
Commit 9ccf8e2

CBL-Mariner-Botapurvparekh30Apurv ParekhCopilotKanishk-Bansal
authored
Merge PR "[AUTO-CHERRYPICK] krb5: backport upstream SPNEGO mechListMIC parsing fix (ticket 9183) - branch 3.0-dev" microsoft#17800
Co-authored-by: Apurv Parekh <apurvparekh30@gmail.com> Co-authored-by: Apurv Parekh <apurvparekh@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent beffe16 commit 9ccf8e2

6 files changed

Lines changed: 186 additions & 13 deletions


Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
From 942c5036e14066a1f4badfdf67716c47f2e33a39 Mon Sep 17 00:00:00 2001
2+
From: dovsyannikov <Dmitry.Ovsyannikov@dell.com>
3+
Date: Wed, 3 Sep 2025 13:52:57 +0000
4+
Subject: [PATCH] Fix SPNEGO mechListMIC parsing
5+
6+
Commit fdceb225f881e2b1337eebcb9a9443fa4a9be3fd erroneously altered
7+
get_negTokenResp() to look for mechListMIC with tag 0xA4 instead of
8+
0xA3. Fix it.
9+
10+
Restore the t_spnego.c reselection test by constructing a
11+
two-mechanism SPNEGO initiator credential using the internal
12+
structures.
13+
14+
[ghudson@mit.edu: added test case; rewrote commit message]
15+
16+
ticket: 9183 (new)
17+
tags: pullup
18+
target_version: 1.21-next
19+
target_version: 1.22-next
20+
Upstream-reference: https://github.com/krb5/krb5/commit/942c5036e14066a1f4badfdf67716c47f2e33a39.patch
21+
---
22+
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
23+
src/tests/gssapi/Makefile.in | 2 +-
24+
src/tests/gssapi/deps | 19 ++++++++-
25+
src/tests/gssapi/t_spnego.c | 60 ++++++++++++++++++++++-------
26+
4 files changed, 66 insertions(+), 17 deletions(-)
27+
28+
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
29+
index 43ba63ab2a7..4a778364336 100644
30+
--- a/src/lib/gssapi/spnego/spnego_mech.c
31+
+++ b/src/lib/gssapi/spnego/spnego_mech.c
32+
@@ -3515,7 +3515,7 @@ get_negTokenResp(OM_uint32 *minor_status, struct k5input *in,
33+
return GSS_S_DEFECTIVE_TOKEN;
34+
}
35+
36+
- if (k5_der_get_value(&seq, CONTEXT | 0x04, &field)) {
37+
+ if (k5_der_get_value(&seq, CONTEXT | 0x03, &field)) {
38+
*mechListMIC = get_octet_string(&field);
39+
40+
/* Handle Windows 2000 duplicate response token */
41+
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
42+
index 97a6ac3f3f7..5f57173cd8a 100644
43+
--- a/src/tests/gssapi/Makefile.in
44+
+++ b/src/tests/gssapi/Makefile.in
45+
@@ -4,7 +4,7 @@ DEFINES = -DUSE_AUTOCONF_H
46+
47+
# For t_prf.c
48+
LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \
49+
- -I$(srcdir)/../../lib/gssapi/krb5 \
50+
+ -I$(srcdir)/../../lib/gssapi/krb5 -I$(srcdir)/../../lib/gssapi/spnego \
51+
-I$(srcdir)/../../lib/gssapi/generic -I../../lib/gssapi/krb5 \
52+
-I../../lib/gssapi/generic
53+
54+
diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps
55+
index 2c55fa51799..e93250af777 100644
56+
--- a/src/tests/gssapi/deps
57+
+++ b/src/tests/gssapi/deps
58+
@@ -187,9 +187,24 @@ $(OUTPRE)t_saslname.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
59+
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
60+
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
61+
common.h t_saslname.c
62+
-$(OUTPRE)t_spnego.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
63+
+$(OUTPRE)t_spnego.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
64+
+ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \
65+
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
66+
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
67+
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
68+
+ $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \
69+
+ $(COM_ERR_DEPS) $(srcdir)/../../lib/gssapi/generic/gssapiP_generic.h \
70+
+ $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h $(srcdir)/../../lib/gssapi/generic/gssapi_generic.h \
71+
+ $(srcdir)/../../lib/gssapi/mechglue/mechglue.h $(srcdir)/../../lib/gssapi/mechglue/mglueP.h \
72+
+ $(srcdir)/../../lib/gssapi/spnego/gssapiP_negoex.h \
73+
+ $(srcdir)/../../lib/gssapi/spnego/gssapiP_spnego.h \
74+
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
75+
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \
76+
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
77+
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
78+
+ $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \
79+
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
80+
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
81+
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
82+
common.h t_spnego.c
83+
$(OUTPRE)t_srcattrs.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
84+
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
85+
diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c
86+
index 4091739f835..3b53097182d 100644
87+
--- a/src/tests/gssapi/t_spnego.c
88+
+++ b/src/tests/gssapi/t_spnego.c
89+
@@ -29,6 +29,11 @@
90+
#include <string.h>
91+
#include <assert.h>
92+
93+
+/* See create_reselection_cred(). */
94+
+#include "k5-int.h"
95+
+#include <mglueP.h>
96+
+#include <gssapiP_spnego.h>
97+
+
98+
#include "common.h"
99+
100+
static gss_OID_desc mech_krb5_wrong = {
101+
@@ -228,6 +233,47 @@ test_neghints(void)
102+
(void)gss_delete_sec_context(&minor, &actx, NULL);
103+
}
104+
105+
+/*
106+
+ * There is currently no API to create a SPNEGO credential supporting multiple
107+
+ * mechanisms unless a third-party mechanism is configured in the mechs file;
108+
+ * the default credential contains only krb5 (after tickets #8021 and #8217)
109+
+ * and a SPNEGO cred cannot be created from an existing union cred. Using
110+
+ * internal structures, create a two-mechanism initiator cred so that we can
111+
+ * test reselection.
112+
+ */
113+
+static gss_cred_id_t
114+
+create_reselection_cred(void)
115+
+{
116+
+ OM_uint32 major, minor;
117+
+ gss_OID_desc mlist[2] = { mech_krb5, mech_iakerb };
118+
+ gss_OID_set_desc mechs = { 2, mlist };
119+
+ gss_cred_id_t cred;
120+
+ spnego_gss_cred_id_t scred;
121+
+ gss_union_cred_t ucred;
122+
+
123+
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
124+
+ &mechs, GSS_C_INITIATE, &cred, NULL, NULL);
125+
+ check_gsserr("gss_acquire_cred(reslection)", major, minor);
126+
+
127+
+ scred = calloc(1, sizeof(*scred));
128+
+ assert(scred != NULL);
129+
+ scred->mcred = cred;
130+
+
131+
+ ucred = calloc(1, sizeof(*ucred));
132+
+ assert(ucred != NULL);
133+
+ ucred->loopback = ucred;
134+
+ ucred->count = 1;
135+
+ ucred->mechs_array = calloc(1, sizeof(*ucred->mechs_array));
136+
+ ucred->cred_array = calloc(1, sizeof(*ucred->cred_array));
137+
+ assert(ucred->mechs_array != NULL && ucred->cred_array != NULL);
138+
+ ucred->mechs_array[0].elements = malloc(mech_spnego.length);
139+
+ assert(ucred->mechs_array[0].elements != NULL);
140+
+ g_OID_copy(&ucred->mechs_array[0], &mech_spnego);
141+
+ ucred->cred_array[0] = (gss_cred_id_t)scred;
142+
+
143+
+ return (gss_cred_id_t)ucred;
144+
+}
145+
+
146+
int
147+
main(int argc, char *argv[])
148+
{
149+
@@ -254,19 +300,7 @@ main(int argc, char *argv[])
150+
}
151+
152+
/* Get default initiator cred. */
153+
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
154+
- &mechset_spnego, GSS_C_INITIATE,
155+
- &initiator_cred_handle, NULL, NULL);
156+
- check_gsserr("gss_acquire_cred(initiator)", major, minor);
157+
-
158+
- /*
159+
- * The following test is designed to exercise SPNEGO reselection on the
160+
- * client and server. Unfortunately, it no longer does so after tickets
161+
- * #8217 and #8021, since SPNEGO now only acquires a single krb5 cred and
162+
- * there is no way to expand the underlying creds with gss_set_neg_mechs().
163+
- * To fix this we need gss_acquire_cred_with_cred() or some other way to
164+
- * turn a cred with a specifically requested mech set into a SPNEGO cred.
165+
- */
166+
+ initiator_cred_handle = create_reselection_cred();
167+
168+
/* Make the initiator prefer IAKERB and offer krb5 as an alternative. */
169+
pref_oids[0] = mech_iakerb;
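Review bot: The corrected tag in get_negTokenResp() is still a bare literal, `CONTEXT | 0x03`, with nothing at the parse site tying it to the NegTokenResp field numbering, and per the commit message the bug being fixed was a one-digit slip in that same literal (0xA4 for 0xA3). I would add a comment above the call, `/* mechListMIC is field [3] of NegTokenResp (RFC 4178 section 4.2.2) */`, or give the field tags names in an enum. With the old tag the mechListMIC field would presumably never match, so the MIC that protects the mechanism list would not reach the caller; get_negTokenResp() starts and ends outside the hunk and the code that verifies the MIC is not visible here, so that effect is worth confirming against the restored reselection test. Separately, the label in `check_gsserr("gss_acquire_cred(reslection)", major, minor);` inside create_reselection_cred() misspells "reselection", which makes a failure in that call harder to grep for.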

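--- a/SPECS/krb5/krb5.spec
+++ b/SPECS/krb5/krb5.spec
@@ -4,7 +4,7 @@
 Summary: The Kerberos newtork authentication system
 Name: krb5
 Version: 1.21.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,7 @@ Source1: krb5.conf
 Patch0: CVE-2024-26461.patch
 Patch1: CVE-2025-24528.patch
 Patch2: CVE-2026-40356.patch
+Patch3: krb5-fix-SPNEGO-mechListMIC-parsing.patch
 BuildRequires: e2fsprogs-devel
 BuildRequires: openssl-devel
 Requires: e2fsprogs-libs
@@ -128,6 +129,9 @@ make check
 %{_datarootdir}/locale/*
 
 %changelog
+* Tue Jun 23 2026 Apurv Parekh <apurvparekh@microsoft.com> - 1.21.3-5
+- Backport upstream fix for SPNEGO mechListMIC parsing (krb5 commit 942c503, ticket 9183)
+
 * Fri May 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.21.3-4
 - Patch for CVE-2026-40356
 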
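Review bot: `Patch3: krb5-fix-SPNEGO-mechListMIC-parsing.patch` is declared but no line that applies it appears in this section, and the five additions are fully accounted for by the Release bump, the Patch3 line and the three changelog lines. The fix is therefore only built in if the %prep section, which is outside these hunks, applies patches automatically (`%autosetup` or `%autopatch`); if it lists `%patch` lines by number, a matching line for Patch3 is missing and release 5 would ship without the change. The third hunk header shows `make check`, so if %check runs the upstream test suite, the restored t_spnego reselection case is a reasonable way to confirm the patch took effect in the build log.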

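--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -195,8 +195,8 @@ libsolv-0.7.28-4.azl3.aarch64.rpm
 libsolv-devel-0.7.28-4.azl3.aarch64.rpm
 libssh2-1.11.1-2.azl3.aarch64.rpm
 libssh2-devel-1.11.1-2.azl3.aarch64.rpm
-krb5-1.21.3-4.azl3.aarch64.rpm
-krb5-devel-1.21.3-4.azl3.aarch64.rpm
+krb5-1.21.3-5.azl3.aarch64.rpm
+krb5-devel-1.21.3-5.azl3.aarch64.rpm
 nghttp2-1.61.0-3.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 curl-8.11.1-9.azl3.aarch64.rpm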

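--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -195,8 +195,8 @@ libsolv-0.7.28-4.azl3.x86_64.rpm
 libsolv-devel-0.7.28-4.azl3.x86_64.rpm
 libssh2-1.11.1-2.azl3.x86_64.rpm
 libssh2-devel-1.11.1-2.azl3.x86_64.rpm
-krb5-1.21.3-4.azl3.x86_64.rpm
-krb5-devel-1.21.3-4.azl3.x86_64.rpm
+krb5-1.21.3-5.azl3.x86_64.rpm
+krb5-devel-1.21.3-5.azl3.x86_64.rpm
 nghttp2-1.61.0-3.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 curl-8.11.1-9.azl3.x86_64.rpm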

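--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -162,10 +162,10 @@ kernel-headers-6.6.142.1-1.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
-krb5-1.21.3-4.azl3.aarch64.rpm
-krb5-debuginfo-1.21.3-4.azl3.aarch64.rpm
-krb5-devel-1.21.3-4.azl3.aarch64.rpm
-krb5-lang-1.21.3-4.azl3.aarch64.rpm
+krb5-1.21.3-5.azl3.aarch64.rpm
+krb5-debuginfo-1.21.3-5.azl3.aarch64.rpm
+krb5-devel-1.21.3-5.azl3.aarch64.rpm
+krb5-lang-1.21.3-5.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
 libarchive-3.7.7-6.azl3.aarch64.rpm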

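--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -170,10 +170,10 @@ kernel-headers-6.6.142.1-1.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
-krb5-1.21.3-4.azl3.x86_64.rpm
-krb5-debuginfo-1.21.3-4.azl3.x86_64.rpm
-krb5-devel-1.21.3-4.azl3.x86_64.rpm
-krb5-lang-1.21.3-4.azl3.x86_64.rpm
+krb5-1.21.3-5.azl3.x86_64.rpm
+krb5-debuginfo-1.21.3-5.azl3.x86_64.rpm
+krb5-devel-1.21.3-5.azl3.x86_64.rpm
+krb5-lang-1.21.3-5.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
 libarchive-3.7.7-6.azl3.x86_64.rpm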
