Drop OTP backport
This commit is contained in:
Nalin Dahyabhai
parent
7448cea67e
commit
f619caa9c9
@ -1,230 +0,0 @@
|
||||
From c7047421487c0e616b881c0922937bc759114233 Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Fri, 3 May 2013 15:44:44 -0400
|
||||
Subject: [PATCH 1/3] Check for keys in encrypted timestamp/challenge
|
||||
|
||||
Encrypted timestamp and encrypted challenge cannot succeed if the
|
||||
client has no long-term key matching the request enctypes, so do not
|
||||
offer them in that case.
|
||||
|
||||
ticket: 7630
|
||||
|
||||
NPM - This is a backport from the upstream fix. See upstream commits:
|
||||
https://github.com/krb5/krb5/commit/e50482720a805ecd8c160e4a8f4a846e6327dca2
|
||||
https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
|
||||
---
|
||||
src/kdc/kdc_preauth_ec.c | 23 +++++++++++++++++++++--
|
||||
src/kdc/kdc_preauth_encts.c | 22 ++++++++++++++++++++--
|
||||
2 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
|
||||
index 9d7236c..db3ad07 100644
|
||||
--- a/src/kdc/kdc_preauth_ec.c
|
||||
+++ b/src/kdc/kdc_preauth_ec.c
|
||||
@@ -39,8 +39,27 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
|
||||
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
|
||||
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
|
||||
{
|
||||
- krb5_keyblock *armor_key = cb->fast_armor(context, rock);
|
||||
- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
|
||||
+ krb5_boolean have_client_keys = FALSE;
|
||||
+ krb5_keyblock *armor_key;
|
||||
+ krb5_key_data *kd;
|
||||
+ int i;
|
||||
+
|
||||
+ armor_key = cb->fast_armor(context, rock);
|
||||
+
|
||||
+ for (i = 0; i < rock->request->nktypes; i++) {
|
||||
+ if (krb5_dbe_find_enctype(context, rock->client,
|
||||
+ rock->request->ktype[i],
|
||||
+ -1, 0, &kd) == 0) {
|
||||
+ have_client_keys = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Encrypted challenge only works with FAST, and requires a client key. */
|
||||
+ if (armor_key == NULL || !have_client_keys)
|
||||
+ (*respond)(arg, ENOENT, NULL);
|
||||
+ else
|
||||
+ (*respond)(arg, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
|
||||
index d708061..adde6e2 100644
|
||||
--- a/src/kdc/kdc_preauth_encts.c
|
||||
+++ b/src/kdc/kdc_preauth_encts.c
|
||||
@@ -34,9 +34,27 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
|
||||
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
|
||||
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
|
||||
{
|
||||
- krb5_keyblock *armor_key = cb->fast_armor(context, rock);
|
||||
+ krb5_boolean have_client_keys = FALSE;
|
||||
+ krb5_keyblock *armor_key;
|
||||
+ krb5_key_data *kd;
|
||||
+ int i;
|
||||
+
|
||||
+ armor_key = cb->fast_armor(context, rock);
|
||||
+
|
||||
+ for (i = 0; i < rock->request->nktypes; i++) {
|
||||
+ if (krb5_dbe_find_enctype(context, rock->client,
|
||||
+ rock->request->ktype[i],
|
||||
+ -1, 0, &kd) == 0) {
|
||||
+ have_client_keys = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
|
||||
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
|
||||
+ if (armor_key != NULL || !have_client_keys)
|
||||
+ (*respond)(arg, ENOENT, NULL);
|
||||
+ else
|
||||
+ (*respond)(arg, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
|
||||
From 4d19790527e2c9d52bb05abd6048a63a1a8c222c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 29 Apr 2013 14:55:31 -0400
|
||||
Subject: [PATCH 2/3] Don't send empty etype info from KDC
|
||||
|
||||
RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
|
||||
sequences), and our client errors out if it sees an empty sequence of
|
||||
either.
|
||||
|
||||
ticket: 7630
|
||||
---
|
||||
src/kdc/kdc_preauth.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
||||
index 42a37a8..5c3b615 100644
|
||||
--- a/src/kdc/kdc_preauth.c
|
||||
+++ b/src/kdc/kdc_preauth.c
|
||||
@@ -1404,6 +1404,11 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
|
||||
seen_des++;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* If the list is empty, don't send it at all. */
|
||||
+ if (i == 0)
|
||||
+ goto cleanup;
|
||||
+
|
||||
if (etype_info2)
|
||||
retval = encode_krb5_etype_info2(entry, &scratch);
|
||||
else
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
|
||||
From a04cf2e89f4101eb6c2ec44ef1948976fe5fe9d3 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 2 May 2013 16:15:32 -0400
|
||||
Subject: [PATCH 3/3] Make AS requests work with no client key
|
||||
|
||||
If we cannot find a client key while preparing an AS reply, give
|
||||
preauth mechanisms a chance to replace the reply key before erroring
|
||||
out.
|
||||
|
||||
ticket: 7630
|
||||
---
|
||||
src/kdc/do_as_req.c | 36 ++++++++++++++++++++----------------
|
||||
src/kdc/kdc_preauth.c | 6 ++++++
|
||||
2 files changed, 26 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
|
||||
index 79da300..cb91803 100644
|
||||
--- a/src/kdc/do_as_req.c
|
||||
+++ b/src/kdc/do_as_req.c
|
||||
@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
|
||||
useenctype, -1, 0, &client_key))
|
||||
break;
|
||||
}
|
||||
- if (!(client_key)) {
|
||||
- /* Cannot find an appropriate key */
|
||||
- state->status = "CANT_FIND_CLIENT_KEY";
|
||||
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||
- goto egress;
|
||||
- }
|
||||
- state->rock.client_key = client_key;
|
||||
|
||||
- /* convert client.key_data into a real key */
|
||||
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
|
||||
- client_key,
|
||||
- &state->client_keyblock,
|
||||
- NULL))) {
|
||||
- state->status = "DECRYPT_CLIENT_KEY";
|
||||
- goto egress;
|
||||
+ if (client_key != NULL) {
|
||||
+ /* Decrypt the client key data entry to get the real reply key. */
|
||||
+ errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key,
|
||||
+ &state->client_keyblock, NULL);
|
||||
+ if (errcode) {
|
||||
+ state->status = "DECRYPT_CLIENT_KEY";
|
||||
+ goto egress;
|
||||
+ }
|
||||
+ state->client_keyblock.enctype = useenctype;
|
||||
+ state->rock.client_key = client_key;
|
||||
}
|
||||
- state->client_keyblock.enctype = useenctype;
|
||||
|
||||
/* Start assembling the response */
|
||||
state->reply.msg_type = KRB5_AS_REP;
|
||||
@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
|
||||
goto egress;
|
||||
}
|
||||
|
||||
+ /* If we didn't find a client long-term key and no preauth mechanism
|
||||
+ * replaced the reply key, error out now. */
|
||||
+ if (state->client_keyblock.enctype == ENCTYPE_NULL) {
|
||||
+ state->status = "CANT_FIND_CLIENT_KEY";
|
||||
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||
+ goto egress;
|
||||
+ }
|
||||
+
|
||||
errcode = handle_authdata(kdc_context,
|
||||
state->c_flags,
|
||||
state->client,
|
||||
@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
|
||||
&state->reply_encpart, 0,
|
||||
as_encrypting_key,
|
||||
&state->reply, &response);
|
||||
- state->reply.enc_part.kvno = client_key->key_data_kvno;
|
||||
+ if (client_key != NULL)
|
||||
+ state->reply.enc_part.kvno = client_key->key_data_kvno;
|
||||
if (errcode) {
|
||||
state->status = "ENCODE_KDC_REP";
|
||||
goto egress;
|
||||
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
||||
index 5c3b615..5d12346 100644
|
||||
--- a/src/kdc/kdc_preauth.c
|
||||
+++ b/src/kdc/kdc_preauth.c
|
||||
@@ -1473,6 +1473,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
|
||||
krb5_etype_info_entry **entry = NULL;
|
||||
krb5_data *scratch = NULL;
|
||||
|
||||
+ if (client_key == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
/*
|
||||
* Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
|
||||
* enctypes.
|
||||
@@ -1576,6 +1579,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
|
||||
krb5_key_data * client_key = rock->client_key;
|
||||
int i;
|
||||
|
||||
+ if (client_key == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
for (i = 0; i < request->nktypes; i++) {
|
||||
if (enctype_requires_etype_info_2(request->ktype[i]))
|
||||
return 0;
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -97,10 +97,6 @@ Patch138: krb5-master-keyring-offsets.patch
|
||||
Patch139: krb5-master-keyring-expiration.patch
|
||||
Patch140: krb5-1.12-alpha-gss-ccache-import.patch
|
||||
|
||||
# Patches for otp plugin backport
|
||||
Patch201: krb5-1.11.2-keycheck.patch
|
||||
Patch202: krb5-1.11.2-otp.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
Group: System Environment/Libraries
|
||||
@ -323,9 +319,6 @@ ln -s NOTICE LICENSE
|
||||
%patch139 -p1 -b .keyring-expiration
|
||||
%patch140 -p1 -b .gss-ccache-import
|
||||
|
||||
%patch201 -p1 -b .keycheck
|
||||
%patch202 -p1 -b .otp
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt
|
||||
|
||||
@ -1022,6 +1015,7 @@ exit 0
|
||||
- drop backports for RT#7682
|
||||
- drop backport for RT#7709
|
||||
- drop backport for RT#7590 and partial backport for RT#7680
|
||||
- drop OTP backport
|
||||
|
||||
* Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26
|
||||
- create and own /etc/gss (#1019937)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user