New upstream version (1.21)
Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297

Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300

Allow setting the PAC ticket signature as optional
Resolves: rhbz#2181311

Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001

Fix syntax error in aclocal.m4
Resolves: rhbz#2143306

Signed-off-by: Julien Rische <jrische@redhat.com>
parent
7058594eab
commit
0b340d0ef3
2
.gitignore
vendored
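--- a/.gitignore
+++ b/.gitignore
@@ -202,3 +202,5 @@
 /krb5-1.19.2.tar.gz.asc
 /krb5-1.20.1.tar.gz
 /krb5-1.20.1.tar.gz.asc
+/krb5-1.21.tar.gz
+/krb5-1.21.tar.gz.asc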
@ -1,4 +1,4 @@
|
|||||||
From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001
|
From 67c82a09c6c53713c281045cd55de2720cd06907 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||||
Subject: [PATCH] [downstream] ksu pam integration
|
Subject: [PATCH] [downstream] ksu pam integration
|
||||||
@ -30,7 +30,7 @@ Last-updated: krb5-1.18-beta1
|
|||||||
create mode 100644 src/clients/ksu/pam.h
|
create mode 100644 src/clients/ksu/pam.h
|
||||||
|
|
||||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||||
index 9920476f91..bf9da35bbc 100644
|
index 3d66a876b3..ce3c5a9bac 100644
|
||||||
--- a/src/aclocal.m4
|
--- a/src/aclocal.m4
|
||||||
+++ b/src/aclocal.m4
|
+++ b/src/aclocal.m4
|
||||||
@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then
|
@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then
|
||||||
@ -760,10 +760,10 @@ index 0000000000..0ab76569cb
|
|||||||
+void appl_pam_cleanup(void);
|
+void appl_pam_cleanup(void);
|
||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index f03028b5fd..aa970b0447 100644
|
index 77be7a2025..587221936e 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION])
|
@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION])
|
||||||
|
|
||||||
AC_PATH_PROG(GROFF, groff)
|
AC_PATH_PROG(GROFF, groff)
|
||||||
|
|
||||||
@ -773,5 +773,5 @@ index f03028b5fd..aa970b0447 100644
|
|||||||
if test "${localedir+set}" != set; then
|
if test "${localedir+set}" != set; then
|
||||||
localedir='$(datadir)/locale'
|
localedir='$(datadir)/locale'
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001
|
From dfbac76ab7bb7e6e2c3171eefcaa93573e6b630e Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||||
Subject: [PATCH] [downstream] SELinux integration
|
Subject: [PATCH] [downstream] SELinux integration
|
||||||
@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1
|
|||||||
create mode 100644 src/util/support/selinux.c
|
create mode 100644 src/util/support/selinux.c
|
||||||
|
|
||||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||||
index bf9da35bbc..01283f482e 100644
|
index ce3c5a9bac..3331970930 100644
|
||||||
--- a/src/aclocal.m4
|
--- a/src/aclocal.m4
|
||||||
+++ b/src/aclocal.m4
|
+++ b/src/aclocal.m4
|
||||||
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||||
@ -133,10 +133,10 @@ index bf9da35bbc..01283f482e 100644
|
|||||||
+AC_SUBST(SELINUX_LIBS)
|
+AC_SUBST(SELINUX_LIBS)
|
||||||
+])dnl
|
+])dnl
|
||||||
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
||||||
index dead0dddce..fef3e054fc 100755
|
index 8e6eb86601..7677f37359 100755
|
||||||
--- a/src/build-tools/krb5-config.in
|
--- a/src/build-tools/krb5-config.in
|
||||||
+++ b/src/build-tools/krb5-config.in
|
+++ b/src/build-tools/krb5-config.in
|
||||||
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
|
@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@'
|
||||||
DEFCCNAME='@DEFCCNAME@'
|
DEFCCNAME='@DEFCCNAME@'
|
||||||
DEFKTNAME='@DEFKTNAME@'
|
DEFKTNAME='@DEFKTNAME@'
|
||||||
DEFCKTNAME='@DEFCKTNAME@'
|
DEFCKTNAME='@DEFCKTNAME@'
|
||||||
@ -144,7 +144,7 @@ index dead0dddce..fef3e054fc 100755
|
|||||||
|
|
||||||
LIBS='@LIBS@'
|
LIBS='@LIBS@'
|
||||||
GEN_LIB=@GEN_LIB@
|
GEN_LIB=@GEN_LIB@
|
||||||
@@ -254,7 +255,7 @@ if test -n "$do_libs"; then
|
@@ -253,7 +254,7 @@ if test -n "$do_libs"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If we ever support a flag to generate output suitable for static
|
# If we ever support a flag to generate output suitable for static
|
||||||
@ -175,10 +175,10 @@ index a0c60c70b3..7eaa2f351c 100644
|
|||||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||||
# needs fixing if ever used on macOS!
|
# needs fixing if ever used on macOS!
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index aa970b0447..40545f2bfc 100644
|
index 587221936e..69be9030f8 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff)
|
@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||||
|
|
||||||
KRB5_WITH_PAM
|
KRB5_WITH_PAM
|
||||||
|
|
||||||
@ -188,7 +188,7 @@ index aa970b0447..40545f2bfc 100644
|
|||||||
if test "${localedir+set}" != set; then
|
if test "${localedir+set}" != set; then
|
||||||
localedir='$(datadir)/locale'
|
localedir='$(datadir)/locale'
|
||||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||||
index 44dc1eeb3f..c3aecba7d4 100644
|
index 2f7791b775..9c534faa8a 100644
|
||||||
--- a/src/include/k5-int.h
|
--- a/src/include/k5-int.h
|
||||||
+++ b/src/include/k5-int.h
|
+++ b/src/include/k5-int.h
|
||||||
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
||||||
@ -238,7 +238,7 @@ index 0000000000..dfaaa847cb
|
|||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
index c0194c3c94..7e1dea2cbf 100644
|
index 9c76780181..dd6430ece8 100644
|
||||||
--- a/src/include/krb5/krb5.hin
|
--- a/src/include/krb5/krb5.hin
|
||||||
+++ b/src/include/krb5/krb5.hin
|
+++ b/src/include/krb5/krb5.hin
|
||||||
@@ -87,6 +87,12 @@
|
@@ -87,6 +87,12 @@
|
||||||
@ -290,10 +290,10 @@ index a89b5144f6..4d6cc0bdf9 100644
|
|||||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
||||||
index 38b9299066..085afc9220 100644
|
index bfdfef5c48..b43fe9a082 100644
|
||||||
--- a/src/kdc/main.c
|
--- a/src/kdc/main.c
|
||||||
+++ b/src/kdc/main.c
|
+++ b/src/kdc/main.c
|
||||||
@@ -848,7 +848,7 @@ write_pid_file(const char *path)
|
@@ -844,7 +844,7 @@ write_pid_file(const char *path)
|
||||||
FILE *file;
|
FILE *file;
|
||||||
unsigned long pid;
|
unsigned long pid;
|
||||||
|
|
||||||
@ -303,7 +303,7 @@ index 38b9299066..085afc9220 100644
|
|||||||
return errno;
|
return errno;
|
||||||
pid = (unsigned long) getpid();
|
pid = (unsigned long) getpid();
|
||||||
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
||||||
index f2341d720f..ffdac9f397 100644
|
index aa3c81ea30..cb9785aaeb 100644
|
||||||
--- a/src/kprop/kpropd.c
|
--- a/src/kprop/kpropd.c
|
||||||
+++ b/src/kprop/kpropd.c
|
+++ b/src/kprop/kpropd.c
|
||||||
@@ -488,6 +488,9 @@ doit(int fd)
|
@@ -488,6 +488,9 @@ doit(int fd)
|
||||||
@ -333,10 +333,10 @@ index f2341d720f..ffdac9f397 100644
|
|||||||
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
||||||
if (retval) {
|
if (retval) {
|
||||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||||
index c6885edf2a..9aec3c05e8 100644
|
index e14da53790..b879a4049b 100644
|
||||||
--- a/src/lib/kadm5/logger.c
|
--- a/src/lib/kadm5/logger.c
|
||||||
+++ b/src/lib/kadm5/logger.c
|
+++ b/src/lib/kadm5/logger.c
|
||||||
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||||
*/
|
*/
|
||||||
append = (cp[4] == ':') ? O_APPEND : 0;
|
append = (cp[4] == ':') ? O_APPEND : 0;
|
||||||
if (append || cp[4] == '=') {
|
if (append || cp[4] == '=') {
|
||||||
@ -345,7 +345,7 @@ index c6885edf2a..9aec3c05e8 100644
|
|||||||
S_IRUSR | S_IWUSR | S_IRGRP);
|
S_IRUSR | S_IWUSR | S_IRGRP);
|
||||||
if (fd != -1)
|
if (fd != -1)
|
||||||
f = fdopen(fd, append ? "a" : "w");
|
f = fdopen(fd, append ? "a" : "w");
|
||||||
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||||
* In case the old logfile did not get moved out of the
|
* In case the old logfile did not get moved out of the
|
||||||
* way, open for append to prevent squashing the old logs.
|
* way, open for append to prevent squashing the old logs.
|
||||||
*/
|
*/
|
||||||
@ -439,10 +439,10 @@ index e510211fc5..f3ea28c8ec 100644
|
|||||||
goto report_errno;
|
goto report_errno;
|
||||||
writevno = 1;
|
writevno = 1;
|
||||||
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
||||||
index 3369fc4ba6..95f82cda03 100644
|
index 4cbbbb270a..c4058ddc96 100644
|
||||||
--- a/src/lib/krb5/os/trace.c
|
--- a/src/lib/krb5/os/trace.c
|
||||||
+++ b/src/lib/krb5/os/trace.c
|
+++ b/src/lib/krb5/os/trace.c
|
||||||
@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
|
@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
|
||||||
fd = malloc(sizeof(*fd));
|
fd = malloc(sizeof(*fd));
|
||||||
if (fd == NULL)
|
if (fd == NULL)
|
||||||
return ENOMEM;
|
return ENOMEM;
|
||||||
@ -452,7 +452,7 @@ index 3369fc4ba6..95f82cda03 100644
|
|||||||
free(fd);
|
free(fd);
|
||||||
return errno;
|
return errno;
|
||||||
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
|
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
|
||||||
index 7db30a33b0..2b9d01921d 100644
|
index 9a506e9d44..f92ab47143 100644
|
||||||
--- a/src/plugins/kdb/db2/adb_openclose.c
|
--- a/src/plugins/kdb/db2/adb_openclose.c
|
||||||
+++ b/src/plugins/kdb/db2/adb_openclose.c
|
+++ b/src/plugins/kdb/db2/adb_openclose.c
|
||||||
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
|
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
|
||||||
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
|
|||||||
+
|
+
|
||||||
+#endif /* USE_SELINUX */
|
+#endif /* USE_SELINUX */
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001
|
From a9c463ed5988c860ebb18de212d6c56da1cb1169 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||||
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
||||||
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
|
|||||||
install:
|
install:
|
||||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001
|
From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||||
Subject: [PATCH] [downstream] Remove 3des support
|
Subject: [PATCH] [downstream] Remove 3des support
|
||||||
@ -32,7 +32,7 @@ Last-updated: 1.20-final
|
|||||||
src/include/krb5/krb5.hin | 10 +-
|
src/include/krb5/krb5.hin | 10 +-
|
||||||
src/kdc/kdc_util.c | 4 -
|
src/kdc/kdc_util.c | 4 -
|
||||||
src/lib/crypto/Makefile.in | 8 +-
|
src/lib/crypto/Makefile.in | 8 +-
|
||||||
src/lib/crypto/builtin/Makefile.in | 6 +-
|
src/lib/crypto/builtin/Makefile.in | 4 +-
|
||||||
src/lib/crypto/builtin/des/ISSUES | 13 -
|
src/lib/crypto/builtin/des/ISSUES | 13 -
|
||||||
src/lib/crypto/builtin/des/Makefile.in | 82 ----
|
src/lib/crypto/builtin/des/Makefile.in | 82 ----
|
||||||
src/lib/crypto/builtin/des/d3_aead.c | 137 ------
|
src/lib/crypto/builtin/des/d3_aead.c | 137 ------
|
||||||
@ -74,7 +74,7 @@ Last-updated: 1.20-final
|
|||||||
src/lib/crypto/krb/prf_des.c | 47 ---
|
src/lib/crypto/krb/prf_des.c | 47 ---
|
||||||
src/lib/crypto/krb/random_to_key.c | 28 --
|
src/lib/crypto/krb/random_to_key.c | 28 --
|
||||||
src/lib/crypto/libk5crypto.exports | 1 -
|
src/lib/crypto/libk5crypto.exports | 1 -
|
||||||
src/lib/crypto/openssl/Makefile.in | 8 +-
|
src/lib/crypto/openssl/Makefile.in | 4 +-
|
||||||
src/lib/crypto/openssl/des/Makefile.in | 20 -
|
src/lib/crypto/openssl/des/Makefile.in | 20 -
|
||||||
src/lib/crypto/openssl/des/deps | 14 -
|
src/lib/crypto/openssl/des/deps | 14 -
|
||||||
src/lib/crypto/openssl/des/des_keys.c | 39 --
|
src/lib/crypto/openssl/des/des_keys.c | 39 --
|
||||||
@ -98,18 +98,19 @@ Last-updated: 1.20-final
|
|||||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +-
|
src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +-
|
||||||
src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 --
|
src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 --
|
||||||
src/plugins/preauth/spake/t_vectors.c | 25 --
|
src/plugins/preauth/spake/t_vectors.c | 25 --
|
||||||
src/tests/gssapi/t_enctypes.py | 33 +-
|
src/tests/gssapi/t_enctypes.py | 34 +-
|
||||||
src/tests/gssapi/t_invalid.c | 12 -
|
src/tests/gssapi/t_invalid.c | 12 -
|
||||||
src/tests/gssapi/t_pcontok.c | 16 +-
|
src/tests/gssapi/t_pcontok.c | 16 +-
|
||||||
src/tests/gssapi/t_prf.c | 7 -
|
src/tests/gssapi/t_prf.c | 7 -
|
||||||
src/tests/t_authdata.py | 2 +-
|
src/tests/t_authdata.py | 2 +-
|
||||||
src/tests/t_etype_info.py | 18 +-
|
src/tests/t_etype_info.py | 20 +-
|
||||||
src/tests/t_keyrollover.py | 8 +-
|
src/tests/t_keyrollover.py | 8 +-
|
||||||
src/tests/t_mkey.py | 35 --
|
src/tests/t_mkey.py | 35 --
|
||||||
src/tests/t_salt.py | 5 +-
|
src/tests/t_salt.py | 5 +-
|
||||||
|
src/tests/t_sesskeynego.py | 8 -
|
||||||
src/util/k5test.py | 7 -
|
src/util/k5test.py | 7 -
|
||||||
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
||||||
89 files changed, 151 insertions(+), 4713 deletions(-)
|
90 files changed, 149 insertions(+), 4720 deletions(-)
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
||||||
@ -199,10 +200,10 @@ index 74a0a2acef..846c58ed82 100644
|
|||||||
|
|
||||||
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
|
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
|
||||||
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||||
index 694922c0d9..c4d5499d3b 100644
|
index dce19ad43e..2b4ed7da0b 100644
|
||||||
--- a/doc/admin/enctypes.rst
|
--- a/doc/admin/enctypes.rst
|
||||||
+++ b/doc/admin/enctypes.rst
|
+++ b/doc/admin/enctypes.rst
|
||||||
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows
|
@@ -146,7 +146,7 @@ enctype weak? krb5 Windows
|
||||||
des-cbc-crc weak <1.18 >=2000
|
des-cbc-crc weak <1.18 >=2000
|
||||||
des-cbc-md4 weak <1.18 ?
|
des-cbc-md4 weak <1.18 ?
|
||||||
des-cbc-md5 weak <1.18 >=2000
|
des-cbc-md5 weak <1.18 >=2000
|
||||||
@ -211,7 +212,7 @@ index 694922c0d9..c4d5499d3b 100644
|
|||||||
arcfour-hmac deprecated >=1.3 >=2000
|
arcfour-hmac deprecated >=1.3 >=2000
|
||||||
arcfour-hmac-exp weak >=1.3 >=2000
|
arcfour-hmac-exp weak >=1.3 >=2000
|
||||||
aes128-cts-hmac-sha1-96 >=1.3 >=Vista
|
aes128-cts-hmac-sha1-96 >=1.3 >=Vista
|
||||||
@@ -148,9 +148,11 @@ default.
|
@@ -165,9 +165,11 @@ default.
|
||||||
krb5 releases 1.17 and later flag deprecated encryption types
|
krb5 releases 1.17 and later flag deprecated encryption types
|
||||||
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
|
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
|
||||||
kadmin output. krb5 release 1.19 issues a warning during initial
|
kadmin output. krb5 release 1.19 issues a warning during initial
|
||||||
@ -247,7 +248,7 @@ index ade5e1f87a..e4dc54f7e5 100644
|
|||||||
|
|
||||||
.. _err_cert_chain_cert_expired:
|
.. _err_cert_chain_cert_expired:
|
||||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
||||||
index a0d4f26701..5f34dea5e8 100644
|
index 45fe160d7f..b4b1f3bd93 100644
|
||||||
--- a/doc/appdev/refs/macros/index.rst
|
--- a/doc/appdev/refs/macros/index.rst
|
||||||
+++ b/doc/appdev/refs/macros/index.rst
|
+++ b/doc/appdev/refs/macros/index.rst
|
||||||
@@ -36,7 +36,6 @@ Public
|
@@ -36,7 +36,6 @@ Public
|
||||||
@ -259,10 +260,10 @@ index a0d4f26701..5f34dea5e8 100644
|
|||||||
CKSUMTYPE_NIST_SHA.rst
|
CKSUMTYPE_NIST_SHA.rst
|
||||||
CKSUMTYPE_RSA_MD4.rst
|
CKSUMTYPE_RSA_MD4.rst
|
||||||
diff --git a/doc/conf.py b/doc/conf.py
|
diff --git a/doc/conf.py b/doc/conf.py
|
||||||
index fa0eb80f1f..12168fa695 100644
|
index cd76f5999f..1e1cfce80c 100644
|
||||||
--- a/doc/conf.py
|
--- a/doc/conf.py
|
||||||
+++ b/doc/conf.py
|
+++ b/doc/conf.py
|
||||||
@@ -278,7 +278,7 @@ else:
|
@@ -281,7 +281,7 @@ else:
|
||||||
rst_epilog += '''
|
rst_epilog += '''
|
||||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||||
@ -272,7 +273,7 @@ index fa0eb80f1f..12168fa695 100644
|
|||||||
.. |copy| unicode:: U+000A9
|
.. |copy| unicode:: U+000A9
|
||||||
'''
|
'''
|
||||||
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
||||||
index ca2d6ef117..100c64a1c1 100644
|
index 10effcf175..cad0855724 100644
|
||||||
--- a/doc/mitK5features.rst
|
--- a/doc/mitK5features.rst
|
||||||
+++ b/doc/mitK5features.rst
|
+++ b/doc/mitK5features.rst
|
||||||
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
|
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
|
||||||
@ -307,10 +308,10 @@ index 8f14e9bf2c..ba3bb18eec 100644
|
|||||||
##DOS## $(WCONFIG) config < $@.in > $@
|
##DOS## $(WCONFIG) config < $@.in > $@
|
||||||
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index 40545f2bfc..8dc864718d 100644
|
index 69be9030f8..2561e917a2 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||||
lib lib/kdb
|
lib lib/kdb
|
||||||
|
|
||||||
lib/crypto lib/crypto/krb lib/crypto/crypto_tests
|
lib/crypto lib/crypto/krb lib/crypto/crypto_tests
|
||||||
@ -326,7 +327,7 @@ index 40545f2bfc..8dc864718d 100644
|
|||||||
|
|
||||||
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
index 7e1dea2cbf..fb9f2a366c 100644
|
index dd6430ece8..350bcf86f2 100644
|
||||||
--- a/src/include/krb5/krb5.hin
|
--- a/src/include/krb5/krb5.hin
|
||||||
+++ b/src/include/krb5/krb5.hin
|
+++ b/src/include/krb5/krb5.hin
|
||||||
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
||||||
@ -362,10 +363,10 @@ index 7e1dea2cbf..fb9f2a366c 100644
|
|||||||
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
||||||
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
||||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||||
index 9f2a67d189..b7a9aa4992 100644
|
index e54cc751f9..ea10e23a95 100644
|
||||||
--- a/src/kdc/kdc_util.c
|
--- a/src/kdc/kdc_util.c
|
||||||
+++ b/src/kdc/kdc_util.c
|
+++ b/src/kdc/kdc_util.c
|
||||||
@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
@@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
||||||
name = "rsaEncryption-EnvOID";
|
name = "rsaEncryption-EnvOID";
|
||||||
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
||||||
name = "id-RSAES-OAEP-EnvOID";
|
name = "id-RSAES-OAEP-EnvOID";
|
||||||
@ -374,7 +375,7 @@ index 9f2a67d189..b7a9aa4992 100644
|
|||||||
else
|
else
|
||||||
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
||||||
|
|
||||||
@@ -1704,8 +1702,6 @@ krb5_boolean
|
@@ -1657,8 +1655,6 @@ krb5_boolean
|
||||||
enctype_requires_etype_info_2(krb5_enctype enctype)
|
enctype_requires_etype_info_2(krb5_enctype enctype)
|
||||||
{
|
{
|
||||||
switch(enctype) {
|
switch(enctype) {
|
||||||
@ -414,7 +415,7 @@ index 10e8c74cf8..25c4f40cc3 100644
|
|||||||
all-unix: all-liblinks
|
all-unix: all-liblinks
|
||||||
install-unix: install-libs
|
install-unix: install-libs
|
||||||
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
|
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
|
||||||
index daf19da195..c9e967c807 100644
|
index 243bb17ba3..30bfcd30c0 100644
|
||||||
--- a/src/lib/crypto/builtin/Makefile.in
|
--- a/src/lib/crypto/builtin/Makefile.in
|
||||||
+++ b/src/lib/crypto/builtin/Makefile.in
|
+++ b/src/lib/crypto/builtin/Makefile.in
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
@ -429,15 +430,6 @@ index daf19da195..c9e967c807 100644
|
|||||||
$(srcdir)/kdf.c \
|
$(srcdir)/kdf.c \
|
||||||
$(srcdir)/pbkdf2.c
|
$(srcdir)/pbkdf2.c
|
||||||
|
|
||||||
-STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
+STOBJLISTS= md4/OBJS.ST \
|
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
|
||||||
enc_provider/OBJS.ST \
|
|
||||||
hash_provider/OBJS.ST \
|
|
||||||
@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
camellia/OBJS.ST \
|
|
||||||
OBJS.ST
|
|
||||||
|
|
||||||
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
||||||
+SUBDIROBJLISTS= md4/OBJS.ST \
|
+SUBDIROBJLISTS= md4/OBJS.ST \
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
||||||
@ -4862,7 +4854,7 @@ index 052f4d4b51..d8ffa63304 100644
|
|||||||
krb5int_camellia_encrypt
|
krb5int_camellia_encrypt
|
||||||
krb5int_cmac_checksum
|
krb5int_cmac_checksum
|
||||||
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in
|
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in
|
||||||
index 08de047d0a..88f7fd0a09 100644
|
index cf11f6847b..8e4cdb8bbf 100644
|
||||||
--- a/src/lib/crypto/openssl/Makefile.in
|
--- a/src/lib/crypto/openssl/Makefile.in
|
||||||
+++ b/src/lib/crypto/openssl/Makefile.in
|
+++ b/src/lib/crypto/openssl/Makefile.in
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
@ -4873,32 +4865,15 @@ index 08de047d0a..88f7fd0a09 100644
|
|||||||
LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)
|
LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)
|
||||||
|
|
||||||
STLIBOBJS=\
|
STLIBOBJS=\
|
||||||
@@ -24,14 +24,14 @@ SRCS=\
|
@@ -24,7 +24,7 @@ SRCS=\
|
||||||
$(srcdir)/pbkdf2.c \
|
$(srcdir)/pbkdf2.c \
|
||||||
$(srcdir)/sha256.c
|
$(srcdir)/sha256.c
|
||||||
|
|
||||||
-STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
+STOBJLISTS= md4/OBJS.ST \
|
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
|
||||||
enc_provider/OBJS.ST \
|
|
||||||
hash_provider/OBJS.ST \
|
|
||||||
aes/OBJS.ST \
|
|
||||||
OBJS.ST
|
|
||||||
|
|
||||||
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
||||||
+SUBDIROBJLISTS= md4/OBJS.ST \
|
+SUBDIROBJLISTS= md4/OBJS.ST \
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
||||||
enc_provider/OBJS.ST \
|
enc_provider/OBJS.ST \
|
||||||
hash_provider/OBJS.ST \
|
hash_provider/OBJS.ST \
|
||||||
@@ -42,7 +42,7 @@ includes: depend
|
|
||||||
|
|
||||||
depend: $(SRCS)
|
|
||||||
|
|
||||||
-clean-unix:: clean-libobjs
|
|
||||||
+clean-unix:: clean-libobjsn
|
|
||||||
|
|
||||||
@lib_frag@
|
|
||||||
@libobj_frag@
|
|
||||||
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
|
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
|
||||||
deleted file mode 100644
|
deleted file mode 100644
|
||||||
index a6cece1dd1..0000000000
|
index a6cece1dd1..0000000000
|
||||||
@ -5244,10 +5219,10 @@ index 41e845eae0..5a43c3d9eb 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
index d4e90793f9..1bc807172b 100644
|
index b35e11bfb6..d7c2ad321e 100644
|
||||||
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle,
|
@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle,
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (negotiated_etype) {
|
switch (negotiated_etype) {
|
||||||
@ -5256,7 +5231,7 @@ index d4e90793f9..1bc807172b 100644
|
|||||||
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
||||||
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
|
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
|
||||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
index a4446530fc..88d41130a7 100644
|
index 7364607198..5aeb69aebc 100644
|
||||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
@@ -125,14 +125,14 @@ enum sgn_alg {
|
@@ -125,14 +125,14 @@ enum sgn_alg {
|
||||||
@ -5286,10 +5261,10 @@ index a4446530fc..88d41130a7 100644
|
|||||||
};
|
};
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
|
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
|
||||||
index d1cdce486f..7f7146a0a2 100644
|
index 99275be53a..0e5d10b115 100644
|
||||||
--- a/src/lib/gssapi/krb5/k5seal.c
|
--- a/src/lib/gssapi/krb5/k5seal.c
|
||||||
+++ b/src/lib/gssapi/krb5/k5seal.c
|
+++ b/src/lib/gssapi/krb5/k5seal.c
|
||||||
@@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context,
|
@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context,
|
||||||
|
|
||||||
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
||||||
|
|
||||||
@ -5315,7 +5290,7 @@ index d1cdce486f..7f7146a0a2 100644
|
|||||||
|
|
||||||
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
||||||
if (code) {
|
if (code) {
|
||||||
@@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context,
|
@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context,
|
||||||
gssalloc_free(t);
|
gssalloc_free(t);
|
||||||
return(code);
|
return(code);
|
||||||
}
|
}
|
||||||
@ -5327,22 +5302,22 @@ index d1cdce486f..7f7146a0a2 100644
|
|||||||
- */
|
- */
|
||||||
- if (md5cksum.length != cksum_size)
|
- if (md5cksum.length != cksum_size)
|
||||||
- abort ();
|
- abort ();
|
||||||
- memcpy (ptr+14, md5cksum.contents, md5cksum.length);
|
- memcpy(checksum, md5cksum.contents, md5cksum.length);
|
||||||
- break;
|
- break;
|
||||||
- case SGN_ALG_HMAC_MD5:
|
- case SGN_ALG_HMAC_MD5:
|
||||||
- memcpy (ptr+14, md5cksum.contents, cksum_size);
|
- memcpy(checksum, md5cksum.contents, cksum_size);
|
||||||
- break;
|
- break;
|
||||||
- }
|
- }
|
||||||
+
|
+
|
||||||
+ memcpy (ptr+14, md5cksum.contents, cksum_size);
|
+ memcpy(checksum, md5cksum.contents, cksum_size);
|
||||||
|
|
||||||
krb5_free_checksum_contents(context, &md5cksum);
|
krb5_free_checksum_contents(context, &md5cksum);
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
|
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
index 9bb2ee1099..9147bb2c78 100644
|
index 7bf7609a48..d5e12cb436 100644
|
||||||
--- a/src/lib/gssapi/krb5/k5sealiov.c
|
--- a/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
+++ b/src/lib/gssapi/krb5/k5sealiov.c
|
+++ b/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
@@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context,
|
@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context,
|
||||||
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
||||||
|
|
||||||
/* initialize the checksum */
|
/* initialize the checksum */
|
||||||
@ -5366,20 +5341,20 @@ index 9bb2ee1099..9147bb2c78 100644
|
|||||||
|
|
||||||
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
|
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
|
||||||
if (code != 0)
|
if (code != 0)
|
||||||
@@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context,
|
@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context,
|
||||||
if (code != 0)
|
if (code != 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
- switch (ctx->signalg) {
|
- switch (ctx->signalg) {
|
||||||
- case SGN_ALG_HMAC_SHA1_DES3_KD:
|
- case SGN_ALG_HMAC_SHA1_DES3_KD:
|
||||||
- assert(md5cksum.length == ctx->cksum_size);
|
- assert(md5cksum.length == ctx->cksum_size);
|
||||||
- memcpy(ptr + 14, md5cksum.contents, md5cksum.length);
|
- memcpy(checksum, md5cksum.contents, md5cksum.length);
|
||||||
- break;
|
- break;
|
||||||
- case SGN_ALG_HMAC_MD5:
|
- case SGN_ALG_HMAC_MD5:
|
||||||
- memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
- memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
||||||
- break;
|
- break;
|
||||||
- }
|
- }
|
||||||
+ memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
+ memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
||||||
|
|
||||||
/* create the seq_num */
|
/* create the seq_num */
|
||||||
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
|
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
|
||||||
@ -5618,7 +5593,7 @@ index 84f1949887..32150f5e34 100644
|
|||||||
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
||||||
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,
|
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,
|
||||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||||
index 87b486c53f..2b5abcd817 100644
|
index a6c2bbeb54..18290b764b 100644
|
||||||
--- a/src/lib/krb5/krb/init_ctx.c
|
--- a/src/lib/krb5/krb/init_ctx.c
|
||||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||||
@@ -59,7 +59,6 @@
|
@@ -59,7 +59,6 @@
|
||||||
@ -5629,7 +5604,7 @@ index 87b486c53f..2b5abcd817 100644
|
|||||||
ENCTYPE_ARCFOUR_HMAC,
|
ENCTYPE_ARCFOUR_HMAC,
|
||||||
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
|
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
|
||||||
0
|
0
|
||||||
@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
@@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
||||||
/* Set all enctypes in the default list. */
|
/* Set all enctypes in the default list. */
|
||||||
for (i = 0; default_list[i]; i++)
|
for (i = 0; default_list[i]; i++)
|
||||||
mod_list(default_list[i], sel, weak, &list);
|
mod_list(default_list[i], sel, weak, &list);
|
||||||
@ -5769,10 +5744,10 @@ index e3d2846315..586661bb7e 100644
|
|||||||
#define CKK_CAST3 (0x17)
|
#define CKK_CAST3 (0x17)
|
||||||
#define CKK_CAST128 (0x18)
|
#define CKK_CAST128 (0x18)
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
index 94a1b22fb1..65f6210727 100644
|
index e22798f668..9fa315d7a0 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
@@ -376,11 +376,11 @@ krb5_error_code server_process_dh
|
@@ -370,11 +370,11 @@ krb5_error_code server_process_dh
|
||||||
* krb5_algorithm_identifier
|
* krb5_algorithm_identifier
|
||||||
*/
|
*/
|
||||||
krb5_error_code create_krb5_supportedCMSTypes
|
krb5_error_code create_krb5_supportedCMSTypes
|
||||||
@ -5874,10 +5849,10 @@ index 2279202d3a..96b0307d78 100644
|
|||||||
/* initial key, w, x, y, T, S, K */
|
/* initial key, w, x, y, T, S, K */
|
||||||
"8846F7EAEE8FB117AD06BDD830B7586C",
|
"8846F7EAEE8FB117AD06BDD830B7586C",
|
||||||
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
||||||
index 7494d7fcdb..2f95d89967 100755
|
index f5f11842e2..1bb8c40b6b 100755
|
||||||
--- a/src/tests/gssapi/t_enctypes.py
|
--- a/src/tests/gssapi/t_enctypes.py
|
||||||
+++ b/src/tests/gssapi/t_enctypes.py
|
+++ b/src/tests/gssapi/t_enctypes.py
|
||||||
@@ -1,24 +1,17 @@
|
@@ -1,25 +1,17 @@
|
||||||
from k5test import *
|
from k5test import *
|
||||||
|
|
||||||
-# Define some convenience abbreviations for enctypes we will see in
|
-# Define some convenience abbreviations for enctypes we will see in
|
||||||
@ -5901,13 +5876,14 @@ index 7494d7fcdb..2f95d89967 100755
|
|||||||
# These tests make assumptions about the default enctype lists, so set
|
# These tests make assumptions about the default enctype lists, so set
|
||||||
# them explicitly rather than relying on the library defaults.
|
# them explicitly rather than relying on the library defaults.
|
||||||
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
||||||
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
||||||
|
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||||
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
|
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
|
||||||
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
|
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},
|
||||||
'realms': {'$realm': {'supported_enctypes': supp}}}
|
'realms': {'$realm': {'supported_enctypes': supp}}}
|
||||||
realm = K5Realm(krb5_conf=conf)
|
realm = K5Realm(krb5_conf=conf)
|
||||||
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
||||||
@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
@@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
||||||
test_err('acc aes128', None, 'aes128-cts',
|
test_err('acc aes128', None, 'aes128-cts',
|
||||||
'Encryption type aes256-cts-hmac-sha1-96 not permitted')
|
'Encryption type aes256-cts-hmac-sha1-96 not permitted')
|
||||||
|
|
||||||
@ -5928,7 +5904,7 @@ index 7494d7fcdb..2f95d89967 100755
|
|||||||
# subkey.
|
# subkey.
|
||||||
test('upgrade noargs', None, None,
|
test('upgrade noargs', None, None,
|
||||||
tktenc=aes256, tktsession=d_rc4,
|
tktenc=aes256, tktsession=d_rc4,
|
||||||
@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
@@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
||||||
tktenc=aes256, tktsession=d_rc4,
|
tktenc=aes256, tktsession=d_rc4,
|
||||||
proto='cfx', isubkey=rc4, asubkey=aes128)
|
proto='cfx', isubkey=rc4, asubkey=aes128)
|
||||||
|
|
||||||
@ -6019,10 +5995,10 @@ index f71774cdc9..d1857c433f 100644
|
|||||||
"3BB3AE288C12B3B9D06B208A4151B3B6",
|
"3BB3AE288C12B3B9D06B208A4151B3B6",
|
||||||
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
|
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
|
||||||
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
||||||
index 97e2474bf8..47ea9e4b47 100644
|
index bde1c36844..8fcd30db51 100644
|
||||||
--- a/src/tests/t_authdata.py
|
--- a/src/tests/t_authdata.py
|
||||||
+++ b/src/tests/t_authdata.py
|
+++ b/src/tests/t_authdata.py
|
||||||
@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted'])
|
@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted'])
|
||||||
# preferred krbtgt enctype changes.
|
# preferred krbtgt enctype changes.
|
||||||
mark('#8139 regression test')
|
mark('#8139 regression test')
|
||||||
realm.kinit(realm.user_princ, password('user'), ['-f'])
|
realm.kinit(realm.user_princ, password('user'), ['-f'])
|
||||||
@ -6032,17 +6008,19 @@ index 97e2474bf8..47ea9e4b47 100644
|
|||||||
realm.run(['./forward'])
|
realm.run(['./forward'])
|
||||||
realm.run([kvno, realm.host_princ])
|
realm.run([kvno, realm.host_princ])
|
||||||
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||||
index c982508d8b..96e90a69d2 100644
|
index 38cf96ca8f..e82ff7ff07 100644
|
||||||
--- a/src/tests/t_etype_info.py
|
--- a/src/tests/t_etype_info.py
|
||||||
+++ b/src/tests/t_etype_info.py
|
+++ b/src/tests/t_etype_info.py
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,7 +1,7 @@
|
||||||
from k5test import *
|
from k5test import *
|
||||||
|
|
||||||
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||||
|
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||||
+supported_enctypes = 'aes128-cts rc4-hmac'
|
+supported_enctypes = 'aes128-cts rc4-hmac'
|
||||||
conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
+conf = {'libdefaults': {'allow_rc4': 'true'},
|
||||||
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||||
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||||
|
|
||||||
@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
||||||
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
||||||
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
||||||
@ -6081,7 +6059,7 @@ index c982508d8b..96e90a69d2 100644
|
|||||||
# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
|
# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
|
||||||
# error if the client does optimistic preauth.
|
# error if the client does optimistic preauth.
|
||||||
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
||||||
index 2c825a6922..f29e0d5500 100755
|
index e9840dfae8..583c2fa27e 100755
|
||||||
--- a/src/tests/t_keyrollover.py
|
--- a/src/tests/t_keyrollover.py
|
||||||
+++ b/src/tests/t_keyrollover.py
|
+++ b/src/tests/t_keyrollover.py
|
||||||
@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)
|
@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)
|
||||||
@ -6181,24 +6159,50 @@ index 65084bbf35..55ca897459 100755
|
|||||||
|
|
||||||
# Test using different salt types in a principal's key list.
|
# Test using different salt types in a principal's key list.
|
||||||
# Parameters from one key in the list must not leak over to later ones.
|
# Parameters from one key in the list must not leak over to later ones.
|
||||||
|
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
||||||
|
index 5a213617b5..c7dba0ff5b 100755
|
||||||
|
--- a/src/tests/t_sesskeynego.py
|
||||||
|
+++ b/src/tests/t_sesskeynego.py
|
||||||
|
@@ -26,7 +26,6 @@ conf3 = {'libdefaults': {
|
||||||
|
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
||||||
|
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
||||||
|
conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
||||||
|
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
||||||
|
# Test with client request and session_enctypes preferring aes128, but
|
||||||
|
# aes256 long-term key.
|
||||||
|
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
||||||
|
@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
||||||
|
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||||
|
realm.stop()
|
||||||
|
|
||||||
|
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
||||||
|
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
||||||
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||||
|
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
||||||
|
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
||||||
|
-realm.stop()
|
||||||
|
-
|
||||||
|
# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
||||||
|
realm = K5Realm(create_host=False, get_creds=False)
|
||||||
|
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
||||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||||
index 619f1995f8..771f82e3cc 100644
|
index 8e5f5ba8e9..b953827018 100644
|
||||||
--- a/src/util/k5test.py
|
--- a/src/util/k5test.py
|
||||||
+++ b/src/util/k5test.py
|
+++ b/src/util/k5test.py
|
||||||
@@ -1344,13 +1344,6 @@ _passes = [
|
@@ -1338,13 +1338,6 @@ _passes = [
|
||||||
# No special settings; exercises AES256.
|
# No special settings; exercises AES256.
|
||||||
('default', None, None, None),
|
('default', None, None, None),
|
||||||
|
|
||||||
- # Exercise the DES3 enctype.
|
- # Exercise the DES3 enctype.
|
||||||
- ('des3', None,
|
- ('des3', None,
|
||||||
- {'libdefaults': {'permitted_enctypes': 'des3'}},
|
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
||||||
- {'realms': {'$realm': {
|
- {'realms': {'$realm': {
|
||||||
- 'supported_enctypes': 'des3-cbc-sha1:normal',
|
- 'supported_enctypes': 'des3-cbc-sha1:normal',
|
||||||
- 'master_key_type': 'des3-cbc-sha1'}}}),
|
- 'master_key_type': 'des3-cbc-sha1'}}}),
|
||||||
-
|
-
|
||||||
# Exercise the arcfour enctype.
|
# Exercise the arcfour enctype.
|
||||||
('arcfour', None,
|
('arcfour', None,
|
||||||
{'libdefaults': {'permitted_enctypes': 'rc4'}},
|
{'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
||||||
diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
||||||
index 1aebdd0b4a..c38eefd2bd 100644
|
index 1aebdd0b4a..c38eefd2bd 100644
|
||||||
--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
||||||
@ -6224,5 +6228,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
|
|||||||
<td>The AES Advanced Encryption Standard
|
<td>The AES Advanced Encryption Standard
|
||||||
family, like 3DES, is a symmetric block cipher and was designed
|
family, like 3DES, is a symmetric block cipher and was designed
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
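--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,4 +1,4 @@
-From 239cd24624b801d4fc4bb4686bef8526e7675d77 Mon Sep 17 00:00:00 2001
+From 53191fd3a1acfeefa8e5c26e7e9d130688daf745 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@@ -41,10 +41,10 @@ Last-updated: krb5-1.20
 15 files changed, 155 insertions(+), 33 deletions(-)
 
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index d5d6e06ebb..2a4962069f 100644
+index ecdf917501..b78a3faf0a 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
+@@ -342,6 +342,12 @@ The libdefaults section may contain any of the following relations:
 qualification of shortnames, set this relation to the empty string
 with ``qualify_shortname = ""``. (New in release 1.18.)
 
@@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
 vt->name = "spake";
 vt->pa_type_list = pa_types;
 --
-2.38.1
+2.40.1
 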
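--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,8 +1,7 @@
-From 5587c755b6ca82bde093523e2d17b255158cd90e Mon Sep 17 00:00:00 2001
+From c19d0bd35cde40172118c67c38a44f164bce1e16 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Thu, 5 May 2022 17:15:12 +0200
-Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
-with FIPS
+Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
 
 libkrad allows to establish connections only to UNIX socket in FIPS
 mode, because MD5 digest is not considered safe enough to be used for
@@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644
 retval = ESOCKTNOSUPPORT;
 goto error;
 --
-2.38.1
+2.40.1
 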
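--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,201 +0,0 @@
-From 842b4c3b5695e2518e6f1a1545db78865c04b59c Mon Sep 17 00:00:00 2001
-From: Julien Rische <jrische@redhat.com>
-Date: Fri, 22 Apr 2022 14:12:37 +0200
-Subject: [PATCH] Add configure variable for default PKCS#11 module
-
-[ghudson@mit.edu: added documentation of configure variable and doc
-substitution; shortened commit message]
-
-ticket: 9058 (new)
----
-doc/admin/conf_files/krb5_conf.rst | 2 +-
-doc/build/options2configure.rst | 3 +++
-doc/conf.py | 3 +++
-doc/mitK5defaults.rst | 25 +++++++++++++------------
-src/configure.ac | 8 ++++++++
-src/doc/Makefile.in | 2 ++
-src/man/Makefile.in | 4 +++-
-src/man/krb5.conf.man | 2 +-
-src/plugins/preauth/pkinit/pkinit.h | 1 -
-9 files changed, 34 insertions(+), 16 deletions(-)
-
-diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 2a4962069f..a33711d918 100644
---- a/doc/admin/conf_files/krb5_conf.rst
-+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -1017,7 +1017,7 @@ information for PKINIT is as follows:
-All keyword/values are optional. *modname* specifies the location
-of a library implementing PKCS #11. If a value is encountered
-with no keyword, it is assumed to be the *modname*. If no
-- module-name is specified, the default is ``opensc-pkcs11.so``.
-+ module-name is specified, the default is |pkcs11_modname|.
-``slotid=`` and/or ``token=`` may be specified to force the use of
-a particular smard card reader or token if there is more than one
-available. ``certid=`` and/or ``certlabel=`` may be specified to
-diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
-index 9e355dc2c5..e879b18bd2 100644
---- a/doc/build/options2configure.rst
-+++ b/doc/build/options2configure.rst
-@@ -137,6 +137,9 @@ Environment variables
-This option allows one to specify libraries to be passed to the
-linker (e.g., ``-l<library>``)
-
-+**PKCS11_MODNAME=**\ *library*
-+ Override the built-in default PKCS11 library name.
-+
-**SS_LIB=**\ *libs*...
-If ``-lss`` is not the correct way to link in your installed ss
-library, for example if additional support libraries are needed,
-diff --git a/doc/conf.py b/doc/conf.py
-index 12168fa695..0ab5ff9606 100644
---- a/doc/conf.py
-+++ b/doc/conf.py
-@@ -242,6 +242,7 @@ if 'mansubs' in tags:
-ccache = '``@CCNAME@``'
-keytab = '``@KTNAME@``'
-ckeytab = '``@CKTNAME@``'
-+ pkcs11_modname = '``@PKCS11MOD@``'
-elif 'pathsubs' in tags:
-# Read configured paths from a file produced by the build system.
-exec(open("paths.py").read())
-@@ -255,6 +256,7 @@ else:
-ccache = ':ref:`DEFCCNAME <paths>`'
-keytab = ':ref:`DEFKTNAME <paths>`'
-ckeytab = ':ref:`DEFCKTNAME <paths>`'
-+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
-
-rst_epilog = '\n'
-
-@@ -275,6 +277,7 @@ else:
-rst_epilog += '.. |ccache| replace:: %s\n' % ccache
-rst_epilog += '.. |keytab| replace:: %s\n' % keytab
-rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
-+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
-rst_epilog += '''
-.. |krb5conf| replace:: ``/etc/krb5.conf``
-.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
-diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
-index 74e69f4ad0..aea7af3dbb 100644
---- a/doc/mitK5defaults.rst
-+++ b/doc/mitK5defaults.rst
-@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
-operating system, the paths are generally chosen to match the
-operating system's filesystem layout.
-
--========================== ============= =========================== ===========================
--Description Symbolic name Custom build path Typical OS path
--========================== ============= =========================== ===========================
--User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
--Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
--Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
--Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
--Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
--Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
--Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
--Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
--========================== ============= =========================== ===========================
-+========================== ============== =========================== ===========================
-+Description Symbolic name Custom build path Typical OS path
-+========================== ============== =========================== ===========================
-+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
-+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
-+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
-+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
-+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
-+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
-+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
-+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
-+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
-+========================== ============== =========================== ===========================
-
-The default client keytab name (DEFCKTNAME) typically defaults to
-``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
-diff --git a/src/configure.ac b/src/configure.ac
-index 8dc864718d..9774cb71ae 100644
---- a/src/configure.ac
-+++ b/src/configure.ac
-@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
-AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
-[Define to default client keytab name])
-
-+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
-+if test "${PKCS11_MODNAME+set}" != set; then
-+ PKCS11_MODNAME=opensc-pkcs11.so
-+fi
-+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
-+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
-+ [Default PKCS11 module name])
-+
-AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
-AC_CONFIG_FILES([build-tools/kadm-server.pc
-build-tools/kadm-client.pc
-diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
-index 379bc36511..a1b0cff0a4 100644
---- a/src/doc/Makefile.in
-+++ b/src/doc/Makefile.in
-@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
-DEFCCNAME=@DEFCCNAME@
-DEFKTNAME=@DEFKTNAME@
-DEFCKTNAME=@DEFCKTNAME@
-+PKCS11_MODNAME=@PKCS11_MODNAME@
-
-RST_SOURCES= _static \
-_templates \
-@@ -118,6 +119,7 @@ paths.py:
-echo 'ccache = "``$(DEFCCNAME)``"' >> $@
-echo 'keytab = "``$(DEFKTNAME)``"' >> $@
-echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
-+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
-
-# Dummy rule that man/Makefile can invoke
-version.py: $(docsrc)/version.py
-diff --git a/src/man/Makefile.in b/src/man/Makefile.in
-index 00b1b2de06..85cae0914e 100644
---- a/src/man/Makefile.in
-+++ b/src/man/Makefile.in
-@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
-DEFCCNAME=@DEFCCNAME@
-DEFKTNAME=@DEFKTNAME@
-DEFCKTNAME=@DEFCKTNAME@
-+PKCS11_MODNAME=@PKCS11_MODNAME@
-
-MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
-kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
-@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
--e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
--e 's|@CCNAME@|$(DEFCCNAME)|g' \
--e 's|@KTNAME@|$(DEFKTNAME)|g' \
-- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
-+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
-+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
-
-all: $(MANSUBS)
-
-diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
-index 51acb38815..fd2c6f2bc4 100644
---- a/src/man/krb5.conf.man
-+++ b/src/man/krb5.conf.man
-@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.
-All keyword/values are optional. \fImodname\fP specifies the location
-of a library implementing PKCS #11. If a value is encountered
-with no keyword, it is assumed to be the \fImodname\fP\&. If no
--module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
-+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
-\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
-a particular smard card reader or token if there is more than one
-available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
-diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
-index 8135535e2c..66f92d8f03 100644
---- a/src/plugins/preauth/pkinit/pkinit.h
-+++ b/src/plugins/preauth/pkinit/pkinit.h
-@@ -42,7 +42,6 @@
-#ifndef WITHOUT_PKCS11
-#include "pkcs11.h"
-
--#define PKCS11_MODNAME "opensc-pkcs11.so"
-#define PK_SIGLEN_GUESS 1000
-#define PK_NOSLOT 999999
-#endif
---
-2.38.1
-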
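--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,4 +1,4 @@
-From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001
+From 0366e8b5b2f960cb8305fd95839376b6c18aae42 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Wed, 7 Dec 2022 13:22:42 +0100
 Subject: [PATCH] [downstream] Make tests compatible with
@@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
 fail('URI answers do not match')
 j += 1
 --
-2.38.1
+2.40.1
 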
@ -1,159 +0,0 @@
|
|||||||
From 3fb8c4c68274d2ff4addb44b7b95b4698c2c4f34 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Wed, 1 Jun 2022 18:02:04 +0200
|
|
||||||
Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
|
|
||||||
|
|
||||||
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
|
|
||||||
the algorithms it supports for verification of the CMS data signature.
|
|
||||||
(The MIT krb5 KDC currently ignores this list, but other
|
|
||||||
implementations use it.)
|
|
||||||
|
|
||||||
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
|
|
||||||
commit message]
|
|
||||||
|
|
||||||
ticket: 9066 (new)
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++-
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++
|
|
||||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++---------
|
|
||||||
3 files changed, 60 insertions(+), 26 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
index 652897fa14..1da482e0b4 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
@@ -32,9 +32,14 @@
|
|
||||||
|
|
||||||
#include "pkinit.h"
|
|
||||||
|
|
||||||
-/* statically declare OID constants for all three algorithms */
|
|
||||||
-static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01};
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */
|
|
||||||
+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 };
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */
|
|
||||||
static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 };
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */
|
|
||||||
static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 };
|
|
||||||
|
|
||||||
const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid };
|
|
||||||
@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = {
|
|
||||||
NULL
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
|
||||||
+ * rsadsi(113549) pkcs(1) 1 11 */
|
|
||||||
+static char sha256WithRSAEncr_oid[9] = {
|
|
||||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
|
|
||||||
+};
|
|
||||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
|
||||||
+ * rsadsi(113549) pkcs(1) 1 13 */
|
|
||||||
+static char sha512WithRSAEncr_oid[9] = {
|
|
||||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const krb5_data sha256WithRSAEncr_id = {
|
|
||||||
+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
|
|
||||||
+};
|
|
||||||
+const krb5_data sha512WithRSAEncr_id = {
|
|
||||||
+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+krb5_data const * const supported_cms_algs[] = {
|
|
||||||
+ &sha512WithRSAEncr_id,
|
|
||||||
+ &sha256WithRSAEncr_id,
|
|
||||||
+ NULL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as
|
|
||||||
* DomainParameters (RFC 3279 section 2.3.3). */
|
|
||||||
static const uint8_t o1024[] = {
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
index 65f6210727..64300da856 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096;
|
|
||||||
*/
|
|
||||||
extern krb5_data const * const supported_kdf_alg_ids[];
|
|
||||||
|
|
||||||
+/* CMS signature algorithms supported by this implementation, in order of
|
|
||||||
+ * decreasing preference. */
|
|
||||||
+extern krb5_data const * const supported_cms_algs[];
|
|
||||||
+
|
|
||||||
krb5_error_code
|
|
||||||
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
|
|
||||||
uint8_t **der_out, size_t *der_len);
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index d500455dec..1c2aa02827 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context,
|
|
||||||
pkinit_plg_crypto_context plg_cryptoctx,
|
|
||||||
pkinit_req_crypto_context req_cryptoctx,
|
|
||||||
pkinit_identity_crypto_context id_cryptoctx,
|
|
||||||
- krb5_algorithm_identifier ***oids)
|
|
||||||
+ krb5_algorithm_identifier ***algs_out)
|
|
||||||
{
|
|
||||||
+ krb5_error_code ret;
|
|
||||||
+ krb5_algorithm_identifier **algs = NULL;
|
|
||||||
+ size_t i, count;
|
|
||||||
|
|
||||||
- krb5_error_code retval = ENOMEM;
|
|
||||||
- krb5_algorithm_identifier **loids = NULL;
|
|
||||||
- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
|
|
||||||
+ *algs_out = NULL;
|
|
||||||
|
|
||||||
- *oids = NULL;
|
|
||||||
- loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
|
|
||||||
- if (loids == NULL)
|
|
||||||
- goto cleanup;
|
|
||||||
- loids[1] = NULL;
|
|
||||||
- loids[0] = malloc(sizeof(krb5_algorithm_identifier));
|
|
||||||
- if (loids[0] == NULL) {
|
|
||||||
- free(loids);
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
|
|
||||||
- if (retval) {
|
|
||||||
- free(loids[0]);
|
|
||||||
- free(loids);
|
|
||||||
+ /* Count supported OIDs and allocate list (including null terminator). */
|
|
||||||
+ for (count = 0; supported_cms_algs[count] != NULL; count++);
|
|
||||||
+ algs = k5calloc(count + 1, sizeof(*algs), &ret);
|
|
||||||
+ if (algs == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
+
|
|
||||||
+ /* Add an algorithm identifier for each OID, with no parameters. */
|
|
||||||
+ for (i = 0; i < count; i++) {
|
|
||||||
+ algs[i] = k5alloc(sizeof(*algs[i]), &ret);
|
|
||||||
+ if (algs[i] == NULL)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
|
|
||||||
+ &algs[i]->algorithm);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ algs[i]->parameters = empty_data();
|
|
||||||
}
|
|
||||||
- loids[0]->parameters.length = 0;
|
|
||||||
- loids[0]->parameters.data = NULL;
|
|
||||||
|
|
||||||
- *oids = loids;
|
|
||||||
- retval = 0;
|
|
||||||
-cleanup:
|
|
||||||
+ *algs_out = algs;
|
|
||||||
+ algs = NULL;
|
|
||||||
|
|
||||||
- return retval;
|
|
||||||
+cleanup:
|
|
||||||
+ free_krb5_algorithm_identifiers(&algs);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
krb5_error_code
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001
|
From a567b9de563cd8ad262f77cf97a8bc528a884745 Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
||||||
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
||||||
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
|
|||||||
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||||
* concatenated fields (all integer fields are big-endian):
|
* concatenated fields (all integer fields are big-endian):
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
|
|
@ -1,622 +0,0 @@
|
|||||||
From ffb47e4120d68aef015453350a3a50a9bab1ec58 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu, 23 Jun 2022 16:41:40 -0400
|
|
||||||
Subject: [PATCH] Simplify plugin loading code
|
|
||||||
|
|
||||||
Remove the USE_CFBUNDLE code, which was only used by KfM. Handle
|
|
||||||
platform conditionals according to current practice. Use
|
|
||||||
k5_dir_filenames() instead of opendir() and remove the Windows
|
|
||||||
implementation of opendir().
|
|
||||||
---
|
|
||||||
src/util/support/plugins.c | 507 +++++++++++--------------------------
|
|
||||||
1 file changed, 150 insertions(+), 357 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
|
|
||||||
index c6a9a21d57..0850565687 100644
|
|
||||||
--- a/src/util/support/plugins.c
|
|
||||||
+++ b/src/util/support/plugins.c
|
|
||||||
@@ -29,16 +29,6 @@
|
|
||||||
#if USE_DLOPEN
|
|
||||||
#include <dlfcn.h>
|
|
||||||
#endif
|
|
||||||
-#include <sys/types.h>
|
|
||||||
-#ifdef HAVE_SYS_STAT_H
|
|
||||||
-#include <sys/stat.h>
|
|
||||||
-#endif
|
|
||||||
-#ifdef HAVE_SYS_PARAM_H
|
|
||||||
-#include <sys/param.h>
|
|
||||||
-#endif
|
|
||||||
-#ifdef HAVE_UNISTD_H
|
|
||||||
-#include <unistd.h>
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
#if USE_DLOPEN
|
|
||||||
#ifdef RTLD_GROUP
|
|
||||||
@@ -68,16 +58,6 @@
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if USE_DLOPEN && USE_CFBUNDLE
|
|
||||||
-#include <CoreFoundation/CoreFoundation.h>
|
|
||||||
-
|
|
||||||
-/* Currently CoreFoundation only exists on the Mac so we just use
|
|
||||||
- * pthreads directly to avoid creating empty function calls on other
|
|
||||||
- * platforms. If a thread initializer ever gets created in the common
|
|
||||||
- * plugin code, move this there */
|
|
||||||
-static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#include <stdarg.h>
|
|
||||||
static void Tprintf (const char *fmt, ...)
|
|
||||||
{
|
|
||||||
@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...)
|
|
||||||
}
|
|
||||||
|
|
||||||
struct plugin_file_handle {
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
+#if defined(USE_DLOPEN)
|
|
||||||
void *dlhandle;
|
|
||||||
-#endif
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- HMODULE hinstPlugin;
|
|
||||||
-#endif
|
|
||||||
-#if !defined (USE_DLOPEN) && !defined (_WIN32)
|
|
||||||
+#elif defined(_WIN32)
|
|
||||||
+ HMODULE module;
|
|
||||||
+#else
|
|
||||||
char dummy;
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
-#ifdef _WIN32
|
|
||||||
-struct dirent {
|
|
||||||
- long d_ino; /* inode (always 1 in WIN32) */
|
|
||||||
- off_t d_off; /* offset to this dirent */
|
|
||||||
- unsigned short d_reclen; /* length of d_name */
|
|
||||||
- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-typedef struct {
|
|
||||||
- intptr_t handle; /* _findfirst/_findnext handle */
|
|
||||||
- short offset; /* offset into directory */
|
|
||||||
- short finished; /* 1 if there are not more files */
|
|
||||||
- struct _finddata_t fileinfo;/* from _findfirst/_findnext */
|
|
||||||
- char *dir; /* the dir we are reading */
|
|
||||||
- struct dirent dent; /* the dirent to return */
|
|
||||||
-} DIR;
|
|
||||||
+#if defined(USE_DLOPEN)
|
|
||||||
|
|
||||||
-DIR * opendir(const char *dir)
|
|
||||||
+static long
|
|
||||||
+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- DIR *dp;
|
|
||||||
- char *filespec;
|
|
||||||
- intptr_t handle;
|
|
||||||
- int index;
|
|
||||||
-
|
|
||||||
- filespec = malloc(strlen(dir) + 2 + 1);
|
|
||||||
- strcpy(filespec, dir);
|
|
||||||
- index = strlen(filespec) - 1;
|
|
||||||
- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\'))
|
|
||||||
- filespec[index] = '\0';
|
|
||||||
- strcat(filespec, "/*");
|
|
||||||
-
|
|
||||||
- dp = (DIR *)malloc(sizeof(DIR));
|
|
||||||
- dp->offset = 0;
|
|
||||||
- dp->finished = 0;
|
|
||||||
- dp->dir = strdup(dir);
|
|
||||||
-
|
|
||||||
- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) {
|
|
||||||
- if (errno == ENOENT)
|
|
||||||
- dp->finished = 1;
|
|
||||||
- else {
|
|
||||||
- free(filespec);
|
|
||||||
- free(dp->dir);
|
|
||||||
- free(dp);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
+ const char *e;
|
|
||||||
+
|
|
||||||
+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS);
|
|
||||||
+ if (h->dlhandle == NULL) {
|
|
||||||
+ e = dlerror();
|
|
||||||
+ if (e == NULL)
|
|
||||||
+ e = _("unknown failure");
|
|
||||||
+ Tprintf("dlopen(%s): %s\n", filename, e);
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"),
|
|
||||||
+ filename, e);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- dp->handle = handle;
|
|
||||||
- free(filespec);
|
|
||||||
-
|
|
||||||
- return dp;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
+#define open_plugin open_plugin_dlfcn
|
|
||||||
|
|
||||||
-struct dirent * readdir(DIR *dp)
|
|
||||||
+static long
|
|
||||||
+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- if (!dp || dp->finished) return NULL;
|
|
||||||
-
|
|
||||||
- if (dp->offset != 0) {
|
|
||||||
- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) {
|
|
||||||
- dp->finished = 1;
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
+ const char *e;
|
|
||||||
+
|
|
||||||
+ if (h->dlhandle == NULL)
|
|
||||||
+ return ENOENT;
|
|
||||||
+ *sym_out = dlsym(h->dlhandle, csymname);
|
|
||||||
+ if (*sym_out == NULL) {
|
|
||||||
+ e = dlerror();
|
|
||||||
+ if (e == NULL)
|
|
||||||
+ e = _("unknown failure");
|
|
||||||
+ Tprintf("dlsym(%s): %s\n", csymname, e);
|
|
||||||
+ k5_set_error(ep, ENOENT, "%s", e);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
- dp->offset++;
|
|
||||||
-
|
|
||||||
- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME);
|
|
||||||
- dp->dent.d_ino = 1;
|
|
||||||
- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name);
|
|
||||||
- dp->dent.d_off = dp->offset;
|
|
||||||
-
|
|
||||||
- return &(dp->dent);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-int closedir(DIR *dp)
|
|
||||||
-{
|
|
||||||
- if (!dp) return 0;
|
|
||||||
- _findclose(dp->handle);
|
|
||||||
- free(dp->dir);
|
|
||||||
- free(dp);
|
|
||||||
-
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
-#endif
|
|
||||||
+#define get_sym get_sym_dlfcn
|
|
||||||
|
|
||||||
-long KRB5_CALLCONV
|
|
||||||
-krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep)
|
|
||||||
+static void
|
|
||||||
+close_plugin_dlfcn(struct plugin_file_handle *h)
|
|
||||||
{
|
|
||||||
- long err = 0;
|
|
||||||
- struct plugin_file_handle *htmp = NULL;
|
|
||||||
- int got_plugin = 0;
|
|
||||||
-#if defined(USE_CFBUNDLE) || defined(_WIN32)
|
|
||||||
- struct stat statbuf;
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- if (stat (filepath, &statbuf) < 0) {
|
|
||||||
- err = errno;
|
|
||||||
- Tprintf ("stat(%s): %s\n", filepath, strerror (err));
|
|
||||||
- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"),
|
|
||||||
- filepath, strerror(err));
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */
|
|
||||||
- if (htmp == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (!err
|
|
||||||
-#if USE_CFBUNDLE
|
|
||||||
- && ((statbuf.st_mode & S_IFMT) == S_IFREG
|
|
||||||
- || (statbuf.st_mode & S_IFMT) == S_IFDIR)
|
|
||||||
-#endif /* USE_CFBUNDLE */
|
|
||||||
- ) {
|
|
||||||
- void *handle = NULL;
|
|
||||||
-
|
|
||||||
-#if USE_CFBUNDLE
|
|
||||||
- char executablepath[MAXPATHLEN];
|
|
||||||
-
|
|
||||||
- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) {
|
|
||||||
- int lock_err = 0;
|
|
||||||
- CFStringRef pluginString = NULL;
|
|
||||||
- CFURLRef pluginURL = NULL;
|
|
||||||
- CFBundleRef pluginBundle = NULL;
|
|
||||||
- CFURLRef executableURL = NULL;
|
|
||||||
-
|
|
||||||
- /* Lock around CoreFoundation calls since objects are refcounted
|
|
||||||
- * and the refcounts are not thread-safe. Using pthreads directly
|
|
||||||
- * because this code is Mac-specific */
|
|
||||||
- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex);
|
|
||||||
- if (lock_err) { err = lock_err; }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginString = CFStringCreateWithCString (kCFAllocatorDefault,
|
|
||||||
- filepath,
|
|
||||||
- kCFStringEncodingASCII);
|
|
||||||
- if (pluginString == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault,
|
|
||||||
- pluginString,
|
|
||||||
- kCFURLPOSIXPathStyle,
|
|
||||||
- true);
|
|
||||||
- if (pluginURL == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL);
|
|
||||||
- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- executableURL = CFBundleCopyExecutableURL (pluginBundle);
|
|
||||||
- if (executableURL == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- if (!CFURLGetFileSystemRepresentation (executableURL,
|
|
||||||
- true, /* absolute */
|
|
||||||
- (UInt8 *)executablepath,
|
|
||||||
- sizeof (executablepath))) {
|
|
||||||
- err = ENOMEM;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- /* override the path the caller passed in */
|
|
||||||
- filepath = executablepath;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (executableURL != NULL) { CFRelease (executableURL); }
|
|
||||||
- if (pluginBundle != NULL) { CFRelease (pluginBundle); }
|
|
||||||
- if (pluginURL != NULL) { CFRelease (pluginURL); }
|
|
||||||
- if (pluginString != NULL) { CFRelease (pluginString); }
|
|
||||||
-
|
|
||||||
- /* unlock after CFRelease calls since they modify refcounts */
|
|
||||||
- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); }
|
|
||||||
- }
|
|
||||||
-#endif /* USE_CFBUNDLE */
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);
|
|
||||||
- if (handle == NULL) {
|
|
||||||
- const char *e = dlerror();
|
|
||||||
- if (e == NULL)
|
|
||||||
- e = _("unknown failure");
|
|
||||||
- Tprintf ("dlopen(%s): %s\n", filepath, e);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"),
|
|
||||||
- filepath, e);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
+ if (h->dlhandle != NULL)
|
|
||||||
+ dlclose(h->dlhandle);
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_dlfcn
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- got_plugin = 1;
|
|
||||||
- htmp->dlhandle = handle;
|
|
||||||
- handle = NULL;
|
|
||||||
- }
|
|
||||||
+#elif defined(_WIN32)
|
|
||||||
|
|
||||||
- if (handle != NULL) { dlclose (handle); }
|
|
||||||
+static long
|
|
||||||
+open_plugin_win32(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ h->module = LoadLibrary(filename);
|
|
||||||
+ if (h == NULL) {
|
|
||||||
+ Tprintf("Unable to load dll: %s\n", filename);
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
-#endif /* USE_DLOPEN */
|
|
||||||
-
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) {
|
|
||||||
- HMODULE handle = NULL;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+#define open_plugin open_plugin_win32
|
|
||||||
|
|
||||||
- handle = LoadLibrary(filepath);
|
|
||||||
- if (handle == NULL) {
|
|
||||||
- Tprintf ("Unable to load dll: %s\n", filepath);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath);
|
|
||||||
- }
|
|
||||||
+static long
|
|
||||||
+get_sym_win32(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ LPVOID lpMsgBuf;
|
|
||||||
+ DWORD dw;
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- got_plugin = 1;
|
|
||||||
- htmp->hinstPlugin = handle;
|
|
||||||
- handle = NULL;
|
|
||||||
+ if (h->module == NULL)
|
|
||||||
+ return ENOENT;
|
|
||||||
+ *sym_out = GetProcAddress(h->module, csymname);
|
|
||||||
+ if (*sym_out == NULL) {
|
|
||||||
+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
|
||||||
+ dw = GetLastError();
|
|
||||||
+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
|
||||||
+ FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
|
||||||
+ (LPTSTR)&lpMsgBuf, 0, NULL)) {
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"),
|
|
||||||
+ (char *)lpMsgBuf);
|
|
||||||
+ LocalFree(lpMsgBuf);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if (handle != NULL)
|
|
||||||
- FreeLibrary(handle);
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- if (!err && !got_plugin) {
|
|
||||||
- err = ENOENT; /* no plugin or no way to load plugins */
|
|
||||||
- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err));
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+#define get_sym get_sym_win32
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- *h = htmp;
|
|
||||||
- htmp = NULL; /* h takes ownership */
|
|
||||||
- }
|
|
||||||
+static void
|
|
||||||
+close_plugin_win32(struct plugin_file_handle *h)
|
|
||||||
+{
|
|
||||||
+ if (h->module != NULL)
|
|
||||||
+ FreeLibrary(h->module);
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_win32
|
|
||||||
|
|
||||||
- free(htmp);
|
|
||||||
+#else
|
|
||||||
|
|
||||||
- return err;
|
|
||||||
+static long
|
|
||||||
+open_plugin_dummy(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ k5_set_error(ep, ENOENT, _("plugin loading unavailable"));
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
+#define open_plugin open_plugin_dummy
|
|
||||||
|
|
||||||
static long
|
|
||||||
-krb5int_get_plugin_sym (struct plugin_file_handle *h,
|
|
||||||
- const char *csymname, int isfunc, void **ptr,
|
|
||||||
- struct errinfo *ep)
|
|
||||||
+get_sym_dummy(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- long err = 0;
|
|
||||||
- void *sym = NULL;
|
|
||||||
+ return ENOENT;
|
|
||||||
+}
|
|
||||||
+#define get_sym get_sym_dummy
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+close_plugin_dummy(struct plugin_file_handle *h)
|
|
||||||
+{
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_dummy
|
|
||||||
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (!err && !sym && (h->dlhandle != NULL)) {
|
|
||||||
- /* XXX Do we need to add a leading "_" to the symbol name on any
|
|
||||||
- modern platforms? */
|
|
||||||
- sym = dlsym (h->dlhandle, csymname);
|
|
||||||
- if (sym == NULL) {
|
|
||||||
- const char *e = dlerror (); /* XXX copy and save away */
|
|
||||||
- if (e == NULL)
|
|
||||||
- e = "unknown failure";
|
|
||||||
- Tprintf ("dlsym(%s): %s\n", csymname, e);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, "%s", e);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- LPVOID lpMsgBuf;
|
|
||||||
- DWORD dw;
|
|
||||||
+long KRB5_CALLCONV
|
|
||||||
+krb5int_open_plugin(const char *filename,
|
|
||||||
+ struct plugin_file_handle **handle_out, struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ long ret;
|
|
||||||
+ struct plugin_file_handle *h;
|
|
||||||
|
|
||||||
- if (!err && !sym && (h->hinstPlugin != NULL)) {
|
|
||||||
- sym = GetProcAddress(h->hinstPlugin, csymname);
|
|
||||||
- if (sym == NULL) {
|
|
||||||
- const char *e = "unable to get dll symbol"; /* XXX copy and save away */
|
|
||||||
- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, "%s", e);
|
|
||||||
-
|
|
||||||
- dw = GetLastError();
|
|
||||||
- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
|
||||||
- FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
- NULL,
|
|
||||||
- dw,
|
|
||||||
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
|
||||||
- (LPTSTR) &lpMsgBuf,
|
|
||||||
- 0, NULL )) {
|
|
||||||
-
|
|
||||||
- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf);
|
|
||||||
- LocalFree(lpMsgBuf);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
+ *handle_out = NULL;
|
|
||||||
|
|
||||||
- if (!err && (sym == NULL)) {
|
|
||||||
- err = ENOENT; /* unimplemented */
|
|
||||||
- }
|
|
||||||
+ h = calloc(1, sizeof(*h));
|
|
||||||
+ if (h == NULL)
|
|
||||||
+ return ENOMEM;
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- *ptr = sym;
|
|
||||||
+ ret = open_plugin(h, filename, ep);
|
|
||||||
+ if (ret) {
|
|
||||||
+ free(h);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return err;
|
|
||||||
+ *handle_out = h;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
long KRB5_CALLCONV
|
|
||||||
-krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname,
|
|
||||||
- void **ptr, struct errinfo *ep)
|
|
||||||
+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep);
|
|
||||||
+ return get_sym(h, csymname, sym_out, ep);
|
|
||||||
}
|
|
||||||
|
|
||||||
long KRB5_CALLCONV
|
|
||||||
-krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname,
|
|
||||||
- void (**ptr)(), struct errinfo *ep)
|
|
||||||
+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void (**sym_out)(), struct errinfo *ep)
|
|
||||||
{
|
|
||||||
void *dptr = NULL;
|
|
||||||
- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep);
|
|
||||||
- if (!err) {
|
|
||||||
- /* Cast function pointers to avoid code duplication */
|
|
||||||
- *ptr = (void (*)()) dptr;
|
|
||||||
- }
|
|
||||||
- return err;
|
|
||||||
+ long ret = get_sym(h, csymname, &dptr, ep);
|
|
||||||
+
|
|
||||||
+ if (!ret)
|
|
||||||
+ *sym_out = (void (*)())dptr;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
void KRB5_CALLCONV
|
|
||||||
krb5int_close_plugin (struct plugin_file_handle *h)
|
|
||||||
{
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (h->dlhandle != NULL) { dlclose(h->dlhandle); }
|
|
||||||
-#endif
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); }
|
|
||||||
-#endif
|
|
||||||
- free (h);
|
|
||||||
+ close_plugin(h);
|
|
||||||
+ free(h);
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* autoconf docs suggest using this preference order */
|
|
||||||
-#if HAVE_DIRENT_H || USE_DIRENT_H
|
|
||||||
-#include <dirent.h>
|
|
||||||
-#define NAMELEN(D) strlen((D)->d_name)
|
|
||||||
-#else
|
|
||||||
-#ifndef _WIN32
|
|
||||||
-#define dirent direct
|
|
||||||
-#define NAMELEN(D) ((D)->d->namlen)
|
|
||||||
-#else
|
|
||||||
-#define NAMELEN(D) strlen((D)->d_name)
|
|
||||||
-#endif
|
|
||||||
-#if HAVE_SYS_NDIR_H
|
|
||||||
-# include <sys/ndir.h>
|
|
||||||
-#elif HAVE_SYS_DIR_H
|
|
||||||
-# include <sys/dir.h>
|
|
||||||
-#elif HAVE_NDIR_H
|
|
||||||
-# include <ndir.h>
|
|
||||||
-#endif
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
static long
|
|
||||||
krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray)
|
|
||||||
{
|
|
||||||
@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames,
|
|
||||||
if (handle != NULL) { krb5int_close_plugin (handle); }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- /* load all plugins in each directory */
|
|
||||||
- DIR *dir = opendir (dirnames[i]);
|
|
||||||
+ char **fnames = NULL;
|
|
||||||
+ int j;
|
|
||||||
|
|
||||||
- while (dir != NULL && !err) {
|
|
||||||
- struct dirent *d = NULL;
|
|
||||||
+ err = k5_dir_filenames(dirnames[i], &fnames);
|
|
||||||
+ for (j = 0; !err && fnames[j] != NULL; j++) {
|
|
||||||
char *filepath = NULL;
|
|
||||||
struct plugin_file_handle *handle = NULL;
|
|
||||||
|
|
||||||
- d = readdir (dir);
|
|
||||||
- if (d == NULL) { break; }
|
|
||||||
-
|
|
||||||
- if ((strcmp (d->d_name, ".") == 0) ||
|
|
||||||
- (strcmp (d->d_name, "..") == 0)) {
|
|
||||||
+ if (strcmp(fnames[j], ".") == 0 ||
|
|
||||||
+ strcmp(fnames[j], "..") == 0)
|
|
||||||
continue;
|
|
||||||
- }
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- int len = NAMELEN (d);
|
|
||||||
- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) {
|
|
||||||
- filepath = NULL;
|
|
||||||
- err = ENOMEM;
|
|
||||||
- }
|
|
||||||
+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) {
|
|
||||||
+ filepath = NULL;
|
|
||||||
+ err = ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- if (krb5int_open_plugin (filepath, &handle, ep) == 0) {
|
|
||||||
- err = krb5int_plugin_file_handle_array_add (&h, &count, handle);
|
|
||||||
- if (!err) { handle = NULL; } /* h takes ownership */
|
|
||||||
- }
|
|
||||||
+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) {
|
|
||||||
+ err = krb5int_plugin_file_handle_array_add(&h, &count,
|
|
||||||
+ handle);
|
|
||||||
+ if (!err)
|
|
||||||
+ handle = NULL; /* h takes ownership */
|
|
||||||
}
|
|
||||||
|
|
||||||
free(filepath);
|
|
||||||
- if (handle != NULL) { krb5int_close_plugin (handle); }
|
|
||||||
+ if (handle != NULL)
|
|
||||||
+ krb5int_close_plugin(handle);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (dir != NULL) { closedir (dir); }
|
|
||||||
+ k5_free_filenames(fnames);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 59d3ecdab7210e87ec475f4ae0d64888d5416b29 Mon Sep 17 00:00:00 2001
|
From 6adfd97a3558aae4ace346685266bac9dae8bba9 Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
||||||
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
||||||
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
|
|||||||
## ${prefix}.
|
## ${prefix}.
|
||||||
prefix=@prefix@
|
prefix=@prefix@
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.1
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 963314f4f449e136195232bdada3109af65d0881 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Thu, 28 Jul 2022 15:20:12 +0200
|
|
||||||
Subject: [PATCH] Update error checking for OpenSSL CMS_verify
|
|
||||||
|
|
||||||
The code for CMS data verification was initially written for OpenSSL's
|
|
||||||
PKCS7_verify() function. It now uses CMS_verify(), but error handling
|
|
||||||
is still done using PKCS7_verify() error identifiers. Update the
|
|
||||||
recognized error codes so that the KDC generates
|
|
||||||
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
|
|
||||||
Use ERR_peek_last_error() to observe the error generated closest to
|
|
||||||
the API surface.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: edited commit message]
|
|
||||||
|
|
||||||
ticket: 9069 (new)
|
|
||||||
tags: pullup
|
|
||||||
target_version: 1.20-next
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index 1c2aa02827..16edf15cb2 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
goto cleanup;
|
|
||||||
out = BIO_new(BIO_s_mem());
|
|
||||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
|
||||||
- unsigned long err = ERR_peek_error();
|
|
||||||
+ unsigned long err = ERR_peek_last_error();
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
- case PKCS7_R_DIGEST_FAILURE:
|
|
||||||
+ case RSA_R_DIGEST_NOT_ALLOWED:
|
|
||||||
+ case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
|
||||||
+ case CMS_R_NO_MATCHING_DIGEST:
|
|
||||||
+ case CMS_R_NO_MATCHING_SIGNATURE:
|
|
||||||
retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
|
|
||||||
break;
|
|
||||||
- case PKCS7_R_SIGNATURE_FAILURE:
|
|
||||||
+ case CMS_R_VERIFICATION_FAILURE:
|
|
||||||
default:
|
|
||||||
retval = KRB5KDC_ERR_INVALID_SIG;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From d8f67df42efd68142aa904040f9e8cc0f9138c10 Mon Sep 17 00:00:00 2001
|
From 73640dc4899494d010b83b080b3a65bd3e69177c Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
||||||
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
||||||
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
|
|||||||
ret = KRB5_CRYPTO_INTERNAL;
|
ret = KRB5_CRYPTO_INTERNAL;
|
||||||
goto done;
|
goto done;
|
||||||
--
|
--
|
||||||
2.39.1
|
2.40.1
|
||||||
|
|
279
0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Normal file
279
0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Normal file
@ -0,0 +1,279 @@
|
|||||||
|
From f47c9eb8618006012600a906367295ed53c558d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
||||||
|
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
||||||
|
|
||||||
|
MS-PAC states that "The ticket signature SHOULD be included in tickets
|
||||||
|
that are not encrypted to the krbtgt account". However, the
|
||||||
|
implementation of krb5_kdc_verify_ticket() will require the ticket
|
||||||
|
signature to be present in case the target of the request is a service
|
||||||
|
principal.
|
||||||
|
|
||||||
|
In gradual upgrade environments, it results in S4U2Proxy requests
|
||||||
|
against a 1.20 KDC using a service ticket generated by an older version
|
||||||
|
KDC to fail.
|
||||||
|
|
||||||
|
This commit adds a krb5_kdc_verify_ticket_ext() function with an extra
|
||||||
|
switch parameter to tolerate the absence of ticket signature in this
|
||||||
|
scenario. If the ticket signature is present, it has to be valid,
|
||||||
|
regardless of this parameter.
|
||||||
|
|
||||||
|
This parameter is set based on the "optional_pac_tkt_chksum" string
|
||||||
|
attribute of the TGT KDB entry.
|
||||||
|
---
|
||||||
|
doc/admin/admin_commands/kadmin_local.rst | 6 ++++
|
||||||
|
doc/appdev/refs/api/index.rst | 1 +
|
||||||
|
src/include/kdb.h | 1 +
|
||||||
|
src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++
|
||||||
|
src/kdc/kdc_util.c | 32 ++++++++++++++----
|
||||||
|
src/lib/krb5/krb/pac.c | 31 +++++++++++++++---
|
||||||
|
src/lib/krb5/libkrb5.exports | 1 +
|
||||||
|
src/man/kadmin.man | 6 ++++
|
||||||
|
8 files changed, 108 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
|
||||||
|
index 2435b3c361..58ac79549f 100644
|
||||||
|
--- a/doc/admin/admin_commands/kadmin_local.rst
|
||||||
|
+++ b/doc/admin/admin_commands/kadmin_local.rst
|
||||||
|
@@ -658,6 +658,12 @@ KDC:
|
||||||
|
Directory realm when using aes-sha2 keys on the local krbtgt
|
||||||
|
entry.
|
||||||
|
|
||||||
|
+**optional_pac_tkt_chksum**
|
||||||
|
+ Boolean value defining the behavior of the KDC in case an expected
|
||||||
|
+ ticket checksum signed with one of this principal keys is not
|
||||||
|
+ present in the PAC. This is typically the case for TGS or
|
||||||
|
+ cross-realm TGS principals when processing S4U2Proxy requests.
|
||||||
|
+
|
||||||
|
This command requires the **modify** privilege.
|
||||||
|
|
||||||
|
Alias: **setstr**
|
||||||
|
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
|
||||||
|
index d12be47c3c..9b95ebd0f9 100644
|
||||||
|
--- a/doc/appdev/refs/api/index.rst
|
||||||
|
+++ b/doc/appdev/refs/api/index.rst
|
||||||
|
@@ -225,6 +225,7 @@ Rarely used public interfaces
|
||||||
|
krb5_is_referral_realm.rst
|
||||||
|
krb5_kdc_sign_ticket.rst
|
||||||
|
krb5_kdc_verify_ticket.rst
|
||||||
|
+ krb5_kdc_verify_ticket_ext.rst
|
||||||
|
krb5_kt_add_entry.rst
|
||||||
|
krb5_kt_end_seq_get.rst
|
||||||
|
krb5_kt_get_entry.rst
|
||||||
|
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
||||||
|
index 745b24f351..6075349e5e 100644
|
||||||
|
--- a/src/include/kdb.h
|
||||||
|
+++ b/src/include/kdb.h
|
||||||
|
@@ -136,6 +136,7 @@
|
||||||
|
#define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype"
|
||||||
|
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
|
||||||
|
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
|
||||||
|
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
|
||||||
|
|
||||||
|
#if !defined(_WIN32)
|
||||||
|
|
||||||
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
|
index 350bcf86f2..17e1b52266 100644
|
||||||
|
--- a/src/include/krb5/krb5.hin
|
||||||
|
+++ b/src/include/krb5/krb5.hin
|
||||||
|
@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
const krb5_keyblock *server,
|
||||||
|
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * Verify a PAC, possibly including ticket signature
|
||||||
|
+ *
|
||||||
|
+ * @param [in] context Library context
|
||||||
|
+ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC
|
||||||
|
+ * @param [in] server_princ Canonicalized name of ticket server
|
||||||
|
+ * @param [in] server Key to validate server checksum (or NULL)
|
||||||
|
+ * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
||||||
|
+ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum
|
||||||
|
+ * @param [out] pac_out Verified PAC (NULL if no PAC included)
|
||||||
|
+ *
|
||||||
|
+ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a
|
||||||
|
+ * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC
|
||||||
|
+ * ticket signature.
|
||||||
|
+ *
|
||||||
|
+ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is
|
||||||
|
+ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and
|
||||||
|
+ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt
|
||||||
|
+ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If
|
||||||
|
+ * an invalid PAC signature is found, return an error matching the Windows KDC
|
||||||
|
+ * protocol code for that condition as closely as possible.
|
||||||
|
+ *
|
||||||
|
+ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return
|
||||||
|
+ * successfully.
|
||||||
|
+ *
|
||||||
|
+ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a
|
||||||
|
+ * specific value is expected, the caller can make a separate call to
|
||||||
|
+ * krb5_pac_verify_ext() with a principal but no keys.
|
||||||
|
+ *
|
||||||
|
+ * @retval 0 Success; otherwise - Kerberos error codes
|
||||||
|
+ */
|
||||||
|
+krb5_error_code KRB5_CALLCONV
|
||||||
|
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
||||||
|
+ const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
+ krb5_const_principal server_princ,
|
||||||
|
+ const krb5_keyblock *server,
|
||||||
|
+ const krb5_keyblock *privsvr,
|
||||||
|
+ krb5_boolean optional_tkt_chksum,
|
||||||
|
+ krb5_pac *pac_out);
|
||||||
|
+
|
||||||
|
/** @deprecated Use krb5_kdc_sign_ticket() instead. */
|
||||||
|
krb5_error_code KRB5_CALLCONV
|
||||||
|
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||||
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||||
|
index ea10e23a95..c7b6e4090d 100644
|
||||||
|
--- a/src/kdc/kdc_util.c
|
||||||
|
+++ b/src/kdc/kdc_util.c
|
||||||
|
@@ -560,16 +560,36 @@ cleanup:
|
||||||
|
static krb5_error_code
|
||||||
|
try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
krb5_db_entry *server, krb5_keyblock *server_key,
|
||||||
|
- const krb5_keyblock *tgt_key, krb5_pac *pac_out)
|
||||||
|
+ krb5_db_entry *tgt, const krb5_keyblock *tgt_key,
|
||||||
|
+ krb5_pac *pac_out)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
+ krb5_boolean optional_tkt_chksum;
|
||||||
|
+ char *str = NULL;
|
||||||
|
krb5_keyblock *privsvr_key;
|
||||||
|
|
||||||
|
ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key,
|
||||||
|
- privsvr_key, pac_out);
|
||||||
|
+
|
||||||
|
+ /* Check if the absence of ticket signature is tolerated for this realm */
|
||||||
|
+ ret = krb5_dbe_get_string(context, tgt,
|
||||||
|
+ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);
|
||||||
|
+ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
|
||||||
|
+ * available here.
|
||||||
|
+ */
|
||||||
|
+ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0
|
||||||
|
+ || strncasecmp(str, "t", 1) == 0
|
||||||
|
+ || strncasecmp(str, "yes", 3) == 0
|
||||||
|
+ || strncasecmp(str, "y", 1) == 0
|
||||||
|
+ || strncasecmp(str, "1", 1) == 0
|
||||||
|
+ || strncasecmp(str, "on", 2) == 0);
|
||||||
|
+
|
||||||
|
+ krb5_dbe_free_string(context, str);
|
||||||
|
+
|
||||||
|
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ,
|
||||||
|
+ server_key, privsvr_key,
|
||||||
|
+ optional_tkt_chksum, pac_out);
|
||||||
|
krb5_free_keyblock(context, privsvr_key);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
server_key, NULL, pac_out);
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key,
|
||||||
|
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key,
|
||||||
|
pac_out);
|
||||||
|
if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)
|
||||||
|
return ret;
|
||||||
|
@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key,
|
||||||
|
- pac_out);
|
||||||
|
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt,
|
||||||
|
+ &old_key, pac_out);
|
||||||
|
krb5_free_keyblock_contents(context, &old_key);
|
||||||
|
if (!ret)
|
||||||
|
return 0;
|
||||||
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||||
|
index 5d1fdf1ba0..0c0e2ada68 100644
|
||||||
|
--- a/src/lib/krb5/krb/pac.c
|
||||||
|
+++ b/src/lib/krb5/krb/pac.c
|
||||||
|
@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
krb5_const_principal server_princ,
|
||||||
|
const krb5_keyblock *server,
|
||||||
|
const krb5_keyblock *privsvr, krb5_pac *pac_out)
|
||||||
|
+{
|
||||||
|
+ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server,
|
||||||
|
+ privsvr, FALSE, pac_out);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+krb5_error_code KRB5_CALLCONV
|
||||||
|
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
||||||
|
+ const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
+ krb5_const_principal server_princ,
|
||||||
|
+ const krb5_keyblock *server,
|
||||||
|
+ const krb5_keyblock *privsvr,
|
||||||
|
+ krb5_boolean optional_tkt_chksum,
|
||||||
|
+ krb5_pac *pac_out)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
krb5_pac pac = NULL;
|
||||||
|
@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
||||||
|
uint8_t z = 0;
|
||||||
|
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
||||||
|
- krb5_boolean is_service_tkt;
|
||||||
|
+ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE;
|
||||||
|
size_t i, j;
|
||||||
|
|
||||||
|
*pac_out = NULL;
|
||||||
|
@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
|
||||||
|
ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,
|
||||||
|
KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);
|
||||||
|
- if (ret)
|
||||||
|
- goto cleanup;
|
||||||
|
+ if (ret) {
|
||||||
|
+ if (!optional_tkt_chksum)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ else if (ret != ENOENT)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ /* Otherwise ticket signature is absent but optional. Proceed... */
|
||||||
|
+ } else {
|
||||||
|
+ has_tkt_chksum = TRUE;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+ /* Else, we make the assumption the ticket signature is absent in case this
|
||||||
|
+ * is not a service ticket.
|
||||||
|
+ */
|
||||||
|
|
||||||
|
- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
||||||
|
+ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr);
|
||||||
|
if (ret)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
|
||||||
|
index 4c50e935a2..d4b0455c8c 100644
|
||||||
|
--- a/src/lib/krb5/libkrb5.exports
|
||||||
|
+++ b/src/lib/krb5/libkrb5.exports
|
||||||
|
@@ -463,6 +463,7 @@ krb5_is_thread_safe
|
||||||
|
krb5_kdc_rep_decrypt_proc
|
||||||
|
krb5_kdc_sign_ticket
|
||||||
|
krb5_kdc_verify_ticket
|
||||||
|
+krb5_kdc_verify_ticket_ext
|
||||||
|
krb5_kt_add_entry
|
||||||
|
krb5_kt_client_default
|
||||||
|
krb5_kt_close
|
||||||
|
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||||
|
index d028dc2975..2c8d10067f 100644
|
||||||
|
--- a/src/man/kadmin.man
|
||||||
|
+++ b/src/man/kadmin.man
|
||||||
|
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
|
||||||
|
"aes256\-sha1" on the cross\-realm krbtgt entry for an Active
|
||||||
|
Directory realm when using aes\-sha2 keys on the local krbtgt
|
||||||
|
entry.
|
||||||
|
+.TP
|
||||||
|
+\fBoptional_pac_tkt_chksum\fP
|
||||||
|
+Boolean value defining the behavior of the KDC in case an expected ticket
|
||||||
|
+checksum signed with one of this principal keys is not present in the PAC. This
|
||||||
|
+is typically the case for TGS or cross-realm TGS principals when processing
|
||||||
|
+S4U2Proxy requests.
|
||||||
|
.UNINDENT
|
||||||
|
.sp
|
||||||
|
This command requires the \fBmodify\fP privilege.
|
||||||
|
--
|
||||||
|
2.40.1
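Review bot: The `optional_tkt_chksum` parsing in `try_verify_pac` (the src/kdc/kdc_util.c hunk) uses prefix comparisons — `strncasecmp(str, "t", 1)`, `strncasecmp(str, "y", 1)`, `strncasecmp(str, "1", 1)`, `strncasecmp(str, "on", 2)` — so any attribute value that merely starts with those characters (for example "10", "typo" or "once") silently waives the ticket-signature requirement, and the `"true"`/`"yes"` clauses are made redundant by the one-character prefixes. Because this string attribute can only ever relax a PAC check, the parse should be fail-closed: compare the whole token with `strcasecmp`, which is also how the `_krb5_conf_boolean()` the TODO refers to behaves as far as I recall, and treat anything unrecognised as "not optional". The src/lib/krb5/krb/pac.c hunk matches the documented contract (a present-but-invalid signature still fails because only `ENOENT` is tolerated), but it relies on `verify_checksum()` reporting an absent buffer as `ENOENT`, which is outside the hunk — a one-line comment at `else if (ret != ENOENT)` naming that assumption would help. The new docstring in src/include/krb5/krb5.hin also has a typo, `@paran [in] optional_tkt_chksum`, which should read `@param`.
```c
    /* … unchanged: pac_privsvr_key() and krb5_dbe_get_string() … */
    /* Only an exact (case-insensitive) token relaxes the ticket-signature
     * requirement; a prefix match would accept values such as "10" or
     * "toggle" and silently weaken PAC verification. */
    optional_tkt_chksum = !ret && str != NULL &&
        (strcasecmp(str, "true") == 0 || strcasecmp(str, "t") == 0 ||
         strcasecmp(str, "yes") == 0 || strcasecmp(str, "y") == 0 ||
         strcasecmp(str, "1") == 0 || strcasecmp(str, "on") == 0);
    /* … unchanged: krb5_dbe_free_string() and krb5_kdc_verify_ticket_ext() call … */
```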
@ -1,28 +0,0 @@
|
|||||||
From c7d2d7c090bc000acd67b358150b9487f606ff20 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2022 10:34:52 +0200
|
|
||||||
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
|
|
||||||
PKINIT
|
|
||||||
|
|
||||||
An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
|
|
||||||
CMS_verify is called to verify a SHA-1 signature. If this error is
|
|
||||||
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index 16edf15cb2..bfa3fe8e91 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
|
||||||
unsigned long err = ERR_peek_last_error();
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
+ case EVP_R_INVALID_DIGEST:
|
|
||||||
case RSA_R_DIGEST_NOT_ALLOWED:
|
|
||||||
case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
|
||||||
case CMS_R_NO_MATCHING_DIGEST:
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,239 +0,0 @@
|
|||||||
From 07ec260c65ec036d44362868df0f796a53495f27 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Mon, 19 Sep 2022 15:18:50 -0400
|
|
||||||
Subject: [PATCH] Add and use ts_interval() helper
|
|
||||||
|
|
||||||
ts_delta() returns a signed result, which cannot hold an interval
|
|
||||||
larger than 2^31-1 seconds. Intervals like this have been seen when
|
|
||||||
admins set password expiration dates more than 68 years in the future.
|
|
||||||
|
|
||||||
Add a second helper ts_interval() which returns a signed result, and
|
|
||||||
has the arguments reversed so that the start time is first. Use it in
|
|
||||||
warn_pw_expiry() to handle the password expiration case, in the GSS
|
|
||||||
krb5 mech where we return an unsigned context or credential lifetime
|
|
||||||
to the caller, and in the KEYRING ccache type where we compute an
|
|
||||||
unsigned keyring timeout.
|
|
||||||
|
|
||||||
ticket: 9071 (new)
|
|
||||||
---
|
|
||||||
src/include/k5-int.h | 9 +++++++++
|
|
||||||
src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++----
|
|
||||||
src/lib/gssapi/krb5/acquire_cred.c | 3 +--
|
|
||||||
src/lib/gssapi/krb5/context_time.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/init_sec_context.c | 4 ++--
|
|
||||||
src/lib/gssapi/krb5/inq_context.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/inq_cred.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
|
|
||||||
src/lib/krb5/ccache/cc_keyring.c | 4 ++--
|
|
||||||
src/lib/krb5/krb/get_in_tkt.c | 15 +++++++--------
|
|
||||||
10 files changed, 31 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
|
||||||
index c3aecba7d4..768110e5ef 100644
|
|
||||||
--- a/src/include/k5-int.h
|
|
||||||
+++ b/src/include/k5-int.h
|
|
||||||
@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b)
|
|
||||||
return (krb5_deltat)((uint32_t)a - (uint32_t)b);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */
|
|
||||||
+static inline uint32_t
|
|
||||||
+ts_interval(krb5_timestamp start, krb5_timestamp end)
|
|
||||||
+{
|
|
||||||
+ if ((uint32_t)start > (uint32_t)end)
|
|
||||||
+ return 0;
|
|
||||||
+ return (uint32_t)end - (uint32_t)start;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Increment a timestamp by a signed 32-bit interval, without relying on
|
|
||||||
* undefined behavior. */
|
|
||||||
static inline krb5_timestamp
|
|
||||||
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
index 1bc807172b..7de2c9fd77 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
|
|
||||||
*mech_type = ctx->mech_used;
|
|
||||||
|
|
||||||
if (time_rec) {
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) +
|
|
||||||
- ctx->k5_context->clockskew;
|
|
||||||
+ *time_rec = ts_interval(now - ctx->k5_context->clockskew,
|
|
||||||
+ ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
|
|
||||||
@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle,
|
|
||||||
|
|
||||||
/* Add the maximum allowable clock skew as a grace period for context
|
|
||||||
* expiration, just as we do for the ticket. */
|
|
||||||
- if (time_rec)
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
|
|
||||||
+ if (time_rec) {
|
|
||||||
+ *time_rec = ts_interval(now - context->clockskew,
|
|
||||||
+ ctx->krb_times.endtime);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (ret_flags)
|
|
||||||
*ret_flags = ctx->gss_flags;
|
|
||||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
index e226a02692..006eba114d 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
|
|
||||||
GSS_C_NO_NAME);
|
|
||||||
if (GSS_ERROR(ret))
|
|
||||||
goto error_out;
|
|
||||||
- *time_rec = ts_after(cred->expire, now) ?
|
|
||||||
- ts_delta(cred->expire, now) : 0;
|
|
||||||
+ *time_rec = ts_interval(now, cred->expire);
|
|
||||||
k5_mutex_unlock(&cred->lock);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
|
|
||||||
index 1fdb5a16f2..5469d8154c 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/context_time.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/context_time.c
|
|
||||||
@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
|
|
||||||
return(GSS_S_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
if (!ctx->initiate)
|
|
||||||
lifetime += ctx->k5_context->clockskew;
|
|
||||||
if (lifetime <= 0) {
|
|
||||||
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
index ea87cf6432..f0f094ccb7 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
@@ -664,7 +664,7 @@ kg_new_connection(
|
|
||||||
if (time_rec) {
|
|
||||||
if ((code = krb5_timeofday(context, &now)))
|
|
||||||
goto cleanup;
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set the other returns */
|
|
||||||
@@ -878,7 +878,7 @@ mutual_auth(
|
|
||||||
if (time_rec) {
|
|
||||||
if ((code = krb5_timeofday(context, &now)))
|
|
||||||
goto fail;
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ret_flags)
|
|
||||||
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
index cac024da1f..51c484fdfe 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
|
|
||||||
|
|
||||||
/* Add the maximum allowable clock skew as a grace period for context
|
|
||||||
* expiration, just as we do for the ticket during authentication. */
|
|
||||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
if (!ctx->initiate)
|
|
||||||
lifetime += context->clockskew;
|
|
||||||
if (lifetime < 0)
|
|
||||||
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
index bb63b726c8..0e675959a3 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cred->expire != 0) {
|
|
||||||
- lifetime = ts_delta(cred->expire, now);
|
|
||||||
+ lifetime = ts_interval(now, cred->expire);
|
|
||||||
if (lifetime < 0)
|
|
||||||
lifetime = 0;
|
|
||||||
}
|
|
||||||
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
index 7dcfe4e1eb..fa7f980af7 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
|
||||||
if (code != 0)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- *time_rec = ts_delta(cred->expire, now);
|
|
||||||
+ *time_rec = ts_interval(now, cred->expire);
|
|
||||||
}
|
|
||||||
|
|
||||||
major_status = GSS_S_COMPLETE;
|
|
||||||
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
index ebef37d607..1dadeef64f 100644
|
|
||||||
--- a/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
+++ b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
|
|
||||||
|
|
||||||
/* Setting the timeout to zero would reset the timeout, so we set it to one
|
|
||||||
* second instead if creds are already expired. */
|
|
||||||
- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
|
|
||||||
+ timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1;
|
|
||||||
(void)keyctl_set_timeout(data->cache_id, timeout);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
|
|
||||||
|
|
||||||
if (ts_after(creds->times.endtime, now)) {
|
|
||||||
(void)keyctl_set_timeout(cred_key,
|
|
||||||
- ts_delta(creds->times.endtime, now));
|
|
||||||
+ ts_interval(now, creds->times.endtime));
|
|
||||||
}
|
|
||||||
|
|
||||||
update_keyring_expiration(context, id);
|
|
||||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
index 8b5ab595e9..1b420a3ac2 100644
|
|
||||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
void *expire_data;
|
|
||||||
krb5_timestamp pw_exp, acct_exp, now;
|
|
||||||
krb5_boolean is_last_req;
|
|
||||||
- krb5_deltat delta;
|
|
||||||
+ uint32_t interval;
|
|
||||||
char ts[256], banner[1024];
|
|
||||||
|
|
||||||
if (as_reply == NULL || as_reply->enc_part2 == NULL)
|
|
||||||
@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
ret = krb5_timeofday(context, &now);
|
|
||||||
if (ret != 0)
|
|
||||||
return;
|
|
||||||
- if (!is_last_req &&
|
|
||||||
- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
|
|
||||||
+ interval = ts_interval(now, pw_exp);
|
|
||||||
+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60))
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (!prompter)
|
|
||||||
@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
if (ret != 0)
|
|
||||||
return;
|
|
||||||
|
|
||||||
- delta = ts_delta(pw_exp, now);
|
|
||||||
- if (delta < 3600) {
|
|
||||||
+ if (interval < 3600) {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in less than one hour "
|
|
||||||
"on %s"), ts);
|
|
||||||
- } else if (delta < 86400 * 2) {
|
|
||||||
+ } else if (interval < 86400 * 2) {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in %d hour%s on %s"),
|
|
||||||
- delta / 3600, delta < 7200 ? "" : "s", ts);
|
|
||||||
+ interval / 3600, interval < 7200 ? "" : "s", ts);
|
|
||||||
} else {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in %d days on %s"),
|
|
||||||
- delta / 86400, ts);
|
|
||||||
+ interval / 86400, ts);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* PROMPTER_INVOCATION */
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -0,0 +1,47 @@
From d1322546dca51100759eac318ce554bd301c50c3 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 23 May 2023 12:19:54 +0200
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
available in FIPS mode
We recommend using the SHA1 crypto-module in order to allow the
verification of SHA-1 signature for CMS messages. However, this module
does not work in FIPS mode, because the SHA-1 algorithm is absent from
the OpenSSL FIPS provider.
This commit enables the signature verification process to fetch the
algorithm from a non-FIPS OpenSSL provider.
Support for SHA-1 CMS signature is still required, especially in order
to interoperate with Active Directory. At least it is until elliptic
curve cryptography is implemented for PKINIT in MIT krb5.
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f41328763e..263ef7845e 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
if (oid == NULL)
goto cleanup;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
+ * allowing SHA-1 signature verification using the SHA1 crypto-module
+ */
+ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
+ if (!cms)
+ goto cleanup;
+#endif
+
/* decode received CMS message */
- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
+ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
retval = oerr(context, 0, _("Failed to decode CMS message"));
goto cleanup;
}
--
2.40.1
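Review bot: The `cms = CMS_ContentInfo_new_ex(NULL, "-fips");` line needs a comment stating how far the property query reaches: every algorithm fetched through this CMS object — the content digests of all signers and the public-key signature verification itself, not only the SHA-1 digest the commit message is concerned with — is resolved under that query, so the whole CMS verification path is taken out of the FIPS provider whenever it is loaded. A note such as `/* NOTE: this propquery governs every fetch made through cms (all digests and the signature check), not just SHA-1. */` would stop the next maintainer from reading this as a SHA-1-only exception, and the existing comment's "keeps from allowing" could be tightened to "would refuse". The switch to `d2i_CMS_ContentInfo(&cms, ...)` also makes the pre-3.0 branch depend on `cms` being initialised to NULL before this point; its declaration is outside the hunk, so that is worth confirming. On decode failure the code now jumps to `cleanup` with `cms` possibly allocated by the new call, and the free at that label is likewise outside the hunk, so it should be checked against OpenSSL's d2i reuse semantics on error (the passed-in object may be freed and reset) rather than assumed.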
218
0013-Enable-PKINIT-if-at-least-one-group-is-available.patch
Normal file
@ -0,0 +1,218 @@
From a378b1970d92692baeddf6a8681f47efb13e343d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 30 May 2023 01:21:48 -0400
|
||||||
|
Subject: [PATCH] Enable PKINIT if at least one group is available
|
||||||
|
|
||||||
|
OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
|
||||||
|
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
|
||||||
|
does not know about MODP group 2 (1024-bit), which is considered as a
|
||||||
|
custom group. As a consequence, the PKINIT kdcpreauth module fails to
|
||||||
|
load in FIPS mode.
|
||||||
|
|
||||||
|
Allow initialization of PKINIT plugin if at least one of the MODP
|
||||||
|
well-known group parameters successfully decodes.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: minor commit message and code edits]
|
||||||
|
|
||||||
|
ticket: 9096 (new)
|
||||||
|
(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a)
|
||||||
|
---
|
||||||
|
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
|
||||||
|
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
|
||||||
|
.../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++--------
|
||||||
|
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
|
||||||
|
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +
|
||||||
|
5 files changed, 51 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
index 725d5bc438..ea9ba454df 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context,
|
||||||
|
if (retval)
|
||||||
|
goto errout;
|
||||||
|
|
||||||
|
- retval = pkinit_init_plg_crypto(&ctx->cryptoctx);
|
||||||
|
+ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx);
|
||||||
|
if (retval)
|
||||||
|
goto errout;
|
||||||
|
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
index 9fa315d7a0..8bdbea8e95 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data {
|
||||||
|
/*
|
||||||
|
* Functions to initialize and cleanup crypto contexts
|
||||||
|
*/
|
||||||
|
-krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
|
||||||
|
+krb5_error_code pkinit_init_plg_crypto(krb5_context,
|
||||||
|
+ pkinit_plg_crypto_context *);
|
||||||
|
void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
|
||||||
|
|
||||||
|
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
index 263ef7845e..d646073d55 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
@@ -47,7 +47,8 @@
|
||||||
|
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
||||||
|
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
||||||
|
|
||||||
|
-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );
|
||||||
|
+static krb5_error_code pkinit_init_dh_params(krb5_context,
|
||||||
|
+ pkinit_plg_crypto_context);
|
||||||
|
static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
|
||||||
|
|
||||||
|
static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
|
||||||
|
@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_error_code
|
||||||
|
-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
||||||
|
+pkinit_init_plg_crypto(krb5_context context,
|
||||||
|
+ pkinit_plg_crypto_context *cryptoctx)
|
||||||
|
{
|
||||||
|
krb5_error_code retval = ENOMEM;
|
||||||
|
pkinit_plg_crypto_context ctx = NULL;
|
||||||
|
@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
||||||
|
if (retval)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- retval = pkinit_init_dh_params(ctx);
|
||||||
|
+ retval = pkinit_init_dh_params(context, ctx);
|
||||||
|
if (retval)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
|
||||||
|
ASN1_OBJECT_free(ctx->id_kp_serverAuth);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static krb5_error_code
|
||||||
|
-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)
|
||||||
|
+static int
|
||||||
|
+try_import_group(krb5_context context, const krb5_data *params,
|
||||||
|
+ const char *name, EVP_PKEY **pkey_out)
|
||||||
|
{
|
||||||
|
- krb5_error_code retval = ENOMEM;
|
||||||
|
-
|
||||||
|
- plgctx->dh_1024 = decode_dh_params(&oakley_1024);
|
||||||
|
- if (plgctx->dh_1024 == NULL)
|
||||||
|
- goto cleanup;
|
||||||
|
-
|
||||||
|
- plgctx->dh_2048 = decode_dh_params(&oakley_2048);
|
||||||
|
- if (plgctx->dh_2048 == NULL)
|
||||||
|
- goto cleanup;
|
||||||
|
+ *pkey_out = decode_dh_params(params);
|
||||||
|
+ if (*pkey_out == NULL)
|
||||||
|
+ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name);
|
||||||
|
+ return (*pkey_out != NULL) ? 1 : 0;
|
||||||
|
+}
|
||||||
|
|
||||||
|
- plgctx->dh_4096 = decode_dh_params(&oakley_4096);
|
||||||
|
- if (plgctx->dh_4096 == NULL)
|
||||||
|
- goto cleanup;
|
||||||
|
+static krb5_error_code
|
||||||
|
+pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx)
|
||||||
|
+{
|
||||||
|
+ int n = 0;
|
||||||
|
|
||||||
|
- retval = 0;
|
||||||
|
+ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)",
|
||||||
|
+ &plgctx->dh_1024);
|
||||||
|
+ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)",
|
||||||
|
+ &plgctx->dh_2048);
|
||||||
|
+ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)",
|
||||||
|
+ &plgctx->dh_4096);
|
||||||
|
|
||||||
|
-cleanup:
|
||||||
|
- if (retval)
|
||||||
|
+ if (n == 0) {
|
||||||
|
pkinit_fini_dh_params(plgctx);
|
||||||
|
+ k5_setmsg(context, ENOMEM,
|
||||||
|
+ _("PKINIT cannot initialize any key exchange groups"));
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return retval;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
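Review bot: The new contract that `plgctx->dh_1024`, `dh_2048` and `dh_4096` may legitimately remain NULL after `pkinit_init_dh_params` returns 0 is not stated anywhere in this hunk, although every reader of those fields now has to guard for it. A header comment above the function such as `/* Import the well-known MODP groups. A group OpenSSL cannot import is traced and left NULL; only the absence of all three is an error, so callers must NULL-check these fields. */` would make that explicit. As a minor style point, `return (*pkey_out != NULL) ? 1 : 0;` in try_import_group can simply be `return *pkey_out != NULL;`. If any consumer of these fields outside the hunks in this patch compares against them, it needs the same guard; none is visible here.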
|
||||||
|
@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
|
||||||
|
|
||||||
|
if (cryptoctx->received_params != NULL)
|
||||||
|
params = cryptoctx->received_params;
|
||||||
|
- else if (dh_size == 1024)
|
||||||
|
+ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024)
|
||||||
|
params = plg_cryptoctx->dh_1024;
|
||||||
|
- else if (dh_size == 2048)
|
||||||
|
+ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048)
|
||||||
|
params = plg_cryptoctx->dh_2048;
|
||||||
|
- else if (dh_size == 4096)
|
||||||
|
+ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096)
|
||||||
|
params = plg_cryptoctx->dh_4096;
|
||||||
|
else
|
||||||
|
goto cleanup;
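Review bot: When `dh_size` names a group that failed to import, the revised chain now takes the `else goto cleanup` path with no diagnostic, and the only record of the root cause is the `TRACE_PKINIT_DH_GROUP_UNAVAILABLE` emitted much earlier at plugin initialization. The error code that reaches `cleanup:` is set before this hunk, so whether the failure is even reported as an error is not visible here. A `k5_setmsg` in that `else` branch naming `dh_size`, or a dedicated trace point, would tie the failure back to its cause. client_create_dh begins and ends outside this hunk.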
|
||||||
|
@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
||||||
|
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
|
||||||
|
krb5_algorithm_identifier *alglist[4];
|
||||||
|
|
||||||
|
- if (opts->dh_min_bits > 4096) {
|
||||||
|
- ret = KRB5KRB_ERR_GENERIC;
|
||||||
|
- goto cleanup;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
i = 0;
|
||||||
|
- if (opts->dh_min_bits <= 2048)
|
||||||
|
+ if (plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048)
|
||||||
|
alglist[i++] = &alg_2048;
|
||||||
|
- alglist[i++] = &alg_4096;
|
||||||
|
- if (opts->dh_min_bits <= 1024)
|
||||||
|
+ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096)
|
||||||
|
+ alglist[i++] = &alg_4096;
|
||||||
|
+ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024)
|
||||||
|
alglist[i++] = &alg_1024;
|
||||||
|
alglist[i] = NULL;
|
||||||
|
|
||||||
|
+ if (i == 0) {
|
||||||
|
+ ret = KRB5KRB_ERR_GENERIC;
|
||||||
|
+ k5_setmsg(context, ret,
|
||||||
|
+ _("OpenSSL has no supported key exchange groups for "
|
||||||
|
+ "pkinit_dh_min_bits=%d"), opts->dh_min_bits);
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist);
|
||||||
|
if (ret)
|
||||||
|
goto cleanup;
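Review bot: Dropping the explicit `opts->dh_min_bits > 4096` check folds a configuration error into the new `i == 0` branch, whose message blames OpenSSL (`"OpenSSL has no supported key exchange groups for pkinit_dh_min_bits=%d"`) even when all three groups imported fine and the administrator simply set pkinit_dh_min_bits above 4096. Unless the option parser already rejects such values (not visible in this diff), keep a separate message for that case, e.g. restore the check ahead of the `if` chain with `k5_setmsg(context, ret, _("pkinit_dh_min_bits=%d exceeds the largest supported group"), opts->dh_min_bits);`. pkinit_create_td_dh_parameters begins and ends outside this hunk.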
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
index 1b3bf6d4d0..768a4e559f 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname,
|
||||||
|
goto errout;
|
||||||
|
plgctx->realmname_len = strlen(plgctx->realmname);
|
||||||
|
|
||||||
|
- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx);
|
||||||
|
+ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx);
|
||||||
|
if (retval)
|
||||||
|
goto errout;
|
||||||
|
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||||
|
index 259e95c6c2..5ee39c085c 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||||
|
@@ -90,6 +90,9 @@
|
||||||
|
#define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \
|
||||||
|
TRACE(c, "PKINIT client trying again with KDC-provided parameters")
|
||||||
|
|
||||||
|
+#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \
|
||||||
|
+ TRACE(c, "PKINIT key exchange group {str} unsupported", name)
|
||||||
|
+
|
||||||
|
#define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
|
||||||
|
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
@ -1,672 +0,0 @@
|
|||||||
From 5801da1ddc3b0984ad6997bb7a692eac85ff7dd3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu, 22 Dec 2022 03:05:23 -0500
|
|
||||||
Subject: [PATCH] Add PAC full checksums
|
|
||||||
|
|
||||||
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
|
|
||||||
over only the server checksum is vulnerable to collision attacks
|
|
||||||
(CVE-2022-37967). In response, Microsoft has added a second KDC
|
|
||||||
checksum over the full contents of the PAC. Generate and verify full
|
|
||||||
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
|
|
||||||
test case to use a ticket issued by a recent version of Active
|
|
||||||
Directory (provided by Stefan Metzmacher).
|
|
||||||
|
|
||||||
ticket: 9084 (new)
|
|
||||||
---
|
|
||||||
doc/appdev/refs/macros/index.rst | 1 +
|
|
||||||
src/include/krb5/krb5.hin | 1 +
|
|
||||||
src/lib/krb5/krb/pac.c | 92 +++++++++--------
|
|
||||||
src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++-----------
|
|
||||||
src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++-------------
|
|
||||||
src/tests/t_authdata.py | 4 +-
|
|
||||||
6 files changed, 240 insertions(+), 175 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
|
||||||
index 5f34dea5e8..3eeee25593 100644
|
|
||||||
--- a/doc/appdev/refs/macros/index.rst
|
|
||||||
+++ b/doc/appdev/refs/macros/index.rst
|
|
||||||
@@ -247,6 +247,7 @@ Public
|
|
||||||
KRB5_PAC_SERVER_CHECKSUM.rst
|
|
||||||
KRB5_PAC_TICKET_CHECKSUM.rst
|
|
||||||
KRB5_PAC_UPN_DNS_INFO.rst
|
|
||||||
+ KRB5_PAC_FULL_CHECKSUM.rst
|
|
||||||
KRB5_PADATA_AFS3_SALT.rst
|
|
||||||
KRB5_PADATA_AP_REQ.rst
|
|
||||||
KRB5_PADATA_AS_CHECKSUM.rst
|
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
|
||||||
index fb9f2a366c..2ba4010514 100644
|
|
||||||
--- a/src/include/krb5/krb5.hin
|
|
||||||
+++ b/src/include/krb5/krb5.hin
|
|
||||||
@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
|
|
||||||
#define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */
|
|
||||||
#define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */
|
|
||||||
#define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */
|
|
||||||
+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */
|
|
||||||
|
|
||||||
struct krb5_pac_data;
|
|
||||||
/** PAC data structure to convey authorization information */
|
|
||||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
|
||||||
index f6c4373de0..954482e0c7 100644
|
|
||||||
--- a/src/lib/krb5/krb/pac.c
|
|
||||||
+++ b/src/lib/krb5/krb/pac.c
|
|
||||||
@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type,
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
assert(type == KRB5_PAC_SERVER_CHECKSUM ||
|
|
||||||
- type == KRB5_PAC_PRIVSVR_CHECKSUM);
|
|
||||||
+ type == KRB5_PAC_PRIVSVR_CHECKSUM ||
|
|
||||||
+ type == KRB5_PAC_FULL_CHECKSUM);
|
|
||||||
assert(data->length >= pac->data.length);
|
|
||||||
|
|
||||||
for (i = 0; i < pac->pac->cBuffers; i++) {
|
|
||||||
@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type,
|
|
||||||
}
|
|
||||||
|
|
||||||
static krb5_error_code
|
|
||||||
-verify_server_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
- const krb5_keyblock *server)
|
|
||||||
+verify_pac_checksums(krb5_context context, const krb5_pac pac,
|
|
||||||
+ krb5_boolean expect_full_checksum,
|
|
||||||
+ const krb5_keyblock *server, const krb5_keyblock *privsvr)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
- krb5_data copy; /* PAC with zeroed checksums */
|
|
||||||
+ krb5_data copy, server_checksum;
|
|
||||||
|
|
||||||
+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */
|
|
||||||
ret = krb5int_copy_data_contents(context, &pac->data, ©);
|
|
||||||
if (ret)
|
|
||||||
return ret;
|
|
||||||
-
|
|
||||||
- /* Zero out both checksum buffers */
|
|
||||||
ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
|
||||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ if (server != NULL) {
|
|
||||||
+ /* Verify the server checksum over the PAC copy. */
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
-cleanup:
|
|
||||||
- free(copy.data);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
+ if (privsvr != NULL && expect_full_checksum) {
|
|
||||||
+ /* Zero the full checksum buffer in the copy and verify the full
|
|
||||||
+ * checksum over the copy with all three checksums zeroed. */
|
|
||||||
+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
-static krb5_error_code
|
|
||||||
-verify_kdc_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
- const krb5_keyblock *privsvr)
|
|
||||||
-{
|
|
||||||
- krb5_error_code ret;
|
|
||||||
- krb5_data server_checksum;
|
|
||||||
+ if (privsvr != NULL) {
|
|
||||||
+ /* Verify the privsvr checksum over the server checksum. */
|
|
||||||
+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
+ &server_checksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
|
||||||
+ return KRB5_BAD_MSIZE;
|
|
||||||
+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
- &server_checksum);
|
|
||||||
- if (ret)
|
|
||||||
- return ret;
|
|
||||||
- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
|
||||||
- return KRB5_BAD_MSIZE;
|
|
||||||
- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pac->verified = TRUE;
|
|
||||||
|
|
||||||
- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
|
||||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
|
||||||
+cleanup:
|
|
||||||
+ free(copy.data);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals
|
|
||||||
@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
|
||||||
uint8_t z = 0;
|
|
||||||
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
|
||||||
+ krb5_boolean is_service_tkt;
|
|
||||||
size_t i, j;
|
|
||||||
|
|
||||||
*pac_out = NULL;
|
|
||||||
@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) {
|
|
||||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
|
||||||
+ if (privsvr != NULL && is_service_tkt) {
|
|
||||||
/* To check the PAC ticket signatures, re-encode the ticket with the
|
|
||||||
* PAC contents replaced by a single zero. */
|
|
||||||
orig = ifrel[j];
|
|
||||||
@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL,
|
|
||||||
- server, privsvr, FALSE);
|
|
||||||
+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
|
|
||||||
*pac_out = pac;
|
|
||||||
pac = NULL;
|
|
||||||
@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context,
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
|
|
||||||
- if (server != NULL) {
|
|
||||||
- ret = verify_server_checksum(context, pac, server);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (privsvr != NULL) {
|
|
||||||
- ret = verify_kdc_checksum(context, pac, privsvr);
|
|
||||||
+ if (server != NULL || privsvr != NULL) {
|
|
||||||
+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr);
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pac->verified = TRUE;
|
|
||||||
-
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
|
|
||||||
index 0f9581abbb..8ea61ac17b 100644
|
|
||||||
--- a/src/lib/krb5/krb/pac_sign.c
|
|
||||||
+++ b/src/lib/krb5/krb/pac_sign.c
|
|
||||||
@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code KRB5_CALLCONV
|
|
||||||
-krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
- krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
- const krb5_keyblock *privsvr_key, krb5_data *data)
|
|
||||||
+/* Find the buffer of type buftype in pac and write within it a checksum of
|
|
||||||
+ * type cksumtype over data. Set *cksum_out to the checksum. */
|
|
||||||
+static krb5_error_code
|
|
||||||
+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype,
|
|
||||||
+ const krb5_keyblock *key, krb5_cksumtype cksumtype,
|
|
||||||
+ const krb5_data *data, krb5_data *cksum_out)
|
|
||||||
{
|
|
||||||
- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key,
|
|
||||||
- privsvr_key, FALSE, data);
|
|
||||||
+ krb5_error_code ret;
|
|
||||||
+ krb5_data buf;
|
|
||||||
+ krb5_crypto_iov iov[2];
|
|
||||||
+
|
|
||||||
+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH,
|
|
||||||
+ buf.length - PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
+ iov[0].data = *data;
|
|
||||||
+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
+ iov[1].data = *cksum_out;
|
|
||||||
+ return krb5_c_make_checksum_iov(context, cksumtype, key,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2);
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code KRB5_CALLCONV
|
|
||||||
-krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
- krb5_const_principal principal,
|
|
||||||
- const krb5_keyblock *server_key,
|
|
||||||
- const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
- krb5_data *data)
|
|
||||||
+static krb5_error_code
|
|
||||||
+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
+ krb5_boolean is_service_tkt, krb5_data *data)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
- krb5_data server_cksum, privsvr_cksum;
|
|
||||||
+ krb5_data full_cksum, server_cksum, privsvr_cksum;
|
|
||||||
krb5_cksumtype server_cksumtype, privsvr_cksumtype;
|
|
||||||
- krb5_crypto_iov iov[2];
|
|
||||||
|
|
||||||
data->length = 0;
|
|
||||||
data->data = NULL;
|
|
||||||
@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
if (principal != NULL) {
|
|
||||||
ret = k5_insert_client_info(context, pac, authtime, principal,
|
|
||||||
with_realm);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Create zeroed buffers for both checksums */
|
|
||||||
+ /* Create zeroed buffers for all checksums. */
|
|
||||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
server_key, &server_cksumtype);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
-
|
|
||||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
privsvr_key, &privsvr_cksumtype);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
|
||||||
+ privsvr_key, &privsvr_cksumtype);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- /* Now, encode the PAC header so that the checksums will include it */
|
|
||||||
+ /* Encode the PAC header so that the checksums will include it. */
|
|
||||||
ret = k5_pac_encode_header(context, pac);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
-
|
|
||||||
- /* Generate the server checksum over the entire PAC */
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
- &server_cksum);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
-
|
|
||||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
- iov[0].data = pac->data;
|
|
||||||
-
|
|
||||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
+ /* Generate a full KDC checksum over the whole PAC. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
|
||||||
+ privsvr_key, privsvr_cksumtype,
|
|
||||||
+ &pac->data, &full_cksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ret = krb5_c_make_checksum_iov(context, server_cksumtype,
|
|
||||||
- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
|
||||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
|
||||||
- if (ret != 0)
|
|
||||||
+ /* Generate the server checksum over the whole PAC, including the full KDC
|
|
||||||
+ * checksum if we added one. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
+ server_key, server_cksumtype, &pac->data,
|
|
||||||
+ &server_cksum);
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
- /* Generate the privsvr checksum over the server checksum buffer */
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
+ /* Generate the privsvr checksum over the server checksum buffer. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
+ privsvr_key, privsvr_cksumtype, &server_cksum,
|
|
||||||
&privsvr_cksum);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
-
|
|
||||||
- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
-
|
|
||||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
-
|
|
||||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
-
|
|
||||||
- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype,
|
|
||||||
- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
|
||||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
data->data = k5memdup(pac->data.data, pac->data.length, &ret);
|
|
||||||
@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+krb5_error_code KRB5_CALLCONV
|
|
||||||
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_data *data)
|
|
||||||
+{
|
|
||||||
+ return sign_pac(context, pac, authtime, principal, server_key,
|
|
||||||
+ privsvr_key, FALSE, FALSE, data);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+krb5_error_code KRB5_CALLCONV
|
|
||||||
+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal,
|
|
||||||
+ const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
+ krb5_data *data)
|
|
||||||
+{
|
|
||||||
+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key,
|
|
||||||
+ with_realm, FALSE, data);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be
|
|
||||||
* encoded with a dummy PAC authdata element containing a single zero byte. */
|
|
||||||
static krb5_error_code
|
|
||||||
@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
krb5_error_code ret;
|
|
||||||
krb5_data *der_enc_tkt = NULL, pac_data = empty_data();
|
|
||||||
krb5_authdata **list, *pac_ad;
|
|
||||||
+ krb5_boolean is_service_tkt;
|
|
||||||
size_t count;
|
|
||||||
|
|
||||||
/* Reallocate space for another authdata element in enc_tkt. */
|
|
||||||
@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
memmove(list + 1, list, (count + 1) * sizeof(*list));
|
|
||||||
list[0] = pac_ad;
|
|
||||||
|
|
||||||
- if (k5_pac_should_have_ticket_signature(server_princ)) {
|
|
||||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime,
|
|
||||||
- client_princ, server, privsvr, with_realm,
|
|
||||||
- &pac_data);
|
|
||||||
+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server,
|
|
||||||
+ privsvr, with_realm, is_service_tkt, &pac_data);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
|
||||||
index 173bde7bab..81f1642ab0 100644
|
|
||||||
--- a/src/lib/krb5/krb/t_pac.c
|
|
||||||
+++ b/src/lib/krb5/krb/t_pac.c
|
|
||||||
@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata,
|
|
||||||
|
|
||||||
static const krb5_keyblock ticket_sig_krbtgt_key = {
|
|
||||||
0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
||||||
- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84"
|
|
||||||
- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7")
|
|
||||||
+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E"
|
|
||||||
+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F")
|
|
||||||
};
|
|
||||||
|
|
||||||
static const krb5_keyblock ticket_sig_server_key = {
|
|
||||||
- 0, ENCTYPE_ARCFOUR_HMAC,
|
|
||||||
- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e")
|
|
||||||
+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
||||||
+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1"
|
|
||||||
+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE")
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing
|
|
||||||
+ * a PAC with a full checksum. */
|
|
||||||
static const krb5_data ticket_data = {
|
|
||||||
- .length = 972, .data =
|
|
||||||
- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B"
|
|
||||||
- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02"
|
|
||||||
- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82"
|
|
||||||
- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C"
|
|
||||||
- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77"
|
|
||||||
- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08"
|
|
||||||
- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F"
|
|
||||||
- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1"
|
|
||||||
- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65"
|
|
||||||
- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC"
|
|
||||||
- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7"
|
|
||||||
- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4"
|
|
||||||
- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5"
|
|
||||||
- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6"
|
|
||||||
- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06"
|
|
||||||
- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02"
|
|
||||||
- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49"
|
|
||||||
- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD"
|
|
||||||
- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE"
|
|
||||||
- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26"
|
|
||||||
- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D"
|
|
||||||
- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29"
|
|
||||||
- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD"
|
|
||||||
- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52"
|
|
||||||
- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28"
|
|
||||||
- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20"
|
|
||||||
- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28"
|
|
||||||
- "\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39"
|
|
||||||
- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB"
|
|
||||||
- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A"
|
|
||||||
- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E"
|
|
||||||
- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86"
|
|
||||||
- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C"
|
|
||||||
- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A"
|
|
||||||
- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF"
|
|
||||||
- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B"
|
|
||||||
- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87"
|
|
||||||
- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E"
|
|
||||||
- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2"
|
|
||||||
- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6"
|
|
||||||
- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC"
|
|
||||||
- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE"
|
|
||||||
- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9"
|
|
||||||
- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77"
|
|
||||||
- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA"
|
|
||||||
- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7"
|
|
||||||
- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB"
|
|
||||||
- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22"
|
|
||||||
- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F"
|
|
||||||
- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39"
|
|
||||||
- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1"
|
|
||||||
- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D"
|
|
||||||
- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3"
|
|
||||||
- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3"
|
|
||||||
- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A"
|
|
||||||
- "\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D"
|
|
||||||
- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB"
|
|
||||||
- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20"
|
|
||||||
- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5"
|
|
||||||
- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B"
|
|
||||||
- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1"
|
|
||||||
+ .length = 1307, .data =
|
|
||||||
+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B"
|
|
||||||
+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A"
|
|
||||||
+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66"
|
|
||||||
+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30"
|
|
||||||
+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82"
|
|
||||||
+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB"
|
|
||||||
+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69"
|
|
||||||
+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5"
|
|
||||||
+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99"
|
|
||||||
+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC"
|
|
||||||
+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9"
|
|
||||||
+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68"
|
|
||||||
+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14"
|
|
||||||
+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA"
|
|
||||||
+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8"
|
|
||||||
+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83"
|
|
||||||
+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E"
|
|
||||||
+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED"
|
|
||||||
+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96"
|
|
||||||
+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32"
|
|
||||||
+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED"
|
|
||||||
+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B"
|
|
||||||
+ "\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA"
|
|
||||||
+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F"
|
|
||||||
+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98"
|
|
||||||
+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05"
|
|
||||||
+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E"
|
|
||||||
+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8"
|
|
||||||
+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7"
|
|
||||||
+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96"
|
|
||||||
+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC"
|
|
||||||
+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11"
|
|
||||||
+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94"
|
|
||||||
+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89"
|
|
||||||
+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7"
|
|
||||||
+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE"
|
|
||||||
+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D"
|
|
||||||
+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29"
|
|
||||||
+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4"
|
|
||||||
+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8"
|
|
||||||
+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55"
|
|
||||||
+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54"
|
|
||||||
+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F"
|
|
||||||
+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1"
|
|
||||||
+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B"
|
|
||||||
+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2"
|
|
||||||
+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22"
|
|
||||||
+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1"
|
|
||||||
+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B"
|
|
||||||
+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE"
|
|
||||||
+ "\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A"
|
|
||||||
+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4"
|
|
||||||
+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B"
|
|
||||||
+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1"
|
|
||||||
+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1"
|
|
||||||
+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95"
|
|
||||||
+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8"
|
|
||||||
+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6"
|
|
||||||
+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56"
|
|
||||||
+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30"
|
|
||||||
+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38"
|
|
||||||
+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15"
|
|
||||||
+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08"
|
|
||||||
+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA"
|
|
||||||
+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65"
|
|
||||||
+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40"
|
|
||||||
+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29"
|
|
||||||
+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E"
|
|
||||||
+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26"
|
|
||||||
+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C"
|
|
||||||
+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01"
|
|
||||||
+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85"
|
|
||||||
+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10"
|
|
||||||
+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70"
|
|
||||||
+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44"
|
|
||||||
+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA"
|
|
||||||
+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24"
|
|
||||||
+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B"
|
|
||||||
+ "\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B"
|
|
||||||
+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A"
|
|
||||||
+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09"
|
|
||||||
+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6"
|
|
||||||
};
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
krb5_ticket *ticket;
|
|
||||||
- krb5_principal sprinc;
|
|
||||||
+ krb5_principal cprinc, sprinc;
|
|
||||||
krb5_authdata **authdata1, **authdata2;
|
|
||||||
krb5_pac pac, pac2, pac3;
|
|
||||||
uint32_t *list;
|
|
||||||
@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while decrypting ticket");
|
|
||||||
|
|
||||||
- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc);
|
|
||||||
+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc);
|
|
||||||
+ if (ret)
|
|
||||||
+ err(context, ret, "krb5_parse_name");
|
|
||||||
+
|
|
||||||
+ ret = krb5_parse_name(context,
|
|
||||||
+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE",
|
|
||||||
+ &sprinc);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "krb5_parse_name");
|
|
||||||
|
|
||||||
@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
|
|
||||||
/* In this test, the server is also the client. */
|
|
||||||
ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime,
|
|
||||||
- ticket->server, NULL, NULL);
|
|
||||||
+ cprinc, NULL, NULL);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while verifying PAC client info");
|
|
||||||
|
|
||||||
@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
ticket->enc_part2->authorization_data = NULL;
|
|
||||||
|
|
||||||
ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc,
|
|
||||||
- sprinc, &ticket_sig_server_key,
|
|
||||||
+ cprinc, &ticket_sig_server_key,
|
|
||||||
&ticket_sig_krbtgt_key, FALSE);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while signing ticket");
|
|
||||||
@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
krb5_pac_free(context, pac);
|
|
||||||
krb5_pac_free(context, pac2);
|
|
||||||
krb5_pac_free(context, pac3);
|
|
||||||
+ krb5_free_principal(context, cprinc);
|
|
||||||
krb5_free_principal(context, sprinc);
|
|
||||||
krb5_free_ticket(context, ticket);
|
|
||||||
}
|
|
||||||
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
|
||||||
index 47ea9e4b47..e934799268 100644
|
|
||||||
--- a/src/tests/t_authdata.py
|
|
||||||
+++ b/src/tests/t_authdata.py
|
|
||||||
@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf)
|
|
||||||
# container.
|
|
||||||
mark('baseline authdata')
|
|
||||||
out = realm.run(['./adata', realm.host_princ])
|
|
||||||
-if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out:
|
|
||||||
+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out:
|
|
||||||
fail('expected authdata not seen for basic request')
|
|
||||||
|
|
||||||
# Requested authdata is copied into the ticket, with KDC-only types
|
|
||||||
@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
|
|
||||||
if '+97: [indcl]' not in out or '[inds1]' in out:
|
|
||||||
fail('correct auth-indicator not seen for S4U2Proxy req')
|
|
||||||
# Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included.
|
|
||||||
-if '?128: [1, 6, 7, 10, 11, 16]' not in out:
|
|
||||||
+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out:
|
|
||||||
fail('PAC with delegation info not seen for S4U2Proxy req')
|
|
||||||
|
|
||||||
# Get another S4U2Proxy ticket including request-authdata.
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -5,10 +5,13 @@ export RPM_PACKAGE_NAME={{ name }}
export RPM_PACKAGE_VERSION={{ version }}
export RPM_PACKAGE_VERSION={{ version }}
export RPM_PACKAGE_RELEASE={{ release }}
export RPM_PACKAGE_RELEASE={{ release }}
export RPM_ARCH={{ arch }}
export RPM_ARCH={{ arch }}
export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)"
testdir="$(mktemp -d)"
testdir="$(mktemp -d)"
trap "rm -rf ${testdir}" EXIT
trap "rm -rf ${testdir}" EXIT
build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"
cp -rp /usr/share/{{ name }}-tests "${testdir}/"
cp -rp /usr/share/{{ name }}-tests "${testdir}/"
make -C "${testdir}/{{ name }}-tests" $(rpm --eval '%{_smp_mflags}')
make -C "${testdir}/{{ name }}-tests" $build_flags
keyctl session - make -C "${testdir}/{{ name }}-tests" check
keyctl session - make -C "${testdir}/{{ name }}-tests" check
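Review bot: The new `build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"` line feeds the expanded macro text back through eval, so whatever the host's rpm macro configuration expands `%{_smp_mflags}` to is executed as shell rather than only printed; presumably the eval exists to resolve a `${RPM_BUILD_NCPUS}` reference inside that expansion, which would be why the same hunk now exports RPM_BUILD_NCPUS from getconf. Since the script already computes the CPU count itself, the eval-free `build_flags="-j${RPM_BUILD_NCPUS}"` gives the same parallelism without the indirection. If the macro lookup is intentional (for example to honour a site-wide cap configured in the rpm macros), a one-line comment such as `# eval: _smp_mflags references ${RPM_BUILD_NCPUS}, exported above` would make that clear to the next reader. Leaving `$build_flags` unquoted on the make line is consistent with the old inline `$(rpm --eval ...)` form, so several flags still split into separate arguments.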
165
krb5.spec
165
krb5.spec
@ -10,7 +10,7 @@
#
#
# baserelease is what we have standardized across Fedora and what
# baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle.
# rpmdev-bumpspec knows how to handle.
%global baserelease 9
%global baserelease 1
# This should be e.g. beta1 or %%nil
# This should be e.g. beta1 or %%nil
%global pre_release %nil
%global pre_release %nil
@ -22,9 +22,9 @@
%endif
%endif
%global krb5_version_major 1
%global krb5_version_major 1
%global krb5_version_minor 20
%global krb5_version_minor 21
# For a release without a patch number set to %%nil
# For a release without a patch number set to %%nil
%global krb5_version_patch 1
%global krb5_version_patch %nil
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
%global krb5_version %{krb5_version_major_minor}
%global krb5_version %{krb5_version_major_minor}
@ -59,23 +59,19 @@ Source13: kadmind.logrotate
|
|||||||
Source14: krb5-krb5kdc.conf
|
Source14: krb5-krb5kdc.conf
|
||||||
Source15: %{name}-tests
|
Source15: %{name}-tests
|
||||||
|
|
||||||
Patch1: 0001-downstream-ksu-pam-integration.patch
|
Patch0001: 0001-downstream-ksu-pam-integration.patch
|
||||||
Patch2: 0002-downstream-SELinux-integration.patch
|
Patch0002: 0002-downstream-SELinux-integration.patch
|
||||||
Patch3: 0003-downstream-fix-debuginfo-with-y.tab.c.patch
|
Patch0003: 0003-downstream-fix-debuginfo-with-y.tab.c.patch
|
||||||
Patch4: 0004-downstream-Remove-3des-support.patch
|
Patch0004: 0004-downstream-Remove-3des-support.patch
|
||||||
Patch5: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
Patch0005: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
||||||
Patch6: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
|
Patch0006: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
|
||||||
Patch7: 0007-Add-configure-variable-for-default-PKCS-11-module.patch
|
Patch0007: 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
|
||||||
Patch8: 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch
|
Patch0008: 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch
|
||||||
Patch9: 0009-Simplify-plugin-loading-code.patch
|
Patch0009: 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch
|
||||||
Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch
|
Patch0010: 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
|
||||||
Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch
|
Patch0011: 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
|
||||||
Patch12: 0012-Add-and-use-ts_interval-helper.patch
|
Patch0012: 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
|
||||||
Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
|
Patch0013: 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch
|
||||||
Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
|
|
||||||
Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch
|
|
||||||
Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
|
|
||||||
Patch17: 0017-Add-PAC-full-checksums.patch
|
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://web.mit.edu/kerberos/www/
|
URL: https://web.mit.edu/kerberos/www/
|
||||||
@ -712,9 +708,22 @@ exit 0
|
|||||||
%{_datarootdir}/%{name}-tests/
|
%{_datarootdir}/%{name}-tests/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 12 2023 Julien Rische <jrische@redhat.com> - 1.21-1
|
||||||
|
- New upstream version (1.21)
|
||||||
|
- Do not disable PKINIT if some of the well-known DH groups are unavailable
|
||||||
|
Resolves: rhbz#2214297
|
||||||
|
- Make PKINIT CMS SHA-1 signature verification available in FIPS mode
|
||||||
|
Resolves: rhbz#2214300
|
||||||
|
- Allow to set PAC ticket signature as optional
|
||||||
|
Resolves: rhbz#2181311
|
||||||
|
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
|
||||||
|
Resolves: rhbz#2166001
|
||||||
|
- Fix syntax error in aclocal.m4
|
||||||
|
Resolves: rhbz#2143306
|
||||||
|
|
||||||
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9
|
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9
|
||||||
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
|
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
|
||||||
- Resolves: rhbz#2166001
|
Resolves: rhbz#2166001
|
||||||
|
|
||||||
* Mon Jan 30 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8
|
* Mon Jan 30 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8
|
||||||
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
|
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
|
||||||
@ -726,7 +735,7 @@ exit 0
|
|||||||
* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
|
* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
|
||||||
- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
|
- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
|
||||||
- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
|
- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
|
||||||
- Resolves: rhbz#2114771
|
Resolves: rhbz#2114771
|
||||||
|
|
||||||
* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
|
* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
|
||||||
- Strip debugging data from ksu executable file
|
- Strip debugging data from ksu executable file
|
||||||
@ -743,18 +752,18 @@ exit 0
|
|||||||
|
|
||||||
* Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
|
* Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
|
||||||
- New upstream version (1.20.1)
|
- New upstream version (1.20.1)
|
||||||
- Resolves: rhbz#2124463
|
Resolves: rhbz#2124463
|
||||||
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
|
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
|
||||||
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
|
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
|
||||||
- Resolves: rhbz#2114766
|
Resolves: rhbz#2114766
|
||||||
- Update error checking for OpenSSL CMS_verify
|
- Update error checking for OpenSSL CMS_verify
|
||||||
- Resolves: rhbz#2119704
|
Resolves: rhbz#2119704
|
||||||
- Remove invalid password expiry warning
|
- Remove invalid password expiry warning
|
||||||
- Resolves: rhbz#2129113
|
Resolves: rhbz#2129113
|
||||||
|
|
||||||
* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13
|
* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13
|
||||||
- Fix integer overflows in PAC parsing (CVE-2022-42898)
|
- Fix integer overflows in PAC parsing (CVE-2022-42898)
|
||||||
- Resolves: rhbz#2143011
|
Resolves: rhbz#2143011
|
||||||
|
|
||||||
* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12
|
* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12
|
||||||
- Use baserelease to set the release number
|
- Use baserelease to set the release number
|
||||||
@ -766,14 +775,14 @@ exit 0
|
|||||||
|
|
||||||
* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11
|
* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11
|
||||||
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
|
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
|
||||||
- Resolves: rhbz#2082189
|
Resolves: rhbz#2082189
|
||||||
- Read GSS configuration files with mtime 0
|
- Read GSS configuration files with mtime 0
|
||||||
|
|
||||||
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10
|
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10
|
||||||
- Use p11-kit as default PKCS11 module
|
- Use p11-kit as default PKCS11 module
|
||||||
- Resolves: rhbz#2073274
|
Resolves: rhbz#2073274
|
||||||
- Try harder to avoid password change replay errors
|
- Try harder to avoid password change replay errors
|
||||||
- Resolves: rhbz#2072059
|
Resolves: rhbz#2072059
|
||||||
|
|
||||||
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9
|
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9
|
||||||
- Fix libkrad client cleanup
|
- Fix libkrad client cleanup
|
||||||
@ -791,7 +800,7 @@ exit 0
|
|||||||
|
|
||||||
* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-5
|
* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-5
|
||||||
- Temporarily remove package note to unblock krb5-dependent packages
|
- Temporarily remove package note to unblock krb5-dependent packages
|
||||||
- Resolves: rhbz#2048909
|
Resolves: rhbz#2048909
|
||||||
|
|
||||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-4.1
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-4.1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
@ -909,7 +918,7 @@ exit 0
|
|||||||
|
|
||||||
* Tue Nov 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-30
|
* Tue Nov 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-30
|
||||||
- Migrate /var/run to /run, an exercise in pointlessness
|
- Migrate /var/run to /run, an exercise in pointlessness
|
||||||
- Resolves: #1898410
|
Resolves: rhbz#1898410
|
||||||
|
|
||||||
* Thu Nov 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-29
|
* Thu Nov 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-29
|
||||||
- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)
|
- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)
|
||||||
@ -931,14 +940,14 @@ exit 0
|
|||||||
|
|
||||||
* Thu Sep 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-23
|
* Thu Sep 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-23
|
||||||
- Use `systemctl reload` to HUP the KDC during logrotate
|
- Use `systemctl reload` to HUP the KDC during logrotate
|
||||||
- Resolves: #1877692
|
Resolves: rhbz#1877692
|
||||||
|
|
||||||
* Wed Sep 09 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-22
|
* Wed Sep 09 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-22
|
||||||
- Fix input length checking in SPNEGO DER decoding
|
- Fix input length checking in SPNEGO DER decoding
|
||||||
|
|
||||||
* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21
|
* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21
|
||||||
- Mark crypto-polices snippet as missingok
|
- Mark crypto-polices snippet as missingok
|
||||||
- Resolves: #1868379
|
Resolves: rhbz#1868379
|
||||||
|
|
||||||
* Thu Aug 13 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-20
|
* Thu Aug 13 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-20
|
||||||
- Temporarily dns_canonicalize_hostname=fallback changes
|
- Temporarily dns_canonicalize_hostname=fallback changes
|
||||||
@ -955,7 +964,7 @@ exit 0
|
|||||||
|
|
||||||
* Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-16
|
* Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-16
|
||||||
- Disable tests on s390x
|
- Disable tests on s390x
|
||||||
- Resolves: #1863952
|
Resolves: rhbz#1863952
|
||||||
|
|
||||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-15
|
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-15
|
||||||
- Second attempt - Rebuilt for
|
- Second attempt - Rebuilt for
|
||||||
@ -976,7 +985,7 @@ exit 0
|
|||||||
|
|
||||||
* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10
|
* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10
|
||||||
- Set qualify_shortname empty in default configuration
|
- Set qualify_shortname empty in default configuration
|
||||||
- Resolves: #1852041
|
Resolves: rhbz#1852041
|
||||||
|
|
||||||
* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-9
|
* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-9
|
||||||
- Use two queues for concurrent t_otp.py daemons
|
- Use two queues for concurrent t_otp.py daemons
|
||||||
@ -1150,7 +1159,7 @@ exit 0
|
|||||||
|
|
||||||
* Mon Jul 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-35
|
* Mon Jul 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-35
|
||||||
- Don't error on invalid enctypes in keytab
|
- Don't error on invalid enctypes in keytab
|
||||||
- Resolves: #1724380
|
Resolves: rhbz#1724380
|
||||||
|
|
||||||
* Tue Jul 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-34
|
* Tue Jul 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-34
|
||||||
- Remove now-unused checksum functions
|
- Remove now-unused checksum functions
|
||||||
@ -1235,7 +1244,7 @@ exit 0
|
|||||||
|
|
||||||
* Thu Apr 11 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-8
|
* Thu Apr 11 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-8
|
||||||
- Implement krb5_cc_remove_cred for remaining types
|
- Implement krb5_cc_remove_cred for remaining types
|
||||||
- Resolves: #1693836
|
Resolves: rhbz#1693836
|
||||||
|
|
||||||
* Mon Apr 01 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-7
|
* Mon Apr 01 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-7
|
||||||
- FIPS-aware SPAKE group negotiation
|
- FIPS-aware SPAKE group negotiation
|
||||||
@ -1270,7 +1279,7 @@ exit 0
|
|||||||
|
|
||||||
* Mon Dec 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.2
|
* Mon Dec 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.2
|
||||||
- Restore pdfs source file
|
- Restore pdfs source file
|
||||||
- Resolves: #1659716
|
Resolves: rhbz#1659716
|
||||||
|
|
||||||
* Thu Dec 06 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.1
|
* Thu Dec 06 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.1
|
||||||
- New upstream release (1.17-beta2)
|
- New upstream release (1.17-beta2)
|
||||||
@ -1284,26 +1293,26 @@ exit 0
|
|||||||
|
|
||||||
* Thu Nov 08 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta1.1
|
* Thu Nov 08 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta1.1
|
||||||
- Fix spurious errors from kcmio_unix_socket_write
|
- Fix spurious errors from kcmio_unix_socket_write
|
||||||
- Resolves: #1645912
|
Resolves: rhbz#1645912
|
||||||
|
|
||||||
* Thu Nov 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-0.beta1.1
|
* Thu Nov 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-0.beta1.1
|
||||||
- New upstream beta release
|
- New upstream beta release
|
||||||
|
|
||||||
* Wed Oct 24 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-25
|
* Wed Oct 24 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-25
|
||||||
- Update man pages to reference kerberos(7)
|
- Update man pages to reference kerberos(7)
|
||||||
- Resolves: #1143767
|
Resolves: rhbz#1143767
|
||||||
|
|
||||||
* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-24
|
* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-24
|
||||||
- Use port-sockets.h macros in cc_kcm, sendto_kdc
|
- Use port-sockets.h macros in cc_kcm, sendto_kdc
|
||||||
- Resolves: #1631998
|
Resolves: rhbz#1631998
|
||||||
|
|
||||||
* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-23
|
* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-23
|
||||||
- Correct kpasswd_server description in krb5.conf(5)
|
- Correct kpasswd_server description in krb5.conf(5)
|
||||||
- Resolves: #1640272
|
Resolves: rhbz#1640272
|
||||||
|
|
||||||
* Mon Oct 15 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-22
|
* Mon Oct 15 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-22
|
||||||
- Prefer TCP to UDP for password changes
|
- Prefer TCP to UDP for password changes
|
||||||
- Resolves: #1637611
|
Resolves: rhbz#1637611
|
||||||
|
|
||||||
* Tue Oct 09 2018 Adam Williamson <awilliam@redhat.com> - 1.16.1-21
|
* Tue Oct 09 2018 Adam Williamson <awilliam@redhat.com> - 1.16.1-21
|
||||||
- Revert the patch from -20 for now as it seems to make FreeIPA worse
|
- Revert the patch from -20 for now as it seems to make FreeIPA worse
|
||||||
@ -1352,18 +1361,18 @@ exit 0
|
|||||||
|
|
||||||
* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-6
|
* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-6
|
||||||
- Switch to python3-sphinx for docs
|
- Switch to python3-sphinx for docs
|
||||||
- Resolves: #1590928
|
Resolves: rhbz#1590928
|
||||||
|
|
||||||
* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-5
|
* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-5
|
||||||
- Make docs build python3-compatible
|
- Make docs build python3-compatible
|
||||||
- Resolves: #1590928
|
Resolves: rhbz#1590928
|
||||||
|
|
||||||
* Thu Jun 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-4
|
* Thu Jun 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-4
|
||||||
- Update includedir processing to match upstream
|
- Update includedir processing to match upstream
|
||||||
|
|
||||||
* Fri Jun 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-3
|
* Fri Jun 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-3
|
||||||
- Log when non-root ksu authorization fails
|
- Log when non-root ksu authorization fails
|
||||||
- Resolves: #1575771
|
Resolves: rhbz#1575771
|
||||||
|
|
||||||
* Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-2
|
* Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-2
|
||||||
- Remove "-nodes" option from make-certs scripts
|
- Remove "-nodes" option from make-certs scripts
|
||||||
@ -1385,7 +1394,7 @@ exit 0
|
|||||||
|
|
||||||
* Mon Apr 23 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-23
|
* Mon Apr 23 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-23
|
||||||
- Explicitly use openssl rather than builtin crypto
|
- Explicitly use openssl rather than builtin crypto
|
||||||
- Resolves: #1570910
|
Resolves: rhbz#1570910
|
||||||
|
|
||||||
* Tue Apr 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-22
|
* Tue Apr 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-22
|
||||||
- Merge duplicate subsections in profile library
|
- Merge duplicate subsections in profile library
|
||||||
@ -1435,7 +1444,7 @@ exit 0
|
|||||||
|
|
||||||
* Wed Mar 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-8
|
* Wed Mar 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-8
|
||||||
- Fix capaths "." values on client
|
- Fix capaths "." values on client
|
||||||
- Resolves: 1551099
|
Resolves: 1551099
|
||||||
|
|
||||||
* Tue Feb 13 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-7
|
* Tue Feb 13 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-7
|
||||||
- Fix flaws in LDAP DN checking
|
- Fix flaws in LDAP DN checking
|
||||||
@ -1444,7 +1453,7 @@ exit 0
|
|||||||
* Mon Feb 12 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-6
|
* Mon Feb 12 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-6
|
||||||
- Fix a leak in the previous commit
|
- Fix a leak in the previous commit
|
||||||
- Restore dist macro that was accidentally removed
|
- Restore dist macro that was accidentally removed
|
||||||
- Resolves: #1540939
|
Resolves: rhbz#1540939
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.16-5
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.16-5
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
@ -1457,7 +1466,7 @@ exit 0
|
|||||||
|
|
||||||
* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-2
|
* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-2
|
||||||
- Fix network service dependencies
|
- Fix network service dependencies
|
||||||
- Resolves: #1525230
|
Resolves: rhbz#1525230
|
||||||
|
|
||||||
* Wed Dec 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-1
|
* Wed Dec 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-1
|
||||||
- New upstream release (1.16)
|
- New upstream release (1.16)
|
||||||
@ -1487,12 +1496,12 @@ exit 0
|
|||||||
|
|
||||||
* Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28
|
* Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28
|
||||||
- Save other programs from worrying about CVE-2017-11462
|
- Save other programs from worrying about CVE-2017-11462
|
||||||
- Resolves: #1488873
|
Resolves: rhbz#1488873
|
||||||
- Resolves: #1488874
|
Resolves: rhbz#1488874
|
||||||
|
|
||||||
* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-27
|
* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-27
|
||||||
- Add hostname-based ccselect module
|
- Add hostname-based ccselect module
|
||||||
- Resolves: #1463665
|
Resolves: rhbz#1463665
|
||||||
|
|
||||||
* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-26
|
* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-26
|
||||||
- Backport upstream certauth EKU fixes
|
- Backport upstream certauth EKU fixes
|
||||||
@ -1543,7 +1552,7 @@ exit 0
|
|||||||
|
|
||||||
* Fri Jun 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-11
|
* Fri Jun 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-11
|
||||||
- Include more test suite changes from upstream
|
- Include more test suite changes from upstream
|
||||||
- Resolves: #1464381
|
Resolves: rhbz#1464381
|
||||||
|
|
||||||
* Wed Jun 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-10
|
* Wed Jun 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-10
|
||||||
- Fix custom build with -DDEBUG
|
- Fix custom build with -DDEBUG
|
||||||
@ -1559,12 +1568,12 @@ exit 0
|
|||||||
|
|
||||||
* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-6
|
* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-6
|
||||||
- Include fixes for previous commit
|
- Include fixes for previous commit
|
||||||
- Resolves: #1433083
|
Resolves: rhbz#1433083
|
||||||
|
|
||||||
* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-5
|
* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-5
|
||||||
- Automatically add includedir where not present
|
- Automatically add includedir where not present
|
||||||
- Try removing sleep statement to see if it is still needed
|
- Try removing sleep statement to see if it is still needed
|
||||||
- Resolves: #1433083
|
Resolves: rhbz#1433083
|
||||||
|
|
||||||
* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4
|
* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4
|
||||||
- Fix use of enterprise principals with forwarding
|
- Fix use of enterprise principals with forwarding
|
||||||
@ -1574,7 +1583,7 @@ exit 0
|
|||||||
|
|
||||||
* Tue Mar 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-2
|
* Tue Mar 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-2
|
||||||
- Remove duplication between subpackages
|
- Remove duplication between subpackages
|
||||||
- Resolves: #1250228
|
Resolves: rhbz#1250228
|
||||||
|
|
||||||
* Fri Mar 03 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-1
|
* Fri Mar 03 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-1
|
||||||
- New upstream release - 1.15.1
|
- New upstream release - 1.15.1
|
||||||
@ -1608,14 +1617,14 @@ exit 0
|
|||||||
* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1
|
* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1
|
||||||
- New upstream release
|
- New upstream release
|
||||||
- Update selinux with RHEL hygene
|
- Update selinux with RHEL hygene
|
||||||
- Resolves: #1314096
|
Resolves: rhbz#1314096
|
||||||
|
|
||||||
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6
|
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6
|
||||||
- rebuild with OpenSSL 1.1.0, added backported upstream patch
|
- rebuild with OpenSSL 1.1.0, added backported upstream patch
|
||||||
|
|
||||||
* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-5
|
* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-5
|
||||||
- Properly close krad sockets
|
- Properly close krad sockets
|
||||||
- Resolves: #1380836
|
Resolves: rhbz#1380836
|
||||||
|
|
||||||
* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-4
|
* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-4
|
||||||
- Fix backward check in kprop.service
|
- Fix backward check in kprop.service
|
||||||
@ -1634,42 +1643,42 @@ exit 0
|
|||||||
|
|
||||||
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
|
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
|
||||||
- Add krb5_db_register_keytab
|
- Add krb5_db_register_keytab
|
||||||
- Resolves: #1376812
|
Resolves: rhbz#1376812
|
||||||
|
|
||||||
* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8
|
* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8
|
||||||
- Use responder for non-preauth AS requests
|
- Use responder for non-preauth AS requests
|
||||||
- Resolves: #1370622
|
Resolves: rhbz#1370622
|
||||||
|
|
||||||
* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7
|
* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7
|
||||||
- Guess Samba client mutual flag using ap_option
|
- Guess Samba client mutual flag using ap_option
|
||||||
- Resolves: #1370980
|
Resolves: rhbz#1370980
|
||||||
|
|
||||||
* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6
|
* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6
|
||||||
- Fix KDC return code and set prompt types for OTP client preauth
|
- Fix KDC return code and set prompt types for OTP client preauth
|
||||||
- Resolves: #1370072
|
Resolves: rhbz#1370072
|
||||||
|
|
||||||
* Mon Aug 15 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-5
|
* Mon Aug 15 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-5
|
||||||
- Turn OFD locks back on with glibc workaround
|
- Turn OFD locks back on with glibc workaround
|
||||||
- Resolves: #1274922
|
Resolves: rhbz#1274922
|
||||||
|
|
||||||
* Wed Aug 10 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-4
|
* Wed Aug 10 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-4
|
||||||
- Fix use of KKDCPP with SNI
|
- Fix use of KKDCPP with SNI
|
||||||
- Resolves: #1365027
|
Resolves: rhbz#1365027
|
||||||
|
|
||||||
* Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3
|
* Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3
|
||||||
- Make krb5-devel depend on libkadm5
|
- Make krb5-devel depend on libkadm5
|
||||||
- Resolves: #1364487
|
Resolves: rhbz#1364487
|
||||||
|
|
||||||
* Wed Aug 03 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-2
|
* Wed Aug 03 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-2
|
||||||
- Up-port a bunch of stuff from the el-7.3 cycle
|
- Up-port a bunch of stuff from the el-7.3 cycle
|
||||||
- Resolves: #1255450, #1314989
|
Resolves: rhbz#1255450, rhbz#1314989
|
||||||
|
|
||||||
* Mon Aug 01 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-1
|
* Mon Aug 01 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-1
|
||||||
- New upstream version 1.14.3
|
- New upstream version 1.14.3
|
||||||
|
|
||||||
* Thu Jul 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-9
|
* Thu Jul 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-9
|
||||||
- Fix CVE-2016-3120
|
- Fix CVE-2016-3120
|
||||||
- Resolves: #1361051
|
Resolves: rhbz#1361051
|
||||||
|
|
||||||
* Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8
|
* Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8
|
||||||
- Fix incorrect recv() size calculation in libkrad
|
- Fix incorrect recv() size calculation in libkrad
|
||||||
@ -1682,18 +1691,18 @@ exit 0
|
|||||||
|
|
||||||
* Tue Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5
|
* Tue Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5
|
||||||
- Use the correct patches this time.
|
- Use the correct patches this time.
|
||||||
- Resolves: #1321135
|
Resolves: rhbz#1321135
|
||||||
|
|
||||||
* Mon Apr 04 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-4
|
* Mon Apr 04 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-4
|
||||||
- Add send/receive sendto_kdc hooks and corresponding tests
|
- Add send/receive sendto_kdc hooks and corresponding tests
|
||||||
- Resolves: #1321135
|
Resolves: rhbz#1321135
|
||||||
|
|
||||||
* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3
|
* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3
|
||||||
- Fix CVE-2016-3119 (NULL deref in LDAP module)
|
- Fix CVE-2016-3119 (NULL deref in LDAP module)
|
||||||
|
|
||||||
* Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2
|
* Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2
|
||||||
- Backport OID mech fix
|
- Backport OID mech fix
|
||||||
- Resolves: #1317609
|
Resolves: rhbz#1317609
|
||||||
|
|
||||||
* Mon Feb 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-1
|
* Mon Feb 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-1
|
||||||
- New rawhide, new upstream version
|
- New rawhide, new upstream version
|
||||||
@ -1703,7 +1712,7 @@ exit 0
|
|||||||
|
|
||||||
* Mon Feb 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-23
|
* Mon Feb 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-23
|
||||||
- Fix log file permissions patch with our selinux
|
- Fix log file permissions patch with our selinux
|
||||||
- Resolves: #1309421
|
Resolves: rhbz#1309421
|
||||||
|
|
||||||
* Fri Feb 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-22
|
* Fri Feb 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-22
|
||||||
- Backport my interposer fixes from upstream
|
- Backport my interposer fixes from upstream
|
||||||
@ -1712,7 +1721,7 @@ exit 0
|
|||||||
* Tue Feb 16 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-21
|
* Tue Feb 16 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-21
|
||||||
- Adjust dependency on crypto-polices to be just the file we want
|
- Adjust dependency on crypto-polices to be just the file we want
|
||||||
- Patch courtesy of lslebodn
|
- Patch courtesy of lslebodn
|
||||||
- Resolves: #1308984
|
Resolves: rhbz#1308984
|
||||||
|
|
||||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.14-20
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.14-20
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
@ -1720,21 +1729,21 @@ exit 0
|
|||||||
* Thu Jan 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-19
|
* Thu Jan 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-19
|
||||||
- Replace _kadmin/_kprop with systemd macros
|
- Replace _kadmin/_kprop with systemd macros
|
||||||
- Remove traces of upstart from fedora package per policy
|
- Remove traces of upstart from fedora package per policy
|
||||||
- Resolves: #1290185
|
Resolves: rhbz#1290185
|
||||||
|
|
||||||
* Wed Jan 27 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-18
|
* Wed Jan 27 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-18
|
||||||
- Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
|
- Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
|
||||||
|
|
||||||
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-17
|
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-17
|
||||||
- Make krb5kdc.log not world-readable by default
|
- Make krb5kdc.log not world-readable by default
|
||||||
- Resolves: #1276484
|
Resolves: rhbz#1276484
|
||||||
|
|
||||||
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-16
|
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-16
|
||||||
- Allow verification of attributes on krb5.conf
|
- Allow verification of attributes on krb5.conf
|
||||||
|
|
||||||
* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-15
|
* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-15
|
||||||
- Use "new" systemd macros for service handling. (Thanks vpavlin!)
|
- Use "new" systemd macros for service handling. (Thanks vpavlin!)
|
||||||
- Resolves: #850399
|
Resolves: rhbz#850399
|
||||||
|
|
||||||
* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-14
|
* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-14
|
||||||
- Remove WITH_NSS macro (always false)
|
- Remove WITH_NSS macro (always false)
|
||||||
@ -1744,7 +1753,7 @@ exit 0
|
|||||||
|
|
||||||
* Fri Jan 08 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-13
|
* Fri Jan 08 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-13
|
||||||
- Backport fix for chrome crash in spnego_gss_inquire_context
|
- Backport fix for chrome crash in spnego_gss_inquire_context
|
||||||
- Resolves: #1295893
|
Resolves: rhbz#1295893
|
||||||
|
|
||||||
* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-12
|
* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-12
|
||||||
- Backport patch to fix mechglue for gss_inqure_attrs_for_mech()
|
- Backport patch to fix mechglue for gss_inqure_attrs_for_mech()
|
||||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (krb5-1.20.1.tar.gz) = 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
|
SHA512 (krb5-1.21.tar.gz) = 8ee2366888f6d553a44fc642a89c69a57dbc1ec4c89a36b9ba8b00584a9a32c73a2b0566ba5f21852ad9617046666c276dac402393bf8eb19fbe0c07a838071a
|
||||||
SHA512 (krb5-1.20.1.tar.gz.asc) = 1d3312bd67581e07adfdadf2c5fe394179631d8add8bd075efefe982a0de22369004e60a14422d426382c8c591e4181b9897088afe9d4e86f0b5a97e5954c67a
|
SHA512 (krb5-1.21.tar.gz.asc) = 7147a44a13f4f26c5c1d9aba738b32892b50e351ad149dcaf0b6f2c010e3c51d7d51540d0a51b085450ffa31d5027b5f2e5841109d7af8bdaddbdd3a569582d5
|
||||||
|