From a9ccd6fd5703d21eecd044c5b984daa5a2441770 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 8 May 2020 14:14:22 -0400 Subject: [PATCH] Omit KDC indicator check for S4U2Self requests --- ...ndicator-check-for-S4U2Self-requests.patch | 48 +++++++++++++++++++ krb5.spec | 6 ++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 Omit-KDC-indicator-check-for-S4U2Self-requests.patch diff --git a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch new file mode 100644 index 0000000..b1b1908 --- /dev/null +++ b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch @@ -0,0 +1,48 @@ +From 442f1fa5b2e4034954a51048414cc0863b914379 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 6 May 2020 16:03:13 -0400 +Subject: [PATCH] Omit KDC indicator check for S4U2Self requests + +As there was no initial ticket exchange from the client for an +S4U2Self request, the auth indicator check is inapplicable (and would +always fail if any auth indicators are required). + +ticket: 8902 (new) +(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465) +--- + src/kdc/do_tgs_req.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 241f34e2a..463a9c0dd 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, + } + authtime = subject_tkt->times.authtime; + +- /* Extract auth indicators from the subject ticket, except for S4U2Self +- * requests (where the client didn't authenticate). */ ++ /* Extract and check auth indicators from the subject ticket, except for ++ * S4U2Self requests (where the client didn't authenticate). */ + if (s4u_x509_user == NULL) { + errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt, + &local_tgt_key, &auth_indicators); +@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, + status = "GET_AUTH_INDICATORS"; + goto cleanup; + } +- } + +- errcode = check_indicators(kdc_context, server, auth_indicators); +- if (errcode) { +- status = "HIGHER_AUTHENTICATION_REQUIRED"; +- goto cleanup; ++ errcode = check_indicators(kdc_context, server, auth_indicators); ++ if (errcode) { ++ status = "HIGHER_AUTHENTICATION_REQUIRED"; ++ goto cleanup; ++ } + } + + if (is_referral) diff --git a/krb5.spec b/krb5.spec index 03bfa71..23dcee4 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.1 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 3%{?dist} +Release: 4%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -57,6 +57,7 @@ Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch Patch15: Correctly-import-service-GSS-host-based-name.patch Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch Patch17: Pass-gss_localname-through-SPNEGO.patch +Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -629,6 +630,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri May 08 2020 Robbie Harwood - 1.18.1-4 +- Omit KDC indicator check for S4U2Self requests + * Tue Apr 28 2020 Robbie Harwood - 1.18.1-3 - Pass gss_localname() through SPNEGO