- pull in patch for RT#7048: allow PAC verification to only bother trying to

verify the signature with keys that it's given (still more of #761317)
This commit is contained in:
Nalin Dahyabhai 2011-12-13 10:50:02 -05:00
parent 6d68d342c9
commit f28b57af20
2 changed files with 87 additions and 2 deletions

78
krb5-trunk-7048.patch Normal file
View File

@ -0,0 +1,78 @@
commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:32 2011 +0000
ticket: 7048
subject: Allow null server key to krb5_pac_verify
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
- * @param [in] server Key to validate server checksum
+ * @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
if (server == NULL)
return EINVAL;
- ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
- return ret;
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Dec 8 04:21:23 2011 +0000
ticket: 7048
Actually allow null server key in krb5_pac_verify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
{
krb5_error_code ret;
- if (server == NULL)
- return EINVAL;
-
if (server != NULL) {
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)

View File

@ -15,7 +15,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10
Release: 0%{?dist}.alpha1.2
Release: 0%{?dist}.alpha1.3
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
Source0: krb5-%{version}-alpha1.tar.gz
@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
Patch100: krb5-trunk-7046.patch
Patch101: krb5-trunk-7047.patch
Patch102: krb5-trunk-7048.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -229,6 +230,7 @@ ln -s NOTICE LICENSE
%patch93 -p1 -b .2011-007
%patch100 -p1 -b .7046
%patch101 -p1 -b .7047
%patch102 -p1 -b .7048
# XXX Temporary, backported from trunk.
%patch92 -p1 -b .uninit
# XXX Temporary, fixed properly in trunk.
@ -743,11 +745,16 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.3
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
so that the default principal name can be set to that of the client for which
it is proxying, which results in the ccache looking more normal to consumers
of the ccache that don't care that there's proxying going on
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
(more of #761317)
- pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
- apply upstream patch to fix a null pointer dereference when processing