Use responder for non-preauth AS requests

Resolves: #1370622
2016-08-29 17:58:00 +00:00 · 2016-08-29 17:58:00 +00:00 · 3e13029eb0
commit 3e13029eb0
parent 10d34c1413
2 changed files with 95 additions and 1 deletions
--- a/krb5-1.14.4-responder-non-preauth.patch
+++ b/krb5-1.14.4-responder-non-preauth.patch
@ -0,0 +1,86 @@
+From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 5 Aug 2016 12:28:03 -0400
+Subject: [PATCH] Use responder for non-preauth AS requests
+
+If no AS reply key is computed during pre-authentication (typically
+because no pre-authentication was required by the KDC), ask for the
+password using the responder before calling gak_fct for the key, and
+supply any resulting responder items to gak_fct.
+
+ticket: 8454
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
+ src/tests/t_general.py        |  5 +++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index b78e19a..659be66 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
+     krb5_keyblock encrypting_key;
+     krb5_boolean fast_avail;
+     krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
+    krb5_responder_fn responder;
+    void *responder_data;
+ 
+     encrypting_key.length = 0;
+     encrypting_key.contents = NULL;
+@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
+         code = -1;
+ 
+     if (code != 0) {
+        /* If a responder was provided and we are using a password, ask for the
+         * password using the responder before falling back to the prompter. */
+        k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
+        if (responder != NULL && !ctx->as_key.length) {
+            /* Indicate a need for the AS key by calling the gak_fct with a
+             * NULL as_key. */
+            code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
+                                NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
+                                ctx->rctx.items);
+            if (code != 0)
+                goto cleanup;
+
+            /* If that produced a responder question, invoke the responder. */
+            if (!k5_response_items_empty(ctx->rctx.items)) {
+                code = (*responder)(context, responder_data, &ctx->rctx);
+                if (code != 0)
+                    goto cleanup;
+            }
+        }
+
+         /* if we haven't get gotten a key, get it now */
+         TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
+         code = (*ctx->gak_fct)(context, ctx->request->client,
+                                ctx->reply->enc_part.enctype,
+                                ctx->prompter, ctx->prompter_data,
+                                &ctx->salt, &ctx->s2kparams,
+-                               &ctx->as_key, ctx->gak_data, NULL);
+                               &ctx->as_key, ctx->gak_data, ctx->rctx.items);
+         if (code != 0)
+             goto cleanup;
+         TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
+diff --git a/src/tests/t_general.py b/src/tests/t_general.py
+index c3629e6..13dd99b 100755
+--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
+@@ -34,6 +34,11 @@ realm.stop()
+ 
+ realm = K5Realm(create_host=False)
+ 
+# Regression test for #8454 (responder callback isn't used when
+# preauth is not required).
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+           realm.user_princ])
+
+ # Test that WRONG_REALM responses aren't treated as referrals unless
+ # they contain a crealm field pointing to a different realm.
+ # (Regression test for #8060.)
+-- 
+2.9.3
+
--- a/krb5.spec
+++ b/krb5.spec
@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@ -70,6 +70,8 @@ Patch168: krb5-1.15-improve-bad-password-inference.patch
 Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
 Patch170: krb5-1.14.4-samba-client-mutual-flag.patch

+Patch171: krb5-1.14.4-responder-non-preauth.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@ -284,6 +286,8 @@ ln NOTICE LICENSE
 %patch169 -p1 -b .kdc-error-encrypted-timestamp
 %patch170 -p1 -b .samba-client-mutual-flag

+%patch171 -p1 -b .responder-non-preauth
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html

@ -752,6 +756,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8
+- Use responder for non-preauth AS requests
+- Resolves: #1370622
+
 * Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7
 - Guess Samba client mutual flag using ap_option
 - Resolves: #1370980