Update otp patch; add keycheck patch

2013-05-03 17:04:40 -04:00 · 2013-05-03 17:04:40 -04:00 · c0d2f3b96d
commit c0d2f3b96d
parent fcc98d5403
6 changed files with 1534 additions and 1315 deletions
--- a/0001-add-k5memdup.patch
+++ b/0001-add-k5memdup.patch
@ -1,34 +0,0 @@
 From 5f7844ece4f81ce06f861c65a48c4e9dbeaa215e Mon Sep 17 00:00:00 2001
 From: Nathaniel McCallum <npmccallum@redhat.com>
 Date: Tue, 9 Apr 2013 11:17:04 -0400
 Subject: [PATCH 1/4] add k5memdup()
 ---
 src/include/k5-int.h | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/src/include/k5-int.h b/src/include/k5-int.h
 index 75e6783..7b5ab2c 100644
 --- a/src/include/k5-int.h
 +++ b/src/include/k5-int.h
@@ -2600,6 +2600,17 @@ k5alloc(size_t len, krb5_error_code *code)
     return ptr;
 }
 +/* Return a copy of the len bytes of memory at in; set *code to 0 or ENOMEM. */
 +static inline void *
 +k5memdup(const void *in, size_t len, krb5_error_code *code)
 +{
 +    void *ptr = k5alloc(len, code);
 +
 +    if (ptr != NULL)
 +        memcpy(ptr, in, len);
 +    return ptr;
 +}
 +
 krb5_error_code KRB5_CALLCONV
 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
                               krb5_ccache ccache,
 -- 
 1.8.2
--- a/0003-Add-internal-KDC_DIR-macro.patch
+++ b/0003-Add-internal-KDC_DIR-macro.patch
@ -1,66 +0,0 @@
 From a4a7a4aeb2fb96e36494faff46243fbcb3c0d78b Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 15 Jan 2013 11:11:27 -0500
 Subject: [PATCH 3/4] Add internal KDC_DIR macro
 Define KDC_DIR in osconf.hin and use it for paths within the KDC
 directory.
 ---
 src/include/osconf.hin | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
 diff --git a/src/include/osconf.hin b/src/include/osconf.hin
 index c3a33c2..1bca991 100644
 --- a/src/include/osconf.hin
 +++ b/src/include/osconf.hin
@@ -58,14 +58,15 @@
 #define DEFAULT_PLUGIN_BASE_DIR "@LIBDIR/krb5/plugins"
 #define PLUGIN_EXT              "@DYNOBJEXT"
 -#define DEFAULT_KDB_FILE        "@LOCALSTATEDIR/krb5kdc/principal"
 -#define DEFAULT_KEYFILE_STUB    "@LOCALSTATEDIR/krb5kdc/.k5."
 -#define KRB5_DEFAULT_ADMIN_ACL  "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
 +#define KDC_DIR                 "@LOCALSTATEDIR/krb5kdc"
 +#define DEFAULT_KDB_FILE        KDC_DIR "/principal"
 +#define DEFAULT_KEYFILE_STUB    KDC_DIR "/.k5."
 +#define KRB5_DEFAULT_ADMIN_ACL  KDC_DIR "/krb5_adm.acl"
 /* Used by old admin server */
 -#define DEFAULT_ADMIN_ACL       "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
 +#define DEFAULT_ADMIN_ACL       KDC_DIR "/krb5kdc/kadm_old.acl"
 /* Location of KDC profile */
 -#define DEFAULT_KDC_PROFILE     "@LOCALSTATEDIR/krb5kdc/kdc.conf"
 +#define DEFAULT_KDC_PROFILE     KDC_DIR "/krb5kdc/kdc.conf"
 #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
 #if TARGET_OS_MAC
@@ -93,8 +94,8 @@
 /*
  * Defaults for the KADM5 admin system.
  */
 -#define DEFAULT_KADM5_KEYTAB    "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
 -#define DEFAULT_KADM5_ACL_FILE  "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
 +#define DEFAULT_KADM5_KEYTAB    KDC_DIR "/kadm5.keytab"
 +#define DEFAULT_KADM5_ACL_FILE  KDC_DIR "/kadm5.acl"
 #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
 #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
@@ -116,12 +117,12 @@
  * krb5 slave support follows
  */
 -#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
 -#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
 +#define KPROP_DEFAULT_FILE KDC_DIR "/slave_datatrans"
 +#define KPROPD_DEFAULT_FILE KDC_DIR "/from_master"
 #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
 #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
 #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
 -#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
 +#define KPROPD_ACL_FILE KDC_DIR "/kpropd.acl"
 /*
  * GSS mechglue
 -- 
 1.8.2
--- a/0004-add-otp-plugin.patch
+++ b/0004-add-otp-plugin.patch
--- a/krb5-1.11.2-keycheck.patch
+++ b/krb5-1.11.2-keycheck.patch
@ -0,0 +1,230 @@
 From c7047421487c0e616b881c0922937bc759114233 Mon Sep 17 00:00:00 2001
 From: Nathaniel McCallum <npmccallum@redhat.com>
 Date: Fri, 3 May 2013 15:44:44 -0400
 Subject: [PATCH 1/3] Check for keys in encrypted timestamp/challenge
 Encrypted timestamp and encrypted challenge cannot succeed if the
 client has no long-term key matching the request enctypes, so do not
 offer them in that case.
 ticket: 7630
 NPM - This is a backport from the upstream fix. See upstream commits:
  https://github.com/krb5/krb5/commit/e50482720a805ecd8c160e4a8f4a846e6327dca2
  https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
 ---
 src/kdc/kdc_preauth_ec.c    | 23 +++++++++++++++++++++--
 src/kdc/kdc_preauth_encts.c | 22 ++++++++++++++++++++--
 2 files changed, 41 insertions(+), 4 deletions(-)
 diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
 index 9d7236c..db3ad07 100644
 --- a/src/kdc/kdc_preauth_ec.c
 +++ b/src/kdc/kdc_preauth_ec.c
@@ -39,8 +39,27 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
          krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
          krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
 -    krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 -    (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
 +    krb5_boolean have_client_keys = FALSE;
 +    krb5_keyblock *armor_key;
 +    krb5_key_data *kd;
 +    int i;
 +
 +    armor_key = cb->fast_armor(context, rock);
 +
 +    for (i = 0; i < rock->request->nktypes; i++) {
 +        if (krb5_dbe_find_enctype(context, rock->client,
 +                                  rock->request->ktype[i],
 +                                  -1, 0, &kd) == 0) {
 +            have_client_keys = TRUE;
 +            break;
 +        }
 +    }
 +
 +    /* Encrypted challenge only works with FAST, and requires a client key. */
 +    if (armor_key == NULL || !have_client_keys)
 +        (*respond)(arg, ENOENT, NULL);
 +    else
 +        (*respond)(arg, 0, NULL);
 }
 static void
 diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
 index d708061..adde6e2 100644
 --- a/src/kdc/kdc_preauth_encts.c
 +++ b/src/kdc/kdc_preauth_encts.c
@@ -34,9 +34,27 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
            krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
            krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
 -    krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 +    krb5_boolean have_client_keys = FALSE;
 +    krb5_keyblock *armor_key;
 +    krb5_key_data *kd;
 +    int i;
 +
 +    armor_key = cb->fast_armor(context, rock);
 +
 +    for (i = 0; i < rock->request->nktypes; i++) {
 +        if (krb5_dbe_find_enctype(context, rock->client,
 +                                  rock->request->ktype[i],
 +                                  -1, 0, &kd) == 0) {
 +            have_client_keys = TRUE;
 +            break;
 +        }
 +    }
 -    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
 +    /* Encrypted timestamp must not be used with FAST, and requires a key. */
 +    if (armor_key != NULL || !have_client_keys)
 +        (*respond)(arg, ENOENT, NULL);
 +    else
 +        (*respond)(arg, 0, NULL);
 }
 static void
 -- 
 1.8.2.1
 From 4d19790527e2c9d52bb05abd6048a63a1a8c222c Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 29 Apr 2013 14:55:31 -0400
 Subject: [PATCH 2/3] Don't send empty etype info from KDC
 RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
 sequences), and our client errors out if it sees an empty sequence of
 either.
 ticket: 7630
 ---
 src/kdc/kdc_preauth.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
 index 42a37a8..5c3b615 100644
 --- a/src/kdc/kdc_preauth.c
 +++ b/src/kdc/kdc_preauth.c
@@ -1404,6 +1404,11 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
             seen_des++;
         }
     }
 +
 +    /* If the list is empty, don't send it at all. */
 +    if (i == 0)
 +        goto cleanup;
 +
     if (etype_info2)
         retval = encode_krb5_etype_info2(entry, &scratch);
     else
 -- 
 1.8.2.1
 From a04cf2e89f4101eb6c2ec44ef1948976fe5fe9d3 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 2 May 2013 16:15:32 -0400
 Subject: [PATCH 3/3] Make AS requests work with no client key
 If we cannot find a client key while preparing an AS reply, give
 preauth mechanisms a chance to replace the reply key before erroring
 out.
 ticket: 7630
 ---
 src/kdc/do_as_req.c   | 36 ++++++++++++++++++++----------------
 src/kdc/kdc_preauth.c |  6 ++++++
 2 files changed, 26 insertions(+), 16 deletions(-)
 diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
 index 79da300..cb91803 100644
 --- a/src/kdc/do_as_req.c
 +++ b/src/kdc/do_as_req.c
@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                                    useenctype, -1, 0, &client_key))
             break;
     }
 -    if (!(client_key)) {
 -        /* Cannot find an appropriate key */
 -        state->status = "CANT_FIND_CLIENT_KEY";
 -        errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
 -        goto egress;
 -    }
 -    state->rock.client_key = client_key;
 -    /* convert client.key_data into a real key */
 -    if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
 -                                             client_key,
 -                                             &state->client_keyblock,
 -                                             NULL))) {
 -        state->status = "DECRYPT_CLIENT_KEY";
 -        goto egress;
 +    if (client_key != NULL) {
 +        /* Decrypt the client key data entry to get the real reply key. */
 +        errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key,
 +                                            &state->client_keyblock, NULL);
 +        if (errcode) {
 +            state->status = "DECRYPT_CLIENT_KEY";
 +            goto egress;
 +        }
 +        state->client_keyblock.enctype = useenctype;
 +        state->rock.client_key = client_key;
     }
 -    state->client_keyblock.enctype = useenctype;
     /* Start assembling the response */
     state->reply.msg_type = KRB5_AS_REP;
@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
         goto egress;
     }
 +    /* If we didn't find a client long-term key and no preauth mechanism
 +     * replaced the reply key, error out now. */
 +    if (state->client_keyblock.enctype == ENCTYPE_NULL) {
 +        state->status = "CANT_FIND_CLIENT_KEY";
 +        errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
 +        goto egress;
 +    }
 +
     errcode = handle_authdata(kdc_context,
                               state->c_flags,
                               state->client,
@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                                   &state->reply_encpart, 0,
                                   as_encrypting_key,
                                   &state->reply, &response);
 -    state->reply.enc_part.kvno = client_key->key_data_kvno;
 +    if (client_key != NULL)
 +        state->reply.enc_part.kvno = client_key->key_data_kvno;
     if (errcode) {
         state->status = "ENCODE_KDC_REP";
         goto egress;
 diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
 index 5c3b615..5d12346 100644
 --- a/src/kdc/kdc_preauth.c
 +++ b/src/kdc/kdc_preauth.c
@@ -1473,6 +1473,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
     krb5_etype_info_entry **entry = NULL;
     krb5_data *scratch = NULL;
 +    if (client_key == NULL)
 +        return 0;
 +
     /*
      * Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
      * enctypes.
@@ -1576,6 +1579,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
     krb5_key_data *     client_key = rock->client_key;
     int i;
 +    if (client_key == NULL)
 +        return 0;
 +
     for (i = 0; i < request->nktypes; i++) {
         if (enctype_requires_etype_info_2(request->ktype[i]))
             return 0;
 -- 
 1.8.2.1
--- a/0002-add-libkrad.patch
+++ b/0002-add-libkrad.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -78,12 +78,9 @@ Patch117: krb5-1.11-gss-client-keytab.patch
 Patch118: krb5-1.11.1-rpcbind.patch
 Patch119: krb5-fast-msg_type.patch
-# Patch for otp plugin backport
+# Patches for otp plugin backport
-Patch201: 0001-add-k5memdup.patch
+Patch201: krb5-1.11.2-keycheck.patch
-Patch202: 0002-add-libkrad.patch
+Patch202: krb5-1.11.2-otp.patch
 Patch203: 0003-Add-internal-KDC_DIR-macro.patch
 Patch204: 0004-add-otp-plugin.patch
 Patch205: krb5-kdcdir2.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -300,11 +297,8 @@ ln -s NOTICE LICENSE
 %patch118 -p1 -b .rpcbind
 %patch119 -p1 -b .fast-msg_type
-%patch201 -p1 -b .add-k5memdup
+%patch201 -p1 -b .keycheck
-%patch202 -p1 -b .add-libkrad
+%patch202 -p1 -b .otp
 %patch203 -p1 -b .add-internal-kdc_dir
 %patch204 -p1 -b .add-otp-plugin
 %patch205 -p1 -b .kdcdir2
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt
@ -827,6 +821,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
 * Mon Apr 29 2013 Nathaniel McCallum <npmccallum@redhat.com> 1.11.2-4
 - Update otp patches
 - Merge otp patches into a single patch
 - Add keycheck patch
 * Tue Apr 23 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-3
 - pull the changing of the compiled-in default ccache location to
  DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and