Fix use of KKDCPP with SNI

Resolves: #1365027

krb5-1.14.4-SNI-HTTP-Host.patch

@@ -0,0 +1,108 @@
+From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 8 Aug 2016 12:38:17 +0200
+Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
+
+Some web servers require a Host HTTP header for TLS connections with
+SNI (server name indicator).  It is also required for virtual hosts.
+
+ticket: 8472 (new)
+target_version: 1.14-next
+tags: pullup
+---
+ src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index c85fdba..a2b7359 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -78,6 +78,7 @@
+ #define MAX_PASS                    3
+ #define DEFAULT_UDP_PREF_LIMIT   1465
+ #define HARD_UDP_LIMIT          32700 /* could probably do 64K-epsilon ? */
++#define PORT_LENGTH                 6 /* decimal repr of UINT16_MAX */
+ 
+ /* Select state flags.  */
+ #define SSF_READ 0x01
+@@ -138,6 +139,7 @@ struct conn_state {
+     struct {
+         const char *uri_path;
+         const char *servername;
++        char port[PORT_LENGTH];
+         char *https_request;
+         k5_tls_handle tls;
+     } http;
+@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
+     k5_buf_init_dynamic(&buf);
+     uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
+     k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
++    k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
++                   state->http.port);
+     k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
+     k5_buf_add(&buf, "Pragma: no-cache\r\n");
+     k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
+@@ -673,7 +677,7 @@ static krb5_error_code
+ add_connection(struct conn_state **conns, k5_transport transport,
+                krb5_boolean defer, struct addrinfo *ai, size_t server_index,
+                const krb5_data *realm, const char *hostname,
+-               const char *uri_path, char **udpbufp)
++               const char *port, const char *uri_path, char **udpbufp)
+ {
+     struct conn_state *state, **tailptr;
+ 
+@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
+         state->service_write = service_tcp_write;
+         state->service_read = service_tcp_read;
+     } else if (transport == HTTPS) {
++        assert(hostname != NULL && port != NULL);
+         state->service_connect = service_tcp_connect;
+         state->service_write = service_https_write;
+         state->service_read = service_https_read;
+         state->http.uri_path = uri_path;
+         state->http.servername = hostname;
++        strlcpy(state->http.port, port, PORT_LENGTH);
+     } else {
+         state->service_connect = NULL;
+         state->service_write = NULL;
+@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     struct addrinfo *addrs, *a, hint, ai;
+     krb5_boolean defer;
+     int err, result;
+-    char portbuf[64];
++    char portbuf[PORT_LENGTH];
+ 
+     /* Skip UDP entries if we don't want UDP. */
+     if (strategy == NO_UDP && entry->transport == UDP)
+@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+         ai.ai_addr = (struct sockaddr *)&entry->addr;
+         defer = (entry->transport != transport);
+         return add_connection(conns, entry->transport, defer, &ai, ind, realm,
+-                              NULL, entry->uri_path, udpbufp);
++                              NULL, NULL, entry->uri_path, udpbufp);
+     }
+ 
+     /* If the entry has a specified transport, use it. */
+@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     retval = 0;
+     for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+         retval = add_connection(conns, transport, FALSE, a, ind, realm,
+-                                entry->hostname, entry->uri_path, udpbufp);
++                                entry->hostname, portbuf, entry->uri_path,
++                                udpbufp);
+     }
+ 
+     /* For TCP_OR_UDP entries, add each address again with the non-preferred
+@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
+         for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+             a->ai_socktype = socktype_for_transport(transport);
+             retval = add_connection(conns, transport, TRUE, a, ind, realm,
+-                                    entry->hostname, entry->uri_path, udpbufp);
++                                    entry->hostname, portbuf,
++                                    entry->uri_path, udpbufp);
+         }
+     }
+     freeaddrinfo(addrs);
+-- 
+2.8.1
+

krb5.spec

@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -63,6 +63,8 @@ Patch153: krb5-1.14.1-log_file_permissions.patch
 Patch164: krb5-1.15-kdc_send_receive_hooks.patch
 Patch165: krb5-1.15-kdc_hooks_test.patch
 
+Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -270,6 +272,8 @@ ln NOTICE LICENSE
 %patch164 -p1 -b .kdc_send_receive_hooks
 %patch165 -p1 -b .kdc_hooks_test
 
+%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
 
@@ -738,6 +742,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Aug 10 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-4
+- Fix use of KKDCPP with SNI
+- Resolves: #1365027
+
 * Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3
 - Make krb5-devel depend on libkadm5
 - Resolves: #1364487