Fix transited realm checks in GSSAPI servers
- backport fix for not being able to verify the list of transited realms in GSS acceptors (RT#7639, #959685)
parent
325dca9ce4
commit
2fdc61e398
80
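--- a/krb5-1.11.2-gss_transited.patch
+++ b/krb5-1.11.2-gss_transited.patch
@@ -0,0 +1,80 @@
+Should fix #959685. Adjusted to apply to 1.11.2, which wrapped some of the
+context differently.
+
+commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Mon May 20 11:03:04 2013 -0400
+
+Fix transited handling for GSSAPI acceptors
+
+The Acceptor Names project (#6855) extended krb5_rd_req so that it can
+accept a "matching principal" in the server parameter. If the
+matching principal has an empty realm, rd_req_decoded_opt attempted to
+do transited checking with an empty server realm.
+
+To fix this, always reset server to req->ticket->server for future
+processing steps if we decrypt the ticket using a keytab.
+decrypt_ticket replaces req->ticket->server with the principal name
+from the keytab entry, so we know this name is correct.
+
+Based on a bug report and patch from nalin@redhat.com.
+
+ticket: 7639
+target_version: 1.11.3
+tags: pullup
+
+diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
+index bd447f3..4b952f5 100644
+--- a/src/lib/krb5/krb/rd_req_dec.c
++++ b/src/lib/krb5/krb/rd_req_dec.c
+@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+}
+krb5_k_free_key(context, (*auth_context)->key);
+(*auth_context)->key = NULL;
++ if (server == NULL)
++ server = req->ticket->server;
+} else {
+retval = decrypt_ticket(context, req, server, keytab,
+check_valid_flag ? &decrypt_key : NULL);
+if (retval)
+goto cleanup;
++ /* decrypt_ticket placed the principal of the keytab key in
++ * req->ticket->server; always use this for later steps. */
++ server = req->ticket->server;
+}
+TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client,
+req->ticket->server, req->ticket->enc_part2->session);
+@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+goto cleanup;
+}
+
+- if (!server) {
+- server = req->ticket->server;
+- }
+/* Get an rcache if necessary. */
+if (((*auth_context)->rcache == NULL)
+&& ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
+index de778cc..5583b02 100755
+--- a/src/tests/gssapi/t_gssapi.py
++++ b/src/tests/gssapi/t_gssapi.py
+@@ -110,6 +110,19 @@ if 'host/-nomatch-' not in output:
+
+realm.stop()
+
++# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
++# transited field. (Regression test for #7639.)
++r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
++ create_user=False, create_host=False,
++ args=[{'realm': 'A.X', 'create_user': True},
++ {'realm': 'X'},
++ {'realm': 'B.X', 'create_host': True}])
++os.rename(r3.keytab, r1.keytab)
++r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
++r1.stop()
++r2.stop()
++r3.stop()
++
+### Test gss_inquire_cred behavior.
+
+realm = K5Realm()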
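Review bot: The fallback `if (server == NULL) server = req->ticket->server;` added in the non-keytab branch of rd_req_decoded_opt carries no comment, while the parallel assignment in the keytab branch does; a one-liner such as `/* No keytab: fall back to the ticket's server name for the later checks. */` would make the two branches read symmetrically. The unconditional `server = req->ticket->server;` after decrypt_ticket relies on decrypt_ticket having rewritten req->ticket->server on every successful return, as the commit message states; if any success path inside decrypt_ticket (outside this hunk) leaves the original name in place, the transited check would still run against the caller-supplied matching principal, so that invariant is worth confirming when the backport is reviewed against 1.11.2. rd_req_decoded_opt begins and ends outside the hunk. The t_gssapi.py regression test asserts nothing about the output of t_accname, so it presumably catches the regression only if run_as_client treats a non-zero exit as failure.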
@ -79,6 +79,7 @@ Patch118: krb5-1.11.1-rpcbind.patch
|
|||||||
Patch119: krb5-fast-msg_type.patch
|
Patch119: krb5-fast-msg_type.patch
|
||||||
Patch120: krb5-1.11.2-kpasswd_pingpong.patch
|
Patch120: krb5-1.11.2-kpasswd_pingpong.patch
|
||||||
Patch121: krb5-cccol-primary.patch
|
Patch121: krb5-cccol-primary.patch
|
||||||
|
Patch122: krb5-1.11.2-gss_transited.patch
|
||||||
|
|
||||||
# Patches for otp plugin backport
|
# Patches for otp plugin backport
|
||||||
Patch201: krb5-1.11.2-keycheck.patch
|
Patch201: krb5-1.11.2-keycheck.patch
|
||||||
@ -300,6 +301,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch119 -p1 -b .fast-msg_type
|
%patch119 -p1 -b .fast-msg_type
|
||||||
%patch120 -p1 -b .kpasswd_pingpong
|
%patch120 -p1 -b .kpasswd_pingpong
|
||||||
%patch121 -p1 -b .cccol-primary
|
%patch121 -p1 -b .cccol-primary
|
||||||
|
%patch122 -p1 -b .gss_transited
|
||||||
|
|
||||||
%patch201 -p1 -b .keycheck
|
%patch201 -p1 -b .keycheck
|
||||||
%patch202 -p1 -b .otp
|
%patch202 -p1 -b .otp
|
||||||
@ -825,6 +827,10 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 28 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-7
|
||||||
|
- backport fix for not being able to verify the list of transited realms
|
||||||
|
in GSS acceptors (RT#7639, #959685)
|
||||||
|
|
||||||
* Tue May 21 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-6
|
* Tue May 21 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-6
|
||||||
- pull in upstream fix to start treating a KRB5CCNAME value that begins
|
- pull in upstream fix to start treating a KRB5CCNAME value that begins
|
||||||
with DIR:: the same as it would a DIR: value with just one ccache file
|
with DIR:: the same as it would a DIR: value with just one ccache file
|
||||||
|