[krb5/f21] Backport skipping kpasswd reply address checks

Nalin Dahyabhai nalin at fedoraproject.org
Fri Sep 5 22:19:13 UTC 2014


commit f69697ba82697909efed00f34c51901f881e1989
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Fri Sep 5 15:45:38 2014 -0400

    Backport skipping kpasswd reply address checks
    
    - backport patch to make the client skip checking the server's reply
      address when processing responses to password-change requests, which,
      between NAT and upcoming HTTPS support, can cause us to erroneously
      report an error to the user when the server actually reported success
      (RT #7886)

 krb5-1.12-kpasswd-skip-address-check.patch |   55 ++++++++++++++++++++++++++++
 krb5.spec                                  |   12 ++++++-
 2 files changed, 66 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.12-kpasswd-skip-address-check.patch b/krb5-1.12-kpasswd-skip-address-check.patch
new file mode 100644
index 0000000..9873b93
--- /dev/null
+++ b/krb5-1.12-kpasswd-skip-address-check.patch
@@ -0,0 +1,55 @@
+commit b562400826409deceb0d52ffbe6570670ee9db55
+Author: Nalin Dahyabhai <nalin at dahyabhai.net>
+Date:   Wed Oct 9 15:03:16 2013 -0400
+
+    Don't check kpasswd reply address
+    
+    Don't check the address of the kpasswd server when parsing the reply
+    we received from it.  If the server's address was modified by a proxy
+    or other network element, the user will be incorrectly warned that the
+    password change failed when it succeeded.  The check is unnecessary as
+    the kpasswd protocol is not subject to a reflection attack.
+    
+    [ghudson at mit.edu: edit commit message]
+    
+    ticket: 7886 (new)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index 462910f..4d8abd9 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
+                     krb5_data *result_string)
+ {
+     krb5_data                   chpw_rep;
+-    krb5_address                remote_kaddr;
+     krb5_boolean                use_tcp = 0;
+     GETSOCKNAME_ARG3_TYPE       addrlen;
+     krb5_error_code             code = 0;
+@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
+             break;
+         }
+ 
+-        if (remote_addr.ss_family == AF_INET) {
+-            remote_kaddr.addrtype = ADDRTYPE_INET;
+-            remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+-            remote_kaddr.contents =
+-                (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+-        } else if (remote_addr.ss_family == AF_INET6) {
+-            remote_kaddr.addrtype = ADDRTYPE_INET6;
+-            remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+-            remote_kaddr.contents =
+-                (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+-        } else {
+-            break;
+-        }
+-
+-        if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
+-                                           callback_ctx.auth_context,
+-                                           NULL,
+-                                           &remote_kaddr)))
+-            break;
+-
+         code = krb5int_rd_chpw_rep(callback_ctx.context,
+                                    callback_ctx.auth_context,
+                                    &chpw_rep, &local_result_code,
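Review bot: The deletion of the `remote_kaddr` block leaves `remote_addr` (declared outside this hunk) and the `addrlen` declaration kept at the `GETSOCKNAME_ARG3_TYPE addrlen;` line apparently only ever filled in by the send call and never read, so they are presumably dead now; if the build does not warn, consider removing them in the same patch rather than leaving the reply address fetched for no reason. The reply is still processed through `krb5int_rd_chpw_rep` with the same `auth_context`, so what is dropped is only the binding of the KRB-PRIV remote address to the socket peer, not the integrity check on the reply itself; that rationale lives only in the commit message, so a comment where the block was removed would help the next maintainer, e.g. `/* The reply is not bound to the peer address: NAT and proxies can rewrite it, and the reply is still verified under auth_context below. */`. The enclosing function change_set_password begins and ends outside this hunk, and this file is itself a patch, so the nested hunk offsets apply to src/lib/krb5/os/changepw.c, not to this repository.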
diff --git a/krb5.spec b/krb5.spec
index 56c43ab..393c0c2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -108,6 +108,7 @@ Patch204: 0004-Make-ksu-respect-the-default_ccache_name-setting.patch
 Patch205: 0005-Copy-config-entries-to-the-ksu-target-ccache.patch
 Patch206: 0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
 Patch207: 0007-Make-krb5_cc_new_unique-create-DIR-directories.patch
+Patch300: krb5-1.12-kpasswd-skip-address-check.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
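Review bot: The new `Patch300:` line carries no provenance, unlike the commit message which names the upstream commit, so a reader of the spec cannot tell this is a backport of an already-merged upstream change without opening the patch file. A one-line comment above it would close that gap: `# backport of upstream commit b562400826409deceb0d52ffbe6570670ee9db55 (RT #7886)`. The jump from the Patch207 series to 300 also reads as a new numbering range; if that is intentional a short comment saying which range is for post-1.12.2 backports would help.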
@@ -318,6 +319,8 @@ ln -s NOTICE LICENSE
 %patch206 -p1 -b .Use-more-randomness-for-ksu-secondary-cache-names
 %patch207 -p1 -b .Make-krb5_cc_new_unique-create-DIR-directories
 
+%patch300 -p1 -b .kpasswd-skip-address-check
+
 %patch1 -p1 -b .pwdch-fast
 
 %patch60 -p1 -b .pam
@@ -1027,6 +1030,13 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Sep  5 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.12.2-6
+- backport patch to make the client skip checking the server's reply
+  address when processing responses to password-change requests, which
+  between NAT and upcoming HTTPS support, can cause us to erroneously
+  report an error to the user when the server actually reported success
+  (RT #7886)
+
 * Thu Aug 28 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.12.2-5
 - backport fix for trying all compatible keys when not being strict about
   acceptor names while reading AP-REQs (RT#7883, #1078888)

