backport patch from RT#7229

- backport patch to disable replay detection in krb5_verify_init_creds() while reading the AP-REQ that's generated in the same function (RT#7229)
2012-08-30 14:22:23 -04:00 · 2012-08-30 14:22:23 -04:00 · 7f06579f48
commit 7f06579f48
parent ec0380bcae
3 changed files with 55 additions and 1 deletions
--- a/krb5-1.10.2-replay.patch
+++ b/krb5-1.10.2-replay.patch
@ -0,0 +1,17 @@
+Backport from ticket 7229.
+--- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
+++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
+@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont
+         authcon = NULL;
+     }
+ 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    if (ret = krb5_auth_con_init(context, &authcon))
+        goto cleanup;
+    if (ret = krb5_auth_con_setflags(context, authcon, 0))
+        goto cleanup;
+
+     /* verify the ap_req */
+ 
+     if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
--- a/krb5.spec
+++ b/krb5.spec
@ -29,7 +29,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -81,6 +81,7 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
+Patch108: krb5-1.10.2-replay.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -269,6 +270,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
+%patch108 -p1 -b .replay
 rm src/lib/krb5/krb/deltat.c

 gzip doc/*.ps
@ -837,6 +839,10 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Thu Aug 30 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-3
+- backport patch to disable replay detection in krb5_verify_init_creds()
+  while reading the AP-REQ that's generated in the same function (RT#7229)
+
 * Thu Aug 30 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-2
 - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
 - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
--- a/replay.patch
+++ b/replay.patch
@ -0,0 +1,31 @@
+commit f1783431cb8f146095067f5e2531e9155a8787bb
+Author: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date:   Wed Apr 18 14:01:39 2012 -0400
+
+    Turn off replay cache in krb5_verify_init_creds()
+    
+    The library isn't attempting a replay attack on itself, so any detected
+    replays are only going to be false-positives.
+    
+    ticket: 7229 (new)
+
+diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
+index 14acb0a..e88a37f 100644
+--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
+@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
+         authcon = NULL;
+     }
+ 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    ret = krb5_auth_con_init(context, &authcon);
+    if (ret)
+        goto cleanup;
+    ret = krb5_auth_con_setflags(context, authcon, 0);
+    if (ret)
+        goto cleanup;
+
+     /* Verify the ap_req. */
+     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
+     if (ret)