From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 9 Jan 2020 16:44:15 -0500
Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18), krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood
---
 daemons/ipa-kdb/ipa_kdb_certauth.c | 21 +++++++-------
 daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 11 +++++--
 daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------
 3 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 47911aa3d..bc6b26578 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
 const krb5_db_entry *db_entry,
 char ***authinds_out)
 {
- char *cert_filter = NULL;
- char **domains = NULL;
- int ret;
+ char *cert_filter = NULL, **domains = NULL;
+ int ret, flags = 0;
 size_t c;
- char *principal = NULL;
- char **auth_inds = NULL;
+ char *principal = NULL, **auth_inds = NULL;
 LDAPMessage *res = NULL;
 krb5_error_code kerr;
 LDAPMessage *lentry;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
 if (moddata == NULL) {
 return KRB5_PLUGIN_NO_HANDLE;
 }
@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
 }
 }
- kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
- KRB5_KDB_FLAG_ALIAS_OK,
- principal,
- cert_filter,
+ kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
+ principal, cert_filter,
 &res);
 if (kerr != 0) {
 krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
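Review bot: `int ret, flags = 0;` declares the lookup flags as a signed int, while the krb5 DAL passes KDB lookup flags as `unsigned int`; assuming ipadb_fetch_principals_with_extra_filter and ipadb_find_principal follow that convention (their prototypes are outside this hunk), `unsigned int flags = 0;` on its own line avoids a signed/unsigned conversion at both call sites. The same `#ifdef KRB5_KDB_FLAG_ALIAS_OK` / `flags = KRB5_KDB_FLAG_ALIAS_OK;` / `#endif` triple is repeated in ipa_kdb_kdcpolicy.c and in ipadb_delete_principal; a single compatibility macro in the shared header that expands to KRB5_KDB_FLAG_ALIAS_OK when krb5 defines it and to 0 otherwise would let every caller write one plain assignment and keep the version knowledge in one place. ipa_certauth_authorize continues outside the hunk.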
@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
 goto done;
 }
- kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
- &principal, &lentry);
+ kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
 if (kerr == KRB5_KDB_NOENTRY) {
 krb5_klog_syslog(LOG_INFO, "No matching entry found");
 ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 9467b1ba1..8d2ad66f7 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
 enum ipadb_user_auth ua;
 struct ipadb_e_data *ied;
 struct ipadb_e_pol_limits *pol_limits = NULL;
- int valid_auth_indicators = 0;
+ int valid_auth_indicators = 0, flags = 0;
 krb5_db_entry *client_actual = NULL;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
+
 *status = NULL;
 *lifetime_out = 0;
 *renew_lifetime_out = 0;
@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
 if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
 /* e-data is not availble, getting user auth from LDAP */
 krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
- kerr = ipadb_get_principal(context, request->client,
- KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
+ kerr = ipadb_get_principal(context, request->client, flags,
+ &client_actual);
 if (kerr != 0) {
 krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
 return kerr;
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 47e44f090..da0b841a1 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
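Review bot: Two blank lines are added after the new `#endif` in ipa_kdcpolicy_check_as (the two bare `+` lines before `*status = NULL;`); one is enough and matches the spacing used elsewhere in the function. As in ipa_kdb_certauth.c, `int valid_auth_indicators = 0, flags = 0;` makes the lookup flags a signed int where ipadb_get_principal, following the DAL, presumably takes `unsigned int`; `unsigned int flags = 0;` on its own line is the cleaner declaration. ipa_kdcpolicy_check_as continues outside the hunk.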
@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 LDAPMessage **result)
 {
 krb5_error_code kerr;
- char *src_filter = NULL;
- char *esc_original_princ = NULL;
+ char *src_filter = NULL, *esc_original_princ = NULL;
 int ret;
 if (!ipactx->lcontext) {
@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 }
 }
- /* escape filter but do not touch '*' as this function accepts
- * wildcards in names */
+ /* Escape filter but do not touch '*' as this function accepts
+ * wildcards in names. */
 esc_original_princ = ipadb_filter_escape(principal, false);
 if (!esc_original_princ) {
 kerr = KRB5_KDB_INTERNAL_ERROR;
 goto done;
 }
- if (filter == NULL) {
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ /* Starting in DAL 8.0, aliases are always okay. */
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
+ if (filter == NULL) {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
+ esc_original_princ);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+ esc_original_princ, filter);
+ }
+ } else
+#endif
+ {
+ if (filter == NULL) {
 ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
 esc_original_princ, esc_original_princ);
 } else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
- }
- } else {
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
 ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
 esc_original_princ, esc_original_princ, filter);
- } else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
- esc_original_princ, filter);
 }
 }
@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 goto done;
 }
- kerr = ipadb_simple_search(ipactx,
- ipactx->base, LDAP_SCOPE_SUBTREE,
- src_filter, std_principal_attrs,
- result);
-
+ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_principal_attrs, result);
 done:
 free(src_filter);
 free(esc_original_princ);
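Review bot: The `} else` / `#endif` / `{` construction in the second hunk splits one if/else across a preprocessor conditional, so the brace structure of ipadb_fetch_principals_with_extra_filter differs per build and is easy to break when the branches are next edited. Deciding the question into a local first leaves a single ordinary if/else whose two arms are the code already in the hunk; `false` is used on the ipadb_filter_escape line, so `bool` is already in scope. The function starts and ends outside this hunk.
```c
    /* Starting in DAL 8.0, aliases are always okay. */
    bool alias_ok = true;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
    alias_ok = (flags & KRB5_KDB_FLAG_ALIAS_OK) != 0;
#endif
    if (!alias_ok) {
        /* … unchanged: PRINC_SEARCH_FILTER / PRINC_SEARCH_FILTER_EXTRA asprintf calls … */
    } else {
        /* … unchanged: PRINC_TGS_SEARCH_FILTER / PRINC_TGS_SEARCH_FILTER_EXTRA asprintf calls … */
    }
```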
@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 /* We need to check for a strict match as a '*' in the name may have
 * caused the ldap server to return multiple entries. */
 for (int i = 0; vals[i]; i++) {
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
 if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
 found = strcmp(vals[i]->bv_val, *principal) == 0;
 if (found)
@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 continue;
 }
+#endif
 /* The KDC will accept aliases when doing TGT lookup
 * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 if (vals == NULL)
 break;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
 /* If aliases aren't accepted by the KDC, use case-sensitive
 * comparison. */
 if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 continue;
 }
 }
+#endif
 free(*principal);
 *principal = strdup(vals[0]->bv_val);
@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
 goto done;
 }
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
 flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
 kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
 if (kerr != 0) {
 goto done;
-- 
2.24.1
From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 9 Jan 2020 17:02:44 -0500
Subject: [PATCH 2/3] [KDB] Support DAL version 8.0
Provide stubs for backward compatibility. DAL 8.0 was released with krb5-1.18.
Signed-off-by: Robbie Harwood
---
 daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++-
 freeipa.spec.in | 2 +-
 2 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 612857b38..9a5c29b13 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
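Review bot: The new `#ifdef KRB5_KDB_FLAG_ALIAS_OK` blocks in ipadb_find_principal (this hunk and the three that follow at 1061, 1094 and 1103) compile the strict, case-sensitive comparison out entirely when krb5 no longer defines the flag, yet the comment just above the loop still says a strict match is needed; on such a build only the case-insensitive comparison remains and `flags` becomes an unused parameter. A one-line comment on the first `#ifdef` would save the next reader the archaeology: `/* krb5 1.18 (DAL 8) removed KRB5_KDB_FLAG_ALIAS_OK and always accepts aliases, so only the case-insensitive match below applies there. */`. ipadb_find_principal starts and ends outside these hunks.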
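Review bot: In ipadb_delete_principal the assignment `flags = KRB5_KDB_FLAG_ALIAS_OK;` is now conditional, but `flags` is still passed to ipadb_find_principal unconditionally on the next line; its declaration is outside the hunk, and if it carries no initializer (it did not need one while the assignment was unconditional) a build without the flag passes an indeterminate value, which is undefined behaviour even though the callee does not read it there. Give the variable a definite value on both paths, either `#else` / `flags = 0;` before the `#endif`, or an initializer at the declaration. ipadb_delete_principal starts and ends outside the hunk.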
@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = {
 };
 #endif
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
+/* Version 8 adds several arguments here. However, if we want to actually use
+ * them in mspac, we really ought to drop support for older DAL versions. */
+static inline krb5_error_code
+stub_sign_authdata(krb5_context context, unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+ void *ad_info, krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+{
+ krb5_db_entry *krbtgt = header_server ? header_server : server;
+ krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
+
+ return ipadb_sign_authdata(context, flags, client_princ, client, server,
+ krbtgt, client_key, server_key, krbtgt_key,
+ session_key, authtime, tgt_auth_data,
+ signed_auth_data);
+}
+
+kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+ .min_ver = 0,
+ .init_library = ipadb_init_library,
+ .fini_library = ipadb_fini_library,
+ .init_module = ipadb_init_module,
+ .fini_module = ipadb_fini_module,
+ .create = ipadb_create,
+ .get_age = ipadb_get_age,
+ .get_principal = ipadb_get_principal,
+ .put_principal = ipadb_put_principal,
+ .delete_principal = ipadb_delete_principal,
+ .iterate = ipadb_iterate,
+ .create_policy = ipadb_create_pwd_policy,
+ .get_policy = ipadb_get_pwd_policy,
+ .put_policy = ipadb_put_pwd_policy,
+ .iter_policy = ipadb_iterate_pwd_policy,
+ .delete_policy = ipadb_delete_pwd_policy,
+ .fetch_master_key = ipadb_fetch_master_key,
+ .store_master_key_list = ipadb_store_master_key_list,
+ .change_pwd = ipadb_change_pwd,
+ .sign_authdata = stub_sign_authdata,
+ .check_transited_realms = ipadb_check_transited_realms,
+ .check_policy_as = ipadb_check_policy_as,
+ .audit_as_req = ipadb_audit_as_req,
+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+ .free_principal_e_data = ipadb_free_principal_e_data,
+ .get_s4u_x509_principal = NULL,
+ .allowed_to_delegate_from = NULL,
+ .get_authdata_info = NULL,
+ .free_authdata_info = NULL,
+};
+#endif
+
 #if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
 (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
- (KRB5_KDB_DAL_MAJOR_VERSION != 7)
+ (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 8)
 #error unsupported DAL major version
 #endif
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 502ac2499..7617c935a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -61,7 +61,7 @@
 %global alt_name ipa
 # Fix for CVE-2018-20217
 %global krb5_version 1.16.1-24
-%global krb5_kdb_version 7.0
+%global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
-- 
2.24.1
From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 9 Jan 2020 17:08:07 -0500
Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so we don't lose anything by removing it.
Signed-off-by: Robbie Harwood
---
 daemons/ipa-kdb/ipa_kdb.c | 49 +--------------------------------------
 1 file changed, 1 insertion(+), 48 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 9a5c29b13..3982c131b 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
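Review bot: In stub_sign_authdata the two locals fall back to `server`/`server_key` when `header_server`/`header_key` are NULL, while the `local_tgt` and `local_tgt_key` parameters that the DAL 8 signature supplies are never read. If I read the DAL 8 contract right, the NULL case is the AS-REQ path, and for an AS-REQ whose target is not the krbtgt this hands ipadb_sign_authdata the service's entry and key in the slots where it expects the TGT's, which changes what key the PAC it emits is bound to; `krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;` and `krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;` look like the intended mapping, worth confirming against the sign_authdata description in the DAL 8 kdb.h. Separately, `static inline` on a function whose address is stored in the vtable says nothing useful; plain `static` states the intent.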
@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
 return 0;
 }
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
-{
- return realloc(ptr, size);
-}
-
-static void ipadb_free(krb5_context context, void *ptr)
-{
- free(ptr);
-}
-#endif
-
 /* KDB Virtual Table */
 /* We explicitly want to keep different ABI tables below separate. */
 /* Do not merge them together. Older ABI does not need to be updated */
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-kdb_vftabl kdb_function_table = {
- .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
- .min_ver = 0,
- .init_library = ipadb_init_library,
- .fini_library = ipadb_fini_library,
- .init_module = ipadb_init_module,
- .fini_module = ipadb_fini_module,
- .create = ipadb_create,
- .get_age = ipadb_get_age,
- .get_principal = ipadb_get_principal,
- .free_principal = ipadb_free_principal,
- .put_principal = ipadb_put_principal,
- .delete_principal = ipadb_delete_principal,
- .iterate = ipadb_iterate,
- .create_policy = ipadb_create_pwd_policy,
- .get_policy = ipadb_get_pwd_policy,
- .put_policy = ipadb_put_pwd_policy,
- .iter_policy = ipadb_iterate_pwd_policy,
- .delete_policy = ipadb_delete_pwd_policy,
- .free_policy = ipadb_free_pwd_policy,
- .alloc = ipadb_alloc,
- .free = ipadb_free,
- .fetch_master_key = ipadb_fetch_master_key,
- .store_master_key_list = ipadb_store_master_key_list,
- .change_pwd = ipadb_change_pwd,
- .sign_authdata = ipadb_sign_authdata,
- .check_transited_realms = ipadb_check_transited_realms,
- .check_policy_as = ipadb_check_policy_as,
- .audit_as_req = ipadb_audit_as_req,
- .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
-};
-#endif
-
 #if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = {
 };
 #endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
- (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
 (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
 (KRB5_KDB_DAL_MAJOR_VERSION != 8)
 #error unsupported DAL major version
-- 
2.24.1