From edfb00e0013485d25cf4e3edaa0f4e28d57eb831 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 6 Feb 2020 10:17:38 -0500
Subject: [PATCH] Put KDB authdata first
---
Put-KDB-authdata-first.patch | 44 ++++++
...at-PAC-is-the-first-authdata-element.patch | 147 ++++++++++++++++++
krb5.spec | 7 +-
3 files changed, 197 insertions(+), 1 deletion(-)
create mode 100644 Put-KDB-authdata-first.patch
create mode 100644 Test-that-PAC-is-the-first-authdata-element.patch
diff --git a/Put-KDB-authdata-first.patch b/Put-KDB-authdata-first.patch
new file mode 100644
index 0000000..d8c1c9c
--- /dev/null
+++ b/Put-KDB-authdata-first.patch
@@ -0,0 +1,44 @@ +From 1678270de3fda699114122447b1f06b08fb4e53e Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 1 Feb 2020 16:13:30 +0100 +Subject: [PATCH] Put KDB authdata first + +Windows services, as well as some versions of Samba, may refuse +tickets if the PAC is not in the first AD-IF-RELEVANT container. In +fetch_kdb_authdata(), change the merge order so that authdata from the +KDB module appears first. + +[ghudson@mit.edu: added comment and clarified commit message] + +ticket: 8872 (new) +tags: pullup +target_version: 1.18 +target_version: 1.17-next + +(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa) +--- + src/kdc/kdc_authdata.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c +index a18e4b4be..1ebe87246 100644 +--- a/src/kdc/kdc_authdata.c ++++ b/src/kdc/kdc_authdata.c +@@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, + if (ret) + return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; + +- /* Add the KDB authdata to the ticket, without copying or filtering. */ +- ret = merge_authdata(context, db_authdata, +- &enc_tkt_reply->authorization_data, FALSE, FALSE); ++ /* Put the KDB authdata first in the ticket. A successful merge places the ++ * combined list in db_authdata and releases the old ticket authdata. */ ++ ret = merge_authdata(context, enc_tkt_reply->authorization_data, ++ &db_authdata, FALSE, FALSE); + if (ret) + krb5_free_authdata(context, db_authdata); ++ else ++ enc_tkt_reply->authorization_data = db_authdata; + return ret; + } + diff --git a/Test-that-PAC-is-the-first-authdata-element.patch b/Test-that-PAC-is-the-first-authdata-element.patch new file mode 100644 index 0000000..acda89e --- /dev/null +++ b/Test-that-PAC-is-the-first-authdata-element.patch 
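Review bot: The failure path after the reordered merge_authdata() call in fetch_kdb_authdata() frees db_authdata but leaves enc_tkt_reply->authorization_data as it was, so the ticket's existing list stays valid only if merge_authdata() does not consume or release its `in` argument on error; that contract lives outside the hunk and the new comment describes only the success case. The same holds for a ticket with no prior authdata, where the result relies on a NULL `in` being treated as a no-op by merge_authdata() — presumably the case, but not visible here. Consider extending the new comment with `On failure the ticket's list is untouched, so merge_authdata() must leave in intact on error.` once that has been confirmed against merge_authdata(). fetch_kdb_authdata() begins outside the hunk.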
@@ -0,0 +1,147 @@ +From a3b82f95570e39c8689f5ce1bbcc80ad99483323 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 1 Feb 2020 13:21:39 +0100 +Subject: [PATCH] Test that PAC is the first authdata element + +In the test KDB module, set the PAC as the first authdata element. In +adata.c, add PAC service verification and verify that a PAC does not +appear in authdata elements after the first. + +[ghudson@mit.edu: minor style changes; edited commit message] + +ticket: 8872 +(cherry picked from commit d40d7c8ee8d7fb547e45c545365b21a818050130) +--- + src/plugins/kdb/test/kdb_test.c | 7 +++-- + src/tests/adata.c | 54 ++++++++++++++++++++++++++++----- + 2 files changed, 51 insertions(+), 10 deletions(-) + +diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c +index d95a7fa5d..1936cb0e4 100644 +--- a/src/plugins/kdb/test/kdb_test.c ++++ b/src/plugins/kdb/test/kdb_test.c +@@ -897,10 +897,11 @@ test_sign_authdata(krb5_context context, unsigned int flags, + test_ad->contents = (uint8_t *)estrdup("db-authdata-test"); + test_ad->length = strlen((char *)test_ad->contents); + +- /* Assemble the authdata into a one-element or two-element list. */ ++ /* Assemble the authdata into a one-element or two-element list. ++ * The PAC must be the first element. */ + list = ealloc(3 * sizeof(*list)); +- list[0] = test_ad; +- list[1] = pac_ad; ++ list[0] = (pac_ad != NULL) ? pac_ad : test_ad; ++ list[1] = (pac_ad != NULL) ? 
test_ad : NULL; + list[2] = NULL; + *signed_auth_data = list; + +diff --git a/src/tests/adata.c b/src/tests/adata.c +index d3bd08e30..3869aec1d 100644 +--- a/src/tests/adata.c ++++ b/src/tests/adata.c +@@ -56,7 +56,8 @@ + static krb5_context ctx; + + static void display_authdata_list(krb5_authdata **list, krb5_keyblock *skey, +- krb5_keyblock *tktkey, char prefix_byte); ++ krb5_keyblock *tktkey, char prefix_byte, ++ krb5_boolean pac_expected); + + static void + check(krb5_error_code code) +@@ -206,7 +207,7 @@ display_binary_or_ascii(krb5_authdata *ad) + * must be the ticket session key. */ + static void + display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey, +- int prefix_byte) ++ int prefix_byte, krb5_boolean pac_expected) + { + krb5_authdata **inner_ad; + +@@ -214,13 +215,18 @@ display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey, + ad->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC || + ad->ad_type == KRB5_AUTHDATA_KDC_ISSUED || + ad->ad_type == KRB5_AUTHDATA_CAMMAC) { ++ if (ad->ad_type != KRB5_AUTHDATA_IF_RELEVANT) ++ pac_expected = FALSE; + /* Decode and display the contents. 
*/ + inner_ad = get_container_contents(ad, skey, tktkey); +- display_authdata_list(inner_ad, skey, tktkey, get_prefix_byte(ad)); ++ display_authdata_list(inner_ad, skey, tktkey, get_prefix_byte(ad), ++ pac_expected); + krb5_free_authdata(ctx, inner_ad); + return; + } + ++ assert(!pac_expected || ad->ad_type == KRB5_AUTHDATA_WIN2K_PAC); ++ + printf("%c", prefix_byte); + printf("%d: ", (int)ad->ad_type); + +@@ -233,12 +239,43 @@ display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey, + + static void + display_authdata_list(krb5_authdata **list, krb5_keyblock *skey, +- krb5_keyblock *tktkey, char prefix_byte) ++ krb5_keyblock *tktkey, char prefix_byte, ++ krb5_boolean pac_expected) + { + if (list == NULL) + return; +- for (; *list != NULL; list++) +- display_authdata(*list, skey, tktkey, prefix_byte); ++ /* Only expect a PAC in the first element, if at all. */ ++ for (; *list != NULL; list++) { ++ display_authdata(*list, skey, tktkey, prefix_byte, pac_expected); ++ pac_expected = FALSE; ++ } ++} ++ ++/* If a PAC is present in enc_part2, verify its service signature with key and ++ * set *has_pac to true. 
*/ ++static void ++check_pac(krb5_context context, krb5_enc_tkt_part *enc_part2, ++ const krb5_keyblock *key, krb5_boolean *has_pac) ++{ ++ krb5_authdata **authdata; ++ krb5_pac pac; ++ ++ *has_pac = FALSE; ++ ++ check(krb5_find_authdata(context, enc_part2->authorization_data, NULL, ++ KRB5_AUTHDATA_WIN2K_PAC, &authdata)); ++ if (authdata == NULL) ++ return; ++ ++ assert(authdata[1] == NULL); ++ check(krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, ++ &pac)); ++ krb5_free_authdata(context, authdata); ++ ++ check(krb5_pac_verify(context, pac, enc_part2->times.authtime, ++ enc_part2->client, key, NULL)); ++ krb5_pac_free(context, pac); ++ *has_pac = TRUE; + } + + int +@@ -252,6 +289,7 @@ main(int argc, char **argv) + krb5_ticket *ticket; + krb5_authdata **req_authdata = NULL, *ad; + krb5_keytab_entry ktent; ++ krb5_boolean with_pac; + size_t count; + int c; + +@@ -311,8 +349,10 @@ main(int argc, char **argv) + ticket->enc_part.enctype, &ktent)); + check(krb5_decrypt_tkt_part(ctx, &ktent.key, ticket)); + ++ check_pac(ctx, ticket->enc_part2, &ktent.key, &with_pac); + display_authdata_list(ticket->enc_part2->authorization_data, +- ticket->enc_part2->session, &ktent.key, ' '); ++ ticket->enc_part2->session, &ktent.key, ' ', ++ with_pac); + + while (count > 0) { + free(req_authdata[--count]->contents); diff --git a/krb5.spec b/krb5.spec index b2454fc..73216f6 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 0.beta2.1%{?dist} +Release: 0.beta2.2%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz 
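Review bot: In display_authdata, the new `if (ad->ad_type != KRB5_AUTHDATA_IF_RELEVANT) pac_expected = FALSE;` clears the expectation for KDC-ISSUED and CAMMAC containers before descending, so if a PAC is present but the first top-level element is one of those containers the new `assert(!pac_expected || ad->ad_type == KRB5_AUTHDATA_WIN2K_PAC)` never fires and a PAC placed later would not be caught; that is narrower than the commit message's "a PAC does not appear in authdata elements after the first". If the narrowing is deliberate (the requirement being that the PAC is the first element of the first AD-IF-RELEVANT container), a comment on that line should say so, e.g. `/* A PAC must be the first element of the first AD-IF-RELEVANT container; other container types are not expected to carry it. */`, otherwise the condition could be tightened to only keep pac_expected for the first element overall. In check_pac, `assert(authdata[1] == NULL)` pins exactly one PAC and the krb5_pac_verify() call passes NULL for the privsvr key, so only the server signature is checked; the comment above check_pac should state that so the test is not read as full PAC validation. The body of display_authdata is split across the inner hunks and partly outside them.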
@@ -50,6 +50,8 @@ Patch4: downstream-fix-debuginfo-with-y.tab.c.patch Patch5: downstream-Remove-3des-support.patch Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch8: Put-KDB-authdata-first.patch +Patch9: Test-that-PAC-is-the-first-authdata-element.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -623,6 +625,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Feb 06 2020 Robbie Harwood - 1.18-0.beta2.2 +- Put KDB authdata first + * Fri Jan 31 2020 Robbie Harwood - 1.18-0.beta2.1 - New upstream beta release - 1.18-beta2 - Adjust naming convention for downstream patches