Backport getrandom() support and remove patch numbering

Robbie Harwood 2016-09-22 19:36:45 +00:00
parent 14f028579d
commit 32ef372877
24 changed files with 419 additions and 28 deletions


@ -1,7 +1,7 @@
From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Mar 2016 18:53:31 +0100
Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks
Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override


@ -0,0 +1,100 @@
From 5d38da6d4eb29bf87e98a5cb4577b870dbf405ed Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 16:12:57 -0400
Subject: [PATCH] Add OS prng intended for use with getrandom()
Add the prng_os.c module, using the name previously occupied by what
is now prng_device.c. Unlike prng_device.c, this PRNG module
maintains no file descriptor and just uses k5_os_random(), which is
most efficient on platforms which have a getrandom() system call.
[ghudson@mit.edu: expanded on commit message]
ticket: 8499
(cherry picked from commit 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa)
---
src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 src/lib/crypto/krb/prng_os.c
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
new file mode 100644
index 0000000..8ea13e7
--- /dev/null
+++ b/src/lib/crypto/krb/prng_os.c
@@ -0,0 +1,72 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/krb/prng_os.c - OS PRNG implementation */
+/*
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a PRNG module which relies on the system's PRNG. An
+ * OS packager can select this module given sufficient confidence in the
+ * operating system's native PRNG quality.
+ */
+
+#include "crypto_int.h"
+
+int
+k5_prng_init(void)
+{
+ return 0;
+}
+
+void
+k5_prng_cleanup(void)
+{
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+ const krb5_data *indata)
+{
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
+{
+ krb5_boolean res;
+
+ res = k5_get_os_entropy((uint8_t *)outdata->data, outdata->length, 0);
+ return res ? 0 : KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ return 0;
+}
--
2.9.3
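Review bot: The krb5_c_random_os_entropy() stub at the end of the new prng_os.c returns 0 without ever writing `*success`, so a caller that passes a non-NULL pointer and then reads it gets an indeterminate value, whereas the fortuna implementation in this same series assigns it on every path. The stub should assign the out-parameter, e.g. `if (success != NULL) *success = 1;` if drawing from the OS pool is to count as success, or `*success = 0;` to report that no entropy was contributed — either way it must be written. The same unassigned out-parameter appears in the prng_os.c hunk of the "Don't feed OS RNG output into the OS RNG" patch (the file that is later renamed prng_device.c). Separately, the patch description says the module "just uses k5_os_random()" while the code calls k5_get_os_entropy(); a one-line comment above krb5_c_random_make_octets() such as `/* No local state: every octet comes straight from k5_get_os_entropy(); a failure there is reported as KRB5_CRYPTO_INTERNAL. */` would keep the two from drifting further.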


@ -0,0 +1,62 @@
From 3a8bf57bd3008b2f5338bbd8ba1db5e9e2622c92 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 16:10:34 -0400
Subject: [PATCH] Add getrandom to k5_get_os_entropy() using syscall
ticket: 8499
(cherry picked from commit a9a48392c088b53d8dd86b8008b4059ab78a3679)
---
src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index 9ad24c1..22948a4 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -58,6 +58,9 @@ k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
+#ifdef __linux__
+#include <sys/syscall.h>
+#endif /* __linux__ */
/* Open device, ensure that it is not a regular file, and read entropy. Return
* true on success, false on failure. */
@@ -96,6 +99,33 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
+#if defined(__linux__) && defined(SYS_getrandom)
+ int r;
+
+ while (len > 0) {
+ /*
+ * Pull from the /dev/urandom pool, but it to have been seeded. This
+ * ensures strong randomness while only blocking during first system
+ * boot.
+ *
+ * glibc does not currently provide a binding for getrandom:
+ * https://sourceware.org/bugzilla/show_bug.cgi?id=17252
+ */
+ errno = 0;
+ r = syscall(SYS_getrandom, buf, len, 0);
+ if (r <= 0) {
+ if (errno == EINTR)
+ continue;
+
+ /* ENOSYS or other unrecoverable failure */
+ break;
+ }
+ len -= r;
+ buf += r;
+ }
+ if (len == 0)
+ return TRUE;
+#endif /* defined(__linux__) && defined(SYS_getrandom) */
device = strong ? "/dev/random" : "/dev/urandom";
return read_entropy_from_device(device, buf, len);
--
2.9.3
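Review bot: The block comment inside the new getrandom loop is garbled (`Pull from the /dev/urandom pool, but it to have been seeded`) and does not say that `strong` is deliberately not consulted on this path — the flags argument is always 0, so a strong request is satisfied from the seeded urandom pool and only the device fallback below distinguishes /dev/random from /dev/urandom. Suggest rewording it to `Pull from the /dev/urandom pool, but require it to have been seeded (flags 0). Used for both strong and non-strong requests: it blocks only until the pool is initialised at first boot.` so the next maintainer does not "fix" it by adding a flag. Minor: `r` is an `int` receiving the `long` returned by syscall(); harmless given getrandom's bounded return, but `long r;` would match the prototype. The loop also relies on errno being in scope — presumably via crypto_int.h, worth confirming — and k5_get_os_entropy()'s closing brace lies outside the hunk.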


@ -1,7 +1,7 @@
From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001
From 4514bc6f0b32471d1a9081ee3677d41eb373d3ff Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Sep 2016 18:33:43 +0200
Subject: [PATCH 19/19] Add krb5_db_register_keytab()
Subject: [PATCH] Add krb5_db_register_keytab()
Add a public libkdb5 function to register the KDB keytab type. This
functionality is needed for out-of-tree KDC servers such as the Samba


@ -1,7 +1,7 @@
From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001
From db601cd51030a1e48f38078dd706e95db069ead7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 Mar 2016 17:59:07 +0100
Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks
Subject: [PATCH] Add tests for send and receive sendto_kdc hooks
[ghudson@mit.edu: style changes]
@ -10,13 +10,13 @@ ticket: 8386
Conflicts:
src/tests/Makefile.in
[rharwood@redhat.com: fix cherry-pick merge conflicts]
[rharwood@redhat.com: locally remove gitignore]
[rharwood@redhat.com: delete .gitignore]
---
src/tests/Makefile.in | 12 ++-
src/tests/deps | 10 ++
src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
src/tests/t_hooks.py | 9 ++
5 files changed, 281 insertions(+), 4 deletions(-)
4 files changed, 280 insertions(+), 4 deletions(-)
create mode 100644 src/tests/hooks.c
create mode 100755 src/tests/t_hooks.py


@ -1,7 +1,7 @@
From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001
From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Aug 2016 18:03:55 +0200
Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth
Subject: [PATCH] Change KDC error for encrypted timestamp preauth
When encrypted timestamp pre-authentication fails, respond with error
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for


@ -1,7 +1,7 @@
From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:58:44 -0400
Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640
Subject: [PATCH] Create KDC and kadmind log files with mode 0640
In krb5_klog_init(), use open() and fdopen() to open log files so that
we can specify a mode. Specify a mode which doesn't include the


@ -0,0 +1,187 @@
From dd0c141bfc858caa8470271205220a968db7ab51 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 12 Sep 2016 12:25:05 -0400
Subject: [PATCH] Don't feed OS RNG output into the OS RNG
krb5_c_random_os_entropy() now must be provided by PRNG modules.
ticket: 8499
(cherry picked from commit 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f)
---
src/lib/crypto/krb/crypto_int.h | 3 +-
src/lib/crypto/krb/prng.c | 60 +++++----------------------------------
src/lib/crypto/krb/prng_fortuna.c | 26 ++++++++++++++++-
src/lib/crypto/krb/prng_os.c | 6 ++++
4 files changed, 40 insertions(+), 55 deletions(-)
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index c054144..a205e3f 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -508,6 +508,7 @@ void krb5int_crypto_impl_cleanup(void);
* PRNG modules must implement the following APIs from krb5.h:
* krb5_c_random_add_entropy
* krb5_c_random_make_octets
+ * krb5_c_random_os_entropy
*
* PRNG modules should implement these functions. They are called from the
* crypto library init and cleanup functions, and can be used to setup and tear
@@ -517,7 +518,7 @@ int k5_prng_init(void);
void k5_prng_cleanup(void);
/* Used by PRNG modules to gather OS entropy. Returns true on success. */
-krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len);
+krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len, int strong);
/*** Inline helper functions ***/
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index e478b19..9ad24c1 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -36,11 +36,13 @@ krb5_c_random_seed(krb5_context context, krb5_data *data)
#if defined(_WIN32)
krb5_boolean
-k5_get_os_entropy(unsigned char *buf, size_t len)
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
krb5_boolean result;
HCRYPTPROV provider;
+ /* CryptGenRandom is always considered strong. */
+
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
return FALSE;
@@ -49,22 +51,6 @@ k5_get_os_entropy(unsigned char *buf, size_t len)
return result;
}
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-{
- int oursuccess = 0;
- char buf[1024];
- krb5_data data = make_data(buf, sizeof(buf));
-
- if (k5_get_os_entropy(buf, sizeof(buf)) &&
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
- &data) == 0)
- oursuccess = 1;
- if (success != NULL)
- *success = oursuccess;
- return 0;
-}
-
#else /* not Windows */
#ifdef HAVE_UNISTD_H
#include <unistd.h>
@@ -107,44 +93,12 @@ cleanup:
}
krb5_boolean
-k5_get_os_entropy(unsigned char *buf, size_t len)
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
- return read_entropy_from_device("/dev/urandom", buf, len);
-}
+ const char *device;
-/* Read entropy from device and contribute it to the PRNG. Returns true on
- * success. */
-static krb5_boolean
-add_entropy_from_device(krb5_context context, const char *device)
-{
- krb5_data data;
- unsigned char buf[64];
-
- if (!read_entropy_from_device(device, buf, sizeof(buf)))
- return FALSE;
- data = make_data(buf, sizeof(buf));
- return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
- &data) == 0);
-}
-
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-{
- int unused;
- int *oursuccess = (success != NULL) ? success : &unused;
-
- *oursuccess = 0;
- /* If we are getting strong data then try that first. We are
- guaranteed to cause a reseed of some kind if strong is true and
- we have both /dev/random and /dev/urandom. We want the strong
- data included in the reseed so we get it first.*/
- if (strong) {
- if (add_entropy_from_device(context, "/dev/random"))
- *oursuccess = 1;
- }
- if (add_entropy_from_device(context, "/dev/urandom"))
- *oursuccess = 1;
- return 0;
+ device = strong ? "/dev/random" : "/dev/urandom";
+ return read_entropy_from_device(device, buf, len);
}
#endif /* not Windows */
diff --git a/src/lib/crypto/krb/prng_fortuna.c b/src/lib/crypto/krb/prng_fortuna.c
index e70ffa3..017a119 100644
--- a/src/lib/crypto/krb/prng_fortuna.c
+++ b/src/lib/crypto/krb/prng_fortuna.c
@@ -366,7 +366,7 @@ k5_prng_init(void)
#else
last_pid = getpid();
#endif
- if (k5_get_os_entropy(osbuf, sizeof(osbuf))) {
+ if (k5_get_os_entropy(osbuf, sizeof(osbuf), 0)) {
generator_reseed(&main_state, osbuf, sizeof(osbuf));
have_entropy = TRUE;
}
@@ -443,4 +443,28 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ uint8_t buf[64];
+ int status = 0;
+
+ if (!k5_get_os_entropy(buf, sizeof(buf), strong))
+ goto done;
+
+ data = make_data(buf, sizeof(buf));
+ ret = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data);
+ if (ret)
+ goto done;
+
+ status = 1;
+
+done:
+ if (success != NULL)
+ *success = status;
+ return 0;
+}
+
#endif /* not TEST */
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
index 730ed2e..ecfe351 100644
--- a/src/lib/crypto/krb/prng_os.c
+++ b/src/lib/crypto/krb/prng_os.c
@@ -91,3 +91,9 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
}
return 0;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ return 0;
+}
--
2.9.3
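Review bot: In the new krb5_c_random_os_entropy() added to prng_fortuna.c, `buf` holds 64 bytes of raw OS entropy that have been mixed into the generator via krb5_c_random_add_entropy(), but the array is left intact on the stack when the function returns; the removed add_entropy_from_device() had the same gap, and since the series is already rewriting this function it is the cheapest place to close it. Suggest clearing the buffer on the way out, i.e. after `done:` add `zap(buf, sizeof(buf));` if the tree's zap() helper is in scope in this file, otherwise an equivalent that the compiler cannot elide. Note also that `ret` is only ever tested, never returned — the function always reports 0 and signals failure through `*success` alone — so a one-line comment above the function stating that contract, e.g. `/* Always returns 0; the outcome is reported through *success. */`, would prevent callers from expecting an error code.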


@ -1,7 +1,7 @@
From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH 12/19] Fix impersonate_name to work with interposers
Subject: [PATCH] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were


@ -1,7 +1,7 @@
From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:28:43 -0400
Subject: [PATCH 17/19] Improve bad password inference in kinit
Subject: [PATCH] Improve bad password inference in kinit
kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be


@ -0,0 +1,29 @@
From 8ca87ac2ab358d9fa6756636a6c5280858a72e3b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 12:53:10 -0400
Subject: [PATCH] Rename prng_os.c to prng_device.c
ticket: 8499
(cherry picked from commit 5e54525fbe40d56f44368e216c92938403cad96d)
---
src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename src/lib/crypto/krb/{prng_os.c => prng_device.c} (97%)
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_device.c
similarity index 97%
rename from src/lib/crypto/krb/prng_os.c
rename to src/lib/crypto/krb/prng_device.c
index ecfe351..bef5b37 100644
--- a/src/lib/crypto/krb/prng_os.c
+++ b/src/lib/crypto/krb/prng_device.c
@@ -1,5 +1,5 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/prng_os.c - OS-native PRNG implementation */
+/* lib/crypto/krb/prng_device.c - OS device-based PRNG implementation */
/*
* Copyright (C) 2011 by the Massachusetts Institute of Technology.
* All rights reserved.
--
2.9.3


@ -1,7 +1,7 @@
From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001
From 59ffbc2016ae2e164a0da7bacc5449bd9898337c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:23:31 -0400
Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt
Subject: [PATCH] Set prompt type for OTP preauth prompt
Add k5_set_prompt_type() calls around the prompter invocation in
preauth_otp.c, and add the comment we conventionally put before


@ -1,7 +1,7 @@
From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
---
src/kadmin/testing/proto/krb5.conf.proto | 1 +


@ -1,7 +1,7 @@
From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch
Subject: [PATCH] krb5-1.11-run_user_0.patch
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create


@ -1,7 +1,7 @@
From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH 07/19] krb5-1.12-api.patch
Subject: [PATCH] krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from


@ -1,7 +1,7 @@
From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH 05/19] krb5-1.12-buildconf.patch
Subject: [PATCH] krb5-1.12-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out


@ -1,7 +1,7 @@
From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch
Subject: [PATCH] krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
---


@ -1,7 +1,7 @@
From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH 04/19] krb5-1.12-ktany.patch
Subject: [PATCH] krb5-1.12-ktany.patch
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents


@ -1,7 +1,7 @@
From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH 01/19] krb5-1.12.1-pam.patch
Subject: [PATCH] krb5-1.12.1-pam.patch
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default


@ -1,7 +1,7 @@
From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.


@ -1,7 +1,7 @@
From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch
Subject: [PATCH] krb5-1.13-selinux-label.patch
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.


@ -1,7 +1,7 @@
From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH 06/19] krb5-1.3.1-dns.patch
Subject: [PATCH] krb5-1.3.1-dns.patch
We want to be able to use --with-netlib and --enable-dns at the same time.
---


@ -1,7 +1,7 @@
From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch
Subject: [PATCH] krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that


@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14.4
Release: 1%{?dist}
Release: 2%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -64,6 +64,10 @@ Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
Patch17: Improve-bad-password-inference-in-kinit.patch
Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
Patch19: Add-krb5_db_register_keytab.patch
Patch20: Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
Patch21: Rename-prng_os.c-to-prng_device.c.patch
Patch22: Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
Patch23: Add-OS-prng-intended-for-use-with-getrandom.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -265,6 +269,10 @@ ln NOTICE LICENSE
%patch17 -p1 -b .Improve-bad-password-inference-in-kinit
%patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth
%patch19 -p1 -b .Add-krb5_db_register_keytab
%patch20 -p1 -b .Don-t-feed-OS-RNG-output-into-the-OS-RNG
%patch21 -p1 -b .Rename-prng_os.c-to-prng_device.c
%patch22 -p1 -b .Add-getrandom-to-k5_get_os_entropy-using-syscall
%patch23 -p1 -b .Add-OS-prng-intended-for-use-with-getrandom
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -341,7 +349,8 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
--with-tls-impl=openssl \
--with-system-verto \
--with-pam \
--with-selinux
--with-selinux \
--with-prng-alg=os
# Now build it.
make
popd
@ -734,6 +743,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu Sep 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-2
- Backport getrandom() support
- Remove patch numbering
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-1
- New upstream release
- Update names and numbers to match external git
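Review bot: The new `--with-prng-alg=os` line on the configure invocation changes what backs every libkrb5 random request, yet nothing in the spec records that it only makes sense with Patch22 and Patch23 applied (the getrandom backport and the prng_os.c module) or what happens when SYS_getrandom is not defined at build time — the backported k5_get_os_entropy() is compiled without the syscall path and, since this module caches no descriptor, opens /dev/urandom on every request. Suggest a comment directly above the flag: `# prng-alg=os: draw from kernel getrandom() (Patch22/Patch23); if SYS_getrandom is absent at build time it falls back to opening /dev/urandom per request`. The configure invocation begins before the hunk.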