diff --git a/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch b/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
new file mode 100644
index 0000000..e17972b
--- /dev/null
+++ b/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
@@ -0,0 +1,53 @@
+From 25e0656fdf9862faf9aa91288023776e9a47caad Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Fri, 7 Aug 2015 15:35:58 -0400
+Subject: [PATCH] Do not allow stream socket retries in libkrad
+
+Before this patch, libkrad would follow the same exact logic for all
+socket types when the retries parameter was non-zero. This meant that
+when connecting with SOCK_STREAM, multiple requests were sent in case
+of packet drops, which, of course, cannot happen for SOCK_STREAM.
+
+Instead, just disable retries for SOCK_STREAM sockets.
+
+[ghudson@mit.edu: minor wording edits]
+
+ticket: 8229 (new)
+target_version: 1.13.3
+tags: pullup
+---
+Patch for RH Bug #1251586 ("KDC sends multiple requests to ipa-otpd
+for the same authentication")
+---
+ src/include/krad.h | 3 ++-
+ src/lib/krad/remote.c | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/krad.h b/src/include/krad.h
+index 913464c..e4edb52 100644
+--- a/src/include/krad.h
++++ b/src/include/krad.h
+@@ -251,7 +251,8 @@ krad_client_free(krad_client *client);
+ * - hostname:service
+ *
+ * The timeout parameter (milliseconds) is the total timeout across all remote
+- * hosts (when DNS returns multiple entries) and all retries.
++ * hosts (when DNS returns multiple entries) and all retries. For stream
++ * sockets, the retries parameter is ignored and no retries are performed.
+ *
+ * The cb function will be called with the data argument when either a response
+ * is received or the request times out on all possible remote hosts.
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 795485f..aaabffd 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -448,6 +448,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ krb5_error_code retval;
+ request *r;
+
++ if (rr->info->ai_socktype == SOCK_STREAM)
++ retries = 0;
++
+ r = TAILQ_FIRST(&rr->list);
+ retval = krad_packet_new_request(rr->kctx, rr->secret, code, attrs,
+ (krad_packet_iter_cb)iterator, &r, &tmp);
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index d405896..dd47276 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -133,6 +133,7 @@ Patch321: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
 Patch322: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
 Patch323: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final.patch
 Patch324: krb5-1.13_kinit_C_loop_krb5bug243.patch
+Patch325: krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -403,7 +404,8 @@ chmod u+x src/util/paste-kdcproxy.py
 %patch322 -p1 -b .krb5-cve_2014_5354_support_keyless_principals_in_ldap
 %patch323 -p1 -b .krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final
 %patch324 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
-
+%patch325 -p1 -b .krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
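Review bot: The bug number in the new patch's preamble, `Patch for RH Bug #1251586`, differs from the one in the changelog entry added in the last hunk, `RedHat bug #1256870`; the two should agree, or the preamble should cite both if they are distinct reports, so the SOURCES file and the spec can be cross-referenced. The patch is named and tagged for 1.13.3 (`target_version: 1.13.3`) while this spec builds `Version: 1.12.2`, so whether its contexts (`remote.c` around line 448, `krad.h` around line 251) still match the 1.12.2 tree cannot be confirmed from here and is worth a note in the preamble. The code change itself, `retries = 0` when `rr->info->ai_socktype == SOCK_STREAM`, is the entire fix: a timed-out request on a TCP transport is no longer re-sent, so the RADIUS peer sees a single copy of each authentication request. kr_remote_send's signature and the rest of its body lie outside the inner hunk.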
@@ -1083,6 +1085,12 @@ exit 0
 %changelog
+* Wed Aug 26 2015 Roland Mainz - 1.12.2-15
+- Add a patch to fix RedHat bug #1256870 ("KDC sends multiple
+ requests to ipa-otpd for the same authentication") which causes
+ the KDC to send multiple retries to ipa-otpd for TCP transports
+ while it should only be done for UDP.
+
 * Mon Jan 26 2015 Roland Mainz - 1.12.2-14
 - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not loop on principal unknown errors").