- pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
This commit is contained in:
parent
6d68d342c9
commit
f28b57af20
78
krb5-trunk-7048.patch
Normal file
78
krb5-trunk-7048.patch
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
|
||||||
|
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
|
||||||
|
Date: Wed Dec 7 19:38:32 2011 +0000
|
||||||
|
|
||||||
|
ticket: 7048
|
||||||
|
subject: Allow null server key to krb5_pac_verify
|
||||||
|
|
||||||
|
When the KDC verifies a PAC, it doesn't really need to check the
|
||||||
|
server signature, since it can't trust that anyway. Allow the caller
|
||||||
|
to pass only a TGT key.
|
||||||
|
|
||||||
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
|
||||||
|
|
||||||
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
|
index f3d0225..83c2dc7 100644
|
||||||
|
--- a/src/include/krb5/krb5.hin
|
||||||
|
+++ b/src/include/krb5/krb5.hin
|
||||||
|
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
|
||||||
|
* @param [in] pac PAC handle
|
||||||
|
* @param [in] authtime Expected timestamp
|
||||||
|
* @param [in] principal Expected principal name (or NULL)
|
||||||
|
- * @param [in] server Key to validate server checksum
|
||||||
|
+ * @param [in] server Key to validate server checksum (or NULL)
|
||||||
|
* @param [in] privsvr Key to validate KDC checksum (or NULL)
|
||||||
|
*
|
||||||
|
* This function validates @a pac against the supplied @a server, @a privsvr,
|
||||||
|
* @a principal and @a authtime. If @a principal is NULL, the principal and
|
||||||
|
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
|
||||||
|
- * verified.
|
||||||
|
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
|
||||||
|
+ * corresponding checksum is not verified.
|
||||||
|
*
|
||||||
|
* If successful, @a pac is marked as verified.
|
||||||
|
*
|
||||||
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||||
|
index f173b04..23aa930 100644
|
||||||
|
--- a/src/lib/krb5/krb/pac.c
|
||||||
|
+++ b/src/lib/krb5/krb/pac.c
|
||||||
|
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
|
||||||
|
if (server == NULL)
|
||||||
|
return EINVAL;
|
||||||
|
|
||||||
|
- ret = k5_pac_verify_server_checksum(context, pac, server);
|
||||||
|
- if (ret != 0)
|
||||||
|
- return ret;
|
||||||
|
+ if (server != NULL) {
|
||||||
|
+ ret = k5_pac_verify_server_checksum(context, pac, server);
|
||||||
|
+ if (ret != 0)
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (privsvr != NULL) {
|
||||||
|
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
|
||||||
|
|
||||||
|
commit e31486a84380647e49ba6199a3e10ac739fa1a45
|
||||||
|
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
|
||||||
|
Date: Thu Dec 8 04:21:23 2011 +0000
|
||||||
|
|
||||||
|
ticket: 7048
|
||||||
|
|
||||||
|
Actually allow null server key in krb5_pac_verify
|
||||||
|
|
||||||
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||||
|
index 23aa930..3262d21 100644
|
||||||
|
--- a/src/lib/krb5/krb/pac.c
|
||||||
|
+++ b/src/lib/krb5/krb/pac.c
|
||||||
|
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
|
||||||
|
- if (server == NULL)
|
||||||
|
- return EINVAL;
|
||||||
|
-
|
||||||
|
if (server != NULL) {
|
||||||
|
ret = k5_pac_verify_server_checksum(context, pac, server);
|
||||||
|
if (ret != 0)
|
11
krb5.spec
11
krb5.spec
@ -15,7 +15,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.10
|
Version: 1.10
|
||||||
Release: 0%{?dist}.alpha1.2
|
Release: 0%{?dist}.alpha1.3
|
||||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
|
||||||
Source0: krb5-%{version}-alpha1.tar.gz
|
Source0: krb5-%{version}-alpha1.tar.gz
|
||||||
@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch
|
|||||||
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
|
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
|
||||||
Patch100: krb5-trunk-7046.patch
|
Patch100: krb5-trunk-7046.patch
|
||||||
Patch101: krb5-trunk-7047.patch
|
Patch101: krb5-trunk-7047.patch
|
||||||
|
Patch102: krb5-trunk-7048.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -229,6 +230,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch93 -p1 -b .2011-007
|
%patch93 -p1 -b .2011-007
|
||||||
%patch100 -p1 -b .7046
|
%patch100 -p1 -b .7046
|
||||||
%patch101 -p1 -b .7047
|
%patch101 -p1 -b .7047
|
||||||
|
%patch102 -p1 -b .7048
|
||||||
# XXX Temporary, backported from trunk.
|
# XXX Temporary, backported from trunk.
|
||||||
%patch92 -p1 -b .uninit
|
%patch92 -p1 -b .uninit
|
||||||
# XXX Temporary, fixed properly in trunk.
|
# XXX Temporary, fixed properly in trunk.
|
||||||
@ -743,11 +745,16 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
|
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.3
|
||||||
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
|
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
|
||||||
S4U2Proxy with the principal name of the proxying principal (part of #761317)
|
S4U2Proxy with the principal name of the proxying principal (part of #761317)
|
||||||
|
so that the default principal name can be set to that of the client for which
|
||||||
|
it is proxying, which results in the ccache looking more normal to consumers
|
||||||
|
of the ccache that don't care that there's proxying going on
|
||||||
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
|
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
|
||||||
(more of #761317)
|
(more of #761317)
|
||||||
|
- pull in patch for RT#7048: allow PAC verification to only bother trying to
|
||||||
|
verify the signature with keys that it's given (still more of #761317)
|
||||||
|
|
||||||
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
|
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
|
||||||
- apply upstream patch to fix a null pointer dereference when processing
|
- apply upstream patch to fix a null pointer dereference when processing
|
||||||
|
Loading…
Reference in New Issue
Block a user