Ignore bad enctypes in krb5_string_to_keysalts()

Robbie Harwood 2020-07-15 16:30:20 -04:00
parent da1e8dbb3f
commit b1b925635d
2 changed files with 36 additions and 1 deletions

@ -0,0 +1,31 @@
From f9c314847c999727679a9e8ad4fb565001e47fd2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 15 Jul 2020 15:42:20 -0400
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
Fixes a problem where the presence of legacy/unrecognized keysalts in
supported_enctypes would prevent the kadmin programs from starting.
(cherry picked from commit 860b411d441e4a486f6714762605c42997b8946a)
---
src/lib/kadm5/str_conv.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
index 7cf51d316..0abfa845c 100644
--- a/src/lib/kadm5/str_conv.c
+++ b/src/lib/kadm5/str_conv.c
@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps,
while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) {
/* Pass a null pointer to subsequent calls to strtok_r(). */
p = NULL;
- ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype);
- if (ret)
- goto cleanup;
+
+ /* Discard unrecognized keysalts. */
+ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype))
+ continue;
/* Ignore duplicate keysalts if caller asks. */
if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype))
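
Review bot: The `continue` taken when `string_to_keysalt()` fails drops the entry with no diagnostic, so a mistyped enctype in supported_enctypes now disappears silently instead of stopping startup. Because the return value is no longer kept in `ret`, any nonzero result is treated as "unrecognized", and nothing in these lines tells the administrator which `ksp` token was skipped; the effective keysalt list can end up smaller than the one written in the configuration. Consider logging the rejected token before continuing, and deciding explicitly what should happen when every tuple is discarded, which the visible lines do not cover. The diffstat lists only str_conv.c, so a test with a mixed valid and unrecognized list would also be worth adding.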

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 10%{?dist}
Release: 11%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -68,6 +68,7 @@ Patch29: Add-client_aware_channel_bindings-option.patch
Patch30: Pass-channel-bindings-through-SPNEGO.patch
Patch31: Add-channel-bindings-tests.patch
Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
Patch33: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -622,6 +623,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Jul 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-11
- Ignore bad enctypes in krb5_string_to_keysalts()
* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10
- Set qualify_shortname empty in default configuration
- Resolves: #1852041
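
Review bot: The new 1.18.2-11 changelog entry has no `Resolves:` line, while the 1.18.2-10 entry below it carries `Resolves: #1852041`. If this fix tracks a bug report, add the reference so the change in how supported_enctypes is parsed can be traced from the package history.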