backport patch from RT#7229

- backport patch to disable replay detection in krb5_verify_init_creds() while reading the AP-REQ that's generated in the same function (RT#7229)
2012-08-30 14:22:23 -04:00 · 2012-08-30 14:22:23 -04:00 · 7f06579f48
commit 7f06579f48
parent ec0380bcae
3 changed files with 55 additions and 1 deletions
--- a/krb5-1.10.2-replay.patch
+++ b/krb5-1.10.2-replay.patch
@ -0,0 +1,17 @@
 Backport from ticket 7229.
 --- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
 +++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont
         authcon = NULL;
     }
 +    /* Build an auth context that won't bother with replay checks -- it's
 +     * not as if we're going to mount a replay attack on ourselves here. */
 +    if (ret = krb5_auth_con_init(context, &authcon))
 +        goto cleanup;
 +    if (ret = krb5_auth_con_setflags(context, authcon, 0))
 +        goto cleanup;
 +
     /* verify the ap_req */
     if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
--- a/krb5.spec
+++ b/krb5.spec
@ -29,7 +29,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -81,6 +81,7 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
 Patch108: krb5-1.10.2-replay.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -269,6 +270,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
 %patch108 -p1 -b .replay
 rm src/lib/krb5/krb/deltat.c
 gzip doc/*.ps
@ -837,6 +839,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
 * Thu Aug 30 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-3
 - backport patch to disable replay detection in krb5_verify_init_creds()
  while reading the AP-REQ that's generated in the same function (RT#7229)
 * Thu Aug 30 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-2
 - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
 - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
--- a/replay.patch
+++ b/replay.patch
@ -0,0 +1,31 @@
 commit f1783431cb8f146095067f5e2531e9155a8787bb
 Author: Nalin Dahyabhai <nalin@dahyabhai.net>
 Date:   Wed Apr 18 14:01:39 2012 -0400
    Turn off replay cache in krb5_verify_init_creds()
    The library isn't attempting a replay attack on itself, so any detected
    replays are only going to be false-positives.
    ticket: 7229 (new)
 diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
 index 14acb0a..e88a37f 100644
 --- a/src/lib/krb5/krb/vfy_increds.c
 +++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         authcon = NULL;
     }
 +    /* Build an auth context that won't bother with replay checks -- it's
 +     * not as if we're going to mount a replay attack on ourselves here. */
 +    ret = krb5_auth_con_init(context, &authcon);
 +    if (ret)
 +        goto cleanup;
 +    ret = krb5_auth_con_setflags(context, authcon, 0);
 +    if (ret)
 +        goto cleanup;
 +
     /* Verify the ap_req. */
     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
     if (ret)