ipa-kdb: Fix compilation issues.
Related: RHEL-22313 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
parent
4ced5cbefb
commit
f285979474
|
@ -242,3 +242,69 @@ index 05d5b40..a18beff 100644
|
||||||
krb5_free_authdata(context, ifrel);
|
krb5_free_authdata(context, ifrel);
|
||||||
krb5_pac_free(context, pac);
|
krb5_pac_free(context, pac);
|
||||||
|
|
||||||
|
From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Fri, 9 Feb 2024 16:36:03 +0100
|
||||||
|
Subject: [PATCH] ipd-kdb: Fix some mistakes in
|
||||||
|
ipadb_check_for_bronze_bit_attack()
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9521
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb.h | 3 ++-
|
||||||
|
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +-
|
||||||
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 5 +++--
|
||||||
|
3 files changed, 6 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
|
||||||
|
index 621c23591..5de5ea7a5 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb.h
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb.h
|
||||||
|
@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
||||||
|
* status If the call fails and the pointer is not NULL, set it with a
|
||||||
|
* message describing the cause of the failure. */
|
||||||
|
krb5_error_code
|
||||||
|
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
|
||||||
|
+ipadb_check_for_bronze_bit_attack(krb5_context context,
|
||||||
|
+ const krb5_kdc_req *request,
|
||||||
|
bool *supported, bool *detected,
|
||||||
|
const char **status);
|
||||||
|
# endif
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
|
index 713e9a0c8..44959f3de 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
|
@@ -190,7 +190,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
||||||
|
krb5_error_code kerr;
|
||||||
|
bool supported;
|
||||||
|
|
||||||
|
- kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
|
||||||
|
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL,
|
||||||
|
status);
|
||||||
|
if (kerr)
|
||||||
|
return KRB5KDC_ERR_POLICY;
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 80350364a..886ed7785 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -3308,13 +3308,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
||||||
|
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
|
||||||
|
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
|
||||||
|
krb5_error_code
|
||||||
|
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
|
||||||
|
+ipadb_check_for_bronze_bit_attack(krb5_context context,
|
||||||
|
+ const krb5_kdc_req *request,
|
||||||
|
bool *supported, bool *detected,
|
||||||
|
const char **status)
|
||||||
|
{
|
||||||
|
krb5_error_code kerr;
|
||||||
|
const char *st = NULL;
|
||||||
|
- size_t i, j;
|
||||||
|
+ size_t i, j = 0;
|
||||||
|
bool in_supported = true, in_detected = false;
|
||||||
|
struct ipadb_context *ipactx;
|
||||||
|
krb5_ticket *evidence_tkt;
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
|
|
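Review bot: In the ipa_kdb_kdcpolicy.c hunk of the added patch, `bool supported;` in ipa_kdcpolicy_check_tgs() is still declared without a value, so after the corrected call it holds only what ipadb_check_for_bronze_bit_attack() writes through `&supported`; whether the callee stores to it on every path that returns 0 is not visible in these hunks. Because the flag belongs to the Bronze-Bit check on TGS requests, I would give it an explicit default that makes the caller take the conservative branch, e.g. `bool supported = false;`, so a skipped store can never leave the decision to an indeterminate value. In the ipa_kdb_mspac.c hunk, `size_t i, j = 0;` presumably silences an uninitialised-use diagnostic; if the body confirms that `j` is always assigned before it is read, say so in a comment such as `/* 0 only silences the uninitialised-use warning; j is set before it is read */`, otherwise the initialiser may be hiding a real logic gap. Both function bodies continue outside the lines shown.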
7
ipa.spec
7
ipa.spec
|
@ -1738,21 +1738,22 @@ fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 12 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-5
|
* Tue Feb 13 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-5
|
||||||
- kdb: PAC generator: do not fail if canonical principal is missing
|
- kdb: PAC generator: do not fail if canonical principal is missing
|
||||||
Resolves: RHEL-23630
|
Resolves: RHEL-23630
|
||||||
- ipa-kdb: Fix memory leak during PAC verification
|
- ipa-kdb: Fix memory leak during PAC verification
|
||||||
Resolves: RHEL-22644
|
Resolves: RHEL-22644
|
||||||
- Fix session cookie access
|
- Fix session cookie access
|
||||||
Resolves: RHEL-23622
|
Resolves: RHEL-23622
|
||||||
- Do not ignore staged users in sidgen plugin\
|
- Do not ignore staged users in sidgen plugin
|
||||||
Resovlves: RHEL-23626
|
Resovlves: RHEL-23626
|
||||||
- ipa-kdb: Disable Bronze-Bit check if PAC not available
|
- ipa-kdb: Disable Bronze-Bit check if PAC not available
|
||||||
Resolves: RHEL-22313
|
Resolves: RHEL-22313
|
||||||
- krb5kdc: Fix start when pkinit and otp auth type are enabled
|
- krb5kdc: Fix start when pkinit and otp auth type are enabled
|
||||||
Resolves: RHEL-4874
|
Resolves: RHEL-4874
|
||||||
- hbactest was not collecting or returning messages
|
- hbactest was not collecting or returning messages
|
||||||
Resolvez: RHEL-12780
|
Resolves: RHEL-12780
|
||||||
|
|
||||||
|
|
||||||
* Tue Jan 23 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-4
|
* Tue Jan 23 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-4
|
||||||
- Improve server affinity for CA-less deployments
|
- Improve server affinity for CA-less deployments
|
||||||
|
|