diff options
Diffstat (limited to 'main/krb5')
| -rw-r--r-- | main/krb5/CVE-2018-20217.patch | 72 | ||||
| -rw-r--r-- | main/krb5/libressl.patch | 28 |
2 files changed, 0 insertions, 100 deletions
diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch deleted file mode 100644 index 80f2d55058..0000000000 --- a/main/krb5/CVE-2018-20217.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris <iboukris@gmail.com> -Date: Mon, 3 Dec 2018 02:33:07 +0200 -Subject: [PATCH] Ignore password attributes for S4U2Self requests - -For consistency with Windows KDCs, allow protocol transition to work -even if the password has expired or needs changing. - -Also, when looking up an enterprise principal with an AS request, -treat ERR_KEY_EXP as confirmation that the client is present in the -realm. - -[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited -commit message] - -ticket: 8763 (new) -tags: pullup -target_version: 1.17 ---- - src/kdc/kdc_util.c | 5 +++++ - src/lib/krb5/krb/s4u_creds.c | 2 +- - src/tests/gssapi/t_s4u.py | 8 ++++++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 6d53173fb0..6517a213cd 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, - - memset(&no_server, 0, sizeof(no_server)); - -+ /* Ignore password expiration and needchange attributes (as Windows -+ * does), since S4U2Self is not password authentication. */ -+ princ->pw_expiration = 0; -+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE); -+ - code = validate_as_request(kdc_active_realm, request, *princ, - no_server, kdc_time, status, &e_data); - if (code) { -diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c -index d2fdcb3f16..614ed41908 100644 ---- a/src/lib/krb5/krb/s4u_creds.c -+++ b/src/lib/krb5/krb/s4u_creds.c -@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context, - code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL, - opts, krb5_get_as_key_noop, &userid, &use_master, - NULL); -- if (code == 0 || code == KRB5_PREAUTH_FAILED) { -+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) { - *canon_user = userid.user; - userid.user = NULL; - code = 0; -diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py -index fd29e1a270..84f3fbd752 100755 ---- a/src/tests/gssapi/t_s4u.py -+++ b/src/tests/gssapi/t_s4u.py -@@ -19,6 +19,14 @@ - # Get forwardable creds for service1 in the default cache. - realm.kinit(service1, None, ['-f', '-k']) - -+# Try S4U2Self for user with a restricted password. -+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) -+realm.run(['./t_s4u', 'e:user', '-']) -+realm.run([kadminl, 'modprinc', '-needchange', -+ '-pwexpire', '1/1/2000', realm.user_princ]) -+realm.run(['./t_s4u', 'e:user', '-']) -+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) -+ - # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail - # at the S4U2Proxy step since the DB2 back end currently has no - # support for allowing it. diff --git a/main/krb5/libressl.patch b/main/krb5/libressl.patch deleted file mode 100644 index ec274cc6ae..0000000000 --- a/main/krb5/libressl.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.orig -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -191,7 +191,7 @@ - (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - - /* 1.1 standardizes constructor and destructor names, renaming - * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ -@@ -3059,7 +3059,7 @@ - return retval; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - - /* - * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would -@@ -3122,6 +3122,7 @@ - - #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */ - -+#include <openssl/asn1_mac.h> - /* - * Do the same decoding (except without decoding j and vparams or checking the - * sequence length) using the pre-OpenSSL-1.1 asn1_mac.h. Define an internal |