rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Upstream release 1.15-beta1

Browse Source 
Also update selinux with RHEL hygene.

Resolves: #1314096
This commit is contained in:
Robbie Harwood 2016-10-20 23:34:28 +00:00
parent 895d0bdfea
commit 821dac42ed
28 changed files with 392 additions and 4005 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -139,3 +139,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14.4.tar.gz /krb5-1.14.4.tar.gz
/krb5-1.14.4.tar.gz.asc /krb5-1.14.4.tar.gz.asc
/krb5-1.14.4-pdfs.tar /krb5-1.14.4-pdfs.tar
/krb5-1.15-beta1.tar.gz
/krb5-1.15-beta1.tar.gz.asc
/krb5-1.15-beta1-pdfs.tar

314
Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
View File

@ -1,314 +0,0 @@
From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Mar 2016 18:53:31 +0100
Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override
messages sent to KDCs.
[ghudson@mit.edu: style and documentation changes]
ticket: 8386 (new)
---
doc/appdev/refs/api/index.rst | 2 +
doc/appdev/refs/types/index.rst | 2 +
src/include/k5-int.h | 6 +++
src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/libkrb5.exports | 2 +
src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++-
src/lib/krb5_32.def | 4 ++
7 files changed, 174 insertions(+), 2 deletions(-)
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 8df351d..e97cbca 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -268,6 +268,8 @@ Rarely used public interfaces
krb5_server_decrypt_ticket_keytab.rst
krb5_set_default_tgs_enctypes.rst
krb5_set_error_message.rst
+ krb5_set_kdc_recv_hook.rst
+ krb5_set_kdc_send_hook.rst
krb5_set_real_time.rst
krb5_string_to_cksumtype.rst
krb5_string_to_deltat.rst
diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
index 51c4093..dc414cf 100644
--- a/doc/appdev/refs/types/index.rst
+++ b/doc/appdev/refs/types/index.rst
@@ -57,6 +57,8 @@ Public
krb5_pa_svr_referral_data.rst
krb5_pa_data.rst
krb5_pointer.rst
+ krb5_post_recv_fn.rst
+ krb5_pre_send_fn.rst
krb5_preauthtype.rst
krb5_principal.rst
krb5_principal_data.rst
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 6b7b2e3..045abfc 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1238,6 +1238,12 @@ struct _krb5_context {
krb5_trace_callback trace_callback;
void *trace_callback_data;
+ krb5_pre_send_fn kdc_send_hook;
+ void *kdc_send_hook_data;
+
+ krb5_post_recv_fn kdc_recv_hook;
+ void *kdc_recv_hook_data;
+
struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
char *plugin_base_dir;
};
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c93a0f2..2b0d59e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
krb5_error_code KRB5_CALLCONV
krb5_set_trace_filename(krb5_context context, const char *filename);
+
+/**
+ * Hook function for inspecting or modifying messages sent to KDCs.
+ *
+ * If the hook function returns an error code, the KDC communication will be
+ * aborted and the error code will be returned to the library operation which
+ * initiated the communication.
+ *
+ * If the hook function sets @a reply_out, @a message will not be sent to the
+ * KDC, and the given reply will used instead.
+ *
+ * If the hook function sets @a new_message_out, the given message will be sent
+ * to the KDC in place of @a message.
+ *
+ * If the hook function returns successfully without setting either output,
+ * @a message will be sent to the KDC normally.
+ *
+ * The hook function should use krb5_copy_data() to construct the value for
+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly
+ * by the library.
+ *
+ * @param [in] context Library context
+ * @param [in] data Callback data
+ * @param [in] realm The realm the message will be sent to
+ * @param [in] message The original message to be sent to the KDC
+ * @param [out] new_message_out Optional replacement message to be sent
+ * @param [out] reply_out Optional synthetic reply
+ *
+ * @retval 0 Success
+ * @return A Kerberos error code
+ */
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,
+ const krb5_data *realm,
+ const krb5_data *message,
+ krb5_data **new_message_out,
+ krb5_data **new_reply_out);
+
+/**
+ * Hook function for inspecting or overriding KDC replies.
+ *
+ * If @a code is zero, @a reply contains the reply received from the KDC. The
+ * hook function may return an error code to simulate an error, may synthesize
+ * a different reply by setting @a new_reply_out, or may simply return
+ * successfully to do nothing.
+ *
+ * If @a code is non-zero, KDC communication failed and @a reply should be
+ * ignored. The hook function may return @a code or a different error code, or
+ * may synthesize a reply by setting @a new_reply_out and return successfully.
+ *
+ * The hook function should use krb5_copy_data() to construct the value for
+ * @a new_reply_out, to ensure that it can be freed correctly by the library.
+ *
+ * @param [in] context Library context
+ * @param [in] data Callback data
+ * @param [in] code Status of KDC communication
+ * @param [in] realm The realm the reply was received from
+ * @param [in] message The message sent to the realm's KDC
+ * @param [in] reply The reply received from the KDC
+ * @param [out] new_reply_out Optional replacement reply
+ *
+ * @retval 0 Success
+ * @return A Kerberos error code
+ */
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,
+ krb5_error_code code,
+ const krb5_data *realm,
+ const krb5_data *message,
+ const krb5_data *reply,
+ krb5_data **new_reply_out);
+
+/**
+ * Set a KDC pre-send hook function.
+ *
+ * @a send_hook will be called before messages are sent to KDCs by library
+ * functions such as krb5_get_credentials(). The hook function may inspect,
+ * override, or synthesize its own reply to the message.
+ *
+ * @param [in] context Library context
+ * @param [in] send_hook Hook function (or NULL to disable the hook)
+ * @param [in] data Callback data to be passed to @a send_hook
+ */
+void KRB5_CALLCONV
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
+ void *data);
+
+/**
+ * Set a KDC post-receive hook function.
+ *
+ * @a recv_hook will be called after a reply is received from a KDC during a
+ * call to a library function such as krb5_get_credentials(). The hook
+ * function may inspect or override the reply. This hook will not be executed
+ * if the pre-send hook returns a synthetic reply.
+ *
+ * @param [in] context The library context.
+ * @param [in] recv_hook Hook function (or NULL to disable the hook)
+ * @param [in] data Callback data to be passed to @a recv_hook
+ */
+void KRB5_CALLCONV
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
+ void *data);
+
+
#if TARGET_OS_MAC
# pragma pack(pop)
#endif
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index c623409..ea6982d 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -581,6 +581,8 @@ krb5_set_password
krb5_set_password_using_ccache
krb5_set_principal_realm
krb5_set_real_time
+krb5_set_kdc_send_hook
+krb5_set_kdc_recv_hook
krb5_set_time_offsets
krb5_set_trace_callback
krb5_set_trace_filename
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 6231de2..be00b8f 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
return 1;
}
+void
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
+ void *data)
+{
+ context->kdc_send_hook = send_hook;
+ context->kdc_send_hook_data = data;
+}
+
+void
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
+ void *data)
+{
+ context->kdc_recv_hook = recv_hook;
+ context->kdc_recv_hook_data = data;
+}
+
/*
* send the formatted request 'message' to a KDC for realm 'realm' and
* return the response (if any) in 'reply'.
@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
krb5_error_code
krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- const krb5_data *realm, krb5_data *reply, int *use_master,
+ const krb5_data *realm, krb5_data *reply_out, int *use_master,
int no_udp)
{
krb5_error_code retval, err;
struct serverlist servers;
int server_used;
k5_transport_strategy strategy;
+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL;
+
+ *reply_out = empty_data();
/*
* find KDC location(s) for realm
@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
if (retval)
return retval;
+ if (context->kdc_send_hook != NULL) {
+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data,
+ realm, message, &hook_message,
+ &hook_reply);
+ if (retval)
+ goto cleanup;
+
+ if (hook_reply != NULL) {
+ *reply_out = *hook_reply;
+ free(hook_reply);
+ goto cleanup;
+ }
+
+ if (hook_message != NULL)
+ message = hook_message;
+ }
+
err = 0;
retval = k5_sendto(context, message, realm, &servers, strategy, NULL,
- reply, NULL, NULL, &server_used,
+ &reply, NULL, NULL, &server_used,
check_for_svc_unavailable, &err);
if (retval == KRB5_KDC_UNREACH) {
if (err == KDC_ERR_SVC_UNAVAILABLE) {
@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
realm->length, realm->data);
}
}
+
+ if (context->kdc_recv_hook != NULL) {
+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,
+ retval, realm, message, &reply,
+ &hook_reply);
+ }
if (retval)
goto cleanup;
+ if (hook_reply != NULL) {
+ *reply_out = *hook_reply;
+ free(hook_reply);
+ } else {
+ *reply_out = reply;
+ reply = empty_data();
+ }
+
/* Set use_master to 1 if we ended up talking to a master when we didn't
* explicitly request to. */
if (*use_master == 0) {
@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
}
cleanup:
+ krb5_free_data(context, hook_message);
+ krb5_free_data_contents(context, &reply);
k5_free_serverlist(&servers);
return retval;
}
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 3734e9b..8d58ea1 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -463,3 +463,7 @@ EXPORTS
krb5_vwrap_error_message @430
krb5_c_prfplus @431
krb5_c_derive_prfplus @432
+
+; new in 1.15
+ krb5_set_kdc_send_hook @433
+ krb5_set_kdc_recv_hook @434
--
2.9.3

100
Add-OS-prng-intended-for-use-with-getrandom.patch
View File

@ -1,100 +0,0 @@
From 5d38da6d4eb29bf87e98a5cb4577b870dbf405ed Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 16:12:57 -0400
Subject: [PATCH] Add OS prng intended for use with getrandom()
Add the prng_os.c module, using the name previously occupied by what
is now prng_device.c. Unlike prng_device.c, this PRNG module
maintains no file descriptor and just uses k5_os_random(), which is
most efficient on platforms which have a getrandom() system call.
[ghudson@mit.edu: expanded on commit message]
ticket: 8499
(cherry picked from commit 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa)
---
src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 src/lib/crypto/krb/prng_os.c
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
new file mode 100644
index 0000000..8ea13e7
--- /dev/null
+++ b/src/lib/crypto/krb/prng_os.c
@@ -0,0 +1,72 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/krb/prng_os.c - OS PRNG implementation */
+/*
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a PRNG module which relies on the system's PRNG. An
+ * OS packager can select this module given sufficient confidence in the
+ * operating system's native PRNG quality.
+ */
+
+#include "crypto_int.h"
+
+int
+k5_prng_init(void)
+{
+ return 0;
+}
+
+void
+k5_prng_cleanup(void)
+{
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+ const krb5_data *indata)
+{
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
+{
+ krb5_boolean res;
+
+ res = k5_get_os_entropy((uint8_t *)outdata->data, outdata->length, 0);
+ return res ? 0 : KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ return 0;
+}
--
2.9.3

62
Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
View File

@ -1,62 +0,0 @@
From 3a8bf57bd3008b2f5338bbd8ba1db5e9e2622c92 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 16:10:34 -0400
Subject: [PATCH] Add getrandom to k5_get_os_entropy() using syscall
ticket: 8499
(cherry picked from commit a9a48392c088b53d8dd86b8008b4059ab78a3679)
---
src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index 9ad24c1..22948a4 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -58,6 +58,9 @@ k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
+#ifdef __linux__
+#include <sys/syscall.h>
+#endif /* __linux__ */
/* Open device, ensure that it is not a regular file, and read entropy. Return
* true on success, false on failure. */
@@ -96,6 +99,33 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
+#if defined(__linux__) && defined(SYS_getrandom)
+ int r;
+
+ while (len > 0) {
+ /*
+ * Pull from the /dev/urandom pool, but it to have been seeded. This
+ * ensures strong randomness while only blocking during first system
+ * boot.
+ *
+ * glibc does not currently provide a binding for getrandom:
+ * https://sourceware.org/bugzilla/show_bug.cgi?id=17252
+ */
+ errno = 0;
+ r = syscall(SYS_getrandom, buf, len, 0);
+ if (r <= 0) {
+ if (errno == EINTR)
+ continue;
+
+ /* ENOSYS or other unrecoverable failure */
+ break;
+ }
+ len -= r;
+ buf += r;
+ }
+ if (len == 0)
+ return TRUE;
+#endif /* defined(__linux__) && defined(SYS_getrandom) */
device = strong ? "/dev/random" : "/dev/urandom";
return read_entropy_from_device(device, buf, len);
--
2.9.3

69
Add-krb5_db_register_keytab.patch
View File

@ -1,69 +0,0 @@
From 4514bc6f0b32471d1a9081ee3677d41eb373d3ff Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Sep 2016 18:33:43 +0200
Subject: [PATCH] Add krb5_db_register_keytab()
Add a public libkdb5 function to register the KDB keytab type. This
functionality is needed for out-of-tree KDC servers such as the Samba
kpasswd service.
[ghudson@mit.edu: edited comments, whitespace, commit message]
ticket: 8494 (new)
(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7)
---
src/include/kdb.h | 7 +++++++
src/lib/kdb/keytab.c | 6 ++++++
src/lib/kdb/libkdb5.exports | 1 +
3 files changed, 14 insertions(+)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 9d3bf9d..048327c 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
void
krb5_dbe_free_string(krb5_context, char *);
+/*
+ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
+ * For this type to work, the context used for keytab operations must have an
+ * associated database handle (via krb5_db_open()).
+ */
+krb5_error_code krb5_db_register_keytab(krb5_context context);
+
#define KRB5_KDB_DEF_FLAGS 0
#define KDB_MAX_DB_NAME 128
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index b85b67d..c6aa100 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data {
} krb5_ktkdb_data;
krb5_error_code
+krb5_db_register_keytab(krb5_context context)
+{
+ return krb5_kt_register(context, &krb5_kt_kdb_ops);
+}
+
+krb5_error_code
krb5_ktkdb_resolve(context, name, id)
krb5_context context;
const char * name;
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index cb4c3df..e5d1045 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -85,6 +85,7 @@ krb5_db_delete_policy
krb5_db_free_policy
krb5_def_store_mkey_list
krb5_db_promote
+krb5_db_register_keytab
ulog_add_update
ulog_init_header
ulog_map
--
2.9.3

367
Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
View File

@ -1,367 +0,0 @@
From db601cd51030a1e48f38078dd706e95db069ead7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 Mar 2016 17:59:07 +0100
Subject: [PATCH] Add tests for send and receive sendto_kdc hooks
[ghudson@mit.edu: style changes]
ticket: 8386
Conflicts:
src/tests/Makefile.in
[rharwood@redhat.com: fix cherry-pick merge conflicts]
[rharwood@redhat.com: delete .gitignore]
---
src/tests/Makefile.in | 12 ++-
src/tests/deps | 10 ++
src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
src/tests/t_hooks.py | 9 ++
4 files changed, 280 insertions(+), 4 deletions(-)
create mode 100644 src/tests/hooks.c
create mode 100755 src/tests/t_hooks.py
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index b24e197..0fc0ea9 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -6,9 +6,9 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
-OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o kdbtest.o plugorder.o \
+OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o kdbtest.o plugorder.o \
t_init_creds.o t_localauth.o rdreq.o responder.o s2p.o s4u2proxy.o
-EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c kdbtest.c plugorder.c \
+EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c kdbtest.c plugorder.c \
t_init_creds.c t_localauth.c rdreq.o responder.c s2p.c s4u2proxy.c
TEST_DB = ./testdb
@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS)
hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
+hooks: hooks.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS)
+
hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
-check-pytests:: adata etinfo gcred hist hrealm kdbtest plugorder rdreq
+check-pytests:: adata etinfo gcred hist hooks hrealm kdbtest plugorder rdreq
check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
@@ -159,7 +163,7 @@ check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
clean::
- $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p
+ $(RM) gcred hist hooks hrealm kdbtest plugorder rdreq responder s2p
$(RM) adata etinfo gcred hist hrealm kdbtest plugorder rdreq responder
$(RM) s2p s4u2proxy t_init_creds t_localauth krb5.conf kdc.conf
$(RM) -rf kdc_realm/sandbox ldap
diff --git a/src/tests/deps b/src/tests/deps
index de33c55..3634dc4 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
hist.c
+$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h hooks.c
$(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
diff --git a/src/tests/hooks.c b/src/tests/hooks.c
new file mode 100644
index 0000000..fabdb89
--- /dev/null
+++ b/src/tests/hooks.c
@@ -0,0 +1,253 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/hooks.c - test harness for KDC send and recv hooks */
+/*
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+
+static krb5_context ctx;
+
+static void
+check_code(krb5_error_code code, const char *file, int line)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(ctx, code);
+ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg,
+ (int)code);
+ krb5_free_error_message(ctx, errmsg);
+ exit(1);
+ }
+}
+
+#define check(code) check_code((code), __FILE__, __LINE__)
+
+/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */
+static krb5_error_code
+test_send_as_req(krb5_context context, void *data, const krb5_data *realm,
+ const krb5_data *message, krb5_data **new_message_out,
+ krb5_data **reply_out)
+{
+ krb5_kdc_req *as_req;
+ int cmp;
+
+ assert(krb5_is_as_req(message));
+ check(decode_krb5_as_req(message, &as_req));
+
+ assert(as_req->msg_type == KRB5_AS_REQ);
+ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE);
+ assert(as_req->client->realm.length == realm->length);
+ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length);
+ assert(cmp == 0);
+
+ /* Remove the canonicalize flag and create a new message. */
+ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE;
+ check(encode_krb5_as_req(as_req, new_message_out));
+
+ krb5_free_kdc_req(context, as_req);
+ return 0;
+}
+
+/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */
+static krb5_error_code
+test_recv_as_rep(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ krb5_kdc_rep *as_rep;
+
+ assert(code == 0);
+ assert(krb5_is_as_rep(reply));
+ check(decode_krb5_as_rep(reply, &as_rep));
+
+ assert(as_rep->msg_type == KRB5_AS_REP);
+ assert(as_rep->ticket->enc_part.kvno == 1);
+ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype));
+
+ krb5_free_kdc_rep(context, as_rep);
+ return 0;
+}
+
+/* Create a fake error reply. */
+static krb5_error_code
+test_send_error(krb5_context context, void *data, const krb5_data *realm,
+ const krb5_data *message, krb5_data **new_message_out,
+ krb5_data **reply_out)
+{
+ krb5_error_code ret;
+ krb5_error err;
+ krb5_principal client, server;
+ char *realm_str, *princ_str;
+ int r;
+
+ realm_str = k5memdup0(realm->data, realm->length, &ret);
+ check(ret);
+
+ r = asprintf(&princ_str, "invalid@%s", realm_str);
+ assert(r > 0);
+ check(krb5_parse_name(ctx, princ_str, &client));
+ free(princ_str);
+
+ r = asprintf(&princ_str, "krbtgt@%s", realm_str);
+ assert(r > 0);
+ check(krb5_parse_name(ctx, princ_str, &server));
+ free(princ_str);
+ free(realm_str);
+
+ err.magic = KV5M_ERROR;
+ err.ctime = 1971196337;
+ err.cusec = 0;
+ err.susec = 97008;
+ err.stime = 1458219390;
+ err.error = 6;
+ err.client = client;
+ err.server = server;
+ err.text = string2data("CLIENT_NOT_FOUND");
+ err.e_data = empty_data();
+ check(encode_krb5_error(&err, reply_out));
+
+ krb5_free_principal(ctx, client);
+ krb5_free_principal(ctx, server);
+ return 0;
+}
+
+static krb5_error_code
+test_recv_error(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ /* The send hook created a reply, so this hook should not be executed. */
+ abort();
+}
+
+/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */
+static krb5_error_code
+test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ krb5_kdc_rep *as_rep;
+
+ assert(code == 0);
+ assert(krb5_is_as_rep(reply));
+ check(decode_krb5_as_rep(reply, &as_rep));
+
+ as_rep->msg_type = KRB5_TGS_REP;
+ check(encode_krb5_as_rep(as_rep, new_reply));
+
+ krb5_free_kdc_rep(context, as_rep);
+ return 0;
+}
+
+/* Return an error given by the callback data argument. */
+static krb5_error_code
+test_send_return_value(krb5_context context, void *data,
+ const krb5_data *realm, const krb5_data *message,
+ krb5_data **new_message_out, krb5_data **reply_out)
+{
+ assert(data != NULL);
+ return *(krb5_error_code *)data;
+}
+
+/* Return an error given by the callback argument. */
+static krb5_error_code
+test_recv_return_value(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ assert(data != NULL);
+ return *(krb5_error_code *)data;
+}
+
+int
+main(int argc, char *argv[])
+{
+ const char *principal, *password;
+ krb5_principal client;
+ krb5_get_init_creds_opt *opts;
+ krb5_creds creds;
+ krb5_error_code ret, test_return_code;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s princname password\n", argv[0]);
+ exit(1);
+ }
+ principal = argv[1];
+ password = argv[2];
+
+ check(krb5_init_context(&ctx));
+ check(krb5_parse_name(ctx, principal, &client));
+
+ /* Use a send hook to modify an outgoing AS-REQ. The library will detect
+ * the modification in the reply. */
+ check(krb5_get_init_creds_opt_alloc(ctx, &opts));
+ krb5_get_init_creds_opt_set_canonicalize(opts, 1);
+ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, opts);
+ assert(ret == KRB5_KDCREP_MODIFIED);
+ krb5_get_init_creds_opt_free(ctx, opts);
+
+ /* Use a send hook to synthesize a KRB-ERROR reply. */
+ krb5_set_kdc_send_hook(ctx, test_send_error, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
+
+ /* Use a recv hook to modify a KDC reply. */
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE);
+
+ /* Verify that the user data pointer works in the send hook. */
+ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED;
+ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code);
+ krb5_set_kdc_recv_hook(ctx, NULL, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED);
+
+ /* Verify that the user data pointer works in the recv hook. */
+ test_return_code = KRB5KDC_ERR_NULL_KEY;
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_NULL_KEY);
+
+ krb5_free_principal(ctx, client);
+ krb5_free_context(ctx);
+ return 0;
+}
diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py
new file mode 100755
index 0000000..58dff3a
--- /dev/null
+++ b/src/tests/t_hooks.py
@@ -0,0 +1,9 @@
+#!/usr/bin/python
+from k5test import *
+
+# Test that KDC send and recv hooks work correctly.
+realm = K5Realm(create_host=False, get_creds=False)
+realm.run(['./hooks', realm.user_princ, password('user')])
+realm.stop()
+
+success('send and recv hook tests')
--
2.9.3

68
Change-KDC-error-for-encrypted-timestamp-preauth.patch
View File

@ -1,68 +0,0 @@
From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Aug 2016 18:03:55 +0200
Subject: [PATCH] Change KDC error for encrypted timestamp preauth
When encrypted timestamp pre-authentication fails, respond with error
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
consistency with other Kerberos implementations.
[ghudson@mit.edu: clarified commit message and comment]
ticket: 8471 (new)
(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
---
src/kdc/kdc_preauth_encts.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 65f7c36..e80dc12 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
- krb5_error_code decrypt_err = 0;
scratch.data = (char *)pa->contents;
scratch.length = pa->length;
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
goto cleanup;
start = 0;
- decrypt_err = 0;
while (1) {
if ((retval = krb5_dbe_search_enctype(context, rock->client,
&start, enc_data->enctype,
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_free_keyblock_contents(context, &key);
if (retval == 0)
break;
- else
- decrypt_err = retval;
}
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
@@ -119,14 +115,10 @@ cleanup:
krb5_free_data_contents(context, &enc_ts_data);
if (pa_enc)
free(pa_enc);
- /*
- * If we get NO_MATCHING_KEY and decryption previously failed, and
- * we failed to find any other keys of the correct enctype after
- * that failed decryption, it probably means that the password was
- * incorrect.
- */
- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
- retval = decrypt_err;
+ /* If we get NO_MATCHING_KEY, it probably means that the password was
+ * incorrect. */
+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
(*respond)(arg, retval, NULL, NULL, NULL);
}
--
2.9.3

65
Create-KDC-and-kadmind-log-files-with-mode-0640.patch
View File

@ -1,65 +0,0 @@
From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:58:44 -0400
Subject: [PATCH] Create KDC and kadmind log files with mode 0640
In krb5_klog_init(), use open() and fdopen() to open log files so that
we can specify a mode. Specify a mode which doesn't include the
group-write, other-read, or other-write bits even if the process umask
allows them.
[ghudson@mit.edu: wrote commit message, de-indented post-open setup
code]
[rharwood@redhat.com: backport not clean due to SELinux patching]
ticket: 8344 (new)
---
src/lib/kadm5/logger.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index 64f9641..0517efe 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
const char *logging_profent[3];
const char *logging_defent[3];
char **logging_specs;
- int i, ngood;
+ int i, ngood, fd, append;
char *cp, *cp2;
char savec = '\0';
int error;
@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
/*
* Check for append/overwrite, then open the file.
*/
- if (cp[4] == ':' || cp[4] == '=') {
- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
- if (f) {
- set_cloexec_file(f);
- log_control.log_entries[i].lfu_filep = f;
- log_control.log_entries[i].log_type = K_LOG_FILE;
- log_control.log_entries[i].lfu_fname = &cp[5];
- } else {
+ append = (cp[4] == ':') ? O_APPEND : 0;
+ if (append || cp[4] == '=') {
+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
+ S_IRUSR | S_IWUSR | S_IRGRP);
+ if (fd != -1)
+ f = fdopen(fd, append ? "a" : "w");
+ if (fd == -1 || f == NULL) {
fprintf(stderr,"Couldn't open log file %s: %s\n",
&cp[5], error_message(errno));
continue;
}
+ set_cloexec_file(f);
+ log_control.log_entries[i].lfu_filep = f;
+ log_control.log_entries[i].log_type = K_LOG_FILE;
+ log_control.log_entries[i].lfu_fname = &cp[5];
}
}
#ifdef HAVE_SYSLOG
--
2.9.3

187
Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
View File

@ -1,187 +0,0 @@
From dd0c141bfc858caa8470271205220a968db7ab51 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 12 Sep 2016 12:25:05 -0400
Subject: [PATCH] Don't feed OS RNG output into the OS RNG
krb5_c_random_os_entropy() now must be provided by PRNG modules.
ticket: 8499
(cherry picked from commit 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f)
---
src/lib/crypto/krb/crypto_int.h | 3 +-
src/lib/crypto/krb/prng.c | 60 +++++----------------------------------
src/lib/crypto/krb/prng_fortuna.c | 26 ++++++++++++++++-
src/lib/crypto/krb/prng_os.c | 6 ++++
4 files changed, 40 insertions(+), 55 deletions(-)
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index c054144..a205e3f 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -508,6 +508,7 @@ void krb5int_crypto_impl_cleanup(void);
* PRNG modules must implement the following APIs from krb5.h:
* krb5_c_random_add_entropy
* krb5_c_random_make_octets
+ * krb5_c_random_os_entropy
*
* PRNG modules should implement these functions. They are called from the
* crypto library init and cleanup functions, and can be used to setup and tear
@@ -517,7 +518,7 @@ int k5_prng_init(void);
void k5_prng_cleanup(void);
/* Used by PRNG modules to gather OS entropy. Returns true on success. */
-krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len);
+krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len, int strong);
/*** Inline helper functions ***/
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index e478b19..9ad24c1 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -36,11 +36,13 @@ krb5_c_random_seed(krb5_context context, krb5_data *data)
#if defined(_WIN32)
krb5_boolean
-k5_get_os_entropy(unsigned char *buf, size_t len)
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
krb5_boolean result;
HCRYPTPROV provider;
+ /* CryptGenRandom is always considered strong. */
+
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
return FALSE;
@@ -49,22 +51,6 @@ k5_get_os_entropy(unsigned char *buf, size_t len)
return result;
}
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-{
- int oursuccess = 0;
- char buf[1024];
- krb5_data data = make_data(buf, sizeof(buf));
-
- if (k5_get_os_entropy(buf, sizeof(buf)) &&
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
- &data) == 0)
- oursuccess = 1;
- if (success != NULL)
- *success = oursuccess;
- return 0;
-}
-
#else /* not Windows */
#ifdef HAVE_UNISTD_H
#include <unistd.h>
@@ -107,44 +93,12 @@ cleanup:
}
krb5_boolean
-k5_get_os_entropy(unsigned char *buf, size_t len)
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
- return read_entropy_from_device("/dev/urandom", buf, len);
-}
+ const char *device;
-/* Read entropy from device and contribute it to the PRNG. Returns true on
- * success. */
-static krb5_boolean
-add_entropy_from_device(krb5_context context, const char *device)
-{
- krb5_data data;
- unsigned char buf[64];
-
- if (!read_entropy_from_device(device, buf, sizeof(buf)))
- return FALSE;
- data = make_data(buf, sizeof(buf));
- return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
- &data) == 0);
-}
-
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-{
- int unused;
- int *oursuccess = (success != NULL) ? success : &unused;
-
- *oursuccess = 0;
- /* If we are getting strong data then try that first. We are
- guaranteed to cause a reseed of some kind if strong is true and
- we have both /dev/random and /dev/urandom. We want the strong
- data included in the reseed so we get it first.*/
- if (strong) {
- if (add_entropy_from_device(context, "/dev/random"))
- *oursuccess = 1;
- }
- if (add_entropy_from_device(context, "/dev/urandom"))
- *oursuccess = 1;
- return 0;
+ device = strong ? "/dev/random" : "/dev/urandom";
+ return read_entropy_from_device(device, buf, len);
}
#endif /* not Windows */
diff --git a/src/lib/crypto/krb/prng_fortuna.c b/src/lib/crypto/krb/prng_fortuna.c
index e70ffa3..017a119 100644
--- a/src/lib/crypto/krb/prng_fortuna.c
+++ b/src/lib/crypto/krb/prng_fortuna.c
@@ -366,7 +366,7 @@ k5_prng_init(void)
#else
last_pid = getpid();
#endif
- if (k5_get_os_entropy(osbuf, sizeof(osbuf))) {
+ if (k5_get_os_entropy(osbuf, sizeof(osbuf), 0)) {
generator_reseed(&main_state, osbuf, sizeof(osbuf));
have_entropy = TRUE;
}
@@ -443,4 +443,28 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ uint8_t buf[64];
+ int status = 0;
+
+ if (!k5_get_os_entropy(buf, sizeof(buf), strong))
+ goto done;
+
+ data = make_data(buf, sizeof(buf));
+ ret = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data);
+ if (ret)
+ goto done;
+
+ status = 1;
+
+done:
+ if (success != NULL)
+ *success = status;
+ return 0;
+}
+
#endif /* not TEST */
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
index 730ed2e..ecfe351 100644
--- a/src/lib/crypto/krb/prng_os.c
+++ b/src/lib/crypto/krb/prng_os.c
@@ -91,3 +91,9 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
}
return 0;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
+{
+ return 0;
+}
--
2.9.3

222
Fix-impersonate_name-to-work-with-interposers.patch
View File

@ -1,222 +0,0 @@
From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
ticket: 8280 (new)
---
src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
2 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
gss_cred_id_t cred = NULL;
gss_OID new_mechs_array = NULL;
gss_cred_id_t * new_cred_array = NULL;
+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
+ gss_OID selected_mech = GSS_C_NO_OID;
status = val_add_cred_impersonate_name_args(minor_status,
input_cred_handle,
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
return (status);
- mech = gssint_get_mechanism(desired_mech);
+ status = gssint_select_mech_type(minor_status, desired_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred_impersonate_name)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {
union_cred = (gss_union_cred_t)input_cred_handle;
- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
GSS_C_NO_CREDENTIAL)
return (GSS_S_DUPLICATE_ELEMENT);
}
mech_impersonator_cred =
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
- desired_mech);
+ selected_mech);
if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_NO_CRED);
/* may need to create a mechanism specific name */
union_name = (gss_union_name_t)desired_name;
if (union_name->mech_type &&
- g_OID_equal(union_name->mech_type,
- &mech->mech_type))
+ g_OID_equal(union_name->mech_type, selected_mech))
internal_name = union_name->mech_name;
else {
if (gssint_import_internal_name(minor_status,
- &mech->mech_type, union_name,
- &allocated_name) != GSS_S_COMPLETE)
+ selected_mech, union_name,
+ &allocated_name) != GSS_S_COMPLETE)
return (GSS_S_BAD_NAME);
internal_name = allocated_name;
}
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
else
time_req = 0;
+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
+ status = gss_add_oid_set_member(minor_status,
+ gssint_get_public_oid(selected_mech),
+ &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
status = mech->gss_acquire_cred_impersonate_name(minor_status,
mech_impersonator_cred,
internal_name,
time_req,
- GSS_C_NULL_OID_SET,
+ target_mechs,
cred_usage,
&cred,
NULL,
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
new_cred_array[union_cred->count] = cred;
if ((new_mechs_array[union_cred->count].elements =
- malloc(mech->mech_type.length)) == NULL)
+ malloc(selected_mech->length)) == NULL)
goto errout;
- g_OID_copy(&new_mechs_array[union_cred->count],
- &mech->mech_type);
+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
if (actual_mechs != NULL) {
- gss_OID_set_desc oids;
-
- oids.count = union_cred->count + 1;
- oids.elements = new_mechs_array;
-
- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
+ union_cred->count + 1,
+ actual_mechs);
if (GSS_ERROR(status)) {
free(new_mechs_array[union_cred->count].elements);
goto errout;
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
/* We're done with the internal name. Free it if we allocated it. */
if (allocated_name)
- (void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
&allocated_name);
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+
return (GSS_S_COMPLETE);
errout:
@@ -503,8 +517,10 @@ errout:
if (allocated_name)
(void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
- &allocated_name);
+ selected_mech, &allocated_name);
+
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 07435d8..99e374f 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- OM_uint32 status;
+ OM_uint32 status, tmpmin;
gss_OID_set amechs = GSS_C_NULL_OID_SET;
spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
- gss_cred_id_t imp_mcred, out_mcred;
+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
- if (desired_mechs == GSS_C_NO_OID_SET) {
- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
- NULL, &amechs);
- if (status != GSS_S_COMPLETE)
- return status;
-
- desired_mechs = amechs;
- }
+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+ NULL, &amechs);
+ if (status != GSS_S_COMPLETE)
+ return status;
status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
desired_name, time_req,
- desired_mechs, cred_usage,
+ amechs, cred_usage,
&out_mcred, actual_mechs,
time_rec);
-
- if (amechs != GSS_C_NULL_OID_SET)
- (void) gss_release_oid_set(minor_status, &amechs);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
- if (status != GSS_S_COMPLETE) {
- gss_release_cred(minor_status, &out_mcred);
- return (status);
- }
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ out_mcred = GSS_C_NO_CREDENTIAL;
*output_cred_handle = (gss_cred_id_t)out_spcred;
+cleanup:
+ (void) gss_release_oid_set(&tmpmin, &amechs);
+ (void) gss_release_cred(&tmpmin, &out_mcred);
+
dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
return (status);
}
--
2.9.3

82
Improve-bad-password-inference-in-kinit.patch
View File

@ -1,82 +0,0 @@
From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:28:43 -0400
Subject: [PATCH] Improve bad password inference in kinit
kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be
decrypted, or when encrypted timestamp preauth fails against an MIT
krb5 1.14 or earlier KDC. Expand this check to include general
preauth failures reported by the KDC, but only if a password was
prompted for.
ticket: 8465 (new)
(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
---
src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index eba36b9..990fd11 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -700,9 +700,18 @@ kinit_prompter(
krb5_prompt prompts[]
)
{
- krb5_error_code rc =
- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- return rc;
+ krb5_boolean *pwprompt = data;
+ krb5_prompt_type *ptypes;
+ int i;
+
+ /* Make a note if we receive a password prompt. */
+ ptypes = krb5_get_prompt_types(ctx);
+ for (i = 0; i < num_prompts; i++) {
+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
+ *pwprompt = TRUE;
+ }
+
+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
}
static int
@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
krb5_creds my_creds;
krb5_error_code code = 0;
krb5_get_init_creds_opt *options = NULL;
+ krb5_boolean pwprompt = FALSE;
int i;
memset(&my_creds, 0, sizeof(my_creds));
@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
switch (opts->action) {
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
- 0, kinit_prompter, 0,
+ 0, kinit_prompter, &pwprompt,
opts->starttime,
opts->service_name,
options);
@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
break;
}
- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ /* If reply decryption failed, or if pre-authentication failed and we
+ * were prompted for a password, assume the password was wrong. */
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
doing);
- else
+ } else {
com_err(progname, code, _("while %s"), doing);
+ }
goto cleanup;
}
--
2.9.3

49
Properly-handle-EOF-condition-on-libkrad-sockets.patch
View File

@ -1,49 +0,0 @@
From 9a3a64665819a0e1ee82953bf879f57d6f433358 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 30 Sep 2016 10:03:33 -0400
Subject: [PATCH] Properly handle EOF condition on libkrad sockets
In the previous code, when the remote peer performed an orderly shutdown
on the socket, libkrad would enter a state in which all future requests
timed out. Instead, if the peer shuts down its socket, we need to
attempt to reopen it.
ticket: 8504 (new)
target_version: 1.14-next
tags: pullup
(cherry picked from commit 248497427d5a45225817b6c22e9224e8ad969872)
---
src/lib/krad/remote.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index df3de3a..68cd16f 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -329,16 +329,15 @@ on_io_read(krad_remote *rr)
/* Read the packet. */
i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
pktlen, 0);
- if (i < 0) {
- /* Should we try again? */
- if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
- return;
- /* The socket is unrecoverable. */
+ /* On these errors, try again. */
+ if (i < 0 && (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
+ return;
+
+ /* On any other errors or on EOF, the socket is unrecoverable. */
+ if (i <= 0) {
remote_shutdown(rr);
return;
- } else if (i == 0) {
- remote_del_flags(rr, FLAGS_READ);
}
/* If we have a partial read or just the header, try again. */
--
2.9.3

29
Rename-prng_os.c-to-prng_device.c.patch
View File

@ -1,29 +0,0 @@
From 8ca87ac2ab358d9fa6756636a6c5280858a72e3b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Sep 2016 12:53:10 -0400
Subject: [PATCH] Rename prng_os.c to prng_device.c
ticket: 8499
(cherry picked from commit 5e54525fbe40d56f44368e216c92938403cad96d)
---
src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename src/lib/crypto/krb/{prng_os.c => prng_device.c} (97%)
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_device.c
similarity index 97%
rename from src/lib/crypto/krb/prng_os.c
rename to src/lib/crypto/krb/prng_device.c
index ecfe351..bef5b37 100644
--- a/src/lib/crypto/krb/prng_os.c
+++ b/src/lib/crypto/krb/prng_device.c
@@ -1,5 +1,5 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/prng_os.c - OS-native PRNG implementation */
+/* lib/crypto/krb/prng_device.c - OS device-based PRNG implementation */
/*
* Copyright (C) 2011 by the Massachusetts Institute of Technology.
* All rights reserved.
--
2.9.3

49
Set-prompt-type-for-OTP-preauth-prompt.patch
View File

@ -1,49 +0,0 @@
From 59ffbc2016ae2e164a0da7bacc5449bd9898337c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:23:31 -0400
Subject: [PATCH] Set prompt type for OTP preauth prompt
Add k5_set_prompt_type() calls around the prompter invocation in
preauth_otp.c, and add the comment we conventionally put before
prompter invocations.
ticket: 8464 (new)
(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
---
src/lib/krb5/krb/preauth_otp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index 37f98b2..48fcbb5 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -31,6 +31,7 @@
#include "k5-int.h"
#include "k5-json.h"
#include "int-proto.h"
+#include "os-proto.h"
#include <krb5/clpreauth_plugin.h>
#include <ctype.h>
@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
krb5_prompt prompt;
krb5_data prompt_reply;
krb5_error_code retval;
+ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
if (prompttxt == NULL || out == NULL)
return EINVAL;
@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
prompt.prompt = (char *)prompttxt;
prompt.hidden = 1;
+ /* PROMPTER_INVOCATION */
+ k5_set_prompt_types(context, &prompt_type);
retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
+ k5_set_prompt_types(context, NULL);
if (retval != 0)
return retval;
--
2.9.3

6
krb5-1.11-kpasswdtest.patch
View File

@ -1,4 +1,4 @@
From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001 From a8750a1a2d0925c6ad01096e09bdbf18c058cb70 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400 Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch Subject: [PATCH] krb5-1.11-kpasswdtest.patch
@ -8,10 +8,10 @@ Subject: [PATCH] krb5-1.11-kpasswdtest.patch
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
index e9702bb..482fda6 100644 index 00c4429..9c4bc1d 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto --- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto +++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -8,6 +8,7 @@ @@ -9,6 +9,7 @@
__REALM__ = { __REALM__ = {
kdc = __KDCHOST__:1750 kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751 admin_server = __KDCHOST__:1751

2
krb5-1.11-run_user_0.patch
View File

@ -1,4 +1,4 @@
From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001 From 9ad4aa0ba462b3bee535b4e579f8247258742d59 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400 Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch Subject: [PATCH] krb5-1.11-run_user_0.patch

2
krb5-1.12-api.patch
View File

@ -1,4 +1,4 @@
From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001 From a7903a70342d35bfba50d3d1c080d481f3d725c6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400 Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch Subject: [PATCH] krb5-1.12-api.patch

4
krb5-1.12-ksu-path.patch
View File

@ -1,4 +1,4 @@
From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001 From d60c3784417faad05fffb5bb4d6db4c44e79c8cb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400 Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch Subject: [PATCH] krb5-1.12-ksu-path.patch
@ -9,7 +9,7 @@ Set the default PATH to the one set by login.
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index ad2406a..1379c4a 100644 index 5755bb5..9d58f29 100644
--- a/src/clients/ksu/Makefile.in --- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@

4
krb5-1.12-ktany.patch
View File

@ -1,4 +1,4 @@
From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001 From 813d3e2617057252ad1f9ffa30624f36629903b7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400 Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch Subject: [PATCH] krb5-1.12-ktany.patch
@ -14,7 +14,7 @@ the contents of the first keytab.
create mode 100644 src/lib/krb5/keytab/kt_any.c create mode 100644 src/lib/krb5/keytab/kt_any.c
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 28485d5..c17ab82 100644 index 2a8fceb..ffd179f 100644
--- a/src/lib/krb5/keytab/Makefile.in --- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in +++ b/src/lib/krb5/keytab/Makefile.in
@@ -12,6 +12,7 @@ STLIBOBJS= \ @@ -12,6 +12,7 @@ STLIBOBJS= \

28
krb5-1.12.1-pam.patch
View File

@ -1,4 +1,4 @@
From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001 From 551bd300005a8c45bad3a26f813ae99f31f4a641 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400 Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch Subject: [PATCH] krb5-1.12.1-pam.patch
@ -28,10 +28,10 @@ changes we're proposing for how it handles cache collections.
create mode 100644 src/clients/ksu/pam.h create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index dbb7db2..ce045ab 100644 index bd2eb48..5fc7f3e 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ @@ -1673,3 +1673,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
])) ]))
])dnl ])dnl
dnl dnl
@ -103,7 +103,7 @@ index dbb7db2..ce045ab 100644
+AC_SUBST(NON_PAM_MAN) +AC_SUBST(NON_PAM_MAN)
+])dnl +])dnl
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index c705fda..ad2406a 100644 index b2fcbf2..5755bb5 100644
--- a/src/clients/ksu/Makefile.in --- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
@ -129,7 +129,7 @@ index c705fda..ad2406a 100644
heuristic.o \ heuristic.o \
xmalloc.o @SETENVOBJ@ xmalloc.o @SETENVOBJ@
all:: ksu all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) - $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
@ -138,10 +138,10 @@ index c705fda..ad2406a 100644
+pam.o: pam.c +pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $< + $(CC) $(ALL_CFLAGS) -c $<
clean:: clean:
$(RM) ksu $(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 2f8d8e1..1b2ca83 100644 index 28342c2..cab0c18 100644
--- a/src/clients/ksu/main.c --- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
@ -171,7 +171,7 @@ index 2f8d8e1..1b2ca83 100644
/***********/ /***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu" #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -514,6 +520,23 @@ main (argc, argv) @@ -515,6 +521,23 @@ main (argc, argv)
prog_name,target_user,client_name, prog_name,target_user,client_name,
source_user,ontty()); source_user,ontty());
@ -195,7 +195,7 @@ index 2f8d8e1..1b2ca83 100644
/* Run authorization as target.*/ /* Run authorization as target.*/
if (krb5_seteuid(target_uid)) { if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for " com_err(prog_name, errno, _("while switching to target for "
@@ -574,6 +597,24 @@ main (argc, argv) @@ -575,6 +598,24 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -220,7 +220,7 @@ index 2f8d8e1..1b2ca83 100644
} }
if( some_rest_copy){ if( some_rest_copy){
@@ -631,6 +672,30 @@ main (argc, argv) @@ -632,6 +673,30 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -251,7 +251,7 @@ index 2f8d8e1..1b2ca83 100644
/* set permissions */ /* set permissions */
if (setgid(target_pwd->pw_gid) < 0) { if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid"); perror("ksu: setgid");
@@ -728,7 +793,7 @@ main (argc, argv) @@ -729,7 +794,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]); fprintf(stderr, "program to be execed %s\n",params[0]);
} }
@ -260,7 +260,7 @@ index 2f8d8e1..1b2ca83 100644
execv(params[0], params); execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]); com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target); sweep_up(ksu_context, cc_target);
@@ -758,16 +823,35 @@ main (argc, argv) @@ -759,16 +824,35 @@ main (argc, argv)
if (ret_pid == -1) { if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid")); com_err(prog_name, errno, _("while calling waitpid"));
} }
@ -756,10 +756,10 @@ index 0000000..0ab7656
+void appl_pam_cleanup(void); +void appl_pam_cleanup(void);
+#endif +#endif
diff --git a/src/configure.in b/src/configure.in diff --git a/src/configure.in b/src/configure.in
index b2a8675..8846ca0 100644 index fde09a1..79c0fe2 100644
--- a/src/configure.in --- a/src/configure.in
+++ b/src/configure.in +++ b/src/configure.in
@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION]) @@ -1336,6 +1336,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff) AC_PATH_PROG(GROFF, groff)

14
krb5-1.13-dirsrv-accountlock.patch
View File

@ -1,4 +1,4 @@
From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001 From 71c4e4b129b33d8b71262c5f2eea55267b6b33cb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400 Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
@ -12,10 +12,10 @@ original version filed as RT#5891.
3 files changed, 29 insertions(+) 3 files changed, 29 insertions(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index ed343c5..f67eef7 100644 index d49b7c1..9076016 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then @@ -1654,6 +1654,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support) AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes OPENLDAP_PLUGIN=yes
fi fi
@ -32,10 +32,10 @@ index ed343c5..f67eef7 100644
dnl dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index aca8f31..0a0968c 100644 index 32efc4f..af8b2db 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, @@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret) if (ret)
goto cleanup; goto cleanup;
@ -60,7 +60,7 @@ index aca8f31..0a0968c 100644
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret) if (ret)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index 6a06f55..1f87e21 100644 index d722dbf..5e8e9a8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname", @@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
@ -72,7 +72,7 @@ index 6a06f55..1f87e21 100644
+#endif +#endif
"krbLastPwdChange", "krbLastPwdChange",
"krbLastAdminUnlock", "krbLastAdminUnlock",
"krbExtraData", "krbPrincipalAuthInd",
-- --
2.9.3 2.9.3

1940
krb5-1.14.4-openssl11.patch
View File

File diff suppressed because it is too large Load Diff

26
krb5-1.12-buildconf.patch → krb5-1.15-beta1-buildconf.patch
View File

@ -1,7 +1,7 @@
From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001 From e7cea9ceea5a97248384a3bb0cc2bb2d58cce326 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400 Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.12-buildconf.patch Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO, Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out and install shared libraries with the execute bit set on them. Prune out
@ -33,10 +33,10 @@ index c17cb5e..1891dea 100755
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5 library=krb5
diff --git a/src/config/pre.in b/src/config/pre.in diff --git a/src/config/pre.in b/src/config/pre.in
index 63271e7..c100fef 100644 index fcea229..d961b56 100644
--- a/src/config/pre.in --- a/src/config/pre.in
+++ b/src/config/pre.in +++ b/src/config/pre.in
@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) @@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@ INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@ INSTALL_SHLIB=@INSTALL_SHLIB@
@ -46,19 +46,19 @@ index 63271e7..c100fef 100644
## ${prefix}. ## ${prefix}.
prefix=@prefix@ prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index 55f16be..f4a762c 100644 index 3e4af6c..2b20c3f 100644
--- a/src/config/shlib.conf --- a/src/config/shlib.conf
+++ b/src/config/shlib.conf +++ b/src/config/shlib.conf
@@ -422,7 +422,7 @@ mips-*-netbsd*) @@ -423,7 +423,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field... # Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library # Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' # UNDEF_CHECK is suppressed by --enable-asan
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel' - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
# + LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' UNDEF_CHECK='-Wl,--no-undefined'
SHLIB_EXPORT_FILE_DEP=binutils.versions # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
@@ -433,7 +433,8 @@ mips-*-netbsd*) LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'

329
krb5-1.13-selinux-label.patch → krb5-1.15-beta1-selinux-label.patch
View File

@ -1,7 +1,7 @@
From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001 From 7fea764528d0d1b0b2c8bf17d116f3da622f9cb6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400 Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.13-selinux-label.patch Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
SELinux bases access to files on the domain of the requesting process, SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file. the operation being performed, and the context applied to the file.
@ -58,16 +58,15 @@ which we used earlier, is some improvement.
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/slave/kpropd.c | 9 + src/slave/kpropd.c | 9 +
src/util/gss-kernel-lib/Makefile.in | 5 +-
src/util/profile/prof_file.c | 3 +- src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +- src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 381 +++++++++++++++++++++ src/util/support/selinux.c | 406 +++++++++++++++++++++
26 files changed, 566 insertions(+), 22 deletions(-) 25 files changed, 587 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index ce045ab..311f099 100644 index 5fc7f3e..5b02b40 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
@ -78,7 +77,7 @@ index ce045ab..311f099 100644
KRB5_LIB_PARAMS KRB5_LIB_PARAMS
KRB5_AC_INITFINI KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS KRB5_AC_ENABLE_THREADS
@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS) @@ -1740,3 +1741,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN) AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN) AC_SUBST(NON_PAM_MAN)
])dnl ])dnl
@ -152,10 +151,10 @@ index f6184da..c17cb5e 100755
echo $lib_flags echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in diff --git a/src/config/pre.in b/src/config/pre.in
index b0d9015..63271e7 100644 index e062632..fcea229 100644
--- a/src/config/pre.in --- a/src/config/pre.in
+++ b/src/config/pre.in +++ b/src/config/pre.in
@@ -174,6 +174,7 @@ LD = $(PURE) @LD@ @@ -177,6 +177,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LIBS = @LIBS@ LIBS = @LIBS@
@ -163,7 +162,7 @@ index b0d9015..63271e7 100644
INSTALL=@INSTALL@ INSTALL=@INSTALL@
INSTALL_STRIP= INSTALL_STRIP=
@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) @@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod... # HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@ HESIOD_LIBS = @HESIOD_LIBS@
@ -173,10 +172,10 @@ index b0d9015..63271e7 100644
GSS_LIBS = $(GSS_KRB5_LIB) GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X! # needs fixing if ever used on Mac OS X!
diff --git a/src/configure.in b/src/configure.in diff --git a/src/configure.in b/src/configure.in
index 8846ca0..9ec8d84 100644 index 79c0fe2..d085a4b 100644
--- a/src/configure.in --- a/src/configure.in
+++ b/src/configure.in +++ b/src/configure.in
@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff) @@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM KRB5_WITH_PAM
@ -186,10 +185,10 @@ index 8846ca0..9ec8d84 100644
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 41c3d1b..6b7b2e3 100644 index 3cc32c3..afefe28 100644
--- a/src/include/k5-int.h --- a/src/include/k5-int.h
+++ b/src/include/k5-int.h +++ b/src/include/k5-int.h
@@ -129,6 +129,7 @@ typedef unsigned char u_char; @@ -128,6 +128,7 @@ typedef unsigned char u_char;
#include "k5-platform.h" #include "k5-platform.h"
@ -236,7 +235,7 @@ index 0000000..dfaaa84
+#endif +#endif
+#endif +#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index e2c08ae..c93a0f2 100644 index 64b0d0f..0c9347b 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@ @@ -87,6 +87,12 @@
@ -253,7 +252,7 @@ index e2c08ae..c93a0f2 100644
#include <stdlib.h> #include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 253bf3f..9c8c3dc 100644 index f7889bd..cad53cf 100644
--- a/src/kadmin/dbutil/dump.c --- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -288,10 +287,10 @@ index 253bf3f..9c8c3dc 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++; exit_status++;
diff --git a/src/kdc/main.c b/src/kdc/main.c diff --git a/src/kdc/main.c b/src/kdc/main.c
index 82dfc0e..936f46b 100644 index 6767ef0..70cb256 100644
--- a/src/kdc/main.c --- a/src/kdc/main.c
+++ b/src/kdc/main.c +++ b/src/kdc/main.c
@@ -847,7 +847,7 @@ write_pid_file(const char *path) @@ -873,7 +873,7 @@ write_pid_file(const char *path)
FILE *file; FILE *file;
unsigned long pid; unsigned long pid;
@ -301,19 +300,19 @@ index 82dfc0e..936f46b 100644
return errno; return errno;
pid = (unsigned long) getpid(); pid = (unsigned long) getpid();
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index 19c4355..64f9641 100644 index ce79fab..c53a574 100644
--- a/src/lib/kadm5/logger.c --- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do @@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
* Check for append/overwrite, then open the file.
*/ */
if (cp[4] == ':' || cp[4] == '=') { append = (cp[4] == ':') ? O_APPEND : 0;
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); if (append || cp[4] == '=') {
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); - fd = open(&cp[5], O_CREAT | O_WRONLY | append,
if (f) { + fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
set_cloexec_file(f); S_IRUSR | S_IWUSR | S_IRGRP);
log_control.log_entries[i].lfu_filep = f; if (fd != -1)
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) f = fdopen(fd, append ? "a" : "w");
@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the * In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs. * way, open for append to prevent squashing the old logs.
*/ */
@ -323,7 +322,7 @@ index 19c4355..64f9641 100644
set_cloexec_file(f); set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f; log_control.log_entries[lindex].lfu_filep = f;
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 99cda59..523b99a 100644 index 766d300..6466417 100644
--- a/src/lib/kdb/kdb_log.c --- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c
@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) @@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
@ -386,24 +385,23 @@ index bba64e5..73f0fe6 100644
_("Credential cache directory %s does not exist"), _("Credential cache directory %s does not exist"),
dirname); dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e105a51..ff1fc54 100644 index 6a42f26..674d88b 100644
--- a/src/lib/krb5/keytab/kt_file.c --- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c
@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) @@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id); KTCHECKLOCK(id);
errno = 0; errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), - KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ? (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) { if (!KTFILEP(id)) {
@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
/* try making it first time around */ /* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id)); k5_create_secure_file(context, KTFILENAME(id));
errno = 0; errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); - KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
if (!KTFILEP(id)) if (!KTFILEP(id))
goto report_errno; goto report_errno;
writevno = 1; writevno = 1;
@ -421,7 +419,7 @@ index 83c8d4d..a192461 100644
free(fd); free(fd);
return errno; return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 2fb6aa0..c453189 100644 index c4d2c74..c0f12ed 100644
--- a/src/lib/krb5/rcache/rc_dfl.c --- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c +++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) @@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
@ -466,7 +464,7 @@ index 7db30a3..2b9d019 100644
* maybe someone took away write permission so we could only * maybe someone took away write permission so we could only
* get shared locks? * get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index e97b841..5d1cd61 100644 index 4c4036e..d90bdea 100644
--- a/src/plugins/kdb/db2/kdb_db2.c --- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@ -502,7 +500,7 @@ index 2977b17..d5809a5 100644
} else { } else {
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 2a5b4f8..7239d03 100644 index 76f5d47..1fa8b83 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c --- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
@ -545,10 +543,10 @@ index d8b26e7..b0daa7c 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 64d0f91..5d5c0a6 100644 index 022156a..3d6994c 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -178,7 +178,7 @@ done: @@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */ /* set password in the file */
old_mode = umask(0177); old_mode = umask(0177);
@ -557,7 +555,7 @@ index 64d0f91..5d5c0a6 100644
if (pfile == NULL) { if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name, com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno)); strerror (errno));
@@ -219,6 +219,9 @@ done: @@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry * Delete the existing entry and add the new entry
*/ */
FILE *newfile; FILE *newfile;
@ -567,7 +565,7 @@ index 64d0f91..5d5c0a6 100644
mode_t omask; mode_t omask;
@@ -230,7 +233,13 @@ done: @@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
} }
omask = umask(077); omask = umask(077);
@ -582,7 +580,7 @@ index 64d0f91..5d5c0a6 100644
if (newfile == NULL) { if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file); com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index 1383156..a950924 100644 index 056c31a..b78c3d9 100644
--- a/src/slave/kpropd.c --- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c +++ b/src/slave/kpropd.c
@@ -464,6 +464,9 @@ doit(int fd) @@ -464,6 +464,9 @@ doit(int fd)
@ -611,32 +609,6 @@ index 1383156..a950924 100644
retval = krb5_lock_file(kpropd_context, lock_fd, retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) { if (retval) {
diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
index f70f3c6..7a2f9cc 100644
--- a/src/util/gss-kernel-lib/Makefile.in
+++ b/src/util/gss-kernel-lib/Makefile.in
@@ -61,6 +61,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 907c119..0f5462a 100644 index 907c119..0f5462a 100644
--- a/src/util/profile/prof_file.c --- a/src/util/profile/prof_file.c
@ -659,10 +631,10 @@ index 907c119..0f5462a 100644
retval = errno; retval = errno;
if (retval == 0) if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index 5181762..f77acd4 100644 index 6239e41..17bcd2a 100644
--- a/src/util/support/Makefile.in --- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in
@@ -59,6 +59,7 @@ IPC_SYMS= \ @@ -69,6 +69,7 @@ IPC_SYMS= \
STLIBOBJS= \ STLIBOBJS= \
threads.o \ threads.o \
@ -670,7 +642,7 @@ index 5181762..f77acd4 100644
init-addrinfo.o \ init-addrinfo.o \
plugins.o \ plugins.o \
errors.o \ errors.o \
@@ -131,7 +132,7 @@ SRCS=\ @@ -148,7 +149,7 @@ SRCS=\
SHLIB_EXPDEPS = SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt. # Add -lm if dumping thread stats, for sqrt.
@ -681,12 +653,12 @@ index 5181762..f77acd4 100644
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644 new file mode 100644
index 0000000..ffba6a9 index 0000000..2302634
--- /dev/null --- /dev/null
+++ b/src/util/support/selinux.c +++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@ @@ -0,0 +1,406 @@
+/* +/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. + * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
+ * + *
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met: + * modification, are permitted provided that the following conditions are met:
@ -724,8 +696,10 @@ index 0000000..ffba6a9
+ +
+#include <k5-label.h> +#include <k5-label.h>
+#include <k5-platform.h> +#include <k5-platform.h>
+
+#include <sys/types.h> +#include <sys/types.h>
+#include <sys/stat.h> +#include <sys/stat.h>
+
+#include <errno.h> +#include <errno.h>
+#include <fcntl.h> +#include <fcntl.h>
+#include <limits.h> +#include <limits.h>
@ -735,13 +709,26 @@ index 0000000..ffba6a9
+#include <stdlib.h> +#include <stdlib.h>
+#include <string.h> +#include <string.h>
+#include <unistd.h> +#include <unistd.h>
+
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h> +#include <selinux/label.h>
+#endif
+ +
+/* #define DEBUG 1 */ +/* #define DEBUG 1 */
+static void
+debug_log(const char *fmt, ...)
+{
+#ifdef DEBUG
+ va_list ap;
+ va_start(ap, str);
+ if (isatty(fileno(stderr))) {
+ vfprintf(stderr, fmt, ap);
+ }
+ va_end(ap);
+#endif
+
+ return;
+}
+ +
+/* Mutex used to serialize use of the process-global file creation context. */ +/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; +k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
@ -754,7 +741,6 @@ index 0000000..ffba6a9
+ k5_mutex_finish_init(&labeled_mutex); + k5_mutex_finish_init(&labeled_mutex);
+} +}
+ +
+#ifdef HAVE_SELINUX_LABEL_H
+static struct selabel_handle *selabel_ctx; +static struct selabel_handle *selabel_ctx;
+static time_t selabel_last_changed; +static time_t selabel_last_changed;
+ +
@ -768,7 +754,6 @@ index 0000000..ffba6a9
+ selabel_ctx = NULL; + selabel_ctx = NULL;
+ } + }
+} +}
+#endif
+ +
+static security_context_t +static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode) +push_fscreatecon(const char *pathname, mode_t mode)
@ -776,164 +761,159 @@ index 0000000..ffba6a9
+ security_context_t previous, configuredsc, currentsc, derivedsc; + security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived; + context_t current, derived;
+ const char *fullpath, *currentuser; + const char *fullpath, *currentuser;
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath; + char *genpath;
+
+ previous = configuredsc = currentsc = derivedsc = NULL;
+ current = derived = NULL;
+ genpath = NULL; + genpath = NULL;
+
+ fullpath = pathname;
+
+ if (!is_selinux_enabled()) {
+ goto fail;
+ }
+
+ if (getfscreatecon(&previous) != 0) {
+ goto fail;
+ }
+
+ /* Canonicalize pathname */
+ if (pathname[0] != '/') { + if (pathname[0] != '/') {
+ char *wd; + char *wd;
+ size_t len; + size_t len;
+ len = 0; + len = 0;
+
+ wd = getcwd(NULL, len); + wd = getcwd(NULL, len);
+ if (wd == NULL) { + if (wd == NULL) {
+ if (previous != NULL) { + goto fail;
+ freecon(previous);
+ }
+ return NULL;
+ } + }
+
+ len = strlen(wd) + 1 + strlen(pathname) + 1; + len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len); + genpath = malloc(len);
+ if (genpath == NULL) { + if (genpath == NULL) {
+ free(wd); + free(wd);
+ if (previous != NULL) { + goto fail;
+ freecon(previous);
+ }
+ return NULL;
+ } + }
+
+ sprintf(genpath, "%s/%s", wd, pathname); + sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd); + free(wd);
+ fullpath = genpath; + fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ } + }
+#ifdef DEBUG +
+ if (isatty(fileno(stderr))) { + debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
+ fprintf(stderr, "Looking up context for " +
+ "\"%s\"(%05o).\n", fullpath, mode); + /* Check whether context file has changed under us */
+ } + if (selabel_ctx != NULL || selabel_last_changed == 0) {
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ if ((selabel_ctx != NULL) ||
+ (selabel_last_changed == 0)) {
+ const char *cpath; + const char *cpath;
+ struct stat st; + struct stat st;
+ int i = -1; + int i = -1;
+
+ cpath = selinux_file_context_path(); + cpath = selinux_file_context_path();
+ if ((cpath == NULL) || + if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
+ ((i = stat(cpath, &st)) != 0) || + st.st_mtime != selabel_last_changed) {
+ (st.st_mtime != selabel_last_changed)) { + cleanup_fscreatecon();
+ if (selabel_ctx != NULL) { +
+ selabel_close(selabel_ctx); + selabel_last_changed = i ? time(NULL) : st.st_mtime;
+ selabel_ctx = NULL;
+ }
+ selabel_last_changed = i ?
+ time(NULL) :
+ st.st_mtime;
+ } + }
+ } + }
+
+ if (selabel_ctx == NULL) { + if (selabel_ctx == NULL) {
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, + selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ NULL, 0);
+ } + }
+ if (selabel_ctx != NULL) { +
+ if (selabel_lookup(selabel_ctx, &configuredsc, + if (selabel_ctx != NULL &&
+ fullpath, mode) != 0) { + selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
+ goto fail;
+ }
+
+ if (genpath != NULL) {
+ free(genpath); + free(genpath);
+ if (previous != NULL) { + genpath = NULL;
+ freecon(previous);
+ } + }
+ return NULL; +
+ }
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+ if (configuredsc == NULL) { + if (configuredsc == NULL) {
+ if (previous != NULL) { + goto fail;
+ freecon(previous);
+ } + }
+ return NULL; +
+ }
+ currentsc = NULL;
+ getcon(&currentsc); + getcon(&currentsc);
+
+ /* AAAAAAAA */
+ if (currentsc != NULL) { + if (currentsc != NULL) {
+ derived = context_new(configuredsc); + derived = context_new(configuredsc);
+
+ if (derived != NULL) { + if (derived != NULL) {
+ current = context_new(currentsc); + current = context_new(currentsc);
+
+ if (current != NULL) { + if (current != NULL) {
+ currentuser = context_user_get(current); + currentuser = context_user_get(current);
+
+ if (currentuser != NULL) { + if (currentuser != NULL) {
+ if (context_user_set(derived, + if (context_user_set(derived,
+ currentuser) == 0) { + currentuser) == 0) {
+ derivedsc = context_str(derived); + derivedsc = context_str(derived);
+
+ if (derivedsc != NULL) { + if (derivedsc != NULL) {
+ freecon(configuredsc); + freecon(configuredsc);
+ configuredsc = strdup(derivedsc); + configuredsc = strdup(derivedsc);
+ } + }
+ } + }
+ } + }
+
+ context_free(current); + context_free(current);
+ } + }
+
+ context_free(derived); + context_free(derived);
+ } + }
+
+ freecon(currentsc); + freecon(currentsc);
+ } + }
+#ifdef DEBUG +
+ if (isatty(fileno(stderr))) { + debug_log("Setting file creation context to \"%s\".\n", configuredsc);
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+ if (setfscreatecon(configuredsc) != 0) { + if (setfscreatecon(configuredsc) != 0) {
+ debug_log("Unable to determine current context.\n");
+ goto fail;
+ }
+
+ freecon(configuredsc); + freecon(configuredsc);
+ return previous;
+
+fail:
+ if (previous != NULL) { + if (previous != NULL) {
+ freecon(previous); + freecon(previous);
+ } + }
+ return NULL; + if (genpath != NULL) {
+ free(genpath);
+ } + }
+ if (configuredsc != NULL) {
+ freecon(configuredsc); + freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ } + }
+#endif +
+ } + cleanup_fscreatecon();
+ } + return NULL;
+ return previous;
+} +}
+ +
+static void +static void
+pop_fscreatecon(security_context_t previous) +pop_fscreatecon(security_context_t previous)
+{ +{
+ if (is_selinux_enabled()) { + if (!is_selinux_enabled()) {
+#ifdef DEBUG + return;
+ if (isatty(fileno(stderr))) { + }
+
+ if (previous != NULL) { + if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation " + debug_log("Resetting file creation context to \"%s\".\n", previous);
+ "context to \"%s\".\n", previous);
+ } else { + } else {
+ fprintf(stderr, "Resetting file creation " + debug_log("Resetting file creation context to default.\n");
+ "context to default.\n");
+ } + }
+ } +
+#endif + /* NULL resets to default */
+ setfscreatecon(previous); + setfscreatecon(previous);
+
+ if (previous != NULL) { + if (previous != NULL) {
+ freecon(previous); + freecon(previous);
+ } + }
+ } +
+ /* Need to clean this up here otherwise it leaks */
+ cleanup_fscreatecon();
+} +}
+ +
+void * +void *
@ -941,11 +921,14 @@ index 0000000..ffba6a9
+{ +{
+ struct stat st; + struct stat st;
+ void *retval; + void *retval;
+
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
+
+ if (stat(pathname, &st) != 0) { + if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR; + st.st_mode = S_IRUSR | S_IWUSR;
+ } + }
+
+ retval = push_fscreatecon(pathname, st.st_mode); + retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1; + return retval ? retval : (void *) -1;
+} +}
@ -974,10 +957,13 @@ index 0000000..ffba6a9
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0); + ctx = push_fscreatecon(path, 0);
+
+ fp = fopen(path, mode); + fp = fopen(path, mode);
+ errno_save = errno; + errno_save = errno;
+
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save; + errno = errno_save;
+ return fp; + return fp;
+} +}
@ -992,10 +978,13 @@ index 0000000..ffba6a9
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0); + ctx = push_fscreatecon(path, 0);
+
+ fd = creat(path, mode); + fd = creat(path, mode);
+ errno_save = errno; + errno_save = errno;
+
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save; + errno = errno_save;
+ return fd; + return fd;
+} +}
@ -1010,10 +999,13 @@ index 0000000..ffba6a9
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode); + ctx = push_fscreatecon(path, mode);
+
+ ret = mknod(path, mode, dev); + ret = mknod(path, mode, dev);
+ errno_save = errno; + errno_save = errno;
+
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save; + errno = errno_save;
+ return ret; + return ret;
+} +}
@ -1028,10 +1020,13 @@ index 0000000..ffba6a9
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR); + ctx = push_fscreatecon(path, S_IFDIR);
+
+ ret = mkdir(path, mode); + ret = mkdir(path, mode);
+ errno_save = errno; + errno_save = errno;
+
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save; + errno = errno_save;
+ return ret; + return ret;
+} +}
@ -1059,13 +1054,15 @@ index 0000000..ffba6a9
+ va_end(ap); + va_end(ap);
+ +
+ errno_save = errno; + errno_save = errno;
+
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save; + errno = errno_save;
+ return fd; + return fd;
+} +}
+ +
+#endif +#endif /* USE_SELINUX */
-- --
2.9.3 2.9.3

4
krb5-1.3.1-dns.patch
View File

@ -1,4 +1,4 @@
From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001 From e84b0d40e31cdb98a9a87bd1c4925802d963a479 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400 Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch Subject: [PATCH] krb5-1.3.1-dns.patch
@ -9,7 +9,7 @@ We want to be able to use --with-netlib and --enable-dns at the same time.
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 311f099..ed343c5 100644 index 5b02b40..d49b7c1 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), @@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),

8
krb5-1.9-debuginfo.patch
View File

@ -1,4 +1,4 @@
From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001 From e2f0b0317c6a251c202500f409976dda3a6a82e7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400 Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch Subject: [PATCH] krb5-1.9-debuginfo.patch
@ -12,7 +12,7 @@ could mess up people working in the tree on other things.
2 files changed, 6 insertions(+), 1 deletion(-) 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index 789c597..7e7a148 100644 index adfea6e..d1327e4 100644
--- a/src/kadmin/cli/Makefile.in --- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix:: @@ -37,3 +37,8 @@ clean-unix::
@ -25,7 +25,7 @@ index 789c597..7e7a148 100644
+ $(YACC.y) $< + $(YACC.y) $<
+ $(CP) y.tab.c $@ + $(CP) y.tab.c $@
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
index b9ea339..060f500 100644 index 8669c24..a22f23c 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) @@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
@ -35,7 +35,7 @@ index b9ea339..060f500 100644
- $(MV) y.tab.c getdate.c - $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c + $(CP) y.tab.c getdate.c
install:: install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
-- --
2.9.3 2.9.3

34
krb5.spec
View File

@ -8,12 +8,12 @@
%global configure_default_ccache_name 1 %global configure_default_ccache_name 1
%global configured_default_ccache_name KEYRING:persistent:%%{uid} %global configured_default_ccache_name KEYRING:persistent:%%{uid}
%global prerelease %{nil} %global prerelease -beta1
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.14.4 Version: 1.15
Release: 6%{?dist} Release: 1%{?dist}.beta1.0
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -46,30 +46,16 @@ Source39: krb5-krb5kdc.conf
Source100: noport.c Source100: noport.c
Patch1: krb5-1.12.1-pam.patch Patch1: krb5-1.12.1-pam.patch
Patch2: krb5-1.13-selinux-label.patch Patch2: krb5-1.15-beta1-selinux-label.patch
Patch3: krb5-1.12-ksu-path.patch Patch3: krb5-1.12-ksu-path.patch
Patch4: krb5-1.12-ktany.patch Patch4: krb5-1.12-ktany.patch
Patch5: krb5-1.12-buildconf.patch Patch5: krb5-1.15-beta1-buildconf.patch
Patch6: krb5-1.3.1-dns.patch Patch6: krb5-1.3.1-dns.patch
Patch7: krb5-1.12-api.patch Patch7: krb5-1.12-api.patch
Patch8: krb5-1.13-dirsrv-accountlock.patch Patch8: krb5-1.13-dirsrv-accountlock.patch
Patch9: krb5-1.9-debuginfo.patch Patch9: krb5-1.9-debuginfo.patch
Patch10: krb5-1.11-run_user_0.patch Patch10: krb5-1.11-run_user_0.patch
Patch11: krb5-1.11-kpasswdtest.patch Patch11: krb5-1.11-kpasswdtest.patch
Patch12: Fix-impersonate_name-to-work-with-interposers.patch
Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
Patch17: Improve-bad-password-inference-in-kinit.patch
Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
Patch19: Add-krb5_db_register_keytab.patch
Patch20: Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
Patch21: Rename-prng_os.c-to-prng_device.c.patch
Patch22: Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
Patch23: Add-OS-prng-intended-for-use-with-getrandom.patch
Patch24: Properly-handle-EOF-condition-on-libkrad-sockets.patch
Patch25: krb5-1.14.4-openssl11.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -256,7 +242,7 @@ interface is not considered stable.
ln NOTICE LICENSE ln NOTICE LICENSE
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/ccapi/*.html
# Generate an FDS-compatible LDIF file. # Generate an FDS-compatible LDIF file.
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@ -271,7 +257,7 @@ touch -r $inldif 60kerberos.ldif
# Rebuild the configure scripts. # Rebuild the configure scripts.
pushd src pushd src
./util/reconf --verbose autoreconf -fiv
popd popd
# Mess with some of the default ports that we use for testing, so that multiple # Mess with some of the default ports that we use for testing, so that multiple
@ -684,7 +670,6 @@ exit 0
%files devel %files devel
%defattr(-,root,root,-) %defattr(-,root,root,-)
%docdir %{_mandir} %docdir %{_mandir}
%doc doc/krb5-protocol
%doc build-pdf/appdev.pdf build-pdf/plugindev.pdf %doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
%{_includedir}/* %{_includedir}/*
@ -724,6 +709,11 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1
- New upstream release
- Update selinux with RHEL hygene
- Resolves: #1314096
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6 * Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6
- rebuild with OpenSSL 1.1.0, added backported upstream patch - rebuild with OpenSSL 1.1.0, added backported upstream patch

6
sources
View File

@ -1,3 +1,3 @@
ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz fa2af49908afa204ab177fb997d8c17f krb5-1.15-beta1-pdfs.tar
1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc aeac2080eb2cb88d02ae1722e2681021 krb5-1.15-beta1.tar.gz
c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar dc8b927e0f6597767e222114540a6f3d krb5-1.15-beta1.tar.gz.asc