[krb5] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063)
Nathaniel McCallum
npmccallum at fedoraproject.org
Tue Feb 3 16:48:20 UTC 2015
commit 7188a346bd389a9c74c04c47664fd3f903a344ce
Author: Nathaniel McCallum <nathaniel at themccallums.org>
Date: Tue Feb 3 17:48:30 2015 +0100
Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063)
...upport-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch | 142 ++++++++++++++++++++
krb5.spec | 7 +-
2 files changed, 148 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch b/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
new file mode 100644
index 0000000..7757885
--- /dev/null
+++ b/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
@@ -0,0 +1,142 @@
+From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum at redhat.com>
+Date: Sun, 25 Jan 2015 16:53:49 -0500
+Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
+
+Add support for multi-hop preauth mechs.
+
+In the KDC, allow kdcpreauth modules to return
+KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
+
+In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
+modules can use the modreq parameter to distinguish between the first
+and subsequent KDC messages. We assume that the error padata will
+include an element of the preauth mech's type, or at least of a type
+recognized by the clpreauth module.
+
+Also reset the list of previously attempted preauth types for both
+kinds of errors. That list is really only appropriate for retrying
+after a failed preauth attempt, which we don't currently do. Add an
+intermediate variable for the reply code to avoid a long conditional
+expression.
+
+[ghudson at mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
+function; clarify commit message]
+
+ticket: 8063 (new)
+---
+ doc/plugindev/clpreauth.rst | 6 +++---
+ src/include/k5-int.h | 1 +
+ src/kdc/kdc_preauth.c | 2 ++
+ src/lib/krb5/error_tables/krb5_err.et | 2 +-
+ src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
+ 5 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst
+index c3e7298..38aa52e 100644
+--- a/doc/plugindev/clpreauth.rst
++++ b/doc/plugindev/clpreauth.rst
+@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for:
+ just returns ``PA_REAL``, indicating that it implements a normal
+ preauthentication type.
+
+-* Examining the padata information included in the preauth_required
+- error and producing padata values for the next AS request. This is
+- done with the **process** method.
++* Examining the padata information included in a PREAUTH_REQUIRED or
++ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
++ next AS request. This is done with the **process** method.
+
+ * Examining the padata information included in a successful ticket
+ reply, possibly verifying the KDC identity and computing a reply
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index a1ea25a..4868e7d 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -391,6 +391,7 @@ typedef unsigned char u_char;
+ not find a KDC */
+ #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
+ to the IAKERB proxy */
++#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
+ #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
+
+ /*
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 50cc252..dd83844 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code)
+ case KRB5KDC_ERR_DISCARD:
+ /* pkinit alg-agility */
+ case KRB5KDC_ERR_NO_ACCEPTABLE_KDF:
++ /* rfc 6113 */
++ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
+ (*oldrespond)(oldarg, code);
+ return;
+ default:
+diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
+index 5c6f10b..7ba7c1e 100644
+--- a/src/lib/krb5/error_tables/krb5_err.et
++++ b/src/lib/krb5/error_tables/krb5_err.et
+@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
+ error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
+ error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
+ error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
+-error_code KRB5PLACEHOLD_91, "KRB5 error code 91"
++error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
+ error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
+ error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
+ error_code KRB5PLACEHOLD_94, "KRB5 error code 94"
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index f9bc027..fa8afcc 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context,
+ clear_cc_config_out_data(context, ctx);
+
+ if (ctx->err_reply == NULL) {
+- /* either our first attempt, or retrying after PREAUTH_NEEDED */
++ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
++ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
+ code = k5_preauth(context, ctx, ctx->preauth_to_use,
+ ctx->preauth_required, &ctx->request->padata,
+ &ctx->selected_preauth_type);
+@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context,
+ krb5_preauthtype kdc_pa_type;
+ krb5_boolean retry = FALSE;
+ int canon_flag = 0;
++ uint32_t reply_code;
+ krb5_keyblock *strengthen_key = NULL;
+ krb5_keyblock encrypting_key;
+ krb5_boolean fast_avail;
+@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context,
+ &retry);
+ if (code != 0)
+ goto cleanup;
++ reply_code = ctx->err_reply->error;
+ if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
+ ctx->have_restarted = 1;
+ k5_preauth_request_context_fini(context);
+@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context,
+ ctx->err_reply = NULL;
+ krb5_free_pa_data(context, ctx->err_padata);
+ ctx->err_padata = NULL;
+- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+- retry) {
++ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
++ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
+ /* reset the list of preauth types to try */
++ k5_reset_preauth_types_tried(context);
+ krb5_free_pa_data(context, ctx->preauth_to_use);
+ ctx->preauth_to_use = ctx->err_padata;
+ ctx->err_padata = NULL;
+@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context,
+ code = 0;
+ } else {
+ /* error + no hints = give up */
+- code = (krb5_error_code)ctx->err_reply->error +
+- ERROR_TABLE_BASE_krb5;
++ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
+ }
+ }
+
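Review bot: In the get_in_tkt.c part of this patch, a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED reply now takes the same branch as KDC_ERR_PREAUTH_REQUIRED and additionally calls `k5_reset_preauth_types_tried(context)`, so every such reply restarts preauth selection with an empty tried-list; the only thing limiting a KDC that answers each request with this code is whatever AS round-trip bound init_creds_step already enforces, which is outside this hunk and should be confirmed to cover this branch. A comment at the reset would make the reliance explicit, e.g. `/* Resetting is safe here only because the step loop bounds the number of AS round trips. */`. Both init_creds_step_request and init_creds_step_reply start and end outside the hunk, so the declaration of `reply_code` and its first use at `reply_code = ctx->err_reply->error;` sit under an enclosing NULL check that cannot be seen here. Minor style point: `uint32_t reply_code` could be `krb5_ui_4 reply_code` to match what appears to be the type of ctx->err_reply->error elsewhere in the file.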
diff --git a/krb5.spec b/krb5.spec
index bd08d06..e0dd903 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.13
-Release: 5%{?dist}
+Release: 6%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -97,6 +97,7 @@ Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
Patch139: krb5-1.13_kinit_C_loop_krb5bug243.patch
+Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -321,6 +322,7 @@ ln NOTICE LICENSE
%patch137 -p1
%patch138 -p1
%patch139 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
+%patch140 -p1
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -993,6 +995,9 @@ exit 0
%changelog
+* Mon Feb 02 2015 Nathaniel McCallum <npmccallum at redhat.com>
+- Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063)
+
* Mon Jan 26 2015 Roland Mainz <rmainz at redhat.com> - 1.13-5
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
loop on principal unknown errors").