Use responder for non-preauth AS requests

Resolves: #1370622

krb5-1.14.4-responder-non-preauth.patch

@@ -0,0 +1,86 @@
+From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 5 Aug 2016 12:28:03 -0400
+Subject: [PATCH] Use responder for non-preauth AS requests
+
+If no AS reply key is computed during pre-authentication (typically
+because no pre-authentication was required by the KDC), ask for the
+password using the responder before calling gak_fct for the key, and
+supply any resulting responder items to gak_fct.
+
+ticket: 8454
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
+ src/tests/t_general.py        |  5 +++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index b78e19a..659be66 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
+     krb5_keyblock encrypting_key;
+     krb5_boolean fast_avail;
+     krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
++    krb5_responder_fn responder;
++    void *responder_data;
+ 
+     encrypting_key.length = 0;
+     encrypting_key.contents = NULL;
+@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
+         code = -1;
+ 
+     if (code != 0) {
++        /* If a responder was provided and we are using a password, ask for the
++         * password using the responder before falling back to the prompter. */
++        k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
++        if (responder != NULL && !ctx->as_key.length) {
++            /* Indicate a need for the AS key by calling the gak_fct with a
++             * NULL as_key. */
++            code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
++                                NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
++                                ctx->rctx.items);
++            if (code != 0)
++                goto cleanup;
++
++            /* If that produced a responder question, invoke the responder. */
++            if (!k5_response_items_empty(ctx->rctx.items)) {
++                code = (*responder)(context, responder_data, &ctx->rctx);
++                if (code != 0)
++                    goto cleanup;
++            }
++        }
++
+         /* if we haven't get gotten a key, get it now */
+         TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
+         code = (*ctx->gak_fct)(context, ctx->request->client,
+                                ctx->reply->enc_part.enctype,
+                                ctx->prompter, ctx->prompter_data,
+                                &ctx->salt, &ctx->s2kparams,
+-                               &ctx->as_key, ctx->gak_data, NULL);
++                               &ctx->as_key, ctx->gak_data, ctx->rctx.items);
+         if (code != 0)
+             goto cleanup;
+         TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
+diff --git a/src/tests/t_general.py b/src/tests/t_general.py
+index c3629e6..13dd99b 100755
+--- a/src/tests/t_general.py
++++ b/src/tests/t_general.py
+@@ -34,6 +34,11 @@ realm.stop()
+ 
+ realm = K5Realm(create_host=False)
+ 
++# Regression test for #8454 (responder callback isn't used when
++# preauth is not required).
++realm.run(['./responder', '-r', 'password=%s' % password('user'),
++           realm.user_princ])
++
+ # Test that WRONG_REALM responses aren't treated as referrals unless
+ # they contain a crealm field pointing to a different realm.
+ # (Regression test for #8060.)
+-- 
+2.9.3
+

krb5.spec

@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -70,6 +70,8 @@ Patch168: krb5-1.15-improve-bad-password-inference.patch
 Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
 Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
 
+Patch171: krb5-1.14.4-responder-non-preauth.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -284,6 +286,8 @@ ln NOTICE LICENSE
 %patch169 -p1 -b .kdc-error-encrypted-timestamp
 %patch170 -p1 -b .samba-client-mutual-flag
 
+%patch171 -p1 -b .responder-non-preauth
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
 
@@ -752,6 +756,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8
+- Use responder for non-preauth AS requests
+- Resolves: #1370622
+
 * Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7
 - Guess Samba client mutual flag using ap_option
 - Resolves: #1370980