From c0d2f3b96d0d2eee428f588872e97d6a97ad82ec Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Fri, 3 May 2013 17:04:40 -0400 Subject: Update otp patch; add keycheck patch --- krb5-1.11.2-keycheck.patch | 230 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 230 insertions(+) create mode 100644 krb5-1.11.2-keycheck.patch (limited to 'krb5-1.11.2-keycheck.patch') diff --git a/krb5-1.11.2-keycheck.patch b/krb5-1.11.2-keycheck.patch new file mode 100644 index 0000000..4b4bd08 --- /dev/null +++ b/krb5-1.11.2-keycheck.patch @@ -0,0 +1,230 @@ +From c7047421487c0e616b881c0922937bc759114233 Mon Sep 17 00:00:00 2001 +From: Nathaniel McCallum +Date: Fri, 3 May 2013 15:44:44 -0400 +Subject: [PATCH 1/3] Check for keys in encrypted timestamp/challenge + +Encrypted timestamp and encrypted challenge cannot succeed if the +client has no long-term key matching the request enctypes, so do not +offer them in that case. + +ticket: 7630 + +NPM - This is a backport from the upstream fix. See upstream commits: + https://github.com/krb5/krb5/commit/e50482720a805ecd8c160e4a8f4a846e6327dca2 + https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd +--- + src/kdc/kdc_preauth_ec.c | 23 +++++++++++++++++++++-- + src/kdc/kdc_preauth_encts.c | 22 ++++++++++++++++++++-- + 2 files changed, 41 insertions(+), 4 deletions(-) + +diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c +index 9d7236c..db3ad07 100644 +--- a/src/kdc/kdc_preauth_ec.c ++++ b/src/kdc/kdc_preauth_ec.c +@@ -39,8 +39,27 @@ ec_edata(krb5_context context, krb5_kdc_req *request, + krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, + krb5_kdcpreauth_edata_respond_fn respond, void *arg) + { +- krb5_keyblock *armor_key = cb->fast_armor(context, rock); +- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL); ++ krb5_boolean have_client_keys = FALSE; ++ krb5_keyblock *armor_key; ++ krb5_key_data *kd; ++ int i; ++ ++ armor_key = cb->fast_armor(context, rock); ++ ++ for (i = 0; i < rock->request->nktypes; i++) { ++ if (krb5_dbe_find_enctype(context, rock->client, ++ rock->request->ktype[i], ++ -1, 0, &kd) == 0) { ++ have_client_keys = TRUE; ++ break; ++ } ++ } ++ ++ /* Encrypted challenge only works with FAST, and requires a client key. */ ++ if (armor_key == NULL || !have_client_keys) ++ (*respond)(arg, ENOENT, NULL); ++ else ++ (*respond)(arg, 0, NULL); + } + + static void +diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c +index d708061..adde6e2 100644 +--- a/src/kdc/kdc_preauth_encts.c ++++ b/src/kdc/kdc_preauth_encts.c +@@ -34,9 +34,27 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request, + krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, + krb5_kdcpreauth_edata_respond_fn respond, void *arg) + { +- krb5_keyblock *armor_key = cb->fast_armor(context, rock); ++ krb5_boolean have_client_keys = FALSE; ++ krb5_keyblock *armor_key; ++ krb5_key_data *kd; ++ int i; ++ ++ armor_key = cb->fast_armor(context, rock); ++ ++ for (i = 0; i < rock->request->nktypes; i++) { ++ if (krb5_dbe_find_enctype(context, rock->client, ++ rock->request->ktype[i], ++ -1, 0, &kd) == 0) { ++ have_client_keys = TRUE; ++ break; ++ } ++ } + +- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL); ++ /* Encrypted timestamp must not be used with FAST, and requires a key. */ ++ if (armor_key != NULL || !have_client_keys) ++ (*respond)(arg, ENOENT, NULL); ++ else ++ (*respond)(arg, 0, NULL); + } + + static void +-- +1.8.2.1 + + +From 4d19790527e2c9d52bb05abd6048a63a1a8c222c Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 29 Apr 2013 14:55:31 -0400 +Subject: [PATCH 2/3] Don't send empty etype info from KDC + +RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO +sequences), and our client errors out if it sees an empty sequence of +either. + +ticket: 7630 +--- + src/kdc/kdc_preauth.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c +index 42a37a8..5c3b615 100644 +--- a/src/kdc/kdc_preauth.c ++++ b/src/kdc/kdc_preauth.c +@@ -1404,6 +1404,11 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, + seen_des++; + } + } ++ ++ /* If the list is empty, don't send it at all. */ ++ if (i == 0) ++ goto cleanup; ++ + if (etype_info2) + retval = encode_krb5_etype_info2(entry, &scratch); + else +-- +1.8.2.1 + + +From a04cf2e89f4101eb6c2ec44ef1948976fe5fe9d3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 2 May 2013 16:15:32 -0400 +Subject: [PATCH 3/3] Make AS requests work with no client key + +If we cannot find a client key while preparing an AS reply, give +preauth mechanisms a chance to replace the reply key before erroring +out. + +ticket: 7630 +--- + src/kdc/do_as_req.c | 36 ++++++++++++++++++++---------------- + src/kdc/kdc_preauth.c | 6 ++++++ + 2 files changed, 26 insertions(+), 16 deletions(-) + +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c +index 79da300..cb91803 100644 +--- a/src/kdc/do_as_req.c ++++ b/src/kdc/do_as_req.c +@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) + useenctype, -1, 0, &client_key)) + break; + } +- if (!(client_key)) { +- /* Cannot find an appropriate key */ +- state->status = "CANT_FIND_CLIENT_KEY"; +- errcode = KRB5KDC_ERR_ETYPE_NOSUPP; +- goto egress; +- } +- state->rock.client_key = client_key; + +- /* convert client.key_data into a real key */ +- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, +- client_key, +- &state->client_keyblock, +- NULL))) { +- state->status = "DECRYPT_CLIENT_KEY"; +- goto egress; ++ if (client_key != NULL) { ++ /* Decrypt the client key data entry to get the real reply key. */ ++ errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key, ++ &state->client_keyblock, NULL); ++ if (errcode) { ++ state->status = "DECRYPT_CLIENT_KEY"; ++ goto egress; ++ } ++ state->client_keyblock.enctype = useenctype; ++ state->rock.client_key = client_key; + } +- state->client_keyblock.enctype = useenctype; + + /* Start assembling the response */ + state->reply.msg_type = KRB5_AS_REP; +@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) + goto egress; + } + ++ /* If we didn't find a client long-term key and no preauth mechanism ++ * replaced the reply key, error out now. */ ++ if (state->client_keyblock.enctype == ENCTYPE_NULL) { ++ state->status = "CANT_FIND_CLIENT_KEY"; ++ errcode = KRB5KDC_ERR_ETYPE_NOSUPP; ++ goto egress; ++ } ++ + errcode = handle_authdata(kdc_context, + state->c_flags, + state->client, +@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) + &state->reply_encpart, 0, + as_encrypting_key, + &state->reply, &response); +- state->reply.enc_part.kvno = client_key->key_data_kvno; ++ if (client_key != NULL) ++ state->reply.enc_part.kvno = client_key->key_data_kvno; + if (errcode) { + state->status = "ENCODE_KDC_REP"; + goto egress; +diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c +index 5c3b615..5d12346 100644 +--- a/src/kdc/kdc_preauth.c ++++ b/src/kdc/kdc_preauth.c +@@ -1473,6 +1473,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, + krb5_etype_info_entry **entry = NULL; + krb5_data *scratch = NULL; + ++ if (client_key == NULL) ++ return 0; ++ + /* + * Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer" + * enctypes. +@@ -1576,6 +1579,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata, + krb5_key_data * client_key = rock->client_key; + int i; + ++ if (client_key == NULL) ++ return 0; ++ + for (i = 0; i < request->nktypes; i++) { + if (enctype_requires_etype_info_2(request->ktype[i])) + return 0; +-- +1.8.2.1 + -- cgit