- pull in patch for RT#7048: allow PAC verification to only bother trying to

verify the signature with keys that it's given (still more of #761317)
2011-12-13 10:50:02 -05:00 · 2011-12-13 10:50:02 -05:00 · f28b57af20
commit f28b57af20
parent 6d68d342c9
2 changed files with 87 additions and 2 deletions
--- a/krb5-trunk-7048.patch
+++ b/krb5-trunk-7048.patch
@ -0,0 +1,78 @@
+commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
+Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Wed Dec 7 19:38:32 2011 +0000
+
+    ticket: 7048
+    subject: Allow null server key to krb5_pac_verify
+    
+    When the KDC verifies a PAC, it doesn't really need to check the
+    server signature, since it can't trust that anyway.  Allow the caller
+    to pass only a TGT key.
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index f3d0225..83c2dc7 100644
+--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
+@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
+  * @param [in] pac              PAC handle
+  * @param [in] authtime         Expected timestamp
+  * @param [in] principal        Expected principal name (or NULL)
+- * @param [in] server           Key to validate server checksum
+ * @param [in] server           Key to validate server checksum (or NULL)
+  * @param [in] privsvr          Key to validate KDC checksum (or NULL)
+  *
+  * This function validates @a pac against the supplied @a server, @a privsvr,
+  * @a principal and @a authtime.  If @a principal is NULL, the principal and
+- * authtime are not verified.  If @a privsvr is NULL, the KDC checksum is not
+- * verified.
+ * authtime are not verified.  If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
+  *
+  * If successful, @a pac is marked as verified.
+  *
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index f173b04..23aa930 100644
+--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
+@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
+     if (server == NULL)
+         return EINVAL;
+ 
+-    ret = k5_pac_verify_server_checksum(context, pac, server);
+-    if (ret != 0)
+-        return ret;
+    if (server != NULL) {
+        ret = k5_pac_verify_server_checksum(context, pac, server);
+        if (ret != 0)
+            return ret;
+    }
+ 
+     if (privsvr != NULL) {
+         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+
+commit e31486a84380647e49ba6199a3e10ac739fa1a45
+Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Thu Dec 8 04:21:23 2011 +0000
+
+    ticket: 7048
+    
+    Actually allow null server key in krb5_pac_verify
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 23aa930..3262d21 100644
+--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
+@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
+ {
+     krb5_error_code ret;
+ 
+-    if (server == NULL)
+-        return EINVAL;
+-
+     if (server != NULL) {
+         ret = k5_pac_verify_server_checksum(context, pac, server);
+         if (ret != 0)
--- a/krb5.spec
+++ b/krb5.spec
@ -15,7 +15,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10
-Release: 0%{?dist}.alpha1.2
+Release: 0%{?dist}.alpha1.3
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
 Source0: krb5-%{version}-alpha1.tar.gz
@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch
 Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
 Patch100: krb5-trunk-7046.patch
 Patch101: krb5-trunk-7047.patch
+Patch102: krb5-trunk-7048.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -229,6 +230,7 @@ ln -s NOTICE LICENSE
 %patch93 -p1 -b .2011-007
 %patch100 -p1 -b .7046
 %patch101 -p1 -b .7047
+%patch102 -p1 -b .7048
 # XXX Temporary, backported from trunk.
 %patch92 -p1 -b .uninit
 # XXX Temporary, fixed properly in trunk.
@ -743,11 +745,16 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
-* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
+* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.3
 - pull in patch for RT#7046: tag a ccache containing credentials obtained via
  S4U2Proxy with the principal name of the proxying principal (part of #761317)
+  so that the default principal name can be set to that of the client for which
+  it is proxying, which results in the ccache looking more normal to consumers
+  of the ccache that don't care that there's proxying going on
 - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
  (more of #761317)
+- pull in patch for RT#7048: allow PAC verification to only bother trying to
+  verify the signature with keys that it's given (still more of #761317)

 * Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
 - apply upstream patch to fix a null pointer dereference when processing