Update otp patch; add keycheck patch

2013-05-03 17:04:40 -04:00 · 2013-05-03 17:04:40 -04:00 · c0d2f3b96d
commit c0d2f3b96d
parent fcc98d5403
6 changed files with 1534 additions and 1315 deletions
--- a/0001-add-k5memdup.patch
+++ b/0001-add-k5memdup.patch
@ -1,34 +0,0 @@
-From 5f7844ece4f81ce06f861c65a48c4e9dbeaa215e Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum <npmccallum@redhat.com>
-Date: Tue, 9 Apr 2013 11:17:04 -0400
-Subject: [PATCH 1/4] add k5memdup()
-
---
- src/include/k5-int.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 75e6783..7b5ab2c 100644
--- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -2600,6 +2600,17 @@ k5alloc(size_t len, krb5_error_code *code)
-     return ptr;
- }
- 
-+/* Return a copy of the len bytes of memory at in; set *code to 0 or ENOMEM. */
-+static inline void *
-+k5memdup(const void *in, size_t len, krb5_error_code *code)
-+{
-+    void *ptr = k5alloc(len, code);
-+
-+    if (ptr != NULL)
-+        memcpy(ptr, in, len);
-+    return ptr;
-+}
-+
- krb5_error_code KRB5_CALLCONV
- krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
-                               krb5_ccache ccache,
-- 
-1.8.2
-
--- a/0003-Add-internal-KDC_DIR-macro.patch
+++ b/0003-Add-internal-KDC_DIR-macro.patch
@ -1,66 +0,0 @@
-From a4a7a4aeb2fb96e36494faff46243fbcb3c0d78b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 15 Jan 2013 11:11:27 -0500
-Subject: [PATCH 3/4] Add internal KDC_DIR macro
-
-Define KDC_DIR in osconf.hin and use it for paths within the KDC
-directory.
---
- src/include/osconf.hin | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/src/include/osconf.hin b/src/include/osconf.hin
-index c3a33c2..1bca991 100644
--- a/src/include/osconf.hin
-+++ b/src/include/osconf.hin
-@@ -58,14 +58,15 @@
- #define DEFAULT_PLUGIN_BASE_DIR "@LIBDIR/krb5/plugins"
- #define PLUGIN_EXT              "@DYNOBJEXT"
- 
-#define DEFAULT_KDB_FILE        "@LOCALSTATEDIR/krb5kdc/principal"
-#define DEFAULT_KEYFILE_STUB    "@LOCALSTATEDIR/krb5kdc/.k5."
-#define KRB5_DEFAULT_ADMIN_ACL  "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
-+#define KDC_DIR                 "@LOCALSTATEDIR/krb5kdc"
-+#define DEFAULT_KDB_FILE        KDC_DIR "/principal"
-+#define DEFAULT_KEYFILE_STUB    KDC_DIR "/.k5."
-+#define KRB5_DEFAULT_ADMIN_ACL  KDC_DIR "/krb5_adm.acl"
- /* Used by old admin server */
-#define DEFAULT_ADMIN_ACL       "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
-+#define DEFAULT_ADMIN_ACL       KDC_DIR "/krb5kdc/kadm_old.acl"
- 
- /* Location of KDC profile */
-#define DEFAULT_KDC_PROFILE     "@LOCALSTATEDIR/krb5kdc/kdc.conf"
-+#define DEFAULT_KDC_PROFILE     KDC_DIR "/krb5kdc/kdc.conf"
- #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
- 
- #if TARGET_OS_MAC
-@@ -93,8 +94,8 @@
- /*
-  * Defaults for the KADM5 admin system.
-  */
-#define DEFAULT_KADM5_KEYTAB    "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
-#define DEFAULT_KADM5_ACL_FILE  "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
-+#define DEFAULT_KADM5_KEYTAB    KDC_DIR "/kadm5.keytab"
-+#define DEFAULT_KADM5_ACL_FILE  KDC_DIR "/kadm5.acl"
- #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
- 
- #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
-@@ -116,12 +117,12 @@
-  * krb5 slave support follows
-  */
- 
-#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
-#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
-+#define KPROP_DEFAULT_FILE KDC_DIR "/slave_datatrans"
-+#define KPROPD_DEFAULT_FILE KDC_DIR "/from_master"
- #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
- #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
- #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
-#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
-+#define KPROPD_ACL_FILE KDC_DIR "/kpropd.acl"
- 
- /*
-  * GSS mechglue
-- 
-1.8.2
-
--- a/0004-add-otp-plugin.patch
+++ b/0004-add-otp-plugin.patch
--- a/krb5-1.11.2-keycheck.patch
+++ b/krb5-1.11.2-keycheck.patch
@ -0,0 +1,230 @@
+From c7047421487c0e616b881c0922937bc759114233 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 3 May 2013 15:44:44 -0400
+Subject: [PATCH 1/3] Check for keys in encrypted timestamp/challenge
+
+Encrypted timestamp and encrypted challenge cannot succeed if the
+client has no long-term key matching the request enctypes, so do not
+offer them in that case.
+
+ticket: 7630
+
+NPM - This is a backport from the upstream fix. See upstream commits:
+  https://github.com/krb5/krb5/commit/e50482720a805ecd8c160e4a8f4a846e6327dca2
+  https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
+---
+ src/kdc/kdc_preauth_ec.c    | 23 +++++++++++++++++++++--
+ src/kdc/kdc_preauth_encts.c | 22 ++++++++++++++++++++--
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
+index 9d7236c..db3ad07 100644
+--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
+@@ -39,8 +39,27 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
+          krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
+          krb5_kdcpreauth_edata_respond_fn respond, void *arg)
+ {
+-    krb5_keyblock *armor_key = cb->fast_armor(context, rock);
+-    (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+    krb5_boolean have_client_keys = FALSE;
+    krb5_keyblock *armor_key;
+    krb5_key_data *kd;
+    int i;
+
+    armor_key = cb->fast_armor(context, rock);
+
+    for (i = 0; i < rock->request->nktypes; i++) {
+        if (krb5_dbe_find_enctype(context, rock->client,
+                                  rock->request->ktype[i],
+                                  -1, 0, &kd) == 0) {
+            have_client_keys = TRUE;
+            break;
+        }
+    }
+
+    /* Encrypted challenge only works with FAST, and requires a client key. */
+    if (armor_key == NULL || !have_client_keys)
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
+ }
+ 
+ static void
+diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
+index d708061..adde6e2 100644
+--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
+@@ -34,9 +34,27 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
+            krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
+            krb5_kdcpreauth_edata_respond_fn respond, void *arg)
+ {
+-    krb5_keyblock *armor_key = cb->fast_armor(context, rock);
+    krb5_boolean have_client_keys = FALSE;
+    krb5_keyblock *armor_key;
+    krb5_key_data *kd;
+    int i;
+
+    armor_key = cb->fast_armor(context, rock);
+
+    for (i = 0; i < rock->request->nktypes; i++) {
+        if (krb5_dbe_find_enctype(context, rock->client,
+                                  rock->request->ktype[i],
+                                  -1, 0, &kd) == 0) {
+            have_client_keys = TRUE;
+            break;
+        }
+    }
+ 
+-    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+    /* Encrypted timestamp must not be used with FAST, and requires a key. */
+    if (armor_key != NULL || !have_client_keys)
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
+ }
+ 
+ static void
+-- 
+1.8.2.1
+
+
+From 4d19790527e2c9d52bb05abd6048a63a1a8c222c Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 29 Apr 2013 14:55:31 -0400
+Subject: [PATCH 2/3] Don't send empty etype info from KDC
+
+RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
+sequences), and our client errors out if it sees an empty sequence of
+either.
+
+ticket: 7630
+---
+ src/kdc/kdc_preauth.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 42a37a8..5c3b615 100644
+--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
+@@ -1404,6 +1404,11 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+             seen_des++;
+         }
+     }
+
+    /* If the list is empty, don't send it at all. */
+    if (i == 0)
+        goto cleanup;
+
+     if (etype_info2)
+         retval = encode_krb5_etype_info2(entry, &scratch);
+     else
+-- 
+1.8.2.1
+
+
+From a04cf2e89f4101eb6c2ec44ef1948976fe5fe9d3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 2 May 2013 16:15:32 -0400
+Subject: [PATCH 3/3] Make AS requests work with no client key
+
+If we cannot find a client key while preparing an AS reply, give
+preauth mechanisms a chance to replace the reply key before erroring
+out.
+
+ticket: 7630
+---
+ src/kdc/do_as_req.c   | 36 ++++++++++++++++++++----------------
+ src/kdc/kdc_preauth.c |  6 ++++++
+ 2 files changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 79da300..cb91803 100644
+--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
+@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+                                    useenctype, -1, 0, &client_key))
+             break;
+     }
+-    if (!(client_key)) {
+-        /* Cannot find an appropriate key */
+-        state->status = "CANT_FIND_CLIENT_KEY";
+-        errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+-        goto egress;
+-    }
+-    state->rock.client_key = client_key;
+ 
+-    /* convert client.key_data into a real key */
+-    if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
+-                                             client_key,
+-                                             &state->client_keyblock,
+-                                             NULL))) {
+-        state->status = "DECRYPT_CLIENT_KEY";
+-        goto egress;
+    if (client_key != NULL) {
+        /* Decrypt the client key data entry to get the real reply key. */
+        errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key,
+                                            &state->client_keyblock, NULL);
+        if (errcode) {
+            state->status = "DECRYPT_CLIENT_KEY";
+            goto egress;
+        }
+        state->client_keyblock.enctype = useenctype;
+        state->rock.client_key = client_key;
+     }
+-    state->client_keyblock.enctype = useenctype;
+ 
+     /* Start assembling the response */
+     state->reply.msg_type = KRB5_AS_REP;
+@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+         goto egress;
+     }
+ 
+    /* If we didn't find a client long-term key and no preauth mechanism
+     * replaced the reply key, error out now. */
+    if (state->client_keyblock.enctype == ENCTYPE_NULL) {
+        state->status = "CANT_FIND_CLIENT_KEY";
+        errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+        goto egress;
+    }
+
+     errcode = handle_authdata(kdc_context,
+                               state->c_flags,
+                               state->client,
+@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+                                   &state->reply_encpart, 0,
+                                   as_encrypting_key,
+                                   &state->reply, &response);
+-    state->reply.enc_part.kvno = client_key->key_data_kvno;
+    if (client_key != NULL)
+        state->reply.enc_part.kvno = client_key->key_data_kvno;
+     if (errcode) {
+         state->status = "ENCODE_KDC_REP";
+         goto egress;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 5c3b615..5d12346 100644
+--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
+@@ -1473,6 +1473,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
+     krb5_etype_info_entry **entry = NULL;
+     krb5_data *scratch = NULL;
+ 
+    if (client_key == NULL)
+        return 0;
+
+     /*
+      * Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
+      * enctypes.
+@@ -1576,6 +1579,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
+     krb5_key_data *     client_key = rock->client_key;
+     int i;
+ 
+    if (client_key == NULL)
+        return 0;
+
+     for (i = 0; i < request->nktypes; i++) {
+         if (enctype_requires_etype_info_2(request->ktype[i]))
+             return 0;
+-- 
+1.8.2.1
+
--- a/0002-add-libkrad.patch
+++ b/0002-add-libkrad.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -78,12 +78,9 @@ Patch117: krb5-1.11-gss-client-keytab.patch
 Patch118: krb5-1.11.1-rpcbind.patch
 Patch119: krb5-fast-msg_type.patch

-# Patch for otp plugin backport
-Patch201: 0001-add-k5memdup.patch
-Patch202: 0002-add-libkrad.patch
-Patch203: 0003-Add-internal-KDC_DIR-macro.patch
-Patch204: 0004-add-otp-plugin.patch
-Patch205: krb5-kdcdir2.patch
+# Patches for otp plugin backport
+Patch201: krb5-1.11.2-keycheck.patch
+Patch202: krb5-1.11.2-otp.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -300,11 +297,8 @@ ln -s NOTICE LICENSE
 %patch118 -p1 -b .rpcbind
 %patch119 -p1 -b .fast-msg_type

-%patch201 -p1 -b .add-k5memdup
-%patch202 -p1 -b .add-libkrad
-%patch203 -p1 -b .add-internal-kdc_dir
-%patch204 -p1 -b .add-otp-plugin
-%patch205 -p1 -b .kdcdir2
+%patch201 -p1 -b .keycheck
+%patch202 -p1 -b .otp

 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt
@ -827,6 +821,11 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Mon Apr 29 2013 Nathaniel McCallum <npmccallum@redhat.com> 1.11.2-4
+- Update otp patches
+- Merge otp patches into a single patch
+- Add keycheck patch
+
 * Tue Apr 23 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-3
 - pull the changing of the compiled-in default ccache location to
  DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and