Drop backports for RT#7656 and RT#7657
This commit is contained in:
parent
447ee6c9e6
commit
f8f559ef32
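--- a/krb5-1.11.2-skew1.patch
+++ /dev/null
@@ -1,115 +0,0 @@
->From 8f6d12bae1a0f1d274593c4a06dfa5948aa61418 Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Thu, 23 May 2013 08:38:20 +0200
-Subject: [PATCH 1/2] krb5: Refator duplicate code for setting the AS REQ nonce
-
----
-src/lib/krb5/krb/get_in_tkt.c | 64 +++++++++++++++++++++++--------------------
-1 file changed, 35 insertions(+), 29 deletions(-)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 828b0fb..1058112 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -650,6 +650,34 @@ cleanup:
-return code;
-}
-
-+static krb5_error_code
-+update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
-+{
-+ krb5_error_code code = 0;
-+ unsigned char random_buf[4];
-+ krb5_data random_data;
-+
-+ /*
-+ * RFC 6113 requires a new nonce for the inner request on each try. It's
-+ * permitted to change the nonce even for non-FAST as well.
-+ */
-+ random_data.length = 4;
-+ random_data.data = (char *)random_buf;
-+ code = krb5_c_random_make_octets(context, &random_data);
-+ if (code != 0)
-+ goto cleanup;
-+
-+ /*
-+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
-+ * compatibility problems with Heimdal, because we (incorrectly) encode
-+ * this value as signed.
-+ */
-+ ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
-+
-+cleanup:
-+ return code;
-+}
-+
-/**
-* Throw away any state related to specific realm either at the beginning of a
-* request, or when a realm changes, or when we start to use FAST after
-@@ -664,8 +692,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
-krb5_pa_data **padata)
-{
-krb5_error_code code = 0;
-- unsigned char random_buf[4];
-- krb5_data random_data;
-krb5_timestamp from;
-
-if (ctx->preauth_to_use) {
-@@ -693,18 +719,10 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
-goto cleanup;
-}
-
-- /* Set the request nonce. */
-- random_data.length = 4;
-- random_data.data = (char *)random_buf;
-- code = krb5_c_random_make_octets(context, &random_data);
-- if (code !=0)
-+ code = update_req_before_encoding(context, ctx);
-+ if (code != 0)
-goto cleanup;
-- /*
-- * See RT ticket 3196 at MIT. If we set the high bit, we may have
-- * compatibility problems with Heimdal, because we (incorrectly) encode
-- * this value as signed.
-- */
-- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
-+
-krb5_free_principal(context, ctx->request->server);
-ctx->request->server = NULL;
-
-@@ -1188,28 +1206,16 @@ init_creds_step_request(krb5_context context,
-{
-krb5_error_code code;
-krb5_boolean got_real;
-- char random_buf[4];
-- krb5_data random_data;
-
-if (ctx->loopcount >= MAX_IN_TKT_LOOPS) {
-code = KRB5_GET_IN_TKT_LOOP;
-goto cleanup;
-}
-- /*
-- * RFC 6113 requires a new nonce for the inner request on each try. It's
-- * permitted to change the nonce even for non-FAST so we do here.
-- */
-- random_data.length = 4;
-- random_data.data = (char *)random_buf;
-- code = krb5_c_random_make_octets(context, &random_data);
-- if (code !=0)
-+
-+ code = update_req_before_encoding(context, ctx);
-+ if (code != 0)
-goto cleanup;
-- /*
-- * See RT ticket 3196 at MIT. If we set the high bit, we may have
-- * compatibility problems with Heimdal, because we (incorrectly) encode
-- * this value as signed.
-- */
-- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
-+
-krb5_free_data(context, ctx->inner_request_body);
-ctx->inner_request_body = NULL;
-code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);
---
-1.8.1.4
-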
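--- a/krb5-1.11.2-skew2.patch
+++ /dev/null
@@ -1,144 +0,0 @@
->From 51ab359d7cc6643cfd4fac28def2e1c756553201 Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Thu, 23 May 2013 08:44:43 +0200
-Subject: [PATCH 2/2] krb5: Fix ticket start and end time to respect skew
-
-Since the kerberos protocol uses timestamp rather than duration deltas
-for its starttime, endtime, and renewtime KDC AS REQ fields, we have
-to calculate these with respect to the offsets we know about received
-from the server.
-
-Leverage the unauthenticated server time we received during preauth when
-calculating these these timestamps from the duration deltas we use
-in our krb5 api and tools.
-
-In order to do this we have to update certain fields of the AS REQ
-each time we encode it for sending to the KDC.
----
-src/lib/krb5/krb/get_in_tkt.c | 44 +++++++++++++++++++++++--------------------
-src/lib/krb5/krb/int-proto.h | 5 +++++
-src/lib/krb5/krb/preauth2.c | 8 ++++++++
-3 files changed, 37 insertions(+), 20 deletions(-)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 1058112..694c9b0b 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -656,6 +656,8 @@ update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
-krb5_error_code code = 0;
-unsigned char random_buf[4];
-krb5_data random_data;
-+ krb5_timestamp from;
-+ krb5_int32 unused;
-
-/*
-* RFC 6113 requires a new nonce for the inner request on each try. It's
-@@ -674,6 +676,28 @@ update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
-*/
-ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
-
-+ code = k5_preauth_get_time(context, &ctx->preauth_rock, TRUE, &ctx->request_time, &unused);
-+ if (code != 0)
-+ goto cleanup;
-+
-+ /* Omit request start time in the common case. MIT and Heimdal KDCs will
-+ * ignore it for non-postdated tickets anyway. */
-+ from = krb5int_addint32(ctx->request_time, ctx->start_time);
-+ if (ctx->start_time != 0)
-+ ctx->request->from = from;
-+ ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
-+
-+ if (ctx->renew_life > 0) {
-+ ctx->request->rtime =
-+ krb5int_addint32(from, ctx->renew_life);
-+ if (ctx->request->rtime < ctx->request->till) {
-+ /* don't ask for a smaller renewable time than the lifetime */
-+ ctx->request->rtime = ctx->request->till;
-+ }
-+ ctx->request->kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
-+ } else
-+ ctx->request->rtime = 0;
-+
-cleanup:
-return code;
-}
-@@ -692,7 +716,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
-krb5_pa_data **padata)
-{
-krb5_error_code code = 0;
-- krb5_timestamp from;
-
-if (ctx->preauth_to_use) {
-krb5_free_pa_data(context, ctx->preauth_to_use);
-@@ -732,8 +755,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
-if (code != 0)
-goto cleanup;
-
-- ctx->request_time = time(NULL);
--
-code = krb5int_fast_as_armor(context, ctx->fast_state,
-ctx->opte, ctx->request);
-if (code != 0)
-@@ -747,23 +768,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
-/* give the preauth plugins a chance to prep the request body */
-krb5_preauth_prepare_request(context, ctx->opte, ctx->request);
-
-- /* Omit request start time in the common case. MIT and Heimdal KDCs will
-- * ignore it for non-postdated tickets anyway. */
-- from = krb5int_addint32(ctx->request_time, ctx->start_time);
-- if (ctx->start_time != 0)
-- ctx->request->from = from;
-- ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
--
-- if (ctx->renew_life > 0) {
-- ctx->request->rtime =
-- krb5int_addint32(from, ctx->renew_life);
-- if (ctx->request->rtime < ctx->request->till) {
-- /* don't ask for a smaller renewable time than the lifetime */
-- ctx->request->rtime = ctx->request->till;
-- }
-- ctx->request->kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
-- } else
-- ctx->request->rtime = 0;
-code = krb5int_fast_prep_req_body(context, ctx->fast_state,
-ctx->request,
-&ctx->outer_request_body);
-diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
-index 3326154..83a47c0 100644
---- a/src/lib/krb5/krb/int-proto.h
-+++ b/src/lib/krb5/krb/int-proto.h
-@@ -142,6 +142,11 @@ krb5_preauth_supply_preauth_data(krb5_context context,
-const char *value);
-
-krb5_error_code
-+k5_preauth_get_time(krb5_context context, krb5_clpreauth_rock rock,
-+ krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
-+ krb5_int32 *usec_out);
-+
-+krb5_error_code
-clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
-int min_ver, krb5_plugin_vtable vtable);
-
-diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
-index 747611e..167f611 100644
---- a/src/lib/krb5/krb/preauth2.c
-+++ b/src/lib/krb5/krb/preauth2.c
-@@ -397,6 +397,15 @@ get_preauth_time(krb5_context context, krb5_clpreauth_rock rock,
-krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
-krb5_int32 *usec_out)
-{
-+ return k5_preauth_get_time(context, rock, allow_unauth_time,
-+ time_out, usec_out);
-+}
-+
-+krb5_error_code
-+k5_preauth_get_time(krb5_context context, krb5_clpreauth_rock rock,
-+ krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
-+ krb5_int32 *usec_out)
-+{
-if (rock->pa_offset_state != NO_OFFSET &&
-(allow_unauth_time || rock->pa_offset_state == AUTH_OFFSET) &&
-(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)) {
---
-1.8.1.4
-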
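--- a/krb5-1.11.3-skew3.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 3b1b31a57cd932eda928932e67f5f2857929f429
-Author: Greg Hudson <ghudson@mit.edu>
-Date: Sun Jun 2 15:36:40 2013 -0400
-
-Fix spurious clock skew caused by preauth delay
-
-Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented
-clock skew caused by preauth delay by recording the time of the
-initial request. However, it failed to take into account delay
-between requests due to prompting during preauthentication. Fix this
-by recording the request time for each request.
-
-ticket: 7656 (new)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index ff455d3..0dd497e 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1256,6 +1256,9 @@ init_creds_step_request(krb5_context context,
-}
-}
-
-+ /* Remember when we sent this request (after any preauth delay). */
-+ ctx->request_time = time(NULL);
-+
-if (ctx->encoded_previous_request != NULL) {
-krb5_free_data(context, ctx->encoded_previous_request);
-ctx->encoded_previous_request = NULL;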
@ -88,10 +88,7 @@ Patch63: krb5-1.12-selinux-label.patch
Patch71: krb5-1.11-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch125: krb5-1.11.2-skew1.patch
Patch126: krb5-1.11.2-skew2.patch
Patch129: krb5-1.11-run_user_0.patch
Patch131: krb5-1.11.3-skew3.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch138: krb5-master-keyring-offsets.patch
Patch139: krb5-master-keyring-expiration.patch
@ -306,14 +303,11 @@ ln -s NOTICE LICENSE
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
%patch125 -p1 -b .skew1
%patch126 -p1 -b .skew2
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
%patch129 -p1 -b .run_user_0
%patch131 -p1 -b .skew3
%patch134 -p1 -b .kpasswdtest
%patch138 -p1 -b .keyring-offsets
%patch139 -p1 -b .keyring-expiration
@ -1016,6 +1010,7 @@ exit 0
- drop backport for RT#7709
- drop backport for RT#7590 and partial backport for RT#7680
- drop OTP backport
- drop backports for RT#7656 and RT#7657
* Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26
- create and own /etc/gss (#1019937)
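Review bot: The changelog entry added at the end of this section, `- drop backports for RT#7656 and RT#7657`, records that Patch125, Patch126 and Patch131 (the three skew patches) are removed but not why, and nothing in the spec hunks shows a replacement for them. The deleted patch for ticket 7656 (apparently krb5-1.11.3-skew3.patch) fixed spurious clock skew caused by delay during preauth prompting, and the two 1.11.2 skew patches moved the nonce and from/till/rtime computation into a per-encode helper that uses the server time learned during preauth; unless the base 1.11.3 tarball already carries equivalent changes, builds from this spec will again hit clock-skew failures after slow preauth prompts. Suggest recording the reason in the entry, e.g. `- drop backports for RT#7656 and RT#7657 (<reason placeholder: superseded upstream / caused regressions>)`, so a later maintainer can tell whether this was a deliberate revert or an unintended loss of fixes.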