diff --git a/freeipa.spec b/freeipa.spec index c4c78b4..ec28bc2 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -76,12 +76,13 @@ %global package_name freeipa %global alt_name ipa # Fix for CVE-2018-20217 -%global krb5_version 1.17-17 -%global krb5_kdb_version 7.0 +%global krb5_version 1.19 +%global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings -%global samba_version 2:4.9.0 +# Require 4.12 which has DsRGetForestTrustInformation access rights fixes +%global samba_version 2:4.12 # SELinux context for /etc/named directory, RHBZ#1759495 %global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.1 @@ -142,7 +143,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -153,6 +154,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as # https://github.com/freeipa/freeipa/pull/4045 # Fix bugs in the overlapping DNS zone check Patch0: 4045.patch +Patch1: krb5-1.18-support.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -1359,6 +1361,9 @@ fi %changelog +* Fri Jan 24 2020 Alexander Bokovoy - 4.8.4-3 +- Rebuild against krb5 1.18 beta + * Mon Dec 16 2019 Adam Williamson - 4.8.4-2 - Backport PR #4045 to fix overlapping DNS zone check bugs diff --git a/krb5-1.18-support.patch b/krb5-1.18-support.patch new file mode 100644 index 0000000..1d921cc --- /dev/null +++ b/krb5-1.18-support.patch 
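Review bot: The comment `# Fix for CVE-2018-20217` directly above the bumped `%global krb5_version 1.19` line now describes the old `1.17-17` floor, not the reason for the new one, and the same hunk keeps `# Require 4.7.0 which brings Python 3 bindings` above the new samba comment, so both macros end up with a stale comment stacked on a current one. Replace the krb5 comment with `# DAL 8.0 needs krb5 1.18+ (see krb5-1.18-support.patch); this also covers the CVE-2018-20217 fix` and drop the 4.7.0 line, leaving only the 4.12 rationale. Separately, the changelog entry and the patch file name refer to krb5 1.18 (beta) while the macro requires `1.19`; if that is deliberate because of how the beta was versioned in the build root, a short comment saying so would save the next reader the same question, and if not, the floor probably wants to be `1.18`. Whatever the macro feeds into (its `Requires`/`BuildRequires` uses are outside this hunk) inherits the answer.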
@@ -0,0 +1,409 @@ +From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 9 Jan 2020 16:44:15 -0500 +Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK + +In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18), +krb5 removed this flag, and always accepts aliases. + +Related-to: https://pagure.io/freeipa/issue/7879 +Signed-off-by: Robbie Harwood +--- + daemons/ipa-kdb/ipa_kdb_certauth.c | 21 +++++++------- + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 11 +++++-- + daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------ + 3 files changed, 43 insertions(+), 32 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c +index 47911aa3d..bc6b26578 100644 +--- a/daemons/ipa-kdb/ipa_kdb_certauth.c ++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c +@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, + const krb5_db_entry *db_entry, + char ***authinds_out) + { +- char *cert_filter = NULL; +- char **domains = NULL; +- int ret; ++ char *cert_filter = NULL, **domains = NULL; ++ int ret, flags = 0; + size_t c; +- char *principal = NULL; +- char **auth_inds = NULL; ++ char *principal = NULL, **auth_inds = NULL; + LDAPMessage *res = NULL; + krb5_error_code kerr; + LDAPMessage *lentry; + ++#ifdef KRB5_KDB_FLAG_ALIAS_OK ++ flags = KRB5_KDB_FLAG_ALIAS_OK; ++#endif ++ + if (moddata == NULL) { + return KRB5_PLUGIN_NO_HANDLE; + } +@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, + } + } + +- kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, +- KRB5_KDB_FLAG_ALIAS_OK, +- principal, +- cert_filter, ++ kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags, ++ principal, cert_filter, + &res); + if (kerr != 0) { + krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr); +@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, + 
goto done; + } + +- kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res, +- &principal, &lentry); ++ kerr = ipadb_find_principal(context, flags, res, &principal, &lentry); + if (kerr == KRB5_KDB_NOENTRY) { + krb5_klog_syslog(LOG_INFO, "No matching entry found"); + ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index 9467b1ba1..8d2ad66f7 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, + enum ipadb_user_auth ua; + struct ipadb_e_data *ied; + struct ipadb_e_pol_limits *pol_limits = NULL; +- int valid_auth_indicators = 0; ++ int valid_auth_indicators = 0, flags = 0; + krb5_db_entry *client_actual = NULL; + ++#ifdef KRB5_KDB_FLAG_ALIAS_OK ++ flags = KRB5_KDB_FLAG_ALIAS_OK; ++#endif ++ ++ + *status = NULL; + *lifetime_out = 0; + *renew_lifetime_out = 0; +@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, + if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) { + /* e-data is not availble, getting user auth from LDAP */ + krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. 
Try fetching..."); +- kerr = ipadb_get_principal(context, request->client, +- KRB5_KDB_FLAG_ALIAS_OK, &client_actual); ++ kerr = ipadb_get_principal(context, request->client, flags, ++ &client_actual); + if (kerr != 0) { + krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed."); + return kerr; +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 47e44f090..da0b841a1 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + LDAPMessage **result) + { + krb5_error_code kerr; +- char *src_filter = NULL; +- char *esc_original_princ = NULL; ++ char *src_filter = NULL, *esc_original_princ = NULL; + int ret; + + if (!ipactx->lcontext) { +@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + } + } + +- /* escape filter but do not touch '*' as this function accepts +- * wildcards in names */ ++ /* Escape filter but do not touch '*' as this function accepts ++ * wildcards in names. */ + esc_original_princ = ipadb_filter_escape(principal, false); + if (!esc_original_princ) { + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + +- if (filter == NULL) { +- if (flags & KRB5_KDB_FLAG_ALIAS_OK) { ++ /* Starting in DAL 8.0, aliases are always okay. 
*/ ++#ifdef KRB5_KDB_FLAG_ALIAS_OK ++ if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) { ++ if (filter == NULL) { ++ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, ++ esc_original_princ); ++ } else { ++ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, ++ esc_original_princ, filter); ++ } ++ } else ++#endif ++ { ++ if (filter == NULL) { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); + } else { +- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +- } +- } else { +- if (flags & KRB5_KDB_FLAG_ALIAS_OK) { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); +- } else { +- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, +- esc_original_princ, filter); + } + } + +@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + goto done; + } + +- kerr = ipadb_simple_search(ipactx, +- ipactx->base, LDAP_SCOPE_SUBTREE, +- src_filter, std_principal_attrs, +- result); +- ++ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, ++ src_filter, std_principal_attrs, result); + done: + free(src_filter); + free(esc_original_princ); +@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, + /* We need to check for a strict match as a '*' in the name may have + * caused the ldap server to return multiple entries. 
*/ + for (int i = 0; vals[i]; i++) { ++#ifdef KRB5_KDB_FLAG_ALIAS_OK + if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { + found = strcmp(vals[i]->bv_val, *principal) == 0; + if (found) +@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, + + continue; + } ++#endif + + /* The KDC will accept aliases when doing TGT lookup + * (ref_tgt_again in do_tgs_req.c), so use case-insensitive +@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, + if (vals == NULL) + break; + ++#ifdef KRB5_KDB_FLAG_ALIAS_OK + /* If aliases aren't accepted by the KDC, use case-sensitive + * comparison. */ + if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { +@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, + continue; + } + } ++#endif + + free(*principal); + *principal = strdup(vals[0]->bv_val); +@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext, + goto done; + } + ++#ifdef KRB5_KDB_FLAG_ALIAS_OK + flags = KRB5_KDB_FLAG_ALIAS_OK; ++#endif + kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry); + if (kerr != 0) { + goto done; +-- +2.24.1 + + +From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 9 Jan 2020 17:02:44 -0500 +Subject: [PATCH 2/3] [KDB] Support DAL version 8.0 + +Provide stubs for backward compatibility. DAL 8.0 was released with +krb5-1.18. + +Signed-off-by: Robbie Harwood +--- + daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++- + freeipa.spec.in | 2 +- + 2 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 612857b38..9a5c29b13 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = { + }; + #endif + ++#if (KRB5_KDB_DAL_MAJOR_VERSION == 8) ++/* Version 8 adds several arguments here. 
However, if we want to actually use ++ * them in mspac, we really ought to drop support for older DAL versions. */ ++static inline krb5_error_code ++stub_sign_authdata(krb5_context context, unsigned int flags, ++ krb5_const_principal client_princ, ++ krb5_const_principal server_princ, krb5_db_entry *client, ++ krb5_db_entry *server, krb5_db_entry *header_server, ++ krb5_db_entry *local_tgt, krb5_keyblock *client_key, ++ krb5_keyblock *server_key, krb5_keyblock *header_key, ++ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key, ++ krb5_timestamp authtime, krb5_authdata **tgt_auth_data, ++ void *ad_info, krb5_data ***auth_indicators, ++ krb5_authdata ***signed_auth_data) ++{ ++ krb5_db_entry *krbtgt = header_server ? header_server : server; ++ krb5_keyblock *krbtgt_key = header_key ? header_key : server_key; ++ ++ return ipadb_sign_authdata(context, flags, client_princ, client, server, ++ krbtgt, client_key, server_key, krbtgt_key, ++ session_key, authtime, tgt_auth_data, ++ signed_auth_data); ++} ++ ++kdb_vftabl kdb_function_table = { ++ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, ++ .min_ver = 0, ++ .init_library = ipadb_init_library, ++ .fini_library = ipadb_fini_library, ++ .init_module = ipadb_init_module, ++ .fini_module = ipadb_fini_module, ++ .create = ipadb_create, ++ .get_age = ipadb_get_age, ++ .get_principal = ipadb_get_principal, ++ .put_principal = ipadb_put_principal, ++ .delete_principal = ipadb_delete_principal, ++ .iterate = ipadb_iterate, ++ .create_policy = ipadb_create_pwd_policy, ++ .get_policy = ipadb_get_pwd_policy, ++ .put_policy = ipadb_put_pwd_policy, ++ .iter_policy = ipadb_iterate_pwd_policy, ++ .delete_policy = ipadb_delete_pwd_policy, ++ .fetch_master_key = ipadb_fetch_master_key, ++ .store_master_key_list = ipadb_store_master_key_list, ++ .change_pwd = ipadb_change_pwd, ++ .sign_authdata = stub_sign_authdata, ++ .check_transited_realms = ipadb_check_transited_realms, ++ .check_policy_as = ipadb_check_policy_as, ++ .audit_as_req = 
ipadb_audit_as_req, ++ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate, ++ .free_principal_e_data = ipadb_free_principal_e_data, ++ .get_s4u_x509_principal = NULL, ++ .allowed_to_delegate_from = NULL, ++ .get_authdata_info = NULL, ++ .free_authdata_info = NULL, ++}; ++#endif ++ + #if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \ + (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ +- (KRB5_KDB_DAL_MAJOR_VERSION != 7) ++ (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \ ++ (KRB5_KDB_DAL_MAJOR_VERSION != 8) + #error unsupported DAL major version + #endif +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 502ac2499..7617c935a 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -61,7 +61,7 @@ + %global alt_name ipa + # Fix for CVE-2018-20217 + %global krb5_version 1.16.1-24 +-%global krb5_kdb_version 7.0 ++%global krb5_kdb_version 8.0 + # 0.7.16: https://github.com/drkjam/netaddr/issues/71 + %global python_netaddr_version 0.7.16 + # Require 4.7.0 which brings Python 3 bindings +-- +2.24.1 + + +From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 9 Jan 2020 17:08:07 -0500 +Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0 + +No supported Linux distro packages a version of krb5 with this DAL, so +we don't lose anything by removing it. 
+ +Signed-off-by: Robbie Harwood +--- + daemons/ipa-kdb/ipa_kdb.c | 49 +-------------------------------------- + 1 file changed, 1 insertion(+), 48 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 9a5c29b13..3982c131b 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext, + return 0; + } + +-#if KRB5_KDB_DAL_MAJOR_VERSION == 5 +-static void *ipadb_alloc(krb5_context context, void *ptr, size_t size) +-{ +- return realloc(ptr, size); +-} +- +-static void ipadb_free(krb5_context context, void *ptr) +-{ +- free(ptr); +-} +-#endif +- + /* KDB Virtual Table */ + + /* We explicitly want to keep different ABI tables below separate. */ + /* Do not merge them together. Older ABI does not need to be updated */ + +-#if KRB5_KDB_DAL_MAJOR_VERSION == 5 +-kdb_vftabl kdb_function_table = { +- .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +- .min_ver = 0, +- .init_library = ipadb_init_library, +- .fini_library = ipadb_fini_library, +- .init_module = ipadb_init_module, +- .fini_module = ipadb_fini_module, +- .create = ipadb_create, +- .get_age = ipadb_get_age, +- .get_principal = ipadb_get_principal, +- .free_principal = ipadb_free_principal, +- .put_principal = ipadb_put_principal, +- .delete_principal = ipadb_delete_principal, +- .iterate = ipadb_iterate, +- .create_policy = ipadb_create_pwd_policy, +- .get_policy = ipadb_get_pwd_policy, +- .put_policy = ipadb_put_pwd_policy, +- .iter_policy = ipadb_iterate_pwd_policy, +- .delete_policy = ipadb_delete_pwd_policy, +- .free_policy = ipadb_free_pwd_policy, +- .alloc = ipadb_alloc, +- .free = ipadb_free, +- .fetch_master_key = ipadb_fetch_master_key, +- .store_master_key_list = ipadb_store_master_key_list, +- .change_pwd = ipadb_change_pwd, +- .sign_authdata = ipadb_sign_authdata, +- .check_transited_realms = ipadb_check_transited_realms, +- .check_policy_as = ipadb_check_policy_as, +- .audit_as_req = 
ipadb_audit_as_req, +- .check_allowed_to_delegate = ipadb_check_allowed_to_delegate +-}; +-#endif +- + #if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA) + kdb_vftabl kdb_function_table = { + .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = { + }; + #endif + +-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \ +- (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ ++#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ + (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \ + (KRB5_KDB_DAL_MAJOR_VERSION != 8) + #error unsupported DAL major version +-- +2.24.1 +
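Review bot: In the DAL 8 `stub_sign_authdata` added by patch 2/3, the fallback `krb5_db_entry *krbtgt = header_server ? header_server : server;` (and the matching `header_key ? header_key : server_key;`) reuses the service entry and key as the TGT entry and key whenever there is no header ticket, which is the pre-8.0 argument layout the stub is emulating; DAL 8 now also passes `local_tgt` and `local_tgt_key`, which look like the intended source for that case, so a mapping of `header_server ? header_server : local_tgt` / `header_key ? header_key : local_tgt_key` may be more accurate — confirm against how krb5 1.18 populates those arguments on the AS path before changing it, since the PAC's KDC checksum is keyed off this value. The stub's own comment acknowledges the new arguments are being deferred, so at minimum that comment should name which ones are dropped (`local_tgt`, `local_tgt_key`, `ad_info`, `auth_indicators`) and why, as they will otherwise read as unused-parameter noise. As a point of style, the `} else` immediately followed by `#endif` and then `{` in `ipadb_fetch_principals_with_extra_filter` (patch 1/3) is legal but easy to break on the next edit; building the filter in a small static helper that takes a `bool alias_ok` computed under the one `#ifdef` would keep the preprocessor out of the control flow. The extra blank line left after the new `#endif` in `ipa_kdcpolicy_check_as` is presumably unintended.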