Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/krb5/patches/036-verify-nofail.patch
author Mike Sullivan <Mike.Sullivan@Oracle.COM>
Sat, 14 May 2016 15:38:32 -0700
changeset 5986 bab15c34f645
parent 5969 96bac9fbcfbd
child 6085 eb3c11e27709
permissions -rw-r--r--
backout 22954706/23116276 - needs more work

#
# This patch changes the default behavior of MIT to that of Solaris, in which
# during initial authentication the KDC is verified by fetching a service
# ticket of the system.
#
# Note: MIT is unlikely to take this as a patch as they have a less strict
# position on validating a KDC during initial authentication.
# Patch source: in-house
#
diff -pur old/src/lib/krb5/krb/t_vfy_increds.c new/src/lib/krb5/krb/t_vfy_increds.c
--- old/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 14:42:17.094623052 -0600
+++ new/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 15:53:08.651207899 -0600
@@ -59,6 +59,9 @@ main(int argc, char **argv)
     if (*argv != NULL && strcmp(*argv, "-n") == 0) {
         argv++;
         krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, TRUE);
+    } else if (*argv != NULL && strcmp(*argv, "-f") == 0) {
+        argv++;
+        krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, FALSE);
     }
     if (*argv != NULL)
         check(krb5_parse_name(context, *argv, &princ));
diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py
--- old/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 14:42:17.100176857 -0600
+++ new/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 18:03:03.977698328 -0600
@@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds'])
 realm.run(['./t_vfy_increds', '-n'])
 
 # Remove the keytab and verify again.  This should succeed if nofail
-# is not set, and fail if it is set.
+# is set to false and fail otherwise.
 os.remove(realm.keytab)
-realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds'], expected_code=1)
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds', '-f'])
 
 # Create an empty keytab file and verify again.  This simulates a
 # system where an admin ran "touch krb5.keytab" to work around a
 # Solaris Kerberos bug where krb5_kt_default() fails if the keytab
-# file doesn't exist.  Verification should succeed in nofail is not
-# set.  (An empty keytab file appears as corrupt to keytab calls,
+# file doesn't exist.  Verification should succeed if nofail is
+# set to false.  (An empty keytab file appears as corrupt to keytab calls,
 # causing a KRB5_KEYTAB_BADVNO error, so any tightening of the
 # krb5_verify_init_creds semantics needs to take this into account.)
 open(realm.keytab, 'w').close()
-realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds'], expected_code=1)
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds', '-f'])
 os.remove(realm.keytab)
 
 # Add an NFS service principal to keytab.  Verify should ignore it by
-# default (succeeding unless nofail is set), but should verify with it
+# default (succeeding only when nofail is unset), but should verify with it
 # when it is specifically requested.
 realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
 realm.run_kadminl('ktadd ' + realm.nfs_princ)
-realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds'], expected_code=1)
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
 realm.run(['./t_vfy_increds', realm.nfs_princ])
 realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])
@@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real
 # results with the default principal argument, but verification should
 # now fail if we request it specifically.
 realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
-realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds'], expected_code=1)
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
 realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
 realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1)
diff -pur old/src/lib/krb5/krb/vfy_increds.c new/src/lib/krb5/krb/vfy_increds.c
--- old/src/lib/krb5/krb/vfy_increds.c	2015-05-28 14:42:17.092454308 -0600
+++ new/src/lib/krb5/krb/vfy_increds.c	2015-05-28 15:45:14.121515053 -0600
@@ -33,8 +33,8 @@
 #include "k5-int.h"
 #include "int-proto.h"
 
-/* Return true if configuration demands that a keytab be present.  (By default
- * verification will be skipped if no keytab exists.) */
+/* Return true if configuration demands that a keytab be present.  (Verification
+ * will only be skipped IFF verify_ap_req_nofail has been set to false.) */
 static krb5_boolean
 nofail(krb5_context context, krb5_verify_init_creds_opt *options,
        krb5_creds *creds)
@@ -48,7 +48,7 @@ nofail(krb5_context context, krb5_verify
                                    KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
                                    &val) == 0)
         return (val != 0);
-    return FALSE;
+    return TRUE;
 }
 
 static krb5_error_code
upstream/oracle/userland-gate