Fix several fallback canonicalization problems

Resolves: #1967505
2021-06-17 17:47:21 -04:00 · 2021-06-17 17:47:21 -04:00 · bbae1053b5
commit bbae1053b5
parent b99dafad10
5 changed files with 1983 additions and 1 deletions
--- a/Allow-kinit-with-keytab-to-defer-canonicalization.patch
+++ b/Allow-kinit-with-keytab-to-defer-canonicalization.patch
@ -0,0 +1,61 @@
+From 1bc00e294cddd2061012c50d78eaf65ae06146bb Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 3 Jun 2021 16:03:07 -0400
+Subject: [PATCH] Allow kinit with keytab to defer canonicalization
+
+[ghudson@mit.edu: added tests]
+
+ticket: 9012 (new)
+(cherry picked from commit 5e6a6efc5df689d9fb8730d0227167ffbb6ece0e)
+(cherry picked from commit 090c7319652466339e3e6482bdd1b5a294638dff)
+---
+ src/clients/kinit/kinit.c | 11 -----------
+ src/tests/t_keytab.py     | 13 +++++++++++++
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+index d1f5d74c3..5a6d7237c 100644
+--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
+@@ -510,17 +510,6 @@ k5_begin(struct k_opts *opts, struct k5_data *k5)
+                     _("when creating default server principal name"));
+             goto cleanup;
+         }
+-        if (k5->me->realm.data[0] == 0) {
+-            ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+-            if (ret == 0) {
+-                com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
+-                        _("(principal %s)"), k5->name);
+-            } else {
+-                com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
+-                        _("for local services"));
+-            }
+-            goto cleanup;
+-        }
+     } else if (k5->out_cc != NULL) {
+         /* If the output ccache is initialized, use its principal. */
+         if (krb5_cc_get_principal(k5->ctx, k5->out_cc, &princ) == 0)
+diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
+index 850375c92..a9adebb26 100755
+--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
+@@ -41,6 +41,19 @@ realm.kinit(realm.user_princ, flags=['-i'],
+             expected_msg='keytab specified, forcing -k')
+ realm.klist(realm.user_princ)
+ 
+# Test default principal for -k.  This operation requires
+# canonicalization against the keytab in krb5_get_init_creds_keytab()
+# as the krb5_sname_to_principal() result won't have a realm.  Try
+# with and without without fallback processing since the code paths
+# are different.
+mark('default principal for -k')
+realm.run([kinit, '-k'])
+realm.klist(realm.host_princ)
+no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
+no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
+realm.run([kinit, '-k'], env=no_canon)
+realm.klist(realm.host_princ)
+
+ # Test extracting keys with multiple key versions present.
+ mark('multi-kvno extract')
+ os.remove(realm.keytab)
--- a/Fix-kadmin-k-with-fallback-or-referral-realm.patch
+++ b/Fix-kadmin-k-with-fallback-or-referral-realm.patch
@ -0,0 +1,65 @@
+From da276b30dacda8a96a98213e8293f484e8f4ae21 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 7 Jun 2021 15:00:41 -0400
+Subject: [PATCH] Fix kadmin -k with fallback or referral realm
+
+kadmin -k produces a client principal name with
+krb5_sname_to_principal(), but it gets converted to a string and back
+due to the signature of kadm5_init_with_skey(), which loses track of
+the name type, so no canonicalization is performed.
+
+In libkadm5clnt initialization, recognize the important subset of this
+case--an empty realm indicates either fallback processing or the
+referral realm--and restore the host-based name type so that the
+client principal can be canonicalized against the keytab.
+
+ticket: 9013 (new)
+(cherry picked from commit dcb79089276624d7ddf44e08d35bd6d7d7e557d2)
+(cherry picked from commit cd8ff035f5b4720a8fc457355726f7bd0eab5eaa)
+---
+ src/lib/kadm5/clnt/client_init.c |  7 +++++++
+ src/tests/t_kadmin.py            | 12 ++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
+index aa1223bb3..0aaca701f 100644
+--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
+@@ -221,9 +221,16 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
+         return KADM5_MISSING_KRB5_CONF_PARAMS;
+     }
+ 
+    /*
+     * Parse the client name.  If it has an empty realm, it is almost certainly
+     * a host-based principal using DNS fallback processing or the referral
+     * realm, so give it the appropriate name type for canonicalization.
+     */
+     code = krb5_parse_name(handle->context, client_name, &client);
+     if (code)
+         goto error;
+    if (init_type == INIT_SKEY && client->realm.length == 0)
+        client->type = KRB5_NT_SRV_HST;
+ 
+     /*
+      * Get credentials.  Also does some fallbacks in case kadmin/fqdn
+diff --git a/src/tests/t_kadmin.py b/src/tests/t_kadmin.py
+index fe6a3cc2e..98453d92e 100644
+--- a/src/tests/t_kadmin.py
+++ b/src/tests/t_kadmin.py
+@@ -51,4 +51,16 @@ for i in range(200):
+     realm.run_kadmin(['addprinc', '-randkey', 'foo%d' % i])
+ realm.run_kadmin(['listprincs'], expected_msg='foo199')
+ 
+# Test kadmin -k with the default principal, with and without
+# fallback.  This operation requires canonicalization against the
+# keytab in krb5_get_init_creds_keytab() as the
+# krb5_sname_to_principal() result won't have a realm.  Try with and
+# without without fallback processing since the code paths are
+# different.
+mark('kadmin -k')
+realm.run([kadmin, '-k', 'getprinc', realm.host_princ])
+no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
+no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
+realm.run([kadmin, '-k', 'getprinc', realm.host_princ], env=no_canon)
+
+ success('kadmin and kpasswd tests')
--- a/Fix-some-principal-realm-canonicalization-cases.patch
+++ b/Fix-some-principal-realm-canonicalization-cases.patch
@ -0,0 +1,97 @@
+From 634db456d552d813c1227ec3c2078c1fcc269b17 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 7 Jun 2021 13:27:29 -0400
+Subject: [PATCH] Fix some principal realm canonicalization cases
+
+The no_hostrealm and subst_defrealm flags in struct canonprinc were
+only applied when dns_canonicalize_hostname=fallback; in the other
+cases, the initial krb5_sname_to_principal() result is treated as
+canonical.  For no_hostrealm this limitation doesn't currently matter,
+because all uses pass a principal with no realm as input.  However,
+subst_defrealm is used to convert the referral realm to the default
+realm in krb5_get_init_creds_keytab(), krb5_cc_cache_match(), and
+gss_acquire_cred() when it needs to check the desired name against a
+specified ccache.
+
+In k5_canonprinc(), if the input principal is a
+krb5_sname_to_principal() result and fallback isn't in effect, apply
+subst_defrealm.  Document in os-proto.h that no_hostrealm doesn't
+remove an existing realm and that krb5_sname_to_principal() may
+already have looked one up.
+
+ticket: 9011 (new)
+(cherry picked from commit c077d0c6430c4ac163443aacc03d14d206a4cbb8)
+(cherry picked from commit 5ae9bc98f23aeaa2ce17debe5a9b0cf1130e54ed)
+---
+ src/lib/krb5/os/os-proto.h | 13 +++++++++----
+ src/lib/krb5/os/sn2princ.c | 24 +++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
+index 7d5e7978f..a985f2aec 100644
+--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
+@@ -85,10 +85,15 @@ struct sendto_callback_info {
+ 
+ /*
+  * Initialize with all zeros except for princ.  Set no_hostrealm to disable
+- * host-to-realm lookup, which ordinarily happens after canonicalizing the host
+- * part.  Set subst_defrealm to substitute the default realm for the referral
+- * realm after realm lookup (this has no effect if no_hostrealm is set).  Free
+- * with free_canonprinc() when done.
+ * host-to-realm lookup, which ordinarily happens during fallback processing
+ * after canonicalizing the host part.  Set subst_defrealm to substitute the
+ * default realm for the referral realm after realm lookup.  Do not set both
+ * flags.  Free with free_canonprinc() when done.
+ *
+ * no_hostrealm only applies if fallback processing is in use
+ * (dns_canonicalize_hostname = fallback).  It will not remove the realm if
+ * krb5_sname_to_principal() already canonicalized the hostname and looked up a
+ * realm.  subst_defrealm applies whether or not fallback processing is in use.
+  */
+ struct canonprinc {
+     krb5_const_principal princ;
+diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
+index c99b7da17..93c155932 100644
+--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
+@@ -271,18 +271,36 @@ krb5_error_code
+ k5_canonprinc(krb5_context context, struct canonprinc *iter,
+               krb5_const_principal *princ_out)
+ {
+    krb5_error_code ret;
+     int step = ++iter->step;
+ 
+     *princ_out = NULL;
+ 
+-    /* If we're not doing fallback, the input principal is canonical. */
+-    if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK ||
+-        iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 ||
+    /* If the hostname isn't from krb5_sname_to_principal(), the input
+     * principal is canonical. */
+    if (iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 ||
+         iter->princ->data[1].length == 0) {
+         *princ_out = (step == 1) ? iter->princ : NULL;
+         return 0;
+     }
+ 
+    /* If we're not doing fallback, the hostname is canonical, but we may need
+     * to substitute the default realm. */
+    if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK) {
+        if (step > 1)
+            return 0;
+        iter->copy = *iter->princ;
+        if (iter->subst_defrealm && iter->copy.realm.length == 0) {
+            ret = krb5_get_default_realm(context, &iter->realm);
+            if (ret)
+                return ret;
+            iter->copy = *iter->princ;
+            iter->copy.realm = string2data(iter->realm);
+        }
+        *princ_out = &iter->copy;
+        return 0;
+    }
+
+     /* Canonicalize without DNS at step 1, with DNS at step 2. */
+     if (step > 2)
+         return 0;
--- a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
+++ b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}6%{?dist}.1
+Release: %{?zdpd}7%{?dist}

 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -84,6 +84,10 @@ Patch19: Fix-KCM-flag-transmission-for-remove_cred.patch
 Patch20: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
 Patch21: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
 Patch22: Fix-KCM-retrieval-support-for-sssd.patch
+Patch23: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
+Patch24: Fix-some-principal-realm-canonicalization-cases.patch
+Patch25: Allow-kinit-with-keytab-to-defer-canonicalization.patch
+Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -645,6 +649,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7
+- Fix several fallback canonicalization problems
+- Resolves: #1967505
+
 * Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-6.1
 - Rebuilt for RHEL 9 BETA for openssl 3.0