Fix constraint delegation for krb5 1.18 update

Fixes: rhbz#1797096
2020-02-01 10:14:56 +02:00 · 2020-02-01 10:14:56 +02:00 · 76138553c1
commit 76138553c1
parent 1343c174cd
2 changed files with 67 additions and 1 deletions
--- a/freeipa.spec
+++ b/freeipa.spec
@ -143,7 +143,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@ -156,6 +156,7 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
 Patch0:         4045.patch
 Patch1:         krb5-kdb-fixes.patch
 Patch2:         krb5-1.18-support.patch
 Patch3:         krb5-1.18-support-constraint-delegation.patch
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -1362,6 +1363,10 @@ fi
 %changelog
 * Sat Feb 01 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-6
 - Fix constraint delegation for krb5 1.18 update
 - Resolves: #1797096
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
--- a/krb5-1.18-support-constraint-delegation.patch
+++ b/krb5-1.18-support-constraint-delegation.patch
@ -0,0 +1,61 @@
 From d92f21ae1b3051f96043c64320a768551de39d5a Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 31 Jan 2020 22:58:18 +0100
 Subject: [PATCH 1/2] Fix DAL v8 support
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 daemons/ipa-kdb/ipa_kdb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
 index 3982c131b..8f3c22070 100644
 --- a/daemons/ipa-kdb/ipa_kdb.c
 +++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -720,8 +720,8 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
                    void *ad_info, krb5_data ***auth_indicators,
                    krb5_authdata ***signed_auth_data)
 {
 -    krb5_db_entry *krbtgt = header_server ? header_server : server;
 -    krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
 +    krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
 +    krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
     return ipadb_sign_authdata(context, flags, client_princ, client, server,
                                krbtgt, client_key, server_key, krbtgt_key,
 -- 
 2.24.1
 From c940f96b700d845afda014d41a0004068d379a9a Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 31 Jan 2020 23:03:09 +0100
 Subject: [PATCH 2/2] Fix legacy S4U2Proxy in DAL v8 support
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 daemons/ipa-kdb/ipa_kdb.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
 index 8f3c22070..7bd30be85 100644
 --- a/daemons/ipa-kdb/ipa_kdb.c
 +++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -723,6 +723,12 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
     krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
     krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
 +    if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
 +        client = header_server;
 +        krbtgt = local_tgt;
 +        krbtgt_key = local_tgt_key;
 +    }
 +
     return ipadb_sign_authdata(context, flags, client_princ, client, server,
                                krbtgt, client_key, server_key, krbtgt_key,
                                session_key, authtime, tgt_auth_data,
 -- 
 2.24.1