Fix several fallback canonicalization problems

Resolves: #1967505
2021-06-17 17:47:21 -04:00 · 2021-06-17 17:47:21 -04:00 · bbae1053b5
commit bbae1053b5
parent b99dafad10
5 changed files with 1983 additions and 1 deletions
--- a/Allow-kinit-with-keytab-to-defer-canonicalization.patch
+++ b/Allow-kinit-with-keytab-to-defer-canonicalization.patch
@ -0,0 +1,61 @@
 From 1bc00e294cddd2061012c50d78eaf65ae06146bb Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 3 Jun 2021 16:03:07 -0400
 Subject: [PATCH] Allow kinit with keytab to defer canonicalization
 [ghudson@mit.edu: added tests]
 ticket: 9012 (new)
 (cherry picked from commit 5e6a6efc5df689d9fb8730d0227167ffbb6ece0e)
 (cherry picked from commit 090c7319652466339e3e6482bdd1b5a294638dff)
 ---
 src/clients/kinit/kinit.c | 11 -----------
 src/tests/t_keytab.py     | 13 +++++++++++++
 2 files changed, 13 insertions(+), 11 deletions(-)
 diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
 index d1f5d74c3..5a6d7237c 100644
 --- a/src/clients/kinit/kinit.c
 +++ b/src/clients/kinit/kinit.c
@@ -510,17 +510,6 @@ k5_begin(struct k_opts *opts, struct k5_data *k5)
                     _("when creating default server principal name"));
             goto cleanup;
         }
 -        if (k5->me->realm.data[0] == 0) {
 -            ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
 -            if (ret == 0) {
 -                com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
 -                        _("(principal %s)"), k5->name);
 -            } else {
 -                com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
 -                        _("for local services"));
 -            }
 -            goto cleanup;
 -        }
     } else if (k5->out_cc != NULL) {
         /* If the output ccache is initialized, use its principal. */
         if (krb5_cc_get_principal(k5->ctx, k5->out_cc, &princ) == 0)
 diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
 index 850375c92..a9adebb26 100755
 --- a/src/tests/t_keytab.py
 +++ b/src/tests/t_keytab.py
@@ -41,6 +41,19 @@ realm.kinit(realm.user_princ, flags=['-i'],
             expected_msg='keytab specified, forcing -k')
 realm.klist(realm.user_princ)
 +# Test default principal for -k.  This operation requires
 +# canonicalization against the keytab in krb5_get_init_creds_keytab()
 +# as the krb5_sname_to_principal() result won't have a realm.  Try
 +# with and without without fallback processing since the code paths
 +# are different.
 +mark('default principal for -k')
 +realm.run([kinit, '-k'])
 +realm.klist(realm.host_princ)
 +no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
 +no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
 +realm.run([kinit, '-k'], env=no_canon)
 +realm.klist(realm.host_princ)
 +
 # Test extracting keys with multiple key versions present.
 mark('multi-kvno extract')
 os.remove(realm.keytab)
--- a/Fix-kadmin-k-with-fallback-or-referral-realm.patch
+++ b/Fix-kadmin-k-with-fallback-or-referral-realm.patch
@ -0,0 +1,65 @@
 From da276b30dacda8a96a98213e8293f484e8f4ae21 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 7 Jun 2021 15:00:41 -0400
 Subject: [PATCH] Fix kadmin -k with fallback or referral realm
 kadmin -k produces a client principal name with
 krb5_sname_to_principal(), but it gets converted to a string and back
 due to the signature of kadm5_init_with_skey(), which loses track of
 the name type, so no canonicalization is performed.
 In libkadm5clnt initialization, recognize the important subset of this
 case--an empty realm indicates either fallback processing or the
 referral realm--and restore the host-based name type so that the
 client principal can be canonicalized against the keytab.
 ticket: 9013 (new)
 (cherry picked from commit dcb79089276624d7ddf44e08d35bd6d7d7e557d2)
 (cherry picked from commit cd8ff035f5b4720a8fc457355726f7bd0eab5eaa)
 ---
 src/lib/kadm5/clnt/client_init.c |  7 +++++++
 src/tests/t_kadmin.py            | 12 ++++++++++++
 2 files changed, 19 insertions(+)
 diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
 index aa1223bb3..0aaca701f 100644
 --- a/src/lib/kadm5/clnt/client_init.c
 +++ b/src/lib/kadm5/clnt/client_init.c
@@ -221,9 +221,16 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
         return KADM5_MISSING_KRB5_CONF_PARAMS;
     }
 +    /*
 +     * Parse the client name.  If it has an empty realm, it is almost certainly
 +     * a host-based principal using DNS fallback processing or the referral
 +     * realm, so give it the appropriate name type for canonicalization.
 +     */
     code = krb5_parse_name(handle->context, client_name, &client);
     if (code)
         goto error;
 +    if (init_type == INIT_SKEY && client->realm.length == 0)
 +        client->type = KRB5_NT_SRV_HST;
     /*
      * Get credentials.  Also does some fallbacks in case kadmin/fqdn
 diff --git a/src/tests/t_kadmin.py b/src/tests/t_kadmin.py
 index fe6a3cc2e..98453d92e 100644
 --- a/src/tests/t_kadmin.py
 +++ b/src/tests/t_kadmin.py
@@ -51,4 +51,16 @@ for i in range(200):
     realm.run_kadmin(['addprinc', '-randkey', 'foo%d' % i])
 realm.run_kadmin(['listprincs'], expected_msg='foo199')
 +# Test kadmin -k with the default principal, with and without
 +# fallback.  This operation requires canonicalization against the
 +# keytab in krb5_get_init_creds_keytab() as the
 +# krb5_sname_to_principal() result won't have a realm.  Try with and
 +# without without fallback processing since the code paths are
 +# different.
 +mark('kadmin -k')
 +realm.run([kadmin, '-k', 'getprinc', realm.host_princ])
 +no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
 +no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
 +realm.run([kadmin, '-k', 'getprinc', realm.host_princ], env=no_canon)
 +
 success('kadmin and kpasswd tests')
--- a/Fix-some-principal-realm-canonicalization-cases.patch
+++ b/Fix-some-principal-realm-canonicalization-cases.patch
@ -0,0 +1,97 @@
 From 634db456d552d813c1227ec3c2078c1fcc269b17 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 7 Jun 2021 13:27:29 -0400
 Subject: [PATCH] Fix some principal realm canonicalization cases
 The no_hostrealm and subst_defrealm flags in struct canonprinc were
 only applied when dns_canonicalize_hostname=fallback; in the other
 cases, the initial krb5_sname_to_principal() result is treated as
 canonical.  For no_hostrealm this limitation doesn't currently matter,
 because all uses pass a principal with no realm as input.  However,
 subst_defrealm is used to convert the referral realm to the default
 realm in krb5_get_init_creds_keytab(), krb5_cc_cache_match(), and
 gss_acquire_cred() when it needs to check the desired name against a
 specified ccache.
 In k5_canonprinc(), if the input principal is a
 krb5_sname_to_principal() result and fallback isn't in effect, apply
 subst_defrealm.  Document in os-proto.h that no_hostrealm doesn't
 remove an existing realm and that krb5_sname_to_principal() may
 already have looked one up.
 ticket: 9011 (new)
 (cherry picked from commit c077d0c6430c4ac163443aacc03d14d206a4cbb8)
 (cherry picked from commit 5ae9bc98f23aeaa2ce17debe5a9b0cf1130e54ed)
 ---
 src/lib/krb5/os/os-proto.h | 13 +++++++++----
 src/lib/krb5/os/sn2princ.c | 24 +++++++++++++++++++++---
 2 files changed, 30 insertions(+), 7 deletions(-)
 diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
 index 7d5e7978f..a985f2aec 100644
 --- a/src/lib/krb5/os/os-proto.h
 +++ b/src/lib/krb5/os/os-proto.h
@@ -85,10 +85,15 @@ struct sendto_callback_info {
 /*
  * Initialize with all zeros except for princ.  Set no_hostrealm to disable
 - * host-to-realm lookup, which ordinarily happens after canonicalizing the host
 - * part.  Set subst_defrealm to substitute the default realm for the referral
 - * realm after realm lookup (this has no effect if no_hostrealm is set).  Free
 - * with free_canonprinc() when done.
 + * host-to-realm lookup, which ordinarily happens during fallback processing
 + * after canonicalizing the host part.  Set subst_defrealm to substitute the
 + * default realm for the referral realm after realm lookup.  Do not set both
 + * flags.  Free with free_canonprinc() when done.
 + *
 + * no_hostrealm only applies if fallback processing is in use
 + * (dns_canonicalize_hostname = fallback).  It will not remove the realm if
 + * krb5_sname_to_principal() already canonicalized the hostname and looked up a
 + * realm.  subst_defrealm applies whether or not fallback processing is in use.
  */
 struct canonprinc {
     krb5_const_principal princ;
 diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
 index c99b7da17..93c155932 100644
 --- a/src/lib/krb5/os/sn2princ.c
 +++ b/src/lib/krb5/os/sn2princ.c
@@ -271,18 +271,36 @@ krb5_error_code
 k5_canonprinc(krb5_context context, struct canonprinc *iter,
               krb5_const_principal *princ_out)
 {
 +    krb5_error_code ret;
     int step = ++iter->step;
     *princ_out = NULL;
 -    /* If we're not doing fallback, the input principal is canonical. */
 -    if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK ||
 -        iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 ||
 +    /* If the hostname isn't from krb5_sname_to_principal(), the input
 +     * principal is canonical. */
 +    if (iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 ||
         iter->princ->data[1].length == 0) {
         *princ_out = (step == 1) ? iter->princ : NULL;
         return 0;
     }
 +    /* If we're not doing fallback, the hostname is canonical, but we may need
 +     * to substitute the default realm. */
 +    if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK) {
 +        if (step > 1)
 +            return 0;
 +        iter->copy = *iter->princ;
 +        if (iter->subst_defrealm && iter->copy.realm.length == 0) {
 +            ret = krb5_get_default_realm(context, &iter->realm);
 +            if (ret)
 +                return ret;
 +            iter->copy = *iter->princ;
 +            iter->copy.realm = string2data(iter->realm);
 +        }
 +        *princ_out = &iter->copy;
 +        return 0;
 +    }
 +
     /* Canonicalize without DNS at step 1, with DNS at step 2. */
     if (step > 2)
         return 0;
--- a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
+++ b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}6%{?dist}.1
+Release: %{?zdpd}7%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -84,6 +84,10 @@ Patch19: Fix-KCM-flag-transmission-for-remove_cred.patch
 Patch20: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
 Patch21: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
 Patch22: Fix-KCM-retrieval-support-for-sssd.patch
 Patch23: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
 Patch24: Fix-some-principal-realm-canonicalization-cases.patch
 Patch25: Allow-kinit-with-keytab-to-defer-canonicalization.patch
 Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -645,6 +649,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
 * Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7
 - Fix several fallback canonicalization problems
 - Resolves: #1967505
 * Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-6.1
 - Rebuilt for RHEL 9 BETA for openssl 3.0