dreyer Dorian Ducournau + Francis Dupont Viktor Dukhovni Jason Edgecombe Mark Eichin diff --git a/crypto/krb5/src/configure b/crypto/krb5/src/configure --- a/crypto/krb5/src/configure +++ b/crypto/krb5/src/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22-final. +# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22.1. # # Report bugs to . # @@ -615,8 +615,8 @@ # Identity of this package. PACKAGE_NAME='Kerberos 5' PACKAGE_TARNAME='krb5' -PACKAGE_VERSION='1.22-final' -PACKAGE_STRING='Kerberos 5 1.22-final' +PACKAGE_VERSION='1.22.1' +PACKAGE_STRING='Kerberos 5 1.22.1' PACKAGE_BUGREPORT='krb5-bugs@mit.edu' PACKAGE_URL='' @@ -1506,7 +1506,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Kerberos 5 1.22-final to adapt to many kinds of systems. +\`configure' configures Kerberos 5 1.22.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1577,7 +1577,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Kerberos 5 1.22-final:";; + short | recursive ) echo "Configuration of Kerberos 5 1.22.1:";; esac cat <<\_ACEOF @@ -1739,7 +1739,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Kerberos 5 configure 1.22-final +Kerberos 5 configure 1.22.1 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2439,7 +2439,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Kerberos 5 $as_me 1.22-final, which was +It was created by Kerberos 5 $as_me 1.22.1, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -8159,7 +8159,7 @@ -KRB5_VERSION=1.22-final +KRB5_VERSION=1.22.1 @@ -15366,7 +15366,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Kerberos 5 $as_me 1.22-final, which was +This file was extended by Kerberos 5 $as_me 1.22.1, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15430,7 +15430,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -Kerberos 5 config.status 1.22-final +Kerberos 5 config.status 1.22.1 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/crypto/krb5/src/lib/gssapi/generic/util_token.c b/crypto/krb5/src/lib/gssapi/generic/util_token.c --- a/crypto/krb5/src/lib/gssapi/generic/util_token.c +++ b/crypto/krb5/src/lib/gssapi/generic/util_token.c @@ -107,9 +107,8 @@ gss_OID_desc mech; size_t tlen, orig_len = in->len; - if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len) - return 0; - if (!g_OID_equal(&mech, expected_mech)) { + if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len || + !g_OID_equal(&mech, expected_mech)) { *in = orig; return 0; } diff --git a/crypto/krb5/src/lib/gssapi/krb5/unwrap.c b/crypto/krb5/src/lib/gssapi/krb5/unwrap.c --- a/crypto/krb5/src/lib/gssapi/krb5/unwrap.c +++ b/crypto/krb5/src/lib/gssapi/krb5/unwrap.c @@ -228,7 +228,7 @@ ret = krb5_k_decrypt(context, key, usage, NULL, &cipher, &plain); if (ret) { *minor_status = ret; - major = GSS_S_FAILURE; + major = GSS_S_BAD_SIG; goto cleanup; } diff --git a/crypto/krb5/src/man/k5identity.man b/crypto/krb5/src/man/k5identity.man --- a/crypto/krb5/src/man/k5identity.man +++ b/crypto/krb5/src/man/k5identity.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "K5IDENTITY" "5" " " "1.22" "MIT Kerberos" +.TH "K5IDENTITY" "5" " " "1.22.1" "MIT Kerberos" .SH NAME k5identity \- Kerberos V5 client principal selection rules .SH DESCRIPTION diff --git a/crypto/krb5/src/man/k5login.man b/crypto/krb5/src/man/k5login.man --- a/crypto/krb5/src/man/k5login.man +++ b/crypto/krb5/src/man/k5login.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "K5LOGIN" "5" " " "1.22" "MIT Kerberos" +.TH "K5LOGIN" "5" " " "1.22.1" "MIT Kerberos" .SH NAME k5login \- Kerberos V5 acl file for host access .SH DESCRIPTION diff --git a/crypto/krb5/src/man/k5srvutil.man b/crypto/krb5/src/man/k5srvutil.man --- a/crypto/krb5/src/man/k5srvutil.man +++ b/crypto/krb5/src/man/k5srvutil.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "K5SRVUTIL" "1" " " "1.22" "MIT Kerberos" +.TH "K5SRVUTIL" "1" " " "1.22.1" "MIT Kerberos" .SH NAME k5srvutil \- host key table (keytab) manipulation utility .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kadm5.acl.man b/crypto/krb5/src/man/kadm5.acl.man --- a/crypto/krb5/src/man/kadm5.acl.man +++ b/crypto/krb5/src/man/kadm5.acl.man @@ -28,7 +28,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KADM5.ACL" "5" " " "1.22" "MIT Kerberos" +.TH "KADM5.ACL" "5" " " "1.22.1" "MIT Kerberos" .SH NAME kadm5.acl \- Kerberos ACL file .SH DESCRIPTION diff --git a/crypto/krb5/src/man/kadmin.man b/crypto/krb5/src/man/kadmin.man --- a/crypto/krb5/src/man/kadmin.man +++ b/crypto/krb5/src/man/kadmin.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KADMIN" "1" " " "1.22" "MIT Kerberos" +.TH "KADMIN" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kadmin \- Kerberos V5 database administration program .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kadmind.man b/crypto/krb5/src/man/kadmind.man --- a/crypto/krb5/src/man/kadmind.man +++ b/crypto/krb5/src/man/kadmind.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KADMIND" "8" " " "1.22" "MIT Kerberos" +.TH "KADMIND" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kadmind \- KADM5 administration server .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kdb5_ldap_util.man b/crypto/krb5/src/man/kdb5_ldap_util.man --- a/crypto/krb5/src/man/kdb5_ldap_util.man +++ b/crypto/krb5/src/man/kdb5_ldap_util.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KDB5_LDAP_UTIL" "8" " " "1.22" "MIT Kerberos" +.TH "KDB5_LDAP_UTIL" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kdb5_ldap_util \- Kerberos configuration utility .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kdb5_util.man b/crypto/krb5/src/man/kdb5_util.man --- a/crypto/krb5/src/man/kdb5_util.man +++ b/crypto/krb5/src/man/kdb5_util.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KDB5_UTIL" "8" " " "1.22" "MIT Kerberos" +.TH "KDB5_UTIL" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kdb5_util \- Kerberos database maintenance utility .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kdc.conf.man b/crypto/krb5/src/man/kdc.conf.man --- a/crypto/krb5/src/man/kdc.conf.man +++ b/crypto/krb5/src/man/kdc.conf.man @@ -28,7 +28,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KDC.CONF" "5" " " "1.22" "MIT Kerberos" +.TH "KDC.CONF" "5" " " "1.22.1" "MIT Kerberos" .SH NAME kdc.conf \- Kerberos V5 KDC configuration file .sp diff --git a/crypto/krb5/src/man/kdestroy.man b/crypto/krb5/src/man/kdestroy.man --- a/crypto/krb5/src/man/kdestroy.man +++ b/crypto/krb5/src/man/kdestroy.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KDESTROY" "1" " " "1.22" "MIT Kerberos" +.TH "KDESTROY" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kdestroy \- destroy Kerberos tickets .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kerberos.man b/crypto/krb5/src/man/kerberos.man --- a/crypto/krb5/src/man/kerberos.man +++ b/crypto/krb5/src/man/kerberos.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KERBEROS" "7" " " "1.22" "MIT Kerberos" +.TH "KERBEROS" "7" " " "1.22.1" "MIT Kerberos" .SH NAME kerberos \- Overview of using Kerberos .SH DESCRIPTION diff --git a/crypto/krb5/src/man/kinit.man b/crypto/krb5/src/man/kinit.man --- a/crypto/krb5/src/man/kinit.man +++ b/crypto/krb5/src/man/kinit.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KINIT" "1" " " "1.22" "MIT Kerberos" +.TH "KINIT" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kinit \- obtain and cache Kerberos ticket-granting ticket .SH SYNOPSIS diff --git a/crypto/krb5/src/man/klist.man b/crypto/krb5/src/man/klist.man --- a/crypto/krb5/src/man/klist.man +++ b/crypto/krb5/src/man/klist.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KLIST" "1" " " "1.22" "MIT Kerberos" +.TH "KLIST" "1" " " "1.22.1" "MIT Kerberos" .SH NAME klist \- list cached Kerberos tickets .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kpasswd.man b/crypto/krb5/src/man/kpasswd.man --- a/crypto/krb5/src/man/kpasswd.man +++ b/crypto/krb5/src/man/kpasswd.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KPASSWD" "1" " " "1.22" "MIT Kerberos" +.TH "KPASSWD" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kpasswd \- change a user's Kerberos password .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kprop.man b/crypto/krb5/src/man/kprop.man --- a/crypto/krb5/src/man/kprop.man +++ b/crypto/krb5/src/man/kprop.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KPROP" "8" " " "1.22" "MIT Kerberos" +.TH "KPROP" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kprop \- propagate a Kerberos V5 principal database to a replica server .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kpropd.man b/crypto/krb5/src/man/kpropd.man --- a/crypto/krb5/src/man/kpropd.man +++ b/crypto/krb5/src/man/kpropd.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KPROPD" "8" " " "1.22" "MIT Kerberos" +.TH "KPROPD" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kpropd \- Kerberos V5 replica KDC update server .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kproplog.man b/crypto/krb5/src/man/kproplog.man --- a/crypto/krb5/src/man/kproplog.man +++ b/crypto/krb5/src/man/kproplog.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KPROPLOG" "8" " " "1.22" "MIT Kerberos" +.TH "KPROPLOG" "8" " " "1.22.1" "MIT Kerberos" .SH NAME kproplog \- display the contents of the Kerberos principal update log .SH SYNOPSIS diff --git a/crypto/krb5/src/man/krb5-config.man b/crypto/krb5/src/man/krb5-config.man --- a/crypto/krb5/src/man/krb5-config.man +++ b/crypto/krb5/src/man/krb5-config.man @@ -28,7 +28,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KRB5-CONFIG" "1" " " "1.22" "MIT Kerberos" +.TH "KRB5-CONFIG" "1" " " "1.22.1" "MIT Kerberos" .SH NAME krb5-config \- tool for linking against MIT Kerberos libraries .SH SYNOPSIS diff --git a/crypto/krb5/src/man/krb5.conf.man b/crypto/krb5/src/man/krb5.conf.man --- a/crypto/krb5/src/man/krb5.conf.man +++ b/crypto/krb5/src/man/krb5.conf.man @@ -28,7 +28,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KRB5.CONF" "5" " " "1.22" "MIT Kerberos" +.TH "KRB5.CONF" "5" " " "1.22.1" "MIT Kerberos" .SH NAME krb5.conf \- Kerberos configuration file .sp diff --git a/crypto/krb5/src/man/krb5kdc.man b/crypto/krb5/src/man/krb5kdc.man --- a/crypto/krb5/src/man/krb5kdc.man +++ b/crypto/krb5/src/man/krb5kdc.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KRB5KDC" "8" " " "1.22" "MIT Kerberos" +.TH "KRB5KDC" "8" " " "1.22.1" "MIT Kerberos" .SH NAME krb5kdc \- Kerberos V5 KDC .SH SYNOPSIS diff --git a/crypto/krb5/src/man/ksu.man b/crypto/krb5/src/man/ksu.man --- a/crypto/krb5/src/man/ksu.man +++ b/crypto/krb5/src/man/ksu.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KSU" "1" " " "1.22" "MIT Kerberos" +.TH "KSU" "1" " " "1.22.1" "MIT Kerberos" .SH NAME ksu \- Kerberized super-user .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kswitch.man b/crypto/krb5/src/man/kswitch.man --- a/crypto/krb5/src/man/kswitch.man +++ b/crypto/krb5/src/man/kswitch.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KSWITCH" "1" " " "1.22" "MIT Kerberos" +.TH "KSWITCH" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kswitch \- switch primary ticket cache .SH SYNOPSIS diff --git a/crypto/krb5/src/man/ktutil.man b/crypto/krb5/src/man/ktutil.man --- a/crypto/krb5/src/man/ktutil.man +++ b/crypto/krb5/src/man/ktutil.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KTUTIL" "1" " " "1.22" "MIT Kerberos" +.TH "KTUTIL" "1" " " "1.22.1" "MIT Kerberos" .SH NAME ktutil \- Kerberos keytab file maintenance utility .SH SYNOPSIS diff --git a/crypto/krb5/src/man/kvno.man b/crypto/krb5/src/man/kvno.man --- a/crypto/krb5/src/man/kvno.man +++ b/crypto/krb5/src/man/kvno.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KVNO" "1" " " "1.22" "MIT Kerberos" +.TH "KVNO" "1" " " "1.22.1" "MIT Kerberos" .SH NAME kvno \- print key version numbers of Kerberos principals .SH SYNOPSIS diff --git a/crypto/krb5/src/man/sclient.man b/crypto/krb5/src/man/sclient.man --- a/crypto/krb5/src/man/sclient.man +++ b/crypto/krb5/src/man/sclient.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SCLIENT" "1" " " "1.22" "MIT Kerberos" +.TH "SCLIENT" "1" " " "1.22.1" "MIT Kerberos" .SH NAME sclient \- sample Kerberos version 5 client .SH SYNOPSIS diff --git a/crypto/krb5/src/man/sserver.man b/crypto/krb5/src/man/sserver.man --- a/crypto/krb5/src/man/sserver.man +++ b/crypto/krb5/src/man/sserver.man @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SSERVER" "8" " " "1.22" "MIT Kerberos" +.TH "SSERVER" "8" " " "1.22.1" "MIT Kerberos" .SH NAME sserver \- sample Kerberos version 5 server .SH SYNOPSIS diff --git a/crypto/krb5/src/patchlevel.h b/crypto/krb5/src/patchlevel.h --- a/crypto/krb5/src/patchlevel.h +++ b/crypto/krb5/src/patchlevel.h @@ -51,7 +51,7 @@ */ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 22 -#define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "final" -#define KRB5_RELDATE "20250805" -#define KRB5_RELTAG "krb5-1.22-final" +#define KRB5_PATCHLEVEL 1 +/* #undef KRB5_RELTAIL */ +#define KRB5_RELDATE "20250820" +#define KRB5_RELTAG "krb5-1.22.1-final" diff --git a/crypto/krb5/src/po/mit-krb5.pot b/crypto/krb5/src/po/mit-krb5.pot --- a/crypto/krb5/src/po/mit-krb5.pot +++ b/crypto/krb5/src/po/mit-krb5.pot @@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: mit-krb5 1.22-final\n" +"Project-Id-Version: mit-krb5 1.22.1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2025-08-04 20:58-0400\n" +"POT-Creation-Date: 2025-08-20 15:43-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/crypto/krb5/src/tests/gssapi/t_invalid.c b/crypto/krb5/src/tests/gssapi/t_invalid.c --- a/crypto/krb5/src/tests/gssapi/t_invalid.c +++ b/crypto/krb5/src/tests/gssapi/t_invalid.c @@ -79,9 +79,13 @@ #include "gssapiP_krb5.h" /* - * The following samples contain context parameters and otherwise valid seal - * tokens where the plain text is padded with byte value 100 instead of the - * proper value 1. + * The following samples contain: + * - context parameters + * - otherwise valid seal tokens where the plain text is padded with byte value + * 100 instead of the proper value 1. + * - valid MIC tokens for the message "message" + * - two valid wrap tokens for the message "message", one without + * confidentiality and one with */ struct test { krb5_enctype enctype; @@ -93,6 +97,12 @@ const char *keydata; size_t toklen; const char *token; + size_t miclen; + const char *mic; + size_t wrap1len; + const char *wrap1; + size_t wrap2len; + const char *wrap2; } tests[] = { { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW, @@ -104,7 +114,21 @@ "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" "\x00\x02\x00\xFF\xFF\xEB\xF3\x9A\x89\x24\x57\xB8\x63\x95\x25\xE8" "\x6E\x8E\x79\xE6\x2E\xCA\xD3\xFF\x57\x9F\x8C\xAB\xEF\xDD\x28\x10" - "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4" + "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4", + 49, + "\x60\x2F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x04" + "\x00\xFF\xFF\xFF\xFF\x57\xF5\x77\xC6\xC0\x72\x26\x97\x00\x89\xB2" + "\xEE\xD9\xD1\x90\xE7\x11\x50\x4F\xE9\x59\x18\xB1\x8F\x82\x8E\x8F\x5E", + 65, + "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" + "\x00\xFF\xFF\xFF\xFF\x0B\x81\x56\x4A\x02\x1B\xBE\x83\x2B\x35\x08" + "\x7B\x49\x15\x07\x97\x6A\x64\xEF\xDD\x32\x52\xF0\xA2\xE2\x62\x9B" + "\xA7\x72\xF7\x3D\x6B\x2D\xAC\x21\xE9\x6D\x65\x73\x73\x61\x67\x65\x01", + 65, + "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" + "\x00\x02\x00\xFF\xFF\x66\x5A\xE1\xC8\x4F\x69\x33\x97\x5D\x05\xE2" + "\x86\x40\x14\x15\x14\x27\x01\x9F\x32\x9D\x82\xF4\xE1\xC5\x3E\xFA" + "\x6D\x7D\x05\x39\xAE\x21\x44\xA0\x87\xA6\x24\xED\xFC\xA3\x53\xF1\x30" }, { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC, @@ -115,7 +139,21 @@ "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" "\x00\x10\x00\xFF\xFF\x35\xD4\x79\xF3\x8C\x47\x8F\x6E\x23\x6F\x3E" "\xCC\x5E\x57\x5C\x6A\x89\xF0\xA2\x03\x4F\x0B\x51\x11\xEE\x89\x7E" - "\xD6\xF6\xB5\xD6\x51" + "\xD6\xF6\xB5\xD6\x51", + 37, + "\x60\x23\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x11" + "\x00\xFF\xFF\xFF\xFF\x5D\xE7\x51\xF6\xFB\x6C\x25\x5B\x23\x93\x5A" + "\x30\x20\x57\xDC\xB5", + 53, + "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" + "\x00\xFF\xFF\xFF\xFF\xAD\xB5\x1D\x01\x39\x7B\xA2\x16\x4C\x1B\x68" + "\x18\xEC\xAC\xD9\xE5\x9E\xD1\x41\x7A\x89\xE8\xCB\x24\x6D\x65\x73" + "\x73\x61\x67\x65\x01", + 53, + "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" + "\x00\x10\x00\xFF\xFF\xDD\x6D\x04\xEA\x64\x5C\xE7\x31\x50\xD0\x09" + "\x44\x9E\x67\xA4\x30\xEC\xFB\xFF\xC0\xF7\x16\x1E\x14\x1A\x82\x42" + "\xDD\x26\x23\x2B\x02" } }; @@ -397,6 +435,144 @@ free(iov[0].buffer.value); } +/* Verify that token is a valid MIC token for ctx and message, and that + * changing any of the input bytes yields one of the expected errors. */ +static void +mictest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token) +{ + OM_uint32 major, minor; + size_t i; + uint8_t *p; + + major = gss_verify_mic(&minor, ctx, message, token, NULL); + check_gsserr("gss_verify_mic", major, minor); + + p = token->value; + for (i = 0; i < token->length; i++) { + /* Skip sequence number bytes for RC4. */ + if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24) + continue; + p[i]++; + major = gss_verify_mic(&minor, ctx, message, token, NULL); + if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG) + abort(); + p[i]--; + } + p = message->value; + for (i = 0; i < message->length; i++) { + p[i]++; + major = gss_verify_mic(&minor, ctx, message, token, NULL); + if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG) + abort(); + p[i]--; + } +} + +static void +test_cfx_verify_mic(gss_ctx_id_t ctx) +{ + gss_buffer_desc message, token; + uint8_t msg[] = "message"; + uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF" + "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74" + "\x67\x94\x8A\xD0"; + + message.value = msg; + message.length = sizeof(msg) - 1; + token.value = mic; + token.length = sizeof(mic) - 1; + mictest(ctx, &message, &token); +} + +static void +test_verify_mic(gss_ctx_id_t ctx, const struct test *test) +{ + gss_buffer_desc message, token; + uint8_t msg[] = "message", buf[128]; + + assert(test->miclen <= sizeof(buf)); + memcpy(buf, test->mic, test->miclen); + + message.value = msg; + message.length = sizeof(msg) - 1; + token.value = buf; + token.length = test->miclen; + mictest(ctx, &message, &token); +} + +/* Verify that token is a valid wrap token for ctx unwrapping to message, and + * that changing any of the token bytes yields one of the expected errors. */ +static void +unwraptest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token) +{ + OM_uint32 major, minor; + gss_buffer_desc unwrapped; + size_t i; + uint8_t *p; + + major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL); + check_gsserr("gss_unwrap", major, minor); + if (unwrapped.length != message->length || + memcmp(unwrapped.value, message->value, unwrapped.length) != 0) + abort(); + gss_release_buffer(&minor, &unwrapped); + + p = token->value; + for (i = 0; i < token->length; i++) { + /* Skip sequence number bytes for RC4. */ + if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24) + continue; + p[i]++; + major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL); + if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG) + abort(); + p[i]--; + } +} + +static void +test_cfx_unwrap(gss_ctx_id_t ctx) +{ + gss_buffer_desc message, token; + uint8_t msg[] = "message"; + uint8_t token1[] = "\x05\x04\x00\xFF\x00\x0C\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x65\x73\x73\x61\x67\x65\xDF" + "\x57\xB9\x5E\xA2\xB1\x73\x31\xDB\xCE\x61\x62"; + uint8_t token2[] = "\x05\x04\x02\xFF\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x72\xBB\xD7\xCF\xDE\xB0\xF9\x20" + "\xE2\x9A\x98\xA7\xA4\xE7\xC9\x9B\x30\xD3\xFE\x61\x51\x2E\x1B\x56" + "\x88\xB7\x8A\xF5\xA9\xBF\x8F\x82\xB1\xEB\xCC\x88\xE6\x33\x13\xBF" + "\x52\x4B\xC0\x3B\x24\x3F\x3E\xF5\xF1\xE0\x64"; + + message.value = msg; + message.length = sizeof(msg) - 1; + token.value = token1; + token.length = sizeof(token1) - 1; + unwraptest(ctx, &message, &token); + token.value = token2; + token.length = sizeof(token2) - 1; + unwraptest(ctx, &message, &token); +} + +static void +test_unwrap(gss_ctx_id_t ctx, const struct test *test) +{ + gss_buffer_desc message, token; + uint8_t msg[] = "message", buf[128]; + + assert(test->wrap1len <= sizeof(buf) && test->wrap2len <= sizeof(buf)); + token.value = buf; + + message.value = msg; + message.length = sizeof(msg) - 1; + memcpy(buf, test->wrap1, test->wrap1len); + token.length = test->wrap1len; + unwraptest(ctx, &message, &token); + memcpy(buf, test->wrap2, test->wrap2len); + token.length = test->wrap2len; + unwraptest(ctx, &message, &token); +} + /* Process wrap and MIC tokens with incomplete headers. */ static void test_short_header(gss_ctx_id_t ctx) @@ -598,6 +774,8 @@ test_cfx_short_plaintext(ctx, cfx_subkey); test_cfx_large_ec(ctx, cfx_subkey); test_iov_large_asn1_wrapper(ctx); + test_cfx_verify_mic(ctx); + test_cfx_unwrap(ctx); free_fake_context(ctx); for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { @@ -606,6 +784,8 @@ test_short_header_iov(ctx, &tests[i]); test_short_checksum(ctx, &tests[i]); test_bad_pad(ctx, &tests[i]); + test_verify_mic(ctx, &tests[i]); + test_unwrap(ctx, &tests[i]); free_fake_context(ctx); } diff --git a/krb5/Makefile.inc b/krb5/Makefile.inc --- a/krb5/Makefile.inc +++ b/krb5/Makefile.inc @@ -10,7 +10,7 @@ .include PACKAGE?= kerberos -KRB5_VERSION= 1.22-final +KRB5_VERSION= 1.22.1 # MIT KRB5 uses KRB5_DIR. Heimdal uses KRB5DIR. KRB5_SRCTOP= ${SRCTOP}/krb5 diff --git a/krb5/include/autoconf.h b/krb5/include/autoconf.h --- a/krb5/include/autoconf.h +++ b/krb5/include/autoconf.h @@ -641,7 +641,7 @@ #define PACKAGE_NAME "Kerberos 5" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "Kerberos 5 1.22.0" +#define PACKAGE_STRING "Kerberos 5 1.22.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "krb5" @@ -650,7 +650,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.22.0" +#define PACKAGE_VERSION "1.22.1" /* Default PKCS11 module name */ #define PKCS11_MODNAME "opensc-pkcs11.so" diff --git a/krb5/util/build-tools/krb5-config.sh b/krb5/util/build-tools/krb5-config.sh --- a/krb5/util/build-tools/krb5-config.sh +++ b/krb5/util/build-tools/krb5-config.sh @@ -26,7 +26,7 @@ # Configurable parameters set by autoconf # Disreagard the above. Edit this by hand in the bespoke FreeBSD build. -version_string="Kerberos 5 release 1.22.0" +version_string="Kerberos 5 release 1.22.1" prefix=/usr exec_prefix=${prefix}