From 2eafc4d8aa9711086e763e77d6569162e7a725fd Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Mar 2018 11:20:09 -0400 Subject: [PATCH] Include preauth names in trace output where possible Also fix misc bugs --- ...dation-of-PACs-with-enterprise-names.patch | 49 ++ Fix-read-overflow-in-KDC-sort_pa_data.patch | 48 ++ ...uth-name-in-trace-output-if-possible.patch | 514 ++++++++++++++++++ Report-extended-errors-in-kinit-k-t-KDB.patch | 27 + krb5.spec | 10 +- 5 files changed, 647 insertions(+), 1 deletion(-) create mode 100644 Allow-validation-of-PACs-with-enterprise-names.patch create mode 100644 Fix-read-overflow-in-KDC-sort_pa_data.patch create mode 100644 Include-preauth-name-in-trace-output-if-possible.patch create mode 100644 Report-extended-errors-in-kinit-k-t-KDB.patch diff --git a/Allow-validation-of-PACs-with-enterprise-names.patch b/Allow-validation-of-PACs-with-enterprise-names.patch new file mode 100644 index 0000000..b8492f5 --- /dev/null +++ b/Allow-validation-of-PACs-with-enterprise-names.patch @@ -0,0 +1,49 @@ +From 8a2ceda87107973ec10fec532c095cf347ec050c Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 14 Mar 2018 01:19:17 +0200 +Subject: [PATCH] Allow validation of PACs with enterprise names + +In k5_pac_validate_client(), if we are verifying against an enterprise +principal, parse the PAC_CLIENT_INFO field as an enterprise principal. +This scenario may arise in the response to an S4U2Self request for an +enterprise principal, as the KDC does not appear to canonicalize the +client principal requested in PA-FOR-USER. + +[ghudson@mit.edu: rewrote commit message; adjusted style] + +ticket: 8649 (new) +tags: pullup +target_version: 1.16-next + +(cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf) +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 0eb19e6bb..c9b5de30a 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context, + krb5_ui_2 pac_princname_length; + int64_t pac_nt_authtime; + krb5_principal pac_principal; ++ int flags; + + ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, + &client_info); +@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context, + if (ret != 0) + return ret; + +- ret = krb5_parse_name_flags(context, pac_princname, +- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal); ++ /* Parse the UTF-8 name as an enterprise principal if we are matching ++ * against one; otherwise parse it as a regular principal with no realm. */ ++ flags = KRB5_PRINCIPAL_PARSE_NO_REALM; ++ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL) ++ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE; ++ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal); + if (ret != 0) { + free(pac_princname); + return ret; diff --git a/Fix-read-overflow-in-KDC-sort_pa_data.patch b/Fix-read-overflow-in-KDC-sort_pa_data.patch new file mode 100644 index 0000000..709eac9 --- /dev/null +++ b/Fix-read-overflow-in-KDC-sort_pa_data.patch @@ -0,0 +1,48 @@ +From 87cc924b8c127afb617cd110b1fbee57f809cd49 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 15 Mar 2018 20:27:30 -0400 +Subject: [PATCH] Fix read overflow in KDC sort_pa_data() + +sort_pa_data() could read past the end of pa_order if all preauth +systems in the table have the PA_REPLACES_KEY flag, causing a +dereference of preauth_systems[-1]. This situation became possible +after commit fea1a488924faa3938ef723feaa1ff12d22a91ff with the +elimination of static_preauth_systems; before that there were always +table entries which did not have PA_REPLACES_KEY set. + +Fix this bug by removing the loop to count n_key_replacers, and +instead get the count from the prior loop by stopping once we move all +of the key-replacing modules to the front. + +(cherry picked from commit b38e318cea18fd65647189eed64aef83bf1cb772) +--- + src/kdc/kdc_preauth.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c +index 80b130222..62ff9a8a7 100644 +--- a/src/kdc/kdc_preauth.c ++++ b/src/kdc/kdc_preauth.c +@@ -663,17 +663,18 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order) + break; + } + } ++ /* If we didn't find one, we have moved all of the key-replacing ++ * modules, and i is the count of those modules. */ ++ if (j == n_repliers) ++ break; + } ++ n_key_replacers = i; + + if (request->padata != NULL) { + /* Now reorder the subset of modules which replace the key, + * bubbling those which handle pa_data types provided by the + * client ahead of the others. + */ +- for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { +- continue; +- } +- n_key_replacers = i; + for (i = 0; i < n_key_replacers; i++) { + if (pa_list_includes(request->padata, + preauth_systems[pa_order[i]].type)) diff --git a/Include-preauth-name-in-trace-output-if-possible.patch b/Include-preauth-name-in-trace-output-if-possible.patch new file mode 100644 index 0000000..ca12e6f --- /dev/null +++ b/Include-preauth-name-in-trace-output-if-possible.patch @@ -0,0 +1,514 @@ +From 44fe6e4df092e3bc7673449ccd7c70b6f0a4ccbf Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 15 Mar 2018 14:37:28 -0400 +Subject: [PATCH] Include preauth name in trace output if possible + +Add a {patype} trace format specifier for a single pa-type value. Add +a krb5_preauthtype to string conversion function to trace machinery +and use it when formatting {patype} or {patypes}. + +[ghudson@mit.edu: wrote conversion function; edited commit message] + +ticket: 8653 (new) +(cherry picked from commit 9c68fe39b018666eabe033b639c1f35d03ba51c7) +--- + src/include/k5-trace.h | 17 ++-- + src/lib/krb5/os/t_trace.ref | 2 +- + src/lib/krb5/os/trace.c | 61 ++++++++++++- + src/tests/t_pkinit.py | 43 ++++----- + src/tests/t_preauth.py | 216 ++++++++++++++++++++++---------------------- + 5 files changed, 200 insertions(+), 139 deletions(-) + +diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h +index 390a8b7d6..5f7eb9517 100644 +--- a/src/include/k5-trace.h ++++ b/src/include/k5-trace.h +@@ -75,6 +75,7 @@ + * {cksum} const krb5_checksum *, display cksumtype and hex checksum + * {princ} krb5_principal, unparse and display + * {ptype} krb5_int32, krb5_principal type, display name ++ * {patype} krb5_preauthtype, a single padata type number + * {patypes} krb5_pa_data **, display list of padata type numbers + * {etype} krb5_enctype, display shortest name of enctype + * {etypes} krb5_enctype *, display list of enctypes +@@ -232,14 +233,14 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \ + TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code) + #define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype) \ +- TRACE(c, "Continuing preauth mech {int}", (int)patype) ++ TRACE(c, "Continuing preauth mech {patype}", patype) + #define TRACE_INIT_CREDS_PREAUTH_NONE(c) \ + TRACE(c, "Sending unauthenticated request") + #define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c) \ + TRACE(c, "Attempting optimistic preauth") + #define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code) \ +- TRACE(c, "Recovering from KDC error {int} using preauth mech {int}", \ +- (int)patype, (int)code) ++ TRACE(c, "Recovering from KDC error {int} using preauth mech {patype}", \ ++ patype, (int)code) + #define TRACE_INIT_CREDS_RESTART_FAST(c) \ + TRACE(c, "Restarting to upgrade to FAST") + #define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c) \ +@@ -290,7 +291,7 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + + #define TRACE_PREAUTH_CONFLICT(c, name1, name2, patype) \ + TRACE(c, "Preauth module {str} conflicts with module {str} for pa " \ +- "type {int}", name1, name2, (int) patype) ++ "type {patype}", name1, name2, patype) + #define TRACE_PREAUTH_COOKIE(c, len, data) \ + TRACE(c, "Received cookie: {lenstr}", (size_t) len, data) + #define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \ +@@ -302,8 +303,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + TRACE(c, "Selected etype info: etype {etype}, salt \"{data}\", " \ + "params \"{data}\"", etype, salt, s2kparams) + #define TRACE_PREAUTH_INFO_FAIL(c, patype, code) \ +- TRACE(c, "Preauth builtin info function failure, type={int}: {kerr}", \ +- (int) patype, code) ++ TRACE(c, "Preauth builtin info function failure, type={patype}: {kerr}", \ ++ patype, code) + #define TRACE_PREAUTH_INPUT(c, padata) \ + TRACE(c, "Processing preauth types: {patypes}", padata) + #define TRACE_PREAUTH_OUTPUT(c, padata) \ +@@ -314,8 +315,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + #define TRACE_PREAUTH_SAM_KEY_GAK(c, keyblock) \ + TRACE(c, "AS key obtained for SAM: {keyblock}", keyblock) + #define TRACE_PREAUTH_SALT(c, salt, patype) \ +- TRACE(c, "Received salt \"{data}\" via padata type {int}", salt, \ +- (int) patype) ++ TRACE(c, "Received salt \"{data}\" via padata type {patype}", salt, \ ++ patype) + #define TRACE_PREAUTH_SKIP(c, name, patype) \ + TRACE(c, "Skipping previously used preauth module {str} ({int})", \ + name, (int) patype) +diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref +index ca5818a1e..bd5d9b6b6 100644 +--- a/src/lib/krb5/os/t_trace.ref ++++ b/src/lib/krb5/os/t_trace.ref +@@ -38,7 +38,7 @@ int, krb5_principal type: Windows 2000 UPN and SID + int, krb5_principal type: NT 4 style name + int, krb5_principal type: NT 4 style name and SID + int, krb5_principal type: ? +-krb5_pa_data **, display list of padata type numbers: 3, 0 ++krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 + krb5_pa_data **, display list of padata type numbers: (empty) + krb5_enctype, display shortest name of enctype: des-cbc-crc + krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 779f184cb..10b4f0c14 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -123,6 +123,50 @@ principal_type_string(krb5_int32 type) + } + } + ++static char * ++padata_type_string(krb5_preauthtype type) ++{ ++ switch (type) { ++ case KRB5_PADATA_TGS_REQ: return "PA-TGS-REQ"; ++ case KRB5_PADATA_ENC_TIMESTAMP: return "PA-ENC-TIMESTAMP"; ++ case KRB5_PADATA_PW_SALT: return "PA-PW-SALT"; ++ case KRB5_PADATA_ENC_UNIX_TIME: return "PA-ENC-UNIX-TIME"; ++ case KRB5_PADATA_ENC_SANDIA_SECURID: return "PA-SANDIA-SECUREID"; ++ case KRB5_PADATA_SESAME: return "PA-SESAME"; ++ case KRB5_PADATA_OSF_DCE: return "PA-OSF-DCE"; ++ case KRB5_CYBERSAFE_SECUREID: return "PA-CYBERSAFE-SECUREID"; ++ case KRB5_PADATA_AFS3_SALT: return "PA-AFS3-SALT"; ++ case KRB5_PADATA_ETYPE_INFO: return "PA-ETYPE-INFO"; ++ case KRB5_PADATA_SAM_CHALLENGE: return "PA-SAM-CHALLENGE"; ++ case KRB5_PADATA_SAM_RESPONSE: return "PA-SAM-RESPONSE"; ++ case KRB5_PADATA_PK_AS_REQ_OLD: return "PA-PK-AS-REQ_OLD"; ++ case KRB5_PADATA_PK_AS_REP_OLD: return "PA-PK-AS-REP_OLD"; ++ case KRB5_PADATA_PK_AS_REQ: return "PA-PK-AS-REQ"; ++ case KRB5_PADATA_PK_AS_REP: return "PA-PK-AS-REP"; ++ case KRB5_PADATA_ETYPE_INFO2: return "PA-ETYPE-INFO2"; ++ case KRB5_PADATA_SVR_REFERRAL_INFO: return "PA-SVR-REFERRAL-INFO"; ++ case KRB5_PADATA_SAM_REDIRECT: return "PA-SAM-REDIRECT"; ++ case KRB5_PADATA_GET_FROM_TYPED_DATA: return "PA-GET-FROM-TYPED-DATA"; ++ case KRB5_PADATA_SAM_CHALLENGE_2: return "PA-SAM-CHALLENGE2"; ++ case KRB5_PADATA_SAM_RESPONSE_2: return "PA-SAM-RESPONSE2"; ++ case KRB5_PADATA_PAC_REQUEST: return "PA-PAC-REQUEST"; ++ case KRB5_PADATA_FOR_USER: return "PA-FOR_USER"; ++ case KRB5_PADATA_S4U_X509_USER: return "PA-FOR-X509-USER"; ++ case KRB5_PADATA_AS_CHECKSUM: return "PA-AS-CHECKSUM"; ++ case KRB5_PADATA_FX_COOKIE: return "PA-FX-COOKIE"; ++ case KRB5_PADATA_FX_FAST: return "PA-FX-FAST"; ++ case KRB5_PADATA_FX_ERROR: return "PA-FX-ERROR"; ++ case KRB5_PADATA_ENCRYPTED_CHALLENGE: return "PA-ENCRYPTED-CHALLENGE"; ++ case KRB5_PADATA_OTP_CHALLENGE: return "PA-OTP-CHALLENGE"; ++ case KRB5_PADATA_OTP_REQUEST: return "PA-OTP-REQUEST"; ++ case KRB5_PADATA_OTP_PIN_CHANGE: return "PA-OTP-PIN-CHANGE"; ++ case KRB5_PADATA_PKINIT_KX: return "PA-PKINIT-KX"; ++ case KRB5_ENCPADATA_REQ_ENC_PA_REP: return "PA-REQ-ENC-PA-REP"; ++ case KRB5_PADATA_AS_FRESHNESS: return "PA_AS_FRESHNESS"; ++ default: return NULL; ++ } ++} ++ + static char * + trace_format(krb5_context context, const char *fmt, va_list ap) + { +@@ -140,6 +184,8 @@ trace_format(krb5_context context, const char *fmt, va_list ap) + krb5_key key; + const krb5_checksum *cksum; + krb5_pa_data **padata; ++ krb5_preauthtype pa_type; ++ const char *name; + krb5_ccache ccache; + krb5_keytab keytab; + krb5_creds *creds; +@@ -271,10 +317,23 @@ trace_format(krb5_context context, const char *fmt, va_list ap) + if (padata == NULL || *padata == NULL) + k5_buf_add(&buf, "(empty)"); + for (; padata != NULL && *padata != NULL; padata++) { +- k5_buf_add_fmt(&buf, "%d", (int)(*padata)->pa_type); ++ pa_type = (*padata)->pa_type; ++ name = padata_type_string(pa_type); ++ if (name != NULL) ++ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); ++ else ++ k5_buf_add_fmt(&buf, "%d", (int)pa_type); ++ + if (*(padata + 1) != NULL) + k5_buf_add(&buf, ", "); + } ++ } else if (strcmp(tmpbuf, "patype") == 0) { ++ pa_type = va_arg(ap, krb5_preauthtype); ++ name = padata_type_string(pa_type); ++ if (name != NULL) ++ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); ++ else ++ k5_buf_add_fmt(&buf, "%d", (int)pa_type); + } else if (strcmp(tmpbuf, "etype") == 0) { + etype = va_arg(ap, krb5_enctype); + if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0) +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 3030322e1..1ba3536da 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -164,18 +164,19 @@ realm.stop_kdc() + realm.start_kdc() + + # Run the basic test - PKINIT with FILE: identity, with no password on the key. ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'PKINIT client received freshness token from KDC', ++ 'PKINIT loading CA certs and CRLs from FILE', ++ 'PKINIT client making DH request', ++ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', ++ 'PKINIT client verified DH reply', ++ 'PKINIT client found id-pkinit-san in KDC cert', ++ 'PKINIT client matched KDC principal krbtgt/') + realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity], +- expected_trace=('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'PKINIT client received freshness token from KDC', +- 'PKINIT loading CA certs and CRLs from FILE', +- 'PKINIT client making DH request', +- 'Produced preauth for next request: 133, 16', +- 'PKINIT client verified DH reply', +- 'PKINIT client found id-pkinit-san in KDC cert', +- 'PKINIT client matched KDC principal krbtgt/')) ++ expected_trace=msgs) + realm.klist(realm.user_princ) + realm.run([kvno, realm.host_princ]) + +@@ -194,19 +195,19 @@ minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} + minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) + realm.stop_kdc() + realm.start_kdc(env=minbits_env) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Preauth module pkinit (16) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 16', +- '/Key parameters not accepted', +- 'Preauth tryagain input types (16): 109, 133', +- 'trying again with KDC-provided parameters', +- 'Preauth module pkinit (16) tryagain returned: 0/Success', +- 'Followup preauth for next request: 16, 133') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Preauth module pkinit (16) (real) returned: 0/Success', ++ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', ++ '/Key parameters not accepted', ++ 'Preauth tryagain input types (16): 109, PA-FX-COOKIE (133)', ++ 'trying again with KDC-provided parameters', ++ 'Preauth module pkinit (16) tryagain returned: 0/Success', ++ ' preauth for next request: PA-PK-AS-REQ (16), PA-FX-COOKIE (133)') + realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity], +- expected_trace=expected_trace) ++ expected_trace=msgs) + + # Test enforcement of required freshness tokens. (We can leave + # freshness tokens required after this test.) +diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py +index fec0bf619..efb3ea20d 100644 +--- a/src/tests/t_preauth.py ++++ b/src/tests/t_preauth.py +@@ -18,15 +18,15 @@ realm.kinit('nokeyuser', password('user'), expected_code=1, + # PA-FX-COOKIE; 2 is encrypted timestamp. + + # Test normal preauth flow. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='testval', expected_trace=expected_trace) ++ expected_msg='testval', expected_trace=msgs) + + # Test successful optimistic preauth. + expected_trace = ('Attempting optimistic preauth', +@@ -39,136 +39,136 @@ realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], + + # Test optimistic preauth failing on client, followed by successful + # preauth using the same module. +-expected_trace = ('Attempting optimistic preauth', +- 'Processing preauth types: -123', +- '/induced optimistic fail', +- 'Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ '/induced optimistic fail', ++ 'Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ, + password('user')], expected_msg='testval', +- expected_trace=expected_trace) ++ expected_trace=msgs) + + # Test optimistic preauth failing on KDC, followed by successful preauth + # using the same module. + realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes']) +-expected_trace = ('Attempting optimistic preauth', +- 'Processing preauth types: -123', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: -123', +- '/Preauthentication failed', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], +- expected_msg='testval', expected_trace=expected_trace) ++ expected_msg='testval', expected_trace=msgs) + realm.run([kadminl, 'delstr', realm.user_princ, 'failopt']) + + # Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. + realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + + # Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, + # falling back to encrypted timestamp. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- '/induced 2rt fail', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ '/induced 2rt fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + + # Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, + # falling back to encrypted timestamp. + realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/Preauthentication failed', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt']) + + # Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC. + realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/KDC has no support for encryption type', +- 'Recovering from KDC error 14 using preauth mech -123', +- 'Preauth tryagain input types (-123): -123, 133', +- 'Preauth module test (-123) tryagain returned: 0/Success', +- 'Followup preauth for next request: -123, 133', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', ++ 'Preauth module test (-123) tryagain returned: 0/Success', ++ 'Followup preauth for next request: -123, PA-FX-COOKIE (133)', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='tryagain: testagain', expected_trace=expected_trace) ++ expected_msg='tryagain: testagain', expected_trace=msgs) + + # Test a client-side tryagain failure, falling back to encrypted + # timestamp. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/KDC has no support for encryption type', +- 'Recovering from KDC error 14 using preauth mech -123', +- 'Preauth tryagain input types (-123): -123, 133', +- '/induced tryagain fail', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', ++ '/induced tryagain fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ, +- password('user')], expected_trace=expected_trace) ++ password('user')], expected_trace=msgs) + + # Test that multiple stepwise initial creds operations can be + # performed with the same krb5_context, with proper tracking of diff --git a/Report-extended-errors-in-kinit-k-t-KDB.patch b/Report-extended-errors-in-kinit-k-t-KDB.patch new file mode 100644 index 0000000..feb49b7 --- /dev/null +++ b/Report-extended-errors-in-kinit-k-t-KDB.patch @@ -0,0 +1,27 @@ +From b3b5cf3d57ac2889aeab82a79a6ea967c1412eb6 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 17 Mar 2018 22:47:34 -0400 +Subject: [PATCH] Report extended errors in kinit -k -t KDB: + +In kinit, if we recreate the context using kinit_kdb_init(), also +reset the global errctx so that we use the new context to retrieve +extended error messages. + +ticket: 8652 (new) +(cherry picked from commit d4d902d317a2acc46ee71094a33a9203b6135275) +--- + src/clients/kinit/kinit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c +index a518284ea..3fdae2878 100644 +--- a/src/clients/kinit/kinit.c ++++ b/src/clients/kinit/kinit.c +@@ -718,6 +718,7 @@ k5_kinit(struct k_opts *opts, struct k5_data *k5) + #ifndef _WIN32 + if (strncmp(opts->keytab_name, "KDB:", 4) == 0) { + ret = kinit_kdb_init(&k5->ctx, k5->me->realm.data); ++ errctx = k5->ctx; + if (ret) { + com_err(progname, ret, + _("while setting up KDB keytab for realm %s"), diff --git a/krb5.spec b/krb5.spec index 105326d..4cbdcf1 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.16 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 11%{?dist} +Release: 12%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -71,6 +71,10 @@ Patch44: Refactor-KDC-krb5_pa_data-utility-functions.patch Patch45: Simplify-kdc_preauth.c-systems-table.patch Patch46: Add-PKINIT-client-support-for-freshness-token.patch Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch +Patch48: Allow-validation-of-PACs-with-enterprise-names.patch +Patch49: Fix-read-overflow-in-KDC-sort_pa_data.patch +Patch50: Include-preauth-name-in-trace-output-if-possible.patch +Patch51: Report-extended-errors-in-kinit-k-t-KDB.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -720,6 +724,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Mar 20 2018 Robbie Harwood - 1.16-12 +- Log preauth names in trace output +- Misc bugfixes from upstream + * Mon Mar 19 2018 Robbie Harwood - 1.16-11 - Add PKINIT KDC support for freshness token