New upstream beta release - 1.18-beta1

This commit is contained in:
Robbie Harwood 2020-01-10 21:31:31 +00:00
parent 84aac1fa6d
commit 7f642b1512
82 changed files with 132 additions and 32167 deletions

.gitignore vendored

@ -177,3 +177,5 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.17.tar.gz.asc
/krb5-1.17.1.tar.gz
/krb5-1.17.1.tar.gz.asc
/krb5-1.18-beta1.tar.gz
/krb5-1.18-beta1.tar.gz.asc


@ -1,409 +0,0 @@
From b952b5ac5301ed9f4ae49300e90631ae0562b012 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 4 Dec 2018 15:22:55 -0500
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
Turn dns_canonicalize_hostname into a tristate variable, allowing the
value "fallback" as well as the true/false booleans. If it is set to
fallback, delay DNS canonicalization and attempt it only in
krb5_get_credentials() if the KDC responds that the requested server
principal name is unknown.
[ghudson@mit.edu: added TGS tests; refactored code; edited commit
message and documentation]
ticket: 8765 (new)
(cherry picked from commit 6c20cb1c89acaa03db897182a3b28d5f8f284907)
---
doc/admin/conf_files/krb5_conf.rst | 4 ++
src/include/k5-int.h | 8 ++-
src/include/k5-trace.h | 3 ++
src/lib/krb5/krb/get_creds.c | 79 ++++++++++++++++++++++++++----
src/lib/krb5/krb/init_ctx.c | 27 +++++++++-
src/lib/krb5/krb/t_copy_context.c | 2 +-
src/lib/krb5/os/os-proto.h | 4 ++
src/lib/krb5/os/sn2princ.c | 19 +++++--
src/tests/gcred.c | 5 +-
src/tests/t_sn2princ.py | 34 ++++++++++++-
10 files changed, 167 insertions(+), 18 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 4adb084a6..d1e1a222d 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -195,6 +195,10 @@ The libdefaults section may contain any of the following relations:
means that short hostnames will not be canonicalized to
fully-qualified hostnames. The default value is true.
+ If this option is set to ``fallback`` (new in release 1.18), DNS
+ canonicalization will only be performed the server hostname is not
+ found with the original name when requesting credentials.
+
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 255cee822..1e6a739e9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1159,6 +1159,12 @@ k5_plugin_register_dyn(krb5_context context, int interface_id,
void
k5_plugin_free_context(krb5_context context);
+enum dns_canonhost {
+ CANONHOST_FALSE = 0,
+ CANONHOST_TRUE = 1,
+ CANONHOST_FALLBACK = 2
+};
+
struct _kdb5_dal_handle; /* private, in kdb5.h */
typedef struct _kdb5_dal_handle kdb5_dal_handle;
struct _kdb_log_context;
@@ -1222,7 +1228,7 @@ struct _krb5_context {
krb5_boolean allow_weak_crypto;
krb5_boolean ignore_acceptor_hostname;
- krb5_boolean dns_canonicalize_hostname;
+ enum dns_canonhost dns_canonicalize_hostname;
krb5_trace_callback trace_callback;
void *trace_callback_data;
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 2aa379b76..f3ed6a45d 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -191,6 +191,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
#define TRACE_FAST_REQUIRED(c) \
TRACE(c, "Using FAST due to KRB5_FAST_REQUIRED flag")
+#define TRACE_GET_CREDS_FALLBACK(c, hostname) \
+ TRACE(c, "Falling back to canonicalized server hostname {str}", hostname)
+
#define TRACE_GIC_PWD_CHANGED(c) \
TRACE(c, "Getting initial TGT with changed password")
#define TRACE_GIC_PWD_CHANGEPW(c, tries) \
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 69900adfa..0a04d68b9 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -39,6 +39,7 @@
#include "k5-int.h"
#include "int-proto.h"
+#include "os-proto.h"
#include "fast.h"
/*
@@ -1249,6 +1250,26 @@ krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx,
return EINVAL;
}
+static krb5_error_code
+try_get_creds(krb5_context context, krb5_flags options, krb5_ccache ccache,
+ krb5_creds *in_creds, krb5_creds *creds_out)
+{
+ krb5_error_code code;
+ krb5_tkt_creds_context ctx = NULL;
+
+ code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx);
+ if (code)
+ goto cleanup;
+ code = krb5_tkt_creds_get(context, ctx);
+ if (code)
+ goto cleanup;
+ code = krb5_tkt_creds_get_creds(context, ctx, creds_out);
+
+cleanup:
+ krb5_tkt_creds_free(context, ctx);
+ return code;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_credentials(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
@@ -1256,7 +1277,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
{
krb5_error_code code;
krb5_creds *ncreds = NULL;
- krb5_tkt_creds_context ctx = NULL;
+ krb5_creds canon_creds, store_creds;
+ krb5_principal_data canon_server;
+ krb5_data canon_components[2];
+ char *hostname = NULL, *canon_hostname = NULL;
*out_creds = NULL;
@@ -1265,22 +1289,59 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
if (ncreds == NULL)
goto cleanup;
- /* Make and execute a krb5_tkt_creds context to get the credential. */
- code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx);
- if (code != 0)
+ code = try_get_creds(context, options, ccache, in_creds, ncreds);
+ if (!code) {
+ *out_creds = ncreds;
+ return 0;
+ }
+
+ /* Possibly try again with the canonicalized hostname, if the server is
+ * host-based and we are configured for fallback canonicalization. */
+ if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
goto cleanup;
- code = krb5_tkt_creds_get(context, ctx);
- if (code != 0)
+ if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK)
goto cleanup;
- code = krb5_tkt_creds_get_creds(context, ctx, ncreds);
- if (code != 0)
+ if (in_creds->server->type != KRB5_NT_SRV_HST ||
+ in_creds->server->length != 2)
goto cleanup;
+ hostname = k5memdup0(in_creds->server->data[1].data,
+ in_creds->server->data[1].length, &code);
+ if (hostname == NULL)
+ goto cleanup;
+ code = k5_expand_hostname(context, hostname, TRUE, &canon_hostname);
+ if (code)
+ goto cleanup;
+
+ TRACE_GET_CREDS_FALLBACK(context, canon_hostname);
+
+ /* Make shallow copies of in_creds and its server to alter the hostname. */
+ canon_components[0] = in_creds->server->data[0];
+ canon_components[1] = string2data(canon_hostname);
+ canon_server = *in_creds->server;
+ canon_server.data = canon_components;
+ canon_creds = *in_creds;
+ canon_creds.server = &canon_server;
+
+ code = try_get_creds(context, options | KRB5_GC_NO_STORE, ccache,
+ &canon_creds, ncreds);
+ if (code)
+ goto cleanup;
+
+ if (!(options & KRB5_GC_NO_STORE)) {
+ /* Store the creds under the originally requested server name. The
+ * ccache layer will also store them under the ticket server name. */
+ store_creds = *ncreds;
+ store_creds.server = in_creds->server;
+ (void)krb5_cc_store_cred(context, ccache, &store_creds);
+ }
+
*out_creds = ncreds;
ncreds = NULL;
cleanup:
+ free(hostname);
+ free(canon_hostname);
krb5_free_creds(context, ncreds);
- krb5_tkt_creds_free(context, ctx);
return code;
}
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 947e50400..d263d5cc5 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -101,6 +101,30 @@ get_boolean(krb5_context ctx, const char *name, int def_val, int *boolean_out)
return retval;
}
+static krb5_error_code
+get_tristate(krb5_context ctx, const char *name, const char *third_option,
+ int third_option_val, int def_val, int *val_out)
+{
+ krb5_error_code retval;
+ char *str;
+ int match;
+
+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, name,
+ NULL, def_val, val_out);
+ if (retval != PROF_BAD_BOOLEAN)
+ return retval;
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, name,
+ NULL, NULL, &str);
+ if (retval)
+ return retval;
+ match = (strcasecmp(third_option, str) == 0);
+ free(str);
+ if (!match)
+ return EINVAL;
+ *val_out = third_option_val;
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context)
{
@@ -213,7 +237,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
goto cleanup;
ctx->ignore_acceptor_hostname = tmp;
- retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+ retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
+ CANONHOST_FALLBACK, 1, &tmp);
if (retval)
goto cleanup;
ctx->dns_canonicalize_hostname = tmp;
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index fa810be8a..a6e48cd25 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -145,7 +145,7 @@ main(int argc, char **argv)
ctx->udp_pref_limit = 2345;
ctx->use_conf_ktypes = TRUE;
ctx->ignore_acceptor_hostname = TRUE;
- ctx->dns_canonicalize_hostname = FALSE;
+ ctx->dns_canonicalize_hostname = CANONHOST_FALSE;
free(ctx->plugin_base_dir);
check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index 634e82d70..066d30221 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -83,6 +83,10 @@ struct sendto_callback_info {
void *data;
};
+krb5_error_code k5_expand_hostname(krb5_context context, const char *host,
+ krb5_boolean is_fallback,
+ char **canonhost_out);
+
krb5_error_code k5_locate_server(krb5_context, const krb5_data *realm,
struct serverlist *serverlist,
enum locate_service_type svc,
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index 5932fd9b3..98d2600aa 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -53,19 +53,23 @@ use_reverse_dns(krb5_context context)
return value;
}
-krb5_error_code KRB5_CALLCONV
-krb5_expand_hostname(krb5_context context, const char *host,
- char **canonhost_out)
+krb5_error_code
+k5_expand_hostname(krb5_context context, const char *host,
+ krb5_boolean is_fallback, char **canonhost_out)
{
struct addrinfo *ai = NULL, hint;
char namebuf[NI_MAXHOST], *copy, *p;
int err;
const char *canonhost;
+ krb5_boolean use_dns;
*canonhost_out = NULL;
canonhost = host;
- if (context->dns_canonicalize_hostname) {
+ use_dns = (context->dns_canonicalize_hostname == CANONHOST_TRUE ||
+ (is_fallback &&
+ context->dns_canonicalize_hostname == CANONHOST_FALLBACK));
+ if (use_dns) {
/* Try a forward lookup of the hostname. */
memset(&hint, 0, sizeof(hint));
hint.ai_flags = AI_CANONNAME;
@@ -112,6 +116,13 @@ cleanup:
return (*canonhost_out == NULL) ? ENOMEM : 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_expand_hostname(krb5_context context, const char *host,
+ char **canonhost_out)
+{
+ return k5_expand_hostname(context, host, FALSE, canonhost_out);
+}
+
/* If hostname appears to have a :port or :instance trailer (used in MSSQLSvc
* principals), return a pointer to the separator. Otherwise return NULL. */
static const char *
diff --git a/src/tests/gcred.c b/src/tests/gcred.c
index b14e4fc9a..cac524c51 100644
--- a/src/tests/gcred.c
+++ b/src/tests/gcred.c
@@ -66,6 +66,7 @@ main(int argc, char **argv)
krb5_principal client, server;
krb5_ccache ccache;
krb5_creds in_creds, *creds;
+ krb5_ticket *ticket;
krb5_flags options = 0;
char *name;
int c;
@@ -102,9 +103,11 @@ main(int argc, char **argv)
in_creds.client = client;
in_creds.server = server;
check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds));
- check(krb5_unparse_name(ctx, creds->server, &name));
+ check(krb5_decode_ticket(&creds->ticket, &ticket));
+ check(krb5_unparse_name(ctx, ticket->server, &name));
printf("%s\n", name);
+ krb5_free_ticket(ctx, ticket);
krb5_free_unparsed_name(ctx, name);
krb5_free_creds(ctx, creds);
krb5_free_principal(ctx, client);
diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
index 1ffda51f4..fe435a2d5 100755
--- a/src/tests/t_sn2princ.py
+++ b/src/tests/t_sn2princ.py
@@ -7,10 +7,15 @@ conf = {'domain_realm': {'kerberos.org': 'R1',
'mit.edu': 'R3'}}
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
+fallback_canon_conf = {'libdefaults':
+ {'rdns': 'false',
+ 'dns_canonicalize_hostname': 'fallback'}}
-realm = K5Realm(create_kdb=False, krb5_conf=conf)
+realm = K5Realm(realm='R1', create_host=False, krb5_conf=conf)
no_rdns = realm.special_env('no_rdns', False, krb5_conf=no_rdns_conf)
no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
+fallback_canon = realm.special_env('fallback_canon', False,
+ krb5_conf=fallback_canon_conf)
def testbase(host, nametype, princhost, princrealm, env=None):
# Run the sn2princ harness with a specified host and name type and
@@ -37,6 +42,10 @@ def testu(host, princhost, princrealm):
# Test with the unknown name type.
testbase(host, 'unknown', princhost, princrealm)
+def testfc(host, princhost, princrealm):
+ # Test with the host-based name type with canonicalization fallback.
+ testbase(host, 'srv-hst', princhost, princrealm, env=fallback_canon)
+
# With the unknown principal type, we do not canonicalize or downcase,
# but we do remove a trailing period and look up the realm.
mark('unknown type')
@@ -71,6 +80,29 @@ if offline:
oname = 'ptr-mismatch.kerberos.org'
fname = 'www.kerberos.org'
+# Test fallback canonicalization krb5_sname_to_principal() results
+# (same as dns_canonicalize_hostname=false).
+mark('dns_canonicalize_host=fallback')
+testfc(oname, oname, 'R1')
+
+# Test fallback canonicalization in krb5_get_credentials().
+oprinc = 'host/' + oname
+fprinc = 'host/' + fname
+shutil.copy(realm.ccache, realm.ccache + '.save')
+realm.addprinc(fprinc)
+# oprinc doesn't exist, so we get the canonicalized fprinc as a fallback.
+msgs = ('Falling back to canonicalized server hostname ' + fname,)
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=fprinc, expected_trace=msgs)
+realm.addprinc(oprinc)
+# oprinc now exists, but we still get the fprinc ticket from the cache.
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=fprinc)
+# Without the cached result, we sould get oprinc in preference to fprinc.
+os.rename(realm.ccache + '.save', realm.ccache)
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=oprinc)
+
# Verify forward resolution before testing for it.
try:
ai = socket.getaddrinfo(oname, None, 0, 0, 0, socket.AI_CANONNAME)


@ -1,183 +0,0 @@
From 397ce771e195edf63f796f1cf917bc65b4eafd8c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 16:16:57 -0500
Subject: [PATCH] Add function and enctype flag for deprecations
krb5int_c_deprecated_enctype() checks for the ETYPE_DEPRECATED flag on
enctypes. All ENCTYPE_WEAK enctypes are currently deprecated; not all
deprecated enctypes are considered weak. Deprecations follow RFC 6649
and RFC 8429.
(cherry picked from commit 484a6e7712f9b66e782b2520f07b0883889e116f)
---
src/include/k5-int.h | 1 +
src/lib/crypto/krb/crypto_int.h | 9 ++++++++-
src/lib/crypto/krb/enctype_util.c | 7 +++++++
src/lib/crypto/krb/etypes.c | 19 ++++++++++---------
src/lib/crypto/libk5crypto.exports | 1 +
src/lib/krb5_32.def | 3 +++
6 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 8f9329c59..255cee822 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2077,6 +2077,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
+krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype);
krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index e5099291e..6c1c77cac 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -114,7 +114,14 @@ struct krb5_keytypes {
unsigned int ssf;
};
-#define ETYPE_WEAK 1
+/*
+ * "Weak" means the enctype is believed to be vulnerable to practical attacks,
+ * and will be disabled unless allow_weak_crypto is set to true. "Deprecated"
+ * means the enctype has been deprecated by the IETF, and affects display and
+ * logging.
+ */
+#define ETYPE_WEAK (1 << 0)
+#define ETYPE_DEPRECATED (1 << 1)
extern const struct krb5_keytypes krb5int_enctypes_list[];
extern const int krb5int_enctypes_length;
diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
index b1b40e7ec..e394f4e19 100644
--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
@@ -51,6 +51,13 @@ krb5int_c_weak_enctype(krb5_enctype etype)
return (ktp != NULL && (ktp->flags & ETYPE_WEAK) != 0);
}
+krb5_boolean KRB5_CALLCONV
+krb5int_c_deprecated_enctype(krb5_enctype etype)
+{
+ const struct krb5_keytypes *ktp = find_enctype(etype);
+ return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
krb5_boolean *similar)
diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
index 53d4a5c79..8f44c37e7 100644
--- a/src/lib/crypto/krb/etypes.c
+++ b/src/lib/crypto/krb/etypes.c
@@ -33,6 +33,7 @@
that the keytypes are all near each other. I'd rather not make
that assumption. */
+/* Deprecations come from RFC 6649 and RFC 8249. */
const struct krb5_keytypes krb5int_enctypes_list[] = {
{ ENCTYPE_DES_CBC_CRC,
"des-cbc-crc", { 0 }, "DES cbc mode with CRC-32",
@@ -42,7 +43,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
@@ -51,7 +52,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD4_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
@@ -60,7 +61,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", { 0 }, "DES cbc mode raw",
&krb5int_enc_des, NULL,
@@ -69,7 +70,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
0,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
@@ -78,7 +79,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des3,
NULL, /*PRF*/
0,
- ETYPE_WEAK, 112 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 112 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
@@ -89,7 +90,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des3,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_DES3,
- 0 /*flags*/, 112 },
+ ETYPE_DEPRECATED, 112 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
@@ -99,7 +100,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des,
NULL, /*PRF*/
0,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
/* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
* consider its strength degraded and assign it an SSF value of 64. */
@@ -113,7 +114,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
k5_rand2key_direct, krb5int_arcfour_prf,
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- 0 /*flags*/, 64 },
+ ETYPE_DEPRECATED, 64 },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
"Exportable ArcFour with HMAC/md5",
@@ -124,7 +125,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
k5_rand2key_direct, krb5int_arcfour_prf,
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- ETYPE_WEAK, 40
+ ETYPE_WEAK | ETYPE_DEPRECATED, 40
},
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 82eb5f30c..90afdf5f7 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -109,3 +109,4 @@ k5_allow_weak_pbkdf2iter
krb5_c_prfplus
krb5_c_derive_prfplus
k5_enctype_to_ssf
+krb5int_c_deprecated_enctype
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index c35022931..e6a487593 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -487,3 +487,6 @@ EXPORTS
encode_krb5_pa_spake @444 ; PRIVATE
decode_krb5_pa_spake @445 ; PRIVATE
k5_free_pa_spake @446 ; PRIVATE
+
+; new in 1.18
+ krb5int_c_deprecated_enctype @450 ; PRIVATE


@ -1,37 +0,0 @@
From 6946ea68b719da8434fc4c09b4ed97be91d8464b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 21 May 2019 12:52:26 -0400
Subject: [PATCH] Add missing newlines to deprecation warnings
Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c omitted newlines in
two warning messages sent to stderr. Add them now.
ticket: 8773
(cherry picked from commit 274fee295d1429668b31c6ed898fc5d11a7e3589)
---
src/kdc/main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 04393772f..1596c1c5b 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -223,7 +223,8 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
if (krb5_enctype_to_name(def_enctype, FALSE, ename, sizeof(ename)))
ename[0] = '\0';
fprintf(stderr,
- _("Requested master password enctype %s in %s is DEPRECATED!"),
+ _("Requested master password enctype %s in %s is "
+ "DEPRECATED!\n"),
ename, realm);
}
@@ -385,7 +386,7 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
if (krb5_enctype_to_name(rdp->realm_mkey.enctype, FALSE, ename,
sizeof(ename)))
ename[0] = '\0';
- fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!"),
+ fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!\n"),
rdp->realm_stash, ename);
}



@ -1,294 +0,0 @@
From 0b63afda1a399a37274021115524db1e65675cb9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Nov 2018 00:27:35 -0500
Subject: [PATCH] Add tests for KCM ccache type
Using a trivial Python implementation of a KCM server, run the
t_ccache.py tests against the KCM ccache type.
(cherry picked from commit f0bcb86131e385b2603ccf0f3c7d65aa3891b220)
---
src/tests/kcmserver.py | 246 +++++++++++++++++++++++++++++++++++++++++
src/tests/t_ccache.py | 9 +-
2 files changed, 254 insertions(+), 1 deletion(-)
create mode 100644 src/tests/kcmserver.py
diff --git a/src/tests/kcmserver.py b/src/tests/kcmserver.py
new file mode 100644
index 000000000..57432e5a7
--- /dev/null
+++ b/src/tests/kcmserver.py
@@ -0,0 +1,246 @@
+# This is a simple KCM test server, used to exercise the KCM ccache
+# client code. It will generally throw an uncaught exception if the
+# client sends anything unexpected, so is unsuitable for production.
+# (It also imposes no namespace or access constraints, and blocks
+# while reading requests and writing responses.)
+
+# This code knows nothing about how to marshal and unmarshal principal
+# names and credentials as is required in the KCM protocol; instead,
+# it just remembers the marshalled forms and replays them to the
+# client when asked. This works because marshalled creds and
+# principal names are always the last part of marshalled request
+# arguments, and because we don't need to implement remove_cred (which
+# would need to know how to match a cred tag against previously stored
+# credentials).
+
+# The following code is useful for debugging if anything appears to be
+# going wrong in the server, since daemon output is generally not
+# visible in Python test scripts.
+#
+# import sys, traceback
+# def ehook(etype, value, tb):
+# with open('/tmp/exception', 'w') as f:
+# traceback.print_exception(etype, value, tb, file=f)
+# sys.excepthook = ehook
+
+import select
+import socket
+import struct
+import sys
+
+caches = {}
+cache_uuidmap = {}
+defname = b'default'
+next_unique = 1
+next_uuid = 1
+
+class KCMOpcodes(object):
+ GEN_NEW = 3
+ INITIALIZE = 4
+ DESTROY = 5
+ STORE = 6
+ GET_PRINCIPAL = 8
+ GET_CRED_UUID_LIST = 9
+ GET_CRED_BY_UUID = 10
+ REMOVE_CRED = 11
+ GET_CACHE_UUID_LIST = 18
+ GET_CACHE_BY_UUID = 19
+ GET_DEFAULT_CACHE = 20
+ SET_DEFAULT_CACHE = 21
+ GET_KDC_OFFSET = 22
+ SET_KDC_OFFSET = 23
+
+
+class KRB5Errors(object):
+ KRB5_CC_END = -1765328242
+ KRB5_CC_NOSUPP = -1765328137
+ KRB5_FCC_NOFILE = -1765328189
+
+
+def make_uuid():
+ global next_uuid
+ uuid = bytes(12) + struct.pack('>L', next_uuid)
+ next_uuid = next_uuid + 1
+ return uuid
+
+
+class Cache(object):
+ def __init__(self, name):
+ self.name = name
+ self.princ = None
+ self.uuid = make_uuid()
+ self.cred_uuids = []
+ self.creds = {}
+ self.time_offset = 0
+
+
+def get_cache(name):
+ if name in caches:
+ return caches[name]
+ cache = Cache(name)
+ caches[name] = cache
+ cache_uuidmap[cache.uuid] = cache
+ return cache
+
+
+def unmarshal_name(argbytes):
+ offset = argbytes.find(b'\0')
+ return argbytes[0:offset], argbytes[offset+1:]
+
+
+def op_gen_new(argbytes):
+ # Does not actually check for uniqueness.
+ global next_unique
+ name = b'unique' + str(next_unique).encode('ascii')
+ next_unique += 1
+ return 0, name + b'\0'
+
+
+def op_initialize(argbytes):
+ name, princ = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ cache.princ = princ
+ cache.cred_uuids = []
+ cache.creds = {}
+ cache.time_offset = 0
+ return 0, b''
+
+
+def op_destroy(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ del cache_uuidmap[cache.uuid]
+ del caches[name]
+ return 0, b''
+
+
+def op_store(argbytes):
+ name, cred = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ uuid = make_uuid()
+ cache.creds[uuid] = cred
+ cache.cred_uuids.append(uuid)
+ return 0, b''
+
+
+def op_get_principal(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ if cache.princ is None:
+ return KRB5Errors.KRB5_FCC_NOFILE, b''
+ return 0, cache.princ + b'\0'
+
+
+def op_get_cred_uuid_list(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ return 0, b''.join(cache.cred_uuids)
+
+
+def op_get_cred_by_uuid(argbytes):
+ name, uuid = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ if uuid not in cache.creds:
+ return KRB5Errors.KRB5_CC_END, b''
+ return 0, cache.creds[uuid]
+
+
+def op_remove_cred(argbytes):
+ return KRB5Errors.KRB5_CC_NOSUPP, b''
+
+
+def op_get_cache_uuid_list(argbytes):
+ return 0, b''.join(cache_uuidmap.keys())
+
+
+def op_get_cache_by_uuid(argbytes):
+ uuid = argbytes
+ if uuid not in cache_uuidmap:
+ return KRB5Errors.KRB5_CC_END, b''
+ return 0, cache_uuidmap[uuid].name + b'\0'
+
+
+def op_get_default_cache(argbytes):
+ return 0, defname + b'\0'
+
+
+def op_set_default_cache(argbytes):
+ global defname
+ defname, rest = unmarshal_name(argbytes)
+ return 0, b''
+
+
+def op_get_kdc_offset(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ return 0, struct.pack('>l', cache.time_offset)
+
+
+def op_set_kdc_offset(argbytes):
+ name, obytes = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ cache.time_offset, = struct.unpack('>l', obytes)
+ return 0, b''
+
+
+ophandlers = {
+ KCMOpcodes.GEN_NEW : op_gen_new,
+ KCMOpcodes.INITIALIZE : op_initialize,
+ KCMOpcodes.DESTROY : op_destroy,
+ KCMOpcodes.STORE : op_store,
+ KCMOpcodes.GET_PRINCIPAL : op_get_principal,
+ KCMOpcodes.GET_CRED_UUID_LIST : op_get_cred_uuid_list,
+ KCMOpcodes.GET_CRED_BY_UUID : op_get_cred_by_uuid,
+ KCMOpcodes.REMOVE_CRED : op_remove_cred,
+ KCMOpcodes.GET_CACHE_UUID_LIST : op_get_cache_uuid_list,
+ KCMOpcodes.GET_CACHE_BY_UUID : op_get_cache_by_uuid,
+ KCMOpcodes.GET_DEFAULT_CACHE : op_get_default_cache,
+ KCMOpcodes.SET_DEFAULT_CACHE : op_set_default_cache,
+ KCMOpcodes.GET_KDC_OFFSET : op_get_kdc_offset,
+ KCMOpcodes.SET_KDC_OFFSET : op_set_kdc_offset
+}
+
+# Read and respond to a request from the socket s.
+def service_request(s):
+ lenbytes = b''
+ while len(lenbytes) < 4:
+ lenbytes += s.recv(4 - len(lenbytes))
+ if lenbytes == b'':
+ return False
+
+ reqlen, = struct.unpack('>L', lenbytes)
+ req = b''
+ while len(req) < reqlen:
+ req += s.recv(reqlen - len(req))
+
+ majver, minver, op = struct.unpack('>BBH', req[:4])
+ argbytes = req[4:]
+ code, payload = ophandlers[op](argbytes)
+
+ # The KCM response is the code (4 bytes) and the response payload.
+ # The Heimdal IPC response is the length of the KCM response (4
+ # bytes), a status code which is essentially always 0 (4 bytes),
+ # and the KCM response.
+ kcm_response = struct.pack('>l', code) + payload
+ hipc_response = struct.pack('>LL', len(kcm_response), 0) + kcm_response
+ s.sendall(hipc_response)
+ return True
+
+
+server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+server.bind(sys.argv[1])
+server.listen(5)
+select_input = [server,]
+sys.stderr.write('starting...\n')
+sys.stderr.flush()
+
+while True:
+ iready, oready, xready = select.select(select_input, [], [])
+ for s in iready:
+ if s == server:
+ client, addr = server.accept()
+ select_input.append(client)
+ else:
+ if not service_request(s):
+ select_input.remove(s)
+ s.close()
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index fcf1a611e..66804afa5 100755
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -22,7 +22,10 @@
from k5test import *
-realm = K5Realm(create_host=False)
+kcm_socket_path = os.path.join(os.getcwd(), 'testdir', 'kcm')
+conf = {'libdefaults': {'kcm_socket': kcm_socket_path,
+ 'kcm_mach_service': '-'}}
+realm = K5Realm(create_host=False, krb5_conf=conf)
keyctl = which('keyctl')
out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
@@ -122,6 +125,10 @@ def collection_test(realm, ccname):
collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
+kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')
+realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],
+ 'starting...')
+collection_test(realm, 'KCM:')
if test_keyring:
def cleanup_keyring(anchor, name):
out = realm.run(['keyctl', 'list', anchor])


@ -1,31 +0,0 @@
From b99ba3fa4bc99c2925fa4b509004d694e9d7ac68 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 14 Mar 2019 11:26:44 -0400
Subject: [PATCH] Add zapfreedata() convenience function
(cherry picked from commit abd974cf867db5a398aa87ba9b9aaa34346e12a4)
---
src/include/k5-int.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index e0c557554..2bc59e636 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -663,6 +663,16 @@ zapfreestr(void *str)
}
}
+/* Convenience function: zap and free krb5_data pointer if it is non-NULL. */
+static inline void
+zapfreedata(krb5_data *data)
+{
+ if (data != NULL) {
+ zapfree(data->data, data->length);
+ free(data);
+ }
+}
+
/*
* Combine two keys (normally used by the hardware preauth mechanism)
*/


@ -1,94 +0,0 @@
From 95fec44aebd6a4d815f88a0b5a53517c4f3175f4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 30 Dec 2018 16:40:28 -0500
Subject: [PATCH] Address some optimized-out memset() calls
Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out. In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear. In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure. In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.
(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)
---
src/clients/ksu/krb_auth_su.c | 4 +---
src/lib/gssapi/krb5/iakerb.c | 1 -
src/lib/kadm5/srv/svr_principal.c | 10 ++--------
src/lib/krb5/asn.1/asn1_k_encode.c | 1 -
4 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index 7af48195c..e39685fff 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
if (code ) {
com_err(prog_name, code, _("while reading password for '%s'\n"),
client_name);
- memset(password, 0, sizeof(password));
return (FALSE);
}
if ( pwsize == 0) {
fprintf(stderr, _("No password given\n"));
*zero_password = TRUE;
- memset(password, 0, sizeof(password));
return (FALSE);
}
code = krb5_get_init_creds_password(context, &creds, client, password,
krb5_prompter_posix, NULL, 0, NULL,
options);
- memset(password, 0, sizeof(password));
+ zap(password, sizeof(password));
if (code) {
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index bb1072fe4..47c161ec9 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,
/*
* Assemble the IAKERB-HEADER from the realm and cookie
*/
- memset(&iah, 0, sizeof(iah));
iah.target_realm = *realm;
iah.cookie = cookie;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 8582bbc56..be0922101 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -2097,14 +2097,8 @@ static int decrypt_key_data(krb5_context context,
ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
NULL);
if (ret) {
- for (; i >= 0; i--) {
- if (keys[i].contents) {
- memset (keys[i].contents, 0, keys[i].length);
- free( keys[i].contents );
- }
- }
-
- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+ for (; i >= 0; i--)
+ krb5_free_keyblock_contents(context, &keys[i]);
free(keys);
return ret;
}
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 65c84be2f..81a34bac9 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
if (ret) {
free_kdc_req_body(b);
free(h.server_realm.data);
- memset(&h, 0, sizeof(h));
return ret;
}
b->server->realm = h.server_realm;


@ -1,64 +0,0 @@
From 0bbb2104fd6c494552c9261137fac782941b6440 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 15 Oct 2019 20:41:49 +0300
Subject: [PATCH] Allow client canonicalization in non-krbtgt AS-REP
If a caller makes an AS-REQ with the canonicalize flag set (or with an
enterprise client principal or the anonymous flag), always allow the
KDC to change the client principal. Continue to restrict server name
changes to requests for TGS principals.
Also remove the conditional for setting canon_ok for fully anonymous
requests. Both kinds of anonymous requests change the client
principal or realm, but neither kind changes the server principal or
realm, so this logic is no longer needed now that canon_ok only
applies to server name changes.
[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT
clause]
ticket: 8843 (new)
(cherry picked from commit c6c19b1d35c6523cb7ed220c1f2e97e12e039293)
---
src/lib/krb5/krb/get_in_tkt.c | 9 ++-------
src/tests/t_kdb.py | 3 +++
2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 79dede2c6..9ee605888 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context context,
if (canon_req) {
canon_ok = IS_TGS_PRINC(request->server) &&
IS_TGS_PRINC(as_reply->enc_part2->server);
- if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
- canon_ok = krb5_principal_compare_any_realm(context,
- as_reply->client,
- krb5_anonymous_principal());
- }
} else
canon_ok = 0;
if ((!canon_ok &&
- (!krb5_principal_compare(context, as_reply->client, request->client) ||
- !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+ || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
|| !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
|| (request->nonce != as_reply->enc_part2->nonce)
/* XXX check for extraneous flags */
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a082a5b9..cc5d2fc3c 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
realm.kinit('canon', password('canon'))
realm.kinit('alias', password('canon'), ['-C'])
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
mark('LDAP password history')
# Test password history.


@ -1,63 +0,0 @@
From 399b9ed8ef199b6280bf4d6564928c79a3611cc5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 15:14:49 -0400
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
Add a comment to k5_arcfour_init_state() explaining how we stretch the
krb5_data cipher state contract. Use void * casts when interpreting
the data pointer to avoid alignment warnings.
[ghudson@mit.edu: moved and expanded comment; rewrote commit message]
(cherry picked from commit 1cd41d76c12fc1cea0a8bf0d6a40f34623c60d6d)
---
src/lib/crypto/openssl/enc_provider/rc4.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index 7f3c086ed..a65d57b7a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -57,7 +57,7 @@ struct arcfour_state {
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
size_t num_data)
{
size_t i;
@@ -66,7 +66,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
- arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL;
+ arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
if (arcstate->loopback != arcstate)
@@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (struct arcfour_state *) state->data;
+ struct arcfour_state *arcstate = (void *)state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +125,15 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ /*
+ * The cipher state here is a saved pointer to a struct arcfour_state
+ * object, rather than a flat byte array as in most enc providers. The
+ * object includes a loopback pointer to detect if if the caller made a
+ * copy of the krb5_data value or otherwise assumed it was a simple byte
+ * array. When we cast the data pointer back, we need to go through void *
+ * to avoid increased alignment warnings.
+ */
+
/* Create a state structure with an uninitialized context. */
arcstate = calloc(1, sizeof(*arcstate));
if (arcstate == NULL)


@ -1,55 +0,0 @@
From c896facca7dd9d0fbbd561d3a723a90216821b72 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Jan 2019 17:19:32 +0100
Subject: [PATCH] Avoid allocating a register in zap() assembly
See https://bugs.llvm.org/show_bug.cgi?id=15495
Also add explicit_bzero() (glibc, FreeBSD) and explicit_memset()
(NetBSD) as alternatives.
[ghudson@mit.edu: added explicit_bzero() and explicit_memset()]
(cherry picked from commit 7391e8b541061d0f584193b4a53365b64364b0e8)
---
src/configure.in | 2 +-
src/include/k5-platform.h | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index feae21c3e..505dabb02 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -421,7 +421,7 @@ AC_PROG_LEX
AC_C_CONST
AC_HEADER_DIRENT
AC_FUNC_STRERROR_R
-AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm)
+AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm explicit_bzero explicit_memset)
AC_CHECK_FUNC(mkstemp,
[MKSTEMP_ST_OBJ=
diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h
index 997b655e1..1fcd68e8c 100644
--- a/src/include/k5-platform.h
+++ b/src/include/k5-platform.h
@@ -1023,6 +1023,10 @@ static inline void zap(void *ptr, size_t len)
if (len > 0)
memset_s(ptr, len, 0, len);
}
+#elif defined(HAVE_EXPLICIT_BZERO)
+# define zap(ptr, len) explicit_bzero(ptr, len)
+#elif defined(HAVE_EXPLICIT_MEMSET)
+# define zap(ptr, len) explicit_memset(ptr, 0, len)
#elif defined(__GNUC__) || defined(__clang__)
/*
* Use an asm statement which declares a memory clobber to force the memset to
@@ -1032,7 +1036,7 @@ static inline void zap(void *ptr, size_t len)
{
if (len > 0)
memset(ptr, 0, len);
- __asm__ __volatile__("" : : "r" (ptr) : "memory");
+ __asm__ __volatile__("" : : "g" (ptr) : "memory");
}
#else
/*


@ -1,88 +0,0 @@
From 57e48b63b1f0b34861c66fb24dafc0feb524f47c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 22 Apr 2019 14:26:42 -0400
Subject: [PATCH] Check more errors in OpenSSL crypto backend
In krb5int_hmac_keyblock() and krb5int_pbkdf2_hmac(), check for errors
from previously unchecked OpenSSL function calls and return
KRB5_CRYPTO_INTERNAL if they fail.
HMAC_Init() is deprecated in OpenSSL 1.0 and later; as we are
modifying the call to check for errors, call HMAC_Init_ex() instead.
ticket: 8799 (new)
(cherry picked from commit 2298e5c2ff1122bcaff715129f5b746e77c3f42a)
---
src/lib/crypto/openssl/hmac.c | 18 +++++++++---------
src/lib/crypto/openssl/pbkdf2.c | 9 +++++----
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index b2db6ec02..7dc59dcc0 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -117,7 +117,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *output)
{
- unsigned int i = 0, md_len = 0;
+ unsigned int i = 0, md_len = 0, ok;
unsigned char md[EVP_MAX_MD_SIZE];
HMAC_CTX *ctx;
size_t hashsize, blocksize;
@@ -137,22 +137,22 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
if (ctx == NULL)
return ENOMEM;
- HMAC_Init(ctx, keyblock->contents, keyblock->length, map_digest(hash));
- for (i = 0; i < num_data; i++) {
+ ok = HMAC_Init_ex(ctx, keyblock->contents, keyblock->length,
+ map_digest(hash), NULL);
+ for (i = 0; ok && i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
if (SIGN_IOV(iov))
- HMAC_Update(ctx, (uint8_t *)iov->data.data, iov->data.length);
+ ok = HMAC_Update(ctx, (uint8_t *)iov->data.data, iov->data.length);
}
- HMAC_Final(ctx, md, &md_len);
- if ( md_len <= output->length) {
+ if (ok)
+ ok = HMAC_Final(ctx, md, &md_len);
+ if (ok && md_len <= output->length) {
output->length = md_len;
memcpy(output->data, md, output->length);
}
HMAC_CTX_free(ctx);
- return 0;
-
-
+ return ok ? 0 : KRB5_CRYPTO_INTERNAL;
}
krb5_error_code
diff --git a/src/lib/crypto/openssl/pbkdf2.c b/src/lib/crypto/openssl/pbkdf2.c
index 00c2116fc..732ec6405 100644
--- a/src/lib/crypto/openssl/pbkdf2.c
+++ b/src/lib/crypto/openssl/pbkdf2.c
@@ -35,6 +35,7 @@ krb5int_pbkdf2_hmac(const struct krb5_hash_provider *hash,
const krb5_data *pass, const krb5_data *salt)
{
const EVP_MD *md = NULL;
+ int ok;
/* Get the message digest handle corresponding to the hash. */
if (hash == &krb5int_hash_sha1)
@@ -46,8 +47,8 @@ krb5int_pbkdf2_hmac(const struct krb5_hash_provider *hash,
if (md == NULL)
return KRB5_CRYPTO_INTERNAL;
- PKCS5_PBKDF2_HMAC(pass->data, pass->length, (unsigned char *)salt->data,
- salt->length, count, md, out->length,
- (unsigned char *)out->data);
- return 0;
+ ok = PKCS5_PBKDF2_HMAC(pass->data, pass->length,
+ (unsigned char *)salt->data, salt->length, count,
+ md, out->length, (unsigned char *)out->data);
+ return ok ? 0 : KRB5_CRYPTO_INTERNAL;
}


@ -1,31 +0,0 @@
From 037981b197a6046574539ec405cc1d67b9f22473 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 2 Apr 2019 14:18:57 -0400
Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
Previously this comment seemed to suggest that applications needed to
block all other access to the ccache (including by other processes)
during iteration.
(cherry picked from commit f4f51a25dd38601357e2f64b17b51eb23f45a53e)
---
src/include/krb5/krb5.hin | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 3ff86d7ff..346e796a5 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2491,8 +2491,10 @@ krb5_cc_get_principal(krb5_context context, krb5_ccache cache,
*
* krb5_cc_end_seq_get() must be called to complete the retrieve operation.
*
- * @note If @a cache is modified between the time of the call to this function
- * and the time of the final krb5_cc_end_seq_get(), the results are undefined.
+ * @note If the cache represented by @a cache is modified between the time of
+ * the call to this function and the time of the final krb5_cc_end_seq_get(),
+ * these changes may not be reflected in the results of krb5_cc_next_cred()
+ * calls.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/


@ -1,484 +0,0 @@
From 54b5eceb45db9cf6ff86eea5efebba66cf48153e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Nov 2018 13:40:43 -0500
Subject: [PATCH] Clear forwardable flag instead of denying request
If the client requests a forwardable or proxiable ticket and the
option cannot be honored by policy, issue a non-forwardable or
non-proxiable ticket rather than denying the request.
Add a test script for testing KDC request options and populate it with
tests for the forwardable and proxiable flags.
ticket: 7871
(cherry picked from commit 08e948cce2c79a3604066fcf7a64fc527456f83d)
---
src/kdc/do_as_req.c | 19 ++------
src/kdc/do_tgs_req.c | 56 ++++-----------------
src/kdc/kdc_util.c | 82 ++++++++++++++++++-------------
src/kdc/kdc_util.h | 9 ++--
src/kdc/tgs_policy.c | 8 +--
src/tests/Makefile.in | 1 +
src/tests/gcred.c | 28 ++++++++---
src/tests/t_kdcoptions.py | 100 ++++++++++++++++++++++++++++++++++++++
8 files changed, 189 insertions(+), 114 deletions(-)
create mode 100644 src/tests/t_kdcoptions.py
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 588c1375a..8a96c12a9 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -192,13 +192,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
au_state->stage = ENCR_REP;
- if ((errcode = validate_forwardable(state->request, *state->client,
- *state->server, state->kdc_time,
- &state->status))) {
- errcode += ERROR_TABLE_BASE_krb5;
- goto egress;
- }
-
errcode = check_indicators(kdc_context, state->server,
state->auth_indicators);
if (errcode) {
@@ -708,12 +701,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
/* Copy options that request the corresponding ticket flags. */
- state->enc_tkt_reply.flags = OPTS2FLAGS(state->request->kdc_options);
+ state->enc_tkt_reply.flags = get_ticket_flags(state->request->kdc_options,
+ state->client, state->server,
+ NULL);
state->enc_tkt_reply.times.authtime = state->authtime;
- setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL);
- setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
-
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
@@ -732,10 +724,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;
- if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) {
- setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID);
+ if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED))
state->enc_tkt_reply.times.starttime = state->request->from;
- } else
+ else
state->enc_tkt_reply.times.starttime = state->kdc_time;
kdc_get_ticket_endtime(kdc_active_realm,
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 587342a6c..1da099318 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -378,15 +378,16 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
else
ticket_reply.server = request->server; /* XXX careful for realm... */
- enc_tkt_reply.flags = OPTS2FLAGS(request->kdc_options);
- enc_tkt_reply.flags |= COPY_TKT_FLAGS(header_enc_tkt->flags);
+ enc_tkt_reply.flags = get_ticket_flags(request->kdc_options, client,
+ server, header_enc_tkt);
enc_tkt_reply.times.starttime = 0;
- if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
- setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
-
- /* Indicate support for encrypted padata (RFC 6806). */
- setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
+ /* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting S4U2Self
+ * for forwardable tickets to be issued. */
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ !is_referral &&
+ !isflagset(server->attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/* don't use new addresses unless forwarded, see below */
@@ -401,37 +402,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
* realms may refuse to issue renewable tickets
*/
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
-
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- /*
- * If S4U2Self principal is not forwardable, then mark ticket as
- * unforwardable. This behaviour matches Windows, but it is
- * different to the MIT AS-REQ path, which returns an error
- * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
- *
- * Consider this block the S4U2Self equivalent to
- * validate_forwardable().
- */
- if (client != NULL &&
- isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- /*
- * Forwardable flag is propagated along referral path.
- */
- else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- /*
- * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
- * S4U2Self in order for forwardable tickets to be returned.
- */
- else if (!is_referral &&
- !isflagset(server->attributes,
- KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- }
- }
-
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
isflagset(request->kdc_options, KDC_OPT_PROXY)) {
@@ -440,16 +410,10 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
- /* We don't currently handle issuing anonymous tickets based on
- * non-anonymous ones, so just ignore the option. */
- if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS) &&
- !isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
- clear(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
- if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
- setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
+ if (isflagset(request->kdc_options, KDC_OPT_POSTDATED))
enc_tkt_reply.times.starttime = request->from;
- } else
+ else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 96c88edc1..f2741090e 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -697,29 +697,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return(KDC_ERR_CANNOT_POSTDATE);
}
- /*
- * A Windows KDC will return KDC_ERR_PREAUTH_REQUIRED instead of
- * KDC_ERR_POLICY in the following case:
- *
- * - KDC_OPT_FORWARDABLE is set in KDCOptions but local
- * policy has KRB5_KDB_DISALLOW_FORWARDABLE set for the
- * client, and;
- * - KRB5_KDB_REQUIRES_PRE_AUTH is set for the client but
- * preauthentication data is absent in the request.
- *
- * Hence, this check most be done after the check for preauth
- * data, and is now performed by validate_forwardable() (the
- * contents of which were previously below).
- */
-
- /* Client and server must allow proxiable tickets */
- if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) &&
- (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) ||
- isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) {
- *status = "PROXIABLE NOT ALLOWED";
- return(KDC_ERR_POLICY);
- }
-
/* Check to see if client is locked out */
if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
*status = "CLIENT LOCKED OUT";
@@ -752,19 +729,54 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return 0;
}
-int
-validate_forwardable(krb5_kdc_req *request, krb5_db_entry client,
- krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status)
+/*
+ * Compute ticket flags based on the request, the client and server DB entry
+ * (which may prohibit forwardable or proxiable tickets), and the header
+ * ticket. client may be NULL for a TGS request (although it may be set, such
+ * as for an S4U2Self request). header_enc may be NULL for an AS request.
+ */
+krb5_flags
+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc)
{
- *status = NULL;
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) &&
- (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
- isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) {
- *status = "FORWARDABLE NOT ALLOWED";
- return(KDC_ERR_POLICY);
- } else
- return 0;
+ krb5_flags flags;
+
+ /* Indicate support for encrypted padata (RFC 6806), and set flags based on
+ * request options and the header ticket. */
+ flags = OPTS2FLAGS(reqflags) | TKT_FLG_ENC_PA_REP;
+ if (reqflags & KDC_OPT_POSTDATED)
+ flags |= TKT_FLG_INVALID;
+ if (header_enc != NULL)
+ flags |= COPY_TKT_FLAGS(header_enc->flags);
+ if (header_enc == NULL)
+ flags |= TKT_FLG_INITIAL;
+
+ /* For TGS requests, indicate if the service is marked ok-as-delegate. */
+ if (header_enc != NULL && (server->attributes & KRB5_KDB_OK_AS_DELEGATE))
+ flags |= TKT_FLG_OK_AS_DELEGATE;
+
+ /* Unset PROXIABLE if it is disallowed. */
+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_PROXIABLE))
+ flags &= ~TKT_FLG_PROXIABLE;
+ if (server->attributes & KRB5_KDB_DISALLOW_PROXIABLE)
+ flags &= ~TKT_FLG_PROXIABLE;
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_PROXIABLE))
+ flags &= ~TKT_FLG_PROXIABLE;
+
+ /* Unset FORWARDABLE if it is disallowed. */
+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_FORWARDABLE))
+ flags &= ~TKT_FLG_FORWARDABLE;
+ if (server->attributes & KRB5_KDB_DISALLOW_FORWARDABLE)
+ flags &= ~TKT_FLG_FORWARDABLE;
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_FORWARDABLE))
+ flags &= ~TKT_FLG_FORWARDABLE;
+
+ /* We don't currently handle issuing anonymous tickets based on
+ * non-anonymous ones. */
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_ANONYMOUS))
+ flags &= ~TKT_FLG_ANONYMOUS;
+
+ return flags;
}
/* Return KRB5KDC_ERR_POLICY if indicators does not contain the required auth
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 25077cbf5..1314bdd58 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -85,16 +85,15 @@ validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
const char **, krb5_pa_data ***);
-int
-validate_forwardable(krb5_kdc_req *, krb5_db_entry,
- krb5_db_entry, krb5_timestamp,
- const char **);
-
int
validate_tgs_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, krb5_timestamp,
const char **, krb5_pa_data ***);
+krb5_flags
+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc);
+
krb5_error_code
check_indicators(krb5_context context, krb5_db_entry *server,
krb5_data *const *indicators);
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index 907fcd330..554345ba5 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -63,9 +63,9 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = {
};
static const struct tgsflagrule tgsflagrules[] = {
- { (KDC_OPT_FORWARDED | KDC_OPT_FORWARDABLE), TKT_FLG_FORWARDABLE,
+ { KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE,
"TGT NOT FORWARDABLE", KDC_ERR_BADOPTION },
- { (KDC_OPT_PROXY | KDC_OPT_PROXIABLE), TKT_FLG_PROXIABLE,
+ { KDC_OPT_PROXY, TKT_FLG_PROXIABLE,
"TGT NOT PROXIABLE", KDC_ERR_BADOPTION },
{ (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE,
"TGT NOT POSTDATABLE", KDC_ERR_BADOPTION },
@@ -98,12 +98,8 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
}
static const struct tgsflagrule svcdenyrules[] = {
- { KDC_OPT_FORWARDABLE, KRB5_KDB_DISALLOW_FORWARDABLE,
- "NON-FORWARDABLE TICKET", KDC_ERR_POLICY },
{ KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE,
"NON-RENEWABLE TICKET", KDC_ERR_POLICY },
- { KDC_OPT_PROXIABLE, KRB5_KDB_DISALLOW_PROXIABLE,
- "NON-PROXIABLE TICKET", KDC_ERR_POLICY },
{ KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED,
"NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE },
{ KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY,
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index c96c5d6b7..d2a37c616 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -171,6 +171,7 @@ check-pytests: unlockiter
$(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_kdcoptions.py $(PYTESTFLAGS)
clean:
$(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred
diff --git a/src/tests/gcred.c b/src/tests/gcred.c
index cb0ae6af5..b14e4fc9a 100644
--- a/src/tests/gcred.c
+++ b/src/tests/gcred.c
@@ -66,20 +66,32 @@ main(int argc, char **argv)
krb5_principal client, server;
krb5_ccache ccache;
krb5_creds in_creds, *creds;
+ krb5_flags options = 0;
char *name;
+ int c;
check(krb5_init_context(&ctx));
- /* Parse arguments. */
- assert(argc == 3);
- check(krb5_parse_name(ctx, argv[2], &server));
- if (strcmp(argv[1], "unknown") == 0)
+ while ((c = getopt(argc, argv, "f")) != -1) {
+ switch (c) {
+ case 'f':
+ options |= KRB5_GC_FORWARDABLE;
+ break;
+ default:
+ abort();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+ assert(argc == 2);
+ check(krb5_parse_name(ctx, argv[1], &server));
+ if (strcmp(argv[0], "unknown") == 0)
server->type = KRB5_NT_UNKNOWN;
- else if (strcmp(argv[1], "principal") == 0)
+ else if (strcmp(argv[0], "principal") == 0)
server->type = KRB5_NT_PRINCIPAL;
- else if (strcmp(argv[1], "srv-inst") == 0)
+ else if (strcmp(argv[0], "srv-inst") == 0)
server->type = KRB5_NT_SRV_INST;
- else if (strcmp(argv[1], "srv-hst") == 0)
+ else if (strcmp(argv[0], "srv-hst") == 0)
server->type = KRB5_NT_SRV_HST;
else
abort();
@@ -89,7 +101,7 @@ main(int argc, char **argv)
memset(&in_creds, 0, sizeof(in_creds));
in_creds.client = client;
in_creds.server = server;
- check(krb5_get_credentials(ctx, 0, ccache, &in_creds, &creds));
+ check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds));
check(krb5_unparse_name(ctx, creds->server, &name));
printf("%s\n", name);
diff --git a/src/tests/t_kdcoptions.py b/src/tests/t_kdcoptions.py
new file mode 100644
index 000000000..7ec57508c
--- /dev/null
+++ b/src/tests/t_kdcoptions.py
@@ -0,0 +1,100 @@
+from k5test import *
+import re
+
+# KDC option test coverage notes:
+#
+# FORWARDABLE here
+# FORWARDED no test
+# PROXIABLE here
+# PROXY no test
+# ALLOW_POSTDATE no test
+# POSTDATED no test
+# RENEWABLE t_renew.py
+# CNAME_IN_ADDL_TKT gssapi/t_s4u.py
+# CANONICALIZE t_kdb.py and various other tests
+# REQUEST_ANONYMOUS t_pkinit.py
+# DISABLE_TRANSITED_CHECK no test
+# RENEWABLE_OK t_renew.py
+# ENC_TKT_IN_SKEY t_u2u.py
+# RENEW t_renew.py
+# VALIDATE no test
+
+# Run klist -f and return the flags on the ticket for svcprinc.
+def get_flags(realm, svcprinc):
+ grab_flags = False
+ for line in realm.run([klist, '-f']).splitlines():
+ if grab_flags:
+ return re.findall(r'Flags: ([a-zA-Z]*)', line)[0]
+ grab_flags = line.endswith(svcprinc)
+
+
+# Get the flags on the ticket for svcprinc, and check for an expected
+# element and an expected-absent element, either of which can be None.
+def check_flags(realm, svcprinc, expected_flag, expected_noflag):
+ flags = get_flags(realm, svcprinc)
+ if expected_flag is not None and not expected_flag in flags:
+ fail('expected flag ' + expected_flag)
+ if expected_noflag is not None and expected_noflag in flags:
+ fail('did not expect flag ' + expected_noflag)
+
+
+# Run kinit with the given flags, and check the flags on the resulting
+# TGT.
+def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
+ realm.kinit(realm.user_princ, password('user'), flags)
+ check_flags(realm, realm.krbtgt_princ, expected_flag, expected_noflag)
+
+
+# Run kinit with kflags. Then get credentials for the host principal
+# with gflags, and check the flags on the resulting ticket.
+def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
+ realm.kinit(realm.user_princ, password('user'), kflags)
+ realm.run(['./gcred'] + gflags + ['unknown', realm.host_princ])
+ check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
+
+
+realm = K5Realm()
+
+mark('proxiable (AS)')
+kinit_check_flags(realm, [], None, 'P')
+kinit_check_flags(realm, ['-p'], 'P', None)
+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.user_princ])
+kinit_check_flags(realm, ['-p'], None, 'P')
+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.user_princ])
+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.krbtgt_princ])
+kinit_check_flags(realm, ['-p'], None, 'P')
+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.krbtgt_princ])
+
+mark('proxiable (TGS)')
+gcred_check_flags(realm, [], [], None, 'P')
+gcred_check_flags(realm, ['-p'], [], 'P', None)
+
+# Not tested: PROXIABLE option set with a non-proxiable TGT (because
+# there is no krb5_get_credentials() flag to request this; would
+# expect a non-proxiable ticket).
+
+# Not tested: proxiable TGT but PROXIABLE flag not set (because we
+# internally set the PROXIABLE option when using a proxiable TGT;
+# would expect a non-proxiable ticket).
+
+mark('forwardable (AS)')
+kinit_check_flags(realm, [], None, 'F')
+kinit_check_flags(realm, ['-f'], 'F', None)
+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.user_princ])
+kinit_check_flags(realm, ['-f'], None, 'F')
+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.user_princ])
+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.krbtgt_princ])
+kinit_check_flags(realm, ['-f'], None, 'F')
+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.krbtgt_princ])
+
+mark('forwardable (TGS)')
+realm.kinit(realm.user_princ, password('user'))
+gcred_check_flags(realm, [], [], None, 'F')
+gcred_check_flags(realm, [], ['-f'], None, 'F')
+gcred_check_flags(realm, ['-f'], [], 'F', None)
+
+# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
+# internally set the FORWARDABLE option when using a forwardable TGT;
+# would expect a non-proxiable ticket).
+
+success('KDC option tests')


@ -1,79 +0,0 @@
From c8b24f222719df0c4b9815d26019ad96c551ec81 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 21 May 2019 13:34:39 -0400
Subject: [PATCH] Display unsupported enctype names
Add a table of unsupported enctype numbers to enctype_util.c and
consult it in krb5_enctype_to_name(). Treat unsupported enctype
numbers as deprecated in krb5int_c_deprecated_enctype(). In kadmin,
display "UNSUPPORTED:" before invalid enctype names.
ticket: 8808
(cherry picked from commit ebbc6e8e99ee9d5d757411200a6a3173171774df)
---
src/kadmin/cli/kadmin.c | 4 +++-
src/lib/crypto/krb/enctype_util.c | 22 +++++++++++++++++++++-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index fe4cb493c..b4d1aad93 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1461,7 +1461,9 @@ kadmin_getprinc(int argc, char *argv[])
enctype, sizeof(enctype)))
snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
key_data->key_data_type[0]);
- if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
+ if (!krb5_c_valid_enctype(key_data->key_data_type[0]))
+ deprecated = "UNSUPPORTED:";
+ else if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
deprecated = "DEPRECATED:";
printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated,
enctype);
diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
index e394f4e19..1542d4062 100644
--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
@@ -36,6 +36,18 @@
#include "crypto_int.h"
+struct {
+ krb5_enctype etype;
+ const char *name;
+} unsupported_etypes[] = {
+ { ENCTYPE_DES_CBC_CRC, "des-cbc-crc" },
+ { ENCTYPE_DES_CBC_MD4, "des-cbc-md4" },
+ { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" },
+ { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" },
+ { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" },
+ { ENCTYPE_NULL, NULL }
+};
+
krb5_boolean KRB5_CALLCONV
krb5_c_valid_enctype(krb5_enctype etype)
{
@@ -55,7 +67,7 @@ krb5_boolean KRB5_CALLCONV
krb5int_c_deprecated_enctype(krb5_enctype etype)
{
const struct krb5_keytypes *ktp = find_enctype(etype);
- return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
+ return ktp == NULL || (ktp->flags & ETYPE_DEPRECATED) != 0;
}
krb5_error_code KRB5_CALLCONV
@@ -122,6 +134,14 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
const char *name;
int i;
+ for (i = 0; unsupported_etypes[i].etype != ENCTYPE_NULL; i++) {
+ if (enctype == unsupported_etypes[i].etype) {
+ if (strlcpy(buffer, unsupported_etypes[i].name, buflen) >= buflen)
+ return ENOMEM;
+ return 0;
+ }
+ }
+
ktp = find_enctype(enctype);
if (ktp == NULL)
return EINVAL;


@ -1,113 +0,0 @@
From f1890cb3b09789e62c6711d79b032a7af0a09ea8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 2 Nov 2019 13:32:32 +0100
Subject: [PATCH] Do not always canonicalize enterprise principals
When processing an AS request in the KDC, do not assume
KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change
allows the KDB module to only canonicalize enterprise client names if
the canonicalize flag was set on the request, as Windows does. The
KDB module may check the principal type and apply canonicalization as
appropriate.
[ghudson@mit.edu: edited comments; rewrote commit message]
ticket: 8858 (new)
(cherry picked from commit 3f5955631a2056f8ec4d1ce73d9681fa7da061c2)
---
src/include/kdb.h | 21 ++++++++++++---------
src/kdc/do_as_req.c | 9 ++++-----
src/tests/t_kdb.py | 12 ++++++++++++
3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 7749cfc99..1dd37cdab 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1023,15 +1023,18 @@ typedef struct _kdb_vftabl {
* in-realm alias, fill in a different value for entries->princ than the
* one requested.
*
- * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
- * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
- * also set), the module should do so by simply filling in an out-of-realm
- * name in entries->princ and setting all other fields to NULL. Otherwise,
- * the module should return the entry for the cross-realm TGS of the
- * referred-to realm. For TGS referals, the module can also include
- * tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded Windows
- * referral data as documented in draft-ietf-krb-wg-kerberos-referrals-11
- * appendix A; this will be returned to the client as encrypted padata.
+ * A module can return a referral to another realm if
+ * KRB5_KDB_FLAG_CANONICALIZE is set, or if
+ * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is set and search_for->type is
+ * KRB5_NT_ENTERPRISE_PRINCIPAL. If KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
+ * set, the module should return a referral by simply filling in an
+ * out-of-realm name in (*entry)->princ and setting all other fields to
+ * NULL. Otherwise, the module should return the entry for the cross-realm
+ * TGS of the referred-to realm. For TGS referals, the module can also
+ * include tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded
+ * Windows referral data as documented in
+ * draft-ietf-krb-wg-kerberos-referrals-11 appendix A; this will be
+ * returned to the client as encrypted padata.
*/
krb5_error_code (*get_principal)(krb5_context kcontext,
krb5_const_principal search_for,
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8a96c12a9..02c0a8a1f 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -585,15 +585,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
* of cross realm TGS entries.
*/
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
- /*
- * Note that according to the referrals draft we should
- * always canonicalize enterprise principal names.
- */
+ /* Enterprise principals are implicitly alias-ok. */
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
+ if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
+ setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
if (include_pac_p(kdc_context, state->request)) {
setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index cc5d2fc3c..7271fcbbd 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -340,11 +340,14 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
'changetype: modify\n'
'add: krbPrincipalName\n'
'krbPrincipalName: alias@KRBTEST.COM\n'
+ 'krbPrincipalName: ent@abc@KRBTEST.COM\n'
'-\n'
'add: krbCanonicalName\n'
'krbCanonicalName: canon@KRBTEST.COM\n')
realm.run([kadminl, 'getprinc', 'alias'],
expected_msg='Principal: canon@KRBTEST.COM\n')
+realm.run([kadminl, 'getprinc', 'ent\@abc'],
+ expected_msg='Principal: canon@KRBTEST.COM\n')
realm.run([kadminl, 'getprinc', 'canon'],
expected_msg='Principal: canon@KRBTEST.COM\n')
realm.run([kvno, 'alias', 'canon'])
@@ -389,6 +392,15 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
realm.kinit('canon', password('canon'))
realm.kinit('alias', password('canon'), ['-C'])
+# Test enterprise alias with and without canonicalization.
+realm.kinit('ent@abc', password('canon'), ['-E', '-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
+
+realm.kinit('ent@abc', password('canon'), ['-E'])
+realm.run([kvno, 'alias'])
+realm.klist('ent\@abc@KRBTEST.COM', 'alias@KRBTEST.COM')
+
# Test client name canonicalization in non-krbtgt AS reply
realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])


@ -1,67 +0,0 @@
From d39897c46818f990eb7752573c309b97d90a983e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 10 Jul 2019 17:10:16 -0400
Subject: [PATCH] Don't error on invalid enctypes in keytab
krb5_ktfile_get_entry() used krb5_c_enctype_compare() to compare
enctypes, in order to share keys between single-DES enctypes. As
key-sharing between enctypes is no longer done and single-DES support
has been removed, use a simple equality test to match the enctype.
This fixes a bug where krb5_kt_get_entry() would error out if the
keytab contained any entries with invalid enctypes (include single-DES
entries, after commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8) even
if a matching entry is found.
[ghudson@mit.edu: rewrote commit message]
ticket: 8808
(cherry picked from commit 38be1a0a31a6104cdf8c8d72828905775f6d6636)
---
src/lib/krb5/keytab/kt_file.c | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 21c80d419..df2530a45 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -289,7 +289,6 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
krb5_keytab_entry cur_entry, new_entry;
krb5_error_code kerror = 0;
int found_wrong_kvno = 0;
- krb5_boolean similar;
int was_open;
char *princname;
@@ -336,27 +335,11 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
continue;
}
- /* if the enctype is not ignored and doesn't match, free new_entry
- and continue to the next */
-
- if (enctype != IGNORE_ENCTYPE) {
- if ((kerror = krb5_c_enctype_compare(context, enctype,
- new_entry.key.enctype,
- &similar))) {
- krb5_kt_free_entry(context, &new_entry);
- break;
- }
-
- if (!similar) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
- /*
- * Coerce the enctype of the output keyblock in case we
- * got an inexact match on the enctype.
- */
- new_entry.key.enctype = enctype;
-
+ /* If the enctype is not ignored and doesn't match, free new_entry and
+ continue to the next. */
+ if (enctype != IGNORE_ENCTYPE && enctype != new_entry.key.enctype) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
}
if (kvno == IGNORE_VNO || new_entry.vno == IGNORE_VNO) {


@ -1,160 +0,0 @@
From aec16ed11477f08f477f915fb8119271d688711c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 19 Dec 2019 17:49:05 -0500
Subject: [PATCH] Don't warn in kadmin when no policy is specified
Not having policy defined is a normal occurrence. While it's a useful
message to log in case it's unexpected, the current form is
unnecessarily alarmist.
ticket: 8857 (new)
(cherry picked from commit 2ca842d5cbd5981ab5fa50e418359763c9f1a6d5)
---
doc/admin/admin_commands/kadmin_local.rst | 2 +-
doc/admin/database.rst | 4 ++--
doc/admin/install_kdc.rst | 6 +++---
src/kadmin/cli/kadmin.c | 4 ++--
src/man/kadmin.man | 2 +-
src/po/de.po | 8 ++++----
src/po/mit-krb5.pot | 4 ++--
7 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 71aa894f6..fafa61365 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -419,7 +419,7 @@ Options:
Example::
kadmin: addprinc jennifer
- WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+ No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re-enter password for principal jennifer@ATHENA.MIT.EDU:
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index cea60b009..8505fe1ec 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -103,7 +103,7 @@ If you want to create a principal which is contained by a LDAP object,
all you need to do is::
kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
- WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+ No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password.
Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again.
@@ -114,7 +114,7 @@ If you want to create a principal under a specific LDAP container and
link to an existing LDAP object, all you need to do is::
kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
- WARNING: no policy specified for "david@ATHENA.MIT.EDU";
+ No policy specified for "david@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal david@ATHENA.MIT.EDU: <= Type the password.
Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again.
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 3bec59f96..157c6059e 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -239,7 +239,7 @@ is created::
kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
- WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU";
+ No policy specified for "admin/admin@ATHENA.MIT.EDU";
assigning "default".
Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password.
Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again.
@@ -316,11 +316,11 @@ following::
shell% kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
- NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
+ No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
kadmin: addprinc -randkey host/kerberos-1.mit.edu
- NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default"
+ No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default"
Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.
It is not strictly necessary to have the master KDC server in the
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index b4d1aad93..a6e858d82 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1229,13 +1229,13 @@ kadmin_addprinc(int argc, char *argv[])
/* If the policy "default" exists, assign it. */
if (policy_exists("default")) {
if (!script_mode) {
- fprintf(stderr, _("NOTICE: no policy specified for %s; "
+ fprintf(stderr, _("No policy specified for %s; "
"assigning \"default\"\n"), canon);
}
princ.policy = "default";
mask |= KADM5_POLICY;
} else if (!script_mode) {
- fprintf(stderr, _("WARNING: no policy specified for %s; "
+ fprintf(stderr, _("No policy specified for %s; "
"defaulting to no policy\n"), canon);
}
}
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 44859a378..b514fe279 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -458,7 +458,7 @@ Example:
.nf
.ft C
kadmin: addprinc jennifer
-WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
diff --git a/src/po/de.po b/src/po/de.po
index 40e31da90..5d78bdded 100644
--- a/src/po/de.po
+++ b/src/po/de.po
@@ -1690,16 +1690,16 @@ msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n"
#: ../../src/kadmin/cli/kadmin.c:1230
#, c-format
-msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
+msgid "No policy specified for %s; assigning \"default\"\n"
msgstr ""
-"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« "
+"Für %s wurde keine Richtlinie angegeben, es wird »default« "
"zugewiesen\n"
#: ../../src/kadmin/cli/kadmin.c:1235
#, c-format
-msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
+msgid "No policy specified for %s; defaulting to no policy\n"
msgstr ""
-"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe "
+"Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe "
"»keine\n"
"Richtlinie« verwandt.\n"
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index 8cfbe9f3c..de1998d2f 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -1645,12 +1645,12 @@ msgstr ""
#: ../../src/kadmin/cli/kadmin.c:1228
#, c-format
-msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
+msgid "No policy specified for %s; assigning \"default\"\n"
msgstr ""
#: ../../src/kadmin/cli/kadmin.c:1234
#, c-format
-msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
+msgid "No policy specified for %s; defaulting to no policy\n"
msgstr ""
#: ../../src/kadmin/cli/kadmin.c:1276


@ -1,70 +0,0 @@
From 073c20a214df8b416b8d848412256c57feb43ef0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Jul 2019 00:15:42 -0400
Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes()
Instead of erroring out when any invalid enctypes are present in the
caller's list, filter out the invalid ones and only error if no
enctypes remain.
ticket: 8819
(cherry picked from commit 37ab7ea128a4c2aa2dad65ab9006baded5335bc7)
---
src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++----------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c
index d9fd279ed..a74b161cb 100644
--- a/src/lib/gssapi/krb5/set_allowable_enctypes.c
+++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c
@@ -66,7 +66,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
const gss_OID desired_oid,
const gss_buffer_t value)
{
- unsigned int i;
+ unsigned int i, j;
krb5_enctype * new_ktypes;
OM_uint32 major_status;
krb5_gss_cred_id_t cred;
@@ -83,14 +83,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
/* verify and valildate cred handle */
cred = (krb5_gss_cred_id_t) *cred_handle;
- if (req->ktypes) {
- for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
- if (!krb5_c_valid_enctype(req->ktypes[i])) {
- kerr = KRB5_PROG_ETYPE_NOSUPP;
- goto error_out;
- }
- }
- } else {
+ if (req->ktypes == NULL) {
k5_mutex_lock(&cred->lock);
if (cred->req_enctypes)
free(cred->req_enctypes);
@@ -99,13 +92,19 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
- /* Copy the requested ktypes into the cred structure */
- if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) {
- memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i);
- new_ktypes[i] = 0; /* "null-terminate" the list */
+ /* Copy the requested enctypes into the cred structure. Filter out the
+ * ones we don't consider valid. Error out if no enctypes are valid. */
+ new_ktypes = k5calloc(req->num_ktypes + 1, sizeof(*new_ktypes), &kerr);
+ if (new_ktypes == NULL)
+ goto error_out;
+ for (i = 0, j = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
+ if (krb5_c_valid_enctype(req->ktypes[i]))
+ new_ktypes[j++] = req->ktypes[i];
}
- else {
- kerr = ENOMEM;
+ new_ktypes[j] = 0;
+ if (j == 0) {
+ free(new_ktypes);
+ kerr = KRB5_PROG_ETYPE_NOSUPP;
goto error_out;
}
k5_mutex_lock(&cred->lock);


@ -1,206 +0,0 @@
From 14bc517f1fbd0bc7b3a6137871c167c595747a3e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 20 Jul 2019 00:51:52 -0400
Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
Nothing in the code removes objects from soft_token.object.obs, so
simplify add_st_object() not to search for an empty slot. Avoid using
random() by using a counter for session handles and just the array
slot number for object handles. Add a helper get_rcfilename() to
facilitate checking the result of asprintf(). Properly initialize ap
in sprintf_fill(). Close the file handle in read_conf_file().
(cherry picked from commit b4831515b2f3b6fd7d7fd4bff4558c10c710891d)
---
src/tests/softpkcs11/main.c | 102 +++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 49 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 5255323d3..2d1448ca2 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -78,6 +78,7 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
(BL) = i2d_##T((S), &p); \
if ((BL) <= 0) { \
free((B)); \
+ (B) = NULL; \
(R) = EINVAL; \
} \
} \
@@ -149,6 +150,7 @@ static struct soft_token {
} state[10];
#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
FILE *logfile;
+ CK_SESSION_HANDLE next_session_handle;
} soft_token;
static void
@@ -179,6 +181,7 @@ snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
+ va_start(ap, fmt);
len = vsnprintf(str, size, fmt, ap);
va_end(ap);
if (len < 0 || len > size)
@@ -344,7 +347,13 @@ static struct st_object *
add_st_object(void)
{
struct st_object *o, **objs;
- int i;
+
+ objs = realloc(soft_token.object.objs,
+ (soft_token.object.num_objs + 1) *
+ sizeof(soft_token.object.objs[0]));
+ if (objs == NULL)
+ return NULL;
+ soft_token.object.objs = objs;
o = malloc(sizeof(*o));
if (o == NULL)
@@ -352,26 +361,9 @@ add_st_object(void)
memset(o, 0, sizeof(*o));
o->attrs = NULL;
o->num_attributes = 0;
+ o->object_handle = soft_token.object.num_objs;
- for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
- soft_token.object.objs[i] = o;
- break;
- }
- }
- if (i == soft_token.object.num_objs) {
- objs = realloc(soft_token.object.objs,
- (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
- if (objs == NULL) {
- free(o);
- return NULL;
- }
- soft_token.object.objs = objs;
- soft_token.object.objs[soft_token.object.num_objs++] = o;
- }
- soft_token.object.objs[i]->object_handle =
- (random() & (~OBJECT_ID_MASK)) | i;
-
+ soft_token.object.objs[soft_token.object.num_objs++] = o;
return o;
}
@@ -797,6 +789,8 @@ read_conf_file(const char *fn)
add_certificate(label, cert, key, id, anchor);
}
+
+ fclose(f);
}
static CK_RV
@@ -806,19 +800,47 @@ func_not_supported(void)
return CKR_FUNCTION_NOT_SUPPORTED;
}
+static char *
+get_rcfilename()
+{
+ struct passwd *pw;
+ const char *home = NULL;
+ char *fn;
+
+ if (getuid() == geteuid()) {
+ fn = getenv("SOFTPKCS11RC");
+ if (fn != NULL)
+ return strdup(fn);
+
+ home = getenv("HOME");
+ }
+
+ if (home == NULL) {
+ pw = getpwuid(getuid());
+ if (pw != NULL)
+ home = pw->pw_dir;
+ }
+
+ if (home == NULL)
+ return strdup("/etc/soft-token.rc");
+
+ if (asprintf(&fn, "%s/.soft-token.rc", home) < 0)
+ return NULL;
+ return fn;
+}
+
CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
size_t i;
+ char *fn;
st_logf("Initialize\n");
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
- srandom(getpid() ^ time(NULL));
-
for (i = 0; i < MAX_NUM_SESSION; i++) {
soft_token.state[i].session_handle = CK_INVALID_HANDLE;
soft_token.state[i].find.attributes = NULL;
@@ -850,31 +872,13 @@ C_Initialize(CK_VOID_PTR a)
st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
}
- {
- char *fn = NULL, *home = NULL;
-
- if (getuid() == geteuid()) {
- fn = getenv("SOFTPKCS11RC");
- if (fn)
- fn = strdup(fn);
- home = getenv("HOME");
- }
- if (fn == NULL && home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
- if (fn == NULL) {
- if (home)
- asprintf(&fn, "%s/.soft-token.rc", home);
- else
- fn = strdup("/etc/soft-token.rc");
- }
-
- read_conf_file(fn);
- free(fn);
- }
+ soft_token.next_session_handle = 0;
+ fn = get_rcfilename();
+ if (fn == NULL)
+ return CKR_DEVICE_MEMORY;
+ read_conf_file(fn);
+ free(fn);
return CKR_OK;
}
@@ -1082,8 +1086,7 @@ C_OpenSession(CK_SLOT_ID slotID,
soft_token.open_sessions++;
- soft_token.state[i].session_handle =
- (CK_SESSION_HANDLE)(random() & 0xfffff);
+ soft_token.state[i].session_handle = soft_token.next_session_handle++;
*phSession = soft_token.state[i].session_handle;
return CKR_OK;
@@ -1152,7 +1155,8 @@ C_Login(CK_SESSION_HANDLE hSession,
VERIFY_SESSION_HANDLE(hSession, NULL);
if (pPin != NULL_PTR) {
- asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+ if (asprintf(&pin, "%.*s", (int)ulPinLen, pPin) < 0)
+ return CKR_DEVICE_MEMORY;
st_logf("type: %d password: %s\n", (int)userType, pin);
}


@ -1,31 +0,0 @@
From 2f939727e531f04a24b687b9807b2e23599a2e4f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 25 Sep 2019 12:57:56 -0400
Subject: [PATCH] Fix KDC crash when logging PKINIT enctypes
Commit a649279727490687d54becad91fde8cf7429d951 introduced a KDC crash
bug due to transposed strlcpy() arguments. Fix the argument order.
This bug does not affect any MIT krb5 release, but affects the Fedora
krb5 packages due to backports. CVE-2019-14844 has been issued as a
result.
ticket: 8772
(cherry picked from commit 275c9a1aad36a1a7b56042f1a2c21c33e7d16eaf)
---
src/kdc/kdc_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 23ad6c584..698f18c1c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1080,7 +1080,7 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
- if (strlcpy(name, buf, buflen) >= buflen)
+ if (strlcpy(buf, name, buflen) >= buflen)
return ENOMEM;
return 0;
}


@ -1,302 +0,0 @@
From d62cb044abe57eda1216f9ab97f50bd178f1d495 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 Dec 2019 17:37:41 -0500
Subject: [PATCH] Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
ticket: 8861 (new)
tags: pullup
target_version: 1.17-next
(cherry picked from commit 6b004dd5739bded71be4290c11e7ac3a816c7e09)
---
src/lib/kadm5/srv/svr_principal.c | 92 +++++++++----------
.../kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 ---
src/tests/t_kdb.py | 17 ++++
3 files changed, 60 insertions(+), 62 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index a1ecdbfc4..35bbf1218 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -356,6 +356,11 @@ kadm5_create_principal_3(void *server_handle,
kdb = calloc(1, sizeof(*kdb));
if (kdb == NULL)
return ENOMEM;
+
+ /* In all cases the principal entry is new and key data is set; let the
+ * database provider know. */
+ kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL;
+
memset(&adb, 0, sizeof(osa_princ_ent_rec));
/*
@@ -405,14 +410,12 @@ kadm5_create_principal_3(void *server_handle,
kdb->expiration = handle->params.expiration;
kdb->pw_expiration = 0;
- if (have_polent) {
- if(polent.pw_max_life)
- kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
- else
- kdb->pw_expiration = 0;
- }
- if ((mask & KADM5_PW_EXPIRATION))
+ if (mask & KADM5_PW_EXPIRATION) {
kdb->pw_expiration = entry->pw_expiration;
+ } else if (have_polent && polent.pw_max_life) {
+ kdb->mask |= KADM5_PW_EXPIRATION;
+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
+ }
kdb->last_success = 0;
kdb->last_failed = 0;
@@ -503,9 +506,6 @@ kadm5_create_principal_3(void *server_handle,
adb.policy = entry->policy;
}
- /* In all cases key and the principal data is set, let the database provider know */
- kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
-
/* store the new db entry */
ret = kdb_put_entry(handle, kdb, &adb);
@@ -601,6 +601,9 @@ kadm5_modify_principal(void *server_handle,
if (ret)
return(ret);
+ /* Let the mask propagate to the database provider. */
+ kdb->mask = mask;
+
/*
* This is pretty much the same as create ...
*/
@@ -616,11 +619,15 @@ kadm5_modify_principal(void *server_handle,
free(adb.policy);
adb.policy = strdup(entry->policy);
}
- if (have_pol) {
+
+ if (mask & KADM5_PW_EXPIRATION) {
+ kdb->pw_expiration = entry->pw_expiration;
+ } else if (have_pol) {
/* set pw_max_life based on new policy */
+ kdb->mask |= KADM5_PW_EXPIRATION;
if (pol.pw_max_life) {
ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
- &(kdb->pw_expiration));
+ &kdb->pw_expiration);
if (ret)
goto done;
kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
@@ -642,8 +649,6 @@ kadm5_modify_principal(void *server_handle,
kdb->max_life = entry->max_life;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
kdb->expiration = entry->princ_expire_time;
- if (mask & KADM5_PW_EXPIRATION)
- kdb->pw_expiration = entry->pw_expiration;
if (mask & KADM5_MAX_RLIFE)
kdb->max_renewable_life = entry->max_renewable_life;
@@ -682,9 +687,6 @@ kadm5_modify_principal(void *server_handle,
kdb->fail_auth_count = 0;
}
- /* let the mask propagate to the database provider */
- kdb->mask = mask;
-
ret = k5_kadm5_hook_modify(handle->context, handle->hook_handles,
KADM5_HOOK_STAGE_PRECOMMIT, entry, mask);
if (ret)
@@ -1362,6 +1364,11 @@ kadm5_chpass_principal_3(void *server_handle,
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
+ /* We will always be changing the key data, attributes, auth failure count,
+ * and password expiration time. */
+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT |
+ KADM5_PW_EXPIRATION;
+
ret = apply_keysalt_policy(handle, adb.policy, n_ks_tuple, ks_tuple,
&new_n_ks_tuple, &new_ks_tuple);
if (ret)
@@ -1407,6 +1414,7 @@ kadm5_chpass_principal_3(void *server_handle,
if (ret)
goto done;
+ kdb->pw_expiration = 0;
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
@@ -1439,10 +1447,6 @@ kadm5_chpass_principal_3(void *server_handle,
if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
- kdb->pw_expiration = 0;
}
#ifdef USE_PASSWORD_SERVER
@@ -1481,11 +1485,6 @@ kadm5_chpass_principal_3(void *server_handle,
/* unlock principal on this KDC */
kdb->fail_auth_count = 0;
- /* key data and attributes changed, let the database provider know */
- kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
- KADM5_FAIL_AUTH_COUNT;
- /* | KADM5_CPW_FUNCTION */
-
if (hist_added)
kdb->mask |= KADM5_KEY_HIST;
@@ -1560,6 +1559,11 @@ kadm5_randkey_principal_3(void *server_handle,
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
+ /* We will always be changing the key data, attributes, auth failure count,
+ * and password expiration time. */
+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT |
+ KADM5_PW_EXPIRATION;
+
ret = apply_keysalt_policy(handle, adb.policy, n_ks_tuple, ks_tuple,
&new_n_ks_tuple, &new_ks_tuple);
if (ret)
@@ -1599,14 +1603,10 @@ kadm5_randkey_principal_3(void *server_handle,
if (ret)
goto done;
}
- if (have_pol) {
- if (pol.pw_max_life)
- kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
- kdb->pw_expiration = 0;
- }
+
+ kdb->pw_expiration = 0;
+ if (have_pol && pol.pw_max_life)
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
@@ -1624,10 +1624,6 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
}
- /* key data changed, let the database provider know */
- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
- /* | KADM5_RANDKEY_USED */;
-
ret = k5_kadm5_hook_chpass(handle->context, handle->hook_handles,
KADM5_HOOK_STAGE_PRECOMMIT, principal, keepold,
new_n_ks_tuple, new_ks_tuple, NULL);
@@ -1763,6 +1759,11 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
if (ret)
return ret;
+ /* We will always be changing the key data, attributes, auth failure count,
+ * and password expiration time. */
+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT |
+ KADM5_PW_EXPIRATION;
+
if (kvno == 0) {
/* Pick the next kvno. */
for (i = 0; i < kdb->n_key_data; i++) {
@@ -1864,14 +1865,10 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
if (ret)
goto done;
}
- if (have_pol) {
- if (pol.pw_max_life)
- kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
- kdb->pw_expiration = 0;
- }
+
+ kdb->pw_expiration = 0;
+ if (have_pol && pol.pw_max_life)
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
@@ -1880,9 +1877,6 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
/* Unlock principal on this KDC. */
kdb->fail_auth_count = 0;
- /* key data changed, let the database provider know */
- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
-
ret = kdb_put_entry(handle, kdb, &adb);
if (ret)
goto done;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c02814..fa0a2c683 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -1233,19 +1233,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
goto cleanup;
}
- if (!(entry->mask & KADM5_PRINCIPAL)) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods,
- "krbpasswordexpiration",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
/* Update last password change whenever a new key is set */
{
krb5_timestamp last_pw_changed;
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7271fcbbd..d18f672c1 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -494,6 +494,23 @@ else:
realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
+# Regression test for #8861 (pw_expiration policy enforcement).
+mark('pw_expiration propogation')
+# Create a policy with a max life and verify its application.
+realm.run([kadminl, 'addpol', '-maxlife', '1s', 'pw_e'])
+realm.run([kadminl, 'addprinc', '-policy', 'pw_e', '-pw', 'password',
+ 'pwuser'])
+out = realm.run([kadminl, 'getprinc', 'pwuser'],
+ expected_msg='Password expiration date: ')
+if 'Password expiration date: [never]' in out:
+ fail('pw_expiration not applied at principal creation')
+# Unset the policy max life and verify its application during password
+# change.
+realm.run([kadminl, 'modpol', '-maxlife', '0', 'pw_e'])
+realm.run([kadminl, 'cpw', '-pw', 'password_', 'pwuser'])
+realm.run([kadminl, 'getprinc', 'pwuser'],
+ expected_msg='Password expiration date: [never]')
+
realm.stop()
# Briefly test dump and load.


@ -1,29 +0,0 @@
From bde05bf227939691855c025ce3c79cda07093fa7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Apr 2019 10:47:35 -0400
Subject: [PATCH] Fix config realm change logic in FILE remove_cred
Use data_eq_string() to check the server realm, and do not check if
cred->server is NULL since it is not expected to be (and
k5_marshal_cred() would have already crashed if it were).
ticket: 8792
(cherry picked from commit e5367fcddd53dc4db0c1fd2279e91eda3791960a)
---
src/lib/krb5/ccache/cc_file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 09da38fa9..a3f67766e 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -1058,8 +1058,7 @@ delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor,
/* For config entries, also change the realm so that other implementations
* won't match them. */
- if (cred->server != NULL && cred->server->realm.length > 0 &&
- strcmp(cred->server->realm.data, "X-CACHECONF:") == 0)
+ if (data_eq_string(cred->server->realm, "X-CACHECONF:"))
memcpy(cred->server->realm.data, "X-RMED-CONF:", 12);
k5_marshal_cred(&overwrite, fcursor->version, cred);


@ -1,30 +0,0 @@
From 87d0a1364b9ddb4b9ed8dfaee3022172bfb879ba Mon Sep 17 00:00:00 2001
From: Jeffrey Arbuckle <jeffa.lans@gmail.com>
Date: Sat, 21 Dec 2019 22:59:20 -0500
Subject: [PATCH] Fix handling of invalid CAMMAC service verifier
In extract_cammacs(), avoid a null dereference if the CAMMAC service
verifier is invalid or the CAMMAC is empty.
ticket: 8856
tags: pullup
target_version: 1.17-next
(cherry picked from commit 8451ff6ed57361de585a35f35a39c54dc48172c7)
---
src/lib/krb5/krb/authdata.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 3e7dfbe49..d3096e5a2 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -557,6 +557,8 @@ extract_cammacs(krb5_context kcontext, krb5_authdata **cammacs,
if (ret && ret != KRB5KRB_AP_ERR_BAD_INTEGRITY)
goto cleanup;
ret = 0;
+ if (elements == NULL)
+ continue;
/* Add the verified elements to list and free the container array. */
for (n_elements = 0; elements[n_elements] != NULL; n_elements++);


@ -1,122 +0,0 @@
From b0acd2918e673a60a88cfed9fe7da08fb7fc4987 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 5 Aug 2019 01:53:51 -0400
Subject: [PATCH] Fix memory leaks in soft-pkcs11 code
Fix leaks detected by asan in t_pkinit.py. Add a helper to free a
struct st_object and free objects in C_Finalize(). Duplicate the X509
cert in add_certificate() instead of creating aliases so it can be
properly freed. Start the session handle counter at 1 so that
C_Finalize() won't confuse the first session handle with
CK_INVALID_HANDLE (defined to 0 in pkinit.h) and will properly clean
the session object.
(cherry picked from commit 15bcaf8bcb4af25ff89820ad3bf23ad5a324e863)
---
src/tests/softpkcs11/main.c | 44 +++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2d1448ca2..a4c3ae78e 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -109,7 +109,7 @@ struct st_object {
X509 *cert;
EVP_PKEY *public_key;
struct {
- const char *file;
+ char *file;
EVP_PKEY *key;
X509 *cert;
} private_key;
@@ -343,6 +343,26 @@ print_attributes(const CK_ATTRIBUTE *attributes,
}
}
+static void
+free_st_object(struct st_object *o)
+{
+ int i;
+
+ for (i = 0; i < o->num_attributes; i++)
+ free(o->attrs[i].attribute.pValue);
+ free(o->attrs);
+ if (o->type == STO_T_CERTIFICATE) {
+ X509_free(o->u.cert);
+ } else if (o->type == STO_T_PRIVATE_KEY) {
+ free(o->u.private_key.file);
+ EVP_PKEY_free(o->u.private_key.key);
+ X509_free(o->u.private_key.cert);
+ } else if (o->type == STO_T_PUBLIC_KEY) {
+ EVP_PKEY_free(o->u.public_key);
+ }
+ free(o);
+}
+
static struct st_object *
add_st_object(void)
{
@@ -518,7 +538,11 @@ add_certificate(char *label,
goto out;
}
o->type = STO_T_CERTIFICATE;
- o->u.cert = cert;
+ o->u.cert = X509_dup(cert);
+ if (o->u.cert == NULL) {
+ ret = CKR_DEVICE_MEMORY;
+ goto out;
+ }
public_key = X509_get_pubkey(o->u.cert);
switch (EVP_PKEY_base_id(public_key)) {
@@ -602,7 +626,11 @@ add_certificate(char *label,
o->u.private_key.file = strdup(private_key_file);
o->u.private_key.key = NULL;
- o->u.private_key.cert = cert;
+ o->u.private_key.cert = X509_dup(cert);
+ if (o->u.private_key.cert == NULL) {
+ ret = CKR_DEVICE_MEMORY;
+ goto out;
+ }
c = CKO_PRIVATE_KEY;
add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
@@ -676,6 +704,7 @@ add_certificate(char *label,
free(serial_data);
free(issuer_data);
free(subject_data);
+ X509_free(cert);
return ret;
}
@@ -872,7 +901,7 @@ C_Initialize(CK_VOID_PTR a)
st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
}
- soft_token.next_session_handle = 0;
+ soft_token.next_session_handle = 1;
fn = get_rcfilename();
if (fn == NULL)
@@ -886,6 +915,7 @@ CK_RV
C_Finalize(CK_VOID_PTR args)
{
size_t i;
+ int j;
st_logf("Finalize\n");
@@ -897,6 +927,12 @@ C_Finalize(CK_VOID_PTR args)
}
}
+ for (j = 0; j < soft_token.object.num_objs; j++)
+ free_st_object(soft_token.object.objs[j]);
+ free(soft_token.object.objs);
+ soft_token.object.objs = NULL;
+ soft_token.object.num_objs = 0;
+
return CKR_OK;
}


@ -1,41 +0,0 @@
From 343068058951e343179156e895c7483ab8194236 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 8 Nov 2019 14:28:56 -0500
Subject: [PATCH] Fix minor errors in softpkcs11
Fix a printf type mismatch in attributes_match() reported by Coverity,
and a possible uninitizlied use of key_type in add_certificate()
reported by clang.
[ghudson@mit.edu: squashed commits and rewrote commit message]
(cherry picked from commit 560e48fee9a192ed4eb1b6cbd62c119087b53948)
---
src/tests/softpkcs11/main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index a4c3ae78e..1cccdfb43 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -261,7 +261,7 @@ attributes_match(const struct st_object *obj,
}
}
if (match == 0) {
- st_logf("type %d attribute have no match\n", attributes[i].type);
+ st_logf("type %lu attribute have no match\n", attributes[i].type);
return 0;
}
}
@@ -553,8 +553,9 @@ add_certificate(char *label,
key_type = CKK_DSA;
break;
default:
- /* XXX */
- break;
+ st_logf("invalid key_type\n");
+ ret = CKR_GENERAL_ERROR;
+ goto out;
}
c = CKO_CERTIFICATE;


@ -1,30 +0,0 @@
From 20e18b31bac004c13b7f2b5b1e67e80730481aea Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 18 Apr 2019 13:39:37 -0400
Subject: [PATCH] Fix potential close(-1) in cc_file.c
As part of error handling in d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5,
an error path in delete_cred() may result in close(-1). While this
shouldn't be a prolblem in practice (just returning EBADF), it does
upset Coverity.
ticket: 8792
(cherry picked from commit 5ccfbaf2f0c8871d2f0ea87ad4b21cc33392ca2c)
---
src/lib/krb5/ccache/cc_file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index a3f67766e..bf58c1d45 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -1122,7 +1122,8 @@ delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor,
}
cleanup:
- close(fd);
+ if (fd >= 0)
+ close(fd);
zapfree(on_disk, expected.len);
k5_buf_free(&expected);
k5_buf_free(&overwrite);


@ -1,138 +0,0 @@
From e48e04d955c809c6f7b4f9052294d407f0d93daa Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 10 Dec 2019 12:06:05 -0500
Subject: [PATCH] Fix xdr_bytes() strict-aliasing violations
When xdr_bytes() is used for a gss_buffer_desc object, a temporary
character pointer must be used for the data value to avoid a strict
aliasing violation.
When xdr_bytes() is used for a krb5_keyblock object, a temporary
character pointer must also be used, even though the data pointer is
of type unsigned char *, to avoid a clang warning on macOS due to the
"#pragma pack" declaration in krb5.h.
(cherry picked from commit 21b39d0196e3e0bb6b1bfbf5d60a0596cfc82e27)
---
src/lib/kadm5/kadm_rpc_xdr.c | 8 +++++---
src/lib/rpc/auth_gssapi_misc.c | 21 +++++++++++++--------
src/lib/rpc/authgss_prot.c | 5 ++++-
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index f22ea7f1f..8383e4e23 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -1125,14 +1125,16 @@ xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp)
bool_t
xdr_krb5_keyblock(XDR *xdrs, krb5_keyblock *objp)
{
+ char *cp;
+
/* XXX This only works because free_keyblock assumes ->contents
is allocated by malloc() */
-
if(!xdr_krb5_enctype(xdrs, &objp->enctype))
return FALSE;
- if(!xdr_bytes(xdrs, (char **) &objp->contents, (unsigned int *)
- &objp->length, ~0))
+ cp = (char *)objp->contents;
+ if(!xdr_bytes(xdrs, &cp, &objp->length, ~0))
return FALSE;
+ objp->contents = (uint8_t *)cp;
return TRUE;
}
diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index a05ea19eb..a60eb7f7c 100644
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -45,9 +45,11 @@ bool_t xdr_gss_buf(
bool_t result;
/* Fix type mismatches between APIs. */
unsigned int length = buf->length;
- result = xdr_bytes(xdrs, (char **) &buf->value, &length,
+ char *cp = buf->value;
+ result = xdr_bytes(xdrs, &cp, &length,
(xdrs->x_op == XDR_DECODE && buf->value == NULL)
? (unsigned int) -1 : (unsigned int) buf->length);
+ buf->value = cp;
buf->length = length;
return result;
}
@@ -204,6 +206,7 @@ bool_t auth_gssapi_wrap_data(
XDR temp_xdrs;
int conf_state;
unsigned int length;
+ char *cp;
PRINTF(("gssapi_wrap_data: starting\n"));
@@ -243,13 +246,13 @@ bool_t auth_gssapi_wrap_data(
/* write the token */
length = out_buf.length;
- if (! xdr_bytes(out_xdrs, (char **) &out_buf.value,
- (unsigned int *) &length,
- out_buf.length)) {
+ cp = out_buf.value;
+ if (! xdr_bytes(out_xdrs, &cp, &length, out_buf.length)) {
PRINTF(("gssapi_wrap_data: serializing encrypted data failed\n"));
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
+ out_buf.value = cp;
*major = gss_release_buffer(minor, &out_buf);
@@ -272,6 +275,7 @@ bool_t auth_gssapi_unwrap_data(
uint32_t verf_seq_num;
int conf, qop;
unsigned int length;
+ char *cp;
PRINTF(("gssapi_unwrap_data: starting\n"));
@@ -280,14 +284,15 @@ bool_t auth_gssapi_unwrap_data(
in_buf.value = NULL;
out_buf.value = NULL;
- if (! xdr_bytes(in_xdrs, (char **) &in_buf.value,
- &length, (unsigned int) -1)) {
+ cp = in_buf.value;
+ if (! xdr_bytes(in_xdrs, &cp, &length, (unsigned int) -1)) {
PRINTF(("gssapi_unwrap_data: deserializing encrypted data failed\n"));
temp_xdrs.x_op = XDR_FREE;
- (void)xdr_bytes(&temp_xdrs, (char **) &in_buf.value, &length,
- (unsigned int) -1);
+ (void)xdr_bytes(&temp_xdrs, &cp, &length, (unsigned int) -1);
+ in_buf.value = NULL;
return FALSE;
}
+ in_buf.value = cp;
in_buf.length = length;
*major = gss_unseal(minor, context, &in_buf, &out_buf, &conf,
diff --git a/src/lib/rpc/authgss_prot.c b/src/lib/rpc/authgss_prot.c
index a5a587f90..9a48277b3 100644
--- a/src/lib/rpc/authgss_prot.c
+++ b/src/lib/rpc/authgss_prot.c
@@ -50,6 +50,7 @@ xdr_rpc_gss_buf(XDR *xdrs, gss_buffer_t buf, u_int maxsize)
{
bool_t xdr_stat;
u_int tmplen;
+ char *cp;
if (xdrs->x_op != XDR_DECODE) {
if (buf->length > UINT_MAX)
@@ -57,7 +58,9 @@ xdr_rpc_gss_buf(XDR *xdrs, gss_buffer_t buf, u_int maxsize)
else
tmplen = buf->length;
}
- xdr_stat = xdr_bytes(xdrs, (char **)&buf->value, &tmplen, maxsize);
+ cp = buf->value;
+ xdr_stat = xdr_bytes(xdrs, &cp, &tmplen, maxsize);
+ buf->value = cp;
if (xdr_stat && xdrs->x_op == XDR_DECODE)
buf->length = tmplen;


@ -1,599 +0,0 @@
From adeba65ff738184656bb9589e1e3ffb079d3adf0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 1 Apr 2019 14:28:48 -0400
Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
Previously, only KCM and MSLA implemented credential removal. Add
support for FILE (and therefore DIR), MEMORY, and KEYRING.
The FILE logic is similar Heimdal's implementation, with additional
logic for skipping removed creds during iteration. In addition to
setting endtime to 0 and changing the realm for config entries as
Heimdal does, we set authtime to -1 to make deleted entries
distinguishable from gssproxy encrypted creds and config entries.
For MEMORY, leave behind empty list elements when removing a cred will
leave behind an empty list element, in case an iterator holds a
pointer to that element.
[ghudson@mit.edu: edited commit message; made minor style and comment
changes; fixed memory leaks detected by asan]
ticket: 8792 (new)
(cherry picked from commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5)
---
src/lib/krb5/ccache/cc_file.c | 177 ++++++++++++++++++++++++++++---
src/lib/krb5/ccache/cc_keyring.c | 89 +++++++++++-----
src/lib/krb5/ccache/cc_memory.c | 36 +++++--
src/lib/krb5/ccache/t_cc.c | 129 +++++++++++++++++++++-
4 files changed, 381 insertions(+), 50 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 9263a0054..09da38fa9 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -744,6 +744,14 @@ cleanup:
return set_errmsg_filename(context, ret, data->filename);
}
+/* Return true if cred is a removed entry (assuming that no legitimate cred
+ * entries will have authtime=-1 and endtime=0). */
+static inline krb5_boolean
+cred_removed(krb5_creds *c)
+{
+ return c->times.endtime == 0 && c->times.authtime == -1;
+}
+
/* Get the next credential from the cache file. */
static krb5_error_code KRB5_CALLCONV
fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
@@ -765,19 +773,30 @@ fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
goto cleanup;
file_locked = TRUE;
- /* Load a marshalled cred into memory. */
- ret = get_size(context, fcursor->fp, &maxsize);
- if (ret)
- goto cleanup;
- ret = load_cred(context, fcursor->fp, fcursor->version, maxsize, &buf);
- if (ret)
- goto cleanup;
- ret = k5_buf_status(&buf);
- if (ret)
- goto cleanup;
+ for (;;) {
+ /* Load a marshalled cred into memory. */
+ ret = get_size(context, fcursor->fp, &maxsize);
+ if (ret)
+ goto cleanup;
+ ret = load_cred(context, fcursor->fp, fcursor->version, maxsize, &buf);
+ if (ret)
+ goto cleanup;
+ ret = k5_buf_status(&buf);
+ if (ret)
+ goto cleanup;
- /* Unmarshal it from buf into creds. */
- ret = k5_unmarshal_cred(buf.data, buf.len, fcursor->version, creds);
+ /* Unmarshal it from buf into creds. */
+ ret = k5_unmarshal_cred(buf.data, buf.len, fcursor->version, creds);
+ if (ret)
+ goto cleanup;
+
+ /* Keep going if this entry has been removed; otherwise stop. */
+ if (!cred_removed(creds))
+ break;
+
+ k5_buf_truncate(&buf, 0);
+ krb5_free_cred_contents(context, creds);
+ }
cleanup:
if (file_locked)
@@ -1002,12 +1021,142 @@ cleanup:
return set_errmsg_filename(context, ret ? ret : ret2, data->filename);
}
-/* Non-functional stub for removing a cred from the cache file. */
+/*
+ * Overwrite cred in the ccache file with an entry that should not match any
+ * reasonable search. Deletion is not guaranteed. This method is originally
+ * from Heimdal, with the addition of setting authtime to -1.
+ */
+static krb5_error_code
+delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor,
+ krb5_creds *cred)
+{
+ krb5_error_code ret;
+ krb5_fcc_cursor *fcursor = *cursor;
+ fcc_data *data = cache->data;
+ struct k5buf expected = EMPTY_K5BUF, overwrite = EMPTY_K5BUF;
+ int fd = -1;
+ uint8_t *on_disk = NULL;
+ ssize_t rwret;
+ off_t start_offset;
+
+ k5_buf_init_dynamic_zap(&expected);
+ k5_buf_init_dynamic_zap(&overwrite);
+
+ /* Re-marshal cred to get its byte representation in the file. */
+ k5_marshal_cred(&expected, fcursor->version, cred);
+ ret = k5_buf_status(&expected);
+ if (ret)
+ goto cleanup;
+
+ /*
+ * Mark the cred expired so that it will be skipped over by any future
+ * match checks. Heimdal only sets endtime, but we also set authtime to
+ * distinguish from gssproxy's creds.
+ */
+ cred->times.endtime = 0;
+ cred->times.authtime = -1;
+
+ /* For config entries, also change the realm so that other implementations
+ * won't match them. */
+ if (cred->server != NULL && cred->server->realm.length > 0 &&
+ strcmp(cred->server->realm.data, "X-CACHECONF:") == 0)
+ memcpy(cred->server->realm.data, "X-RMED-CONF:", 12);
+
+ k5_marshal_cred(&overwrite, fcursor->version, cred);
+ ret = k5_buf_status(&overwrite);
+ if (ret)
+ goto cleanup;
+
+ if (expected.len != overwrite.len) {
+ ret = KRB5_CC_FORMAT;
+ goto cleanup;
+ }
+
+ /* Get a non-O_APPEND handle to the raw file. */
+ fd = open(data->filename, O_RDWR | O_BINARY | O_CLOEXEC);
+ if (fd == -1) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ }
+
+ start_offset = ftell(fcursor->fp);
+ if (start_offset == -1) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ }
+ start_offset -= expected.len;
+
+ /* Read the bytes at the entry to be overwritten. */
+ if (lseek(fd, start_offset, SEEK_SET) == -1) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ }
+ on_disk = k5alloc(expected.len, &ret);
+ if (ret != 0)
+ goto cleanup;
+ rwret = read(fd, on_disk, expected.len);
+ if (rwret < 0) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ } else if ((size_t)rwret != expected.len) {
+ ret = KRB5_CC_FORMAT;
+ goto cleanup;
+ }
+
+ /*
+ * If the bytes have changed, either someone else removed the same cred or
+ * the cache was reinitialized. Either way the cred is no longer present,
+ * so return successfully.
+ */
+ if (memcmp(on_disk, expected.data, expected.len) != 0)
+ goto cleanup;
+
+ /* Write out the altered entry. */
+ if (lseek(fd, start_offset, SEEK_SET) == -1) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ }
+ rwret = write(fd, overwrite.data, overwrite.len);
+ if (rwret < 0) {
+ ret = interpret_errno(context, errno);
+ goto cleanup;
+ }
+
+cleanup:
+ close(fd);
+ zapfree(on_disk, expected.len);
+ k5_buf_free(&expected);
+ k5_buf_free(&overwrite);
+ return ret;
+}
+
+/* Remove the given creds from the ccache file. */
static krb5_error_code KRB5_CALLCONV
fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
krb5_creds *creds)
{
- return KRB5_CC_NOSUPP;
+ krb5_error_code ret;
+ krb5_cc_cursor cursor;
+ krb5_creds cur;
+
+ ret = krb5_cc_start_seq_get(context, cache, &cursor);
+ if (ret)
+ return ret;
+
+ for (;;) {
+ ret = krb5_cc_next_cred(context, cache, &cursor, &cur);
+ if (ret)
+ break;
+
+ if (krb5int_cc_creds_match_request(context, flags, creds, &cur))
+ ret = delete_cred(context, cache, &cursor, &cur);
+ krb5_free_cred_contents(context, &cur);
+ if (ret)
+ break;
+ }
+
+ krb5_cc_end_seq_get(context, cache, &cursor);
+ return (ret == KRB5_CC_END) ? 0 : ret;
}
static krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 8419f6ebf..98723fe2e 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1032,40 +1032,44 @@ krcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
memset(creds, 0, sizeof(krb5_creds));
- /* The cursor has the entire list of keys. (Note that we don't support
- * remove_cred.) */
+ /* The cursor has the entire list of keys. */
krcursor = *cursor;
if (krcursor == NULL)
return KRB5_CC_END;
- /* If we're pointing past the end of the keys array, there are no more. */
- if (krcursor->currkey >= krcursor->numkeys)
- return KRB5_CC_END;
+ while (krcursor->currkey < krcursor->numkeys) {
+ /* If we're pointing at the entry with the principal, or at the key
+ * with the time offsets, skip it. */
+ if (krcursor->keys[krcursor->currkey] == krcursor->princ_id ||
+ krcursor->keys[krcursor->currkey] == krcursor->offsets_id) {
+ krcursor->currkey++;
+ continue;
+ }
- /* If we're pointing at the entry with the principal, or at the key
- * with the time offsets, skip it. */
- while (krcursor->keys[krcursor->currkey] == krcursor->princ_id ||
- krcursor->keys[krcursor->currkey] == krcursor->offsets_id) {
+ /* Read the key; the right size buffer will be allocated and
+ * returned. */
+ psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey],
+ &payload);
+ if (psize != -1) {
+ krcursor->currkey++;
+
+ /* Unmarshal the cred using the file ccache version 4 format. */
+ ret = k5_unmarshal_cred(payload, psize, 4, creds);
+ free(payload);
+ return ret;
+ } else if (errno != ENOKEY && errno != EACCES) {
+ DEBUG_PRINT(("Error reading key %d: %s\n",
+ krcursor->keys[krcursor->currkey], strerror(errno)));
+ return KRB5_FCC_NOFILE;
+ }
+
+ /* The current key was unlinked, probably by a remove_cred call; move
+ * on to the next one. */
krcursor->currkey++;
- /* Check if we have now reached the end */
- if (krcursor->currkey >= krcursor->numkeys)
- return KRB5_CC_END;
}
- /* Read the key; the right size buffer will be allocated and returned. */
- psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload);
- if (psize == -1) {
- DEBUG_PRINT(("Error reading key %d: %s\n",
- krcursor->keys[krcursor->currkey],
- strerror(errno)));
- return KRB5_FCC_NOFILE;
- }
- krcursor->currkey++;
-
- /* Unmarshal the credential using the file ccache version 4 format. */
- ret = k5_unmarshal_cred(payload, psize, 4, creds);
- free(payload);
- return ret;
+ /* No more keys in keyring. */
+ return KRB5_CC_END;
}
/* Release an iteration cursor. */
@@ -1248,12 +1252,41 @@ krcc_retrieve(krb5_context context, krb5_ccache id,
creds);
}
-/* Non-functional stub for removing a cred from the cache keyring. */
+/* Remove a credential from the cache keyring. */
static krb5_error_code KRB5_CALLCONV
krcc_remove_cred(krb5_context context, krb5_ccache cache,
krb5_flags flags, krb5_creds *creds)
{
- return KRB5_CC_NOSUPP;
+ krb5_error_code ret;
+ krcc_data *data = cache->data;
+ krb5_cc_cursor cursor;
+ krb5_creds c;
+ krcc_cursor krcursor;
+ key_serial_t key;
+ krb5_boolean match;
+
+ ret = krcc_start_seq_get(context, cache, &cursor);
+ if (ret)
+ return ret;
+
+ for (;;) {
+ ret = krcc_next_cred(context, cache, &cursor, &c);
+ if (ret)
+ break;
+ match = krb5int_cc_creds_match_request(context, flags, creds, &c);
+ krb5_free_cred_contents(context, &c);
+ if (match) {
+ krcursor = cursor;
+ key = krcursor->keys[krcursor->currkey - 1];
+ if (keyctl_unlink(key, data->cache_id) == -1) {
+ ret = errno;
+ break;
+ }
+ }
+ }
+
+ krcc_end_seq_get(context, cache, &cursor);
+ return (ret == KRB5_CC_END) ? 0 : ret;
}
/* Set flags on the cache. (We don't care about any flags.) */
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 114ef6913..edf6fcc26 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -405,14 +405,23 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id,
*/
k5_cc_mutex_lock(context, &d->lock);
if (mcursor->generation != d->generation) {
- k5_cc_mutex_unlock(context, &d->lock);
- return KRB5_CC_END;
+ retval = KRB5_CC_END;
+ goto done;
+ }
+
+ /* Skip over removed creds. */
+ while (mcursor->next_link != NULL && mcursor->next_link->creds == NULL)
+ mcursor->next_link = mcursor->next_link->next;
+ if (mcursor->next_link == NULL) {
+ retval = KRB5_CC_END;
+ goto done;
}
retval = k5_copy_creds_contents(context, mcursor->next_link->creds, creds);
if (retval == 0)
mcursor->next_link = mcursor->next_link->next;
+done:
k5_cc_mutex_unlock(context, &d->lock);
return retval;
}
@@ -592,16 +601,31 @@ krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
}
/*
- * Non-functional stub implementation for krb5_mcc_remove
+ * Modifies:
+ * the memory cache
*
- * Errors:
- * KRB5_CC_NOSUPP - not implemented
+ * Effects:
+ * Remove the given creds from the ccache.
*/
static krb5_error_code KRB5_CALLCONV
krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
krb5_creds *creds)
{
- return KRB5_CC_NOSUPP;
+ krb5_mcc_data *data = (krb5_mcc_data *)cache->data;
+ krb5_mcc_link *l;
+
+ k5_cc_mutex_lock(context, &data->lock);
+
+ for (l = data->link; l != NULL; l = l->next) {
+ if (l->creds != NULL &&
+ krb5int_cc_creds_match_request(context, flags, creds, l->creds)) {
+ krb5_free_creds(context, l->creds);
+ l->creds = NULL;
+ }
+ }
+
+ k5_cc_mutex_unlock(context, &data->lock);
+ return 0;
}
diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c
index cd4569c4c..954f2f465 100644
--- a/src/lib/krb5/ccache/t_cc.c
+++ b/src/lib/krb5/ccache/t_cc.c
@@ -36,7 +36,7 @@
#define KRB5_OK 0
-krb5_creds test_creds;
+krb5_creds test_creds, test_creds2;
int debug=0;
@@ -144,6 +144,10 @@ init_test_cred(krb5_context context)
a->length = 2;
test_creds.authdata[1] = a;
+ memcpy(&test_creds2, &test_creds, sizeof(test_creds));
+ kret = krb5_build_principal(context, &test_creds2.server, sizeof(REALM),
+ REALM, "server-comp1", "server-comp3", NULL);
+
cleanup:
if(kret) {
if (test_creds.client) {
@@ -170,6 +174,7 @@ free_test_cred(krb5_context context)
krb5_free_principal(context, test_creds.client);
krb5_free_principal(context, test_creds.server);
+ krb5_free_principal(context, test_creds2.server);
if(test_creds.authdata) {
krb5_free_authdata(context, test_creds.authdata);
@@ -199,6 +204,44 @@ free_test_cred(krb5_context context)
#define CHECK_FAIL(experr, kret, msg) \
if (experr != kret) { CHECK(kret, msg);}
+static void
+check_num_entries(krb5_context context, krb5_ccache cache, int expected,
+ unsigned linenum)
+{
+ krb5_error_code ret;
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ int count = 0;
+
+ ret = krb5_cc_start_seq_get(context, cache, &cursor);
+ if (ret != 0) {
+ com_err("", ret, "(on line %d) - krb5_cc_start_seq_get", linenum);
+ fflush(stderr);
+ exit(1);
+ }
+
+ while (1) {
+ ret = krb5_cc_next_cred(context, cache, &cursor, &creds);
+ if (ret)
+ break;
+
+ count++;
+ krb5_free_cred_contents(context, &creds);
+ }
+ krb5_cc_end_seq_get(context, cache, &cursor);
+ if (ret != KRB5_CC_END) {
+ CHECK(ret, "counting entries in ccache");
+ }
+
+ if (count != expected) {
+ com_err("", KRB5_FCC_INTERNAL,
+ "(on line %d) - count didn't match (expected %d, got %d)",
+ linenum, expected, count);
+ fflush(stderr);
+ exit(1);
+ }
+}
+
static void
cc_test(krb5_context context, const char *name, krb5_flags flags)
{
@@ -207,6 +250,7 @@ cc_test(krb5_context context, const char *name, krb5_flags flags)
krb5_error_code kret;
krb5_cc_cursor cursor;
krb5_principal tmp;
+ krb5_flags matchflags = KRB5_TC_MATCH_IS_SKEY;
const char *c_name;
char newcache[300];
@@ -311,9 +355,90 @@ cc_test(krb5_context context, const char *name, krb5_flags flags)
kret = krb5_cc_destroy(context, id2);
CHECK(kret, "destroy id2");
+ /* ----------------------------------------------------- */
+ /* Test credential removal */
+ kret = krb5_cc_resolve(context, name, &id);
+ CHECK(kret, "resolving for remove");
+
+ kret = krb5_cc_initialize(context, id, test_creds.client);
+ CHECK(kret, "initialize for remove");
+ check_num_entries(context, id, 0, __LINE__);
+
+ kret = krb5_cc_store_cred(context, id, &test_creds);
+ CHECK(kret, "store for remove (first pass)");
+ check_num_entries(context, id, 1, __LINE__); /* 1 */
+
+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds);
+ CHECK(kret, "removing credential (first pass)");
+ check_num_entries(context, id, 0, __LINE__); /* empty */
+
+ kret = krb5_cc_store_cred(context, id, &test_creds);
+ CHECK(kret, "first store for remove (second pass)");
+ check_num_entries(context, id, 1, __LINE__); /* 1 */
+
+ kret = krb5_cc_store_cred(context, id, &test_creds2);
+ CHECK(kret, "second store for remove (second pass)");
+ check_num_entries(context, id, 2, __LINE__); /* 1, 2 */
+
+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds2);
+ CHECK(kret, "first remove (second pass)");
+ check_num_entries(context, id, 1, __LINE__); /* 1 */
+
+ kret = krb5_cc_store_cred(context, id, &test_creds2);
+ CHECK(kret, "third store for remove (second pass)");
+ check_num_entries(context, id, 2, __LINE__); /* 1, 2 */
+
+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds);
+ CHECK(kret, "second remove (second pass)");
+ check_num_entries(context, id, 1, __LINE__); /* 2 */
+
+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds2);
+ CHECK(kret, "third remove (second pass)");
+ check_num_entries(context, id, 0, __LINE__); /* empty */
+
+ kret = krb5_cc_destroy(context, id);
+ CHECK(kret, "destruction for remove");
+
+ /* Test removal with iteration. */
+ kret = krb5_cc_resolve(context, name, &id);
+ CHECK(kret, "resolving for remove-iter");
+
+ kret = krb5_cc_initialize(context, id, test_creds.client);
+ CHECK(kret, "initialize for remove-iter");
+
+ kret = krb5_cc_store_cred(context, id, &test_creds);
+ CHECK(kret, "first store for remove-iter");
+
+ kret = krb5_cc_store_cred(context, id, &test_creds2);
+ CHECK(kret, "second store for remove-iter");
+
+ kret = krb5_cc_start_seq_get(context, id, &cursor);
+ CHECK(kret, "start_seq_get for remove-iter");
+
+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds);
+ CHECK(kret, "remove for remove-iter");
+
+ while (1) {
+ /* The removed credential may or may not be present in the cache -
+ * either behavior is technically correct. */
+ kret = krb5_cc_next_cred(context, id, &cursor, &creds);
+ if (kret == KRB5_CC_END)
+ break;
+ CHECK(kret, "next_cred for remove-iter: %s");
+
+ CHECK(creds.times.endtime == 0, "no-lifetime cred");
+
+ krb5_free_cred_contents(context, &creds);
+ }
+
+ kret = krb5_cc_end_seq_get(context, id, &cursor);
+ CHECK(kret, "end_seq_get for remove-iter");
+
+ kret = krb5_cc_destroy(context, id);
+ CHECK(kret, "destruction for remove-iter");
+
free(save_type);
free_test_cred(context);
-
}
/*


@ -1,55 +0,0 @@
From 69a09fc7c76f443f08c437043d689669d39f46ca Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:16 -0400
Subject: [PATCH] Improve error messages from kadmin change_password
The checks for missing option arguments were dead code, because the
loop condition requires at least two remaining arguments. Instead
check for at least one argument with a leading "-", and check for too
many or too few arguments after the loop. Add an initial message for
unrecognized options.
[ghudson@mit.edu: adjusted logic to improve mesages in more cases]
(cherry picked from commit 13ba54002d362ebb09be464b4e7ec75050d1348f)
---
src/kadmin/cli/kadmin.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index cc74921bf..fe4cb493c 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -797,11 +797,11 @@ kadmin_cpw(int argc, char *argv[])
char **db_args = NULL;
int db_args_size = 0;
- if (argc < 2) {
+ if (argc < 1) {
cpw_usage(NULL);
return;
}
- for (argv++, argc--; argc > 1; argc--, argv++) {
+ for (argv++, argc--; argc > 0 && **argv == '-'; argc--, argv++) {
if (!strcmp("-x", *argv)) {
argc--;
if (argc < 1) {
@@ -841,12 +841,16 @@ kadmin_cpw(int argc, char *argv[])
goto cleanup;
}
} else {
+ com_err("change_password", 0, _("unrecognized option %s"), *argv);
cpw_usage(NULL);
goto cleanup;
}
}
- if (*argv == NULL) {
- com_err("change_password", 0, _("missing principal name"));
+ if (argc != 1) {
+ if (argc < 1)
+ com_err("change_password", 0, _("missing principal name"));
+ else
+ com_err("change_password", 0, _("too many arguments"));
cpw_usage(NULL);
goto cleanup;
}


@ -1,28 +0,0 @@
From bcd727fc66e9213e7b6ea4d22f781812033789ba Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 13:41:16 -0500
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
This change replaces the last call of krb5_enctype_to_string() in our
sources with krb5_enctype_to_name(), ensuring that we log consistently
to users using readily discoverable strings.
(cherry picked from commit 30e12a2ecdf7e2a034a91626a03b5c9909e4c68d)
---
src/kprop/kpropd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 4cc035dc6..0c7bffa24 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -1279,7 +1279,8 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
exit(1);
}
- retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf));
+ retval = krb5_enctype_to_name(*etype, FALSE, etypebuf,
+ sizeof(etypebuf));
if (retval) {
com_err(progname, retval, _("while unparsing ticket etype"));
exit(1);


@ -1,54 +0,0 @@
From 7710ba9b6d48ae82a2b2559131c6a8da802a4c0d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 14 Jan 2019 17:14:42 -0500
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
The buffer specified in negotiate_etype() is too small for use with
the AES enctypes when used with krb5_enctype_to_string(), so switch to
using krb5_enctype_to_name().
(cherry picked from commit bf75ebf583a51bf00005a96d17924818d19377be)
---
src/lib/krb5/krb/rd_req_dec.c | 5 ++---
src/tests/gssapi/t_enctypes.py | 5 +++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 4cd429a11..e75192fee 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -864,9 +864,8 @@ negotiate_etype(krb5_context context,
if (permitted == FALSE) {
char enctype_name[30];
- if (krb5_enctype_to_string(desired_etypes[i],
- enctype_name,
- sizeof(enctype_name)) == 0)
+ if (krb5_enctype_to_name(desired_etypes[i], FALSE, enctype_name,
+ sizeof(enctype_name)) == 0)
k5_setmsg(context, KRB5_NOPERM_ETYPE,
_("Encryption type %s not permitted"), enctype_name);
return KRB5_NOPERM_ETYPE;
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index ee43ff028..5d9f80e04 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -85,7 +85,8 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
# If only the acceptor constrains the permitted session enctypes to
# aes128, subkey negotiation fails because the acceptor considers the
# aes256 session key to be non-permitted.
-test_err('acc aes128', None, 'aes128-cts', 'Encryption type not permitted')
+test_err('acc aes128', None, 'aes128-cts',
+ 'Encryption type aes256-cts-hmac-sha1-96 not permitted')
# If the initiator constrains the permitted session enctypes to des3,
# no acceptor subkey will be generated because we can't upgrade to a
@@ -128,7 +129,7 @@ test('upgrade init des3+rc4', 'des3 rc4', None,
# is only for the sake of the kernel, since we could upgrade to an
# aes128 subkey, but it's the current semantics.)
test_err('upgrade acc aes128', None, 'aes128-cts',
- 'Encryption type ArcFour with HMAC/md5 not permitted')
+ 'Encryption type arcfour-hmac not permitted')
# If the acceptor permits rc4 but prefers aes128, it will negotiate an
# upgrade to aes128.


@ -1,55 +0,0 @@
From 3f8434553e5bc3551c7be651de196caf98647cf3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 13:36:38 -0400
Subject: [PATCH] Initialize some data structure magic fields
Static analyzers may complain if they see a data structure copied with
an uninitialized field, even if the copy target won't use the field.
Add magic field initializers in three such places.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 551e88e76e537e45f6c80eadaefeb790994f83f9)
---
src/lib/gssapi/krb5/util_cksum.c | 1 +
src/lib/krb5/krb/authdata.c | 8 ++------
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index cfd585ec7..a1770774e 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -48,6 +48,7 @@ kg_checksum_channel_bindings(context, cb, cksum)
cksum->checksum_type = CKSUMTYPE_RSA_MD5;
cksum->length = sumlen;
+ cksum->magic = KV5M_CHECKSUM;
/* generate a buffer full of zeros if no cb specified */
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 7fbcfab68..3e7dfbe49 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -976,9 +976,7 @@ krb5_authdata_export_internal(krb5_context kcontext,
*ptr = NULL;
- name.length = strlen(module_name);
- name.data = (char *)module_name;
-
+ name = make_data((char *)module_name, strlen(module_name));
module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name);
if (module == NULL)
return ENOENT;
@@ -1005,9 +1003,7 @@ krb5_authdata_free_internal(krb5_context kcontext,
krb5_data name;
struct _krb5_authdata_context_module *module;
- name.length = strlen(module_name);
- name.data = (char *)module_name;
-
+ name = make_data((char *)module_name, strlen(module_name));
module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name);
if (module == NULL)
return ENOENT;


@ -1,52 +0,0 @@
From f4681ed7ec9f22fdbacc5c58a9f12ef567601267 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Sep 2019 16:55:37 -0400
Subject: [PATCH] Log unknown enctypes as unsupported in KDC
Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
deprecated enctypes as "DEPRECATED:". An invalid enctype might be too
old or marginal to be supported (like single-DES) or too new to be
recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:"
instead.
ticket: 8773
(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
---
src/kdc/kdc_util.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 698f18c1c..8700ec02c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1048,20 +1048,22 @@ void limit_string(char *name)
static krb5_error_code
enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
- char *name;
+ const char *name, *prefix = "";
size_t len;
if (buflen == 0)
return EINVAL;
*buf = '\0'; /* ensure these are always valid C-strings */
- if (krb5int_c_deprecated_enctype(ktype)) {
- len = strlcpy(buf, "DEPRECATED:", buflen);
- if (len >= buflen)
- return ENOMEM;
- buflen -= len;
- buf += len;
- }
+ if (!krb5_c_valid_enctype(ktype))
+ prefix = "UNSUPPORTED:";
+ else if (krb5int_c_deprecated_enctype(ktype))
+ prefix = "DEPRECATED:";
+ len = strlcpy(buf, prefix, buflen);
+ if (len >= buflen)
+ return ENOMEM;
+ buflen -= len;
+ buf += len;
/* rfc4556 recommends that clients wishing to indicate support for these
* pkinit algorithms include them in the etype field of the AS-REQ. */


@ -1,296 +0,0 @@
From 87e5a350db1c18a92427a2a7645cc53d5813672d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Jan 2019 17:42:35 -0500
Subject: [PATCH] Make etype names in KDC logs human-readable
Introduce enctype_name() as a wrapper over krb5_enctype_to_name for
converting between registered constants and names. Adjust signatures
and rewrite ktypes2str() and rep_etypes2str() to operate on dynamic
buffers.
ticket: 8772 (new)
(cherry picked from commit a649279727490687d54becad91fde8cf7429d951)
---
src/kdc/kdc_log.c | 42 +++++++--------
src/kdc/kdc_util.c | 131 +++++++++++++++++++++++----------------------
src/kdc/kdc_util.h | 6 +--
3 files changed, 90 insertions(+), 89 deletions(-)
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index 4eec50373..b160ba21a 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -65,7 +65,7 @@ log_as_req(krb5_context context,
{
const char *fromstring = 0;
char fromstringbuf[70];
- char ktypestr[128];
+ char *ktypestr = NULL;
const char *cname2 = cname ? cname : "<unknown client>";
const char *sname2 = sname ? sname : "<unknown server>";
@@ -74,26 +74,29 @@ log_as_req(krb5_context context,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
- ktypes2str(ktypestr, sizeof(ktypestr),
- request->nktypes, request->ktype);
+
+ ktypestr = ktypes2str(request->ktype, request->nktypes);
if (status == NULL) {
/* success */
- char rep_etypestr[128];
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
+ char *rep_etypestr = rep_etypes2str(reply);
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
"%s for %s"),
- ktypestr, fromstring, (unsigned int)authtime,
- rep_etypestr, cname2, sname2);
+ ktypestr ? ktypestr : "", fromstring,
+ (unsigned int)authtime,
+ rep_etypestr ? rep_etypestr : "", cname2, sname2);
+ free(rep_etypestr);
} else {
/* fail */
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: %s: %s for %s%s%s"),
- ktypestr, fromstring, status,
- cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
+ ktypestr ? ktypestr : "", fromstring, status, cname2,
+ sname2, emsg ? ", " : "", emsg ? emsg : "");
}
krb5_db_audit_as_req(context, request,
local_addr->address, remote_addr->address,
client, server, authtime, errcode);
+
+ free(ktypestr);
}
/*
@@ -122,10 +125,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
unsigned int c_flags,
const char *status, krb5_error_code errcode, const char *emsg)
{
- char ktypestr[128];
+ char *ktypestr = NULL, *rep_etypestr = NULL;
const char *fromstring = 0;
char fromstringbuf[70];
- char rep_etypestr[128];
char *cname = NULL, *sname = NULL, *altcname = NULL;
char *logcname = NULL, *logsname = NULL, *logaltcname = NULL;
@@ -134,11 +136,6 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
- ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype);
- if (!errcode)
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
- else
- rep_etypestr[0] = 0;
unparse_and_limit(ctx, cprinc, &cname);
logcname = (cname != NULL) ? cname : "<unknown client>";
@@ -151,10 +148,14 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
name (useful), and doesn't log ktypestr (probably not
important). */
if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
+ ktypestr = ktypes2str(request->ktype, request->nktypes);
+ rep_etypestr = rep_etypes2str(reply);
krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
"%s for %s%s%s"),
- ktypestr, fromstring, status, (unsigned int)authtime,
- rep_etypestr, !errcode ? "," : "", logcname, logsname,
+ ktypestr ? ktypestr : "", fromstring, status,
+ (unsigned int)authtime,
+ rep_etypestr ? rep_etypestr : "",
+ !errcode ? "," : "", logcname, logsname,
errcode ? ", " : "", errcode ? emsg : "");
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
krb5_klog_syslog(LOG_INFO,
@@ -171,9 +172,8 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
fromstring, status, (unsigned int)authtime,
logcname, logsname, logaltcname);
- /* OpenSolaris: audit_krb5kdc_tgs_req(...) or
- audit_krb5kdc_tgs_req_2ndtktmm(...) */
-
+ free(rep_etypestr);
+ free(ktypestr);
krb5_free_unparsed_name(ctx, cname);
krb5_free_unparsed_name(ctx, sname);
krb5_free_unparsed_name(ctx, altcname);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 0155c28c6..f5c581c82 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1043,84 +1043,87 @@ void limit_string(char *name)
return;
}
-/*
- * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301.
- */
-#define L10_2(x) ((int)(((x * 301) + 999) / 1000))
-
-/*
- * Max length of sprintf("%ld") for an int of type T; includes leading
- * minus sign and terminating NUL.
- */
-#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2)
-
-void
-ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
+/* Wrapper of krb5_enctype_to_name() to include the PKINIT types. */
+static krb5_error_code
+enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
- int i;
- char stmp[D_LEN(krb5_enctype) + 1];
- char *p;
+ char *name;
- if (nktypes < 0
- || len < (sizeof(" etypes {...}") + D_LEN(int))) {
- *s = '\0';
- return;
- }
+ if (buflen == 0)
+ return EINVAL;
+ *buf = '\0'; /* ensure these are always valid C-strings */
- snprintf(s, len, "%d etypes {", nktypes);
- for (i = 0; i < nktypes; i++) {
- snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]);
- if (strlen(s) + strlen(stmp) + sizeof("}") > len)
- break;
- strlcat(s, stmp, len);
- }
- if (i < nktypes) {
- /*
- * We broke out of the loop. Try to truncate the list.
- */
- p = s + strlen(s);
- while (p - s + sizeof("...}") > len) {
- while (p > s && *p != ' ' && *p != '{')
- *p-- = '\0';
- if (p > s && *p == ' ') {
- *p-- = '\0';
- continue;
- }
- }
- strlcat(s, "...", len);
- }
- strlcat(s, "}", len);
- return;
+ /* rfc4556 recommends that clients wishing to indicate support for these
+ * pkinit algorithms include them in the etype field of the AS-REQ. */
+ if (ktype == ENCTYPE_DSA_SHA1_CMS)
+ name = "id-dsa-with-sha1-CmsOID";
+ else if (ktype == ENCTYPE_MD5_RSA_CMS)
+ name = "md5WithRSAEncryption-CmsOID";
+ else if (ktype == ENCTYPE_SHA1_RSA_CMS)
+ name = "sha-1WithRSAEncryption-CmsOID";
+ else if (ktype == ENCTYPE_RC2_CBC_ENV)
+ name = "rc2-cbc-EnvOID";
+ else if (ktype == ENCTYPE_RSA_ENV)
+ name = "rsaEncryption-EnvOID";
+ else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
+ name = "id-RSAES-OAEP-EnvOID";
+ else if (ktype == ENCTYPE_DES3_CBC_ENV)
+ name = "des-ede3-cbc-EnvOID";
+ else
+ return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
+
+ if (strlcpy(name, buf, buflen) >= buflen)
+ return ENOMEM;
+ return 0;
}
-void
-rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
+char *
+ktypes2str(krb5_enctype *ktype, int nktypes)
{
- char stmp[sizeof("ses=") + D_LEN(krb5_enctype)];
+ struct k5buf buf;
+ int i;
+ char name[64];
- if (len < (3 * D_LEN(krb5_enctype)
- + sizeof("etypes {rep= tkt= ses=}"))) {
- *s = '\0';
- return;
+ if (nktypes < 0)
+ return NULL;
+
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add_fmt(&buf, "%d etypes {", nktypes);
+ for (i = 0; i < nktypes; i++) {
+ enctype_name(ktype[i], name, sizeof(name));
+ k5_buf_add_fmt(&buf, "%s%s(%ld)", i ? ", " : "", name, (long)ktype[i]);
}
+ k5_buf_add(&buf, "}");
+ return buf.data;
+}
- snprintf(s, len, "etypes {rep=%ld", (long)rep->enc_part.enctype);
+char *
+rep_etypes2str(krb5_kdc_rep *rep)
+{
+ struct k5buf buf;
+ char name[64];
+ krb5_enctype etype;
+
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add(&buf, "etypes {rep=");
+ enctype_name(rep->enc_part.enctype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, "%s(%ld)", name, (long)rep->enc_part.enctype);
if (rep->ticket != NULL) {
- snprintf(stmp, sizeof(stmp),
- " tkt=%ld", (long)rep->ticket->enc_part.enctype);
- strlcat(s, stmp, len);
+ etype = rep->ticket->enc_part.enctype;
+ enctype_name(etype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, ", tkt=%s(%ld)", name, (long)etype);
}
- if (rep->ticket != NULL
- && rep->ticket->enc_part2 != NULL
- && rep->ticket->enc_part2->session != NULL) {
- snprintf(stmp, sizeof(stmp), " ses=%ld",
- (long)rep->ticket->enc_part2->session->enctype);
- strlcat(s, stmp, len);
+ if (rep->ticket != NULL && rep->ticket->enc_part2 != NULL &&
+ rep->ticket->enc_part2->session != NULL) {
+ etype = rep->ticket->enc_part2->session->enctype;
+ enctype_name(etype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, ", ses=%s(%ld)", name, (long)etype);
}
- strlcat(s, "}", len);
- return;
+
+ k5_buf_add(&buf, "}");
+ return buf.data;
}
static krb5_error_code
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 6ec645fc3..25077cbf5 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -110,11 +110,9 @@ select_session_keytype (kdc_realm_t *kdc_active_realm,
void limit_string (char *name);
-void
-ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
+char *ktypes2str(krb5_enctype *ktype, int nktypes);
-void
-rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
+char *rep_etypes2str(krb5_kdc_rep *rep);
/* authind.c */
krb5_boolean


@ -1,250 +0,0 @@
From 8e3b86c1e7bdd12c649127a8a44e5a269b5b4453 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Jan 2019 16:34:54 -0500
Subject: [PATCH] Mark deprecated enctypes when used
Preface ETYPE_DEPRECATED enctypes with "DEPRECATED:" in klist output,
KDC logs, and kadmin interactions. Also complain in krb5kdc when the
stash file has a deprecated enctype or a deprecated enctype is
requested with -k.
ticket: 8773 (new)
(cherry picked from commit 8d8e68283b599e680f9fe45eff8af397e827bd6c)
---
src/clients/klist/klist.c | 14 ++++++++++----
src/kadmin/cli/kadmin.c | 6 +++++-
src/kdc/kdc_util.c | 9 +++++++++
src/kdc/main.c | 19 +++++++++++++++++++
src/tests/gssapi/t_enctypes.py | 15 +++++++++------
src/tests/t_keyrollover.py | 8 +++++---
src/tests/t_sesskeynego.py | 4 ++--
7 files changed, 59 insertions(+), 16 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 70adb54e8..8c307151a 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -571,11 +571,17 @@ static char *
etype_string(krb5_enctype enctype)
{
static char buf[100];
- krb5_error_code ret;
+ char *bp = buf;
+ size_t deplen, buflen = sizeof(buf);
- ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf));
- if (ret)
- snprintf(buf, sizeof(buf), "etype %d", enctype);
+ if (krb5int_c_deprecated_enctype(enctype)) {
+ deplen = strlcpy(bp, "DEPRECATED:", buflen);
+ buflen -= deplen;
+ bp += deplen;
+ }
+
+ if (krb5_enctype_to_name(enctype, FALSE, bp, buflen))
+ snprintf(bp, buflen, "etype %d", enctype);
return buf;
}
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index ed581ee79..cc74921bf 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1451,12 +1451,16 @@ kadmin_getprinc(int argc, char *argv[])
for (i = 0; i < dprinc.n_key_data; i++) {
krb5_key_data *key_data = &dprinc.key_data[i];
char enctype[BUFSIZ], salttype[BUFSIZ];
+ char *deprecated = "";
if (krb5_enctype_to_name(key_data->key_data_type[0], FALSE,
enctype, sizeof(enctype)))
snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
key_data->key_data_type[0]);
- printf("Key: vno %d, %s", key_data->key_data_kvno, enctype);
+ if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
+ deprecated = "DEPRECATED:";
+ printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated,
+ enctype);
if (key_data->key_data_ver > 1 &&
key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_NORMAL) {
if (krb5_salttype_to_string(key_data->key_data_type[1],
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f5c581c82..96c88edc1 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1048,11 +1048,20 @@ static krb5_error_code
enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
char *name;
+ size_t len;
if (buflen == 0)
return EINVAL;
*buf = '\0'; /* ensure these are always valid C-strings */
+ if (krb5int_c_deprecated_enctype(ktype)) {
+ len = strlcpy(buf, "DEPRECATED:", buflen);
+ if (len >= buflen)
+ return ENOMEM;
+ buflen -= len;
+ buf += len;
+ }
+
/* rfc4556 recommends that clients wishing to indicate support for these
* pkinit algorithms include them in the etype field of the AS-REQ. */
if (ktype == ENCTYPE_DSA_SHA1_CMS)
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 663fd6303..60092a0df 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -210,12 +210,23 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
char *svalue = NULL;
const char *hierarchy[4];
krb5_kvno mkvno = IGNORE_VNO;
+ char ename[32];
memset(rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
kret = EINVAL;
goto whoops;
}
+
+ if (def_enctype != ENCTYPE_UNKNOWN &&
+ krb5int_c_deprecated_enctype(def_enctype)) {
+ if (krb5_enctype_to_name(def_enctype, FALSE, ename, sizeof(ename)))
+ ename[0] = '\0';
+ fprintf(stderr,
+ _("Requested master password enctype %s in %s is DEPRECATED!"),
+ ename, realm);
+ }
+
hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = realm;
hierarchy[3] = NULL;
@@ -370,6 +381,14 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
goto whoops;
}
+ if (krb5int_c_deprecated_enctype(rdp->realm_mkey.enctype)) {
+ if (krb5_enctype_to_name(rdp->realm_mkey.enctype, FALSE, ename,
+ sizeof(ename)))
+ ename[0] = '\0';
+ fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!"),
+ rdp->realm_stash, ename);
+ }
+
if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc,
&rdp->realm_mkey))) {
kdc_err(rdp->realm_context, kret,
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index 5d9f80e04..ca3d32d21 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -9,8 +9,11 @@ from k5test import *
aes256 = 'aes256-cts-hmac-sha1-96'
aes128 = 'aes128-cts-hmac-sha1-96'
des3 = 'des3-cbc-sha1'
+d_des3 = 'DEPRECATED:des3-cbc-sha1'
des3raw = 'des3-cbc-raw'
+d_des3raw = 'DEPRECATED:des3-cbc-raw'
rc4 = 'arcfour-hmac'
+d_rc4 = 'DEPRECATED:arcfour-hmac'
# These tests make assumptions about the default enctype lists, so set
# them explicitly rather than relying on the library defaults.
@@ -92,7 +95,7 @@ test_err('acc aes128', None, 'aes128-cts',
# no acceptor subkey will be generated because we can't upgrade to a
# CFX enctype.
test('init des3', 'des3', None,
- tktenc=aes256, tktsession=des3,
+ tktenc=aes256, tktsession=d_des3,
proto='rfc1964', isubkey=des3raw, asubkey=None)
# Force the ticket session key to be rc4, so we can test some subkey
@@ -103,7 +106,7 @@ realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4'])
# [aes256 aes128 des3] and the acceptor should upgrade to an aes256
# subkey.
test('upgrade noargs', None, None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes256)
# If the initiator won't permit rc4 as a session key, it won't be able
@@ -113,14 +116,14 @@ test_err('upgrade init aes', 'aes', None, 'no support for encryption type')
# If the initiator permits rc4 but prefers aes128, it will send an
# upgrade list of [aes128] and the acceptor will upgrade to aes128.
test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes128)
# If the initiator permits rc4 but prefers des3, it will send an
# upgrade list of [des3], but the acceptor won't generate a subkey
# because des3 isn't a CFX enctype.
test('upgrade init des3+rc4', 'des3 rc4', None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='rfc1964', isubkey=rc4, asubkey=None)
# If the acceptor permits only aes128, subkey negotiation will fail
@@ -134,14 +137,14 @@ test_err('upgrade acc aes128', None, 'aes128-cts',
# If the acceptor permits rc4 but prefers aes128, it will negotiate an
# upgrade to aes128.
test('upgrade acc aes128 rc4', None, 'aes128-cts rc4',
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes128)
# In this test, the initiator and acceptor each prefer an AES enctype
# to rc4, but they can't agree on which one, so no subkey is
# generated.
test('upgrade mismatch', 'aes128-cts rc4', 'aes256-cts rc4',
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='rfc1964', isubkey=rc4, asubkey=None)
success('gss_krb5_set_allowable_enctypes tests')
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 7c8d828f0..4af6804f2 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -22,8 +22,9 @@ realm.run([kvno, princ1])
realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
# Make sure an old TGT fails after purging old TGS key.
realm.run([kvno, princ2], expected_code=1)
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
- (realm.realm, realm.realm)
+ddes = "DEPRECATED:des-cbc-crc"
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
+ (realm.realm, realm.realm, ddes, ddes)
realm.run([klist, '-e'], expected_msg=msg)
# Check that new key actually works.
@@ -48,7 +49,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts',
realm.krbtgt_princ])
realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ])
-if 'vno 1, aes256' not in out or 'vno 1, des3' not in out:
+if 'vno 1, aes256-cts' not in out or \
+ 'vno 1, DEPRECATED:des3-cbc-sha1' not in out:
fail('keyrollover: setup for TGS enctype test failed')
# Now present the DES3 ticket to the KDC and make sure it's rejected.
realm.run([kvno, realm.host_princ], expected_code=1)
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index 448092387..da02f224a 100755
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -62,11 +62,11 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
'rc4-hmac,aes128-cts,aes256-cts'])
-test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
# 3c: Test des-cbc-crc default assumption.
realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
-test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96')
realm.stop()
# Last go: test that we can disable the des-cbc-crc assumption


@ -1,139 +0,0 @@
From d8a20291fca962dfc88e396f2a60e41ede62be46 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 11 Apr 2019 18:33:04 -0400
Subject: [PATCH] Mark the doc/kadm5 tex files as historic
Remove rcsid.sty and the uses of the \rcsId macro as git does not
perform the keyword expansion necessary to make it work. Add comments
indicating the historic status of the kadm5 documentation.
[ghudson@mit.edu: fix the tex files instead of marking them as
non-building]
(cherry picked from commit e6047bdd6dec0d104417f9a1318bbafe022b81c1)
---
doc/kadm5/adb-unit-test.tex | 7 ++++---
doc/kadm5/api-funcspec.tex | 9 +++++----
doc/kadm5/api-server-design.tex | 9 +++++----
doc/kadm5/api-unit-test.tex | 7 ++++---
doc/kadm5/rcsid.sty | 5 -----
5 files changed, 18 insertions(+), 19 deletions(-)
delete mode 100644 doc/kadm5/rcsid.sty
diff --git a/doc/kadm5/adb-unit-test.tex b/doc/kadm5/adb-unit-test.tex
index d401342df..987af1a5e 100644
--- a/doc/kadm5/adb-unit-test.tex
+++ b/doc/kadm5/adb-unit-test.tex
@@ -1,6 +1,7 @@
-\documentstyle[times,fullpage,rcsid]{article}
+% This document is included for historical purposes only, and does not
+% apply to krb5 today.
-\rcs$Id$
+\documentstyle[times,fullpage]{article}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
@@ -39,7 +40,7 @@
%\newcommand{\Priority}[1]{}
\title{OpenV*Secure Admin Database API\\
-Unit Test Description\footnote{\rcsId}}
+Unit Test Description}
\author{Jonathan I. Kamens}
\begin{document}
diff --git a/doc/kadm5/api-funcspec.tex b/doc/kadm5/api-funcspec.tex
index c13090a51..76d2bb5d0 100644
--- a/doc/kadm5/api-funcspec.tex
+++ b/doc/kadm5/api-funcspec.tex
@@ -1,4 +1,7 @@
-\documentstyle[12pt,fullpage,rcsid]{article}
+% This document is included for historical purposes only, and does not
+% apply to krb5 today.
+
+\documentstyle[12pt,fullpage]{article}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
@@ -7,15 +10,13 @@
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\rcs$Id$
-
\setlength{\parskip}{.7\baselineskip}
\setlength{\parindent}{0pt}
\def\v#1{\verb+#1+}
\title{Kerberos Administration System \\
- KADM5 API Functional Specifications\thanks{\rcsId}}
+ KADM5 API Functional Specifications}
\author{Barry Jaspan}
\begin{document}
diff --git a/doc/kadm5/api-server-design.tex b/doc/kadm5/api-server-design.tex
index 228e83113..94e05b877 100644
--- a/doc/kadm5/api-server-design.tex
+++ b/doc/kadm5/api-server-design.tex
@@ -1,4 +1,7 @@
-\documentstyle[12pt,fullpage,rcsid]{article}
+% This document is included for historical purposes only, and does not
+% apply to krb5 today.
+
+\documentstyle[12pt,fullpage]{article}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
@@ -7,15 +10,13 @@
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\rcs$Id$
-
\setlength{\parskip}{.7\baselineskip}
\setlength{\parindent}{0pt}
\def\v#1{\verb+#1+}
\def\k#1{K$_#1$}
-\title{KADM5 Library and Server \\ Implementation Design\thanks{\rcsId}}
+\title{KADM5 Library and Server \\ Implementation Design}
\author{Barry Jaspan}
\begin{document}
diff --git a/doc/kadm5/api-unit-test.tex b/doc/kadm5/api-unit-test.tex
index 3e0eb503e..bfd6280bb 100644
--- a/doc/kadm5/api-unit-test.tex
+++ b/doc/kadm5/api-unit-test.tex
@@ -1,6 +1,7 @@
-\documentstyle[times,fullpage,rcsid]{article}
+% This document is included for historical purposes only, and does not
+% apply to krb5 today.
-\rcs$Id$
+\documentstyle[times,fullpage]{article}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
@@ -41,7 +42,7 @@
%\newcommand{\Priority}[1]{}
\title{KADM5 Admin API\\
-Unit Test Description\footnote{\rcsId}}
+Unit Test Description}
\author{Jonathan I. Kamens}
\begin{document}
diff --git a/doc/kadm5/rcsid.sty b/doc/kadm5/rcsid.sty
deleted file mode 100644
index 3ad7826ff..000000000
--- a/doc/kadm5/rcsid.sty
+++ /dev/null
@@ -1,5 +0,0 @@
-\def\rcs$#1: #2${\expandafter\def\csname rcs#1\endcsname{#2}}
-
-% example usage:
-% \rcs$Version$
-% Version \rcsVersion


@ -1,232 +0,0 @@
From b90cdec363eae38cb2ea40d40668e3fbc83edeb8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 11 Apr 2019 18:25:41 -0400
Subject: [PATCH] Modernize example enctypes in documentation
ticket: 8805 (new)
(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2)
[rharwood@redhat.com: release version conflict in man pages]
---
doc/admin/admin_commands/kadmin_local.rst | 8 ++++----
doc/admin/admin_commands/kdb5_util.rst | 10 +++++-----
doc/admin/database.rst | 2 +-
doc/admin/install_appl_srv.rst | 19 +++++++------------
doc/admin/install_kdc.rst | 2 +-
src/man/kadmin.man | 10 +++++-----
src/man/kdb5_util.man | 10 +++++-----
.../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++--
.../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++--
9 files changed, 32 insertions(+), 37 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 150da1fad..71aa894f6 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -569,16 +569,16 @@ Examples::
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
- Password expiration date: [none]
+ Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
- Number of keys: 2
- Key: vno 1, des-cbc-crc
- Key: vno 1, des-cbc-crc:v4
+ Number of keys: 1
+ Key: vno 1, aes256-cts-hmac-sha384-192
+ MKey: vno 1
Attributes:
Policy: [none]
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index 7dd54f797..444c58bcd 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -476,17 +476,17 @@ Examples::
$ kdb5_util tabdump -o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
+ K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
$ sqlite3
sqlite> .mode tabs
sqlite> .import keyinfo.txt keyinfo
- sqlite> select * from keyinfo where enctype like 'des-cbc-%';
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ sqlite> select * from keyinfo where enctype like 'aes256-%';
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
sqlite> .quit
- $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
ENVIRONMENT
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 33895b857..cea60b009 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps:
$ kdb5_util list_mkeys
Master keys for Principal: K/M@KRBTEST.COM
- KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 *
+ KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
#. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a
master key activation list is present in the database. This step
diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst
index 6bae7248f..6b2d8e471 100644
--- a/doc/admin/install_appl_srv.rst
+++ b/doc/admin/install_appl_srv.rst
@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on
``trillium.mit.edu``)::
trillium% kadmin
- kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
- pop/trillium.mit.edu
- kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin5: quit
+ Authenticating as principal root/admin@ATHENA.MIT.EDU with password.
+ Password for root/admin@ATHENA.MIT.EDU:
+ kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
+ Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: quit
trillium%
If you generate the keytab file on another host, you need to get a
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 5d1e70ede..3bec59f96 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
- type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
+ type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 3c4f013fb..44859a378 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KADMIN" "1" " " "1.17.1" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.18" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
@@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
+Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des\-cbc\-crc
-Key: vno 1, des\-cbc\-crc:v4
+Number of keys: 1
+Key: vno 1, aes256\-cts\-hmac\-sha384\-192
+MKey: vno 1
Attributes:
Policy: [none]
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 9a36ef0df..46772a236 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -529,17 +529,17 @@ Examples:
$ kdb5_util tabdump \-o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
+K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
$ sqlite3
sqlite> .mode tabs
sqlite> .import keyinfo.txt keyinfo
-sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq;
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq;
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
sqlite> .quit
-$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
.ft P
.fi
.UNINDENT
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index 13db48609..4224f0850 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
dn: cn=schema
changetype: modify
@@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
##### ONLYREALM
##### SPECIAL
##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index 52036a178..171f66927 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings. This will be
##### subset of the supported encryption/salt types.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
attributetype ( 2.16.840.1.113719.1.301.4.42.1
NAME 'krbDefaultEncSaltTypes'
@@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1
##### ONLYREALM
##### SPECIAL
##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
attributetype ( 2.16.840.1.113719.1.301.4.43.1
NAME 'krbSupportedEncSaltTypes'


@ -1,68 +0,0 @@
From 762241d6dbcb7b90ecf6a7352553465c30fcab74 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 14:32:33 -0400
Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
Move to a single lock / single unlock paradigm, and eliminate some
dead code in the old error handling.
(cherry picked from commit 1b89e3d8e949f52901bce74c9afc7a1a64099520)
---
src/lib/gssapi/krb5/copy_ccache.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c
index 027ed4847..2b2806e70 100644
--- a/src/lib/gssapi/krb5/copy_ccache.c
+++ b/src/lib/gssapi/krb5/copy_ccache.c
@@ -9,7 +9,7 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
{
krb5_gss_cred_id_t k5creds;
krb5_error_code code;
- krb5_context context;
+ krb5_context context = NULL;
krb5_ccache out_ccache;
assert(value->length == sizeof(out_ccache));
@@ -23,30 +23,23 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
k5creds = (krb5_gss_cred_id_t) *cred_handle;
k5_mutex_lock(&k5creds->lock);
if (k5creds->usage == GSS_C_ACCEPT) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
+ code = G_BAD_USAGE;
+ goto cleanup;
}
code = krb5_gss_init_context(&context);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ if (code)
+ goto cleanup;
code = krb5_cc_copy_creds(context, k5creds->ccache, out_ccache);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+
+cleanup:
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
- if (code)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
+ if (context != NULL) {
+ if (code)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ }
return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
}


@ -1,33 +0,0 @@
From c1b4612565658d64940ba4760e0b47afd21e718f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 Feb 2019 11:50:35 -0500
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
The cleanup code only could get executed in the USE_CCAPI_V3 case, so
move it inside that block. Reported by Coverity.
(cherry picked from commit 444a15f9cf82b9a6c1bca3f20307f82fee91c228)
---
src/lib/krb5/ccache/ccbase.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
index 8198f2b9b..2702bef69 100644
--- a/src/lib/krb5/ccache/ccbase.c
+++ b/src/lib/krb5/ccache/ccbase.c
@@ -511,7 +511,6 @@ krb5_cccol_lock(krb5_context context)
#endif
#ifdef USE_CCAPI_V3
ret = krb5_stdccv3_context_lock(context);
-#endif
if (ret) {
k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
@@ -519,6 +518,7 @@ krb5_cccol_lock(krb5_context context)
k5_cc_mutex_unlock(context, &cccol_lock);
return ret;
}
+#endif
k5_mutex_unlock(&cc_typelist_lock);
return ret;
}



@ -1,967 +0,0 @@
From 044e7ea922800bfc17ba816780803b1d67622b7b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 18 Jun 2019 11:40:48 -0400
Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
ticket: 8817
(cherry picked from commit c82e21d8836d4cb4c6ac7047752c9f600cb1ce33)
---
src/include/k5-int-pkinit.h | 74 --------------------------
src/include/k5-int.h | 30 +----------
src/lib/krb5/asn.1/asn1_k_encode.c | 81 ----------------------------
src/lib/krb5/os/accessor.c | 7 ---
src/tests/asn.1/krb5_decode_test.c | 41 --------------
src/tests/asn.1/krb5_encode_test.c | 40 --------------
src/tests/asn.1/ktest.c | 85 ------------------------------
src/tests/asn.1/ktest.h | 11 ----
src/tests/asn.1/ktest_equal.c | 51 ------------------
src/tests/asn.1/ktest_equal.h | 3 --
src/tests/asn.1/pkinit_encode.out | 5 --
src/tests/asn.1/pkinit_trval.out | 47 -----------------
12 files changed, 1 insertion(+), 474 deletions(-)
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 4622a629e..c23cfd304 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -45,14 +45,6 @@ typedef struct _krb5_pk_authenticator {
krb5_data *freshnessToken;
} krb5_pk_authenticator;
-/* PKAuthenticator draft9 */
-typedef struct _krb5_pk_authenticator_draft9 {
- krb5_principal kdcName;
- krb5_int32 cusec; /* (0..999999) */
- krb5_timestamp ctime;
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_pk_authenticator_draft9;
-
/* AlgorithmIdentifier */
typedef struct _krb5_algorithm_identifier {
krb5_data algorithm; /* OID */
@@ -74,12 +66,6 @@ typedef struct _krb5_auth_pack {
krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;
-/* AuthPack draft9 */
-typedef struct _krb5_auth_pack_draft9 {
- krb5_pk_authenticator_draft9 pkAuthenticator;
- krb5_subject_pk_info *clientPublicValue; /* Optional */
-} krb5_auth_pack_draft9;
-
/* ExternalPrincipalIdentifier */
typedef struct _krb5_external_principal_identifier {
krb5_data subjectName; /* Optional */
@@ -87,14 +73,6 @@ typedef struct _krb5_external_principal_identifier {
krb5_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;
-/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
-/* This has four fields, but we only care about the first and third for
- * encoding, and the only about the first for decoding. */
-typedef struct _krb5_pa_pk_as_req_draft9 {
- krb5_data signedAuthPack;
- krb5_data kdcCert; /* Optional */
-} krb5_pa_pk_as_req_draft9;
-
/* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
typedef struct _krb5_pa_pk_as_req {
krb5_data signedAuthPack;
@@ -116,37 +94,12 @@ typedef struct _krb5_kdc_dh_key_info {
krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;
-/* KDCDHKeyInfo draft9*/
-typedef struct _krb5_kdc_dh_key_info_draft9 {
- krb5_data subjectPublicKey; /* BIT STRING */
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_kdc_dh_key_info_draft9;
-
/* ReplyKeyPack */
typedef struct _krb5_reply_key_pack {
krb5_keyblock replyKey;
krb5_checksum asChecksum;
} krb5_reply_key_pack;
-/* ReplyKeyPack */
-typedef struct _krb5_reply_key_pack_draft9 {
- krb5_keyblock replyKey;
- krb5_int32 nonce;
-} krb5_reply_key_pack_draft9;
-
-/* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */
-typedef struct _krb5_pa_pk_as_rep_draft9 {
- enum krb5_pa_pk_as_rep_draft9_selection {
- choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
- choice_pa_pk_as_rep_draft9_dhSignedData = 0,
- choice_pa_pk_as_rep_draft9_encKeyPack = 1
- } choice;
- union krb5_pa_pk_as_rep_draft9_choices {
- krb5_data dhSignedData;
- krb5_data encKeyPack;
- } u;
-} krb5_pa_pk_as_rep_draft9;
-
/* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */
typedef struct _krb5_pa_pk_as_rep {
enum krb5_pa_pk_as_rep_selection {
@@ -186,34 +139,18 @@ typedef struct _krb5_pkinit_supp_pub_info {
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);
krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);
-krb5_error_code
-encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
krb5_data **code);
@@ -237,19 +174,12 @@ encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);
-krb5_error_code
-decode_krb5_pa_pk_as_req_draft9(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
-krb5_error_code
-decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **);
-
krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);
@@ -259,10 +189,6 @@ decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);
krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);
-krb5_error_code
-decode_krb5_reply_key_pack_draft9(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
krb5_external_principal_identifier ***);
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0857fd1cc..cb328785d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1836,7 +1836,7 @@ krb5int_random_string(krb5_context, char *string, unsigned int length);
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 22
+#define KRB5INT_ACCESS_STRUCT_VERSION 23
typedef struct _krb5int_access {
krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
@@ -1865,10 +1865,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
- krb5_error_code
- (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
krb5_data **code);
@@ -1877,26 +1873,14 @@ typedef struct _krb5int_access {
(*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *,
krb5_data **code);
@@ -1908,17 +1892,9 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
- krb5_error_code
- (*decode_krb5_auth_pack_draft9)(const krb5_data *,
- krb5_auth_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
- krb5_error_code
- (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
@@ -1931,10 +1907,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
- krb5_error_code
- (*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_td_dh_parameters)(const krb5_data *,
krb5_algorithm_identifier ***);
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 81a34bac9..a026ab390 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1446,19 +1446,6 @@ static const struct atype_info *pk_authenticator_fields[] = {
};
DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields);
-DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal);
-DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1,
- realm_of_principal);
-DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32);
-DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time);
-DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32);
-static const struct atype_info *pk_authenticator_draft9_fields[] = {
- &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2,
- &k5_atype_pkauth9_3, &k5_atype_pkauth9_4
-};
-DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9,
- pk_authenticator_draft9_fields);
-
DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
k5_asn1_encode_bitstring, k5_asn1_decode_bitstring,
ASN1_BITSTRING);
@@ -1488,15 +1475,6 @@ static const struct atype_info *auth_pack_fields[] = {
};
DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields);
-DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0,
- pk_authenticator_draft9);
-DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1,
- opt_subject_pk_info_ptr);
-static const struct atype_info *auth_pack_draft9_fields[] = {
- &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1
-};
-DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields);
-
DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier,
subjectName, 0, opt_ostring_data);
DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier,
@@ -1529,29 +1507,6 @@ static const struct atype_info *pa_pk_as_req_fields[] = {
};
DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields);
-/*
- * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we
- * only ever use the first and third. The fields are specified as explicitly
- * tagged, but our historical behavior is to pretend that they are wrapped in
- * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't
- * want to change that without interop testing.
- */
-DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0,
- ostring_data);
-DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2,
- opt_ostring_data);
-static const struct atype_info *pa_pk_as_req_draft9_fields[] = {
- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2
-};
-DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_fields);
-/* For decoding, we only care about the first field; we can ignore the rest. */
-static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = {
- &k5_atype_pa_pk_as_req9_0
-};
-DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_decode_fields);
-
DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0,
ostring_data);
DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data);
@@ -1577,14 +1532,6 @@ static const struct atype_info *reply_key_pack_fields[] = {
};
DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields);
-DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key);
-DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32);
-static const struct atype_info *reply_key_pack_draft9_fields[] = {
- &k5_atype_key_pack9_0, &k5_atype_key_pack9_1
-};
-DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9,
- reply_key_pack_draft9_fields);
-
DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info);
DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data);
static const struct atype_info *pa_pk_as_rep_alternatives[] = {
@@ -1595,44 +1542,16 @@ DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices,
DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice,
pa_pk_as_rep_choice);
-/*
- * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as
- * explicitly tagged SignedData and EnvelopedData respectively, which means
- * they should have constructed context tags. However, our historical behavior
- * is to use primitive context tags, and we don't want to change that behavior
- * without interop testing. We have the encodings for each alternative in a
- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
- * order to wrap them in primitive [0] and [1] tags.
- */
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data);
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data);
-static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = {
- &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1
-};
-DEFCHOICETYPE(pa_pk_as_rep_draft9_choice,
- union krb5_pa_pk_as_rep_draft9_choices,
- enum krb5_pa_pk_as_rep_draft9_selection,
- pa_pk_as_rep_draft9_alternatives);
-DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice,
- pa_pk_as_rep_draft9_choice);
-
MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req);
MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req);
-MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9);
-MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode);
MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep);
MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep);
-MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9);
MAKE_ENCODER(encode_krb5_auth_pack, auth_pack);
MAKE_DECODER(decode_krb5_auth_pack, auth_pack);
-MAKE_ENCODER(encode_krb5_auth_pack_draft9, auth_pack_draft9);
-MAKE_DECODER(decode_krb5_auth_pack_draft9, auth_pack_draft9);
MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack);
MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack);
-MAKE_ENCODER(encode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
-MAKE_DECODER(decode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
MAKE_ENCODER(encode_krb5_td_trusted_certifiers,
seqof_external_principal_identifier);
MAKE_DECODER(decode_krb5_td_trusted_certifiers,
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index d77f8c6b7..12a39a2ab 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -80,25 +80,18 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
#define SC(FIELD, VAL) S(FIELD, 0)
#endif
SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req),
- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9),
SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep),
- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9),
SC (encode_krb5_auth_pack, encode_krb5_auth_pack),
- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9),
SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info),
SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack),
- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9),
SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers),
SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters),
SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req),
- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9),
SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep),
SC (decode_krb5_auth_pack, decode_krb5_auth_pack),
- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9),
SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info),
SC (decode_krb5_principal_name, decode_krb5_principal_name),
SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack),
- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9),
SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers),
SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index cbd99ba63..7a116b40d 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -42,8 +42,6 @@ void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val);
#ifndef DISABLE_PKINIT
static int equal_principal(krb5_principal *ref, krb5_principal var);
static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val);
-static void ktest_free_auth_pack_draft9(krb5_context context,
- krb5_auth_pack_draft9 *val);
static void ktest_free_kdc_dh_key_info(krb5_context context,
krb5_kdc_dh_key_info *val);
static void ktest_free_pa_pk_as_req(krb5_context context,
@@ -52,8 +50,6 @@ static void ktest_free_pa_pk_as_rep(krb5_context context,
krb5_pa_pk_as_rep *val);
static void ktest_free_reply_key_pack(krb5_context context,
krb5_reply_key_pack *val);
-static void ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val);
#endif
static void ktest_free_kkdcp_message(krb5_context context,
krb5_kkdcp_message *val);
@@ -1183,16 +1179,6 @@ int main(argc, argv)
ktest_empty_auth_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_auth_pack_draft9 */
- {
- setup(krb5_auth_pack_draft9,ktest_make_sample_auth_pack_draft9);
- decode_run("krb5_auth_pack_draft9","","30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61",
- acc.decode_krb5_auth_pack_draft9,
- ktest_equal_auth_pack_draft9,ktest_free_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_kdc_dh_key_info */
{
@@ -1213,16 +1199,6 @@ int main(argc, argv)
ktest_empty_reply_key_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_reply_key_pack_draft9 */
- {
- setup(krb5_reply_key_pack_draft9,ktest_make_sample_reply_key_pack_draft9);
- decode_run("krb5_reply_key_pack_draft9","","30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A",
- acc.decode_krb5_reply_key_pack_draft9,
- ktest_equal_reply_key_pack_draft9,ktest_free_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_principal_name */
/* We have no encoder for this type (KerberosName from RFC 4556); the
@@ -1279,14 +1255,6 @@ ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val)
free(val);
}
-static void
-ktest_free_auth_pack_draft9(krb5_context context, krb5_auth_pack_draft9 *val)
-{
- if (val)
- ktest_empty_auth_pack_draft9(val);
- free(val);
-}
-
static void
ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val)
{
@@ -1319,15 +1287,6 @@ ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val)
free(val);
}
-static void
-ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val)
-{
- if (val)
- ktest_empty_reply_key_pack_draft9(val);
- free(val);
-}
-
#endif /* not DISABLE_PKINIT */
static void
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 3efbfb4c0..72c013468 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -798,15 +798,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_req(&req);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_req_draft9 */
- {
- krb5_pa_pk_as_req_draft9 req;
- ktest_make_sample_pa_pk_as_req_draft9(&req);
- encode_run(req, "pa_pk_as_req_draft9", "",
- acc.encode_krb5_pa_pk_as_req_draft9);
- ktest_empty_pa_pk_as_req_draft9(&req);
- }
- /****************************************************************/
/* encode_krb5_pa_pk_as_rep */
{
krb5_pa_pk_as_rep rep;
@@ -820,19 +811,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_rep(&rep);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_rep_draft9 */
- {
- krb5_pa_pk_as_rep_draft9 rep;
- ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(dhSignedData)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(encKeyPack)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- }
- /****************************************************************/
/* encode_krb5_auth_pack */
{
krb5_auth_pack pack;
@@ -841,15 +819,6 @@ main(argc, argv)
ktest_empty_auth_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_auth_pack_draft9_draft9 */
- {
- krb5_auth_pack_draft9 pack;
- ktest_make_sample_auth_pack_draft9(&pack);
- encode_run(pack, "auth_pack_draft9", "",
- acc.encode_krb5_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_kdc_dh_key_info */
{
krb5_kdc_dh_key_info ki;
@@ -866,15 +835,6 @@ main(argc, argv)
ktest_empty_reply_key_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_reply_key_pack_draft9 */
- {
- krb5_reply_key_pack_draft9 pack;
- ktest_make_sample_reply_key_pack_draft9(&pack);
- encode_run(pack, "reply_key_pack_draft9", "",
- acc.encode_krb5_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_sp80056a_other_info */
{
krb5_sp80056a_other_info info;
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 258377299..7bb698732 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -729,15 +729,6 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p)
ktest_make_sample_data(p->freshnessToken);
}
-static void
-ktest_make_sample_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_make_sample_principal(&p->kdcName);
- p->cusec = SAMPLE_USEC;
- p->ctime = SAMPLE_TIME;
- p->nonce = SAMPLE_NONCE;
-}
-
static void
ktest_make_sample_oid(krb5_data *p)
{
@@ -788,13 +779,6 @@ ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_make_sample_data(&p->kdcPkId);
}
-void
-ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_make_sample_data(&p->signedAuthPack);
- ktest_make_sample_data(&p->kdcCert);
-}
-
static void
ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -818,20 +802,6 @@ ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p)
ktest_make_sample_data(&p->u.encKeyPack);
}
-void
-ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
- ktest_make_sample_data(&p->u.dhSignedData);
-}
-
-void
-ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
- ktest_make_sample_data(&p->u.encKeyPack);
-}
-
void
ktest_make_sample_auth_pack(krb5_auth_pack *p)
{
@@ -851,14 +821,6 @@ ktest_make_sample_auth_pack(krb5_auth_pack *p)
p->supportedKDFs[1] = NULL;
}
-void
-ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_make_sample_pk_authenticator_draft9(&p->pkAuthenticator);
- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info));
- ktest_make_sample_subject_pk_info(p->clientPublicValue);
-}
-
void
ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -874,13 +836,6 @@ ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p)
ktest_make_sample_checksum(&p->asChecksum);
}
-void
-ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_make_sample_keyblock(&p->replyKey);
- p->nonce = SAMPLE_NONCE;
-}
-
void
ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
@@ -1717,12 +1672,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p)
p->freshnessToken = NULL;
}
-static void
-ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_destroy_principal(&p->kdcName);
-}
-
static void
ktest_empty_subject_pk_info(krb5_subject_pk_info *p)
{
@@ -1754,13 +1703,6 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_empty_data(&p->kdcPkId);
}
-void
-ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_empty_data(&p->signedAuthPack);
- ktest_empty_data(&p->kdcCert);
-}
-
static void
ktest_empty_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -1779,16 +1721,6 @@ ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p)
p->choice = choice_pa_pk_as_rep_UNKNOWN;
}
-void
-ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p)
-{
- if (p->choice == choice_pa_pk_as_rep_draft9_dhSignedData)
- ktest_empty_data(&p->u.dhSignedData);
- else if (p->choice == choice_pa_pk_as_rep_draft9_encKeyPack)
- ktest_empty_data(&p->u.encKeyPack);
- p->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
-}
-
void
ktest_empty_auth_pack(krb5_auth_pack *p)
{
@@ -1820,17 +1752,6 @@ ktest_empty_auth_pack(krb5_auth_pack *p)
}
}
-void
-ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_empty_pk_authenticator_draft9(&p->pkAuthenticator);
- if (p->clientPublicValue != NULL) {
- ktest_empty_subject_pk_info(p->clientPublicValue);
- free(p->clientPublicValue);
- p->clientPublicValue = NULL;
- }
-}
-
void
ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -1844,12 +1765,6 @@ ktest_empty_reply_key_pack(krb5_reply_key_pack *p)
ktest_empty_checksum(&p->asChecksum);
}
-void
-ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_empty_keyblock(&p->replyKey);
-}
-
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
ktest_empty_algorithm_identifier(&p->algorithm_identifier);
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 1413cfae1..d9cc90a5c 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -101,18 +101,11 @@ void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p);
void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(
- krb5_pa_pk_as_rep_draft9 *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(
- krb5_pa_pk_as_rep_draft9 *p);
void ktest_make_sample_auth_pack(krb5_auth_pack *p);
-void ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
@@ -197,14 +190,10 @@ void ktest_empty_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p);
-void ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p);
void ktest_empty_auth_pack(krb5_auth_pack *p);
-void ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_empty_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 714cc4398..8a3911cdc 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -876,20 +876,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref,
return p;
}
-static int
-ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref,
- krb5_pk_authenticator_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && ptr_equal(kdcName, ktest_equal_principal_data);
- p = p && scalar_equal(cusec);
- p = p && scalar_equal(ctime);
- p = p && scalar_equal(nonce);
- return p;
-}
-
static int
ktest_equal_subject_pk_info(krb5_subject_pk_info *ref,
krb5_subject_pk_info *var)
@@ -937,18 +923,6 @@ ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var)
return p;
}
-int
-ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref,
- krb5_pa_pk_as_req_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && equal_str(signedAuthPack);
- p = p && equal_str(kdcCert);
- return p;
-}
-
static int
ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var)
{
@@ -996,19 +970,6 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var)
return p;
}
-int
-ktest_equal_auth_pack_draft9(krb5_auth_pack_draft9 *ref,
- krb5_auth_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(pkAuthenticator,
- ktest_equal_pk_authenticator_draft9);
- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info);
- return p;
-}
-
int
ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref,
krb5_kdc_dh_key_info *var)
@@ -1033,18 +994,6 @@ ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var)
return p;
}
-int
-ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref,
- krb5_reply_key_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(replyKey, ktest_equal_keyblock);
- p = p && scalar_equal(nonce);
- return p;
-}
-
#endif /* not DISABLE_PKINIT */
int
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index cfa82ac6e..80a0d781a 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -139,13 +139,10 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
#ifndef DISABLE_PKINIT
generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req);
-generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9);
generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep);
generic(ktest_equal_auth_pack, krb5_auth_pack);
-generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9);
generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info);
generic(ktest_equal_reply_key_pack, krb5_reply_key_pack);
-generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9);
#endif /* not DISABLE_PKINIT */
int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 55a60bbef..9bd08e159 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,13 +1,8 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
-encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61
encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
-encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 9557188a8..3675fba38 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -15,14 +15,6 @@ encode_krb5_pa_pk_as_req:
. [2] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_pa_pk_as_req_draft9:
-
-[Sequence/Sequence Of]
-. [0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-. [2] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
encode_krb5_pa_pk_as_rep(dhInfo):
[CONT 0]
@@ -36,16 +28,6 @@ encode_krb5_pa_pk_as_rep(dhInfo):
encode_krb5_pa_pk_as_rep(encKeyPack):
-[CONT 1] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData):
-
-[CONT 0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack):
-
[CONT 1] <8>
6b 72 62 35 64 61 74 61 krb5data
@@ -79,27 +61,6 @@ encode_krb5_auth_pack:
. . . [0] [Object Identifier] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_auth_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Sequence/Sequence Of]
-. . . . [General string] "hftsai"
-. . . . [General string] "extra"
-. . [1] [General string] "ATHENA.MIT.EDU"
-. . [2] [Integer] 123456
-. . [3] [Generalized Time] "19940610060317Z"
-. . [4] [Integer] 42
-. [1] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [Object Identifier] <9>
- 2a 86 48 86 f7 12 01 02 02 *.H......
-. . . [Octet String] "params"
-. . [Bit String] <9>
- 00 6b 72 62 35 64 61 74 61 .krb5data
-
encode_krb5_kdc_dh_key_info:
[Sequence/Sequence Of]
@@ -118,14 +79,6 @@ encode_krb5_reply_key_pack:
. . [0] [Integer] 1
. . [1] [Octet String] "1234"
-encode_krb5_reply_key_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Integer] 1
-. . [1] [Octet String] "12345678"
-. [1] [Integer] 42
-
encode_krb5_sp80056a_other_info:
[Sequence/Sequence Of]



@ -1,34 +0,0 @@
From ac8df1b0977dd5aedfaeb3d10458aaf18cece29f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 16:01:22 -0400
Subject: [PATCH] Remove ccapi-related comments in configure.ac
These suggested ccapi is buildable on non-Windows, and empirically it
is not.
(cherry picked from commit eb48b176bccf3634b9c82f588dce85125a5c4bd8)
---
src/configure.in | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index 505dabb02..9d6825b78 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1450,7 +1450,6 @@ V5_AC_OUTPUT_MAKEFILE(.
lib/crypto/crypto_tests
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
-dnl lib/krb5/ccache/ccapi
lib/krb5/keytab lib/krb5/krb lib/krb5/rcache lib/krb5/os
lib/krb5/unicode
@@ -1463,8 +1462,6 @@ dnl lib/krb5/ccache/ccapi
lib/krad
lib/apputils
-dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
-
kdc kprop config-files build-tools man doc include
plugins/certauth/test


@ -1,429 +0,0 @@
From ee07471fa613fb68ddebc28577870e97cb5190cf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 13 May 2019 14:19:57 -0400
Subject: [PATCH] Remove checksum type profile variables
Remove support for the krb5.conf relations ap_req_checksum_type,
kdc_req_checksum_type, and safe_checksum_type. These values were
useful for interoperating with very old KDCs, which should no longer
be deployed.
Additionally, kdc_req_checksum_type was incorrectly documented as only
applying to single-DES keys; in practice it also worked for RC4. The
other two were not clearly documented, but safe_checksum_type did
allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type
did not impose any limitations.
[ghudson@mit.edu: edited commit message]
ticket: 8804 (new)
(cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4)
[rharwood@redhat.com: release version conflict in man pages]
---
doc/admin/conf_files/krb5_conf.rst | 37 ------------
src/include/k5-int.h | 6 --
src/lib/krb5/krb/auth_con.c | 2 -
src/lib/krb5/krb/init_ctx.c | 13 -----
src/lib/krb5/krb/send_tgs.c | 19 +------
src/lib/krb5/krb/ser_ctx.c | 38 +------------
src/lib/krb5/krb/t_copy_context.c | 6 --
src/man/krb5.conf.man | 90 ++----------------------------
8 files changed, 7 insertions(+), 204 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index d1e1a222d..a3fb5d9f2 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -105,14 +105,6 @@ The libdefaults section may contain any of the following relations:
strong crypto. Users in affected environments should set this tag
to true until their infrastructure adopts stronger ciphers.
-**ap_req_checksum_type**
- An integer which specifies the type of AP-REQ checksum to use in
- authenticators. This variable should be unset so the appropriate
- checksum for the encryption key in use will be used. This can be
- set if backward compatibility requires a specific checksum type.
- See the **kdc_req_checksum_type** configuration option for the
- possible values and their meanings.
-
**canonicalize**
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
@@ -291,26 +283,6 @@ The libdefaults section may contain any of the following relations:
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.
-**kdc_req_checksum_type**
- An integer which specifies the type of checksum to use for the KDC
- requests, for compatibility with very old KDC implementations.
- This value is only used for DES keys; other keys use the preferred
- checksum type for those keys.
-
- The possible values and their meanings are as follows.
-
- ======== ===============================
- 1 CRC32
- 2 RSA MD4
- 3 RSA MD4 DES
- 4 DES CBC
- 7 RSA MD5
- 8 RSA MD5 DES
- 9 NIST SHA
- 12 HMAC SHA1 DES3
- -138 Microsoft MD5 HMAC checksum type
- ======== ===============================
-
**noaddresses**
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
@@ -359,15 +331,6 @@ The libdefaults section may contain any of the following relations:
(:ref:`duration` string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
-**safe_checksum_type**
- An integer which specifies the type of checksum to use for the
- KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
- compatibility with applications linked against DCE version 1.1 or
- earlier Kerberos libraries, use a value of 3 to use the RSA MD4
- DES instead. This field is ignored when its value is incompatible
- with the session key type. See the **kdc_req_checksum_type**
- configuration option for the possible values and their meanings.
-
**spake_preauth_groups**
A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1e6a739e9..1a78fd7a9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -182,7 +182,6 @@ typedef unsigned char u_char;
#define KRB5_CONF_ACL_FILE "acl_file"
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
-#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
#define KRB5_CONF_CANONICALIZE "canonicalize"
@@ -241,7 +240,6 @@ typedef unsigned char u_char;
#define KRB5_CONF_KDC_LISTEN "kdc_listen"
#define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
#define KRB5_CONF_KDC_PORTS "kdc_ports"
-#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog"
@@ -289,7 +287,6 @@ typedef unsigned char u_char;
#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
#define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt"
-#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
@@ -1185,9 +1182,6 @@ struct _krb5_context {
void *ser_ctx;
/* allowable clock skew */
krb5_deltat clockskew;
- krb5_cksumtype kdc_req_sumtype;
- krb5_cksumtype default_ap_req_sumtype;
- krb5_cksumtype default_safe_sumtype;
krb5_flags kdc_default_options;
krb5_flags library_options;
krb5_boolean profile_secure;
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index c86a4af63..1dfce631c 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -40,8 +40,6 @@ krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context)
(*auth_context)->auth_context_flags =
KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
- (*auth_context)->req_cksumtype = context->default_ap_req_sumtype;
- (*auth_context)->safe_cksumtype = context->default_safe_sumtype;
(*auth_context)->checksum_func = NULL;
(*auth_context)->checksum_func_data = NULL;
(*auth_context)->negotiated_etype = ENCTYPE_NULL;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index d263d5cc5..37405728c 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -258,19 +258,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
ctx->clockskew = tmp;
- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
- get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5,
- &tmp);
- ctx->kdc_req_sumtype = tmp;
-
- get_integer(ctx, KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, &tmp);
- ctx->default_ap_req_sumtype = tmp;
-
- get_integer(ctx, KRB5_CONF_SAFE_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5_DES,
- &tmp);
- ctx->default_safe_sumtype = tmp;
-
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
&tmp);
ctx->kdc_default_options = tmp;
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index e43a5cc5b..3dda2fdaa 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -53,7 +53,6 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
krb5_creds *tgt, krb5_keyblock *subkey,
krb5_data **ap_req_asn1_out)
{
- krb5_cksumtype cksumtype;
krb5_error_code ret;
krb5_checksum checksum;
krb5_authenticator authent;
@@ -67,24 +66,8 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
memset(&ap_req, 0, sizeof(ap_req));
memset(&authent_enc, 0, sizeof(authent_enc));
- /* Determine the authenticator checksum type. */
- switch (tgt->keyblock.enctype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_ARCFOUR_HMAC:
- case ENCTYPE_ARCFOUR_HMAC_EXP:
- cksumtype = context->kdc_req_sumtype;
- break;
- default:
- ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype,
- &cksumtype);
- if (ret)
- goto cleanup;
- }
-
/* Generate checksum. */
- ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock,
+ ret = krb5_c_make_checksum(context, 0, &tgt->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data,
&checksum);
if (ret)
diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
index a9f50b239..39f656322 100644
--- a/src/lib/krb5/krb/ser_ctx.c
+++ b/src/lib/krb5/krb/ser_ctx.c
@@ -124,9 +124,6 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
* krb5_int32 for n_tgs_etypes*sizeof(krb5_int32)
* nktypes*sizeof(krb5_int32) for tgs_etypes.
* krb5_int32 for clockskew
- * krb5_int32 for kdc_req_sumtype
- * krb5_int32 for ap_req_sumtype
- * krb5_int32 for safe_sumtype
* krb5_int32 for kdc_default_options
* krb5_int32 for library_options
* krb5_int32 for profile_secure
@@ -139,7 +136,7 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
kret = EINVAL;
if ((context = (krb5_context) arg)) {
/* Calculate base length */
- required = (14 * sizeof(krb5_int32) +
+ required = (11 * sizeof(krb5_int32) +
(etypes_len(context->in_tkt_etypes) * sizeof(krb5_int32)) +
(etypes_len(context->tgs_etypes) * sizeof(krb5_int32)));
@@ -255,24 +252,6 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
if (kret)
return (kret);
- /* Now kdc_req_sumtype */
- kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype,
- &bp, &remain);
- if (kret)
- return (kret);
-
- /* Now default ap_req_sumtype */
- kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype,
- &bp, &remain);
- if (kret)
- return (kret);
-
- /* Now default safe_sumtype */
- kret = krb5_ser_pack_int32((krb5_int32) context->default_safe_sumtype,
- &bp, &remain);
- if (kret)
- return (kret);
-
/* Now kdc_default_options */
kret = krb5_ser_pack_int32((krb5_int32) context->kdc_default_options,
&bp, &remain);
@@ -426,21 +405,6 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
goto cleanup;
context->clockskew = (krb5_deltat) ibuf;
- /* kdc_req_sumtype */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- goto cleanup;
- context->kdc_req_sumtype = (krb5_cksumtype) ibuf;
-
- /* default ap_req_sumtype */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- goto cleanup;
- context->default_ap_req_sumtype = (krb5_cksumtype) ibuf;
-
- /* default_safe_sumtype */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- goto cleanup;
- context->default_safe_sumtype = (krb5_cksumtype) ibuf;
-
/* kdc_default_options */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index a6e48cd25..22be2198b 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -77,9 +77,6 @@ check_context(krb5_context c, krb5_context r)
check(c->os_context.os_flags == r->os_context.os_flags);
compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
check(c->clockskew == r->clockskew);
- check(c->kdc_req_sumtype == r->kdc_req_sumtype);
- check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
- check(c->default_safe_sumtype == r->default_safe_sumtype);
check(c->kdc_default_options == r->kdc_default_options);
check(c->library_options == r->library_options);
check(c->profile_secure == r->profile_secure);
@@ -136,9 +133,6 @@ main(int argc, char **argv)
check(krb5_cc_set_default_name(ctx, "defccname") == 0);
check(krb5_set_default_realm(ctx, "defrealm") == 0);
ctx->clockskew = 18;
- ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
- ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
- ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
ctx->library_options = 0;
ctx->profile_secure = TRUE;
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 2a7af6aa4..433f38d71 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KRB5.CONF" "5" " " "1.17.1" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
@@ -188,14 +188,6 @@ failures in existing Kerberos infrastructures that do not support
strong crypto. Users in affected environments should set this tag
to true until their infrastructure adopts stronger ciphers.
.TP
-\fBap_req_checksum_type\fP
-An integer which specifies the type of AP\-REQ checksum to use in
-authenticators. This variable should be unset so the appropriate
-checksum for the encryption key in use will be used. This can be
-set if backward compatibility requires a specific checksum type.
-See the \fBkdc_req_checksum_type\fP configuration option for the
-possible values and their meanings.
-.TP
\fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
@@ -277,6 +269,10 @@ hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully\-qualified hostnames. The default value is true.
+.sp
+If this option is set to \fBfallback\fP (new in release 1.18), DNS
+canonicalization will only be performed the server hostname is not
+found with the original name when requesting credentials.
.TP
\fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs
@@ -370,73 +366,6 @@ requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.
.TP
-\fBkdc_req_checksum_type\fP
-An integer which specifies the type of checksum to use for the KDC
-requests, for compatibility with very old KDC implementations.
-This value is only used for DES keys; other keys use the preferred
-checksum type for those keys.
-.sp
-The possible values and their meanings are as follows.
-.TS
-center;
-|l|l|.
-_
-T{
-1
-T} T{
-CRC32
-T}
-_
-T{
-2
-T} T{
-RSA MD4
-T}
-_
-T{
-3
-T} T{
-RSA MD4 DES
-T}
-_
-T{
-4
-T} T{
-DES CBC
-T}
-_
-T{
-7
-T} T{
-RSA MD5
-T}
-_
-T{
-8
-T} T{
-RSA MD5 DES
-T}
-_
-T{
-9
-T} T{
-NIST SHA
-T}
-_
-T{
-12
-T} T{
-HMAC SHA1 DES3
-T}
-_
-T{
-\-138
-T} T{
-Microsoft MD5 HMAC checksum type
-T}
-_
-.TE
-.TP
\fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
@@ -485,15 +414,6 @@ set. The default is not to search domain components.
(duration string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
.TP
-\fBsafe_checksum_type\fP
-An integer which specifies the type of checksum to use for the
-KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
-compatibility with applications linked against DCE version 1.1 or
-earlier Kerberos libraries, use a value of 3 to use the RSA MD4
-DES instead. This field is ignored when its value is incompatible
-with the session key type. See the \fBkdc_req_checksum_type\fP
-configuration option for the possible values and their meanings.
-.TP
\fBspake_preauth_groups\fP
A whitespace or comma\-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
@ -1,430 +0,0 @@
From 1df6ae50de14c8795af7f7aea7f54eede51fd206 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 14:58:19 -0400
Subject: [PATCH] Remove confvalidator utility
This utility has not been maintained with encryption types and salt
changes, which suggests it is unused.
(cherry picked from commit 482a366793d9338e9edb504b407d7704a4bb2f8f)
---
src/util/confvalidator/README | 25 ----
src/util/confvalidator/confparser.py | 144 -------------------
src/util/confvalidator/rules.yml | 13 --
src/util/confvalidator/validator.conf | 2 -
src/util/confvalidator/validator.py | 194 --------------------------
5 files changed, 378 deletions(-)
delete mode 100644 src/util/confvalidator/README
delete mode 100644 src/util/confvalidator/confparser.py
delete mode 100644 src/util/confvalidator/rules.yml
delete mode 100644 src/util/confvalidator/validator.conf
delete mode 100644 src/util/confvalidator/validator.py
diff --git a/src/util/confvalidator/README b/src/util/confvalidator/README
deleted file mode 100644
index 7bf7a106a..000000000
--- a/src/util/confvalidator/README
+++ /dev/null
@@ -1,25 +0,0 @@
-validator.py is a command line tool for identifying invalid attributes, values and some formating problems in Kerberos configuration files.
-The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules file.
-
-Usage:
-
-validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]
-
-Options:
-
-path the path to the configuration file to validate
-
--d defPath path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”.
-
--r rulesPath - path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules.
-
--c validatorConfPath the same as -r and -d options, but in validator configuration file format.
-
-Example:
-
-python validator.py src/config-files/krb5.conf -r rules.yml -d src/include/k5-int.h
-or
-python validator.py src/config-files/krb5.conf -c validator.conf
-
-For more details please refer to the sample files validator.conf and rules.yml
-
diff --git a/src/util/confvalidator/confparser.py b/src/util/confvalidator/confparser.py
deleted file mode 100644
index 2fea142a5..000000000
--- a/src/util/confvalidator/confparser.py
+++ /dev/null
@@ -1,144 +0,0 @@
-'''
-Created on Jan 31, 2010
-
-@author: tsitkova
-'''
-import re
-import copy
-import yaml
-
-class ConfParser(object):
- def __init__(self, path):
- self.configuration = self._parse(path)
-
- def walk(self):
- for trio in self._walk(self.configuration):
- yield trio
-
- def _parse(self, path):
- comment_pattern = re.compile(r'(\s*[#].*)')
- section_pattern = re.compile(r'^\s*\[(?P<section>\w+)\]\s+$')
- empty_pattern = re.compile(r'^\s*$')
- equalsign_pattern = re.compile(r'=')
-
- section = None
- parser_stack = list()
- result = dict()
- value = None
- f = open(path, 'r')
- for (ln,line) in enumerate(f):
- line = comment_pattern.sub('', line)
- line = equalsign_pattern.sub(' = ',line,count=1)
- if empty_pattern.match(line) is not None:
- continue
- m = section_pattern.match(line)
- if m is not None:
- section = m.group('section')
- value = dict()
- result[section] = value
- continue
- if section is None:
- msg = 'Failed to determine section for line #%i' % ln
- raise ValueError(msg)
- try:
- value = self._parseLine(value, line, parser_stack)
- except:
- print 'Error while parsing line %i: %s' % (ln+1, line)
- raise
- f.close()
-
- if len(parser_stack):
- raise 'Parsing error.'
-
- return result
-
- def _parseLine(self, value, content, stack):
- token_pattern = re.compile(r'(?P<token>\S+)(?=\s+)')
- attr = None
- token_stack = list()
-
- for m in token_pattern.finditer(content):
- token = m.group('token')
- if not self._validate(token):
- raise ValueError('Invalid token %s' % token)
- if token == '=':
- if len(token_stack) == 0:
- raise ValueError('Failed to find attribute.')
- elif len(token_stack) == 1:
- attr = token_stack.pop()
- else:
- value[attr] = token_stack[:-1]
- attr = token_stack[-1]
- token_stack = list()
- elif token == '{':
- if attr is None:
- raise ValueError('Failed to find attribute.')
- stack.append((attr,value))
- value = dict()
- elif token == '}':
- if len(stack) == 0:
- raise ValueError('Failed to parse: unbalanced braces')
- if len(token_stack):
- if attr is None:
- raise ValueError('Missing attribute')
- value[attr] = token_stack
- attr = None
- token_stack = list()
- (attr,parent_value) = stack.pop()
- parent_value[attr] = value
- value = parent_value
- else:
- token_stack.append(token)
- if len(token_stack):
- if attr is None:
- raise ValueError('Missing attribute')
- value[attr] = token_stack
-
- return value
-
- def _validate(self, token):
- result = True
- for s in ['{','}']:
- if s in token and s != token:
- result = False
-
- return result
-
- def _walk(self, parsedData, path='root'):
- dirs = list()
- av = list()
- for (key, value) in parsedData.iteritems():
- if type(value) == dict:
- new_path = path + '.' + key
- for trio in self._walk(value, new_path):
- yield trio
- dirs.append(key)
- else:
- av.append((key,value))
- yield (path, dirs, av)
-
-
-
-class ConfParserTest(ConfParser):
- def __init__(self):
- self.conf_path = '../tests/krb5.conf'
- super(ConfParserTest, self).__init__(self.conf_path)
-
- def run_tests(self):
- self._test_walk()
-
- def _test_parse(self):
- result = self._parse(self.conf_path)
- print yaml.dump(result)
-
- def _test_walk(self):
- configuration = self._parse(self.conf_path)
- for (path,dirs,av) in self.walk():
- print path,dirs,av
-
-
-
-
-if __name__ == '__main__':
- tester = ConfParserTest()
- tester.run_tests()
diff --git a/src/util/confvalidator/rules.yml b/src/util/confvalidator/rules.yml
deleted file mode 100644
index c6ccc89fe..000000000
--- a/src/util/confvalidator/rules.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Extend the list of the allowed enctypes and salts as needed
-Types:
- supported_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)(:(normal|v4))?$'
- default_tgs_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)'
- default_tkt_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)'
-
-# Add all valid profile attributes that are not listed in k5-int.h
-Attributes:
- - logging
- - dbmodules
diff --git a/src/util/confvalidator/validator.conf b/src/util/confvalidator/validator.conf
deleted file mode 100644
index 71e205c3b..000000000
--- a/src/util/confvalidator/validator.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-RulesPath=./rules.yml
-HfilePath=../../include/k5-int.h
diff --git a/src/util/confvalidator/validator.py b/src/util/confvalidator/validator.py
deleted file mode 100644
index d739bc091..000000000
--- a/src/util/confvalidator/validator.py
+++ /dev/null
@@ -1,194 +0,0 @@
-'''
-Created on Jan 25, 2010
-
-@author: tsitkova
-'''
-import os
-import sys
-import re
-import yaml
-from optparse import OptionParser
-from confparser import ConfParser
-
-class Rule(object):
- def __init__(self):
- pass
-
- def validate(self,node):
- (path,dirs,avs) = node
-
-
-class Validator(object):
- def __init__(self, kerberosPath, confPath=None, rulesPath=None, hfilePath=None):
- self.parser = ConfParser(kerberosPath)
- if confPath is not None:
- content = self._readConfigFile(confPath)
- rulesPath = content['RulesPath']
- hfilePath = content['HfilePath']
- if rulesPath is not None and hfilePath is not None:
- self.rules = self._loadRules(rulesPath)
- self.validKeys = SupportedKeys(hfilePath).validKeys.union(self.rules['Attributes'])
- else:
- raise ValueError('Invalid arguments for validator: no path to rules and definition files')
-
- self._attribute_pattern = re.compile(r'^\w+$')
- self._lowercase_pattern = re.compile(r'[a-z]')
-
- def _readConfigFile(self,path):
- f = open(path)
- result = dict()
- for line in f:
- line = line.rstrip()
- fields = line.split('=')
- result[fields[0]] = fields[1]
-
- return result
-
- def _loadRules(self, path):
- f = open(path)
- rules = yaml.load(f)
- f.close()
-
- return rules
-
- def validate(self):
- typeInfo = self.rules['Types']
-
- for node in self.parser.walk():
- self._validateTypes(node, typeInfo)
- self._validateAttrubutes(node, self.validKeys)
- # self._validateRealm(node)
-
-
- def _validateTypes(self, node, typeInfo):
- (path, dirs, avs) = node
- for (key, value) in avs:
- valid_type_pattern = typeInfo.get(key)
- if valid_type_pattern is not None:
- for t in value:
- if re.match(valid_type_pattern, t) is None:
- print 'Wrong type %s for attribute %s.%s' % (t,path,key)
-
- def _validateAttrubutes(self, node, validKeys):
- (path, dirs, avs) = node
- attributes = list()
- for attr in dirs:
- if self._attribute_pattern.match(attr) is not None:
- attributes.append(attr)
- for (attr, value) in avs:
- if self._attribute_pattern.match(attr) is not None:
- attributes.append(attr)
-
- for attr in attributes:
- if attr not in validKeys:
- print 'Unrecognized attribute %s at %s' % (attr, path)
-
-# def _validateRealm(self, node):
-# (path, dirs, avs) = node
-# if path == 'root.realms':
-# for attr in dirs:
-# if self._lowercase_pattern.search(attr) is not None:
-# print 'Lower case letter in realm attribute: %s at %s' % (attr, path)
-
-class SupportedKeys(object):
- def __init__(self, path):
- self.validKeys = self.getKeysFromHfile(path)
-
- def getKeysFromHfile(self, path):
- pattern = re.compile(r'^[#]define KRB5_CONF_\w+\s+["](\w+)["]')
- f = open(path)
- result = set()
- for l in f:
- l = l.rstrip()
- m = pattern.match(l)
- if m is not None:
- result.add(m.groups()[0])
- f.close()
-
- return result
-
-
-class ValidatorTest(Validator):
- def __init__(self):
- self.kerberosPath = '../tests/kdc1.conf'
- self.rulesPath = '../tests/rules.yml'
- self.hfilePath = '../tests/k5-int.h'
- self.confPath = '../tests/validator.conf'
-
- super(ValidatorTest, self).__init__(self.kerberosPath,
- rulesPath=self.rulesPath,
- hfilePath=self.hfilePath)
-
- def run_tests(self):
- self._test_validate()
-
- def _test__loadRules(self):
- result = self._loadRules(self.rulesPath)
- print result
-
- def _test_validate(self):
- self.validate()
-
- def _test__readConfigFile(self):
- result = self._readConfigFile(self.confPath)
- print result
-
-class SupportedKeysTest(SupportedKeys):
- def __init__(self):
- self.path = '../tests/k5-int.h'
-
- def run_tests(self):
- self._test_getKeysFromHFile()
-
- def _test_getKeysFromHFile(self):
- result = set()
- krb5keys = self.getKeysFromHfile(self.path)
- for key in krb5keys:
- print key
- result.update(key)
- print len(krb5keys)
-
- return result
-
-def _test():
- tester = ValidatorTest()
- krb5keys = tester.run_tests()
-
-if __name__ == '__main__':
- TEST = False
- if TEST:
- _test()
- sys.exit()
-
-
- usage = "\n\t%prog path [-d defPath] [-r rulesPath] [-c validatorConfPath]"
- description = 'Description: validates kerberos configuration file'
- parser = OptionParser(usage = usage, description = description)
- parser.add_option("-c", dest="confPath",
- help='path to validator config file')
- parser.add_option("-d", dest="hfilePath",
- help='path to h-file with attribute definition')
- parser.add_option("-r", dest="rulesPath",
- help='path to file with validation rules')
- (options, args) = parser.parse_args()
-
- if len(args) != 1 and len(sys.argv) <= 3:
- print '\n%s' % parser.get_usage()
- sys.exit()
-
- validator = None
- if options.confPath is not None:
- validator = Validator(args[0], confPath=options.confPath)
- elif options.hfilePath is not None and options.rulesPath is not None:
- validator = Validator(args[0], hfilePath=options.hfilePath, rulesPath=options.rulesPath)
- else:
- print '\nMust specify either configuration file or paths to rules and definitions files'
- print '%s' % parser.get_usage()
- sys.exit()
-
- validator.validate()
-
-
-
-
-
@ -1,69 +0,0 @@
From 5c9dce0ac1b8b6fcb048404e3830fd4619f4f1c5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 16:57:51 -0400
Subject: [PATCH] Remove dead variable def_kslist from two files
def_kslist was part of kdb5_create.c since its addition (commit
edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1) and has always been
irrelevant since the rblock structure is fully initialized in
kdb5_create().
def_klist was copied into kdb5_ldap_realm.c (present in addition at
commit 42d9d6ab320ee3a661fe21472be542acd542d5be). The global rblock
structure (and therefore the initializer) was removed in commit
9c850f8b62784170a5e42315c1a9552ddcf4ca2b, leaving def_kslist
unreferenced.
Remove def_kslist from both files, and remove the rblock initializer
from kdb5_create.c.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit 6309f5e3508cd24151222b2cd095766283e205f2)
---
src/kadmin/dbutil/kdb5_create.c | 12 +-----------
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 1 -
2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
index bc1b9195d..efdb8adb0 100644
--- a/src/kadmin/dbutil/kdb5_create.c
+++ b/src/kadmin/dbutil/kdb5_create.c
@@ -66,8 +66,6 @@ enum ap_op {
TGT_KEY /* special handling for tgt key */
};
-krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
-
struct realm_info {
krb5_deltat max_life;
krb5_deltat max_rlife;
@@ -76,15 +74,7 @@ struct realm_info {
krb5_keyblock *key;
krb5_int32 nkslist;
krb5_key_salt_tuple *kslist;
-} rblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- (krb5_keyblock *) NULL,
- 1,
- &def_kslist
-};
+} rblock;
struct iterate_args {
krb5_context ctx;
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 5a745e21d..c21d19981 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -91,7 +91,6 @@
extern time_t get_date(char *); /* kadmin/cli/getdate.o */
char *yes = "yes\n"; /* \n to compare against result of fgets */
-krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
krb5_data tgt_princ_entries[] = {
{0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
@ -1,466 +0,0 @@
From 620a45acc6ea6c01cce0474883011ed47cb35458 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 16:14:46 -0400
Subject: [PATCH] Remove kadmin RPC support for setting v4 key
ticket: 8794 (new)
(cherry picked from commit 752187a441ed0f301f1a8adb1fea843080ac8c97)
---
src/kadmin/server/kadm_rpc_svc.c | 7 --
src/kadmin/server/ovsec_kadmd.c | 2 +-
src/kadmin/server/server_stubs.c | 50 ---------
src/lib/kadm5/admin.h | 3 -
src/lib/kadm5/admin_xdr.h | 1 -
src/lib/kadm5/clnt/Makefile.in | 2 +-
src/lib/kadm5/clnt/client_principal.c | 22 ----
src/lib/kadm5/clnt/client_rpc.c | 8 --
src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 -
src/lib/kadm5/kadm_rpc.h | 16 +--
src/lib/kadm5/kadm_rpc_xdr.c | 19 ----
src/lib/kadm5/srv/Makefile.in | 2 +-
src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 -
src/lib/kadm5/srv/svr_principal.c | 118 --------------------
14 files changed, 6 insertions(+), 248 deletions(-)
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
index 41fc88ac8..d343e2c25 100644
--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -53,7 +53,6 @@ void kadm_1(rqstp, transp)
mpol_arg modify_policy_2_arg;
gpol_arg get_policy_2_arg;
setkey_arg setkey_principal_2_arg;
- setv4key_arg setv4key_principal_2_arg;
cprinc3_arg create_principal3_2_arg;
chpass3_arg chpass_principal3_2_arg;
chrand3_arg chrand_principal3_2_arg;
@@ -134,12 +133,6 @@ void kadm_1(rqstp, transp)
local = (bool_t (*)()) chpass_principal_2_svc;
break;
- case SETV4KEY_PRINCIPAL:
- xdr_argument = xdr_setv4key_arg;
- xdr_result = xdr_generic_ret;
- local = (bool_t (*)()) setv4key_principal_2_svc;
- break;
-
case SETKEY_PRINCIPAL:
xdr_argument = xdr_setkey_arg;
xdr_result = xdr_generic_ret;
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 6a6b21401..3737791b6 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -227,7 +227,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name,
{14, "GET_PRINCS"},
{15, "GET_POLS"},
{16, "SETKEY_PRINCIPAL"},
- {17, "SETV4KEY_PRINCIPAL"},
+ /* 17 was "SETV4KEY_PRINCIPAL" */
{18, "CREATE_PRINCIPAL3"},
{19, "CHPASS_PRINCIPAL3"},
{20, "CHRAND_PRINCIPAL3"},
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index cfef97fec..d5a25e502 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -893,56 +893,6 @@ exit_func:
return TRUE;
}
-bool_t
-setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret,
- struct svc_req *rqstp)
-{
- char *prime_arg = NULL;
- gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
-
- ret->code = stub_setup(arg->api_version, rqstp, arg->princ, &handle,
- &ret->api_version, &client_name, &service_name,
- &prime_arg);
- if (ret->code)
- goto exit_func;
-
- ret->code = check_lockdown_keys(handle, arg->princ);
- if (ret->code != KADM5_OK) {
- if (ret->code == KADM5_PROTECT_KEYS) {
- log_unauth("kadm5_setv4key_principal", prime_arg, &client_name,
- &service_name, rqstp);
- ret->code = KADM5_AUTH_SETKEY;
- }
- } else if (!(CHANGEPW_SERVICE(rqstp)) &&
- stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
- ret->code = kadm5_setv4key_principal(handle, arg->princ,
- arg->keyblock);
- } else {
- log_unauth("kadm5_setv4key_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret->code = KADM5_AUTH_SETKEY;
- }
-
- if (ret->code != KADM5_AUTH_SETKEY) {
- if (ret->code != 0)
- errmsg = krb5_get_error_message(handle->context, ret->code);
-
- log_done("kadm5_setv4key_principal", prime_arg, errmsg,
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
- }
-
-exit_func:
- stub_cleanup(handle, prime_arg, &client_name, &service_name);
- return TRUE;
-}
-
-
bool_t
setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret,
struct svc_req *rqstp)
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index b765148b3..7268be44e 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -394,9 +394,6 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **keyblocks,
int *n_keys);
-kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblock);
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
krb5_principal principal,
diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h
index 2d22611e7..9da98451e 100644
--- a/src/lib/kadm5/admin_xdr.h
+++ b/src/lib/kadm5/admin_xdr.h
@@ -37,7 +37,6 @@ bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp);
bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp);
bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp);
bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp);
-bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp);
bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp);
bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp);
bool_t xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp);
diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in
index a180e85cd..2bc385afe 100644
--- a/src/lib/kadm5/clnt/Makefile.in
+++ b/src/lib/kadm5/clnt/Makefile.in
@@ -3,7 +3,7 @@ BUILDTOP=$(REL)..$(S)..$(S)..
LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5
LIBBASE=kadm5clnt_mit
-LIBMAJOR=11
+LIBMAJOR=12
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
SHLIB_EXPDEPS=\
diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c
index 18714bf37..96d9d1932 100644
--- a/src/lib/kadm5/clnt/client_principal.c
+++ b/src/lib/kadm5/clnt/client_principal.c
@@ -273,28 +273,6 @@ kadm5_chpass_principal_3(void *server_handle,
return r.code;
}
-kadm5_ret_t
-kadm5_setv4key_principal(void *server_handle,
- krb5_principal princ,
- krb5_keyblock *keyblock)
-{
- setv4key_arg arg;
- generic_ret r = { 0, 0 };
- kadm5_server_handle_t handle = server_handle;
-
- CHECK_HANDLE(server_handle);
-
- arg.princ = princ;
- arg.keyblock = keyblock;
- arg.api_version = handle->api_version;
-
- if(princ == NULL || keyblock == NULL)
- return EINVAL;
- if (setv4key_principal_2(&arg, &r, handle->clnt))
- eret();
- return r.code;
-}
-
kadm5_ret_t
kadm5_setkey_principal(void *server_handle,
krb5_principal princ,
diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c
index df5455fd8..d84d158b4 100644
--- a/src/lib/kadm5/clnt/client_rpc.c
+++ b/src/lib/kadm5/clnt/client_rpc.c
@@ -84,14 +84,6 @@ chpass_principal3_2(chpass3_arg *argp, generic_ret *res, CLIENT *clnt)
(xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT);
}
-enum clnt_stat
-setv4key_principal_2(setv4key_arg *argp, generic_ret *res, CLIENT *clnt)
-{
- return clnt_call(clnt, SETV4KEY_PRINCIPAL,
- (xdrproc_t)xdr_setv4key_arg, (caddr_t)argp,
- (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT);
-}
-
enum clnt_stat
setkey_principal_2(setkey_arg *argp, generic_ret *res, CLIENT *clnt)
{
diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
index f122b31ab..e41c8e4f7 100644
--- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
+++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
@@ -44,7 +44,6 @@ kadm5_set_string
kadm5_setkey_principal
kadm5_setkey_principal_3
kadm5_setkey_principal_4
-kadm5_setv4key_principal
kadm5_unlock
krb5_aprof_finish
krb5_aprof_get_boolean
@@ -114,6 +113,5 @@ xdr_rprinc_arg
xdr_setkey3_arg
xdr_setkey4_arg
xdr_setkey_arg
-xdr_setv4key_arg
xdr_ui_4
kadm5_init_iprop
diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h
index 8d7cf3b36..5099c6c14 100644
--- a/src/lib/kadm5/kadm_rpc.h
+++ b/src/lib/kadm5/kadm_rpc.h
@@ -82,13 +82,6 @@ struct chpass3_arg {
};
typedef struct chpass3_arg chpass3_arg;
-struct setv4key_arg {
- krb5_ui_4 api_version;
- krb5_principal princ;
- krb5_keyblock *keyblock;
-};
-typedef struct setv4key_arg setv4key_arg;
-
struct setkey_arg {
krb5_ui_4 api_version;
krb5_principal princ;
@@ -322,11 +315,9 @@ extern enum clnt_stat setkey_principal_2(setkey_arg *, generic_ret *,
CLIENT *);
extern bool_t setkey_principal_2_svc(setkey_arg *, generic_ret *,
struct svc_req *);
-#define SETV4KEY_PRINCIPAL 17
-extern enum clnt_stat setv4key_principal_2(setv4key_arg *, generic_ret *,
- CLIENT *);
-extern bool_t setv4key_principal_2_svc(setv4key_arg *, generic_ret *,
- struct svc_req *);
+
+/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). */
+
#define CREATE_PRINCIPAL3 18
extern enum clnt_stat create_principal3_2(cprinc3_arg *, generic_ret *,
CLIENT *);
@@ -380,7 +371,6 @@ extern bool_t xdr_gprincs_arg ();
extern bool_t xdr_gprincs_ret ();
extern bool_t xdr_chpass_arg ();
extern bool_t xdr_chpass3_arg ();
-extern bool_t xdr_setv4key_arg ();
extern bool_t xdr_setkey_arg ();
extern bool_t xdr_setkey3_arg ();
extern bool_t xdr_setkey4_arg ();
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2892d4147..745ee857e 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -710,25 +710,6 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp)
return (TRUE);
}
-bool_t
-xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp)
-{
- unsigned int n_keys = 1;
-
- if (!xdr_ui_4(xdrs, &objp->api_version)) {
- return (FALSE);
- }
- if (!xdr_krb5_principal(xdrs, &objp->princ)) {
- return (FALSE);
- }
- if (!xdr_array(xdrs, (caddr_t *) &objp->keyblock,
- &n_keys, ~0,
- sizeof(krb5_keyblock), xdr_krb5_keyblock)) {
- return (FALSE);
- }
- return (TRUE);
-}
-
bool_t
xdr_setkey_arg(XDR *xdrs, setkey_arg *objp)
{
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index 617d65666..89e6097cf 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@
##DOSLIBNAME = libkadm5srv.lib
LIBBASE=kadm5srv_mit
-LIBMAJOR=11
+LIBMAJOR=12
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index 64ad5dd69..e3c04e690 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -45,7 +45,6 @@ kadm5_set_string
kadm5_setkey_principal
kadm5_setkey_principal_3
kadm5_setkey_principal_4
-kadm5_setv4key_principal
kadm5_unlock
kdb_delete_entry
kdb_free_entry
@@ -133,7 +132,6 @@ xdr_rprinc_arg
xdr_setkey3_arg
xdr_setkey4_arg
xdr_setkey_arg
-xdr_setv4key_arg
xdr_sstring_arg
xdr_ui_4
kadm5_init_iprop
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index be0922101..a1ecdbfc4 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1649,124 +1649,6 @@ done:
return ret;
}
-/*
- * kadm5_setv4key_principal:
- *
- * Set only ONE key of the principal, removing all others. This key
- * must have the DES_CBC_CRC enctype and is entered as having the
- * krb4 salttype. This is to enable things like kadmind4 to work.
- */
-kadm5_ret_t
-kadm5_setv4key_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblock)
-{
- krb5_db_entry *kdb;
- osa_princ_ent_rec adb;
- krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- krb5_keysalt keysalt;
- int i, kvno, ret;
- krb5_boolean have_pol = FALSE;
- kadm5_server_handle_t handle = server_handle;
- krb5_key_data tmp_key_data;
- krb5_keyblock *act_mkey;
-
- memset( &tmp_key_data, 0, sizeof(tmp_key_data));
-
- CHECK_HANDLE(server_handle);
-
- krb5_clear_error_message(handle->context);
-
- if (principal == NULL || keyblock == NULL)
- return EINVAL;
- if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
-
- if (keyblock->enctype != ENCTYPE_DES_CBC_CRC)
- return KADM5_SETV4KEY_INVAL_ENCTYPE;
-
- if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
-
- for (kvno = 0, i=0; i<kdb->n_key_data; i++)
- if (kdb->key_data[i].key_data_kvno > kvno)
- kvno = kdb->key_data[i].key_data_kvno;
-
- if (kdb->key_data != NULL)
- cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
-
- kdb->key_data = calloc(1, sizeof(krb5_key_data));
- if (kdb->key_data == NULL)
- return ENOMEM;
- kdb->n_key_data = 1;
- keysalt.type = KRB5_KDB_SALTTYPE_V4;
- /* XXX data.magic? */
- keysalt.data.length = 0;
- keysalt.data.data = NULL;
-
- ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
- if (ret)
- goto done;
-
- /* use tmp_key_data as temporary location and reallocate later */
- ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock,
- &keysalt, kvno + 1, kdb->key_data);
- if (ret) {
- goto done;
- }
-
- kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
-
- ret = krb5_timeofday(handle->context, &now);
- if (ret)
- goto done;
-
- if ((adb.aux_attributes & KADM5_POLICY)) {
- ret = get_policy(handle, adb.policy, &pol, &have_pol);
- if (ret)
- goto done;
- }
- if (have_pol) {
- if (pol.pw_max_life)
- kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
- kdb->pw_expiration = 0;
- }
-
- ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
- if (ret)
- goto done;
-
- /* unlock principal on this KDC */
- kdb->fail_auth_count = 0;
-
- /* key data changed, let the database provider know */
- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
-
- if ((ret = kdb_put_entry(handle, kdb, &adb)))
- goto done;
-
- ret = KADM5_OK;
-done:
- for (i = 0; i < tmp_key_data.key_data_ver; i++) {
- if (tmp_key_data.key_data_contents[i]) {
- memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
- free (tmp_key_data.key_data_contents[i]);
- }
- }
-
- kdb_free_entry(handle, kdb, &adb);
- if (have_pol)
- kadm5_free_policy_ent(handle->lhandle, &pol);
-
- return ret;
-}
-
kadm5_ret_t
kadm5_setkey_principal(void *server_handle,
krb5_principal principal,
@ -1,479 +0,0 @@
From 90c702467b0c4373758f235512c67f80f1998e02 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 18 Apr 2019 17:27:07 -0400
Subject: [PATCH] Remove krb5int_c_combine_keys()
This method of combining keys was specified by
draft-ietf-krb-wg-kerberos-sam for DES and 3DES enctypes, and is
otherwise unused. Remove it.
[ghudson@mit.edu: rewrote commit message]
ticket: 8812
(cherry picked from commit 925a7df2f486aaa3ff137d2bcdf8ff57186638c6)
[rharwood@redhat.com: conflicts: .gitignore]
---
src/include/k5-int.h | 7 -
src/lib/crypto/crypto_tests/Makefile.in | 12 +-
src/lib/crypto/crypto_tests/deps | 10 --
src/lib/crypto/crypto_tests/t_combine.c | 62 -------
src/lib/crypto/krb/Makefile.in | 3 -
src/lib/crypto/krb/combine_keys.c | 227 ------------------------
src/lib/crypto/krb/deps | 13 --
src/lib/crypto/libk5crypto.exports | 1 -
8 files changed, 3 insertions(+), 332 deletions(-)
delete mode 100644 src/lib/crypto/crypto_tests/t_combine.c
delete mode 100644 src/lib/crypto/krb/combine_keys.c
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 2bc59e636..0857fd1cc 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -673,13 +673,6 @@ zapfreedata(krb5_data *data)
}
}
-/*
- * Combine two keys (normally used by the hardware preauth mechanism)
- */
-krb5_error_code
-krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
- krb5_keyblock *key2, krb5_keyblock *outkey);
-
void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key);
void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *);
krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype,
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
index 09feeb50e..0295ee14f 100644
--- a/src/lib/crypto/crypto_tests/Makefile.in
+++ b/src/lib/crypto/crypto_tests/Makefile.in
@@ -23,8 +23,7 @@ EXTRADEPSRCS=\
$(srcdir)/t_short.c \
$(srcdir)/t_str2key.c \
$(srcdir)/t_derive.c \
- $(srcdir)/t_fork.c \
- $(srcdir)/t_combine.c
+ $(srcdir)/t_fork.c
##DOS##BUILDTOP = ..\..\..
@@ -33,8 +32,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
aes-test \
camellia-test \
t_mddriver4 t_mddriver \
- t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
- t_combine
+ t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2
$(RUN_TEST) ./t_nfold
$(RUN_TEST) ./t_encrypt
$(RUN_TEST) ./t_decrypt
@@ -59,7 +57,6 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
$(RUN_TEST) ./t_fork
$(RUN_TEST) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
diff t_cf2.output $(srcdir)/t_cf2.expected
- $(RUN_TEST) ./t_combine
# $(RUN_TEST) ./t_pkcs5
t_nfold$(EXEEXT): t_nfold.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
@@ -134,9 +131,6 @@ t_fork$(EXEEXT): t_fork.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_cf2.$(OBJEXT) $(KRB5_BASE_LIBS)
-t_combine$(EXEEXT): t_combine.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_combine.$(OBJEXT) $(KRB5_BASE_LIBS)
-
clean:
$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o \
t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \
@@ -149,7 +143,7 @@ clean:
t_str2key.o t_derive t_derive.o t_fork t_fork.o \
t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \
camellia-test camellia-test.o camellia-vt.txt \
- t_cf2 t_cf2.o t_cf2.output t_combine.o t_combine
+ t_cf2 t_cf2.o t_cf2.output
-$(RM) t_prng.output
-$(RM) t_prf.output
diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps
index 19fef2582..0d10d4a1a 100644
--- a/src/lib/crypto/crypto_tests/deps
+++ b/src/lib/crypto/crypto_tests/deps
@@ -226,13 +226,3 @@ $(OUTPRE)t_fork.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h t_fork.c
-$(OUTPRE)t_combine.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h t_combine.c
diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c
deleted file mode 100644
index ba0622bcf..000000000
--- a/src/lib/crypto/crypto_tests/t_combine.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/crypto_tests/t_combine.c - krb5int_c_combine_keys tests */
-/*
- * Copyright (C) 2014 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "k5-int.h"
-
-unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73"
- "\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13";
-unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A"
- "\xB5\x70\x2A\x29\xB3\xBF\x9B\xA8\x46\x7C\x5B\xA8\x8A\x46\x70\x10";
-unsigned char des3_result[] = "\x2F\x79\x97\x3E\x3E\xA4\x73\x1A"
- "\xB9\x3D\xEF\x5E\x7C\x29\xFB\x2A\x68\x86\x1F\xC1\x85\x0E\x79\x92";
-
-int
-main(int argc, char **argv)
-{
- krb5_keyblock kb1, kb2, result;
-
- kb1.enctype = ENCTYPE_DES3_CBC_SHA1;
- kb1.contents = des3_key1;
- kb1.length = 24;
- kb2.enctype = ENCTYPE_DES3_CBC_SHA1;
- kb2.contents = des3_key2;
- kb2.length = 24;
- memset(&result, 0, sizeof(result));
- if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0)
- abort();
- if (result.enctype != ENCTYPE_DES3_CBC_SHA1 || result.length != 24 ||
- memcmp(result.contents, des3_result, 24) != 0)
- abort();
- krb5_free_keyblock_contents(NULL, &result);
-
- return 0;
-}
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index c0e0b791b..536bacb6e 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -22,7 +22,6 @@ STLIBOBJS=\
cksumtypes.o \
cmac.o \
coll_proof_cksum.o \
- combine_keys.o \
crypto_length.o \
crypto_libinit.o \
default_state.o \
@@ -84,7 +83,6 @@ OBJS=\
$(OUTPRE)cksumtypes.$(OBJEXT) \
$(OUTPRE)cmac.$(OBJEXT) \
$(OUTPRE)coll_proof_cksum.$(OBJEXT) \
- $(OUTPRE)combine_keys.$(OBJEXT) \
$(OUTPRE)crypto_length.$(OBJEXT) \
$(OUTPRE)crypto_libinit.$(OBJEXT) \
$(OUTPRE)default_state.$(OBJEXT) \
@@ -146,7 +144,6 @@ SRCS=\
$(srcdir)/cksumtypes.c \
$(srcdir)/cmac.c \
$(srcdir)/coll_proof_cksum.c \
- $(srcdir)/combine_keys.c \
$(srcdir)/crypto_length.c \
$(srcdir)/crypto_libinit.c \
$(srcdir)/default_state.c \
diff --git a/src/lib/crypto/krb/combine_keys.c b/src/lib/crypto/krb/combine_keys.c
deleted file mode 100644
index c36434e17..000000000
--- a/src/lib/crypto/krb/combine_keys.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* Copyright (c) 2002 Naval Research Laboratory (NRL/CCS) */
-/*
- * Permission to use, copy, modify and distribute this software and its
- * documentation is hereby granted, provided that both the copyright
- * notice and this permission notice appear in all copies of the software,
- * derivative works or modified versions, and any portions thereof.
- *
- * NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND
- * DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER
- * RESULTING FROM THE USE OF THIS SOFTWARE.
- */
-
-/*
- * Key combination function.
- *
- * If Key1 and Key2 are two keys to be combined, the algorithm to combine
- * them is as follows.
- *
- * Definitions:
- *
- * k-truncate is defined as truncating to the key size the input.
- *
- * DR is defined as the generate "random" data from a key
- * (defined in crypto draft)
- *
- * DK is defined as the key derivation function (krb5int_derive_key())
- *
- * (note: | means "concatenate")
- *
- * Combine key algorithm:
- *
- * R1 = DR(Key1, n-fold(Key2)) [ Output is length of Key1 ]
- * R2 = DR(Key2, n-fold(Key1)) [ Output is length of Key2 ]
- *
- * rnd = n-fold(R1 | R2) [ Note: output size of nfold must be appropriately
- * sized for random-to-key function ]
- * tkey = random-to-key(rnd)
- * Combine-Key(Key1, Key2) = DK(tkey, CombineConstant)
- *
- * CombineConstant is defined as the byte string:
- *
- * { 0x63 0x6f 0x6d 0x62 0x69 0x6e 0x65 }, which corresponds to the
- * ASCII encoding of the string "combine"
- */
-
-#include "crypto_int.h"
-
-static krb5_error_code dr(const struct krb5_enc_provider *enc,
- const krb5_keyblock *inkey, unsigned char *outdata,
- const krb5_data *in_constant);
-
-/*
- * We only support this combine_keys algorithm for des and 3des keys.
- * Everything else should use the PRF defined in the crypto framework.
- * We don't implement that yet.
- */
-
-static krb5_boolean
-enctype_ok(krb5_enctype e)
-{
- switch (e) {
- case ENCTYPE_DES3_CBC_SHA1:
- return TRUE;
- default:
- return FALSE;
- }
-}
-
-krb5_error_code
-krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
- krb5_keyblock *key2, krb5_keyblock *outkey)
-{
- unsigned char *r1 = NULL, *r2 = NULL, *combined = NULL, *rnd = NULL;
- unsigned char *output = NULL;
- size_t keybytes, keylength;
- const struct krb5_enc_provider *enc;
- krb5_data input, randbits;
- krb5_keyblock tkeyblock;
- krb5_key tkey = NULL;
- krb5_error_code ret;
- const struct krb5_keytypes *ktp;
- krb5_boolean myalloc = FALSE;
-
- if (!enctype_ok(key1->enctype) || !enctype_ok(key2->enctype))
- return KRB5_CRYPTO_INTERNAL;
-
- if (key1->length != key2->length || key1->enctype != key2->enctype)
- return KRB5_CRYPTO_INTERNAL;
-
- /* Find our encryption algorithm. */
- ktp = find_enctype(key1->enctype);
- if (ktp == NULL)
- return KRB5_BAD_ENCTYPE;
- enc = ktp->enc;
-
- keybytes = enc->keybytes;
- keylength = enc->keylength;
-
- /* Allocate and set up buffers. */
- r1 = k5alloc(keybytes, &ret);
- if (ret)
- goto cleanup;
- r2 = k5alloc(keybytes, &ret);
- if (ret)
- goto cleanup;
- rnd = k5alloc(keybytes, &ret);
- if (ret)
- goto cleanup;
- combined = k5calloc(2, keybytes, &ret);
- if (ret)
- goto cleanup;
- output = k5alloc(keylength, &ret);
- if (ret)
- goto cleanup;
-
- /*
- * Get R1 and R2 (by running the input keys through the DR algorithm.
- * Note this is most of derive-key, but not all.
- */
-
- input.length = key2->length;
- input.data = (char *) key2->contents;
- ret = dr(enc, key1, r1, &input);
- if (ret)
- goto cleanup;
-
- input.length = key1->length;
- input.data = (char *) key1->contents;
- ret = dr(enc, key2, r2, &input);
- if (ret)
- goto cleanup;
-
- /*
- * Concatenate the two keys together, and then run them through
- * n-fold to reduce them to a length appropriate for the random-to-key
- * operation. Note here that krb5int_nfold() takes sizes in bits, hence
- * the multiply by 8.
- */
-
- memcpy(combined, r1, keybytes);
- memcpy(combined + keybytes, r2, keybytes);
-
- krb5int_nfold((keybytes * 2) * 8, combined, keybytes * 8, rnd);
-
- /*
- * Run the "random" bits through random-to-key to produce a encryption
- * key.
- */
-
- randbits.length = keybytes;
- randbits.data = (char *) rnd;
- tkeyblock.length = keylength;
- tkeyblock.contents = output;
- tkeyblock.enctype = key1->enctype;
-
- ret = (*ktp->rand2key)(&randbits, &tkeyblock);
- if (ret)
- goto cleanup;
-
- ret = krb5_k_create_key(NULL, &tkeyblock, &tkey);
- if (ret)
- goto cleanup;
-
- /*
- * Run through derive-key one more time to produce the final key.
- * Note that the input to derive-key is the ASCII string "combine".
- */
-
- input.length = 7;
- input.data = "combine";
-
- /*
- * Just FYI: _if_ we have space here in the key, then simply use it
- * without modification. But if the key is blank (no allocated storage)
- * then allocate some memory for it. This allows programs to use one of
- * the existing keys as the output key, _or_ pass in a blank keyblock
- * for us to allocate. It's easier for us to allocate it since we already
- * know the crypto library internals
- */
-
- if (outkey->length == 0 || outkey->contents == NULL) {
- outkey->contents = k5alloc(keylength, &ret);
- if (ret)
- goto cleanup;
- outkey->length = keylength;
- outkey->enctype = key1->enctype;
- myalloc = TRUE;
- }
-
- ret = krb5int_derive_keyblock(enc, NULL, tkey, outkey, &input,
- DERIVE_RFC3961);
- if (ret) {
- if (myalloc) {
- free(outkey->contents);
- outkey->contents = NULL;
- }
- goto cleanup;
- }
-
-cleanup:
- zapfree(r1, keybytes);
- zapfree(r2, keybytes);
- zapfree(rnd, keybytes);
- zapfree(combined, keybytes * 2);
- zapfree(output, keylength);
- krb5_k_free_key(NULL, tkey);
- return ret;
-}
-
-/* Our DR function, a simple wrapper around krb5int_derive_random(). */
-static krb5_error_code
-dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
- unsigned char *out, const krb5_data *in_constant)
-{
- krb5_data outdata = make_data(out, enc->keybytes);
- krb5_key key = NULL;
- krb5_error_code ret;
-
- ret = krb5_k_create_key(NULL, inkey, &key);
- if (ret != 0)
- return ret;
- ret = krb5int_derive_random(enc, NULL, key, &outdata, in_constant,
- DERIVE_RFC3961);
- krb5_k_free_key(NULL, key);
- return ret;
-}
diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps
index f9a740860..2f4af1906 100644
--- a/src/lib/crypto/krb/deps
+++ b/src/lib/crypto/krb/deps
@@ -191,19 +191,6 @@ coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h coll_proof_cksum.c \
crypto_int.h
-combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h combine_keys.c \
- crypto_int.h
crypto_length.so crypto_length.po $(OUTPRE)crypto_length.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 63804299f..451d5e035 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -58,7 +58,6 @@ krb5_c_prf_length
krb5int_c_mandatory_cksumtype
krb5_c_fx_cf2_simple
krb5int_c_weak_enctype
-krb5int_c_combine_keys
krb5_encrypt_data
krb5int_c_copy_keyblock
krb5int_c_copy_keyblock_contents


@ -1,276 +0,0 @@
From e470fc217b19f6d958cc891910527e43651167a3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 May 2019 14:07:24 -0400
Subject: [PATCH] Remove more dead code
(cherry picked from commit 0269810b1aec6c554fb746433f045d59fd34ab3a)
---
src/clients/klist/klist.c | 5 ---
src/kadmin/dbutil/kdb5_mkey.c | 2 --
src/kadmin/server/ipropd_svc.c | 4 ---
src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
src/lib/gssapi/krb5/k5sealv3.c | 5 ++-
src/lib/gssapi/krb5/k5sealv3iov.c | 5 ++-
src/lib/kdb/kdb_convert.c | 36 +++----------------
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 4 ---
.../kdb/ldap/libkdb_ldap/ldap_create.c | 10 ------
src/plugins/preauth/pkinit/pkinit_srv.c | 8 -----
src/tests/hammer/kdc5_hammer.c | 4 +--
11 files changed, 10 insertions(+), 75 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 8c307151a..4261ac96c 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -720,11 +720,6 @@ show_credential(krb5_creds *cred)
extra_field += 2;
}
- if (extra_field > 3) {
- fputs("\n", stdout);
- extra_field = 0;
- }
-
if (show_flags) {
flags = flags_string(cred);
if (flags && *flags) {
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 19796c202..aceb0a9b8 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -1240,7 +1240,6 @@ kdb5_purge_mkeys(int argc, char *argv[])
if (actkvno_entry == actkvno_list) {
/* remove from head */
actkvno_list = actkvno_entry->next;
- prev_actkvno_entry = actkvno_list;
} else if (actkvno_entry->next == NULL) {
/* remove from tail */
prev_actkvno_entry->next = NULL;
@@ -1263,7 +1262,6 @@ kdb5_purge_mkeys(int argc, char *argv[])
if (mkey_aux_entry->mkey_kvno == args.kvnos[j].kvno) {
if (mkey_aux_entry == mkey_aux_list) {
mkey_aux_list = mkey_aux_entry->next;
- prev_mkey_aux_entry = mkey_aux_list;
} else if (mkey_aux_entry->next == NULL) {
prev_mkey_aux_entry->next = NULL;
} else {
diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
index dc9984c2c..56e9b90b2 100644
--- a/src/kadmin/server/ipropd_svc.c
+++ b/src/kadmin/server/ipropd_svc.c
@@ -263,8 +263,6 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp)
int pret, fret;
FILE *p;
kadm5_server_handle_t handle = global_server_handle;
- OM_uint32 min_stat;
- gss_name_t name = NULL;
char *client_name = NULL, *service_name = NULL;
char *whoami = "iprop_full_resync_1";
@@ -440,8 +438,6 @@ out:
debprret(whoami, ret.ret, 0);
free(client_name);
free(service_name);
- if (name)
- gss_release_name(&min_stat, &name);
free(ubuf);
return (&ret);
}
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 79b83e0c6..f09cda007 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -780,7 +780,7 @@ krb5_gss_localname(OM_uint32 *minor,
localname->value = gssalloc_strdup(lname);
localname->length = strlen(lname);
- return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
+ return GSS_S_COMPLETE;
}
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 25d9f2711..3b4f8cb83 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -145,9 +145,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL |
+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index a73edb6a4..333ee124d 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -144,9 +144,8 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL |
+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xFF;
/* EC */
diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c
index 76140732f..e1bf1919f 100644
--- a/src/lib/kdb/kdb_convert.c
+++ b/src/lib/kdb/kdb_convert.c
@@ -305,8 +305,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
krb5_error_code ret;
kdbe_attr_type_t *attr_types;
int kadm_data_yes;
- /* always exclude non-replicated attributes, for now */
- krb5_boolean exclude_nra = TRUE;
nattrs = tmpint = 0;
final = -1;
@@ -356,7 +354,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
nattrs++;
}
} else {
- find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs);
+ /* Always exclude non-replicated attributes for now. */
+ find_changed_attrs(curr, entry, TRUE, attr_types, &nattrs);
krb5_db_free_principal(context, curr);
}
@@ -402,31 +401,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
}
break;
- case AT_LAST_SUCCESS:
- if (!exclude_nra && entry->last_success >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS;
- ULOG_ENTRY(update, final).av_last_success =
- (uint32_t)entry->last_success;
- }
- break;
-
- case AT_LAST_FAILED:
- if (!exclude_nra && entry->last_failed >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED;
- ULOG_ENTRY(update, final).av_last_failed =
- (uint32_t)entry->last_failed;
- }
- break;
-
- case AT_FAIL_AUTH_COUNT:
- if (!exclude_nra) {
- ULOG_ENTRY_TYPE(update, ++final).av_type =
- AT_FAIL_AUTH_COUNT;
- ULOG_ENTRY(update, final).av_fail_auth_count =
- (uint32_t)entry->fail_auth_count;
- }
- break;
-
case AT_PRINC:
if (entry->princ->length > 0) {
ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC;
@@ -552,10 +526,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
/* END CSTYLED */
case AT_LEN:
- if (entry->len >= 0) {
- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
- ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
- }
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
+ ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
break;
default:
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index ce038fc3d..0a95101ad 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -135,10 +135,6 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
print_usage = TRUE;
goto cleanup;
}
- if (file_name == NULL) {
- com_err(me, ENOMEM, _("while setting service object password"));
- goto cleanup;
- }
} else { /* argc == 2 */
service_object = strdup (argv[1]);
if (service_object == NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index 1e6fffee5..5b57c799a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -56,7 +56,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
krb5_ldap_realm_params *rparams = NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_boolean realm_obj_created = FALSE;
- krb5_boolean krbcontainer_obj_created = FALSE;
int mask = 0;
/* Clear the global error string */
@@ -121,15 +120,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
goto cleanup;
cleanup:
- /* If the krbcontainer/realm creation is not complete, do the roll-back here */
- if ((krbcontainer_obj_created) && (!realm_obj_created)) {
- int rc;
- rc = krb5_ldap_delete_krbcontainer(context,
- ldap_context->container_dn);
- k5_setmsg(context, rc, _("could not complete roll-back, error "
- "deleting Kerberos Container"));
- }
-
if (rparams)
krb5_ldap_free_realm_params(rparams);
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 27e6ef4d2..6aa646cc6 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -258,15 +258,7 @@ verify_client_san(krb5_context context,
}
pkiDebug("%s: no upn san match found\n", __FUNCTION__);
- /* We found no match */
- if (princs != NULL || upns != NULL) {
- *valid_san = 0;
- /* XXX ??? If there was one or more name in the cert, but
- * none matched the client name, then return mismatch? */
- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
- }
retval = 0;
-
out:
if (princs != NULL) {
for (i = 0; princs[i] != NULL; i++)
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index 086c21d1c..8220fd97b 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -439,7 +439,6 @@ int get_tgt (context, p_client_str, p_client, ccache)
krb5_principal *p_client;
krb5_ccache ccache;
{
- char *cache_name = NULL; /* -f option */
long lifetime = KRB5_DEFAULT_LIFE; /* -l option */
krb5_error_code code;
krb5_creds my_creds;
@@ -464,8 +463,7 @@ int get_tgt (context, p_client_str, p_client, ccache)
code = krb5_cc_initialize (context, ccache, *p_client);
if (code != 0) {
- com_err (prog, code, "when initializing cache %s",
- cache_name?cache_name:"");
+ com_err (prog, code, "when initializing cache");
return(-1);
}


@ -1,335 +0,0 @@
From e9cc0b8762266ed368cb50e7ba48d6196db54da5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 28 Jun 2019 13:09:47 -0400
Subject: [PATCH] Remove now-unused checksum functions
fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8 removed all call sites of
krb5int_cbc_checksum(), krb5int_confounder_verify(), and
krb5int_confounder_checksum(), but neglected the functions themselves.
ticket: 8808
(cherry picked from commit 2063ff09b384d466c15aca8970c01d074230c815)
---
src/lib/crypto/krb/Makefile.in | 6 -
src/lib/crypto/krb/checksum_cbc.c | 41 ------
src/lib/crypto/krb/checksum_confounder.c | 159 -----------------------
src/lib/crypto/krb/crypto_int.h | 16 ---
src/lib/crypto/krb/deps | 26 ----
5 files changed, 248 deletions(-)
delete mode 100644 src/lib/crypto/krb/checksum_cbc.c
delete mode 100644 src/lib/crypto/krb/checksum_confounder.c
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index b587f7e19..2b0c4163d 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -10,8 +10,6 @@ STLIBOBJS=\
aead.o \
block_size.o \
cf2.o \
- checksum_cbc.o \
- checksum_confounder.o \
checksum_dk_cmac.o \
checksum_dk_hmac.o \
checksum_etm.o \
@@ -70,8 +68,6 @@ OBJS=\
$(OUTPRE)aead.$(OBJEXT) \
$(OUTPRE)block_size.$(OBJEXT) \
$(OUTPRE)cf2.$(OBJEXT) \
- $(OUTPRE)checksum_cbc.$(OBJEXT) \
- $(OUTPRE)checksum_confounder.$(OBJEXT) \
$(OUTPRE)checksum_dk_cmac.$(OBJEXT) \
$(OUTPRE)checksum_dk_hmac.$(OBJEXT) \
$(OUTPRE)checksum_etm.$(OBJEXT) \
@@ -130,8 +126,6 @@ SRCS=\
$(srcdir)/aead.c \
$(srcdir)/block_size.c \
$(srcdir)/cf2.c \
- $(srcdir)/checksum_cbc.c \
- $(srcdir)/checksum_confounder.c \
$(srcdir)/checksum_dk_cmac.c \
$(srcdir)/checksum_dk_hmac.c \
$(srcdir)/checksum_etm.c \
diff --git a/src/lib/crypto/krb/checksum_cbc.c b/src/lib/crypto/krb/checksum_cbc.c
deleted file mode 100644
index 48afeb0e5..000000000
--- a/src/lib/crypto/krb/checksum_cbc.c
+++ /dev/null
@@ -1,41 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/checksum_cbc.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* CBC checksum, which computes the ivec resulting from CBC encryption of the
- * input. */
-
-#include "crypto_int.h"
-
-krb5_error_code
-krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
-{
- if (ctp->enc->cbc_mac == NULL)
- return KRB5_CRYPTO_INTERNAL;
- return ctp->enc->cbc_mac(key, data, num_data, NULL, output);
-}
diff --git a/src/lib/crypto/krb/checksum_confounder.c b/src/lib/crypto/krb/checksum_confounder.c
deleted file mode 100644
index 34941562c..000000000
--- a/src/lib/crypto/krb/checksum_confounder.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/checksum_confounder.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Confounder checksum implementation, using tokens of the form:
- * enc(xorkey, confounder | hash(confounder | data))
- * where xorkey is the key XOR'd with 0xf0 bytes.
- */
-
-#include "crypto_int.h"
-
-/* Derive a key by XOR with 0xF0 bytes. */
-static krb5_error_code
-mk_xorkey(krb5_key origkey, krb5_key *xorkey)
-{
- krb5_error_code retval = 0;
- unsigned char *xorbytes;
- krb5_keyblock xorkeyblock;
- size_t i = 0;
-
- xorbytes = k5memdup(origkey->keyblock.contents, origkey->keyblock.length,
- &retval);
- if (xorbytes == NULL)
- return retval;
- for (i = 0; i < origkey->keyblock.length; i++)
- xorbytes[i] ^= 0xf0;
-
- /* Do a shallow copy here. */
- xorkeyblock = origkey->keyblock;
- xorkeyblock.contents = xorbytes;
-
- retval = krb5_k_create_key(0, &xorkeyblock, xorkey);
- zapfree(xorbytes, origkey->keyblock.length);
- return retval;
-}
-
-krb5_error_code
-krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
-{
- krb5_error_code ret;
- krb5_data conf, hashval;
- krb5_key xorkey = NULL;
- krb5_crypto_iov *hash_iov, iov;
- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
-
- /* Partition the output buffer into confounder and hash. */
- conf = make_data(output->data, blocksize);
- hashval = make_data(output->data + blocksize, hashsize);
-
- /* Create the confounder. */
- ret = krb5_c_random_make_octets(NULL, &conf);
- if (ret != 0)
- return ret;
-
- ret = mk_xorkey(key, &xorkey);
- if (ret)
- return ret;
-
- /* Hash the confounder, then the input data. */
- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
- if (hash_iov == NULL)
- goto cleanup;
- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
- hash_iov[0].data = conf;
- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
- ret = ctp->hash->hash(hash_iov, num_data + 1, &hashval);
- if (ret != 0)
- goto cleanup;
-
- /* Confounder and hash are in output buffer; encrypt them in place. */
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = *output;
- ret = ctp->enc->encrypt(xorkey, NULL, &iov, 1);
-
-cleanup:
- free(hash_iov);
- krb5_k_free_key(NULL, xorkey);
- return ret;
-}
-
-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- const krb5_data *input,
- krb5_boolean *valid)
-{
- krb5_error_code ret;
- unsigned char *plaintext = NULL;
- krb5_key xorkey = NULL;
- krb5_data computed = empty_data();
- krb5_crypto_iov *hash_iov = NULL, iov;
- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
-
- plaintext = k5memdup(input->data, input->length, &ret);
- if (plaintext == NULL)
- return ret;
-
- ret = mk_xorkey(key, &xorkey);
- if (ret != 0)
- goto cleanup;
-
- /* Decrypt the input checksum. */
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = make_data(plaintext, input->length);
- ret = ctp->enc->decrypt(xorkey, NULL, &iov, 1);
- if (ret != 0)
- goto cleanup;
-
- /* Hash the confounder, then the input data. */
- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
- if (hash_iov == NULL)
- goto cleanup;
- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
- hash_iov[0].data = make_data(plaintext, blocksize);
- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
- ret = alloc_data(&computed, hashsize);
- if (ret != 0)
- goto cleanup;
- ret = ctp->hash->hash(hash_iov, num_data + 1, &computed);
- if (ret != 0)
- goto cleanup;
-
- /* Compare the decrypted hash to the computed one. */
- *valid = (k5_bcmp(plaintext + blocksize, computed.data, hashsize) == 0);
-
-cleanup:
- zapfree(plaintext, input->length);
- zapfree(computed.data, hashsize);
- free(hash_iov);
- krb5_k_free_key(NULL, xorkey);
- return ret;
-}
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index 1b4324d71..5cc1f8e43 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -299,11 +299,6 @@ krb5_error_code krb5int_unkeyed_checksum(const struct krb5_cksumtypes *ctp,
const krb5_crypto_iov *data,
size_t num_data,
krb5_data *output);
-krb5_error_code krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- krb5_data *output);
krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
@@ -317,17 +312,6 @@ krb5_error_code krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
size_t num_data, krb5_data *output);
-krb5_error_code krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- krb5_data *output);
-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- const krb5_data *input,
- krb5_boolean *valid);
krb5_error_code krb5int_etm_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps
index 2f4af1906..883d12c56 100644
--- a/src/lib/crypto/krb/deps
+++ b/src/lib/crypto/krb/deps
@@ -37,32 +37,6 @@ cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
cf2.c crypto_int.h
-checksum_cbc.so checksum_cbc.po $(OUTPRE)checksum_cbc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h checksum_cbc.c \
- crypto_int.h
-checksum_confounder.so checksum_confounder.po $(OUTPRE)checksum_confounder.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h checksum_confounder.c \
- crypto_int.h
checksum_dk_cmac.so checksum_dk_cmac.po $(OUTPRE)checksum_dk_cmac.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \


@ -1,28 +0,0 @@
From 61855503e579611b2bb2f322070c2e1e0ca36ce8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 30 Aug 2019 11:19:52 -0400
Subject: [PATCH] Remove null check in krb5_gss_duplicate_name()
Within the krb5 mechanism, we require minor_status to be writable
without checking. Remove the null check in krb5_gss_duplicate_name()
to squash a forward-null defect.
(cherry picked from commit 9fd7bc179f0bd74fc83c1edf0247dcfd87fc73e6)
---
src/lib/gssapi/krb5/duplicate_name.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lib/gssapi/krb5/duplicate_name.c b/src/lib/gssapi/krb5/duplicate_name.c
index b88d97d9d..ea53e9c0d 100644
--- a/src/lib/gssapi/krb5/duplicate_name.c
+++ b/src/lib/gssapi/krb5/duplicate_name.c
@@ -34,8 +34,7 @@ krb5_gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t input_name,
krb5_error_code code;
krb5_gss_name_t princ, outprinc;
- if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
code = krb5_gss_init_context(&context);
if (code) {


@ -1,386 +0,0 @@
From e4c75d01bfdedfe77068a641e0053eef227dc22b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 22 Jan 2019 18:34:58 -0500
Subject: [PATCH] Remove ovsec_adm_export dump format support
Dumping only suported single-DES principals. While importing still
functioned, it would only have been useful for extremely old (1.3-era)
KDCs.
ticket: 8798 (new)
(cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800)
[rharwood@redhat.com: release version conflict in man pages]
---
doc/admin/admin_commands/kdb5_util.rst | 11 +--
doc/admin/database.rst | 14 ----
src/kadmin/dbutil/dump.c | 109 ++-----------------------
src/kadmin/dbutil/kdb5_util.c | 4 +-
src/man/kdb5_util.man | 13 +--
src/tests/Makefile.in | 6 --
src/tests/t_dump.py | 8 --
7 files changed, 13 insertions(+), 152 deletions(-)
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index fee68261a..7dd54f797 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -136,7 +136,7 @@ dump
.. _kdb5_util_dump:
- **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**]
+ **dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
*mkey_file*] [**-rev**] [**-recurse**] [*filename*
[*principals*...]]
@@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
-**-ov**
- causes the dump to be in "ovsec_adm_export" format.
-
**-r13**
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
@@ -204,7 +201,7 @@ load
.. _kdb5_util_load:
- **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**]
+ **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*
Loads a database dump from the named file into the named database. If
@@ -222,10 +219,6 @@ Options:
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
-**-ov**
- requires the database to be in "ovsec_adm_import" format. Must be
- used with the **-update** option.
-
**-r13**
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index d0be455f8..33895b857 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database:
If the database file exists, and the *-update* flag was not
given, *kdb5_util* will overwrite the existing database.
-Using kdb5_util to upgrade a master KDC from krb5 1.1.x:
-
-::
-
- shell% kdb5_util dump old-kdb-dump
- shell% kdb5_util dump -ov old-kdb-dump.ov
- [Create a new KDC installation, using the old stash file/master password]
- shell% kdb5_util load old-kdb-dump
- shell% kdb5_util load -update old-kdb-dump.ov
-
-The use of old-kdb-dump.ov for an extra dump and load is necessary
-to preserve per-principal policy information, which is not included in
-the default dump format of krb5 1.1.x.
-
.. note::
Using kdb5_util to dump and reload the principal database is
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 8301a33d0..19f2cc230 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -484,83 +484,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
fprintf(arg->ofile, "\n");
}
-static void
-print_key_data(FILE *f, krb5_key_data *kd)
-{
- int c;
-
- fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]);
- for (c = 0; c < kd->key_data_length[0]; c++)
- fprintf(f, "%02x ", kd->key_data_contents[0][c]);
-}
-
-/* Output osa_adb_princ_ent data in a printable serialized format, suitable for
- * ovsec_adm_import consumption. */
-static krb5_error_code
-dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name,
- FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra)
-{
- char *princstr;
- unsigned int x;
- int y, foundcrc;
- krb5_tl_data tl_data;
- osa_princ_ent_rec adb;
- XDR xdrs;
- krb5_key_data *key_data;
-
- tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) ||
- tl_data.tl_data_length == 0)
- return 0;
-
- memset(&adb, 0, sizeof(adb));
- xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
- tl_data.tl_data_length, XDR_DECODE);
- if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
- xdr_destroy(&xdrs);
- return KADM5_XDR_FAILURE;
- }
- xdr_destroy(&xdrs);
-
- krb5_unparse_name(context, entry->princ, &princstr);
- fprintf(fp, "princ\t%s\t", princstr);
- if (adb.policy == NULL)
- fputc('\t', fp);
- else
- fprintf(fp, "%s\t", adb.policy);
- fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len,
- adb.old_key_next, adb.admin_history_kvno);
-
- for (x = 0; x < adb.old_key_len; x++) {
- foundcrc = 0;
- for (y = 0; y < adb.old_keys[x].n_key_data; y++) {
- key_data = &adb.old_keys[x].key_data[y];
- if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC)
- continue;
- if (foundcrc) {
- fprintf(stderr, _("Warning! Multiple DES-CBC-CRC keys for "
- "principal %s; skipping duplicates.\n"),
- princstr);
- continue;
- }
- foundcrc++;
-
- fputc('\t', fp);
- print_key_data(fp, key_data);
- }
- if (!foundcrc) {
- fprintf(stderr, _("Warning! No DES-CBC-CRC key for principal %s, "
- "cannot generate OV-compatible record; "
- "skipping\n"), princstr);
- }
- }
-
- fputc('\n', fp);
- free(princstr);
- xdr_free(xdr_osa_princ_ent_rec, &adb);
- return 0;
-}
-
static krb5_error_code
dump_iterator(void *ptr, krb5_db_entry *entry)
{
@@ -1101,14 +1024,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep,
process_k5beta7_princ, process_k5beta7_policy);
}
-static int
-process_ov_record(krb5_context context, const char *fname, FILE *filep,
- krb5_boolean verbose, int *linenop)
-{
- return process_tagged(context, fname, filep, verbose, linenop,
- process_ov_principal, process_k5beta7_policy);
-}
-
static int
process_r1_8_record(krb5_context context, const char *fname, FILE *filep,
krb5_boolean verbose, int *linenop)
@@ -1135,16 +1050,6 @@ dump_version beta7_version = {
dump_k5beta7_policy,
process_k5beta7_record,
};
-dump_version ov_version = {
- "OpenV*Secure V1.0",
- "OpenV*Secure V1.0\t",
- 1,
- 0,
- 0,
- dump_ov_princ,
- dump_k5beta7_policy,
- process_ov_record
-};
dump_version r1_3_version = {
"Kerberos version 5 release 1.3",
"kdb5_util load_dump version 5\n",
@@ -1267,7 +1172,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile)
/*
* usage is:
- * dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert]
+ * dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert]
* [-new_mkey_file mkey_file] [-rev] [-recurse]
* [filename [principals...]]
*/
@@ -1302,7 +1207,8 @@ dump_db(int argc, char **argv)
if (!strcmp(argv[aindex], "-b7")) {
dump = &beta7_version;
} else if (!strcmp(argv[aindex], "-ov")) {
- dump = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
} else if (!strcmp(argv[aindex], "-r13")) {
dump = &r1_3_version;
} else if (!strcmp(argv[aindex], "-r18")) {
@@ -1515,8 +1421,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f,
}
/*
- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash]
- * filename
+ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename
*/
void
load_db(int argc, char **argv)
@@ -1540,7 +1445,8 @@ load_db(int argc, char **argv)
if (!strcmp(argv[aindex], "-b7")){
load = &beta7_version;
} else if (!strcmp(argv[aindex], "-ov")) {
- load = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
} else if (!strcmp(argv[aindex], "-r13")) {
load = &r1_3_version;
} else if (!strcmp(argv[aindex], "-r18")){
@@ -1605,9 +1511,6 @@ load_db(int argc, char **argv)
load = &r1_8_version;
} else if (strcmp(buf, r1_11_version.header) == 0) {
load = &r1_11_version;
- } else if (strncmp(buf, ov_version.header,
- strlen(ov_version.header)) == 0) {
- load = &ov_version;
} else {
fprintf(stderr, _("%s: dump header bad in %s\n"), progname,
dumpfile);
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index accc959e0..e73e2c68e 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -85,10 +85,10 @@ void usage()
"\tcreate [-s]\n"
"\tdestroy [-f]\n"
"\tstash [-f keyfile]\n"
- "\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+ "\tdump [-old|-b6|-b7|-r13|-r18] [-verbose]\n"
"\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
"\t [-rev] [-recurse] [filename [princs...]]\n"
- "\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] "
+ "\tload [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] "
"filename\n"
"\tark [-e etype_list] principal\n"
"\tadd_mkey [-e etype] [-s]\n"
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 9c48c32fb..9a36ef0df 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KDB5_UTIL" "8" " " "1.17.1" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
@@ -136,7 +136,7 @@ kdc.conf(5)\&.
.SS dump
.INDENT 0.0
.INDENT 3.5
-\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP]
+\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP]
[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP
\fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP
[\fIprincipals\fP\&...]]
@@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
.TP
-\fB\-ov\fP
-causes the dump to be in "ovsec_adm_export" format.
-.TP
\fB\-r13\fP
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
@@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal.
.SS load
.INDENT 0.0
.INDENT 3.5
-\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
+\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP
.UNINDENT
.UNINDENT
@@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
.TP
-\fB\-ov\fP
-requires the database to be in "ovsec_adm_import" format. Must be
-used with the \fB\-update\fP option.
-.TP
\fB\-r13\fP
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index e27617ee2..c96c5d6b7 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -97,7 +97,6 @@ kdb_check: kdc.conf krb5.conf
$(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS)
$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
@echo "====> NOTE!"
@echo "The following 'create' command is needed due to a change"
@@ -105,16 +104,11 @@ kdb_check: kdc.conf krb5.conf
@echo ====
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2
sort $(TEST_DB).dump > $(TEST_DB).sort
sort $(TEST_DB).dump2 > $(TEST_DB).sort2
- sort $(TEST_DB).ovdump > $(TEST_DB).ovsort
- sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2
cmp $(TEST_DB).sort $(TEST_DB).sort2
- cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
index d803d5602..5d692df99 100755
--- a/src/tests/t_dump.py
+++ b/src/tests/t_dump.py
@@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False):
srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18')
srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13')
srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7')
- srcdump_ov = os.path.join(srcdumpdir, 'dump.ov')
# Load a dump file from the source directory.
realm.run([kdb5_util, 'destroy', '-f'])
@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False):
dump_compare(realm, ['-r18'], srcdump_r18)
dump_compare(realm, ['-r13'], srcdump_r13)
dump_compare(realm, ['-b7'], srcdump_b7)
- dump_compare(realm, ['-ov'], srcdump_ov)
# Load each format of dump, check it, re-dump it, and compare.
load_dump_check_compare(realm, ['-r18'], srcdump_r18)
load_dump_check_compare(realm, ['-r13'], srcdump_r13)
load_dump_check_compare(realm, ['-b7'], srcdump_b7)
- # Loading the last (-b7 format) dump won't have loaded the
- # per-principal kadm data. Load that incrementally with -ov.
- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
-
success('Dump/load tests')



@ -1,34 +0,0 @@
From 128098be731775ecc2a5de6308868fae78059db9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 6 Jun 2019 11:46:58 -0400
Subject: [PATCH] Remove strerror() calls from k5_get_error()
Coverity models strerror() as a function which cannot accept negative
values, even though it has defined behavior on all integers.
k5_get_error() contains code to call strerror_r() and strerror() if
its fptr global is unset, which isn't an expected case in practice.
To silence a large number of Coverity false positives, just return a
fixed string if fptr is null.
(cherry picked from commit 2d400bea7a81a5a834a1be6ded439f18e0afa5ba)
---
src/util/support/errors.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/util/support/errors.c b/src/util/support/errors.c
index 70e1d59d0..f8bea07a3 100644
--- a/src/util/support/errors.c
+++ b/src/util/support/errors.c
@@ -78,10 +78,9 @@ k5_get_error(struct errinfo *ep, long code)
lock();
if (fptr == NULL) {
+ /* Should be rare; fptr should be set whenever libkrb5 is loaded. */
unlock();
- if (strerror_r(code, buf, sizeof(buf)) == 0)
- return oom_check(strdup(buf));
- return oom_check(strdup(strerror(code)));
+ return oom_check(strdup(_("Error code translation unavailable")));
}
r = fptr(code);
#ifndef HAVE_COM_ERR_INTL


@ -1,73 +0,0 @@
From c00274de6de883d74ae231405b6ae5e1486712c9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 17 Apr 2019 17:07:46 -0400
Subject: [PATCH] Remove support for no-flags SAM-2 preauth
When neither the send-encrypted-sad nor the use-sad-as-key flag is set
in the SAM-2 challenge, the protocol calls for the AS key to be
combined with the string-to-key of the SAD using a key combination
method which has only been implemented for DES and 3DES enctypes.
Rather than extending key combination, remove support for this case.
[ghudson@mit.edu: rewrote commit message, added comment]
ticket: 8812 (new)
(cherry picked from commit c30e0af224ef3716513744fd86aec3eeea90abf9)
---
src/lib/krb5/krb/preauth_sam2.c | 40 +++++++++------------------------
1 file changed, 11 insertions(+), 29 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index c7484c47e..fda86bee2 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -211,38 +211,20 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
/* Get encryption key to be used for checksum and sam_response */
if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
/* Retain as_key from above gak_fct call. */
-
- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
- /* as_key = combine_key (as_key, string_to_key(SAD)) */
- krb5_keyblock tmp_kb;
-
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, &tmp_kb);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- /* This should be a call to the crypto library some day */
- /* key types should already match the sam_etype */
- retval = krb5int_c_combine_keys(context, &ctx->as_key, &tmp_kb,
- &ctx->as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &tmp_kb);
- }
-
if (defsalt.length)
free(defsalt.data);
+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+ /*
+ * If no flags are set, the protocol calls for us to combine the
+ * initial reply key with the SAD, using a method which is only
+ * specified for DES and 3DES enctypes. We no longer support this
+ * case.
+ */
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_UNSUPPORTED);
+ }
} else {
/* as_key = string_to_key(SAD) */



@ -1,509 +0,0 @@
From 111e528c68393435be41f71f22f41b7a04ccad1e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 24 May 2019 13:11:44 -0400
Subject: [PATCH] Remove the v4 and afs3 salt types
In preparation for removing single-DES support, remove the v4 and afs3
salt types. The afs3 salt type could only be used with single-DES
keys, and the v4 salt type was only useful for single-DES keys from
krb4 databases.
[ghudson@mit.edu: wrote commit message]
ticket: 8808
(cherry picked from commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be)
[rharwood@redhat.com: release version conflict in man pages]
---
doc/admin/conf_files/kdc_conf.rst | 2 -
src/include/kdb.h | 4 +-
src/kadmin/testing/proto/kdc.conf.proto | 2 +-
src/kdc/kdc_preauth.c | 40 +++++--------------
.../api.current/chpass-principal-v2.exp | 8 ++--
.../api.current/get-principal-v2.exp | 4 +-
src/lib/kdb/kdb5.c | 4 --
src/lib/kdb/kdb_cpw.c | 16 +-------
src/lib/krb5/krb/str_conv.c | 2 -
src/lib/krb5/krb/t_get_etype_info.py | 7 ----
src/man/kdc.conf.man | 14 +------
src/tests/dejagnu/config/default.exp | 17 --------
src/tests/t_etype_info.py | 24 +----------
src/tests/t_keytab.py | 5 ---
src/tests/t_renprinc.py | 2 +-
src/tests/t_salt.py | 26 +-----------
src/util/k5test.py | 11 -----
17 files changed, 24 insertions(+), 164 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 72f002d4d..7fbc8eb79 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -919,10 +919,8 @@ follows:
================= ============================================
normal default for Kerberos Version 5
-v4 the only type used by Kerberos Version 4 (no salt)
norealm same as the default, without using realm information
onlyrealm uses only realm information as the salt
-afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS
special generate a random salt
================= ============================================
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 9812a35e6..7749cfc99 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -73,11 +73,11 @@
/* Salt types */
#define KRB5_KDB_SALTTYPE_NORMAL 0
-#define KRB5_KDB_SALTTYPE_V4 1
+/* #define KRB5_KDB_SALTTYPE_V4 1 */
#define KRB5_KDB_SALTTYPE_NOREALM 2
#define KRB5_KDB_SALTTYPE_ONLYREALM 3
#define KRB5_KDB_SALTTYPE_SPECIAL 4
-#define KRB5_KDB_SALTTYPE_AFS3 5
+/* #define KRB5_KDB_SALTTYPE_AFS3 5 */
#define KRB5_KDB_SALTTYPE_CERTHASH 6
/* Attributes */
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 61283ac77..45df78b91 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -12,5 +12,5 @@
kadmind_port = 1751
kpasswd_port = 1752
master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
}
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index caf133c14..508a5cf89 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -781,8 +781,8 @@ add_etype_info(krb5_context context, krb5_kdcpreauth_rock rock,
return add_pa_data_element(pa_list, pa);
}
-/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request
- * and client principal. */
+/* Add PW-SALT entries to pa_list as appropriate for the request and client
+ * principal. */
static krb5_error_code
add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
krb5_pa_data ***pa_list)
@@ -801,21 +801,13 @@ add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
if (ret)
return 0;
- if (salttype == KRB5_KDB_SALTTYPE_AFS3) {
- ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa);
- if (ret)
- goto cleanup;
- memcpy(pa->contents, salt->data, salt->length);
- pa->contents[salt->length] = '\0';
- } else {
- /* Steal memory from salt to make the pa-data entry. */
- ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
- if (ret)
- goto cleanup;
- pa->length = salt->length;
- pa->contents = (uint8_t *)salt->data;
- salt->data = NULL;
- }
+ /* Steal memory from salt to make the pa-data entry. */
+ ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
+ if (ret)
+ goto cleanup;
+ pa->length = salt->length;
+ pa->contents = (uint8_t *)salt->data;
+ salt->data = NULL;
/* add_pa_data_element() claims pa on success or failure. */
ret = add_pa_data_element(pa_list, pa);
@@ -1545,20 +1537,6 @@ _make_etype_info_entry(krb5_context context,
&salttype, &salt);
if (retval)
goto cleanup;
- if (etype_info2 && salttype == KRB5_KDB_SALTTYPE_AFS3) {
- switch (etype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- retval = alloc_data(&entry->s2kparams, 1);
- if (retval)
- goto cleanup;
- entry->s2kparams.data[0] = 1;
- break;
- default:
- break;
- }
- }
entry->length = salt->length;
entry->salt = (unsigned char *)salt->data;
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
index 8361fb085..db899a1dc 100644
--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
@@ -18,8 +18,8 @@ proc test200 {} {
# I'd like to specify a long list of keysalt tuples and make sure
# that chpass does the right thing, but we can only use those
- # enctypes that krbtgt has a key for: des-cbc-crc:normal and
- # des-cbc-crc:v4, according to the prototype kdc.conf.
+ # enctypes that krbtgt has a key for: des-cbc-crc:normal
+ # according to the prototype kdc.conf.
if {! [cmd [format {
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -53,10 +53,10 @@ proc test200 {} {
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 3} {
+ if {$num_keys == 2} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 3"
+ fail "$test: $num_keys keys, should be 2"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
index 86c45f49e..8526897ed 100644
--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
}
set failed 0
- if {$num_keys != 3} {
- fail "$test: num_keys $num_keys should be 3"
+ if {$num_keys != 2} {
+ fail "$test: num_keys $num_keys should be 2"
set failed 1
}
for {set i 0} {$i < $num_keys} {incr i} {
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index da5332217..b81a44312 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2312,15 +2312,11 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
if (retval)
return retval;
break;
- case KRB5_KDB_SALTTYPE_V4:
- sdata = empty_data();
- break;
case KRB5_KDB_SALTTYPE_NOREALM:
retval = krb5_principal2salt_norealm(context, princ, &sdata);
if (retval)
return retval;
break;
- case KRB5_KDB_SALTTYPE_AFS3:
case KRB5_KDB_SALTTYPE_ONLYREALM:
return krb5_copy_data(context, &princ->realm, salt_out);
case KRB5_KDB_SALTTYPE_SPECIAL:
diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index 03efc28ed..450860f47 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -260,7 +260,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
krb5_keysalt key_salt;
krb5_keyblock key;
krb5_data pwd;
- krb5_data afs_params = string2data("\1"), *s2k_params;
int i, j;
krb5_key_data *kd_slot;
@@ -268,7 +267,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
krb5_boolean similar;
similar = 0;
- s2k_params = NULL;
/*
* We could use krb5_keysalt_iterate to replace this loop, or use
@@ -316,18 +314,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
&key_salt.data)))
return(retval);
break;
- case KRB5_KDB_SALTTYPE_V4:
- key_salt.data.length = 0;
- key_salt.data.data = 0;
- break;
- case KRB5_KDB_SALTTYPE_AFS3:
- retval = krb5int_copy_data_contents(context,
- &db_entry->princ->realm,
- &key_salt.data);
- if (retval)
- return retval;
- s2k_params = &afs_params;
- break;
case KRB5_KDB_SALTTYPE_SPECIAL:
retval = make_random_salt(context, &key_salt);
if (retval)
@@ -342,7 +328,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
retval = krb5_c_string_to_key_with_params(context,
ks_tuple[i].ks_enctype,
&pwd, &key_salt.data,
- s2k_params, &key);
+ NULL, &key);
if (retval) {
free(key_salt.data.data);
return retval;
diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
index 3d057241b..c8421a8c1 100644
--- a/src/lib/krb5/krb/str_conv.c
+++ b/src/lib/krb5/krb/str_conv.c
@@ -61,11 +61,9 @@ struct salttype_lookup_entry {
#include "kdb.h"
static const struct salttype_lookup_entry salttype_table[] = {
{ KRB5_KDB_SALTTYPE_NORMAL, "normal" },
- { KRB5_KDB_SALTTYPE_V4, "v4", },
{ KRB5_KDB_SALTTYPE_NOREALM, "norealm", },
{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", },
{ KRB5_KDB_SALTTYPE_SPECIAL, "special", },
- { KRB5_KDB_SALTTYPE_AFS3, "afs3", },
};
static const int salttype_table_nents = sizeof(salttype_table)/
sizeof(salttype_table[0]);
diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py
index 7c400be86..3c9168591 100644
--- a/src/lib/krb5/krb/t_get_etype_info.py
+++ b/src/lib/krb5/krb/t_get_etype_info.py
@@ -9,9 +9,6 @@ realm.run([kadminl, 'ank', '-nokey', '+preauth', 'pnokey'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
- 'pafs'])
# Extract the explicit salt values from the database.
out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
@@ -56,8 +53,4 @@ realm.run(['./t_get_etype_info', 'exp'],
realm.run(['./t_get_etype_info', 'pexp'],
expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n')
-msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n'
-realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg)
-realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg)
-
success('krb5_get_etype_info() tests')
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 959f00de5..fd4dbb2e2 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KDC.CONF" "5" " " "1.17.1" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
@@ -1149,12 +1149,6 @@ default for Kerberos Version 5
T}
_
T{
-v4
-T} T{
-the only type used by Kerberos Version 4 (no salt)
-T}
-_
-T{
norealm
T} T{
same as the default, without using realm information
@@ -1167,12 +1161,6 @@ uses only realm information as the salt
T}
_
T{
-afs3
-T} T{
-AFS version 3, only used for compatibility with Kerberos 4 in AFS
-T}
-_
-T{
special
T} T{
generate a random salt
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index ea9bedd45..c061d764e 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -238,22 +238,6 @@ set passes {
{master_key_type=aes256-cts-hmac-sha1-96}
{dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
}
- {
- des-v4
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=des-cbc-crc:v4}
- {default_tkt_enctypes(client)=des-cbc-crc}
- {dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
- }
- {
- des-md5-v4
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
- {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
- }
{
all-enctypes
mode=udp
@@ -356,7 +340,6 @@ set unused_passes {
aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
des3-cbc-sha1:normal des3-cbc-sha1:none \
des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
- des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
}
{dummy=[verbose -log "DES3 TGT, default enctypes"]}
}
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index 2026e7876..c21d054f1 100644
--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
@@ -1,6 +1,6 @@
from k5test import *
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
+supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
conf = {'libdefaults': {'allow_weak_crypto': 'true'},
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
@@ -43,28 +43,6 @@ test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
test_etinfo('preauthuser', 'rc4 aes256-cts',
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
-# AFS3 salt for DES enctypes is conveyed using s2kparams in
-# PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special padata
-# type instead of PA-PW-SALT.
-test_etinfo('user', 'des-cbc-crc rc4',
- ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01',
- 'asrep etype_info des-cbc-crc KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('preauthuser', 'des-cbc-crc rc4',
- ['error etype_info2 des-cbc-crc KRBTEST.COM 01',
- 'error etype_info des-cbc-crc KRBTEST.COM'])
-
-# DES keys can be used with other DES enctypes. The requested enctype
-# shows up in the etype-info, not the database key enctype.
-test_etinfo('user', 'des-cbc-md4 rc4',
- ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01',
- 'asrep etype_info des-cbc-md4 KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('user', 'des-cbc-md5 rc4',
- ['asrep etype_info2 des KRBTEST.COM 01',
- 'asrep etype_info des KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-
# If no keys are found matching the request enctypes, a
# preauth-required error can be generated with no etype-info at all
# (to allow for preauth mechs which don't depend on long-term keys).
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index 72e09daac..633f7c7ef 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -155,9 +155,6 @@ realm.run([kadminl, 'ank', '-pw', 'pw', 'default'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
- 'pafs'])
# Extract one of the explicit salt values from the database.
out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
@@ -187,8 +184,6 @@ test_addent(realm, 'default', '-f')
test_addent(realm, 'default', '-f -e aes128-cts')
test_addent(realm, 'exp', '-f')
test_addent(realm, 'pexp', '-f')
-test_addent(realm, 'afs', '-f')
-test_addent(realm, 'pafs', '-f')
success('Keytab-related tests')
success('Keytab-related tests')
diff --git a/src/tests/t_renprinc.py b/src/tests/t_renprinc.py
index 46cbed441..3dbb3e77e 100755
--- a/src/tests/t_renprinc.py
+++ b/src/tests/t_renprinc.py
@@ -25,7 +25,7 @@ from k5test import *
enctype = "aes128-cts"
realm = K5Realm(create_host=False, create_user=False)
-salttypes = ('normal', 'v4', 'norealm', 'onlyrealm')
+salttypes = ('normal', 'norealm', 'onlyrealm')
# For a variety of salt types, test that we can rename a principal and
# still get tickets with the same password.
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
index 278911a22..008efcb03 100755
--- a/src/tests/t_salt.py
+++ b/src/tests/t_salt.py
@@ -15,13 +15,9 @@ def test_salt(realm, e1, salt, e2):
realm.run([kadminl, 'delprinc', 'user'])
# Enctype/salt pairs chosen with non-default salt types.
-# The enctypes are mostly arbitrary, though afs3 must only be used with des.
-# We do not enforce that v4 salts must only be used with des, but it seems
-# like a good idea.
-salts = [('des-cbc-crc', 'afs3'),
- ('des3-cbc-sha1', 'norealm'),
+# The enctypes are mostly arbitrary.
+salts = [('des3-cbc-sha1', 'norealm'),
('arcfour-hmac', 'onlyrealm'),
- ('des-cbc-crc', 'v4'),
('aes128-cts-hmac-sha1-96', 'special')]
# These enctypes are chosen to cover the different string-to-key routines.
# Omit ":normal" from aes256 to check that salttype defaulting works.
@@ -56,22 +52,4 @@ dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal',
for ks in dup_kstypes:
test_dup(realm, ks)
-# Attempt to create a principal with a non-des enctype and the afs3 salt,
-# verifying that the expected error is received and the principal creation
-# fails.
-def test_reject_afs3(realm, etype):
- query = 'ank -e ' + etype + ':afs3 -pw password princ1'
- realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
- 'princ1'], expected_code=1,
- expected_msg='Invalid key generation parameters from KDC')
- realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
- expected_msg='Principal does not exist')
-
-# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
-# We do not currently do any verification on the key-generation parameters
-# for the triple-DES enctypes, so that test is commented out.
-test_reject_afs3(realm, 'arcfour-hmac')
-test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96')
-#test_reject_afs3(realm, 'des3-cbc-sha1')
-
success("Salt types")
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 3aec1ef92..b6d93f1d8 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1246,17 +1246,6 @@ _passes = [
# No special settings; exercises AES256.
('default', None, None, None),
- # Exercise a DES enctype and the v4 salt type.
- ('desv4', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'des-cbc-crc',
- 'default_tkt_enctypes': 'des-cbc-crc',
- 'permitted_enctypes': 'des-cbc-crc',
- 'allow_weak_crypto': 'true'}},
- {'realms': {'$realm': {
- 'supported_enctypes': 'des-cbc-crc:v4',
- 'master_key_type': 'des-cbc-crc'}}}),
-
# Exercise the DES3 enctype.
('des3', None,
{'libdefaults': {


@ -1,26 +0,0 @@
From 3d8b0bb1469295bd09f8ba81d3fb059a9ef372f2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] Set a more modern default ksu CMD_PATH
ksu uses CMD_PATH to expand command names in .k5users. Include the /usr
tree and .../sbin variants. Drop nonstandard /local.
ticket: 8807 (new)
(cherry picked from commit 9eb937a6e1f740d323221813e5da096d30bd68de)
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 5755bb58a..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@


@ -1,76 +0,0 @@
From f7fb525d762ba42f62f1044f07f38a243980a2ba Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 5 May 2019 18:53:27 -0400
Subject: [PATCH] Simplify SAM-2 as_key handling
The ctx->gak_fct() call in sam2_process() used an empty salt instead
of the default salt when the KDC did not supply an explicit salt.
This bug arose when commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41
changed the internal contracts around salts but did not adjust the
SAM-2 code. Commit e9aa891fcdb4c08d39902ab89afb268042b60c86 fixed the
resulting bug, but mistakenly did not adjust the gak_fct call to use
the correct salt.
Later on, the code contains a redundant call to krb5_c_string_to_key()
in the non-USE_SAD_AS_KEY modes, replacing ctx->as_key. This call was
properly adjusted by commit e9aa891fcdb4c08d39902ab89afb268042b60c86,
so the improper gak_fct call did not manifest as a bug.
Fix the gak_fct call to supply the correct salt, and remove the
redundant string_to_key operation.
(cherry picked from commit d48670c51460e9a74b4f4a9966f85ca6f77c1d8b)
---
src/lib/krb5/krb/preauth_sam2.c | 25 +++----------------------
1 file changed, 3 insertions(+), 22 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index 4c70021a9..c7484c47e 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -95,7 +95,6 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_prompt kprompt;
krb5_prompt_type prompt_type;
krb5_data defsalt, *salt;
- struct gak_password *gakpw;
krb5_checksum **cksum;
krb5_data *scratch = NULL;
krb5_boolean valid_cksum = 0;
@@ -152,9 +151,8 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
salt = ctx->default_salt ? NULL : &ctx->salt;
retval = ctx->gak_fct(context, request->client, sc2b->sam_etype,
- prompter, prompter_data, &ctx->salt,
- &ctx->s2kparams, &ctx->as_key,
- ctx->gak_data, ctx->rctx.items);
+ prompter, prompter_data, salt, &ctx->s2kparams,
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
krb5_free_sam_challenge_2_body(context, sc2b);
@@ -212,24 +210,7 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
/* Get encryption key to be used for checksum and sam_response */
if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* as_key = string_to_key(password) */
-
- if (ctx->as_key.length) {
- krb5_free_keyblock_contents(context, &ctx->as_key);
- ctx->as_key.length = 0;
- }
-
- /* generate a key using the supplied password */
- gakpw = ctx->gak_data;
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- gakpw->password, salt, &ctx->as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
+ /* Retain as_key from above gak_fct call. */
if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
/* as_key = combine_key (as_key, string_to_key(SAD)) */


@ -1,162 +0,0 @@
From a7cd60bc97b4d9b171eddae391cf9ecd84c58d31 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Aug 2019 16:19:12 -0400
Subject: [PATCH] Simplify krb5_dbe_def_search_enctype()
Key data is now sorted in descending kvno order (since commit
44ad57d8d38efc944f64536354435f5b721c0ee0) and key enctypes can be
compared with a simple equality test (since single-DES support was
removed in commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8). Use
these assumptions to simplify krb5_dbe_def_search_enctype().
The rewrite contains one probably-unnoticeable bugfix: if enctype,
salttype, and kvno are all given as -1 in a repeated search, yield all
key entries of permitted enctype, not just entries of the maximum
kvno.
(cherry picked from commit fcfb0e47c995a7e9f956c3716be3175f44ad26e0)
---
src/lib/kdb/kdb_default.c | 111 +++++++++++++++-----------------------
1 file changed, 42 insertions(+), 69 deletions(-)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index a1021f13a..231a0d8b4 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -37,94 +37,67 @@
/*
- * Given a particular enctype and optional salttype and kvno, find the
- * most appropriate krb5_key_data entry of the database entry.
- *
- * If stype or kvno is negative, it is ignored.
- * If kvno is 0 get the key which is maxkvno for the princ and matches
- * the other attributes.
+ * Set *kd_out to the key data entry matching kvno, enctype, and salttype. If
+ * any of those three parameters are -1, ignore them. If kvno is 0, match only
+ * the highest kvno. Begin searching at the index *start and set *start to the
+ * index after the match. Do not return keys of non-permitted enctypes; return
+ * KRB5_KDB_NO_PERMITTED_KEY if the whole list was searched and only
+ * non-permitted matches were found.
*/
krb5_error_code
-krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
- krb5_context kcontext;
- krb5_db_entry *dbentp;
- krb5_int32 *start;
- krb5_int32 ktype;
- krb5_int32 stype;
- krb5_int32 kvno;
- krb5_key_data **kdatap;
+krb5_dbe_def_search_enctype(krb5_context context, krb5_db_entry *ent,
+ krb5_int32 *start, krb5_int32 enctype,
+ krb5_int32 salttype, krb5_int32 kvno,
+ krb5_key_data **kd_out)
{
- int i, idx;
- int maxkvno;
- krb5_key_data *datap;
- krb5_error_code ret;
- krb5_boolean saw_non_permitted = FALSE;
+ krb5_key_data *kd;
+ krb5_int32 db_salttype;
+ krb5_boolean saw_non_permitted = FALSE;
+ int i;
- ret = 0;
- if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+ *kd_out = NULL;
+
+ if (enctype != -1 && !krb5_is_permitted_enctype(context, enctype))
return KRB5_KDB_NO_PERMITTED_KEY;
+ if (ent->n_key_data == 0)
+ return KRB5_KDB_NO_MATCHING_KEY;
- if (kvno == -1 && stype == -1 && ktype == -1)
- kvno = 0;
+ /* Match the highest kvno if kvno is 0. Key data is sorted in descending
+ * order of kvno. */
+ if (kvno == 0)
+ kvno = ent->key_data[0].key_data_kvno;
- if (kvno == 0) {
- /* Get the max key version */
- for (i = 0; i < dbentp->n_key_data; i++) {
- if (kvno < dbentp->key_data[i].key_data_kvno) {
- kvno = dbentp->key_data[i].key_data_kvno;
- }
- }
- }
+ for (i = *start; i < ent->n_key_data; i++) {
+ kd = &ent->key_data[i];
+ db_salttype = (kd->key_data_ver > 1) ? kd->key_data_type[1] :
+ KRB5_KDB_SALTTYPE_NORMAL;
- maxkvno = -1;
- idx = -1;
- datap = (krb5_key_data *) NULL;
- for (i = *start; i < dbentp->n_key_data; i++) {
- krb5_boolean similar;
- krb5_int32 db_stype;
-
- ret = 0;
- if (dbentp->key_data[i].key_data_ver > 1) {
- db_stype = dbentp->key_data[i].key_data_type[1];
- } else {
- db_stype = KRB5_KDB_SALTTYPE_NORMAL;
- }
-
- /* Match this entry against the arguments. */
- if (ktype != -1) {
- ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
- dbentp->key_data[i].key_data_type[0],
- &similar);
- if (ret != 0 || !similar)
- continue;
- }
- if (stype >= 0 && db_stype != stype)
+ /* Match this entry against the arguments. Stop searching if we have
+ * passed the entries for the requested kvno. */
+ if (enctype != -1 && kd->key_data_type[0] != enctype)
continue;
- if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno)
+ if (salttype >= 0 && db_salttype != salttype)
+ continue;
+ if (kvno >= 0 && kd->key_data_kvno < kvno)
+ break;
+ if (kvno >= 0 && kd->key_data_kvno != kvno)
continue;
/* Filter out non-permitted enctypes. */
- if (!krb5_is_permitted_enctype(kcontext,
- dbentp->key_data[i].key_data_type[0])) {
+ if (!krb5_is_permitted_enctype(context, kd->key_data_type[0])) {
saw_non_permitted = TRUE;
continue;
}
- if (dbentp->key_data[i].key_data_kvno > maxkvno) {
- maxkvno = dbentp->key_data[i].key_data_kvno;
- datap = &dbentp->key_data[i];
- idx = i;
- }
+ *start = i + 1;
+ *kd_out = kd;
+ return 0;
}
+
/* If we scanned the whole set of keys and matched only non-permitted
* enctypes, indicate that. */
- if (maxkvno < 0 && *start == 0 && saw_non_permitted)
- ret = KRB5_KDB_NO_PERMITTED_KEY;
- if (maxkvno < 0)
- return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
- *kdatap = datap;
- *start = idx+1;
- return 0;
+ return (*start == 0 && saw_non_permitted) ? KRB5_KDB_NO_PERMITTED_KEY :
+ KRB5_KDB_NO_MATCHING_KEY;
}
/*


@ -1,301 +0,0 @@
From db62fe97a56f8f8476e3202a492d1c3d784d52b2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:06 -0400
Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
Fold pkcs7_decrypt() and pkcs7_dataDecode() into a single function,
and make it output the plaintext rather than a BIO.
[ghudson@mit.edu: continued a modernization of pkcs7_dataDecode() into
a larger refactoring]
(cherry picked from commit 210356653a2f963ffe9a8a1b1627c64fb8ca7a3d)
---
.../preauth/pkinit/pkinit_crypto_openssl.c | 213 ++++++------------
1 file changed, 63 insertions(+), 150 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5ff81d8cf..8aa2c5257 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -81,12 +81,8 @@ static int openssl_callback (int, X509_STORE_CTX *);
static int openssl_callback_ignore_crls (int, X509_STORE_CTX *);
static int pkcs7_decrypt
-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7, BIO *bio);
-
-static BIO * pkcs7_dataDecode
-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7);
+(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7,
+ unsigned char **data_out, unsigned int *len_out);
static ASN1_OBJECT * pkinit_pkcs7type2oid
(pkinit_plg_crypto_context plg_cryptoctx, int pkcs7_type);
@@ -1964,9 +1960,6 @@ cms_envelopeddata_verify(krb5_context context,
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
PKCS7 *p7 = NULL;
- BIO *out = NULL;
- int i = 0;
- unsigned int size = 0;
const unsigned char *p = enveloped_data;
unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0;
unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL;
@@ -1991,26 +1984,13 @@ cms_envelopeddata_verify(krb5_context context,
}
/* decrypt received PKCS7 message */
- out = BIO_new(BIO_s_mem());
- if (pkcs7_decrypt(context, id_cryptoctx, p7, out)) {
+ if (pkcs7_decrypt(context, id_cryptoctx, p7, &tmp_buf, &tmp_buf_len)) {
pkiDebug("PKCS7 decryption successful\n");
} else {
retval = oerr(context, 0, _("Failed to decrypt PKCS7 message"));
goto cleanup;
}
- /* transfer the decoded PKCS7 SignedData message into a separate buffer */
- for (;;) {
- if ((tmp_buf = realloc(tmp_buf, size + 1024 * 10)) == NULL)
- goto cleanup;
- i = BIO_read(out, &(tmp_buf[size]), 1024 * 10);
- if (i <= 0)
- break;
- else
- size += i;
- }
- tmp_buf_len = size;
-
#ifdef DEBUG_ASN1
print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack");
#endif
@@ -2072,8 +2052,6 @@ cleanup:
if (p7 != NULL)
PKCS7_free(p7);
- if (out != NULL)
- BIO_free(out);
free(tmp_buf);
free(tmp_buf2);
@@ -5714,39 +5692,6 @@ cleanup:
return retval;
}
-static int
-pkcs7_decrypt(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7,
- BIO *data)
-{
- BIO *tmpmem = NULL;
- int retval = 0, i = 0;
- char buf[4096];
-
- if(p7 == NULL)
- return 0;
-
- if(!PKCS7_type_is_enveloped(p7)) {
- pkiDebug("wrong pkcs7 content type\n");
- return 0;
- }
-
- if(!(tmpmem = pkcs7_dataDecode(context, id_cryptoctx, p7))) {
- pkiDebug("unable to decrypt pkcs7 object\n");
- return 0;
- }
-
- for(;;) {
- i = BIO_read(tmpmem, buf, sizeof(buf));
- if (i <= 0) break;
- BIO_write(data, buf, i);
- BIO_free_all(tmpmem);
- return 1;
- }
- return retval;
-}
-
krb5_error_code
pkinit_process_td_trusted_certifiers(
krb5_context context,
@@ -5827,118 +5772,86 @@ cleanup:
return retval;
}
-static BIO *
-pkcs7_dataDecode(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
- PKCS7 *p7)
+/* Originally based on OpenSSL's PKCS7_dataDecode(), now modified to remove the
+ * use of BIO objects and to fit the PKINIT internal interfaces. */
+static int
+pkcs7_decrypt(krb5_context context,
+ pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7,
+ unsigned char **data_out, unsigned int *len_out)
{
- unsigned int eklen=0, tkeylen=0;
- BIO *out=NULL,*etmp=NULL,*bio=NULL;
- unsigned char *ek=NULL, *tkey=NULL;
- ASN1_OCTET_STRING *data_body=NULL;
- const EVP_CIPHER *evp_cipher=NULL;
- EVP_CIPHER_CTX *evp_ctx=NULL;
- X509_ALGOR *enc_alg=NULL;
- STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
- PKCS7_RECIP_INFO *ri=NULL;
+ krb5_error_code ret;
+ int ok = 0, plaintext_len = 0, final_len;
+ unsigned int keylen = 0, eklen = 0, blocksize;
+ unsigned char *ek = NULL, *tkey = NULL, *plaintext = NULL, *use_key;
+ ASN1_OCTET_STRING *data_body = p7->d.enveloped->enc_data->enc_data;
+ const EVP_CIPHER *evp_cipher;
+ EVP_CIPHER_CTX *evp_ctx = NULL;
+ X509_ALGOR *enc_alg = p7->d.enveloped->enc_data->algorithm;
+ STACK_OF(PKCS7_RECIP_INFO) *rsk = p7->d.enveloped->recipientinfo;
+ PKCS7_RECIP_INFO *ri = NULL;
- p7->state=PKCS7_S_HEADER;
+ *data_out = NULL;
+ *len_out = 0;
- rsk=p7->d.enveloped->recipientinfo;
- enc_alg=p7->d.enveloped->enc_data->algorithm;
- data_body=p7->d.enveloped->enc_data->enc_data;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
- if (evp_cipher == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
- goto cleanup;
- }
-
- if ((etmp=BIO_new(BIO_f_cipher())) == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
- goto cleanup;
- }
-
- /* It was encrypted, we need to decrypt the secret key
- * with the private key */
+ p7->state = PKCS7_S_HEADER;
/* RFC 4556 section 3.2.3.2 requires that there be exactly one
* recipientInfo. */
if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) {
pkiDebug("invalid number of EnvelopedData RecipientInfos\n");
- goto cleanup;
+ return 0;
}
-
ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
- (void)pkinit_decode_data(context, id_cryptoctx,
- ASN1_STRING_get0_data(ri->enc_key),
- ASN1_STRING_length(ri->enc_key), &ek, &eklen);
- evp_ctx=NULL;
- BIO_get_cipher_ctx(etmp,&evp_ctx);
- if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0)
+ evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
+ if (evp_cipher == NULL)
goto cleanup;
- if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
+ keylen = EVP_CIPHER_key_length(evp_cipher);
+ blocksize = EVP_CIPHER_block_size(evp_cipher);
+
+ evp_ctx = EVP_CIPHER_CTX_new();
+ if (evp_ctx == NULL)
+ goto cleanup;
+ if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL) ||
+ EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0)
goto cleanup;
/* Generate a random symmetric key to avoid exposing timing data if RSA
* decryption fails the padding check. */
- tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
- tkey = OPENSSL_malloc(tkeylen);
- if (tkey == NULL)
- goto cleanup;
- if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
- goto cleanup;
- if (ek == NULL) {
- ek = tkey;
- eklen = tkeylen;
- tkey = NULL;
- }
-
- if (eklen != (unsigned)EVP_CIPHER_CTX_key_length(evp_ctx)) {
- /* Some S/MIME clients don't use the same key
- * and effective key length. The key length is
- * determined by the size of the decrypted RSA key.
- */
- if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, (int)eklen)) {
- ek = tkey;
- eklen = tkeylen;
- tkey = NULL;
- }
- }
- if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0)
+ tkey = malloc(keylen);
+ if (tkey == NULL || !EVP_CIPHER_CTX_rand_key(evp_ctx, tkey))
goto cleanup;
- if (out == NULL)
- out=etmp;
- else
- BIO_push(out,etmp);
- etmp=NULL;
+ /* Decrypt the secret key with the private key. */
+ ret = pkinit_decode_data(context, id_cryptoctx,
+ ASN1_STRING_get0_data(ri->enc_key),
+ ASN1_STRING_length(ri->enc_key), &ek, &eklen);
+ use_key = (ret || eklen != keylen) ? tkey : ek;
- if (data_body->length > 0)
- bio = BIO_new_mem_buf(data_body->data, data_body->length);
- else {
- bio=BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(bio,0);
- }
- BIO_push(out,bio);
- bio=NULL;
+ /* Allocate a plaintext buffer and decrypt data_body into it. */
+ plaintext = malloc(data_body->length + blocksize);
+ if (plaintext == NULL)
+ goto cleanup;
+ if (!EVP_DecryptInit(evp_ctx, NULL, use_key, NULL))
+ goto cleanup;
+ if (!EVP_DecryptUpdate(evp_ctx, plaintext, &plaintext_len,
+ data_body->data, data_body->length))
+ goto cleanup;
+ if (!EVP_DecryptFinal(evp_ctx, plaintext + plaintext_len, &final_len))
+ goto cleanup;
+ plaintext_len += final_len;
- if (0) {
- cleanup:
- if (out != NULL) BIO_free_all(out);
- if (etmp != NULL) BIO_free_all(etmp);
- if (bio != NULL) BIO_free_all(bio);
- out=NULL;
- }
- if (ek != NULL) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- }
- if (tkey != NULL) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- }
- return(out);
+ *len_out = plaintext_len;
+ *data_out = plaintext;
+ plaintext = NULL;
+ ok = 1;
+
+cleanup:
+ EVP_CIPHER_CTX_free(evp_ctx);
+ zapfree(plaintext, plaintext_len);
+ zapfree(ek, eklen);
+ zapfree(tkey, keylen);
+ return ok;
}
#ifdef DEBUG_DH


@ -1,37 +0,0 @@
From c58dbf05938b57a729d1b3811424866296f11998 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 3 Aug 2019 13:30:28 -0400
Subject: [PATCH] Skip URI tests when using asan
resolve_wrapper uses RTLD_DEEPBIND to load libresolv, triggering a
failure in the asan runtime.
(cherry picked from commit dbcec74b277952adf6e49d087932d2d0ea5393d1)
---
src/lib/krb5/os/Makefile.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index 91b0486b8..f523a5ac8 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -232,12 +232,16 @@ check-unix-locate: t_locate_kdc
echo 'Skipped t_locate_kdc test: OFFLINE' >> $(SKIPTESTS); \
fi
+ASAN = @ASAN@
check-unix-uri: t_locate_kdc
- if [ $(HAVE_RESOLV_WRAPPER) = 1 ]; then \
- $(RUNPYTEST) $(srcdir)/t_discover_uri.py $(PYTESTFLAGS); \
- else \
+ if [ $(HAVE_RESOLV_WRAPPER) = 0 ]; then \
echo '*** WARNING: skipped t_discover_uri.py due to not using resolv_wrapper'; \
echo 'Skipped URI discovery tests: resolv_wrapper 1.1.5 not found' >> $(SKIPTESTS); \
+ elif [ $(ASAN) = yes ]; then \
+ echo '*** Skipping URI discovery tests: resolv_wrapper is incompatible with asan'; \
+ echo 'Skipped URI discovery tests: incompatible with asan' >> $(SKIPTESTS); \
+ else \
+ $(RUNPYTEST) $(srcdir)/t_discover_uri.py $(PYTESTFLAGS); \
fi
check-unix-trace: t_trace


@ -1,34 +0,0 @@
From 566fa44c8f53b3c558791bef29d01fb6a02ff559 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 30 Aug 2019 11:16:58 -0400
Subject: [PATCH] Squash apparent forward-null in clnttcp_create()
clnttcp_create() only allows raddr to be NULL if *sockp is set.
Static analyzers cannot know this, so can report a forward null
defect. Add an raddr check before calling connect() to squash the
defect.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit b2f688eedd4bcca525201ef9485749a8c20b808a)
---
src/lib/rpc/clnt_tcp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
index 87761906c..dbd62d0a7 100644
--- a/src/lib/rpc/clnt_tcp.c
+++ b/src/lib/rpc/clnt_tcp.c
@@ -168,9 +168,9 @@ clnttcp_create(
if (*sockp < 0) {
*sockp = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
(void)bindresvport_sa(*sockp, NULL);
- if ((*sockp < 0)
- || (connect(*sockp, (struct sockaddr *)raddr,
- sizeof(*raddr)) < 0)) {
+ if (*sockp < 0 || raddr == NULL ||
+ connect(*sockp, (struct sockaddr *)raddr,
+ sizeof(*raddr)) < 0) {
rpc_createerr.cf_stat = RPC_SYSTEMERROR;
rpc_createerr.cf_error.re_errno = errno;
(void)closesocket(*sockp);


@ -1,63 +0,0 @@
From a9c73bc1078dc6287a3838220ef1bd435273506e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] Support 389ds's lockout model
Handle the attribute 'nsAccountLock' from Netscape derivatives. Based
on a patch by Nalin Dahyabhai and Simo Sorce.
ticket: 5891
(cherry picked from commit 6ad061e24eca41a61eebed61db39768bfa51a084)
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 18 ++++++++++++++++++
.../kdb/ldap/libkdb_ldap/ldap_principal.c | 1 +
2 files changed, 19 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5b9d1e9fa..2ade63719 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
struct berval **ber_key_data = NULL, **ber_tl_data = NULL;
krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl;
osa_princ_ent_rec princ_ent;
+ char *is_login_disabled = NULL;
memset(&princ_ent, 0, sizeof(princ_ent));
@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
if (ret)
goto cleanup;
+ /*
+ * 389ds and other Netscape directory server derivatives support an
+ * attribute "nsAccountLock" which functions similarly to eDirectory's
+ * "loginDisabled". When the user's account object is also a
+ * krbPrincipalAux object, the kdb entry should be treated as if
+ * DISALLOW_ALL_TIX has been set.
+ */
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+ &attr_present);
+ if (ret)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE") == 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free(is_login_disabled);
+ }
+
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
goto cleanup;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index d722dbfa6..a5180c73f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,6 +54,7 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
+ "nsAccountLock",
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbPrincipalAuthInd",


@ -1,85 +0,0 @@
From 5e7c6ac2f9ee4dfe182f28c0801811910b63be1d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 16 Apr 2019 14:16:39 -0400
Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype
(cherry picked from commit 3e94e53febc6d5636272f31ae9dba8e3babe9263)
---
src/tests/asn.1/krb5_decode_test.c | 2 +-
src/tests/asn.1/ktest.c | 4 ++--
src/tests/asn.1/reference_encode.out | 4 ++--
src/tests/asn.1/trval_reference.out | 4 ++--
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index ee70fa4b9..cbd99ba63 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -934,7 +934,7 @@ int main(argc, argv)
/* decode_sam_challenge_2_body */
{
setup(krb5_sam_challenge_2_body,ktest_make_sample_sam_challenge_2_body);
- decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body);
+ decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body);
ktest_empty_sam_challenge_2_body(&ref);
}
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 5bfdc5be2..6bf6e54ac 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -507,7 +507,7 @@ ktest_make_sample_sam_challenge_2_body(krb5_sam_challenge_2_body *p)
krb5_data_parse(&p->sam_response_prompt, "response_prompt ipse");
p->sam_pk_for_sad = empty_data();
p->sam_nonce = 0x543210;
- p->sam_etype = ENCTYPE_DES_CBC_CRC;
+ p->sam_etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
}
void
@@ -518,7 +518,7 @@ ktest_make_sample_sam_response_2(krb5_sam_response_2 *p)
p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
krb5_data_parse(&p->sam_track_id, "track data");
krb5_data_parse(&p->sam_enc_nonce_or_sad.ciphertext, "nonce or sad");
- p->sam_enc_nonce_or_sad.enctype = ENCTYPE_DES_CBC_CRC;
+ p->sam_enc_nonce_or_sad.enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
p->sam_enc_nonce_or_sad.kvno = 3382;
p->sam_nonce = 0x543210;
}
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index a76deead2..80b18a2fb 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
@@ -49,8 +49,8 @@ encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 4
encode_krb5_enc_data(MSB-set kvno): 30 26 A0 03 02 01 00 A1 06 02 04 FF 00 00 00 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
encode_krb5_enc_data(kvno=-1): 30 23 A0 03 02 01 00 A1 03 02 01 FF A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
encode_krb5_sam_challenge_2: 30 22 A0 0D 30 0B 04 09 63 68 61 6C 6C 65 6E 67 65 A1 11 30 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
-encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01
-encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
+encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14
+encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 14 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
encode_krb5_pa_for_user: 30 4B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 0A 1B 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index e5c715924..432fdcebb 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1180,7 +1180,7 @@ encode_krb5_sam_challenge_2_body:
. [5] [Octet String] "challenge ipse"
. [6] [Octet String] "response_prompt ipse"
. [8] [Integer] 5517840
-. [9] [Integer] 1
+. [9] [Integer] 20
encode_krb5_sam_response_2:
@@ -1189,7 +1189,7 @@ encode_krb5_sam_response_2:
. [1] [Bit String] 0x80000000
. [2] [Octet String] "track data"
. [3] [Sequence/Sequence Of]
-. . [0] [Integer] 1
+. . [0] [Integer] 20
. . [1] [Integer] 3382
. . [2] [Octet String] "nonce or sad"
. [4] [Integer] 5517840


@ -1,54 +0,0 @@
From 04ce158f626a683d60914f464bac24a1bd5687e3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 20 May 2019 16:52:57 -0400
Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype
Change from the legacy des-cbc-crc to the default for kdb5_util and
kadmind, which is currently aes256-cts-hmac-sha1-96.
(cherry picked from commit 512f5cde625253cba1e6f87e037a00ef88178882)
---
doc/admin/admin_commands/krb5kdc.rst | 2 +-
src/kdc/main.c | 2 +-
src/man/krb5kdc.man | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
index 08d40cc0d..631a0de84 100644
--- a/doc/admin/admin_commands/krb5kdc.rst
+++ b/doc/admin/admin_commands/krb5kdc.rst
@@ -41,7 +41,7 @@ LDAP database.
The **-k** *keytype* option specifies the key type of the master key
to be entered manually as a password when **-m** is given; the default
-is ``des-cbc-crc``.
+is |defmkey|.
The **-M** *mkeyname* option specifies the principal name for the
master key in the database (usually ``K/M`` in the KDC's realm).
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 60092a0df..04393772f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -777,7 +777,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
case 'm': /* manual type-in of master key */
manual = TRUE;
if (menctype == ENCTYPE_UNKNOWN)
- menctype = ENCTYPE_DES_CBC_CRC;
+ menctype = DEFAULT_KDC_ENCTYPE;
break;
case 'M': /* master key name in DB */
mkey_name = optarg;
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 9c9b816b3..100f371c4 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -61,7 +61,7 @@ LDAP database.
.sp
The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
to be entered manually as a password when \fB\-m\fP is given; the default
-is \fBdes\-cbc\-crc\fP\&.
+is \fBaes256\-cts\-hmac\-sha1\-96\fP\&.
.sp
The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the
master key in the database (usually \fBK/M\fP in the KDC\(aqs realm).


@ -1,638 +0,0 @@
From 8c38e6a1cef9bee050e42f591a530d077bb11f17 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 12 Nov 2019 13:38:59 -0500
Subject: [PATCH] Update test suite cert message digest to sha256
Certain openssl configurations (such as Debian testing) will fail out
the sha1 certificates with errors like "ssl.SSLError: [SSL:
CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3833)" or similar. Also update
the certs in question.
(cherry picked from commit b1c258c6aab95198bdc340b86ca67cbd531464f8)
---
src/tests/dejagnu/proxy-certs/ca.pem | 52 +++++-----
src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +-
.../dejagnu/proxy-certs/proxy-badsig.pem | 96 +++++++++---------
src/tests/dejagnu/proxy-certs/proxy-ideal.pem | 98 +++++++++----------
.../dejagnu/proxy-certs/proxy-no-match.pem | 98 +++++++++----------
src/tests/dejagnu/proxy-certs/proxy-san.pem | 98 +++++++++----------
.../dejagnu/proxy-certs/proxy-subject.pem | 98 +++++++++----------
7 files changed, 271 insertions(+), 271 deletions(-)
diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/dejagnu/proxy-certs/ca.pem
index e0f8dc73c..ee24cba81 100644
--- a/src/tests/dejagnu/proxy-certs/ca.pem
+++ b/src/tests/dejagnu/proxy-certs/ca.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuzCCA6OgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMIGZMQswCQYDVQQGEwJVUzEWMBQG
-A1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQK
-EwNNSVQxIjAgBgNVBAsTGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNV
-BAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6
-zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJ
-IkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtq
-fpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1Yd
-pmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObS
-g13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABo4IB
-CjCCAQYwHQYDVR0OBBYEFHO5+DSYzq8rvQhUldyvn0y4AqlHMIHGBgNVHSMEgb4w
-gbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEW
-MBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYD
-VQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAq
-BgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsG
-A1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAM
-Mf4ptC6WoQBH3GoTfgBL0WlIeYeSFmLO7IaSjpK0FV6F/yF7iPFSXcpmu23m6USY
-LRSxnAvxFTi+h1S5Za9O2Pjq88R9nHmesg4v8HJqOw4HpkDowYo2lumjIMfAutyR
-MQUOujYJW1WyZ2PidN5M1exDeMgQN9nVjUCx/WKD9fnzOjOOR1Sc8Us2KpoyccIi
-A+ABHubCvSO3cln0Sp7qjkssJScZtouzPu8FYiroTIR+1oSIKTpJiik1EptlsTea
-L6fHTMHspFhZaiUJFHWTBAgn/dT+UkFntHdHGI6HWBThFVW05hKoarBA7N25W7FN
-AHyfC0lKds4qFiBQkpdi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-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/dejagnu/proxy-certs/make-certs.sh
index 24ef91bde..7a40e2b98 100755
--- a/src/tests/dejagnu/proxy-certs/make-certs.sh
+++ b/src/tests/dejagnu/proxy-certs/make-certs.sh
@@ -25,7 +25,7 @@ private_key = $PWD/privkey.pem
default_days = $DAYS
x509_extensions = exts_proxy
policy = proxyname
-default_md = sha1
+default_md = sha256
unique_subject = no
email_in_dn = no
diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/dejagnu/proxy-certs/proxy-badsig.pem
index 2b31f7d6a..40001d974 100644
--- a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem
+++ b/src/tests/dejagnu/proxy-certs/proxy-badsig.pem
@@ -1,56 +1,56 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU
-oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I
-NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ
-FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x
-Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP
-zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo
-Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM
-/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS
-XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR
-4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o
-TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt
-6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm
-vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL
-tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB
-ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn
-e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+
-c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3
-P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG
-Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6
-AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj
-lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9
-RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6
-IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK
-g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW
-6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w=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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDlaFw0yNTA0MTQxOTA2MDlaME8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE
-AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud
-npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5
-MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp
-mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F
-YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W
-VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr
-WVR3QLTxnnmXsqnXvwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFHO5+DSYzq8rvQhU
-ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf
-pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG
-A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl
-IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v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-DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAfTctgFjQSaevBi64q7yh
-GNsK3PqeNEALZz4pSXRbOwm0E4RpYIS7uqg1C4zJ5Zbd4V/dOX7q+T/iBS7gErzS
-rj21jH3Ggc92TmXzcFxMDCxLV0hO8xFkqg3P4sslJESOHxvEMTTf5s893yUb8vJ/
-DCvZXXRoRwPot9MFozkmcQcaTNunREWFvn4i4JXcMCSAfWTd+/VkpVsy69u3tj68
-7G2/K5nalvZikutEC+DyfyBuvDAoxIYzCi3VtQxCalW28Q5hzWV21QsvKTP5QBsh
-RaU2r0O58lZPPvrOrtWQBCudUgsnoraVLrjJshEQ4z/ZAAAAAAAAAAAAAAAAAAAA
+DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU
+8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5
+FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7
+QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj
+x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz
+Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUAAAAAAAAAAAAAAAAAAAA
AA==
-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/dejagnu/proxy-certs/proxy-ideal.pem
index 4588f7d4e..3bb09dc94 100644
--- a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem
+++ b/src/tests/dejagnu/proxy-certs/proxy-ideal.pem
@@ -1,56 +1,56 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU
-oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I
-NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ
-FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x
-Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP
-zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo
-Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM
-/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS
-XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR
-4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o
-TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt
-6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm
-vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL
-tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB
-ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn
-e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+
-c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3
-P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG
-Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6
-AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj
-lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9
-RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6
-IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK
-g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW
-6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w=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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDlaFw0yNTA0MTQxOTA2MDlaME8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE
-AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud
-npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5
-MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp
-mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F
-YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W
-VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr
-WVR3QLTxnnmXsqnXvwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFHO5+DSYzq8rvQhU
-ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf
-pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG
-A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl
-IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v
+MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD
+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE
+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC
+eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y
+b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg
+Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2
+3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3
+ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG
+GDy+ZCKmxf8Zu/8SwwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFPf/vJvFMCwrABeC
+C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf
+pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG
+A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl
+IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v
dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMFkG
A1UdEQRSMFCCFnByb3h5xaB1YmplY3TDhGx0w5FhbWWCE3Byb3h5U3ViamVjdEFs
dE5hbWWHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdDATBgNVHSUE
-DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAfTctgFjQSaevBi64q7yh
-GNsK3PqeNEALZz4pSXRbOwm0E4RpYIS7uqg1C4zJ5Zbd4V/dOX7q+T/iBS7gErzS
-rj21jH3Ggc92TmXzcFxMDCxLV0hO8xFkqg3P4sslJESOHxvEMTTf5s893yUb8vJ/
-DCvZXXRoRwPot9MFozkmcQcaTNunREWFvn4i4JXcMCSAfWTd+/VkpVsy69u3tj68
-7G2/K5nalvZikutEC+DyfyBuvDAoxIYzCi3VtQxCalW28Q5hzWV21QsvKTP5QBsh
-RaU2r0O58lZPPvrOrtWQBCudUgsnoraVLrjJshEQ4z/ZA9fVtX2ndCSIoyWpWk01
-gQ==
+DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU
+8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5
+FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7
+QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj
+x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz
+Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUPjDcJpS1gRZ6kDKRh6Np
+ig==
-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/dejagnu/proxy-certs/proxy-no-match.pem
index a97c1c77b..7464e40db 100644
--- a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem
+++ b/src/tests/dejagnu/proxy-certs/proxy-no-match.pem
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU
-oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I
-NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ
-FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x
-Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP
-zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo
-Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM
-/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS
-XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR
-4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o
-TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt
-6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm
-vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL
-tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB
-ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn
-e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+
-c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3
-P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG
-Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6
-AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj
-lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9
-RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6
-IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK
-g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW
-6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w=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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIEhzCCA2+gAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMFQxCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTEXMBUGA1UE
-AxMOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDXO52ek3wU/uIufW+CTJNKf9FDFfHXK3rOKQdoytU+OSNc89SgIWlZLd54jhpA
-WiP3cvkzBkOZLE5+UECovBXYAwBpytic08kiQe1tgp1Wy/D1vgg1NapX38M44M7t
-SjDIymmY7fn+lRdosv4CMeMvDX8SFDdli2p+kAw6R/lOdLka2pkWWtiBkoTy9MLw
-HEMozsViFZjPuSn+0bdLw79FOc/s136HVh2maUcEZ+7AhEgnPnE3DoohwLLdDQ02
-gqeHTRZXAuZH7HXUEZKQyOJlmTAnkPRE5tKDXdAP+K2sahXaC0/ONCA099OuOwy/
-I5YAAWtZVHdAtPGeeZeyqde/AgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQUc7n4NJjO
-ryu9CFSV3K+fTLgCqUcwgcYGA1UdIwSBvjCBu4AUc7n4NJjOryu9CFSV3K+fTLgC
-qUehgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRz
-MRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEiMCAGA1UECxMZSW5z
-ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAxQjdGVzdCBzdWl0ZSBDQTsg
+MIIEhzCCA2+gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMFQxCzAJBgNVBAYTAlVTMRYwFAYD
+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTEXMBUGA1UE
+AwwOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDngcJ5NNR7XbumqMryvbw0YzDavbH6FYoprIfk2ao6qfCfNEeRkTlSORrND+H3
+tLotnphvzDeYkTJfU91w0BEPDaZs48WTk325ecFvoBmiDuGH3Ax7/+D1rs+kpqd/
+Dr19JWACvj1MUWIugq7JOAeIk4HtiA/RtMcQ7iUuq6w9AzXqVENJ2heDja50CHe4
+Fj5AOzbeyctKIH72+3yC3qBeJphvcEE5az0Hc8qzfvg32Q4+yByP7yTJH8z6r5F8
+rluKpLdx7+zG89XQqx6H//W4nGVtALA6IF3dMtYcuFb0XuvMRy/OfUx9yTfmzRcM
+NGUbFEYYPL5kIqbF/xm7/xLDAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU9/+8m8Uw
+LCsAF4ILSyrtEZ9h4iIwgcYGA1UdIwSBvjCBu4AU9/+8m8UwLCsAF4ILSyrtEZ9h
+4iKhgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz
+MRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEiMCAGA1UECwwZSW5z
+ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAwwjdGVzdCBzdWl0ZSBDQTsg
ZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0PBAQDAgPoMAwGA1UdEwEB/wQC
-MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAMsP++r4
-vki0mBJg3POpp0i+H6zNMimoYLLtM5NvwXinfFuFQKbwLm8QWuHVifjfCYxMUm+l
-iL5cS/bq+SUWGDmrlOhsuu4+aYaxgNiEyki5Rol6miSOHbfOhzX8yp0EBPpq08dg
-SEdrTd/FIl4qgkkb1A4RJYZRErn/fbsyjJN66KIfSOXJuC8XMBf03Vw9f2rdrHJa
-r5lVGvqa4wjO2MPq9vVK52VFrbU/zuyyCUtggyIOwGLGSY0Axtbci+IHToDBQes+
-6W4WwSUCssWfIZXQDLjFw1oRHnN43fXmX5vsVLi7YvOFHOAa1BDnDtCTZit26xVA
-Mdic66hR2jHP0TE=
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAI0Ons8g
+6aXdZsKSmp1hbwNUvsY5GNl/QHVJIMQbe9zNVkW9Hp286fzkMar6peTB9MEnhzJ5
+5mbJM9DkugzgJeG0+HwsSdjAQCOcG4jSQ3SaASETOo58LsaG/yssIaZiZdJBrzNb
+1D5fJVVpopZMZ/mKUNB/2ofUVGVBZCdfyOoIbVSkkm1UHJ9liLFK1ZNPDTX60613
+YNl4BydTiXtEg+IOYgmFXuZj310dDZUMHuYdzAM5j+6i2JaIcK4PgDE+yG9Oj9N+
+uKjj0iHWyoZW49y9Hq/oiMegi2X4XZBtbZlEUu4OkpBJ1QG0MTaz/vN94sHiLOzS
+81b7+2BMgHd51+E=
-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/dejagnu/proxy-certs/proxy-san.pem
index ac8bbaa16..8eaeceece 100644
--- a/src/tests/dejagnu/proxy-certs/proxy-san.pem
+++ b/src/tests/dejagnu/proxy-certs/proxy-san.pem
@@ -1,56 +1,56 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU
-oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I
-NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ
-FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x
-Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP
-zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo
-Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM
-/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS
-XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR
-4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o
-TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt
-6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm
-vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL
-tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB
-ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn
-e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+
-c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3
-P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG
-Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6
-AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj
-lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9
-RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6
-IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK
-g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW
-6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w=
+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH
+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM
+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD
+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc
+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv
+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu
+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv
+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc
+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9
+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b
+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5
+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp
+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP
+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr
+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT
+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f
+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz
+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69
+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO
+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9
+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0
+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY
+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y
+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr
+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIE4jCCA8qgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMFQxCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTEXMBUGA1UE
-AxMOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDXO52ek3wU/uIufW+CTJNKf9FDFfHXK3rOKQdoytU+OSNc89SgIWlZLd54jhpA
-WiP3cvkzBkOZLE5+UECovBXYAwBpytic08kiQe1tgp1Wy/D1vgg1NapX38M44M7t
-SjDIymmY7fn+lRdosv4CMeMvDX8SFDdli2p+kAw6R/lOdLka2pkWWtiBkoTy9MLw
-HEMozsViFZjPuSn+0bdLw79FOc/s136HVh2maUcEZ+7AhEgnPnE3DoohwLLdDQ02
-gqeHTRZXAuZH7HXUEZKQyOJlmTAnkPRE5tKDXdAP+K2sahXaC0/ONCA099OuOwy/
-I5YAAWtZVHdAtPGeeZeyqde/AgMBAAGjggF3MIIBczAdBgNVHQ4EFgQUc7n4NJjO
-ryu9CFSV3K+fTLgCqUcwgcYGA1UdIwSBvjCBu4AUc7n4NJjOryu9CFSV3K+fTLgC
-qUehgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRz
-MRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEiMCAGA1UECxMZSW5z
-ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAxQjdGVzdCBzdWl0ZSBDQTsg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-A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQAH6AWuyRLzMbKq
-MUlyg9ZIar8p0Ms0/UEaa6Xm3/cfm6HSujtgcYlDN3M86Z3zWzWdTrOHsRr/YSG3
-H3YDhJToKqxcjgho+1xdBPm0xuFsJcypRqGj/mIaJSoa+wC2AdY1EdE+URsh87XC
-SHYNbxAVo8qBHMjtROm6AKb2YusYqHnkT+U6nc4Pn9UnIzmu4wfoSB+X1vtY24TP
-AtXNYQEG4BkgSrcsgoL+z/+wtZLU8QFk6JRO7Bedq711Oh/taEasZHjRAmnqC5TB
-Ab2fnwWuoVZHqz2qydeywXUKrZlctuRVdjE++wOt9xuMPKFGo0PKDw/SymCe61Q8
-Nc/d2mhz
+A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQDQI1/zeNAWvXAG
+CTJk+hFLNx7xzd28/vWGkumK60rSmLVLZNDlvfmNJZ/kd7d0YZFvZDvbzhugXigI
+5N54664XreRwXA7QkgD2laFd/Rzq+6NdhyMCno7V6j1VZUm6/FWgfYjfGEBvbGNv
+Ue50fyRSQBmFv3p87Av/Zc0OMjted0zOYUxUPH0OL+2e4BL/suo05Q5DZq+J8Dni
+7SJbDC0fp5mKVLQ500zIRwUF2y5TE4olBsYBoaMDxQl+HoG6XpzaVslTKXAvzFMk
+8beI2BmqUId1OSLa3TOKnbsK8K/MPnSnB5StINt1+ZtTjjV+dY3xB6ZC+G1Pl6Ta
+00C7EWul
-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/dejagnu/proxy-certs/proxy-subject.pem
index e17918f2b..3846aece6 100644
--- a/src/tests/dejagnu/proxy-certs/proxy-subject.pem
+++ b/src/tests/dejagnu/proxy-certs/proxy-subject.pem
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU
-oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I
-NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ
-FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x
-Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP
-zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo
-Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM
-/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS
-XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR
-4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o
-TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt
-6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm
-vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL
-tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB
-ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn
-e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+
-c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3
-P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG
-Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6
-AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj
-lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9
-RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6
-IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK
-g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW
-6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w=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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIEgjCCA2qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaME8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE
-AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud
-npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5
-MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp
-mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F
-YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W
-VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr
-WVR3QLTxnnmXsqnXvwIDAQABo4IBHDCCARgwHQYDVR0OBBYEFHO5+DSYzq8rvQhU
-ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf
-pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG
-A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl
-IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v
+MIIEgjCCA2qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD
+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE
+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC
+eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y
+b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg
+Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2
+3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3
+ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG
+GDy+ZCKmxf8Zu/8SwwIDAQABo4IBHDCCARgwHQYDVR0OBBYEFPf/vJvFMCwrABeC
+C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf
+pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG
+A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl
+IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v
dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMBMG
-A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQCzGPT+QOrl9mbJ
-nsGlPlLUOF+PYz0a/9V/iznlofxwCXiRi2ryMpLFbjLeOvjLJ3UzyNKtmEeudTBM
-yfR4i8tb9WA7Oh0BjK1+kD4688bAUXiIDhueKBjonmPvMd9kq3MDd4vDLkcZk6R4
-4IcbdwhzSBmnJH8ha2J82XShPpRq5CZNR9+vTyFwGdGWdPDjTMiXoXAmpRemcEgO
-iO4Gxvcrg/Z06Ys3eLze7QHNMAEwXhC4rUR34j5I2zgU7CEhff3AktLmnKVa8go8
-4BJT/n3XGB+3gdAEihQmgCEZetHH+YxAR0Ppn3ty7fpAlOnbRJqpeu6TMN8x/lL8
-c6JtDWRG
+A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBdg7Gk/RqQpTfD
+vyFB1GPWRcLYpYW4GQh3e/dcesmwjwT8Nsd4Mzq9mA9TzJIXwffUQ8de85L5+9Oh
+k4yiwRS3vDCP0fr+GZMpBqkBVunJIHQnm+RWxT42+0kBxxmO/fqp5ztND8gGBLiW
+QPHb+mSCFgmgwnRuW+UI3TZ965oZfd2oRjjHjr51cgxcXndqnNws/kakMpxSM+KT
++ICHNz5og79nC7zpVqu0Cd56stPXbrFeU+bnN5UT9sOZNOYstWZmS8u+ddDuJwhS
+ijJZgtQNOIuBfD2TLfDmg/QfLeh5hhgBVyXC5o8g6KEtjPgm+44OF3vNZeuwVPaf
+L58YyPcO
-----END CERTIFICATE-----


@ -1,19 +1,19 @@
From bdb78f9d3fbf9abccec9b41709bb0131e9ec28d6 Mon Sep 17 00:00:00 2001
From 9d887898571744f5ea0a523c7fba9d86d9cf8588 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
---
src/configure.in | 4 +
src/configure.ac | 4 +
src/lib/crypto/krb/derive.c | 356 +++++++++++++-----
.../preauth/pkinit/pkinit_crypto_openssl.c | 257 ++++++++-----
3 files changed, 428 insertions(+), 189 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index 1df6f18fc..3bd5e683d 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -269,6 +269,10 @@ AC_SUBST(CRYPTO_IMPL)
diff --git a/src/configure.ac b/src/configure.ac
index d4e4da525..29be532cb 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -282,6 +282,10 @@ AC_SUBST(CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL_CFLAGS)
AC_SUBST(CRYPTO_IMPL_LIBS)


@ -1,471 +0,0 @@
From 923cafe924fa08c1b35ca11d5473a255d629592d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 20 Jun 2019 13:41:57 -0400
Subject: [PATCH] Use imported soft-pkcs11 for tests
Update the soft-pkcs11 code for OpenSSL 1.1, fix some warnings,
integrate it into the build system, and use it for the PKINIT tests.
(cherry picked from commit e5ef7b69765353ea62ad8712a229ed4e90a8fe17)
---
src/configure.in | 1 +
src/tests/Makefile.in | 2 +-
src/tests/softpkcs11/Makefile.in | 21 ++++
src/tests/softpkcs11/deps | 6 ++
src/tests/softpkcs11/main.c | 124 +++++++++++++++++-------
src/tests/softpkcs11/softpkcs11.exports | 39 ++++++++
src/tests/t_pkinit.py | 18 +---
7 files changed, 162 insertions(+), 49 deletions(-)
create mode 100644 src/tests/softpkcs11/Makefile.in
create mode 100644 src/tests/softpkcs11/deps
create mode 100644 src/tests/softpkcs11/softpkcs11.exports
diff --git a/src/configure.in b/src/configure.in
index 3e3b95e49..1df6f18fc 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1086,6 +1086,7 @@ int i = 1;
fi
if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
K5_GEN_MAKEFILE(plugins/preauth/pkinit)
+ K5_GEN_MAKEFILE(tests/softpkcs11)
PKINIT=yes
AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index d2a37c616..8fa44fb59 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,7 +1,7 @@
mydir=tests
BUILDTOP=$(REL)..
SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- gss-threads misc threads
+ gss-threads misc threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
diff --git a/src/tests/softpkcs11/Makefile.in b/src/tests/softpkcs11/Makefile.in
new file mode 100644
index 000000000..e89678154
--- /dev/null
+++ b/src/tests/softpkcs11/Makefile.in
@@ -0,0 +1,21 @@
+mydir=tests$(S)softpkcs11
+BUILDTOP=$(REL)..$(S)..
+
+LOCALINCLUDES = -I$(top_srcdir)/plugins/preauth/pkinit
+
+LIBBASE=softpkcs11
+LIBMAJOR=0
+LIBMINOR=0
+
+SHLIB_EXPLIBS=$(SUPPORT_LIB) -lcrypto
+SHLIB_EXPDEPS=$(SUPPORT_DEPLIB)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/tests/softpkcs11/deps b/src/tests/softpkcs11/deps
new file mode 100644
index 000000000..1e82d9572
--- /dev/null
+++ b/src/tests/softpkcs11/deps
@@ -0,0 +1,6 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/plugins/preauth/pkinit/pkcs11.h main.c
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2acec5169..5255323d3 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2006, Stockholms universitet
* (Stockholm University, Stockholm Sweden)
@@ -31,7 +32,57 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-#include "locl.h"
+#include "k5-platform.h"
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+#include <ctype.h>
+#include <pwd.h>
+
+#include <pkcs11.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+#define RSA_get0_key compat_rsa_get0_key
+static void
+compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+ const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = rsa->n;
+ if (e != NULL)
+ *e = rsa->e;
+ if (d != NULL)
+ *d = rsa->d;
+}
+#endif
+
+#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \
+ { \
+ unsigned char *p; \
+ (BL) = i2d_##T((S), NULL); \
+ if ((BL) <= 0) { \
+ (R) = EINVAL; \
+ } else { \
+ (B) = malloc((BL)); \
+ if ((B) == NULL) { \
+ (R) = ENOMEM; \
+ } else { \
+ p = (B); \
+ (R) = 0; \
+ (BL) = i2d_##T((S), &p); \
+ if ((BL) <= 0) { \
+ free((B)); \
+ (R) = EINVAL; \
+ } \
+ } \
+ } \
+ }
/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */
@@ -124,7 +175,7 @@ st_logf(const char *fmt, ...)
}
static void
-snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
+snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
@@ -141,19 +192,19 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
#endif
#define VERIFY_SESSION_HANDLE(s, state) \
-{ \
- CK_RV ret; \
- ret = verify_session_handle(s, state); \
- if (ret != CKR_OK) { \
- /* return CKR_OK */; \
- } \
-}
+ { \
+ CK_RV vshret; \
+ vshret = verify_session_handle(s, state); \
+ if (vshret != CKR_OK) { \
+ /* return CKR_OK */; \
+ } \
+ }
static CK_RV
verify_session_handle(CK_SESSION_HANDLE hSession,
struct session_state **state)
{
- int i;
+ size_t i;
for (i = 0; i < MAX_NUM_SESSION; i++){
if (soft_token.state[i].session_handle == hSession)
@@ -361,16 +412,20 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
CK_ULONG modulus_bits = 0;
CK_BYTE *exponent = NULL;
size_t exponent_len = 0;
+ RSA *rsa;
+ const BIGNUM *n, *e;
- modulus_bits = BN_num_bits(key->pkey.rsa->n);
+ rsa = EVP_PKEY_get0_RSA(key);
+ RSA_get0_key(rsa, &n, &e, NULL);
+ modulus_bits = BN_num_bits(n);
- modulus_len = BN_num_bytes(key->pkey.rsa->n);
+ modulus_len = BN_num_bytes(n);
modulus = malloc(modulus_len);
- BN_bn2bin(key->pkey.rsa->n, modulus);
+ BN_bn2bin(n, modulus);
- exponent_len = BN_num_bytes(key->pkey.rsa->e);
+ exponent_len = BN_num_bytes(e);
exponent = malloc(exponent_len);
- BN_bn2bin(key->pkey.rsa->e, exponent);
+ BN_bn2bin(e, exponent);
add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
add_object_attribute(o, 0, CKA_MODULUS_BITS,
@@ -378,7 +433,7 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
exponent, exponent_len);
- RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(rsa, RSA_PKCS1_OpenSSL());
free(modulus);
free(exponent);
@@ -474,7 +529,7 @@ add_certificate(char *label,
o->u.cert = cert;
public_key = X509_get_pubkey(o->u.cert);
- switch (EVP_PKEY_type(public_key->type)) {
+ switch (EVP_PKEY_base_id(public_key)) {
case EVP_PKEY_RSA:
key_type = CKK_RSA;
break;
@@ -604,8 +659,8 @@ add_certificate(char *label,
/* XXX verify keytype */
if (key_type == CKK_RSA)
- RSA_set_method(o->u.private_key.key->pkey.rsa,
- RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -755,8 +810,9 @@ CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
+ size_t i;
+
st_logf("Initialize\n");
- int i;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
@@ -825,7 +881,7 @@ C_Initialize(CK_VOID_PTR a)
CK_RV
C_Finalize(CK_VOID_PTR args)
{
- int i;
+ size_t i;
st_logf("Finalize\n");
@@ -1008,7 +1064,7 @@ C_OpenSession(CK_SLOT_ID slotID,
CK_NOTIFY Notify,
CK_SESSION_HANDLE_PTR phSession)
{
- int i;
+ size_t i;
st_logf("OpenSession: slot: %d\n", (int)slotID);
@@ -1050,7 +1106,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession)
CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
- int i;
+ size_t i;
st_logf("CloseAllSessions\n");
@@ -1127,7 +1183,8 @@ C_Login(CK_SESSION_HANDLE hSession,
}
/* XXX check keytype */
- RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -1226,7 +1283,6 @@ C_FindObjectsInit(CK_SESSION_HANDLE hSession,
}
if (ulCount) {
CK_ULONG i;
- size_t len;
print_attributes(pTemplate, ulCount);
@@ -1415,7 +1471,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1445,7 +1501,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1566,7 +1622,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1596,7 +1652,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulEncryptedDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulEncryptedDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1725,7 +1781,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1754,7 +1810,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen + padding_len) {
+ if ((CK_ULONG)buffer_len < ulDataLen + padding_len) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1872,7 +1928,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1900,7 +1956,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1926,7 +1982,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
if (len > buffer_len)
abort();
- if (len != ulSignatureLen) {
+ if ((CK_ULONG)len != ulSignatureLen) {
ret = CKR_GENERAL_ERROR;
goto out;
}
diff --git a/src/tests/softpkcs11/softpkcs11.exports b/src/tests/softpkcs11/softpkcs11.exports
new file mode 100644
index 000000000..aa7284511
--- /dev/null
+++ b/src/tests/softpkcs11/softpkcs11.exports
@@ -0,0 +1,39 @@
+C_CloseAllSessions
+C_CloseSession
+C_Decrypt
+C_DecryptFinal
+C_DecryptInit
+C_DecryptUpdate
+C_DigestInit
+C_Encrypt
+C_EncryptFinal
+C_EncryptInit
+C_EncryptUpdate
+C_Finalize
+C_FindObjects
+C_FindObjectsFinal
+C_FindObjectsInit
+C_GenerateRandom
+C_GetAttributeValue
+C_GetFunctionList
+C_GetInfo
+C_GetMechanismInfo
+C_GetMechanismList
+C_GetObjectSize
+C_GetSessionInfo
+C_GetSlotInfo
+C_GetSlotList
+C_GetTokenInfo
+C_Initialize
+C_InitToken
+C_Login
+C_Logout
+C_OpenSession
+C_Sign
+C_SignFinal
+C_SignInit
+C_SignUpdate
+C_Verify
+C_VerifyFinal
+C_VerifyInit
+C_VerifyUpdate
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 93f0f2632..69daf4987 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -4,14 +4,7 @@ from k5test import *
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skip_rest('PKINIT tests', 'PKINIT module not built')
-# Check if soft-pkcs11.so is available.
-try:
- import ctypes
- lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
- del lib
- have_soft_pkcs11 = True
-except:
- have_soft_pkcs11 = False
+soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
# Construct a krb5.conf fragment configuring pkinit.
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
@@ -69,9 +62,9 @@ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
p12_generic_identity = 'PKCS12:%s' % generic_p12
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
-p11_identity = 'PKCS11:soft-pkcs11.so'
-p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
+p11_identity = 'PKCS11:' + soft_pkcs11
+p11_token_identity = ('PKCS11:module_name=' + soft_pkcs11 +
+ ':slotid=1:token=SoftToken (token)')
# Start a realm with the test kdb module for the following UPN SAN tests.
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
@@ -398,9 +391,6 @@ realm.klist(realm.user_princ)
realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'],
expected_code=1, expected_msg='Preauthentication failed while')
-if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
realm.env['SOFTPKCS11RC'] = softpkcs11rc


@ -1,240 +0,0 @@
From a41dc78bd3a879870eece3bf0a7c66196c90e7e8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 24 Apr 2019 16:19:50 -0400
Subject: [PATCH] Use secure_getenv() where appropriate
ticket: 8800
(cherry picked from commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6)
---
src/lib/kadm5/alt_prof.c | 2 +-
src/lib/krb5/ccache/ccselect_k5identity.c | 2 +-
src/lib/krb5/os/ccdefname.c | 2 +-
src/lib/krb5/os/expand_path.c | 2 +-
src/lib/krb5/os/init_os_ctx.c | 6 +++---
src/lib/krb5/os/ktdefname.c | 4 ++--
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_base.c | 4 ++--
src/lib/krb5/rcache/rc_io.c | 4 ++--
src/plugins/preauth/pkinit/pkinit_identity.c | 13 ++++---------
src/plugins/tls/k5tls/openssl.c | 2 +-
src/util/profile/prof_file.c | 2 +-
12 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 3f6b53651..5531a10fb 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -73,7 +73,7 @@ krb5_aprof_init(char *fname, char *envname, krb5_pointer *acontextp)
ret = krb5_get_default_config_files(&filenames);
if (ret)
return ret;
- if (envname == NULL || (kdc_config = getenv(envname)) == NULL)
+ if (envname == NULL || (kdc_config = secure_getenv(envname)) == NULL)
kdc_config = fname;
k5_buf_init_dynamic(&buf);
if (kdc_config)
diff --git a/src/lib/krb5/ccache/ccselect_k5identity.c b/src/lib/krb5/ccache/ccselect_k5identity.c
index bee541658..b2dbf8a09 100644
--- a/src/lib/krb5/ccache/ccselect_k5identity.c
+++ b/src/lib/krb5/ccache/ccselect_k5identity.c
@@ -135,7 +135,7 @@ get_homedir(krb5_context context)
struct passwd pwx, *pwd;
if (!context->profile_secure)
- homedir = getenv("HOME");
+ homedir = secure_getenv("HOME");
if (homedir == NULL) {
if (k5_getpwuid_r(geteuid(), &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c
index e5cb3e44c..233173d35 100644
--- a/src/lib/krb5/os/ccdefname.c
+++ b/src/lib/krb5/os/ccdefname.c
@@ -300,7 +300,7 @@ krb5_cc_default_name(krb5_context context)
return os_ctx->default_ccname;
/* Try the environment variable first. */
- envstr = getenv(KRB5_ENV_CCNAME);
+ envstr = secure_getenv(KRB5_ENV_CCNAME);
if (envstr != NULL) {
os_ctx->default_ccname = strdup(envstr);
return os_ctx->default_ccname;
diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c
index 61fb23459..4ce466c19 100644
--- a/src/lib/krb5/os/expand_path.c
+++ b/src/lib/krb5/os/expand_path.c
@@ -280,7 +280,7 @@ expand_temp_folder(krb5_context context, PTYPE param, const char *postfix,
const char *p = NULL;
if (context == NULL || !context->profile_secure)
- p = getenv("TMPDIR");
+ p = secure_getenv("TMPDIR");
*ret = strdup((p != NULL) ? p : "/tmp");
if (*ret == NULL)
return ENOMEM;
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 09809b932..3aa86f4ad 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -243,7 +243,7 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
char *name = 0;
if (!secure) {
- char *env = getenv("KRB5_CONFIG");
+ char *env = secure_getenv("KRB5_CONFIG");
if (env) {
name = strdup(env);
if (!name) return ENOMEM;
@@ -298,7 +298,7 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
if (secure) {
filepath = DEFAULT_SECURE_PROFILE_PATH;
} else {
- filepath = getenv("KRB5_CONFIG");
+ filepath = secure_getenv("KRB5_CONFIG");
if (!filepath) filepath = DEFAULT_PROFILE_PATH;
}
@@ -344,7 +344,7 @@ add_kdc_config_file(profile_filespec_t **pfiles)
size_t count = 0;
profile_filespec_t *newfiles;
- file = getenv(KDC_PROFILE_ENV);
+ file = secure_getenv(KDC_PROFILE_ENV);
if (file == NULL)
file = DEFAULT_KDC_PROFILE;
diff --git a/src/lib/krb5/os/ktdefname.c b/src/lib/krb5/os/ktdefname.c
index ffbd14d51..fbe4e98b4 100644
--- a/src/lib/krb5/os/ktdefname.c
+++ b/src/lib/krb5/os/ktdefname.c
@@ -42,7 +42,7 @@ kt_default_name(krb5_context context, char **name_out)
*name_out = strdup(krb5_overridekeyname);
return (*name_out == NULL) ? ENOMEM : 0;
} else if (context->profile_secure == FALSE &&
- (str = getenv("KRB5_KTNAME")) != NULL) {
+ (str = secure_getenv("KRB5_KTNAME")) != NULL) {
*name_out = strdup(str);
return (*name_out == NULL) ? ENOMEM : 0;
} else if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
@@ -63,7 +63,7 @@ k5_kt_client_default_name(krb5_context context, char **name_out)
char *str;
if (context->profile_secure == FALSE &&
- (str = getenv("KRB5_CLIENT_KTNAME")) != NULL) {
+ (str = secure_getenv("KRB5_CLIENT_KTNAME")) != NULL) {
*name_out = strdup(str);
return (*name_out == NULL) ? ENOMEM : 0;
} else if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 40a9e7b10..85dbfeb47 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -389,7 +389,7 @@ k5_init_trace(krb5_context context)
{
const char *filename;
- filename = getenv("KRB5_TRACE");
+ filename = secure_getenv("KRB5_TRACE");
if (filename)
(void) krb5_set_trace_filename(context, filename);
}
diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c
index 373ac3046..9fa46432d 100644
--- a/src/lib/krb5/rcache/rc_base.c
+++ b/src/lib/krb5/rcache/rc_base.c
@@ -107,7 +107,7 @@ char *
krb5_rc_default_type(krb5_context context)
{
char *s;
- if ((s = getenv("KRB5RCACHETYPE")))
+ if ((s = secure_getenv("KRB5RCACHETYPE")))
return s;
else
return "dfl";
@@ -117,7 +117,7 @@ char *
krb5_rc_default_name(krb5_context context)
{
char *s;
- if ((s = getenv("KRB5RCACHENAME")))
+ if ((s = secure_getenv("KRB5RCACHENAME")))
return s;
else
return (char *) 0;
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 35fa14a1f..1800460b2 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -48,13 +48,13 @@ getdir(void)
{
char *dir;
- if (!(dir = getenv("KRB5RCACHEDIR"))) {
+ if (!(dir = secure_getenv("KRB5RCACHEDIR"))) {
#if defined(_WIN32)
if (!(dir = getenv("TEMP")))
if (!(dir = getenv("TMP")))
dir = "C:";
#else
- if (!(dir = getenv("TMPDIR"))) {
+ if (!(dir = secure_getenv("TMPDIR"))) {
#ifdef RCTMPDIR
dir = RCTMPDIR;
#else
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 8cd3fc640..b89c5d015 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -29,15 +29,9 @@
* SUCH DAMAGES.
*/
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <dlfcn.h>
-#include <unistd.h>
-#include <dirent.h>
-
#include "pkinit.h"
+#include <dlfcn.h>
+#include <dirent.h>
static void
free_list(char **list)
@@ -430,7 +424,8 @@ process_option_identity(krb5_context context,
switch (idtype) {
case IDTYPE_ENVVAR:
return process_option_identity(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx, getenv(residual));
+ idopts, id_cryptoctx,
+ secure_getenv(residual));
break;
case IDTYPE_FILE:
retval = parse_fs_options(context, idopts, residual);
diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c
index 822632c90..76a43b3cd 100644
--- a/src/plugins/tls/k5tls/openssl.c
+++ b/src/plugins/tls/k5tls/openssl.c
@@ -399,7 +399,7 @@ load_anchor(SSL_CTX *ctx, const char *location)
} else if (strncmp(location, "DIR:", 4) == 0) {
return load_anchor_dir(store, location + 4);
} else if (strncmp(location, "ENV:", 4) == 0) {
- envloc = getenv(location + 4);
+ envloc = secure_getenv(location + 4);
if (envloc == NULL)
return ENOENT;
return load_anchor(ctx, envloc);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 0dcb6b543..79f9500f6 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -183,7 +183,7 @@ errcode_t profile_open_file(const_profile_filespec_t filespec,
prf->magic = PROF_MAGIC_FILE;
if (filespec[0] == '~' && filespec[1] == '/') {
- home_env = getenv("HOME");
+ home_env = secure_getenv("HOME");
#ifdef HAVE_PWD_H
if (home_env == NULL) {
uid_t uid;


@ -1,4 +1,4 @@
From ab2b67102127e448cc1a266fbbe2c738a1a3a158 Mon Sep 17 00:00:00 2001
From e07920163e88a538e73b4d72db26b74c951b8256 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch


@ -1,4 +1,4 @@
From c874aa2c7ec16203c0be91e9e789b21221689de2 Mon Sep 17 00:00:00 2001
From ad14cab8d35e6c7edee196708ce5b5516b9bb1f8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
@ -541,7 +541,7 @@ index 00734a13b..a3ce22b70 100644
vt->name = "spake";
vt->pa_type_list = pa_types;
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
index 59e88409e..1b3e569e9 100644
index 88c964ce1..c7df0392f 100644
--- a/src/plugins/preauth/spake/spake_kdc.c
+++ b/src/plugins/preauth/spake/spake_kdc.c
@@ -41,6 +41,8 @@
@ -553,7 +553,7 @@ index 59e88409e..1b3e569e9 100644
/*
* The SPAKE kdcpreauth module uses a secure cookie containing the following
* concatenated fields (all integer fields are big-endian):
@@ -578,6 +580,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
@@ -571,6 +573,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;


@ -1,25 +1,22 @@
From 98db8d2582b72fb75023c43c5bee435be960247f Mon Sep 17 00:00:00 2001
From d042a0d6ea28c70e87ae342255a0af2bab631ec1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] Remove 3des support
Subject: [PATCH] krb5-1.18-beta1-Remove-3des-support
Completely remove support for all DES3 enctypes (des3-cbc-raw,
des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
their constants.
(cherry picked from commit 57a8a84e035000b515ca9efd56e5cbe1568b95e7)
[rharwood@redhat.com: supported enctypes docs landed first]
---
doc/admin/advanced/retiring-des.rst | 11 +
doc/admin/conf_files/kdc_conf.rst | 7 +-
doc/admin/enctypes.rst | 13 +-
doc/admin/troubleshoot.rst | 9 +-
doc/appdev/refs/macros/index.rst | 1 -
doc/conf.py | 4 +-
doc/conf.py | 2 +-
doc/mitK5features.rst | 2 +-
src/Makefile.in | 4 +-
src/configure.in | 1 -
src/configure.ac | 1 -
src/include/krb5/krb5.hin | 10 +-
src/kadmin/testing/proto/kdc.conf.proto | 4 +-
src/kdc/kdc_util.c | 4 -
@ -107,7 +104,7 @@ their constants.
src/tests/t_salt.py | 5 +-
src/util/k5test.py | 10 -
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
96 files changed, 164 insertions(+), 4838 deletions(-)
96 files changed, 163 insertions(+), 4837 deletions(-)
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -245,7 +242,7 @@ index 6a0c7f89b..263fc9c97 100644
.. _err_cert_chain_cert_expired:
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index 534795d15..9542611ea 100644
index 68debe714..788d094bf 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -36,7 +36,6 @@ Public
@ -257,22 +254,20 @@ index 534795d15..9542611ea 100644
CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py
index 759367c21..37eda67fa 100644
index fc5662767..37eda67fa 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -271,8 +271,8 @@ else:
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
@@ -272,7 +272,7 @@ else:
rst_epilog += '''
.. |krb5conf| replace:: ``/etc/krb5.conf``
-.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
.. |copy| unicode:: U+000A9
'''
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index a19068e26..5bfdc3936 100644
index d58c71898..8655e257d 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@ -285,10 +280,10 @@ index a19068e26..5bfdc3936 100644
Interoperability
----------------
diff --git a/src/Makefile.in b/src/Makefile.in
index 91a5f4bf8..0197e5b6d 100644
index 56c7a4e6f..70db82a30 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -129,7 +129,7 @@ WINMAKEFILES=Makefile \
@@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \
lib\Makefile lib\crypto\Makefile lib\crypto\krb\Makefile \
lib\crypto\builtin\Makefile lib\crypto\builtin\aes\Makefile \
lib\crypto\builtin\enc_provider\Makefile \
@ -297,7 +292,7 @@ index 91a5f4bf8..0197e5b6d 100644
lib\crypto\builtin\camellia\Makefile lib\crypto\builtin\md4\Makefile \
lib\crypto\builtin\hash_provider\Makefile \
lib\crypto\builtin\sha2\Makefile lib\crypto\builtin\sha1\Makefile \
@@ -201,8 +201,6 @@ WINMAKEFILES=Makefile \
@@ -202,8 +202,6 @@ WINMAKEFILES=Makefile \
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
@ -306,11 +301,11 @@ index 91a5f4bf8..0197e5b6d 100644
##DOS##lib\crypto\builtin\md5\Makefile: lib\crypto\builtin\md5\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
diff --git a/src/configure.in b/src/configure.in
index 9d6825b78..3e3b95e49 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1443,7 +1443,6 @@ V5_AC_OUTPUT_MAKEFILE(.
diff --git a/src/configure.ac b/src/configure.ac
index 440a22bd9..d4e4da525 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1481,7 +1481,6 @@ V5_AC_OUTPUT_MAKEFILE(.
lib/crypto lib/crypto/krb lib/crypto/$CRYPTO_IMPL
lib/crypto/$CRYPTO_IMPL/enc_provider
lib/crypto/$CRYPTO_IMPL/hash_provider
@ -319,7 +314,7 @@ index 9d6825b78..3e3b95e49 100644
lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 5f596d1fc..9a05ce32d 100644
index d1f5661bf..26a3b6ec8 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
@ -368,10 +363,10 @@ index 8a4b87de1..d7f1d076b 100644
+ supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
}
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index df1ba6acf..23ad6c584 100644
index d0fd5d7e1..050672840 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1077,8 +1077,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
@@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
name = "rsaEncryption-EnvOID";
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
name = "id-RSAES-OAEP-EnvOID";
@ -380,7 +375,7 @@ index df1ba6acf..23ad6c584 100644
else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
@@ -1741,8 +1739,6 @@ krb5_boolean
@@ -1839,8 +1837,6 @@ krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype)
{
switch(enctype) {
@ -4551,10 +4546,10 @@ index cdb1acc6d..ef4c4a7d3 100644
{
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index 536bacb6e..b587f7e19 100644
index b74e6f7cc..2b0c4163d 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -52,7 +52,6 @@ STLIBOBJS=\
@@ -50,7 +50,6 @@ STLIBOBJS=\
prf.o \
prf_aes2.o \
prf_cmac.o \
@ -4562,7 +4557,7 @@ index 536bacb6e..b587f7e19 100644
prf_dk.o \
prf_rc4.o \
prng.o \
@@ -113,7 +112,6 @@ OBJS=\
@@ -109,7 +108,6 @@ OBJS=\
$(OUTPRE)prf.$(OBJEXT) \
$(OUTPRE)prf_aes2.$(OBJEXT) \
$(OUTPRE)prf_cmac.$(OBJEXT) \
@ -4570,7 +4565,7 @@ index 536bacb6e..b587f7e19 100644
$(OUTPRE)prf_dk.$(OBJEXT) \
$(OUTPRE)prf_rc4.$(OBJEXT) \
$(OUTPRE)prng.$(OBJEXT) \
@@ -174,7 +172,6 @@ SRCS=\
@@ -168,7 +166,6 @@ SRCS=\
$(srcdir)/prf.c \
$(srcdir)/prf_aes2.c \
$(srcdir)/prf_cmac.c \
@ -4596,7 +4591,7 @@ index ecc2e08c9..f5fbe8a2a 100644
"hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" },
"Microsoft HMAC MD5",
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index b18d5e2e3..1b4324d71 100644
index ba693f8a4..5cc1f8e43 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -276,10 +276,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc,
@ -4610,7 +4605,7 @@ index b18d5e2e3..1b4324d71 100644
/* Pseudo-random function */
krb5_error_code krb5int_des_prf(const struct krb5_keytypes *ktp,
@@ -384,11 +380,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
@@ -368,11 +364,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
/* Ensure library initialization has occurred. */
int krb5int_crypto_init(void);
@ -4622,7 +4617,7 @@ index b18d5e2e3..1b4324d71 100644
/* Default state cleanup handler (used by module enc providers). */
void krb5int_default_free_state(krb5_data *state);
@@ -441,7 +432,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block);
@@ -425,7 +416,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block);
/* Modules must implement the k5_sha256() function prototyped in k5-int.h. */
/* Modules must implement the following enc_providers and hash_providers: */
@ -4630,7 +4625,7 @@ index b18d5e2e3..1b4324d71 100644
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_enc_provider krb5int_enc_aes128;
extern const struct krb5_enc_provider krb5int_enc_aes256;
@@ -458,12 +448,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384;
@@ -442,12 +432,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384;
/* Modules must implement the following functions. */
@ -5196,10 +5191,10 @@ index 1c439c2cd..000000000
- krb5int_default_free_state
-};
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 439ae6aeb..d8e0f93a1 100644
index c821cc830..c5bddb1e8 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1011,7 +1011,6 @@ kg_accept_krb5(minor_status, context_handle,
@@ -1010,7 +1010,6 @@ kg_accept_krb5(minor_status, context_handle,
}
switch (negotiated_etype) {
@ -5208,7 +5203,7 @@ index 439ae6aeb..d8e0f93a1 100644
case ENCTYPE_ARCFOUR_HMAC_EXP:
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 2647434ba..1cdd23cc8 100644
index 2e2c775d6..f5b0fede6 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -125,14 +125,14 @@ enum sgn_alg {
@ -5626,7 +5621,7 @@ index 2925c1c43..2f76c8b43 100644
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index b597dda54..ed52987a0 100644
index 0fad90389..316c2b40b 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -59,7 +59,6 @@
@ -5637,7 +5632,7 @@ index b597dda54..ed52987a0 100644
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
0
@@ -478,8 +477,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
@@ -479,8 +478,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
/* Set all enctypes in the default list. */
for (i = 0; default_list[i]; i++)
mod_list(default_list[i], sel, weak, &list);
@ -5647,10 +5642,10 @@ index b597dda54..ed52987a0 100644
mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list);
mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index d8015c64a..005cfd468 100644
index 8202fe9d3..731281938 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -341,8 +341,6 @@ verify_s4u2self_reply(krb5_context context,
@@ -287,8 +287,6 @@ verify_s4u2self_reply(krb5_context context,
assert(req_s4u_user != NULL);
switch (subkey->enctype) {
@ -5660,10 +5655,10 @@ index d8015c64a..005cfd468 100644
case ENCTYPE_ARCFOUR_HMAC_EXP :
not_newer = TRUE;
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index 22be2198b..d489b78f9 100644
index 2970a8cea..fb82daf19 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -114,7 +114,7 @@ main(int argc, char **argv)
@@ -113,7 +113,7 @@ main(int argc, char **argv)
{
krb5_context ctx, ctx2;
krb5_plugin_initvt_fn *mods;
@ -5773,7 +5768,7 @@ index 044a66999..98fb14f3f 100644
krb5_ccache, display type:name: FILE:/path/to/ccache
krb5_keytab, display name: FILE:/etc/krb5.keytab
diff --git a/src/plugins/preauth/pkinit/pkcs11.h b/src/plugins/preauth/pkinit/pkcs11.h
index 28ded4a89..47f4727bd 100644
index e3d284631..586661bb7 100644
--- a/src/plugins/preauth/pkinit/pkcs11.h
+++ b/src/plugins/preauth/pkinit/pkcs11.h
@@ -339,9 +339,9 @@ typedef unsigned long ck_key_type_t;
@ -5966,7 +5961,7 @@ index 2279202d3..96b0307d7 100644
/* initial key, w, x, y, T, S, K */
"8846F7EAEE8FB117AD06BDD830B7586C",
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index e8adee234..30a2c0967 100644
index c24651737..9ef2af745 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -15,8 +15,6 @@ set timeout 100
@ -6045,7 +6040,7 @@ index e8adee234..30a2c0967 100644
{allow_weak_crypto(kdc)=false}
{allow_weak_crypto(replica)=false}
{allow_weak_crypto(client)=false}
@@ -947,7 +912,6 @@ proc setup_kerberos_db { standalone } {
@@ -962,7 +927,6 @@ proc setup_kerberos_db { standalone } {
global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
global tmppwd hostname
global spawn_id
@ -6053,7 +6048,7 @@ index e8adee234..30a2c0967 100644
global multipass_name last_passname_db
set failall 0
@@ -1144,48 +1108,6 @@ proc setup_kerberos_db { standalone } {
@@ -1159,48 +1123,6 @@ proc setup_kerberos_db { standalone } {
}
}
@ -6261,7 +6256,7 @@ index f71774cdc..d1857c433 100644
"3BB3AE288C12B3B9D06B208A4151B3B6",
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index d98974b36..84153d9cf 100644
index 9b41bc0c1..5e6d31302 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -172,7 +172,7 @@ realm.run([kvno, 'restricted'])
@ -6424,10 +6419,10 @@ index 65084bbf3..55ca89745 100755
# Test using different salt types in a principal's key list.
# Parameters from one key in the list must not leak over to later ones.
diff --git a/src/util/k5test.py b/src/util/k5test.py
index da2782e15..feb6df7a0 100644
index e3614d735..94ab1e71e 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1246,16 +1246,6 @@ _passes = [
@@ -1297,16 +1297,6 @@ _passes = [
# No special settings; exercises AES256.
('default', None, None, None),

@ -1,7 +1,7 @@
From b50a43ef1f09694298ec043104a59082d6f37c8c Mon Sep 17 00:00:00 2001
From 49a03b8bff8399b9259b51da1e034f67878bfad4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch
Subject: [PATCH] krb5-1.18-beta1-selinux-label.patch
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -36,10 +36,10 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
---
src/aclocal.m4 | 49 +++
src/aclocal.m4 | 48 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/configure.ac | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
@ -51,7 +51,6 @@ which we used earlier, is some improvement.
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
@ -61,12 +60,12 @@ which we used earlier, is some improvement.
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 406 ++++++++++++++++++
25 files changed, 587 insertions(+), 21 deletions(-)
24 files changed, 573 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 340546d80..a7afec09e 100644
index 830203683..6796fec53 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
@ -77,7 +76,7 @@ index 340546d80..a7afec09e 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -100,7 +99,7 @@ index 340546d80..a7afec09e 100644
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
@ -171,11 +170,11 @@ index ce87e21ca..917357df9 100644
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
diff --git a/src/configure.in b/src/configure.in
index cd8ccabcd..feae21c3e 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
diff --git a/src/configure.ac b/src/configure.ac
index d1f576124..440a22bd9 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -185,7 +184,7 @@ index cd8ccabcd..feae21c3e 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 652242207..8f9329c59 100644
index 9616b24bf..0d9af3d95 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
@ -235,7 +234,7 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c40a6cca8..3ff86d7ff 100644
index d48685357..d1f5661bf 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@ -252,7 +251,7 @@ index c40a6cca8..3ff86d7ff 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6e1..8301a33d0 100644
index 301e3476d..19f2cc230 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -287,10 +286,10 @@ index c9574c6e1..8301a33d0 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 408c723f5..663fd6303 100644
index fdcd694d7..1ede4bf2f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
@@ -872,7 +872,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -300,10 +299,10 @@ index 408c723f5..663fd6303 100644
return errno;
pid = (unsigned long) getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 68323dd0f..4cc035dc6 100644
index 5622d56e1..356e3e0e6 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -488,6 +488,9 @@ doit(int fd)
@@ -487,6 +487,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
@ -313,7 +312,7 @@ index 68323dd0f..4cc035dc6 100644
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -543,9 +546,15 @@ doit(int fd)
@@ -542,9 +545,15 @@ doit(int fd)
free(name);
exit(1);
}
@ -365,7 +364,7 @@ index 2659a2501..e9b95fce5 100644
retval = errno;
goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e516..73f0fe62d 100644
index 7b100a0ec..5683a0433 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
@ -415,10 +414,10 @@ index bba64e516..73f0fe62d 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 89cb68680..21c80d419 100644
index 021c94398..aaf573439 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@ -436,7 +435,7 @@ index 89cb68680..21c80d419 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 4fff8f38c..40a9e7b10 100644
index 2a03ae980..85dbfeb47 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
@ -448,38 +447,6 @@ index 4fff8f38c..40a9e7b10 100644
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
@ -573,10 +540,10 @@ index d8b26e701..b0daa7c02 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 1ed72afe9..ce038fc3d 100644
index b92cb58c7..0a95101ad 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@ -585,7 +552,7 @@ index 1ed72afe9..ce038fc3d 100644
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -595,7 +562,7 @@ index 1ed72afe9..ce038fc3d 100644
mode_t omask;
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@ -610,7 +577,7 @@ index 1ed72afe9..ce038fc3d 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 24e41fb80..0dcb6b543 100644
index aa951df05..79f9500f6 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
@ -631,10 +598,10 @@ index 24e41fb80..0dcb6b543 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index db7b030b8..321672bcb 100644
index 86d5a950a..1052d53a1 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
@@ -74,6 +74,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -642,7 +609,7 @@ index db7b030b8..321672bcb 100644
init-addrinfo.o \
plugins.o \
errors.o \
@@ -160,7 +161,7 @@ SRCS=\
@@ -168,7 +169,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.

@ -1,7 +1,7 @@
From 5e2837a56bb6bb1fbaf371377dbffa35aa81b3f1 Mon Sep 17 00:00:00 2001
From 9d77eb513f95821f01f12e233e16d4ce50da7d23 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
Subject: [PATCH] krb5-1.18beta1-pam.patch
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
@ -17,24 +17,25 @@ Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
---
src/aclocal.m4 | 67 +++++++
src/aclocal.m4 | 69 +++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 88 +++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 ++++++
src/configure.in | 2 +
6 files changed, 608 insertions(+), 3 deletions(-)
src/configure.ac | 2 +
6 files changed, 610 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..340546d80 100644
index 2394f7e33..830203683 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
dnl
+dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
@ -102,12 +103,13 @@ index 3752d9bd5..340546d80 100644
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
+
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index b2fcbf240..5755bb58a 100644
index 8b4edce4d..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
@ -141,7 +143,7 @@ index b2fcbf240..5755bb58a 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d948..ec06788bc 100644
index 4f03dd8ed..21a4d02bb 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@ -171,7 +173,7 @@ index d9596d948..ec06788bc 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -528,6 +534,23 @@ main (argc, argv)
@@ -535,6 +541,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -195,7 +197,7 @@ index d9596d948..ec06788bc 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -588,6 +611,24 @@ main (argc, argv)
@@ -595,6 +618,24 @@ main (argc, argv)
exit(1);
}
@ -220,7 +222,7 @@ index d9596d948..ec06788bc 100644
}
if( some_rest_copy){
@@ -645,6 +686,30 @@ main (argc, argv)
@@ -652,6 +693,30 @@ main (argc, argv)
exit(1);
}
@ -251,7 +253,7 @@ index d9596d948..ec06788bc 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -742,7 +807,7 @@ main (argc, argv)
@@ -749,7 +814,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -260,7 +262,7 @@ index d9596d948..ec06788bc 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -772,16 +837,35 @@ main (argc, argv)
@@ -779,16 +844,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -755,11 +757,11 @@ index 000000000..0ab76569c
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.in b/src/configure.in
index 36df71fa9..cd8ccabcd 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
diff --git a/src/configure.ac b/src/configure.ac
index 234f4281c..d1f576124 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
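Review bot: The rebased `src/aclocal.m4` hunk appears to pick up two content-free lines — a second `dnl` immediately after the context `dnl`, and a trailing empty `+` line after `+])dnl` — which is where the diffstat grows from 608 to 610 insertions without any functional change. Dropping them keeps the hunk ending at `+])dnl` as the previous version did and avoids leaving a stray blank line at the end of aclocal.m4 for the next rebase to carry. The rest of the section (the `configure.in` → `configure.ac` rename and the ksu `CMD_PATH` context line) tracks the new upstream.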

@ -1,4 +1,4 @@
From 35cd8e40a35ce4546eaffada2f401a7f0f6a83b3 Mon Sep 17 00:00:00 2001
From fe90cb8f915e7f43899437e5e2d9a3aebf23ed82 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
@ -9,10 +9,10 @@ We want to be able to use --with-netlib and --enable-dns at the same time.
1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index a7afec09e..db18226ed 100644
index 6796fec53..c4358988a 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -726,6 +726,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
@@ -724,6 +724,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi

@ -1,4 +1,4 @@
From e0391c7071741e6d59025d8b4a26119f2998d90c Mon Sep 17 00:00:00 2001
From c26cf6cc3507ba63cb458094b9237ad2231ca5eb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch

@ -9,16 +9,16 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
# leave empty or set to e.g., -beta2
%global prerelease %{nil}
%global prerelease -beta1
# Should be in form 5.0, 6.1, etc.
%global kdbversion 7.0
%global kdbversion 8.0
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17.1
Version: 1.18
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 5%{?dist}
Release: 0.beta1.1%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -42,85 +42,14 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
Source100: noport.c
Patch26: krb5-1.12.1-pam.patch
Patch27: krb5-1.17-beta1-selinux-label.patch
Patch1: krb5-1.18beta1-pam.patch
Patch2: krb5-1.18-beta1-selinux-label.patch
Patch30: krb5-1.15-beta1-buildconf.patch
Patch31: krb5-1.3.1-dns.patch
Patch34: krb5-1.9-debuginfo.patch
Patch90: Add-tests-for-KCM-ccache-type.patch
Patch92: Address-some-optimized-out-memset-calls.patch
Patch94: Avoid-allocating-a-register-in-zap-assembly.patch
Patch95: In-rd_req_dec-always-log-non-permitted-enctypes.patch
Patch96: In-kpropd-debug-log-proper-ticket-enctype-names.patch
Patch97: Add-function-and-enctype-flag-for-deprecations.patch
Patch98: Make-etype-names-in-KDC-logs-human-readable.patch
Patch99: Mark-deprecated-enctypes-when-used.patch
Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch
Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch
Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch
Patch106: Remove-srvtab-support.patch
Patch107: Remove-kadmin-RPC-support-for-setting-v4-key.patch
Patch108: Remove-ccapi-related-comments-in-configure.ac.patch
Patch109: Remove-doxygen-generated-HTML-output-for-ccapi.patch
Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
Patch111: Fix-config-realm-change-logic-in-FILE-remove_cred.patch
Patch112: Remove-confvalidator-utility.patch
Patch113: Remove-ovsec_adm_export-dump-format-support.patch
Patch114: Fix-potential-close-1-in-cc_file.c.patch
Patch115: Check-more-errors-in-OpenSSL-crypto-backend.patch
Patch116: Clear-forwardable-flag-instead-of-denying-request.patch
Patch117: Add-dns_canonicalize_hostname-fallback-support.patch
Patch118: Use-secure_getenv-where-appropriate.patch
Patch119: Initialize-some-data-structure-magic-fields.patch
Patch121: Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
Patch122: Simplify-SAM-2-as_key-handling.patch
Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
Patch125: Improve-error-messages-from-kadmin-change_password.patch
Patch126: Remove-more-dead-code.patch
Patch128: Remove-checksum-type-profile-variables.patch
Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch
Patch131: Modernize-example-enctypes-in-documentation.patch
Patch132: Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
Patch133: Update-default-krb5kdc-mkey-manual-entry-enctype.patch
Patch134: Support-389ds-s-lockout-model.patch
Patch135: Add-missing-newlines-to-deprecation-warnings.patch
Patch136: Set-a-more-modern-default-ksu-CMD_PATH.patch
Patch137: Remove-the-v4-and-afs3-salt-types.patch
Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch
Patch139: Remove-support-for-single-DES-and-CRC.patch
Patch140: Display-unsupported-enctype-names.patch
Patch142: Add-zapfreedata-convenience-function.patch
Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
Patch144: Remove-krb5int_c_combine_keys.patch
Patch147: Remove-strerror-calls-from-k5_get_error.patch
Patch148: Remove-PKINIT-draft-9-support.patch
Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
Patch150: Remove-3des-support.patch
Patch151: Remove-now-unused-checksum-functions.patch
Patch152: Don-t-error-on-invalid-enctypes-in-keytab.patch
Patch153: Filter-enctypes-in-gss_set_allowable_enctypes.patch
Patch154: Add-soft-pkcs11-source-code.patch
Patch155: Use-imported-soft-pkcs11-for-tests.patch
Patch156: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
Patch157: Skip-URI-tests-when-using-asan.patch
Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch
Patch162: Simplify-krb5_dbe_def_search_enctype.patch
Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
Patch165: Fix-KDC-crash-when-logging-PKINIT-enctypes.patch
Patch166: Log-unknown-enctypes-as-unsupported-in-KDC.patch
Patch167: Fix-minor-errors-in-softpkcs11.patch
Patch168: Update-test-suite-cert-message-digest-to-sha256.patch
Patch35: krb5-1.18-beta1-Remove-3des-support.patch
Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch171: Don-t-warn-in-kadmin-when-no-policy-is-specified.patch
Patch172: Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch
Patch173: Do-not-always-canonicalize-enterprise-principals.patch
Patch174: Fix-xdr_bytes-strict-aliasing-violations.patch
Patch175: Fix-handling-of-invalid-CAMMAC-service-verifier.patch
Patch176: Fix-LDAP-policy-enforcement-of-pw_expiration.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -694,6 +623,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0beta1.1
- New upstream beta release - 1.18-beta1
* Wed Jan 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-5
- Fix LDAP policy enforcement of pw_expiration
- Fix handling of invalid CAMMAC service verifier
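Review bot: `Source0` still points at the `https://web.mit.edu/kerberos/dist/krb5/1.17/` directory (an unchanged context line) while `Version` moves to 1.18 and `%prerelease` to `-beta1`, so the URL that the "verifies on check-in" comment relies on presumably no longer describes where this tarball was fetched from; update the path component to the 1.18 series or confirm the beta is actually published under 1.17. The new changelog header reads `1.18-0beta1.1` but `Release:` is `0.beta1.1%{?dist}`, so the changelog EVR should be `1.18-0.beta1.1` to match what rpm will produce. The rest of the hunk (dropping the patches now carried upstream, bumping `kdbversion` to 8.0) looks consistent with the new source.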

@ -1,2 +1,2 @@
SHA512 (krb5-1.17.1.tar.gz) = e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef
SHA512 (krb5-1.17.1.tar.gz.asc) = 9665c0b83cc5e8fafbb7f47c383c6bf00e498befa305ab7ed8b867ff6f54a09b6b1f3b7a7f007ceb6dfbc1ebfb797be21cb97ac51c1c8fc8e956d83ce30aa7b1
SHA512 (krb5-1.18-beta1.tar.gz) = e9e622350c9d07bca573d1e416a7277377e85c0f3eab605d3f551f96c5ddc7eb21e8ef2cfadddbac7d9da99a204d738fd22939cfb23d7fcc8166e8ae35a679a4
SHA512 (krb5-1.18-beta1.tar.gz.asc) = b8542e317db89d11ad29bba9bc55f4d294e649b0e8c28b37dde398fed64fa3da394af262225ebefda5e5f3224ba108df21af460837e72a4349ae7e6469e21e43