diff --git a/4045.patch b/4045.patch deleted file mode 100644 index 62c36f4..0000000 --- a/4045.patch +++ /dev/null @@ -1,46 +0,0 @@ -From cf8ab60234a263d2d813701ad07d71132b0b845e Mon Sep 17 00:00:00 2001 -From: Thomas Woerner -Date: Mon, 16 Dec 2019 14:39:51 +0100 -Subject: [PATCH] DNS install check: Fix overlapping DNS zone from the master - itself - -The change to allow overlapping zone to be from the master itself has -introduced two issues: The check for the master itself should only executed -if options.force and options.allow_zone_overlap are both false and the -reverse zone check later on was still handling ValueError instead of -dnsutil.DNSZoneAlreadyExists. - -Both issues have been fixed and the deployment with existing name servers -is properly working again. - -Fixes: https://pagure.io/freeipa/issue/8150 -Signed-off-by: Thomas Woerner ---- - ipaserver/install/dns.py | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 36ba6f899d..9f08e86f9b 100644 ---- a/ipaserver/install/dns.py -+++ b/ipaserver/install/dns.py -@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname): - logger.warning("%s Please make sure that the domain is " - "properly delegated to this IPA server.", - e) -- -- hst = dnsutil.DNSName(hostname).make_absolute().to_text() -- if hst not in e.kwargs['ns']: -- raise ValueError(str(e)) -+ else: -+ hst = dnsutil.DNSName(hostname).make_absolute().to_text() -+ if hst not in e.kwargs['ns']: -+ raise ValueError(str(e)) - - for reverse_zone in options.reverse_zones: - try: - dnsutil.check_zone_overlap(reverse_zone) -- except ValueError as e: -+ except dnsutil.DNSZoneAlreadyExists as e: - if options.force or options.allow_zone_overlap: - logger.warning('%s', str(e)) - else: diff --git a/freeipa-4.8-opendnssec-2.1-support.patch b/freeipa-4.8-opendnssec-2.1-support.patch deleted file mode 100644 index c4d3942..0000000 --- a/freeipa-4.8-opendnssec-2.1-support.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 2 Mar 2020 16:49:48 +0100 -Subject: [PATCH 1/3] Support opendnssec 2.1.6 - -The installation of IPA DNS server is using ods-ksmutil, but -openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool -is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup. - -The master branch currently supports fedora 30+, but fedora 30 and 31 are -still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6. -Because of this, the code needs to check at run-time if the ods-ksmutil -command is available. If the file is missing, the code falls back to -the new ods-enforcer and ods-enforcer-db-setup commands. - -This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP -for all platforms, but the commands are used only if ods-ksmutil is not found. - -Fixes: https://pagure.io/freeipa/issue/8214 ---- - ipaplatform/base/paths.py | 4 ++-- - ipaplatform/base/tasks.py | 6 ++++-- - ipaplatform/debian/paths.py | 2 -- - 3 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index f3a95500e3..0efe8b5a90 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -190,8 +190,8 @@ class BasePathNamespace: - NSUPDATE = "/usr/bin/nsupdate" - ODS_KSMUTIL = "/usr/bin/ods-ksmutil" - ODS_SIGNER = "/usr/sbin/ods-signer" -- ODS_ENFORCER = None -- ODS_ENFORCER_DB_SETUP = None -+ ODS_ENFORCER = "/usr/sbin/ods-enforcer" -+ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" - OPENSSL = "/usr/bin/openssl" - PK12UTIL = "/usr/bin/pk12util" - SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" -diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py -index 86617a07f5..d36039aa23 100644 ---- a/ipaplatform/base/tasks.py -+++ b/ipaplatform/base/tasks.py -@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None): - def run_ods_setup(self): - """Initialize a new kasp.db - """ -- if paths.ODS_KSMUTIL is not None: -+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): -+ # OpenDNSSEC 1.4 - cmd = [paths.ODS_KSMUTIL, 'setup'] - else: -+ # OpenDNSSEC 2.x - cmd = [paths.ODS_ENFORCER_DB_SETUP] - return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER) - -@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs): - """ - assert params[0] != 'setup' - -- if paths.ODS_KSMUTIL is not None: -+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): - # OpenDNSSEC 1.4 - cmd = [paths.ODS_KSMUTIL] - else: -diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py -index 764b5a2815..3a28c70ff4 100644 ---- a/ipaplatform/debian/paths.py -+++ b/ipaplatform/debian/paths.py -@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace): - SBIN_SERVICE = "/usr/sbin/service" - CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" - ODS_KSMUTIL = None -- ODS_ENFORCER = "/usr/sbin/ods-enforcer" -- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" - UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates" - BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/" - BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/" - -From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 3 Mar 2020 08:00:58 +0100 -Subject: [PATCH 3/3] Remove the from opendnssec conf - -In opendnssec 2.1.6, the element is not supported in the -configuration file. - -Related: https://pagure.io/freeipa/issue/8214 ---- - install/share/opendnssec_conf.template | 2 +- - ipaserver/install/opendnssecinstance.py | 6 ++++++ - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template -index 3d01fb4156..5658693ac3 100644 ---- a/install/share/opendnssec_conf.template -+++ b/install/share/opendnssec_conf.template -@@ -33,7 +33,7 @@ - - - $KASP_DB -- PT3600S -+ $INTERVAL - - - -diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py -index df39705a44..6354521b4e 100644 ---- a/ipaserver/install/opendnssecinstance.py -+++ b/ipaserver/install/opendnssecinstance.py -@@ -179,6 +179,12 @@ def __setup_conf_files(self): - # add pin to template - sub_conf_dict = self.conf_file_dict - sub_conf_dict['PIN'] = pin -+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): -+ # OpenDNSSEC 1.4 -+ sub_conf_dict['INTERVAL'] = 'PT3600S' -+ else: -+ # OpenDNSSEC 2.x -+ sub_conf_dict['INTERVAL'] = '' - - ods_conf_txt = ipautil.template_file( - os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"), diff --git a/krb5-1.18-support-constraint-delegation.patch b/krb5-1.18-support-constraint-delegation.patch deleted file mode 100644 index 250529a..0000000 --- a/krb5-1.18-support-constraint-delegation.patch +++ /dev/null @@ -1,61 +0,0 @@ -From d92f21ae1b3051f96043c64320a768551de39d5a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 31 Jan 2020 22:58:18 +0100 -Subject: [PATCH 1/2] Fix DAL v8 support - -Signed-off-by: Isaac Boukris -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 3982c131b..8f3c22070 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -720,8 +720,8 @@ stub_sign_authdata(krb5_context context, unsigned int flags, - void *ad_info, krb5_data ***auth_indicators, - krb5_authdata ***signed_auth_data) - { -- krb5_db_entry *krbtgt = header_server ? header_server : server; -- krb5_keyblock *krbtgt_key = header_key ? header_key : server_key; -+ krb5_db_entry *krbtgt = header_server ? header_server : local_tgt; -+ krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key; - - return ipadb_sign_authdata(context, flags, client_princ, client, server, - krbtgt, client_key, server_key, krbtgt_key, --- -2.24.1 - - -From c940f96b700d845afda014d41a0004068d379a9a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 31 Jan 2020 23:03:09 +0100 -Subject: [PATCH 2/2] Fix legacy S4U2Proxy in DAL v8 support - -Signed-off-by: Isaac Boukris -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 8f3c22070..7bd30be85 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -723,6 +723,12 @@ stub_sign_authdata(krb5_context context, unsigned int flags, - krb5_db_entry *krbtgt = header_server ? header_server : local_tgt; - krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key; - -+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -+ client = header_server; -+ krbtgt = local_tgt; -+ krbtgt_key = local_tgt_key; -+ } -+ - return ipadb_sign_authdata(context, flags, client_princ, client, server, - krbtgt, client_key, server_key, krbtgt_key, - session_key, authtime, tgt_auth_data, --- -2.24.1 - diff --git a/krb5-1.18-support.patch b/krb5-1.18-support.patch deleted file mode 100644 index 1d921cc..0000000 --- a/krb5-1.18-support.patch +++ /dev/null @@ -1,409 +0,0 @@ -From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 9 Jan 2020 16:44:15 -0500 -Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK - -In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18), -krb5 removed this flag, and always accepts aliases. - -Related-to: https://pagure.io/freeipa/issue/7879 -Signed-off-by: Robbie Harwood ---- - daemons/ipa-kdb/ipa_kdb_certauth.c | 21 +++++++------- - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 11 +++++-- - daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------ - 3 files changed, 43 insertions(+), 32 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c -index 47911aa3d..bc6b26578 100644 ---- a/daemons/ipa-kdb/ipa_kdb_certauth.c -+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c -@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, - const krb5_db_entry *db_entry, - char ***authinds_out) - { -- char *cert_filter = NULL; -- char **domains = NULL; -- int ret; -+ char *cert_filter = NULL, **domains = NULL; -+ int ret, flags = 0; - size_t c; -- char *principal = NULL; -- char **auth_inds = NULL; -+ char *principal = NULL, **auth_inds = NULL; - LDAPMessage *res = NULL; - krb5_error_code kerr; - LDAPMessage *lentry; - -+#ifdef KRB5_KDB_FLAG_ALIAS_OK -+ flags = KRB5_KDB_FLAG_ALIAS_OK; -+#endif -+ - if (moddata == NULL) { - return KRB5_PLUGIN_NO_HANDLE; - } -@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, - } - } - -- kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, -- KRB5_KDB_FLAG_ALIAS_OK, -- principal, -- cert_filter, -+ kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags, -+ principal, cert_filter, - &res); - if (kerr != 0) { - krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr); -@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, - goto done; - } - -- kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res, -- &principal, &lentry); -+ kerr = ipadb_find_principal(context, flags, res, &principal, &lentry); - if (kerr == KRB5_KDB_NOENTRY) { - krb5_klog_syslog(LOG_INFO, "No matching entry found"); - ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index 9467b1ba1..8d2ad66f7 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - enum ipadb_user_auth ua; - struct ipadb_e_data *ied; - struct ipadb_e_pol_limits *pol_limits = NULL; -- int valid_auth_indicators = 0; -+ int valid_auth_indicators = 0, flags = 0; - krb5_db_entry *client_actual = NULL; - -+#ifdef KRB5_KDB_FLAG_ALIAS_OK -+ flags = KRB5_KDB_FLAG_ALIAS_OK; -+#endif -+ -+ - *status = NULL; - *lifetime_out = 0; - *renew_lifetime_out = 0; -@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) { - /* e-data is not availble, getting user auth from LDAP */ - krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching..."); -- kerr = ipadb_get_principal(context, request->client, -- KRB5_KDB_FLAG_ALIAS_OK, &client_actual); -+ kerr = ipadb_get_principal(context, request->client, flags, -+ &client_actual); - if (kerr != 0) { - krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed."); - return kerr; -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 47e44f090..da0b841a1 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, - LDAPMessage **result) - { - krb5_error_code kerr; -- char *src_filter = NULL; -- char *esc_original_princ = NULL; -+ char *src_filter = NULL, *esc_original_princ = NULL; - int ret; - - if (!ipactx->lcontext) { -@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, - } - } - -- /* escape filter but do not touch '*' as this function accepts -- * wildcards in names */ -+ /* Escape filter but do not touch '*' as this function accepts -+ * wildcards in names. */ - esc_original_princ = ipadb_filter_escape(principal, false); - if (!esc_original_princ) { - kerr = KRB5_KDB_INTERNAL_ERROR; - goto done; - } - -- if (filter == NULL) { -- if (flags & KRB5_KDB_FLAG_ALIAS_OK) { -+ /* Starting in DAL 8.0, aliases are always okay. */ -+#ifdef KRB5_KDB_FLAG_ALIAS_OK -+ if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) { -+ if (filter == NULL) { -+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, -+ esc_original_princ); -+ } else { -+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, -+ esc_original_princ, filter); -+ } -+ } else -+#endif -+ { -+ if (filter == NULL) { - ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, esc_original_princ); - } else { -- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); -- } -- } else { -- if (flags & KRB5_KDB_FLAG_ALIAS_OK) { - ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, - esc_original_princ, esc_original_princ, filter); -- } else { -- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, -- esc_original_princ, filter); - } - } - -@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, - goto done; - } - -- kerr = ipadb_simple_search(ipactx, -- ipactx->base, LDAP_SCOPE_SUBTREE, -- src_filter, std_principal_attrs, -- result); -- -+ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -+ src_filter, std_principal_attrs, result); - done: - free(src_filter); - free(esc_original_princ); -@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, - /* We need to check for a strict match as a '*' in the name may have - * caused the ldap server to return multiple entries. */ - for (int i = 0; vals[i]; i++) { -+#ifdef KRB5_KDB_FLAG_ALIAS_OK - if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { - found = strcmp(vals[i]->bv_val, *principal) == 0; - if (found) -@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, - - continue; - } -+#endif - - /* The KDC will accept aliases when doing TGT lookup - * (ref_tgt_again in do_tgs_req.c), so use case-insensitive -@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, - if (vals == NULL) - break; - -+#ifdef KRB5_KDB_FLAG_ALIAS_OK - /* If aliases aren't accepted by the KDC, use case-sensitive - * comparison. */ - if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { -@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, - continue; - } - } -+#endif - - free(*principal); - *principal = strdup(vals[0]->bv_val); -@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext, - goto done; - } - -+#ifdef KRB5_KDB_FLAG_ALIAS_OK - flags = KRB5_KDB_FLAG_ALIAS_OK; -+#endif - kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry); - if (kerr != 0) { - goto done; --- -2.24.1 - - -From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 9 Jan 2020 17:02:44 -0500 -Subject: [PATCH 2/3] [KDB] Support DAL version 8.0 - -Provide stubs for backward compatibility. DAL 8.0 was released with -krb5-1.18. - -Signed-off-by: Robbie Harwood ---- - daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++- - freeipa.spec.in | 2 +- - 2 files changed, 61 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 612857b38..9a5c29b13 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = { - }; - #endif - -+#if (KRB5_KDB_DAL_MAJOR_VERSION == 8) -+/* Version 8 adds several arguments here. However, if we want to actually use -+ * them in mspac, we really ought to drop support for older DAL versions. */ -+static inline krb5_error_code -+stub_sign_authdata(krb5_context context, unsigned int flags, -+ krb5_const_principal client_princ, -+ krb5_const_principal server_princ, krb5_db_entry *client, -+ krb5_db_entry *server, krb5_db_entry *header_server, -+ krb5_db_entry *local_tgt, krb5_keyblock *client_key, -+ krb5_keyblock *server_key, krb5_keyblock *header_key, -+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key, -+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data, -+ void *ad_info, krb5_data ***auth_indicators, -+ krb5_authdata ***signed_auth_data) -+{ -+ krb5_db_entry *krbtgt = header_server ? header_server : server; -+ krb5_keyblock *krbtgt_key = header_key ? header_key : server_key; -+ -+ return ipadb_sign_authdata(context, flags, client_princ, client, server, -+ krbtgt, client_key, server_key, krbtgt_key, -+ session_key, authtime, tgt_auth_data, -+ signed_auth_data); -+} -+ -+kdb_vftabl kdb_function_table = { -+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, -+ .min_ver = 0, -+ .init_library = ipadb_init_library, -+ .fini_library = ipadb_fini_library, -+ .init_module = ipadb_init_module, -+ .fini_module = ipadb_fini_module, -+ .create = ipadb_create, -+ .get_age = ipadb_get_age, -+ .get_principal = ipadb_get_principal, -+ .put_principal = ipadb_put_principal, -+ .delete_principal = ipadb_delete_principal, -+ .iterate = ipadb_iterate, -+ .create_policy = ipadb_create_pwd_policy, -+ .get_policy = ipadb_get_pwd_policy, -+ .put_policy = ipadb_put_pwd_policy, -+ .iter_policy = ipadb_iterate_pwd_policy, -+ .delete_policy = ipadb_delete_pwd_policy, -+ .fetch_master_key = ipadb_fetch_master_key, -+ .store_master_key_list = ipadb_store_master_key_list, -+ .change_pwd = ipadb_change_pwd, -+ .sign_authdata = stub_sign_authdata, -+ .check_transited_realms = ipadb_check_transited_realms, -+ .check_policy_as = ipadb_check_policy_as, -+ .audit_as_req = ipadb_audit_as_req, -+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate, -+ .free_principal_e_data = ipadb_free_principal_e_data, -+ .get_s4u_x509_principal = NULL, -+ .allowed_to_delegate_from = NULL, -+ .get_authdata_info = NULL, -+ .free_authdata_info = NULL, -+}; -+#endif -+ - #if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \ - (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ -- (KRB5_KDB_DAL_MAJOR_VERSION != 7) -+ (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \ -+ (KRB5_KDB_DAL_MAJOR_VERSION != 8) - #error unsupported DAL major version - #endif -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 502ac2499..7617c935a 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -61,7 +61,7 @@ - %global alt_name ipa - # Fix for CVE-2018-20217 - %global krb5_version 1.16.1-24 --%global krb5_kdb_version 7.0 -+%global krb5_kdb_version 8.0 - # 0.7.16: https://github.com/drkjam/netaddr/issues/71 - %global python_netaddr_version 0.7.16 - # Require 4.7.0 which brings Python 3 bindings --- -2.24.1 - - -From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 9 Jan 2020 17:08:07 -0500 -Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0 - -No supported Linux distro packages a version of krb5 with this DAL, so -we don't lose anything by removing it. - -Signed-off-by: Robbie Harwood ---- - daemons/ipa-kdb/ipa_kdb.c | 49 +-------------------------------------- - 1 file changed, 1 insertion(+), 48 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 9a5c29b13..3982c131b 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext, - return 0; - } - --#if KRB5_KDB_DAL_MAJOR_VERSION == 5 --static void *ipadb_alloc(krb5_context context, void *ptr, size_t size) --{ -- return realloc(ptr, size); --} -- --static void ipadb_free(krb5_context context, void *ptr) --{ -- free(ptr); --} --#endif -- - /* KDB Virtual Table */ - - /* We explicitly want to keep different ABI tables below separate. */ - /* Do not merge them together. Older ABI does not need to be updated */ - --#if KRB5_KDB_DAL_MAJOR_VERSION == 5 --kdb_vftabl kdb_function_table = { -- .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, -- .min_ver = 0, -- .init_library = ipadb_init_library, -- .fini_library = ipadb_fini_library, -- .init_module = ipadb_init_module, -- .fini_module = ipadb_fini_module, -- .create = ipadb_create, -- .get_age = ipadb_get_age, -- .get_principal = ipadb_get_principal, -- .free_principal = ipadb_free_principal, -- .put_principal = ipadb_put_principal, -- .delete_principal = ipadb_delete_principal, -- .iterate = ipadb_iterate, -- .create_policy = ipadb_create_pwd_policy, -- .get_policy = ipadb_get_pwd_policy, -- .put_policy = ipadb_put_pwd_policy, -- .iter_policy = ipadb_iterate_pwd_policy, -- .delete_policy = ipadb_delete_pwd_policy, -- .free_policy = ipadb_free_pwd_policy, -- .alloc = ipadb_alloc, -- .free = ipadb_free, -- .fetch_master_key = ipadb_fetch_master_key, -- .store_master_key_list = ipadb_store_master_key_list, -- .change_pwd = ipadb_change_pwd, -- .sign_authdata = ipadb_sign_authdata, -- .check_transited_realms = ipadb_check_transited_realms, -- .check_policy_as = ipadb_check_policy_as, -- .audit_as_req = ipadb_audit_as_req, -- .check_allowed_to_delegate = ipadb_check_allowed_to_delegate --}; --#endif -- - #if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA) - kdb_vftabl kdb_function_table = { - .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, -@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = { - }; - #endif - --#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \ -- (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ -+#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \ - (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \ - (KRB5_KDB_DAL_MAJOR_VERSION != 8) - #error unsupported DAL major version --- -2.24.1 - diff --git a/krb5-kdb-fixes.patch b/krb5-kdb-fixes.patch deleted file mode 100644 index 0990a95..0000000 --- a/krb5-kdb-fixes.patch +++ /dev/null @@ -1,272 +0,0 @@ -From 86a8d9480aa402f885c72ccbcfeeb2bac488f268 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 31 Jul 2019 18:20:34 -0400 -Subject: [PATCH 1/3] Make the coding style explicit - -Signed-off-by: Robbie Harwood -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/README | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/daemons/ipa-kdb/README b/daemons/ipa-kdb/README -index b0786853b..4075082ee 100644 ---- a/daemons/ipa-kdb/README -+++ b/daemons/ipa-kdb/README -@@ -1 +1,19 @@ - This is the ipa krb5kdc database backend. -+ -+As the KDB interfaces heavily with krb5, we inherit its code style as well. -+However, note the following changes: -+ -+- no modelines (and different file preamble) -+- return types don't require their own line -+- single-statement blocks may optionally be braced -+- /* and */ do not ever get their own line -+- C99 for-loops are permitted (and encouraged) -+- a restricted set of other C99 features are permitted -+ -+In particular, variable-length arrays, flexible array members, compound -+literals, universal character names, and //-style comments are not permitted. -+ -+Use of regular malloc/free is preferred over talloc for new code. -+ -+By and large, existing code mostly conforms to these requirements. New code -+must conform to them. --- -2.24.1 - - -From 01c1b270cd83ab6573dc0a502ac37d0182503c3d Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 1 Nov 2019 16:48:55 -0400 -Subject: [PATCH 2/3] Use separate variable for client fetch in kdcpolicy - -`client` is not intended to be modified as a parameter of the AS check -function. Fixes an "incompatible pointer type" compiler warning. - -Signed-off-by: Robbie Harwood -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index 0b8aa668f..9467b1ba1 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -23,6 +23,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - struct ipadb_e_data *ied; - struct ipadb_e_pol_limits *pol_limits = NULL; - int valid_auth_indicators = 0; -+ krb5_db_entry *client_actual = NULL; - - *status = NULL; - *lifetime_out = 0; -@@ -32,13 +33,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) { - /* e-data is not availble, getting user auth from LDAP */ - krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching..."); -- kerr = ipadb_get_principal(context, request->client, KRB5_KDB_FLAG_ALIAS_OK, &client); -+ kerr = ipadb_get_principal(context, request->client, -+ KRB5_KDB_FLAG_ALIAS_OK, &client_actual); - if (kerr != 0) { - krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed."); - return kerr; - } - -- ied = (struct ipadb_e_data *)client->e_data; -+ ied = (struct ipadb_e_data *)client_actual->e_data; - if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) { - krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed."); - return EINVAL; --- -2.24.1 - - -From 6bdd6b3d265ffc2f437e2a69707978758c2efdd8 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 9 Jan 2020 16:11:28 -0500 -Subject: [PATCH 3/3] Fix several leaks in ipadb_find_principal - -`vals` is often leaked during early exit. Refactor function to use a -single exit path to prevent this. - -Signed-off-by: Robbie Harwood -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb_principals.c | 132 +++++++++++++-------------- - 1 file changed, 64 insertions(+), 68 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 9e711cea5..47e44f090 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -1035,100 +1035,96 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext, - struct ipadb_context *ipactx; - bool found = false; - LDAPMessage *le = NULL; -- struct berval **vals; -- int i, result; -+ struct berval **vals = NULL; -+ int result; -+ krb5_error_code ret; - - ipactx = ipadb_get_context(kcontext); - if (!ipactx) { -- return KRB5_KDB_DBNOTINITED; -+ ret = KRB5_KDB_DBNOTINITED; -+ goto done; - } - -- while (!found) { -- -- if (!le) { -- le = ldap_first_entry(ipactx->lcontext, res); -- } else { -- le = ldap_next_entry(ipactx->lcontext, le); -- } -- if (!le) { -- break; -- } -- -+ for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL; -+ le = ldap_next_entry(ipactx->lcontext, le)) { - vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname"); -- if (vals == NULL) { -+ if (vals == NULL) - continue; -- } - -- /* we need to check for a strict match as a '*' in the name may have -- * caused the ldap server to return multiple entries */ -- for (i = 0; vals[i]; i++) { -- /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */ -- /* Use case-insensitive comparison in such cases */ -- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) { -- if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, -- (*principal), strlen(*principal), -- NULL, NULL, &result) != 0) -- return KRB5_KDB_INTERNAL_ERROR; -- found = (result == 0); -- if (found) { -- /* replace the incoming principal with the value having -- * the correct case. This ensures that valid name/alias -- * is returned even if krbCanonicalName is not present -- */ -- free(*principal); -- *principal = strdup(vals[i]->bv_val); -- if (!(*principal)) { -- return KRB5_KDB_INTERNAL_ERROR; -- } -- } -- } else { -- found = (strcmp(vals[i]->bv_val, (*principal)) == 0); -+ /* We need to check for a strict match as a '*' in the name may have -+ * caused the ldap server to return multiple entries. */ -+ for (int i = 0; vals[i]; i++) { -+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { -+ found = strcmp(vals[i]->bv_val, *principal) == 0; -+ if (found) -+ break; -+ -+ continue; - } -- if (found) { -- break; -+ -+ /* The KDC will accept aliases when doing TGT lookup -+ * (ref_tgt_again in do_tgs_req.c), so use case-insensitive -+ * comparison. */ -+ if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal, -+ strlen(*principal), NULL, NULL, &result) != 0) { -+ ret = KRB5_KDB_INTERNAL_ERROR; -+ goto done; - } -+ if (result != 0) -+ continue; -+ -+ /* Fix case on the incoming principal to ensure that a valid -+ * name/alias is returned even if krbCanonicalName is not -+ * present. */ -+ free(*principal); -+ *principal = strdup(vals[i]->bv_val); -+ if (!*principal) { -+ ret = KRB5_KDB_INTERNAL_ERROR; -+ goto done; -+ } -+ found = true; -+ break; - } -- -- ldap_value_free_len(vals); -- -- if (!found) { -+ if (!found) - continue; -- } - -- /* we need to check if this is the canonical name */ -+ /* We need to check if this is the canonical name. */ -+ ldap_value_free_len(vals); - vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname"); -- if (vals == NULL) { -- continue; -- } -- -- /* Again, if aliases are accepted by KDC, use case-insensitive comparison */ -- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) { -- found = true; -- } else { -- found = (strcmp(vals[0]->bv_val, (*principal)) == 0); -- } -+ if (vals == NULL) -+ break; - -- if (!found) { -- /* search does not allow aliases */ -- ldap_value_free_len(vals); -- continue; -+ /* If aliases aren't accepted by the KDC, use case-sensitive -+ * comparison. */ -+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) { -+ found = strcmp(vals[0]->bv_val, *principal) == 0; -+ if (!found) { -+ ldap_value_free_len(vals); -+ continue; -+ } - } - - free(*principal); - *principal = strdup(vals[0]->bv_val); -- if (!(*principal)) { -- return KRB5_KDB_INTERNAL_ERROR; -+ if (!*principal) { -+ ret = KRB5_KDB_INTERNAL_ERROR; -+ goto done; - } -- -- ldap_value_free_len(vals); -+ break; - } - - if (!found || !le) { -- return KRB5_KDB_NOENTRY; -+ ret = KRB5_KDB_NOENTRY; -+ goto done; - } - -+ ret = 0; - *entry = le; -- return 0; -+done: -+ if (vals) -+ ldap_value_free_len(vals); -+ -+ return ret; - } - - static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx, --- -2.24.1 - diff --git a/krb5-pg8200.patch b/krb5-pg8200.patch deleted file mode 100644 index c6d8480..0000000 --- a/krb5-pg8200.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Feb 17 2020 15:40:16 +0000 -Subject: kdb: make sure audit_as_req callback signature change is preserved - - -audit_as_req() callback has changed its signature with MIT krb5 commit -20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the -change for any newer DAL versions. Otherwise audit_as_req() callback -would reference wrong data and we might crash. - -Fixes: https://pagure.io/freeipa/issue/8200 -Signed-off-by: Alexander Bokovoy -Reviewed-By: Christian Heimes - ---- - -diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h -index 7519f26..ae37a5a 100644 ---- a/daemons/ipa-kdb/ipa_kdb.h -+++ b/daemons/ipa-kdb/ipa_kdb.h -@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext, - - void ipadb_audit_as_req(krb5_context kcontext, - krb5_kdc_req *request, --#if (KRB5_KDB_DAL_MAJOR_VERSION == 7) -+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7) - const krb5_address *local_addr, - const krb5_address *remote_addr, - #endif -diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c -index 77748a7..a60bc82 100644 ---- a/daemons/ipa-kdb/ipa_kdb_audit_as.c -+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c -@@ -25,7 +25,7 @@ - - void ipadb_audit_as_req(krb5_context kcontext, - krb5_kdc_req *request, --#if (KRB5_KDB_DAL_MAJOR_VERSION == 7) -+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7) - const krb5_address *local_addr, - const krb5_address *remote_addr, - #endif -