From db300d87615ecce3f8bf6795ba9e6b9b3291540b Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: May 27 2016 21:19:24 +0000
Subject: Fix setting of AS key in OTP preauth failure
---
diff --git a/krb5-1.14.3-fix_otp_as_key.patch b/krb5-1.14.3-fix_otp_as_key.patch
new file mode 100644
index 0000000..0a47bf0
--- /dev/null
+++ b/krb5-1.14.3-fix_otp_as_key.patch
@@ -0,0 +1,50 @@
+From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Thu, 26 May 2016 16:54:29 -0400
+Subject: [PATCH] Avoid setting AS key when OTP preauth fails
+
+In otp_client_process(), call cb->set_as_key() later in the function
+after the OTP request has been created. The previous position of this
+call caused the AS key to be replaced even when later code in the
+function failed, preventing other preauth mechanisms from retrieving
+the correct AS key.
+
+ticket: 8421 (new)
+target_version: 1.14-new
+target_version: 1.13-new
+tags: pullup
+---
+ src/lib/krb5/krb/preauth_otp.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
+index d9ddc8b..3de528b 100644
+--- a/src/lib/krb5/krb/preauth_otp.c
++++ b/src/lib/krb5/krb/preauth_otp.c
+@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
+ if (as_key == NULL)
+ return ENOENT;
+
+- /* Use FAST armor key as response key. */
+- retval = cb->set_as_key(context, rock, as_key);
+- if (retval != 0)
+- return retval;
+-
+ /* Attempt to get token selection from the responder. */
+ pin = empty_data();
+ value = empty_data();
+@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
+ if (retval != 0)
+ goto error;
+
++ /* Use FAST armor key as response key. */
++ retval = cb->set_as_key(context, rock, as_key);
++ if (retval != 0)
++ goto error;
++
+ /* Encode the request into the pa_data output. */
+ retval = set_pa_data(req, pa_data_out);
+ error:
+--
+2.8.1
+
diff --git a/krb5.spec b/krb5.spec
index 11b8493..0cc17ce 100644
--- a/krb5.spec
+++ b/krb5.spec
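Review bot: In the embedded preauth_otp.c patch, the relocated `cb->set_as_key(context, rock, as_key)` still runs before `set_pa_data(req, pa_data_out)`, so a failure in that last call would leave the AS key already replaced, which is the state the commit message says keeps other preauth mechanisms from retrieving the correct key. The window is far narrower than before, but set_pa_data() is not shown here and presumably can fail on allocation or encoding, so it is worth confirming that this residual case is accepted or that the key cannot be set after the request is encoded. The moved comment should also carry the ordering rationale, for example `/* Set the AS key only once the request is built; replacing it before a failure leaves other preauth mechanisms with the wrong key. */`, so a later refactor does not move the call back up. otp_client_process() starts and ends outside both inner hunks, so the cleanup under `error:` could not be checked from this page.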
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 5%{?dist} +Release: 6%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -71,6 +71,8 @@ Patch163: krb5-CVE-2016-3119.patch Patch164: krb5-1.15-kdc_send_receive_hooks.patch Patch165: krb5-1.15-kdc_hooks_test.patch +Patch166: krb5-1.14.3-fix_otp_as_key.patch + License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -257,6 +259,8 @@ ln NOTICE LICENSE %patch164 -p1 -b .kdc_send_receive_hooks %patch165 -p1 -b .kdc_hooks_test +%patch166 -p1 -b .fix_otp_as_key + # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -778,7 +782,10 @@ exit 0 %changelog -* Mon Apr 05 2016 Robbie Harwood - 1.14.1-5 +* Fri May 27 2016 Robbie Harwood - 1.14.1-6 +- Fix setting of AS key in OTP preauth failure + +* Tue Apr 05 2016 Robbie Harwood - 1.14.1-5 - Use the correct patches this time. - Resolves: #1321135