diff --git a/Avoid-passing-DB-entry-structures-in-KDC.patch b/Avoid-passing-DB-entry-structures-in-KDC.patch
new file mode 100644
index 0000000..e5cff1a
--- /dev/null
+++ b/Avoid-passing-DB-entry-structures-in-KDC.patch
@@ -0,0 +1,298 @@
+From dd8b146093d4bdf8a7d0c0eb8156b62d090448d7 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 30 Sep 2020 02:12:00 -0400
+Subject: [PATCH] Avoid passing DB entry structures in KDC
+
+When validating AS or TGS requests, pass pointers to DB entry
+structures, not the structures themselves.
+
+(cherry picked from commit 7ccc08a889b40693b2ce7f108f2cdda51bc04bff)
+---
+ src/kdc/do_as_req.c | 4 ++--
+ src/kdc/do_tgs_req.c | 2 +-
+ src/kdc/kdc_util.c | 34 +++++++++++++++++-----------------
+ src/kdc/kdc_util.h | 6 +++---
+ src/kdc/tgs_policy.c | 35 ++++++++++++++++++-----------------
+ 5 files changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 9ae7b0a5e..c2dfea9b8 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -663,8 +663,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ au_state->stage = VALIDATE_POL;
+
+ if ((errcode = validate_as_request(kdc_active_realm,
+- state->request, *state->client,
+- *state->server, state->kdc_time,
++ state->request, state->client,
++ state->server, state->kdc_time,
+ &state->status, &state->e_data))) {
+ errcode += ERROR_TABLE_BASE_krb5;
+ goto errout;
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 74cd19e96..d345797c4 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -260,7 +260,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+ goto cleanup;
+
+ if ((retval = validate_tgs_request(kdc_active_realm,
+- request, *server, header_ticket,
++ request, server, header_ticket,
+ kdc_time, &status, &e_data))) {
+ if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
+ au_state->violation = PROT_CONSTRAINT;
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a4a05b9fa..b2042862a 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -612,8 +612,8 @@ check_anon(kdc_realm_t *kdc_active_realm,
+ KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)
+ int
+
validate_as_request(kdc_realm_t *kdc_active_realm,
+- krb5_kdc_req *request, krb5_db_entry client,
+- krb5_db_entry server, krb5_timestamp kdc_time,
++ krb5_kdc_req *request, krb5_db_entry *client,
++ krb5_db_entry *server, krb5_timestamp kdc_time,
+ const char **status, krb5_pa_data ***e_data)
+ {
+ krb5_error_code ret;
+@@ -627,7 +627,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ }
+
+ /* The client must not be expired */
+- if (client.expiration && ts_after(kdc_time, client.expiration)) {
++ if (client->expiration && ts_after(kdc_time, client->expiration)) {
+ *status = "CLIENT EXPIRED";
+ if (vague_errors)
+ return(KRB_ERR_GENERIC);
+@@ -637,8 +637,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+
+ /* The client's password must not be expired, unless the server is
+ a KRB5_KDC_PWCHANGE_SERVICE. */
+- if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) &&
+- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
++ if (client->pw_expiration && ts_after(kdc_time, client->pw_expiration) &&
++ !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+ *status = "CLIENT KEY EXPIRED";
+ if (vague_errors)
+ return(KRB_ERR_GENERIC);
+@@ -647,7 +647,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ }
+
+ /* The server must not be expired */
+- if (server.expiration && ts_after(kdc_time, server.expiration)) {
++ if (server->expiration && ts_after(kdc_time, server->expiration)) {
+ *status = "SERVICE EXPIRED";
+ return(KDC_ERR_SERVICE_EXP);
+ }
+@@ -656,8 +656,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ * If the client requires password changing, then only allow the
+ * pwchange service.
+ */
+- if (isflagset(client.attributes, KRB5_KDB_REQUIRES_PWCHANGE) &&
+- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
++ if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE) &&
++ !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+ *status = "REQUIRED PWCHANGE";
+ return(KDC_ERR_KEY_EXP);
+ }
+@@ -665,37 +665,37 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ /* Client and server must allow postdating tickets */
+ if ((isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) ||
+ isflagset(request->kdc_options, KDC_OPT_POSTDATED)) &&
+- (isflagset(client.attributes, KRB5_KDB_DISALLOW_POSTDATED) ||
+- isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED))) {
++ (isflagset(client->attributes, KRB5_KDB_DISALLOW_POSTDATED) ||
++ isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED))) {
+ *status = "POSTDATE NOT ALLOWED";
+ return(KDC_ERR_CANNOT_POSTDATE);
+ }
+
+ /* Check to see if client is locked out */
+- if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
++ if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
+ *status = "CLIENT LOCKED OUT";
+ return(KDC_ERR_CLIENT_REVOKED);
+ }
+
+ /* Check to see if server is locked out */
+- if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
++ if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
+ *status = "SERVICE LOCKED OUT";
+ return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ }
+
+ /* Check to see if server is allowed to be a service */
+- if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
++ if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) {
+ *status = "SERVICE NOT ALLOWED";
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+
+- if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
++ if (check_anon(kdc_active_realm, client->princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+
+ /* Perform KDB module policy checks.
*/
+- ret = krb5_db_check_policy_as(kdc_context, request, &client, &server,
++ ret = krb5_db_check_policy_as(kdc_context, request, client, server,
+ kdc_time, status, e_data);
+ if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode_to_protocol(ret);
+@@ -1568,8 +1568,8 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
+ princ->pw_expiration = 0;
+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
+- code = validate_as_request(kdc_active_realm, request, *princ,
+- no_server, kdc_time, status, &e_data);
++ code = validate_as_request(kdc_active_realm, request, princ,
++ &no_server, kdc_time, status, &e_data);
+ if (code) {
+ krb5_db_free_principal(kdc_context, princ);
+ krb5_free_pa_data(kdc_context, e_data);
+diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
+index 42b7ee208..04007a8f5 100644
+--- a/src/kdc/kdc_util.h
++++ b/src/kdc/kdc_util.h
+@@ -76,12 +76,12 @@ get_local_tgt(krb5_context context, const krb5_data *realm,
+ krb5_db_entry **storage_out, krb5_keyblock *kb_out);
+
+ int
+-validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
+- krb5_db_entry, krb5_timestamp,
++validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
++ krb5_db_entry *, krb5_timestamp,
+ const char **, krb5_pa_data ***);
+
+ int
+-validate_tgs_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
++validate_tgs_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
+ krb5_ticket *, krb5_timestamp,
+ const char **, krb5_pa_data ***);
+
+diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
+index 554345ba5..3f4fa8499 100644
+--- a/src/kdc/tgs_policy.c
++++ b/src/kdc/tgs_policy.c
+@@ -48,7 +48,7 @@ struct tgsflagrule {
+ };
+
+ /* Service principal TGS policy checking functions */
+-typedef int (check_tgs_svc_pol_fn)(krb5_kdc_req *, krb5_db_entry,
++typedef int (check_tgs_svc_pol_fn)(krb5_kdc_req *, krb5_db_entry *,
+ krb5_ticket *, krb5_timestamp,
+ const char **);
+
+@@ -110,7 +110,7 @@ static const struct tgsflagrule svcdenyrules[]
= {
+ * A service principal can forbid some TGS-REQ options.
+ */
+ static int
+-check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry server,
++check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server,
+ krb5_ticket *tkt, krb5_timestamp kdc_time,
+ const char **status)
+ {
+@@ -122,7 +122,7 @@ check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry server,
+ r = &svcdenyrules[i];
+ if (!(r->reqflags & req->kdc_options))
+ continue;
+- if (r->checkflag & server.attributes) {
++ if (r->checkflag & server->attributes) {
+ *status = r->status;
+ return r->err;
+ }
+@@ -134,20 +134,20 @@ check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry server,
+ * A service principal can deny all TGS-REQs for it.
+ */
+ static int
+-check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server,
++check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server,
+ krb5_ticket *tkt, krb5_timestamp kdc_time,
+ const char **status)
+ {
+- if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
++ if (server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
+ *status = "SERVER LOCKED OUT";
+ return KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
+- if ((server.attributes & KRB5_KDB_DISALLOW_SVR) &&
++ if ((server->attributes & KRB5_KDB_DISALLOW_SVR) &&
+ !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
+ *status = "SERVER NOT ALLOWED";
+ return KDC_ERR_MUST_USE_USER2USER;
+ }
+- if (server.attributes & KRB5_KDB_DISALLOW_TGT_BASED) {
++ if (server->attributes & KRB5_KDB_DISALLOW_TGT_BASED) {
+ if (krb5_is_tgs_principal(tkt->server)) {
+ *status = "TGT BASED NOT ALLOWED";
+ return KDC_ERR_POLICY;
+@@ -160,17 +160,17 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server,
+ * A service principal can require certain TGT flags.
+ */
+ static int
+-check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry server,
++check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server,
+ krb5_ticket *tkt,
+ krb5_timestamp kdc_time, const char **status)
+ {
+- if (server.attributes & KRB5_KDB_REQUIRES_HW_AUTH) {
++ if (server->attributes & KRB5_KDB_REQUIRES_HW_AUTH) {
+ if (!(tkt->enc_part2->flags & TKT_FLG_HW_AUTH)) {
+ *status = "NO HW PREAUTH";
+ return KRB_ERR_GENERIC;
+ }
+ }
+- if (server.attributes & KRB5_KDB_REQUIRES_PRE_AUTH) {
++ if (server->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) {
+ if (!(tkt->enc_part2->flags & TKT_FLG_PRE_AUTH)) {
+ *status = "NO PREAUTH";
+ return KRB_ERR_GENERIC;
+@@ -180,10 +180,10 @@ check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry server,
+ }
+
+ static int
+-check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
++check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt,
+ krb5_timestamp kdc_time, const char **status)
+ {
+- if (server.expiration && ts_after(kdc_time, server.expiration)) {
++ if (server->expiration && ts_after(kdc_time, server->expiration)) {
+ *status = "SERVICE EXPIRED";
+ return KDC_ERR_SERVICE_EXP;
+ }
+@@ -191,8 +191,9 @@ check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
+ }
+
+ static int
+-check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
+- krb5_timestamp kdc_time, const char **status)
++check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server,
++ krb5_ticket *tkt, krb5_timestamp kdc_time,
++ const char **status)
+ {
+ int errcode;
+ size_t i;
+@@ -317,7 +318,7 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
+
+ int
+ validate_tgs_request(kdc_realm_t *kdc_active_realm,
+- krb5_kdc_req *request, krb5_db_entry server,
++ krb5_kdc_req *request, krb5_db_entry *server,
+ krb5_ticket *ticket, krb5_timestamp kdc_time,
+ const char **status, krb5_pa_data ***e_data)
+ {
+@@ -367,8 +368,8 @@
validate_tgs_request(kdc_realm_t *kdc_active_realm,
+ }
+
+ /* Perform KDB module policy checks. */
+- ret = krb5_db_check_policy_tgs(kdc_context, request, &server,
+- ticket, status, e_data);
++ ret = krb5_db_check_policy_tgs(kdc_context, request, server, ticket,
++ status, e_data);
+ if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode_to_protocol(ret);
+
diff --git a/Minimize-usage-of-tgs_server-in-KDC.patch b/Minimize-usage-of-tgs_server-in-KDC.patch index 7a2a031..f08458e 100644 --- a/Minimize-usage-of-tgs_server-in-KDC.patch +++ b/Minimize-usage-of-tgs_server-in-KDC.patch @@ -1,4 +1,4 @@ -From 604135b5ad6bf954491413243eb305b82fec1c06 Mon Sep 17 00:00:00 2001 +From 5e79319edf3836d12dbc710ec1e2dd4405c9df35 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 25 Sep 2020 11:12:34 -0400 Subject: [PATCH] Minimize usage of tgs_server in KDC @@ -36,7 +36,7 @@ request. 5 files changed, 46 insertions(+), 78 deletions(-) diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 9ae7b0a5e..e243f50be 100644 +index c2dfea9b8..e0ac33649 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -620,18 +620,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, @@ -75,7 +75,7 @@ index 9ae7b0a5e..e243f50be 100644 state->server, &state->local_tgt, &state->local_tgt_storage, &state->local_tgt_key); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 74cd19e96..72525a462 100644 +index d345797c4..8ea418e43 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -268,7 +268,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, @@ -120,7 +120,7 @@ index 74cd19e96..72525a462 100644 enc_tkt_reply.client)) { /* tgt issued by local realm or issued by realm of client */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index a4a05b9fa..a631b498d 100644 +index b2042862a..e0b65a87c 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -78,12 +78,6 @@ static krb5_error_code find_server_key(krb5_context,
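Review bot: The `server` parameter of the tgs_policy.c helpers (check_tgs_svc_deny_opts, check_tgs_svc_deny_all, check_tgs_svc_reqd_flags, check_tgs_svc_time) is only read in the lines shown, yet it is now a plain `krb5_db_entry *`, so the isolation the by-value signatures gave, that a policy check cannot alter the caller's principal entry, is no longer enforced by the compiler. Declaring it `const krb5_db_entry *server` in those static helpers and in the typedef, `typedef int (check_tgs_svc_pol_fn)(krb5_kdc_req *, const krb5_db_entry *,`, would keep that property; their bodies run past the hunks, so confirm nothing outside the visible lines writes through it. validate_as_request and validate_tgs_request pass the entries on to krb5_db_check_policy_as and krb5_db_check_policy_tgs, whose prototypes are not on this page, so const may not reach that far without a cast. A one-line comment on both validate_* prototypes in kdc_util.h, such as `/* client and server must be non-null and remain owned by the caller */`, would record the contract now that callers hand over their live entries, including the `princ` that kdc_process_s4u2self_req has just edited.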
@@ -258,7 +258,7 @@ index a4a05b9fa..a631b498d 100644 *status = "XREALM_EVIDENCE_TICKET_MISMATCH"; return KRB5KDC_ERR_BADOPTION; diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h -index 42b7ee208..c730409ae 100644 +index 04007a8f5..a6bac4388 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -37,10 +37,9 @@ @@ -274,10 +274,10 @@ index 42b7ee208..c730409ae 100644 add_to_transited (krb5_data *, krb5_data *, diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c -index 554345ba5..59d60ca25 100644 +index 3f4fa8499..a5a00f0cc 100644 --- a/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c -@@ -251,19 +251,21 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, +@@ -252,19 +252,21 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, } static int @@ -305,7 +305,7 @@ index 554345ba5..59d60ca25 100644 *status = "2ND_TKT_NOT_TGS"; return KDC_ERR_POLICY; } -@@ -352,7 +354,7 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, +@@ -353,7 +355,7 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, return(KRB_AP_ERR_REPEAT); } diff --git a/krb5.spec b/krb5.spec index 9cdd23b..30396a5 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 26%{?dist} +Release: 27%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -78,7 +78,8 @@ Patch39: Improve-KDC-alias-checking-for-S4U-requests.patch Patch40: Adjust-KDC-alias-helper-function-contract.patch Patch41: Allow-aliases-when-matching-U2U-second-ticket.patch Patch42: Refactor-KDC-authdata-list-management-helpers.patch -Patch43: Minimize-usage-of-tgs_server-in-KDC.patch +Patch43: Avoid-passing-DB-entry-structures-in-KDC.patch +Patch44: Minimize-usage-of-tgs_server-in-KDC.patch License: MIT URL: https://web.mit.edu/kerberos/www/ 
@@ -639,6 +640,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Oct 21 2020 Robbie Harwood - 1.18.2-27 +- Fix build of previous + * Wed Oct 21 2020 Robbie Harwood - 1.18.2-26 - Cross-realm s4u fixes for samba (#1836630)