[30984] in CVS-changelog-for-Kerberos-V5

krb5 commit: Fix gss-krb5 handling of high sequence numbers

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 31 02:13:06 2021

Date: Wed, 31 Mar 2021 02:12:48 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202103310612.12V6Cmnu023348@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/dac8de0b26b9b67c1b03067c1ec90b81114ff370
commit dac8de0b26b9b67c1b03067c1ec90b81114ff370
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sat Mar 27 00:52:05 2021 -0400

    Fix gss-krb5 handling of high sequence numbers
    
    Commits abcfdaff756631d73f49103f679cafa7bc45f14e and
    41ddaaeb286e8bb1bba64fb557ba0e4cff9b404d incorrectly changed the
    interpretation of authenticator sequence numbers in the range
    2^31..2^32-1, mapping them to sign-extended 64-bit values.  The major
    Kerberos implementations do not generate sequence numbers this large,
    so the change went unnoticed.  Prevent unwanted sign extension by
    casting sequence numbers retrieved from auth contexts to uint32_t
    before assigning them to uint64_t fields.  Reported by Jake Scott.
    
    ticket: 8994 (new)

 src/lib/gssapi/krb5/accept_sec_context.c |    4 ++--
 src/lib/gssapi/krb5/init_sec_context.c   |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index cb62a25..d4e9079 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -982,7 +982,7 @@ kg_accept_krb5(minor_status, context_handle,
     {
         krb5_int32 seq_temp;
         krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
-        ctx->seq_recv = seq_temp;
+        ctx->seq_recv = (uint32_t)seq_temp;
     }
 
     if ((code = krb5_timeofday(context, &now))) {
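Review bot: The new cast at `ctx->seq_recv = (uint32_t)seq_temp;` carries no comment, and nothing at the assignment says why it is there: `seq_temp` is a signed `krb5_int32`, so a plain assignment to the 64-bit field sign-extends any value with the top bit set. Since this is exactly the line that earlier commits changed by mistake, a one-line comment (for example, that the cast keeps sequence numbers of 2^31 and above from being sign-extended) would make the intent survive the next cleanup. Giving `seq_temp` its own narrow scope, as this block already does, is good; the comment is the only thing missing.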
@@ -1065,7 +1065,7 @@ kg_accept_krb5(minor_status, context_handle,
         }
 
         krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
-        ctx->seq_send = seq_temp & 0xffffffffL;
+        ctx->seq_send = (uint32_t)seq_temp;
 
         if (cfx_generate_subkey) {
             /* Get the new acceptor subkey.  With the code above, there
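Review bot: The removed line here, `ctx->seq_send = seq_temp & 0xffffffffL;`, already produced the low 32 bits without sign extension, so at this site the change is a switch of idiom rather than a behaviour fix. The commit message reads as if all three assignments were broken; it would help backporters to state that this one is changed for consistency with the other two, and that the behaviour changes are the `seq_recv` assignment earlier in this file and the `seq_send` assignment in init_sec_context.c.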
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 8236560..ea87cf6 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -631,7 +631,7 @@ kg_new_connection(
         }
 
         krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
-        ctx->seq_send = seq_temp;
+        ctx->seq_send = (uint32_t)seq_temp;
         code = krb5_auth_con_getsendsubkey(context, ctx->auth_context,
                                            &keyblock);
         if (code != 0)
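Review bot: No regression test accompanies the fix; the diffstat lists only accept_sec_context.c and init_sec_context.c. The commit message notes that the earlier breakage went unnoticed because the major implementations do not generate sequence numbers this large, which means the existing tests will not exercise `ctx->seq_send = (uint32_t)seq_temp;` with a value in 2^31..2^32-1 either. A test that forces an initial sequence number in that range on both the initiator and acceptor side and then exchanges a wrapped or MIC-protected message would keep this from regressing a second time.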
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5