diff --git a/krb5-1.14.4-SNI-HTTP-Host.patch b/krb5-1.14.4-SNI-HTTP-Host.patch
new file mode 100644
index 0000000..a34faad
--- /dev/null
+++ b/krb5-1.14.4-SNI-HTTP-Host.patch
@@ -0,0 +1,108 @@
+From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 8 Aug 2016 12:38:17 +0200
+Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
+
+Some web servers require a Host HTTP header for TLS connections with
+SNI (server name indicator). It is also required for virtual hosts.
+
+ticket: 8472 (new)
+target_version: 1.14-next
+tags: pullup
+---
+ src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index c85fdba..a2b7359 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -78,6 +78,7 @@
+ #define MAX_PASS 3
+ #define DEFAULT_UDP_PREF_LIMIT 1465
+ #define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
++#define PORT_LENGTH 6 /* decimal repr of UINT16_MAX */
+
+ /* Select state flags. */
+ #define SSF_READ 0x01
+@@ -138,6 +139,7 @@ struct conn_state {
+ struct {
+ const char *uri_path;
+ const char *servername;
++ char port[PORT_LENGTH];
+ char *https_request;
+ k5_tls_handle tls;
+ } http;
+@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
+ k5_buf_init_dynamic(&buf);
+ uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
+ k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
++ k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
++ state->http.port);
+ k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
+ k5_buf_add(&buf, "Pragma: no-cache\r\n");
+ k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
+@@ -673,7 +677,7 @@ static krb5_error_code
+ add_connection(struct conn_state **conns, k5_transport transport,
+ krb5_boolean defer, struct addrinfo *ai, size_t server_index,
+ const krb5_data *realm, const char *hostname,
+- const char *uri_path, char **udpbufp)
++ const char *port, const char *uri_path, char **udpbufp)
+ {
+ struct conn_state *state, **tailptr;
+
+@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
+ state->service_write = service_tcp_write;
+ state->service_read = service_tcp_read;
+ } else if (transport == HTTPS) {
++ assert(hostname != NULL && port != NULL);
+ state->service_connect = service_tcp_connect;
+ state->service_write = service_https_write;
+ state->service_read = service_https_read;
+ state->http.uri_path = uri_path;
+ state->http.servername = hostname;
++ strlcpy(state->http.port, port, PORT_LENGTH);
+ } else {
+ state->service_connect = NULL;
+ state->service_write = NULL;
+@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ struct addrinfo *addrs, *a, hint, ai;
+ krb5_boolean defer;
+ int err, result;
+- char portbuf[64];
++ char portbuf[PORT_LENGTH];
+
+ /* Skip UDP entries if we don't want UDP. */
+ if (strategy == NO_UDP && entry->transport == UDP)
+@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ ai.ai_addr = (struct sockaddr *)&entry->addr;
+ defer = (entry->transport != transport);
+ return add_connection(conns, entry->transport, defer, &ai, ind, realm,
+- NULL, entry->uri_path, udpbufp);
++ NULL, NULL, entry->uri_path, udpbufp);
+ }
+
+ /* If the entry has a specified transport, use it. */
+@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ retval = 0;
+ for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+ retval = add_connection(conns, transport, FALSE, a, ind, realm,
+- entry->hostname, entry->uri_path, udpbufp);
++ entry->hostname, portbuf, entry->uri_path,
++ udpbufp);
+ }
+
+ /* For TCP_OR_UDP entries, add each address again with the non-preferred
+@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+ a->ai_socktype = socktype_for_transport(transport);
+ retval = add_connection(conns, transport, TRUE, a, ind, realm,
+- entry->hostname, entry->uri_path, udpbufp);
++ entry->hostname, portbuf,
++ entry->uri_path, udpbufp);
+ }
+ }
+ freeaddrinfo(addrs);
+--
+2.8.1
+
diff --git a/krb5.spec b/krb5.spec
index 8d5771a..440c059 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -63,6 +63,8 @@ Patch153: krb5-1.14.1-log_file_permissions.patch
 Patch164: krb5-1.15-kdc_send_receive_hooks.patch
 Patch165: krb5-1.15-kdc_hooks_test.patch
+Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -270,6 +272,8 @@ ln NOTICE LICENSE
 %patch164 -p1 -b .kdc_send_receive_hooks
 %patch165 -p1 -b .kdc_hooks_test
+%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
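Review bot: In the HTTPS branch of add_connection the new `assert(hostname != NULL && port != NULL)` is the only guard, so in a build compiled with NDEBUG a NULL `port` goes straight into `strlcpy(state->http.port, port, PORT_LENGTH)` and a NULL `servername` into the `Host: %s:%s\r\n` format in make_proxy_request; a runtime check such as `if (hostname == NULL || port == NULL) return EINVAL;` would keep the library from crashing on a malformed entry instead of relying on the assert. The address-only path in resolve_server now passes `NULL, NULL` for hostname and port, so whether an address-only entry can ever carry the HTTPS transport decides whether that assert is reachable — the entry construction is outside this hunk and worth checking. Shrinking `portbuf[64]` to `portbuf[PORT_LENGTH]` is only safe if the code that fills portbuf (also outside the hunk) bounds its write by `sizeof(portbuf)` rather than a literal length; that should be confirmed before the buffer is made this tight. The `PORT_LENGTH` comment could also say that the 6 includes the terminator, e.g. `#define PORT_LENGTH 6 /* "65535" plus NUL */`.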
@@ -738,6 +742,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Wed Aug 10 2016 Robbie Harwood - 1.14.3-4
+- Fix use of KKDCPP with SNI
+- Resolves: #1365027
+
 * Fri Aug 05 2016 Robbie Harwood - 1.14.3-3
 - Make krb5-devel depend on libkadm5
 - Resolves: #1364487