New upstream version (1.21.1)
- Fix double-free in KDC TGS processing (CVE-2023-39975) - Add support for "pac_privsvr_enctype" KDB string attribute Resolves: rhbz#2060421 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
21e03e152b
commit
19e63e55c9
4
.gitignore
vendored
4
.gitignore
vendored
@ -197,5 +197,9 @@
|
|||||||
/krb5-1.19.tar.gz.asc
|
/krb5-1.19.tar.gz.asc
|
||||||
/krb5-1.19.1.tar.gz
|
/krb5-1.19.1.tar.gz
|
||||||
/krb5-1.19.1.tar.gz.asc
|
/krb5-1.19.1.tar.gz.asc
|
||||||
|
/krb5-1.20.tar.gz
|
||||||
|
/krb5-1.20.tar.gz.asc
|
||||||
/krb5-1.20.1.tar.gz
|
/krb5-1.20.1.tar.gz
|
||||||
/krb5-1.20.1.tar.gz.asc
|
/krb5-1.20.1.tar.gz.asc
|
||||||
|
/krb5-1.21.1.tar.gz
|
||||||
|
/krb5-1.21.1.tar.gz.asc
|
||||||
|
310
0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
Normal file
310
0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
Normal file
@ -0,0 +1,310 @@
|
|||||||
|
From 93bb4f5ba6fd79e72a75de20e209db219118a3a1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Wed, 2 Aug 2023 10:19:28 +0200
|
||||||
|
Subject: [PATCH] [downstream] Revert "Don't issue session keys with deprecated
|
||||||
|
enctypes"
|
||||||
|
|
||||||
|
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
|
||||||
|
---
|
||||||
|
doc/admin/conf_files/krb5_conf.rst | 12 ------------
|
||||||
|
doc/admin/enctypes.rst | 23 +++-------------------
|
||||||
|
src/include/k5-int.h | 4 ----
|
||||||
|
src/kdc/kdc_util.c | 10 ----------
|
||||||
|
src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++-------------------
|
||||||
|
src/lib/krb5/krb/init_ctx.c | 10 ----------
|
||||||
|
src/tests/gssapi/t_enctypes.py | 3 +--
|
||||||
|
src/tests/t_etype_info.py | 2 +-
|
||||||
|
src/tests/t_sesskeynego.py | 28 ++-------------------------
|
||||||
|
src/util/k5test.py | 4 ++--
|
||||||
|
10 files changed, 20 insertions(+), 107 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
index ecdf917501..f22d5db11b 100644
|
||||||
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in
|
||||||
|
|
||||||
|
The libdefaults section may contain any of the following relations:
|
||||||
|
|
||||||
|
-**allow_des3**
|
||||||
|
- Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
|
||||||
|
- In future releases, this flag will allow des3-cbc-sha1 to be used
|
||||||
|
- at all. The default value for this tag is false. (Added in
|
||||||
|
- release 1.21.)
|
||||||
|
-
|
||||||
|
-**allow_rc4**
|
||||||
|
- Permit the KDC to issue tickets with arcfour-hmac session keys.
|
||||||
|
- In future releases, this flag will allow arcfour-hmac to be used
|
||||||
|
- at all. The default value for this tag is false. (Added in
|
||||||
|
- release 1.21.)
|
||||||
|
-
|
||||||
|
**allow_weak_crypto**
|
||||||
|
If this flag is set to false, then weak encryption types (as noted
|
||||||
|
in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
|
||||||
|
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||||
|
index dce19ad43e..694922c0d9 100644
|
||||||
|
--- a/doc/admin/enctypes.rst
|
||||||
|
+++ b/doc/admin/enctypes.rst
|
||||||
|
@@ -48,15 +48,12 @@ Session key selection
|
||||||
|
The KDC chooses the session key enctype by taking the intersection of
|
||||||
|
its **permitted_enctypes** list, the list of long-term keys for the
|
||||||
|
most recent kvno of the service, and the client's requested list of
|
||||||
|
-enctypes. Starting in krb5-1.21, all services are assumed to support
|
||||||
|
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
|
||||||
|
-keys will not be issued by default.
|
||||||
|
+enctypes.
|
||||||
|
|
||||||
|
Starting in krb5-1.11, it is possible to set a string attribute on a
|
||||||
|
service principal to control what session key enctypes the KDC may
|
||||||
|
-issue for service tickets for that principal, overriding the service's
|
||||||
|
-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
|
||||||
|
-See :ref:`set_string` in :ref:`kadmin(1)` for details.
|
||||||
|
+issue for service tickets for that principal. See :ref:`set_string`
|
||||||
|
+in :ref:`kadmin(1)` for details.
|
||||||
|
|
||||||
|
|
||||||
|
Choosing enctypes for a service
|
||||||
|
@@ -90,20 +87,6 @@ affect how enctypes are chosen.
|
||||||
|
acceptable risk for your environment and the weak enctypes are
|
||||||
|
required for backward compatibility.
|
||||||
|
|
||||||
|
-**allow_des3**
|
||||||
|
- was added in release 1.21 and defaults to *false*. Unless this
|
||||||
|
- flag is set to *true*, the KDC will not issue tickets with
|
||||||
|
- des3-cbc-sha1 session keys. In a future release, this flag will
|
||||||
|
- control whether des3-cbc-sha1 is permitted in similar fashion to
|
||||||
|
- weak enctypes.
|
||||||
|
-
|
||||||
|
-**allow_rc4**
|
||||||
|
- was added in release 1.21 and defaults to *false*. Unless this
|
||||||
|
- flag is set to *true*, the KDC will not issue tickets with
|
||||||
|
- arcfour-hmac session keys. In a future release, this flag will
|
||||||
|
- control whether arcfour-hmac is permitted in similar fashion to
|
||||||
|
- weak enctypes.
|
||||||
|
-
|
||||||
|
**permitted_enctypes**
|
||||||
|
controls the set of enctypes that a service will permit for
|
||||||
|
session keys and for ticket and authenticator encryption. The KDC
|
||||||
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||||
|
index 2f7791b775..1d1c8293f4 100644
|
||||||
|
--- a/src/include/k5-int.h
|
||||||
|
+++ b/src/include/k5-int.h
|
||||||
|
@@ -180,8 +180,6 @@ typedef unsigned char u_char;
|
||||||
|
* matches the variable name. Keep these alphabetized. */
|
||||||
|
#define KRB5_CONF_ACL_FILE "acl_file"
|
||||||
|
#define KRB5_CONF_ADMIN_SERVER "admin_server"
|
||||||
|
-#define KRB5_CONF_ALLOW_DES3 "allow_des3"
|
||||||
|
-#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
|
||||||
|
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
|
||||||
|
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
|
||||||
|
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
|
||||||
|
@@ -1240,8 +1238,6 @@ struct _krb5_context {
|
||||||
|
struct _kdb_log_context *kdblog_context;
|
||||||
|
|
||||||
|
krb5_boolean allow_weak_crypto;
|
||||||
|
- krb5_boolean allow_des3;
|
||||||
|
- krb5_boolean allow_rc4;
|
||||||
|
krb5_boolean ignore_acceptor_hostname;
|
||||||
|
krb5_boolean enforce_ok_as_delegate;
|
||||||
|
enum dns_canonhost dns_canonicalize_hostname;
|
||||||
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||||
|
index e54cc751f9..75e04b73db 100644
|
||||||
|
--- a/src/kdc/kdc_util.c
|
||||||
|
+++ b/src/kdc/kdc_util.c
|
||||||
|
@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
|
||||||
|
if (!krb5_is_permitted_enctype(context, ktype[i]))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * Prevent these deprecated enctypes from being used as session keys
|
||||||
|
- * unless they are explicitly allowed. In the future they will be more
|
||||||
|
- * comprehensively disabled and eventually removed.
|
||||||
|
- */
|
||||||
|
- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3)
|
||||||
|
- continue;
|
||||||
|
- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4)
|
||||||
|
- continue;
|
||||||
|
-
|
||||||
|
if (dbentry_supports_enctype(context, server, ktype[i]))
|
||||||
|
return ktype[i];
|
||||||
|
}
|
||||||
|
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||||
|
index ea089f0fcc..1b420a3ac2 100644
|
||||||
|
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||||
|
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||||
|
@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||||
|
(*prompter)(context, data, 0, banner, 0, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* Display a warning via the prompter if a deprecated enctype was used for
|
||||||
|
- * either the reply key or the session key. */
|
||||||
|
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
|
||||||
|
+ * reply key or the session key. */
|
||||||
|
static void
|
||||||
|
-warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
|
||||||
|
- krb5_enctype as_key_enctype)
|
||||||
|
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
|
||||||
|
+ krb5_enctype as_key_enctype)
|
||||||
|
{
|
||||||
|
- krb5_enctype etype;
|
||||||
|
- char encbuf[128], banner[256];
|
||||||
|
+ const char *banner;
|
||||||
|
|
||||||
|
- if (ctx->prompter == NULL)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- if (krb5int_c_deprecated_enctype(as_key_enctype))
|
||||||
|
- etype = as_key_enctype;
|
||||||
|
- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
|
||||||
|
- etype = ctx->cred.keyblock.enctype;
|
||||||
|
- else
|
||||||
|
+ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
|
||||||
|
+ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
|
||||||
|
return;
|
||||||
|
-
|
||||||
|
- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
|
||||||
|
+ if (ctx->prompter == NULL)
|
||||||
|
return;
|
||||||
|
- snprintf(banner, sizeof(banner),
|
||||||
|
- _("Warning: encryption type %s used for authentication is "
|
||||||
|
- "deprecated and will be disabled"), encbuf);
|
||||||
|
|
||||||
|
+ banner = _("Warning: encryption type des3-cbc-sha1 used for "
|
||||||
|
+ "authentication is weak and will be disabled");
|
||||||
|
/* PROMPTER_INVOCATION */
|
||||||
|
(*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
|
||||||
|
}
|
||||||
|
@@ -1857,7 +1848,7 @@ init_creds_step_reply(krb5_context context,
|
||||||
|
ctx->complete = TRUE;
|
||||||
|
warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
|
||||||
|
ctx->in_tkt_service, ctx->reply);
|
||||||
|
- warn_deprecated(context, ctx, encrypting_key.enctype);
|
||||||
|
+ warn_des3(context, ctx, encrypting_key.enctype);
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
krb5_free_pa_data(context, kdc_padata);
|
||||||
|
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||||
|
index a6c2bbeb54..87b486c53f 100644
|
||||||
|
--- a/src/lib/krb5/krb/init_ctx.c
|
||||||
|
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||||
|
@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||||
|
goto cleanup;
|
||||||
|
ctx->allow_weak_crypto = tmp;
|
||||||
|
|
||||||
|
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
|
||||||
|
- if (retval)
|
||||||
|
- goto cleanup;
|
||||||
|
- ctx->allow_des3 = tmp;
|
||||||
|
-
|
||||||
|
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
|
||||||
|
- if (retval)
|
||||||
|
- goto cleanup;
|
||||||
|
- ctx->allow_rc4 = tmp;
|
||||||
|
-
|
||||||
|
retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
|
||||||
|
if (retval)
|
||||||
|
goto cleanup;
|
||||||
|
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
||||||
|
index f5f11842e2..7494d7fcdb 100755
|
||||||
|
--- a/src/tests/gssapi/t_enctypes.py
|
||||||
|
+++ b/src/tests/gssapi/t_enctypes.py
|
||||||
|
@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
|
||||||
|
# These tests make assumptions about the default enctype lists, so set
|
||||||
|
# them explicitly rather than relying on the library defaults.
|
||||||
|
supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
||||||
|
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
||||||
|
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||||
|
+conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
||||||
|
'realms': {'$realm': {'supported_enctypes': supp}}}
|
||||||
|
realm = K5Realm(krb5_conf=conf)
|
||||||
|
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
||||||
|
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||||
|
index 38cf96ca8f..c982508d8b 100644
|
||||||
|
--- a/src/tests/t_etype_info.py
|
||||||
|
+++ b/src/tests/t_etype_info.py
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
from k5test import *
|
||||||
|
|
||||||
|
supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||||
|
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||||
|
+conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
||||||
|
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||||
|
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||||
|
|
||||||
|
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
||||||
|
index 5a213617b5..9024aee838 100755
|
||||||
|
--- a/src/tests/t_sesskeynego.py
|
||||||
|
+++ b/src/tests/t_sesskeynego.py
|
||||||
|
@@ -25,8 +25,6 @@ conf3 = {'libdefaults': {
|
||||||
|
'default_tkt_enctypes': 'aes128-cts',
|
||||||
|
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
||||||
|
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
||||||
|
-conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
||||||
|
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
||||||
|
# Test with client request and session_enctypes preferring aes128, but
|
||||||
|
# aes256 long-term key.
|
||||||
|
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
||||||
|
@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||||
|
'aes128-cts,aes256-cts'])
|
||||||
|
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||||
|
|
||||||
|
-# 3b: Skip RC4 (as the KDC does not allow it for session keys by
|
||||||
|
-# default) and negotiate aes128-cts session key, with only an aes256
|
||||||
|
-# long-term service key.
|
||||||
|
+# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
|
||||||
|
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||||
|
'rc4-hmac,aes128-cts,aes256-cts'])
|
||||||
|
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||||
|
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||||
|
realm.stop()
|
||||||
|
|
||||||
|
# 4: Check that permitted_enctypes is a default for session key enctypes.
|
||||||
|
@@ -71,24 +67,4 @@ realm.run([kvno, 'user'],
|
||||||
|
expected_trace=('etypes requested in TGS request: aes256-cts',))
|
||||||
|
realm.stop()
|
||||||
|
|
||||||
|
-# 5: allow_rc4 permits negotiation of rc4-hmac session key.
|
||||||
|
-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
|
||||||
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||||
|
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
||||||
|
-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||||
|
-realm.stop()
|
||||||
|
-
|
||||||
|
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
||||||
|
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
||||||
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||||
|
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
||||||
|
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
||||||
|
-realm.stop()
|
||||||
|
-
|
||||||
|
-# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
||||||
|
-realm = K5Realm(create_host=False, get_creds=False)
|
||||||
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
||||||
|
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
|
||||||
|
-realm.stop()
|
||||||
|
-
|
||||||
|
success('sesskeynego')
|
||||||
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||||
|
index 8e5f5ba8e9..2a86c5cdfc 100644
|
||||||
|
--- a/src/util/k5test.py
|
||||||
|
+++ b/src/util/k5test.py
|
||||||
|
@@ -1340,14 +1340,14 @@ _passes = [
|
||||||
|
|
||||||
|
# Exercise the DES3 enctype.
|
||||||
|
('des3', None,
|
||||||
|
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
||||||
|
+ {'libdefaults': {'permitted_enctypes': 'des3'}},
|
||||||
|
{'realms': {'$realm': {
|
||||||
|
'supported_enctypes': 'des3-cbc-sha1:normal',
|
||||||
|
'master_key_type': 'des3-cbc-sha1'}}}),
|
||||||
|
|
||||||
|
# Exercise the arcfour enctype.
|
||||||
|
('arcfour', None,
|
||||||
|
- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
||||||
|
+ {'libdefaults': {'permitted_enctypes': 'rc4'}},
|
||||||
|
{'realms': {'$realm': {
|
||||||
|
'supported_enctypes': 'arcfour-hmac:normal',
|
||||||
|
'master_key_type': 'arcfour-hmac'}}}),
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001
|
From d7be72b066a9b07f0426780c7931614eddf9dd9e Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||||
Subject: [PATCH] [downstream] ksu pam integration
|
Subject: [PATCH] [downstream] ksu pam integration
|
||||||
@ -30,7 +30,7 @@ Last-updated: krb5-1.18-beta1
|
|||||||
create mode 100644 src/clients/ksu/pam.h
|
create mode 100644 src/clients/ksu/pam.h
|
||||||
|
|
||||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||||
index 9920476f91..bf9da35bbc 100644
|
index 3d66a876b3..ce3c5a9bac 100644
|
||||||
--- a/src/aclocal.m4
|
--- a/src/aclocal.m4
|
||||||
+++ b/src/aclocal.m4
|
+++ b/src/aclocal.m4
|
||||||
@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then
|
@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then
|
||||||
@ -760,10 +760,10 @@ index 0000000000..0ab76569cb
|
|||||||
+void appl_pam_cleanup(void);
|
+void appl_pam_cleanup(void);
|
||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index f03028b5fd..aa970b0447 100644
|
index 77be7a2025..587221936e 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION])
|
@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION])
|
||||||
|
|
||||||
AC_PATH_PROG(GROFF, groff)
|
AC_PATH_PROG(GROFF, groff)
|
||||||
|
|
||||||
@ -773,5 +773,5 @@ index f03028b5fd..aa970b0447 100644
|
|||||||
if test "${localedir+set}" != set; then
|
if test "${localedir+set}" != set; then
|
||||||
localedir='$(datadir)/locale'
|
localedir='$(datadir)/locale'
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001
|
From 021f1f1bf690694945a3ab0a5221797a7bcd6a99 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||||
Subject: [PATCH] [downstream] SELinux integration
|
Subject: [PATCH] [downstream] SELinux integration
|
||||||
@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1
|
|||||||
create mode 100644 src/util/support/selinux.c
|
create mode 100644 src/util/support/selinux.c
|
||||||
|
|
||||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||||
index bf9da35bbc..01283f482e 100644
|
index ce3c5a9bac..3331970930 100644
|
||||||
--- a/src/aclocal.m4
|
--- a/src/aclocal.m4
|
||||||
+++ b/src/aclocal.m4
|
+++ b/src/aclocal.m4
|
||||||
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||||
@ -133,10 +133,10 @@ index bf9da35bbc..01283f482e 100644
|
|||||||
+AC_SUBST(SELINUX_LIBS)
|
+AC_SUBST(SELINUX_LIBS)
|
||||||
+])dnl
|
+])dnl
|
||||||
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
||||||
index dead0dddce..fef3e054fc 100755
|
index 8e6eb86601..7677f37359 100755
|
||||||
--- a/src/build-tools/krb5-config.in
|
--- a/src/build-tools/krb5-config.in
|
||||||
+++ b/src/build-tools/krb5-config.in
|
+++ b/src/build-tools/krb5-config.in
|
||||||
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
|
@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@'
|
||||||
DEFCCNAME='@DEFCCNAME@'
|
DEFCCNAME='@DEFCCNAME@'
|
||||||
DEFKTNAME='@DEFKTNAME@'
|
DEFKTNAME='@DEFKTNAME@'
|
||||||
DEFCKTNAME='@DEFCKTNAME@'
|
DEFCKTNAME='@DEFCKTNAME@'
|
||||||
@ -144,7 +144,7 @@ index dead0dddce..fef3e054fc 100755
|
|||||||
|
|
||||||
LIBS='@LIBS@'
|
LIBS='@LIBS@'
|
||||||
GEN_LIB=@GEN_LIB@
|
GEN_LIB=@GEN_LIB@
|
||||||
@@ -254,7 +255,7 @@ if test -n "$do_libs"; then
|
@@ -253,7 +254,7 @@ if test -n "$do_libs"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If we ever support a flag to generate output suitable for static
|
# If we ever support a flag to generate output suitable for static
|
||||||
@ -175,10 +175,10 @@ index a0c60c70b3..7eaa2f351c 100644
|
|||||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||||
# needs fixing if ever used on macOS!
|
# needs fixing if ever used on macOS!
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index aa970b0447..40545f2bfc 100644
|
index 587221936e..69be9030f8 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff)
|
@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||||
|
|
||||||
KRB5_WITH_PAM
|
KRB5_WITH_PAM
|
||||||
|
|
||||||
@ -188,7 +188,7 @@ index aa970b0447..40545f2bfc 100644
|
|||||||
if test "${localedir+set}" != set; then
|
if test "${localedir+set}" != set; then
|
||||||
localedir='$(datadir)/locale'
|
localedir='$(datadir)/locale'
|
||||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||||
index 44dc1eeb3f..c3aecba7d4 100644
|
index 1d1c8293f4..768110e5ef 100644
|
||||||
--- a/src/include/k5-int.h
|
--- a/src/include/k5-int.h
|
||||||
+++ b/src/include/k5-int.h
|
+++ b/src/include/k5-int.h
|
||||||
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
||||||
@ -238,7 +238,7 @@ index 0000000000..dfaaa847cb
|
|||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
index c0194c3c94..7e1dea2cbf 100644
|
index 9c76780181..dd6430ece8 100644
|
||||||
--- a/src/include/krb5/krb5.hin
|
--- a/src/include/krb5/krb5.hin
|
||||||
+++ b/src/include/krb5/krb5.hin
|
+++ b/src/include/krb5/krb5.hin
|
||||||
@@ -87,6 +87,12 @@
|
@@ -87,6 +87,12 @@
|
||||||
@ -290,10 +290,10 @@ index a89b5144f6..4d6cc0bdf9 100644
|
|||||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
||||||
index 38b9299066..085afc9220 100644
|
index bfdfef5c48..b43fe9a082 100644
|
||||||
--- a/src/kdc/main.c
|
--- a/src/kdc/main.c
|
||||||
+++ b/src/kdc/main.c
|
+++ b/src/kdc/main.c
|
||||||
@@ -848,7 +848,7 @@ write_pid_file(const char *path)
|
@@ -844,7 +844,7 @@ write_pid_file(const char *path)
|
||||||
FILE *file;
|
FILE *file;
|
||||||
unsigned long pid;
|
unsigned long pid;
|
||||||
|
|
||||||
@ -303,7 +303,7 @@ index 38b9299066..085afc9220 100644
|
|||||||
return errno;
|
return errno;
|
||||||
pid = (unsigned long) getpid();
|
pid = (unsigned long) getpid();
|
||||||
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
||||||
index f2341d720f..ffdac9f397 100644
|
index aa3c81ea30..cb9785aaeb 100644
|
||||||
--- a/src/kprop/kpropd.c
|
--- a/src/kprop/kpropd.c
|
||||||
+++ b/src/kprop/kpropd.c
|
+++ b/src/kprop/kpropd.c
|
||||||
@@ -488,6 +488,9 @@ doit(int fd)
|
@@ -488,6 +488,9 @@ doit(int fd)
|
||||||
@ -333,10 +333,10 @@ index f2341d720f..ffdac9f397 100644
|
|||||||
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
||||||
if (retval) {
|
if (retval) {
|
||||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||||
index c6885edf2a..9aec3c05e8 100644
|
index e14da53790..b879a4049b 100644
|
||||||
--- a/src/lib/kadm5/logger.c
|
--- a/src/lib/kadm5/logger.c
|
||||||
+++ b/src/lib/kadm5/logger.c
|
+++ b/src/lib/kadm5/logger.c
|
||||||
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||||
*/
|
*/
|
||||||
append = (cp[4] == ':') ? O_APPEND : 0;
|
append = (cp[4] == ':') ? O_APPEND : 0;
|
||||||
if (append || cp[4] == '=') {
|
if (append || cp[4] == '=') {
|
||||||
@ -345,7 +345,7 @@ index c6885edf2a..9aec3c05e8 100644
|
|||||||
S_IRUSR | S_IWUSR | S_IRGRP);
|
S_IRUSR | S_IWUSR | S_IRGRP);
|
||||||
if (fd != -1)
|
if (fd != -1)
|
||||||
f = fdopen(fd, append ? "a" : "w");
|
f = fdopen(fd, append ? "a" : "w");
|
||||||
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||||
* In case the old logfile did not get moved out of the
|
* In case the old logfile did not get moved out of the
|
||||||
* way, open for append to prevent squashing the old logs.
|
* way, open for append to prevent squashing the old logs.
|
||||||
*/
|
*/
|
||||||
@ -439,10 +439,10 @@ index e510211fc5..f3ea28c8ec 100644
|
|||||||
goto report_errno;
|
goto report_errno;
|
||||||
writevno = 1;
|
writevno = 1;
|
||||||
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
||||||
index 3369fc4ba6..95f82cda03 100644
|
index 4cbbbb270a..c4058ddc96 100644
|
||||||
--- a/src/lib/krb5/os/trace.c
|
--- a/src/lib/krb5/os/trace.c
|
||||||
+++ b/src/lib/krb5/os/trace.c
|
+++ b/src/lib/krb5/os/trace.c
|
||||||
@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
|
@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
|
||||||
fd = malloc(sizeof(*fd));
|
fd = malloc(sizeof(*fd));
|
||||||
if (fd == NULL)
|
if (fd == NULL)
|
||||||
return ENOMEM;
|
return ENOMEM;
|
||||||
@ -452,7 +452,7 @@ index 3369fc4ba6..95f82cda03 100644
|
|||||||
free(fd);
|
free(fd);
|
||||||
return errno;
|
return errno;
|
||||||
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
|
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
|
||||||
index 7db30a33b0..2b9d01921d 100644
|
index 9a506e9d44..f92ab47143 100644
|
||||||
--- a/src/plugins/kdb/db2/adb_openclose.c
|
--- a/src/plugins/kdb/db2/adb_openclose.c
|
||||||
+++ b/src/plugins/kdb/db2/adb_openclose.c
|
+++ b/src/plugins/kdb/db2/adb_openclose.c
|
||||||
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
|
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
|
||||||
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
|
|||||||
+
|
+
|
||||||
+#endif /* USE_SELINUX */
|
+#endif /* USE_SELINUX */
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001
|
From 780db3e904ada1946b0d1dce04c8daa74273c7b6 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||||
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
||||||
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
|
|||||||
install:
|
install:
|
||||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001
|
From 1f992f9a857346b8837fd12d8c90f7b2cafb9613 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||||
Subject: [PATCH] [downstream] Remove 3des support
|
Subject: [PATCH] [downstream] Remove 3des support
|
||||||
@ -8,7 +8,7 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
|
|||||||
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
|
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
|
||||||
their constants.
|
their constants.
|
||||||
|
|
||||||
Last-updated: 1.20-final
|
Last-updated: 1.21.1-final
|
||||||
[antorres@redhat.com: remove diffs for:
|
[antorres@redhat.com: remove diffs for:
|
||||||
- src/kdamin/testing/proto/kdc.conf.proto
|
- src/kdamin/testing/proto/kdc.conf.proto
|
||||||
- src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
- src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
||||||
@ -32,7 +32,7 @@ Last-updated: 1.20-final
|
|||||||
src/include/krb5/krb5.hin | 10 +-
|
src/include/krb5/krb5.hin | 10 +-
|
||||||
src/kdc/kdc_util.c | 4 -
|
src/kdc/kdc_util.c | 4 -
|
||||||
src/lib/crypto/Makefile.in | 8 +-
|
src/lib/crypto/Makefile.in | 8 +-
|
||||||
src/lib/crypto/builtin/Makefile.in | 6 +-
|
src/lib/crypto/builtin/Makefile.in | 4 +-
|
||||||
src/lib/crypto/builtin/des/ISSUES | 13 -
|
src/lib/crypto/builtin/des/ISSUES | 13 -
|
||||||
src/lib/crypto/builtin/des/Makefile.in | 82 ----
|
src/lib/crypto/builtin/des/Makefile.in | 82 ----
|
||||||
src/lib/crypto/builtin/des/d3_aead.c | 137 ------
|
src/lib/crypto/builtin/des/d3_aead.c | 137 ------
|
||||||
@ -74,7 +74,7 @@ Last-updated: 1.20-final
|
|||||||
src/lib/crypto/krb/prf_des.c | 47 ---
|
src/lib/crypto/krb/prf_des.c | 47 ---
|
||||||
src/lib/crypto/krb/random_to_key.c | 28 --
|
src/lib/crypto/krb/random_to_key.c | 28 --
|
||||||
src/lib/crypto/libk5crypto.exports | 1 -
|
src/lib/crypto/libk5crypto.exports | 1 -
|
||||||
src/lib/crypto/openssl/Makefile.in | 8 +-
|
src/lib/crypto/openssl/Makefile.in | 4 +-
|
||||||
src/lib/crypto/openssl/des/Makefile.in | 20 -
|
src/lib/crypto/openssl/des/Makefile.in | 20 -
|
||||||
src/lib/crypto/openssl/des/deps | 14 -
|
src/lib/crypto/openssl/des/deps | 14 -
|
||||||
src/lib/crypto/openssl/des/des_keys.c | 39 --
|
src/lib/crypto/openssl/des/des_keys.c | 39 --
|
||||||
@ -103,13 +103,13 @@ Last-updated: 1.20-final
|
|||||||
src/tests/gssapi/t_pcontok.c | 16 +-
|
src/tests/gssapi/t_pcontok.c | 16 +-
|
||||||
src/tests/gssapi/t_prf.c | 7 -
|
src/tests/gssapi/t_prf.c | 7 -
|
||||||
src/tests/t_authdata.py | 2 +-
|
src/tests/t_authdata.py | 2 +-
|
||||||
src/tests/t_etype_info.py | 18 +-
|
src/tests/t_etype_info.py | 21 +-
|
||||||
src/tests/t_keyrollover.py | 8 +-
|
src/tests/t_keyrollover.py | 8 +-
|
||||||
src/tests/t_mkey.py | 35 --
|
src/tests/t_mkey.py | 35 --
|
||||||
src/tests/t_salt.py | 5 +-
|
src/tests/t_salt.py | 5 +-
|
||||||
src/util/k5test.py | 7 -
|
src/util/k5test.py | 7 -
|
||||||
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
||||||
89 files changed, 151 insertions(+), 4713 deletions(-)
|
89 files changed, 149 insertions(+), 4712 deletions(-)
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
||||||
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
||||||
@ -247,7 +247,7 @@ index ade5e1f87a..e4dc54f7e5 100644
|
|||||||
|
|
||||||
.. _err_cert_chain_cert_expired:
|
.. _err_cert_chain_cert_expired:
|
||||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
||||||
index a0d4f26701..5f34dea5e8 100644
|
index 45fe160d7f..b4b1f3bd93 100644
|
||||||
--- a/doc/appdev/refs/macros/index.rst
|
--- a/doc/appdev/refs/macros/index.rst
|
||||||
+++ b/doc/appdev/refs/macros/index.rst
|
+++ b/doc/appdev/refs/macros/index.rst
|
||||||
@@ -36,7 +36,6 @@ Public
|
@@ -36,7 +36,6 @@ Public
|
||||||
@ -259,10 +259,10 @@ index a0d4f26701..5f34dea5e8 100644
|
|||||||
CKSUMTYPE_NIST_SHA.rst
|
CKSUMTYPE_NIST_SHA.rst
|
||||||
CKSUMTYPE_RSA_MD4.rst
|
CKSUMTYPE_RSA_MD4.rst
|
||||||
diff --git a/doc/conf.py b/doc/conf.py
|
diff --git a/doc/conf.py b/doc/conf.py
|
||||||
index fa0eb80f1f..12168fa695 100644
|
index cd76f5999f..1e1cfce80c 100644
|
||||||
--- a/doc/conf.py
|
--- a/doc/conf.py
|
||||||
+++ b/doc/conf.py
|
+++ b/doc/conf.py
|
||||||
@@ -278,7 +278,7 @@ else:
|
@@ -281,7 +281,7 @@ else:
|
||||||
rst_epilog += '''
|
rst_epilog += '''
|
||||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||||
@ -272,7 +272,7 @@ index fa0eb80f1f..12168fa695 100644
|
|||||||
.. |copy| unicode:: U+000A9
|
.. |copy| unicode:: U+000A9
|
||||||
'''
|
'''
|
||||||
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
||||||
index ca2d6ef117..100c64a1c1 100644
|
index 10effcf175..cad0855724 100644
|
||||||
--- a/doc/mitK5features.rst
|
--- a/doc/mitK5features.rst
|
||||||
+++ b/doc/mitK5features.rst
|
+++ b/doc/mitK5features.rst
|
||||||
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
|
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
|
||||||
@ -307,10 +307,10 @@ index 8f14e9bf2c..ba3bb18eec 100644
|
|||||||
##DOS## $(WCONFIG) config < $@.in > $@
|
##DOS## $(WCONFIG) config < $@.in > $@
|
||||||
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index 40545f2bfc..8dc864718d 100644
|
index 69be9030f8..2561e917a2 100644
|
||||||
--- a/src/configure.ac
|
--- a/src/configure.ac
|
||||||
+++ b/src/configure.ac
|
+++ b/src/configure.ac
|
||||||
@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||||
lib lib/kdb
|
lib lib/kdb
|
||||||
|
|
||||||
lib/crypto lib/crypto/krb lib/crypto/crypto_tests
|
lib/crypto lib/crypto/krb lib/crypto/crypto_tests
|
||||||
@ -326,7 +326,7 @@ index 40545f2bfc..8dc864718d 100644
|
|||||||
|
|
||||||
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
index 7e1dea2cbf..fb9f2a366c 100644
|
index dd6430ece8..350bcf86f2 100644
|
||||||
--- a/src/include/krb5/krb5.hin
|
--- a/src/include/krb5/krb5.hin
|
||||||
+++ b/src/include/krb5/krb5.hin
|
+++ b/src/include/krb5/krb5.hin
|
||||||
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
||||||
@ -362,10 +362,10 @@ index 7e1dea2cbf..fb9f2a366c 100644
|
|||||||
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
||||||
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
||||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||||
index 9f2a67d189..b7a9aa4992 100644
|
index 75e04b73db..fe4e48209a 100644
|
||||||
--- a/src/kdc/kdc_util.c
|
--- a/src/kdc/kdc_util.c
|
||||||
+++ b/src/kdc/kdc_util.c
|
+++ b/src/kdc/kdc_util.c
|
||||||
@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
||||||
name = "rsaEncryption-EnvOID";
|
name = "rsaEncryption-EnvOID";
|
||||||
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
||||||
name = "id-RSAES-OAEP-EnvOID";
|
name = "id-RSAES-OAEP-EnvOID";
|
||||||
@ -374,7 +374,7 @@ index 9f2a67d189..b7a9aa4992 100644
|
|||||||
else
|
else
|
||||||
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
||||||
|
|
||||||
@@ -1704,8 +1702,6 @@ krb5_boolean
|
@@ -1647,8 +1645,6 @@ krb5_boolean
|
||||||
enctype_requires_etype_info_2(krb5_enctype enctype)
|
enctype_requires_etype_info_2(krb5_enctype enctype)
|
||||||
{
|
{
|
||||||
switch(enctype) {
|
switch(enctype) {
|
||||||
@ -414,7 +414,7 @@ index 10e8c74cf8..25c4f40cc3 100644
|
|||||||
all-unix: all-liblinks
|
all-unix: all-liblinks
|
||||||
install-unix: install-libs
|
install-unix: install-libs
|
||||||
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
|
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
|
||||||
index daf19da195..c9e967c807 100644
|
index 243bb17ba3..30bfcd30c0 100644
|
||||||
--- a/src/lib/crypto/builtin/Makefile.in
|
--- a/src/lib/crypto/builtin/Makefile.in
|
||||||
+++ b/src/lib/crypto/builtin/Makefile.in
|
+++ b/src/lib/crypto/builtin/Makefile.in
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
@ -429,15 +429,6 @@ index daf19da195..c9e967c807 100644
|
|||||||
$(srcdir)/kdf.c \
|
$(srcdir)/kdf.c \
|
||||||
$(srcdir)/pbkdf2.c
|
$(srcdir)/pbkdf2.c
|
||||||
|
|
||||||
-STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
+STOBJLISTS= md4/OBJS.ST \
|
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
|
||||||
enc_provider/OBJS.ST \
|
|
||||||
hash_provider/OBJS.ST \
|
|
||||||
@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
camellia/OBJS.ST \
|
|
||||||
OBJS.ST
|
|
||||||
|
|
||||||
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
||||||
+SUBDIROBJLISTS= md4/OBJS.ST \
|
+SUBDIROBJLISTS= md4/OBJS.ST \
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
||||||
@ -4862,7 +4853,7 @@ index 052f4d4b51..d8ffa63304 100644
|
|||||||
krb5int_camellia_encrypt
|
krb5int_camellia_encrypt
|
||||||
krb5int_cmac_checksum
|
krb5int_cmac_checksum
|
||||||
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in
|
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in
|
||||||
index 08de047d0a..88f7fd0a09 100644
|
index cf11f6847b..8e4cdb8bbf 100644
|
||||||
--- a/src/lib/crypto/openssl/Makefile.in
|
--- a/src/lib/crypto/openssl/Makefile.in
|
||||||
+++ b/src/lib/crypto/openssl/Makefile.in
|
+++ b/src/lib/crypto/openssl/Makefile.in
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
@ -4873,32 +4864,15 @@ index 08de047d0a..88f7fd0a09 100644
|
|||||||
LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)
|
LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)
|
||||||
|
|
||||||
STLIBOBJS=\
|
STLIBOBJS=\
|
||||||
@@ -24,14 +24,14 @@ SRCS=\
|
@@ -24,7 +24,7 @@ SRCS=\
|
||||||
$(srcdir)/pbkdf2.c \
|
$(srcdir)/pbkdf2.c \
|
||||||
$(srcdir)/sha256.c
|
$(srcdir)/sha256.c
|
||||||
|
|
||||||
-STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
|
||||||
+STOBJLISTS= md4/OBJS.ST \
|
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
|
||||||
enc_provider/OBJS.ST \
|
|
||||||
hash_provider/OBJS.ST \
|
|
||||||
aes/OBJS.ST \
|
|
||||||
OBJS.ST
|
|
||||||
|
|
||||||
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
||||||
+SUBDIROBJLISTS= md4/OBJS.ST \
|
+SUBDIROBJLISTS= md4/OBJS.ST \
|
||||||
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
||||||
enc_provider/OBJS.ST \
|
enc_provider/OBJS.ST \
|
||||||
hash_provider/OBJS.ST \
|
hash_provider/OBJS.ST \
|
||||||
@@ -42,7 +42,7 @@ includes: depend
|
|
||||||
|
|
||||||
depend: $(SRCS)
|
|
||||||
|
|
||||||
-clean-unix:: clean-libobjs
|
|
||||||
+clean-unix:: clean-libobjsn
|
|
||||||
|
|
||||||
@lib_frag@
|
|
||||||
@libobj_frag@
|
|
||||||
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
|
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
|
||||||
deleted file mode 100644
|
deleted file mode 100644
|
||||||
index a6cece1dd1..0000000000
|
index a6cece1dd1..0000000000
|
||||||
@ -5244,10 +5218,10 @@ index 41e845eae0..5a43c3d9eb 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
index d4e90793f9..1bc807172b 100644
|
index b35e11bfb6..d7c2ad321e 100644
|
||||||
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||||
@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle,
|
@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle,
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (negotiated_etype) {
|
switch (negotiated_etype) {
|
||||||
@ -5256,7 +5230,7 @@ index d4e90793f9..1bc807172b 100644
|
|||||||
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
||||||
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
|
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
|
||||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
index a4446530fc..88d41130a7 100644
|
index 7364607198..5aeb69aebc 100644
|
||||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
@@ -125,14 +125,14 @@ enum sgn_alg {
|
@@ -125,14 +125,14 @@ enum sgn_alg {
|
||||||
@ -5286,10 +5260,10 @@ index a4446530fc..88d41130a7 100644
|
|||||||
};
|
};
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
|
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
|
||||||
index d1cdce486f..7f7146a0a2 100644
|
index 99275be53a..0e5d10b115 100644
|
||||||
--- a/src/lib/gssapi/krb5/k5seal.c
|
--- a/src/lib/gssapi/krb5/k5seal.c
|
||||||
+++ b/src/lib/gssapi/krb5/k5seal.c
|
+++ b/src/lib/gssapi/krb5/k5seal.c
|
||||||
@@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context,
|
@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context,
|
||||||
|
|
||||||
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
||||||
|
|
||||||
@ -5315,7 +5289,7 @@ index d1cdce486f..7f7146a0a2 100644
|
|||||||
|
|
||||||
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
||||||
if (code) {
|
if (code) {
|
||||||
@@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context,
|
@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context,
|
||||||
gssalloc_free(t);
|
gssalloc_free(t);
|
||||||
return(code);
|
return(code);
|
||||||
}
|
}
|
||||||
@ -5327,22 +5301,22 @@ index d1cdce486f..7f7146a0a2 100644
|
|||||||
- */
|
- */
|
||||||
- if (md5cksum.length != cksum_size)
|
- if (md5cksum.length != cksum_size)
|
||||||
- abort ();
|
- abort ();
|
||||||
- memcpy (ptr+14, md5cksum.contents, md5cksum.length);
|
- memcpy(checksum, md5cksum.contents, md5cksum.length);
|
||||||
- break;
|
- break;
|
||||||
- case SGN_ALG_HMAC_MD5:
|
- case SGN_ALG_HMAC_MD5:
|
||||||
- memcpy (ptr+14, md5cksum.contents, cksum_size);
|
- memcpy(checksum, md5cksum.contents, cksum_size);
|
||||||
- break;
|
- break;
|
||||||
- }
|
- }
|
||||||
+
|
+
|
||||||
+ memcpy (ptr+14, md5cksum.contents, cksum_size);
|
+ memcpy(checksum, md5cksum.contents, cksum_size);
|
||||||
|
|
||||||
krb5_free_checksum_contents(context, &md5cksum);
|
krb5_free_checksum_contents(context, &md5cksum);
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
|
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
index 9bb2ee1099..9147bb2c78 100644
|
index 7bf7609a48..d5e12cb436 100644
|
||||||
--- a/src/lib/gssapi/krb5/k5sealiov.c
|
--- a/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
+++ b/src/lib/gssapi/krb5/k5sealiov.c
|
+++ b/src/lib/gssapi/krb5/k5sealiov.c
|
||||||
@@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context,
|
@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context,
|
||||||
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
||||||
|
|
||||||
/* initialize the checksum */
|
/* initialize the checksum */
|
||||||
@ -5366,20 +5340,20 @@ index 9bb2ee1099..9147bb2c78 100644
|
|||||||
|
|
||||||
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
|
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
|
||||||
if (code != 0)
|
if (code != 0)
|
||||||
@@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context,
|
@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context,
|
||||||
if (code != 0)
|
if (code != 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
- switch (ctx->signalg) {
|
- switch (ctx->signalg) {
|
||||||
- case SGN_ALG_HMAC_SHA1_DES3_KD:
|
- case SGN_ALG_HMAC_SHA1_DES3_KD:
|
||||||
- assert(md5cksum.length == ctx->cksum_size);
|
- assert(md5cksum.length == ctx->cksum_size);
|
||||||
- memcpy(ptr + 14, md5cksum.contents, md5cksum.length);
|
- memcpy(checksum, md5cksum.contents, md5cksum.length);
|
||||||
- break;
|
- break;
|
||||||
- case SGN_ALG_HMAC_MD5:
|
- case SGN_ALG_HMAC_MD5:
|
||||||
- memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
- memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
||||||
- break;
|
- break;
|
||||||
- }
|
- }
|
||||||
+ memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
+ memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
||||||
|
|
||||||
/* create the seq_num */
|
/* create the seq_num */
|
||||||
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
|
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
|
||||||
@ -5769,10 +5743,10 @@ index e3d2846315..586661bb7e 100644
|
|||||||
#define CKK_CAST3 (0x17)
|
#define CKK_CAST3 (0x17)
|
||||||
#define CKK_CAST128 (0x18)
|
#define CKK_CAST128 (0x18)
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
index 94a1b22fb1..65f6210727 100644
|
index e22798f668..9fa315d7a0 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
@@ -376,11 +376,11 @@ krb5_error_code server_process_dh
|
@@ -370,11 +370,11 @@ krb5_error_code server_process_dh
|
||||||
* krb5_algorithm_identifier
|
* krb5_algorithm_identifier
|
||||||
*/
|
*/
|
||||||
krb5_error_code create_krb5_supportedCMSTypes
|
krb5_error_code create_krb5_supportedCMSTypes
|
||||||
@ -6019,10 +5993,10 @@ index f71774cdc9..d1857c433f 100644
|
|||||||
"3BB3AE288C12B3B9D06B208A4151B3B6",
|
"3BB3AE288C12B3B9D06B208A4151B3B6",
|
||||||
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
|
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
|
||||||
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
||||||
index 97e2474bf8..47ea9e4b47 100644
|
index bde1c36844..8fcd30db51 100644
|
||||||
--- a/src/tests/t_authdata.py
|
--- a/src/tests/t_authdata.py
|
||||||
+++ b/src/tests/t_authdata.py
|
+++ b/src/tests/t_authdata.py
|
||||||
@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted'])
|
@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted'])
|
||||||
# preferred krbtgt enctype changes.
|
# preferred krbtgt enctype changes.
|
||||||
mark('#8139 regression test')
|
mark('#8139 regression test')
|
||||||
realm.kinit(realm.user_princ, password('user'), ['-f'])
|
realm.kinit(realm.user_princ, password('user'), ['-f'])
|
||||||
@ -6032,18 +6006,21 @@ index 97e2474bf8..47ea9e4b47 100644
|
|||||||
realm.run(['./forward'])
|
realm.run(['./forward'])
|
||||||
realm.run([kvno, realm.host_princ])
|
realm.run([kvno, realm.host_princ])
|
||||||
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||||
index c982508d8b..96e90a69d2 100644
|
index c982508d8b..a6f538b66d 100644
|
||||||
--- a/src/tests/t_etype_info.py
|
--- a/src/tests/t_etype_info.py
|
||||||
+++ b/src/tests/t_etype_info.py
|
+++ b/src/tests/t_etype_info.py
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,8 +1,7 @@
|
||||||
from k5test import *
|
from k5test import *
|
||||||
|
|
||||||
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||||
|
-conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
||||||
|
- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||||
+supported_enctypes = 'aes128-cts rc4-hmac'
|
+supported_enctypes = 'aes128-cts rc4-hmac'
|
||||||
conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
+conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||||
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
|
||||||
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||||
@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
|
||||||
|
realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth',
|
||||||
|
@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
||||||
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
||||||
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
||||||
# key for the most preferred matching enctype.
|
# key for the most preferred matching enctype.
|
||||||
@ -6056,7 +6033,7 @@ index c982508d8b..96e90a69d2 100644
|
|||||||
'asrep pw_salt KRBTEST.COMuser'])
|
'asrep pw_salt KRBTEST.COMuser'])
|
||||||
|
|
||||||
# With a newer enctype in the request (even if it is not the most
|
# With a newer enctype in the request (even if it is not the most
|
||||||
@@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts',
|
@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts',
|
||||||
|
|
||||||
# In preauth-required errors, PA-PW-SALT does not appear, but the same
|
# In preauth-required errors, PA-PW-SALT does not appear, but the same
|
||||||
# etype-info2 values are expected.
|
# etype-info2 values are expected.
|
||||||
@ -6069,7 +6046,7 @@ index c982508d8b..96e90a69d2 100644
|
|||||||
test_etinfo('preauthuser', 'rc4 aes256-cts',
|
test_etinfo('preauthuser', 'rc4 aes256-cts',
|
||||||
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
|
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
|
||||||
|
|
||||||
@@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts',
|
@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts',
|
||||||
# (to allow for preauth mechs which don't depend on long-term keys).
|
# (to allow for preauth mechs which don't depend on long-term keys).
|
||||||
# An AS-REP cannot be generated without preauth as there is no reply
|
# An AS-REP cannot be generated without preauth as there is no reply
|
||||||
# key.
|
# key.
|
||||||
@ -6081,7 +6058,7 @@ index c982508d8b..96e90a69d2 100644
|
|||||||
# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
|
# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
|
||||||
# error if the client does optimistic preauth.
|
# error if the client does optimistic preauth.
|
||||||
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
||||||
index 2c825a6922..f29e0d5500 100755
|
index e9840dfae8..583c2fa27e 100755
|
||||||
--- a/src/tests/t_keyrollover.py
|
--- a/src/tests/t_keyrollover.py
|
||||||
+++ b/src/tests/t_keyrollover.py
|
+++ b/src/tests/t_keyrollover.py
|
||||||
@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)
|
@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)
|
||||||
@ -6182,10 +6159,10 @@ index 65084bbf35..55ca897459 100755
|
|||||||
# Test using different salt types in a principal's key list.
|
# Test using different salt types in a principal's key list.
|
||||||
# Parameters from one key in the list must not leak over to later ones.
|
# Parameters from one key in the list must not leak over to later ones.
|
||||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||||
index 619f1995f8..771f82e3cc 100644
|
index 2a86c5cdfc..d823653aa0 100644
|
||||||
--- a/src/util/k5test.py
|
--- a/src/util/k5test.py
|
||||||
+++ b/src/util/k5test.py
|
+++ b/src/util/k5test.py
|
||||||
@@ -1344,13 +1344,6 @@ _passes = [
|
@@ -1338,13 +1338,6 @@ _passes = [
|
||||||
# No special settings; exercises AES256.
|
# No special settings; exercises AES256.
|
||||||
('default', None, None, None),
|
('default', None, None, None),
|
||||||
|
|
||||||
@ -6224,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
|
|||||||
<td>The AES Advanced Encryption Standard
|
<td>The AES Advanced Encryption Standard
|
||||||
family, like 3DES, is a symmetric block cipher and was designed
|
family, like 3DES, is a symmetric block cipher and was designed
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From b8e3a859f8904d395ea0e1a7d6c49a791029711c Mon Sep 17 00:00:00 2001
|
From 2dc9988da95cdd76335a00007b262272ca8c45b3 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||||
@ -21,29 +21,27 @@ post7 restores MD5 and adds radius_md5_fips_override.
|
|||||||
|
|
||||||
post8 silences a static analyzer warning.
|
post8 silences a static analyzer warning.
|
||||||
|
|
||||||
post9 add missing includes for FIPS_mode() macro
|
Last-updated: krb5-1.20
|
||||||
|
|
||||||
Last-updated: krb5-1.20.1
|
|
||||||
---
|
---
|
||||||
doc/admin/conf_files/krb5_conf.rst | 6 +++
|
doc/admin/conf_files/krb5_conf.rst | 6 +++
|
||||||
src/lib/crypto/krb/prng.c | 17 ++++++-
|
src/lib/crypto/krb/prng.c | 15 +++++-
|
||||||
.../crypto/openssl/enc_provider/camellia.c | 7 +++
|
.../crypto/openssl/enc_provider/camellia.c | 6 +++
|
||||||
src/lib/crypto/openssl/enc_provider/rc4.c | 17 ++++++-
|
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
|
||||||
.../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
|
.../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
|
||||||
src/lib/crypto/openssl/hmac.c | 7 ++-
|
src/lib/crypto/openssl/hmac.c | 6 ++-
|
||||||
src/lib/krad/attr.c | 46 ++++++++++++++-----
|
src/lib/krad/attr.c | 46 ++++++++++++++-----
|
||||||
src/lib/krad/attrset.c | 5 +-
|
src/lib/krad/attrset.c | 5 +-
|
||||||
src/lib/krad/internal.h | 32 ++++++++++++-
|
src/lib/krad/internal.h | 28 ++++++++++-
|
||||||
src/lib/krad/packet.c | 22 +++++----
|
src/lib/krad/packet.c | 22 +++++----
|
||||||
src/lib/krad/remote.c | 10 +++-
|
src/lib/krad/remote.c | 10 +++-
|
||||||
src/lib/krad/t_attr.c | 3 +-
|
src/lib/krad/t_attr.c | 3 +-
|
||||||
src/lib/krad/t_attrset.c | 4 +-
|
src/lib/krad/t_attrset.c | 4 +-
|
||||||
src/plugins/preauth/spake/spake_client.c | 10 ++++
|
src/plugins/preauth/spake/spake_client.c | 6 +++
|
||||||
src/plugins/preauth/spake/spake_kdc.c | 10 ++++
|
src/plugins/preauth/spake/spake_kdc.c | 6 +++
|
||||||
15 files changed, 175 insertions(+), 33 deletions(-)
|
15 files changed, 155 insertions(+), 33 deletions(-)
|
||||||
|
|
||||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
index d5d6e06ebb..2a4962069f 100644
|
index f22d5db11b..a33711d918 100644
|
||||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
|
@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
|
||||||
@ -60,25 +58,23 @@ index d5d6e06ebb..2a4962069f 100644
|
|||||||
If this flag is true, reverse name lookup will be used in addition
|
If this flag is true, reverse name lookup will be used in addition
|
||||||
to forward name lookup to canonicalizing hostnames for use in
|
to forward name lookup to canonicalizing hostnames for use in
|
||||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||||
index d6b79e2dea..ae37c77518 100644
|
index d6b79e2dea..9e80a03d21 100644
|
||||||
--- a/src/lib/crypto/krb/prng.c
|
--- a/src/lib/crypto/krb/prng.c
|
||||||
+++ b/src/lib/crypto/krb/prng.c
|
+++ b/src/lib/crypto/krb/prng.c
|
||||||
@@ -26,6 +26,14 @@
|
@@ -26,6 +26,12 @@
|
||||||
|
|
||||||
#include "crypto_int.h"
|
#include "crypto_int.h"
|
||||||
|
|
||||||
+#include <openssl/rand.h>
|
+#include <openssl/rand.h>
|
||||||
+
|
+
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#else
|
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
krb5_error_code KRB5_CALLCONV
|
krb5_error_code KRB5_CALLCONV
|
||||||
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
||||||
{
|
{
|
||||||
@@ -96,9 +104,16 @@ cleanup:
|
@@ -96,9 +102,16 @@ cleanup:
|
||||||
static krb5_boolean
|
static krb5_boolean
|
||||||
get_os_entropy(unsigned char *buf, size_t len)
|
get_os_entropy(unsigned char *buf, size_t len)
|
||||||
{
|
{
|
||||||
@ -97,18 +93,10 @@ index d6b79e2dea..ae37c77518 100644
|
|||||||
/*
|
/*
|
||||||
* Pull from the /dev/urandom pool, but require it to have been seeded.
|
* Pull from the /dev/urandom pool, but require it to have been seeded.
|
||||||
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
index 01920e6ce1..3dd3b0624f 100644
|
index 01920e6ce1..d9f327add6 100644
|
||||||
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
@@ -32,6 +32,7 @@
|
@@ -387,6 +387,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
|
||||||
#include <openssl/camellia.h>
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#else
|
|
||||||
#include <openssl/modes.h>
|
|
||||||
#endif
|
|
||||||
@@ -387,6 +388,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
|
|
||||||
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
|
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
|
||||||
struct iov_cursor cursor;
|
struct iov_cursor cursor;
|
||||||
|
|
||||||
@ -118,7 +106,7 @@ index 01920e6ce1..3dd3b0624f 100644
|
|||||||
if (output->length < CAMELLIA_BLOCK_SIZE)
|
if (output->length < CAMELLIA_BLOCK_SIZE)
|
||||||
return KRB5_BAD_MSIZE;
|
return KRB5_BAD_MSIZE;
|
||||||
|
|
||||||
@@ -418,6 +422,9 @@ static krb5_error_code
|
@@ -418,6 +421,9 @@ static krb5_error_code
|
||||||
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
|
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
|
||||||
krb5_data *state)
|
krb5_data *state)
|
||||||
{
|
{
|
||||||
@ -129,21 +117,10 @@ index 01920e6ce1..3dd3b0624f 100644
|
|||||||
state->data = (void *) malloc(16);
|
state->data = (void *) malloc(16);
|
||||||
if (state->data == NULL)
|
if (state->data == NULL)
|
||||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
index 448d563348..6a83f10d27 100644
|
index 448d563348..ce63cb5f1b 100644
|
||||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
@@ -38,6 +38,10 @@
|
@@ -69,6 +69,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* The loopback field is a pointer to the structure. If the application copies
|
|
||||||
* the state (not a valid operation, but one which happens to works with some
|
|
||||||
@@ -69,6 +73,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
|
||||||
EVP_CIPHER_CTX *ctx = NULL;
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
struct arcfour_state *arcstate;
|
struct arcfour_state *arcstate;
|
||||||
|
|
||||||
@ -153,7 +130,7 @@ index 448d563348..6a83f10d27 100644
|
|||||||
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
||||||
if (arcstate != NULL) {
|
if (arcstate != NULL) {
|
||||||
ctx = arcstate->ctx;
|
ctx = arcstate->ctx;
|
||||||
@@ -116,7 +123,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
@@ -116,7 +119,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||||
static void
|
static void
|
||||||
k5_arcfour_free_state(krb5_data *state)
|
k5_arcfour_free_state(krb5_data *state)
|
||||||
{
|
{
|
||||||
@ -167,7 +144,7 @@ index 448d563348..6a83f10d27 100644
|
|||||||
|
|
||||||
EVP_CIPHER_CTX_free(arcstate->ctx);
|
EVP_CIPHER_CTX_free(arcstate->ctx);
|
||||||
free(arcstate);
|
free(arcstate);
|
||||||
@@ -128,6 +140,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
|
@@ -128,6 +136,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
|
||||||
{
|
{
|
||||||
struct arcfour_state *arcstate;
|
struct arcfour_state *arcstate;
|
||||||
|
|
||||||
@ -215,18 +192,10 @@ index f2fbffdb29..11659908bb 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||||
index bf12b8d6a0..25a419d73a 100644
|
index bf12b8d6a0..f21e268f7f 100644
|
||||||
--- a/src/lib/crypto/openssl/hmac.c
|
--- a/src/lib/crypto/openssl/hmac.c
|
||||||
+++ b/src/lib/crypto/openssl/hmac.c
|
+++ b/src/lib/crypto/openssl/hmac.c
|
||||||
@@ -59,6 +59,7 @@
|
@@ -111,7 +111,11 @@ map_digest(const struct krb5_hash_provider *hash)
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
#include <openssl/params.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#else
|
|
||||||
#include <openssl/hmac.h>
|
|
||||||
#endif
|
|
||||||
@@ -111,7 +112,11 @@ map_digest(const struct krb5_hash_provider *hash)
|
|
||||||
return EVP_sha256();
|
return EVP_sha256();
|
||||||
else if (hash == &krb5int_hash_sha384)
|
else if (hash == &krb5int_hash_sha384)
|
||||||
return EVP_sha384();
|
return EVP_sha384();
|
||||||
@ -387,23 +356,19 @@ index f309f1581c..6ec031e320 100644
|
|||||||
return retval;
|
return retval;
|
||||||
|
|
||||||
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||||
index 7619563fc5..a17b6f39b1 100644
|
index 7619563fc5..e123763954 100644
|
||||||
--- a/src/lib/krad/internal.h
|
--- a/src/lib/krad/internal.h
|
||||||
+++ b/src/lib/krad/internal.h
|
+++ b/src/lib/krad/internal.h
|
||||||
@@ -39,6 +39,12 @@
|
@@ -39,6 +39,8 @@
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
|
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
#ifndef UCHAR_MAX
|
#ifndef UCHAR_MAX
|
||||||
#define UCHAR_MAX 255
|
#define UCHAR_MAX 255
|
||||||
#endif
|
#endif
|
||||||
@@ -49,6 +55,13 @@
|
@@ -49,6 +51,13 @@
|
||||||
|
|
||||||
typedef struct krad_remote_st krad_remote;
|
typedef struct krad_remote_st krad_remote;
|
||||||
|
|
||||||
@ -417,7 +382,7 @@ index 7619563fc5..a17b6f39b1 100644
|
|||||||
/* Validate constraints of an attribute. */
|
/* Validate constraints of an attribute. */
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
kr_attr_valid(krad_attr type, const krb5_data *data);
|
kr_attr_valid(krad_attr type, const krb5_data *data);
|
||||||
@@ -57,7 +70,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
|
@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||||
krad_attr type, const krb5_data *in,
|
krad_attr type, const krb5_data *in,
|
||||||
@ -427,7 +392,7 @@ index 7619563fc5..a17b6f39b1 100644
|
|||||||
|
|
||||||
/* Decode an attribute. */
|
/* Decode an attribute. */
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
@@ -69,7 +83,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
kr_attrset_encode(const krad_attrset *set, const char *secret,
|
kr_attrset_encode(const krad_attrset *set, const char *secret,
|
||||||
const unsigned char *auth,
|
const unsigned char *auth,
|
||||||
@ -437,7 +402,7 @@ index 7619563fc5..a17b6f39b1 100644
|
|||||||
|
|
||||||
/* Decode attributes from a buffer. */
|
/* Decode attributes from a buffer. */
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
@@ -156,4 +171,17 @@ gai_error_code(int err)
|
@@ -156,4 +167,17 @@ gai_error_code(int err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -595,23 +560,19 @@ index 7928335ca4..0f95762534 100644
|
|||||||
|
|
||||||
/* Manually encode User-Name. */
|
/* Manually encode User-Name. */
|
||||||
diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
|
diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
|
||||||
index 00734a13b5..13c699071f 100644
|
index 00734a13b5..a3ce22b70f 100644
|
||||||
--- a/src/plugins/preauth/spake/spake_client.c
|
--- a/src/plugins/preauth/spake/spake_client.c
|
||||||
+++ b/src/plugins/preauth/spake/spake_client.c
|
+++ b/src/plugins/preauth/spake/spake_client.c
|
||||||
@@ -38,6 +38,12 @@
|
@@ -38,6 +38,8 @@
|
||||||
#include "groups.h"
|
#include "groups.h"
|
||||||
#include <krb5/clpreauth_plugin.h>
|
#include <krb5/clpreauth_plugin.h>
|
||||||
|
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
typedef struct reqstate_st {
|
typedef struct reqstate_st {
|
||||||
krb5_pa_spake *msg; /* set in prep_questions, used in process */
|
krb5_pa_spake *msg; /* set in prep_questions, used in process */
|
||||||
krb5_keyblock *initial_key;
|
krb5_keyblock *initial_key;
|
||||||
@@ -375,6 +381,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
|
@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
|
||||||
|
|
||||||
if (maj_ver != 1)
|
if (maj_ver != 1)
|
||||||
return KRB5_PLUGIN_VER_NOTSUPP;
|
return KRB5_PLUGIN_VER_NOTSUPP;
|
||||||
@ -623,23 +584,19 @@ index 00734a13b5..13c699071f 100644
|
|||||||
vt->name = "spake";
|
vt->name = "spake";
|
||||||
vt->pa_type_list = pa_types;
|
vt->pa_type_list = pa_types;
|
||||||
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
|
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
|
||||||
index 1a772d450f..3394f8a58e 100644
|
index 1a772d450f..232e78bc05 100644
|
||||||
--- a/src/plugins/preauth/spake/spake_kdc.c
|
--- a/src/plugins/preauth/spake/spake_kdc.c
|
||||||
+++ b/src/plugins/preauth/spake/spake_kdc.c
|
+++ b/src/plugins/preauth/spake/spake_kdc.c
|
||||||
@@ -41,6 +41,12 @@
|
@@ -41,6 +41,8 @@
|
||||||
|
|
||||||
#include <krb5/kdcpreauth_plugin.h>
|
#include <krb5/kdcpreauth_plugin.h>
|
||||||
|
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
/*
|
/*
|
||||||
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||||
* concatenated fields (all integer fields are big-endian):
|
* concatenated fields (all integer fields are big-endian):
|
||||||
@@ -551,6 +557,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
|
@@ -551,6 +553,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
|
||||||
|
|
||||||
if (maj_ver != 1)
|
if (maj_ver != 1)
|
||||||
return KRB5_PLUGIN_VER_NOTSUPP;
|
return KRB5_PLUGIN_VER_NOTSUPP;
|
||||||
@ -651,5 +608,5 @@ index 1a772d450f..3394f8a58e 100644
|
|||||||
vt->name = "spake";
|
vt->name = "spake";
|
||||||
vt->pa_type_list = pa_types;
|
vt->pa_type_list = pa_types;
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,201 +0,0 @@
|
|||||||
From c0a6d66e98e62b94d72bb51b8d6c00130a951215 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Fri, 22 Apr 2022 14:12:37 +0200
|
|
||||||
Subject: [PATCH] Add configure variable for default PKCS#11 module
|
|
||||||
|
|
||||||
[ghudson@mit.edu: added documentation of configure variable and doc
|
|
||||||
substitution; shortened commit message]
|
|
||||||
|
|
||||||
ticket: 9058 (new)
|
|
||||||
---
|
|
||||||
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
|
||||||
doc/build/options2configure.rst | 3 +++
|
|
||||||
doc/conf.py | 3 +++
|
|
||||||
doc/mitK5defaults.rst | 25 +++++++++++++------------
|
|
||||||
src/configure.ac | 8 ++++++++
|
|
||||||
src/doc/Makefile.in | 2 ++
|
|
||||||
src/man/Makefile.in | 4 +++-
|
|
||||||
src/man/krb5.conf.man | 2 +-
|
|
||||||
src/plugins/preauth/pkinit/pkinit.h | 1 -
|
|
||||||
9 files changed, 34 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
index 2a4962069f..a33711d918 100644
|
|
||||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
@@ -1017,7 +1017,7 @@ information for PKINIT is as follows:
|
|
||||||
All keyword/values are optional. *modname* specifies the location
|
|
||||||
of a library implementing PKCS #11. If a value is encountered
|
|
||||||
with no keyword, it is assumed to be the *modname*. If no
|
|
||||||
- module-name is specified, the default is ``opensc-pkcs11.so``.
|
|
||||||
+ module-name is specified, the default is |pkcs11_modname|.
|
|
||||||
``slotid=`` and/or ``token=`` may be specified to force the use of
|
|
||||||
a particular smard card reader or token if there is more than one
|
|
||||||
available. ``certid=`` and/or ``certlabel=`` may be specified to
|
|
||||||
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
|
|
||||||
index 9e355dc2c5..e879b18bd2 100644
|
|
||||||
--- a/doc/build/options2configure.rst
|
|
||||||
+++ b/doc/build/options2configure.rst
|
|
||||||
@@ -137,6 +137,9 @@ Environment variables
|
|
||||||
This option allows one to specify libraries to be passed to the
|
|
||||||
linker (e.g., ``-l<library>``)
|
|
||||||
|
|
||||||
+**PKCS11_MODNAME=**\ *library*
|
|
||||||
+ Override the built-in default PKCS11 library name.
|
|
||||||
+
|
|
||||||
**SS_LIB=**\ *libs*...
|
|
||||||
If ``-lss`` is not the correct way to link in your installed ss
|
|
||||||
library, for example if additional support libraries are needed,
|
|
||||||
diff --git a/doc/conf.py b/doc/conf.py
|
|
||||||
index 12168fa695..0ab5ff9606 100644
|
|
||||||
--- a/doc/conf.py
|
|
||||||
+++ b/doc/conf.py
|
|
||||||
@@ -242,6 +242,7 @@ if 'mansubs' in tags:
|
|
||||||
ccache = '``@CCNAME@``'
|
|
||||||
keytab = '``@KTNAME@``'
|
|
||||||
ckeytab = '``@CKTNAME@``'
|
|
||||||
+ pkcs11_modname = '``@PKCS11MOD@``'
|
|
||||||
elif 'pathsubs' in tags:
|
|
||||||
# Read configured paths from a file produced by the build system.
|
|
||||||
exec(open("paths.py").read())
|
|
||||||
@@ -255,6 +256,7 @@ else:
|
|
||||||
ccache = ':ref:`DEFCCNAME <paths>`'
|
|
||||||
keytab = ':ref:`DEFKTNAME <paths>`'
|
|
||||||
ckeytab = ':ref:`DEFCKTNAME <paths>`'
|
|
||||||
+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
|
|
||||||
|
|
||||||
rst_epilog = '\n'
|
|
||||||
|
|
||||||
@@ -275,6 +277,7 @@ else:
|
|
||||||
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
|
|
||||||
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
|
|
||||||
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
|
||||||
+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
|
|
||||||
rst_epilog += '''
|
|
||||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
|
||||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
|
||||||
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
|
|
||||||
index 74e69f4ad0..aea7af3dbb 100644
|
|
||||||
--- a/doc/mitK5defaults.rst
|
|
||||||
+++ b/doc/mitK5defaults.rst
|
|
||||||
@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
|
|
||||||
operating system, the paths are generally chosen to match the
|
|
||||||
operating system's filesystem layout.
|
|
||||||
|
|
||||||
-========================== ============= =========================== ===========================
|
|
||||||
-Description Symbolic name Custom build path Typical OS path
|
|
||||||
-========================== ============= =========================== ===========================
|
|
||||||
-User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
|
||||||
-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
|
||||||
-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
|
||||||
-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
|
||||||
-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
|
||||||
-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
|
||||||
-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
|
||||||
-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
|
||||||
-========================== ============= =========================== ===========================
|
|
||||||
+========================== ============== =========================== ===========================
|
|
||||||
+Description Symbolic name Custom build path Typical OS path
|
|
||||||
+========================== ============== =========================== ===========================
|
|
||||||
+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
|
||||||
+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
|
||||||
+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
|
||||||
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
|
||||||
+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
|
||||||
+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
|
||||||
+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
|
||||||
+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
|
||||||
+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
|
|
||||||
+========================== ============== =========================== ===========================
|
|
||||||
|
|
||||||
The default client keytab name (DEFCKTNAME) typically defaults to
|
|
||||||
``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
|
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
|
||||||
index 8dc864718d..9774cb71ae 100644
|
|
||||||
--- a/src/configure.ac
|
|
||||||
+++ b/src/configure.ac
|
|
||||||
@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
|
|
||||||
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
|
|
||||||
[Define to default client keytab name])
|
|
||||||
|
|
||||||
+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
|
|
||||||
+if test "${PKCS11_MODNAME+set}" != set; then
|
|
||||||
+ PKCS11_MODNAME=opensc-pkcs11.so
|
|
||||||
+fi
|
|
||||||
+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
|
|
||||||
+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
|
|
||||||
+ [Default PKCS11 module name])
|
|
||||||
+
|
|
||||||
AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
|
|
||||||
AC_CONFIG_FILES([build-tools/kadm-server.pc
|
|
||||||
build-tools/kadm-client.pc
|
|
||||||
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
|
|
||||||
index 379bc36511..a1b0cff0a4 100644
|
|
||||||
--- a/src/doc/Makefile.in
|
|
||||||
+++ b/src/doc/Makefile.in
|
|
||||||
@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
|
|
||||||
DEFCCNAME=@DEFCCNAME@
|
|
||||||
DEFKTNAME=@DEFKTNAME@
|
|
||||||
DEFCKTNAME=@DEFCKTNAME@
|
|
||||||
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
|
||||||
|
|
||||||
RST_SOURCES= _static \
|
|
||||||
_templates \
|
|
||||||
@@ -118,6 +119,7 @@ paths.py:
|
|
||||||
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
|
|
||||||
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
|
|
||||||
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
|
|
||||||
+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
|
|
||||||
|
|
||||||
# Dummy rule that man/Makefile can invoke
|
|
||||||
version.py: $(docsrc)/version.py
|
|
||||||
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
|
|
||||||
index 00b1b2de06..85cae0914e 100644
|
|
||||||
--- a/src/man/Makefile.in
|
|
||||||
+++ b/src/man/Makefile.in
|
|
||||||
@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
|
|
||||||
DEFCCNAME=@DEFCCNAME@
|
|
||||||
DEFKTNAME=@DEFKTNAME@
|
|
||||||
DEFCKTNAME=@DEFCKTNAME@
|
|
||||||
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
|
||||||
|
|
||||||
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
|
|
||||||
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
|
|
||||||
@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
|
|
||||||
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
|
|
||||||
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
|
|
||||||
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
|
|
||||||
- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
|
|
||||||
+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
|
|
||||||
+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
|
|
||||||
|
|
||||||
all: $(MANSUBS)
|
|
||||||
|
|
||||||
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
|
||||||
index 51acb38815..fd2c6f2bc4 100644
|
|
||||||
--- a/src/man/krb5.conf.man
|
|
||||||
+++ b/src/man/krb5.conf.man
|
|
||||||
@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.
|
|
||||||
All keyword/values are optional. \fImodname\fP specifies the location
|
|
||||||
of a library implementing PKCS #11. If a value is encountered
|
|
||||||
with no keyword, it is assumed to be the \fImodname\fP\&. If no
|
|
||||||
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
|
|
||||||
+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
|
|
||||||
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
|
|
||||||
a particular smard card reader or token if there is more than one
|
|
||||||
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
|
||||||
index 8135535e2c..66f92d8f03 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit.h
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit.h
|
|
||||||
@@ -42,7 +42,6 @@
|
|
||||||
#ifndef WITHOUT_PKCS11
|
|
||||||
#include "pkcs11.h"
|
|
||||||
|
|
||||||
-#define PKCS11_MODNAME "opensc-pkcs11.so"
|
|
||||||
#define PK_SIGLEN_GUESS 1000
|
|
||||||
#define PK_NOSLOT 999999
|
|
||||||
#endif
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,8 +1,7 @@
|
|||||||
From 813f3840c7b9f32c1d96dcd847be91fe545653eb Mon Sep 17 00:00:00 2001
|
From 343e4042abdec8697d2c30eb84f70bdbd8388302 Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Thu, 5 May 2022 17:15:12 +0200
|
Date: Thu, 5 May 2022 17:15:12 +0200
|
||||||
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
|
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
|
||||||
with FIPS
|
|
||||||
|
|
||||||
libkrad allows to establish connections only to UNIX socket in FIPS
|
libkrad allows to establish connections only to UNIX socket in FIPS
|
||||||
mode, because MD5 digest is not considered safe enough to be used for
|
mode, because MD5 digest is not considered safe enough to be used for
|
||||||
@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644
|
|||||||
retval = ESOCKTNOSUPPORT;
|
retval = ESOCKTNOSUPPORT;
|
||||||
goto error;
|
goto error;
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,159 +0,0 @@
|
|||||||
From 3cc9ef956342f55cc9ae283e30fc3ba080248cf3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Wed, 1 Jun 2022 18:02:04 +0200
|
|
||||||
Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
|
|
||||||
|
|
||||||
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
|
|
||||||
the algorithms it supports for verification of the CMS data signature.
|
|
||||||
(The MIT krb5 KDC currently ignores this list, but other
|
|
||||||
implementations use it.)
|
|
||||||
|
|
||||||
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
|
|
||||||
commit message]
|
|
||||||
|
|
||||||
ticket: 9066 (new)
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++-
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++
|
|
||||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++---------
|
|
||||||
3 files changed, 60 insertions(+), 26 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
index 652897fa14..1da482e0b4 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
|
|
||||||
@@ -32,9 +32,14 @@
|
|
||||||
|
|
||||||
#include "pkinit.h"
|
|
||||||
|
|
||||||
-/* statically declare OID constants for all three algorithms */
|
|
||||||
-static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01};
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */
|
|
||||||
+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 };
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */
|
|
||||||
static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 };
|
|
||||||
+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6)
|
|
||||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */
|
|
||||||
static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 };
|
|
||||||
|
|
||||||
const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid };
|
|
||||||
@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = {
|
|
||||||
NULL
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
|
||||||
+ * rsadsi(113549) pkcs(1) 1 11 */
|
|
||||||
+static char sha256WithRSAEncr_oid[9] = {
|
|
||||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
|
|
||||||
+};
|
|
||||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
|
||||||
+ * rsadsi(113549) pkcs(1) 1 13 */
|
|
||||||
+static char sha512WithRSAEncr_oid[9] = {
|
|
||||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const krb5_data sha256WithRSAEncr_id = {
|
|
||||||
+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
|
|
||||||
+};
|
|
||||||
+const krb5_data sha512WithRSAEncr_id = {
|
|
||||||
+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+krb5_data const * const supported_cms_algs[] = {
|
|
||||||
+ &sha512WithRSAEncr_id,
|
|
||||||
+ &sha256WithRSAEncr_id,
|
|
||||||
+ NULL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as
|
|
||||||
* DomainParameters (RFC 3279 section 2.3.3). */
|
|
||||||
static const uint8_t o1024[] = {
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
index 65f6210727..64300da856 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
||||||
@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096;
|
|
||||||
*/
|
|
||||||
extern krb5_data const * const supported_kdf_alg_ids[];
|
|
||||||
|
|
||||||
+/* CMS signature algorithms supported by this implementation, in order of
|
|
||||||
+ * decreasing preference. */
|
|
||||||
+extern krb5_data const * const supported_cms_algs[];
|
|
||||||
+
|
|
||||||
krb5_error_code
|
|
||||||
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
|
|
||||||
uint8_t **der_out, size_t *der_len);
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index d500455dec..1c2aa02827 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context,
|
|
||||||
pkinit_plg_crypto_context plg_cryptoctx,
|
|
||||||
pkinit_req_crypto_context req_cryptoctx,
|
|
||||||
pkinit_identity_crypto_context id_cryptoctx,
|
|
||||||
- krb5_algorithm_identifier ***oids)
|
|
||||||
+ krb5_algorithm_identifier ***algs_out)
|
|
||||||
{
|
|
||||||
+ krb5_error_code ret;
|
|
||||||
+ krb5_algorithm_identifier **algs = NULL;
|
|
||||||
+ size_t i, count;
|
|
||||||
|
|
||||||
- krb5_error_code retval = ENOMEM;
|
|
||||||
- krb5_algorithm_identifier **loids = NULL;
|
|
||||||
- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
|
|
||||||
+ *algs_out = NULL;
|
|
||||||
|
|
||||||
- *oids = NULL;
|
|
||||||
- loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
|
|
||||||
- if (loids == NULL)
|
|
||||||
- goto cleanup;
|
|
||||||
- loids[1] = NULL;
|
|
||||||
- loids[0] = malloc(sizeof(krb5_algorithm_identifier));
|
|
||||||
- if (loids[0] == NULL) {
|
|
||||||
- free(loids);
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
|
|
||||||
- if (retval) {
|
|
||||||
- free(loids[0]);
|
|
||||||
- free(loids);
|
|
||||||
+ /* Count supported OIDs and allocate list (including null terminator). */
|
|
||||||
+ for (count = 0; supported_cms_algs[count] != NULL; count++);
|
|
||||||
+ algs = k5calloc(count + 1, sizeof(*algs), &ret);
|
|
||||||
+ if (algs == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
+
|
|
||||||
+ /* Add an algorithm identifier for each OID, with no parameters. */
|
|
||||||
+ for (i = 0; i < count; i++) {
|
|
||||||
+ algs[i] = k5alloc(sizeof(*algs[i]), &ret);
|
|
||||||
+ if (algs[i] == NULL)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
|
|
||||||
+ &algs[i]->algorithm);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ algs[i]->parameters = empty_data();
|
|
||||||
}
|
|
||||||
- loids[0]->parameters.length = 0;
|
|
||||||
- loids[0]->parameters.data = NULL;
|
|
||||||
|
|
||||||
- *oids = loids;
|
|
||||||
- retval = 0;
|
|
||||||
-cleanup:
|
|
||||||
+ *algs_out = algs;
|
|
||||||
+ algs = NULL;
|
|
||||||
|
|
||||||
- return retval;
|
|
||||||
+cleanup:
|
|
||||||
+ free_krb5_algorithm_identifiers(&algs);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
krb5_error_code
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 9aa12e932f08651785519890896647069e7a30b1 Mon Sep 17 00:00:00 2001
|
From aa0556348373d6aca0a1bda96fe7a47888051d33 Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Wed, 7 Dec 2022 13:22:42 +0100
|
Date: Wed, 7 Dec 2022 13:22:42 +0100
|
||||||
Subject: [PATCH] [downstream] Make tests compatible with
|
Subject: [PATCH] [downstream] Make tests compatible with
|
||||||
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
|
|||||||
fail('URI answers do not match')
|
fail('URI answers do not match')
|
||||||
j += 1
|
j += 1
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,622 +0,0 @@
|
|||||||
From 593109802b52e3f89c3a65436bfdba78f8c517c4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu, 23 Jun 2022 16:41:40 -0400
|
|
||||||
Subject: [PATCH] Simplify plugin loading code
|
|
||||||
|
|
||||||
Remove the USE_CFBUNDLE code, which was only used by KfM. Handle
|
|
||||||
platform conditionals according to current practice. Use
|
|
||||||
k5_dir_filenames() instead of opendir() and remove the Windows
|
|
||||||
implementation of opendir().
|
|
||||||
---
|
|
||||||
src/util/support/plugins.c | 507 +++++++++++--------------------------
|
|
||||||
1 file changed, 150 insertions(+), 357 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
|
|
||||||
index c6a9a21d57..0850565687 100644
|
|
||||||
--- a/src/util/support/plugins.c
|
|
||||||
+++ b/src/util/support/plugins.c
|
|
||||||
@@ -29,16 +29,6 @@
|
|
||||||
#if USE_DLOPEN
|
|
||||||
#include <dlfcn.h>
|
|
||||||
#endif
|
|
||||||
-#include <sys/types.h>
|
|
||||||
-#ifdef HAVE_SYS_STAT_H
|
|
||||||
-#include <sys/stat.h>
|
|
||||||
-#endif
|
|
||||||
-#ifdef HAVE_SYS_PARAM_H
|
|
||||||
-#include <sys/param.h>
|
|
||||||
-#endif
|
|
||||||
-#ifdef HAVE_UNISTD_H
|
|
||||||
-#include <unistd.h>
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
#if USE_DLOPEN
|
|
||||||
#ifdef RTLD_GROUP
|
|
||||||
@@ -68,16 +58,6 @@
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if USE_DLOPEN && USE_CFBUNDLE
|
|
||||||
-#include <CoreFoundation/CoreFoundation.h>
|
|
||||||
-
|
|
||||||
-/* Currently CoreFoundation only exists on the Mac so we just use
|
|
||||||
- * pthreads directly to avoid creating empty function calls on other
|
|
||||||
- * platforms. If a thread initializer ever gets created in the common
|
|
||||||
- * plugin code, move this there */
|
|
||||||
-static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#include <stdarg.h>
|
|
||||||
static void Tprintf (const char *fmt, ...)
|
|
||||||
{
|
|
||||||
@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...)
|
|
||||||
}
|
|
||||||
|
|
||||||
struct plugin_file_handle {
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
+#if defined(USE_DLOPEN)
|
|
||||||
void *dlhandle;
|
|
||||||
-#endif
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- HMODULE hinstPlugin;
|
|
||||||
-#endif
|
|
||||||
-#if !defined (USE_DLOPEN) && !defined (_WIN32)
|
|
||||||
+#elif defined(_WIN32)
|
|
||||||
+ HMODULE module;
|
|
||||||
+#else
|
|
||||||
char dummy;
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
-#ifdef _WIN32
|
|
||||||
-struct dirent {
|
|
||||||
- long d_ino; /* inode (always 1 in WIN32) */
|
|
||||||
- off_t d_off; /* offset to this dirent */
|
|
||||||
- unsigned short d_reclen; /* length of d_name */
|
|
||||||
- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-typedef struct {
|
|
||||||
- intptr_t handle; /* _findfirst/_findnext handle */
|
|
||||||
- short offset; /* offset into directory */
|
|
||||||
- short finished; /* 1 if there are not more files */
|
|
||||||
- struct _finddata_t fileinfo;/* from _findfirst/_findnext */
|
|
||||||
- char *dir; /* the dir we are reading */
|
|
||||||
- struct dirent dent; /* the dirent to return */
|
|
||||||
-} DIR;
|
|
||||||
+#if defined(USE_DLOPEN)
|
|
||||||
|
|
||||||
-DIR * opendir(const char *dir)
|
|
||||||
+static long
|
|
||||||
+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- DIR *dp;
|
|
||||||
- char *filespec;
|
|
||||||
- intptr_t handle;
|
|
||||||
- int index;
|
|
||||||
-
|
|
||||||
- filespec = malloc(strlen(dir) + 2 + 1);
|
|
||||||
- strcpy(filespec, dir);
|
|
||||||
- index = strlen(filespec) - 1;
|
|
||||||
- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\'))
|
|
||||||
- filespec[index] = '\0';
|
|
||||||
- strcat(filespec, "/*");
|
|
||||||
-
|
|
||||||
- dp = (DIR *)malloc(sizeof(DIR));
|
|
||||||
- dp->offset = 0;
|
|
||||||
- dp->finished = 0;
|
|
||||||
- dp->dir = strdup(dir);
|
|
||||||
-
|
|
||||||
- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) {
|
|
||||||
- if (errno == ENOENT)
|
|
||||||
- dp->finished = 1;
|
|
||||||
- else {
|
|
||||||
- free(filespec);
|
|
||||||
- free(dp->dir);
|
|
||||||
- free(dp);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
+ const char *e;
|
|
||||||
+
|
|
||||||
+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS);
|
|
||||||
+ if (h->dlhandle == NULL) {
|
|
||||||
+ e = dlerror();
|
|
||||||
+ if (e == NULL)
|
|
||||||
+ e = _("unknown failure");
|
|
||||||
+ Tprintf("dlopen(%s): %s\n", filename, e);
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"),
|
|
||||||
+ filename, e);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- dp->handle = handle;
|
|
||||||
- free(filespec);
|
|
||||||
-
|
|
||||||
- return dp;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
+#define open_plugin open_plugin_dlfcn
|
|
||||||
|
|
||||||
-struct dirent * readdir(DIR *dp)
|
|
||||||
+static long
|
|
||||||
+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- if (!dp || dp->finished) return NULL;
|
|
||||||
-
|
|
||||||
- if (dp->offset != 0) {
|
|
||||||
- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) {
|
|
||||||
- dp->finished = 1;
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
+ const char *e;
|
|
||||||
+
|
|
||||||
+ if (h->dlhandle == NULL)
|
|
||||||
+ return ENOENT;
|
|
||||||
+ *sym_out = dlsym(h->dlhandle, csymname);
|
|
||||||
+ if (*sym_out == NULL) {
|
|
||||||
+ e = dlerror();
|
|
||||||
+ if (e == NULL)
|
|
||||||
+ e = _("unknown failure");
|
|
||||||
+ Tprintf("dlsym(%s): %s\n", csymname, e);
|
|
||||||
+ k5_set_error(ep, ENOENT, "%s", e);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
- dp->offset++;
|
|
||||||
-
|
|
||||||
- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME);
|
|
||||||
- dp->dent.d_ino = 1;
|
|
||||||
- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name);
|
|
||||||
- dp->dent.d_off = dp->offset;
|
|
||||||
-
|
|
||||||
- return &(dp->dent);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-int closedir(DIR *dp)
|
|
||||||
-{
|
|
||||||
- if (!dp) return 0;
|
|
||||||
- _findclose(dp->handle);
|
|
||||||
- free(dp->dir);
|
|
||||||
- free(dp);
|
|
||||||
-
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
-#endif
|
|
||||||
+#define get_sym get_sym_dlfcn
|
|
||||||
|
|
||||||
-long KRB5_CALLCONV
|
|
||||||
-krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep)
|
|
||||||
+static void
|
|
||||||
+close_plugin_dlfcn(struct plugin_file_handle *h)
|
|
||||||
{
|
|
||||||
- long err = 0;
|
|
||||||
- struct plugin_file_handle *htmp = NULL;
|
|
||||||
- int got_plugin = 0;
|
|
||||||
-#if defined(USE_CFBUNDLE) || defined(_WIN32)
|
|
||||||
- struct stat statbuf;
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- if (stat (filepath, &statbuf) < 0) {
|
|
||||||
- err = errno;
|
|
||||||
- Tprintf ("stat(%s): %s\n", filepath, strerror (err));
|
|
||||||
- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"),
|
|
||||||
- filepath, strerror(err));
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */
|
|
||||||
- if (htmp == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (!err
|
|
||||||
-#if USE_CFBUNDLE
|
|
||||||
- && ((statbuf.st_mode & S_IFMT) == S_IFREG
|
|
||||||
- || (statbuf.st_mode & S_IFMT) == S_IFDIR)
|
|
||||||
-#endif /* USE_CFBUNDLE */
|
|
||||||
- ) {
|
|
||||||
- void *handle = NULL;
|
|
||||||
-
|
|
||||||
-#if USE_CFBUNDLE
|
|
||||||
- char executablepath[MAXPATHLEN];
|
|
||||||
-
|
|
||||||
- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) {
|
|
||||||
- int lock_err = 0;
|
|
||||||
- CFStringRef pluginString = NULL;
|
|
||||||
- CFURLRef pluginURL = NULL;
|
|
||||||
- CFBundleRef pluginBundle = NULL;
|
|
||||||
- CFURLRef executableURL = NULL;
|
|
||||||
-
|
|
||||||
- /* Lock around CoreFoundation calls since objects are refcounted
|
|
||||||
- * and the refcounts are not thread-safe. Using pthreads directly
|
|
||||||
- * because this code is Mac-specific */
|
|
||||||
- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex);
|
|
||||||
- if (lock_err) { err = lock_err; }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginString = CFStringCreateWithCString (kCFAllocatorDefault,
|
|
||||||
- filepath,
|
|
||||||
- kCFStringEncodingASCII);
|
|
||||||
- if (pluginString == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault,
|
|
||||||
- pluginString,
|
|
||||||
- kCFURLPOSIXPathStyle,
|
|
||||||
- true);
|
|
||||||
- if (pluginURL == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL);
|
|
||||||
- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- executableURL = CFBundleCopyExecutableURL (pluginBundle);
|
|
||||||
- if (executableURL == NULL) { err = ENOMEM; }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- if (!CFURLGetFileSystemRepresentation (executableURL,
|
|
||||||
- true, /* absolute */
|
|
||||||
- (UInt8 *)executablepath,
|
|
||||||
- sizeof (executablepath))) {
|
|
||||||
- err = ENOMEM;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- /* override the path the caller passed in */
|
|
||||||
- filepath = executablepath;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (executableURL != NULL) { CFRelease (executableURL); }
|
|
||||||
- if (pluginBundle != NULL) { CFRelease (pluginBundle); }
|
|
||||||
- if (pluginURL != NULL) { CFRelease (pluginURL); }
|
|
||||||
- if (pluginString != NULL) { CFRelease (pluginString); }
|
|
||||||
-
|
|
||||||
- /* unlock after CFRelease calls since they modify refcounts */
|
|
||||||
- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); }
|
|
||||||
- }
|
|
||||||
-#endif /* USE_CFBUNDLE */
|
|
||||||
-
|
|
||||||
- if (!err) {
|
|
||||||
- handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);
|
|
||||||
- if (handle == NULL) {
|
|
||||||
- const char *e = dlerror();
|
|
||||||
- if (e == NULL)
|
|
||||||
- e = _("unknown failure");
|
|
||||||
- Tprintf ("dlopen(%s): %s\n", filepath, e);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"),
|
|
||||||
- filepath, e);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
+ if (h->dlhandle != NULL)
|
|
||||||
+ dlclose(h->dlhandle);
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_dlfcn
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- got_plugin = 1;
|
|
||||||
- htmp->dlhandle = handle;
|
|
||||||
- handle = NULL;
|
|
||||||
- }
|
|
||||||
+#elif defined(_WIN32)
|
|
||||||
|
|
||||||
- if (handle != NULL) { dlclose (handle); }
|
|
||||||
+static long
|
|
||||||
+open_plugin_win32(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ h->module = LoadLibrary(filename);
|
|
||||||
+ if (h == NULL) {
|
|
||||||
+ Tprintf("Unable to load dll: %s\n", filename);
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename);
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
-#endif /* USE_DLOPEN */
|
|
||||||
-
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) {
|
|
||||||
- HMODULE handle = NULL;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+#define open_plugin open_plugin_win32
|
|
||||||
|
|
||||||
- handle = LoadLibrary(filepath);
|
|
||||||
- if (handle == NULL) {
|
|
||||||
- Tprintf ("Unable to load dll: %s\n", filepath);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath);
|
|
||||||
- }
|
|
||||||
+static long
|
|
||||||
+get_sym_win32(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ LPVOID lpMsgBuf;
|
|
||||||
+ DWORD dw;
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- got_plugin = 1;
|
|
||||||
- htmp->hinstPlugin = handle;
|
|
||||||
- handle = NULL;
|
|
||||||
+ if (h->module == NULL)
|
|
||||||
+ return ENOENT;
|
|
||||||
+ *sym_out = GetProcAddress(h->module, csymname);
|
|
||||||
+ if (*sym_out == NULL) {
|
|
||||||
+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
|
||||||
+ dw = GetLastError();
|
|
||||||
+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
|
||||||
+ FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
|
||||||
+ (LPTSTR)&lpMsgBuf, 0, NULL)) {
|
|
||||||
+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"),
|
|
||||||
+ (char *)lpMsgBuf);
|
|
||||||
+ LocalFree(lpMsgBuf);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if (handle != NULL)
|
|
||||||
- FreeLibrary(handle);
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- if (!err && !got_plugin) {
|
|
||||||
- err = ENOENT; /* no plugin or no way to load plugins */
|
|
||||||
- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err));
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+#define get_sym get_sym_win32
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- *h = htmp;
|
|
||||||
- htmp = NULL; /* h takes ownership */
|
|
||||||
- }
|
|
||||||
+static void
|
|
||||||
+close_plugin_win32(struct plugin_file_handle *h)
|
|
||||||
+{
|
|
||||||
+ if (h->module != NULL)
|
|
||||||
+ FreeLibrary(h->module);
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_win32
|
|
||||||
|
|
||||||
- free(htmp);
|
|
||||||
+#else
|
|
||||||
|
|
||||||
- return err;
|
|
||||||
+static long
|
|
||||||
+open_plugin_dummy(struct plugin_file_handle *h, const char *filename,
|
|
||||||
+ struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ k5_set_error(ep, ENOENT, _("plugin loading unavailable"));
|
|
||||||
+ return ENOENT;
|
|
||||||
}
|
|
||||||
+#define open_plugin open_plugin_dummy
|
|
||||||
|
|
||||||
static long
|
|
||||||
-krb5int_get_plugin_sym (struct plugin_file_handle *h,
|
|
||||||
- const char *csymname, int isfunc, void **ptr,
|
|
||||||
- struct errinfo *ep)
|
|
||||||
+get_sym_dummy(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- long err = 0;
|
|
||||||
- void *sym = NULL;
|
|
||||||
+ return ENOENT;
|
|
||||||
+}
|
|
||||||
+#define get_sym get_sym_dummy
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+close_plugin_dummy(struct plugin_file_handle *h)
|
|
||||||
+{
|
|
||||||
+}
|
|
||||||
+#define close_plugin close_plugin_dummy
|
|
||||||
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (!err && !sym && (h->dlhandle != NULL)) {
|
|
||||||
- /* XXX Do we need to add a leading "_" to the symbol name on any
|
|
||||||
- modern platforms? */
|
|
||||||
- sym = dlsym (h->dlhandle, csymname);
|
|
||||||
- if (sym == NULL) {
|
|
||||||
- const char *e = dlerror (); /* XXX copy and save away */
|
|
||||||
- if (e == NULL)
|
|
||||||
- e = "unknown failure";
|
|
||||||
- Tprintf ("dlsym(%s): %s\n", csymname, e);
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, "%s", e);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- LPVOID lpMsgBuf;
|
|
||||||
- DWORD dw;
|
|
||||||
+long KRB5_CALLCONV
|
|
||||||
+krb5int_open_plugin(const char *filename,
|
|
||||||
+ struct plugin_file_handle **handle_out, struct errinfo *ep)
|
|
||||||
+{
|
|
||||||
+ long ret;
|
|
||||||
+ struct plugin_file_handle *h;
|
|
||||||
|
|
||||||
- if (!err && !sym && (h->hinstPlugin != NULL)) {
|
|
||||||
- sym = GetProcAddress(h->hinstPlugin, csymname);
|
|
||||||
- if (sym == NULL) {
|
|
||||||
- const char *e = "unable to get dll symbol"; /* XXX copy and save away */
|
|
||||||
- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
|
||||||
- err = ENOENT; /* XXX */
|
|
||||||
- k5_set_error(ep, err, "%s", e);
|
|
||||||
-
|
|
||||||
- dw = GetLastError();
|
|
||||||
- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
|
||||||
- FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
- NULL,
|
|
||||||
- dw,
|
|
||||||
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
|
||||||
- (LPTSTR) &lpMsgBuf,
|
|
||||||
- 0, NULL )) {
|
|
||||||
-
|
|
||||||
- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf);
|
|
||||||
- LocalFree(lpMsgBuf);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
+ *handle_out = NULL;
|
|
||||||
|
|
||||||
- if (!err && (sym == NULL)) {
|
|
||||||
- err = ENOENT; /* unimplemented */
|
|
||||||
- }
|
|
||||||
+ h = calloc(1, sizeof(*h));
|
|
||||||
+ if (h == NULL)
|
|
||||||
+ return ENOMEM;
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- *ptr = sym;
|
|
||||||
+ ret = open_plugin(h, filename, ep);
|
|
||||||
+ if (ret) {
|
|
||||||
+ free(h);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return err;
|
|
||||||
+ *handle_out = h;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
long KRB5_CALLCONV
|
|
||||||
-krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname,
|
|
||||||
- void **ptr, struct errinfo *ep)
|
|
||||||
+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void **sym_out, struct errinfo *ep)
|
|
||||||
{
|
|
||||||
- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep);
|
|
||||||
+ return get_sym(h, csymname, sym_out, ep);
|
|
||||||
}
|
|
||||||
|
|
||||||
long KRB5_CALLCONV
|
|
||||||
-krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname,
|
|
||||||
- void (**ptr)(), struct errinfo *ep)
|
|
||||||
+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname,
|
|
||||||
+ void (**sym_out)(), struct errinfo *ep)
|
|
||||||
{
|
|
||||||
void *dptr = NULL;
|
|
||||||
- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep);
|
|
||||||
- if (!err) {
|
|
||||||
- /* Cast function pointers to avoid code duplication */
|
|
||||||
- *ptr = (void (*)()) dptr;
|
|
||||||
- }
|
|
||||||
- return err;
|
|
||||||
+ long ret = get_sym(h, csymname, &dptr, ep);
|
|
||||||
+
|
|
||||||
+ if (!ret)
|
|
||||||
+ *sym_out = (void (*)())dptr;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
void KRB5_CALLCONV
|
|
||||||
krb5int_close_plugin (struct plugin_file_handle *h)
|
|
||||||
{
|
|
||||||
-#if USE_DLOPEN
|
|
||||||
- if (h->dlhandle != NULL) { dlclose(h->dlhandle); }
|
|
||||||
-#endif
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); }
|
|
||||||
-#endif
|
|
||||||
- free (h);
|
|
||||||
+ close_plugin(h);
|
|
||||||
+ free(h);
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* autoconf docs suggest using this preference order */
|
|
||||||
-#if HAVE_DIRENT_H || USE_DIRENT_H
|
|
||||||
-#include <dirent.h>
|
|
||||||
-#define NAMELEN(D) strlen((D)->d_name)
|
|
||||||
-#else
|
|
||||||
-#ifndef _WIN32
|
|
||||||
-#define dirent direct
|
|
||||||
-#define NAMELEN(D) ((D)->d->namlen)
|
|
||||||
-#else
|
|
||||||
-#define NAMELEN(D) strlen((D)->d_name)
|
|
||||||
-#endif
|
|
||||||
-#if HAVE_SYS_NDIR_H
|
|
||||||
-# include <sys/ndir.h>
|
|
||||||
-#elif HAVE_SYS_DIR_H
|
|
||||||
-# include <sys/dir.h>
|
|
||||||
-#elif HAVE_NDIR_H
|
|
||||||
-# include <ndir.h>
|
|
||||||
-#endif
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
static long
|
|
||||||
krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray)
|
|
||||||
{
|
|
||||||
@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames,
|
|
||||||
if (handle != NULL) { krb5int_close_plugin (handle); }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- /* load all plugins in each directory */
|
|
||||||
- DIR *dir = opendir (dirnames[i]);
|
|
||||||
+ char **fnames = NULL;
|
|
||||||
+ int j;
|
|
||||||
|
|
||||||
- while (dir != NULL && !err) {
|
|
||||||
- struct dirent *d = NULL;
|
|
||||||
+ err = k5_dir_filenames(dirnames[i], &fnames);
|
|
||||||
+ for (j = 0; !err && fnames[j] != NULL; j++) {
|
|
||||||
char *filepath = NULL;
|
|
||||||
struct plugin_file_handle *handle = NULL;
|
|
||||||
|
|
||||||
- d = readdir (dir);
|
|
||||||
- if (d == NULL) { break; }
|
|
||||||
-
|
|
||||||
- if ((strcmp (d->d_name, ".") == 0) ||
|
|
||||||
- (strcmp (d->d_name, "..") == 0)) {
|
|
||||||
+ if (strcmp(fnames[j], ".") == 0 ||
|
|
||||||
+ strcmp(fnames[j], "..") == 0)
|
|
||||||
continue;
|
|
||||||
- }
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- int len = NAMELEN (d);
|
|
||||||
- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) {
|
|
||||||
- filepath = NULL;
|
|
||||||
- err = ENOMEM;
|
|
||||||
- }
|
|
||||||
+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) {
|
|
||||||
+ filepath = NULL;
|
|
||||||
+ err = ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!err) {
|
|
||||||
- if (krb5int_open_plugin (filepath, &handle, ep) == 0) {
|
|
||||||
- err = krb5int_plugin_file_handle_array_add (&h, &count, handle);
|
|
||||||
- if (!err) { handle = NULL; } /* h takes ownership */
|
|
||||||
- }
|
|
||||||
+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) {
|
|
||||||
+ err = krb5int_plugin_file_handle_array_add(&h, &count,
|
|
||||||
+ handle);
|
|
||||||
+ if (!err)
|
|
||||||
+ handle = NULL; /* h takes ownership */
|
|
||||||
}
|
|
||||||
|
|
||||||
free(filepath);
|
|
||||||
- if (handle != NULL) { krb5int_close_plugin (handle); }
|
|
||||||
+ if (handle != NULL)
|
|
||||||
+ krb5int_close_plugin(handle);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (dir != NULL) { closedir (dir); }
|
|
||||||
+ k5_free_filenames(fnames);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
120
0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
Normal file
120
0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
From 52904f3693397dace4e9ef5db1cd7d14eaa3b1fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
||||||
|
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
||||||
|
|
||||||
|
The inclusion of openssl/fips.h, which provides the declaration of
|
||||||
|
FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this
|
||||||
|
header file has to be included explicitly in krb5 code.
|
||||||
|
---
|
||||||
|
src/lib/crypto/krb/prng.c | 4 +++-
|
||||||
|
src/lib/crypto/openssl/enc_provider/camellia.c | 1 +
|
||||||
|
src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++
|
||||||
|
src/lib/crypto/openssl/hmac.c | 1 +
|
||||||
|
src/lib/krad/internal.h | 4 ++++
|
||||||
|
src/plugins/preauth/spake/spake_client.c | 4 ++++
|
||||||
|
src/plugins/preauth/spake/spake_kdc.c | 4 ++++
|
||||||
|
7 files changed, 21 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||||
|
index 9e80a03d21..ae37c77518 100644
|
||||||
|
--- a/src/lib/crypto/krb/prng.c
|
||||||
|
+++ b/src/lib/crypto/krb/prng.c
|
||||||
|
@@ -28,7 +28,9 @@
|
||||||
|
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+#else
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
|
index d9f327add6..3dd3b0624f 100644
|
||||||
|
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
|
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
#include <openssl/camellia.h>
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#else
|
||||||
|
#include <openssl/modes.h>
|
||||||
|
#endif
|
||||||
|
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
|
index ce63cb5f1b..6a83f10d27 100644
|
||||||
|
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
|
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
|
@@ -38,6 +38,10 @@
|
||||||
|
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* The loopback field is a pointer to the structure. If the application copies
|
||||||
|
* the state (not a valid operation, but one which happens to works with some
|
||||||
|
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||||
|
index f21e268f7f..25a419d73a 100644
|
||||||
|
--- a/src/lib/crypto/openssl/hmac.c
|
||||||
|
+++ b/src/lib/crypto/openssl/hmac.c
|
||||||
|
@@ -59,6 +59,7 @@
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
#include <openssl/params.h>
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#else
|
||||||
|
#include <openssl/hmac.h>
|
||||||
|
#endif
|
||||||
|
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||||
|
index e123763954..a17b6f39b1 100644
|
||||||
|
--- a/src/lib/krad/internal.h
|
||||||
|
+++ b/src/lib/krad/internal.h
|
||||||
|
@@ -41,6 +41,10 @@
|
||||||
|
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifndef UCHAR_MAX
|
||||||
|
#define UCHAR_MAX 255
|
||||||
|
#endif
|
||||||
|
diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
|
||||||
|
index a3ce22b70f..13c699071f 100644
|
||||||
|
--- a/src/plugins/preauth/spake/spake_client.c
|
||||||
|
+++ b/src/plugins/preauth/spake/spake_client.c
|
||||||
|
@@ -40,6 +40,10 @@
|
||||||
|
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
typedef struct reqstate_st {
|
||||||
|
krb5_pa_spake *msg; /* set in prep_questions, used in process */
|
||||||
|
krb5_keyblock *initial_key;
|
||||||
|
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
|
||||||
|
index 232e78bc05..3394f8a58e 100644
|
||||||
|
--- a/src/plugins/preauth/spake/spake_kdc.c
|
||||||
|
+++ b/src/plugins/preauth/spake/spake_kdc.c
|
||||||
|
@@ -43,6 +43,10 @@
|
||||||
|
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||||
|
* concatenated fields (all integer fields are big-endian):
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 75f71ace74449a6e5154314229bfa61960cd326c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Thu, 28 Jul 2022 15:20:12 +0200
|
|
||||||
Subject: [PATCH] Update error checking for OpenSSL CMS_verify
|
|
||||||
|
|
||||||
The code for CMS data verification was initially written for OpenSSL's
|
|
||||||
PKCS7_verify() function. It now uses CMS_verify(), but error handling
|
|
||||||
is still done using PKCS7_verify() error identifiers. Update the
|
|
||||||
recognized error codes so that the KDC generates
|
|
||||||
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
|
|
||||||
Use ERR_peek_last_error() to observe the error generated closest to
|
|
||||||
the API surface.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: edited commit message]
|
|
||||||
|
|
||||||
ticket: 9069 (new)
|
|
||||||
tags: pullup
|
|
||||||
target_version: 1.20-next
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index 1c2aa02827..16edf15cb2 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
goto cleanup;
|
|
||||||
out = BIO_new(BIO_s_mem());
|
|
||||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
|
||||||
- unsigned long err = ERR_peek_error();
|
|
||||||
+ unsigned long err = ERR_peek_last_error();
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
- case PKCS7_R_DIGEST_FAILURE:
|
|
||||||
+ case RSA_R_DIGEST_NOT_ALLOWED:
|
|
||||||
+ case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
|
||||||
+ case CMS_R_NO_MATCHING_DIGEST:
|
|
||||||
+ case CMS_R_NO_MATCHING_SIGNATURE:
|
|
||||||
retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
|
|
||||||
break;
|
|
||||||
- case PKCS7_R_SIGNATURE_FAILURE:
|
|
||||||
+ case CMS_R_VERIFICATION_FAILURE:
|
|
||||||
default:
|
|
||||||
retval = KRB5KDC_ERR_INVALID_SIG;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From fb13766f8fbd78acfcf7a150332a4e5474e4f52a Mon Sep 17 00:00:00 2001
|
From f9429a9944b056376a1ff06e84dbf7e94f0d3108 Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
||||||
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
||||||
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
|
|||||||
## ${prefix}.
|
## ${prefix}.
|
||||||
prefix=@prefix@
|
prefix=@prefix@
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 6aea69170c2064aaea73ad3283b6d7dd0cae47e1 Mon Sep 17 00:00:00 2001
|
From c002d03cce1c82e74a0c76b323c1bf1e619d022e Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
||||||
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
||||||
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
|
|||||||
ret = KRB5_CRYPTO_INTERNAL;
|
ret = KRB5_CRYPTO_INTERNAL;
|
||||||
goto done;
|
goto done;
|
||||||
--
|
--
|
||||||
2.38.1
|
2.41.0
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2022 10:34:52 +0200
|
|
||||||
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
|
|
||||||
PKINIT
|
|
||||||
|
|
||||||
An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
|
|
||||||
CMS_verify is called to verify a SHA-1 signature. If this error is
|
|
||||||
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
|
|
||||||
---
|
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index 16edf15cb2..bfa3fe8e91 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
|
||||||
unsigned long err = ERR_peek_last_error();
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
+ case EVP_R_INVALID_DIGEST:
|
|
||||||
case RSA_R_DIGEST_NOT_ALLOWED:
|
|
||||||
case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
|
||||||
case CMS_R_NO_MATCHING_DIGEST:
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,239 +0,0 @@
|
|||||||
From 6ba011d89f9cf4661eb7110bf810cfdb514b69fa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Mon, 19 Sep 2022 15:18:50 -0400
|
|
||||||
Subject: [PATCH] Add and use ts_interval() helper
|
|
||||||
|
|
||||||
ts_delta() returns a signed result, which cannot hold an interval
|
|
||||||
larger than 2^31-1 seconds. Intervals like this have been seen when
|
|
||||||
admins set password expiration dates more than 68 years in the future.
|
|
||||||
|
|
||||||
Add a second helper ts_interval() which returns a signed result, and
|
|
||||||
has the arguments reversed so that the start time is first. Use it in
|
|
||||||
warn_pw_expiry() to handle the password expiration case, in the GSS
|
|
||||||
krb5 mech where we return an unsigned context or credential lifetime
|
|
||||||
to the caller, and in the KEYRING ccache type where we compute an
|
|
||||||
unsigned keyring timeout.
|
|
||||||
|
|
||||||
ticket: 9071 (new)
|
|
||||||
---
|
|
||||||
src/include/k5-int.h | 9 +++++++++
|
|
||||||
src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++----
|
|
||||||
src/lib/gssapi/krb5/acquire_cred.c | 3 +--
|
|
||||||
src/lib/gssapi/krb5/context_time.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/init_sec_context.c | 4 ++--
|
|
||||||
src/lib/gssapi/krb5/inq_context.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/inq_cred.c | 2 +-
|
|
||||||
src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
|
|
||||||
src/lib/krb5/ccache/cc_keyring.c | 4 ++--
|
|
||||||
src/lib/krb5/krb/get_in_tkt.c | 15 +++++++--------
|
|
||||||
10 files changed, 31 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
|
||||||
index c3aecba7d4..768110e5ef 100644
|
|
||||||
--- a/src/include/k5-int.h
|
|
||||||
+++ b/src/include/k5-int.h
|
|
||||||
@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b)
|
|
||||||
return (krb5_deltat)((uint32_t)a - (uint32_t)b);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */
|
|
||||||
+static inline uint32_t
|
|
||||||
+ts_interval(krb5_timestamp start, krb5_timestamp end)
|
|
||||||
+{
|
|
||||||
+ if ((uint32_t)start > (uint32_t)end)
|
|
||||||
+ return 0;
|
|
||||||
+ return (uint32_t)end - (uint32_t)start;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Increment a timestamp by a signed 32-bit interval, without relying on
|
|
||||||
* undefined behavior. */
|
|
||||||
static inline krb5_timestamp
|
|
||||||
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
index 1bc807172b..7de2c9fd77 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
||||||
@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
|
|
||||||
*mech_type = ctx->mech_used;
|
|
||||||
|
|
||||||
if (time_rec) {
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) +
|
|
||||||
- ctx->k5_context->clockskew;
|
|
||||||
+ *time_rec = ts_interval(now - ctx->k5_context->clockskew,
|
|
||||||
+ ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
|
|
||||||
@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle,
|
|
||||||
|
|
||||||
/* Add the maximum allowable clock skew as a grace period for context
|
|
||||||
* expiration, just as we do for the ticket. */
|
|
||||||
- if (time_rec)
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
|
|
||||||
+ if (time_rec) {
|
|
||||||
+ *time_rec = ts_interval(now - context->clockskew,
|
|
||||||
+ ctx->krb_times.endtime);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (ret_flags)
|
|
||||||
*ret_flags = ctx->gss_flags;
|
|
||||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
index e226a02692..006eba114d 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
|
||||||
@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
|
|
||||||
GSS_C_NO_NAME);
|
|
||||||
if (GSS_ERROR(ret))
|
|
||||||
goto error_out;
|
|
||||||
- *time_rec = ts_after(cred->expire, now) ?
|
|
||||||
- ts_delta(cred->expire, now) : 0;
|
|
||||||
+ *time_rec = ts_interval(now, cred->expire);
|
|
||||||
k5_mutex_unlock(&cred->lock);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
|
|
||||||
index 1fdb5a16f2..5469d8154c 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/context_time.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/context_time.c
|
|
||||||
@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
|
|
||||||
return(GSS_S_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
if (!ctx->initiate)
|
|
||||||
lifetime += ctx->k5_context->clockskew;
|
|
||||||
if (lifetime <= 0) {
|
|
||||||
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
index ea87cf6432..f0f094ccb7 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/init_sec_context.c
|
|
||||||
@@ -664,7 +664,7 @@ kg_new_connection(
|
|
||||||
if (time_rec) {
|
|
||||||
if ((code = krb5_timeofday(context, &now)))
|
|
||||||
goto cleanup;
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set the other returns */
|
|
||||||
@@ -878,7 +878,7 @@ mutual_auth(
|
|
||||||
if (time_rec) {
|
|
||||||
if ((code = krb5_timeofday(context, &now)))
|
|
||||||
goto fail;
|
|
||||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ret_flags)
|
|
||||||
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
index cac024da1f..51c484fdfe 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/inq_context.c
|
|
||||||
@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
|
|
||||||
|
|
||||||
/* Add the maximum allowable clock skew as a grace period for context
|
|
||||||
* expiration, just as we do for the ticket during authentication. */
|
|
||||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
|
||||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
|
||||||
if (!ctx->initiate)
|
|
||||||
lifetime += context->clockskew;
|
|
||||||
if (lifetime < 0)
|
|
||||||
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
index bb63b726c8..0e675959a3 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/inq_cred.c
|
|
||||||
@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cred->expire != 0) {
|
|
||||||
- lifetime = ts_delta(cred->expire, now);
|
|
||||||
+ lifetime = ts_interval(now, cred->expire);
|
|
||||||
if (lifetime < 0)
|
|
||||||
lifetime = 0;
|
|
||||||
}
|
|
||||||
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
index 7dcfe4e1eb..fa7f980af7 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
|
||||||
@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
|
||||||
if (code != 0)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- *time_rec = ts_delta(cred->expire, now);
|
|
||||||
+ *time_rec = ts_interval(now, cred->expire);
|
|
||||||
}
|
|
||||||
|
|
||||||
major_status = GSS_S_COMPLETE;
|
|
||||||
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
index ebef37d607..1dadeef64f 100644
|
|
||||||
--- a/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
+++ b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
|
|
||||||
|
|
||||||
/* Setting the timeout to zero would reset the timeout, so we set it to one
|
|
||||||
* second instead if creds are already expired. */
|
|
||||||
- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
|
|
||||||
+ timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1;
|
|
||||||
(void)keyctl_set_timeout(data->cache_id, timeout);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
|
|
||||||
|
|
||||||
if (ts_after(creds->times.endtime, now)) {
|
|
||||||
(void)keyctl_set_timeout(cred_key,
|
|
||||||
- ts_delta(creds->times.endtime, now));
|
|
||||||
+ ts_interval(now, creds->times.endtime));
|
|
||||||
}
|
|
||||||
|
|
||||||
update_keyring_expiration(context, id);
|
|
||||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
index 8b5ab595e9..1b420a3ac2 100644
|
|
||||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
||||||
@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
void *expire_data;
|
|
||||||
krb5_timestamp pw_exp, acct_exp, now;
|
|
||||||
krb5_boolean is_last_req;
|
|
||||||
- krb5_deltat delta;
|
|
||||||
+ uint32_t interval;
|
|
||||||
char ts[256], banner[1024];
|
|
||||||
|
|
||||||
if (as_reply == NULL || as_reply->enc_part2 == NULL)
|
|
||||||
@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
ret = krb5_timeofday(context, &now);
|
|
||||||
if (ret != 0)
|
|
||||||
return;
|
|
||||||
- if (!is_last_req &&
|
|
||||||
- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
|
|
||||||
+ interval = ts_interval(now, pw_exp);
|
|
||||||
+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60))
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (!prompter)
|
|
||||||
@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
|
||||||
if (ret != 0)
|
|
||||||
return;
|
|
||||||
|
|
||||||
- delta = ts_delta(pw_exp, now);
|
|
||||||
- if (delta < 3600) {
|
|
||||||
+ if (interval < 3600) {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in less than one hour "
|
|
||||||
"on %s"), ts);
|
|
||||||
- } else if (delta < 86400 * 2) {
|
|
||||||
+ } else if (interval < 86400 * 2) {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in %d hour%s on %s"),
|
|
||||||
- delta / 3600, delta < 7200 ? "" : "s", ts);
|
|
||||||
+ interval / 3600, interval < 7200 ? "" : "s", ts);
|
|
||||||
} else {
|
|
||||||
snprintf(banner, sizeof(banner),
|
|
||||||
_("Warning: Your password will expire in %d days on %s"),
|
|
||||||
- delta / 86400, ts);
|
|
||||||
+ interval / 86400, ts);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* PROMPTER_INVOCATION */
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 5ace3ea56c0d507ca3d976d06c0e68aa63c52f26 Mon Sep 17 00:00:00 2001
|
From 83c99246ae9b157e462142daddccca5e18c2f3fd Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
||||||
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
||||||
@ -25,20 +25,19 @@ attribute of the TGT KDB entry.
|
|||||||
doc/appdev/refs/api/index.rst | 1 +
|
doc/appdev/refs/api/index.rst | 1 +
|
||||||
src/include/kdb.h | 1 +
|
src/include/kdb.h | 1 +
|
||||||
src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++
|
src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++
|
||||||
src/kdc/kdc_util.c | 26 ++++++++++++---
|
src/kdc/kdc_util.c | 32 ++++++++++++++----
|
||||||
src/lib/krb5/krb/pac.c | 31 +++++++++++++++---
|
src/lib/krb5/krb/pac.c | 31 +++++++++++++++---
|
||||||
src/lib/krb5/libkrb5.exports | 1 +
|
src/lib/krb5/libkrb5.exports | 1 +
|
||||||
src/lib/krb5_32.def | 1 +
|
|
||||||
src/man/kadmin.man | 6 ++++
|
src/man/kadmin.man | 6 ++++
|
||||||
9 files changed, 105 insertions(+), 8 deletions(-)
|
8 files changed, 108 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
|
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
|
||||||
index cf75e61584..45cce8bb57 100644
|
index 2435b3c361..58ac79549f 100644
|
||||||
--- a/doc/admin/admin_commands/kadmin_local.rst
|
--- a/doc/admin/admin_commands/kadmin_local.rst
|
||||||
+++ b/doc/admin/admin_commands/kadmin_local.rst
|
+++ b/doc/admin/admin_commands/kadmin_local.rst
|
||||||
@@ -671,6 +671,12 @@ KDC:
|
@@ -658,6 +658,12 @@ KDC:
|
||||||
is in the same format as those used by the **pkinit_cert_match**
|
Directory realm when using aes-sha2 keys on the local krbtgt
|
||||||
option in :ref:`krb5.conf(5)`. (New in release 1.16.)
|
entry.
|
||||||
|
|
||||||
+**optional_pac_tkt_chksum**
|
+**optional_pac_tkt_chksum**
|
||||||
+ Boolean value defining the behavior of the KDC in case an expected
|
+ Boolean value defining the behavior of the KDC in case an expected
|
||||||
@ -62,11 +61,11 @@ index d12be47c3c..9b95ebd0f9 100644
|
|||||||
krb5_kt_end_seq_get.rst
|
krb5_kt_end_seq_get.rst
|
||||||
krb5_kt_get_entry.rst
|
krb5_kt_get_entry.rst
|
||||||
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
||||||
index 21bddcfb88..b65c300d8a 100644
|
index 745b24f351..6075349e5e 100644
|
||||||
--- a/src/include/kdb.h
|
--- a/src/include/kdb.h
|
||||||
+++ b/src/include/kdb.h
|
+++ b/src/include/kdb.h
|
||||||
@@ -134,6 +134,7 @@
|
@@ -136,6 +136,7 @@
|
||||||
/* String attribute names recognized by krb5 */
|
#define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype"
|
||||||
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
|
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
|
||||||
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
|
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
|
||||||
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
|
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
|
||||||
@ -74,10 +73,10 @@ index 21bddcfb88..b65c300d8a 100644
|
|||||||
#if !defined(_WIN32)
|
#if !defined(_WIN32)
|
||||||
|
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||||
index 2ba4010514..404719a3a4 100644
|
index 350bcf86f2..17e1b52266 100644
|
||||||
--- a/src/include/krb5/krb5.hin
|
--- a/src/include/krb5/krb5.hin
|
||||||
+++ b/src/include/krb5/krb5.hin
|
+++ b/src/include/krb5/krb5.hin
|
||||||
@@ -8355,6 +8355,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
const krb5_keyblock *server,
|
const krb5_keyblock *server,
|
||||||
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
||||||
|
|
||||||
@ -125,24 +124,28 @@ index 2ba4010514..404719a3a4 100644
|
|||||||
krb5_error_code KRB5_CALLCONV
|
krb5_error_code KRB5_CALLCONV
|
||||||
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||||
index b7a9aa4992..bdf1bf2dc8 100644
|
index fe4e48209a..93415ba862 100644
|
||||||
--- a/src/kdc/kdc_util.c
|
--- a/src/kdc/kdc_util.c
|
||||||
+++ b/src/kdc/kdc_util.c
|
+++ b/src/kdc/kdc_util.c
|
||||||
@@ -535,6 +535,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
@@ -560,16 +560,36 @@ cleanup:
|
||||||
krb5_key_data *kd;
|
static krb5_error_code
|
||||||
krb5_keyblock old_key;
|
try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
krb5_kvno kvno;
|
krb5_db_entry *server, krb5_keyblock *server_key,
|
||||||
|
- const krb5_keyblock *tgt_key, krb5_pac *pac_out)
|
||||||
|
+ krb5_db_entry *tgt, const krb5_keyblock *tgt_key,
|
||||||
|
+ krb5_pac *pac_out)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
+ krb5_boolean optional_tkt_chksum;
|
+ krb5_boolean optional_tkt_chksum;
|
||||||
+ char *str = NULL;
|
+ char *str = NULL;
|
||||||
int tries;
|
krb5_keyblock *privsvr_key;
|
||||||
|
|
||||||
*pac_out = NULL;
|
ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key);
|
||||||
@@ -545,8 +547,23 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
if (ret)
|
||||||
NULL, pac_out);
|
return ret;
|
||||||
}
|
- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key,
|
||||||
|
- privsvr_key, pac_out);
|
||||||
- ret = krb5_kdc_verify_ticket(context, enc_tkt, sprinc, server_key,
|
+
|
||||||
- tgt_key, pac_out);
|
|
||||||
+ /* Check if the absence of ticket signature is tolerated for this realm */
|
+ /* Check if the absence of ticket signature is tolerated for this realm */
|
||||||
+ ret = krb5_dbe_get_string(context, tgt,
|
+ ret = krb5_dbe_get_string(context, tgt,
|
||||||
+ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);
|
+ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);
|
||||||
@ -158,28 +161,37 @@ index b7a9aa4992..bdf1bf2dc8 100644
|
|||||||
+
|
+
|
||||||
+ krb5_dbe_free_string(context, str);
|
+ krb5_dbe_free_string(context, str);
|
||||||
+
|
+
|
||||||
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, sprinc, server_key,
|
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ,
|
||||||
+ tgt_key, optional_tkt_chksum, pac_out);
|
+ server_key, privsvr_key,
|
||||||
|
+ optional_tkt_chksum, pac_out);
|
||||||
|
krb5_free_keyblock(context, privsvr_key);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
server_key, NULL, pac_out);
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key,
|
||||||
|
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key,
|
||||||
|
pac_out);
|
||||||
if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)
|
if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)
|
||||||
return ret;
|
return ret;
|
||||||
|
@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
@@ -559,8 +576,9 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);
|
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
- ret = krb5_kdc_verify_ticket(context, enc_tkt, sprinc, server_key,
|
- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key,
|
||||||
- &old_key, pac_out);
|
- pac_out);
|
||||||
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, sprinc, server_key,
|
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt,
|
||||||
+ &old_key, optional_tkt_chksum,
|
+ &old_key, pac_out);
|
||||||
+ pac_out);
|
|
||||||
krb5_free_keyblock_contents(context, &old_key);
|
krb5_free_keyblock_contents(context, &old_key);
|
||||||
if (!ret)
|
if (!ret)
|
||||||
return 0;
|
return 0;
|
||||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||||
index 954482e0c7..738887b388 100644
|
index 5d1fdf1ba0..0c0e2ada68 100644
|
||||||
--- a/src/lib/krb5/krb/pac.c
|
--- a/src/lib/krb5/krb/pac.c
|
||||||
+++ b/src/lib/krb5/krb/pac.c
|
+++ b/src/lib/krb5/krb/pac.c
|
||||||
@@ -636,6 +636,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
krb5_const_principal server_princ,
|
krb5_const_principal server_princ,
|
||||||
const krb5_keyblock *server,
|
const krb5_keyblock *server,
|
||||||
const krb5_keyblock *privsvr, krb5_pac *pac_out)
|
const krb5_keyblock *privsvr, krb5_pac *pac_out)
|
||||||
@ -199,8 +211,8 @@ index 954482e0c7..738887b388 100644
|
|||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_pac pac = NULL;
|
krb5_pac pac = NULL;
|
||||||
@@ -643,7 +656,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
||||||
uint8_t z = 0;
|
uint8_t z = 0;
|
||||||
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
||||||
- krb5_boolean is_service_tkt;
|
- krb5_boolean is_service_tkt;
|
||||||
@ -208,7 +220,7 @@ index 954482e0c7..738887b388 100644
|
|||||||
size_t i, j;
|
size_t i, j;
|
||||||
|
|
||||||
*pac_out = NULL;
|
*pac_out = NULL;
|
||||||
@@ -706,11 +719,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||||
|
|
||||||
ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,
|
ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,
|
||||||
KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);
|
KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);
|
||||||
@ -245,23 +257,14 @@ index 4c50e935a2..d4b0455c8c 100644
|
|||||||
krb5_kt_add_entry
|
krb5_kt_add_entry
|
||||||
krb5_kt_client_default
|
krb5_kt_client_default
|
||||||
krb5_kt_close
|
krb5_kt_close
|
||||||
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
|
|
||||||
index b1610974b1..6ecd92c1ec 100644
|
|
||||||
--- a/src/lib/krb5_32.def
|
|
||||||
+++ b/src/lib/krb5_32.def
|
|
||||||
@@ -510,3 +510,4 @@ EXPORTS
|
|
||||||
k5_sname_compare @474 ; PRIVATE GSSAPI
|
|
||||||
krb5_kdc_sign_ticket @475 ;
|
|
||||||
krb5_kdc_verify_ticket @476 ;
|
|
||||||
+ krb5_kdc_verify_ticket_ext @477 ;
|
|
||||||
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||||
index 73e1b03cdb..54efd4ebc9 100644
|
index c29638a227..1da1609cc8 100644
|
||||||
--- a/src/man/kadmin.man
|
--- a/src/man/kadmin.man
|
||||||
+++ b/src/man/kadmin.man
|
+++ b/src/man/kadmin.man
|
||||||
@@ -715,6 +715,12 @@ attributes required for the client certificate used by the
|
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
|
||||||
principal during PKINIT authentication. The matching expression
|
"aes256\-sha1" on the cross\-realm krbtgt entry for an Active
|
||||||
is in the same format as those used by the \fBpkinit_cert_match\fP
|
Directory realm when using aes\-sha2 keys on the local krbtgt
|
||||||
option in krb5.conf(5)\&. (New in release 1.16.)
|
entry.
|
||||||
+.TP
|
+.TP
|
||||||
+\fBoptional_pac_tkt_chksum\fP
|
+\fBoptional_pac_tkt_chksum\fP
|
||||||
+Boolean value defining the behavior of the KDC in case an expected ticket
|
+Boolean value defining the behavior of the KDC in case an expected ticket
|
||||||
@ -272,5 +275,5 @@ index 73e1b03cdb..54efd4ebc9 100644
|
|||||||
.sp
|
.sp
|
||||||
This command requires the \fBmodify\fP privilege.
|
This command requires the \fBmodify\fP privilege.
|
||||||
--
|
--
|
||||||
2.40.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 9483b1ec7aa0c82d85ec3aa22bd4f10cb388ecfa Mon Sep 17 00:00:00 2001
|
From fef5896463a50e94d3a68f59f7c78a6e943ac5ad Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Tue, 23 May 2023 12:19:54 +0200
|
Date: Tue, 23 May 2023 12:19:54 +0200
|
||||||
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
||||||
@ -20,10 +20,10 @@ curve cryptography is implemented for PKINIT in MIT krb5.
|
|||||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
index bfa3fe8e91..ca105d2421 100644
|
index f41328763e..263ef7845e 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
@@ -1885,8 +1885,17 @@ cms_signeddata_verify(krb5_context context,
|
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
|
||||||
if (oid == NULL)
|
if (oid == NULL)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
@ -43,5 +43,5 @@ index bfa3fe8e91..ca105d2421 100644
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.40.1
|
2.41.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From cd0aad5a00c66d0a66892f33e9d65946dee9df06 Mon Sep 17 00:00:00 2001
|
From 906d3441b846ed09882490b6128db6fedf39e63b Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Tue, 30 May 2023 01:21:48 -0400
|
Date: Tue, 30 May 2023 01:21:48 -0400
|
||||||
Subject: [PATCH] Enable PKINIT if at least one group is available
|
Subject: [PATCH] Enable PKINIT if at least one group is available
|
||||||
@ -15,7 +15,6 @@ well-known group parameters successfully decodes.
|
|||||||
[ghudson@mit.edu: minor commit message and code edits]
|
[ghudson@mit.edu: minor commit message and code edits]
|
||||||
|
|
||||||
ticket: 9096 (new)
|
ticket: 9096 (new)
|
||||||
(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a)
|
|
||||||
---
|
---
|
||||||
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
|
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
|
||||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
|
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
|
||||||
@ -25,7 +24,7 @@ ticket: 9096 (new)
|
|||||||
5 files changed, 51 insertions(+), 35 deletions(-)
|
5 files changed, 51 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
index 8c4d81bbc1..a9d9b98250 100644
|
index 725d5bc438..ea9ba454df 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context,
|
@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context,
|
||||||
@ -38,7 +37,7 @@ index 8c4d81bbc1..a9d9b98250 100644
|
|||||||
goto errout;
|
goto errout;
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
index 64300da856..a87bae6df7 100644
|
index 9fa315d7a0..8bdbea8e95 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data {
|
@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data {
|
||||||
@ -52,7 +51,7 @@ index 64300da856..a87bae6df7 100644
|
|||||||
|
|
||||||
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
|
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
index ca105d2421..2abc9dbbe1 100644
|
index 263ef7845e..d646073d55 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
@@ -47,7 +47,8 @@
|
@@ -47,7 +47,8 @@
|
||||||
@ -65,7 +64,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
|
static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
|
||||||
|
|
||||||
static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
|
static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
|
||||||
@@ -988,7 +989,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx,
|
@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
@ -75,7 +74,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
{
|
{
|
||||||
krb5_error_code retval = ENOMEM;
|
krb5_error_code retval = ENOMEM;
|
||||||
pkinit_plg_crypto_context ctx = NULL;
|
pkinit_plg_crypto_context ctx = NULL;
|
||||||
@@ -1006,7 +1008,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
||||||
if (retval)
|
if (retval)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@ -84,7 +83,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
if (retval)
|
if (retval)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -1315,30 +1317,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
|
@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
|
||||||
ASN1_OBJECT_free(ctx->id_kp_serverAuth);
|
ASN1_OBJECT_free(ctx->id_kp_serverAuth);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -139,7 +138,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -2961,11 +2969,11 @@ client_create_dh(krb5_context context,
|
@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
|
||||||
|
|
||||||
if (cryptoctx->received_params != NULL)
|
if (cryptoctx->received_params != NULL)
|
||||||
params = cryptoctx->received_params;
|
params = cryptoctx->received_params;
|
||||||
@ -154,7 +153,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
params = plg_cryptoctx->dh_4096;
|
params = plg_cryptoctx->dh_4096;
|
||||||
else
|
else
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@@ -3261,19 +3269,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
||||||
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
|
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
|
||||||
krb5_algorithm_identifier *alglist[4];
|
krb5_algorithm_identifier *alglist[4];
|
||||||
|
|
||||||
@ -187,7 +186,7 @@ index ca105d2421..2abc9dbbe1 100644
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
index 865c543c44..705e1f12ed 100644
|
index 1b3bf6d4d0..768a4e559f 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname,
|
@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname,
|
||||||
@ -214,5 +213,5 @@ index 259e95c6c2..5ee39c085c 100644
|
|||||||
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
||||||
|
|
||||||
--
|
--
|
||||||
2.40.1
|
2.41.0
|
||||||
|
|
48
0015-Fix-double-free-in-KDC-TGS-processing.patch
Normal file
48
0015-Fix-double-free-in-KDC-TGS-processing.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 137e424f7ae7c054e1dcb41c929a961bb021ed8b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Fri, 4 Aug 2023 09:54:06 +0200
|
||||||
|
Subject: [PATCH] Fix double-free in KDC TGS processing
|
||||||
|
|
||||||
|
When issuing a ticket for a TGS renew or validate request, copy only
|
||||||
|
the server field from the outer part of the header ticket to the new
|
||||||
|
ticket. Copying the whole structure causes the enc_part pointer to be
|
||||||
|
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
|
||||||
|
resulting in a double-free if handle_authdata() fails.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
|
||||||
|
than check for aliasing before freeing; rewrote commit message]
|
||||||
|
|
||||||
|
CVE-2023-39975:
|
||||||
|
|
||||||
|
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
|
||||||
|
free the same pointer twice if it can induce a failure in
|
||||||
|
authorization data handling.
|
||||||
|
|
||||||
|
ticket: 9101 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
|
||||||
|
(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)
|
||||||
|
---
|
||||||
|
src/kdc/do_tgs_req.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||||
|
index 6e4c8fa9f3..0acc45850f 100644
|
||||||
|
--- a/src/kdc/do_tgs_req.c
|
||||||
|
+++ b/src/kdc/do_tgs_req.c
|
||||||
|
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
|
||||||
|
- /* Copy the whole header ticket except for authorization data. */
|
||||||
|
- ticket_reply = *t->header_tkt;
|
||||||
|
+ /* Copy the header ticket server and all enc-part fields except for
|
||||||
|
+ * authorization data. */
|
||||||
|
+ ticket_reply.server = t->header_tkt->server;
|
||||||
|
enc_tkt_reply = *t->header_tkt->enc_part2;
|
||||||
|
enc_tkt_reply.authorization_data = NULL;
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,672 +0,0 @@
|
|||||||
From f09300d9a9988215263775ac122b7ea2898d04db Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu, 22 Dec 2022 03:05:23 -0500
|
|
||||||
Subject: [PATCH] Add PAC full checksums
|
|
||||||
|
|
||||||
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
|
|
||||||
over only the server checksum is vulnerable to collision attacks
|
|
||||||
(CVE-2022-37967). In response, Microsoft has added a second KDC
|
|
||||||
checksum over the full contents of the PAC. Generate and verify full
|
|
||||||
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
|
|
||||||
test case to use a ticket issued by a recent version of Active
|
|
||||||
Directory (provided by Stefan Metzmacher).
|
|
||||||
|
|
||||||
ticket: 9084 (new)
|
|
||||||
---
|
|
||||||
doc/appdev/refs/macros/index.rst | 1 +
|
|
||||||
src/include/krb5/krb5.hin | 1 +
|
|
||||||
src/lib/krb5/krb/pac.c | 92 +++++++++--------
|
|
||||||
src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++-----------
|
|
||||||
src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++-------------
|
|
||||||
src/tests/t_authdata.py | 4 +-
|
|
||||||
6 files changed, 240 insertions(+), 175 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
|
||||||
index 5f34dea5e8..3eeee25593 100644
|
|
||||||
--- a/doc/appdev/refs/macros/index.rst
|
|
||||||
+++ b/doc/appdev/refs/macros/index.rst
|
|
||||||
@@ -247,6 +247,7 @@ Public
|
|
||||||
KRB5_PAC_SERVER_CHECKSUM.rst
|
|
||||||
KRB5_PAC_TICKET_CHECKSUM.rst
|
|
||||||
KRB5_PAC_UPN_DNS_INFO.rst
|
|
||||||
+ KRB5_PAC_FULL_CHECKSUM.rst
|
|
||||||
KRB5_PADATA_AFS3_SALT.rst
|
|
||||||
KRB5_PADATA_AP_REQ.rst
|
|
||||||
KRB5_PADATA_AS_CHECKSUM.rst
|
|
||||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
|
||||||
index fb9f2a366c..2ba4010514 100644
|
|
||||||
--- a/src/include/krb5/krb5.hin
|
|
||||||
+++ b/src/include/krb5/krb5.hin
|
|
||||||
@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
|
|
||||||
#define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */
|
|
||||||
#define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */
|
|
||||||
#define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */
|
|
||||||
+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */
|
|
||||||
|
|
||||||
struct krb5_pac_data;
|
|
||||||
/** PAC data structure to convey authorization information */
|
|
||||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
|
||||||
index f6c4373de0..954482e0c7 100644
|
|
||||||
--- a/src/lib/krb5/krb/pac.c
|
|
||||||
+++ b/src/lib/krb5/krb/pac.c
|
|
||||||
@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type,
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
assert(type == KRB5_PAC_SERVER_CHECKSUM ||
|
|
||||||
- type == KRB5_PAC_PRIVSVR_CHECKSUM);
|
|
||||||
+ type == KRB5_PAC_PRIVSVR_CHECKSUM ||
|
|
||||||
+ type == KRB5_PAC_FULL_CHECKSUM);
|
|
||||||
assert(data->length >= pac->data.length);
|
|
||||||
|
|
||||||
for (i = 0; i < pac->pac->cBuffers; i++) {
|
|
||||||
@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type,
|
|
||||||
}
|
|
||||||
|
|
||||||
static krb5_error_code
|
|
||||||
-verify_server_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
- const krb5_keyblock *server)
|
|
||||||
+verify_pac_checksums(krb5_context context, const krb5_pac pac,
|
|
||||||
+ krb5_boolean expect_full_checksum,
|
|
||||||
+ const krb5_keyblock *server, const krb5_keyblock *privsvr)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
- krb5_data copy; /* PAC with zeroed checksums */
|
|
||||||
+ krb5_data copy, server_checksum;
|
|
||||||
|
|
||||||
+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */
|
|
||||||
ret = krb5int_copy_data_contents(context, &pac->data, ©);
|
|
||||||
if (ret)
|
|
||||||
return ret;
|
|
||||||
-
|
|
||||||
- /* Zero out both checksum buffers */
|
|
||||||
ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
|
||||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ if (server != NULL) {
|
|
||||||
+ /* Verify the server checksum over the PAC copy. */
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
-cleanup:
|
|
||||||
- free(copy.data);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
+ if (privsvr != NULL && expect_full_checksum) {
|
|
||||||
+ /* Zero the full checksum buffer in the copy and verify the full
|
|
||||||
+ * checksum over the copy with all three checksums zeroed. */
|
|
||||||
+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
-static krb5_error_code
|
|
||||||
-verify_kdc_checksum(krb5_context context, const krb5_pac pac,
|
|
||||||
- const krb5_keyblock *privsvr)
|
|
||||||
-{
|
|
||||||
- krb5_error_code ret;
|
|
||||||
- krb5_data server_checksum;
|
|
||||||
+ if (privsvr != NULL) {
|
|
||||||
+ /* Verify the privsvr checksum over the server checksum. */
|
|
||||||
+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
+ &server_checksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
|
||||||
+ return KRB5_BAD_MSIZE;
|
|
||||||
+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
- &server_checksum);
|
|
||||||
- if (ret)
|
|
||||||
- return ret;
|
|
||||||
- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
|
||||||
- return KRB5_BAD_MSIZE;
|
|
||||||
- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pac->verified = TRUE;
|
|
||||||
|
|
||||||
- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
|
||||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
|
||||||
+cleanup:
|
|
||||||
+ free(copy.data);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals
|
|
||||||
@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
|
||||||
uint8_t z = 0;
|
|
||||||
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
|
||||||
+ krb5_boolean is_service_tkt;
|
|
||||||
size_t i, j;
|
|
||||||
|
|
||||||
*pac_out = NULL;
|
|
||||||
@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) {
|
|
||||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
|
||||||
+ if (privsvr != NULL && is_service_tkt) {
|
|
||||||
/* To check the PAC ticket signatures, re-encode the ticket with the
|
|
||||||
* PAC contents replaced by a single zero. */
|
|
||||||
orig = ifrel[j];
|
|
||||||
@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL,
|
|
||||||
- server, privsvr, FALSE);
|
|
||||||
+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto cleanup;
|
|
||||||
|
|
||||||
*pac_out = pac;
|
|
||||||
pac = NULL;
|
|
||||||
@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context,
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
|
|
||||||
- if (server != NULL) {
|
|
||||||
- ret = verify_server_checksum(context, pac, server);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (privsvr != NULL) {
|
|
||||||
- ret = verify_kdc_checksum(context, pac, privsvr);
|
|
||||||
+ if (server != NULL || privsvr != NULL) {
|
|
||||||
+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr);
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pac->verified = TRUE;
|
|
||||||
-
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
|
|
||||||
index 0f9581abbb..8ea61ac17b 100644
|
|
||||||
--- a/src/lib/krb5/krb/pac_sign.c
|
|
||||||
+++ b/src/lib/krb5/krb/pac_sign.c
|
|
||||||
@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code KRB5_CALLCONV
|
|
||||||
-krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
- krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
- const krb5_keyblock *privsvr_key, krb5_data *data)
|
|
||||||
+/* Find the buffer of type buftype in pac and write within it a checksum of
|
|
||||||
+ * type cksumtype over data. Set *cksum_out to the checksum. */
|
|
||||||
+static krb5_error_code
|
|
||||||
+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype,
|
|
||||||
+ const krb5_keyblock *key, krb5_cksumtype cksumtype,
|
|
||||||
+ const krb5_data *data, krb5_data *cksum_out)
|
|
||||||
{
|
|
||||||
- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key,
|
|
||||||
- privsvr_key, FALSE, data);
|
|
||||||
+ krb5_error_code ret;
|
|
||||||
+ krb5_data buf;
|
|
||||||
+ krb5_crypto_iov iov[2];
|
|
||||||
+
|
|
||||||
+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH,
|
|
||||||
+ buf.length - PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
+ iov[0].data = *data;
|
|
||||||
+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
+ iov[1].data = *cksum_out;
|
|
||||||
+ return krb5_c_make_checksum_iov(context, cksumtype, key,
|
|
||||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2);
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code KRB5_CALLCONV
|
|
||||||
-krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
- krb5_const_principal principal,
|
|
||||||
- const krb5_keyblock *server_key,
|
|
||||||
- const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
- krb5_data *data)
|
|
||||||
+static krb5_error_code
|
|
||||||
+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
+ krb5_boolean is_service_tkt, krb5_data *data)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
- krb5_data server_cksum, privsvr_cksum;
|
|
||||||
+ krb5_data full_cksum, server_cksum, privsvr_cksum;
|
|
||||||
krb5_cksumtype server_cksumtype, privsvr_cksumtype;
|
|
||||||
- krb5_crypto_iov iov[2];
|
|
||||||
|
|
||||||
data->length = 0;
|
|
||||||
data->data = NULL;
|
|
||||||
@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
if (principal != NULL) {
|
|
||||||
ret = k5_insert_client_info(context, pac, authtime, principal,
|
|
||||||
with_realm);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Create zeroed buffers for both checksums */
|
|
||||||
+ /* Create zeroed buffers for all checksums. */
|
|
||||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
server_key, &server_cksumtype);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
-
|
|
||||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
privsvr_key, &privsvr_cksumtype);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
|
||||||
+ privsvr_key, &privsvr_cksumtype);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- /* Now, encode the PAC header so that the checksums will include it */
|
|
||||||
+ /* Encode the PAC header so that the checksums will include it. */
|
|
||||||
ret = k5_pac_encode_header(context, pac);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
-
|
|
||||||
- /* Generate the server checksum over the entire PAC */
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
- &server_cksum);
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
-
|
|
||||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
- iov[0].data = pac->data;
|
|
||||||
-
|
|
||||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
+ /* Generate a full KDC checksum over the whole PAC. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
|
||||||
+ privsvr_key, privsvr_cksumtype,
|
|
||||||
+ &pac->data, &full_cksum);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ret = krb5_c_make_checksum_iov(context, server_cksumtype,
|
|
||||||
- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
|
||||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
|
||||||
- if (ret != 0)
|
|
||||||
+ /* Generate the server checksum over the whole PAC, including the full KDC
|
|
||||||
+ * checksum if we added one. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
|
||||||
+ server_key, server_cksumtype, &pac->data,
|
|
||||||
+ &server_cksum);
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
- /* Generate the privsvr checksum over the server checksum buffer */
|
|
||||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
+ /* Generate the privsvr checksum over the server checksum buffer. */
|
|
||||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
|
||||||
+ privsvr_key, privsvr_cksumtype, &server_cksum,
|
|
||||||
&privsvr_cksum);
|
|
||||||
- if (ret != 0)
|
|
||||||
- return ret;
|
|
||||||
-
|
|
||||||
- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
|
||||||
-
|
|
||||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
|
||||||
- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
-
|
|
||||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
|
||||||
- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
|
||||||
-
|
|
||||||
- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype,
|
|
||||||
- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
|
||||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
|
||||||
- if (ret != 0)
|
|
||||||
+ if (ret)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
data->data = k5memdup(pac->data.data, pac->data.length, &ret);
|
|
||||||
@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+krb5_error_code KRB5_CALLCONV
|
|
||||||
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_data *data)
|
|
||||||
+{
|
|
||||||
+ return sign_pac(context, pac, authtime, principal, server_key,
|
|
||||||
+ privsvr_key, FALSE, FALSE, data);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+krb5_error_code KRB5_CALLCONV
|
|
||||||
+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
||||||
+ krb5_const_principal principal,
|
|
||||||
+ const krb5_keyblock *server_key,
|
|
||||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
||||||
+ krb5_data *data)
|
|
||||||
+{
|
|
||||||
+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key,
|
|
||||||
+ with_realm, FALSE, data);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be
|
|
||||||
* encoded with a dummy PAC authdata element containing a single zero byte. */
|
|
||||||
static krb5_error_code
|
|
||||||
@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
krb5_error_code ret;
|
|
||||||
krb5_data *der_enc_tkt = NULL, pac_data = empty_data();
|
|
||||||
krb5_authdata **list, *pac_ad;
|
|
||||||
+ krb5_boolean is_service_tkt;
|
|
||||||
size_t count;
|
|
||||||
|
|
||||||
/* Reallocate space for another authdata element in enc_tkt. */
|
|
||||||
@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
memmove(list + 1, list, (count + 1) * sizeof(*list));
|
|
||||||
list[0] = pac_ad;
|
|
||||||
|
|
||||||
- if (k5_pac_should_have_ticket_signature(server_princ)) {
|
|
||||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
|
||||||
+ if (is_service_tkt) {
|
|
||||||
ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime,
|
|
||||||
- client_princ, server, privsvr, with_realm,
|
|
||||||
- &pac_data);
|
|
||||||
+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server,
|
|
||||||
+ privsvr, with_realm, is_service_tkt, &pac_data);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
|
||||||
index 173bde7bab..81f1642ab0 100644
|
|
||||||
--- a/src/lib/krb5/krb/t_pac.c
|
|
||||||
+++ b/src/lib/krb5/krb/t_pac.c
|
|
||||||
@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata,
|
|
||||||
|
|
||||||
static const krb5_keyblock ticket_sig_krbtgt_key = {
|
|
||||||
0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
||||||
- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84"
|
|
||||||
- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7")
|
|
||||||
+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E"
|
|
||||||
+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F")
|
|
||||||
};
|
|
||||||
|
|
||||||
static const krb5_keyblock ticket_sig_server_key = {
|
|
||||||
- 0, ENCTYPE_ARCFOUR_HMAC,
|
|
||||||
- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e")
|
|
||||||
+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
||||||
+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1"
|
|
||||||
+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE")
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing
|
|
||||||
+ * a PAC with a full checksum. */
|
|
||||||
static const krb5_data ticket_data = {
|
|
||||||
- .length = 972, .data =
|
|
||||||
- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B"
|
|
||||||
- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02"
|
|
||||||
- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82"
|
|
||||||
- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C"
|
|
||||||
- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77"
|
|
||||||
- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08"
|
|
||||||
- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F"
|
|
||||||
- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1"
|
|
||||||
- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65"
|
|
||||||
- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC"
|
|
||||||
- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7"
|
|
||||||
- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4"
|
|
||||||
- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5"
|
|
||||||
- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6"
|
|
||||||
- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06"
|
|
||||||
- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02"
|
|
||||||
- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49"
|
|
||||||
- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD"
|
|
||||||
- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE"
|
|
||||||
- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26"
|
|
||||||
- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D"
|
|
||||||
- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29"
|
|
||||||
- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD"
|
|
||||||
- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52"
|
|
||||||
- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28"
|
|
||||||
- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20"
|
|
||||||
- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28"
|
|
||||||
- "\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39"
|
|
||||||
- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB"
|
|
||||||
- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A"
|
|
||||||
- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E"
|
|
||||||
- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86"
|
|
||||||
- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C"
|
|
||||||
- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A"
|
|
||||||
- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF"
|
|
||||||
- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B"
|
|
||||||
- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87"
|
|
||||||
- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E"
|
|
||||||
- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2"
|
|
||||||
- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6"
|
|
||||||
- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC"
|
|
||||||
- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE"
|
|
||||||
- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9"
|
|
||||||
- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77"
|
|
||||||
- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA"
|
|
||||||
- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7"
|
|
||||||
- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB"
|
|
||||||
- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22"
|
|
||||||
- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F"
|
|
||||||
- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39"
|
|
||||||
- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1"
|
|
||||||
- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D"
|
|
||||||
- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3"
|
|
||||||
- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3"
|
|
||||||
- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A"
|
|
||||||
- "\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D"
|
|
||||||
- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB"
|
|
||||||
- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20"
|
|
||||||
- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5"
|
|
||||||
- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B"
|
|
||||||
- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1"
|
|
||||||
+ .length = 1307, .data =
|
|
||||||
+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B"
|
|
||||||
+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A"
|
|
||||||
+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66"
|
|
||||||
+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30"
|
|
||||||
+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82"
|
|
||||||
+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB"
|
|
||||||
+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69"
|
|
||||||
+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5"
|
|
||||||
+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99"
|
|
||||||
+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC"
|
|
||||||
+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9"
|
|
||||||
+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68"
|
|
||||||
+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14"
|
|
||||||
+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA"
|
|
||||||
+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8"
|
|
||||||
+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83"
|
|
||||||
+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E"
|
|
||||||
+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED"
|
|
||||||
+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96"
|
|
||||||
+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32"
|
|
||||||
+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED"
|
|
||||||
+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B"
|
|
||||||
+ "\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA"
|
|
||||||
+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F"
|
|
||||||
+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98"
|
|
||||||
+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05"
|
|
||||||
+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E"
|
|
||||||
+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8"
|
|
||||||
+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7"
|
|
||||||
+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96"
|
|
||||||
+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC"
|
|
||||||
+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11"
|
|
||||||
+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94"
|
|
||||||
+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89"
|
|
||||||
+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7"
|
|
||||||
+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE"
|
|
||||||
+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D"
|
|
||||||
+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29"
|
|
||||||
+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4"
|
|
||||||
+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8"
|
|
||||||
+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55"
|
|
||||||
+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54"
|
|
||||||
+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F"
|
|
||||||
+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1"
|
|
||||||
+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B"
|
|
||||||
+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2"
|
|
||||||
+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22"
|
|
||||||
+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1"
|
|
||||||
+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B"
|
|
||||||
+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE"
|
|
||||||
+ "\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A"
|
|
||||||
+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4"
|
|
||||||
+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B"
|
|
||||||
+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1"
|
|
||||||
+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1"
|
|
||||||
+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95"
|
|
||||||
+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8"
|
|
||||||
+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6"
|
|
||||||
+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56"
|
|
||||||
+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30"
|
|
||||||
+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38"
|
|
||||||
+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15"
|
|
||||||
+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08"
|
|
||||||
+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA"
|
|
||||||
+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65"
|
|
||||||
+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40"
|
|
||||||
+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29"
|
|
||||||
+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E"
|
|
||||||
+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26"
|
|
||||||
+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C"
|
|
||||||
+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01"
|
|
||||||
+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85"
|
|
||||||
+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10"
|
|
||||||
+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70"
|
|
||||||
+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44"
|
|
||||||
+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA"
|
|
||||||
+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24"
|
|
||||||
+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B"
|
|
||||||
+ "\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B"
|
|
||||||
+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A"
|
|
||||||
+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09"
|
|
||||||
+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6"
|
|
||||||
};
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
krb5_ticket *ticket;
|
|
||||||
- krb5_principal sprinc;
|
|
||||||
+ krb5_principal cprinc, sprinc;
|
|
||||||
krb5_authdata **authdata1, **authdata2;
|
|
||||||
krb5_pac pac, pac2, pac3;
|
|
||||||
uint32_t *list;
|
|
||||||
@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while decrypting ticket");
|
|
||||||
|
|
||||||
- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc);
|
|
||||||
+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc);
|
|
||||||
+ if (ret)
|
|
||||||
+ err(context, ret, "krb5_parse_name");
|
|
||||||
+
|
|
||||||
+ ret = krb5_parse_name(context,
|
|
||||||
+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE",
|
|
||||||
+ &sprinc);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "krb5_parse_name");
|
|
||||||
|
|
||||||
@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
|
|
||||||
/* In this test, the server is also the client. */
|
|
||||||
ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime,
|
|
||||||
- ticket->server, NULL, NULL);
|
|
||||||
+ cprinc, NULL, NULL);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while verifying PAC client info");
|
|
||||||
|
|
||||||
@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
ticket->enc_part2->authorization_data = NULL;
|
|
||||||
|
|
||||||
ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc,
|
|
||||||
- sprinc, &ticket_sig_server_key,
|
|
||||||
+ cprinc, &ticket_sig_server_key,
|
|
||||||
&ticket_sig_krbtgt_key, FALSE);
|
|
||||||
if (ret)
|
|
||||||
err(context, ret, "while signing ticket");
|
|
||||||
@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context)
|
|
||||||
krb5_pac_free(context, pac);
|
|
||||||
krb5_pac_free(context, pac2);
|
|
||||||
krb5_pac_free(context, pac3);
|
|
||||||
+ krb5_free_principal(context, cprinc);
|
|
||||||
krb5_free_principal(context, sprinc);
|
|
||||||
krb5_free_ticket(context, ticket);
|
|
||||||
}
|
|
||||||
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
|
||||||
index 47ea9e4b47..e934799268 100644
|
|
||||||
--- a/src/tests/t_authdata.py
|
|
||||||
+++ b/src/tests/t_authdata.py
|
|
||||||
@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf)
|
|
||||||
# container.
|
|
||||||
mark('baseline authdata')
|
|
||||||
out = realm.run(['./adata', realm.host_princ])
|
|
||||||
-if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out:
|
|
||||||
+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out:
|
|
||||||
fail('expected authdata not seen for basic request')
|
|
||||||
|
|
||||||
# Requested authdata is copied into the ticket, with KDC-only types
|
|
||||||
@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
|
|
||||||
if '+97: [indcl]' not in out or '[inds1]' in out:
|
|
||||||
fail('correct auth-indicator not seen for S4U2Proxy req')
|
|
||||||
# Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included.
|
|
||||||
-if '?128: [1, 6, 7, 10, 11, 16]' not in out:
|
|
||||||
+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out:
|
|
||||||
fail('PAC with delegation info not seen for S4U2Proxy req')
|
|
||||||
|
|
||||||
# Get another S4U2Proxy ticket including request-authdata.
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,45 +0,0 @@
|
|||||||
From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Wed, 1 Feb 2023 15:57:26 +0100
|
|
||||||
Subject: [PATCH] Fix possible double-free during KDB creation
|
|
||||||
|
|
||||||
In krb5_dbe_def_encrypt_key_data(), when we free
|
|
||||||
key_data->key_data_contents[0], reset it to null so the caller doesn't
|
|
||||||
free it as well.
|
|
||||||
|
|
||||||
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
|
|
||||||
manifests as a double-free during KDB creation if master key
|
|
||||||
encryption fails.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: edited commit message]
|
|
||||||
|
|
||||||
ticket: 9086 (new)
|
|
||||||
tags: pullup
|
|
||||||
target_version: 1.20-next
|
|
||||||
---
|
|
||||||
src/lib/kdb/encrypt_key.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
|
|
||||||
index dc612c810e..91debea533 100644
|
|
||||||
--- a/src/lib/kdb/encrypt_key.c
|
|
||||||
+++ b/src/lib/kdb/encrypt_key.c
|
|
||||||
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
|
|
||||||
if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
|
|
||||||
&plain, &cipher))) {
|
|
||||||
free(key_data->key_data_contents[0]);
|
|
||||||
+ key_data->key_data_contents[0] = NULL;
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
|
|
||||||
key_data->key_data_contents[1] = malloc(keysalt->data.length);
|
|
||||||
if (key_data->key_data_contents[1] == NULL) {
|
|
||||||
free(key_data->key_data_contents[0]);
|
|
||||||
+ key_data->key_data_contents[0] = NULL;
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
memcpy(key_data->key_data_contents[1], keysalt->data.data,
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 604fce63b468d0efce4438df4ba0286f00bfce8d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 10:03:35 +0100
|
|
||||||
Subject: [PATCH] Fix meridian type in kadmin datetime parser
|
|
||||||
|
|
||||||
The meridian suffix is typed as "Number" in kadmin YACC file for
|
|
||||||
datetime parsing, while it should be using the "Meridian" enumeration
|
|
||||||
one.
|
|
||||||
|
|
||||||
This results in invalid Meridian value on 64-bit IBM zSystems (s390x),
|
|
||||||
causing core dumped errors on most kadmin commands where meridian
|
|
||||||
suffices are used.
|
|
||||||
|
|
||||||
Upstream PR:
|
|
||||||
https://github.com/krb5/krb5/pull/1290
|
|
||||||
---
|
|
||||||
src/kadmin/cli/getdate.y | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
|
|
||||||
index b9dceec1ee..d14cf963c5 100644
|
|
||||||
--- a/src/kadmin/cli/getdate.y
|
|
||||||
+++ b/src/kadmin/cli/getdate.y
|
|
||||||
@@ -181,7 +181,8 @@ static time_t yyRelSeconds;
|
|
||||||
|
|
||||||
%token tAGO tID tDST tNEVER
|
|
||||||
%token <Number> tDAY tDAYZONE tMINUTE_UNIT tMONTH tMONTH_UNIT
|
|
||||||
-%token <Number> tSEC_UNIT tSNUMBER tUNUMBER tZONE tMERIDIAN
|
|
||||||
+%token <Number> tSEC_UNIT tSNUMBER tUNUMBER tZONE
|
|
||||||
+%token <Meridian> tMERIDIAN
|
|
||||||
%type <Meridian> o_merid
|
|
||||||
|
|
||||||
%%
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (krb5-1.20.1.tar.gz) = 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
|
SHA512 (krb5-1.21.1.tar.gz) = 6f04216b0a151d6a9886bf009777bc95a7d3f9bcab30427cc8bbef3357e0130748c1d42b477be0eb2d469d9e0fb65bf5ac5ff05c22d6e1046795e161fe6afbcc
|
||||||
SHA512 (krb5-1.20.1.tar.gz.asc) = 1d3312bd67581e07adfdadf2c5fe394179631d8add8bd075efefe982a0de22369004e60a14422d426382c8c591e4181b9897088afe9d4e86f0b5a97e5954c67a
|
SHA512 (krb5-1.21.1.tar.gz.asc) = 65b8529d84c9f43a81a4b3a00338a042957c45c36c8f58d8c1d846f70b1b3903c7b04063d7979f918b79db43d02084b5ef0732bc41d1b860c46497573f3b59a6
|
||||||
|
Loading…
Reference in New Issue
Block a user