drop backported patches for RT #7406,#7407,#7408

- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
Nalin Dahyabhai 2012-11-15 15:04:38 -05:00
parent 6baa28a80d
commit 03522e1559
4 changed files with 6 additions and 413 deletions


@ -1,301 +0,0 @@
commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:13 2011 +0000
ticket: 7046
subject: Allow S4U2Proxy delegated credentials to be saved
The initial implementation of client-side S4U2Proxy support did not
allow delegated proxy credentials to be stored (gss_store_cred would
error out, and gss_krb5_copy_ccache would generate a non-working
cache). To make this work, we save the impersonator name in a cache
config variable and in a cred structure field (replacing the
proxy_cred flag), and make the default principal of the proxy cache
the subject principal as the caller would expect for a regular
delegated cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 514e2ea..b25c159 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
+
+/* Cache configuration variables */
#define KRB5_CONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c815b35..c08e059 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
return 0;
}
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
+ * the parsed principal. Otherwise set *impersonator_out to NULL. */
+static krb5_error_code
+get_impersonator(krb5_context context, krb5_ccache ccache,
+ krb5_principal *impersonator_out)
+{
+ krb5_error_code code;
+ krb5_data data = empty_data(), data0 = empty_data();
+
+ *impersonator_out = NULL;
+
+ code = krb5_cc_get_config(context, ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ if (code)
+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
+
+ code = krb5int_copy_data_contents_add0(context, &data, &data0);
+ if (code)
+ goto cleanup;
+
+ code = krb5_parse_name(context, data0.data, impersonator_out);
+
+cleanup:
+ krb5_free_data_contents(context, &data);
+ krb5_free_data_contents(context, &data0);
+ return code;
+}
+
/* Check ccache and scan it for its expiry time. On success, cred takes
* ownership of ccache. */
static krb5_error_code
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
goto cleanup;
}
+ code = get_impersonator(context, ccache, &cred->impersonator);
+ if (code)
+ goto cleanup;
+
(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
cred->ccache = ccache;
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
cred->usage = args->cred_usage;
cred->name = NULL;
+ cred->impersonator = NULL;
cred->iakerb_mech = args->iakerb;
cred->default_identity = (name == NULL);
#ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 016a2e6..6b7d530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
gss_cred_usage_t usage;
krb5_gss_name_t name;
- unsigned int proxy_cred : 1;
+ krb5_principal impersonator;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
unsigned int destroy_ccache : 1;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 1b8120c..d7b9ffa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
krb5_error_code code;
krb5_creds in_creds, evidence_creds, *result_creds = NULL;
krb5_flags flags = 0;
- krb5_principal cc_princ = NULL;
*out_creds = NULL;
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
assert(cred->name != NULL);
- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
- goto cleanup;
-
/*
* Do constrained delegation if we have proxy credentials and
* we're not trying to get a ticket to ourselves (in which case
* we can just use the S4U2Self or evidence ticket directly).
*/
- if (cred->proxy_cred &&
- !krb5_principal_compare(context, cc_princ, server->princ)) {
+ if (cred->impersonator &&
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
flags |= KRB5_GC_CANONICALIZE |
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
memset(&mcreds, 0, sizeof(mcreds));
mcreds.magic = KV5M_CREDS;
- mcreds.times.endtime = cred->tgt_expire;
- mcreds.server = cc_princ;
+ mcreds.server = cred->impersonator;
mcreds.client = cred->name->princ;
code = krb5_cc_retrieve_cred(context, cred->ccache,
- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
- &mcreds,
+ KRB5_TC_MATCH_AUTHDATA, &mcreds,
&evidence_creds);
if (code)
goto cleanup;
assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
- in_creds.client = cc_princ;
+ in_creds.client = cred->impersonator;
in_creds.second_ticket = evidence_creds.ticket;
} else {
in_creds.client = cred->name->princ;
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
cleanup:
krb5_free_authdata(context, in_creds.authdata);
- krb5_free_principal(context, cc_princ);
krb5_free_cred_contents(context, &evidence_creds);
krb5_free_creds(context, result_creds);
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 5b2ea2f..4fd3694 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
if (cred->name)
kg_release_name(context, &cred->name);
+ krb5_free_principal(context, cred->impersonator);
+
if (cred->req_enctypes)
free(cred->req_enctypes);
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4ac2ce3..4b37c5a 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
}
+/*
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
+ * creds, setting a cache config variable with the impersonator principal name,
+ * and saving the impersonator principal name in the cred structure.
+ */
+static krb5_error_code
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
+ krb5_gss_cred_id_t impersonator_cred)
+{
+ krb5_error_code code;
+ krb5_data data;
+ char *str;
+
+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+ cred->ccache);
+ if (code)
+ return code;
+
+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
+ if (code)
+ return code;
+
+ data = string2data(str);
+ code = krb5_cc_set_config(context, cred->ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ krb5_free_unparsed_name(context, str);
+ if (code)
+ return code;
+
+ return krb5_copy_principal(context, impersonator_cred->name->princ,
+ &cred->impersonator);
+}
+
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
krb5_gss_cred_id_t impersonator_cred,
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (!kg_is_initiator_cred(impersonator_cred) ||
impersonator_cred->name == NULL ||
- impersonator_cred->proxy_cred) {
+ impersonator_cred->impersonator != NULL) {
code = G_BAD_USAGE;
goto cleanup;
}
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (code != 0)
goto cleanup;
- /*
- * Only return a "proxy" credential for use with constrained
- * delegation if the subject credentials are forwardable.
- * Submitting non-forwardable credentials to the KDC for use
- * with constrained delegation will only return an error.
- */
cred->usage = GSS_C_INITIATE;
- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
cred->tgt_expire = subject_creds->times.endtime;
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
goto cleanup;
cred->destroy_ccache = 1;
- code = krb5_cc_initialize(context, cred->ccache,
- cred->proxy_cred ? impersonator_cred->name->princ :
- subject_creds->client);
+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
if (code != 0)
goto cleanup;
- if (cred->proxy_cred) {
- /* Impersonator's TGT will be necessary for S4U2Proxy */
- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
- cred->ccache);
+ /*
+ * Only return a "proxy" credential for use with constrained
+ * delegation if the subject credentials are forwardable.
+ * Submitting non-forwardable credentials to the KDC for use
+ * with constrained delegation will only return an error.
+ */
+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
+ code = make_proxy_cred(context, cred, impersonator_cred);
if (code != 0)
goto cleanup;
}
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
index bff3cde..d587589 100644
--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
kcred = (krb5_gss_cred_id_t)input_cred_handle;
- if (kcred->ccache == NULL || kcred->proxy_cred) {
+ if (kcred->ccache == NULL) {
*minor_status = KG_CCACHE_NOMATCH;
major_status = GSS_S_DEFECTIVE_CREDENTIAL;
goto cleanup;
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index e87f249..46a9ae1 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!cred->proxy_cred &&
- !krb5_principal_compare(context, princ, cred->name->princ)) {
+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);


@ -1,28 +0,0 @@
commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:22 2011 +0000
ticket: 7047
subject: Allow S4U2Proxy service tickets to be cached
Previous to this change, the GSS code avoids caching S4U2Proxy results
for fear of the memory cache growing without bound, but that seems
unlikely to be a serious problem. Allow these to be cached.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index d7b9ffa..07baefa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
!krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
- flags |= KRB5_GC_CANONICALIZE |
- KRB5_GC_NO_STORE |
- KRB5_GC_CONSTRAINED_DELEGATION;
+ flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION;
memset(&mcreds, 0, sizeof(mcreds));


@ -1,78 +0,0 @@
commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:32 2011 +0000
ticket: 7048
subject: Allow null server key to krb5_pac_verify
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
- * @param [in] server Key to validate server checksum
+ * @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
if (server == NULL)
return EINVAL;
- ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
- return ret;
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Dec 8 04:21:23 2011 +0000
ticket: 7048
Actually allow null server key in krb5_pac_verify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
{
krb5_error_code ret;
- if (server == NULL)
- return EINVAL;
-
if (server != NULL) {
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)


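--- a/SPEC_FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/SPEC_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -74,9 +74,6 @@ Patch63: krb5-1.10.2-selinux-label.patch
 Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
-Patch100: krb5-trunk-7046.patch
-Patch101: krb5-trunk-7047.patch
-Patch102: krb5-trunk-7048.patch
 Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
@@ -272,9 +269,6 @@ ln -s NOTICE LICENSE
 %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
 #%patch75 -p1 -b .pkinit-debug
 %patch86 -p0 -b .debuginfo
-%patch100 -p1 -b .7046
-%patch101 -p1 -b .7047
-%patch102 -p1 -b .7048
 %patch103 -p0 -b .gcc47 %{?_rawbuild}
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
@@ -852,6 +846,12 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Thu Nov 15 2012 Nalin Dahyabhai <nalin@redhat.com> 1.11.0-0.alpha1.0
+- update to 1.11 alpha 1
+- drop backported patch for RT #7406
+- drop backported patch for RT #7407
+- drop backported patch for RT #7408
 * Wed Oct 17 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-7
 - tag a couple of other patches which we still need to be applied during
 %%{?_rawbuild} builds (zmraz)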
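Review bot: The three new %changelog bullets cite RT #7406, #7407 and #7408, but the patches this commit removes are krb5-trunk-7046.patch, krb5-trunk-7047.patch and krb5-trunk-7048.patch, and the deleted patch files themselves carry `ticket: 7046`, `ticket: 7047` and `ticket: 7048`, so the digits look transposed (the commit title and description repeat the same numbers). I would change the bullets to `- drop backported patch for RT #7046`, `- drop backported patch for RT #7047` and `- drop backported patch for RT #7048`, so that anyone later searching the changelog for the upstream ticket finds the right entry. The entry also says "update to 1.11 alpha 1", yet no Version, Release or Source line changes in the visible hunks, and the diffstat's 6 additions and the 6 deletions left after the three 301-, 28- and 78-line patch files are exactly the lines shown here, so the version bump itself presumably lives in another commit; if so, it would be clearer to either move that bullet to that commit or say explicitly that 1.11 already contains the upstream changes (the deleted files reference trunk revisions 25529, 25530, 25532 and 25534).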