kdb: Use krb5_pac_full_sign_compat() when available
parent
77e6c50e87
commit
0b2668538c
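--- /dev/null
+++ b/0008-Use-krb5_pac_full_sign_compat-when-available.patch
@@ -0,0 +1,71 @@
+From a8d81b5005ea15a35d0d63330b922037de3ca253 Mon Sep 17 00:00:00 2001
+From: David Sloboda <david.x.sloboda@oracle.com>
+Date: Fri, 30 Jun 2023 15:37:34 +0200
+Subject: [PATCH] OLERRATA-43634 - Support for PAC extended KDC signature
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
+---
+diff -Nuar freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+--- freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c 2022-11-25 17:16:11.352773047 +0100
++++ freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c 2023-06-30 14:58:17.198538781 +0200
+@@ -176,11 +176,21 @@
+
+/* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+* was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++ kerr = krb5_pac_full_sign_compat(
++ context, pac, authtime, client_princ, server->princ, server_key,
++ right_krbtgt_signing_key,
++ (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++ pac_data
++ );
++#else
++ /* Use standard function, PAC extended KDC signature not supported */
+kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+right_krbtgt_signing_key,
+(is_issuing_referral &&
+(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+pac_data);
++#endif
+
+done:
+free(princ);
+diff -Nuar freeipa-4.9.11.orig/server.m4 freeipa-4.9.11/server.m4
+--- freeipa-4.9.11.orig/server.m4 2022-11-25 17:16:11.353773052 +0100
++++ freeipa-4.9.11/server.m4 2023-06-30 14:59:52.845995040 +0200
+@@ -91,6 +91,15 @@
+[have_kdb_issue_pac=no], [#include <kdb.h>])
+
+dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++ [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++ [krb5_pac_full_sign_compat() is available.])],
++ [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
++dnl ---------------------------------------------------------------------------
+dnl - Check for UUID library
+dnl ---------------------------------------------------------------------------
+PKG_CHECK_MODULES([UUID], [uuid])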
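Review bot: The server.m4 check only emits AC_MSG_NOTICE when krb5_pac_full_sign_compat() is missing, so a build against a libkrb5 without the downstream symbol silently takes the `#else` branch in ipa_kdb_mspac_v6.c and issues PACs with no extended KDC signature — precisely the tickets the patch description says Active Directory rejects for S4U after the 2023 enforcement dates. That degradation should be loud at configure time: change the action-if-not-found to `[AC_MSG_WARN([krb5_pac_full_sign_compat() is not available; PAC extended KDC signatures will not be generated])]`. The dnl header above the check also names the wrong symbol; it should read `dnl - Check for KRB5 krb5_pac_full_sign_compat function` to match the AC_CHECK_LIB below it. Note that AC_CHECK_LIB only proves the symbol links — it does not confirm the installed krb5 headers declare the prototype the `#ifdef` branch calls, so an AC_CHECK_DECL against the header would be the stricter guard. The enclosing function in ipa_kdb_mspac_v6.c starts and ends outside the hunk.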
@ -189,7 +189,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 5%{?rc_version:.%rc_version}%{?dist}
|
Release: 6%{?rc_version:.%rc_version}%{?dist}.alma
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -216,6 +216,8 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
|
|||||||
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
|
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
|
||||||
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
|
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
|
||||||
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
|
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
|
||||||
|
# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
|
||||||
|
Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
||||||
@ -1715,6 +1717,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 13 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma
|
||||||
|
- kdb: Use krb5_pac_full_sign_compat() when available
|
||||||
|
|
||||||
* Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5
|
* Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5
|
||||||
- Wipe the ipa-ca DNS record when updating system records
|
- Wipe the ipa-ca DNS record when updating system records
|
||||||
Resolves: RHBZ#2158775
|
Resolves: RHBZ#2158775
|
||||||
|