rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix setting of AS key in OTP preauth failure

Browse Source
This commit is contained in:
Robbie Harwood 2016-05-27 21:19:23 +00:00
parent 0429334fa0
commit db300d8761
2 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
krb5-1.14.3-fix_otp_as_key.patch Normal file
View File

@ -0,0 +1,50 @@
From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 26 May 2016 16:54:29 -0400
Subject: [PATCH] Avoid setting AS key when OTP preauth fails
In otp_client_process(), call cb->set_as_key() later in the function
after the OTP request has been created. The previous position of this
call caused the AS key to be replaced even when later code in the
function failed, preventing other preauth mechanisms from retrieving
the correct AS key.
ticket: 8421 (new)
target_version: 1.14-new
target_version: 1.13-new
tags: pullup
---
src/lib/krb5/krb/preauth_otp.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8b..3de528b 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
if (as_key == NULL)
return ENOENT;
- /* Use FAST armor key as response key. */
- retval = cb->set_as_key(context, rock, as_key);
- if (retval != 0)
- return retval;
-
/* Attempt to get token selection from the responder. */
pin = empty_data();
value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
if (retval != 0)
goto error;
+ /* Use FAST armor key as response key. */
+ retval = cb->set_as_key(context, rock, as_key);
+ if (retval != 0)
+ goto error;
+
/* Encode the request into the pa_data output. */
retval = set_pa_data(req, pa_data_out);
error:
--
2.8.1

11
krb5.spec
View File

@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.14.1 Version: 1.14.1
Release: 5%{?dist} Release: 6%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -71,6 +71,8 @@ Patch163: krb5-CVE-2016-3119.patch
Patch164: krb5-1.15-kdc_send_receive_hooks.patch Patch164: krb5-1.15-kdc_send_receive_hooks.patch
Patch165: krb5-1.15-kdc_hooks_test.patch Patch165: krb5-1.15-kdc_hooks_test.patch
Patch166: krb5-1.14.3-fix_otp_as_key.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -257,6 +259,8 @@ ln NOTICE LICENSE
%patch164 -p1 -b .kdc_send_receive_hooks %patch164 -p1 -b .kdc_send_receive_hooks
%patch165 -p1 -b .kdc_hooks_test %patch165 -p1 -b .kdc_hooks_test
%patch166 -p1 -b .fix_otp_as_key
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -778,7 +782,10 @@ exit 0
%changelog %changelog
* Mon Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5 * Fri May 27 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-6
- Fix setting of AS key in OTP preauth failure
* Tue Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5
- Use the correct patches this time. - Use the correct patches this time.
- Resolves: #1321135 - Resolves: #1321135