[krb5] - pull in patch for RT#7048: allow PAC verification to only bother trying to verify the signature
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Dec 13 15:50:24 UTC 2011
commit f28b57af20bf9c114ddc033d31eb3b706967bd5f
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Tue Dec 13 10:50:02 2011 -0500
- pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
krb5-trunk-7048.patch | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 11 +++++-
2 files changed, 87 insertions(+), 2 deletions(-)
---
diff --git a/krb5-trunk-7048.patch b/krb5-trunk-7048.patch
new file mode 100644
index 0000000..0399565
--- /dev/null
+++ b/krb5-trunk-7048.patch
@@ -0,0 +1,78 @@
+commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Dec 7 19:38:32 2011 +0000
+
+ ticket: 7048
+ subject: Allow null server key to krb5_pac_verify
+
+ When the KDC verifies a PAC, it doesn't really need to check the
+ server signature, since it can't trust that anyway. Allow the caller
+ to pass only a TGT key.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index f3d0225..83c2dc7 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
+ * @param [in] pac PAC handle
+ * @param [in] authtime Expected timestamp
+ * @param [in] principal Expected principal name (or NULL)
+- * @param [in] server Key to validate server checksum
++ * @param [in] server Key to validate server checksum (or NULL)
+ * @param [in] privsvr Key to validate KDC checksum (or NULL)
+ *
+ * This function validates @a pac against the supplied @a server, @a privsvr,
+ * @a principal and @a authtime. If @a principal is NULL, the principal and
+- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
+- * verified.
++ * authtime are not verified. If @a server or @a privsvr is NULL, the
++ * corresponding checksum is not verified.
+ *
+ * If successful, @a pac is marked as verified.
+ *
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index f173b04..23aa930 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
+ if (server == NULL)
+ return EINVAL;
+
+- ret = k5_pac_verify_server_checksum(context, pac, server);
+- if (ret != 0)
+- return ret;
++ if (server != NULL) {
++ ret = k5_pac_verify_server_checksum(context, pac, server);
++ if (ret != 0)
++ return ret;
++ }
+
+ if (privsvr != NULL) {
+ ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+
+commit e31486a84380647e49ba6199a3e10ac739fa1a45
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Thu Dec 8 04:21:23 2011 +0000
+
+ ticket: 7048
+
+ Actually allow null server key in krb5_pac_verify
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 23aa930..3262d21 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
+ {
+ krb5_error_code ret;
+
+- if (server == NULL)
+- return EINVAL;
+-
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
diff --git a/krb5.spec b/krb5.spec
index 795834d..00aa160 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10
-Release: 0%{?dist}.alpha1.2
+Release: 0%{?dist}.alpha1.3
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
Source0: krb5-%{version}-alpha1.tar.gz
@@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
Patch100: krb5-trunk-7046.patch
Patch101: krb5-trunk-7047.patch
+Patch102: krb5-trunk-7048.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -229,6 +230,7 @@ ln -s NOTICE LICENSE
%patch93 -p1 -b .2011-007
%patch100 -p1 -b .7046
%patch101 -p1 -b .7047
+%patch102 -p1 -b .7048
# XXX Temporary, backported from trunk.
%patch92 -p1 -b .uninit
# XXX Temporary, fixed properly in trunk.
@@ -743,11 +745,16 @@ exit 0
%{_sbindir}/uuserver
%changelog
-* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com>
+* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com> 1.10-0.alpha1.3
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
+ so that the default principal name can be set to that of the client for which
+ it is proxying, which results in the ccache looking more normal to consumers
+ of the ccache that don't care that there's proxying going on
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
(more of #761317)
+- pull in patch for RT#7048: allow PAC verification to only bother trying to
+ verify the signature with keys that it's given (still more of #761317)
* Tue Dec 6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.10-0.alpha1.2
- apply upstream patch to fix a null pointer dereference when processing
More information about the scm-commits
mailing list