[krb5/f16-s4u] - backport patch for RT#7046: tag a ccache containing credentials obtained via S4U2Proxy with the pr
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Dec 13 18:30:17 UTC 2011
commit 22053d7231013e3dcd845b1d6d82208fea5e7bfa
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Tue Dec 13 13:28:05 2011 -0500
- backport patch for RT#7046: tag a ccache containing credentials obtained via S4U2Proxy with the principal name of the proxying principal (part of #761317) so that the default principal name can be set to that of the client for which it is proxying, which results in the ccache looking more normal to consumers of the ccache that don't care that there's proxying going on
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached (more of #761317)
- pull in patch for RT#7048: allow PAC verification to only bother trying to verify the signature with keys that it's given (still more of #761317)
krb5-1.9-7046.patch | 306 +++++++++++++++++++++++++++++++++++++++++++++++++
krb5-1.9-7048.patch | 60 ++++++++++
krb5-trunk-7047.patch | 28 +++++
krb5.spec | 19 +++-
4 files changed, 412 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.9-7046.patch b/krb5-1.9-7046.patch
new file mode 100644
index 0000000..ca2e7e8
--- /dev/null
+++ b/krb5-1.9-7046.patch
@@ -0,0 +1,306 @@
+Adjusted for 1.9. Original commit message:
+
+commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Dec 7 19:38:13 2011 +0000
+
+ ticket: 7046
+ subject: Allow S4U2Proxy delegated credentials to be saved
+
+ The initial implementation of client-side S4U2Proxy support did not
+ allow delegated proxy credentials to be stored (gss_store_cred would
+ error out, and gss_krb5_copy_ccache would generate a non-working
+ cache). To make this work, we save the impersonator name in a cache
+ config variable and in a cred structure field (replacing the
+ proxy_cred flag), and make the default principal of the proxy cache
+ the subject principal as the caller would expect for a regular
+ delegated cred.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 514e2ea..b25c159 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
+ #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
+ #define KRB5_CONF_V4_REALM "v4_realm"
+ #define KRB5_CONF_ASTERISK "*"
++
++/* Cache configuration variables */
+ #define KRB5_CONF_FAST_AVAIL "fast_avail"
++#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
+
+ /* Error codes used in KRB_ERROR protocol messages.
+ Return values of library routines are based on a different error table
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index c815b35..c08e059 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -212,6 +212,34 @@
+ }
+ #endif /* LEAN_CLIENT */
+
++/* If an impersonator config entry exists in ccache, set *impersonator_out to
++ * the parsed principal. Otherwise set *impersonator_out to NULL. */
++static krb5_error_code
++get_impersonator(krb5_context context, krb5_ccache ccache,
++ krb5_principal *impersonator_out)
++{
++ krb5_error_code code;
++ krb5_data data = empty_data(), data0 = empty_data();
++
++ *impersonator_out = NULL;
++
++ code = krb5_cc_get_config(context, ccache, NULL,
++ KRB5_CONF_PROXY_IMPERSONATOR, &data);
++ if (code)
++ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
++
++ code = krb5int_copy_data_contents_add0(context, &data, &data0);
++ if (code)
++ goto cleanup;
++
++ code = krb5_parse_name(context, data0.data, impersonator_out);
++
++cleanup:
++ krb5_free_data_contents(context, &data);
++ krb5_free_data_contents(context, &data0);
++ return code;
++}
++
+ /* get credentials corresponding to the default credential cache.
+ If successful, set the ccache-specific fields in cred.
+ */
+@@ -490,6 +518,13 @@
+ }
+ }
+
++ code = get_impersonator(context, ccache, &cred->impersonator);
++ if (code != 0) {
++ krb5_cc_close(context, ccache);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
+ /* the credentials match and are valid */
+
+ cred->ccache = ccache;
+@@ -541,6 +576,7 @@
+
+ cred->usage = args->cred_usage;
+ cred->name = NULL;
++ cred->impersonator = NULL;
+ cred->iakerb_mech = args->iakerb;
+ cred->default_identity = (args->desired_name == GSS_C_NO_NAME);
+ #ifndef LEAN_CLIENT
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 016a2e6..6b7d530 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
+ /* name/type of credential */
+ gss_cred_usage_t usage;
+ krb5_gss_name_t name;
+- unsigned int proxy_cred : 1;
++ krb5_principal impersonator;
+ unsigned int default_identity : 1;
+ unsigned int iakerb_mech : 1;
+ unsigned int destroy_ccache : 1;
+diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
+index 1b8120c..d7b9ffa 100644
+--- a/src/lib/gssapi/krb5/init_sec_context.c
++++ b/src/lib/gssapi/krb5/init_sec_context.c
+@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
+ krb5_error_code code;
+ krb5_creds in_creds, evidence_creds, *result_creds = NULL;
+ krb5_flags flags = 0;
+- krb5_principal cc_princ = NULL;
+
+ *out_creds = NULL;
+
+@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
+
+ assert(cred->name != NULL);
+
+- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
+- goto cleanup;
+-
+ /*
+ * Do constrained delegation if we have proxy credentials and
+ * we're not trying to get a ticket to ourselves (in which case
+ * we can just use the S4U2Self or evidence ticket directly).
+ */
+- if (cred->proxy_cred &&
+- !krb5_principal_compare(context, cc_princ, server->princ)) {
++ if (cred->impersonator &&
++ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
+ krb5_creds mcreds;
+
+ flags |= KRB5_GC_CANONICALIZE |
+@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
+ memset(&mcreds, 0, sizeof(mcreds));
+
+ mcreds.magic = KV5M_CREDS;
+- mcreds.times.endtime = cred->tgt_expire;
+- mcreds.server = cc_princ;
++ mcreds.server = cred->impersonator;
+ mcreds.client = cred->name->princ;
+
+ code = krb5_cc_retrieve_cred(context, cred->ccache,
+- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
+- &mcreds,
++ KRB5_TC_MATCH_AUTHDATA, &mcreds,
+ &evidence_creds);
+ if (code)
+ goto cleanup;
+
+ assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
+
+- in_creds.client = cc_princ;
++ in_creds.client = cred->impersonator;
+ in_creds.second_ticket = evidence_creds.ticket;
+ } else {
+ in_creds.client = cred->name->princ;
+@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
+
+ cleanup:
+ krb5_free_authdata(context, in_creds.authdata);
+- krb5_free_principal(context, cc_princ);
+ krb5_free_cred_contents(context, &evidence_creds);
+ krb5_free_creds(context, result_creds);
+
+diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
+index 5b2ea2f..4fd3694 100644
+--- a/src/lib/gssapi/krb5/rel_cred.c
++++ b/src/lib/gssapi/krb5/rel_cred.c
+@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
+
++ krb5_free_principal(context, cred->impersonator);
++
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
+
+diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
+index 4ac2ce3..4b37c5a 100644
+--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
++++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
+@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+
+ }
+
++/*
++ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
++ * creds, setting a cache config variable with the impersonator principal name,
++ * and saving the impersonator principal name in the cred structure.
++ */
++static krb5_error_code
++make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
++ krb5_gss_cred_id_t impersonator_cred)
++{
++ krb5_error_code code;
++ krb5_data data;
++ char *str;
++
++ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
++ cred->ccache);
++ if (code)
++ return code;
++
++ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
++ if (code)
++ return code;
++
++ data = string2data(str);
++ code = krb5_cc_set_config(context, cred->ccache, NULL,
++ KRB5_CONF_PROXY_IMPERSONATOR, &data);
++ krb5_free_unparsed_name(context, str);
++ if (code)
++ return code;
++
++ return krb5_copy_principal(context, impersonator_cred->name->princ,
++ &cred->impersonator);
++}
++
+ OM_uint32
+ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ krb5_gss_cred_id_t impersonator_cred,
+@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+
+ if (!kg_is_initiator_cred(impersonator_cred) ||
+ impersonator_cred->name == NULL ||
+- impersonator_cred->proxy_cred) {
++ impersonator_cred->impersonator != NULL) {
+ code = G_BAD_USAGE;
+ goto cleanup;
+ }
+@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ if (code != 0)
+ goto cleanup;
+
+- /*
+- * Only return a "proxy" credential for use with constrained
+- * delegation if the subject credentials are forwardable.
+- * Submitting non-forwardable credentials to the KDC for use
+- * with constrained delegation will only return an error.
+- */
+ cred->usage = GSS_C_INITIATE;
+- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
+
+ cred->tgt_expire = impersonator_cred->tgt_expire;
+
+@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
+ goto cleanup;
+ cred->destroy_ccache = 1;
+
+- code = krb5_cc_initialize(context, cred->ccache,
+- cred->proxy_cred ? impersonator_cred->name->princ :
+- subject_creds->client);
++ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
+ if (code != 0)
+ goto cleanup;
+
+- if (cred->proxy_cred) {
+- /* Impersonator's TGT will be necessary for S4U2Proxy */
+- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+- cred->ccache);
++ /*
++ * Only return a "proxy" credential for use with constrained
++ * delegation if the subject credentials are forwardable.
++ * Submitting non-forwardable credentials to the KDC for use
++ * with constrained delegation will only return an error.
++ */
++ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
++ code = make_proxy_cred(context, cred, impersonator_cred);
+ if (code != 0)
+ goto cleanup;
+ }
+diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
+index bff3cde..d587589 100644
+--- a/src/lib/gssapi/krb5/store_cred.c
++++ b/src/lib/gssapi/krb5/store_cred.c
+@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
+
+ kcred = (krb5_gss_cred_id_t)input_cred_handle;
+
+- if (kcred->ccache == NULL || kcred->proxy_cred) {
++ if (kcred->ccache == NULL) {
+ *minor_status = KG_CCACHE_NOMATCH;
+ major_status = GSS_S_DEFECTIVE_CREDENTIAL;
+ goto cleanup;
+diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
+index e87f249..46a9ae1 100644
+--- a/src/lib/gssapi/krb5/val_cred.c
++++ b/src/lib/gssapi/krb5/val_cred.c
+@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
+ *minor_status = code;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+- if (!cred->proxy_cred &&
+- !krb5_principal_compare(context, princ, cred->name->princ)) {
++ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
diff --git a/krb5-1.9-7048.patch b/krb5-1.9-7048.patch
new file mode 100644
index 0000000..7d3e2df
--- /dev/null
+++ b/krb5-1.9-7048.patch
@@ -0,0 +1,60 @@
+Portions updating comments in krb5.hin removed because they weren't there
+in 1.9. The rest is unchanged from trunk.
+
+commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Dec 7 19:38:32 2011 +0000
+
+ ticket: 7048
+ subject: Allow null server key to krb5_pac_verify
+
+ When the KDC verifies a PAC, it doesn't really need to check the
+ server signature, since it can't trust that anyway. Allow the caller
+ to pass only a TGT key.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index f173b04..23aa930 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
+ if (server == NULL)
+ return EINVAL;
+
+- ret = k5_pac_verify_server_checksum(context, pac, server);
+- if (ret != 0)
+- return ret;
++ if (server != NULL) {
++ ret = k5_pac_verify_server_checksum(context, pac, server);
++ if (ret != 0)
++ return ret;
++ }
+
+ if (privsvr != NULL) {
+ ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+
+commit e31486a84380647e49ba6199a3e10ac739fa1a45
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Thu Dec 8 04:21:23 2011 +0000
+
+ ticket: 7048
+
+ Actually allow null server key in krb5_pac_verify
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 23aa930..3262d21 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
+ {
+ krb5_error_code ret;
+
+- if (server == NULL)
+- return EINVAL;
+-
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
diff --git a/krb5-trunk-7047.patch b/krb5-trunk-7047.patch
new file mode 100644
index 0000000..381449b
--- /dev/null
+++ b/krb5-trunk-7047.patch
@@ -0,0 +1,28 @@
+commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Dec 7 19:38:22 2011 +0000
+
+ ticket: 7047
+ subject: Allow S4U2Proxy service tickets to be cached
+
+ Previous to this change, the GSS code avoids caching S4U2Proxy results
+ for fear of the memory cache growing without bound, but that seems
+ unlikely to be a serious problem. Allow these to be cached.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
+index d7b9ffa..07baefa 100644
+--- a/src/lib/gssapi/krb5/init_sec_context.c
++++ b/src/lib/gssapi/krb5/init_sec_context.c
+@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
+ krb5_creds mcreds;
+
+- flags |= KRB5_GC_CANONICALIZE |
+- KRB5_GC_NO_STORE |
+- KRB5_GC_CONSTRAINED_DELEGATION;
++ flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION;
+
+ memset(&mcreds, 0, sizeof(mcreds));
+
diff --git a/krb5.spec b/krb5.spec
index b0c6ed3..75dd79b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.2
-Release: 4%{?dist}
+Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -61,6 +61,9 @@ Patch87: krb5-1.9.1-sendto_poll2.patch
Patch89: krb5-1.9.1-sendto_poll3.patch
Patch90: krb5-1.9-aes-hmac.patch
Patch91: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
+Patch100: krb5-1.9-7046.patch
+Patch101: krb5-trunk-7047.patch
+Patch102: krb5-1.9-7048.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -219,6 +222,9 @@ ln -s NOTICE LICENSE
%patch89 -p1 -b .sendto_poll3
%patch90 -p1 -b .aes-hmac
%patch91 -p1 -b .2011-007
+%patch100 -p1 -b .7046
+%patch101 -p1 -b .7047
+%patch102 -p1 -b .7048
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -697,6 +703,17 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Dec 13 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-5
+- backport patch for RT#7046: tag a ccache containing credentials obtained via
+ S4U2Proxy with the principal name of the proxying principal (part of #761317)
+ so that the default principal name can be set to that of the client for which
+ it is proxying, which results in the ccache looking more normal to consumers
+ of the ccache that don't care that there's proxying going on
+- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
+ (more of #761317)
+- backport patch for RT#7048: allow PAC verification to only bother trying to
+ verify the signature with keys that it's given (still more of #761317)
+
* Tue Dec 6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-4
- apply upstream patch to fix a null pointer dereference when processing
TGS requests (CVE-2011-1530, #753748)
More information about the scm-commits
mailing list