Robbie Harwood
parent
da7614606c
commit
766ee8e989
108
krb5-1.14.4-SNI-HTTP-Host.patch
Normal file
108
krb5-1.14.4-SNI-HTTP-Host.patch
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Mon, 8 Aug 2016 12:38:17 +0200
|
||||||
|
Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
|
||||||
|
|
||||||
|
Some web servers require a Host HTTP header for TLS connections with
|
||||||
|
SNI (server name indicator). It is also required for virtual hosts.
|
||||||
|
|
||||||
|
ticket: 8472 (new)
|
||||||
|
target_version: 1.14-next
|
||||||
|
tags: pullup
|
||||||
|
---
|
||||||
|
src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
|
||||||
|
1 file changed, 13 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
index c85fdba..a2b7359 100644
|
||||||
|
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
@@ -78,6 +78,7 @@
|
||||||
|
#define MAX_PASS 3
|
||||||
|
#define DEFAULT_UDP_PREF_LIMIT 1465
|
||||||
|
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
|
||||||
|
+#define PORT_LENGTH 6 /* decimal repr of UINT16_MAX */
|
||||||
|
|
||||||
|
/* Select state flags. */
|
||||||
|
#define SSF_READ 0x01
|
||||||
|
@@ -138,6 +139,7 @@ struct conn_state {
|
||||||
|
struct {
|
||||||
|
const char *uri_path;
|
||||||
|
const char *servername;
|
||||||
|
+ char port[PORT_LENGTH];
|
||||||
|
char *https_request;
|
||||||
|
k5_tls_handle tls;
|
||||||
|
} http;
|
||||||
|
@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
|
||||||
|
k5_buf_init_dynamic(&buf);
|
||||||
|
uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
|
||||||
|
k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
|
||||||
|
+ k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
|
||||||
|
+ state->http.port);
|
||||||
|
k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
|
||||||
|
k5_buf_add(&buf, "Pragma: no-cache\r\n");
|
||||||
|
k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
|
||||||
|
@@ -673,7 +677,7 @@ static krb5_error_code
|
||||||
|
add_connection(struct conn_state **conns, k5_transport transport,
|
||||||
|
krb5_boolean defer, struct addrinfo *ai, size_t server_index,
|
||||||
|
const krb5_data *realm, const char *hostname,
|
||||||
|
- const char *uri_path, char **udpbufp)
|
||||||
|
+ const char *port, const char *uri_path, char **udpbufp)
|
||||||
|
{
|
||||||
|
struct conn_state *state, **tailptr;
|
||||||
|
|
||||||
|
@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
|
||||||
|
state->service_write = service_tcp_write;
|
||||||
|
state->service_read = service_tcp_read;
|
||||||
|
} else if (transport == HTTPS) {
|
||||||
|
+ assert(hostname != NULL && port != NULL);
|
||||||
|
state->service_connect = service_tcp_connect;
|
||||||
|
state->service_write = service_https_write;
|
||||||
|
state->service_read = service_https_read;
|
||||||
|
state->http.uri_path = uri_path;
|
||||||
|
state->http.servername = hostname;
|
||||||
|
+ strlcpy(state->http.port, port, PORT_LENGTH);
|
||||||
|
} else {
|
||||||
|
state->service_connect = NULL;
|
||||||
|
state->service_write = NULL;
|
||||||
|
@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
struct addrinfo *addrs, *a, hint, ai;
|
||||||
|
krb5_boolean defer;
|
||||||
|
int err, result;
|
||||||
|
- char portbuf[64];
|
||||||
|
+ char portbuf[PORT_LENGTH];
|
||||||
|
|
||||||
|
/* Skip UDP entries if we don't want UDP. */
|
||||||
|
if (strategy == NO_UDP && entry->transport == UDP)
|
||||||
|
@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
ai.ai_addr = (struct sockaddr *)&entry->addr;
|
||||||
|
defer = (entry->transport != transport);
|
||||||
|
return add_connection(conns, entry->transport, defer, &ai, ind, realm,
|
||||||
|
- NULL, entry->uri_path, udpbufp);
|
||||||
|
+ NULL, NULL, entry->uri_path, udpbufp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If the entry has a specified transport, use it. */
|
||||||
|
@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
retval = 0;
|
||||||
|
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
|
||||||
|
retval = add_connection(conns, transport, FALSE, a, ind, realm,
|
||||||
|
- entry->hostname, entry->uri_path, udpbufp);
|
||||||
|
+ entry->hostname, portbuf, entry->uri_path,
|
||||||
|
+ udpbufp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* For TCP_OR_UDP entries, add each address again with the non-preferred
|
||||||
|
@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
|
||||||
|
a->ai_socktype = socktype_for_transport(transport);
|
||||||
|
retval = add_connection(conns, transport, TRUE, a, ind, realm,
|
||||||
|
- entry->hostname, entry->uri_path, udpbufp);
|
||||||
|
+ entry->hostname, portbuf,
|
||||||
|
+ entry->uri_path, udpbufp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
freeaddrinfo(addrs);
|
||||||
|
--
|
||||||
|
2.8.1
|
||||||
|
|
||||||
10
krb5.spec
10
krb5.spec
@ -13,7 +13,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.14.3
|
Version: 1.14.3
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||||
# - The sources below are stored in a lookaside cache. Upload with
|
# - The sources below are stored in a lookaside cache. Upload with
|
||||||
@ -63,6 +63,8 @@ Patch153: krb5-1.14.1-log_file_permissions.patch
|
|||||||
Patch164: krb5-1.15-kdc_send_receive_hooks.patch
|
Patch164: krb5-1.15-kdc_send_receive_hooks.patch
|
||||||
Patch165: krb5-1.15-kdc_hooks_test.patch
|
Patch165: krb5-1.15-kdc_hooks_test.patch
|
||||||
|
|
||||||
|
Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -270,6 +272,8 @@ ln NOTICE LICENSE
|
|||||||
%patch164 -p1 -b .kdc_send_receive_hooks
|
%patch164 -p1 -b .kdc_send_receive_hooks
|
||||||
%patch165 -p1 -b .kdc_hooks_test
|
%patch165 -p1 -b .kdc_hooks_test
|
||||||
|
|
||||||
|
%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
|
||||||
|
|
||||||
# Take the execute bit off of documentation.
|
# Take the execute bit off of documentation.
|
||||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||||
|
|
||||||
@ -738,6 +742,10 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 10 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-4
|
||||||
|
- Fix use of KKDCPP with SNI
|
||||||
|
- Resolves: #1365027
|
||||||
|
|
||||||
* Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3
|
* Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3
|
||||||
- Make krb5-devel depend on libkadm5
|
- Make krb5-devel depend on libkadm5
|
||||||
- Resolves: #1364487
|
- Resolves: #1364487
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user