Drop backports for RT#7656 and RT#7657

This commit is contained in:
Nalin Dahyabhai 2013-10-15 18:11:32 -04:00
parent 447ee6c9e6
commit f8f559ef32
4 changed files with 1 additions and 293 deletions

View File

@ -1,115 +0,0 @@
>From 8f6d12bae1a0f1d274593c4a06dfa5948aa61418 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Thu, 23 May 2013 08:38:20 +0200
Subject: [PATCH 1/2] krb5: Refator duplicate code for setting the AS REQ nonce
---
src/lib/krb5/krb/get_in_tkt.c | 64 +++++++++++++++++++++++--------------------
1 file changed, 35 insertions(+), 29 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 828b0fb..1058112 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -650,6 +650,34 @@ cleanup:
return code;
}
+static krb5_error_code
+update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_error_code code = 0;
+ unsigned char random_buf[4];
+ krb5_data random_data;
+
+ /*
+ * RFC 6113 requires a new nonce for the inner request on each try. It's
+ * permitted to change the nonce even for non-FAST as well.
+ */
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ code = krb5_c_random_make_octets(context, &random_data);
+ if (code != 0)
+ goto cleanup;
+
+ /*
+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
+ * compatibility problems with Heimdal, because we (incorrectly) encode
+ * this value as signed.
+ */
+ ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
+
+cleanup:
+ return code;
+}
+
/**
* Throw away any state related to specific realm either at the beginning of a
* request, or when a realm changes, or when we start to use FAST after
@@ -664,8 +692,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
krb5_error_code code = 0;
- unsigned char random_buf[4];
- krb5_data random_data;
krb5_timestamp from;
if (ctx->preauth_to_use) {
@@ -693,18 +719,10 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
goto cleanup;
}
- /* Set the request nonce. */
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- code = krb5_c_random_make_octets(context, &random_data);
- if (code !=0)
+ code = update_req_before_encoding(context, ctx);
+ if (code != 0)
goto cleanup;
- /*
- * See RT ticket 3196 at MIT. If we set the high bit, we may have
- * compatibility problems with Heimdal, because we (incorrectly) encode
- * this value as signed.
- */
- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
+
krb5_free_principal(context, ctx->request->server);
ctx->request->server = NULL;
@@ -1188,28 +1206,16 @@ init_creds_step_request(krb5_context context,
{
krb5_error_code code;
krb5_boolean got_real;
- char random_buf[4];
- krb5_data random_data;
if (ctx->loopcount >= MAX_IN_TKT_LOOPS) {
code = KRB5_GET_IN_TKT_LOOP;
goto cleanup;
}
- /*
- * RFC 6113 requires a new nonce for the inner request on each try. It's
- * permitted to change the nonce even for non-FAST so we do here.
- */
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- code = krb5_c_random_make_octets(context, &random_data);
- if (code !=0)
+
+ code = update_req_before_encoding(context, ctx);
+ if (code != 0)
goto cleanup;
- /*
- * See RT ticket 3196 at MIT. If we set the high bit, we may have
- * compatibility problems with Heimdal, because we (incorrectly) encode
- * this value as signed.
- */
- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
+
krb5_free_data(context, ctx->inner_request_body);
ctx->inner_request_body = NULL;
code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);
--
1.8.1.4

View File

@ -1,144 +0,0 @@
>From 51ab359d7cc6643cfd4fac28def2e1c756553201 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Thu, 23 May 2013 08:44:43 +0200
Subject: [PATCH 2/2] krb5: Fix ticket start and end time to respect skew
Since the kerberos protocol uses timestamp rather than duration deltas
for its starttime, endtime, and renewtime KDC AS REQ fields, we have
to calculate these with respect to the offsets we know about received
from the server.
Leverage the unauthenticated server time we received during preauth when
calculating these these timestamps from the duration deltas we use
in our krb5 api and tools.
In order to do this we have to update certain fields of the AS REQ
each time we encode it for sending to the KDC.
---
src/lib/krb5/krb/get_in_tkt.c | 44 +++++++++++++++++++++++--------------------
src/lib/krb5/krb/int-proto.h | 5 +++++
src/lib/krb5/krb/preauth2.c | 8 ++++++++
3 files changed, 37 insertions(+), 20 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 1058112..694c9b0b 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -656,6 +656,8 @@ update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
krb5_error_code code = 0;
unsigned char random_buf[4];
krb5_data random_data;
+ krb5_timestamp from;
+ krb5_int32 unused;
/*
* RFC 6113 requires a new nonce for the inner request on each try. It's
@@ -674,6 +676,28 @@ update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
*/
ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
+ code = k5_preauth_get_time(context, &ctx->preauth_rock, TRUE, &ctx->request_time, &unused);
+ if (code != 0)
+ goto cleanup;
+
+ /* Omit request start time in the common case. MIT and Heimdal KDCs will
+ * ignore it for non-postdated tickets anyway. */
+ from = krb5int_addint32(ctx->request_time, ctx->start_time);
+ if (ctx->start_time != 0)
+ ctx->request->from = from;
+ ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
+
+ if (ctx->renew_life > 0) {
+ ctx->request->rtime =
+ krb5int_addint32(from, ctx->renew_life);
+ if (ctx->request->rtime < ctx->request->till) {
+ /* don't ask for a smaller renewable time than the lifetime */
+ ctx->request->rtime = ctx->request->till;
+ }
+ ctx->request->kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
+ } else
+ ctx->request->rtime = 0;
+
cleanup:
return code;
}
@@ -692,7 +716,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
krb5_error_code code = 0;
- krb5_timestamp from;
if (ctx->preauth_to_use) {
krb5_free_pa_data(context, ctx->preauth_to_use);
@@ -732,8 +755,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
if (code != 0)
goto cleanup;
- ctx->request_time = time(NULL);
-
code = krb5int_fast_as_armor(context, ctx->fast_state,
ctx->opte, ctx->request);
if (code != 0)
@@ -747,23 +768,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
/* give the preauth plugins a chance to prep the request body */
krb5_preauth_prepare_request(context, ctx->opte, ctx->request);
- /* Omit request start time in the common case. MIT and Heimdal KDCs will
- * ignore it for non-postdated tickets anyway. */
- from = krb5int_addint32(ctx->request_time, ctx->start_time);
- if (ctx->start_time != 0)
- ctx->request->from = from;
- ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
-
- if (ctx->renew_life > 0) {
- ctx->request->rtime =
- krb5int_addint32(from, ctx->renew_life);
- if (ctx->request->rtime < ctx->request->till) {
- /* don't ask for a smaller renewable time than the lifetime */
- ctx->request->rtime = ctx->request->till;
- }
- ctx->request->kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
- } else
- ctx->request->rtime = 0;
code = krb5int_fast_prep_req_body(context, ctx->fast_state,
ctx->request,
&ctx->outer_request_body);
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 3326154..83a47c0 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -142,6 +142,11 @@ krb5_preauth_supply_preauth_data(krb5_context context,
const char *value);
krb5_error_code
+k5_preauth_get_time(krb5_context context, krb5_clpreauth_rock rock,
+ krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
+ krb5_int32 *usec_out);
+
+krb5_error_code
clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable);
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 747611e..167f611 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -397,6 +397,15 @@ get_preauth_time(krb5_context context, krb5_clpreauth_rock rock,
krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
krb5_int32 *usec_out)
{
+ return k5_preauth_get_time(context, rock, allow_unauth_time,
+ time_out, usec_out);
+}
+
+krb5_error_code
+k5_preauth_get_time(krb5_context context, krb5_clpreauth_rock rock,
+ krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
+ krb5_int32 *usec_out)
+{
if (rock->pa_offset_state != NO_OFFSET &&
(allow_unauth_time || rock->pa_offset_state == AUTH_OFFSET) &&
(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)) {
--
1.8.1.4

View File

@ -1,28 +0,0 @@
commit 3b1b31a57cd932eda928932e67f5f2857929f429
Author: Greg Hudson <ghudson@mit.edu>
Date: Sun Jun 2 15:36:40 2013 -0400
Fix spurious clock skew caused by preauth delay
Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented
clock skew caused by preauth delay by recording the time of the
initial request. However, it failed to take into account delay
between requests due to prompting during preauthentication. Fix this
by recording the request time for each request.
ticket: 7656 (new)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index ff455d3..0dd497e 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1256,6 +1256,9 @@ init_creds_step_request(krb5_context context,
}
}
+ /* Remember when we sent this request (after any preauth delay). */
+ ctx->request_time = time(NULL);
+
if (ctx->encoded_previous_request != NULL) {
krb5_free_data(context, ctx->encoded_previous_request);
ctx->encoded_previous_request = NULL;

View File

@ -88,10 +88,7 @@ Patch63: krb5-1.12-selinux-label.patch
Patch71: krb5-1.11-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch125: krb5-1.11.2-skew1.patch
Patch126: krb5-1.11.2-skew2.patch
Patch129: krb5-1.11-run_user_0.patch
Patch131: krb5-1.11.3-skew3.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch138: krb5-master-keyring-offsets.patch
Patch139: krb5-master-keyring-expiration.patch
@ -306,14 +303,11 @@ ln -s NOTICE LICENSE
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
%patch125 -p1 -b .skew1
%patch126 -p1 -b .skew2
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
%patch129 -p1 -b .run_user_0
%patch131 -p1 -b .skew3
%patch134 -p1 -b .kpasswdtest
%patch138 -p1 -b .keyring-offsets
%patch139 -p1 -b .keyring-expiration
@ -1016,6 +1010,7 @@ exit 0
- drop backport for RT#7709
- drop backport for RT#7590 and partial backport for RT#7680
- drop OTP backport
- drop backports for RT#7656 and RT#7657
* Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26
- create and own /etc/gss (#1019937)