rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Document-and-check-init_creds-context-requirement.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c7-beta
  2.   SOURCES
  3.   Document-and-check-init_creds-context-requirement.patch
Blob History Raw
d738b9 
From 86fd6a4e1a768eff55aa3df6bc5794dfa63b801f Mon Sep 17 00:00:00 2001
d738b9 
From: Greg Hudson <ghudson@mit.edu>
d738b9 
Date: Mon, 9 Jan 2017 11:44:29 -0500
d738b9 
Subject: [PATCH] Document and check init_creds context requirement
d738b9
d738b9 
To ensure that the same clpreauth plugin modules and moddata pointers
d738b9 
are used for each step of an initial creds operation, the caller must
d738b9 
use the same library context for krb5_init_creds_init(),
d738b9 
krb5_init_creds_step(), and krb5_init_creds_free().  Document and
d738b9 
enforce this requirement.
d738b9
d738b9 
ticket: 7877
d738b9 
(cherry picked from commit c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0)
d738b9 
---
d738b9 
 src/include/krb5/krb5.hin     | 13 +++++++++++++
d738b9 
 src/lib/krb5/krb/get_in_tkt.c |  6 +++++-
d738b9 
 src/lib/krb5/krb/int-proto.h  |  3 +++
d738b9 
 src/lib/krb5/krb/preauth2.c   | 13 +++++++++++++
d738b9 
 4 files changed, 34 insertions(+), 1 deletion(-)
d738b9
d738b9 
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
d738b9 
index 53ad85384..28557659e 100644
d738b9 
--- a/src/include/krb5/krb5.hin
d738b9 
+++ b/src/include/krb5/krb5.hin
d738b9 
@@ -7321,6 +7321,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context;
d738b9 
  *
d738b9 
  * @param [in] context          Library context
d738b9 
  * @param [in] ctx              Initial credentials context
d738b9 
+ *
d738b9 
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
d738b9 
+ * this initial credentials context.
d738b9 
  */
d738b9 
 void KRB5_CALLCONV
d738b9 
 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
d738b9 
@@ -7335,6 +7338,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
d738b9 
  * krb5_init_creds_init().  On successful return, the credentials can be
d738b9 
  * retrieved with krb5_init_creds_get_creds().
d738b9 
  *
d738b9 
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
d738b9 
+ * this initial credentials context.
d738b9 
+ *
d738b9 
  * @retval 0 Success; otherwise - Kerberos error codes
d738b9 
  */
d738b9 
 krb5_error_code KRB5_CALLCONV
d738b9 
@@ -7385,6 +7391,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
d738b9 
  * This function creates a new context for acquiring initial credentials.  Use
d738b9 
  * krb5_init_creds_free() to free @a ctx when it is no longer needed.
d738b9 
  *
d738b9 
+ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
d738b9 
+ * krb5_init_creds_free() for this initial credentials context must use the
d738b9 
+ * same @a context argument as the one passed to this function.
d738b9 
+ *
d738b9 
  * @retval 0 Success; otherwise - Kerberos error codes
d738b9 
  */
d738b9 
 krb5_error_code KRB5_CALLCONV
d738b9 
@@ -7434,6 +7444,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
d738b9 
  * transmit the next request using TCP rather than UDP.  If this function
d738b9 
  * returns any other error, the initial credential exchange has failed.
d738b9 
  *
d738b9 
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
d738b9 
+ * this initial credentials context.
d738b9 
+ *
d738b9 
  * @retval 0 Success; otherwise - Kerberos error codes
d738b9 
  */
d738b9 
 krb5_error_code KRB5_CALLCONV
d738b9 
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
d738b9 
index 80f5e1870..52e07bb67 100644
d738b9 
--- a/src/lib/krb5/krb/get_in_tkt.c
d738b9 
+++ b/src/lib/krb5/krb/get_in_tkt.c
d738b9 
@@ -1667,7 +1667,7 @@ krb5_init_creds_step(krb5_context context,
d738b9 
                      krb5_data *realm,
d738b9 
                      unsigned int *flags)
d738b9 
 {
d738b9 
-    krb5_error_code code = 0, code2;
d738b9 
+    krb5_error_code code, code2;
d738b9
d738b9 
     *flags = 0;
d738b9
d738b9 
@@ -1680,6 +1680,10 @@ krb5_init_creds_step(krb5_context context,
d738b9 
     if (ctx->complete)
d738b9 
         return EINVAL;
d738b9
d738b9 
+    code = k5_preauth_check_context(context, ctx);
d738b9 
+    if (code)
d738b9 
+        return code;
d738b9 
+
d738b9 
     if (in->length != 0) {
d738b9 
         code = init_creds_step_reply(context, ctx, in);
d738b9 
         if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
d738b9 
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
d738b9 
index f1667c238..628f0baa8 100644
d738b9 
--- a/src/lib/krb5/krb/int-proto.h
d738b9 
+++ b/src/lib/krb5/krb/int-proto.h
d738b9 
@@ -208,6 +208,9 @@ void
d738b9 
 k5_preauth_request_context_fini(krb5_context context,
d738b9 
                                 krb5_init_creds_context ctx);
d738b9
d738b9 
+krb5_error_code
d738b9 
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);
d738b9 
+
d738b9 
 krb5_error_code
d738b9 
 k5_response_items_new(k5_response_items **ri_out);
d738b9
d738b9 
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
d738b9 
index 9a178f4e3..9c5d6eaa9 100644
d738b9 
--- a/src/lib/krb5/krb/preauth2.c
d738b9 
+++ b/src/lib/krb5/krb/preauth2.c
d738b9 
@@ -296,6 +296,19 @@ k5_preauth_request_context_fini(krb5_context context,
d738b9 
     ctx->preauth_reqctx = NULL;
d738b9 
 }
d738b9
d738b9 
+krb5_error_code
d738b9 
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx)
d738b9 
+{
d738b9 
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
d738b9 
+
d738b9 
+    if (reqctx != NULL && reqctx->orig_context != context) {
d738b9 
+        k5_setmsg(context, EINVAL,
d738b9 
+                  _("krb5_init_creds calls must use same library context"));
d738b9 
+        return EINVAL;
d738b9 
+    }
d738b9 
+    return 0;
d738b9 
+}
d738b9 
+
d738b9 
 /* Return 1 if pa_type is a real preauthentication mechanism according to the
d738b9 
  * module h.  Return 0 if it is not. */
d738b9 
 static int

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation