diff --git a/Add-finalization-safety-check-to-com_err.patch b/Add-finalization-safety-check-to-com_err.patch
index 0fcb8cc..0dc7663 100644
--- a/Add-finalization-safety-check-to-com_err.patch
+++ b/Add-finalization-safety-check-to-com_err.patch
@@ -1,4 +1,4 @@
-From 7d375a59fb36cc5ef8dd87895b83e9dfccc57058 Mon Sep 17 00:00:00 2001
+From c7a37d3e87132864ebc44710baf1d50a69682b5c Mon Sep 17 00:00:00 2001
 From: Jiri Sasek
 Date: Fri, 13 Mar 2020 19:02:58 +0100
 Subject: [PATCH] Add finalization safety check to com_err
diff --git a/Allow-certauth-modules-to-set-hw-authent-flag.patch b/Allow-certauth-modules-to-set-hw-authent-flag.patch
index c1266c9..6fdb430 100644
--- a/Allow-certauth-modules-to-set-hw-authent-flag.patch
+++ b/Allow-certauth-modules-to-set-hw-authent-flag.patch
@@ -1,4 +1,4 @@
-From 745aa16c41305da1a3f288bf06e551f56cb04594 Mon Sep 17 00:00:00 2001
+From d23b2ed4f06fa77cd021814834dd1391ef6f452f Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 24 Feb 2020 15:58:59 -0500
 Subject: [PATCH] Allow certauth modules to set hw-authent flag
diff --git a/Allow-deletion-of-require_auth-with-LDAP-KDB.patch b/Allow-deletion-of-require_auth-with-LDAP-KDB.patch
deleted file mode 100644
index 58ef195..0000000
--- a/Allow-deletion-of-require_auth-with-LDAP-KDB.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 59eea8a1977c6039069b3826e5e651582a33fc25 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 25 Feb 2020 11:32:09 -0500
-Subject: [PATCH] Allow deletion of require_auth with LDAP KDB
-
-In update_ldap_mod_auth_ind(), if there is no string attribute value
-for require_auth, check for krbPrincipalAuthInd attributes that might
-need to be removed. (This will only work if the entry is loaded and
-then modified, but that is the normal case for an existing entry.)
-
-Move the update_ldap_mod_auth_ind() call inside the tl-data
-conditional (which should perhaps be a check for KADM5_TL_DATA in the
-mask instead). A modification which did not intend to update tl-data
-should not remove the krbPrincipalAuthInd attributes.
-
-Change get_int_from_tl_data() to to zero its output so that it can't
-leave a garbage value behind if it returns 0 (as it does if no
-KDB_TL_USER_INFO tl-data is present).
-
-Based on a patch by Glenn Machin.
-
-ticket: 8877
-tags: pullup
-target_version: 1.18-next
-target_version: 1.17-next
-
-(cherry picked from commit 6d9da7bb216f96cbdd731aa894714bd84213a9d0)
----
- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 2 ++
- .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 31 ++++++++++++-------
- src/tests/t_kdb.py | 26 +++++++++++++++-
- 3 files changed, 47 insertions(+), 12 deletions(-)
-
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index ec7f32511..6bc20593f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -721,6 +721,8 @@ get_int_from_tl_data(krb5_context context, krb5_db_entry *entry, int type,
- void *ptr;
- int *intptr;
-
-+ *intval = 0;
-+
- tl_data.tl_data_type = KDB_TL_USER_INFO;
- ret = krb5_dbe_lookup_tl_data(context, entry, &tl_data);
- if (ret || tl_data.tl_data_length == 0)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 1d0726707..8d97a29b6 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -627,12 +627,22 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
- char *auth_ind = NULL;
- char *strval[10] = { 0 };
- char *ai, *ai_save = NULL;
-- int sv_num = sizeof(strval) / sizeof(*strval);
-+ int mask, sv_num = sizeof(strval) / sizeof(*strval);
-
- ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
- &auth_ind);
-- if (ret || auth_ind == NULL)
-- goto cleanup;
-+ if (ret)
-+ return ret;
-+ if (auth_ind == NULL) {
-+ /* If we know krbPrincipalAuthInd attributes are present from loading
-+ * the entry, delete them. */
-+ ret = krb5_get_attributes_mask(context, entry, &mask);
-+ if (!ret && (mask & KDB_AUTH_IND_ATTR)) {
-+ return krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
-+ LDAP_MOD_DELETE, NULL);
-+ }
-+ return 0;
-+ }
-
- ai = strtok_r(auth_ind, " ", &ai_save);
- while (ai != NULL && i < sv_num) {
-@@ -642,8 +652,6 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
-
- ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
- LDAP_MOD_REPLACE, strval);
--
--cleanup:
- krb5_dbe_free_string(context, auth_ind);
- return ret;
- }
-@@ -1251,18 +1259,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
-
- } /* Modify Key data ends here */
-
-- /* Auth indicators will also be stored in krbExtraData when processing
-- * tl_data. */
-- st = update_ldap_mod_auth_ind(context, entry, &mods);
-- if (st != 0)
-- goto cleanup;
--
- /* Set tl_data */
- if (entry->tl_data != NULL) {
- int count = 0;
- struct berval **ber_tl_data = NULL;
- krb5_tl_data *ptr;
- krb5_timestamp unlock_time;
-+
-+ /* Normalize required auth indicators, but also store them as string
-+ * attributes within krbExtraData. */
-+ st = update_ldap_mod_auth_ind(context, entry, &mods);
-+ if (st != 0)
-+ goto cleanup;
-+
- for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
- if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
- #ifdef SECURID
-diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
-index 03ee70f47..caa7e9d8f 100755
---- a/src/tests/t_kdb.py
-+++ b/src/tests/t_kdb.py
-@@ -319,19 +319,43 @@ realm.klist(realm.user_princ, realm.host_princ)
-
- mark('LDAP auth indicator')
-
--# Test auth indicator support
-+# Test require_auth normalization.
- realm.addprinc('authind', password('authind'))
- realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius'])
-
-+# Check that krbPrincipalAuthInd attributes are set when the string
-+# attribute it set.
- out = ldap_search('(krbPrincipalName=authind*)')
- if 'krbPrincipalAuthInd: otp' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
- if 'krbPrincipalAuthInd: radius' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
-
-+# Check that the string attribute still appears when the principal is
-+# loaded.
- realm.run([kadminl, 'getstrs', 'authind'],
- expected_msg='require_auth: otp radius')
-
-+# Modify the LDAP attributes and check that the change is reflected in
-+# the string attribute.
-+ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n'
-+ 'changetype: modify\n'
-+ 'replace: krbPrincipalAuthInd\n'
-+ 'krbPrincipalAuthInd: radius\n'
-+ 'krbPrincipalAuthInd: pkinit\n')
-+realm.run([kadminl, 'getstrs', 'authind'],
-+ expected_msg='require_auth: radius pkinit')
-+
-+# Regression test for #8877: remove the string attribute and check
-+# that it is reflected in the LDAP attributes and by getstrs.
-+realm.run([kadminl, 'delstr', 'authind', 'require_auth'])
-+out = ldap_search('(krbPrincipalName=authind*)')
-+if 'krbPrincipalAuthInd' in out:
-+ fail('krbPrincipalAuthInd attribute still present after delstr')
-+out = realm.run([kadminl, 'getstrs', 'authind'])
-+if 'require_auth' in out:
-+ fail('require_auth string attribute still visible after delstr')
-+
- mark('LDAP service principal aliases')
-
- # Test service principal aliases.
diff --git a/Correctly-import-service-GSS-host-based-name.patch b/Correctly-import-service-GSS-host-based-name.patch
index 683b2d9..523ebaf 100644
--- a/Correctly-import-service-GSS-host-based-name.patch
+++ b/Correctly-import-service-GSS-host-based-name.patch
@@ -1,4 +1,4 @@
-From 53b7be87de77b09f44b4ced1d4e85f520c9ce71a Mon Sep 17 00:00:00 2001
+From dd4364d76925ce1fe21c2ab995554d6af3a2ea12 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 30 Mar 2020 15:26:02 -0400
 Subject: [PATCH] Correctly import "service@" GSS host-based name
diff --git a/Do-expiration-warnings-for-all-init_creds-APIs.patch b/Do-expiration-warnings-for-all-init_creds-APIs.patch
index d94f11d..3dbe1f5 100644
--- a/Do-expiration-warnings-for-all-init_creds-APIs.patch
+++ b/Do-expiration-warnings-for-all-init_creds-APIs.patch
@@ -1,4 +1,4 @@
-From 9d452dc135ba0fad9470f096938a5dbfbacdbbe1 Mon Sep 17 00:00:00 2001
+From c136cfe050d203c910624573a33247fde2889b09 Mon Sep 17 00:00:00 2001
 From: Sumit Bose
 Date: Fri, 28 Feb 2020 10:11:49 +0100
 Subject: [PATCH] Do expiration warnings for all init_creds APIs
@@ -21,7 +21,7 @@ ticket: 8893 (new)
 5 files changed, 165 insertions(+), 135 deletions(-)
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index 26a3b6ec8..36300ea53 100644
+index 6355e6540..f8269fb17 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
 @@ -7174,11 +7174,10 @@ typedef void
diff --git a/Document-client-keytab-usage.patch b/Document-client-keytab-usage.patch
deleted file mode 100644
index 800522f..0000000
--- a/Document-client-keytab-usage.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 90a4102f334ce0c655492de9248c3c60ffbd0449 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Mon, 16 Mar 2020 18:14:30 -0400
-Subject: [PATCH] Document client keytab usage
-
-ticket: 8886 (new)
-tags: pullup
-target_version: 1.18-next
-
-(cherry picked from commit 366c64897d55c86cdc616d2d1cf4617ff8a07a99)
----
- doc/admin/appl_servers.rst | 37 +++++++++++++++++++++++++++++++++++++
- 1 file changed, 37 insertions(+)
-
-diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
-index fee49f027..5232db9af 100644
---- a/doc/admin/appl_servers.rst
-+++ b/doc/admin/appl_servers.rst
-@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin
- :end-before: _ktremove_end:
-
-
-+Using a keytab to acquire client credentials
-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+
-+While keytabs are ordinarily used to accept credentials from clients,
-+they can also be used to acquire initial credentials, allowing one
-+service to authenticate to another.
-+
-+To manually obtain credentials using a keytab, use the :ref:`kinit(1)`
-+**-k** option, together with the **-t** option if the keytab is not in
-+the default location.
-+
-+Beginning with release 1.11, GSSAPI applications can be configured to
-+automatically obtain initial credentials from a keytab as needed. The
-+recommended configuration is as follows:
-+
-+#. Create a keytab containing a single entry for the desired client
-+ identity.
-+
-+#. Place the keytab in a location readable by the service, and set the
-+ **KRB5_CLIENT_KTNAME** environment variable to its filename.
-+ Alternatively, use the **default_client_keytab_name** profile
-+ variable in :ref:`libdefaults`, or use the default location of
-+ |ckeytab|.
-+
-+#. Set **KRB5CCNAME** to a filename writable by the service, which
-+ will not be used for any other purpose. Do not manually obtain
-+ credentials at this location. (Another credential cache type
-+ besides **FILE** can be used if desired, as long the cache will not
-+ conflict with another use. A **MEMORY** cache can be used if the
-+ service runs as a long-lived process. See :ref:`ccache_definition`
-+ for details.)
-+
-+#. Start the service. When it authenticates using GSSAPI, it will
-+ automatically obtain credentials from the client keytab into the
-+ specified credential cache, and refresh them before they expire.
-+
-+
- Clock Skew
- ----------
-
diff --git a/Eliminate-redundant-PKINIT-responder-invocation.patch b/Eliminate-redundant-PKINIT-responder-invocation.patch
index ea973b7..92bc1ab 100644
--- a/Eliminate-redundant-PKINIT-responder-invocation.patch
+++ b/Eliminate-redundant-PKINIT-responder-invocation.patch
@@ -1,4 +1,4 @@
-From b5793f8024320aaa7a85ca39cdc03bf99773bf11 Mon Sep 17 00:00:00 2001
+From 4a05805eb39ba088c07f782fb52a6538ec3f2db6 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 23 Mar 2020 19:10:03 -0400
 Subject: [PATCH] Eliminate redundant PKINIT responder invocation
diff --git a/Fix-AS-REQ-checking-of-KDB-modified-indicators.patch b/Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
deleted file mode 100644
index 1655c38..0000000
--- a/Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From 744154b19c8000965e5a5de51d5dbef0794958be Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 19 Feb 2020 15:36:38 -0500
-Subject: [PATCH] Fix AS-REQ checking of KDB-modified indicators
-
-Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
-KDB the ability to modify auth indicators, but it happens after the
-asserted indicators are checked against the server principal
-requirements. In finish_process_as_req(), move the call to
-check_indicators() after the call to handle_authdata() so that the
-final indicator list is checked.
-
-For the test case, add string attribute functionality to the test KDB
-module, and fix a bug where test_get_principal() would return failure
-if a principal has no keys. Also add a test case for AS-REQ
-enforcement of normally asserted auth indicators.
-
-ticket: 8876 (new)
-tags: pullup
-target_version: 1.18-next
-
-(cherry picked from commit 109e30ce22c20f18b8233119f274935bdf573886)
----
- src/kdc/do_as_req.c | 14 +++++------
- src/plugins/kdb/test/kdb_test.c | 42 +++++++++++++++++++++++++++++++--
- src/tests/t_authdata.py | 11 +++++++++
- 3 files changed, 58 insertions(+), 9 deletions(-)
-
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 87dd7e993..9ae7b0a5e 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -211,13 +211,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
-
- au_state->stage = ENCR_REP;
-
-- errcode = check_indicators(kdc_context, state->server,
-- state->auth_indicators);
-- if (errcode) {
-- state->status = "HIGHER_AUTHENTICATION_REQUIRED";
-- goto egress;
-- }
--
- state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
-
- errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
-@@ -301,6 +294,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
- goto egress;
- }
-
-+ errcode = check_indicators(kdc_context, state->server,
-+ state->auth_indicators);
-+ if (errcode) {
-+ state->status = "HIGHER_AUTHENTICATION_REQUIRED";
-+ goto egress;
-+ }
-+
- errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
- &state->ticket_reply);
- if (errcode)
-diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
-index 1936cb0e4..95a6062e2 100644
---- a/src/plugins/kdb/test/kdb_test.c
-+++ b/src/plugins/kdb/test/kdb_test.c
-@@ -54,6 +54,8 @@
- * # Initial number is kvno; defaults to 1.
- * keys = 3 aes256-cts aes128-cts:normal
- * keys = 2 rc4-hmac
-+ * strings = key1:value1
-+ * strings = key2:value2
- * }
- * }
- * delegation = {
-@@ -282,6 +284,33 @@ make_keys(char **strings, const char *princstr, const krb5_data *realm,
- ent->n_key_data = nkeys;
- }
-
-+static void
-+make_strings(char **stringattrs, krb5_db_entry *ent)
-+{
-+ struct k5buf buf;
-+ char **p;
-+ const char *str, *sep;
-+ krb5_tl_data *tl;
-+
-+ k5_buf_init_dynamic(&buf);
-+ for (p = stringattrs; *p != NULL; p++) {
-+ str = *p;
-+ sep = strchr(str, ':');
-+ assert(sep != NULL);
-+ k5_buf_add_len(&buf, str, sep - str);
-+ k5_buf_add_len(&buf, "\0", 1);
-+ k5_buf_add_len(&buf, sep + 1, strlen(sep + 1) + 1);
-+ }
-+ assert(buf.data != NULL);
-+
-+ tl = ealloc(sizeof(*ent->tl_data));
-+ tl->tl_data_next = NULL;
-+ tl->tl_data_type = KRB5_TL_STRING_ATTRS;
-+ tl->tl_data_length = buf.len;
-+ tl->tl_data_contents = buf.data;
-+ ent->tl_data = tl;
-+}
-+
- static krb5_error_code
- test_init()
- {
-@@ -339,7 +368,8 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
- krb5_principal princ = NULL, tgtprinc;
- krb5_principal_data empty_princ = { KV5M_PRINCIPAL };
- testhandle h = context->dal_handle->db_context;
-- char *search_name = NULL, *canon = NULL, *flagstr, **names, **key_strings;
-+ char *search_name = NULL, *canon = NULL, *flagstr;
-+ char **names, **key_strings, **stringattrs;
- const char *ename;
- krb5_db_entry *ent;
-
-@@ -415,7 +445,7 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
ent->pw_expiration = get_time(h, "princs", ename, "pwexpiration");
-
- /* Leave last_success, last_failed, fail_auth_count zeroed. */
-- /* Leave tl_data and e_data empty. */
-+ /* Leave e_data empty. */
-
- set_names(h, "princs", ename, "keys");
- ret = profile_get_values(h->profile, h->names, &key_strings);
-@@ -424,11 +454,19 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
- profile_free_list(key_strings);
- }
-
-+ set_names(h, "princs", ename, "strings");
-+ ret = profile_get_values(h->profile, h->names, &stringattrs);
-+ if (ret != PROF_NO_RELATION) {
-+ make_strings(stringattrs, ent);
-+ profile_free_list(stringattrs);
-+ }
-+
- /* We must include mod-princ data or kadm5_get_principal() won't work and
- * we can't extract keys with kadmin.local. */
- check(krb5_dbe_update_mod_princ_data(context, ent, 0, &empty_princ));
-
- *entry = ent;
-+ ret = 0;
-
- cleanup:
- krb5_free_unparsed_name(context, search_name);
-diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
-index 3153ebca3..4fbdbec05 100644
---- a/src/tests/t_authdata.py
-+++ b/src/tests/t_authdata.py
-@@ -158,6 +158,8 @@ realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
- mark('auth indicator enforcement')
- realm.addprinc('restricted')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
-+realm.kinit(realm.user_princ, password('user'), ['-S', 'restricted'],
-+ expected_code=1, expected_msg='KDC policy rejects request')
- realm.run([kvno, 'restricted'], expected_code=1,
- expected_msg='KDC policy rejects request')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl'])
-@@ -194,6 +196,8 @@ testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
- 'krbtgt/FOREIGN': {'keys': 'aes128-cts'},
- 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
- 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'},
-+ 'rservice': {'keys': 'aes128-cts',
-+ 'strings': 'require_auth:strong'},
- 'service/1': {'keys': 'aes128-cts',
- 'flags': '+ok_to_auth_as_delegate'},
- 'service/2': {'keys': 'aes128-cts'},
-@@ -208,6 +212,7 @@ usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache')
- realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
- realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
- realm.extract_keytab(realm.user_princ, realm.keytab)
-+realm.extract_keytab('ruser', realm.keytab)
- realm.extract_keytab('service/1', realm.keytab)
- realm.extract_keytab('service/2', realm.keytab)
- realm.extract_keytab('noauthdata', realm.keytab)
-@@ -252,6 +257,12 @@ if ' -2: self_ad' not in out or ' -2: proxy_ad' not in out:
- realm.kinit(realm.user_princ, None, ['-k', '-X', 'indicators=dummy dbincr1'])
- realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [dbincr2]')
- realm.run(['./adata', 'service/1'], expected_msg='+97: [dbincr3]')
-+realm.kinit(realm.user_princ, None,
-+ ['-k', '-X', 'indicators=strong', '-S', 'rservice'])
-+# Test enforcement of altered indicators during AS request.
-+realm.kinit(realm.user_princ, None,
-+ ['-k', '-X', 'indicators=strong dbincr1', '-S', 'rservice'],
-+ expected_code=1)
-
- # Test that KDB module authdata is included in an AS request, by
- # default or with an explicit PAC request.
diff --git a/Make-ksu-honor-KRB5CCNAME-again.patch b/Make-ksu-honor-KRB5CCNAME-again.patch
deleted file mode 100644
index 19f05ae..0000000
--- a/Make-ksu-honor-KRB5CCNAME-again.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 59f2a9dd6a83a3721cdffe852343d96ffaa5c18a Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Mon, 6 Apr 2020 20:45:10 -0400
-Subject: [PATCH] Make ksu honor KRB5CCNAME again
-
-Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
-ksu to ignore KRB5CCNAME from the environment. ksu uses euid
-switching to access the source cache, and should honor KRB5CCNAME to
-find the ccache to potentially authorize the su operation.
-
-Add a helper function init_ksu_context() to create the ksu context,
-with explicit code to honor KRB5CCNAME using
-krb5_cc_set_default_name().
-
-ticket: 8895
-tags: pullup
-target_version: 1.18-next
-
-(cherry picked from commit f040a3ac73947312e1b08c76f75f3389ffb4ba75)
----
- src/clients/ksu/main.c | 31 ++++++++++++++++++++++++++++++-
- 1 file changed, 30 insertions(+), 1 deletion(-)
-
-diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 21a4d02bb..508242e0e 100644
---- a/src/clients/ksu/main.c
-+++ b/src/clients/ksu/main.c
-@@ -54,6 +54,7 @@ int force_fork = 0;
- static int set_env_var (char *, char *);
- static void sweep_up (krb5_context, krb5_ccache);
- static char * ontty (void);
-+static krb5_error_code init_ksu_context(krb5_context *);
- static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
- static void print_status( const char *fmt, ...)
- #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
-@@ -135,7 +136,7 @@ main (argc, argv)
-
- unsetenv ("KRB5_CONFIG");
-
-- retval = krb5_init_secure_context(&ksu_context);
-+ retval = init_ksu_context(&ksu_context);
- if (retval) {
- com_err(argv[0], retval, _("while initializing krb5"));
- exit(1);
-@@ -878,6 +879,34 @@ main (argc, argv)
- }
- }
-
-+static krb5_error_code
-+init_ksu_context(krb5_context *context_out)
-+{
-+ krb5_error_code retval;
-+ const char *env_ccname;
-+ krb5_context context;
-+
-+ *context_out = NULL;
-+
-+ retval = krb5_init_secure_context(&context);
-+ if (retval)
-+ return retval;
-+
-+ /* We want to obey KRB5CCNAME in this context even though this is a setuid
-+ * program. (It will only be used when operating as the real uid.) */
-+ env_ccname = getenv(KRB5_ENV_CCNAME);
-+ if (env_ccname != NULL) {
-+ retval = krb5_cc_set_default_name(context, env_ccname);
-+ if (retval) {
-+ krb5_free_context(context);
-+ return retval;
-+ }
-+ }
-+
-+ *context_out = context;
-+ return 0;
-+}
-+
- /* Set KRB5CCNAME in the environment to point to ccache. Print an error
- * message on failure. */
- static krb5_error_code
diff --git a/Refresh-manually-acquired-creds-from-client-keytab.patch b/Refresh-manually-acquired-creds-from-client-keytab.patch
index fe2588f..cb20c44 100644
--- a/Refresh-manually-acquired-creds-from-client-keytab.patch
+++ b/Refresh-manually-acquired-creds-from-client-keytab.patch
@@ -1,4 +1,4 @@
-From e67aca9a77d78efa798237b43e177caf9e79f64a Mon Sep 17 00:00:00 2001
+From 685aada9eae420cb5156ca7b71c2c7614c0b6e2c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 26 Feb 2020 18:27:17 -0500
 Subject: [PATCH] Refresh manually acquired creds from client keytab
diff --git a/downstream-Adjust-build-configuration.patch b/downstream-Adjust-build-configuration.patch
index 68ecf50..f15a4a2 100644
--- a/downstream-Adjust-build-configuration.patch
+++ b/downstream-Adjust-build-configuration.patch
@@ -1,4 +1,4 @@
-From cbfe13d5f0de6e2a3deab2ba0dacda8c952476ab Mon Sep 17 00:00:00 2001
+From 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH] [downstream] Adjust build configuration
diff --git a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
index 573d222..e6a0a64 100644
--- a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@@ -1,4 +1,4 @@
-From 5978878bcee5ec39e4357f408470d39e9540d2bf Mon Sep 17 00:00:00 2001
+From a721df13d09b5fdad32de15e6aa973b732727aa9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
diff --git a/downstream-Remove-3des-support.patch b/downstream-Remove-3des-support.patch
index 4f14733..01d9338 100644
--- a/downstream-Remove-3des-support.patch
+++ b/downstream-Remove-3des-support.patch
@@ -1,4 +1,4 @@
-From 7dda569170c3f6ab08a9373572b4bc90481eeaf7 Mon Sep 17 00:00:00 2001
+From e9cd83237b54e2f6010a063f523217b0a442ecbf Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] [downstream] Remove 3des support
@@ -256,7 +256,7 @@ index 68debe714..788d094bf 100644
 CKSUMTYPE_NIST_SHA.rst
 CKSUMTYPE_RSA_MD4.rst
 diff --git a/doc/conf.py b/doc/conf.py
-index fc5662767..37eda67fa 100644
+index c32b2882a..5eeafc30f 100644
 --- a/doc/conf.py
 +++ b/doc/conf.py
 @@ -272,7 +272,7 @@ else:
@@ -269,7 +269,7 @@ index fc5662767..37eda67fa 100644
 .. |copy| unicode:: U+000A9
 '''
 diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
-index 513ecfd1b..05243f47b 100644
+index 5d286b6ee..f4594ed13 100644
 --- a/doc/mitK5features.rst
 +++ b/doc/mitK5features.rst
 @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@@ -316,7 +316,7 @@ index 440a22bd9..d4e4da525 100644
 lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
 lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index d1f5661bf..26a3b6ec8 100644
+index e9435c693..6355e6540 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
 @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
@@ -365,7 +365,7 @@ index 8a4b87de1..d7f1d076b 100644
 + supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
 }
 diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 221bde1dd..b8d292021 100644
+index e5898ea63..973976fd9 100644
 --- a/src/kdc/kdc_util.c
 +++ b/src/kdc/kdc_util.c
 @@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
@@ -377,7 +377,7 @@ index 221bde1dd..b8d292021 100644
 else
 return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
-@@ -1841,8 +1839,6 @@ krb5_boolean
+@@ -1826,8 +1824,6 @@ krb5_boolean
 enctype_requires_etype_info_2(krb5_enctype enctype)
 {
 switch(enctype) {
@@ -6258,10 +6258,10 @@ index f71774cdc..d1857c433 100644
 "3BB3AE288C12B3B9D06B208A4151B3B6",
 "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
 diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
-index 378174a2e..3153ebca3 100644
+index c589adf2a..4fbdbec05 100644
 --- a/src/tests/t_authdata.py
 +++ b/src/tests/t_authdata.py
-@@ -172,7 +172,7 @@ realm.run([kvno, 'restricted'])
+@@ -174,7 +174,7 @@ realm.run([kvno, 'restricted'])
 # preferred krbtgt enctype changes.
 mark('#8139 regression test')
 realm.kinit(realm.user_princ, password('user'), ['-f'])
diff --git a/downstream-SELinux-integration.patch b/downstream-SELinux-integration.patch
index e40bd1a..3d3bd08 100644
--- a/downstream-SELinux-integration.patch
+++ b/downstream-SELinux-integration.patch
@@ -1,4 +1,4 @@
-From 4a215a206d1d5af69ea9fbf1e78001971ab18be2 Mon Sep 17 00:00:00 2001
+From 0f8851a23a7b6fa0e195e01d0475e9e55707adf2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] [downstream] SELinux integration
@@ -236,7 +236,7 @@ index 000000000..dfaaa847c
 +#endif
 +#endif
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index d48685357..d1f5661bf 100644
+index 79761f6d2..e9435c693 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
 @@ -87,6 +87,12 @@
@@ -437,7 +437,7 @@ index 021c94398..aaf573439 100644
 goto report_errno;
 writevno = 1;
 diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index 2a03ae980..85dbfeb47 100644
+index 7073459f0..e9b99f4ca 100644
 --- a/src/lib/krb5/os/trace.c
 +++ b/src/lib/krb5/os/trace.c
 @@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
diff --git a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
index b796692..478fd82 100644
--- a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
+++ b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
@@ -1,4 +1,4 @@
-From 0a53577ebb24f0f9b05d769b34bdd4ef2ee2a629 Mon Sep 17 00:00:00 2001
+From 3f5875cf859271bca62f07aee6f663787972def9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 15 Nov 2019 20:05:16 +0000
 Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF
diff --git a/downstream-fix-debuginfo-with-y.tab.c.patch b/downstream-fix-debuginfo-with-y.tab.c.patch
index e8e1870..167fcaf 100644
--- a/downstream-fix-debuginfo-with-y.tab.c.patch
+++ b/downstream-fix-debuginfo-with-y.tab.c.patch
@@ -1,4 +1,4 @@
-From ed161c3f3cb642d025f0fee6d4af6f56bba711e9 Mon Sep 17 00:00:00 2001
+From f4002f246332695d8ea12ec803139fcac18fbba2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
diff --git a/downstream-ksu-pam-integration.patch b/downstream-ksu-pam-integration.patch
index 4532601..220363b 100644
--- a/downstream-ksu-pam-integration.patch
+++ b/downstream-ksu-pam-integration.patch
@@ -1,4 +1,4 @@
-From 9a082e1e02ae4efd2404d0672d38b3d4eb2d6660 Mon Sep 17 00:00:00 2001
+From a7322a84657752c886c317a6994a9fc7a4a70ca5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] [downstream] ksu pam integration
@@ -145,7 +145,7 @@ index 8b4edce4d..9d58f29b5 100644
 clean:
 $(RM) ksu
 diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 4f03dd8ed..21a4d02bb 100644
+index 57c349200..508242e0e 100644
 --- a/src/clients/ksu/main.c
 +++ b/src/clients/ksu/main.c
 @@ -26,6 +26,7 @@
@@ -175,7 +175,7 @@ index 4f03dd8ed..21a4d02bb 100644
 /***********/
 #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
-@@ -535,6 +541,23 @@ main (argc, argv)
+@@ -536,6 +542,23 @@ main (argc, argv)
 prog_name,target_user,client_name, source_user,ontty());
@@ -199,7 +199,7 @@ index 4f03dd8ed..21a4d02bb 100644
 /* Run authorization as target.*/
 if (krb5_seteuid(target_uid)) {
 com_err(prog_name, errno, _("while switching to target for "
-@@ -595,6 +618,24 @@ main (argc, argv)
+@@ -596,6 +619,24 @@ main (argc, argv)
 exit(1);
 }
@@ -224,7 +224,7 @@ index 4f03dd8ed..21a4d02bb 100644
 }
 if( some_rest_copy){
-@@ -652,6 +693,30 @@ main (argc, argv)
+@@ -653,6 +694,30 @@ main (argc, argv)
 exit(1);
 }
@@ -255,7 +255,7 @@ index 4f03dd8ed..21a4d02bb 100644
 /* set permissions */
 if (setgid(target_pwd->pw_gid) < 0) {
 perror("ksu: setgid");
-@@ -749,7 +814,7 @@ main (argc, argv)
+@@ -750,7 +815,7 @@ main (argc, argv)
 fprintf(stderr, "program to be execed %s\n",params[0]);
 }
@@ -264,7 +264,7 @@ index 4f03dd8ed..21a4d02bb 100644
 execv(params[0], params);
 com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
 sweep_up(ksu_context, cc_target);
-@@ -779,16 +844,35 @@ main (argc, argv)
+@@ -780,16 +845,35 @@ main (argc, argv)
 if (ret_pid == -1) {
 com_err(prog_name, errno, _("while calling waitpid"));
 }
diff --git a/downstream-netlib-and-dns.patch b/downstream-netlib-and-dns.patch
index ba04deb..d7ceab1 100644
--- a/downstream-netlib-and-dns.patch
+++ b/downstream-netlib-and-dns.patch
@@ -1,4 +1,4 @@
-From 40553473b674dfbb6328389b6b39ebe3218ed597 Mon Sep 17 00:00:00 2001
+From 355dd481511af4d517ee540854f95a6fb12116a9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH] [downstream] netlib and dns
diff --git a/krb5.spec b/krb5.spec
index 6913a3b..37089cc 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -16,9 +16,9 @@ Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.18
+Version: 1.18.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 12%{?dist}
+Release: 1%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -50,16 +50,12 @@ Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
 Patch5: downstream-Remove-3des-support.patch
 Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
 Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
-Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
 Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
-Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
 Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
-Patch12: Document-client-keytab-usage.patch
 Patch13: Add-finalization-safety-check-to-com_err.patch
 Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
 Patch15: Correctly-import-service-GSS-host-based-name.patch
 Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
-Patch17: Make-ksu-honor-KRB5CCNAME-again.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -637,6 +633,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Apr 14 2020 Robbie Harwood - 1.18.1-1
+- New upstream version (1.18.1)
+
 * Tue Apr 07 2020 Robbie Harwood - 1.18-12
 - Make ksu honor KRB5CCNAME again