Fix transited realm checks in GSSAPI servers

- backport fix for not being able to verify the list of transited realms
  in GSS acceptors (RT#7639, #959685)

2 files changed, 86 insertions, 0 deletions

diff --git a/krb5-1.11.2-gss_transited.patch b/krb5-1.11.2-gss_transited.patch
new file mode 100644
index 0000000..664d1bf
--- /dev/null
+++ b/krb5-1.11.2-gss_transited.patch
@@ -0,0 +1,80 @@
+Should fix #959685.  Adjusted to apply to 1.11.2, which wrapped some of the
+context differently.
+
+commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Mon May 20 11:03:04 2013 -0400
+
+    Fix transited handling for GSSAPI acceptors
+    
+    The Acceptor Names project (#6855) extended krb5_rd_req so that it can
+    accept a "matching principal" in the server parameter.  If the
+    matching principal has an empty realm, rd_req_decoded_opt attempted to
+    do transited checking with an empty server realm.
+    
+    To fix this, always reset server to req->ticket->server for future
+    processing steps if we decrypt the ticket using a keytab.
+    decrypt_ticket replaces req->ticket->server with the principal name
+    from the keytab entry, so we know this name is correct.
+    
+    Based on a bug report and patch from nalin@redhat.com.
+    
+    ticket: 7639
+    target_version: 1.11.3
+    tags: pullup
+
+diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
+index bd447f3..4b952f5 100644
+--- a/src/lib/krb5/krb/rd_req_dec.c
++++ b/src/lib/krb5/krb/rd_req_dec.c
+@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+         }
+         krb5_k_free_key(context, (*auth_context)->key);
+         (*auth_context)->key = NULL;
++        if (server == NULL)
++            server = req->ticket->server;
+     } else {
+         retval = decrypt_ticket(context, req, server, keytab,
+                                 check_valid_flag ? &decrypt_key : NULL);
+         if (retval)
+             goto cleanup;
++        /* decrypt_ticket placed the principal of the keytab key in
++         * req->ticket->server; always use this for later steps. */
++        server = req->ticket->server;
+     }
+     TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client,
+                         req->ticket->server, req->ticket->enc_part2->session);
+@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+         goto cleanup;
+     }
+ 
+-    if (!server) {
+-        server = req->ticket->server;
+-    }
+     /* Get an rcache if necessary. */
+     if (((*auth_context)->rcache == NULL)
+         && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
+index de778cc..5583b02 100755
+--- a/src/tests/gssapi/t_gssapi.py
++++ b/src/tests/gssapi/t_gssapi.py
+@@ -110,6 +110,19 @@ if 'host/-nomatch-' not in output:
+ 
+ realm.stop()
+ 
++# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
++# transited field.  (Regression test for #7639.)
++r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
++                          create_user=False, create_host=False,
++                          args=[{'realm': 'A.X', 'create_user': True},
++                                {'realm': 'X'},
++                                {'realm': 'B.X', 'create_host': True}])
++os.rename(r3.keytab, r1.keytab)
++r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
++r1.stop()
++r2.stop()
++r3.stop()
++
+ ### Test gss_inquire_cred behavior.
+ 
+ realm = K5Realm()
diff --git a/krb5.spec b/krb5.spec
index 696e19c..2033e47 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -79,6 +79,7 @@ Patch118: krb5-1.11.1-rpcbind.patch
 Patch119: krb5-fast-msg_type.patch
 Patch120: krb5-1.11.2-kpasswd_pingpong.patch
 Patch121: krb5-cccol-primary.patch
+Patch122: krb5-1.11.2-gss_transited.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -300,6 +301,7 @@ ln -s NOTICE LICENSE
 %patch119 -p1 -b .fast-msg_type
 %patch120 -p1 -b .kpasswd_pingpong
 %patch121 -p1 -b .cccol-primary
+%patch122 -p1 -b .gss_transited
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -825,6 +827,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue May 28 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-7
+- backport fix for not being able to verify the list of transited realms
+  in GSS acceptors (RT#7639, #959685)
+
 * Tue May 21 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-6
 - pull in upstream fix to start treating a KRB5CCNAME value that begins
   with DIR:: the same as it would a DIR: value with just one ccache file