From 03522e1559100dbc045b555a6cb5a1419cba0e2a Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 15 Nov 2012 15:04:38 -0500 Subject: [PATCH] drop backported patches for RT #7406,#7407,#7408 - drop backported patch for RT #7406 - drop backported patch for RT #7407 - drop backported patch for RT #7408 --- krb5-trunk-7046.patch | 301 ------------------------------------------ krb5-trunk-7047.patch | 28 ---- krb5-trunk-7048.patch | 78 ----------- krb5.spec | 12 +- 4 files changed, 6 insertions(+), 413 deletions(-) delete mode 100644 krb5-trunk-7046.patch delete mode 100644 krb5-trunk-7047.patch delete mode 100644 krb5-trunk-7048.patch diff --git a/krb5-trunk-7046.patch b/krb5-trunk-7046.patch deleted file mode 100644 index 7db7ef5..0000000 --- a/krb5-trunk-7046.patch +++ /dev/null @@ -1,301 +0,0 @@ -commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4 -Author: ghudson -Date: Wed Dec 7 19:38:13 2011 +0000 - - ticket: 7046 - subject: Allow S4U2Proxy delegated credentials to be saved - - The initial implementation of client-side S4U2Proxy support did not - allow delegated proxy credentials to be stored (gss_store_cred would - error out, and gss_krb5_copy_ccache would generate a non-working - cache). To make this work, we save the impersonator name in a cache - config variable and in a cred structure field (replacing the - proxy_cred flag), and make the default principal of the proxy cache - the subject principal as the caller would expect for a regular - delegated cred. - - git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 514e2ea..b25c159 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64; - #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert" - #define KRB5_CONF_V4_REALM "v4_realm" - #define KRB5_CONF_ASTERISK "*" -+ -+/* Cache configuration variables */ - #define KRB5_CONF_FAST_AVAIL "fast_avail" -+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator" - - /* Error codes used in KRB_ERROR protocol messages. - Return values of library routines are based on a different error table -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index c815b35..c08e059 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, - return 0; - } - -+/* If an impersonator config entry exists in ccache, set *impersonator_out to -+ * the parsed principal. Otherwise set *impersonator_out to NULL. */ -+static krb5_error_code -+get_impersonator(krb5_context context, krb5_ccache ccache, -+ krb5_principal *impersonator_out) -+{ -+ krb5_error_code code; -+ krb5_data data = empty_data(), data0 = empty_data(); -+ -+ *impersonator_out = NULL; -+ -+ code = krb5_cc_get_config(context, ccache, NULL, -+ KRB5_CONF_PROXY_IMPERSONATOR, &data); -+ if (code) -+ return (code == KRB5_CC_NOTFOUND) ? 0 : code; -+ -+ code = krb5int_copy_data_contents_add0(context, &data, &data0); -+ if (code) -+ goto cleanup; -+ -+ code = krb5_parse_name(context, data0.data, impersonator_out); -+ -+cleanup: -+ krb5_free_data_contents(context, &data); -+ krb5_free_data_contents(context, &data0); -+ return code; -+} -+ - /* Check ccache and scan it for its expiry time. On success, cred takes - * ownership of ccache. */ - static krb5_error_code -@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, - goto cleanup; - } - -+ code = get_impersonator(context, ccache, &cred->impersonator); -+ if (code) -+ goto cleanup; -+ - (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); - cred->ccache = ccache; - -@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status, - - cred->usage = args->cred_usage; - cred->name = NULL; -+ cred->impersonator = NULL; - cred->iakerb_mech = args->iakerb; - cred->default_identity = (name == NULL); - #ifndef LEAN_CLIENT -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 016a2e6..6b7d530 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec { - /* name/type of credential */ - gss_cred_usage_t usage; - krb5_gss_name_t name; -- unsigned int proxy_cred : 1; -+ krb5_principal impersonator; - unsigned int default_identity : 1; - unsigned int iakerb_mech : 1; - unsigned int destroy_ccache : 1; -diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index 1b8120c..d7b9ffa 100644 ---- a/src/lib/gssapi/krb5/init_sec_context.c -+++ b/src/lib/gssapi/krb5/init_sec_context.c -@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now, - krb5_error_code code; - krb5_creds in_creds, evidence_creds, *result_creds = NULL; - krb5_flags flags = 0; -- krb5_principal cc_princ = NULL; - - *out_creds = NULL; - -@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now, - - assert(cred->name != NULL); - -- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ))) -- goto cleanup; -- - /* - * Do constrained delegation if we have proxy credentials and - * we're not trying to get a ticket to ourselves (in which case - * we can just use the S4U2Self or evidence ticket directly). - */ -- if (cred->proxy_cred && -- !krb5_principal_compare(context, cc_princ, server->princ)) { -+ if (cred->impersonator && -+ !krb5_principal_compare(context, cred->impersonator, server->princ)) { - krb5_creds mcreds; - - flags |= KRB5_GC_CANONICALIZE | -@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now, - memset(&mcreds, 0, sizeof(mcreds)); - - mcreds.magic = KV5M_CREDS; -- mcreds.times.endtime = cred->tgt_expire; -- mcreds.server = cc_princ; -+ mcreds.server = cred->impersonator; - mcreds.client = cred->name->princ; - - code = krb5_cc_retrieve_cred(context, cred->ccache, -- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA, -- &mcreds, -+ KRB5_TC_MATCH_AUTHDATA, &mcreds, - &evidence_creds); - if (code) - goto cleanup; - - assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE); - -- in_creds.client = cc_princ; -+ in_creds.client = cred->impersonator; - in_creds.second_ticket = evidence_creds.ticket; - } else { - in_creds.client = cred->name->princ; -@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now, - - cleanup: - krb5_free_authdata(context, in_creds.authdata); -- krb5_free_principal(context, cc_princ); - krb5_free_cred_contents(context, &evidence_creds); - krb5_free_creds(context, result_creds); - -diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c -index 5b2ea2f..4fd3694 100644 ---- a/src/lib/gssapi/krb5/rel_cred.c -+++ b/src/lib/gssapi/krb5/rel_cred.c -@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle) - if (cred->name) - kg_release_name(context, &cred->name); - -+ krb5_free_principal(context, cred->impersonator); -+ - if (cred->req_enctypes) - free(cred->req_enctypes); - -diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c -index 4ac2ce3..4b37c5a 100644 ---- a/src/lib/gssapi/krb5/s4u_gss_glue.c -+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c -@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - - } - -+/* -+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's -+ * creds, setting a cache config variable with the impersonator principal name, -+ * and saving the impersonator principal name in the cred structure. -+ */ -+static krb5_error_code -+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred, -+ krb5_gss_cred_id_t impersonator_cred) -+{ -+ krb5_error_code code; -+ krb5_data data; -+ char *str; -+ -+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache, -+ cred->ccache); -+ if (code) -+ return code; -+ -+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str); -+ if (code) -+ return code; -+ -+ data = string2data(str); -+ code = krb5_cc_set_config(context, cred->ccache, NULL, -+ KRB5_CONF_PROXY_IMPERSONATOR, &data); -+ krb5_free_unparsed_name(context, str); -+ if (code) -+ return code; -+ -+ return krb5_copy_principal(context, impersonator_cred->name->princ, -+ &cred->impersonator); -+} -+ - OM_uint32 - kg_compose_deleg_cred(OM_uint32 *minor_status, - krb5_gss_cred_id_t impersonator_cred, -@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - - if (!kg_is_initiator_cred(impersonator_cred) || - impersonator_cred->name == NULL || -- impersonator_cred->proxy_cred) { -+ impersonator_cred->impersonator != NULL) { - code = G_BAD_USAGE; - goto cleanup; - } -@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - if (code != 0) - goto cleanup; - -- /* -- * Only return a "proxy" credential for use with constrained -- * delegation if the subject credentials are forwardable. -- * Submitting non-forwardable credentials to the KDC for use -- * with constrained delegation will only return an error. -- */ - cred->usage = GSS_C_INITIATE; -- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE); - - cred->tgt_expire = subject_creds->times.endtime; - -@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - goto cleanup; - cred->destroy_ccache = 1; - -- code = krb5_cc_initialize(context, cred->ccache, -- cred->proxy_cred ? impersonator_cred->name->princ : -- subject_creds->client); -+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client); - if (code != 0) - goto cleanup; - -- if (cred->proxy_cred) { -- /* Impersonator's TGT will be necessary for S4U2Proxy */ -- code = krb5_cc_copy_creds(context, impersonator_cred->ccache, -- cred->ccache); -+ /* -+ * Only return a "proxy" credential for use with constrained -+ * delegation if the subject credentials are forwardable. -+ * Submitting non-forwardable credentials to the KDC for use -+ * with constrained delegation will only return an error. -+ */ -+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) { -+ code = make_proxy_cred(context, cred, impersonator_cred); - if (code != 0) - goto cleanup; - } -diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c -index bff3cde..d587589 100644 ---- a/src/lib/gssapi/krb5/store_cred.c -+++ b/src/lib/gssapi/krb5/store_cred.c -@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status, - - kcred = (krb5_gss_cred_id_t)input_cred_handle; - -- if (kcred->ccache == NULL || kcred->proxy_cred) { -+ if (kcred->ccache == NULL) { - *minor_status = KG_CCACHE_NOMATCH; - major_status = GSS_S_DEFECTIVE_CREDENTIAL; - goto cleanup; -diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c -index e87f249..46a9ae1 100644 ---- a/src/lib/gssapi/krb5/val_cred.c -+++ b/src/lib/gssapi/krb5/val_cred.c -@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, - *minor_status = code; - return(GSS_S_DEFECTIVE_CREDENTIAL); - } -- if (!cred->proxy_cred && -- !krb5_principal_compare(context, princ, cred->name->princ)) { -+ if (!krb5_principal_compare(context, princ, cred->name->princ)) { - k5_mutex_unlock(&cred->lock); - *minor_status = KG_CCACHE_NOMATCH; - return(GSS_S_DEFECTIVE_CREDENTIAL); diff --git a/krb5-trunk-7047.patch b/krb5-trunk-7047.patch deleted file mode 100644 index 381449b..0000000 --- a/krb5-trunk-7047.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136 -Author: ghudson -Date: Wed Dec 7 19:38:22 2011 +0000 - - ticket: 7047 - subject: Allow S4U2Proxy service tickets to be cached - - Previous to this change, the GSS code avoids caching S4U2Proxy results - for fear of the memory cache growing without bound, but that seems - unlikely to be a serious problem. Allow these to be cached. - - git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index d7b9ffa..07baefa 100644 ---- a/src/lib/gssapi/krb5/init_sec_context.c -+++ b/src/lib/gssapi/krb5/init_sec_context.c -@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now, - !krb5_principal_compare(context, cred->impersonator, server->princ)) { - krb5_creds mcreds; - -- flags |= KRB5_GC_CANONICALIZE | -- KRB5_GC_NO_STORE | -- KRB5_GC_CONSTRAINED_DELEGATION; -+ flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION; - - memset(&mcreds, 0, sizeof(mcreds)); - diff --git a/krb5-trunk-7048.patch b/krb5-trunk-7048.patch deleted file mode 100644 index 0399565..0000000 --- a/krb5-trunk-7048.patch +++ /dev/null @@ -1,78 +0,0 @@ -commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e -Author: ghudson -Date: Wed Dec 7 19:38:32 2011 +0000 - - ticket: 7048 - subject: Allow null server key to krb5_pac_verify - - When the KDC verifies a PAC, it doesn't really need to check the - server signature, since it can't trust that anyway. Allow the caller - to pass only a TGT key. - - git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index f3d0225..83c2dc7 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len, - * @param [in] pac PAC handle - * @param [in] authtime Expected timestamp - * @param [in] principal Expected principal name (or NULL) -- * @param [in] server Key to validate server checksum -+ * @param [in] server Key to validate server checksum (or NULL) - * @param [in] privsvr Key to validate KDC checksum (or NULL) - * - * This function validates @a pac against the supplied @a server, @a privsvr, - * @a principal and @a authtime. If @a principal is NULL, the principal and -- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not -- * verified. -+ * authtime are not verified. If @a server or @a privsvr is NULL, the -+ * corresponding checksum is not verified. - * - * If successful, @a pac is marked as verified. - * -diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c -index f173b04..23aa930 100644 ---- a/src/lib/krb5/krb/pac.c -+++ b/src/lib/krb5/krb/pac.c -@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context, - if (server == NULL) - return EINVAL; - -- ret = k5_pac_verify_server_checksum(context, pac, server); -- if (ret != 0) -- return ret; -+ if (server != NULL) { -+ ret = k5_pac_verify_server_checksum(context, pac, server); -+ if (ret != 0) -+ return ret; -+ } - - if (privsvr != NULL) { - ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); - -commit e31486a84380647e49ba6199a3e10ac739fa1a45 -Author: ghudson -Date: Thu Dec 8 04:21:23 2011 +0000 - - ticket: 7048 - - Actually allow null server key in krb5_pac_verify - - git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c -index 23aa930..3262d21 100644 ---- a/src/lib/krb5/krb/pac.c -+++ b/src/lib/krb5/krb/pac.c -@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context, - { - krb5_error_code ret; - -- if (server == NULL) -- return EINVAL; -- - if (server != NULL) { - ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret != 0) diff --git a/krb5.spec b/krb5.spec index 9c3599e..4dd3fa5 100644 --- a/krb5.spec +++ b/krb5.spec @@ -74,9 +74,6 @@ Patch63: krb5-1.10.2-selinux-label.patch Patch71: krb5-1.9-dirsrv-accountlock.patch Patch75: krb5-pkinit-debug.patch Patch86: krb5-1.9-debuginfo.patch -Patch100: krb5-trunk-7046.patch -Patch101: krb5-trunk-7047.patch -Patch102: krb5-trunk-7048.patch Patch103: krb5-1.10-gcc47.patch Patch105: krb5-kvno-230379.patch Patch106: krb5-1.10.2-keytab-etype.patch @@ -272,9 +269,6 @@ ln -s NOTICE LICENSE %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} #%patch75 -p1 -b .pkinit-debug %patch86 -p0 -b .debuginfo -%patch100 -p1 -b .7046 -%patch101 -p1 -b .7047 -%patch102 -p1 -b .7048 %patch103 -p0 -b .gcc47 %{?_rawbuild} %patch105 -p1 -b .kvno %patch106 -p1 -b .keytab-etype @@ -852,6 +846,12 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Nov 15 2012 Nalin Dahyabhai 1.11.0-0.alpha1.0 +- update to 1.11 alpha 1 + - drop backported patch for RT #7406 + - drop backported patch for RT #7407 + - drop backported patch for RT #7408 + * Wed Oct 17 2012 Nalin Dahyabhai 1.10.3-7 - tag a couple of other patches which we still need to be applied during %%{?_rawbuild} builds (zmraz)