Fix use of enterprise principals with forwarding

2017-04-07 16:12:58 +00:00 · 2017-04-07 16:12:58 +00:00 · 82cabae196
commit 82cabae196
parent 0dc40d929f
3 changed files with 93 additions and 1 deletions
--- a/Add-the-client_name-kdcpreauth-callback.patch
+++ b/Add-the-client_name-kdcpreauth-callback.patch
@ -0,0 +1,58 @@
+From 5d560c28ff46b04013ab64dc51a7d912d38b01de Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Tue, 4 Apr 2017 16:54:56 -0400
+Subject: [PATCH] Add the client_name() kdcpreauth callback
+
+Add a kdcpreauth callback to returns the canonicalized client principal.
+
+ticket: 8570 (new)
+(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
+---
+ src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
+ src/kdc/kdc_preauth.c                | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
+index 92aa5a5a5..fa4436b83 100644
+--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
+@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
+                                  krb5_kdcpreauth_rock rock,
+                                  krb5_principal princ);
+ 
+    /*
+     * Get an alias to the client DB entry principal (possibly canonicalized).
+     */
+    krb5_principal (*client_name)(krb5_context context,
+                                  krb5_kdcpreauth_rock rock);
+
+     /* End of version 4 kdcpreauth callbacks. */
+ 
+ } *krb5_kdcpreauth_callbacks;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 0ce79c667..81d0b8cff 100644
+--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
+@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
+     return match;
+ }
+ 
+static krb5_principal
+client_name(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+    return rock->client->princ;
+}
+
+ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+     4,
+     max_time_skew,
+@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+     add_auth_indicator,
+     get_cookie,
+     set_cookie,
+-    match_client
+    match_client,
+    client_name
+ };
+ 
+ static krb5_error_code
--- a/Use-the-canonical-client-principal-name-for-OTP.patch
+++ b/Use-the-canonical-client-principal-name-for-OTP.patch
@ -0,0 +1,29 @@
+From ca74a8a49f4a05c0b602c9dc473fd16fe71847fd Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Wed, 5 Apr 2017 16:48:55 -0400
+Subject: [PATCH] Use the canonical client principal name for OTP
+
+In the OTP module, when constructing the RADIUS request, use the
+canonicalized client principal (using the new client_name kdcpreauth
+callback) instead of the request client principal.
+
+ticket: 8571 (new)
+(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
+---
+ src/plugins/preauth/otp/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
+index 2649e9a90..a1b681682 100644
+--- a/src/plugins/preauth/otp/main.c
+++ b/src/plugins/preauth/otp/main.c
+@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ 
+     /* Send the request. */
+     otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
+-                     request->client, config, req, on_response, rs);
+                     cb->client_name(context, rock), config, req, on_response,
+                     rs);
+     cb->free_string(context, rock, config);
+ 
+     k5_free_pa_otp_req(context, req);
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 3%{?dist}
+Release: 4%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@ -69,6 +69,8 @@ Patch18: Add-test-cert-generation-to-make-certs.sh.patch
 Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
 Patch20: Deindent-crypto_retrieve_X509_sans.patch
 Patch21: Add-certauth-pluggable-interface.patch
+Patch22: Add-the-client_name-kdcpreauth-callback.patch
+Patch23: Use-the-canonical-client-principal-name-for-OTP.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -719,6 +721,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4
+- Fix use of enterprise principals with forwarding
+
 * Wed Mar 22 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-3
 - Backport certauth plugin and related pkinit changes