authorRobbie Harwood <rharwood@redhat.com>2016-08-25 14:04:19 +0000
committerRobbie Harwood <rharwood@redhat.com>2016-08-25 14:05:05 +0000
commit1dd613afe881189de58c3a3306f5fa74206e572f (patch)
tree311caea3f1496d25eab76adaf86e86f1b32e9df5
parent136cc250876a3143864ab8d79ca6b414b4ccedd1 (diff)
Fix KDC return code and set prompt types for OTP client preauth
Resolves: #1370072
-rw-r--r--krb5-1.15-improve-bad-password-inference.patch82
-rw-r--r--krb5-1.15-kdc-error-encrypted-timestamp.patch68
-rw-r--r--krb5-1.15-otp-preauth-prompt-type.patch49
-rw-r--r--krb5.spec16
4 files changed, 213 insertions, 2 deletions
diff --git a/krb5-1.15-improve-bad-password-inference.patch b/krb5-1.15-improve-bad-password-inference.patch
new file mode 100644
index 0000000..8e1424a
--- /dev/null
+++ b/krb5-1.15-improve-bad-password-inference.patch
@@ -0,0 +1,82 @@
+From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 25 Jul 2016 13:28:43 -0400
+Subject: [PATCH 2/3] Improve bad password inference in kinit
+
+kinit currently outputs "Password incorrect" if it sees a
+bad-integrity error code, which results if the KDC reply couldn't be
+decrypted, or when encrypted timestamp preauth fails against an MIT
+krb5 1.14 or earlier KDC. Expand this check to include general
+preauth failures reported by the KDC, but only if a password was
+prompted for.
+
+ticket: 8465 (new)
+(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
+---
+ src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+index eba36b9..990fd11 100644
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
+@@ -700,9 +700,18 @@ kinit_prompter(
+ krb5_prompt prompts[]
+ )
+ {
+- krb5_error_code rc =
+- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+- return rc;
++ krb5_boolean *pwprompt = data;
++ krb5_prompt_type *ptypes;
++ int i;
++
++ /* Make a note if we receive a password prompt. */
++ ptypes = krb5_get_prompt_types(ctx);
++ for (i = 0; i < num_prompts; i++) {
++ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
++ *pwprompt = TRUE;
++ }
++
++ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+ }
+
+ static int
+@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
+ krb5_creds my_creds;
+ krb5_error_code code = 0;
+ krb5_get_init_creds_opt *options = NULL;
++ krb5_boolean pwprompt = FALSE;
+ int i;
+
+ memset(&my_creds, 0, sizeof(my_creds));
+@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
+ switch (opts->action) {
+ case INIT_PW:
+ code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
+- 0, kinit_prompter, 0,
++ 0, kinit_prompter, &pwprompt,
+ opts->starttime,
+ opts->service_name,
+ options);
+@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
+ break;
+ }
+
+- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
++ /* If reply decryption failed, or if pre-authentication failed and we
++ * were prompted for a password, assume the password was wrong. */
++ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
++ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
+ fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
+ doing);
+- else
++ } else {
+ com_err(progname, code, _("while %s"), doing);
++ }
+ goto cleanup;
+ }
+
+--
+2.9.3
+
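Review bot: In kinit_prompter the `ptypes != NULL` test is re-evaluated on every loop iteration although it cannot change once krb5_get_prompt_types() has returned; guarding the loop once, `if (ptypes != NULL) { for (i = 0; i < num_prompts; i++) if (ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD) *pwprompt = TRUE; }`, states the intent more directly. The function now depends on `data` being the `krb5_boolean *` that k5_kinit passes on the INIT_PW path, so the cast deserves a note such as `/* data is &pwprompt from k5_kinit; records whether a password was collected. */`. That same pointer is forwarded unchanged to krb5_prompter_posix, which presumably ignores it — worth confirming, since the caller previously passed 0 here. The "Password incorrect" inference at the bottom now fires for KDC_ERR_PREAUTH_FAILED whenever any password-typed prompt was issued during the exchange, which is what the commit message intends; k5_kinit's body runs outside the hunk on both sides.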
diff --git a/krb5-1.15-kdc-error-encrypted-timestamp.patch b/krb5-1.15-kdc-error-encrypted-timestamp.patch
new file mode 100644
index 0000000..cbf9309
--- /dev/null
+++ b/krb5-1.15-kdc-error-encrypted-timestamp.patch
@@ -0,0 +1,68 @@
+From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 8 Aug 2016 18:03:55 +0200
+Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
+
+When encrypted timestamp pre-authentication fails, respond with error
+code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
+consistency with other Kerberos implementations.
+
+[ghudson@mit.edu: clarified commit message and comment]
+
+ticket: 8471 (new)
+(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
+---
+ src/kdc/kdc_preauth_encts.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
+index 65f7c36..e80dc12 100644
+--- a/src/kdc/kdc_preauth_encts.c
++++ b/src/kdc/kdc_preauth_encts.c
+@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_key_data * client_key;
+ krb5_int32 start;
+ krb5_timestamp timenow;
+- krb5_error_code decrypt_err = 0;
+
+ scratch.data = (char *)pa->contents;
+ scratch.length = pa->length;
+@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ goto cleanup;
+
+ start = 0;
+- decrypt_err = 0;
+ while (1) {
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
+ &start, enc_data->enctype,
+@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_free_keyblock_contents(context, &key);
+ if (retval == 0)
+ break;
+- else
+- decrypt_err = retval;
+ }
+
+ if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
+@@ -119,14 +115,10 @@ cleanup:
+ krb5_free_data_contents(context, &enc_ts_data);
+ if (pa_enc)
+ free(pa_enc);
+- /*
+- * If we get NO_MATCHING_KEY and decryption previously failed, and
+- * we failed to find any other keys of the correct enctype after
+- * that failed decryption, it probably means that the password was
+- * incorrect.
+- */
+- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+- retval = decrypt_err;
++ /* If we get NO_MATCHING_KEY, it probably means that the password was
++ * incorrect. */
++ if (retval == KRB5_KDB_NO_MATCHING_KEY)
++ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+
+ (*respond)(arg, retval, NULL, NULL, NULL);
+ }
+--
+2.9.3
+
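Review bot: The new comment at the cleanup label in enc_ts_verify says NO_MATCHING_KEY "probably means that the password was incorrect", but with decrypt_err gone the mapping now also covers the case where the search loop found no key of the requested enctype at all — the old code returned NO_MATCHING_KEY unchanged when decrypt_err was 0. Collapsing both into KDC_ERR_PREAUTH_FAILED is the right call from a disclosure standpoint, because a client can no longer distinguish "wrong password" from "no key of that enctype", and the comment should record that deliberately rather than describe only one case; something like `/* NO_MATCHING_KEY: every key of the requested enctype failed to decrypt, or the principal has none; report both as PREAUTH_FAILED. */`. The start of enc_ts_verify and the decrypt loop body lie outside the visible hunks.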
diff --git a/krb5-1.15-otp-preauth-prompt-type.patch b/krb5-1.15-otp-preauth-prompt-type.patch
new file mode 100644
index 0000000..2c3d975
--- /dev/null
+++ b/krb5-1.15-otp-preauth-prompt-type.patch
@@ -0,0 +1,49 @@
+From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 25 Jul 2016 13:23:31 -0400
+Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
+
+Add k5_set_prompt_type() calls around the prompter invocation in
+preauth_otp.c, and add the comment we conventionally put before
+prompter invocations.
+
+ticket: 8464 (new)
+(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
+---
+ src/lib/krb5/krb/preauth_otp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
+index 3de528b..01c48b4 100644
+--- a/src/lib/krb5/krb/preauth_otp.c
++++ b/src/lib/krb5/krb/preauth_otp.c
+@@ -31,6 +31,7 @@
+ #include "k5-int.h"
+ #include "k5-json.h"
+ #include "int-proto.h"
++#include "os-proto.h"
+
+ #include <krb5/clpreauth_plugin.h>
+ #include <ctype.h>
+@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
+ krb5_prompt prompt;
+ krb5_data prompt_reply;
+ krb5_error_code retval;
++ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+ if (prompttxt == NULL || out == NULL)
+ return EINVAL;
+@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
+ prompt.prompt = (char *)prompttxt;
+ prompt.hidden = 1;
+
++ /* PROMPTER_INVOCATION */
++ k5_set_prompt_types(context, &prompt_type);
+ retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
++ k5_set_prompt_types(context, NULL);
+ if (retval != 0)
+ return retval;
+
+--
+2.9.3
+
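Review bot: doprompt tags the OTP prompt as KRB5_PROMPT_TYPE_PREAUTH rather than KRB5_PROMPT_TYPE_PASSWORD, and nothing in the hunk says why; presumably it is because a token value is not the principal's long-term password, so a client that infers "wrong password" from password-typed prompts must not be misled by an OTP prompt. A one-line comment above the initializer would save the next reader that inference: `/* An OTP value is not the long-term password; tag it PREAUTH, not PASSWORD. */`. Clearing the prompt types before the `retval != 0` check is correct, since the context state is reset on the error path as well; the rest of doprompt is outside the hunk.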
diff --git a/krb5.spec b/krb5.spec
index 6abb731..f9ec0ba 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14.3
-Release: 5%{?dist}
+Release: 6%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -65,6 +65,10 @@ Patch165: krb5-1.15-kdc_hooks_test.patch
Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
+Patch167: krb5-1.15-otp-preauth-prompt-type.patch
+Patch168: krb5-1.15-improve-bad-password-inference.patch
+Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
+
License: MIT
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
@@ -272,7 +276,11 @@ ln NOTICE LICENSE
%patch164 -p1 -b .kdc_send_receive_hooks
%patch165 -p1 -b .kdc_hooks_test
-%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
+%patch166 -p1 -b .SNI-HTTP-Host
+
+%patch167 -p1 -b .otp-preauth-prompt-type
+%patch168 -p1 -b .improve-bad-password-inference
+%patch169 -p1 -b .kdc-error-encrypted-timestamp
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -742,6 +750,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6
+- Fix KDC return code and set prompt types for OTP client preauth
+- Resolves: #1370072
+
* Mon Aug 15 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-5
- Turn OFD locks back on with glibc workaround
- Resolves: #1274922