New upstream release and integrate with external git

Robbie Harwood 2016-09-19 23:49:29 +00:00
parent 4f5955da72
commit 14f028579d
30 changed files with 747 additions and 1195 deletions

.gitignore vendored

@ -136,3 +136,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14.3.tar.gz /krb5-1.14.3.tar.gz
/krb5-1.14.3.tar.gz.asc /krb5-1.14.3.tar.gz.asc
/krb5-1.14.3-pdfs.tar /krb5-1.14.3-pdfs.tar
/krb5-1.14.4.tar.gz
/krb5-1.14.4.tar.gz.asc
/krb5-1.14.4-pdfs.tar


@ -1,7 +1,7 @@
From 700f0921e891c5986e31e8394a9e7287a7c16524 Mon Sep 17 00:00:00 2001 From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org> From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Mar 2016 18:53:31 +0100 Date: Thu, 3 Mar 2016 18:53:31 +0100
Subject: [PATCH 1/2] Add KDC pre-send and post-receive KDC hooks Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks
Add two new APIs, krb5_set_kdc_send_hook() and Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override krb5_set_kdc_recv_hook(), which can be used to inspect and override
@ -47,10 +47,10 @@ index 51c4093..dc414cf 100644
krb5_principal.rst krb5_principal.rst
krb5_principal_data.rst krb5_principal_data.rst
diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 41c3d1b..a4266d9 100644 index 6b7b2e3..045abfc 100644
--- a/src/include/k5-int.h --- a/src/include/k5-int.h
+++ b/src/include/k5-int.h +++ b/src/include/k5-int.h
@@ -1237,6 +1237,12 @@ struct _krb5_context { @@ -1238,6 +1238,12 @@ struct _krb5_context {
krb5_trace_callback trace_callback; krb5_trace_callback trace_callback;
void *trace_callback_data; void *trace_callback_data;
@ -64,10 +64,10 @@ index 41c3d1b..a4266d9 100644
char *plugin_base_dir; char *plugin_base_dir;
}; };
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 851cea3..59baf70 100644 index c93a0f2..2b0d59e 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -8288,6 +8288,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, @@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
krb5_error_code KRB5_CALLCONV krb5_error_code KRB5_CALLCONV
krb5_set_trace_filename(krb5_context context, const char *filename); krb5_set_trace_filename(krb5_context context, const char *filename);
@ -192,10 +192,10 @@ index c623409..ea6982d 100644
krb5_set_trace_callback krb5_set_trace_callback
krb5_set_trace_filename krb5_set_trace_filename
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 3b3b438..a2bc591 100644 index 6231de2..be00b8f 100644
--- a/src/lib/krb5/os/sendto_kdc.c --- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c
@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context, @@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
return 1; return 1;
} }
@ -218,7 +218,7 @@ index 3b3b438..a2bc591 100644
/* /*
* send the formatted request 'message' to a KDC for realm 'realm' and * send the formatted request 'message' to a KDC for realm 'realm' and
* return the response (if any) in 'reply'. * return the response (if any) in 'reply'.
@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context, @@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
krb5_error_code krb5_error_code
krb5_sendto_kdc(krb5_context context, const krb5_data *message, krb5_sendto_kdc(krb5_context context, const krb5_data *message,
@ -236,7 +236,7 @@ index 3b3b438..a2bc591 100644
/* /*
* find KDC location(s) for realm * find KDC location(s) for realm
@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, @@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
if (retval) if (retval)
return retval; return retval;
@ -264,7 +264,7 @@ index 3b3b438..a2bc591 100644
check_for_svc_unavailable, &err); check_for_svc_unavailable, &err);
if (retval == KRB5_KDC_UNREACH) { if (retval == KRB5_KDC_UNREACH) {
if (err == KDC_ERR_SVC_UNAVAILABLE) { if (err == KDC_ERR_SVC_UNAVAILABLE) {
@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, @@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
realm->length, realm->data); realm->length, realm->data);
} }
} }
@ -288,7 +288,7 @@ index 3b3b438..a2bc591 100644
/* Set use_master to 1 if we ended up talking to a master when we didn't /* Set use_master to 1 if we ended up talking to a master when we didn't
* explicitly request to. */ * explicitly request to. */
if (*use_master == 0) { if (*use_master == 0) {
@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, @@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
} }
cleanup: cleanup:
@ -310,5 +310,5 @@ index 3734e9b..8d58ea1 100644
+ krb5_set_kdc_send_hook @433 + krb5_set_kdc_send_hook @433
+ krb5_set_kdc_recv_hook @434 + krb5_set_kdc_recv_hook @434
-- --
2.8.0.rc3 2.9.3


@ -1,7 +1,7 @@
From c9136272512a6158d77e74035d52869443403a10 Mon Sep 17 00:00:00 2001 From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org> From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Sep 2016 18:33:43 +0200 Date: Wed, 7 Sep 2016 18:33:43 +0200
Subject: [PATCH] Add krb5_db_register_keytab() Subject: [PATCH 19/19] Add krb5_db_register_keytab()
Add a public libkdb5 function to register the KDB keytab type. This Add a public libkdb5 function to register the KDB keytab type. This
functionality is needed for out-of-tree KDC servers such as the Samba functionality is needed for out-of-tree KDC servers such as the Samba


@ -1,7 +1,7 @@
From e60e5e0a8e8e98edae8c678e5c300b30368006fb Mon Sep 17 00:00:00 2001 From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org> From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 Mar 2016 17:59:07 +0100 Date: Mon, 7 Mar 2016 17:59:07 +0100
Subject: [PATCH 2/2] Add tests for send and receive sendto_kdc hooks Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks
[ghudson@mit.edu: style changes] [ghudson@mit.edu: style changes]
@ -10,7 +10,7 @@ ticket: 8386
Conflicts: Conflicts:
src/tests/Makefile.in src/tests/Makefile.in
[rharwood@redhat.com: fix cherry-pick merge conflicts] [rharwood@redhat.com: fix cherry-pick merge conflicts]
[rharwood@redhat.com: remove references to .gitignore] [rharwood@redhat.com: locally remove gitignore]
--- ---
src/tests/Makefile.in | 12 ++- src/tests/Makefile.in | 12 ++-
src/tests/deps | 10 ++ src/tests/deps | 10 ++
@ -363,5 +363,5 @@ index 0000000..58dff3a
+ +
+success('send and recv hook tests') +success('send and recv hook tests')
-- --
2.8.0.rc3 2.9.3


@ -1,7 +1,7 @@
From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001 From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org> From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Aug 2016 18:03:55 +0200 Date: Mon, 8 Aug 2016 18:03:55 +0200
Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth
When encrypted timestamp pre-authentication fails, respond with error When encrypted timestamp pre-authentication fails, respond with error
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for


@ -1,7 +1,7 @@
From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001 From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 17 Dec 2015 13:31:39 -0500 Date: Tue, 23 Aug 2016 16:58:44 -0400
Subject: [PATCH] Create KDC and kadmind log files with mode 0640 Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640
In krb5_klog_init(), use open() and fdopen() to open log files so that In krb5_klog_init(), use open() and fdopen() to open log files so that
we can specify a mode. Specify a mode which doesn't include the we can specify a mode. Specify a mode which doesn't include the
@ -18,11 +18,10 @@ ticket: 8344 (new)
1 file changed, 12 insertions(+), 9 deletions(-) 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index 19c4355..f4a9387 100644 index 64f9641..0517efe 100644
--- a/src/lib/kadm5/logger.c
--- a/src/lib/kadm5/logger.c 2016-01-21 18:52:52.529544902 +0000 +++ b/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c 2016-01-21 18:57:22.923972419 +0000 @@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
@@ -354,7 +354,7 @@
const char *logging_profent[3]; const char *logging_profent[3];
const char *logging_defent[3]; const char *logging_defent[3];
char **logging_specs; char **logging_specs;
@ -31,7 +30,7 @@ index 19c4355..f4a9387 100644
char *cp, *cp2; char *cp, *cp2;
char savec = '\0'; char savec = '\0';
int error; int error;
@@ -422,18 +422,21 @@ @@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
/* /*
* Check for append/overwrite, then open the file. * Check for append/overwrite, then open the file.
*/ */
@ -61,3 +60,6 @@ index 19c4355..f4a9387 100644
} }
} }
#ifdef HAVE_SYSLOG #ifdef HAVE_SYSLOG
--
2.9.3


@ -1,7 +1,7 @@
From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com> From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500 Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers Subject: [PATCH 12/19] Fix impersonate_name to work with interposers
This follows the same modifications applied to This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were gss_acquire_cred_with_password() when interposer plugins were
@ -154,10 +154,10 @@ index 0dd4f87..9eab25e 100644
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred); free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index e6703eb..28fb9b1 100644 index 07435d8..99e374f 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c --- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, @@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs, gss_OID_set *actual_mechs,
OM_uint32 *time_rec) OM_uint32 *time_rec)
{ {
@ -170,7 +170,7 @@ index e6703eb..28fb9b1 100644
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, @@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
@ -218,5 +218,5 @@ index e6703eb..28fb9b1 100644
return (status); return (status);
} }
-- --
2.6.2 2.9.3


@ -1,7 +1,7 @@
From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001 From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:28:43 -0400 Date: Mon, 25 Jul 2016 13:28:43 -0400
Subject: [PATCH 2/3] Improve bad password inference in kinit Subject: [PATCH 17/19] Improve bad password inference in kinit
kinit currently outputs "Password incorrect" if it sees a kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be bad-integrity error code, which results if the KDC reply couldn't be


@ -1,7 +1,7 @@
From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001 From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:23:31 -0400 Date: Mon, 25 Jul 2016 13:23:31 -0400
Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt
Add k5_set_prompt_type() calls around the prompter invocation in Add k5_set_prompt_type() calls around the prompter invocation in
preauth_otp.c, and add the comment we conventionally put before preauth_otp.c, and add the comment we conventionally put before
@ -14,7 +14,7 @@ ticket: 8464 (new)
1 file changed, 5 insertions(+) 1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index 3de528b..01c48b4 100644 index 37f98b2..48fcbb5 100644
--- a/src/lib/krb5/krb/preauth_otp.c --- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c +++ b/src/lib/krb5/krb/preauth_otp.c
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@


@ -1,6 +1,17 @@
--- krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
+++ krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto From: Robbie Harwood <rharwood@redhat.com>
@@ -7,6 +7,7 @@ Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch
---
src/kadmin/testing/proto/krb5.conf.proto | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
index e9702bb..482fda6 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -8,6 +8,7 @@
__REALM__ = { __REALM__ = {
kdc = __KDCHOST__:1750 kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751 admin_server = __KDCHOST__:1751
@ -8,3 +19,6 @@
database_module = foobar_db2_module_blah database_module = foobar_db2_module_blah
} }
--
2.9.3
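Review bot: The converted header at the Subject line carries only the file name `krb5-1.11-kpasswdtest.patch` and goes straight to the `---` separator, so the reason the kadmin test krb5.conf.proto needs its added line is still undocumented after the conversion; the old plain-diff form had no description either. A one-sentence body between the Subject and the `---` line would let the next rebase judge whether the hunk is still needed, e.g. `Point the kadmin test realm at the test kpasswd port so the kpasswd tests reach the local server` — adjusted to whatever the added line actually configures, which is collapsed in this view.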


@ -1,9 +1,19 @@
From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch
A hack: if we're looking at creating a ccache directory directly below A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too. it, too.
---
src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- krb5/src/lib/krb5/ccache/cc_dir.c diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c index 73f0fe6..4850c0d 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -61,6 +61,8 @@ @@ -61,6 +61,8 @@
#include <dirent.h> #include <dirent.h>
@ -13,7 +23,7 @@ it, too.
extern const krb5_cc_ops krb5_dcc_ops; extern const krb5_cc_ops krb5_dcc_ops;
extern const krb5_cc_ops krb5_fcc_ops; extern const krb5_cc_ops krb5_fcc_ops;
@@ -239,6 +241,18 @@ @@ -237,6 +239,18 @@ verify_dir(krb5_context context, const char *dirname)
if (stat(dirname, &st) < 0) { if (stat(dirname, &st) < 0) {
if (errno == ENOENT) { if (errno == ENOENT) {
@ -32,3 +42,6 @@ it, too.
#ifdef USE_SELINUX #ifdef USE_SELINUX
selabel = krb5int_push_fscreatecon_for(dirname); selabel = krb5int_push_fscreatecon_for(dirname);
#endif #endif
--
2.9.3
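Review bot: The body paragraph beginning "A hack" says cc_dir.c will create /run/user/0 when it is missing, but it does not record the mode the directory is created with or whether the fallback is reached only when running as uid 0, and the twelve added lines in verify_dir are collapsed in this view, so neither can be confirmed from the page. Since the visible context shows verify_dir already doing `if (stat(dirname, &st) < 0) { if (errno == ENOENT) {` before creating, a sentence in the patch body stating the mode used for /run/user/0 and the uid restriction (if any) would make the privilege implications reviewable at the next rebase. The new `@@ -237,6 +239,18 @@ verify_dir(...)` header at least names the enclosing function, which the old hunk header did not.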


@ -1,10 +1,20 @@
From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH 07/19] krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time. crashing if applications don't check ahead of time.
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)
--- krb5/src/lib/krb5/krb/princ_comp.c diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+++ krb5/src/lib/krb5/krb/princ_comp.c index a693610..0ed7883 100644
@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context --- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
const krb5_data *realm1 = &princ1->realm; const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm; const krb5_data *realm2 = &princ2->realm;
@ -15,7 +25,7 @@ crashing if applications don't check ahead of time.
if (realm1->length != realm2->length) if (realm1->length != realm2->length)
return FALSE; return FALSE;
if (realm1->length == 0) if (realm1->length == 0)
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex @@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
krb5_principal upn2 = NULL; krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE; krb5_boolean ret = FALSE;
@ -25,3 +35,6 @@ crashing if applications don't check ahead of time.
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */ /* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
--
2.9.3


@ -1,33 +1,24 @@
From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH 05/19] krb5-1.12-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO, Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags. not just assume that the compiler supports using these flags.
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-
src/config/shlib.conf | 5 +++--
3 files changed, 11 insertions(+), 3 deletions(-)
--- krb5/src/config/shlib.conf diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+++ krb5/src/config/shlib.conf index c17cb5e..1891dea 100755
@@ -419,7 +419,7 @@ mips-*-netbsd*) --- a/src/build-tools/krb5-config.in
SHLIBEXT=.so +++ b/src/build-tools/krb5-config.in
# Linux ld doesn't default to stuffing the SONAME field... @@ -226,6 +226,13 @@ if test -n "$do_libs"; then
# Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'` -e 's#\$(CFLAGS)##'`
@ -41,9 +32,11 @@ not just assume that the compiler supports using these flags.
if test $library = 'kdb'; then if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5 library=krb5
--- krb5/src/config/pre.in diff --git a/src/config/pre.in b/src/config/pre.in
+++ krb5/src/config/pre.in index 63271e7..c100fef 100644
@@ -188,7 +188,7 @@ --- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@ INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@ INSTALL_SHLIB=@INSTALL_SHLIB@
@ -52,3 +45,29 @@ not just assume that the compiler supports using these flags.
## This is needed because autoconf will sometimes define @exec_prefix@ to be ## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}. ## ${prefix}.
prefix=@prefix@ prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index 55f16be..f4a762c 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -422,7 +422,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -433,7 +433,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--
2.9.3
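Review bot: `CC_LINK_SHARED` in the shlib.conf hunk adds `-pie -Wl,-z,relro -Wl,-z,now` at link time, but no `-fPIE` compile flag appears anywhere in the three file sections, so producing a PIE executable here presumably depends on the objects already being compiled position-independent through CFLAGS supplied from outside the tree; that assumption is worth recording in the body next to the existing FIXME about not checking compiler support for these flags. `LDCOMBINE` gets `-Wl,-z,relro` without `-z,now`, which matches the "partial RELRO" wording for libraries, and `INSTALL_SHLIB='${INSTALL} -m755'` matches "execute bit set". The three files are reordered relative to the old patch (shlib.conf now last) with the same content, so this is a conversion rather than a behavioural change.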


@ -1,7 +1,17 @@
Set the default PATH to the one set by login. From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch
--- krb5/src/clients/ksu/Makefile.in Set the default PATH to the one set by login.
+++ krb5/src/clients/ksu/Makefile.in ---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index ad2406a..1379c4a 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
mydir=clients$(S)ksu mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S).. BUILDTOP=$(REL)..$(S)..
@ -10,3 +20,6 @@ Set the default PATH to the one set by login.
KSU_LIBS=@KSU_LIBS@ KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@ PAM_LIBS=@PAM_LIBS@
--
2.9.3


@ -1,10 +1,51 @@
From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH 04/19] krb5-1.12-ktany.patch
Adds an "ANY" keytab type which is a list of other keytab locations to search Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab. the contents of the first keytab.
---
src/lib/krb5/keytab/Makefile.in | 3 +
src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/keytab/ktbase.c | 7 +-
3 files changed, 301 insertions(+), 1 deletion(-)
create mode 100644 src/lib/krb5/keytab/kt_any.c
diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
--- /dev/null 2009-06-04 10:34:55.169007373 -0400 index 28485d5..c17ab82 100644
+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400 --- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -12,6 +12,7 @@ STLIBOBJS= \
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_memory.o \
kt_srvtab.o \
@@ -24,6 +25,7 @@ OBJS= \
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_memory.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
@@ -36,6 +38,7 @@ SRCS= \
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_memory.c \
$(srcdir)/kt_srvtab.c \
diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c
new file mode 100644
index 0000000..1b9b776
--- /dev/null
+++ b/src/lib/krb5/keytab/kt_any.c
@@ -0,0 +1,292 @@ @@ -0,0 +1,292 @@
+/* +/*
+ * lib/krb5/keytab/kt_any.c + * lib/krb5/keytab/kt_any.c
@ -298,10 +339,11 @@ diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
+ free(data->choices); + free(data->choices);
+ free(data); + free(data);
+} +}
diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
--- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500 index 0d39b29..6534d7c 100644
+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400 --- a/src/lib/krb5/keytab/ktbase.c
@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops; +++ b/src/lib/krb5/keytab/ktbase.c
@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops; extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops; extern const krb5_kt_ops krb5_kts_ops;
extern const krb5_kt_ops krb5_mkt_ops; extern const krb5_kt_ops krb5_mkt_ops;
@ -322,30 +364,6 @@ diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktba
}; };
const static struct krb5_kt_typelist krb5_kt_typelist_memory = { const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
&krb5_mkt_ops, &krb5_mkt_ops,
diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in --
--- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500 2.9.3
+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400
@@ -19,6 +19,7 @@ STLIBOBJS= \
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_memory.o \
kt_srvtab.o \
@@ -31,6 +32,7 @@ OBJS= \
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_memory.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
@@ -43,6 +45,7 @@ SRCS= \
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_memory.c \
$(srcdir)/kt_srvtab.c \


@ -1,3 +1,8 @@
From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH 01/19] krb5-1.12.1-pam.patch
Modify ksu so that it performs account and session management on behalf of Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used service name is "ksu", because on Fedora at least the configuration used
@ -11,11 +16,22 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections. changes we're proposing for how it handles cache collections.
---
src/aclocal.m4 | 67 ++++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 88 +++++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 +++++++
src/configure.in | 2 +
6 files changed, 608 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
--- krb5/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 index dbb7db2..ce045ab 100644
+++ krb5/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500 --- a/src/aclocal.m4
@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +++ b/src/aclocal.m4
@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
])) ]))
])dnl ])dnl
dnl dnl
@ -86,9 +102,48 @@ diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
+AC_SUBST(PAM_MAN) +AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN) +AC_SUBST(NON_PAM_MAN)
+])dnl +])dnl
diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
--- krb5/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500 index c705fda..ad2406a 100644
+++ krb5/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500 --- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 2f8d8e1..1b2ca83 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu * KSU was writen by: Ari Medvinsky, ari@isi.edu
*/ */
@ -116,7 +171,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/***********/ /***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu" #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -586,6 +592,23 @@ main (argc, argv) @@ -514,6 +520,23 @@ main (argc, argv)
prog_name,target_user,client_name, prog_name,target_user,client_name,
source_user,ontty()); source_user,ontty());
@ -140,7 +195,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/* Run authorization as target.*/ /* Run authorization as target.*/
if (krb5_seteuid(target_uid)) { if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for " com_err(prog_name, errno, _("while switching to target for "
@@ -651,6 +676,24 @@ @@ -574,6 +597,24 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -165,7 +220,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
} }
if( some_rest_copy){ if( some_rest_copy){
@@ -720,6 +745,30 @@ @@ -631,6 +672,30 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -196,7 +251,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/* set permissions */ /* set permissions */
if (setgid(target_pwd->pw_gid) < 0) { if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid"); perror("ksu: setgid");
@@ -792,7 +817,7 @@ main (argc, argv) @@ -728,7 +793,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]); fprintf(stderr, "program to be execed %s\n",params[0]);
} }
@ -205,7 +260,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
execv(params[0], params); execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]); com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target); sweep_up(ksu_context, cc_target);
@@ -823,16 +875,35 @@ main (argc, argv) @@ -758,16 +823,35 @@ main (argc, argv)
if (ret_pid == -1) { if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid")); com_err(prog_name, errno, _("while calling waitpid"));
} }
@ -242,46 +297,11 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
exit (1); exit (1);
} }
} }
diff -up krb5/src/clients/ksu/Makefile.in.pam krb5/src/clients/ksu/Makefile.in diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
--- krb5/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500 new file mode 100644
+++ krb5/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500 index 0000000..cbfe487
@@ -7,12 +7,14 @@ --- /dev/null
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +++ b/src/clients/ksu/pam.c
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
--- krb5/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500
+++ krb5/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,389 @@ @@ -0,0 +1,389 @@
+/* +/*
+ * src/clients/ksu/pam.c + * src/clients/ksu/pam.c
@ -672,9 +692,11 @@ diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
+ return ret; + return ret;
+} +}
+#endif +#endif
diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
--- krb5/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500 new file mode 100644
+++ krb5/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500 index 0000000..0ab7656
--- /dev/null
+++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@ @@ -0,0 +1,57 @@
+/* +/*
+ * src/clients/ksu/pam.h + * src/clients/ksu/pam.h
@ -733,10 +755,11 @@ diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h
+int appl_pam_cred_init(void); +int appl_pam_cred_init(void);
+void appl_pam_cleanup(void); +void appl_pam_cleanup(void);
+#endif +#endif
diff -up krb5/src/configure.in.pam krb5/src/configure.in diff --git a/src/configure.in b/src/configure.in
--- krb5/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500 index b2a8675..8846ca0 100644
+++ krb5/src/configure.in 2010-03-05 10:48:08.000000000 -0500 --- a/src/configure.in
@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a " +++ b/src/configure.in
@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff) AC_PATH_PROG(GROFF, groff)
@ -745,3 +768,6 @@ diff -up krb5/src/configure.in.pam krb5/src/configure.in
# Make localedir work in autoconf 2.5x. # Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
--
2.9.3


@ -1,10 +1,21 @@
From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891. original version filed as RT#5891.
---
src/aclocal.m4 | 9 +++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++
3 files changed, 29 insertions(+)
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500 index ed343c5..f67eef7 100644
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500 --- a/src/aclocal.m4
@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then +++ b/src/aclocal.m4
@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support) AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes OPENLDAP_PLUGIN=yes
fi fi
@ -20,10 +31,11 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
])dnl ])dnl
dnl dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 index aca8f31..0a0968c 100644
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret) if (ret)
goto cleanup; goto cleanup;
@ -47,11 +59,11 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret) if (ret)
goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 6a06f55..1f87e21 100644
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500 +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr @@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastFailedAuth", "krbLastFailedAuth",
"krbLoginFailedCount", "krbLoginFailedCount",
"krbLastSuccessfulAuth", "krbLastSuccessfulAuth",
@ -61,3 +73,6 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou
"krbLastPwdChange", "krbLastPwdChange",
"krbLastAdminUnlock", "krbLastAdminUnlock",
"krbExtraData", "krbExtraData",
--
2.9.3


@ -1,3 +1,8 @@
From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch
SELinux bases access to files on the domain of the requesting process, SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file. the operation being performed, and the context applied to the file.
@ -30,10 +35,42 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(), Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement. which we used earlier, is some improvement.
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
src/kadmin/dbutil/dump.c | 11 +-
src/kdc/main.c | 2 +-
src/lib/kadm5/logger.c | 4 +-
src/lib/kdb/kdb_log.c | 2 +-
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/slave/kpropd.c | 9 +
src/util/gss-kernel-lib/Makefile.in | 5 +-
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 381 +++++++++++++++++++++
26 files changed, 566 insertions(+), 22 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
--- krb5/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
+++ krb5/src/aclocal.m4 index ce045ab..311f099 100644
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) --- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl dnl
KRB5_AC_PRAGMA_WEAK_REF KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP WITH_LDAP
@ -41,7 +78,7 @@ which we used earlier, is some improvement.
KRB5_LIB_PARAMS KRB5_LIB_PARAMS
KRB5_AC_INITFINI KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS KRB5_AC_ENABLE_THREADS
@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) @@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN) AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN) AC_SUBST(NON_PAM_MAN)
])dnl ])dnl
@ -93,9 +130,32 @@ which we used earlier, is some improvement.
+LIBS="$old_LIBS" +LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS) +AC_SUBST(SELINUX_LIBS)
+])dnl +])dnl
--- krb5/src/config/pre.in diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+++ krb5/src/config/pre.in index f6184da..c17cb5e 100755
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ --- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -255,7 +256,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in
index b0d9015..63271e7 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LIBS = @LIBS@ LIBS = @LIBS@
@ -103,7 +163,7 @@ which we used earlier, is some improvement.
INSTALL=@INSTALL@ INSTALL=@INSTALL@
INSTALL_STRIP= INSTALL_STRIP=
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) @@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod... # HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@ HESIOD_LIBS = @HESIOD_LIBS@
@ -112,9 +172,11 @@ which we used earlier, is some improvement.
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB) GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X! # needs fixing if ever used on Mac OS X!
--- krb5/src/configure.in diff --git a/src/configure.in b/src/configure.in
+++ krb5/src/configure.in index 8846ca0..9ec8d84 100644
@@ -1053,6 +1053,8 @@ fi --- a/src/configure.in
+++ b/src/configure.in
@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM KRB5_WITH_PAM
@ -123,8 +185,10 @@ which we used earlier, is some improvement.
# Make localedir work in autoconf 2.5x. # Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+++ krb5/src/include/k5-int.h index 41c3d1b..6b7b2e3 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -129,6 +129,7 @@ typedef unsigned char u_char; @@ -129,6 +129,7 @@ typedef unsigned char u_char;
@ -133,8 +197,11 @@ which we used earlier, is some improvement.
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
--- krb5/src/include/k5-label.h diff --git a/src/include/k5-label.h b/src/include/k5-label.h
+++ krb5/src/include/k5-label.h new file mode 100644
index 0000000..dfaaa84
--- /dev/null
+++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H +#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H +#define _KRB5_LABEL_H
@ -168,8 +235,10 @@ which we used earlier, is some improvement.
+#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif +#endif
+#endif +#endif
--- krb5/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+++ krb5/src/include/krb5/krb5.hin index e2c08ae..c93a0f2 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@ @@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z) #define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif #endif
@ -183,9 +252,11 @@ which we used earlier, is some improvement.
#define KRB5_OLD_CRYPTO #define KRB5_OLD_CRYPTO
#include <stdlib.h> #include <stdlib.h>
--- krb5/src/kadmin/dbutil/dump.c diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+++ krb5/src/kadmin/dbutil/dump.c index 253bf3f..9c8c3dc 100644
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname --- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
{ {
int fd = -1; int fd = -1;
FILE *f; FILE *f;
@ -207,7 +278,7 @@ which we used earlier, is some improvement.
if (fd == -1) if (fd == -1)
goto error; goto error;
@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char @@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)
return 0; return 0;
} }
@ -216,28 +287,24 @@ which we used earlier, is some improvement.
if (*fd == -1) { if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++; exit_status++;
--- krb5/src/build-tools/krb5-config.in diff --git a/src/kdc/main.c b/src/kdc/main.c
+++ krb5/src/build-tools/krb5-config.in index 82dfc0e..936f46b 100644
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' --- a/src/kdc/main.c
DEFCCNAME='@DEFCCNAME@' +++ b/src/kdc/main.c
DEFKTNAME='@DEFKTNAME@' @@ -847,7 +847,7 @@ write_pid_file(const char *path)
DEFCKTNAME='@DEFCKTNAME@' FILE *file;
+SELINUX_LIBS='@SELINUX_LIBS@' unsigned long pid;
LIBS='@LIBS@' - file = fopen(path, "w");
GEN_LIB=@GEN_LIB@ + file = WRITABLEFOPEN(path, "w");
@@ -218,7 +219,7 @@ if (file == NULL)
fi return errno;
pid = (unsigned long) getpid();
# If we ever support a flag to generate output suitable for static diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" index 19c4355..64f9641 100644
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" --- a/src/lib/kadm5/logger.c
# here. +++ b/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
echo $lib_flags
--- krb5/src/lib/kadm5/logger.c
+++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file. * Check for append/overwrite, then open the file.
*/ */
if (cp[4] == ':' || cp[4] == '=') { if (cp[4] == ':' || cp[4] == '=') {
@ -246,7 +313,7 @@ which we used earlier, is some improvement.
if (f) { if (f) {
set_cloexec_file(f); set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f; log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) @@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the * In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs. * way, open for append to prevent squashing the old logs.
*/ */
@ -255,9 +322,74 @@ which we used earlier, is some improvement.
if (f) { if (f) {
set_cloexec_file(f); set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f; log_control.log_entries[lindex].lfu_filep = f;
--- krb5/src/lib/krb5/keytab/kt_file.c diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/krb5/keytab/kt_file.c index 99cda59..523b99a 100644
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context --- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
int ulogfd = -1;
if (stat(logname, &st) == -1) {
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e5..73f0fe6 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e105a51..ff1fc54 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id); KTCHECKLOCK(id);
errno = 0; errno = 0;
@ -266,7 +398,7 @@ which we used earlier, is some improvement.
(mode == KRB5_LOCKMODE_EXCLUSIVE) ? (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb); fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) { if (!KTFILEP(id)) {
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context @@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
/* try making it first time around */ /* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id)); k5_create_secure_file(context, KTFILENAME(id));
errno = 0; errno = 0;
@ -275,20 +407,84 @@ which we used earlier, is some improvement.
if (!KTFILEP(id)) if (!KTFILEP(id))
goto report_errno; goto report_errno;
writevno = 1; writevno = 1;
--- krb5/src/plugins/kdb/db2/adb_openclose.c diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
+++ krb5/src/plugins/kdb/db2/adb_openclose.c index 83c8d4d..a192461 100644
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char --- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 2fb6aa0..c453189 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a3..2b9d019 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
+++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
* needs be open read/write so that write locking can work with
* POSIX systems * POSIX systems
*/ */
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/* /*
* maybe someone took away write permission so we could only * maybe someone took away write permission so we could only
* get shared locks? * get shared locks?
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c index e97b841..5d1cd61 100644
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. --- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index 2977b17..d5809a5 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
@ -296,7 +492,7 @@ which we used earlier, is some improvement.
#include "db-int.h" #include "db-int.h"
#include "btree.h" #include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, @@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
goto einval; goto einval;
} }
@ -305,9 +501,11 @@ which we used earlier, is some improvement.
goto err; goto err;
} else { } else {
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c index 2a5b4f8..7239d03 100644
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
#include <assert.h> #include <assert.h>
#endif #endif
@ -315,7 +513,7 @@ which we used earlier, is some improvement.
#include "db-int.h" #include "db-int.h"
#include "hash.h" #include "hash.h"
#include "page.h" #include "page.h"
@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info @@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1; new_table = 1;
} }
if (file) { if (file) {
@ -324,9 +522,33 @@ which we used earlier, is some improvement.
RETURN_ERROR(errno, error0); RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1); (void)fcntl(hashp->fp, F_SETFD, 1);
} }
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index d8b26e7..b0daa7c 100644
@@ -179,7 +179,7 @@ done: --- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 64d0f91..5d5c0a6 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -178,7 +178,7 @@ done:
/* set password in the file */ /* set password in the file */
old_mode = umask(0177); old_mode = umask(0177);
@ -335,7 +557,7 @@ which we used earlier, is some improvement.
if (pfile == NULL) { if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name, com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno)); strerror (errno));
@@ -220,6 +220,9 @@ done: @@ -219,6 +219,9 @@ done:
* Delete the existing entry and add the new entry * Delete the existing entry and add the new entry
*/ */
FILE *newfile; FILE *newfile;
@ -345,7 +567,7 @@ which we used earlier, is some improvement.
mode_t omask; mode_t omask;
@@ -231,7 +234,13 @@ done: @@ -230,7 +233,13 @@ done:
} }
omask = umask(077); omask = umask(077);
@ -359,9 +581,11 @@ which we used earlier, is some improvement.
umask (omask); umask (omask);
if (newfile == NULL) { if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file); com_err(me, errno, _("Error creating file %s"), tmp_file);
--- krb5/src/slave/kpropd.c diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+++ krb5/src/slave/kpropd.c index 1383156..a950924 100644
@@ -437,6 +437,9 @@ void doit(fd) --- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -464,6 +464,9 @@ doit(int fd)
krb5_enctype etype; krb5_enctype etype;
int database_fd; int database_fd;
char host[INET6_ADDRSTRLEN + 1]; char host[INET6_ADDRSTRLEN + 1];
@ -371,7 +595,7 @@ which we used earlier, is some improvement.
signal_wrapper(SIGALRM, alarm_handler); signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout); alarm(params.iprop_resync_timeout);
@@ -515,9 +518,15 @@ void doit(fd) @@ -520,9 +523,15 @@ doit(int fd)
free(name); free(name);
exit(1); exit(1);
} }
@ -387,9 +611,37 @@ which we used earlier, is some improvement.
retval = krb5_lock_file(kpropd_context, lock_fd, retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) { if (retval) {
--- krb5/src/util/profile/prof_file.c diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/profile/prof_file.c index f70f3c6..7a2f9cc 100644
@@ -30,6 +30,7 @@ --- a/src/util/gss-kernel-lib/Makefile.in
+++ b/src/util/gss-kernel-lib/Makefile.in
@@ -61,6 +61,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 907c119..0f5462a 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
#endif #endif
#include "k5-platform.h" #include "k5-platform.h"
@ -397,7 +649,7 @@ which we used earlier, is some improvement.
struct global_shared_profile_data { struct global_shared_profile_data {
/* This is the head of the global list of shared trees */ /* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ @@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
errno = 0; errno = 0;
@ -406,9 +658,11 @@ which we used earlier, is some improvement.
if (!f) { if (!f) {
retval = errno; retval = errno;
if (retval == 0) if (retval == 0)
--- krb5/src/util/support/Makefile.in diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
+++ krb5/src/util/support/Makefile.in index 5181762..f77acd4 100644
@@ -54,6 +54,7 @@ IPC_SYMS= \ --- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -59,6 +59,7 @@ IPC_SYMS= \
STLIBOBJS= \ STLIBOBJS= \
threads.o \ threads.o \
@ -416,7 +670,7 @@ which we used earlier, is some improvement.
init-addrinfo.o \ init-addrinfo.o \
plugins.o \ plugins.o \
errors.o \ errors.o \
@@ -108,7 +109,7 @@ SRCS=\ @@ -131,7 +132,7 @@ SRCS=\
SHLIB_EXPDEPS = SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt. # Add -lm if dumping thread stats, for sqrt.
@ -425,8 +679,11 @@ which we used earlier, is some improvement.
DEPLIBS= DEPLIBS=
--- krb5/src/util/support/selinux.c diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
+++ krb5/src/util/support/selinux.c new file mode 100644
index 0000000..ffba6a9
--- /dev/null
+++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@ @@ -0,0 +1,381 @@
+/* +/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
@ -809,171 +1066,6 @@ which we used earlier, is some improvement.
+} +}
+ +
+#endif +#endif
--- krb5/src/lib/krb5/rcache/rc_dfl.c --
+++ krb5/src/lib/krb5/rcache/rc_dfl.c 2.9.3
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
--- krb5/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -223,10 +232,23 @@
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
--- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
--- krb5/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
--- krb5/src/kdc/main.c
+++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha
int ulogfd = -1;
if (stat(logname, &st) == -1) {
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
--- krb5/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h


@ -1,108 +0,0 @@
From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 8 Aug 2016 12:38:17 +0200
Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
Some web servers require a Host HTTP header for TLS connections with
SNI (server name indicator). It is also required for virtual hosts.
ticket: 8472 (new)
target_version: 1.14-next
tags: pullup
---
src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index c85fdba..a2b7359 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -78,6 +78,7 @@
#define MAX_PASS 3
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
+#define PORT_LENGTH 6 /* decimal repr of UINT16_MAX */
/* Select state flags. */
#define SSF_READ 0x01
@@ -138,6 +139,7 @@ struct conn_state {
struct {
const char *uri_path;
const char *servername;
+ char port[PORT_LENGTH];
char *https_request;
k5_tls_handle tls;
} http;
@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
k5_buf_init_dynamic(&buf);
uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
+ k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
+ state->http.port);
k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
k5_buf_add(&buf, "Pragma: no-cache\r\n");
k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
@@ -673,7 +677,7 @@ static krb5_error_code
add_connection(struct conn_state **conns, k5_transport transport,
krb5_boolean defer, struct addrinfo *ai, size_t server_index,
const krb5_data *realm, const char *hostname,
- const char *uri_path, char **udpbufp)
+ const char *port, const char *uri_path, char **udpbufp)
{
struct conn_state *state, **tailptr;
@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
state->service_write = service_tcp_write;
state->service_read = service_tcp_read;
} else if (transport == HTTPS) {
+ assert(hostname != NULL && port != NULL);
state->service_connect = service_tcp_connect;
state->service_write = service_https_write;
state->service_read = service_https_read;
state->http.uri_path = uri_path;
state->http.servername = hostname;
+ strlcpy(state->http.port, port, PORT_LENGTH);
} else {
state->service_connect = NULL;
state->service_write = NULL;
@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
struct addrinfo *addrs, *a, hint, ai;
krb5_boolean defer;
int err, result;
- char portbuf[64];
+ char portbuf[PORT_LENGTH];
/* Skip UDP entries if we don't want UDP. */
if (strategy == NO_UDP && entry->transport == UDP)
@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
ai.ai_addr = (struct sockaddr *)&entry->addr;
defer = (entry->transport != transport);
return add_connection(conns, entry->transport, defer, &ai, ind, realm,
- NULL, entry->uri_path, udpbufp);
+ NULL, NULL, entry->uri_path, udpbufp);
}
/* If the entry has a specified transport, use it. */
@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
retval = 0;
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
retval = add_connection(conns, transport, FALSE, a, ind, realm,
- entry->hostname, entry->uri_path, udpbufp);
+ entry->hostname, portbuf, entry->uri_path,
+ udpbufp);
}
/* For TCP_OR_UDP entries, add each address again with the non-preferred
@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
a->ai_socktype = socktype_for_transport(transport);
retval = add_connection(conns, transport, TRUE, a, ind, realm,
- entry->hostname, entry->uri_path, udpbufp);
+ entry->hostname, portbuf,
+ entry->uri_path, udpbufp);
}
}
freeaddrinfo(addrs);
--
2.8.1


@ -1,73 +0,0 @@
From 65110210b75d38908cdd84cb202cf013ccf6ed0e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 14 Aug 2016 12:08:16 -0400
Subject: [PATCH] Work around glibc OFD lock bug on 32-bit Linux
A bug in Gnu libc causes OFD locking to fail unpredictably on 32-bit
Linux, typically leading to deadlocks. Work around this bug by using
the fcntl64 system call and struct flock64.
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=20251
ticket: 8474
target_version: 1.14-next
tags: pullup
---
src/lib/krb5/os/lock_file.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
index a2f247c..2360c96 100644
--- a/src/lib/krb5/os/lock_file.c
+++ b/src/lib/krb5/os/lock_file.c
@@ -43,7 +43,29 @@
#if defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK)
#define POSIX_FILE_LOCKS
+
+/*
+ * Gnu libc bug 20251, currently unfixed, breaks OFD lock support on
+ * 32-bit platforms. Work around this bug by explicitly using the
+ * fcntl64 system call and struct flock64.
+ */
+#if defined(__linux__) && __WORDSIZE == 32
+#include <sys/syscall.h>
+#ifdef SYS_fcntl64
+#define USE_FCNTL64
#endif
+#endif
+#ifdef USE_FCNTL64
+/* Use the fcntl64 system call and struct flock64. (Gnu libc does not
+ * define a fcntl64() function, so we must use syscall().) */
+#define fcntl(fd, cmd, arg) syscall(SYS_fcntl64, fd, cmd, arg)
+typedef struct flock64 fcntl_lock_st;
+#else
+/* Use regular fcntl() and struct flock. */
+typedef struct flock fcntl_lock_st;
+#endif
+
+#endif /* defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK) */
#ifdef HAVE_FLOCK
#ifndef sysvimp
@@ -66,7 +88,7 @@
* older kernel than we were built with.
*/
static int
-ofdlock(int fd, int cmd, struct flock *lock_arg)
+ofdlock(int fd, int cmd, fcntl_lock_st *lock_arg)
{
#ifdef F_OFD_SETLKW
int st, ofdcmd;
@@ -89,7 +111,7 @@ krb5_lock_file(krb5_context context, int fd, int mode)
krb5_error_code retval = 0;
#ifdef POSIX_FILE_LOCKS
int lock_cmd = F_SETLKW;
- struct flock lock_arg = { 0 };
+ fcntl_lock_st lock_arg = { 0 };
#endif
switch (mode & ~KRB5_LOCKMODE_DONTBLOCK) {
--
2.8.1

View File

@ -1,86 +0,0 @@
From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 5 Aug 2016 12:28:03 -0400
Subject: [PATCH] Use responder for non-preauth AS requests
If no AS reply key is computed during pre-authentication (typically
because no pre-authentication was required by the KDC), ask for the
password using the responder before calling gak_fct for the key, and
supply any resulting responder items to gak_fct.
ticket: 8454
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
src/tests/t_general.py | 5 +++++
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index b78e19a..659be66 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
krb5_keyblock encrypting_key;
krb5_boolean fast_avail;
krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
+ krb5_responder_fn responder;
+ void *responder_data;
encrypting_key.length = 0;
encrypting_key.contents = NULL;
@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
code = -1;
if (code != 0) {
+ /* If a responder was provided and we are using a password, ask for the
+ * password using the responder before falling back to the prompter. */
+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
+ if (responder != NULL && !ctx->as_key.length) {
+ /* Indicate a need for the AS key by calling the gak_fct with a
+ * NULL as_key. */
+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
+ ctx->rctx.items);
+ if (code != 0)
+ goto cleanup;
+
+ /* If that produced a responder question, invoke the responder. */
+ if (!k5_response_items_empty(ctx->rctx.items)) {
+ code = (*responder)(context, responder_data, &ctx->rctx);
+ if (code != 0)
+ goto cleanup;
+ }
+ }
+
/* if we haven't get gotten a key, get it now */
TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
code = (*ctx->gak_fct)(context, ctx->request->client,
ctx->reply->enc_part.enctype,
ctx->prompter, ctx->prompter_data,
&ctx->salt, &ctx->s2kparams,
- &ctx->as_key, ctx->gak_data, NULL);
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
if (code != 0)
goto cleanup;
TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index c3629e6..13dd99b 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -34,6 +34,11 @@ realm.stop()
realm = K5Realm(create_host=False)
+# Regression test for #8454 (responder callback isn't used when
+# preauth is not required).
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+ realm.user_princ])
+
# Test that WRONG_REALM responses aren't treated as referrals unless
# they contain a crealm field pointing to a different realm.
# (Regression test for #8060.)
--
2.9.3

View File

@ -1,37 +0,0 @@
From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Thu, 25 Aug 2016 10:41:33 +0200
Subject: [PATCH] Guess Samba client mutual flag using ap_options
To work correctly with older Samba clients, we should guess the mutual
flag based on the ap_options from the AP-REQ and not set it
unconditionally. Found by the Samba torture testsuite.
[ghudson@mit.edu: edited comments and commit message]
ticket: 8486 (new)
target_version: 1.14-next
tags: pullup
---
src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b7fffeb..580d08c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ /* Use ap_options from the request to guess the mutual flag. */
+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
} else {
/* gss krb5 v1 */
--
2.9.3

View File

@ -1,8 +1,18 @@
From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH 06/19] krb5-1.3.1-dns.patch
We want to be able to use --with-netlib and --enable-dns at the same time. We want to be able to use --with-netlib and --enable-dns at the same time.
RT#2022 ---
--- krb5-1.3.1/src/aclocal.m4 2003-11-24 11:17:30.000000000 -0500 src/aclocal.m4 | 1 +
+++ krb5-1.3.1/src/aclocal.m4 2003-11-24 11:18:45.000000000 -0500 1 file changed, 1 insertion(+)
@@ -647,6 +647,7 @@
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 311f099..ed343c5 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval" LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'") AC_MSG_RESULT("netlib will use \'$withval\'")
fi fi
@ -10,3 +20,6 @@ RT#2022
],dnl ],dnl
[AC_LIBRARY_NET] [AC_LIBRARY_NET]
)])dnl )])dnl
--
2.9.3

View File

@ -1,247 +0,0 @@
Provide an option to make the KDC also listen on loopback interfaces for
datagram requests. Adds an internal symbol to libkrb5 which the KDC
needs if listening on loopback is enabled.
The default might be better changed from FALSE to TRUE so that the
default matches what we do with stream sockets.
FIXME: doesn't add documentation anywhere.
diff -up src/include/foreachaddr.h src/include/foreachaddr.h
--- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
;
#define foreach_localaddr krb5int_foreach_localaddr
+
+extern int
+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
+#if defined(DEBUG) || defined(TEST)
+ /*@modifies fileSystem@*/
+#endif
+ ;
+
+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
--- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
krb5_error_code setup_server_realm (krb5_principal);
/* network.c */
+void process_listen_loopback (krb5_boolean);
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);
diff -up src/kdc/main.c src/kdc/main.c
--- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
krb5_enctype menctype = ENCTYPE_UNKNOWN;
kdc_realm_t *rdatap;
krb5_boolean manual = FALSE;
+ krb5_boolean listen_loopback = FALSE;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
krb5_pointer aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
v4mode = 0;
#endif
+ hierarchy[1] = "kdc_listen_loopback";
+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
+ listen_loopback = FALSE;
/* aprof_init can return 0 with aprof == NULL */
if (aprof)
krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
free(v4mode);
#endif
+ process_listen_loopback(listen_loopback);
+
/*
* Check to see if we processed any realms.
*/
diff -up src/kdc/network.c src/kdc/network.c
--- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
#include "cm.h"
static struct select_state sstate;
+static krb5_boolean listen_loopback;
static krb5_error_code add_udp_port(int port)
{
@@ -604,6 +605,12 @@ scan_for_newlines:
}
#endif
+void
+process_listen_loopback(krb5_boolean listen_loop)
+{
+ listen_loopback = listen_loop;
+}
+
/* XXX */
extern int krb5int_debug_sendto_kdc;
extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
so we might need only one UDP socket; fall back to binding
sockets on each address only if IPV6_PKTINFO isn't
supported. */
- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+ if (listen_loopback ?
+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
return setup_data.retval;
}
setup_tcp_listener_ports(&setup_data);
diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
}
#endif
+static krb5_boolean
+skip_loopback (struct sockaddr *addr, int flags)
+{
+#ifdef IFF_LOOPBACK
+ if (flags & IFF_LOOPBACK) {
+ return TRUE;
+ }
+#endif
+ return FALSE;
+}
+
#ifndef HAVE_IFADDRS_H
/*@-usereleased@*/ /* lclint doesn't understand realloc */
static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
indication, it should do it via some field pointed to by the DATA
argument. */
-#ifdef HAVE_IFADDRS_H
-
int
foreach_localaddr (/*@null@*/ void *data,
int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
/*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
/*@null@*/ int (*pass2fn) (/*@null@*/ void *,
struct sockaddr *) /*@*/)
+{
+ return foreach_localaddr_ext(data, pass1fn,
+ &skip_loopback, betweenfn,
+ pass2fn);
+}
+
+#ifdef HAVE_IFADDRS_H
+
+int
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
#endif
if ((ifp->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp->ifa_flags & IFF_LOOPBACK) {
+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
/* Pretend it's not up, so the second pass will skip
it. */
ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
if ((ifp2->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp2->ifa_flags & IFF_LOOPBACK)
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
continue;
if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
int
-foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (lifreq.lifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((lifreq.lifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
/* None of the current callers want loopback addresses. */
- if (lifreq.iflr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
/* Ignore interfaces that are down. */
if ((lifreq.iflr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (ifreq.ifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((ifreq.ifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));

View File

@ -1,10 +1,21 @@
From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things. could mess up people working in the tree on other things.
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
--- src/kadmin/cli/Makefile.in diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+++ src/kadmin/cli/Makefile.in index 789c597..7e7a148 100644
@@ -43,3 +43,8 @@ clean-unix:: --- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future. # CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
@ -13,9 +24,11 @@ could mess up people working in the tree on other things.
+ $(RM) y.tab.c $@ + $(RM) y.tab.c $@
+ $(YACC.y) $< + $(YACC.y) $<
+ $(CP) y.tab.c $@ + $(CP) y.tab.c $@
--- src/plugins/kdb/ldap/ldap_util/Makefile.in diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in index b9ea339..060f500 100644
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
getdate.c: $(GETDATE) getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c $(RM) getdate.c y.tab.c
$(YACC) $(GETDATE) $(YACC) $(GETDATE)
@ -24,3 +37,6 @@ could mess up people working in the tree on other things.
install:: install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.9.3

View File

@ -1,18 +0,0 @@
On x86 rawhide, usage of OFD locks causes deadlock in the test suite.
TEMPORARILY revert their usage until I can investigate the deeper issue with
their usage here.
diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
index a2f247c..f7f5bb4 100644
--- a/src/lib/krb5/os/lock_file.c
+++ b/src/lib/krb5/os/lock_file.c
@@ -68,7 +68,8 @@
static int
ofdlock(int fd, int cmd, struct flock *lock_arg)
{
-#ifdef F_OFD_SETLKW
+#if 0
+/* #ifdef F_OFD_SETLKW */
int st, ofdcmd;
assert(cmd == F_SETLKW || cmd == F_SETLK);

View File

@ -1,17 +0,0 @@
Remove an extra "/krb5kdc" from any paths under KDC_DIR, which already
includes that component.
--- krb5/src/include/osconf.hin
+++ krb5/src/include/osconf.hin
@@ -63,10 +63,10 @@
#define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
#define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
/* Used by old admin server */
-#define DEFAULT_ADMIN_ACL KDC_DIR "/krb5kdc/kadm_old.acl"
+#define DEFAULT_ADMIN_ACL KDC_DIR "/kadm_old.acl"
/* Location of KDC profile */
-#define DEFAULT_KDC_PROFILE KDC_DIR "/krb5kdc/kdc.conf"
+#define DEFAULT_KDC_PROFILE KDC_DIR "/kdc.conf"
#define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
#if TARGET_OS_MAC

View File

@ -1,99 +0,0 @@
This is a cheap, non-very-portable way to make debugging a run-time option.
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 6598482..85e1c0d 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -34,6 +34,7 @@
#include <krb5/krb5.h>
#include <krb5/preauth_plugin.h>
#include <k5-int-pkinit.h>
+#include <autoconf.h>
#include <profile.h>
#include "pkinit_accessor.h"
@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
#define pkiDebug printf
#else
/* Still evaluates for side effects. */
-static inline void pkiDebug (const char *fmt, ...) { }
+/* static inline void pkiDebug (const char *fmt, ...) { } */
+#define pkiDebug if (pkinit_debug_is_enabled()) printf
/* This is better if the compiler doesn't inline variadic functions
well, but gcc will warn about "left-hand operand of comma
expression has no effect". Still evaluates for side effects. */
/* #define pkiDebug (void) */
#endif
+extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
+extern int pkinit_debug_is_enabled(void);
/* Solaris compiler doesn't grok __FUNCTION__
* hack for now. Fix all the uses eventually. */
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 6888c1b..bb39fce 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
pkinit_req_context reqctx = (pkinit_req_context)request_context;
krb5_keyblock *armor_key = NULL;
+ pkinit_debug_init(context, &(request->server->realm), 0);
+
pkiDebug("pkinit_client_process %p %p %p %p\n",
context, plgctx, reqctx, request);
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index a6d7762..2b59fd0 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
fclose(f);
}
+
+/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
+ in a context structure, which is where this flag would be better placed. */
+static __thread int pkinit_debug_enabled = 0;
+
+void
+pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
+{
+ pkinit_debug_enabled = -1;
+ if (kdc) {
+ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
+ -1, &pkinit_debug_enabled);
+ }
+ if (pkinit_debug_enabled == -1) {
+ pkinit_libdefault_boolean(context, realm, "pkinit_debug",
+ 0, &pkinit_debug_enabled);
+ }
+ printf("pkinit_debug: %d\n", pkinit_debug_enabled);
+}
+
+int
+pkinit_debug_is_enabled(void)
+{
+ return (pkinit_debug_enabled == 1);
+}
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 5a7a5ad..d7a0a44 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
pkinit_kdc_context plgctx = NULL;
krb5_keyblock *armor_key = NULL;
+ pkinit_debug_init(context, &(request->server->realm), 1);
+
pkiDebug("pkinit_server_get_edata: entered!\n");
/* Remove (along with armor_key) when FAST PKINIT is settled. */
@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
int is_signed = 1;
krb5_keyblock *armor_key;
+ pkinit_debug_init(context, &(request->server->realm), 1);
+
pkiDebug("pkinit_verify_padata: entered!\n");
if (data == NULL || data->length <= 0 || data->contents == NULL)
return 0;

108
krb5.spec

@ -12,8 +12,8 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.14.3 Version: 1.14.4
Release: 9%{?dist} Release: 1%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -45,33 +45,25 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form. # Carry this locally until it's available in a packaged form.
Source100: noport.c Source100: noport.c
Patch6: krb5-1.12-ksu-path.patch Patch1: krb5-1.12.1-pam.patch
Patch12: krb5-1.12-ktany.patch Patch2: krb5-1.13-selinux-label.patch
Patch16: krb5-1.12-buildconf.patch Patch3: krb5-1.12-ksu-path.patch
Patch23: krb5-1.3.1-dns.patch Patch4: krb5-1.12-ktany.patch
Patch39: krb5-1.12-api.patch Patch5: krb5-1.12-buildconf.patch
Patch60: krb5-1.12.1-pam.patch Patch6: krb5-1.3.1-dns.patch
Patch63: krb5-1.13-selinux-label.patch Patch7: krb5-1.12-api.patch
Patch71: krb5-1.13-dirsrv-accountlock.patch Patch8: krb5-1.13-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch Patch9: krb5-1.9-debuginfo.patch
Patch129: krb5-1.11-run_user_0.patch Patch10: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch Patch11: krb5-1.11-kpasswdtest.patch
Patch148: krb5-1.14.4-ofd-lock-workaround.patch Patch12: Fix-impersonate_name-to-work-with-interposers.patch
Patch150: krb5-acquire_cred_interposer.patch Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
Patch153: krb5-1.14.1-log_file_permissions.patch Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
Patch164: krb5-1.15-kdc_send_receive_hooks.patch Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
Patch165: krb5-1.15-kdc_hooks_test.patch Patch17: Improve-bad-password-inference-in-kinit.patch
Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
Patch166: krb5-1.14.4-SNI-HTTP-Host.patch Patch19: Add-krb5_db_register_keytab.patch
Patch167: krb5-1.15-otp-preauth-prompt-type.patch
Patch168: krb5-1.15-improve-bad-password-inference.patch
Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
Patch171: krb5-1.14.4-responder-non-preauth.patch
Patch172: krb5-1.15-krb5_db_register_keytab.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -254,41 +246,25 @@ interface is not considered stable.
%setup -q -n %{name}-%{version}%{prerelease} -a 3 %setup -q -n %{name}-%{version}%{prerelease} -a 3
ln NOTICE LICENSE ln NOTICE LICENSE
%patch60 -p1 -b .pam %patch1 -p1 -b .krb5-1.12.1-pam
%patch2 -p1 -b .krb5-1.13-selinux-label
%patch63 -p1 -b .selinux-label %patch3 -p1 -b .krb5-1.12-ksu-path
%patch4 -p1 -b .krb5-1.12-ktany
%patch6 -p1 -b .ksu-path %patch5 -p1 -b .krb5-1.12-buildconf
%patch12 -p1 -b .ktany %patch6 -p1 -b .krb5-1.3.1-dns
%patch16 -p1 -b .buildconf %{?_rawbuild} %patch7 -p1 -b .krb5-1.12-api
%patch23 -p1 -b .dns %{?_rawbuild} %patch8 -p1 -b .krb5-1.13-dirsrv-accountlock
%patch39 -p1 -b .api %patch9 -p1 -b .krb5-1.9-debuginfo
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} %patch10 -p1 -b .krb5-1.11-run_user_0
%patch86 -p0 -b .debuginfo %patch11 -p1 -b .krb5-1.11-kpasswdtest
%patch12 -p1 -b .Fix-impersonate_name-to-work-with-interposers
# Apply when the hard-wired or configured default location is %patch13 -p1 -b .Create-KDC-and-kadmind-log-files-with-mode-0640
# DIR:/run/user/%%{uid}/krb5cc. %patch14 -p1 -b .Add-KDC-pre-send-and-post-receive-KDC-hooks
%patch129 -p1 -b .run_user_0 %patch15 -p1 -b .Add-tests-for-send-and-receive-sendto_kdc-hooks
%patch16 -p1 -b .Set-prompt-type-for-OTP-preauth-prompt
%patch134 -p1 -b .kpasswdtest %patch17 -p1 -b .Improve-bad-password-inference-in-kinit
%patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth
%patch148 -p1 -b .ofd-lock-workaround %patch19 -p1 -b .Add-krb5_db_register_keytab
%patch150 -p1 -b .fix_interposer
%patch153 -p1 -b .log_file_permissions
%patch164 -p1 -b .kdc_send_receive_hooks
%patch165 -p1 -b .kdc_hooks_test
%patch166 -p1 -b .SNI-HTTP-Host
%patch167 -p1 -b .otp-preauth-prompt-type
%patch168 -p1 -b .improve-bad-password-inference
%patch169 -p1 -b .kdc-error-encrypted-timestamp
%patch170 -p1 -b .samba-client-mutual-flag
%patch171 -p1 -b .responder-non-preauth
%patch172 -p1 -b .krb5_db_register_keytab
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -758,6 +734,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-1
- New upstream release
- Update names and numbers to match external git
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9 * Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
- Add krb5_db_register_keytab - Add krb5_db_register_keytab
- Resolves: #1376812 - Resolves: #1376812
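Review bot: The renumbered %patch lines silently change how three patches are applied: the `%{?_rawbuild}` qualifier is gone from the buildconf, dns and dirsrv-accountlock lines, and the debuginfo patch goes from `%patch86 -p0 -b .debuginfo` to `%patch9 -p1 -b .krb5-1.9-debuginfo` while the patch file keeps its name (krb5-1.9-debuginfo.patch on both sides), so that file must have been regenerated with a/ b/ prefixes for -p1 to apply. If the `%{?_rawbuild}` drops are deliberate, the changelog entry should say so, since it currently only mentions the rebase and the rename. The four `krb5-1.14.4-*.patch` entries removed from the Patch list (ofd-lock-workaround, SNI-HTTP-Host, samba-client-mutual-flag, responder-non-preauth) are presumably upstream in 1.14.4; a changelog line such as `- Drop patches merged upstream in 1.14.4` would make that traceable.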


@ -1,3 +1,3 @@
f76e4f8a3c95bb59980dd5ef4b48aea9 krb5-1.14.3.tar.gz ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz
438c48157c7b7daf6f133ffe6369342e krb5-1.14.3.tar.gz.asc 1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc
c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.3-pdfs.tar c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar
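Review bot: The third entry is renamed from krb5-1.14.3-pdfs.tar to krb5-1.14.4-pdfs.tar but keeps the identical checksum `c2385c39dfed8ecad41052abd09a49c9`, while the tarball and signature entries above it get new values. That means the 1.14.4 pdf archive was either not regenerated or is a byte-identical copy of the 1.14.3 one; worth confirming which, since the lookaside cache will otherwise serve a file whose name no longer matches its contents' origin.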