diff --git a/.gitignore b/.gitignore index 7fa0027..7db6eaa 100644 --- a/.gitignore +++ b/.gitignore @@ -202,3 +202,5 @@ /krb5-1.19.2.tar.gz.asc /krb5-1.20.1.tar.gz /krb5-1.20.1.tar.gz.asc +/krb5-1.21.tar.gz +/krb5-1.21.tar.gz.asc diff --git a/0001-downstream-ksu-pam-integration.patch b/0001-downstream-ksu-pam-integration.patch index 2b737c0..d33704a 100644 --- a/0001-downstream-ksu-pam-integration.patch +++ b/0001-downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001 +From 67c82a09c6c53713c281045cd55de2720cd06907 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -30,7 +30,7 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 9920476f91..bf9da35bbc 100644 +index 3d66a876b3..ce3c5a9bac 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then @@ -760,10 +760,10 @@ index 0000000000..0ab76569cb +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index f03028b5fd..aa970b0447 100644 +index 77be7a2025..587221936e 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -773,5 +773,5 @@ index f03028b5fd..aa970b0447 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.38.1 +2.40.1 diff --git a/0002-downstream-SELinux-integration.patch b/0002-downstream-SELinux-integration.patch index 4271d66..840c2a3 100644 --- a/0002-downstream-SELinux-integration.patch +++ b/0002-downstream-SELinux-integration.patch @@ -1,4 +1,4 @@ -From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001 +From dfbac76ab7bb7e6e2c3171eefcaa93573e6b630e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1 create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index bf9da35bbc..01283f482e 100644 +index ce3c5a9bac..3331970930 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -133,10 +133,10 @@ index bf9da35bbc..01283f482e 100644 +AC_SUBST(SELINUX_LIBS) +])dnl diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index dead0dddce..fef3e054fc 100755 +index 8e6eb86601..7677f37359 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' +@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' DEFCKTNAME='@DEFCKTNAME@' @@ -144,7 +144,7 @@ index dead0dddce..fef3e054fc 100755 LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -254,7 +255,7 @@ if test -n "$do_libs"; then +@@ -253,7 +254,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static @@ -175,10 +175,10 @@ index a0c60c70b3..7eaa2f351c 100644 GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! diff --git a/src/configure.ac b/src/configure.ac -index aa970b0447..40545f2bfc 100644 +index 587221936e..69be9030f8 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -188,7 +188,7 @@ index aa970b0447..40545f2bfc 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 44dc1eeb3f..c3aecba7d4 100644 +index 2f7791b775..9c534faa8a 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -238,7 +238,7 @@ index 0000000000..dfaaa847cb +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c0194c3c94..7e1dea2cbf 100644 +index 9c76780181..dd6430ece8 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -290,10 +290,10 @@ index a89b5144f6..4d6cc0bdf9 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 38b9299066..085afc9220 100644 +index bfdfef5c48..b43fe9a082 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -848,7 +848,7 @@ write_pid_file(const char *path) +@@ -844,7 +844,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -303,7 +303,7 @@ index 38b9299066..085afc9220 100644 return errno; pid = (unsigned long) getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index f2341d720f..ffdac9f397 100644 +index aa3c81ea30..cb9785aaeb 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c @@ -488,6 +488,9 @@ doit(int fd) @@ -333,10 +333,10 @@ index f2341d720f..ffdac9f397 100644 KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2a..9aec3c05e8 100644 +index e14da53790..b879a4049b 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c -@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do +@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -345,7 +345,7 @@ index c6885edf2a..9aec3c05e8 100644 S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -439,10 +439,10 @@ index e510211fc5..f3ea28c8ec 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 3369fc4ba6..95f82cda03 100644 +index 4cbbbb270a..c4058ddc96 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -452,7 +452,7 @@ index 3369fc4ba6..95f82cda03 100644 free(fd); return errno; diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b0..2b9d01921d 100644 +index 9a506e9d44..f92ab47143 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -1034,5 +1034,5 @@ index 0000000000..807d039da3 + +#endif /* USE_SELINUX */ -- -2.38.1 +2.40.1 diff --git a/0003-downstream-fix-debuginfo-with-y.tab.c.patch b/0003-downstream-fix-debuginfo-with-y.tab.c.patch index 3c58cc1..40361ac 100644 --- a/0003-downstream-fix-debuginfo-with-y.tab.c.patch +++ b/0003-downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001 +From a9c463ed5988c860ebb18de212d6c56da1cb1169 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c @@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.38.1 +2.40.1 diff --git a/0004-downstream-Remove-3des-support.patch b/0004-downstream-Remove-3des-support.patch index 4ec3a0f..f7b5134 100644 --- a/0004-downstream-Remove-3des-support.patch +++ b/0004-downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001 +From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -32,7 +32,7 @@ Last-updated: 1.20-final src/include/krb5/krb5.hin | 10 +- src/kdc/kdc_util.c | 4 - src/lib/crypto/Makefile.in | 8 +- - src/lib/crypto/builtin/Makefile.in | 6 +- + src/lib/crypto/builtin/Makefile.in | 4 +- src/lib/crypto/builtin/des/ISSUES | 13 - src/lib/crypto/builtin/des/Makefile.in | 82 ---- src/lib/crypto/builtin/des/d3_aead.c | 137 ------ @@ -74,7 +74,7 @@ Last-updated: 1.20-final src/lib/crypto/krb/prf_des.c | 47 --- src/lib/crypto/krb/random_to_key.c | 28 -- src/lib/crypto/libk5crypto.exports | 1 - - src/lib/crypto/openssl/Makefile.in | 8 +- + src/lib/crypto/openssl/Makefile.in | 4 +- src/lib/crypto/openssl/des/Makefile.in | 20 - src/lib/crypto/openssl/des/deps | 14 - src/lib/crypto/openssl/des/des_keys.c | 39 -- @@ -98,18 +98,19 @@ Last-updated: 1.20-final src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +- src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 -- src/plugins/preauth/spake/t_vectors.c | 25 -- - src/tests/gssapi/t_enctypes.py | 33 +- + src/tests/gssapi/t_enctypes.py | 34 +- src/tests/gssapi/t_invalid.c | 12 - src/tests/gssapi/t_pcontok.c | 16 +- src/tests/gssapi/t_prf.c | 7 - src/tests/t_authdata.py | 2 +- - src/tests/t_etype_info.py | 18 +- + src/tests/t_etype_info.py | 20 +- src/tests/t_keyrollover.py | 8 +- src/tests/t_mkey.py | 35 -- src/tests/t_salt.py | 5 +- + src/tests/t_sesskeynego.py | 8 - src/util/k5test.py | 7 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 89 files changed, 151 insertions(+), 4713 deletions(-) + 90 files changed, 149 insertions(+), 4720 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -199,10 +200,10 @@ index 74a0a2acef..846c58ed82 100644 While **aes128-cts** and **aes256-cts** are supported for all Kerberos diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst -index 694922c0d9..c4d5499d3b 100644 +index dce19ad43e..2b4ed7da0b 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst -@@ -129,7 +129,7 @@ enctype weak? krb5 Windows +@@ -146,7 +146,7 @@ enctype weak? krb5 Windows des-cbc-crc weak <1.18 >=2000 des-cbc-md4 weak <1.18 ? des-cbc-md5 weak <1.18 >=2000 @@ -211,7 +212,7 @@ index 694922c0d9..c4d5499d3b 100644 arcfour-hmac deprecated >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000 aes128-cts-hmac-sha1-96 >=1.3 >=Vista -@@ -148,9 +148,11 @@ default. +@@ -165,9 +165,11 @@ default. krb5 releases 1.17 and later flag deprecated encryption types (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and kadmin output. krb5 release 1.19 issues a warning during initial @@ -247,7 +248,7 @@ index ade5e1f87a..e4dc54f7e5 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index a0d4f26701..5f34dea5e8 100644 +index 45fe160d7f..b4b1f3bd93 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -259,10 +260,10 @@ index a0d4f26701..5f34dea5e8 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index fa0eb80f1f..12168fa695 100644 +index cd76f5999f..1e1cfce80c 100644 --- a/doc/conf.py +++ b/doc/conf.py -@@ -278,7 +278,7 @@ else: +@@ -281,7 +281,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` @@ -272,7 +273,7 @@ index fa0eb80f1f..12168fa695 100644 .. |copy| unicode:: U+000A9 ''' diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index ca2d6ef117..100c64a1c1 100644 +index 10effcf175..cad0855724 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -307,10 +308,10 @@ index 8f14e9bf2c..ba3bb18eec 100644 ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) diff --git a/src/configure.ac b/src/configure.ac -index 40545f2bfc..8dc864718d 100644 +index 69be9030f8..2561e917a2 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(. +@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(. lib lib/kdb lib/crypto lib/crypto/krb lib/crypto/crypto_tests @@ -326,7 +327,7 @@ index 40545f2bfc..8dc864718d 100644 lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 7e1dea2cbf..fb9f2a366c 100644 +index dd6430ece8..350bcf86f2 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -362,10 +363,10 @@ index 7e1dea2cbf..fb9f2a366c 100644 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 9f2a67d189..b7a9aa4992 100644 +index e54cc751f9..ea10e23a95 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c -@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; @@ -374,7 +375,7 @@ index 9f2a67d189..b7a9aa4992 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1704,8 +1702,6 @@ krb5_boolean +@@ -1657,8 +1655,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -414,7 +415,7 @@ index 10e8c74cf8..25c4f40cc3 100644 all-unix: all-liblinks install-unix: install-libs diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in -index daf19da195..c9e967c807 100644 +index 243bb17ba3..30bfcd30c0 100644 --- a/src/lib/crypto/builtin/Makefile.in +++ b/src/lib/crypto/builtin/Makefile.in @@ -1,6 +1,6 @@ @@ -429,15 +430,6 @@ index daf19da195..c9e967c807 100644 $(srcdir)/kdf.c \ $(srcdir)/pbkdf2.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ -@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ - camellia/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ @@ -4862,7 +4854,7 @@ index 052f4d4b51..d8ffa63304 100644 krb5int_camellia_encrypt krb5int_cmac_checksum diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in -index 08de047d0a..88f7fd0a09 100644 +index cf11f6847b..8e4cdb8bbf 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -1,6 +1,6 @@ @@ -4873,32 +4865,15 @@ index 08de047d0a..88f7fd0a09 100644 LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) STLIBOBJS=\ -@@ -24,14 +24,14 @@ SRCS=\ +@@ -24,7 +24,7 @@ SRCS=\ $(srcdir)/pbkdf2.c \ $(srcdir)/sha256.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ - aes/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ enc_provider/OBJS.ST \ hash_provider/OBJS.ST \ -@@ -42,7 +42,7 @@ includes: depend - - depend: $(SRCS) - --clean-unix:: clean-libobjs -+clean-unix:: clean-libobjsn - - @lib_frag@ - @libobj_frag@ diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in deleted file mode 100644 index a6cece1dd1..0000000000 @@ -5244,10 +5219,10 @@ index 41e845eae0..5a43c3d9eb 100644 } diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index d4e90793f9..1bc807172b 100644 +index b35e11bfb6..d7c2ad321e 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle, +@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle, } switch (negotiated_etype) { @@ -5256,7 +5231,7 @@ index d4e90793f9..1bc807172b 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index a4446530fc..88d41130a7 100644 +index 7364607198..5aeb69aebc 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -125,14 +125,14 @@ enum sgn_alg { @@ -5286,10 +5261,10 @@ index a4446530fc..88d41130a7 100644 }; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c -index d1cdce486f..7f7146a0a2 100644 +index 99275be53a..0e5d10b115 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c -@@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context, +@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ @@ -5315,7 +5290,7 @@ index d1cdce486f..7f7146a0a2 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); if (code) { -@@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context, +@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context, gssalloc_free(t); return(code); } @@ -5327,22 +5302,22 @@ index d1cdce486f..7f7146a0a2 100644 - */ - if (md5cksum.length != cksum_size) - abort (); -- memcpy (ptr+14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy (ptr+14, md5cksum.contents, cksum_size); +- memcpy(checksum, md5cksum.contents, cksum_size); - break; - } + -+ memcpy (ptr+14, md5cksum.contents, cksum_size); ++ memcpy(checksum, md5cksum.contents, cksum_size); krb5_free_checksum_contents(context, &md5cksum); diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c -index 9bb2ee1099..9147bb2c78 100644 +index 7bf7609a48..d5e12cb436 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c -@@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context, +@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ /* initialize the checksum */ @@ -5366,20 +5341,20 @@ index 9bb2ee1099..9147bb2c78 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen); if (code != 0) -@@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context, +@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context, if (code != 0) goto cleanup; - switch (ctx->signalg) { - case SGN_ALG_HMAC_SHA1_DES3_KD: - assert(md5cksum.length == ctx->cksum_size); -- memcpy(ptr + 14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); +- memcpy(checksum, md5cksum.contents, ctx->cksum_size); - break; - } -+ memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); ++ memcpy(checksum, md5cksum.contents, ctx->cksum_size); /* create the seq_num */ code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF, @@ -5618,7 +5593,7 @@ index 84f1949887..32150f5e34 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype, diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index 87b486c53f..2b5abcd817 100644 +index a6c2bbeb54..18290b764b 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -59,7 +59,6 @@ @@ -5629,7 +5604,7 @@ index 87b486c53f..2b5abcd817 100644 ENCTYPE_ARCFOUR_HMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, 0 -@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, +@@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, /* Set all enctypes in the default list. */ for (i = 0; default_list[i]; i++) mod_list(default_list[i], sel, weak, &list); @@ -5769,10 +5744,10 @@ index e3d2846315..586661bb7e 100644 #define CKK_CAST3 (0x17) #define CKK_CAST128 (0x18) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 94a1b22fb1..65f6210727 100644 +index e22798f668..9fa315d7a0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -376,11 +376,11 @@ krb5_error_code server_process_dh +@@ -370,11 +370,11 @@ krb5_error_code server_process_dh * krb5_algorithm_identifier */ krb5_error_code create_krb5_supportedCMSTypes @@ -5874,10 +5849,10 @@ index 2279202d3a..96b0307d78 100644 /* initial key, w, x, y, T, S, K */ "8846F7EAEE8FB117AD06BDD830B7586C", diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py -index 7494d7fcdb..2f95d89967 100755 +index f5f11842e2..1bb8c40b6b 100755 --- a/src/tests/gssapi/t_enctypes.py +++ b/src/tests/gssapi/t_enctypes.py -@@ -1,24 +1,17 @@ +@@ -1,25 +1,17 @@ from k5test import * -# Define some convenience abbreviations for enctypes we will see in @@ -5901,13 +5876,14 @@ index 7494d7fcdb..2f95d89967 100755 # These tests make assumptions about the default enctype lists, so set # them explicitly rather than relying on the library defaults. -supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' --conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', +- 'allow_des3': 'true', 'allow_rc4': 'true'}, +supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal' -+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'}, 'realms': {'$realm': {'supported_enctypes': supp}}} realm = K5Realm(krb5_conf=conf) shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) -@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts', +@@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts', test_err('acc aes128', None, 'aes128-cts', 'Encryption type aes256-cts-hmac-sha1-96 not permitted') @@ -5928,7 +5904,7 @@ index 7494d7fcdb..2f95d89967 100755 # subkey. test('upgrade noargs', None, None, tktenc=aes256, tktsession=d_rc4, -@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None, +@@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None, tktenc=aes256, tktsession=d_rc4, proto='cfx', isubkey=rc4, asubkey=aes128) @@ -6019,10 +5995,10 @@ index f71774cdc9..d1857c433f 100644 "3BB3AE288C12B3B9D06B208A4151B3B6", "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 97e2474bf8..47ea9e4b47 100644 +index bde1c36844..8fcd30db51 100644 --- a/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py -@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted']) +@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted']) # preferred krbtgt enctype changes. mark('#8139 regression test') realm.kinit(realm.user_princ, password('user'), ['-f']) @@ -6032,17 +6008,19 @@ index 97e2474bf8..47ea9e4b47 100644 realm.run(['./forward']) realm.run([kvno, realm.host_princ]) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index c982508d8b..96e90a69d2 100644 +index 38cf96ca8f..e82ff7ff07 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py -@@ -1,6 +1,6 @@ +@@ -1,7 +1,7 @@ from k5test import * -supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, +supported_enctypes = 'aes128-cts rc4-hmac' - conf = {'libdefaults': {'allow_weak_crypto': 'true'}, ++conf = {'libdefaults': {'allow_rc4': 'true'}, 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + @@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines): # With no newer enctypes in the request, PA-ETYPE-INFO2, # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one @@ -6081,7 +6059,7 @@ index c982508d8b..96e90a69d2 100644 # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED # error if the client does optimistic preauth. diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 2c825a6922..f29e0d5500 100755 +index e9840dfae8..583c2fa27e 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg) @@ -6181,24 +6159,50 @@ index 65084bbf35..55ca897459 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 5a213617b5..c7dba0ff5b 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -26,7 +26,6 @@ conf3 = {'libdefaults': { + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} + conf5 = {'libdefaults': {'allow_rc4': 'true'}} +-conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) + test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') + realm.stop() + +-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. +-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) +-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- + # 7: default config negotiates aes256-sha1 session key for RC4-only service. + realm = K5Realm(create_host=False, get_creds=False) + realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) diff --git a/src/util/k5test.py b/src/util/k5test.py -index 619f1995f8..771f82e3cc 100644 +index 8e5f5ba8e9..b953827018 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py -@@ -1344,13 +1344,6 @@ _passes = [ +@@ -1338,13 +1338,6 @@ _passes = [ # No special settings; exercises AES256. ('default', None, None, None), - # Exercise the DES3 enctype. - ('des3', None, -- {'libdefaults': {'permitted_enctypes': 'des3'}}, +- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, - {'realms': {'$realm': { - 'supported_enctypes': 'des3-cbc-sha1:normal', - 'master_key_type': 'des3-cbc-sha1'}}}), - # Exercise the arcfour enctype. ('arcfour', None, - {'libdefaults': {'permitted_enctypes': 'rc4'}}, + {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm index 1aebdd0b4a..c38eefd2bd 100644 --- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm @@ -6224,5 +6228,5 @@ index 1aebdd0b4a..c38eefd2bd 100644 The AES Advanced Encryption Standard family, like 3DES, is a symmetric block cipher and was designed -- -2.38.1 +2.40.1 diff --git a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index ecf661d..e575b79 100644 --- a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From 239cd24624b801d4fc4bb4686bef8526e7675d77 Mon Sep 17 00:00:00 2001 +From 53191fd3a1acfeefa8e5c26e7e9d130688daf745 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 @@ -41,10 +41,10 @@ Last-updated: krb5-1.20 15 files changed, 155 insertions(+), 33 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index d5d6e06ebb..2a4962069f 100644 +index ecdf917501..b78a3faf0a 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations: +@@ -342,6 +342,12 @@ The libdefaults section may contain any of the following relations: qualification of shortnames, set this relation to the empty string with ``qualify_shortname = ""``. (New in release 1.18.) @@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644 vt->name = "spake"; vt->pa_type_list = pa_types; -- -2.38.1 +2.40.1 diff --git a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch b/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch index b8e5429..68f10a0 100644 --- a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +++ b/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch @@ -1,8 +1,7 @@ -From 5587c755b6ca82bde093523e2d17b255158cd90e Mon Sep 17 00:00:00 2001 +From c19d0bd35cde40172118c67c38a44f164bce1e16 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 May 2022 17:15:12 +0200 -Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection - with FIPS +Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS libkrad allows to establish connections only to UNIX socket in FIPS mode, because MD5 digest is not considered safe enough to be used for @@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644 retval = ESOCKTNOSUPPORT; goto error; -- -2.38.1 +2.40.1 diff --git a/0007-Add-configure-variable-for-default-PKCS-11-module.patch b/0007-Add-configure-variable-for-default-PKCS-11-module.patch deleted file mode 100644 index 1445133..0000000 --- a/0007-Add-configure-variable-for-default-PKCS-11-module.patch +++ /dev/null @@ -1,201 +0,0 @@ -From 842b4c3b5695e2518e6f1a1545db78865c04b59c Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Fri, 22 Apr 2022 14:12:37 +0200 -Subject: [PATCH] Add configure variable for default PKCS#11 module - -[ghudson@mit.edu: added documentation of configure variable and doc -substitution; shortened commit message] - -ticket: 9058 (new) ---- - doc/admin/conf_files/krb5_conf.rst | 2 +- - doc/build/options2configure.rst | 3 +++ - doc/conf.py | 3 +++ - doc/mitK5defaults.rst | 25 +++++++++++++------------ - src/configure.ac | 8 ++++++++ - src/doc/Makefile.in | 2 ++ - src/man/Makefile.in | 4 +++- - src/man/krb5.conf.man | 2 +- - src/plugins/preauth/pkinit/pkinit.h | 1 - - 9 files changed, 34 insertions(+), 16 deletions(-) - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 2a4962069f..a33711d918 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -1017,7 +1017,7 @@ information for PKINIT is as follows: - All keyword/values are optional. *modname* specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the *modname*. If no -- module-name is specified, the default is ``opensc-pkcs11.so``. -+ module-name is specified, the default is |pkcs11_modname|. - ``slotid=`` and/or ``token=`` may be specified to force the use of - a particular smard card reader or token if there is more than one - available. ``certid=`` and/or ``certlabel=`` may be specified to -diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst -index 9e355dc2c5..e879b18bd2 100644 ---- a/doc/build/options2configure.rst -+++ b/doc/build/options2configure.rst -@@ -137,6 +137,9 @@ Environment variables - This option allows one to specify libraries to be passed to the - linker (e.g., ``-l``) - -+**PKCS11_MODNAME=**\ *library* -+ Override the built-in default PKCS11 library name. -+ - **SS_LIB=**\ *libs*... - If ``-lss`` is not the correct way to link in your installed ss - library, for example if additional support libraries are needed, -diff --git a/doc/conf.py b/doc/conf.py -index 12168fa695..0ab5ff9606 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -242,6 +242,7 @@ if 'mansubs' in tags: - ccache = '``@CCNAME@``' - keytab = '``@KTNAME@``' - ckeytab = '``@CKTNAME@``' -+ pkcs11_modname = '``@PKCS11MOD@``' - elif 'pathsubs' in tags: - # Read configured paths from a file produced by the build system. - exec(open("paths.py").read()) -@@ -255,6 +256,7 @@ else: - ccache = ':ref:`DEFCCNAME `' - keytab = ':ref:`DEFKTNAME `' - ckeytab = ':ref:`DEFCKTNAME `' -+ pkcs11_modname = ':ref:`PKCS11_MODNAME `' - - rst_epilog = '\n' - -@@ -275,6 +277,7 @@ else: - rst_epilog += '.. |ccache| replace:: %s\n' % ccache - rst_epilog += '.. |keytab| replace:: %s\n' % keytab - rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab -+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname - rst_epilog += ''' - .. |krb5conf| replace:: ``/etc/krb5.conf`` - .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` -diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst -index 74e69f4ad0..aea7af3dbb 100644 ---- a/doc/mitK5defaults.rst -+++ b/doc/mitK5defaults.rst -@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an - operating system, the paths are generally chosen to match the - operating system's filesystem layout. - --========================== ============= =========================== =========================== --Description Symbolic name Custom build path Typical OS path --========================== ============= =========================== =========================== --User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` --Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` --Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` --Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` --Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` --Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` --Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` --Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` --========================== ============= =========================== =========================== -+========================== ============== =========================== =========================== -+Description Symbolic name Custom build path Typical OS path -+========================== ============== =========================== =========================== -+User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` -+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` -+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` -+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` -+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` -+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` -+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` -+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` -+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` -+========================== ============== =========================== =========================== - - The default client keytab name (DEFCKTNAME) typically defaults to - ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom -diff --git a/src/configure.ac b/src/configure.ac -index 8dc864718d..9774cb71ae 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name]) - AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"], - [Define to default client keytab name]) - -+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name]) -+if test "${PKCS11_MODNAME+set}" != set; then -+ PKCS11_MODNAME=opensc-pkcs11.so -+fi -+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME]) -+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"], -+ [Default PKCS11 module name]) -+ - AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config]) - AC_CONFIG_FILES([build-tools/kadm-server.pc - build-tools/kadm-client.pc -diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index 379bc36511..a1b0cff0a4 100644 ---- a/src/doc/Makefile.in -+++ b/src/doc/Makefile.in -@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - RST_SOURCES= _static \ - _templates \ -@@ -118,6 +119,7 @@ paths.py: - echo 'ccache = "``$(DEFCCNAME)``"' >> $@ - echo 'keytab = "``$(DEFKTNAME)``"' >> $@ - echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@ -+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@ - - # Dummy rule that man/Makefile can invoke - version.py: $(docsrc)/version.py -diff --git a/src/man/Makefile.in b/src/man/Makefile.in -index 00b1b2de06..85cae0914e 100644 ---- a/src/man/Makefile.in -+++ b/src/man/Makefile.in -@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ - kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ -@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h - -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ - -e 's|@CCNAME@|$(DEFCCNAME)|g' \ - -e 's|@KTNAME@|$(DEFKTNAME)|g' \ -- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@ -+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \ -+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@ - - all: $(MANSUBS) - -diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man -index 51acb38815..fd2c6f2bc4 100644 ---- a/src/man/krb5.conf.man -+++ b/src/man/krb5.conf.man -@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key. - All keyword/values are optional. \fImodname\fP specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the \fImodname\fP\&. If no --module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. -+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&. - \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of - a particular smard card reader or token if there is more than one - available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to -diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h -index 8135535e2c..66f92d8f03 100644 ---- a/src/plugins/preauth/pkinit/pkinit.h -+++ b/src/plugins/preauth/pkinit/pkinit.h -@@ -42,7 +42,6 @@ - #ifndef WITHOUT_PKCS11 - #include "pkcs11.h" - --#define PKCS11_MODNAME "opensc-pkcs11.so" - #define PK_SIGLEN_GUESS 1000 - #define PK_NOSLOT 999999 - #endif --- -2.38.1 - diff --git a/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch similarity index 94% rename from 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch rename to 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch index 5840faa..f1c3ed6 100644 --- a/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +++ b/0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch @@ -1,4 +1,4 @@ -From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001 +From 0366e8b5b2f960cb8305fd95839376b6c18aae42 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 7 Dec 2022 13:22:42 +0100 Subject: [PATCH] [downstream] Make tests compatible with @@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644 fail('URI answers do not match') j += 1 -- -2.38.1 +2.40.1 diff --git a/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch b/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch deleted file mode 100644 index 3755c15..0000000 --- a/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 3fb8c4c68274d2ff4addb44b7b95b4698c2c4f34 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 1 Jun 2022 18:02:04 +0200 -Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT - -The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know -the algorithms it supports for verification of the CMS data signature. -(The MIT krb5 KDC currently ignores this list, but other -implementations use it.) - -Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption. - -[ghudson@mit.edu: simplified code and used appropriate helpers; edited -commit message] - -ticket: 9066 (new) ---- - src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++- - src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++ - .../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++--------- - 3 files changed, 60 insertions(+), 26 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c -index 652897fa14..1da482e0b4 100644 ---- a/src/plugins/preauth/pkinit/pkinit_constants.c -+++ b/src/plugins/preauth/pkinit/pkinit_constants.c -@@ -32,9 +32,14 @@ - - #include "pkinit.h" - --/* statically declare OID constants for all three algorithms */ --static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01}; -+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */ -+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */ - static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */ - static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 }; - - const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid }; -@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = { - NULL - }; - -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 11 */ -+static char sha256WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b -+}; -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 13 */ -+static char sha512WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d -+}; -+ -+const krb5_data sha256WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid -+}; -+const krb5_data sha512WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid -+}; -+ -+krb5_data const * const supported_cms_algs[] = { -+ &sha512WithRSAEncr_id, -+ &sha256WithRSAEncr_id, -+ NULL -+}; -+ - /* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as - * DomainParameters (RFC 3279 section 2.3.3). */ - static const uint8_t o1024[] = { -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 65f6210727..64300da856 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096; - */ - extern krb5_data const * const supported_kdf_alg_ids[]; - -+/* CMS signature algorithms supported by this implementation, in order of -+ * decreasing preference. */ -+extern krb5_data const * const supported_cms_algs[]; -+ - krb5_error_code - crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, - uint8_t **der_out, size_t *der_len); -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index d500455dec..1c2aa02827 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, -- krb5_algorithm_identifier ***oids) -+ krb5_algorithm_identifier ***algs_out) - { -+ krb5_error_code ret; -+ krb5_algorithm_identifier **algs = NULL; -+ size_t i, count; - -- krb5_error_code retval = ENOMEM; -- krb5_algorithm_identifier **loids = NULL; -- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; -+ *algs_out = NULL; - -- *oids = NULL; -- loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); -- if (loids == NULL) -- goto cleanup; -- loids[1] = NULL; -- loids[0] = malloc(sizeof(krb5_algorithm_identifier)); -- if (loids[0] == NULL) { -- free(loids); -- goto cleanup; -- } -- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); -- if (retval) { -- free(loids[0]); -- free(loids); -+ /* Count supported OIDs and allocate list (including null terminator). */ -+ for (count = 0; supported_cms_algs[count] != NULL; count++); -+ algs = k5calloc(count + 1, sizeof(*algs), &ret); -+ if (algs == NULL) - goto cleanup; -+ -+ /* Add an algorithm identifier for each OID, with no parameters. */ -+ for (i = 0; i < count; i++) { -+ algs[i] = k5alloc(sizeof(*algs[i]), &ret); -+ if (algs[i] == NULL) -+ goto cleanup; -+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i], -+ &algs[i]->algorithm); -+ if (ret) -+ goto cleanup; -+ algs[i]->parameters = empty_data(); - } -- loids[0]->parameters.length = 0; -- loids[0]->parameters.data = NULL; - -- *oids = loids; -- retval = 0; --cleanup: -+ *algs_out = algs; -+ algs = NULL; - -- return retval; -+cleanup: -+ free_krb5_algorithm_identifiers(&algs); -+ return ret; - } - - krb5_error_code --- -2.38.1 - diff --git a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0008-downstream-Include-missing-OpenSSL-FIPS-header.patch similarity index 98% rename from 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch rename to 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch index 24ba48a..43648a7 100644 --- a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch +++ b/0008-downstream-Include-missing-OpenSSL-FIPS-header.patch @@ -1,4 +1,4 @@ -From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001 +From a567b9de563cd8ad262f77cf97a8bc528a884745 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 Jan 2023 20:06:47 +0100 Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header @@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644 * The SPAKE kdcpreauth module uses a secure cookie containing the following * concatenated fields (all integer fields are big-endian): -- -2.38.1 +2.40.1 diff --git a/0009-Simplify-plugin-loading-code.patch b/0009-Simplify-plugin-loading-code.patch deleted file mode 100644 index 42802e5..0000000 --- a/0009-Simplify-plugin-loading-code.patch +++ /dev/null @@ -1,622 +0,0 @@ -From ffb47e4120d68aef015453350a3a50a9bab1ec58 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 23 Jun 2022 16:41:40 -0400 -Subject: [PATCH] Simplify plugin loading code - -Remove the USE_CFBUNDLE code, which was only used by KfM. Handle -platform conditionals according to current practice. Use -k5_dir_filenames() instead of opendir() and remove the Windows -implementation of opendir(). ---- - src/util/support/plugins.c | 507 +++++++++++-------------------------- - 1 file changed, 150 insertions(+), 357 deletions(-) - -diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c -index c6a9a21d57..0850565687 100644 ---- a/src/util/support/plugins.c -+++ b/src/util/support/plugins.c -@@ -29,16 +29,6 @@ - #if USE_DLOPEN - #include - #endif --#include --#ifdef HAVE_SYS_STAT_H --#include --#endif --#ifdef HAVE_SYS_PARAM_H --#include --#endif --#ifdef HAVE_UNISTD_H --#include --#endif - - #if USE_DLOPEN - #ifdef RTLD_GROUP -@@ -68,16 +58,6 @@ - #endif - #endif - --#if USE_DLOPEN && USE_CFBUNDLE --#include -- --/* Currently CoreFoundation only exists on the Mac so we just use -- * pthreads directly to avoid creating empty function calls on other -- * platforms. If a thread initializer ever gets created in the common -- * plugin code, move this there */ --static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER; --#endif -- - #include - static void Tprintf (const char *fmt, ...) - { -@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...) - } - - struct plugin_file_handle { --#if USE_DLOPEN -+#if defined(USE_DLOPEN) - void *dlhandle; --#endif --#ifdef _WIN32 -- HMODULE hinstPlugin; --#endif --#if !defined (USE_DLOPEN) && !defined (_WIN32) -+#elif defined(_WIN32) -+ HMODULE module; -+#else - char dummy; - #endif - }; - --#ifdef _WIN32 --struct dirent { -- long d_ino; /* inode (always 1 in WIN32) */ -- off_t d_off; /* offset to this dirent */ -- unsigned short d_reclen; /* length of d_name */ -- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */ --}; -- --typedef struct { -- intptr_t handle; /* _findfirst/_findnext handle */ -- short offset; /* offset into directory */ -- short finished; /* 1 if there are not more files */ -- struct _finddata_t fileinfo;/* from _findfirst/_findnext */ -- char *dir; /* the dir we are reading */ -- struct dirent dent; /* the dirent to return */ --} DIR; -+#if defined(USE_DLOPEN) - --DIR * opendir(const char *dir) -+static long -+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) - { -- DIR *dp; -- char *filespec; -- intptr_t handle; -- int index; -- -- filespec = malloc(strlen(dir) + 2 + 1); -- strcpy(filespec, dir); -- index = strlen(filespec) - 1; -- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\')) -- filespec[index] = '\0'; -- strcat(filespec, "/*"); -- -- dp = (DIR *)malloc(sizeof(DIR)); -- dp->offset = 0; -- dp->finished = 0; -- dp->dir = strdup(dir); -- -- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) { -- if (errno == ENOENT) -- dp->finished = 1; -- else { -- free(filespec); -- free(dp->dir); -- free(dp); -- return NULL; -- } -+ const char *e; -+ -+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS); -+ if (h->dlhandle == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlopen(%s): %s\n", filename, e); -+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"), -+ filename, e); -+ return ENOENT; - } -- -- dp->handle = handle; -- free(filespec); -- -- return dp; -+ return 0; - } -+#define open_plugin open_plugin_dlfcn - --struct dirent * readdir(DIR *dp) -+static long -+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- if (!dp || dp->finished) return NULL; -- -- if (dp->offset != 0) { -- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) { -- dp->finished = 1; -- return NULL; -- } -+ const char *e; -+ -+ if (h->dlhandle == NULL) -+ return ENOENT; -+ *sym_out = dlsym(h->dlhandle, csymname); -+ if (*sym_out == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlsym(%s): %s\n", csymname, e); -+ k5_set_error(ep, ENOENT, "%s", e); -+ return ENOENT; - } -- dp->offset++; -- -- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME); -- dp->dent.d_ino = 1; -- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name); -- dp->dent.d_off = dp->offset; -- -- return &(dp->dent); --} -- --int closedir(DIR *dp) --{ -- if (!dp) return 0; -- _findclose(dp->handle); -- free(dp->dir); -- free(dp); -- - return 0; - } --#endif -+#define get_sym get_sym_dlfcn - --long KRB5_CALLCONV --krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep) -+static void -+close_plugin_dlfcn(struct plugin_file_handle *h) - { -- long err = 0; -- struct plugin_file_handle *htmp = NULL; -- int got_plugin = 0; --#if defined(USE_CFBUNDLE) || defined(_WIN32) -- struct stat statbuf; -- -- if (!err) { -- if (stat (filepath, &statbuf) < 0) { -- err = errno; -- Tprintf ("stat(%s): %s\n", filepath, strerror (err)); -- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"), -- filepath, strerror(err)); -- } -- } --#endif -- -- if (!err) { -- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */ -- if (htmp == NULL) { err = ENOMEM; } -- } -- --#if USE_DLOPEN -- if (!err --#if USE_CFBUNDLE -- && ((statbuf.st_mode & S_IFMT) == S_IFREG -- || (statbuf.st_mode & S_IFMT) == S_IFDIR) --#endif /* USE_CFBUNDLE */ -- ) { -- void *handle = NULL; -- --#if USE_CFBUNDLE -- char executablepath[MAXPATHLEN]; -- -- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) { -- int lock_err = 0; -- CFStringRef pluginString = NULL; -- CFURLRef pluginURL = NULL; -- CFBundleRef pluginBundle = NULL; -- CFURLRef executableURL = NULL; -- -- /* Lock around CoreFoundation calls since objects are refcounted -- * and the refcounts are not thread-safe. Using pthreads directly -- * because this code is Mac-specific */ -- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex); -- if (lock_err) { err = lock_err; } -- -- if (!err) { -- pluginString = CFStringCreateWithCString (kCFAllocatorDefault, -- filepath, -- kCFStringEncodingASCII); -- if (pluginString == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault, -- pluginString, -- kCFURLPOSIXPathStyle, -- true); -- if (pluginURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL); -- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */ -- } -- -- if (!err) { -- executableURL = CFBundleCopyExecutableURL (pluginBundle); -- if (executableURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- if (!CFURLGetFileSystemRepresentation (executableURL, -- true, /* absolute */ -- (UInt8 *)executablepath, -- sizeof (executablepath))) { -- err = ENOMEM; -- } -- } -- -- if (!err) { -- /* override the path the caller passed in */ -- filepath = executablepath; -- } -- -- if (executableURL != NULL) { CFRelease (executableURL); } -- if (pluginBundle != NULL) { CFRelease (pluginBundle); } -- if (pluginURL != NULL) { CFRelease (pluginURL); } -- if (pluginString != NULL) { CFRelease (pluginString); } -- -- /* unlock after CFRelease calls since they modify refcounts */ -- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); } -- } --#endif /* USE_CFBUNDLE */ -- -- if (!err) { -- handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS); -- if (handle == NULL) { -- const char *e = dlerror(); -- if (e == NULL) -- e = _("unknown failure"); -- Tprintf ("dlopen(%s): %s\n", filepath, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"), -- filepath, e); -- } -- } -+ if (h->dlhandle != NULL) -+ dlclose(h->dlhandle); -+} -+#define close_plugin close_plugin_dlfcn - -- if (!err) { -- got_plugin = 1; -- htmp->dlhandle = handle; -- handle = NULL; -- } -+#elif defined(_WIN32) - -- if (handle != NULL) { dlclose (handle); } -+static long -+open_plugin_win32(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ h->module = LoadLibrary(filename); -+ if (h == NULL) { -+ Tprintf("Unable to load dll: %s\n", filename); -+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename); -+ return ENOENT; - } --#endif /* USE_DLOPEN */ -- --#ifdef _WIN32 -- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) { -- HMODULE handle = NULL; -+ return 0; -+} -+#define open_plugin open_plugin_win32 - -- handle = LoadLibrary(filepath); -- if (handle == NULL) { -- Tprintf ("Unable to load dll: %s\n", filepath); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath); -- } -+static long -+get_sym_win32(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) -+{ -+ LPVOID lpMsgBuf; -+ DWORD dw; - -- if (!err) { -- got_plugin = 1; -- htmp->hinstPlugin = handle; -- handle = NULL; -+ if (h->module == NULL) -+ return ENOENT; -+ *sym_out = GetProcAddress(h->module, csymname); -+ if (*sym_out == NULL) { -+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError()); -+ dw = GetLastError(); -+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -+ FORMAT_MESSAGE_FROM_SYSTEM, -+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -+ (LPTSTR)&lpMsgBuf, 0, NULL)) { -+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"), -+ (char *)lpMsgBuf); -+ LocalFree(lpMsgBuf); - } -- -- if (handle != NULL) -- FreeLibrary(handle); -- } --#endif -- -- if (!err && !got_plugin) { -- err = ENOENT; /* no plugin or no way to load plugins */ -- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err)); -+ return ENOENT; - } -+ return 0; -+} -+#define get_sym get_sym_win32 - -- if (!err) { -- *h = htmp; -- htmp = NULL; /* h takes ownership */ -- } -+static void -+close_plugin_win32(struct plugin_file_handle *h) -+{ -+ if (h->module != NULL) -+ FreeLibrary(h->module); -+} -+#define close_plugin close_plugin_win32 - -- free(htmp); -+#else - -- return err; -+static long -+open_plugin_dummy(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ k5_set_error(ep, ENOENT, _("plugin loading unavailable")); -+ return ENOENT; - } -+#define open_plugin open_plugin_dummy - - static long --krb5int_get_plugin_sym (struct plugin_file_handle *h, -- const char *csymname, int isfunc, void **ptr, -- struct errinfo *ep) -+get_sym_dummy(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- long err = 0; -- void *sym = NULL; -+ return ENOENT; -+} -+#define get_sym get_sym_dummy -+ -+static void -+close_plugin_dummy(struct plugin_file_handle *h) -+{ -+} -+#define close_plugin close_plugin_dummy - --#if USE_DLOPEN -- if (!err && !sym && (h->dlhandle != NULL)) { -- /* XXX Do we need to add a leading "_" to the symbol name on any -- modern platforms? */ -- sym = dlsym (h->dlhandle, csymname); -- if (sym == NULL) { -- const char *e = dlerror (); /* XXX copy and save away */ -- if (e == NULL) -- e = "unknown failure"; -- Tprintf ("dlsym(%s): %s\n", csymname, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- } -- } - #endif - --#ifdef _WIN32 -- LPVOID lpMsgBuf; -- DWORD dw; -+long KRB5_CALLCONV -+krb5int_open_plugin(const char *filename, -+ struct plugin_file_handle **handle_out, struct errinfo *ep) -+{ -+ long ret; -+ struct plugin_file_handle *h; - -- if (!err && !sym && (h->hinstPlugin != NULL)) { -- sym = GetProcAddress(h->hinstPlugin, csymname); -- if (sym == NULL) { -- const char *e = "unable to get dll symbol"; /* XXX copy and save away */ -- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError()); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- -- dw = GetLastError(); -- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -- FORMAT_MESSAGE_FROM_SYSTEM, -- NULL, -- dw, -- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -- (LPTSTR) &lpMsgBuf, -- 0, NULL )) { -- -- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf); -- LocalFree(lpMsgBuf); -- } -- } -- } --#endif -+ *handle_out = NULL; - -- if (!err && (sym == NULL)) { -- err = ENOENT; /* unimplemented */ -- } -+ h = calloc(1, sizeof(*h)); -+ if (h == NULL) -+ return ENOMEM; - -- if (!err) { -- *ptr = sym; -+ ret = open_plugin(h, filename, ep); -+ if (ret) { -+ free(h); -+ return ret; - } - -- return err; -+ *handle_out = h; -+ return 0; - } - - long KRB5_CALLCONV --krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname, -- void **ptr, struct errinfo *ep) -+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep); -+ return get_sym(h, csymname, sym_out, ep); - } - - long KRB5_CALLCONV --krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname, -- void (**ptr)(), struct errinfo *ep) -+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname, -+ void (**sym_out)(), struct errinfo *ep) - { - void *dptr = NULL; -- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep); -- if (!err) { -- /* Cast function pointers to avoid code duplication */ -- *ptr = (void (*)()) dptr; -- } -- return err; -+ long ret = get_sym(h, csymname, &dptr, ep); -+ -+ if (!ret) -+ *sym_out = (void (*)())dptr; -+ return ret; - } - - void KRB5_CALLCONV - krb5int_close_plugin (struct plugin_file_handle *h) - { --#if USE_DLOPEN -- if (h->dlhandle != NULL) { dlclose(h->dlhandle); } --#endif --#ifdef _WIN32 -- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); } --#endif -- free (h); -+ close_plugin(h); -+ free(h); - } - --/* autoconf docs suggest using this preference order */ --#if HAVE_DIRENT_H || USE_DIRENT_H --#include --#define NAMELEN(D) strlen((D)->d_name) --#else --#ifndef _WIN32 --#define dirent direct --#define NAMELEN(D) ((D)->d->namlen) --#else --#define NAMELEN(D) strlen((D)->d_name) --#endif --#if HAVE_SYS_NDIR_H --# include --#elif HAVE_SYS_DIR_H --# include --#elif HAVE_NDIR_H --# include --#endif --#endif -- - static long - krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray) - { -@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames, - if (handle != NULL) { krb5int_close_plugin (handle); } - } - } else { -- /* load all plugins in each directory */ -- DIR *dir = opendir (dirnames[i]); -+ char **fnames = NULL; -+ int j; - -- while (dir != NULL && !err) { -- struct dirent *d = NULL; -+ err = k5_dir_filenames(dirnames[i], &fnames); -+ for (j = 0; !err && fnames[j] != NULL; j++) { - char *filepath = NULL; - struct plugin_file_handle *handle = NULL; - -- d = readdir (dir); -- if (d == NULL) { break; } -- -- if ((strcmp (d->d_name, ".") == 0) || -- (strcmp (d->d_name, "..") == 0)) { -+ if (strcmp(fnames[j], ".") == 0 || -+ strcmp(fnames[j], "..") == 0) - continue; -- } - -- if (!err) { -- int len = NAMELEN (d); -- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) { -- filepath = NULL; -- err = ENOMEM; -- } -+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) { -+ filepath = NULL; -+ err = ENOMEM; - } - -- if (!err) { -- if (krb5int_open_plugin (filepath, &handle, ep) == 0) { -- err = krb5int_plugin_file_handle_array_add (&h, &count, handle); -- if (!err) { handle = NULL; } /* h takes ownership */ -- } -+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) { -+ err = krb5int_plugin_file_handle_array_add(&h, &count, -+ handle); -+ if (!err) -+ handle = NULL; /* h takes ownership */ - } - - free(filepath); -- if (handle != NULL) { krb5int_close_plugin (handle); } -+ if (handle != NULL) -+ krb5int_close_plugin(handle); - } - -- if (dir != NULL) { closedir (dir); } -+ k5_free_filenames(fnames); - } - } - --- -2.38.1 - diff --git a/0015-downstream-Do-not-set-root-as-ksu-file-owner.patch b/0009-downstream-Do-not-set-root-as-ksu-file-owner.patch similarity index 93% rename from 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch rename to 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch index 5c53868..0dd8834 100644 --- a/0015-downstream-Do-not-set-root-as-ksu-file-owner.patch +++ b/0009-downstream-Do-not-set-root-as-ksu-file-owner.patch @@ -1,4 +1,4 @@ -From 59d3ecdab7210e87ec475f4ae0d64888d5416b29 Mon Sep 17 00:00:00 2001 +From 6adfd97a3558aae4ace346685266bac9dae8bba9 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Mon, 9 Jan 2023 22:39:52 +0100 Subject: [PATCH] [downstream] Do not set root as ksu file owner @@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644 ## ${prefix}. prefix=@prefix@ -- -2.38.1 +2.40.1 diff --git a/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch b/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch deleted file mode 100644 index 0fbd529..0000000 --- a/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 963314f4f449e136195232bdada3109af65d0881 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Thu, 28 Jul 2022 15:20:12 +0200 -Subject: [PATCH] Update error checking for OpenSSL CMS_verify - -The code for CMS data verification was initially written for OpenSSL's -PKCS7_verify() function. It now uses CMS_verify(), but error handling -is still done using PKCS7_verify() error identifiers. Update the -recognized error codes so that the KDC generates -KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate. -Use ERR_peek_last_error() to observe the error generated closest to -the API surface. - -[ghudson@mit.edu: edited commit message] - -ticket: 9069 (new) -tags: pullup -target_version: 1.20-next ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 1c2aa02827..16edf15cb2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context, - goto cleanup; - out = BIO_new(BIO_s_mem()); - if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { -- unsigned long err = ERR_peek_error(); -+ unsigned long err = ERR_peek_last_error(); - switch(ERR_GET_REASON(err)) { -- case PKCS7_R_DIGEST_FAILURE: -+ case RSA_R_DIGEST_NOT_ALLOWED: -+ case CMS_R_UNKNOWN_DIGEST_ALGORITHM: -+ case CMS_R_NO_MATCHING_DIGEST: -+ case CMS_R_NO_MATCHING_SIGNATURE: - retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; - break; -- case PKCS7_R_SIGNATURE_FAILURE: -+ case CMS_R_VERIFICATION_FAILURE: - default: - retval = KRB5KDC_ERR_INVALID_SIG; - } --- -2.38.1 - diff --git a/0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch b/0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch similarity index 98% rename from 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch rename to 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch index 227650e..a78d09c 100644 --- a/0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +++ b/0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From d8f67df42efd68142aa904040f9e8cc0f9138c10 Mon Sep 17 00:00:00 2001 +From 73640dc4899494d010b83b080b3a65bd3e69177c Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 19 Jan 2023 19:22:27 +0100 Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode @@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644 ret = KRB5_CRYPTO_INTERNAL; goto done; -- -2.39.1 +2.40.1 diff --git a/0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch b/0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch new file mode 100644 index 0000000..8109a84 --- /dev/null +++ b/0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch @@ -0,0 +1,279 @@ +From f47c9eb8618006012600a906367295ed53c558d0 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 15 Mar 2023 15:56:34 +0100 +Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional + +MS-PAC states that "The ticket signature SHOULD be included in tickets +that are not encrypted to the krbtgt account". However, the +implementation of krb5_kdc_verify_ticket() will require the ticket +signature to be present in case the target of the request is a service +principal. + +In gradual upgrade environments, it results in S4U2Proxy requests +against a 1.20 KDC using a service ticket generated by an older version +KDC to fail. + +This commit adds a krb5_kdc_verify_ticket_ext() function with an extra +switch parameter to tolerate the absence of ticket signature in this +scenario. If the ticket signature is present, it has to be valid, +regardless of this parameter. + +This parameter is set based on the "optional_pac_tkt_chksum" string +attribute of the TGT KDB entry. +--- + doc/admin/admin_commands/kadmin_local.rst | 6 ++++ + doc/appdev/refs/api/index.rst | 1 + + src/include/kdb.h | 1 + + src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++ + src/kdc/kdc_util.c | 32 ++++++++++++++---- + src/lib/krb5/krb/pac.c | 31 +++++++++++++++--- + src/lib/krb5/libkrb5.exports | 1 + + src/man/kadmin.man | 6 ++++ + 8 files changed, 108 insertions(+), 10 deletions(-) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 2435b3c361..58ac79549f 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -658,6 +658,12 @@ KDC: + Directory realm when using aes-sha2 keys on the local krbtgt + entry. + ++**optional_pac_tkt_chksum** ++ Boolean value defining the behavior of the KDC in case an expected ++ ticket checksum signed with one of this principal keys is not ++ present in the PAC. This is typically the case for TGS or ++ cross-realm TGS principals when processing S4U2Proxy requests. ++ + This command requires the **modify** privilege. + + Alias: **setstr** +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index d12be47c3c..9b95ebd0f9 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -225,6 +225,7 @@ Rarely used public interfaces + krb5_is_referral_realm.rst + krb5_kdc_sign_ticket.rst + krb5_kdc_verify_ticket.rst ++ krb5_kdc_verify_ticket_ext.rst + krb5_kt_add_entry.rst + krb5_kt_end_seq_get.rst + krb5_kt_get_entry.rst +diff --git a/src/include/kdb.h b/src/include/kdb.h +index 745b24f351..6075349e5e 100644 +--- a/src/include/kdb.h ++++ b/src/include/kdb.h +@@ -136,6 +136,7 @@ + #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" + #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" + #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" ++#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum" + + #if !defined(_WIN32) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 350bcf86f2..17e1b52266 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out); + ++/** ++ * Verify a PAC, possibly including ticket signature ++ * ++ * @param [in] context Library context ++ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC ++ * @param [in] server_princ Canonicalized name of ticket server ++ * @param [in] server Key to validate server checksum (or NULL) ++ * @param [in] privsvr Key to validate KDC checksum (or NULL) ++ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum ++ * @param [out] pac_out Verified PAC (NULL if no PAC included) ++ * ++ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a ++ * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC ++ * ticket signature. ++ * ++ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is ++ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and ++ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt ++ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If ++ * an invalid PAC signature is found, return an error matching the Windows KDC ++ * protocol code for that condition as closely as possible. ++ * ++ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return ++ * successfully. ++ * ++ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a ++ * specific value is expected, the caller can make a separate call to ++ * krb5_pac_verify_ext() with a principal but no keys. ++ * ++ * @retval 0 Success; otherwise - Kerberos error codes ++ */ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out); ++ + /** @deprecated Use krb5_kdc_sign_ticket() instead. */ + krb5_error_code KRB5_CALLCONV + krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index ea10e23a95..c7b6e4090d 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -560,16 +560,36 @@ cleanup: + static krb5_error_code + try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_db_entry *server, krb5_keyblock *server_key, +- const krb5_keyblock *tgt_key, krb5_pac *pac_out) ++ krb5_db_entry *tgt, const krb5_keyblock *tgt_key, ++ krb5_pac *pac_out) + { + krb5_error_code ret; ++ krb5_boolean optional_tkt_chksum; ++ char *str = NULL; + krb5_keyblock *privsvr_key; + + ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key); + if (ret) + return ret; +- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key, +- privsvr_key, pac_out); ++ ++ /* Check if the absence of ticket signature is tolerated for this realm */ ++ ret = krb5_dbe_get_string(context, tgt, ++ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str); ++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not ++ * available here. ++ */ ++ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0 ++ || strncasecmp(str, "t", 1) == 0 ++ || strncasecmp(str, "yes", 3) == 0 ++ || strncasecmp(str, "y", 1) == 0 ++ || strncasecmp(str, "1", 1) == 0 ++ || strncasecmp(str, "on", 2) == 0); ++ ++ krb5_dbe_free_string(context, str); ++ ++ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ, ++ server_key, privsvr_key, ++ optional_tkt_chksum, pac_out); + krb5_free_keyblock(context, privsvr_key); + return ret; + } +@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + server_key, NULL, pac_out); + } + +- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key, ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key, + pac_out); + if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE) + return ret; +@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL); + if (ret) + return ret; +- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key, +- pac_out); ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, ++ &old_key, pac_out); + krb5_free_keyblock_contents(context, &old_key); + if (!ret) + return 0; +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 5d1fdf1ba0..0c0e2ada68 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_const_principal server_princ, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out) ++{ ++ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server, ++ privsvr, FALSE, pac_out); ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out) + { + krb5_error_code ret; + krb5_pac pac = NULL; +@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL; + uint8_t z = 0; + krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; +- krb5_boolean is_service_tkt; ++ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE; + size_t i, j; + + *pac_out = NULL; +@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + + ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr, + KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (!optional_tkt_chksum) ++ goto cleanup; ++ else if (ret != ENOENT) ++ goto cleanup; ++ /* Otherwise ticket signature is absent but optional. Proceed... */ ++ } else { ++ has_tkt_chksum = TRUE; ++ } + } ++ /* Else, we make the assumption the ticket signature is absent in case this ++ * is not a service ticket. ++ */ + +- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); ++ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr); + if (ret) + goto cleanup; + +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index 4c50e935a2..d4b0455c8c 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -463,6 +463,7 @@ krb5_is_thread_safe + krb5_kdc_rep_decrypt_proc + krb5_kdc_sign_ticket + krb5_kdc_verify_ticket ++krb5_kdc_verify_ticket_ext + krb5_kt_add_entry + krb5_kt_client_default + krb5_kt_close +diff --git a/src/man/kadmin.man b/src/man/kadmin.man +index d028dc2975..2c8d10067f 100644 +--- a/src/man/kadmin.man ++++ b/src/man/kadmin.man +@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to + "aes256\-sha1" on the cross\-realm krbtgt entry for an Active + Directory realm when using aes\-sha2 keys on the local krbtgt + entry. ++.TP ++\fBoptional_pac_tkt_chksum\fP ++Boolean value defining the behavior of the KDC in case an expected ticket ++checksum signed with one of this principal keys is not present in the PAC. This ++is typically the case for TGS or cross-realm TGS principals when processing ++S4U2Proxy requests. + .UNINDENT + .sp + This command requires the \fBmodify\fP privilege. +-- +2.40.1 + diff --git a/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch b/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch deleted file mode 100644 index 373cd1a..0000000 --- a/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c7d2d7c090bc000acd67b358150b9487f606ff20 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Fri, 19 Aug 2022 10:34:52 +0200 -Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for - PKINIT - -An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if -CMS_verify is called to verify a SHA-1 signature. If this error is -caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 16edf15cb2..bfa3fe8e91 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context, - if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { - unsigned long err = ERR_peek_last_error(); - switch(ERR_GET_REASON(err)) { -+ case EVP_R_INVALID_DIGEST: - case RSA_R_DIGEST_NOT_ALLOWED: - case CMS_R_UNKNOWN_DIGEST_ALGORITHM: - case CMS_R_NO_MATCHING_DIGEST: --- -2.38.1 - diff --git a/0012-Add-and-use-ts_interval-helper.patch b/0012-Add-and-use-ts_interval-helper.patch deleted file mode 100644 index 5f9647e..0000000 --- a/0012-Add-and-use-ts_interval-helper.patch +++ /dev/null @@ -1,239 +0,0 @@ -From 07ec260c65ec036d44362868df0f796a53495f27 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 19 Sep 2022 15:18:50 -0400 -Subject: [PATCH] Add and use ts_interval() helper - -ts_delta() returns a signed result, which cannot hold an interval -larger than 2^31-1 seconds. Intervals like this have been seen when -admins set password expiration dates more than 68 years in the future. - -Add a second helper ts_interval() which returns a signed result, and -has the arguments reversed so that the start time is first. Use it in -warn_pw_expiry() to handle the password expiration case, in the GSS -krb5 mech where we return an unsigned context or credential lifetime -to the caller, and in the KEYRING ccache type where we compute an -unsigned keyring timeout. - -ticket: 9071 (new) ---- - src/include/k5-int.h | 9 +++++++++ - src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++---- - src/lib/gssapi/krb5/acquire_cred.c | 3 +-- - src/lib/gssapi/krb5/context_time.c | 2 +- - src/lib/gssapi/krb5/init_sec_context.c | 4 ++-- - src/lib/gssapi/krb5/inq_context.c | 2 +- - src/lib/gssapi/krb5/inq_cred.c | 2 +- - src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- - src/lib/krb5/ccache/cc_keyring.c | 4 ++-- - src/lib/krb5/krb/get_in_tkt.c | 15 +++++++-------- - 10 files changed, 31 insertions(+), 22 deletions(-) - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index c3aecba7d4..768110e5ef 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b) - return (krb5_deltat)((uint32_t)a - (uint32_t)b); - } - -+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */ -+static inline uint32_t -+ts_interval(krb5_timestamp start, krb5_timestamp end) -+{ -+ if ((uint32_t)start > (uint32_t)end) -+ return 0; -+ return (uint32_t)end - (uint32_t)start; -+} -+ - /* Increment a timestamp by a signed 32-bit interval, without relying on - * undefined behavior. */ - static inline krb5_timestamp -diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 1bc807172b..7de2c9fd77 100644 ---- a/src/lib/gssapi/krb5/accept_sec_context.c -+++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle, - *mech_type = ctx->mech_used; - - if (time_rec) { -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + -- ctx->k5_context->clockskew; -+ *time_rec = ts_interval(now - ctx->k5_context->clockskew, -+ ctx->krb_times.endtime); - } - - /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential -@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket. */ -- if (time_rec) -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew; -+ if (time_rec) { -+ *time_rec = ts_interval(now - context->clockskew, -+ ctx->krb_times.endtime); -+ } - - if (ret_flags) - *ret_flags = ctx->gss_flags; -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index e226a02692..006eba114d 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - GSS_C_NO_NAME); - if (GSS_ERROR(ret)) - goto error_out; -- *time_rec = ts_after(cred->expire, now) ? -- ts_delta(cred->expire, now) : 0; -+ *time_rec = ts_interval(now, cred->expire); - k5_mutex_unlock(&cred->lock); - } - } -diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c -index 1fdb5a16f2..5469d8154c 100644 ---- a/src/lib/gssapi/krb5/context_time.c -+++ b/src/lib/gssapi/krb5/context_time.c -@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) - return(GSS_S_FAILURE); - } - -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += ctx->k5_context->clockskew; - if (lifetime <= 0) { -diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index ea87cf6432..f0f094ccb7 100644 ---- a/src/lib/gssapi/krb5/init_sec_context.c -+++ b/src/lib/gssapi/krb5/init_sec_context.c -@@ -664,7 +664,7 @@ kg_new_connection( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto cleanup; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - /* set the other returns */ -@@ -878,7 +878,7 @@ mutual_auth( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - if (ret_flags) -diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c -index cac024da1f..51c484fdfe 100644 ---- a/src/lib/gssapi/krb5/inq_context.c -+++ b/src/lib/gssapi/krb5/inq_context.c -@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket during authentication. */ -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += context->clockskew; - if (lifetime < 0) -diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c -index bb63b726c8..0e675959a3 100644 ---- a/src/lib/gssapi/krb5/inq_cred.c -+++ b/src/lib/gssapi/krb5/inq_cred.c -@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - } - - if (cred->expire != 0) { -- lifetime = ts_delta(cred->expire, now); -+ lifetime = ts_interval(now, cred->expire); - if (lifetime < 0) - lifetime = 0; - } -diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c -index 7dcfe4e1eb..fa7f980af7 100644 ---- a/src/lib/gssapi/krb5/s4u_gss_glue.c -+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c -@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - if (code != 0) - goto cleanup; - -- *time_rec = ts_delta(cred->expire, now); -+ *time_rec = ts_interval(now, cred->expire); - } - - major_status = GSS_S_COMPLETE; -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index ebef37d607..1dadeef64f 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id) - - /* Setting the timeout to zero would reset the timeout, so we set it to one - * second instead if creds are already expired. */ -- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1; -+ timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1; - (void)keyctl_set_timeout(data->cache_id, timeout); - } - -@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) - - if (ts_after(creds->times.endtime, now)) { - (void)keyctl_set_timeout(cred_key, -- ts_delta(creds->times.endtime, now)); -+ ts_interval(now, creds->times.endtime)); - } - - update_keyring_expiration(context, id); -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 8b5ab595e9..1b420a3ac2 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - void *expire_data; - krb5_timestamp pw_exp, acct_exp, now; - krb5_boolean is_last_req; -- krb5_deltat delta; -+ uint32_t interval; - char ts[256], banner[1024]; - - if (as_reply == NULL || as_reply->enc_part2 == NULL) -@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - ret = krb5_timeofday(context, &now); - if (ret != 0) - return; -- if (!is_last_req && -- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60)) -+ interval = ts_interval(now, pw_exp); -+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60)) - return; - - if (!prompter) -@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - if (ret != 0) - return; - -- delta = ts_delta(pw_exp, now); -- if (delta < 3600) { -+ if (interval < 3600) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in less than one hour " - "on %s"), ts); -- } else if (delta < 86400 * 2) { -+ } else if (interval < 86400 * 2) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d hour%s on %s"), -- delta / 3600, delta < 7200 ? "" : "s", ts); -+ interval / 3600, interval < 7200 ? "" : "s", ts); - } else { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d days on %s"), -- delta / 86400, ts); -+ interval / 86400, ts); - } - - /* PROMPTER_INVOCATION */ --- -2.38.1 - diff --git a/0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch new file mode 100644 index 0000000..c40ed12 --- /dev/null +++ b/0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch @@ -0,0 +1,47 @@ +From d1322546dca51100759eac318ce554bd301c50c3 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 23 May 2023 12:19:54 +0200 +Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification + available in FIPS mode + +We recommend using the SHA1 crypto-module in order to allow the +verification of SHA-1 signature for CMS messages. However, this module +does not work in FIPS mode, because the SHA-1 algorithm is absent from +the OpenSSL FIPS provider. + +This commit enables the signature verification process to fetch the +algorithm from a non-FIPS OpenSSL provider. + +Support for SHA-1 CMS signature is still required, especially in order +to interoperate with Active Directory. At least it is until elliptic +curve cryptography is implemented for PKINIT in MIT krb5. +--- + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index f41328763e..263ef7845e 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context, + if (oid == NULL) + goto cleanup; + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ /* Do not use FIPS provider (even in FIPS mode) because it keeps from ++ * allowing SHA-1 signature verification using the SHA1 crypto-module ++ */ ++ cms = CMS_ContentInfo_new_ex(NULL, "-fips"); ++ if (!cms) ++ goto cleanup; ++#endif ++ + /* decode received CMS message */ +- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { ++ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) { + retval = oerr(context, 0, _("Failed to decode CMS message")); + goto cleanup; + } +-- +2.40.1 + diff --git a/0013-Enable-PKINIT-if-at-least-one-group-is-available.patch b/0013-Enable-PKINIT-if-at-least-one-group-is-available.patch new file mode 100644 index 0000000..ebfa323 --- /dev/null +++ b/0013-Enable-PKINIT-if-at-least-one-group-is-available.patch @@ -0,0 +1,218 @@ +From a378b1970d92692baeddf6a8681f47efb13e343d Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 30 May 2023 01:21:48 -0400 +Subject: [PATCH] Enable PKINIT if at least one group is available + +OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman +group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL +does not know about MODP group 2 (1024-bit), which is considered as a +custom group. As a consequence, the PKINIT kdcpreauth module fails to +load in FIPS mode. + +Allow initialization of PKINIT plugin if at least one of the MODP +well-known group parameters successfully decodes. + +[ghudson@mit.edu: minor commit message and code edits] + +ticket: 9096 (new) +(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a) +--- + src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- + src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +- + .../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++-------- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + src/plugins/preauth/pkinit/pkinit_trace.h | 3 + + 5 files changed, 51 insertions(+), 35 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 725d5bc438..ea9ba454df 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context, + if (retval) + goto errout; + +- retval = pkinit_init_plg_crypto(&ctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 9fa315d7a0..8bdbea8e95 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data { + /* + * Functions to initialize and cleanup crypto contexts + */ +-krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *); ++krb5_error_code pkinit_init_plg_crypto(krb5_context, ++ pkinit_plg_crypto_context *); + void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); + + krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 263ef7845e..d646073d55 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -47,7 +47,8 @@ + static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context ); + static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ); + +-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context ); ++static krb5_error_code pkinit_init_dh_params(krb5_context, ++ pkinit_plg_crypto_context); + static void pkinit_fini_dh_params(pkinit_plg_crypto_context ); + + static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx); +@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx, + } + + krb5_error_code +-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) ++pkinit_init_plg_crypto(krb5_context context, ++ pkinit_plg_crypto_context *cryptoctx) + { + krb5_error_code retval = ENOMEM; + pkinit_plg_crypto_context ctx = NULL; +@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) + if (retval) + goto out; + +- retval = pkinit_init_dh_params(ctx); ++ retval = pkinit_init_dh_params(context, ctx); + if (retval) + goto out; + +@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) + ASN1_OBJECT_free(ctx->id_kp_serverAuth); + } + +-static krb5_error_code +-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx) ++static int ++try_import_group(krb5_context context, const krb5_data *params, ++ const char *name, EVP_PKEY **pkey_out) + { +- krb5_error_code retval = ENOMEM; +- +- plgctx->dh_1024 = decode_dh_params(&oakley_1024); +- if (plgctx->dh_1024 == NULL) +- goto cleanup; +- +- plgctx->dh_2048 = decode_dh_params(&oakley_2048); +- if (plgctx->dh_2048 == NULL) +- goto cleanup; ++ *pkey_out = decode_dh_params(params); ++ if (*pkey_out == NULL) ++ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name); ++ return (*pkey_out != NULL) ? 1 : 0; ++} + +- plgctx->dh_4096 = decode_dh_params(&oakley_4096); +- if (plgctx->dh_4096 == NULL) +- goto cleanup; ++static krb5_error_code ++pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx) ++{ ++ int n = 0; + +- retval = 0; ++ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)", ++ &plgctx->dh_1024); ++ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)", ++ &plgctx->dh_2048); ++ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)", ++ &plgctx->dh_4096); + +-cleanup: +- if (retval) ++ if (n == 0) { + pkinit_fini_dh_params(plgctx); ++ k5_setmsg(context, ENOMEM, ++ _("PKINIT cannot initialize any key exchange groups")); ++ return ENOMEM; ++ } + +- return retval; ++ return 0; + } + + static void +@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context, + + if (cryptoctx->received_params != NULL) + params = cryptoctx->received_params; +- else if (dh_size == 1024) ++ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024) + params = plg_cryptoctx->dh_1024; +- else if (dh_size == 2048) ++ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048) + params = plg_cryptoctx->dh_2048; +- else if (dh_size == 4096) ++ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096) + params = plg_cryptoctx->dh_4096; + else + goto cleanup; +@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context, + krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; + krb5_algorithm_identifier *alglist[4]; + +- if (opts->dh_min_bits > 4096) { +- ret = KRB5KRB_ERR_GENERIC; +- goto cleanup; +- } +- + i = 0; +- if (opts->dh_min_bits <= 2048) ++ if (plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048) + alglist[i++] = &alg_2048; +- alglist[i++] = &alg_4096; +- if (opts->dh_min_bits <= 1024) ++ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096) ++ alglist[i++] = &alg_4096; ++ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024) + alglist[i++] = &alg_1024; + alglist[i] = NULL; + ++ if (i == 0) { ++ ret = KRB5KRB_ERR_GENERIC; ++ k5_setmsg(context, ret, ++ _("OpenSSL has no supported key exchange groups for " ++ "pkinit_dh_min_bits=%d"), opts->dh_min_bits); ++ goto cleanup; ++ } ++ + ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist); + if (ret) + goto cleanup; +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 1b3bf6d4d0..768a4e559f 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname, + goto errout; + plgctx->realmname_len = strlen(plgctx->realmname); + +- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 259e95c6c2..5ee39c085c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -90,6 +90,9 @@ + #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \ + TRACE(c, "PKINIT client trying again with KDC-provided parameters") + ++#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \ ++ TRACE(c, "PKINIT key exchange group {str} unsupported", name) ++ + #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ + TRACE(c, "PKINIT OpenSSL error: {str}", msg) + +-- +2.40.1 + diff --git a/0017-Add-PAC-full-checksums.patch b/0017-Add-PAC-full-checksums.patch deleted file mode 100644 index f0a20f6..0000000 --- a/0017-Add-PAC-full-checksums.patch +++ /dev/null @@ -1,672 +0,0 @@ -From 5801da1ddc3b0984ad6997bb7a692eac85ff7dd3 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 22 Dec 2022 03:05:23 -0500 -Subject: [PATCH] Add PAC full checksums - -A paper by Tom Tervoort noted that computing the PAC privsvr checksum -over only the server checksum is vulnerable to collision attacks -(CVE-2022-37967). In response, Microsoft has added a second KDC -checksum over the full contents of the PAC. Generate and verify full -KDC checksums in PACs for service tickets. Update the t_pac.c ticket -test case to use a ticket issued by a recent version of Active -Directory (provided by Stefan Metzmacher). - -ticket: 9084 (new) ---- - doc/appdev/refs/macros/index.rst | 1 + - src/include/krb5/krb5.hin | 1 + - src/lib/krb5/krb/pac.c | 92 +++++++++-------- - src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++----------- - src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++------------- - src/tests/t_authdata.py | 4 +- - 6 files changed, 240 insertions(+), 175 deletions(-) - -diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 5f34dea5e8..3eeee25593 100644 ---- a/doc/appdev/refs/macros/index.rst -+++ b/doc/appdev/refs/macros/index.rst -@@ -247,6 +247,7 @@ Public - KRB5_PAC_SERVER_CHECKSUM.rst - KRB5_PAC_TICKET_CHECKSUM.rst - KRB5_PAC_UPN_DNS_INFO.rst -+ KRB5_PAC_FULL_CHECKSUM.rst - KRB5_PADATA_AFS3_SALT.rst - KRB5_PADATA_AP_REQ.rst - KRB5_PADATA_AS_CHECKSUM.rst -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index fb9f2a366c..2ba4010514 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context, - #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ - #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ - #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ -+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */ - - struct krb5_pac_data; - /** PAC data structure to convey authorization information */ -diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c -index f6c4373de0..954482e0c7 100644 ---- a/src/lib/krb5/krb/pac.c -+++ b/src/lib/krb5/krb/pac.c -@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type, - size_t i; - - assert(type == KRB5_PAC_SERVER_CHECKSUM || -- type == KRB5_PAC_PRIVSVR_CHECKSUM); -+ type == KRB5_PAC_PRIVSVR_CHECKSUM || -+ type == KRB5_PAC_FULL_CHECKSUM); - assert(data->length >= pac->data.length); - - for (i = 0; i < pac->pac->cBuffers; i++) { -@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type, - } - - static krb5_error_code --verify_server_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *server) -+verify_pac_checksums(krb5_context context, const krb5_pac pac, -+ krb5_boolean expect_full_checksum, -+ const krb5_keyblock *server, const krb5_keyblock *privsvr) - { - krb5_error_code ret; -- krb5_data copy; /* PAC with zeroed checksums */ -+ krb5_data copy, server_checksum; - -+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */ - ret = krb5int_copy_data_contents(context, &pac->data, ©); - if (ret) - return ret; -- -- /* Zero out both checksum buffers */ - ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©); - if (ret) - goto cleanup; -@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac, - if (ret) - goto cleanup; - -- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (server != NULL) { -+ /* Verify the server checksum over the PAC copy. */ -+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ } - --cleanup: -- free(copy.data); -- return ret; --} -+ if (privsvr != NULL && expect_full_checksum) { -+ /* Zero the full checksum buffer in the copy and verify the full -+ * checksum over the copy with all three checksums zeroed. */ -+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©); -+ if (ret) -+ goto cleanup; -+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (ret) -+ goto cleanup; -+ } - --static krb5_error_code --verify_kdc_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *privsvr) --{ -- krb5_error_code ret; -- krb5_data server_checksum; -+ if (privsvr != NULL) { -+ /* Verify the privsvr checksum over the server checksum. */ -+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ &server_checksum); -+ if (ret) -+ return ret; -+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -+ return KRB5_BAD_MSIZE; -+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; - -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_checksum); -- if (ret) -- return ret; -- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -- return KRB5_BAD_MSIZE; -- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; -+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+ if (ret) -+ goto cleanup; -+ } -+ -+ pac->verified = TRUE; - -- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+cleanup: -+ free(copy.data); -+ return ret; - } - - /* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals -@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL; - uint8_t z = 0; - krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; -+ krb5_boolean is_service_tkt; - size_t i, j; - - *pac_out = NULL; -@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - if (ret) - goto cleanup; - -- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (privsvr != NULL && is_service_tkt) { - /* To check the PAC ticket signatures, re-encode the ticket with the - * PAC contents replaced by a single zero. */ - orig = ifrel[j]; -@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL, -- server, privsvr, FALSE); -+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); -+ if (ret) -+ goto cleanup; - - *pac_out = pac; - pac = NULL; -@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context, - { - krb5_error_code ret; - -- if (server != NULL) { -- ret = verify_server_checksum(context, pac, server); -- if (ret != 0) -- return ret; -- } -- -- if (privsvr != NULL) { -- ret = verify_kdc_checksum(context, pac, privsvr); -+ if (server != NULL || privsvr != NULL) { -+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr); - if (ret != 0) - return ret; - } -@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context, - return ret; - } - -- pac->verified = TRUE; -- - return 0; - } - -diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c -index 0f9581abbb..8ea61ac17b 100644 ---- a/src/lib/krb5/krb/pac_sign.c -+++ b/src/lib/krb5/krb/pac_sign.c -@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) - return 0; - } - --krb5_error_code KRB5_CALLCONV --krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_data *data) -+/* Find the buffer of type buftype in pac and write within it a checksum of -+ * type cksumtype over data. Set *cksum_out to the checksum. */ -+static krb5_error_code -+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype, -+ const krb5_keyblock *key, krb5_cksumtype cksumtype, -+ const krb5_data *data, krb5_data *cksum_out) - { -- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key, -- privsvr_key, FALSE, data); -+ krb5_error_code ret; -+ krb5_data buf; -+ krb5_crypto_iov iov[2]; -+ -+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf); -+ if (ret) -+ return ret; -+ -+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH); -+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH, -+ buf.length - PAC_SIGNATURE_DATA_LENGTH); -+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[0].data = *data; -+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -+ iov[1].data = *cksum_out; -+ return krb5_c_make_checksum_iov(context, cksumtype, key, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2); - } - --krb5_error_code KRB5_CALLCONV --krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, -- const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -- krb5_data *data) -+static krb5_error_code -+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_boolean is_service_tkt, krb5_data *data) - { - krb5_error_code ret; -- krb5_data server_cksum, privsvr_cksum; -+ krb5_data full_cksum, server_cksum, privsvr_cksum; - krb5_cksumtype server_cksumtype, privsvr_cksumtype; -- krb5_crypto_iov iov[2]; - - data->length = 0; - data->data = NULL; -@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - if (principal != NULL) { - ret = k5_insert_client_info(context, pac, authtime, principal, - with_realm); -- if (ret != 0) -+ if (ret) - return ret; - } - -- /* Create zeroed buffers for both checksums */ -+ /* Create zeroed buffers for all checksums. */ - ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, - server_key, &server_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -- - ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, - privsvr_key, &privsvr_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -+ if (is_service_tkt) { -+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, &privsvr_cksumtype); -+ if (ret) -+ return ret; -+ } - -- /* Now, encode the PAC header so that the checksums will include it */ -+ /* Encode the PAC header so that the checksums will include it. */ - ret = k5_pac_encode_header(context, pac); -- if (ret != 0) -- return ret; -- -- /* Generate the server checksum over the entire PAC */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_cksum); -- if (ret != 0) -+ if (ret) - return ret; - -- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data = pac->data; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -+ if (is_service_tkt) { -+ /* Generate a full KDC checksum over the whole PAC. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, -+ &pac->data, &full_cksum); -+ if (ret) -+ return ret; -+ } - -- ret = krb5_c_make_checksum_iov(context, server_cksumtype, -- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ /* Generate the server checksum over the whole PAC, including the full KDC -+ * checksum if we added one. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ server_key, server_cksumtype, &pac->data, -+ &server_cksum); -+ if (ret) - return ret; - -- /* Generate the privsvr checksum over the server checksum buffer */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ /* Generate the privsvr checksum over the server checksum buffer. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, &server_cksum, - &privsvr_cksum); -- if (ret != 0) -- return ret; -- -- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype, -- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ if (ret) - return ret; - - data->data = k5memdup(pac->data.data, pac->data.length, &ret); -@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - return 0; - } - -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, -+ privsvr_key, FALSE, FALSE, data); -+} -+ -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, -+ const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key, -+ with_realm, FALSE, data); -+} -+ - /* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be - * encoded with a dummy PAC authdata element containing a single zero byte. */ - static krb5_error_code -@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - krb5_error_code ret; - krb5_data *der_enc_tkt = NULL, pac_data = empty_data(); - krb5_authdata **list, *pac_ad; -+ krb5_boolean is_service_tkt; - size_t count; - - /* Reallocate space for another authdata element in enc_tkt. */ -@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - memmove(list + 1, list, (count + 1) * sizeof(*list)); - list[0] = pac_ad; - -- if (k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (is_service_tkt) { - ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt); - if (ret) - goto cleanup; -@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime, -- client_princ, server, privsvr, with_realm, -- &pac_data); -+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server, -+ privsvr, with_realm, is_service_tkt, &pac_data); - if (ret) - goto cleanup; - -diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c -index 173bde7bab..81f1642ab0 100644 ---- a/src/lib/krb5/krb/t_pac.c -+++ b/src/lib/krb5/krb/t_pac.c -@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata, - - static const krb5_keyblock ticket_sig_krbtgt_key = { - 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84" -- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7") -+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E" -+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F") - }; - - static const krb5_keyblock ticket_sig_server_key = { -- 0, ENCTYPE_ARCFOUR_HMAC, -- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e") -+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1" -+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE") - }; - -+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing -+ * a PAC with a full checksum. */ - static const krb5_data ticket_data = { -- .length = 972, .data = -- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B" -- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02" -- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82" -- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C" -- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77" -- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08" -- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F" -- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1" -- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65" -- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC" -- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7" -- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4" -- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5" -- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6" -- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06" -- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02" -- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49" -- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD" -- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE" -- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26" -- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D" -- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29" -- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD" -- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52" -- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28" -- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20" -- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28" -- "\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39" -- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB" -- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A" -- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E" -- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86" -- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C" -- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A" -- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF" -- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B" -- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87" -- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E" -- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2" -- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6" -- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC" -- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE" -- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9" -- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77" -- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA" -- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7" -- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB" -- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22" -- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F" -- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39" -- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1" -- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D" -- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3" -- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3" -- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A" -- "\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D" -- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB" -- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20" -- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5" -- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B" -- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1" -+ .length = 1307, .data = -+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B" -+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A" -+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66" -+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30" -+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82" -+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB" -+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69" -+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5" -+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99" -+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC" -+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9" -+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68" -+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14" -+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA" -+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8" -+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83" -+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E" -+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED" -+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96" -+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32" -+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED" -+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B" -+ "\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA" -+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F" -+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98" -+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05" -+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E" -+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8" -+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7" -+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96" -+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC" -+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11" -+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94" -+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89" -+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7" -+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE" -+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D" -+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29" -+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4" -+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8" -+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55" -+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54" -+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F" -+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1" -+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B" -+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2" -+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22" -+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1" -+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B" -+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE" -+ "\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A" -+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4" -+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B" -+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1" -+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1" -+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95" -+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8" -+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6" -+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56" -+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30" -+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38" -+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15" -+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08" -+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA" -+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65" -+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40" -+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29" -+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E" -+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26" -+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C" -+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01" -+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85" -+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10" -+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70" -+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44" -+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA" -+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24" -+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B" -+ "\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B" -+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A" -+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09" -+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6" - }; - - static void -@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context) - { - krb5_error_code ret; - krb5_ticket *ticket; -- krb5_principal sprinc; -+ krb5_principal cprinc, sprinc; - krb5_authdata **authdata1, **authdata2; - krb5_pac pac, pac2, pac3; - uint32_t *list; -@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context) - if (ret) - err(context, ret, "while decrypting ticket"); - -- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc); -+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc); -+ if (ret) -+ err(context, ret, "krb5_parse_name"); -+ -+ ret = krb5_parse_name(context, -+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE", -+ &sprinc); - if (ret) - err(context, ret, "krb5_parse_name"); - -@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context) - - /* In this test, the server is also the client. */ - ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime, -- ticket->server, NULL, NULL); -+ cprinc, NULL, NULL); - if (ret) - err(context, ret, "while verifying PAC client info"); - -@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context) - ticket->enc_part2->authorization_data = NULL; - - ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc, -- sprinc, &ticket_sig_server_key, -+ cprinc, &ticket_sig_server_key, - &ticket_sig_krbtgt_key, FALSE); - if (ret) - err(context, ret, "while signing ticket"); -@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context) - krb5_pac_free(context, pac); - krb5_pac_free(context, pac2); - krb5_pac_free(context, pac3); -+ krb5_free_principal(context, cprinc); - krb5_free_principal(context, sprinc); - krb5_free_ticket(context, ticket); - } -diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 47ea9e4b47..e934799268 100644 ---- a/src/tests/t_authdata.py -+++ b/src/tests/t_authdata.py -@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf) - # container. - mark('baseline authdata') - out = realm.run(['./adata', realm.host_princ]) --if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out: -+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out: - fail('expected authdata not seen for basic request') - - # Requested authdata is copied into the ticket, with KDC-only types -@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2']) - if '+97: [indcl]' not in out or '[inds1]' in out: - fail('correct auth-indicator not seen for S4U2Proxy req') - # Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included. --if '?128: [1, 6, 7, 10, 11, 16]' not in out: -+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out: - fail('PAC with delegation info not seen for S4U2Proxy req') - - # Get another S4U2Proxy ticket including request-authdata. --- -2.39.1 - diff --git a/krb5-tests b/krb5-tests index cbbb302..beaeb2b 100644 --- a/krb5-tests +++ b/krb5-tests @@ -5,10 +5,13 @@ export RPM_PACKAGE_NAME={{ name }} export RPM_PACKAGE_VERSION={{ version }} export RPM_PACKAGE_RELEASE={{ release }} export RPM_ARCH={{ arch }} +export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)" testdir="$(mktemp -d)" trap "rm -rf ${testdir}" EXIT +build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")" + cp -rp /usr/share/{{ name }}-tests "${testdir}/" -make -C "${testdir}/{{ name }}-tests" $(rpm --eval '%{_smp_mflags}') +make -C "${testdir}/{{ name }}-tests" $build_flags keyctl session - make -C "${testdir}/{{ name }}-tests" check diff --git a/krb5.spec b/krb5.spec index 7800eea..a16e111 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 9 +%global baserelease 1 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -22,9 +22,9 @@ %endif %global krb5_version_major 1 -%global krb5_version_minor 20 +%global krb5_version_minor 21 # For a release without a patch number set to %%nil -%global krb5_version_patch 1 +%global krb5_version_patch %nil %global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor} %global krb5_version %{krb5_version_major_minor} @@ -59,23 +59,19 @@ Source13: kadmind.logrotate Source14: krb5-krb5kdc.conf Source15: %{name}-tests -Patch1: 0001-downstream-ksu-pam-integration.patch -Patch2: 0002-downstream-SELinux-integration.patch -Patch3: 0003-downstream-fix-debuginfo-with-y.tab.c.patch -Patch4: 0004-downstream-Remove-3des-support.patch -Patch5: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch6: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch -Patch7: 0007-Add-configure-variable-for-default-PKCS-11-module.patch -Patch8: 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch -Patch9: 0009-Simplify-plugin-loading-code.patch -Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch -Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch -Patch12: 0012-Add-and-use-ts_interval-helper.patch -Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch -Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch -Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch -Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch -Patch17: 0017-Add-PAC-full-checksums.patch +Patch0001: 0001-downstream-ksu-pam-integration.patch +Patch0002: 0002-downstream-SELinux-integration.patch +Patch0003: 0003-downstream-fix-debuginfo-with-y.tab.c.patch +Patch0004: 0004-downstream-Remove-3des-support.patch +Patch0005: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch0006: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +Patch0007: 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +Patch0008: 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch +Patch0009: 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch +Patch0010: 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +Patch0011: 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +Patch0012: 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch +Patch0013: 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -712,9 +708,22 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog +* Mon Jun 12 2023 Julien Rische - 1.21-1 +- New upstream version (1.21) +- Do not disable PKINIT if some of the well-known DH groups are unavailable + Resolves: rhbz#2214297 +- Make PKINIT CMS SHA-1 signature verification available in FIPS mode + Resolves: rhbz#2214300 +- Allow to set PAC ticket signature as optional + Resolves: rhbz#2181311 +- Add support for MS-PAC extended KDC signature (CVE-2022-37967) + Resolves: rhbz#2166001 +- Fix syntax error in aclocal.m4 + Resolves: rhbz#2143306 + * Tue Jan 31 2023 Julien Rische - 1.20.1-9 - Add support for MS-PAC extended KDC signature (CVE-2022-37967) -- Resolves: rhbz#2166001 + Resolves: rhbz#2166001 * Mon Jan 30 2023 Julien Rische - 1.20.1-8 - Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled @@ -726,7 +735,7 @@ exit 0 * Wed Jan 18 2023 Julien Rische - 1.20.1-6 - Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf - Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf -- Resolves: rhbz#2114771 + Resolves: rhbz#2114771 * Mon Jan 09 2023 Julien Rische - 1.20.1-5 - Strip debugging data from ksu executable file @@ -743,18 +752,18 @@ exit 0 * Wed Nov 23 2022 Julien Rische - 1.20.1-1 - New upstream version (1.20.1) -- Resolves: rhbz#2124463 + Resolves: rhbz#2124463 - Restore "supportedCMSTypes" attribute in PKINIT preauth requests - Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms -- Resolves: rhbz#2114766 + Resolves: rhbz#2114766 - Update error checking for OpenSSL CMS_verify -- Resolves: rhbz#2119704 + Resolves: rhbz#2119704 - Remove invalid password expiry warning -- Resolves: rhbz#2129113 + Resolves: rhbz#2129113 * Wed Nov 09 2022 Julien Rische - 1.19.2-13 - Fix integer overflows in PAC parsing (CVE-2022-42898) -- Resolves: rhbz#2143011 + Resolves: rhbz#2143011 * Tue Aug 02 2022 Andreas Schneider - 1.19.2-12 - Use baserelease to set the release number @@ -766,14 +775,14 @@ exit 0 * Wed Jun 15 2022 Julien Rische - 1.19.2-11 - Allow libkrad UDP/TCP connection to localhost in FIPS mode -- Resolves: rhbz#2082189 + Resolves: rhbz#2082189 - Read GSS configuration files with mtime 0 * Mon May 2 2022 Julien Rische - 1.19.2-10 - Use p11-kit as default PKCS11 module -- Resolves: rhbz#2073274 + Resolves: rhbz#2073274 - Try harder to avoid password change replay errors -- Resolves: rhbz#2072059 + Resolves: rhbz#2072059 * Tue Apr 05 2022 Alexander Bokovoy - 1.19.2-9 - Fix libkrad client cleanup @@ -791,7 +800,7 @@ exit 0 * Wed Feb 02 2022 Alexander Bokovoy - 1.19.2-5 - Temporarily remove package note to unblock krb5-dependent packages -- Resolves: rhbz#2048909 + Resolves: rhbz#2048909 * Thu Jan 20 2022 Fedora Release Engineering - 1.19.2-4.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild @@ -909,7 +918,7 @@ exit 0 * Tue Nov 17 2020 Robbie Harwood - 1.18.2-30 - Migrate /var/run to /run, an exercise in pointlessness -- Resolves: #1898410 + Resolves: rhbz#1898410 * Thu Nov 05 2020 Robbie Harwood - 1.18.2-29 - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) @@ -931,14 +940,14 @@ exit 0 * Thu Sep 10 2020 Robbie Harwood - 1.18.2-23 - Use `systemctl reload` to HUP the KDC during logrotate -- Resolves: #1877692 + Resolves: rhbz#1877692 * Wed Sep 09 2020 Robbie Harwood - 1.18.2-22 - Fix input length checking in SPNEGO DER decoding * Fri Aug 28 2020 Robbie Harwood - 1.18.2-21 - Mark crypto-polices snippet as missingok -- Resolves: #1868379 + Resolves: rhbz#1868379 * Thu Aug 13 2020 Robbie Harwood - 1.18.2-20 - Temporarily dns_canonicalize_hostname=fallback changes @@ -955,7 +964,7 @@ exit 0 * Mon Aug 03 2020 Robbie Harwood - 1.18.2-16 - Disable tests on s390x -- Resolves: #1863952 + Resolves: rhbz#1863952 * Sat Aug 01 2020 Fedora Release Engineering - 1.18.2-15 - Second attempt - Rebuilt for @@ -976,7 +985,7 @@ exit 0 * Wed Jul 08 2020 Robbie Harwood - 1.18.2-10 - Set qualify_shortname empty in default configuration -- Resolves: #1852041 + Resolves: rhbz#1852041 * Mon Jun 15 2020 Robbie Harwood - 1.18.2-9 - Use two queues for concurrent t_otp.py daemons @@ -1150,7 +1159,7 @@ exit 0 * Mon Jul 15 2019 Robbie Harwood - 1.17-35 - Don't error on invalid enctypes in keytab -- Resolves: #1724380 + Resolves: rhbz#1724380 * Tue Jul 02 2019 Robbie Harwood - 1.17-34 - Remove now-unused checksum functions @@ -1235,7 +1244,7 @@ exit 0 * Thu Apr 11 2019 Robbie Harwood - 1.17-8 - Implement krb5_cc_remove_cred for remaining types -- Resolves: #1693836 + Resolves: rhbz#1693836 * Mon Apr 01 2019 Robbie Harwood - 1.17-7 - FIPS-aware SPAKE group negotiation @@ -1270,7 +1279,7 @@ exit 0 * Mon Dec 17 2018 Robbie Harwood - 1.17-1.beta2.2 - Restore pdfs source file -- Resolves: #1659716 + Resolves: rhbz#1659716 * Thu Dec 06 2018 Robbie Harwood - 1.17-1.beta2.1 - New upstream release (1.17-beta2) @@ -1284,26 +1293,26 @@ exit 0 * Thu Nov 08 2018 Robbie Harwood - 1.17-1.beta1.1 - Fix spurious errors from kcmio_unix_socket_write -- Resolves: #1645912 + Resolves: rhbz#1645912 * Thu Nov 01 2018 Robbie Harwood - 1.17-0.beta1.1 - New upstream beta release * Wed Oct 24 2018 Robbie Harwood - 1.16.1-25 - Update man pages to reference kerberos(7) -- Resolves: #1143767 + Resolves: rhbz#1143767 * Wed Oct 17 2018 Robbie Harwood - 1.16.1-24 - Use port-sockets.h macros in cc_kcm, sendto_kdc -- Resolves: #1631998 + Resolves: rhbz#1631998 * Wed Oct 17 2018 Robbie Harwood - 1.16.1-23 - Correct kpasswd_server description in krb5.conf(5) -- Resolves: #1640272 + Resolves: rhbz#1640272 * Mon Oct 15 2018 Robbie Harwood - 1.16.1-22 - Prefer TCP to UDP for password changes -- Resolves: #1637611 + Resolves: rhbz#1637611 * Tue Oct 09 2018 Adam Williamson - 1.16.1-21 - Revert the patch from -20 for now as it seems to make FreeIPA worse @@ -1352,18 +1361,18 @@ exit 0 * Thu Jun 14 2018 Robbie Harwood - 1.16.1-6 - Switch to python3-sphinx for docs -- Resolves: #1590928 + Resolves: rhbz#1590928 * Thu Jun 14 2018 Robbie Harwood - 1.16.1-5 - Make docs build python3-compatible -- Resolves: #1590928 + Resolves: rhbz#1590928 * Thu Jun 07 2018 Robbie Harwood - 1.16.1-4 - Update includedir processing to match upstream * Fri Jun 01 2018 Robbie Harwood - 1.16.1-3 - Log when non-root ksu authorization fails -- Resolves: #1575771 + Resolves: rhbz#1575771 * Fri May 04 2018 Robbie Harwood - 1.16.1-2 - Remove "-nodes" option from make-certs scripts @@ -1385,7 +1394,7 @@ exit 0 * Mon Apr 23 2018 Robbie Harwood - 1.16-23 - Explicitly use openssl rather than builtin crypto -- Resolves: #1570910 + Resolves: rhbz#1570910 * Tue Apr 17 2018 Robbie Harwood - 1.16-22 - Merge duplicate subsections in profile library @@ -1435,7 +1444,7 @@ exit 0 * Wed Mar 07 2018 Robbie Harwood - 1.16-8 - Fix capaths "." values on client -- Resolves: 1551099 + Resolves: 1551099 * Tue Feb 13 2018 Robbie Harwood - 1.16-7 - Fix flaws in LDAP DN checking @@ -1444,7 +1453,7 @@ exit 0 * Mon Feb 12 2018 Robbie Harwood - 1.16-6 - Fix a leak in the previous commit - Restore dist macro that was accidentally removed -- Resolves: #1540939 + Resolves: rhbz#1540939 * Wed Feb 07 2018 Fedora Release Engineering - 1.16-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -1457,7 +1466,7 @@ exit 0 * Tue Dec 12 2017 Robbie Harwood - 1.16-2 - Fix network service dependencies -- Resolves: #1525230 + Resolves: rhbz#1525230 * Wed Dec 06 2017 Robbie Harwood - 1.16-1 - New upstream release (1.16) @@ -1487,12 +1496,12 @@ exit 0 * Wed Sep 06 2017 Robbie Harwood - 1.15.1-28 - Save other programs from worrying about CVE-2017-11462 -- Resolves: #1488873 -- Resolves: #1488874 + Resolves: rhbz#1488873 + Resolves: rhbz#1488874 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-27 - Add hostname-based ccselect module -- Resolves: #1463665 + Resolves: rhbz#1463665 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-26 - Backport upstream certauth EKU fixes @@ -1543,7 +1552,7 @@ exit 0 * Fri Jun 23 2017 Robbie Harwood - 1.15.1-11 - Include more test suite changes from upstream -- Resolves: #1464381 + Resolves: rhbz#1464381 * Wed Jun 07 2017 Robbie Harwood - 1.15.1-10 - Fix custom build with -DDEBUG @@ -1559,12 +1568,12 @@ exit 0 * Thu Apr 13 2017 Robbie Harwood - 1.15.1-6 - Include fixes for previous commit -- Resolves: #1433083 + Resolves: rhbz#1433083 * Thu Apr 13 2017 Robbie Harwood - 1.15.1-5 - Automatically add includedir where not present - Try removing sleep statement to see if it is still needed -- Resolves: #1433083 + Resolves: rhbz#1433083 * Fri Apr 07 2017 Robbie Harwood - 1.15.1-4 - Fix use of enterprise principals with forwarding @@ -1574,7 +1583,7 @@ exit 0 * Tue Mar 07 2017 Robbie Harwood - 1.15.1-2 - Remove duplication between subpackages -- Resolves: #1250228 + Resolves: rhbz#1250228 * Fri Mar 03 2017 Robbie Harwood - 1.15.1-1 - New upstream release - 1.15.1 @@ -1608,14 +1617,14 @@ exit 0 * Thu Oct 20 2016 Robbie Harwood - 1.15-beta1-1 - New upstream release - Update selinux with RHEL hygene -- Resolves: #1314096 + Resolves: rhbz#1314096 * Tue Oct 11 2016 Tomáš Mráz - 1.14.4-6 - rebuild with OpenSSL 1.1.0, added backported upstream patch * Fri Sep 30 2016 Robbie Harwood - 1.14.4-5 - Properly close krad sockets -- Resolves: #1380836 + Resolves: rhbz#1380836 * Fri Sep 30 2016 Robbie Harwood - 1.14.4-4 - Fix backward check in kprop.service @@ -1634,42 +1643,42 @@ exit 0 * Mon Sep 19 2016 Robbie Harwood - 1.14.3-9 - Add krb5_db_register_keytab -- Resolves: #1376812 + Resolves: rhbz#1376812 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-8 - Use responder for non-preauth AS requests -- Resolves: #1370622 + Resolves: rhbz#1370622 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-7 - Guess Samba client mutual flag using ap_option -- Resolves: #1370980 + Resolves: rhbz#1370980 * Thu Aug 25 2016 Robbie Harwood - 1.14.3-6 - Fix KDC return code and set prompt types for OTP client preauth -- Resolves: #1370072 + Resolves: rhbz#1370072 * Mon Aug 15 2016 Robbie Harwood - 1.14.3-5 - Turn OFD locks back on with glibc workaround -- Resolves: #1274922 + Resolves: rhbz#1274922 * Wed Aug 10 2016 Robbie Harwood - 1.14.3-4 - Fix use of KKDCPP with SNI -- Resolves: #1365027 + Resolves: rhbz#1365027 * Fri Aug 05 2016 Robbie Harwood - 1.14.3-3 - Make krb5-devel depend on libkadm5 -- Resolves: #1364487 + Resolves: rhbz#1364487 * Wed Aug 03 2016 Robbie Harwood - 1.14.3-2 - Up-port a bunch of stuff from the el-7.3 cycle -- Resolves: #1255450, #1314989 + Resolves: rhbz#1255450, rhbz#1314989 * Mon Aug 01 2016 Robbie Harwood - 1.14.3-1 - New upstream version 1.14.3 * Thu Jul 28 2016 Robbie Harwood - 1.14.1-9 - Fix CVE-2016-3120 -- Resolves: #1361051 + Resolves: rhbz#1361051 * Wed Jun 22 2016 Robbie Harwood - 1.14.1-8 - Fix incorrect recv() size calculation in libkrad @@ -1682,18 +1691,18 @@ exit 0 * Tue Apr 05 2016 Robbie Harwood - 1.14.1-5 - Use the correct patches this time. -- Resolves: #1321135 + Resolves: rhbz#1321135 * Mon Apr 04 2016 Robbie Harwood - 1.14.1-4 - Add send/receive sendto_kdc hooks and corresponding tests -- Resolves: #1321135 + Resolves: rhbz#1321135 * Fri Mar 18 2016 Robbie Harwood - 1.14.1-3 - Fix CVE-2016-3119 (NULL deref in LDAP module) * Thu Mar 17 2016 Robbie Harwood - 1.14.1-2 - Backport OID mech fix -- Resolves: #1317609 + Resolves: rhbz#1317609 * Mon Feb 29 2016 Robbie Harwood - 1.14.1-1 - New rawhide, new upstream version @@ -1703,7 +1712,7 @@ exit 0 * Mon Feb 22 2016 Robbie Harwood - 1.14-23 - Fix log file permissions patch with our selinux -- Resolves: #1309421 + Resolves: rhbz#1309421 * Fri Feb 19 2016 Robbie Harwood - 1.14-22 - Backport my interposer fixes from upstream @@ -1712,7 +1721,7 @@ exit 0 * Tue Feb 16 2016 Robbie Harwood - 1.14-21 - Adjust dependency on crypto-polices to be just the file we want - Patch courtesy of lslebodn -- Resolves: #1308984 + Resolves: rhbz#1308984 * Thu Feb 04 2016 Fedora Release Engineering - 1.14-20 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild @@ -1720,21 +1729,21 @@ exit 0 * Thu Jan 28 2016 Robbie Harwood - 1.14-19 - Replace _kadmin/_kprop with systemd macros - Remove traces of upstart from fedora package per policy -- Resolves: #1290185 + Resolves: rhbz#1290185 * Wed Jan 27 2016 Robbie Harwood - 1.14-18 - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * Thu Jan 21 2016 Robbie Harwood - 1.14-17 - Make krb5kdc.log not world-readable by default -- Resolves: #1276484 + Resolves: rhbz#1276484 * Thu Jan 21 2016 Robbie Harwood - 1.14-16 - Allow verification of attributes on krb5.conf * Wed Jan 20 2016 Robbie Harwood - 1.14-15 - Use "new" systemd macros for service handling. (Thanks vpavlin!) -- Resolves: #850399 + Resolves: rhbz#850399 * Wed Jan 20 2016 Robbie Harwood - 1.14-14 - Remove WITH_NSS macro (always false) @@ -1744,7 +1753,7 @@ exit 0 * Fri Jan 08 2016 Robbie Harwood - 1.14-13 - Backport fix for chrome crash in spnego_gss_inquire_context -- Resolves: #1295893 + Resolves: rhbz#1295893 * Wed Dec 16 2015 Robbie Harwood - 1.14-12 - Backport patch to fix mechglue for gss_inqure_attrs_for_mech() diff --git a/sources b/sources index 9bc9770..d6c0df1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (krb5-1.20.1.tar.gz) = 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2 -SHA512 (krb5-1.20.1.tar.gz.asc) = 1d3312bd67581e07adfdadf2c5fe394179631d8add8bd075efefe982a0de22369004e60a14422d426382c8c591e4181b9897088afe9d4e86f0b5a97e5954c67a +SHA512 (krb5-1.21.tar.gz) = 8ee2366888f6d553a44fc642a89c69a57dbc1ec4c89a36b9ba8b00584a9a32c73a2b0566ba5f21852ad9617046666c276dac402393bf8eb19fbe0c07a838071a +SHA512 (krb5-1.21.tar.gz.asc) = 7147a44a13f4f26c5c1d9aba738b32892b50e351ad149dcaf0b6f2c010e3c51d7d51540d0a51b085450ffa31d5027b5f2e5841109d7af8bdaddbdd3a569582d5