diff --git a/krb5-1.10.2-replay.patch b/krb5-1.10.2-replay.patch new file mode 100644 index 0000000..d6dfff0 --- /dev/null +++ b/krb5-1.10.2-replay.patch @@ -0,0 +1,17 @@ +Backport from ticket 7229. +--- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c ++++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c +@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont + authcon = NULL; + } + ++ /* Build an auth context that won't bother with replay checks -- it's ++ * not as if we're going to mount a replay attack on ourselves here. */ ++ if (ret = krb5_auth_con_init(context, &authcon)) ++ goto cleanup; ++ if (ret = krb5_auth_con_setflags(context, authcon, 0)) ++ goto cleanup; ++ + /* verify the ap_req */ + + if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, diff --git a/krb5.spec b/krb5.spec index ef3aa61..812cd1f 100644 --- a/krb5.spec +++ b/krb5.spec @@ -29,7 +29,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.3 -Release: 2%{?dist} +Release: 3%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -81,6 +81,7 @@ Patch103: krb5-1.10-gcc47.patch Patch105: krb5-kvno-230379.patch Patch106: krb5-1.10.2-keytab-etype.patch Patch107: krb5-trunk-pkinit-anchorsign.patch +Patch108: krb5-1.10.2-replay.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -269,6 +270,7 @@ ln -s NOTICE LICENSE %patch105 -p1 -b .kvno %patch106 -p1 -b .keytab-etype %patch107 -p1 -b .pkinit-anchorsign +%patch108 -p1 -b .replay rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -837,6 +839,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-3 +- backport patch to disable replay detection in krb5_verify_init_creds() + while reading the AP-REQ that's generated in the same function (RT#7229) + * Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-2 - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6 - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename diff --git a/replay.patch b/replay.patch new file mode 100644 index 0000000..193f139 --- /dev/null +++ b/replay.patch @@ -0,0 +1,31 @@ +commit f1783431cb8f146095067f5e2531e9155a8787bb +Author: Nalin Dahyabhai +Date: Wed Apr 18 14:01:39 2012 -0400 + + Turn off replay cache in krb5_verify_init_creds() + + The library isn't attempting a replay attack on itself, so any detected + replays are only going to be false-positives. + + ticket: 7229 (new) + +diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c +index 14acb0a..e88a37f 100644 +--- a/src/lib/krb5/krb/vfy_increds.c ++++ b/src/lib/krb5/krb/vfy_increds.c +@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server, + authcon = NULL; + } + ++ /* Build an auth context that won't bother with replay checks -- it's ++ * not as if we're going to mount a replay attack on ourselves here. */ ++ ret = krb5_auth_con_init(context, &authcon); ++ if (ret) ++ goto cleanup; ++ ret = krb5_auth_con_setflags(context, authcon, 0); ++ if (ret) ++ goto cleanup; ++ + /* Verify the ap_req. */ + ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL); + if (ret)