diff options
| author | Robbie Harwood <rharwood@redhat.com> | 2016-08-29 17:58:00 +0000 |
|---|---|---|
| committer | Robbie Harwood <rharwood@redhat.com> | 2016-08-29 17:58:02 +0000 |
| commit | 3e13029eb07b149e05d0490bf3e442924d0761e0 (patch) | |
| tree | 3b0ff35cfda3240dcf90cac1f1bad4a30ccf656d | |
| parent | 10d34c1413244a648a1f26f4695cb96c18b665b5 (diff) | |
| download | krb5-3e13029eb07b149e05d0490bf3e442924d0761e0.tar.gz krb5-3e13029eb07b149e05d0490bf3e442924d0761e0.tar.xz krb5-3e13029eb07b149e05d0490bf3e442924d0761e0.zip | |
Use responder for non-preauth AS requests
Resolves: #1370622
| -rw-r--r-- | krb5-1.14.4-responder-non-preauth.patch | 86 | ||||
| -rw-r--r-- | krb5.spec | 10 |
2 files changed, 95 insertions, 1 deletions
diff --git a/krb5-1.14.4-responder-non-preauth.patch b/krb5-1.14.4-responder-non-preauth.patch new file mode 100644 index 0000000..fc22104 --- /dev/null +++ b/krb5-1.14.4-responder-non-preauth.patch @@ -0,0 +1,86 @@ +From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 5 Aug 2016 12:28:03 -0400 +Subject: [PATCH] Use responder for non-preauth AS requests + +If no AS reply key is computed during pre-authentication (typically +because no pre-authentication was required by the KDC), ask for the +password using the responder before calling gak_fct for the key, and +supply any resulting responder items to gak_fct. + +ticket: 8454 +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++- + src/tests/t_general.py | 5 +++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index b78e19a..659be66 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context, + krb5_keyblock encrypting_key; + krb5_boolean fast_avail; + krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt); ++ krb5_responder_fn responder; ++ void *responder_data; + + encrypting_key.length = 0; + encrypting_key.contents = NULL; +@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context, + code = -1; + + if (code != 0) { ++ /* If a responder was provided and we are using a password, ask for the ++ * password using the responder before falling back to the prompter. */ ++ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data); ++ if (responder != NULL && !ctx->as_key.length) { ++ /* Indicate a need for the AS key by calling the gak_fct with a ++ * NULL as_key. */ ++ code = ctx->gak_fct(context, ctx->request->client, ctx->etype, ++ NULL, NULL, NULL, NULL, NULL, ctx->gak_data, ++ ctx->rctx.items); ++ if (code != 0) ++ goto cleanup; ++ ++ /* If that produced a responder question, invoke the responder. */ ++ if (!k5_response_items_empty(ctx->rctx.items)) { ++ code = (*responder)(context, responder_data, &ctx->rctx); ++ if (code != 0) ++ goto cleanup; ++ } ++ } ++ + /* if we haven't get gotten a key, get it now */ + TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams); + code = (*ctx->gak_fct)(context, ctx->request->client, + ctx->reply->enc_part.enctype, + ctx->prompter, ctx->prompter_data, + &ctx->salt, &ctx->s2kparams, +- &ctx->as_key, ctx->gak_data, NULL); ++ &ctx->as_key, ctx->gak_data, ctx->rctx.items); + if (code != 0) + goto cleanup; + TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key); +diff --git a/src/tests/t_general.py b/src/tests/t_general.py +index c3629e6..13dd99b 100755 +--- a/src/tests/t_general.py ++++ b/src/tests/t_general.py +@@ -34,6 +34,11 @@ realm.stop() + + realm = K5Realm(create_host=False) + ++# Regression test for #8454 (responder callback isn't used when ++# preauth is not required). ++realm.run(['./responder', '-r', 'password=%s' % password('user'), ++ realm.user_princ]) ++ + # Test that WRONG_REALM responses aren't treated as referrals unless + # they contain a crealm field pointing to a different realm. + # (Regression test for #8060.) +-- +2.9.3 + @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.3 -Release: 7%{?dist} +Release: 8%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -70,6 +70,8 @@ Patch168: krb5-1.15-improve-bad-password-inference.patch Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch Patch170: krb5-1.14.4-samba-client-mutual-flag.patch +Patch171: krb5-1.14.4-responder-non-preauth.patch + License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -284,6 +286,8 @@ ln NOTICE LICENSE %patch169 -p1 -b .kdc-error-encrypted-timestamp %patch170 -p1 -b .samba-client-mutual-flag +%patch171 -p1 -b .responder-non-preauth + # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -752,6 +756,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8 +- Use responder for non-preauth AS requests +- Resolves: #1370622 + * Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7 - Guess Samba client mutual flag using ap_option - Resolves: #1370980 |