rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

drop backported patches for RT #7406,#7407,#7408

Browse Source 
- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
This commit is contained in:
Nalin Dahyabhai 2012-11-15 15:04:38 -05:00
parent 6baa28a80d
commit 03522e1559
4 changed files with 6 additions and 413 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

301
krb5-trunk-7046.patch
View File

@ -1,301 +0,0 @@
commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:13 2011 +0000
ticket: 7046
subject: Allow S4U2Proxy delegated credentials to be saved
The initial implementation of client-side S4U2Proxy support did not
allow delegated proxy credentials to be stored (gss_store_cred would
error out, and gss_krb5_copy_ccache would generate a non-working
cache). To make this work, we save the impersonator name in a cache
config variable and in a cred structure field (replacing the
proxy_cred flag), and make the default principal of the proxy cache
the subject principal as the caller would expect for a regular
delegated cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 514e2ea..b25c159 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
+
+/* Cache configuration variables */
#define KRB5_CONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c815b35..c08e059 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
return 0;
}
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
+ * the parsed principal. Otherwise set *impersonator_out to NULL. */
+static krb5_error_code
+get_impersonator(krb5_context context, krb5_ccache ccache,
+ krb5_principal *impersonator_out)
+{
+ krb5_error_code code;
+ krb5_data data = empty_data(), data0 = empty_data();
+
+ *impersonator_out = NULL;
+
+ code = krb5_cc_get_config(context, ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ if (code)
+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
+
+ code = krb5int_copy_data_contents_add0(context, &data, &data0);
+ if (code)
+ goto cleanup;
+
+ code = krb5_parse_name(context, data0.data, impersonator_out);
+
+cleanup:
+ krb5_free_data_contents(context, &data);
+ krb5_free_data_contents(context, &data0);
+ return code;
+}
+
/* Check ccache and scan it for its expiry time. On success, cred takes
* ownership of ccache. */
static krb5_error_code
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
goto cleanup;
}
+ code = get_impersonator(context, ccache, &cred->impersonator);
+ if (code)
+ goto cleanup;
+
(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
cred->ccache = ccache;
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
cred->usage = args->cred_usage;
cred->name = NULL;
+ cred->impersonator = NULL;
cred->iakerb_mech = args->iakerb;
cred->default_identity = (name == NULL);
#ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 016a2e6..6b7d530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
gss_cred_usage_t usage;
krb5_gss_name_t name;
- unsigned int proxy_cred : 1;
+ krb5_principal impersonator;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
unsigned int destroy_ccache : 1;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 1b8120c..d7b9ffa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
krb5_error_code code;
krb5_creds in_creds, evidence_creds, *result_creds = NULL;
krb5_flags flags = 0;
- krb5_principal cc_princ = NULL;
*out_creds = NULL;
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
assert(cred->name != NULL);
- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
- goto cleanup;
-
/*
* Do constrained delegation if we have proxy credentials and
* we're not trying to get a ticket to ourselves (in which case
* we can just use the S4U2Self or evidence ticket directly).
*/
- if (cred->proxy_cred &&
- !krb5_principal_compare(context, cc_princ, server->princ)) {
+ if (cred->impersonator &&
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
flags |= KRB5_GC_CANONICALIZE |
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
memset(&mcreds, 0, sizeof(mcreds));
mcreds.magic = KV5M_CREDS;
- mcreds.times.endtime = cred->tgt_expire;
- mcreds.server = cc_princ;
+ mcreds.server = cred->impersonator;
mcreds.client = cred->name->princ;
code = krb5_cc_retrieve_cred(context, cred->ccache,
- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
- &mcreds,
+ KRB5_TC_MATCH_AUTHDATA, &mcreds,
&evidence_creds);
if (code)
goto cleanup;
assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
- in_creds.client = cc_princ;
+ in_creds.client = cred->impersonator;
in_creds.second_ticket = evidence_creds.ticket;
} else {
in_creds.client = cred->name->princ;
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
cleanup:
krb5_free_authdata(context, in_creds.authdata);
- krb5_free_principal(context, cc_princ);
krb5_free_cred_contents(context, &evidence_creds);
krb5_free_creds(context, result_creds);
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 5b2ea2f..4fd3694 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
if (cred->name)
kg_release_name(context, &cred->name);
+ krb5_free_principal(context, cred->impersonator);
+
if (cred->req_enctypes)
free(cred->req_enctypes);
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4ac2ce3..4b37c5a 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
}
+/*
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
+ * creds, setting a cache config variable with the impersonator principal name,
+ * and saving the impersonator principal name in the cred structure.
+ */
+static krb5_error_code
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
+ krb5_gss_cred_id_t impersonator_cred)
+{
+ krb5_error_code code;
+ krb5_data data;
+ char *str;
+
+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+ cred->ccache);
+ if (code)
+ return code;
+
+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
+ if (code)
+ return code;
+
+ data = string2data(str);
+ code = krb5_cc_set_config(context, cred->ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ krb5_free_unparsed_name(context, str);
+ if (code)
+ return code;
+
+ return krb5_copy_principal(context, impersonator_cred->name->princ,
+ &cred->impersonator);
+}
+
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
krb5_gss_cred_id_t impersonator_cred,
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (!kg_is_initiator_cred(impersonator_cred) ||
impersonator_cred->name == NULL ||
- impersonator_cred->proxy_cred) {
+ impersonator_cred->impersonator != NULL) {
code = G_BAD_USAGE;
goto cleanup;
}
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (code != 0)
goto cleanup;
- /*
- * Only return a "proxy" credential for use with constrained
- * delegation if the subject credentials are forwardable.
- * Submitting non-forwardable credentials to the KDC for use
- * with constrained delegation will only return an error.
- */
cred->usage = GSS_C_INITIATE;
- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
cred->tgt_expire = subject_creds->times.endtime;
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
goto cleanup;
cred->destroy_ccache = 1;
- code = krb5_cc_initialize(context, cred->ccache,
- cred->proxy_cred ? impersonator_cred->name->princ :
- subject_creds->client);
+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
if (code != 0)
goto cleanup;
- if (cred->proxy_cred) {
- /* Impersonator's TGT will be necessary for S4U2Proxy */
- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
- cred->ccache);
+ /*
+ * Only return a "proxy" credential for use with constrained
+ * delegation if the subject credentials are forwardable.
+ * Submitting non-forwardable credentials to the KDC for use
+ * with constrained delegation will only return an error.
+ */
+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
+ code = make_proxy_cred(context, cred, impersonator_cred);
if (code != 0)
goto cleanup;
}
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
index bff3cde..d587589 100644
--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
kcred = (krb5_gss_cred_id_t)input_cred_handle;
- if (kcred->ccache == NULL || kcred->proxy_cred) {
+ if (kcred->ccache == NULL) {
*minor_status = KG_CCACHE_NOMATCH;
major_status = GSS_S_DEFECTIVE_CREDENTIAL;
goto cleanup;
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index e87f249..46a9ae1 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!cred->proxy_cred &&
- !krb5_principal_compare(context, princ, cred->name->princ)) {
+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);

28
krb5-trunk-7047.patch
View File

@ -1,28 +0,0 @@
commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:22 2011 +0000
ticket: 7047
subject: Allow S4U2Proxy service tickets to be cached
Previous to this change, the GSS code avoids caching S4U2Proxy results
for fear of the memory cache growing without bound, but that seems
unlikely to be a serious problem. Allow these to be cached.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index d7b9ffa..07baefa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
!krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
- flags |= KRB5_GC_CANONICALIZE |
- KRB5_GC_NO_STORE |
- KRB5_GC_CONSTRAINED_DELEGATION;
+ flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION;
memset(&mcreds, 0, sizeof(mcreds));

78
krb5-trunk-7048.patch
View File

@ -1,78 +0,0 @@
commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:32 2011 +0000
ticket: 7048
subject: Allow null server key to krb5_pac_verify
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
- * @param [in] server Key to validate server checksum
+ * @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
if (server == NULL)
return EINVAL;
- ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
- return ret;
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Dec 8 04:21:23 2011 +0000
ticket: 7048
Actually allow null server key in krb5_pac_verify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
{
krb5_error_code ret;
- if (server == NULL)
- return EINVAL;
-
if (server != NULL) {
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)

12
krb5.spec
View File

@ -74,9 +74,6 @@ Patch63: krb5-1.10.2-selinux-label.patch
Patch71: krb5-1.9-dirsrv-accountlock.patch
Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch
Patch100: krb5-trunk-7046.patch
Patch101: krb5-trunk-7047.patch
Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10.2-keytab-etype.patch
@ -272,9 +269,6 @@ ln -s NOTICE LICENSE
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
#%patch75 -p1 -b .pkinit-debug
%patch86 -p0 -b .debuginfo
%patch100 -p1 -b .7046
%patch101 -p1 -b .7047
%patch102 -p1 -b .7048
%patch103 -p0 -b .gcc47 %{?_rawbuild}
%patch105 -p1 -b .kvno
%patch106 -p1 -b .keytab-etype
@ -852,6 +846,12 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Thu Nov 15 2012 Nalin Dahyabhai <nalin@redhat.com> 1.11.0-0.alpha1.0
- update to 1.11 alpha 1
- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
* Wed Oct 17 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-7
- tag a couple of other patches which we still need to be applied during
%%{?_rawbuild} builds (zmraz)