rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Pull in 2019-05-02 static analysis updates

Browse Source
This commit is contained in:
Robbie Harwood 2019-05-10 13:50:56 -04:00
parent d1b5e24f4c
commit 0b0d802a54
35 changed files with 1120 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Add-dns_canonicalize_hostname-fallback-support.patch
View File

@ -1,4 +1,4 @@
From 18d45e4b48c363f631b1acd7dac5902351bf1a0e Mon Sep 17 00:00:00 2001
From 05672fdc2530618441710361daba097bccf51f61 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 4 Dec 2018 15:22:55 -0500
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support

2
Add-function-and-enctype-flag-for-deprecations.patch
View File

@ -1,4 +1,4 @@
From 461e3a4d81c73db832401592d417489dc0151a2c Mon Sep 17 00:00:00 2001
From 4cd829c935319049142052ac45f252a8c3c54b49 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 16:16:57 -0500
Subject: [PATCH] Add function and enctype flag for deprecations

63
Avoid-alignment-warnings-in-openssl-rc4.c.patch Normal file
View File

@ -0,0 +1,63 @@
From 05c4ea24fa8603572ea1bffc767886bb26b8d542 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 15:14:49 -0400
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
Add a comment to k5_arcfour_init_state() explaining how we stretch the
krb5_data cipher state contract. Use void * casts when interpreting
the data pointer to avoid alignment warnings.
[ghudson@mit.edu: moved and expanded comment; rewrote commit message]
(cherry picked from commit 1cd41d76c12fc1cea0a8bf0d6a40f34623c60d6d)
---
src/lib/crypto/openssl/enc_provider/rc4.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index 7f3c086ed..a65d57b7a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -57,7 +57,7 @@ struct arcfour_state {
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
size_t num_data)
{
size_t i;
@@ -66,7 +66,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
- arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL;
+ arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
if (arcstate->loopback != arcstate)
@@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (struct arcfour_state *) state->data;
+ struct arcfour_state *arcstate = (void *)state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +125,15 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ /*
+ * The cipher state here is a saved pointer to a struct arcfour_state
+ * object, rather than a flat byte array as in most enc providers. The
+ * object includes a loopback pointer to detect if if the caller made a
+ * copy of the krb5_data value or otherwise assumed it was a simple byte
+ * array. When we cast the data pointer back, we need to go through void *
+ * to avoid increased alignment warnings.
+ */
+
/* Create a state structure with an uninitialized context. */
arcstate = calloc(1, sizeof(*arcstate));
if (arcstate == NULL)

2
Avoid-allocating-a-register-in-zap-assembly.patch
View File

@ -1,4 +1,4 @@
From 26dc343d4e59ef0f80e1ecca09b40f120b79d809 Mon Sep 17 00:00:00 2001
From 273475be9d8aafb41edf417f6317c9537a03c3fa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Jan 2019 17:19:32 +0100
Subject: [PATCH] Avoid allocating a register in zap() assembly

8
Check-more-errors-in-OpenSSL-crypto-backend.patch
View File

@ -1,4 +1,4 @@
From 27bc3f5a90533af509202d851374ea40f3982864 Mon Sep 17 00:00:00 2001
From b87d0cd119732b9066606d388b4fdebde2facbe5 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 22 Apr 2019 14:26:42 -0400
Subject: [PATCH] Check more errors in OpenSSL crypto backend
@ -18,10 +18,10 @@ ticket: 8799 (new)
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index d94d9ac94..769a50c00 100644
index b2db6ec02..7dc59dcc0 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -121,7 +121,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
@@ -117,7 +117,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *output)
{
@ -30,7 +30,7 @@ index d94d9ac94..769a50c00 100644
unsigned char md[EVP_MAX_MD_SIZE];
HMAC_CTX *ctx;
size_t hashsize, blocksize;
@@ -141,22 +141,22 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
@@ -137,22 +137,22 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
if (ctx == NULL)
return ENOMEM;

2
Clarify-header-comment-for-krb5_cc_start_seq_get.patch
View File

@ -1,4 +1,4 @@
From 18dd4d5c622238d1607671198cf2b2ddec9abda5 Mon Sep 17 00:00:00 2001
From dc0ff969a963c0dcbf203a636cf12030ea2845d9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 2 Apr 2019 14:18:57 -0400
Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()

2
Clear-forwardable-flag-instead-of-denying-request.patch
View File

@ -1,4 +1,4 @@
From 297ad5039231e655eaae7c142991326fd863e70a Mon Sep 17 00:00:00 2001
From 561ac441f046a01a4e71e3c475760cc2d42b8213 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Nov 2018 13:40:43 -0500
Subject: [PATCH] Clear forwardable flag instead of denying request

2
Fix-config-realm-change-logic-in-FILE-remove_cred.patch
View File

@ -1,4 +1,4 @@
From 908eb6dde51917bb50d388a1769c50eede68fc10 Mon Sep 17 00:00:00 2001
From 7eb42e3fbdb854b085eceaa500f1c18569bd044d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Apr 2019 10:47:35 -0400
Subject: [PATCH] Fix config realm change logic in FILE remove_cred

2
Fix-memory-leak-in-none-replay-cache-type.patch
View File

@ -1,4 +1,4 @@
From 050acb871c242931b3fb51c59461f22555046d19 Mon Sep 17 00:00:00 2001
From aeae5941ff8beea66516a31cd16fe4df6e8165f9 Mon Sep 17 00:00:00 2001
From: Corene Casper <C.Casper@Dell.com>
Date: Sat, 16 Feb 2019 00:49:26 -0500
Subject: [PATCH] Fix memory leak in 'none' replay cache type

2
Fix-potential-close-1-in-cc_file.c.patch
View File

@ -1,4 +1,4 @@
From b2002f8286c0f77e57c7387123328a31125cda2e Mon Sep 17 00:00:00 2001
From c1fe784e79b847a7e9ae9009193dee66bc1b6164 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 18 Apr 2019 13:39:37 -0400
Subject: [PATCH] Fix potential close(-1) in cc_file.c

103
Fix-some-return-code-handling-bugs.patch Normal file
View File

@ -0,0 +1,103 @@
From 202a4ef4b2d1fa88d1a5c7f0b673bc4f563c57cd Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 14:05:38 -0400
Subject: [PATCH] Fix some return code handling bugs
Fix five cases where return codes could be set (in unlikely cases) but
did not result in error exits.
[ghudson@mit.edu: squashed commits and rewrote commit message]
ticket: 8801 (new)
tags: pullup
target_version: 1.17-next
target_version: 1.16-next
(cherry picked from commit 7c26740f9df3c79c3f01c3a4dda4d9dabba5298d)
---
src/kdc/fast_util.c | 16 ++++++++--------
src/lib/gssapi/krb5/k5unsealiov.c | 1 +
src/lib/kadm5/clnt/client_init.c | 3 +++
src/tests/gssapi/t_pcontok.c | 1 +
4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 6a3fc11b9..c9ba83e5e 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -47,9 +47,10 @@ static krb5_error_code armor_ap_request
if (retval == 0)
retval = krb5_auth_con_setflags(kdc_context,
authcontext, 0); /*disable replay cache*/
- retval = krb5_rd_req(kdc_context, &authcontext,
- &armor->armor_value, NULL /*server*/,
- kdc_active_realm->realm_keytab, NULL, &ticket);
+ if (retval == 0)
+ retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value,
+ NULL /*server*/, kdc_active_realm->realm_keytab,
+ NULL, &ticket);
if (retval != 0) {
const char * errmsg = krb5_get_error_message(kdc_context, retval);
k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"),
@@ -132,7 +133,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
{
krb5_error_code retval = 0;
krb5_pa_data *fast_padata;
- krb5_data scratch, *inner_body = NULL;
+ krb5_data scratch, plaintext, *inner_body = NULL;
krb5_fast_req * fast_req = NULL;
krb5_kdc_req *request = *requestptr;
krb5_fast_armored_req *fast_armored_req = NULL;
@@ -183,11 +184,10 @@ kdc_find_fast(krb5_kdc_req **requestptr,
}
}
if (retval == 0) {
- krb5_data plaintext;
plaintext.length = fast_armored_req->enc_part.ciphertext.length;
- plaintext.data = malloc(plaintext.length);
- if (plaintext.data == NULL)
- retval = ENOMEM;
+ plaintext.data = k5alloc(plaintext.length, &retval);
+ }
+ if (retval == 0) {
retval = krb5_c_decrypt(kdc_context,
state->armor_key,
KRB5_KEYUSAGE_FAST_ENC, NULL,
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 8b6704274..f15d2db69 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -281,6 +281,7 @@ kg_unseal_v1_iov(krb5_context context,
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
retval = GSS_S_BAD_SIG;
+ goto cleanup;
}
code = 0;
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index 6f10db018..aa08918e2 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -465,6 +465,9 @@ gic_iter(kadm5_server_handle_t handle, enum init_type init_type,
/* Credentials for kadmin don't need to be forwardable or proxiable. */
if (init_type != INIT_CREDS) {
code = krb5_get_init_creds_opt_alloc(ctx, &opt);
+ if (code)
+ goto error;
+
krb5_get_init_creds_opt_set_forwardable(opt, 0);
krb5_get_init_creds_opt_set_proxiable(opt, 0);
krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
index b966f8129..c40ea434c 100644
--- a/src/tests/gssapi/t_pcontok.c
+++ b/src/tests/gssapi/t_pcontok.c
@@ -126,6 +126,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
iov.flags = KRB5_CRYPTO_TYPE_DATA;
iov.data = make_data(cksum.contents, 16);
ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
+ check_k5err(context, "krb5_k_encrypt_iov", ret);
memcpy(ptr + 8, cksum.contents + 8, 8);
} else {
memcpy(ptr + 8, cksum.contents, cksize);

2
Implement-krb5_cc_remove_cred-for-remaining-types.patch
View File

@ -1,4 +1,4 @@
From 57ce492d6700ca6417cc43f3e97e0186b2cdfa90 Mon Sep 17 00:00:00 2001
From fd67573d4f0e2ac155752697ebf750c43fab3c59 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 1 Apr 2019 14:28:48 -0400
Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types

55
Improve-error-messages-from-kadmin-change_password.patch Normal file
View File

@ -0,0 +1,55 @@
From a479ad01696f97114cdc1734a7fe5f3d4bd80e80 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:16 -0400
Subject: [PATCH] Improve error messages from kadmin change_password
The checks for missing option arguments were dead code, because the
loop condition requires at least two remaining arguments. Instead
check for at least one argument with a leading "-", and check for too
many or too few arguments after the loop. Add an initial message for
unrecognized options.
[ghudson@mit.edu: adjusted logic to improve mesages in more cases]
(cherry picked from commit 13ba54002d362ebb09be464b4e7ec75050d1348f)
---
src/kadmin/cli/kadmin.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index cc74921bf..fe4cb493c 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -797,11 +797,11 @@ kadmin_cpw(int argc, char *argv[])
char **db_args = NULL;
int db_args_size = 0;
- if (argc < 2) {
+ if (argc < 1) {
cpw_usage(NULL);
return;
}
- for (argv++, argc--; argc > 1; argc--, argv++) {
+ for (argv++, argc--; argc > 0 && **argv == '-'; argc--, argv++) {
if (!strcmp("-x", *argv)) {
argc--;
if (argc < 1) {
@@ -841,12 +841,16 @@ kadmin_cpw(int argc, char *argv[])
goto cleanup;
}
} else {
+ com_err("change_password", 0, _("unrecognized option %s"), *argv);
cpw_usage(NULL);
goto cleanup;
}
}
- if (*argv == NULL) {
- com_err("change_password", 0, _("missing principal name"));
+ if (argc != 1) {
+ if (argc < 1)
+ com_err("change_password", 0, _("missing principal name"));
+ else
+ com_err("change_password", 0, _("too many arguments"));
cpw_usage(NULL);
goto cleanup;
}

2
In-kpropd-debug-log-proper-ticket-enctype-names.patch
View File

@ -1,4 +1,4 @@
From c06d20bf241059059cc3ffd810a44e310ff9970d Mon Sep 17 00:00:00 2001
From fe497f16d8da570dea363dacb18cfc2fcfa52f24 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 13:41:16 -0500
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names

2
In-rd_req_dec-always-log-non-permitted-enctypes.patch
View File

@ -1,4 +1,4 @@
From 6a316b681a2e0b6917285b9a0cdde605d463288b Mon Sep 17 00:00:00 2001
From d868f6753cd6e9de447f097626f5e5155c727414 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 14 Jan 2019 17:14:42 -0500
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes

55
Initialize-some-data-structure-magic-fields.patch Normal file
View File

@ -0,0 +1,55 @@
From a1327230380d0c73ebb9a22e4c6bbb1b6f3e0c64 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 13:36:38 -0400
Subject: [PATCH] Initialize some data structure magic fields
Static analyzers may complain if they see a data structure copied with
an uninitialized field, even if the copy target won't use the field.
Add magic field initializers in three such places.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 551e88e76e537e45f6c80eadaefeb790994f83f9)
---
src/lib/gssapi/krb5/util_cksum.c | 1 +
src/lib/krb5/krb/authdata.c | 8 ++------
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index cfd585ec7..a1770774e 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -48,6 +48,7 @@ kg_checksum_channel_bindings(context, cb, cksum)
cksum->checksum_type = CKSUMTYPE_RSA_MD5;
cksum->length = sumlen;
+ cksum->magic = KV5M_CHECKSUM;
/* generate a buffer full of zeros if no cb specified */
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 7fbcfab68..3e7dfbe49 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -976,9 +976,7 @@ krb5_authdata_export_internal(krb5_context kcontext,
*ptr = NULL;
- name.length = strlen(module_name);
- name.data = (char *)module_name;
-
+ name = make_data((char *)module_name, strlen(module_name));
module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name);
if (module == NULL)
return ENOENT;
@@ -1005,9 +1003,7 @@ krb5_authdata_free_internal(krb5_context kcontext,
krb5_data name;
struct _krb5_authdata_context_module *module;
- name.length = strlen(module_name);
- name.data = (char *)module_name;
-
+ name = make_data((char *)module_name, strlen(module_name));
module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name);
if (module == NULL)
return ENOENT;

2
Make-etype-names-in-KDC-logs-human-readable.patch
View File

@ -1,4 +1,4 @@
From 2a8005296c3da39f6d0c6ecd48b950447897af91 Mon Sep 17 00:00:00 2001
From c14796879b9c4601a3333444c9aa6388031e6ab2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Jan 2019 17:42:35 -0500
Subject: [PATCH] Make etype names in KDC logs human-readable

2
Mark-deprecated-enctypes-when-used.patch
View File

@ -1,4 +1,4 @@
From 6d265afd53ead9290948b5ba07438b6a91939bfd Mon Sep 17 00:00:00 2001
From 5b81e75e1c5ec39a070df7c87c64aa74b5b9c0ba Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Jan 2019 16:34:54 -0500
Subject: [PATCH] Mark deprecated enctypes when used

68
Modernize-exit-path-in-gss_krb5int_copy_ccache.patch Normal file
View File

@ -0,0 +1,68 @@
From ae9b51bc4f4ca5e88d7675d373e35fde8470e223 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 14:32:33 -0400
Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
Move to a single lock / single unlock paradigm, and eliminate some
dead code in the old error handling.
(cherry picked from commit 1b89e3d8e949f52901bce74c9afc7a1a64099520)
---
src/lib/gssapi/krb5/copy_ccache.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c
index 027ed4847..2b2806e70 100644
--- a/src/lib/gssapi/krb5/copy_ccache.c
+++ b/src/lib/gssapi/krb5/copy_ccache.c
@@ -9,7 +9,7 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
{
krb5_gss_cred_id_t k5creds;
krb5_error_code code;
- krb5_context context;
+ krb5_context context = NULL;
krb5_ccache out_ccache;
assert(value->length == sizeof(out_ccache));
@@ -23,30 +23,23 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
k5creds = (krb5_gss_cred_id_t) *cred_handle;
k5_mutex_lock(&k5creds->lock);
if (k5creds->usage == GSS_C_ACCEPT) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
+ code = G_BAD_USAGE;
+ goto cleanup;
}
code = krb5_gss_init_context(&context);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ if (code)
+ goto cleanup;
code = krb5_cc_copy_creds(context, k5creds->ccache, out_ccache);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+
+cleanup:
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
- if (code)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
+ if (context != NULL) {
+ if (code)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ }
return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
}

2
Properly-size-ifdef-in-k5_cccol_lock.patch
View File

@ -1,4 +1,4 @@
From ec9e4597188234e402cd318aebe0fa0a3587a993 Mon Sep 17 00:00:00 2001
From 85577bdae928613c87828fff79d5d6c6b9b8b291 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 Feb 2019 11:50:35 -0500
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()

2
Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
View File

@ -1,4 +1,4 @@
From 7fa37c0c80b3bbd611ba27dd162aa0b6016c20b3 Mon Sep 17 00:00:00 2001
From 6bd60d3985df4e327f86d2a19349f52058d09a17 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 14:37:38 -0400
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi

2
Remove-ccapi-related-comments-in-configure.ac.patch
View File

@ -1,4 +1,4 @@
From 1f214b1265bde1d8f6c9b99af0755ca8f5463385 Mon Sep 17 00:00:00 2001
From 74c45a65b34e49aecfedfb8451b857350fbbe616 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 16:01:22 -0400
Subject: [PATCH] Remove ccapi-related comments in configure.ac

2
Remove-confvalidator-utility.patch
View File

@ -1,4 +1,4 @@
From 32a6caec15bafd37fdf5746c08cf1a385166020e Mon Sep 17 00:00:00 2001
From 841be050c7f02d09aade0ed2c708bff8787afcd2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 14:58:19 -0400
Subject: [PATCH] Remove confvalidator utility

2
Remove-doxygen-generated-HTML-output-for-ccapi.patch
View File

@ -1,4 +1,4 @@
From 5f56eefcf0017d6c0c574e667f55f827b226b295 Mon Sep 17 00:00:00 2001
From 33acfff1a6ec51f2d60933c362ec8afb89d5d548 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 14:15:58 -0400
Subject: [PATCH] Remove doxygen-generated HTML output for ccapi

2
Remove-kadmin-RPC-support-for-setting-v4-key.patch
View File

@ -1,4 +1,4 @@
From a2fc99321c797c1534f6314d17560c622ec93418 Mon Sep 17 00:00:00 2001
From 76b39ce5081eb3b288532d615c356ab508e93495 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 16:14:46 -0400
Subject: [PATCH] Remove kadmin RPC support for setting v4 key

276
Remove-more-dead-code.patch Normal file
View File

@ -0,0 +1,276 @@
From eb6d9cd533d087d38b7f3c1b7086a712cb0bfe46 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 May 2019 14:07:24 -0400
Subject: [PATCH] Remove more dead code
(cherry picked from commit 0269810b1aec6c554fb746433f045d59fd34ab3a)
---
src/clients/klist/klist.c | 5 ---
src/kadmin/dbutil/kdb5_mkey.c | 2 --
src/kadmin/server/ipropd_svc.c | 4 ---
src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
src/lib/gssapi/krb5/k5sealv3.c | 5 ++-
src/lib/gssapi/krb5/k5sealv3iov.c | 5 ++-
src/lib/kdb/kdb_convert.c | 36 +++----------------
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 4 ---
.../kdb/ldap/libkdb_ldap/ldap_create.c | 10 ------
src/plugins/preauth/pkinit/pkinit_srv.c | 8 -----
src/tests/hammer/kdc5_hammer.c | 4 +--
11 files changed, 10 insertions(+), 75 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 8c307151a..4261ac96c 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -720,11 +720,6 @@ show_credential(krb5_creds *cred)
extra_field += 2;
}
- if (extra_field > 3) {
- fputs("\n", stdout);
- extra_field = 0;
- }
-
if (show_flags) {
flags = flags_string(cred);
if (flags && *flags) {
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 19796c202..aceb0a9b8 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -1240,7 +1240,6 @@ kdb5_purge_mkeys(int argc, char *argv[])
if (actkvno_entry == actkvno_list) {
/* remove from head */
actkvno_list = actkvno_entry->next;
- prev_actkvno_entry = actkvno_list;
} else if (actkvno_entry->next == NULL) {
/* remove from tail */
prev_actkvno_entry->next = NULL;
@@ -1263,7 +1262,6 @@ kdb5_purge_mkeys(int argc, char *argv[])
if (mkey_aux_entry->mkey_kvno == args.kvnos[j].kvno) {
if (mkey_aux_entry == mkey_aux_list) {
mkey_aux_list = mkey_aux_entry->next;
- prev_mkey_aux_entry = mkey_aux_list;
} else if (mkey_aux_entry->next == NULL) {
prev_mkey_aux_entry->next = NULL;
} else {
diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
index dc9984c2c..56e9b90b2 100644
--- a/src/kadmin/server/ipropd_svc.c
+++ b/src/kadmin/server/ipropd_svc.c
@@ -263,8 +263,6 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp)
int pret, fret;
FILE *p;
kadm5_server_handle_t handle = global_server_handle;
- OM_uint32 min_stat;
- gss_name_t name = NULL;
char *client_name = NULL, *service_name = NULL;
char *whoami = "iprop_full_resync_1";
@@ -440,8 +438,6 @@ out:
debprret(whoami, ret.ret, 0);
free(client_name);
free(service_name);
- if (name)
- gss_release_name(&min_stat, &name);
free(ubuf);
return (&ret);
}
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 79b83e0c6..f09cda007 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -780,7 +780,7 @@ krb5_gss_localname(OM_uint32 *minor,
localname->value = gssalloc_strdup(lname);
localname->length = strlen(lname);
- return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
+ return GSS_S_COMPLETE;
}
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 25d9f2711..3b4f8cb83 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -145,9 +145,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL |
+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index a73edb6a4..333ee124d 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -144,9 +144,8 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL |
+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xFF;
/* EC */
diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c
index 76140732f..e1bf1919f 100644
--- a/src/lib/kdb/kdb_convert.c
+++ b/src/lib/kdb/kdb_convert.c
@@ -305,8 +305,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
krb5_error_code ret;
kdbe_attr_type_t *attr_types;
int kadm_data_yes;
- /* always exclude non-replicated attributes, for now */
- krb5_boolean exclude_nra = TRUE;
nattrs = tmpint = 0;
final = -1;
@@ -356,7 +354,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
nattrs++;
}
} else {
- find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs);
+ /* Always exclude non-replicated attributes for now. */
+ find_changed_attrs(curr, entry, TRUE, attr_types, &nattrs);
krb5_db_free_principal(context, curr);
}
@@ -402,31 +401,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
}
break;
- case AT_LAST_SUCCESS:
- if (!exclude_nra && entry->last_success >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS;
- ULOG_ENTRY(update, final).av_last_success =
- (uint32_t)entry->last_success;
- }
- break;
-
- case AT_LAST_FAILED:
- if (!exclude_nra && entry->last_failed >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED;
- ULOG_ENTRY(update, final).av_last_failed =
- (uint32_t)entry->last_failed;
- }
- break;
-
- case AT_FAIL_AUTH_COUNT:
- if (!exclude_nra) {
- ULOG_ENTRY_TYPE(update, ++final).av_type =
- AT_FAIL_AUTH_COUNT;
- ULOG_ENTRY(update, final).av_fail_auth_count =
- (uint32_t)entry->fail_auth_count;
- }
- break;
-
case AT_PRINC:
if (entry->princ->length > 0) {
ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC;
@@ -552,10 +526,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
/* END CSTYLED */
case AT_LEN:
- if (entry->len >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
- ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
- }
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
+ ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
break;
default:
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index ce038fc3d..0a95101ad 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -135,10 +135,6 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
print_usage = TRUE;
goto cleanup;
}
- if (file_name == NULL) {
- com_err(me, ENOMEM, _("while setting service object password"));
- goto cleanup;
- }
} else { /* argc == 2 */
service_object = strdup (argv[1]);
if (service_object == NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index 1e6fffee5..5b57c799a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -56,7 +56,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
krb5_ldap_realm_params *rparams = NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_boolean realm_obj_created = FALSE;
- krb5_boolean krbcontainer_obj_created = FALSE;
int mask = 0;
/* Clear the global error string */
@@ -121,15 +120,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
goto cleanup;
cleanup:
- /* If the krbcontainer/realm creation is not complete, do the roll-back here */
- if ((krbcontainer_obj_created) && (!realm_obj_created)) {
- int rc;
- rc = krb5_ldap_delete_krbcontainer(context,
- ldap_context->container_dn);
- k5_setmsg(context, rc, _("could not complete roll-back, error "
- "deleting Kerberos Container"));
- }
-
if (rparams)
krb5_ldap_free_realm_params(rparams);
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 27e6ef4d2..6aa646cc6 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -258,15 +258,7 @@ verify_client_san(krb5_context context,
}
pkiDebug("%s: no upn san match found\n", __FUNCTION__);
- /* We found no match */
- if (princs != NULL || upns != NULL) {
- *valid_san = 0;
- /* XXX ??? If there was one or more name in the cert, but
- * none matched the client name, then return mismatch? */
- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
- }
retval = 0;
-
out:
if (princs != NULL) {
for (i = 0; princs[i] != NULL; i++)
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index 086c21d1c..8220fd97b 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -439,7 +439,6 @@ int get_tgt (context, p_client_str, p_client, ccache)
krb5_principal *p_client;
krb5_ccache ccache;
{
- char *cache_name = NULL; /* -f option */
long lifetime = KRB5_DEFAULT_LIFE; /* -l option */
krb5_error_code code;
krb5_creds my_creds;
@@ -464,8 +463,7 @@ int get_tgt (context, p_client_str, p_client, ccache)
code = krb5_cc_initialize (context, ccache, *p_client);
if (code != 0) {
- com_err (prog, code, "when initializing cache %s",
- cache_name?cache_name:"");
+ com_err (prog, code, "when initializing cache");
return(-1);
}

2
Remove-ovsec_adm_export-dump-format-support.patch
View File

@ -1,4 +1,4 @@
From 34bde16a10c0cf0f05732376b955af0302af155d Mon Sep 17 00:00:00 2001
From e7766b4c1df19738a4cf34d498046cfa8dd91637 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 22 Jan 2019 18:34:58 -0500
Subject: [PATCH] Remove ovsec_adm_export dump format support

2
Remove-srvtab-support.patch
View File

@ -1,4 +1,4 @@
From 152f5ed9961f54dd9d764ffb3c6298eb85d8f934 Mon Sep 17 00:00:00 2001
From e74dc82235b3948dee706310ebf5b1878d08d7df Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 9 Oct 2017 15:58:33 -0400
Subject: [PATCH] Remove srvtab support

76
Simplify-SAM-2-as_key-handling.patch Normal file
View File

@ -0,0 +1,76 @@
From 4f9e21c9daf505f5147dcab2fb4d1b241e1b90f8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 5 May 2019 18:53:27 -0400
Subject: [PATCH] Simplify SAM-2 as_key handling
The ctx->gak_fct() call in sam2_process() used an empty salt instead
of the default salt when the KDC did not supply an explicit salt.
This bug arose when commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41
changed the internal contracts around salts but did not adjust the
SAM-2 code. Commit e9aa891fcdb4c08d39902ab89afb268042b60c86 fixed the
resulting bug, but mistakenly did not adjust the gak_fct call to use
the correct salt.
Later on, the code contains a redundant call to krb5_c_string_to_key()
in the non-USE_SAD_AS_KEY modes, replacing ctx->as_key. This call was
properly adjusted by commit e9aa891fcdb4c08d39902ab89afb268042b60c86,
so the improper gak_fct call did not manifest as a bug.
Fix the gak_fct call to supply the correct salt, and remove the
redundant string_to_key operation.
(cherry picked from commit d48670c51460e9a74b4f4a9966f85ca6f77c1d8b)
---
src/lib/krb5/krb/preauth_sam2.c | 25 +++----------------------
1 file changed, 3 insertions(+), 22 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index 4c70021a9..c7484c47e 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -95,7 +95,6 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_prompt kprompt;
krb5_prompt_type prompt_type;
krb5_data defsalt, *salt;
- struct gak_password *gakpw;
krb5_checksum **cksum;
krb5_data *scratch = NULL;
krb5_boolean valid_cksum = 0;
@@ -152,9 +151,8 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
salt = ctx->default_salt ? NULL : &ctx->salt;
retval = ctx->gak_fct(context, request->client, sc2b->sam_etype,
- prompter, prompter_data, &ctx->salt,
- &ctx->s2kparams, &ctx->as_key,
- ctx->gak_data, ctx->rctx.items);
+ prompter, prompter_data, salt, &ctx->s2kparams,
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
krb5_free_sam_challenge_2_body(context, sc2b);
@@ -212,24 +210,7 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
/* Get encryption key to be used for checksum and sam_response */
if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* as_key = string_to_key(password) */
-
- if (ctx->as_key.length) {
- krb5_free_keyblock_contents(context, &ctx->as_key);
- ctx->as_key.length = 0;
- }
-
- /* generate a key using the supplied password */
- gakpw = ctx->gak_data;
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- gakpw->password, salt, &ctx->as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
+ /* Retain as_key from above gak_fct call. */
if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
/* as_key = combine_key (as_key, string_to_key(SAD)) */

301
Simply-OpenSSL-PKCS7-decryption-code.patch Normal file
View File

@ -0,0 +1,301 @@
From 89470cb724edb9a3c9d31f6fb5c967fed73e38a1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:06 -0400
Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
Fold pkcs7_decrypt() and pkcs7_dataDecode() into a single function,
and make it output the plaintext rather than a BIO.
[ghudson@mit.edu: continued a modernization of pkcs7_dataDecode() into
a larger refactoring]
(cherry picked from commit 210356653a2f963ffe9a8a1b1627c64fb8ca7a3d)
---
.../preauth/pkinit/pkinit_crypto_openssl.c | 213 ++++++------------
1 file changed, 63 insertions(+), 150 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5ff81d8cf..8aa2c5257 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -81,12 +81,8 @@ static int openssl_callback (int, X509_STORE_CTX *);
static int openssl_callback_ignore_crls (int, X509_STORE_CTX *);
static int pkcs7_decrypt
-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7, BIO *bio);
-
-static BIO * pkcs7_dataDecode
-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7);
+(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7,
+ unsigned char **data_out, unsigned int *len_out);
static ASN1_OBJECT * pkinit_pkcs7type2oid
(pkinit_plg_crypto_context plg_cryptoctx, int pkcs7_type);
@@ -1964,9 +1960,6 @@ cms_envelopeddata_verify(krb5_context context,
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
PKCS7 *p7 = NULL;
- BIO *out = NULL;
- int i = 0;
- unsigned int size = 0;
const unsigned char *p = enveloped_data;
unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0;
unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL;
@@ -1991,26 +1984,13 @@ cms_envelopeddata_verify(krb5_context context,
}
/* decrypt received PKCS7 message */
- out = BIO_new(BIO_s_mem());
- if (pkcs7_decrypt(context, id_cryptoctx, p7, out)) {
+ if (pkcs7_decrypt(context, id_cryptoctx, p7, &tmp_buf, &tmp_buf_len)) {
pkiDebug("PKCS7 decryption successful\n");
} else {
retval = oerr(context, 0, _("Failed to decrypt PKCS7 message"));
goto cleanup;
}
- /* transfer the decoded PKCS7 SignedData message into a separate buffer */
- for (;;) {
- if ((tmp_buf = realloc(tmp_buf, size + 1024 * 10)) == NULL)
- goto cleanup;
- i = BIO_read(out, &(tmp_buf[size]), 1024 * 10);
- if (i <= 0)
- break;
- else
- size += i;
- }
- tmp_buf_len = size;
-
#ifdef DEBUG_ASN1
print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack");
#endif
@@ -2072,8 +2052,6 @@ cleanup:
if (p7 != NULL)
PKCS7_free(p7);
- if (out != NULL)
- BIO_free(out);
free(tmp_buf);
free(tmp_buf2);
@@ -5714,39 +5692,6 @@ cleanup:
return retval;
}
-static int
-pkcs7_decrypt(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7,
- BIO *data)
-{
- BIO *tmpmem = NULL;
- int retval = 0, i = 0;
- char buf[4096];
-
- if(p7 == NULL)
- return 0;
-
- if(!PKCS7_type_is_enveloped(p7)) {
- pkiDebug("wrong pkcs7 content type\n");
- return 0;
- }
-
- if(!(tmpmem = pkcs7_dataDecode(context, id_cryptoctx, p7))) {
- pkiDebug("unable to decrypt pkcs7 object\n");
- return 0;
- }
-
- for(;;) {
- i = BIO_read(tmpmem, buf, sizeof(buf));
- if (i <= 0) break;
- BIO_write(data, buf, i);
- BIO_free_all(tmpmem);
- return 1;
- }
- return retval;
-}
-
krb5_error_code
pkinit_process_td_trusted_certifiers(
krb5_context context,
@@ -5827,118 +5772,86 @@ cleanup:
return retval;
}
-static BIO *
-pkcs7_dataDecode(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7)
+/* Originally based on OpenSSL's PKCS7_dataDecode(), now modified to remove the
+ * use of BIO objects and to fit the PKINIT internal interfaces. */
+static int
+pkcs7_decrypt(krb5_context context,
+ pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7,
+ unsigned char **data_out, unsigned int *len_out)
{
- unsigned int eklen=0, tkeylen=0;
- BIO *out=NULL,*etmp=NULL,*bio=NULL;
- unsigned char *ek=NULL, *tkey=NULL;
- ASN1_OCTET_STRING *data_body=NULL;
- const EVP_CIPHER *evp_cipher=NULL;
- EVP_CIPHER_CTX *evp_ctx=NULL;
- X509_ALGOR *enc_alg=NULL;
- STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
- PKCS7_RECIP_INFO *ri=NULL;
+ krb5_error_code ret;
+ int ok = 0, plaintext_len = 0, final_len;
+ unsigned int keylen = 0, eklen = 0, blocksize;
+ unsigned char *ek = NULL, *tkey = NULL, *plaintext = NULL, *use_key;
+ ASN1_OCTET_STRING *data_body = p7->d.enveloped->enc_data->enc_data;
+ const EVP_CIPHER *evp_cipher;
+ EVP_CIPHER_CTX *evp_ctx = NULL;
+ X509_ALGOR *enc_alg = p7->d.enveloped->enc_data->algorithm;
+ STACK_OF(PKCS7_RECIP_INFO) *rsk = p7->d.enveloped->recipientinfo;
+ PKCS7_RECIP_INFO *ri = NULL;
- p7->state=PKCS7_S_HEADER;
+ *data_out = NULL;
+ *len_out = 0;
- rsk=p7->d.enveloped->recipientinfo;
- enc_alg=p7->d.enveloped->enc_data->algorithm;
- data_body=p7->d.enveloped->enc_data->enc_data;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
- if (evp_cipher == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
- goto cleanup;
- }
-
- if ((etmp=BIO_new(BIO_f_cipher())) == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
- goto cleanup;
- }
-
- /* It was encrypted, we need to decrypt the secret key
- * with the private key */
+ p7->state = PKCS7_S_HEADER;
/* RFC 4556 section 3.2.3.2 requires that there be exactly one
* recipientInfo. */
if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) {
pkiDebug("invalid number of EnvelopedData RecipientInfos\n");
- goto cleanup;
+ return 0;
}
-
ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
- (void)pkinit_decode_data(context, id_cryptoctx,
- ASN1_STRING_get0_data(ri->enc_key),
- ASN1_STRING_length(ri->enc_key), &ek, &eklen);
- evp_ctx=NULL;
- BIO_get_cipher_ctx(etmp,&evp_ctx);
- if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0)
+ evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
+ if (evp_cipher == NULL)
goto cleanup;
- if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
+ keylen = EVP_CIPHER_key_length(evp_cipher);
+ blocksize = EVP_CIPHER_block_size(evp_cipher);
+
+ evp_ctx = EVP_CIPHER_CTX_new();
+ if (evp_ctx == NULL)
+ goto cleanup;
+ if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL) ||
+ EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0)
goto cleanup;
/* Generate a random symmetric key to avoid exposing timing data if RSA
* decryption fails the padding check. */
- tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
- tkey = OPENSSL_malloc(tkeylen);
- if (tkey == NULL)
- goto cleanup;
- if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
- goto cleanup;
- if (ek == NULL) {
- ek = tkey;
- eklen = tkeylen;
- tkey = NULL;
- }
-
- if (eklen != (unsigned)EVP_CIPHER_CTX_key_length(evp_ctx)) {
- /* Some S/MIME clients don't use the same key
- * and effective key length. The key length is
- * determined by the size of the decrypted RSA key.
- */
- if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, (int)eklen)) {
- ek = tkey;
- eklen = tkeylen;
- tkey = NULL;
- }
- }
- if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0)
+ tkey = malloc(keylen);
+ if (tkey == NULL || !EVP_CIPHER_CTX_rand_key(evp_ctx, tkey))
goto cleanup;
- if (out == NULL)
- out=etmp;
- else
- BIO_push(out,etmp);
- etmp=NULL;
+ /* Decrypt the secret key with the private key. */
+ ret = pkinit_decode_data(context, id_cryptoctx,
+ ASN1_STRING_get0_data(ri->enc_key),
+ ASN1_STRING_length(ri->enc_key), &ek, &eklen);
+ use_key = (ret || eklen != keylen) ? tkey : ek;
- if (data_body->length > 0)
- bio = BIO_new_mem_buf(data_body->data, data_body->length);
- else {
- bio=BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(bio,0);
- }
- BIO_push(out,bio);
- bio=NULL;
+ /* Allocate a plaintext buffer and decrypt data_body into it. */
+ plaintext = malloc(data_body->length + blocksize);
+ if (plaintext == NULL)
+ goto cleanup;
+ if (!EVP_DecryptInit(evp_ctx, NULL, use_key, NULL))
+ goto cleanup;
+ if (!EVP_DecryptUpdate(evp_ctx, plaintext, &plaintext_len,
+ data_body->data, data_body->length))
+ goto cleanup;
+ if (!EVP_DecryptFinal(evp_ctx, plaintext + plaintext_len, &final_len))
+ goto cleanup;
+ plaintext_len += final_len;
- if (0) {
- cleanup:
- if (out != NULL) BIO_free_all(out);
- if (etmp != NULL) BIO_free_all(etmp);
- if (bio != NULL) BIO_free_all(bio);
- out=NULL;
- }
- if (ek != NULL) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- }
- if (tkey != NULL) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- }
- return(out);
+ *len_out = plaintext_len;
+ *data_out = plaintext;
+ plaintext = NULL;
+ ok = 1;
+
+cleanup:
+ EVP_CIPHER_CTX_free(evp_ctx);
+ zapfree(plaintext, plaintext_len);
+ zapfree(ek, eklen);
+ zapfree(tkey, keylen);
+ return ok;
}
#ifdef DEBUG_DH

2
Use-secure_getenv-where-appropriate.patch
View File

@ -1,4 +1,4 @@
From 8987708dbafbb7d3eb743f06d9fbef40a04275e3 Mon Sep 17 00:00:00 2001
From ec428980300c85ba2c4b220174c2c05447cf4bd8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 24 Apr 2019 16:19:50 -0400
Subject: [PATCH] Use secure_getenv() where appropriate

42
krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch
View File

@ -1,42 +0,0 @@
From e039796a0fbefac03a3fd888aef7d192e7c1437e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 1 Apr 2019 13:13:09 -0400
Subject: [PATCH] krb5-1.17 FIPS-aware SPAKE group negotiation
---
src/plugins/preauth/spake/groups.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
+++ b/src/plugins/preauth/spake/groups.c
@@ -56,6 +56,8 @@
#include "trace.h"
#include "groups.h"
+#include <openssl/crypto.h>
+
#define DEFAULT_GROUPS_CLIENT "edwards25519"
#define DEFAULT_GROUPS_KDC ""
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
{
size_t i;
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
+ return NULL;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (groupdefs[i]->reg->id == group)
return groupdefs[i];
@@ -116,6 +121,9 @@ find_gnum(const char *name)
{
size_t i;
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
+ return 0;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
return groupdefs[i]->reg->id;

40
krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch
View File

@ -1,40 +0,0 @@
From e307112cfcc52474d07eac890825303655ef8b6f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 4 Jan 2019 17:00:15 -0500
Subject: [PATCH] krb5-1.17 Use openssl's PRNG in FIPS mode
---
src/lib/crypto/krb/prng.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -26,6 +26,8 @@
#include "crypto_int.h"
+#include <openssl/rand.h>
+
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data)
{
@@ -99,9 +101,16 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
-#if defined(__linux__) && defined(SYS_getrandom)
int r;
+ /* A wild FIPS mode appeared! */
+ if (FIPS_mode()) {
+ /* The return codes on this API are not good */
+ r = RAND_bytes(buf, len);
+ return r == 1;
+ }
+
+#if defined(__linux__) && defined(SYS_getrandom)
while (len > 0) {
/*
* Pull from the /dev/urandom pool, but require it to have been seeded.

99
krb5-1.17-Become-FIPS-aware.patch → krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
View File

@ -1,7 +1,10 @@
From 15c0aec4315cc5cfae864b179848f043e2b100c6 Mon Sep 17 00:00:00 2001
From dff44c20d9d9ed6a3e71888406b2913d9309e738 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17 Become FIPS-aware
Subject: [PATCH] krb5-1.17post1 FIPS with PRNG and SPAKE
NB: Use openssl's PRNG in FIPS mode, and be aware during SPAKE group
negotiation.
A lot of the FIPS error conditions from OpenSSL are incredibly
mysterious (at best, things return NULL unexpectedly; at worst,
@ -10,17 +13,50 @@ ENOMEM). In order to cope with this, we need to have some level of
awareness of what we can and can't safely call.
This will slow down some calls slightly (FIPS_mode() takes multiple
locks), but not for any crypto we care about - which is to say that
AES is fine.
locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about the SPAKE groups though.
---
src/lib/crypto/krb/prng.c | 11 ++++++++++-
src/lib/crypto/openssl/enc_provider/camellia.c | 6 ++++++
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++++++++++++-
src/lib/crypto/openssl/hash_provider/hash_evp.c | 4 ++++
src/lib/crypto/openssl/hmac.c | 6 +++++-
6 files changed, 42 insertions(+), 2 deletions(-)
src/plugins/preauth/spake/groups.c | 8 ++++++++
8 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -26,6 +26,8 @@
#include "crypto_int.h"
+#include <openssl/rand.h>
+
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data)
{
@@ -99,9 +101,16 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
-#if defined(__linux__) && defined(SYS_getrandom)
int r;
+ /* A wild FIPS mode appeared! */
+ if (FIPS_mode()) {
+ /* The return codes on this API are not good */
+ r = RAND_bytes(buf, len);
+ return r == 1;
+ }
+
+#if defined(__linux__) && defined(SYS_getrandom)
while (len > 0) {
/*
* Pull from the /dev/urandom pool, but require it to have been seeded.
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
index 2da691329..f79679a0b 100644
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
@ -104,30 +140,30 @@ index 1c439c2cd..8be555a8d 100644
if (ret != 0 || empty)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index 7f3c086ed..a3f2a7442 100644
index a65d57b7a..6ccaca94a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL;
arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (struct arcfour_state *) state->data;
- struct arcfour_state *arcstate = (void *)state->data;
+ struct arcfour_state *arcstate;
+
+ if (FIPS_mode())
+ return;
+
+ arcstate = (struct arcfour_state *) state->data;
+ arcstate = (void *) state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@ -138,9 +174,9 @@ index 7f3c086ed..a3f2a7442 100644
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
/* Create a state structure with an uninitialized context. */
arcstate = calloc(1, sizeof(*arcstate));
if (arcstate == NULL)
/*
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 957ed8d9c..8c1fd7f59 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
@ -163,7 +199,7 @@ index 957ed8d9c..8c1fd7f59 100644
}
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index b2db6ec02..d94d9ac94 100644
index 7dc59dcc0..769a50c00 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
@ -179,3 +215,36 @@ index b2db6ec02..d94d9ac94 100644
return EVP_md5();
else if (!strncmp(hash->hash_name, "MD4", 3))
return EVP_md4();
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
+++ b/src/plugins/preauth/spake/groups.c
@@ -56,6 +56,8 @@
#include "trace.h"
#include "groups.h"
+#include <openssl/crypto.h>
+
#define DEFAULT_GROUPS_CLIENT "edwards25519"
#define DEFAULT_GROUPS_KDC ""
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
{
size_t i;
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
+ return NULL;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (groupdefs[i]->reg->id == group)
return groupdefs[i];
@@ -116,6 +121,9 @@ find_gnum(const char *name)
{
size_t i;
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
+ return 0;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
return groupdefs[i]->reg->id;

17
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 17%{?dist}
Release: 18%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -62,7 +62,6 @@ Patch36: krb5-1.11-kpasswdtest.patch
Patch37: krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch
Patch90: Add-tests-for-KCM-ccache-type.patch
Patch92: Address-some-optimized-out-memset-calls.patch
Patch93: krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch
Patch94: Avoid-allocating-a-register-in-zap-assembly.patch
Patch95: In-rd_req_dec-always-log-non-permitted-enctypes.patch
Patch96: In-kpropd-debug-log-proper-ticket-enctype-names.patch
@ -71,8 +70,6 @@ Patch98: Make-etype-names-in-KDC-logs-human-readable.patch
Patch99: Mark-deprecated-enctypes-when-used.patch
Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch
Patch101: Fix-memory-leak-in-none-replay-cache-type.patch
Patch102: krb5-1.17-Become-FIPS-aware.patch
Patch103: krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch
Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch
Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch
Patch106: Remove-srvtab-support.patch
@ -88,6 +85,15 @@ Patch115: Check-more-errors-in-OpenSSL-crypto-backend.patch
Patch116: Clear-forwardable-flag-instead-of-denying-request.patch
Patch117: Add-dns_canonicalize_hostname-fallback-support.patch
Patch118: Use-secure_getenv-where-appropriate.patch
Patch119: Initialize-some-data-structure-magic-fields.patch
Patch120: Fix-some-return-code-handling-bugs.patch
Patch121: Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
Patch122: Simplify-SAM-2-as_key-handling.patch
Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
Patch125: Improve-error-messages-from-kadmin-change_password.patch
Patch126: Remove-more-dead-code.patch
Patch127: krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -694,6 +700,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri May 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-18
- Pull in 2019-05-02 static analysis updates
* Fri May 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-17
- Move krb5-kdb-version provide into krb5-server for freeipa