krb5/krb5-1.11.2-gss_transited.patch
2013-05-28 17:46:20 -04:00

82 lines
3.1 KiB
Diff

Should fix #959685.
commit b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon May 20 11:03:04 2013 -0400
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
ticket: 7639
version_fixed: 1.11.3
status: resolved
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 6495bae..6dacb35 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
}
krb5_k_free_key(context, (*auth_context)->key);
(*auth_context)->key = NULL;
+ if (server == NULL)
+ server = req->ticket->server;
} else {
retval = decrypt_ticket(context, req, server, keytab,
check_valid_flag ? &decrypt_key : NULL);
if (retval)
goto cleanup;
+ /* decrypt_ticket placed the principal of the keytab key in
+ * req->ticket->server; always use this for later steps. */
+ server = req->ticket->server;
}
TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client,
req->ticket->server, req->ticket->enc_part2->session);
@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}
- if (!server) {
- server = req->ticket->server;
- }
/* Get an rcache if necessary. */
if (((*auth_context)->rcache == NULL)
&& ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index e453b71..cafbea1 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -117,6 +117,19 @@ if 'host/-nomatch-' not in output:
realm.stop()
+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
+# transited field. (Regression test for #7639.)
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+ create_user=False, create_host=False,
+ args=[{'realm': 'A.X', 'create_user': True},
+ {'realm': 'X'},
+ {'realm': 'B.X', 'create_host': True}])
+os.rename(r3.keytab, r1.keytab)
+r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
+r1.stop()
+r2.stop()
+r3.stop()
+
### Test gss_inquire_cred behavior.
realm = K5Realm()