Red Hat Bugzilla – Attachment 576590 Details for
Bug 811375
Use keytab to select etypes for krb5_get_init_creds_keytab()
[patch]
Patch which fixes the problem
0001-Limit-krb5_get_init_creds_keytab-to-etypes-in-keytab.patch (text/plain), 6.78 KB, created by
Stef Walter
on 2012-04-10 20:28:55 UTC
Description:
Patch which fixes the problem
Filename:
MIME Type:
Creator:
Stef Walter
Created:
2012-04-10 20:28:55 UTC
Size:
6.78 KB
patch
obsolete
>From 5c307c4629e9e2ba01efb558d268d0fd9670ff6d Mon Sep 17 00:00:00 2001
>From: Stef Walter <stefw@gnome.org>
>Date: Tue, 10 Apr 2012 22:20:53 +0200
>Subject: [PATCH] Limit krb5_get_init_creds_keytab() to etypes in keytab
>
> * Load the enctypes for the keys in the keytab and pass
> them to krb5_get_init_creds_keytab().
> * This fixes the problem where the server offers a enctype
> that krb5 supports, but we don't have a key for in the keytab.
>
>https://bugzilla.redhat.com/show_bug.cgi?id=811375
>---
> src/providers/krb5/krb5_child.c | 19 +++++++++-
> src/providers/ldap/ldap_child.c | 11 ++++++
> src/util/sss_krb5.c | 78 +++++++++++++++++++++++++++++++++++++++
> src/util/sss_krb5.h | 7 ++++
> 4 files changed, 114 insertions(+), 1 deletion(-)
>
>diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
>index 209643a..142c8ff 100644
>--- a/src/providers/krb5/krb5_child.c
>+++ b/src/providers/krb5/krb5_child.c
>@@ -610,6 +610,13 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
> krb5_error_code kerr = 0;
> krb5_creds creds;
> krb5_get_init_creds_opt options;
>+ krb5_enctype *etype_list;
>+ krb5_error_code krberr;
>+ TALLOC_CTX *memctx;
>+
>+ memctx = talloc_new (NULL);
>+ if (memctx == NULL)
>+ return ENOMEM;
> 
> memset(&creds, 0, sizeof(creds));
> memset(&options, 0, sizeof(options));
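Review bot: The context created by `memctx = talloc_new (NULL);` has no parent, so it is released only by the `talloc_free(memctx)` this patch adds at the `done:` label; any return between this hunk and that label that does not pass through `done:` would leak it, and those lines are not visible here, so that needs checking against the full function. If the function has a caller-supplied parent context available (only `ctx` is visible among its parameters), passing it instead of `NULL` would bind the allocation's lifetime to the caller and remove that class of leak entirely. get_and_save_tgt_with_keytab starts in this hunk but its body continues outside it.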
>@@ -619,6 +626,16 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
> krb5_get_init_creds_opt_set_proxiable(&options, 0);
> krb5_set_canonicalize(&options);
> 
>+ krberr = sss_krb5_read_etypes_for_keytab(memctx, ctx, keytab, princ, &etype_list);
>+ if (krberr) {
>+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to load etypes from keytab: %s\n",
>+ sss_krb5_get_error_message(ctx, krberr)));
>+ } else {
>+ krb5_get_init_creds_opt_set_etype_list (&options, etype_list, talloc_array_length (etype_list));
>+ DEBUG(SSSDBG_FUNC_DATA, ("Loaded %d enctypes from keytab\n",
>+ talloc_array_length (etype_list)));
>+ }
>+
> kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
> &options);
> if (kerr != 0) {
>@@ -635,7 +652,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
> 
> done:
> krb5_free_cred_contents(ctx, &creds);
>-
>+ talloc_free(memctx);
> return kerr;
> 
> }
>diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
>index e66406c..ab91559 100644
>--- a/src/providers/ldap/ldap_child.c
>+++ b/src/providers/ldap/ldap_child.c
>@@ -155,6 +155,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
> krb5_get_init_creds_opt options;
> krb5_error_code krberr;
> krb5_timestamp kdc_time_offset;
>+ krb5_enctype *etype_list;
> int canonicalize = 0;
> int kdc_time_offset_usec;
> int ret;
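Review bot: The `else` branch calls `krb5_get_init_creds_opt_set_etype_list` with whatever list came back, including an empty one: when the keytab holds no valid key for `princ`, `sss_krb5_read_etypes_for_keytab` reallocs its array down to zero elements (which talloc documents as freeing it and returning NULL) and `talloc_array_length` yields 0, so the request is restricted to no enctypes at all and the following `krb5_get_init_creds_keytab` call fails where it previously would have used the library defaults. The ldap_child.c hunk later in this patch guards against exactly that with `} else if (talloc_array_length(etype_list) > 0) {`; the same guard belongs here so the two callers behave the same. Separately, both this hunk and the ldap_child.c one print `talloc_array_length()` (a `size_t`) with `%d`; `%zu` (or an explicit cast) keeps the format and argument types matched. The surrounding function starts and ends outside this hunk.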
>@@ -270,6 +271,16 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
> }
> sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
> 
>+ krberr = sss_krb5_read_etypes_for_keytab(memctx, context, keytab, kprinc, &etype_list);
>+ if (krberr) {
>+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to load etypes from keytab: %s\n",
>+ sss_krb5_get_error_message(context, krberr)));
>+ } else if (talloc_array_length(etype_list) > 0) {
>+ krb5_get_init_creds_opt_set_etype_list (&options, etype_list, talloc_array_length(etype_list));
>+ DEBUG(SSSDBG_FUNC_DATA, ("Loaded %d enctypes from keytab for %s\n",
>+ talloc_array_length(etype_list), full_princ));
>+ }
>+
> krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
> keytab, 0, NULL, &options);
> 
>diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
>index a38a0c1..23a7702 100644
>--- a/src/util/sss_krb5.c
>+++ b/src/util/sss_krb5.c
>@@ -981,3 +981,81 @@ sss_krb5_free_keytab_entry_contents(krb5_context context,
> return krb5_kt_free_entry(context, entry);
> }
> #endif
>+
>+static int
>+compare_etypes (const void *one,
>+ const void *two)
>+{
>+ const krb5_enctype *e1 = one;
>+ const krb5_enctype *e2 = two;
>+
>+ /*
>+ * TODO: Sadly we don't have access to the kerberos function which
>+ * flags weak enctypes. Do we have a better sort criteria here?
>+ */
>+ return (int)*e2 - (int)*e1;
>+}
>+
>+krb5_error_code
>+sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
>+ krb5_context context,
>+ krb5_keytab keytab,
>+ krb5_principal princ,
>+ krb5_enctype **etype_list)
>+{
>+ krb5_kt_cursor cursor;
>+ krb5_keytab_entry entry;
>+ krb5_enctype *etypes = NULL;
>+ int allocated = 0;
>+ int count = 0;
>+ int ret;
>+ int i;
>+
>+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
>+ if (ret != 0)
>+ return ret;
>+
>+ for (;;) {
>+ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
>+ if (ret != 0)
>+ break;
>+
>+ if (!krb5_c_valid_enctype(entry.key.enctype))
>+ continue;
>+ if (!krb5_principal_compare(context, entry.principal, princ))
>+ continue;
>+
>+ /* Already have this one? */
>+ for (i = 0; i < count; i++)
>+ if (entry.key.enctype == etypes[i])
>+ break;
>+ if (i != count)
>+ continue;
>+
>+ /*
>+ * Reallocate and add enctype. When reallocating always reserve
>+ * one for null termination.
>+ */
>+ if (count + 1 >= allocated) {
>+ allocated += 16;
>+ etypes = talloc_realloc(mem_ctx, etypes, krb5_enctype, allocated);
>+ if (etypes == NULL) {
>+ ret = ENOMEM;
>+ break;
>+ }
>+ }
>+ etypes[count++] = entry.key.enctype;
>+ }
>+
>+ krb5_kt_end_seq_get (context, keytab, &cursor);
>+
>+ if (ret == KRB5_KT_END)
>+ ret = 0;
>+ if (ret != 0)
>+ return ret;
>+
>+ /* Sort the weak enctypes last */
>+ qsort(etypes, count, sizeof (*etypes), compare_etypes);
>+ *etype_list = talloc_realloc(mem_ctx, etypes, krb5_enctype, count);
>+ return 0;
>+}
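Review bot: Every `krb5_keytab_entry` returned by `krb5_kt_next_entry` carries a principal and key that the library allocates for the caller, and the loop in `sss_krb5_read_etypes_for_keytab` never releases them: the two `continue` paths and the append path all drop `entry` without calling the `sss_krb5_free_keytab_entry_contents` wrapper that sits directly above this hunk, so one entry leaks per keytab slot on every call. Copying the enctype out and freeing the entry as soon as the enctype and principal checks are done covers all three paths; the rewritten loop body is below. The sort does not do what its comment says either: `compare_etypes` orders by numeric enctype value, which is not a strength ordering (RC4-HMAC, 23, sorts ahead of the AES enctypes 17 and 18), and `(int)*e2 - (int)*e1` can overflow for negative private-range enctypes, so explicit `<`/`>` comparisons returning -1/0/1 would at least be well-defined until a real weakness test is available. Finally, the "reserve one for null termination" comment is stale, since no terminator is ever written and the final `talloc_realloc` to `count` drops the spare slot; with zero matching keys that realloc leaves `*etype_list` NULL, which callers must tolerate.
```c
krb5_error_code
sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
                                krb5_context context,
                                krb5_keytab keytab,
                                krb5_principal princ,
                                krb5_enctype **etype_list)
{
    /* … unchanged: cursor, entry, etypes, allocated, count, ret, i … */
    krb5_enctype etype;
    int wanted;

    /* … unchanged: krb5_kt_start_seq_get … */

    for (;;) {
        ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
        if (ret != 0)
            break;

        /* Copy what we need, then release the entry on every path. */
        etype = entry.key.enctype;
        wanted = krb5_c_valid_enctype(etype)
              && krb5_principal_compare(context, entry.principal, princ);
        sss_krb5_free_keytab_entry_contents(context, &entry);
        if (!wanted)
            continue;

        /* Already have this one? */
        for (i = 0; i < count; i++)
            if (etype == etypes[i])
                break;
        if (i != count)
            continue;

        /* … unchanged: grow etypes by 16 when full, break with ENOMEM on failure … */
        etypes[count++] = etype;
    }
    /* … unchanged: krb5_kt_end_seq_get, KRB5_KT_END handling, sort, final realloc … */
```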
>diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
>index 50c4b69..78a1f91 100644
>--- a/src/util/sss_krb5.h
>+++ b/src/util/sss_krb5.h
>@@ -132,4 +132,11 @@ typedef krb5_ticket_times sss_krb5_ticket_times;
> typedef krb5_times sss_krb5_ticket_times;
> #endif
> 
>+krb5_error_code
>+sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
>+ krb5_context context,
>+ krb5_keytab keytab,
>+ krb5_principal princ,
>+ krb5_enctype **etype_list);
>+
> #endif /* __SSS_KRB5_H__ */
>--
>1.7.9.3
>
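Review bot: The new prototype is exported with no contract comment, and this function has semantics a caller cannot guess from the signature: the result is a talloc array on `mem_ctx` whose length is only recoverable through `talloc_array_length()`, it carries no terminator, and it is NULL when the keytab has no valid key for `princ`. A comment above the declaration along the lines of `/* Collect the distinct enctypes of the keys in keytab that belong to princ, sorted by descending enctype number. On success *etype_list is a talloc array on mem_ctx (NULL when none match; size via talloc_array_length()). Returns 0, a krb5 error code, or ENOMEM. */` would give callers what they need and keep the two existing call sites from diverging on the empty-list case.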