[krb5] - pull in patch for RT#7046: tag a ccache containing credentials obtained via S4U2Proxy with the p
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Dec 13 15:50:14 UTC 2011
commit fb7c02faff07424bd67bc3c882b935b41b31b386
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Tue Dec 13 10:47:31 2011 -0500
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
krb5-trunk-7046.patch | 301 +++++++++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 6 +
2 files changed, 307 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-7046.patch b/krb5-trunk-7046.patch
new file mode 100644
index 0000000..7db7ef5
--- /dev/null
+++ b/krb5-trunk-7046.patch
@@ -0,0 +1,301 @@
+commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Dec 7 19:38:13 2011 +0000
+
+ ticket: 7046
+ subject: Allow S4U2Proxy delegated credentials to be saved
+
+ The initial implementation of client-side S4U2Proxy support did not
+ allow delegated proxy credentials to be stored (gss_store_cred would
+ error out, and gss_krb5_copy_ccache would generate a non-working
+ cache). To make this work, we save the impersonator name in a cache
+ config variable and in a cred structure field (replacing the
+ proxy_cred flag), and make the default principal of the proxy cache
+ the subject principal as the caller would expect for a regular
+ delegated cred.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 514e2ea..b25c159 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
+ #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
+ #define KRB5_CONF_V4_REALM "v4_realm"
+ #define KRB5_CONF_ASTERISK "*"
++
++/* Cache configuration variables */
+ #define KRB5_CONF_FAST_AVAIL "fast_avail"
++#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
+
+ /* Error codes used in KRB_ERROR protocol messages.
+ Return values of library routines are based on a different error table
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index c815b35..c08e059 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
+ return 0;
+ }
+
++/* If an impersonator config entry exists in ccache, set *impersonator_out to
++ * the parsed principal. Otherwise set *impersonator_out to NULL. */
++static krb5_error_code
++get_impersonator(krb5_context context, krb5_ccache ccache,
++ krb5_principal *impersonator_out)
++{
++ krb5_error_code code;
++ krb5_data data = empty_data(), data0 = empty_data();
++
++ *impersonator_out = NULL;
++
++ code = krb5_cc_get_config(context, ccache, NULL,
++ KRB5_CONF_PROXY_IMPERSONATOR, &data);
++ if (code)
++ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
++
++ code = krb5int_copy_data_contents_add0(context, &data, &data0);
++ if (code)
++ goto cleanup;
++
++ code = krb5_parse_name(context, data0.data, impersonator_out);
++
++cleanup:
++ krb5_free_data_contents(context, &data);
++ krb5_free_data_contents(context, &data0);
++ return code;
++}
++
+ /* Check ccache and scan it for its expiry time. On success, cred takes
+ * ownership of ccache. */
+ static krb5_error_code
+@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
+ goto cleanup;
+ }
+
++ code = get_impersonator(context, ccache, &cred->impersonator);
++ if (code)
++ goto cleanup;
++
+ (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
+ cred->ccache = ccache;
+
+@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
+
+ cred->usage = args->cred_usage;
+ cred->name = NULL;
++ cred->impersonator = NULL;
+ cred->iakerb_mech = args->iakerb;
+ cred->default_identity = (name == NULL);
+ #ifndef LEAN_CLIENT
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 016a2e6..6b7d530 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
+ /* name/type of credential */
+ gss_cred_usage_t usage;
+ krb5_gss_name_t name;
+- unsigned int proxy_cred : 1;
++ krb5_principal impersonator;
+ unsigned int default_identity : 1;
+ unsigned int iakerb_mech : 1;
+ unsigned int destroy_ccache : 1;
+diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
+index 1b8120c..d7b9ffa 100644
+--- a/src/lib/gssapi/krb5/init_sec_context.c
++++ b/src/lib/gssapi/krb5/init_sec_context.c
+@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
+ krb5_error_code code;
+ krb5_creds in_creds, evidence_creds, *result_creds = NULL;
+ krb5_flags flags = 0;
+- krb5_principal cc_princ = NULL;
+
+ *out_creds = NULL;
+
+@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
+
+ assert(cred->name != NULL);
+
+- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
+- goto cleanup;
+-
+ /*
+ * Do constrained delegation if we have proxy credentials and
+ * we're not trying to get a ticket to ourselves (in which case
+ * we can just use the S4U2Self or evidence ticket directly).
+ */
+- if (cred->proxy_cred &&
+- !krb5_principal_compare(context, cc_princ, server->princ)) {
++ if (cred->impersonator &&
++ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
+ krb5_creds mcreds;
+
+ flags |= KRB5_GC_CANONICALIZE |
+@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
+ memset(&mcreds, 0, sizeof(mcreds));
+
+ mcreds.magic = KV5M_CREDS;
+- mcreds.times.endtime = cred->tgt_expire;
+- mcreds.server = cc_princ;
++ mcreds.server = cred->impersonator;
+ mcreds.client = cred->name->princ;
+
+ code = krb5_cc_retrieve_cred(context, cred->ccache,
+- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
+- &mcreds,
++ KRB5_TC_MATCH_AUTHDATA, &mcreds,
+ &evidence_creds);
+ if (code)
+ goto cleanup;
+
+ assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
+
+- in_creds.client = cc_princ;
++ in_creds.client = cred->impersonator;
+ in_creds.second_ticket = evidence_creds.ticket;
+ } else {
+ in_creds.client = cred->name->princ;
+@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
+
+ cleanup:
+ krb5_free_authdata(context, in_creds.authdata);
+- krb5_free_principal(context, cc_princ);
+ krb5_free_cred_contents(context, &evidence_creds);
+ krb5_free_creds(context, result_creds);
+
+diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
+index 5b2ea2f..4fd3694 100644
+--- a/src/lib/gssapi/krb5/rel_cred.c
++++ b/src/lib/gssapi/krb5/rel_cred.c
+@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
+ if (cred->name)
+ kg_release_name(context, &cred->name);
+
++ krb5_free_principal(context, cred->impersonator);
++
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
+
+diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
+index 4ac2ce3..4b37c5a 100644
+--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
++++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
+@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+
+ }
+
++/*
++ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
++ * creds, setting a cache config variable with the impersonator principal name,
++ * and saving the impersonator principal name in the cred structure.
++ */
++static krb5_error_code
++make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
++ krb5_gss_cred_id_t impersonator_cred)
++{
++ krb5_error_code code;
++ krb5_data data;
++ char *str;
++
++ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
++ cred->ccache);
++ if (code)
++ return code;
++
++ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
++ if (code)
++ return code;
++
++ data = string2data(str);
++ code = krb5_cc_set_config(context, cred->ccache, NULL,
++ KRB5_CONF_PROXY_IMPERSONATOR, &data);
++ krb5_free_unparsed_name(context, str);
++ if (code)
++ return code;
++
++ return krb5_copy_principal(context, impersonator_cred->name->princ,
++ &cred->impersonator);
++}
++
+ OM_uint32
+ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ krb5_gss_cred_id_t impersonator_cred,
+@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+
+ if (!kg_is_initiator_cred(impersonator_cred) ||
+ impersonator_cred->name == NULL ||
+- impersonator_cred->proxy_cred) {
++ impersonator_cred->impersonator != NULL) {
+ code = G_BAD_USAGE;
+ goto cleanup;
+ }
+@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ if (code != 0)
+ goto cleanup;
+
+- /*
+- * Only return a "proxy" credential for use with constrained
+- * delegation if the subject credentials are forwardable.
+- * Submitting non-forwardable credentials to the KDC for use
+- * with constrained delegation will only return an error.
+- */
+ cred->usage = GSS_C_INITIATE;
+- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
+
+ cred->tgt_expire = subject_creds->times.endtime;
+
+@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ goto cleanup;
+ cred->destroy_ccache = 1;
+
+- code = krb5_cc_initialize(context, cred->ccache,
+- cred->proxy_cred ? impersonator_cred->name->princ :
+- subject_creds->client);
++ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
+ if (code != 0)
+ goto cleanup;
+
+- if (cred->proxy_cred) {
+- /* Impersonator's TGT will be necessary for S4U2Proxy */
+- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+- cred->ccache);
++ /*
++ * Only return a "proxy" credential for use with constrained
++ * delegation if the subject credentials are forwardable.
++ * Submitting non-forwardable credentials to the KDC for use
++ * with constrained delegation will only return an error.
++ */
++ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
++ code = make_proxy_cred(context, cred, impersonator_cred);
+ if (code != 0)
+ goto cleanup;
+ }
+diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
+index bff3cde..d587589 100644
+--- a/src/lib/gssapi/krb5/store_cred.c
++++ b/src/lib/gssapi/krb5/store_cred.c
+@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
+
+ kcred = (krb5_gss_cred_id_t)input_cred_handle;
+
+- if (kcred->ccache == NULL || kcred->proxy_cred) {
++ if (kcred->ccache == NULL) {
+ *minor_status = KG_CCACHE_NOMATCH;
+ major_status = GSS_S_DEFECTIVE_CREDENTIAL;
+ goto cleanup;
+diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
+index e87f249..46a9ae1 100644
+--- a/src/lib/gssapi/krb5/val_cred.c
++++ b/src/lib/gssapi/krb5/val_cred.c
+@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
+ *minor_status = code;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+- if (!cred->proxy_cred &&
+- !krb5_principal_compare(context, princ, cred->name->princ)) {
++ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
diff --git a/krb5.spec b/krb5.spec
index c60393f..9a7bf44 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -59,6 +59,7 @@ Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch
Patch92: krb5-1.10-alpha1-uninit.patch
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
+Patch100: krb5-trunk-7046.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -225,6 +226,7 @@ ln -s NOTICE LICENSE
#%patch75 -p1 -b .pkinit-debug
%patch86 -p0 -b .debuginfo
%patch93 -p1 -b .2011-007
+%patch100 -p1 -b .7046
# XXX Temporary, backported from trunk.
%patch92 -p1 -b .uninit
# XXX Temporary, fixed properly in trunk.
@@ -739,6 +741,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com>
+- pull in patch for RT#7046: tag a ccache containing credentials obtained via
+ S4U2Proxy with the principal name of the proxying principal (part of #761317)
+
* Tue Dec 6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.10-0.alpha1.2
- apply upstream patch to fix a null pointer dereference when processing
TGS requests (CVE-2011-1530, #753748)
More information about the scm-commits
mailing list