[krb5] backport patch from RT#7229

Nalin Dahyabhai nalin at fedoraproject.org
Thu Aug 30 18:22:49 UTC 2012


commit 7f06579f48a238553ed5c22938aa9f1d7574ad49
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Thu Aug 30 14:22:23 2012 -0400

    backport patch from RT#7229
    
    - backport patch to disable replay detection in krb5_verify_init_creds()
      while reading the AP-REQ that's generated in the same function (RT#7229)

 krb5-1.10.2-replay.patch |   17 +++++++++++++++++
 krb5.spec                |    8 +++++++-
 replay.patch             |   31 +++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.10.2-replay.patch b/krb5-1.10.2-replay.patch
new file mode 100644
index 0000000..d6dfff0
--- /dev/null
+++ b/krb5-1.10.2-replay.patch
@@ -0,0 +1,17 @@
+Backport from ticket 7229.
+--- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
++++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
+@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont
+         authcon = NULL;
+     }
+ 
++    /* Build an auth context that won't bother with replay checks -- it's
++     * not as if we're going to mount a replay attack on ourselves here. */
++    if (ret = krb5_auth_con_init(context, &authcon))
++        goto cleanup;
++    if (ret = krb5_auth_con_setflags(context, authcon, 0))
++        goto cleanup;
++
+     /* verify the ap_req */
+ 
+     if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
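Review bot: The added comment in the vfy_increds.c hunk says replay checks are skipped but not how: `krb5_auth_con_setflags(context, authcon, 0)` clears every auth-context flag, and it is presumably the loss of the default `KRB5_AUTH_CONTEXT_DO_TIME` flag that keeps `krb5_rd_req()` from opening a replay cache. I would extend the comment to name the mechanism and the precondition, e.g. `/* Clearing the flags drops KRB5_AUTH_CONTEXT_DO_TIME, so krb5_rd_req() uses no replay cache; safe only because ap_req was built locally in this function. */`. The two `if (ret = ...)` tests also lack the extra parentheses used by the `if ((ret = krb5_rd_req(` line just below, which draws a -Wparentheses warning; `if ((ret = krb5_auth_con_init(context, &authcon)))` would match the surrounding code. The same comment wording is carried in replay.patch, and the function body starts and ends outside the hunk.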
diff --git a/krb5.spec b/krb5.spec
index ef3aa61..812cd1f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -29,7 +29,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -81,6 +81,7 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
+Patch108: krb5-1.10.2-replay.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -269,6 +270,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
+%patch108 -p1 -b .replay
 rm src/lib/krb5/krb/deltat.c
 
 gzip doc/*.ps
@@ -837,6 +839,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu Aug 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-3
+- backport patch to disable replay detection in krb5_verify_init_creds()
+  while reading the AP-REQ that's generated in the same function (RT#7229)
+
 * Thu Aug 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-2
 - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
 - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
diff --git a/replay.patch b/replay.patch
new file mode 100644
index 0000000..193f139
--- /dev/null
+++ b/replay.patch
@@ -0,0 +1,31 @@
+commit f1783431cb8f146095067f5e2531e9155a8787bb
+Author: Nalin Dahyabhai <nalin at dahyabhai.net>
+Date:   Wed Apr 18 14:01:39 2012 -0400
+
+    Turn off replay cache in krb5_verify_init_creds()
+    
+    The library isn't attempting a replay attack on itself, so any detected
+    replays are only going to be false-positives.
+    
+    ticket: 7229 (new)
+
+diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
+index 14acb0a..e88a37f 100644
+--- a/src/lib/krb5/krb/vfy_increds.c
++++ b/src/lib/krb5/krb/vfy_increds.c
+@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
+         authcon = NULL;
+     }
+ 
++    /* Build an auth context that won't bother with replay checks -- it's
++     * not as if we're going to mount a replay attack on ourselves here. */
++    ret = krb5_auth_con_init(context, &authcon);
++    if (ret)
++        goto cleanup;
++    ret = krb5_auth_con_setflags(context, authcon, 0);
++    if (ret)
++        goto cleanup;
++
+     /* Verify the ap_req. */
+     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
+     if (ret)
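Review bot: replay.patch is added to the package repository, but the krb5.spec changes in this commit reference only `Patch108: krb5-1.10.2-replay.patch`, so this file is never applied by the build. It looks like the upstream commit kept for reference: its hunk targets `get_vfy_cred()`, while the backport patches `krb5_verify_init_creds()`. Either drop it from the commit or record the upstream commit id in the header of krb5-1.10.2-replay.patch, e.g. `Backport of upstream commit f1783431cb8f146095067f5e2531e9155a8787bb (ticket 7229).`, so the provenance of this replay-handling change stays with the patch that actually ships.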

