From c262ec69f6436125b0421ab6fd6ebed6215ce92c Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 1 Apr 2020 14:24:49 -0400 Subject: [PATCH] Correctly import "service@" GSS host-based name --- ...y-import-service-GSS-host-based-name.patch | 52 +++++++++++++++++++ krb5.spec | 6 ++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 Correctly-import-service-GSS-host-based-name.patch diff --git a/Correctly-import-service-GSS-host-based-name.patch b/Correctly-import-service-GSS-host-based-name.patch new file mode 100644 index 0000000..683b2d9 --- /dev/null +++ b/Correctly-import-service-GSS-host-based-name.patch @@ -0,0 +1,52 @@ +From 53b7be87de77b09f44b4ced1d4e85f520c9ce71a Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 30 Mar 2020 15:26:02 -0400 +Subject: [PATCH] Correctly import "service@" GSS host-based name + +The intended way to specify only a service in a GSS host-based name is +to omit the "@" separator. Some applications include the separator +but no hostname, and this happened to yield wildcard hostname behavior +prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when +shortname qualification was added. To restore this behavior, check in +parse_hostbased() that at least one character is present after the "@" +separator before copying the hostname. Add a test case to t_gssapi.py. + +ticket: 8892 +tags: pullup +target_version: 1.18-next + +(cherry picked from commit a2f047af0400ba8080dc26033fae2b17534501e2) +--- + src/lib/gssapi/krb5/import_name.c | 4 ++-- + src/tests/gssapi/t_gssapi.py | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c +index da2ab1423..21023dd76 100644 +--- a/src/lib/gssapi/krb5/import_name.c ++++ b/src/lib/gssapi/krb5/import_name.c +@@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len, + memcpy(service, str, servicelen); + service[servicelen] = '\0'; + +- /* If present, copy the hostname. */ +- if (at != NULL) { ++ /* Copy the hostname if present (at least one character after '@'). */ ++ if (len - servicelen > 1) { + hostlen = len - servicelen - 1; + host = malloc(hostlen + 1); + if (host == NULL) { +diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py +index 54d5cf549..ecf982604 100755 +--- a/src/tests/gssapi/t_gssapi.py ++++ b/src/tests/gssapi/t_gssapi.py +@@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'], + expected_msg='service2/calvin') + realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1, + expected_msg=' found in keytab but does not match server principal') ++# Regression test for #8892 (trailing @ in name). ++realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'], ++ expected_msg='service1/abraham') + + # Test with acceptor name containing service and host. Use the + # client's un-canonicalized hostname as acceptor input to mirror what diff --git a/krb5.spec b/krb5.spec index a87f08c..37bd530 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 9%{?dist} +Release: 10%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -57,6 +57,7 @@ Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch Patch12: Document-client-keytab-usage.patch Patch13: Add-finalization-safety-check-to-com_err.patch Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch +Patch15: Correctly-import-service-GSS-host-based-name.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -634,6 +635,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Apr 01 2020 Robbie Harwood - 1.18-10 +- Correctly import "service@" GSS host-based name + * Thu Mar 26 2020 Robbie Harwood - 1.18-9 - Eliminate redundant PKINIT responder invocation