Fix setting of AS key in OTP preauth failure

2016-05-27 21:19:23 +00:00 · 2016-05-27 21:19:23 +00:00 · db300d8761
commit db300d8761
parent 0429334fa0
2 changed files with 59 additions and 2 deletions
--- a/krb5-1.14.3-fix_otp_as_key.patch
+++ b/krb5-1.14.3-fix_otp_as_key.patch
@ -0,0 +1,50 @@
+From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Thu, 26 May 2016 16:54:29 -0400
+Subject: [PATCH] Avoid setting AS key when OTP preauth fails
+
+In otp_client_process(), call cb->set_as_key() later in the function
+after the OTP request has been created.  The previous position of this
+call caused the AS key to be replaced even when later code in the
+function failed, preventing other preauth mechanisms from retrieving
+the correct AS key.
+
+ticket: 8421 (new)
+target_version: 1.14-new
+target_version: 1.13-new
+tags: pullup
+---
+ src/lib/krb5/krb/preauth_otp.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
+index d9ddc8b..3de528b 100644
+--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
+@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
+     if (as_key == NULL)
+         return ENOENT;
+ 
+-    /* Use FAST armor key as response key. */
+-    retval = cb->set_as_key(context, rock, as_key);
+-    if (retval != 0)
+-        return retval;
+-
+     /* Attempt to get token selection from the responder. */
+     pin = empty_data();
+     value = empty_data();
+@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
+     if (retval != 0)
+         goto error;
+ 
+    /* Use FAST armor key as response key. */
+    retval = cb->set_as_key(context, rock, as_key);
+    if (retval != 0)
+        goto error;
+
+     /* Encode the request into the pa_data output. */
+     retval = set_pa_data(req, pa_data_out);
+ error:
+-- 
+2.8.1
+
--- a/krb5.spec
+++ b/krb5.spec
@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@ -71,6 +71,8 @@ Patch163: krb5-CVE-2016-3119.patch
 Patch164: krb5-1.15-kdc_send_receive_hooks.patch
 Patch165: krb5-1.15-kdc_hooks_test.patch

+Patch166: krb5-1.14.3-fix_otp_as_key.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@ -257,6 +259,8 @@ ln NOTICE LICENSE
 %patch164 -p1 -b .kdc_send_receive_hooks
 %patch165 -p1 -b .kdc_hooks_test

+%patch166 -p1 -b .fix_otp_as_key
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html

@ -778,7 +782,10 @@ exit 0


 %changelog
-* Mon Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5
+* Fri May 27 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-6
+- Fix setting of AS key in OTP preauth failure
+
+* Tue Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5
 - Use the correct patches this time.
 - Resolves: #1321135