diff --git a/krb5-1.15-kdc_hooks_test.patch b/krb5-1.15-kdc_hooks_test.patch new file mode 100644 index 0000000..1c3a1c6 --- /dev/null +++ b/krb5-1.15-kdc_hooks_test.patch @@ -0,0 +1,379 @@ +From 117f6e415238b507a42cbc3ccdb45ad8408bfdfd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 7 Mar 2016 17:59:07 +0100 +Subject: [PATCH] Add tests for send and receive sendto_kdc hooks + +[ghudson@mit.edu: style changes] + +ticket: 8386 +--- + .gitignore | 1 + + src/tests/Makefile.in | 18 ++-- + src/tests/deps | 10 ++ + src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/tests/t_hooks.py | 9 ++ + 5 files changed, 284 insertions(+), 7 deletions(-) + create mode 100644 src/tests/hooks.c + create mode 100755 src/tests/t_hooks.py + +diff --git a/.gitignore b/.gitignore +index d424019..fdc62f9 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -361,6 +361,7 @@ local.properties + /src/tests/etinfo + /src/tests/gcred + /src/tests/hist ++/src/tests/hooks + /src/tests/hrealm + /src/tests/icred + /src/tests/kdbtest +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index 4ab8e6e..d060513 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -6,10 +6,10 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ + RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ + LC_ALL=C $(VALGRIND) + +-OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o icred.o kdbtest.o localauth.o \ +- plugorder.o rdreq.o responder.o s2p.o s4u2proxy.o +-EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c icred.c kdbtest.c \ +- localauth.c plugorder.c rdreq.o responder.c s2p.c s4u2proxy.c ++OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o icred.o kdbtest.o \ ++ localauth.o plugorder.o rdreq.o responder.o s2p.o s4u2proxy.o ++EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c icred.c \ ++ kdbtest.c localauth.c plugorder.c rdreq.o responder.c s2p.c s4u2proxy.c + + TEST_DB = ./testdb + TEST_REALM = FOO.TEST.REALM +@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS) + hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) + ++hooks: hooks.o $(KRB5_BASE_DEPLIBS) ++ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS) ++ + hrealm: hrealm.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS) + +@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f + $(RM) $(TEST_DB)* stash_file + +-check-pytests:: adata etinfo gcred hist hrealm icred kdbtest localauth ++check-pytests:: adata etinfo gcred hist hooks hrealm icred kdbtest localauth + check-pytests:: plugorder rdreq responder s2p s4u2proxy unlockiter + $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS) +@@ -159,7 +163,7 @@ check-pytests:: plugorder rdreq responder s2p s4u2proxy unlockiter + $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) + + clean:: +- $(RM) adata etinfo gcred hist hrealm icred kdbtest localauth plugorder +- $(RM) rdreq responder s2p s4u2proxy krb5.conf kdc.conf ++ $(RM) adata etinfo gcred hist hooks hrealm icred kdbtest localauth ++ $(RM) plugorder rdreq responder s2p s4u2proxy krb5.conf kdc.conf + $(RM) -rf kdc_realm/sandbox ldap + $(RM) au.log +diff --git a/src/tests/deps b/src/tests/deps +index d280026..55df1a7 100644 +--- a/src/tests/deps ++++ b/src/tests/deps +@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + hist.c ++$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ ++ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ ++ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ ++ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ ++ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ ++ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ ++ $(top_srcdir)/include/socket-utils.h hooks.c + $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +diff --git a/src/tests/hooks.c b/src/tests/hooks.c +new file mode 100644 +index 0000000..fabdb89 +--- /dev/null ++++ b/src/tests/hooks.c +@@ -0,0 +1,253 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* tests/hooks.c - test harness for KDC send and recv hooks */ ++/* ++ * Copyright (C) 2016 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "k5-int.h" ++ ++static krb5_context ctx; ++ ++static void ++check_code(krb5_error_code code, const char *file, int line) ++{ ++ const char *errmsg; ++ ++ if (code) { ++ errmsg = krb5_get_error_message(ctx, code); ++ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg, ++ (int)code); ++ krb5_free_error_message(ctx, errmsg); ++ exit(1); ++ } ++} ++ ++#define check(code) check_code((code), __FILE__, __LINE__) ++ ++/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */ ++static krb5_error_code ++test_send_as_req(krb5_context context, void *data, const krb5_data *realm, ++ const krb5_data *message, krb5_data **new_message_out, ++ krb5_data **reply_out) ++{ ++ krb5_kdc_req *as_req; ++ int cmp; ++ ++ assert(krb5_is_as_req(message)); ++ check(decode_krb5_as_req(message, &as_req)); ++ ++ assert(as_req->msg_type == KRB5_AS_REQ); ++ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE); ++ assert(as_req->client->realm.length == realm->length); ++ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length); ++ assert(cmp == 0); ++ ++ /* Remove the canonicalize flag and create a new message. */ ++ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE; ++ check(encode_krb5_as_req(as_req, new_message_out)); ++ ++ krb5_free_kdc_req(context, as_req); ++ return 0; ++} ++ ++/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */ ++static krb5_error_code ++test_recv_as_rep(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ krb5_kdc_rep *as_rep; ++ ++ assert(code == 0); ++ assert(krb5_is_as_rep(reply)); ++ check(decode_krb5_as_rep(reply, &as_rep)); ++ ++ assert(as_rep->msg_type == KRB5_AS_REP); ++ assert(as_rep->ticket->enc_part.kvno == 1); ++ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype)); ++ ++ krb5_free_kdc_rep(context, as_rep); ++ return 0; ++} ++ ++/* Create a fake error reply. */ ++static krb5_error_code ++test_send_error(krb5_context context, void *data, const krb5_data *realm, ++ const krb5_data *message, krb5_data **new_message_out, ++ krb5_data **reply_out) ++{ ++ krb5_error_code ret; ++ krb5_error err; ++ krb5_principal client, server; ++ char *realm_str, *princ_str; ++ int r; ++ ++ realm_str = k5memdup0(realm->data, realm->length, &ret); ++ check(ret); ++ ++ r = asprintf(&princ_str, "invalid@%s", realm_str); ++ assert(r > 0); ++ check(krb5_parse_name(ctx, princ_str, &client)); ++ free(princ_str); ++ ++ r = asprintf(&princ_str, "krbtgt@%s", realm_str); ++ assert(r > 0); ++ check(krb5_parse_name(ctx, princ_str, &server)); ++ free(princ_str); ++ free(realm_str); ++ ++ err.magic = KV5M_ERROR; ++ err.ctime = 1971196337; ++ err.cusec = 0; ++ err.susec = 97008; ++ err.stime = 1458219390; ++ err.error = 6; ++ err.client = client; ++ err.server = server; ++ err.text = string2data("CLIENT_NOT_FOUND"); ++ err.e_data = empty_data(); ++ check(encode_krb5_error(&err, reply_out)); ++ ++ krb5_free_principal(ctx, client); ++ krb5_free_principal(ctx, server); ++ return 0; ++} ++ ++static krb5_error_code ++test_recv_error(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ /* The send hook created a reply, so this hook should not be executed. */ ++ abort(); ++} ++ ++/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */ ++static krb5_error_code ++test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ krb5_kdc_rep *as_rep; ++ ++ assert(code == 0); ++ assert(krb5_is_as_rep(reply)); ++ check(decode_krb5_as_rep(reply, &as_rep)); ++ ++ as_rep->msg_type = KRB5_TGS_REP; ++ check(encode_krb5_as_rep(as_rep, new_reply)); ++ ++ krb5_free_kdc_rep(context, as_rep); ++ return 0; ++} ++ ++/* Return an error given by the callback data argument. */ ++static krb5_error_code ++test_send_return_value(krb5_context context, void *data, ++ const krb5_data *realm, const krb5_data *message, ++ krb5_data **new_message_out, krb5_data **reply_out) ++{ ++ assert(data != NULL); ++ return *(krb5_error_code *)data; ++} ++ ++/* Return an error given by the callback argument. */ ++static krb5_error_code ++test_recv_return_value(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ assert(data != NULL); ++ return *(krb5_error_code *)data; ++} ++ ++int ++main(int argc, char *argv[]) ++{ ++ const char *principal, *password; ++ krb5_principal client; ++ krb5_get_init_creds_opt *opts; ++ krb5_creds creds; ++ krb5_error_code ret, test_return_code; ++ ++ if (argc != 3) { ++ fprintf(stderr, "Usage: %s princname password\n", argv[0]); ++ exit(1); ++ } ++ principal = argv[1]; ++ password = argv[2]; ++ ++ check(krb5_init_context(&ctx)); ++ check(krb5_parse_name(ctx, principal, &client)); ++ ++ /* Use a send hook to modify an outgoing AS-REQ. The library will detect ++ * the modification in the reply. */ ++ check(krb5_get_init_creds_opt_alloc(ctx, &opts)); ++ krb5_get_init_creds_opt_set_canonicalize(opts, 1); ++ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, opts); ++ assert(ret == KRB5_KDCREP_MODIFIED); ++ krb5_get_init_creds_opt_free(ctx, opts); ++ ++ /* Use a send hook to synthesize a KRB-ERROR reply. */ ++ krb5_set_kdc_send_hook(ctx, test_send_error, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN); ++ ++ /* Use a recv hook to modify a KDC reply. */ ++ krb5_set_kdc_send_hook(ctx, NULL, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE); ++ ++ /* Verify that the user data pointer works in the send hook. */ ++ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED; ++ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code); ++ krb5_set_kdc_recv_hook(ctx, NULL, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED); ++ ++ /* Verify that the user data pointer works in the recv hook. */ ++ test_return_code = KRB5KDC_ERR_NULL_KEY; ++ krb5_set_kdc_send_hook(ctx, NULL, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_NULL_KEY); ++ ++ krb5_free_principal(ctx, client); ++ krb5_free_context(ctx); ++ return 0; ++} +diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py +new file mode 100755 +index 0000000..58dff3a +--- /dev/null ++++ b/src/tests/t_hooks.py +@@ -0,0 +1,9 @@ ++#!/usr/bin/python ++from k5test import * ++ ++# Test that KDC send and recv hooks work correctly. ++realm = K5Realm(create_host=False, get_creds=False) ++realm.run(['./hooks', realm.user_princ, password('user')]) ++realm.stop() ++ ++success('send and recv hook tests') +-- +2.8.0.rc3 + diff --git a/krb5-1.15-kdc_send_receive_hooks.patch b/krb5-1.15-kdc_send_receive_hooks.patch new file mode 100644 index 0000000..63a146b --- /dev/null +++ b/krb5-1.15-kdc_send_receive_hooks.patch @@ -0,0 +1,314 @@ +From fb4d426ddeb9d4802a53dfbd74189ef8eacbe65e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 3 Mar 2016 18:53:31 +0100 +Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks + +Add two new APIs, krb5_set_kdc_send_hook() and +krb5_set_kdc_recv_hook(), which can be used to inspect and override +messages sent to KDCs. + +[ghudson@mit.edu: style and documentation changes] + +ticket: 8386 (new) +--- + doc/appdev/refs/api/index.rst | 2 + + doc/appdev/refs/types/index.rst | 2 + + src/include/k5-int.h | 6 +++ + src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/libkrb5.exports | 2 + + src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++- + src/lib/krb5_32.def | 4 ++ + 7 files changed, 174 insertions(+), 2 deletions(-) + +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index 8df351d..e97cbca 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -268,6 +268,8 @@ Rarely used public interfaces + krb5_server_decrypt_ticket_keytab.rst + krb5_set_default_tgs_enctypes.rst + krb5_set_error_message.rst ++ krb5_set_kdc_recv_hook.rst ++ krb5_set_kdc_send_hook.rst + krb5_set_real_time.rst + krb5_string_to_cksumtype.rst + krb5_string_to_deltat.rst +diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst +index 51c4093..dc414cf 100644 +--- a/doc/appdev/refs/types/index.rst ++++ b/doc/appdev/refs/types/index.rst +@@ -57,6 +57,8 @@ Public + krb5_pa_svr_referral_data.rst + krb5_pa_data.rst + krb5_pointer.rst ++ krb5_post_recv_fn.rst ++ krb5_pre_send_fn.rst + krb5_preauthtype.rst + krb5_principal.rst + krb5_principal_data.rst +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 6b36e9d..d0216d6 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -1242,6 +1242,12 @@ struct _krb5_context { + krb5_trace_callback trace_callback; + void *trace_callback_data; + ++ krb5_pre_send_fn kdc_send_hook; ++ void *kdc_send_hook_data; ++ ++ krb5_post_recv_fn kdc_recv_hook; ++ void *kdc_recv_hook_data; ++ + struct plugin_interface plugins[PLUGIN_NUM_INTERFACES]; + char *plugin_base_dir; + }; +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 0a0d272..9e91a60 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8292,6 +8292,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, + krb5_error_code KRB5_CALLCONV + krb5_set_trace_filename(krb5_context context, const char *filename); + ++ ++/** ++ * Hook function for inspecting or modifying messages sent to KDCs. ++ * ++ * If the hook function returns an error code, the KDC communication will be ++ * aborted and the error code will be returned to the library operation which ++ * initiated the communication. ++ * ++ * If the hook function sets @a reply_out, @a message will not be sent to the ++ * KDC, and the given reply will used instead. ++ * ++ * If the hook function sets @a new_message_out, the given message will be sent ++ * to the KDC in place of @a message. ++ * ++ * If the hook function returns successfully without setting either output, ++ * @a message will be sent to the KDC normally. ++ * ++ * The hook function should use krb5_copy_data() to construct the value for ++ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly ++ * by the library. ++ * ++ * @param [in] context Library context ++ * @param [in] data Callback data ++ * @param [in] realm The realm the message will be sent to ++ * @param [in] message The original message to be sent to the KDC ++ * @param [out] new_message_out Optional replacement message to be sent ++ * @param [out] reply_out Optional synthetic reply ++ * ++ * @retval 0 Success ++ * @return A Kerberos error code ++ */ ++typedef krb5_error_code ++(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, ++ const krb5_data *realm, ++ const krb5_data *message, ++ krb5_data **new_message_out, ++ krb5_data **new_reply_out); ++ ++/** ++ * Hook function for inspecting or overriding KDC replies. ++ * ++ * If @a code is zero, @a reply contains the reply received from the KDC. The ++ * hook function may return an error code to simulate an error, may synthesize ++ * a different reply by setting @a new_reply_out, or may simply return ++ * successfully to do nothing. ++ * ++ * If @a code is non-zero, KDC communication failed and @a reply should be ++ * ignored. The hook function may return @a code or a different error code, or ++ * may synthesize a reply by setting @a new_reply_out and return successfully. ++ * ++ * The hook function should use krb5_copy_data() to construct the value for ++ * @a new_reply_out, to ensure that it can be freed correctly by the library. ++ * ++ * @param [in] context Library context ++ * @param [in] data Callback data ++ * @param [in] code Status of KDC communication ++ * @param [in] realm The realm the reply was received from ++ * @param [in] message The message sent to the realm's KDC ++ * @param [in] reply The reply received from the KDC ++ * @param [out] new_reply_out Optional replacement reply ++ * ++ * @retval 0 Success ++ * @return A Kerberos error code ++ */ ++typedef krb5_error_code ++(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, ++ krb5_error_code code, ++ const krb5_data *realm, ++ const krb5_data *message, ++ const krb5_data *reply, ++ krb5_data **new_reply_out); ++ ++/** ++ * Set a KDC pre-send hook function. ++ * ++ * @a send_hook will be called before messages are sent to KDCs by library ++ * functions such as krb5_get_credentials(). The hook function may inspect, ++ * override, or synthesize its own reply to the message. ++ * ++ * @param [in] context Library context ++ * @param [in] send_hook Hook function (or NULL to disable the hook) ++ * @param [in] data Callback data to be passed to @a send_hook ++ */ ++void KRB5_CALLCONV ++krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, ++ void *data); ++ ++/** ++ * Set a KDC post-receive hook function. ++ * ++ * @a recv_hook will be called after a reply is received from a KDC during a ++ * call to a library function such as krb5_get_credentials(). The hook ++ * function may inspect or override the reply. This hook will not be executed ++ * if the pre-send hook returns a synthetic reply. ++ * ++ * @param [in] context The library context. ++ * @param [in] recv_hook Hook function (or NULL to disable the hook) ++ * @param [in] data Callback data to be passed to @a recv_hook ++ */ ++void KRB5_CALLCONV ++krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, ++ void *data); ++ ++ + #if TARGET_OS_MAC + # pragma pack(pop) + #endif +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index c623409..ea6982d 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -581,6 +581,8 @@ krb5_set_password + krb5_set_password_using_ccache + krb5_set_principal_realm + krb5_set_real_time ++krb5_set_kdc_send_hook ++krb5_set_kdc_recv_hook + krb5_set_time_offsets + krb5_set_trace_callback + krb5_set_trace_filename +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 3b3b438..a2bc591 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context, + return 1; + } + ++void ++krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, ++ void *data) ++{ ++ context->kdc_send_hook = send_hook; ++ context->kdc_send_hook_data = data; ++} ++ ++void ++krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, ++ void *data) ++{ ++ context->kdc_recv_hook = recv_hook; ++ context->kdc_recv_hook_data = data; ++} ++ + /* + * send the formatted request 'message' to a KDC for realm 'realm' and + * return the response (if any) in 'reply'. +@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context, + + krb5_error_code + krb5_sendto_kdc(krb5_context context, const krb5_data *message, +- const krb5_data *realm, krb5_data *reply, int *use_master, ++ const krb5_data *realm, krb5_data *reply_out, int *use_master, + int no_udp) + { + krb5_error_code retval, err; + struct serverlist servers; + int server_used; + k5_transport_strategy strategy; ++ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL; ++ ++ *reply_out = empty_data(); + + /* + * find KDC location(s) for realm +@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + if (retval) + return retval; + ++ if (context->kdc_send_hook != NULL) { ++ retval = context->kdc_send_hook(context, context->kdc_send_hook_data, ++ realm, message, &hook_message, ++ &hook_reply); ++ if (retval) ++ goto cleanup; ++ ++ if (hook_reply != NULL) { ++ *reply_out = *hook_reply; ++ free(hook_reply); ++ goto cleanup; ++ } ++ ++ if (hook_message != NULL) ++ message = hook_message; ++ } ++ + err = 0; + retval = k5_sendto(context, message, realm, &servers, strategy, NULL, +- reply, NULL, NULL, &server_used, ++ &reply, NULL, NULL, &server_used, + check_for_svc_unavailable, &err); + if (retval == KRB5_KDC_UNREACH) { + if (err == KDC_ERR_SVC_UNAVAILABLE) { +@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + realm->length, realm->data); + } + } ++ ++ if (context->kdc_recv_hook != NULL) { ++ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data, ++ retval, realm, message, &reply, ++ &hook_reply); ++ } + if (retval) + goto cleanup; + ++ if (hook_reply != NULL) { ++ *reply_out = *hook_reply; ++ free(hook_reply); ++ } else { ++ *reply_out = reply; ++ reply = empty_data(); ++ } ++ + /* Set use_master to 1 if we ended up talking to a master when we didn't + * explicitly request to. */ + if (*use_master == 0) { +@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + } + + cleanup: ++ krb5_free_data(context, hook_message); ++ krb5_free_data_contents(context, &reply); + k5_free_serverlist(&servers); + return retval; + } +diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def +index 3734e9b..8d58ea1 100644 +--- a/src/lib/krb5_32.def ++++ b/src/lib/krb5_32.def +@@ -463,3 +463,7 @@ EXPORTS + krb5_vwrap_error_message @430 + krb5_c_prfplus @431 + krb5_c_derive_prfplus @432 ++ ++; new in 1.15 ++ krb5_set_kdc_send_hook @433 ++ krb5_set_kdc_recv_hook @434 +-- +2.8.0.rc3 + diff --git a/krb5.spec b/krb5.spec index 398a81e..59c958e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 3%{?dist} +Release: 4%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -68,6 +68,9 @@ Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch Patch163: krb5-CVE-2016-3119.patch +Patch164: krb5-1.15-kdc_send_receive_hooks.patch +Patch165: krb5-1.15-kdc_hooks_test.patch + License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -251,6 +254,9 @@ ln NOTICE LICENSE %patch163 -p1 -b .CVE-2016-3119 +%patch164 -p1 -b .kdc_send_receive_hooks +%patch165 -p1 -b .kdc_hooks_test + # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -772,6 +778,10 @@ exit 0 %changelog +* Mon Apr 04 2016 Robbie Harwood - 1.14.1-4 +- Add send/receive sendto_kdc hooks and corresponding tests +- Resolves: #1321135 + * Fri Mar 18 2016 Robbie Harwood - 1.14.1-3 - Fix CVE-2016-3119 (NULL deref in LDAP module)