author | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-28 14:44:34 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-28 14:58:55 -0400 |
commit | 8a27a25d6f492f4c0b6670590d6e15d5e6159230 (patch) | |
tree | 758ff61f99044f56248e93b75562d464d010932e | |
parent | e237d18af1ab745e6c0888f346b1d085840e1204 (diff) | |
Add fix for using compatible enctypes with loose name checking
- backport fix for trying all compatible keys when not being strict about
acceptor names while reading AP-REQs (RT#7883, #1078888)
-rw-r--r-- | krb5-master-compatible-keys.patch | 56 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 63 insertions, 1 deletions
diff --git a/krb5-master-compatible-keys.patch b/krb5-master-compatible-keys.patch
new file mode 100644
index 0000000..7c36e05
--- /dev/null
+++ b/krb5-master-compatible-keys.patch
@@ -0,0 +1,56 @@
+commit 4f99c75eb6b1a53d78b26648e39309261e37755c
+Author: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date: Tue Mar 18 16:39:47 2014 -0400
+
+ Try compatible keys in rd_req_dec "any" path
+
+ When we go to decrypt a ticket using a keytab, we have two code paths.
+
+ In the first (traditional) one, we try to read an entry that exactly
+ matches the principal name, enctype, and kvno from the ticket, and then
+ attempt to decrypt the ticket using the entry's key. The keytab
+ routines helpfully return an entry so long as it's of a key type that's
+ compatible with the ticket being decrypted, fixing up the enctype in the
+ entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
+ ticket with a DES-CBC-MD5 key.
+
+ In the second code path, we try the key of every entry which loosely
+ matches the principal name from the ticket and which exactly matches its
+ enctype, meaning that the ticket/keytab pair above won't work if the
+ principal name is one which suggests we shouldn't be matching entries
+ exactly.
+
+ This change modifies the "any" path to also try to decrypt the ticket
+ with compatible keys.
+
+ [ghudson@mit.edu: avoid stuffing too much logic in one conditional]
+
+ ticket: 7883 (new)
+
+diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
+index 4b952f5..fbd088d 100644
+--- a/src/lib/krb5/krb/rd_req_dec.c
++++ b/src/lib/krb5/krb/rd_req_dec.c
+@@ -167,6 +167,8 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
+ krb5_error_code ret;
+ krb5_keytab_entry ent;
+ krb5_kt_cursor cursor;
++ krb5_boolean similar;
++ krb5_enctype req_etype = req->ticket->enc_part.enctype;
+
+ #ifdef LEAN_CLIENT
+ return KRB5KRB_AP_WRONG_PRINC;
+@@ -189,8 +191,12 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
+ goto cleanup;
+
+ while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cursor)) == 0) {
+- if (ent.key.enctype == req->ticket->enc_part.enctype &&
++ ret = krb5_c_enctype_compare(context, ent.key.enctype, req_etype,
++ &similar);
++ if (ret == 0 && similar &&
+ krb5_sname_match(context, server, ent.principal)) {
++ /* Coerce inexact matches to the request enctype. */
++ ent.key.enctype = req_etype;
+ ret = try_one_entry(context, req, &ent, keyblock_out);
+ if (ret == 0) {
+ TRACE_RD_REQ_DECRYPT_ANY(context, ent.principal, &ent.key);
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.2 -Release: 4%{?dist} +Release: 5%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar Source0: krb5-%{version}.tar.gz
@@ -99,6 +99,7 @@ Patch141: krb5-master-rcache-acquirecred-test.patch Patch142: krb5-master-move-otp-sockets.patch Patch145: krb5-master-mechd.patch Patch146: krb5-master-strdupcheck.patch +Patch147: krb5-master-compatible-keys.patch Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch Patch202: 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch Patch203: 0003-Use-an-intermediate-memory-cache-in-ksu.patch
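Review bot: In the rd_req_dec.c hunk, TRACE_RD_REQ_DECRYPT_ANY on the hunk's last line runs after `ent.key.enctype = req_etype;`, so when a compatible-but-different keytab key is the one that works, the traced keyblock (if the macro renders its enctype) reports the ticket's enctype rather than the entry's real one, which hides exactly the new case this patch introduces from anyone reading the trace to understand why a key matched. Saving the entry's value before the coercion, `krb5_enctype ent_etype = ent.key.enctype;`, and tracing that instead, or emitting the trace before the assignment, keeps the log faithful. A non-zero return from `krb5_c_enctype_compare` (for instance an enctype the library does not recognize) is also silently treated as a non-match, since `ret` is overwritten by the next `krb5_kt_next_entry` call; that mirrors the old exact-compare skip but deserves a comment such as `/* A compare error skips this entry, like an enctype mismatch would. */`. decrypt_ticket begins and ends outside the hunk, so how `ret` is interpreted after the loop cannot be checked here.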
@@ -347,6 +348,7 @@ ln -s NOTICE LICENSE %patch142 -p1 -b .move-otp-sockets %patch145 -p1 -b .master-mechd %patch146 -p1 -b .master-strdupcheck +%patch147 -p1 -b .master-compatible-keys # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -1023,6 +1025,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-5 +- backport fix for trying all compatible keys when not being strict about + acceptor names while reading AP-REQs (RT#7883, #1078888) + * Tue Aug 26 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-4 - kpropd hasn't bothered with -S since 1.11; stop trying to use that flag in the systemd unit file |