[krb5/f18] keep track of the message type of FAST requests

Mon Apr 15 14:41:45 UTC 2013

commit 3e24d2995e0044799296e905f6669f4909fc884f
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Mon Apr 15 10:40:48 2013 -0400

    keep track of the message type of FAST requests
    
    - pull fix for keeping track of the message type when parsing FAST requests in
      the KDC (RT#7605, #951964)

 krb5-fast-msg_type.patch |   30 ++++++++++++++++++++++++++++++
 krb5.spec                |    8 +++++++-
 2 files changed, 37 insertions(+), 1 deletions(-)
---

diff --git a/krb5-fast-msg_type.patch b/krb5-fast-msg_type.patch
new file mode 100644
index 0000000..392860f
--- /dev/null
+++ b/krb5-fast-msg_type.patch
@@ -0,0 +1,30 @@
+Modified to apply to 1.10.3.
+
+commit 3fbdcd0965180b46c545187e7784350340ae88ee
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Fri Apr 12 16:28:14 2013 -0400
+
+    Set msg_type when decoding FAST requests
+    
+    An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
+    neither of which contain the msg-type field found in a KDC-REQ.  So
+    when we decode the FAST request, the resulting krb5_kdc_req structure
+    has a msg_type of 0.  Copy msg_type from the outer body, since we make
+    use of it in further KDC processing.
+    
+    ticket: 7605 (new)
+    target_version: 1.11.3
+    tags: pullup
+
+diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
+index 40c5783..4fa36c6 100644
+--- a/src/kdc/fast_util.c
++++ b/src/kdc/fast_util.c
+@@ -239,6 +239,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
+                                          KRB5_PADATA_FX_COOKIE);
+         if (retval == 0) {
+             state->fast_options = fast_req->fast_options;
++            fast_req->req_body->msg_type = request->msg_type;
+             krb5_free_kdc_req( kdc_context, request);
+             *requestptr = fast_req->req_body;
+             fast_req->req_body = NULL;
diff --git a/krb5.spec b/krb5.spec
index 722ab4c..384444e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -29,7 +29,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.3
-Release: 15%{?dist}
+Release: 16%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -91,6 +91,7 @@ Patch114: krb5-1.10-pkinit-null.patch
 Patch115: krb5-lookup_etypes-leak.patch
 Patch116: krb5-1.10-pkinit-agility.patch
 Patch117: krb5-1.10-CVE-2013-1416.patch
+Patch118: krb5-fast-msg_type.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -296,6 +297,7 @@ ln -s NOTICE LICENSE
 %patch115 -p1 -b .lookup_etypes-leak
 %patch116 -p1 -b .pkinit-agility
 %patch117 -p1 -b .CVE-2013-1416
+%patch118 -p1 -b .fast-msg_type
 rm src/lib/krb5/krb/deltat.c
 
 gzip doc/*.ps
@@ -862,6 +864,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Apr 15 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-16
+- pull fix for keeping track of the message type when parsing FAST requests in
+  the KDC (RT#7605, #951964)
+
 * Tue Apr  9 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-15
 - incorporate upstream patch to fix a NULL pointer dereference while processing
   certain TGS requests (CVE-2013-1416, #949984/#949987)
