import UBI krb5-1.18.2-26.el8_9

This commit is contained in:
eabdullin 2023-11-14 22:10:42 +00:00
parent 6d26dc1d96
commit 72f8fad7b9
7 changed files with 153 additions and 22 deletions


@ -1,4 +1,4 @@
From 1159d1e6057b6bc5b2a83bd6c8fc9f5fe38816d8 Mon Sep 17 00:00:00 2001
From bf3e55bcd66c5d35fddadc94fd680bdd57508bce Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Dec 2022 03:05:23 -0500
Subject: [PATCH] Add PAC full checksums
@ -669,5 +669,5 @@ index 4fbdbec052..b0666c3b81 100644
# Get another S4U2Proxy ticket including request-authdata.
realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad'])
--
2.39.1
2.39.2


@ -1,4 +1,4 @@
From d9ba43315f4a3e0fe2af9acbe47413ccb1f69af2 Mon Sep 17 00:00:00 2001
From 48be25aaa27487fcbbba76044083de37211b30e7 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 7 Jan 2022 13:46:24 -0500
Subject: [PATCH] Add PAC ticket signature APIs
@ -836,5 +836,5 @@ index 38d371cb86..7d033acae4 100644
static krb5_error_code
--
2.39.1
2.39.2


@ -1,4 +1,4 @@
From ae7c326c3c074266d8c80d71561494d785172251 Mon Sep 17 00:00:00 2001
From b0372e31b81321a820204450a35c7633caf1b7dd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 14 Jan 2022 02:05:58 -0500
Subject: [PATCH] Factor out PAC checksum verification
@ -254,5 +254,5 @@ index 6eb23d8090..2f6ad4e1df 100644
return ret;
}
--
2.39.1
2.39.2


@ -1,4 +1,4 @@
From 9f3e127806d14b84d40abdfeae8fcd0daa1e6a4f Mon Sep 17 00:00:00 2001
From b6ada496a285a7b350e28c97b53b6f659a9a94b9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 11 Dec 2021 01:25:34 -0500
Subject: [PATCH] Use 14 instead of 9 for unkeyed SHA-1 checksum
@ -180,5 +180,5 @@ index 3ae56c0641..3bff456f8f 100644
pkiDebug("unable to calculate AS REQ checksum\n");
goto cleanup;
--
2.39.1
2.39.2


@ -0,0 +1,126 @@
From 274464a6faaee694c30ae4d1412a8ab516b1a982 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 20 Sep 2023 16:22:06 +0200
Subject: [PATCH] [downstream] Allow to make AD-SIGNEDPATH optional
MIT krb5 1.20 and newer KDCs do generate a minimal PAC instead of
AD-SIGNEDPATH. As a consequence, an evidence ticket generated by an
older KDC would fail to be processed by a newer KDC for a constrained
delegation request.
This commit modifies this behavior to check the AD-SIGNEDPATH whenever
it is present in a TGS-REQ, but do not require it in case a PAC is
provided AND the KDB plugin supports its verification. This is done
regardless to the fact the constrained delegation request is from a
local realm or a cross-realm.
To enable this mechanism, the KDB plugin must set the
"optional_ab_signedpath" string attribute to "true" for the local TGS
principal.
---
src/include/kdb.h | 1 +
src/kdc/kdc_authdata.c | 65 +++++++++++++++++++++++++++++++++---------
2 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index c56947ab81..95d07d0195 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -136,6 +136,7 @@
/* String attribute names recognized by krb5 */
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
+#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
#if !defined(_WIN32)
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 1ebe872467..c0fcccdf21 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -668,6 +668,13 @@ has_pac(krb5_context context, krb5_authdata **authdata)
return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_WIN2K_PAC);
}
+/* Return true if the AD-SIGNEDPATH is present in authorization data. */
+static krb5_boolean
+has_ad_signedpath(krb5_context context, krb5_authdata **authdata)
+{
+ return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_SIGNTICKET);
+}
+
/* Verify AD-SIGNTICKET authdata if we need to, and insert an AD-SIGNEDPATH
* element if we should. */
static krb5_error_code
@@ -680,24 +687,54 @@ handle_signticket(krb5_context context, unsigned int flags,
{
krb5_error_code ret = 0;
krb5_principal *deleg_path = NULL;
- krb5_boolean signed_path = FALSE;
- krb5_boolean s4u2proxy;
+ krb5_boolean s4u2proxy, adsp_present, adsp_optional, adsp_valid = FALSE;
+ char *str;
s4u2proxy = isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
- /* For cross-realm the Windows PAC must have been verified, and it
- * fulfills the same role as the signed path. */
- if (req->msg_type == KRB5_TGS_REQ &&
- (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) ||
- !has_pac(context, enc_tkt_req->authorization_data))) {
- ret = verify_signedpath(context, local_tgt, local_tgt_key, enc_tkt_req,
- &deleg_path, &signed_path);
- if (ret)
- goto cleanup;
+ if (req->msg_type == KRB5_TGS_REQ) {
+ adsp_present = has_ad_signedpath(context,
+ enc_tkt_req->authorization_data);
+
+ /* In case of constained delegation, based on the value of the
+ * "optional_ad_signedpath" string attribute of the local TGS principal:
+ * - "true": in case AD-SIGNEDPATH is absent, the PAC must be present
+ * - "false" or undefined: AD-SIGNEDPATH must be present
+ */
+ if (s4u2proxy && !adsp_present) {
+ ret = krb5_dbe_get_string(context, local_tgt,
+ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
+ &str);
+ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
+ * available here.
+ */
+ adsp_optional = !ret && str && (strncasecmp(str, "true", 4) == 0
+ || strncasecmp(str, "t", 1) == 0
+ || strncasecmp(str, "yes", 3) == 0
+ || strncasecmp(str, "y", 1) == 0
+ || strncasecmp(str, "1", 1) == 0
+ || strncasecmp(str, "on", 2) == 0);
+
+ if (!adsp_optional ||
+ !has_pac(context, enc_tkt_req->authorization_data)) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto cleanup;
+ }
+ }
- if (s4u2proxy && signed_path == FALSE) {
- ret = KRB5KDC_ERR_BADOPTION;
- goto cleanup;
+ /* If AD-SIGNEDPATH is present, verify it */
+ if (adsp_present) {
+ ret = verify_signedpath(context, local_tgt, local_tgt_key,
+ enc_tkt_req, &deleg_path, &adsp_valid);
+ if (ret)
+ goto cleanup;
+
+ /* In case of contrained delegation, if AD-SIGNEDPATH is present, it
+ * has to be valid */
+ if (s4u2proxy && !adsp_valid) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto cleanup;
+ }
}
}
--
2.41.0
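Review bot: The value that krb5_dbe_get_string() returns through `str` in the `s4u2proxy && !adsp_present` branch of handle_signticket is never released in this hunk, and because `str` is declared uninitialized it cannot safely be freed at the cleanup label either; declare `char *str = NULL;` and add `krb5_dbe_free_string(context, str);` immediately after `adsp_optional` is computed. The prefix tests `strncasecmp(str, "t", 1)`, `"y"`, `"1"` and `"on"` accept any attribute value that merely begins with those characters (for example "trash" or "10"), so until _krb5_conf_boolean() is reachable here, whole-token matches such as `strcasecmp(str, "true") == 0 || strcasecmp(str, "yes") == 0` would make the opt-in harder to trigger by a mistyped attribute. The relaxed path only checks that a PAC element is present via has_pac(), whereas the patch description also requires that the KDB plugin be able to verify it; whether that verification runs before handle_signticket is outside this hunk, so a comment naming where the PAC is verified would help the next reader. The two new comments also misspell "constrained" ("constained", "contrained"). handle_signticket's body and its cleanup label continue outside the hunk.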


@ -1,4 +1,4 @@
From 3e40a47cee51fb855c71d425eb572253b6fc41eb Mon Sep 17 00:00:00 2001
From 8ded82fb279198f3fa20fb7c836e77290e7bc6f6 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 24 Mar 2023 16:22:06 +0100
Subject: [PATCH] [downstream] Support PAC full checksum w/o ticket checksum
@ -136,5 +136,5 @@ index 28784ec67c..ac94e0c236 100644
krb5_pac_get_types
krb5_pac_init
--
2.39.2
2.40.1


@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 25%{?dist}
Release: 26%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -94,11 +94,12 @@ Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
Patch149: krb5-krad-larger-attrs.patch
Patch150: krb5-krad-remote.patch
Patch151: Fix-integer-overflows-in-PAC-parsing.patch
Patch152: 0152-Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
Patch153: 0153-Add-PAC-ticket-signature-APIs.patch
Patch154: 0154-Factor-out-PAC-checksum-verification.patch
Patch155: 0155-Add-PAC-full-checksums.patch
Patch156: 0156-downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
Patch152: Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
Patch153: Add-PAC-ticket-signature-APIs.patch
Patch154: Factor-out-PAC-checksum-verification.patch
Patch155: Add-PAC-full-checksums.patch
Patch156: downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
Patch157: downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -709,15 +710,19 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Jun 06 2023 Julien Rische <jrische@redhat.com> - 1.18.2-25
* Wed Sep 27 2023 Julien Rische <jrische@redhat.com> - 1.18.2-26
- Allow to make AD-SIGNEDPATH optional
Resolves: RHEL-10514
* Thu Jul 06 2023 Julien Rische <jrische@redhat.com> - 1.18.2-25
- Bump release number
* Fri Mar 24 2023 Julien Rische <jrische@redhat.com> - 1.18.2-24
- Support PAC with KDC extended signature and without ticket signature
- Resolves: rhbz#2211390
* Wed Jul 05 2023 Julien Rische <jrische@redhat.com> - 1.18.2-24
- Remove downloadable source signature file
- Resolves: rhbz#2219654
* Tue Feb 14 2023 Julien Rische <jrische@redhat.com> - 1.18.2-23
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
* Wed May 31 2023 Julien Rische <jrische@redhat.com> - 1.18.2-23
- Support PAC with KDC extended signature and without ticket signature
- Resolves: rhbz#2169477
* Tue Nov 08 2022 Julien Rische <jrische@redhat.com> - 1.18.2-22