[krb5] - pull in patch for RT#7048: allow PAC verification to only bother trying to verify the signature

Nalin Dahyabhai nalin at fedoraproject.org
Tue Dec 13 15:50:24 UTC 2011 

commit f28b57af20bf9c114ddc033d31eb3b706967bd5f
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Tue Dec 13 10:50:02 2011 -0500

    - pull in patch for RT#7048: allow PAC verification to only bother trying to
      verify the signature with keys that it's given (still more of #761317)

 krb5-trunk-7048.patch |   78 +++++++++++++++++++++++++++++++++++++++++++++++++
 krb5.spec             |   11 +++++-
 2 files changed, 87 insertions(+), 2 deletions(-)
---
diff --git a/krb5-trunk-7048.patch b/krb5-trunk-7048.patch
new file mode 100644
index 0000000..0399565
--- /dev/null
+++ b/krb5-trunk-7048.patch
@@ -0,0 +1,78 @@
+commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Wed Dec 7 19:38:32 2011 +0000
+
+    ticket: 7048
+    subject: Allow null server key to krb5_pac_verify
+    
+    When the KDC verifies a PAC, it doesn't really need to check the
+    server signature, since it can't trust that anyway.  Allow the caller
+    to pass only a TGT key.
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index f3d0225..83c2dc7 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
+  * @param [in] pac              PAC handle
+  * @param [in] authtime         Expected timestamp
+  * @param [in] principal        Expected principal name (or NULL)
+- * @param [in] server           Key to validate server checksum
++ * @param [in] server           Key to validate server checksum (or NULL)
+  * @param [in] privsvr          Key to validate KDC checksum (or NULL)
+  *
+  * This function validates @a pac against the supplied @a server, @a privsvr,
+  * @a principal and @a authtime.  If @a principal is NULL, the principal and
+- * authtime are not verified.  If @a privsvr is NULL, the KDC checksum is not
+- * verified.
++ * authtime are not verified.  If @a server or @a privsvr is NULL, the
++ * corresponding checksum is not verified.
+  *
+  * If successful, @a pac is marked as verified.
+  *
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index f173b04..23aa930 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
+     if (server == NULL)
+         return EINVAL;
+ 
+-    ret = k5_pac_verify_server_checksum(context, pac, server);
+-    if (ret != 0)
+-        return ret;
++    if (server != NULL) {
++        ret = k5_pac_verify_server_checksum(context, pac, server);
++        if (ret != 0)
++            return ret;
++    }
+ 
+     if (privsvr != NULL) {
+         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+
+commit e31486a84380647e49ba6199a3e10ac739fa1a45
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Thu Dec 8 04:21:23 2011 +0000
+
+    ticket: 7048
+    
+    Actually allow null server key in krb5_pac_verify
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 23aa930..3262d21 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
+ {
+     krb5_error_code ret;
+ 
+-    if (server == NULL)
+-        return EINVAL;
+-
+     if (server != NULL) {
+         ret = k5_pac_verify_server_checksum(context, pac, server);
+         if (ret != 0)
diff --git a/krb5.spec b/krb5.spec
index 795834d..00aa160 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10
-Release: 0%{?dist}.alpha1.2
+Release: 0%{?dist}.alpha1.3
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
 Source0: krb5-%{version}-alpha1.tar.gz
@@ -61,6 +61,7 @@ Patch92: krb5-1.10-alpha1-uninit.patch
 Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
 Patch100: krb5-trunk-7046.patch
 Patch101: krb5-trunk-7047.patch
+Patch102: krb5-trunk-7048.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -229,6 +230,7 @@ ln -s NOTICE LICENSE
 %patch93 -p1 -b .2011-007
 %patch100 -p1 -b .7046
 %patch101 -p1 -b .7047
+%patch102 -p1 -b .7048
 # XXX Temporary, backported from trunk.
 %patch92 -p1 -b .uninit
 # XXX Temporary, fixed properly in trunk.
@@ -743,11 +745,16 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
-* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com>
+* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com> 1.10-0.alpha1.3
 - pull in patch for RT#7046: tag a ccache containing credentials obtained via
   S4U2Proxy with the principal name of the proxying principal (part of #761317)
+  so that the default principal name can be set to that of the client for which
+  it is proxying, which results in the ccache looking more normal to consumers
+  of the ccache that don't care that there's proxying going on
 - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
   (more of #761317)
+- pull in patch for RT#7048: allow PAC verification to only bother trying to
+  verify the signature with keys that it's given (still more of #761317)
 
 * Tue Dec  6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.10-0.alpha1.2
 - apply upstream patch to fix a null pointer dereference when processing

More information about the scm-commits mailing list