New upstream version (1.18.1)

Robbie Harwood 2020-04-14 15:45:43 -04:00
parent 66ec722479
commit 7fca7fd076
19 changed files with 35 additions and 526 deletions


@ -1,4 +1,4 @@
From 7d375a59fb36cc5ef8dd87895b83e9dfccc57058 Mon Sep 17 00:00:00 2001
From c7a37d3e87132864ebc44710baf1d50a69682b5c Mon Sep 17 00:00:00 2001
From: Jiri Sasek <Jiri.Sasek@Oracle.COM>
Date: Fri, 13 Mar 2020 19:02:58 +0100
Subject: [PATCH] Add finalization safety check to com_err


@ -1,4 +1,4 @@
From 745aa16c41305da1a3f288bf06e551f56cb04594 Mon Sep 17 00:00:00 2001
From d23b2ed4f06fa77cd021814834dd1391ef6f452f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Feb 2020 15:58:59 -0500
Subject: [PATCH] Allow certauth modules to set hw-authent flag


@ -1,160 +0,0 @@
From 59eea8a1977c6039069b3826e5e651582a33fc25 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 25 Feb 2020 11:32:09 -0500
Subject: [PATCH] Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Based on a patch by Glenn Machin.
ticket: 8877
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
(cherry picked from commit 6d9da7bb216f96cbdd731aa894714bd84213a9d0)
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 2 ++
.../kdb/ldap/libkdb_ldap/ldap_principal2.c | 31 ++++++++++++-------
src/tests/t_kdb.py | 26 +++++++++++++++-
3 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index ec7f32511..6bc20593f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -721,6 +721,8 @@ get_int_from_tl_data(krb5_context context, krb5_db_entry *entry, int type,
void *ptr;
int *intptr;
+ *intval = 0;
+
tl_data.tl_data_type = KDB_TL_USER_INFO;
ret = krb5_dbe_lookup_tl_data(context, entry, &tl_data);
if (ret || tl_data.tl_data_length == 0)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 1d0726707..8d97a29b6 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -627,12 +627,22 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
char *auth_ind = NULL;
char *strval[10] = { 0 };
char *ai, *ai_save = NULL;
- int sv_num = sizeof(strval) / sizeof(*strval);
+ int mask, sv_num = sizeof(strval) / sizeof(*strval);
ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
&auth_ind);
- if (ret || auth_ind == NULL)
- goto cleanup;
+ if (ret)
+ return ret;
+ if (auth_ind == NULL) {
+ /* If we know krbPrincipalAuthInd attributes are present from loading
+ * the entry, delete them. */
+ ret = krb5_get_attributes_mask(context, entry, &mask);
+ if (!ret && (mask & KDB_AUTH_IND_ATTR)) {
+ return krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
+ LDAP_MOD_DELETE, NULL);
+ }
+ return 0;
+ }
ai = strtok_r(auth_ind, " ", &ai_save);
while (ai != NULL && i < sv_num) {
@@ -642,8 +652,6 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_REPLACE, strval);
-
-cleanup:
krb5_dbe_free_string(context, auth_ind);
return ret;
}
@@ -1251,18 +1259,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
} /* Modify Key data ends here */
- /* Auth indicators will also be stored in krbExtraData when processing
- * tl_data. */
- st = update_ldap_mod_auth_ind(context, entry, &mods);
- if (st != 0)
- goto cleanup;
-
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
+
+ /* Normalize required auth indicators, but also store them as string
+ * attributes within krbExtraData. */
+ st = update_ldap_mod_auth_ind(context, entry, &mods);
+ if (st != 0)
+ goto cleanup;
+
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 03ee70f47..caa7e9d8f 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -319,19 +319,43 @@ realm.klist(realm.user_princ, realm.host_princ)
mark('LDAP auth indicator')
-# Test auth indicator support
+# Test require_auth normalization.
realm.addprinc('authind', password('authind'))
realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius'])
+# Check that krbPrincipalAuthInd attributes are set when the string
+# attribute it set.
out = ldap_search('(krbPrincipalName=authind*)')
if 'krbPrincipalAuthInd: otp' not in out:
fail('Expected krbPrincipalAuthInd value not in output')
if 'krbPrincipalAuthInd: radius' not in out:
fail('Expected krbPrincipalAuthInd value not in output')
+# Check that the string attribute still appears when the principal is
+# loaded.
realm.run([kadminl, 'getstrs', 'authind'],
expected_msg='require_auth: otp radius')
+# Modify the LDAP attributes and check that the change is reflected in
+# the string attribute.
+ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n'
+ 'changetype: modify\n'
+ 'replace: krbPrincipalAuthInd\n'
+ 'krbPrincipalAuthInd: radius\n'
+ 'krbPrincipalAuthInd: pkinit\n')
+realm.run([kadminl, 'getstrs', 'authind'],
+ expected_msg='require_auth: radius pkinit')
+
+# Regression test for #8877: remove the string attribute and check
+# that it is reflected in the LDAP attributes and by getstrs.
+realm.run([kadminl, 'delstr', 'authind', 'require_auth'])
+out = ldap_search('(krbPrincipalName=authind*)')
+if 'krbPrincipalAuthInd' in out:
+ fail('krbPrincipalAuthInd attribute still present after delstr')
+out = realm.run([kadminl, 'getstrs', 'authind'])
+if 'require_auth' in out:
+ fail('require_auth string attribute still visible after delstr')
+
mark('LDAP service principal aliases')
# Test service principal aliases.


@ -1,4 +1,4 @@
From 53b7be87de77b09f44b4ced1d4e85f520c9ce71a Mon Sep 17 00:00:00 2001
From dd4364d76925ce1fe21c2ab995554d6af3a2ea12 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 30 Mar 2020 15:26:02 -0400
Subject: [PATCH] Correctly import "service@" GSS host-based name


@ -1,4 +1,4 @@
From 9d452dc135ba0fad9470f096938a5dbfbacdbbe1 Mon Sep 17 00:00:00 2001
From c136cfe050d203c910624573a33247fde2889b09 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2020 10:11:49 +0100
Subject: [PATCH] Do expiration warnings for all init_creds APIs
@ -21,7 +21,7 @@ ticket: 8893 (new)
5 files changed, 165 insertions(+), 135 deletions(-)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 26a3b6ec8..36300ea53 100644
index 6355e6540..f8269fb17 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7174,11 +7174,10 @@ typedef void


@ -1,62 +0,0 @@
From 90a4102f334ce0c655492de9248c3c60ffbd0449 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 16 Mar 2020 18:14:30 -0400
Subject: [PATCH] Document client keytab usage
ticket: 8886 (new)
tags: pullup
target_version: 1.18-next
(cherry picked from commit 366c64897d55c86cdc616d2d1cf4617ff8a07a99)
---
doc/admin/appl_servers.rst | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
index fee49f027..5232db9af 100644
--- a/doc/admin/appl_servers.rst
+++ b/doc/admin/appl_servers.rst
@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin
:end-before: _ktremove_end:
+Using a keytab to acquire client credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+While keytabs are ordinarily used to accept credentials from clients,
+they can also be used to acquire initial credentials, allowing one
+service to authenticate to another.
+
+To manually obtain credentials using a keytab, use the :ref:`kinit(1)`
+**-k** option, together with the **-t** option if the keytab is not in
+the default location.
+
+Beginning with release 1.11, GSSAPI applications can be configured to
+automatically obtain initial credentials from a keytab as needed. The
+recommended configuration is as follows:
+
+#. Create a keytab containing a single entry for the desired client
+ identity.
+
+#. Place the keytab in a location readable by the service, and set the
+ **KRB5_CLIENT_KTNAME** environment variable to its filename.
+ Alternatively, use the **default_client_keytab_name** profile
+ variable in :ref:`libdefaults`, or use the default location of
+ |ckeytab|.
+
+#. Set **KRB5CCNAME** to a filename writable by the service, which
+ will not be used for any other purpose. Do not manually obtain
+ credentials at this location. (Another credential cache type
+ besides **FILE** can be used if desired, as long the cache will not
+ conflict with another use. A **MEMORY** cache can be used if the
+ service runs as a long-lived process. See :ref:`ccache_definition`
+ for details.)
+
+#. Start the service. When it authenticates using GSSAPI, it will
+ automatically obtain credentials from the client keytab into the
+ specified credential cache, and refresh them before they expire.
+
+
Clock Skew
----------


@ -1,4 +1,4 @@
From b5793f8024320aaa7a85ca39cdc03bf99773bf11 Mon Sep 17 00:00:00 2001
From 4a05805eb39ba088c07f782fb52a6538ec3f2db6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 23 Mar 2020 19:10:03 -0400
Subject: [PATCH] Eliminate redundant PKINIT responder invocation


@ -1,189 +0,0 @@
From 744154b19c8000965e5a5de51d5dbef0794958be Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 19 Feb 2020 15:36:38 -0500
Subject: [PATCH] Fix AS-REQ checking of KDB-modified indicators
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
ticket: 8876 (new)
tags: pullup
target_version: 1.18-next
(cherry picked from commit 109e30ce22c20f18b8233119f274935bdf573886)
---
src/kdc/do_as_req.c | 14 +++++------
src/plugins/kdb/test/kdb_test.c | 42 +++++++++++++++++++++++++++++++--
src/tests/t_authdata.py | 11 +++++++++
3 files changed, 58 insertions(+), 9 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 87dd7e993..9ae7b0a5e 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -211,13 +211,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
au_state->stage = ENCR_REP;
- errcode = check_indicators(kdc_context, state->server,
- state->auth_indicators);
- if (errcode) {
- state->status = "HIGHER_AUTHENTICATION_REQUIRED";
- goto egress;
- }
-
state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
@@ -301,6 +294,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
goto egress;
}
+ errcode = check_indicators(kdc_context, state->server,
+ state->auth_indicators);
+ if (errcode) {
+ state->status = "HIGHER_AUTHENTICATION_REQUIRED";
+ goto egress;
+ }
+
errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
&state->ticket_reply);
if (errcode)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 1936cb0e4..95a6062e2 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -54,6 +54,8 @@
* # Initial number is kvno; defaults to 1.
* keys = 3 aes256-cts aes128-cts:normal
* keys = 2 rc4-hmac
+ * strings = key1:value1
+ * strings = key2:value2
* }
* }
* delegation = {
@@ -282,6 +284,33 @@ make_keys(char **strings, const char *princstr, const krb5_data *realm,
ent->n_key_data = nkeys;
}
+static void
+make_strings(char **stringattrs, krb5_db_entry *ent)
+{
+ struct k5buf buf;
+ char **p;
+ const char *str, *sep;
+ krb5_tl_data *tl;
+
+ k5_buf_init_dynamic(&buf);
+ for (p = stringattrs; *p != NULL; p++) {
+ str = *p;
+ sep = strchr(str, ':');
+ assert(sep != NULL);
+ k5_buf_add_len(&buf, str, sep - str);
+ k5_buf_add_len(&buf, "\0", 1);
+ k5_buf_add_len(&buf, sep + 1, strlen(sep + 1) + 1);
+ }
+ assert(buf.data != NULL);
+
+ tl = ealloc(sizeof(*ent->tl_data));
+ tl->tl_data_next = NULL;
+ tl->tl_data_type = KRB5_TL_STRING_ATTRS;
+ tl->tl_data_length = buf.len;
+ tl->tl_data_contents = buf.data;
+ ent->tl_data = tl;
+}
+
static krb5_error_code
test_init()
{
@@ -339,7 +368,8 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
krb5_principal princ = NULL, tgtprinc;
krb5_principal_data empty_princ = { KV5M_PRINCIPAL };
testhandle h = context->dal_handle->db_context;
- char *search_name = NULL, *canon = NULL, *flagstr, **names, **key_strings;
+ char *search_name = NULL, *canon = NULL, *flagstr;
+ char **names, **key_strings, **stringattrs;
const char *ename;
krb5_db_entry *ent;
@@ -415,7 +445,7 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
ent->pw_expiration = get_time(h, "princs", ename, "pwexpiration");
/* Leave last_success, last_failed, fail_auth_count zeroed. */
- /* Leave tl_data and e_data empty. */
+ /* Leave e_data empty. */
set_names(h, "princs", ename, "keys");
ret = profile_get_values(h->profile, h->names, &key_strings);
@@ -424,11 +454,19 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
profile_free_list(key_strings);
}
+ set_names(h, "princs", ename, "strings");
+ ret = profile_get_values(h->profile, h->names, &stringattrs);
+ if (ret != PROF_NO_RELATION) {
+ make_strings(stringattrs, ent);
+ profile_free_list(stringattrs);
+ }
+
/* We must include mod-princ data or kadm5_get_principal() won't work and
* we can't extract keys with kadmin.local. */
check(krb5_dbe_update_mod_princ_data(context, ent, 0, &empty_princ));
*entry = ent;
+ ret = 0;
cleanup:
krb5_free_unparsed_name(context, search_name);
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 3153ebca3..4fbdbec05 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -158,6 +158,8 @@ realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
mark('auth indicator enforcement')
realm.addprinc('restricted')
realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
+realm.kinit(realm.user_princ, password('user'), ['-S', 'restricted'],
+ expected_code=1, expected_msg='KDC policy rejects request')
realm.run([kvno, 'restricted'], expected_code=1,
expected_msg='KDC policy rejects request')
realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl'])
@@ -194,6 +196,8 @@ testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
'krbtgt/FOREIGN': {'keys': 'aes128-cts'},
'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
'user2': {'keys': 'aes128-cts', 'flags': '+preauth'},
+ 'rservice': {'keys': 'aes128-cts',
+ 'strings': 'require_auth:strong'},
'service/1': {'keys': 'aes128-cts',
'flags': '+ok_to_auth_as_delegate'},
'service/2': {'keys': 'aes128-cts'},
@@ -208,6 +212,7 @@ usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache')
realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
realm.extract_keytab(realm.user_princ, realm.keytab)
+realm.extract_keytab('ruser', realm.keytab)
realm.extract_keytab('service/1', realm.keytab)
realm.extract_keytab('service/2', realm.keytab)
realm.extract_keytab('noauthdata', realm.keytab)
@@ -252,6 +257,12 @@ if ' -2: self_ad' not in out or ' -2: proxy_ad' not in out:
realm.kinit(realm.user_princ, None, ['-k', '-X', 'indicators=dummy dbincr1'])
realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [dbincr2]')
realm.run(['./adata', 'service/1'], expected_msg='+97: [dbincr3]')
+realm.kinit(realm.user_princ, None,
+ ['-k', '-X', 'indicators=strong', '-S', 'rservice'])
+# Test enforcement of altered indicators during AS request.
+realm.kinit(realm.user_princ, None,
+ ['-k', '-X', 'indicators=strong dbincr1', '-S', 'rservice'],
+ expected_code=1)
# Test that KDB module authdata is included in an AS request, by
# default or with an explicit PAC request.


@ -1,79 +0,0 @@
From 59f2a9dd6a83a3721cdffe852343d96ffaa5c18a Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 6 Apr 2020 20:45:10 -0400
Subject: [PATCH] Make ksu honor KRB5CCNAME again
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.
Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().
ticket: 8895
tags: pullup
target_version: 1.18-next
(cherry picked from commit f040a3ac73947312e1b08c76f75f3389ffb4ba75)
---
src/clients/ksu/main.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 21a4d02bb..508242e0e 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -54,6 +54,7 @@ int force_fork = 0;
static int set_env_var (char *, char *);
static void sweep_up (krb5_context, krb5_ccache);
static char * ontty (void);
+static krb5_error_code init_ksu_context(krb5_context *);
static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
static void print_status( const char *fmt, ...)
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
@@ -135,7 +136,7 @@ main (argc, argv)
unsetenv ("KRB5_CONFIG");
- retval = krb5_init_secure_context(&ksu_context);
+ retval = init_ksu_context(&ksu_context);
if (retval) {
com_err(argv[0], retval, _("while initializing krb5"));
exit(1);
@@ -878,6 +879,34 @@ main (argc, argv)
}
}
+static krb5_error_code
+init_ksu_context(krb5_context *context_out)
+{
+ krb5_error_code retval;
+ const char *env_ccname;
+ krb5_context context;
+
+ *context_out = NULL;
+
+ retval = krb5_init_secure_context(&context);
+ if (retval)
+ return retval;
+
+ /* We want to obey KRB5CCNAME in this context even though this is a setuid
+ * program. (It will only be used when operating as the real uid.) */
+ env_ccname = getenv(KRB5_ENV_CCNAME);
+ if (env_ccname != NULL) {
+ retval = krb5_cc_set_default_name(context, env_ccname);
+ if (retval) {
+ krb5_free_context(context);
+ return retval;
+ }
+ }
+
+ *context_out = context;
+ return 0;
+}
+
/* Set KRB5CCNAME in the environment to point to ccache. Print an error
* message on failure. */
static krb5_error_code


@ -1,4 +1,4 @@
From e67aca9a77d78efa798237b43e177caf9e79f64a Mon Sep 17 00:00:00 2001
From 685aada9eae420cb5156ca7b71c2c7614c0b6e2c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 26 Feb 2020 18:27:17 -0500
Subject: [PATCH] Refresh manually acquired creds from client keytab


@ -1,4 +1,4 @@
From cbfe13d5f0de6e2a3deab2ba0dacda8c952476ab Mon Sep 17 00:00:00 2001
From 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] [downstream] Adjust build configuration


@ -1,4 +1,4 @@
From 5978878bcee5ec39e4357f408470d39e9540d2bf Mon Sep 17 00:00:00 2001
From a721df13d09b5fdad32de15e6aa973b732727aa9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4


@ -1,4 +1,4 @@
From 7dda569170c3f6ab08a9373572b4bc90481eeaf7 Mon Sep 17 00:00:00 2001
From e9cd83237b54e2f6010a063f523217b0a442ecbf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support
@ -256,7 +256,7 @@ index 68debe714..788d094bf 100644
CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py
index fc5662767..37eda67fa 100644
index c32b2882a..5eeafc30f 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -272,7 +272,7 @@ else:
@ -269,7 +269,7 @@ index fc5662767..37eda67fa 100644
.. |copy| unicode:: U+000A9
'''
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index 513ecfd1b..05243f47b 100644
index 5d286b6ee..f4594ed13 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@ -316,7 +316,7 @@ index 440a22bd9..d4e4da525 100644
lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d1f5661bf..26a3b6ec8 100644
index e9435c693..6355e6540 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
@ -365,7 +365,7 @@ index 8a4b87de1..d7f1d076b 100644
+ supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
}
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 221bde1dd..b8d292021 100644
index e5898ea63..973976fd9 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
@ -377,7 +377,7 @@ index 221bde1dd..b8d292021 100644
else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
@@ -1841,8 +1839,6 @@ krb5_boolean
@@ -1826,8 +1824,6 @@ krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype)
{
switch(enctype) {
@ -6258,10 +6258,10 @@ index f71774cdc..d1857c433 100644
"3BB3AE288C12B3B9D06B208A4151B3B6",
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 378174a2e..3153ebca3 100644
index c589adf2a..4fbdbec05 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -172,7 +172,7 @@ realm.run([kvno, 'restricted'])
@@ -174,7 +174,7 @@ realm.run([kvno, 'restricted'])
# preferred krbtgt enctype changes.
mark('#8139 regression test')
realm.kinit(realm.user_princ, password('user'), ['-f'])


@ -1,4 +1,4 @@
From 4a215a206d1d5af69ea9fbf1e78001971ab18be2 Mon Sep 17 00:00:00 2001
From 0f8851a23a7b6fa0e195e01d0475e9e55707adf2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration
@ -236,7 +236,7 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d48685357..d1f5661bf 100644
index 79761f6d2..e9435c693 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@ -437,7 +437,7 @@ index 021c94398..aaf573439 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 2a03ae980..85dbfeb47 100644
index 7073459f0..e9b99f4ca 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)


@ -1,4 +1,4 @@
From 0a53577ebb24f0f9b05d769b34bdd4ef2ee2a629 Mon Sep 17 00:00:00 2001
From 3f5875cf859271bca62f07aee6f663787972def9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF


@ -1,4 +1,4 @@
From ed161c3f3cb642d025f0fee6d4af6f56bba711e9 Mon Sep 17 00:00:00 2001
From f4002f246332695d8ea12ec803139fcac18fbba2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c


@ -1,4 +1,4 @@
From 9a082e1e02ae4efd2404d0672d38b3d4eb2d6660 Mon Sep 17 00:00:00 2001
From a7322a84657752c886c317a6994a9fc7a4a70ca5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration
@ -145,7 +145,7 @@ index 8b4edce4d..9d58f29b5 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 4f03dd8ed..21a4d02bb 100644
index 57c349200..508242e0e 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@ -175,7 +175,7 @@ index 4f03dd8ed..21a4d02bb 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -535,6 +541,23 @@ main (argc, argv)
@@ -536,6 +542,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -199,7 +199,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -595,6 +618,24 @@ main (argc, argv)
@@ -596,6 +619,24 @@ main (argc, argv)
exit(1);
}
@ -224,7 +224,7 @@ index 4f03dd8ed..21a4d02bb 100644
}
if( some_rest_copy){
@@ -652,6 +693,30 @@ main (argc, argv)
@@ -653,6 +694,30 @@ main (argc, argv)
exit(1);
}
@ -255,7 +255,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -749,7 +814,7 @@ main (argc, argv)
@@ -750,7 +815,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -264,7 +264,7 @@ index 4f03dd8ed..21a4d02bb 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -779,16 +844,35 @@ main (argc, argv)
@@ -780,16 +845,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}


@ -1,4 +1,4 @@
From 40553473b674dfbb6328389b6b39ebe3218ed597 Mon Sep 17 00:00:00 2001
From 355dd481511af4d517ee540854f95a6fb12116a9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] [downstream] netlib and dns


@ -16,9 +16,9 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18
Version: 1.18.1
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 12%{?dist}
Release: 1%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -50,16 +50,12 @@ Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
Patch5: downstream-Remove-3des-support.patch
Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
Patch12: Document-client-keytab-usage.patch
Patch13: Add-finalization-safety-check-to-com_err.patch
Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
Patch15: Correctly-import-service-GSS-host-based-name.patch
Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
Patch17: Make-ksu-honor-KRB5CCNAME-again.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -637,6 +633,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Apr 14 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-1
- New upstream version (1.18.1)
* Tue Apr 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-12
- Make ksu honor KRB5CCNAME again