From f28b57af20bf9c114ddc033d31eb3b706967bd5f Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 13 Dec 2011 10:50:02 -0500 Subject: [PATCH] - pull in patch for RT#7048: allow PAC verification to only bother trying to verify the signature with keys that it's given (still more of #761317) --- krb5-trunk-7048.patch | 78 +++++++++++++++++++++++++++++++++++++++++++ krb5.spec | 11 ++++-- 2 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 krb5-trunk-7048.patch diff --git a/krb5-trunk-7048.patch b/krb5-trunk-7048.patch new file mode 100644 index 0000000..0399565 --- /dev/null +++ b/krb5-trunk-7048.patch @@ -0,0 +1,78 @@ +commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e +Author: ghudson +Date: Wed Dec 7 19:38:32 2011 +0000 + + ticket: 7048 + subject: Allow null server key to krb5_pac_verify + + When the KDC verifies a PAC, it doesn't really need to check the + server signature, since it can't trust that anyway. Allow the caller + to pass only a TGT key. + + git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970 + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index f3d0225..83c2dc7 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len, + * @param [in] pac PAC handle + * @param [in] authtime Expected timestamp + * @param [in] principal Expected principal name (or NULL) +- * @param [in] server Key to validate server checksum ++ * @param [in] server Key to validate server checksum (or NULL) + * @param [in] privsvr Key to validate KDC checksum (or NULL) + * + * This function validates @a pac against the supplied @a server, @a privsvr, + * @a principal and @a authtime. If @a principal is NULL, the principal and +- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not +- * verified. ++ * authtime are not verified. If @a server or @a privsvr is NULL, the ++ * corresponding checksum is not verified. + * + * If successful, @a pac is marked as verified. + * +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index f173b04..23aa930 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context, + if (server == NULL) + return EINVAL; + +- ret = k5_pac_verify_server_checksum(context, pac, server); +- if (ret != 0) +- return ret; ++ if (server != NULL) { ++ ret = k5_pac_verify_server_checksum(context, pac, server); ++ if (ret != 0) ++ return ret; ++ } + + if (privsvr != NULL) { + ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); + +commit e31486a84380647e49ba6199a3e10ac739fa1a45 +Author: ghudson +Date: Thu Dec 8 04:21:23 2011 +0000 + + ticket: 7048 + + Actually allow null server key in krb5_pac_verify + + git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970 + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 23aa930..3262d21 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context, + { + krb5_error_code ret; + +- if (server == NULL) +- return EINVAL; +- + if (server != NULL) { + ret = k5_pac_verify_server_checksum(context, pac, server); + if (ret != 0) diff --git a/krb5.spec b/krb5.spec index 795834d..00aa160 100644 --- a/krb5.spec +++ b/krb5.spec @@ -15,7 +15,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10 -Release: 0%{?dist}.alpha1.2 +Release: 0%{?dist}.alpha1.3 # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar Source0: krb5-%{version}-alpha1.tar.gz @@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt Patch100: krb5-trunk-7046.patch Patch101: krb5-trunk-7047.patch +Patch102: krb5-trunk-7048.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -229,6 +230,7 @@ ln -s NOTICE LICENSE %patch93 -p1 -b .2011-007 %patch100 -p1 -b .7046 %patch101 -p1 -b .7047 +%patch102 -p1 -b .7048 # XXX Temporary, backported from trunk. %patch92 -p1 -b .uninit # XXX Temporary, fixed properly in trunk. @@ -743,11 +745,16 @@ exit 0 %{_sbindir}/uuserver %changelog -* Tue Dec 13 2011 Nalin Dahyabhai +* Tue Dec 13 2011 Nalin Dahyabhai 1.10-0.alpha1.3 - pull in patch for RT#7046: tag a ccache containing credentials obtained via S4U2Proxy with the principal name of the proxying principal (part of #761317) + so that the default principal name can be set to that of the client for which + it is proxying, which results in the ccache looking more normal to consumers + of the ccache that don't care that there's proxying going on - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached (more of #761317) +- pull in patch for RT#7048: allow PAC verification to only bother trying to + verify the signature with keys that it's given (still more of #761317) * Tue Dec 6 2011 Nalin Dahyabhai 1.10-0.alpha1.2 - apply upstream patch to fix a null pointer dereference when processing