diff --git a/SOURCES/0155-Add-PAC-full-checksums.patch b/SOURCES/Add-PAC-full-checksums.patch
similarity index 99%
rename from SOURCES/0155-Add-PAC-full-checksums.patch
rename to SOURCES/Add-PAC-full-checksums.patch
index a83a008..d4d69d4 100644
--- a/SOURCES/0155-Add-PAC-full-checksums.patch
+++ b/SOURCES/Add-PAC-full-checksums.patch
@@ -1,4 +1,4 @@
-From 1159d1e6057b6bc5b2a83bd6c8fc9f5fe38816d8 Mon Sep 17 00:00:00 2001
+From bf3e55bcd66c5d35fddadc94fd680bdd57508bce Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 22 Dec 2022 03:05:23 -0500
 Subject: [PATCH] Add PAC full checksums
@@ -669,5 +669,5 @@ index 4fbdbec052..b0666c3b81 100644
 # Get another S4U2Proxy ticket including request-authdata.
 realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad'])
 --
-2.39.1
+2.39.2

diff --git a/SOURCES/0153-Add-PAC-ticket-signature-APIs.patch b/SOURCES/Add-PAC-ticket-signature-APIs.patch
similarity index 99%
rename from SOURCES/0153-Add-PAC-ticket-signature-APIs.patch
rename to SOURCES/Add-PAC-ticket-signature-APIs.patch
index 81df71c..79f69c9 100644
--- a/SOURCES/0153-Add-PAC-ticket-signature-APIs.patch
+++ b/SOURCES/Add-PAC-ticket-signature-APIs.patch
@@ -1,4 +1,4 @@
-From d9ba43315f4a3e0fe2af9acbe47413ccb1f69af2 Mon Sep 17 00:00:00 2001
+From 48be25aaa27487fcbbba76044083de37211b30e7 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Fri, 7 Jan 2022 13:46:24 -0500
 Subject: [PATCH] Add PAC ticket signature APIs
@@ -836,5 +836,5 @@ index 38d371cb86..7d033acae4 100644

 static krb5_error_code
 --
-2.39.1
+2.39.2

diff --git a/SOURCES/0154-Factor-out-PAC-checksum-verification.patch b/SOURCES/Factor-out-PAC-checksum-verification.patch
similarity index 99%
rename from SOURCES/0154-Factor-out-PAC-checksum-verification.patch
rename to SOURCES/Factor-out-PAC-checksum-verification.patch
index 1653853..fa5a21c 100644
--- a/SOURCES/0154-Factor-out-PAC-checksum-verification.patch
+++ b/SOURCES/Factor-out-PAC-checksum-verification.patch
@@ -1,4 +1,4 @@
-From ae7c326c3c074266d8c80d71561494d785172251 Mon Sep 17 00:00:00 2001
+From b0372e31b81321a820204450a35c7633caf1b7dd Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 14 Jan 2022 02:05:58 -0500
 Subject: [PATCH] Factor out PAC checksum verification
@@ -254,5 +254,5 @@ index 6eb23d8090..2f6ad4e1df 100644
 return ret;
 }
 --
-2.39.1
+2.39.2

diff --git a/SOURCES/0152-Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch b/SOURCES/Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
similarity index 99%
rename from SOURCES/0152-Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
rename to SOURCES/Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
index d23f854..4378d39 100644
--- a/SOURCES/0152-Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
+++ b/SOURCES/Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
@@ -1,4 +1,4 @@
-From 9f3e127806d14b84d40abdfeae8fcd0daa1e6a4f Mon Sep 17 00:00:00 2001
+From b6ada496a285a7b350e28c97b53b6f659a9a94b9 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 11 Dec 2021 01:25:34 -0500
 Subject: [PATCH] Use 14 instead of 9 for unkeyed SHA-1 checksum
@@ -180,5 +180,5 @@ index 3ae56c0641..3bff456f8f 100644
 pkiDebug("unable to calculate AS REQ checksum\n");
 goto cleanup;
 --
-2.39.1
+2.39.2

diff --git a/SOURCES/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch b/SOURCES/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
new file mode 100644
index 0000000..6f522cd
--- /dev/null
+++ b/SOURCES/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
@@ -0,0 +1,126 @@
+From 274464a6faaee694c30ae4d1412a8ab516b1a982 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 20 Sep 2023 16:22:06 +0200
+Subject: [PATCH] [downstream] Allow to make AD-SIGNEDPATH optional
+
+MIT krb5 1.20 and newer KDCs do generate a minimal PAC instead of
+AD-SIGNEDPATH. As a consequence, an evidence ticket generated by an
+older KDC would fail to be processed by a newer KDC for a constrained
+delegation request.
+
+This commit modifies this behavior to check the AD-SIGNEDPATH whenever
+it is present in a TGS-REQ, but do not require it in case a PAC is
+provided AND the KDB plugin supports its verification. This is done
+regardless to the fact the constrained delegation request is from a
+local realm or a cross-realm.
+
+To enable this mechanism, the KDB plugin must set the
+"optional_ab_signedpath" string attribute to "true" for the local TGS
+principal.
+---
+ src/include/kdb.h | 1 +
+ src/kdc/kdc_authdata.c | 65 +++++++++++++++++++++++++++++++++---------
+ 2 files changed, 52 insertions(+), 14 deletions(-)
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index c56947ab81..95d07d0195 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -136,6 +136,7 @@
+ /* String attribute names recognized by krb5 */
+ #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
+ #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
++#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
+
+ #if !defined(_WIN32)
+
+diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
+index 1ebe872467..c0fcccdf21 100644
+--- a/src/kdc/kdc_authdata.c
++++ b/src/kdc/kdc_authdata.c
+@@ -668,6 +668,13 @@ has_pac(krb5_context context, krb5_authdata **authdata)
+ return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_WIN2K_PAC);
+ }
+
++/* Return true if the AD-SIGNEDPATH is present in authorization data. */
++static krb5_boolean
++has_ad_signedpath(krb5_context context, krb5_authdata **authdata)
++{
++ return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_SIGNTICKET);
++}
++
+ /* Verify AD-SIGNTICKET authdata if we need to, and insert an AD-SIGNEDPATH
+ * element if we should. */
+ static krb5_error_code
+@@ -680,24 +687,54 @@ handle_signticket(krb5_context context, unsigned int flags,
+ {
+ krb5_error_code ret = 0;
+ krb5_principal *deleg_path = NULL;
+- krb5_boolean signed_path = FALSE;
+- krb5_boolean s4u2proxy;
++ krb5_boolean s4u2proxy, adsp_present, adsp_optional, adsp_valid = FALSE;
++ char *str;
+
+ s4u2proxy = isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
+
+- /* For cross-realm the Windows PAC must have been verified, and it
+- * fulfills the same role as the signed path. */
+- if (req->msg_type == KRB5_TGS_REQ &&
+- (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) ||
+- !has_pac(context, enc_tkt_req->authorization_data))) {
+- ret = verify_signedpath(context, local_tgt, local_tgt_key, enc_tkt_req,
+- &deleg_path, &signed_path);
+- if (ret)
+- goto cleanup;
++ if (req->msg_type == KRB5_TGS_REQ) {
++ adsp_present = has_ad_signedpath(context,
++ enc_tkt_req->authorization_data);
++
++ /* In case of constained delegation, based on the value of the
++ * "optional_ad_signedpath" string attribute of the local TGS principal:
++ * - "true": in case AD-SIGNEDPATH is absent, the PAC must be present
++ * - "false" or undefined: AD-SIGNEDPATH must be present
++ */
++ if (s4u2proxy && !adsp_present) {
++ ret = krb5_dbe_get_string(context, local_tgt,
++ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
++ &str);
++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
++ * available here. */
++ adsp_optional = !ret && str && (strncasecmp(str, "true", 4) == 0
++ || strncasecmp(str, "t", 1) == 0
++ || strncasecmp(str, "yes", 3) == 0
++ || strncasecmp(str, "y", 1) == 0
++ || strncasecmp(str, "1", 1) == 0
++ || strncasecmp(str, "on", 2) == 0);
++
++ if (!adsp_optional ||
++ !has_pac(context, enc_tkt_req->authorization_data)) {
++ ret = KRB5KDC_ERR_BADOPTION;
++ goto cleanup;
++ }
++ }
+
+- if (s4u2proxy && signed_path == FALSE) {
+- ret = KRB5KDC_ERR_BADOPTION;
+- goto cleanup;
++ /* If AD-SIGNEDPATH is present, verify it */
++ if (adsp_present) {
++ ret = verify_signedpath(context, local_tgt, local_tgt_key,
++ enc_tkt_req, &deleg_path, &adsp_valid);
++ if (ret)
++ goto cleanup;
++
++ /* In case of contrained delegation, if AD-SIGNEDPATH is present, it
++ * has to be valid */
++ if (s4u2proxy && !adsp_valid) {
++ ret = KRB5KDC_ERR_BADOPTION;
++ goto cleanup;
++ }
+ }
+ }
+
+--
+2.41.0
+
diff --git a/SOURCES/0156-downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch b/SOURCES/downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
similarity index 98%
rename from SOURCES/0156-downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
rename to SOURCES/downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
index 84ca96c..0d5b894 100644
--- a/SOURCES/0156-downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
+++ b/SOURCES/downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
@@ -1,4 +1,4 @@
-From 3e40a47cee51fb855c71d425eb572253b6fc41eb Mon Sep 17 00:00:00 2001
+From 8ded82fb279198f3fa20fb7c836e77290e7bc6f6 Mon Sep 17 00:00:00 2001
 From: Julien Rische
 Date: Fri, 24 Mar 2023 16:22:06 +0100
 Subject: [PATCH] [downstream] Support PAC full checksum w/o ticket checksum
@@ -136,5 +136,5 @@ index 28784ec67c..ac94e0c236 100644
 krb5_pac_get_types
 krb5_pac_init
 --
-2.39.2
+2.40.1

diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index e45c8f2..df62543 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
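Review bot: The string that krb5_dbe_get_string() returns into `str` is never released, so every constrained-delegation TGS-REQ that lacks AD-SIGNEDPATH leaks a small allocation in the KDC; declare it as `char *str = NULL;` and call `krb5_dbe_free_string(context, str);` once `adsp_optional` has been computed. The strncasecmp() prefix tests also accept any attribute value that merely starts with t, y, 1 or on (a value like "tomorrow" would count as true), which widens the opt-out of the signed-path requirement beyond the "true" the comment documents; exact strcasecmp() comparisons, as sketched below, keep the TODO's intent without needing _krb5_conf_boolean(). The relaxation only tests has_pac(), i.e. PAC presence, while the commit message conditions it on the KDB plugin being able to verify the PAC; whether verification has already happened by the time handle_signticket() runs is not visible in this hunk, so that precondition should be stated in the comment above the `if (s4u2proxy && !adsp_present)` block. The commit message also names the attribute "optional_ab_signedpath" whereas the macro defines "optional_ad_signedpath", and the new comments spell "constained" and "contrained". The rest of handle_signticket(), including the cleanup label the gotos target, lies outside the hunk.
```c
        if (s4u2proxy && !adsp_present) {
            ret = krb5_dbe_get_string(context, local_tgt,
                                      KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
                                      &str);
            /* Exact, case-insensitive match only; a prefix match would let
             * unrelated values enable the relaxation. */
            adsp_optional = !ret && str != NULL &&
                (strcasecmp(str, "true") == 0 || strcasecmp(str, "t") == 0 ||
                 strcasecmp(str, "yes") == 0 || strcasecmp(str, "y") == 0 ||
                 strcasecmp(str, "1") == 0 || strcasecmp(str, "on") == 0);
            krb5_dbe_free_string(context, str);
            str = NULL;
            /* ... unchanged: KRB5KDC_ERR_BADOPTION when not optional or no PAC ... */
        }
```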
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 25%{?dist}
+Release: 26%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -94,11 +94,12 @@ Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
 Patch149: krb5-krad-larger-attrs.patch
 Patch150: krb5-krad-remote.patch
 Patch151: Fix-integer-overflows-in-PAC-parsing.patch
-Patch152: 0152-Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
-Patch153: 0153-Add-PAC-ticket-signature-APIs.patch
-Patch154: 0154-Factor-out-PAC-checksum-verification.patch
-Patch155: 0155-Add-PAC-full-checksums.patch
-Patch156: 0156-downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
+Patch152: Use-14-instead-of-9-for-unkeyed-SHA-1-checksum.patch
+Patch153: Add-PAC-ticket-signature-APIs.patch
+Patch154: Factor-out-PAC-checksum-verification.patch
+Patch155: Add-PAC-full-checksums.patch
+Patch156: downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
+Patch157: downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -709,15 +710,19 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
-* Tue Jun 06 2023 Julien Rische - 1.18.2-25
+* Wed Sep 27 2023 Julien Rische - 1.18.2-26
+- Allow to make AD-SIGNEDPATH optional
+ Resolves: RHEL-10514
+
+* Thu Jul 06 2023 Julien Rische - 1.18.2-25
 - Bump release number

-* Fri Mar 24 2023 Julien Rische - 1.18.2-24
-- Support PAC with KDC extended signature and without ticket signature
-- Resolves: rhbz#2211390
+* Wed Jul 05 2023 Julien Rische - 1.18.2-24
+- Remove downloadable source signature file
+- Resolves: rhbz#2219654

-* Tue Feb 14 2023 Julien Rische - 1.18.2-23
-- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
+* Wed May 31 2023 Julien Rische - 1.18.2-23
+- Support PAC with KDC extended signature and without ticket signature
 - Resolves: rhbz#2169477

 * Tue Nov 08 2022 Julien Rische - 1.18.2-22