Remove outdated patches

This commit is contained in:
Alexander Bokovoy 2020-03-21 22:42:47 +02:00
parent 307dce1d32
commit 8b42b6320e
6 changed files with 0 additions and 956 deletions


@ -1,46 +0,0 @@
From cf8ab60234a263d2d813701ad07d71132b0b845e Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 16 Dec 2019 14:39:51 +0100
Subject: [PATCH] DNS install check: Fix overlapping DNS zone from the master
itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
---
ipaserver/install/dns.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 36ba6f899d..9f08e86f9b 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
-
- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
- if hst not in e.kwargs['ns']:
- raise ValueError(str(e))
+ else:
+ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+ if hst not in e.kwargs['ns']:
+ raise ValueError(str(e))
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
- except ValueError as e:
+ except dnsutil.DNSZoneAlreadyExists as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', str(e))
else:


@ -1,124 +0,0 @@
From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 2 Mar 2020 16:49:48 +0100
Subject: [PATCH 1/3] Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.
The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.
Fixes: https://pagure.io/freeipa/issue/8214
---
ipaplatform/base/paths.py | 4 ++--
ipaplatform/base/tasks.py | 6 ++++--
ipaplatform/debian/paths.py | 2 --
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index f3a95500e3..0efe8b5a90 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -190,8 +190,8 @@ class BasePathNamespace:
NSUPDATE = "/usr/bin/nsupdate"
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer"
- ODS_ENFORCER = None
- ODS_ENFORCER_DB_SETUP = None
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 86617a07f5..d36039aa23 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None):
def run_ods_setup(self):
"""Initialize a new kasp.db
"""
- if paths.ODS_KSMUTIL is not None:
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+ # OpenDNSSEC 1.4
cmd = [paths.ODS_KSMUTIL, 'setup']
else:
+ # OpenDNSSEC 2.x
cmd = [paths.ODS_ENFORCER_DB_SETUP]
return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs):
"""
assert params[0] != 'setup'
- if paths.ODS_KSMUTIL is not None:
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
# OpenDNSSEC 1.4
cmd = [paths.ODS_KSMUTIL]
else:
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 764b5a2815..3a28c70ff4 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace):
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
ODS_KSMUTIL = None
- ODS_ENFORCER = "/usr/sbin/ods-enforcer"
- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 3 Mar 2020 08:00:58 +0100
Subject: [PATCH 3/3] Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
---
install/share/opendnssec_conf.template | 2 +-
ipaserver/install/opendnssecinstance.py | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
index 3d01fb4156..5658693ac3 100644
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -33,7 +33,7 @@
</Privileges>
<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
- <Interval>PT3600S</Interval>
+ $INTERVAL
<!-- <ManualKeyGeneration/> -->
<!-- <RolloverNotification>P14D</RolloverNotification> -->
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index df39705a44..6354521b4e 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -179,6 +179,12 @@ def __setup_conf_files(self):
# add pin to template
sub_conf_dict = self.conf_file_dict
sub_conf_dict['PIN'] = pin
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+ # OpenDNSSEC 1.4
+ sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
+ else:
+ # OpenDNSSEC 2.x
+ sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'
ods_conf_txt = ipautil.template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),


@ -1,61 +0,0 @@
From d92f21ae1b3051f96043c64320a768551de39d5a Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 31 Jan 2020 22:58:18 +0100
Subject: [PATCH 1/2] Fix DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3982c131b..8f3c22070 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -720,8 +720,8 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
{
- krb5_db_entry *krbtgt = header_server ? header_server : server;
- krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
+ krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
+ krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
return ipadb_sign_authdata(context, flags, client_princ, client, server,
krbtgt, client_key, server_key, krbtgt_key,
--
2.24.1
From c940f96b700d845afda014d41a0004068d379a9a Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 31 Jan 2020 23:03:09 +0100
Subject: [PATCH 2/2] Fix legacy S4U2Proxy in DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 8f3c22070..7bd30be85 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -723,6 +723,12 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ client = header_server;
+ krbtgt = local_tgt;
+ krbtgt_key = local_tgt_key;
+ }
+
return ipadb_sign_authdata(context, flags, client_princ, client, server,
krbtgt, client_key, server_key, krbtgt_key,
session_key, authtime, tgt_auth_data,
--
2.24.1


@ -1,409 +0,0 @@
From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 Jan 2020 16:44:15 -0500
Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_certauth.c | 21 +++++++-------
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 11 +++++--
daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------
3 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 47911aa3d..bc6b26578 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
const krb5_db_entry *db_entry,
char ***authinds_out)
{
- char *cert_filter = NULL;
- char **domains = NULL;
- int ret;
+ char *cert_filter = NULL, **domains = NULL;
+ int ret, flags = 0;
size_t c;
- char *principal = NULL;
- char **auth_inds = NULL;
+ char *principal = NULL, **auth_inds = NULL;
LDAPMessage *res = NULL;
krb5_error_code kerr;
LDAPMessage *lentry;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
if (moddata == NULL) {
return KRB5_PLUGIN_NO_HANDLE;
}
@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
}
}
- kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
- KRB5_KDB_FLAG_ALIAS_OK,
- principal,
- cert_filter,
+ kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
+ principal, cert_filter,
&res);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
goto done;
}
- kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
- &principal, &lentry);
+ kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
if (kerr == KRB5_KDB_NOENTRY) {
krb5_klog_syslog(LOG_INFO, "No matching entry found");
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 9467b1ba1..8d2ad66f7 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
enum ipadb_user_auth ua;
struct ipadb_e_data *ied;
struct ipadb_e_pol_limits *pol_limits = NULL;
- int valid_auth_indicators = 0;
+ int valid_auth_indicators = 0, flags = 0;
krb5_db_entry *client_actual = NULL;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
+
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
/* e-data is not availble, getting user auth from LDAP */
krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
- kerr = ipadb_get_principal(context, request->client,
- KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
+ kerr = ipadb_get_principal(context, request->client, flags,
+ &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
return kerr;
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 47e44f090..da0b841a1 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
LDAPMessage **result)
{
krb5_error_code kerr;
- char *src_filter = NULL;
- char *esc_original_princ = NULL;
+ char *src_filter = NULL, *esc_original_princ = NULL;
int ret;
if (!ipactx->lcontext) {
@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
}
}
- /* escape filter but do not touch '*' as this function accepts
- * wildcards in names */
+ /* Escape filter but do not touch '*' as this function accepts
+ * wildcards in names. */
esc_original_princ = ipadb_filter_escape(principal, false);
if (!esc_original_princ) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
- if (filter == NULL) {
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ /* Starting in DAL 8.0, aliases are always okay. */
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+ if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
+ if (filter == NULL) {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
+ esc_original_princ);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+ esc_original_princ, filter);
+ }
+ } else
+#endif
+ {
+ if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ);
} else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
- }
- } else {
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, esc_original_princ, filter);
- } else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
- esc_original_princ, filter);
}
}
@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
goto done;
}
- kerr = ipadb_simple_search(ipactx,
- ipactx->base, LDAP_SCOPE_SUBTREE,
- src_filter, std_principal_attrs,
- result);
-
+ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_principal_attrs, result);
done:
free(src_filter);
free(esc_original_princ);
@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
/* We need to check for a strict match as a '*' in the name may have
* caused the ldap server to return multiple entries. */
for (int i = 0; vals[i]; i++) {
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
found = strcmp(vals[i]->bv_val, *principal) == 0;
if (found)
@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
continue;
}
+#endif
/* The KDC will accept aliases when doing TGT lookup
* (ref_tgt_again in do_tgs_req.c), so use case-insensitive
@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
if (vals == NULL)
break;
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
/* If aliases aren't accepted by the KDC, use case-sensitive
* comparison. */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
continue;
}
}
+#endif
free(*principal);
*principal = strdup(vals[0]->bv_val);
@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
goto done;
}
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
if (kerr != 0) {
goto done;
--
2.24.1
From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 Jan 2020 17:02:44 -0500
Subject: [PATCH 2/3] [KDB] Support DAL version 8.0
Provide stubs for backward compatibility. DAL 8.0 was released with
krb5-1.18.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++-
freeipa.spec.in | 2 +-
2 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 612857b38..9a5c29b13 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = {
};
#endif
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
+/* Version 8 adds several arguments here. However, if we want to actually use
+ * them in mspac, we really ought to drop support for older DAL versions. */
+static inline krb5_error_code
+stub_sign_authdata(krb5_context context, unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+ void *ad_info, krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+{
+ krb5_db_entry *krbtgt = header_server ? header_server : server;
+ krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
+
+ return ipadb_sign_authdata(context, flags, client_princ, client, server,
+ krbtgt, client_key, server_key, krbtgt_key,
+ session_key, authtime, tgt_auth_data,
+ signed_auth_data);
+}
+
+kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+ .min_ver = 0,
+ .init_library = ipadb_init_library,
+ .fini_library = ipadb_fini_library,
+ .init_module = ipadb_init_module,
+ .fini_module = ipadb_fini_module,
+ .create = ipadb_create,
+ .get_age = ipadb_get_age,
+ .get_principal = ipadb_get_principal,
+ .put_principal = ipadb_put_principal,
+ .delete_principal = ipadb_delete_principal,
+ .iterate = ipadb_iterate,
+ .create_policy = ipadb_create_pwd_policy,
+ .get_policy = ipadb_get_pwd_policy,
+ .put_policy = ipadb_put_pwd_policy,
+ .iter_policy = ipadb_iterate_pwd_policy,
+ .delete_policy = ipadb_delete_pwd_policy,
+ .fetch_master_key = ipadb_fetch_master_key,
+ .store_master_key_list = ipadb_store_master_key_list,
+ .change_pwd = ipadb_change_pwd,
+ .sign_authdata = stub_sign_authdata,
+ .check_transited_realms = ipadb_check_transited_realms,
+ .check_policy_as = ipadb_check_policy_as,
+ .audit_as_req = ipadb_audit_as_req,
+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+ .free_principal_e_data = ipadb_free_principal_e_data,
+ .get_s4u_x509_principal = NULL,
+ .allowed_to_delegate_from = NULL,
+ .get_authdata_info = NULL,
+ .free_authdata_info = NULL,
+};
+#endif
+
#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
- (KRB5_KDB_DAL_MAJOR_VERSION != 7)
+ (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 8)
#error unsupported DAL major version
#endif
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 502ac2499..7617c935a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -61,7 +61,7 @@
%global alt_name ipa
# Fix for CVE-2018-20217
%global krb5_version 1.16.1-24
-%global krb5_kdb_version 7.0
+%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
--
2.24.1
From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 Jan 2020 17:08:07 -0500
Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 49 +--------------------------------------
1 file changed, 1 insertion(+), 48 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 9a5c29b13..3982c131b 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
return 0;
}
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
-{
- return realloc(ptr, size);
-}
-
-static void ipadb_free(krb5_context context, void *ptr)
-{
- free(ptr);
-}
-#endif
-
/* KDB Virtual Table */
/* We explicitly want to keep different ABI tables below separate. */
/* Do not merge them together. Older ABI does not need to be updated */
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-kdb_vftabl kdb_function_table = {
- .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
- .min_ver = 0,
- .init_library = ipadb_init_library,
- .fini_library = ipadb_fini_library,
- .init_module = ipadb_init_module,
- .fini_module = ipadb_fini_module,
- .create = ipadb_create,
- .get_age = ipadb_get_age,
- .get_principal = ipadb_get_principal,
- .free_principal = ipadb_free_principal,
- .put_principal = ipadb_put_principal,
- .delete_principal = ipadb_delete_principal,
- .iterate = ipadb_iterate,
- .create_policy = ipadb_create_pwd_policy,
- .get_policy = ipadb_get_pwd_policy,
- .put_policy = ipadb_put_pwd_policy,
- .iter_policy = ipadb_iterate_pwd_policy,
- .delete_policy = ipadb_delete_pwd_policy,
- .free_policy = ipadb_free_pwd_policy,
- .alloc = ipadb_alloc,
- .free = ipadb_free,
- .fetch_master_key = ipadb_fetch_master_key,
- .store_master_key_list = ipadb_store_master_key_list,
- .change_pwd = ipadb_change_pwd,
- .sign_authdata = ipadb_sign_authdata,
- .check_transited_realms = ipadb_check_transited_realms,
- .check_policy_as = ipadb_check_policy_as,
- .audit_as_req = ipadb_audit_as_req,
- .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
-};
-#endif
-
#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = {
};
#endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
- (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 8)
#error unsupported DAL major version
--
2.24.1


@ -1,272 +0,0 @@
From 86a8d9480aa402f885c72ccbcfeeb2bac488f268 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 31 Jul 2019 18:20:34 -0400
Subject: [PATCH 1/3] Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/README | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/daemons/ipa-kdb/README b/daemons/ipa-kdb/README
index b0786853b..4075082ee 100644
--- a/daemons/ipa-kdb/README
+++ b/daemons/ipa-kdb/README
@@ -1 +1,19 @@
This is the ipa krb5kdc database backend.
+
+As the KDB interfaces heavily with krb5, we inherit its code style as well.
+However, note the following changes:
+
+- no modelines (and different file preamble)
+- return types don't require their own line
+- single-statement blocks may optionally be braced
+- /* and */ do not ever get their own line
+- C99 for-loops are permitted (and encouraged)
+- a restricted set of other C99 features are permitted
+
+In particular, variable-length arrays, flexible array members, compound
+literals, universal character names, and //-style comments are not permitted.
+
+Use of regular malloc/free is preferred over talloc for new code.
+
+By and large, existing code mostly conforms to these requirements. New code
+must conform to them.
--
2.24.1
From 01c1b270cd83ab6573dc0a502ac37d0182503c3d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 1 Nov 2019 16:48:55 -0400
Subject: [PATCH 2/3] Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 0b8aa668f..9467b1ba1 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -23,6 +23,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
struct ipadb_e_data *ied;
struct ipadb_e_pol_limits *pol_limits = NULL;
int valid_auth_indicators = 0;
+ krb5_db_entry *client_actual = NULL;
*status = NULL;
*lifetime_out = 0;
@@ -32,13 +33,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
/* e-data is not availble, getting user auth from LDAP */
krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
- kerr = ipadb_get_principal(context, request->client, KRB5_KDB_FLAG_ALIAS_OK, &client);
+ kerr = ipadb_get_principal(context, request->client,
+ KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
return kerr;
}
- ied = (struct ipadb_e_data *)client->e_data;
+ ied = (struct ipadb_e_data *)client_actual->e_data;
if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
return EINVAL;
--
2.24.1
From 6bdd6b3d265ffc2f437e2a69707978758c2efdd8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 Jan 2020 16:11:28 -0500
Subject: [PATCH 3/3] Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 132 +++++++++++++--------------
1 file changed, 64 insertions(+), 68 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 9e711cea5..47e44f090 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1035,100 +1035,96 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
struct ipadb_context *ipactx;
bool found = false;
LDAPMessage *le = NULL;
- struct berval **vals;
- int i, result;
+ struct berval **vals = NULL;
+ int result;
+ krb5_error_code ret;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
- return KRB5_KDB_DBNOTINITED;
+ ret = KRB5_KDB_DBNOTINITED;
+ goto done;
}
- while (!found) {
-
- if (!le) {
- le = ldap_first_entry(ipactx->lcontext, res);
- } else {
- le = ldap_next_entry(ipactx->lcontext, le);
- }
- if (!le) {
- break;
- }
-
+ for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL;
+ le = ldap_next_entry(ipactx->lcontext, le)) {
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
- if (vals == NULL) {
+ if (vals == NULL)
continue;
- }
- /* we need to check for a strict match as a '*' in the name may have
- * caused the ldap server to return multiple entries */
- for (i = 0; vals[i]; i++) {
- /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
- /* Use case-insensitive comparison in such cases */
- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
- if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
- (*principal), strlen(*principal),
- NULL, NULL, &result) != 0)
- return KRB5_KDB_INTERNAL_ERROR;
- found = (result == 0);
- if (found) {
- /* replace the incoming principal with the value having
- * the correct case. This ensures that valid name/alias
- * is returned even if krbCanonicalName is not present
- */
- free(*principal);
- *principal = strdup(vals[i]->bv_val);
- if (!(*principal)) {
- return KRB5_KDB_INTERNAL_ERROR;
- }
- }
- } else {
- found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
+ /* We need to check for a strict match as a '*' in the name may have
+ * caused the ldap server to return multiple entries. */
+ for (int i = 0; vals[i]; i++) {
+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+ found = strcmp(vals[i]->bv_val, *principal) == 0;
+ if (found)
+ break;
+
+ continue;
}
- if (found) {
- break;
+
+ /* The KDC will accept aliases when doing TGT lookup
+ * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
+ * comparison. */
+ if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal,
+ strlen(*principal), NULL, NULL, &result) != 0) {
+ ret = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
}
+ if (result != 0)
+ continue;
+
+ /* Fix case on the incoming principal to ensure that a valid
+ * name/alias is returned even if krbCanonicalName is not
+ * present. */
+ free(*principal);
+ *principal = strdup(vals[i]->bv_val);
+ if (!*principal) {
+ ret = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+ found = true;
+ break;
}
-
- ldap_value_free_len(vals);
-
- if (!found) {
+ if (!found)
continue;
- }
- /* we need to check if this is the canonical name */
+ /* We need to check if this is the canonical name. */
+ ldap_value_free_len(vals);
vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
- if (vals == NULL) {
- continue;
- }
-
- /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
- found = true;
- } else {
- found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
- }
+ if (vals == NULL)
+ break;
- if (!found) {
- /* search does not allow aliases */
- ldap_value_free_len(vals);
- continue;
+ /* If aliases aren't accepted by the KDC, use case-sensitive
+ * comparison. */
+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+ found = strcmp(vals[0]->bv_val, *principal) == 0;
+ if (!found) {
+ ldap_value_free_len(vals);
+ continue;
+ }
}
free(*principal);
*principal = strdup(vals[0]->bv_val);
- if (!(*principal)) {
- return KRB5_KDB_INTERNAL_ERROR;
+ if (!*principal) {
+ ret = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
}
-
- ldap_value_free_len(vals);
+ break;
}
if (!found || !le) {
- return KRB5_KDB_NOENTRY;
+ ret = KRB5_KDB_NOENTRY;
+ goto done;
}
+ ret = 0;
*entry = le;
- return 0;
+done:
+ if (vals)
+ ldap_value_free_len(vals);
+
+ return ret;
}
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
--
2.24.1


@ -1,44 +0,0 @@
From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Feb 17 2020 15:40:16 +0000
Subject: kdb: make sure audit_as_req callback signature change is preserved
audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.
Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 7519f26..ae37a5a 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 77748a7..a60bc82 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -25,7 +25,7 @@
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif