Your message dated Mon, 16 Jun 2008 14:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480434: fixed in krb5 1.6.dfsg.4~beta1-2
has caused the Debian Bug report #480434,
regarding libkrb53: Delegation fails if an SPNEGO credential is passed to gss_krb5_copy_ccache
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
480434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480434
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libkrb53
Version: 1.6.dfsg.3~beta1-4
Severity: normal
Tags: patch

When trying to delegate credentials using mod_auth_kerb, delegation
succeeds (mod_auth_kerb receives a delegated gss_cred_id_t), but when it
tries to copy that credential into a ccache so it can write it out for
CGI scripts to use later, the copy fails.

The copy fails because gss_krb5_copy_ccache (the function being used) is
trying to find a credential from the passed-in gss_union_cred_t whose
mechanism OID is either krb5_mechanism, or krb5_mechanism_old.  But the
gss_union_cred_t returned to mod_auth_kerb uses the SPNEGO mechanism OID
(since the browser used SPNEGO), which doesn't match either of those.

The gss_krb5_copy_ccache function only needs to set "mcred" to one or
the other of the Kerberos mechanism credential handles; if the top level
gss_union_cred_t uses SPNEGO, then it should contain a sub-credential
that uses one of the Kerberos mechanisms.  So one fix would be to make
gssint_get_mechanism_cred recurse when it receives an SPNEGO-mechanism
union_cred, and SPNEGO is not what was asked for.

It needs to get a reference to the SPNEGO mechanism OID, of course, but
the spnego_gss_get_mech_configs() function provides this.

So if the current mechs_array element doesn't match the passed-in
mech_type, but does match spnego_mech, then call back into
gssint_get_mechanism_cred with the current cred_array element (cast to a
gss_union_cred_t), and see if any of its sub-credentials match.  If not,
keep running through the loop.  If so, return the one that does match.

Attached is a proposed patch to do exactly that (generated from a
libkrb53 tree that already has all the other Debian patches applied).

*** krb5-get_mechanism_cred-recurse-on-spnego.patch
Make gssint_get_mechanism_cred recurse if it finds a mechs_array item that
matches the SPNEGO OID, but not the OID that it's looking for.  (SPNEGO
credentials might contain the needed OID.)  If a sub-cred is found that
matches, return it; otherwise keep looping.

diff -ur a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
--- a/src/lib/gssapi/mechglue/g_glue.c  2007-10-01 22:43:12.000000000 -0400
+++ b/src/lib/gssapi/mechglue/g_glue.c  2008-05-09 13:54:29.000000000 -0400
@@ -519,6 +519,8 @@
     return (major_status);
 }
 
+extern gss_mechanism *spnego_gss_get_mech_configs(void);
+
 /*
  * Glue routine for returning the mechanism-specific credential from a
  * external union credential.
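Review bot: The prototype `extern gss_mechanism *spnego_gss_get_mech_configs(void);` is hand-written into g_glue.c rather than taken from the header that declares the function, so the compiler cannot check it against the real definition and it will go stale silently if the SPNEGO mech ever changes that signature; it also ties the generic mechglue layer to one mechanism's internal symbol. Include the SPNEGO header that declares it, or better, compare against an SPNEGO OID constant exported from a shared header, so the dependency is declared in one place.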
@@ -529,6 +531,7 @@
     gss_OID            mech_type;
 {
     int                i;
+    gss_OID    spnego_mech = &(spnego_gss_get_mech_configs()[0]->mech_type);
     
     if (union_cred == GSS_C_NO_CREDENTIAL)
        return GSS_C_NO_CREDENTIAL;
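Review bot: `gss_OID spnego_mech = &(spnego_gss_get_mech_configs()[0]->mech_type);` dereferences the returned array and its first element with no NULL check, and because it sits in the declarations it runs before the `union_cred == GSS_C_NO_CREDENTIAL` early return, so the call and dereference happen on every lookup even when there is nothing to search. Move the initialisation below that test and guard it, e.g. `gss_mechanism *cfg = spnego_gss_get_mech_configs();` followed by `if (cfg == NULL || cfg[0] == NULL) spnego_mech = GSS_C_NO_OID;`, and skip the SPNEGO comparison in the loop when `spnego_mech` is unset.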
@@ -536,6 +539,18 @@
     for (i=0; i < union_cred->count; i++) {
        if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
            return union_cred->cred_array[i];
+
+       /* for SPNEGO, check the next-lower set of creds */
+       if (g_OID_equal(spnego_mech, &union_cred->mechs_array[i])) {
+           gss_union_cred_t candidate_cred;
+           gss_cred_id_t    sub_cred;
+
+           candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
+           sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
+
+           if(sub_cred != GSS_C_NO_CREDENTIAL)
+               return sub_cred;
+       }
     }
     return GSS_C_NO_CREDENTIAL;
 }
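Review bot: The cast `candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];` relies on the SPNEGO mechanism storing a mechglue union credential as its handle, and nothing in this function checks that, so any SPNEGO cred with a different internal representation would be read as a union_cred. The recursion also has no depth bound: a nested cred whose own `mechs_array` again carries the SPNEGO OID recurses further, and a malformed or cyclic structure would recurse without limit, so pass a depth counter (or a flag that forbids descending twice) into `gssint_get_mechanism_cred`. Minor style point: `if(sub_cred != GSS_C_NO_CREDENTIAL)` needs a space after `if` to match the surrounding code.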


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libkrb53 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libcomerr2                    1.40.8-2   common error description library
ii  libkeyutils1                  1.2-7      Linux Key Management Utilities (li

libkrb53 recommends no packages.

-- no debconf information



--- End Message ---
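The lookup the report describes, as an added example that is not part of the bug report or of MIT krb5: a stand-alone C model of the mechglue union-credential structure with the original flat lookup beside the recursive one, run over a constructed SPNEGO-wrapped delegated credential and over a constructed cyclic one. The struct layout, the sample handles, the helper names and the MAX_DEPTH bound are this example's own assumptions; the OID byte strings are the standard krb5, old-krb5 and SPNEGO mechanism OIDs, which the report names but does not spell out.

```c
/*
 * Added example (not code from the bug report or from MIT krb5): a stand-alone
 * model of the mechglue credential lookup discussed above.  The struct layout,
 * the sample credential handles and MAX_DEPTH are constructed for this
 * demonstration; the OID byte strings are the standard mechanism OIDs.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { size_t length; const void *elements; } oid_t;

/* DER-encoded mechanism OIDs: krb5, the old krb5 arc, and SPNEGO. */
static const unsigned char KRB5_OID_BYTES[]     = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char KRB5_OLD_OID_BYTES[] = {0x2b,0x05,0x01,0x05,0x02};
static const unsigned char SPNEGO_OID_BYTES[]   = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const oid_t KRB5_OID     = { sizeof KRB5_OID_BYTES,     KRB5_OID_BYTES };
static const oid_t KRB5_OLD_OID = { sizeof KRB5_OLD_OID_BYTES, KRB5_OLD_OID_BYTES };
static const oid_t SPNEGO_OID   = { sizeof SPNEGO_OID_BYTES,   SPNEGO_OID_BYTES };

/* Shape of the mechglue union credential: parallel arrays of mechanism OID and
 * opaque per-mechanism handle (a model, not the real gss_union_cred_t). */
typedef struct {
    int          count;
    const oid_t *mechs_array;
    void       **cred_array;
} union_cred_t;

static int oid_equal(const oid_t *a, const oid_t *b)
{
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Pre-patch behaviour: only a direct match in mechs_array is returned. */
void *get_mechanism_cred_flat(const union_cred_t *uc, const oid_t *mech)
{
    if (uc == NULL)
        return NULL;
    for (int i = 0; i < uc->count; i++)
        if (oid_equal(mech, &uc->mechs_array[i]))
            return uc->cred_array[i];
    return NULL;
}

/* Patched behaviour plus a depth bound the patch does not have: an SPNEGO entry
 * wraps a union cred of its own, so descend into it; MAX_DEPTH keeps a
 * malformed or cyclic nesting from recursing without limit. */
#define MAX_DEPTH 4
static void *lookup(const union_cred_t *uc, const oid_t *mech, int depth)
{
    if (uc == NULL || depth > MAX_DEPTH)
        return NULL;
    for (int i = 0; i < uc->count; i++) {
        if (oid_equal(mech, &uc->mechs_array[i]))
            return uc->cred_array[i];
        if (oid_equal(&SPNEGO_OID, &uc->mechs_array[i])) {
            void *sub = lookup((const union_cred_t *)uc->cred_array[i], mech, depth + 1);
            if (sub != NULL)
                return sub;
        }
    }
    return NULL;
}

void *get_mechanism_cred_recursive(const union_cred_t *uc, const oid_t *mech)
{
    return lookup(uc, mech, 0);
}

/* What gss_krb5_copy_ccache needs: a krb5 cred under either Kerberos OID. */
void *find_kerberos_cred(const union_cred_t *uc)
{
    void *c = get_mechanism_cred_recursive(uc, &KRB5_OID);
    return c != NULL ? c : get_mechanism_cred_recursive(uc, &KRB5_OLD_OID);
}

/* Constructed sample: the delegated credential handed to mod_auth_kerb is an
 * SPNEGO union cred whose single entry wraps an inner union cred holding krb5. */
static char         inner_krb5_cred[] = "delegated krb5 cred handle";
static const oid_t  inner_mechs[]     = { { sizeof KRB5_OID_BYTES, KRB5_OID_BYTES } };
static void        *inner_creds[]     = { inner_krb5_cred };
static const union_cred_t inner_union = { 1, inner_mechs, inner_creds };
static const oid_t  outer_mechs[]     = { { sizeof SPNEGO_OID_BYTES, SPNEGO_OID_BYTES } };
static void        *outer_creds[]     = { (void *)&inner_union };
static const union_cred_t outer_union = { 1, outer_mechs, outer_creds };

/* Constructed pathological case: an SPNEGO entry pointing back at its own union cred. */
static const oid_t  cyc_mechs[] = { { sizeof SPNEGO_OID_BYTES, SPNEGO_OID_BYTES } };
static void        *cyc_creds[1];
static const union_cred_t cyc_union = { 1, cyc_mechs, cyc_creds };

int flat_lookup_finds_krb5(void)      { return get_mechanism_cred_flat(&outer_union, &KRB5_OID) != NULL; }
int recursive_lookup_finds_krb5(void) { return find_kerberos_cred(&outer_union) == (void *)inner_krb5_cred; }
int cyclic_lookup_terminates(void)
{
    cyc_creds[0] = (void *)&cyc_union;
    return find_kerberos_cred(&cyc_union) == NULL;
}

int main(void)
{
    printf("flat lookup finds krb5 cred behind SPNEGO:      %s\n", flat_lookup_finds_krb5() ? "yes" : "no");
    printf("recursive lookup finds krb5 cred behind SPNEGO: %s\n", recursive_lookup_finds_krb5() ? "yes" : "no");
    printf("recursive lookup on a cyclic cred terminates:   %s\n", cyclic_lookup_terminates() ? "yes" : "no");
    return 0;
}
```

The flat lookup is the pre-patch failure the report describes (SPNEGO at the top level, krb5 one layer down, no match); the recursive one is the patch's approach, with the depth bound added so that a nested or self-referential SPNEGO entry cannot recurse indefinitely.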
--- Begin Message ---
Source: krb5
Source-Version: 1.6.dfsg.4~beta1-2

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-2_i386.deb
krb5-clients_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-2_i386.deb
krb5-doc_1.6.dfsg.4~beta1-2_all.deb
  to pool/main/k/krb5/krb5-doc_1.6.dfsg.4~beta1-2_all.deb
krb5-ftpd_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-2_i386.deb
krb5-kdc-ldap_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-2_i386.deb
krb5-kdc_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-2_i386.deb
krb5-pkinit_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-2_i386.deb
krb5-rsh-server_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-2_i386.deb
krb5-telnetd_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-2_i386.deb
krb5-user_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-2_i386.deb
krb5_1.6.dfsg.4~beta1-2.diff.gz
  to pool/main/k/krb5/krb5_1.6.dfsg.4~beta1-2.diff.gz
krb5_1.6.dfsg.4~beta1-2.dsc
  to pool/main/k/krb5/krb5_1.6.dfsg.4~beta1-2.dsc
libkadm55_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-2_i386.deb
libkrb5-dbg_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-2_i386.deb
libkrb5-dev_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-2_i386.deb
libkrb53_1.6.dfsg.4~beta1-2_i386.deb
  to pool/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <[EMAIL PROTECTED]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jun 2008 09:29:00 -0400
Source: krb5
Binary: libkadm55 libkrb53 krb5-user krb5-clients krb5-rsh-server krb5-ftpd krb5-telnetd krb5-kdc krb5-kdc-ldap krb5-admin-server libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc
Architecture: source all i386
Version: 1.6.dfsg.4~beta1-2
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Sam Hartman <[EMAIL PROTECTED]>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
 krb5-doc   - Documentation for MIT Kerberos
 krb5-ftpd  - Secure FTP server supporting MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
 krb5-telnetd - Secure telnet server supporting MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libkadm55  - MIT Kerberos administration runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb53   - MIT Kerberos runtime libraries
Closes: 435427 480434 484371 484996 485473 485613
Changes: 
 krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
 .
   [ Russ Allbery ]
   * Translation updates:
     - Japanese, thanks TANAKA, Atushi.
     - Russian, thanks Sergey Alyoshin.  (Closes: #485473)
     - Brazilian Portuguese, thanks Eder L. Marques.  (Closes: #485613)
     - Romanian, thanks Eddy Petrișor.  (Closes: #484996)
 .
   [ Sam Hartman ]
   * Upload 1.6.4 beta 1 to unstable.  As best I can tell evaluating the
     changes this is a strict improvement over 1.6.3 even though it is
     still a beta version.  There is not an ABI change; backing out would
     be relatively easy.
   * Patch from Bryan Kadzban to look inside spnego union_creds when
     looking for a specific mechanism cred.  This allows spnego creds to be
     used when copying out to a ccache after delegation, Closes: #480434
   * Ksu now calls krb5_verify_init_creds rather than using its own custom
     logic because that is correct and so it can take advantage of the
     following change.
   * krb5_verify_init_creds uses the default realm if it gets a referral
     realm as input for server, Closes: #435427
   * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at the
     request of Moritz Muehlenhoff; he was unsure that adding these flags on
     other platforms would be a good idea.  I'd be happy to expand the list
     at the request of port maintainers, Closes: #484371
   * Fix KDC purge code introduced in previous revision.
Files: 
 2c75cb742978804c66831d5f13009570 1088 net standard krb5_1.6.dfsg.4~beta1-2.dsc
 265531a019437f94269894cc2b7a42ac 843445 net standard krb5_1.6.dfsg.4~beta1-2.diff.gz
 8300048664659996faaa7129282cd36d 2148232 doc optional krb5-doc_1.6.dfsg.4~beta1-2_all.deb
 79d2a882cb3023ff9f02c020b4cda48a 151424 libs optional libkadm55_1.6.dfsg.4~beta1-2_i386.deb
 854c59e917b15a3a3f586a3bfdd78b56 475880 libs standard libkrb53_1.6.dfsg.4~beta1-2_i386.deb
 10adbc4affb171ddf57ef932531c0a5b 135870 net optional krb5-user_1.6.dfsg.4~beta1-2_i386.deb
 882d8130e45bbb05c37bd47b66bf18d2 208642 net optional krb5-clients_1.6.dfsg.4~beta1-2_i386.deb
 da6c03b040ffd05605f03b722774f3c9 86836 net optional krb5-rsh-server_1.6.dfsg.4~beta1-2_i386.deb
 92e39788774b2d443bd0cc917208433d 63192 net extra krb5-ftpd_1.6.dfsg.4~beta1-2_i386.deb
 7e4c2221501be4129230cf741bce0f9e 69352 net extra krb5-telnetd_1.6.dfsg.4~beta1-2_i386.deb
 471edeb076d0bc55b8d2db88c99493b1 181030 net optional krb5-kdc_1.6.dfsg.4~beta1-2_i386.deb
 228d07fe70bffd76371d9262510adb7a 101060 net extra krb5-kdc-ldap_1.6.dfsg.4~beta1-2_i386.deb
 5dcb9b0bb286e70e9df0c664454b1402 85520 net optional krb5-admin-server_1.6.dfsg.4~beta1-2_i386.deb
 60b217a48c73b885193a97f64be0b9ae 91958 libdevel extra libkrb5-dev_1.6.dfsg.4~beta1-2_i386.deb
 17831b072a8d5f0dccbf7234a4eec3f7 1417720 libdevel extra libkrb5-dbg_1.6.dfsg.4~beta1-2_i386.deb
 7afac73a9410ae9a78100b69dc3e601c 64068 net extra krb5-pkinit_1.6.dfsg.4~beta1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIVm4x/I12czyGJg8RAs1fAJ0UtEauFF6mXbH3OUo58WEIwv/N1ACfTQXb
rmDbHMxLiSsnu0HBiZngwnE=
=q2Ib
-----END PGP SIGNATURE-----



--- End Message ---
