Omit KDC indicator check for S4U2Self requests

2020-05-08 14:14:22 -04:00 · 2020-05-08 14:14:22 -04:00 · a9ccd6fd57
commit a9ccd6fd57
parent 19d5d2e504
2 changed files with 53 additions and 1 deletions
--- a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
+++ b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
@ -0,0 +1,48 @@
+From 442f1fa5b2e4034954a51048414cc0863b914379 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 6 May 2020 16:03:13 -0400
+Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
+
+As there was no initial ticket exchange from the client for an
+S4U2Self request, the auth indicator check is inapplicable (and would
+always fail if any auth indicators are required).
+
+ticket: 8902 (new)
+(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465)
+---
+ src/kdc/do_tgs_req.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 241f34e2a..463a9c0dd 100644
+--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
+@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+     }
+     authtime = subject_tkt->times.authtime;
+ 
+-    /* Extract auth indicators from the subject ticket, except for S4U2Self
+-     * requests (where the client didn't authenticate). */
+    /* Extract and check auth indicators from the subject ticket, except for
+     * S4U2Self requests (where the client didn't authenticate). */
+     if (s4u_x509_user == NULL) {
+         errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+                                       &local_tgt_key, &auth_indicators);
+@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+             status = "GET_AUTH_INDICATORS";
+             goto cleanup;
+         }
+-    }
+ 
+-    errcode = check_indicators(kdc_context, server, auth_indicators);
+-    if (errcode) {
+-        status = "HIGHER_AUTHENTICATION_REQUIRED";
+-        goto cleanup;
+        errcode = check_indicators(kdc_context, server, auth_indicators);
+        if (errcode) {
+            status = "HIGHER_AUTHENTICATION_REQUIRED";
+            goto cleanup;
+        }
+     }
+ 
+     if (is_referral)
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 3%{?dist}
+Release: 4%{?dist}

 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -57,6 +57,7 @@ Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
 Patch15: Correctly-import-service-GSS-host-based-name.patch
 Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
 Patch17: Pass-gss_localname-through-SPNEGO.patch
+Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -629,6 +630,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Fri May 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-4
+- Omit KDC indicator check for S4U2Self requests
+
 * Tue Apr 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-3
 - Pass gss_localname() through SPNEGO