rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

more backported fixes for keytab-doesn't-have-all-key-types cases

Browse Source 
- add a backport of more patches to set the client's list of supported enctypes
  when using a keytab to be the list of types of keys in the keytab, plus the
  list of other types the client supports but for which it doesn't have keys,
  in that order, so that KDCs have a better chance of being able to issue
  tickets with session keys of types that the client can use (#837855)
This commit is contained in:
Nalin Dahyabhai 2012-09-07 16:10:45 -04:00
parent e39bc82589
commit 4c51c8bc7e
3 changed files with 250 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
krb5-1.10.3-keytab-etype-corners-prep.patch Normal file
View File

@ -0,0 +1,63 @@
Had to remove the t_keytab.py bits because that file doesn't exist in this
version. Also dropped the bit that made dbentry_supports_enctype() a static
function, since we don't have to go revert it later.
commit 18b02f3e839c007fff54fc9b693f479b7563ec73
Author: Greg Hudson <ghudson@mit.edu>
Date: Sun Jul 1 14:19:56 2012 -0400
Try harder to make keytab-based AS requests work
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
ticket: 7190 (new)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 3c2169e..48947c6 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1571,6 +1571,7 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
int nktypes, krb5_enctype *ktype)
{
int i;
+ krb5_enctype first_permitted = 0;
for (i = 0; i < nktypes; i++) {
if (!krb5_c_valid_enctype(ktype[i]))
@@ -1579,9 +1580,23 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
if (!krb5_is_permitted_enctype(context, ktype[i]))
continue;
+ if (first_permitted == 0)
+ first_permitted = ktype[i];
+
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
+
+ /*
+ * If we didn't find a match and the server is the local TGS server, this
+ * could be a keytab-based AS request where the keytab enctypes don't
+ * overlap the TGT principal enctypes. Try to make this work by using the
+ * first permitted enctype in the request, even though we can't be certain
+ * that other KDCs in the realm support it.
+ */
+ if (krb5_principal_compare(context, server->princ, tgs_server))
+ return first_permitted;
+
return 0;
}

178
krb5-1.10.3-keytab-etype-corners.patch Normal file
View File

@ -0,0 +1,178 @@
Add a static definition of k5_etypes_contains(), which was introduced properly
in a different upstream commit.
commit 61659df1036d1ad6d6891293f5949e720a2028f7
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Jul 2 12:46:59 2012 -0400
Include all default etypes in gic_keytab requests
Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
ticket: 7190
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 48947c6..fb49973 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1571,7 +1571,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
int nktypes, krb5_enctype *ktype)
{
int i;
- krb5_enctype first_permitted = 0;
for (i = 0; i < nktypes; i++) {
if (!krb5_c_valid_enctype(ktype[i]))
@@ -1580,23 +1579,10 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
if (!krb5_is_permitted_enctype(context, ktype[i]))
continue;
- if (first_permitted == 0)
- first_permitted = ktype[i];
-
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
- /*
- * If we didn't find a match and the server is the local TGS server, this
- * could be a keytab-based AS request where the keytab enctypes don't
- * overlap the TGT principal enctypes. Try to make this work by using the
- * first permitted enctype in the request, even though we can't be certain
- * that other KDCs in the realm support it.
- */
- if (krb5_principal_compare(context, server->princ, tgs_server))
- return first_permitted;
-
return 0;
}
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index bae83db..49e5023 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -142,21 +142,42 @@ cleanup:
return ret;
}
+static krb5_boolean
+k5_etypes_contains(const krb5_enctype *list, krb5_enctype etype)
+{
+ size_t i;
+
+ for (i = 0; list[i] && list[i] != etype; i++);
+ return (list[i] == etype);
+}
-/* Return true if search_for is in etype_list. */
-static krb5_boolean
-check_etypes_have(krb5_enctype *etype_list, krb5_enctype search_for)
+/* Move the entries in keytab_list (zero-terminated) to the front of req_list
+ * (of length req_len), preserving order otherwise. */
+static krb5_error_code
+sort_enctypes(krb5_enctype *req_list, int req_len, krb5_enctype *keytab_list)
{
- int i;
-
- if (!etype_list)
- return FALSE;
-
- for (i = 0; etype_list[i] != 0; i++) {
- if (etype_list[i] == search_for)
- return TRUE;
+ krb5_enctype *save_list;
+ int save_pos, req_pos, i;
+
+ save_list = malloc(req_len * sizeof(*save_list));
+ if (save_list == NULL)
+ return ENOMEM;
+
+ /* Sort req_list entries into the front of req_list or into save_list. */
+ req_pos = save_pos = 0;
+ for (i = 0; i < req_len; i++) {
+ if (k5_etypes_contains(keytab_list, req_list[i]))
+ req_list[req_pos++] = req_list[i];
+ else
+ save_list[save_pos++] = req_list[i];
}
- return FALSE;
+ /* Put the entries we saved back in at the end, in order. */
+ for (i = 0; i < save_pos; i++)
+ req_list[req_pos++] = save_list[i];
+ assert(req_pos == req_len);
+
+ free(save_list);
+ return 0;
}
krb5_error_code KRB5_CALLCONV
@@ -166,7 +179,6 @@ krb5_init_creds_set_keytab(krb5_context context,
{
krb5_enctype *etype_list;
krb5_error_code ret;
- int i, j;
char *name;
ctx->gak_fct = get_as_key_keytab;
@@ -178,21 +190,10 @@ krb5_init_creds_set_keytab(krb5_context context,
TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(context, ret);
return 0;
}
-
TRACE_INIT_CREDS_KEYTAB_LOOKUP(context, etype_list);
- /* Filter the ktypes list based on what's in the keytab */
- for (i = 0, j = 0; i < ctx->request->nktypes; i++) {
- if (check_etypes_have(etype_list, ctx->request->ktype[i])) {
- ctx->request->ktype[j] = ctx->request->ktype[i];
- j++;
- }
- }
- ctx->request->nktypes = j;
- free(etype_list);
-
- /* Error out now if there's no overlap. */
- if (ctx->request->nktypes == 0) {
+ /* Error out if we have no keys for the client principal. */
+ if (etype_list == NULL) {
ret = krb5_unparse_name(context, ctx->request->client, &name);
if (ret == 0) {
krb5_set_error_message(context, KRB5_KT_NOTFOUND,
@@ -203,6 +204,9 @@ krb5_init_creds_set_keytab(krb5_context context,
return KRB5_KT_NOTFOUND;
}
+ /* Sort the request enctypes so the ones in the keytab appear first. */
+ sort_enctypes(ctx->request->ktype, ctx->request->nktypes, etype_list);
+ free(etype_list);
return 0;
}
commit 7266becb5590fdf5b10463fe22bfd67650e24975
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Jul 2 12:49:22 2012 -0400
Check sort_enctypes return value in gic_keytab
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 49e5023..38051db 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -205,9 +205,10 @@ krb5_init_creds_set_keytab(krb5_context context,
}
/* Sort the request enctypes so the ones in the keytab appear first. */
- sort_enctypes(ctx->request->ktype, ctx->request->nktypes, etype_list);
+ ret = sort_enctypes(ctx->request->ktype, ctx->request->nktypes,
+ etype_list);
free(etype_list);
- return 0;
+ return ret;
}
static krb5_error_code

9
krb5.spec
View File

@ -83,6 +83,8 @@ Patch106: krb5-1.10.2-keytab-etype.patch
Patch107: krb5-trunk-pkinit-anchorsign.patch
Patch108: krb5-1.10.2-replay.patch
Patch109: krb5-1.10.3-as_rep_skew.patch
Patch110: krb5-1.10.3-keytab-etype-corners-prep.patch
Patch111: krb5-1.10.3-keytab-etype-corners.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -278,6 +280,8 @@ ln -s NOTICE LICENSE
%patch107 -p1 -b .pkinit-anchorsign
%patch108 -p1 -b .replay
%patch109 -p1 -b .as_rep_skew
%patch110 -p1 -b .keytab-etype-corners-prep
%patch111 -p1 -b .keytab-etype-corners
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@ -852,6 +856,11 @@ exit 0
- pull up patch for RT#7063, in which not noticing a prompt for a long
time throws the client library's idea of the time difference between it
and the KDC really far out of whack (#773496)
- add a backport of more patches to set the client's list of supported enctypes
when using a keytab to be the list of types of keys in the keytab, plus the
list of other types the client supports but for which it doesn't have keys,
in that order, so that KDCs have a better chance of being able to issue
tickets with session keys of types that the client can use (#837855)
* Thu Sep 6 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-4
- cut down the number of times we load SELinux labeling configuration from