Upstream release 1.15-beta1
Also update selinux with RHEL hygiene. Resolves: #1314096
parent
895d0bdfea
commit
821dac42ed
3
.gitignore
vendored
3
.gitignore
vendored
@ -139,3 +139,6 @@ krb5-1.8.3-pdf.tar.gz
|
||||
/krb5-1.14.4.tar.gz
|
||||
/krb5-1.14.4.tar.gz.asc
|
||||
/krb5-1.14.4-pdfs.tar
|
||||
/krb5-1.15-beta1.tar.gz
|
||||
/krb5-1.15-beta1.tar.gz.asc
|
||||
/krb5-1.15-beta1-pdfs.tar
|
||||
|
@ -1,314 +0,0 @@
|
||||
From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 3 Mar 2016 18:53:31 +0100
|
||||
Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks
|
||||
|
||||
Add two new APIs, krb5_set_kdc_send_hook() and
|
||||
krb5_set_kdc_recv_hook(), which can be used to inspect and override
|
||||
messages sent to KDCs.
|
||||
|
||||
[ghudson@mit.edu: style and documentation changes]
|
||||
|
||||
ticket: 8386 (new)
|
||||
---
|
||||
doc/appdev/refs/api/index.rst | 2 +
|
||||
doc/appdev/refs/types/index.rst | 2 +
|
||||
src/include/k5-int.h | 6 +++
|
||||
src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++
|
||||
src/lib/krb5/libkrb5.exports | 2 +
|
||||
src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++-
|
||||
src/lib/krb5_32.def | 4 ++
|
||||
7 files changed, 174 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
|
||||
index 8df351d..e97cbca 100644
|
||||
--- a/doc/appdev/refs/api/index.rst
|
||||
+++ b/doc/appdev/refs/api/index.rst
|
||||
@@ -268,6 +268,8 @@ Rarely used public interfaces
|
||||
krb5_server_decrypt_ticket_keytab.rst
|
||||
krb5_set_default_tgs_enctypes.rst
|
||||
krb5_set_error_message.rst
|
||||
+ krb5_set_kdc_recv_hook.rst
|
||||
+ krb5_set_kdc_send_hook.rst
|
||||
krb5_set_real_time.rst
|
||||
krb5_string_to_cksumtype.rst
|
||||
krb5_string_to_deltat.rst
|
||||
diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
|
||||
index 51c4093..dc414cf 100644
|
||||
--- a/doc/appdev/refs/types/index.rst
|
||||
+++ b/doc/appdev/refs/types/index.rst
|
||||
@@ -57,6 +57,8 @@ Public
|
||||
krb5_pa_svr_referral_data.rst
|
||||
krb5_pa_data.rst
|
||||
krb5_pointer.rst
|
||||
+ krb5_post_recv_fn.rst
|
||||
+ krb5_pre_send_fn.rst
|
||||
krb5_preauthtype.rst
|
||||
krb5_principal.rst
|
||||
krb5_principal_data.rst
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 6b7b2e3..045abfc 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -1238,6 +1238,12 @@ struct _krb5_context {
|
||||
krb5_trace_callback trace_callback;
|
||||
void *trace_callback_data;
|
||||
|
||||
+ krb5_pre_send_fn kdc_send_hook;
|
||||
+ void *kdc_send_hook_data;
|
||||
+
|
||||
+ krb5_post_recv_fn kdc_recv_hook;
|
||||
+ void *kdc_recv_hook_data;
|
||||
+
|
||||
struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
|
||||
char *plugin_base_dir;
|
||||
};
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index c93a0f2..2b0d59e 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_set_trace_filename(krb5_context context, const char *filename);
|
||||
|
||||
+
|
||||
+/**
|
||||
+ * Hook function for inspecting or modifying messages sent to KDCs.
|
||||
+ *
|
||||
+ * If the hook function returns an error code, the KDC communication will be
|
||||
+ * aborted and the error code will be returned to the library operation which
|
||||
+ * initiated the communication.
|
||||
+ *
|
||||
+ * If the hook function sets @a reply_out, @a message will not be sent to the
|
||||
+ * KDC, and the given reply will used instead.
|
||||
+ *
|
||||
+ * If the hook function sets @a new_message_out, the given message will be sent
|
||||
+ * to the KDC in place of @a message.
|
||||
+ *
|
||||
+ * If the hook function returns successfully without setting either output,
|
||||
+ * @a message will be sent to the KDC normally.
|
||||
+ *
|
||||
+ * The hook function should use krb5_copy_data() to construct the value for
|
||||
+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly
|
||||
+ * by the library.
|
||||
+ *
|
||||
+ * @param [in] context Library context
|
||||
+ * @param [in] data Callback data
|
||||
+ * @param [in] realm The realm the message will be sent to
|
||||
+ * @param [in] message The original message to be sent to the KDC
|
||||
+ * @param [out] new_message_out Optional replacement message to be sent
|
||||
+ * @param [out] reply_out Optional synthetic reply
|
||||
+ *
|
||||
+ * @retval 0 Success
|
||||
+ * @return A Kerberos error code
|
||||
+ */
|
||||
+typedef krb5_error_code
|
||||
+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,
|
||||
+ const krb5_data *realm,
|
||||
+ const krb5_data *message,
|
||||
+ krb5_data **new_message_out,
|
||||
+ krb5_data **new_reply_out);
|
||||
+
|
||||
+/**
|
||||
+ * Hook function for inspecting or overriding KDC replies.
|
||||
+ *
|
||||
+ * If @a code is zero, @a reply contains the reply received from the KDC. The
|
||||
+ * hook function may return an error code to simulate an error, may synthesize
|
||||
+ * a different reply by setting @a new_reply_out, or may simply return
|
||||
+ * successfully to do nothing.
|
||||
+ *
|
||||
+ * If @a code is non-zero, KDC communication failed and @a reply should be
|
||||
+ * ignored. The hook function may return @a code or a different error code, or
|
||||
+ * may synthesize a reply by setting @a new_reply_out and return successfully.
|
||||
+ *
|
||||
+ * The hook function should use krb5_copy_data() to construct the value for
|
||||
+ * @a new_reply_out, to ensure that it can be freed correctly by the library.
|
||||
+ *
|
||||
+ * @param [in] context Library context
|
||||
+ * @param [in] data Callback data
|
||||
+ * @param [in] code Status of KDC communication
|
||||
+ * @param [in] realm The realm the reply was received from
|
||||
+ * @param [in] message The message sent to the realm's KDC
|
||||
+ * @param [in] reply The reply received from the KDC
|
||||
+ * @param [out] new_reply_out Optional replacement reply
|
||||
+ *
|
||||
+ * @retval 0 Success
|
||||
+ * @return A Kerberos error code
|
||||
+ */
|
||||
+typedef krb5_error_code
|
||||
+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,
|
||||
+ krb5_error_code code,
|
||||
+ const krb5_data *realm,
|
||||
+ const krb5_data *message,
|
||||
+ const krb5_data *reply,
|
||||
+ krb5_data **new_reply_out);
|
||||
+
|
||||
+/**
|
||||
+ * Set a KDC pre-send hook function.
|
||||
+ *
|
||||
+ * @a send_hook will be called before messages are sent to KDCs by library
|
||||
+ * functions such as krb5_get_credentials(). The hook function may inspect,
|
||||
+ * override, or synthesize its own reply to the message.
|
||||
+ *
|
||||
+ * @param [in] context Library context
|
||||
+ * @param [in] send_hook Hook function (or NULL to disable the hook)
|
||||
+ * @param [in] data Callback data to be passed to @a send_hook
|
||||
+ */
|
||||
+void KRB5_CALLCONV
|
||||
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
|
||||
+ void *data);
|
||||
+
|
||||
+/**
|
||||
+ * Set a KDC post-receive hook function.
|
||||
+ *
|
||||
+ * @a recv_hook will be called after a reply is received from a KDC during a
|
||||
+ * call to a library function such as krb5_get_credentials(). The hook
|
||||
+ * function may inspect or override the reply. This hook will not be executed
|
||||
+ * if the pre-send hook returns a synthetic reply.
|
||||
+ *
|
||||
+ * @param [in] context The library context.
|
||||
+ * @param [in] recv_hook Hook function (or NULL to disable the hook)
|
||||
+ * @param [in] data Callback data to be passed to @a recv_hook
|
||||
+ */
|
||||
+void KRB5_CALLCONV
|
||||
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
|
||||
+ void *data);
|
||||
+
|
||||
+
|
||||
#if TARGET_OS_MAC
|
||||
# pragma pack(pop)
|
||||
#endif
|
||||
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
|
||||
index c623409..ea6982d 100644
|
||||
--- a/src/lib/krb5/libkrb5.exports
|
||||
+++ b/src/lib/krb5/libkrb5.exports
|
||||
@@ -581,6 +581,8 @@ krb5_set_password
|
||||
krb5_set_password_using_ccache
|
||||
krb5_set_principal_realm
|
||||
krb5_set_real_time
|
||||
+krb5_set_kdc_send_hook
|
||||
+krb5_set_kdc_recv_hook
|
||||
krb5_set_time_offsets
|
||||
krb5_set_trace_callback
|
||||
krb5_set_trace_filename
|
||||
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||
index 6231de2..be00b8f 100644
|
||||
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+void
|
||||
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
|
||||
+ void *data)
|
||||
+{
|
||||
+ context->kdc_send_hook = send_hook;
|
||||
+ context->kdc_send_hook_data = data;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
|
||||
+ void *data)
|
||||
+{
|
||||
+ context->kdc_recv_hook = recv_hook;
|
||||
+ context->kdc_recv_hook_data = data;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* send the formatted request 'message' to a KDC for realm 'realm' and
|
||||
* return the response (if any) in 'reply'.
|
||||
@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
|
||||
|
||||
krb5_error_code
|
||||
krb5_sendto_kdc(krb5_context context, const krb5_data *message,
|
||||
- const krb5_data *realm, krb5_data *reply, int *use_master,
|
||||
+ const krb5_data *realm, krb5_data *reply_out, int *use_master,
|
||||
int no_udp)
|
||||
{
|
||||
krb5_error_code retval, err;
|
||||
struct serverlist servers;
|
||||
int server_used;
|
||||
k5_transport_strategy strategy;
|
||||
+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL;
|
||||
+
|
||||
+ *reply_out = empty_data();
|
||||
|
||||
/*
|
||||
* find KDC location(s) for realm
|
||||
@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
+ if (context->kdc_send_hook != NULL) {
|
||||
+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data,
|
||||
+ realm, message, &hook_message,
|
||||
+ &hook_reply);
|
||||
+ if (retval)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ if (hook_reply != NULL) {
|
||||
+ *reply_out = *hook_reply;
|
||||
+ free(hook_reply);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ if (hook_message != NULL)
|
||||
+ message = hook_message;
|
||||
+ }
|
||||
+
|
||||
err = 0;
|
||||
retval = k5_sendto(context, message, realm, &servers, strategy, NULL,
|
||||
- reply, NULL, NULL, &server_used,
|
||||
+ &reply, NULL, NULL, &server_used,
|
||||
check_for_svc_unavailable, &err);
|
||||
if (retval == KRB5_KDC_UNREACH) {
|
||||
if (err == KDC_ERR_SVC_UNAVAILABLE) {
|
||||
@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
|
||||
realm->length, realm->data);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (context->kdc_recv_hook != NULL) {
|
||||
+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,
|
||||
+ retval, realm, message, &reply,
|
||||
+ &hook_reply);
|
||||
+ }
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
|
||||
+ if (hook_reply != NULL) {
|
||||
+ *reply_out = *hook_reply;
|
||||
+ free(hook_reply);
|
||||
+ } else {
|
||||
+ *reply_out = reply;
|
||||
+ reply = empty_data();
|
||||
+ }
|
||||
+
|
||||
/* Set use_master to 1 if we ended up talking to a master when we didn't
|
||||
* explicitly request to. */
|
||||
if (*use_master == 0) {
|
||||
@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
|
||||
}
|
||||
|
||||
cleanup:
|
||||
+ krb5_free_data(context, hook_message);
|
||||
+ krb5_free_data_contents(context, &reply);
|
||||
k5_free_serverlist(&servers);
|
||||
return retval;
|
||||
}
|
||||
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
|
||||
index 3734e9b..8d58ea1 100644
|
||||
--- a/src/lib/krb5_32.def
|
||||
+++ b/src/lib/krb5_32.def
|
||||
@@ -463,3 +463,7 @@ EXPORTS
|
||||
krb5_vwrap_error_message @430
|
||||
krb5_c_prfplus @431
|
||||
krb5_c_derive_prfplus @432
|
||||
+
|
||||
+; new in 1.15
|
||||
+ krb5_set_kdc_send_hook @433
|
||||
+ krb5_set_kdc_recv_hook @434
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,100 +0,0 @@
|
||||
From 5d38da6d4eb29bf87e98a5cb4577b870dbf405ed Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 14 Sep 2016 16:12:57 -0400
|
||||
Subject: [PATCH] Add OS prng intended for use with getrandom()
|
||||
|
||||
Add the prng_os.c module, using the name previously occupied by what
|
||||
is now prng_device.c. Unlike prng_device.c, this PRNG module
|
||||
maintains no file descriptor and just uses k5_os_random(), which is
|
||||
most efficient on platforms which have a getrandom() system call.
|
||||
|
||||
[ghudson@mit.edu: expanded on commit message]
|
||||
|
||||
ticket: 8499
|
||||
(cherry picked from commit 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa)
|
||||
---
|
||||
src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 72 insertions(+)
|
||||
create mode 100644 src/lib/crypto/krb/prng_os.c
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
|
||||
new file mode 100644
|
||||
index 0000000..8ea13e7
|
||||
--- /dev/null
|
||||
+++ b/src/lib/crypto/krb/prng_os.c
|
||||
@@ -0,0 +1,72 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* lib/crypto/krb/prng_os.c - OS PRNG implementation */
|
||||
+/*
|
||||
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in
|
||||
+ * the documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This file implements a PRNG module which relies on the system's PRNG. An
|
||||
+ * OS packager can select this module given sufficient confidence in the
|
||||
+ * operating system's native PRNG quality.
|
||||
+ */
|
||||
+
|
||||
+#include "crypto_int.h"
|
||||
+
|
||||
+int
|
||||
+k5_prng_init(void)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+k5_prng_cleanup(void)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
|
||||
+ const krb5_data *indata)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
|
||||
+{
|
||||
+ krb5_boolean res;
|
||||
+
|
||||
+ res = k5_get_os_entropy((uint8_t *)outdata->data, outdata->length, 0);
|
||||
+ return res ? 0 : KRB5_CRYPTO_INTERNAL;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,62 +0,0 @@
|
||||
From 3a8bf57bd3008b2f5338bbd8ba1db5e9e2622c92 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 14 Sep 2016 16:10:34 -0400
|
||||
Subject: [PATCH] Add getrandom to k5_get_os_entropy() using syscall
|
||||
|
||||
ticket: 8499
|
||||
(cherry picked from commit a9a48392c088b53d8dd86b8008b4059ab78a3679)
|
||||
---
|
||||
src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index 9ad24c1..22948a4 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -58,6 +58,9 @@ k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
#include <sys/stat.h>
|
||||
#endif
|
||||
+#ifdef __linux__
|
||||
+#include <sys/syscall.h>
|
||||
+#endif /* __linux__ */
|
||||
|
||||
/* Open device, ensure that it is not a regular file, and read entropy. Return
|
||||
* true on success, false on failure. */
|
||||
@@ -96,6 +99,33 @@ krb5_boolean
|
||||
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
const char *device;
|
||||
+#if defined(__linux__) && defined(SYS_getrandom)
|
||||
+ int r;
|
||||
+
|
||||
+ while (len > 0) {
|
||||
+ /*
|
||||
+ * Pull from the /dev/urandom pool, but it to have been seeded. This
|
||||
+ * ensures strong randomness while only blocking during first system
|
||||
+ * boot.
|
||||
+ *
|
||||
+ * glibc does not currently provide a binding for getrandom:
|
||||
+ * https://sourceware.org/bugzilla/show_bug.cgi?id=17252
|
||||
+ */
|
||||
+ errno = 0;
|
||||
+ r = syscall(SYS_getrandom, buf, len, 0);
|
||||
+ if (r <= 0) {
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+
|
||||
+ /* ENOSYS or other unrecoverable failure */
|
||||
+ break;
|
||||
+ }
|
||||
+ len -= r;
|
||||
+ buf += r;
|
||||
+ }
|
||||
+ if (len == 0)
|
||||
+ return TRUE;
|
||||
+#endif /* defined(__linux__) && defined(SYS_getrandom) */
|
||||
|
||||
device = strong ? "/dev/random" : "/dev/urandom";
|
||||
return read_entropy_from_device(device, buf, len);
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,69 +0,0 @@
|
||||
From 4514bc6f0b32471d1a9081ee3677d41eb373d3ff Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed, 7 Sep 2016 18:33:43 +0200
|
||||
Subject: [PATCH] Add krb5_db_register_keytab()
|
||||
|
||||
Add a public libkdb5 function to register the KDB keytab type. This
|
||||
functionality is needed for out-of-tree KDC servers such as the Samba
|
||||
kpasswd service.
|
||||
|
||||
[ghudson@mit.edu: edited comments, whitespace, commit message]
|
||||
|
||||
ticket: 8494 (new)
|
||||
(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7)
|
||||
---
|
||||
src/include/kdb.h | 7 +++++++
|
||||
src/lib/kdb/keytab.c | 6 ++++++
|
||||
src/lib/kdb/libkdb5.exports | 1 +
|
||||
3 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
||||
index 9d3bf9d..048327c 100644
|
||||
--- a/src/include/kdb.h
|
||||
+++ b/src/include/kdb.h
|
||||
@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
|
||||
void
|
||||
krb5_dbe_free_string(krb5_context, char *);
|
||||
|
||||
+/*
|
||||
+ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
|
||||
+ * For this type to work, the context used for keytab operations must have an
|
||||
+ * associated database handle (via krb5_db_open()).
|
||||
+ */
|
||||
+krb5_error_code krb5_db_register_keytab(krb5_context context);
|
||||
+
|
||||
#define KRB5_KDB_DEF_FLAGS 0
|
||||
|
||||
#define KDB_MAX_DB_NAME 128
|
||||
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
|
||||
index b85b67d..c6aa100 100644
|
||||
--- a/src/lib/kdb/keytab.c
|
||||
+++ b/src/lib/kdb/keytab.c
|
||||
@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data {
|
||||
} krb5_ktkdb_data;
|
||||
|
||||
krb5_error_code
|
||||
+krb5_db_register_keytab(krb5_context context)
|
||||
+{
|
||||
+ return krb5_kt_register(context, &krb5_kt_kdb_ops);
|
||||
+}
|
||||
+
|
||||
+krb5_error_code
|
||||
krb5_ktkdb_resolve(context, name, id)
|
||||
krb5_context context;
|
||||
const char * name;
|
||||
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
|
||||
index cb4c3df..e5d1045 100644
|
||||
--- a/src/lib/kdb/libkdb5.exports
|
||||
+++ b/src/lib/kdb/libkdb5.exports
|
||||
@@ -85,6 +85,7 @@ krb5_db_delete_policy
|
||||
krb5_db_free_policy
|
||||
krb5_def_store_mkey_list
|
||||
krb5_db_promote
|
||||
+krb5_db_register_keytab
|
||||
ulog_add_update
|
||||
ulog_init_header
|
||||
ulog_map
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,367 +0,0 @@
|
||||
From db601cd51030a1e48f38078dd706e95db069ead7 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 7 Mar 2016 17:59:07 +0100
|
||||
Subject: [PATCH] Add tests for send and receive sendto_kdc hooks
|
||||
|
||||
[ghudson@mit.edu: style changes]
|
||||
|
||||
ticket: 8386
|
||||
|
||||
Conflicts:
|
||||
src/tests/Makefile.in
|
||||
[rharwood@redhat.com: fix cherry-pick merge conflicts]
|
||||
[rharwood@redhat.com: delete .gitignore]
|
||||
---
|
||||
src/tests/Makefile.in | 12 ++-
|
||||
src/tests/deps | 10 ++
|
||||
src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
src/tests/t_hooks.py | 9 ++
|
||||
4 files changed, 280 insertions(+), 4 deletions(-)
|
||||
create mode 100644 src/tests/hooks.c
|
||||
create mode 100755 src/tests/t_hooks.py
|
||||
|
||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||
index b24e197..0fc0ea9 100644
|
||||
--- a/src/tests/Makefile.in
|
||||
+++ b/src/tests/Makefile.in
|
||||
@@ -6,9 +6,9 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
|
||||
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
|
||||
LC_ALL=C $(VALGRIND)
|
||||
|
||||
-OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o kdbtest.o plugorder.o \
|
||||
+OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o kdbtest.o plugorder.o \
|
||||
t_init_creds.o t_localauth.o rdreq.o responder.o s2p.o s4u2proxy.o
|
||||
-EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c kdbtest.c plugorder.c \
|
||||
+EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c kdbtest.c plugorder.c \
|
||||
t_init_creds.c t_localauth.c rdreq.o responder.c s2p.c s4u2proxy.c
|
||||
|
||||
TEST_DB = ./testdb
|
||||
@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS)
|
||||
hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
|
||||
$(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
|
||||
|
||||
+hooks: hooks.o $(KRB5_BASE_DEPLIBS)
|
||||
+ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS)
|
||||
+
|
||||
hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
|
||||
$(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
|
||||
|
||||
@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf
|
||||
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
|
||||
$(RM) $(TEST_DB)* stash_file
|
||||
|
||||
-check-pytests:: adata etinfo gcred hist hrealm kdbtest plugorder rdreq
|
||||
+check-pytests:: adata etinfo gcred hist hooks hrealm kdbtest plugorder rdreq
|
||||
check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
|
||||
$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
|
||||
@@ -159,7 +163,7 @@ check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
|
||||
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
|
||||
|
||||
clean::
|
||||
- $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p
|
||||
+ $(RM) gcred hist hooks hrealm kdbtest plugorder rdreq responder s2p
|
||||
$(RM) adata etinfo gcred hist hrealm kdbtest plugorder rdreq responder
|
||||
$(RM) s2p s4u2proxy t_init_creds t_localauth krb5.conf kdc.conf
|
||||
$(RM) -rf kdc_realm/sandbox ldap
|
||||
diff --git a/src/tests/deps b/src/tests/deps
|
||||
index de33c55..3634dc4 100644
|
||||
--- a/src/tests/deps
|
||||
+++ b/src/tests/deps
|
||||
@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
||||
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
||||
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
||||
hist.c
|
||||
+$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
||||
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
||||
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
|
||||
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
||||
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
||||
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
||||
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
||||
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
||||
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
||||
+ $(top_srcdir)/include/socket-utils.h hooks.c
|
||||
$(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
||||
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
||||
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
|
||||
diff --git a/src/tests/hooks.c b/src/tests/hooks.c
|
||||
new file mode 100644
|
||||
index 0000000..fabdb89
|
||||
--- /dev/null
|
||||
+++ b/src/tests/hooks.c
|
||||
@@ -0,0 +1,253 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* tests/hooks.c - test harness for KDC send and recv hooks */
|
||||
+/*
|
||||
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in
|
||||
+ * the documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "k5-int.h"
|
||||
+
|
||||
+static krb5_context ctx;
|
||||
+
|
||||
+static void
|
||||
+check_code(krb5_error_code code, const char *file, int line)
|
||||
+{
|
||||
+ const char *errmsg;
|
||||
+
|
||||
+ if (code) {
|
||||
+ errmsg = krb5_get_error_message(ctx, code);
|
||||
+ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg,
|
||||
+ (int)code);
|
||||
+ krb5_free_error_message(ctx, errmsg);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+#define check(code) check_code((code), __FILE__, __LINE__)
|
||||
+
|
||||
+/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */
|
||||
+static krb5_error_code
|
||||
+test_send_as_req(krb5_context context, void *data, const krb5_data *realm,
|
||||
+ const krb5_data *message, krb5_data **new_message_out,
|
||||
+ krb5_data **reply_out)
|
||||
+{
|
||||
+ krb5_kdc_req *as_req;
|
||||
+ int cmp;
|
||||
+
|
||||
+ assert(krb5_is_as_req(message));
|
||||
+ check(decode_krb5_as_req(message, &as_req));
|
||||
+
|
||||
+ assert(as_req->msg_type == KRB5_AS_REQ);
|
||||
+ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE);
|
||||
+ assert(as_req->client->realm.length == realm->length);
|
||||
+ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length);
|
||||
+ assert(cmp == 0);
|
||||
+
|
||||
+ /* Remove the canonicalize flag and create a new message. */
|
||||
+ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE;
|
||||
+ check(encode_krb5_as_req(as_req, new_message_out));
|
||||
+
|
||||
+ krb5_free_kdc_req(context, as_req);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */
|
||||
+static krb5_error_code
|
||||
+test_recv_as_rep(krb5_context context, void *data, krb5_error_code code,
|
||||
+ const krb5_data *realm, const krb5_data *message,
|
||||
+ const krb5_data *reply, krb5_data **new_reply)
|
||||
+{
|
||||
+ krb5_kdc_rep *as_rep;
|
||||
+
|
||||
+ assert(code == 0);
|
||||
+ assert(krb5_is_as_rep(reply));
|
||||
+ check(decode_krb5_as_rep(reply, &as_rep));
|
||||
+
|
||||
+ assert(as_rep->msg_type == KRB5_AS_REP);
|
||||
+ assert(as_rep->ticket->enc_part.kvno == 1);
|
||||
+ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype));
|
||||
+
|
||||
+ krb5_free_kdc_rep(context, as_rep);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Create a fake error reply. */
|
||||
+static krb5_error_code
|
||||
+test_send_error(krb5_context context, void *data, const krb5_data *realm,
|
||||
+ const krb5_data *message, krb5_data **new_message_out,
|
||||
+ krb5_data **reply_out)
|
||||
+{
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_error err;
|
||||
+ krb5_principal client, server;
|
||||
+ char *realm_str, *princ_str;
|
||||
+ int r;
|
||||
+
|
||||
+ realm_str = k5memdup0(realm->data, realm->length, &ret);
|
||||
+ check(ret);
|
||||
+
|
||||
+ r = asprintf(&princ_str, "invalid@%s", realm_str);
|
||||
+ assert(r > 0);
|
||||
+ check(krb5_parse_name(ctx, princ_str, &client));
|
||||
+ free(princ_str);
|
||||
+
|
||||
+ r = asprintf(&princ_str, "krbtgt@%s", realm_str);
|
||||
+ assert(r > 0);
|
||||
+ check(krb5_parse_name(ctx, princ_str, &server));
|
||||
+ free(princ_str);
|
||||
+ free(realm_str);
|
||||
+
|
||||
+ err.magic = KV5M_ERROR;
|
||||
+ err.ctime = 1971196337;
|
||||
+ err.cusec = 0;
|
||||
+ err.susec = 97008;
|
||||
+ err.stime = 1458219390;
|
||||
+ err.error = 6;
|
||||
+ err.client = client;
|
||||
+ err.server = server;
|
||||
+ err.text = string2data("CLIENT_NOT_FOUND");
|
||||
+ err.e_data = empty_data();
|
||||
+ check(encode_krb5_error(&err, reply_out));
|
||||
+
|
||||
+ krb5_free_principal(ctx, client);
|
||||
+ krb5_free_principal(ctx, server);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+test_recv_error(krb5_context context, void *data, krb5_error_code code,
|
||||
+ const krb5_data *realm, const krb5_data *message,
|
||||
+ const krb5_data *reply, krb5_data **new_reply)
|
||||
+{
|
||||
+ /* The send hook created a reply, so this hook should not be executed. */
|
||||
+ abort();
|
||||
+}
|
||||
+
|
||||
+/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */
|
||||
+static krb5_error_code
|
||||
+test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code,
|
||||
+ const krb5_data *realm, const krb5_data *message,
|
||||
+ const krb5_data *reply, krb5_data **new_reply)
|
||||
+{
|
||||
+ krb5_kdc_rep *as_rep;
|
||||
+
|
||||
+ assert(code == 0);
|
||||
+ assert(krb5_is_as_rep(reply));
|
||||
+ check(decode_krb5_as_rep(reply, &as_rep));
|
||||
+
|
||||
+ as_rep->msg_type = KRB5_TGS_REP;
|
||||
+ check(encode_krb5_as_rep(as_rep, new_reply));
|
||||
+
|
||||
+ krb5_free_kdc_rep(context, as_rep);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Return an error given by the callback data argument. */
|
||||
+static krb5_error_code
|
||||
+test_send_return_value(krb5_context context, void *data,
|
||||
+ const krb5_data *realm, const krb5_data *message,
|
||||
+ krb5_data **new_message_out, krb5_data **reply_out)
|
||||
+{
|
||||
+ assert(data != NULL);
|
||||
+ return *(krb5_error_code *)data;
|
||||
+}
|
||||
+
|
||||
+/* Return an error given by the callback argument. */
|
||||
+static krb5_error_code
|
||||
+test_recv_return_value(krb5_context context, void *data, krb5_error_code code,
|
||||
+ const krb5_data *realm, const krb5_data *message,
|
||||
+ const krb5_data *reply, krb5_data **new_reply)
|
||||
+{
|
||||
+ assert(data != NULL);
|
||||
+ return *(krb5_error_code *)data;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ const char *principal, *password;
|
||||
+ krb5_principal client;
|
||||
+ krb5_get_init_creds_opt *opts;
|
||||
+ krb5_creds creds;
|
||||
+ krb5_error_code ret, test_return_code;
|
||||
+
|
||||
+ if (argc != 3) {
|
||||
+ fprintf(stderr, "Usage: %s princname password\n", argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ principal = argv[1];
|
||||
+ password = argv[2];
|
||||
+
|
||||
+ check(krb5_init_context(&ctx));
|
||||
+ check(krb5_parse_name(ctx, principal, &client));
|
||||
+
|
||||
+ /* Use a send hook to modify an outgoing AS-REQ. The library will detect
|
||||
+ * the modification in the reply. */
|
||||
+ check(krb5_get_init_creds_opt_alloc(ctx, &opts));
|
||||
+ krb5_get_init_creds_opt_set_canonicalize(opts, 1);
|
||||
+ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL);
|
||||
+ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL);
|
||||
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
|
||||
+ NULL, 0, NULL, opts);
|
||||
+ assert(ret == KRB5_KDCREP_MODIFIED);
|
||||
+ krb5_get_init_creds_opt_free(ctx, opts);
|
||||
+
|
||||
+ /* Use a send hook to synthesize a KRB-ERROR reply. */
|
||||
+ krb5_set_kdc_send_hook(ctx, test_send_error, NULL);
|
||||
+ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL);
|
||||
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
|
||||
+ NULL, 0, NULL, NULL);
|
||||
+ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
|
||||
+
|
||||
+ /* Use a recv hook to modify a KDC reply. */
|
||||
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
|
||||
+ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL);
|
||||
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
|
||||
+ NULL, 0, NULL, NULL);
|
||||
+ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE);
|
||||
+
|
||||
+ /* Verify that the user data pointer works in the send hook. */
|
||||
+ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
+ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code);
|
||||
+ krb5_set_kdc_recv_hook(ctx, NULL, NULL);
|
||||
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
|
||||
+ NULL, 0, NULL, NULL);
|
||||
+ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED);
|
||||
+
|
||||
+ /* Verify that the user data pointer works in the recv hook. */
|
||||
+ test_return_code = KRB5KDC_ERR_NULL_KEY;
|
||||
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
|
||||
+ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code);
|
||||
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
|
||||
+ NULL, 0, NULL, NULL);
|
||||
+ assert(ret == KRB5KDC_ERR_NULL_KEY);
|
||||
+
|
||||
+ krb5_free_principal(ctx, client);
|
||||
+ krb5_free_context(ctx);
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py
|
||||
new file mode 100755
|
||||
index 0000000..58dff3a
|
||||
--- /dev/null
|
||||
+++ b/src/tests/t_hooks.py
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/usr/bin/python
|
||||
+from k5test import *
|
||||
+
|
||||
+# Test that KDC send and recv hooks work correctly.
|
||||
+realm = K5Realm(create_host=False, get_creds=False)
|
||||
+realm.run(['./hooks', realm.user_princ, password('user')])
|
||||
+realm.stop()
|
||||
+
|
||||
+success('send and recv hook tests')
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,68 +0,0 @@
|
||||
From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 8 Aug 2016 18:03:55 +0200
|
||||
Subject: [PATCH] Change KDC error for encrypted timestamp preauth
|
||||
|
||||
When encrypted timestamp pre-authentication fails, respond with error
|
||||
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
|
||||
consistency with other Kerberos implementations.
|
||||
|
||||
[ghudson@mit.edu: clarified commit message and comment]
|
||||
|
||||
ticket: 8471 (new)
|
||||
(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
|
||||
---
|
||||
src/kdc/kdc_preauth_encts.c | 16 ++++------------
|
||||
1 file changed, 4 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
|
||||
index 65f7c36..e80dc12 100644
|
||||
--- a/src/kdc/kdc_preauth_encts.c
|
||||
+++ b/src/kdc/kdc_preauth_encts.c
|
||||
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
||||
krb5_key_data * client_key;
|
||||
krb5_int32 start;
|
||||
krb5_timestamp timenow;
|
||||
- krb5_error_code decrypt_err = 0;
|
||||
|
||||
scratch.data = (char *)pa->contents;
|
||||
scratch.length = pa->length;
|
||||
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
||||
goto cleanup;
|
||||
|
||||
start = 0;
|
||||
- decrypt_err = 0;
|
||||
while (1) {
|
||||
if ((retval = krb5_dbe_search_enctype(context, rock->client,
|
||||
&start, enc_data->enctype,
|
||||
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
||||
krb5_free_keyblock_contents(context, &key);
|
||||
if (retval == 0)
|
||||
break;
|
||||
- else
|
||||
- decrypt_err = retval;
|
||||
}
|
||||
|
||||
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
|
||||
@@ -119,14 +115,10 @@ cleanup:
|
||||
krb5_free_data_contents(context, &enc_ts_data);
|
||||
if (pa_enc)
|
||||
free(pa_enc);
|
||||
- /*
|
||||
- * If we get NO_MATCHING_KEY and decryption previously failed, and
|
||||
- * we failed to find any other keys of the correct enctype after
|
||||
- * that failed decryption, it probably means that the password was
|
||||
- * incorrect.
|
||||
- */
|
||||
- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
|
||||
- retval = decrypt_err;
|
||||
+ /* If we get NO_MATCHING_KEY, it probably means that the password was
|
||||
+ * incorrect. */
|
||||
+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
|
||||
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
|
||||
(*respond)(arg, retval, NULL, NULL, NULL);
|
||||
}
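Review bot: The rewritten check under `cleanup:` turns every `KRB5_KDB_NO_MATCHING_KEY` into `KRB5KDC_ERR_PREAUTH_FAILED`, whereas the removed code remapped it only after a decryption attempt had actually failed (`decrypt_err != 0`). As far as the hunks show, a client entry with no key of the requested enctype now reports the same error as a wrong password, so the returned code no longer separates a provisioning gap from a failed guess. The comment should state this, e.g. `/* NO_MATCHING_KEY means no key of this enctype decrypted the timestamp, including the case where none exists; report both as a preauth failure. */`. enc_ts_verify begins above this hunk, so the key-search loop is only partly visible.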
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,65 +0,0 @@
|
||||
From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:58:44 -0400
|
||||
Subject: [PATCH] Create KDC and kadmind log files with mode 0640
|
||||
|
||||
In krb5_klog_init(), use open() and fdopen() to open log files so that
|
||||
we can specify a mode. Specify a mode which doesn't include the
|
||||
group-write, other-read, or other-write bits even if the process umask
|
||||
allows them.
|
||||
|
||||
[ghudson@mit.edu: wrote commit message, de-indented post-open setup
|
||||
code]
|
||||
[rharwood@redhat.com: backport not clean due to SELinux patching]
|
||||
|
||||
ticket: 8344 (new)
|
||||
---
|
||||
src/lib/kadm5/logger.c | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||
index 64f9641..0517efe 100644
|
||||
--- a/src/lib/kadm5/logger.c
|
||||
+++ b/src/lib/kadm5/logger.c
|
||||
@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||
const char *logging_profent[3];
|
||||
const char *logging_defent[3];
|
||||
char **logging_specs;
|
||||
- int i, ngood;
|
||||
+ int i, ngood, fd, append;
|
||||
char *cp, *cp2;
|
||||
char savec = '\0';
|
||||
int error;
|
||||
@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||
/*
|
||||
* Check for append/overwrite, then open the file.
|
||||
*/
|
||||
- if (cp[4] == ':' || cp[4] == '=') {
|
||||
- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
|
||||
- if (f) {
|
||||
- set_cloexec_file(f);
|
||||
- log_control.log_entries[i].lfu_filep = f;
|
||||
- log_control.log_entries[i].log_type = K_LOG_FILE;
|
||||
- log_control.log_entries[i].lfu_fname = &cp[5];
|
||||
- } else {
|
||||
+ append = (cp[4] == ':') ? O_APPEND : 0;
|
||||
+ if (append || cp[4] == '=') {
|
||||
+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
|
||||
+ S_IRUSR | S_IWUSR | S_IRGRP);
|
||||
+ if (fd != -1)
|
||||
+ f = fdopen(fd, append ? "a" : "w");
|
||||
+ if (fd == -1 || f == NULL) {
|
||||
fprintf(stderr,"Couldn't open log file %s: %s\n",
|
||||
&cp[5], error_message(errno));
|
||||
continue;
|
||||
}
|
||||
+ set_cloexec_file(f);
|
||||
+ log_control.log_entries[i].lfu_filep = f;
|
||||
+ log_control.log_entries[i].log_type = K_LOG_FILE;
|
||||
+ log_control.log_entries[i].lfu_fname = &cp[5];
|
||||
}
|
||||
}
|
||||
#ifdef HAVE_SYSLOG
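Review bot: The `=` (overwrite) form no longer truncates an existing log, because `THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, ...)` passes no `O_TRUNC` and `fdopen(fd, "w")` does not truncate on its own, while the removed `WRITABLEFOPEN(..., "w")` presumably did, as fopen() does. Assuming THREEPARAMOPEN wraps open(), the flags should be `O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC)`. The descriptor is also leaked when `fdopen()` fails, so the failure branch needs `if (fd != -1) close(fd);` placed after the `fprintf` so that `errno` is still intact for the message. The 0640 mode is applied only when the file is created, so an existing log keeps its current permissions; a comment saying so would stop readers from assuming the call tightens old files. krb5_klog_init starts and ends outside this hunk.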
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,187 +0,0 @@
|
||||
From dd0c141bfc858caa8470271205220a968db7ab51 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 12 Sep 2016 12:25:05 -0400
|
||||
Subject: [PATCH] Don't feed OS RNG output into the OS RNG
|
||||
|
||||
krb5_c_random_os_entropy() now must be provided by PRNG modules.
|
||||
|
||||
ticket: 8499
|
||||
(cherry picked from commit 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f)
|
||||
---
|
||||
src/lib/crypto/krb/crypto_int.h | 3 +-
|
||||
src/lib/crypto/krb/prng.c | 60 +++++----------------------------------
|
||||
src/lib/crypto/krb/prng_fortuna.c | 26 ++++++++++++++++-
|
||||
src/lib/crypto/krb/prng_os.c | 6 ++++
|
||||
4 files changed, 40 insertions(+), 55 deletions(-)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
|
||||
index c054144..a205e3f 100644
|
||||
--- a/src/lib/crypto/krb/crypto_int.h
|
||||
+++ b/src/lib/crypto/krb/crypto_int.h
|
||||
@@ -508,6 +508,7 @@ void krb5int_crypto_impl_cleanup(void);
|
||||
* PRNG modules must implement the following APIs from krb5.h:
|
||||
* krb5_c_random_add_entropy
|
||||
* krb5_c_random_make_octets
|
||||
+ * krb5_c_random_os_entropy
|
||||
*
|
||||
* PRNG modules should implement these functions. They are called from the
|
||||
* crypto library init and cleanup functions, and can be used to setup and tear
|
||||
@@ -517,7 +518,7 @@ int k5_prng_init(void);
|
||||
void k5_prng_cleanup(void);
|
||||
|
||||
/* Used by PRNG modules to gather OS entropy. Returns true on success. */
|
||||
-krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len);
|
||||
+krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len, int strong);
|
||||
|
||||
/*** Inline helper functions ***/
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index e478b19..9ad24c1 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -36,11 +36,13 @@ krb5_c_random_seed(krb5_context context, krb5_data *data)
|
||||
#if defined(_WIN32)
|
||||
|
||||
krb5_boolean
|
||||
-k5_get_os_entropy(unsigned char *buf, size_t len)
|
||||
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
krb5_boolean result;
|
||||
HCRYPTPROV provider;
|
||||
|
||||
+ /* CryptGenRandom is always considered strong. */
|
||||
+
|
||||
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
|
||||
CRYPT_VERIFYCONTEXT))
|
||||
return FALSE;
|
||||
@@ -49,22 +51,6 @@ k5_get_os_entropy(unsigned char *buf, size_t len)
|
||||
return result;
|
||||
}
|
||||
|
||||
-krb5_error_code KRB5_CALLCONV
|
||||
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
|
||||
-{
|
||||
- int oursuccess = 0;
|
||||
- char buf[1024];
|
||||
- krb5_data data = make_data(buf, sizeof(buf));
|
||||
-
|
||||
- if (k5_get_os_entropy(buf, sizeof(buf)) &&
|
||||
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
|
||||
- &data) == 0)
|
||||
- oursuccess = 1;
|
||||
- if (success != NULL)
|
||||
- *success = oursuccess;
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
#else /* not Windows */
|
||||
#ifdef HAVE_UNISTD_H
|
||||
#include <unistd.h>
|
||||
@@ -107,44 +93,12 @@ cleanup:
|
||||
}
|
||||
|
||||
krb5_boolean
|
||||
-k5_get_os_entropy(unsigned char *buf, size_t len)
|
||||
+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
- return read_entropy_from_device("/dev/urandom", buf, len);
|
||||
-}
|
||||
+ const char *device;
|
||||
|
||||
-/* Read entropy from device and contribute it to the PRNG. Returns true on
|
||||
- * success. */
|
||||
-static krb5_boolean
|
||||
-add_entropy_from_device(krb5_context context, const char *device)
|
||||
-{
|
||||
- krb5_data data;
|
||||
- unsigned char buf[64];
|
||||
-
|
||||
- if (!read_entropy_from_device(device, buf, sizeof(buf)))
|
||||
- return FALSE;
|
||||
- data = make_data(buf, sizeof(buf));
|
||||
- return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
|
||||
- &data) == 0);
|
||||
-}
|
||||
-
|
||||
-krb5_error_code KRB5_CALLCONV
|
||||
-krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
|
||||
-{
|
||||
- int unused;
|
||||
- int *oursuccess = (success != NULL) ? success : &unused;
|
||||
-
|
||||
- *oursuccess = 0;
|
||||
- /* If we are getting strong data then try that first. We are
|
||||
- guaranteed to cause a reseed of some kind if strong is true and
|
||||
- we have both /dev/random and /dev/urandom. We want the strong
|
||||
- data included in the reseed so we get it first.*/
|
||||
- if (strong) {
|
||||
- if (add_entropy_from_device(context, "/dev/random"))
|
||||
- *oursuccess = 1;
|
||||
- }
|
||||
- if (add_entropy_from_device(context, "/dev/urandom"))
|
||||
- *oursuccess = 1;
|
||||
- return 0;
|
||||
+ device = strong ? "/dev/random" : "/dev/urandom";
|
||||
+ return read_entropy_from_device(device, buf, len);
|
||||
}
|
||||
|
||||
#endif /* not Windows */
|
||||
diff --git a/src/lib/crypto/krb/prng_fortuna.c b/src/lib/crypto/krb/prng_fortuna.c
|
||||
index e70ffa3..017a119 100644
|
||||
--- a/src/lib/crypto/krb/prng_fortuna.c
|
||||
+++ b/src/lib/crypto/krb/prng_fortuna.c
|
||||
@@ -366,7 +366,7 @@ k5_prng_init(void)
|
||||
#else
|
||||
last_pid = getpid();
|
||||
#endif
|
||||
- if (k5_get_os_entropy(osbuf, sizeof(osbuf))) {
|
||||
+ if (k5_get_os_entropy(osbuf, sizeof(osbuf), 0)) {
|
||||
generator_reseed(&main_state, osbuf, sizeof(osbuf));
|
||||
have_entropy = TRUE;
|
||||
}
|
||||
@@ -443,4 +443,28 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
|
||||
+{
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_data data;
|
||||
+ uint8_t buf[64];
|
||||
+ int status = 0;
|
||||
+
|
||||
+ if (!k5_get_os_entropy(buf, sizeof(buf), strong))
|
||||
+ goto done;
|
||||
+
|
||||
+ data = make_data(buf, sizeof(buf));
|
||||
+ ret = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data);
|
||||
+ if (ret)
|
||||
+ goto done;
|
||||
+
|
||||
+ status = 1;
|
||||
+
|
||||
+done:
|
||||
+ if (success != NULL)
|
||||
+ *success = status;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
#endif /* not TEST */
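Review bot: `buf` in the new krb5_c_random_os_entropy() still holds 64 bytes of OS entropy when the function returns, on both the success path and the `goto done` paths. Those bytes seed the generator, so clear them at the `done:` label before returning, e.g. `zap(buf, sizeof(buf));` if the library's zap() helper is in scope in this file. `ret` is tested only once and could be folded into the `if`.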
|
||||
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
|
||||
index 730ed2e..ecfe351 100644
|
||||
--- a/src/lib/crypto/krb/prng_os.c
|
||||
+++ b/src/lib/crypto/krb/prng_os.c
|
||||
@@ -91,3 +91,9 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
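Review bot: The new krb5_c_random_os_entropy() in this module returns 0 without ever writing `*success`, while the Fortuna version added by the same patch always stores a value when `success` is non-NULL. A caller that passes an uninitialized `int` and then tests it reads an indeterminate value. Store a defined result before returning, e.g. `if (success != NULL) *success = 0;`. Whether 0 or 1 is the right report for a module with no pool to feed is a choice for the maintainers and deserves a one-line comment.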
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,222 +0,0 @@
|
||||
From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Fri, 13 Nov 2015 14:54:11 -0500
|
||||
Subject: [PATCH] Fix impersonate_name to work with interposers
|
||||
|
||||
This follows the same modifications applied to
|
||||
gss_acquire_cred_with_password() when interposer plugins were
|
||||
introduced.
|
||||
|
||||
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
|
||||
spnego_gss_acquire_cred_impersonate_name() since it is released in the
|
||||
cleanup handler]
|
||||
|
||||
ticket: 8280 (new)
|
||||
---
|
||||
src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
|
||||
src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
|
||||
2 files changed, 54 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
|
||||
index 0dd4f87..9eab25e 100644
|
||||
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
|
||||
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
|
||||
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
gss_cred_id_t cred = NULL;
|
||||
gss_OID new_mechs_array = NULL;
|
||||
gss_cred_id_t * new_cred_array = NULL;
|
||||
+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
|
||||
+ gss_OID selected_mech = GSS_C_NO_OID;
|
||||
|
||||
status = val_add_cred_impersonate_name_args(minor_status,
|
||||
input_cred_handle,
|
||||
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
if (status != GSS_S_COMPLETE)
|
||||
return (status);
|
||||
|
||||
- mech = gssint_get_mechanism(desired_mech);
|
||||
+ status = gssint_select_mech_type(minor_status, desired_mech,
|
||||
+ &selected_mech);
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ return status;
|
||||
+
|
||||
+ mech = gssint_get_mechanism(selected_mech);
|
||||
if (!mech)
|
||||
return GSS_S_BAD_MECH;
|
||||
else if (!mech->gss_acquire_cred_impersonate_name)
|
||||
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
internal_name = GSS_C_NO_NAME;
|
||||
} else {
|
||||
union_cred = (gss_union_cred_t)input_cred_handle;
|
||||
- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
|
||||
+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
|
||||
GSS_C_NO_CREDENTIAL)
|
||||
return (GSS_S_DUPLICATE_ELEMENT);
|
||||
}
|
||||
|
||||
mech_impersonator_cred =
|
||||
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
|
||||
- desired_mech);
|
||||
+ selected_mech);
|
||||
if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
|
||||
return (GSS_S_NO_CRED);
|
||||
|
||||
/* may need to create a mechanism specific name */
|
||||
union_name = (gss_union_name_t)desired_name;
|
||||
if (union_name->mech_type &&
|
||||
- g_OID_equal(union_name->mech_type,
|
||||
- &mech->mech_type))
|
||||
+ g_OID_equal(union_name->mech_type, selected_mech))
|
||||
internal_name = union_name->mech_name;
|
||||
else {
|
||||
if (gssint_import_internal_name(minor_status,
|
||||
- &mech->mech_type, union_name,
|
||||
- &allocated_name) != GSS_S_COMPLETE)
|
||||
+ selected_mech, union_name,
|
||||
+ &allocated_name) != GSS_S_COMPLETE)
|
||||
return (GSS_S_BAD_NAME);
|
||||
internal_name = allocated_name;
|
||||
}
|
||||
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
else
|
||||
time_req = 0;
|
||||
|
||||
+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ goto errout;
|
||||
+
|
||||
+ status = gss_add_oid_set_member(minor_status,
|
||||
+ gssint_get_public_oid(selected_mech),
|
||||
+ &target_mechs);
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ goto errout;
|
||||
+
|
||||
status = mech->gss_acquire_cred_impersonate_name(minor_status,
|
||||
mech_impersonator_cred,
|
||||
internal_name,
|
||||
time_req,
|
||||
- GSS_C_NULL_OID_SET,
|
||||
+ target_mechs,
|
||||
cred_usage,
|
||||
&cred,
|
||||
NULL,
|
||||
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
|
||||
new_cred_array[union_cred->count] = cred;
|
||||
if ((new_mechs_array[union_cred->count].elements =
|
||||
- malloc(mech->mech_type.length)) == NULL)
|
||||
+ malloc(selected_mech->length)) == NULL)
|
||||
goto errout;
|
||||
|
||||
- g_OID_copy(&new_mechs_array[union_cred->count],
|
||||
- &mech->mech_type);
|
||||
+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
|
||||
|
||||
if (actual_mechs != NULL) {
|
||||
- gss_OID_set_desc oids;
|
||||
-
|
||||
- oids.count = union_cred->count + 1;
|
||||
- oids.elements = new_mechs_array;
|
||||
-
|
||||
- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
|
||||
+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
|
||||
+ union_cred->count + 1,
|
||||
+ actual_mechs);
|
||||
if (GSS_ERROR(status)) {
|
||||
free(new_mechs_array[union_cred->count].elements);
|
||||
goto errout;
|
||||
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
/* We're done with the internal name. Free it if we allocated it. */
|
||||
|
||||
if (allocated_name)
|
||||
- (void) gssint_release_internal_name(&temp_minor_status,
|
||||
- &mech->mech_type,
|
||||
+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
|
||||
&allocated_name);
|
||||
|
||||
+ if (target_mechs)
|
||||
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
|
||||
+
|
||||
return (GSS_S_COMPLETE);
|
||||
|
||||
errout:
|
||||
@@ -503,8 +517,10 @@ errout:
|
||||
|
||||
if (allocated_name)
|
||||
(void) gssint_release_internal_name(&temp_minor_status,
|
||||
- &mech->mech_type,
|
||||
- &allocated_name);
|
||||
+ selected_mech, &allocated_name);
|
||||
+
|
||||
+ if (target_mechs)
|
||||
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
|
||||
|
||||
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
|
||||
free(union_cred);
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 07435d8..99e374f 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
gss_OID_set *actual_mechs,
|
||||
OM_uint32 *time_rec)
|
||||
{
|
||||
- OM_uint32 status;
|
||||
+ OM_uint32 status, tmpmin;
|
||||
gss_OID_set amechs = GSS_C_NULL_OID_SET;
|
||||
spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
|
||||
- gss_cred_id_t imp_mcred, out_mcred;
|
||||
+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
|
||||
|
||||
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
|
||||
|
||||
@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
|
||||
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
|
||||
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
|
||||
- if (desired_mechs == GSS_C_NO_OID_SET) {
|
||||
- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
|
||||
- NULL, &amechs);
|
||||
- if (status != GSS_S_COMPLETE)
|
||||
- return status;
|
||||
-
|
||||
- desired_mechs = amechs;
|
||||
- }
|
||||
+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
|
||||
+ NULL, &amechs);
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ return status;
|
||||
|
||||
status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
|
||||
desired_name, time_req,
|
||||
- desired_mechs, cred_usage,
|
||||
+ amechs, cred_usage,
|
||||
&out_mcred, actual_mechs,
|
||||
time_rec);
|
||||
-
|
||||
- if (amechs != GSS_C_NULL_OID_SET)
|
||||
- (void) gss_release_oid_set(minor_status, &amechs);
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ goto cleanup;
|
||||
|
||||
status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
|
||||
- if (status != GSS_S_COMPLETE) {
|
||||
- gss_release_cred(minor_status, &out_mcred);
|
||||
- return (status);
|
||||
- }
|
||||
+ if (status != GSS_S_COMPLETE)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ out_mcred = GSS_C_NO_CREDENTIAL;
|
||||
*output_cred_handle = (gss_cred_id_t)out_spcred;
|
||||
|
||||
+cleanup:
|
||||
+ (void) gss_release_oid_set(&tmpmin, &amechs);
|
||||
+ (void) gss_release_cred(&tmpmin, &out_mcred);
|
||||
+
|
||||
dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
|
||||
return (status);
|
||||
}
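Review bot: After this hunk `desired_mechs` is no longer read in spnego_gss_acquire_cred_impersonate_name(): the mechanism set always comes from `gss_inquire_cred()` on the impersonator credential, so a caller that asked for a narrower set may receive credentials for every mechanism the impersonator holds. The commit message says this mirrors gss_acquire_cred_with_password(), but nothing in the function records that the argument is deliberately ignored. A comment above the `gss_inquire_cred()` call such as `/* desired_mechs is ignored; the mechanisms are taken from the impersonator credential. */` would make that visible to reviewers. The function's signature lies partly above the hunk, so the parameter list is inferred from the removed lines.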
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,82 +0,0 @@
|
||||
From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 25 Jul 2016 13:28:43 -0400
|
||||
Subject: [PATCH] Improve bad password inference in kinit
|
||||
|
||||
kinit currently outputs "Password incorrect" if it sees a
|
||||
bad-integrity error code, which results if the KDC reply couldn't be
|
||||
decrypted, or when encrypted timestamp preauth fails against an MIT
|
||||
krb5 1.14 or earlier KDC. Expand this check to include general
|
||||
preauth failures reported by the KDC, but only if a password was
|
||||
prompted for.
|
||||
|
||||
ticket: 8465 (new)
|
||||
(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
|
||||
---
|
||||
src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
|
||||
index eba36b9..990fd11 100644
|
||||
--- a/src/clients/kinit/kinit.c
|
||||
+++ b/src/clients/kinit/kinit.c
|
||||
@@ -700,9 +700,18 @@ kinit_prompter(
|
||||
krb5_prompt prompts[]
|
||||
)
|
||||
{
|
||||
- krb5_error_code rc =
|
||||
- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
|
||||
- return rc;
|
||||
+ krb5_boolean *pwprompt = data;
|
||||
+ krb5_prompt_type *ptypes;
|
||||
+ int i;
|
||||
+
|
||||
+ /* Make a note if we receive a password prompt. */
|
||||
+ ptypes = krb5_get_prompt_types(ctx);
|
||||
+ for (i = 0; i < num_prompts; i++) {
|
||||
+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
|
||||
+ *pwprompt = TRUE;
|
||||
+ }
|
||||
+
|
||||
+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
|
||||
}
|
||||
|
||||
static int
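Review bot: kinit_prompter() now stores through `data` (`*pwprompt = TRUE`) without checking it, and before this patch the one visible caller passed 0 for that argument. The k5_kinit hunk further down switches that call to `&pwprompt`, but any other use of kinit_prompter in the file (not visible here) would dereference NULL on a password prompt. Guard the store with `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`.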
|
||||
@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
|
||||
krb5_creds my_creds;
|
||||
krb5_error_code code = 0;
|
||||
krb5_get_init_creds_opt *options = NULL;
|
||||
+ krb5_boolean pwprompt = FALSE;
|
||||
int i;
|
||||
|
||||
memset(&my_creds, 0, sizeof(my_creds));
|
||||
@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
|
||||
switch (opts->action) {
|
||||
case INIT_PW:
|
||||
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
|
||||
- 0, kinit_prompter, 0,
|
||||
+ 0, kinit_prompter, &pwprompt,
|
||||
opts->starttime,
|
||||
opts->service_name,
|
||||
options);
|
||||
@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
||||
+ /* If reply decryption failed, or if pre-authentication failed and we
|
||||
+ * were prompted for a password, assume the password was wrong. */
|
||||
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
|
||||
+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
|
||||
fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
|
||||
doing);
|
||||
- else
|
||||
+ } else {
|
||||
com_err(progname, code, _("while %s"), doing);
|
||||
+ }
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 9a3a64665819a0e1ee82953bf879f57d6f433358 Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Fri, 30 Sep 2016 10:03:33 -0400
|
||||
Subject: [PATCH] Properly handle EOF condition on libkrad sockets
|
||||
|
||||
In the previous code, when the remote peer performed an orderly shutdown
|
||||
on the socket, libkrad would enter a state in which all future requests
|
||||
timed out. Instead, if the peer shuts down its socket, we need to
|
||||
attempt to reopen it.
|
||||
|
||||
ticket: 8504 (new)
|
||||
target_version: 1.14-next
|
||||
tags: pullup
|
||||
|
||||
(cherry picked from commit 248497427d5a45225817b6c22e9224e8ad969872)
|
||||
---
|
||||
src/lib/krad/remote.c | 13 ++++++-------
|
||||
1 file changed, 6 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||
index df3de3a..68cd16f 100644
|
||||
--- a/src/lib/krad/remote.c
|
||||
+++ b/src/lib/krad/remote.c
|
||||
@@ -329,16 +329,15 @@ on_io_read(krad_remote *rr)
|
||||
/* Read the packet. */
|
||||
i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
|
||||
pktlen, 0);
|
||||
- if (i < 0) {
|
||||
- /* Should we try again? */
|
||||
- if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
|
||||
- return;
|
||||
|
||||
- /* The socket is unrecoverable. */
|
||||
+ /* On these errors, try again. */
|
||||
+ if (i < 0 && (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
|
||||
+ return;
|
||||
+
|
||||
+ /* On any other errors or on EOF, the socket is unrecoverable. */
|
||||
+ if (i <= 0) {
|
||||
remote_shutdown(rr);
|
||||
return;
|
||||
- } else if (i == 0) {
|
||||
- remote_del_flags(rr, FLAGS_READ);
|
||||
}
|
||||
|
||||
/* If we have a partial read or just the header, try again. */
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,29 +0,0 @@
|
||||
From 8ca87ac2ab358d9fa6756636a6c5280858a72e3b Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 14 Sep 2016 12:53:10 -0400
|
||||
Subject: [PATCH] Rename prng_os.c to prng_device.c
|
||||
|
||||
ticket: 8499
|
||||
(cherry picked from commit 5e54525fbe40d56f44368e216c92938403cad96d)
|
||||
---
|
||||
src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
rename src/lib/crypto/krb/{prng_os.c => prng_device.c} (97%)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_device.c
|
||||
similarity index 97%
|
||||
rename from src/lib/crypto/krb/prng_os.c
|
||||
rename to src/lib/crypto/krb/prng_device.c
|
||||
index ecfe351..bef5b37 100644
|
||||
--- a/src/lib/crypto/krb/prng_os.c
|
||||
+++ b/src/lib/crypto/krb/prng_device.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
-/* lib/crypto/krb/prng_os.c - OS-native PRNG implementation */
|
||||
+/* lib/crypto/krb/prng_device.c - OS device-based PRNG implementation */
|
||||
/*
|
||||
* Copyright (C) 2011 by the Massachusetts Institute of Technology.
|
||||
* All rights reserved.
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 59ffbc2016ae2e164a0da7bacc5449bd9898337c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 25 Jul 2016 13:23:31 -0400
|
||||
Subject: [PATCH] Set prompt type for OTP preauth prompt
|
||||
|
||||
Add k5_set_prompt_type() calls around the prompter invocation in
|
||||
preauth_otp.c, and add the comment we conventionally put before
|
||||
prompter invocations.
|
||||
|
||||
ticket: 8464 (new)
|
||||
(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
|
||||
---
|
||||
src/lib/krb5/krb/preauth_otp.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
|
||||
index 37f98b2..48fcbb5 100644
|
||||
--- a/src/lib/krb5/krb/preauth_otp.c
|
||||
+++ b/src/lib/krb5/krb/preauth_otp.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include "k5-int.h"
|
||||
#include "k5-json.h"
|
||||
#include "int-proto.h"
|
||||
+#include "os-proto.h"
|
||||
|
||||
#include <krb5/clpreauth_plugin.h>
|
||||
#include <ctype.h>
|
||||
@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
|
||||
krb5_prompt prompt;
|
||||
krb5_data prompt_reply;
|
||||
krb5_error_code retval;
|
||||
+ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
|
||||
|
||||
if (prompttxt == NULL || out == NULL)
|
||||
return EINVAL;
|
||||
@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
|
||||
prompt.prompt = (char *)prompttxt;
|
||||
prompt.hidden = 1;
|
||||
|
||||
+ /* PROMPTER_INVOCATION */
|
||||
+ k5_set_prompt_types(context, &prompt_type);
|
||||
retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
|
||||
+ k5_set_prompt_types(context, NULL);
|
||||
if (retval != 0)
|
||||
return retval;
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
|
||||
From a8750a1a2d0925c6ad01096e09bdbf18c058cb70 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:52:01 -0400
|
||||
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
|
||||
@ -8,10 +8,10 @@ Subject: [PATCH] krb5-1.11-kpasswdtest.patch
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
|
||||
index e9702bb..482fda6 100644
|
||||
index 00c4429..9c4bc1d 100644
|
||||
--- a/src/kadmin/testing/proto/krb5.conf.proto
|
||||
+++ b/src/kadmin/testing/proto/krb5.conf.proto
|
||||
@@ -8,6 +8,7 @@
|
||||
@@ -9,6 +9,7 @@
|
||||
__REALM__ = {
|
||||
kdc = __KDCHOST__:1750
|
||||
admin_server = __KDCHOST__:1751
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
|
||||
From 9ad4aa0ba462b3bee535b4e579f8247258742d59 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:57 -0400
|
||||
Subject: [PATCH] krb5-1.11-run_user_0.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
|
||||
From a7903a70342d35bfba50d3d1c080d481f3d725c6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:00 -0400
|
||||
Subject: [PATCH] krb5-1.12-api.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
|
||||
From d60c3784417faad05fffb5bb4d6db4c44e79c8cb Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:32:09 -0400
|
||||
Subject: [PATCH] krb5-1.12-ksu-path.patch
|
||||
@ -9,7 +9,7 @@ Set the default PATH to the one set by login.
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
|
||||
index ad2406a..1379c4a 100644
|
||||
index 5755bb5..9d58f29 100644
|
||||
--- a/src/clients/ksu/Makefile.in
|
||||
+++ b/src/clients/ksu/Makefile.in
|
||||
@@ -1,6 +1,6 @@
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
|
||||
From 813d3e2617057252ad1f9ffa30624f36629903b7 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:33:53 -0400
|
||||
Subject: [PATCH] krb5-1.12-ktany.patch
|
||||
@ -14,7 +14,7 @@ the contents of the first keytab.
|
||||
create mode 100644 src/lib/krb5/keytab/kt_any.c
|
||||
|
||||
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
|
||||
index 28485d5..c17ab82 100644
|
||||
index 2a8fceb..ffd179f 100644
|
||||
--- a/src/lib/krb5/keytab/Makefile.in
|
||||
+++ b/src/lib/krb5/keytab/Makefile.in
|
||||
@@ -12,6 +12,7 @@ STLIBOBJS= \
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
|
||||
From 551bd300005a8c45bad3a26f813ae99f31f4a641 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] krb5-1.12.1-pam.patch
|
||||
@ -28,10 +28,10 @@ changes we're proposing for how it handles cache collections.
|
||||
create mode 100644 src/clients/ksu/pam.h
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index dbb7db2..ce045ab 100644
|
||||
index bd2eb48..5fc7f3e 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
|
||||
@@ -1673,3 +1673,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
|
||||
]))
|
||||
])dnl
|
||||
dnl
|
||||
@ -103,7 +103,7 @@ index dbb7db2..ce045ab 100644
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
|
||||
index c705fda..ad2406a 100644
|
||||
index b2fcbf2..5755bb5 100644
|
||||
--- a/src/clients/ksu/Makefile.in
|
||||
+++ b/src/clients/ksu/Makefile.in
|
||||
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
|
||||
@ -129,7 +129,7 @@ index c705fda..ad2406a 100644
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all:: ksu
|
||||
all: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
@ -138,10 +138,10 @@ index c705fda..ad2406a 100644
|
||||
+pam.o: pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean::
|
||||
clean:
|
||||
$(RM) ksu
|
||||
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
||||
index 2f8d8e1..1b2ca83 100644
|
||||
index 28342c2..cab0c18 100644
|
||||
--- a/src/clients/ksu/main.c
|
||||
+++ b/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
@ -171,7 +171,7 @@ index 2f8d8e1..1b2ca83 100644
|
||||
/***********/
|
||||
|
||||
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
|
||||
@@ -514,6 +520,23 @@ main (argc, argv)
|
||||
@@ -515,6 +521,23 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
@ -195,7 +195,7 @@ index 2f8d8e1..1b2ca83 100644
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, _("while switching to target for "
|
||||
@@ -574,6 +597,24 @@ main (argc, argv)
|
||||
@@ -575,6 +598,24 @@ main (argc, argv)
|
||||
|
||||
exit(1);
|
||||
}
|
||||
@ -220,7 +220,7 @@ index 2f8d8e1..1b2ca83 100644
|
||||
}
|
||||
|
||||
if( some_rest_copy){
|
||||
@@ -631,6 +672,30 @@ main (argc, argv)
|
||||
@@ -632,6 +673,30 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -251,7 +251,7 @@ index 2f8d8e1..1b2ca83 100644
|
||||
/* set permissions */
|
||||
if (setgid(target_pwd->pw_gid) < 0) {
|
||||
perror("ksu: setgid");
|
||||
@@ -728,7 +793,7 @@ main (argc, argv)
|
||||
@@ -729,7 +794,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
@ -260,7 +260,7 @@ index 2f8d8e1..1b2ca83 100644
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||
sweep_up(ksu_context, cc_target);
|
||||
@@ -758,16 +823,35 @@ main (argc, argv)
|
||||
@@ -759,16 +824,35 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, _("while calling waitpid"));
|
||||
}
|
||||
@ -756,10 +756,10 @@ index 0000000..0ab7656
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index b2a8675..8846ca0 100644
|
||||
index fde09a1..79c0fe2 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
@@ -1336,6 +1336,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
||||
AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
|
||||
From 71c4e4b129b33d8b71262c5f2eea55267b6b33cb Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:44 -0400
|
||||
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
|
||||
@ -12,10 +12,10 @@ original version filed as RT#5891.
|
||||
3 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index ed343c5..f67eef7 100644
|
||||
index d49b7c1..9076016 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then
|
||||
@@ -1654,6 +1654,15 @@ if test "$with_ldap" = yes; then
|
||||
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
|
||||
OPENLDAP_PLUGIN=yes
|
||||
fi
|
||||
@ -32,10 +32,10 @@ index ed343c5..f67eef7 100644
|
||||
dnl
|
||||
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||||
index aca8f31..0a0968c 100644
|
||||
index 32efc4f..af8b2db 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||||
@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
|
||||
@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
|
||||
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
@ -60,7 +60,7 @@ index aca8f31..0a0968c 100644
|
||||
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
|
||||
if (ret)
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||||
index 6a06f55..1f87e21 100644
|
||||
index d722dbf..5e8e9a8 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||||
@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
|
||||
@ -72,7 +72,7 @@ index 6a06f55..1f87e21 100644
|
||||
+#endif
|
||||
"krbLastPwdChange",
|
||||
"krbLastAdminUnlock",
|
||||
"krbExtraData",
|
||||
"krbPrincipalAuthInd",
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
|
||||
From e7cea9ceea5a97248384a3bb0cc2bb2d58cce326 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:45:26 -0400
|
||||
Subject: [PATCH] krb5-1.12-buildconf.patch
|
||||
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
|
||||
|
||||
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
||||
and install shared libraries with the execute bit set on them. Prune out
|
||||
@ -33,10 +33,10 @@ index c17cb5e..1891dea 100755
|
||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||
library=krb5
|
||||
diff --git a/src/config/pre.in b/src/config/pre.in
|
||||
index 63271e7..c100fef 100644
|
||||
index fcea229..d961b56 100644
|
||||
--- a/src/config/pre.in
|
||||
+++ b/src/config/pre.in
|
||||
@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
|
||||
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
|
||||
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
||||
INSTALL_DATA=@INSTALL_DATA@
|
||||
INSTALL_SHLIB=@INSTALL_SHLIB@
|
||||
@ -46,19 +46,19 @@ index 63271e7..c100fef 100644
|
||||
## ${prefix}.
|
||||
prefix=@prefix@
|
||||
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
|
||||
index 55f16be..f4a762c 100644
|
||||
index 3e4af6c..2b20c3f 100644
|
||||
--- a/src/config/shlib.conf
|
||||
+++ b/src/config/shlib.conf
|
||||
@@ -422,7 +422,7 @@ mips-*-netbsd*)
|
||||
SHLIBEXT=.so
|
||||
@@ -423,7 +423,7 @@ mips-*-netbsd*)
|
||||
# Linux ld doesn't default to stuffing the SONAME field...
|
||||
# Use objdump -x to examine the fields of the library
|
||||
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
|
||||
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
|
||||
#
|
||||
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
|
||||
SHLIB_EXPORT_FILE_DEP=binutils.versions
|
||||
@@ -433,7 +433,8 @@ mips-*-netbsd*)
|
||||
# UNDEF_CHECK is suppressed by --enable-asan
|
||||
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
|
||||
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
|
||||
UNDEF_CHECK='-Wl,--no-undefined'
|
||||
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
|
||||
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
|
||||
@@ -435,7 +435,8 @@ mips-*-netbsd*)
|
||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||
PROFFLAGS=-pg
|
||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
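Review bot: `-Wl,--warn-shared-textrel` on the `LDCOMBINE` line in the src/config/shlib.conf hunk only makes the linker print a warning, so a shared library that picks up text relocations would still link and be installed. If the intent is to keep the libraries free of DT_TEXTREL, the link should fail instead, for example `-Wl,-z,relro -Wl,-z,text` in place of the warning flag, or `-Wl,--fatal-warnings` added to it. The patch description says libraries are deliberately linked as partial RELRO, so the missing `-z now` looks intentional; a comment above the assignment such as `# partial RELRO by design: no -z now for shared libraries` would stop a later refresh from changing it by accident. Which `LDCOMBINE` pair is the refreshed side is inferred from the `$(UNDEF_CHECK)` context, since the rendering lost the outer add/remove markers.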
|
@ -1,7 +1,7 @@
|
||||
From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
|
||||
From 7fea764528d0d1b0b2c8bf17d116f3da622f9cb6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] krb5-1.13-selinux-label.patch
|
||||
Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
|
||||
|
||||
SELinux bases access to files on the domain of the requesting process,
|
||||
the operation being performed, and the context applied to the file.
|
||||
@ -58,16 +58,15 @@ which we used earlier, is some improvement.
|
||||
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
|
||||
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
|
||||
src/slave/kpropd.c | 9 +
|
||||
src/util/gss-kernel-lib/Makefile.in | 5 +-
|
||||
src/util/profile/prof_file.c | 3 +-
|
||||
src/util/support/Makefile.in | 3 +-
|
||||
src/util/support/selinux.c | 381 +++++++++++++++++++++
|
||||
26 files changed, 566 insertions(+), 22 deletions(-)
|
||||
src/util/support/selinux.c | 406 +++++++++++++++++++++
|
||||
25 files changed, 587 insertions(+), 21 deletions(-)
|
||||
create mode 100644 src/include/k5-label.h
|
||||
create mode 100644 src/util/support/selinux.c
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index ce045ab..311f099 100644
|
||||
index 5fc7f3e..5b02b40 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
@ -78,7 +77,7 @@ index ce045ab..311f099 100644
|
||||
KRB5_LIB_PARAMS
|
||||
KRB5_AC_INITFINI
|
||||
KRB5_AC_ENABLE_THREADS
|
||||
@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)
|
||||
@@ -1740,3 +1741,51 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
@ -152,10 +151,10 @@ index f6184da..c17cb5e 100755
|
||||
|
||||
echo $lib_flags
|
||||
diff --git a/src/config/pre.in b/src/config/pre.in
|
||||
index b0d9015..63271e7 100644
|
||||
index e062632..fcea229 100644
|
||||
--- a/src/config/pre.in
|
||||
+++ b/src/config/pre.in
|
||||
@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
|
||||
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
|
||||
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
|
||||
LDFLAGS = @LDFLAGS@
|
||||
LIBS = @LIBS@
|
||||
@ -163,7 +162,7 @@ index b0d9015..63271e7 100644
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
# HESIOD_LIBS is -lhesiod...
|
||||
HESIOD_LIBS = @HESIOD_LIBS@
|
||||
|
||||
@ -173,10 +172,10 @@ index b0d9015..63271e7 100644
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on Mac OS X!
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 8846ca0..9ec8d84 100644
|
||||
index 79c0fe2..d085a4b 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
KRB5_WITH_PAM
|
||||
|
||||
@ -186,10 +185,10 @@ index 8846ca0..9ec8d84 100644
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 41c3d1b..6b7b2e3 100644
|
||||
index 3cc32c3..afefe28 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -129,6 +129,7 @@ typedef unsigned char u_char;
|
||||
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
||||
|
||||
|
||||
#include "k5-platform.h"
|
||||
@ -236,7 +235,7 @@ index 0000000..dfaaa84
|
||||
+#endif
|
||||
+#endif
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index e2c08ae..c93a0f2 100644
|
||||
index 64b0d0f..0c9347b 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -87,6 +87,12 @@
|
||||
@ -253,7 +252,7 @@ index e2c08ae..c93a0f2 100644
|
||||
|
||||
#include <stdlib.h>
|
||||
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
|
||||
index 253bf3f..9c8c3dc 100644
|
||||
index f7889bd..cad53cf 100644
|
||||
--- a/src/kadmin/dbutil/dump.c
|
||||
+++ b/src/kadmin/dbutil/dump.c
|
||||
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
|
||||
@ -288,10 +287,10 @@ index 253bf3f..9c8c3dc 100644
|
||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
||||
exit_status++;
|
||||
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
||||
index 82dfc0e..936f46b 100644
|
||||
index 6767ef0..70cb256 100644
|
||||
--- a/src/kdc/main.c
|
||||
+++ b/src/kdc/main.c
|
||||
@@ -847,7 +847,7 @@ write_pid_file(const char *path)
|
||||
@@ -873,7 +873,7 @@ write_pid_file(const char *path)
|
||||
FILE *file;
|
||||
unsigned long pid;
|
||||
|
||||
@ -301,19 +300,19 @@ index 82dfc0e..936f46b 100644
|
||||
return errno;
|
||||
pid = (unsigned long) getpid();
|
||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||
index 19c4355..64f9641 100644
|
||||
index ce79fab..c53a574 100644
|
||||
--- a/src/lib/kadm5/logger.c
|
||||
+++ b/src/lib/kadm5/logger.c
|
||||
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||
* Check for append/overwrite, then open the file.
|
||||
@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||
*/
|
||||
if (cp[4] == ':' || cp[4] == '=') {
|
||||
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
|
||||
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[i].lfu_filep = f;
|
||||
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
append = (cp[4] == ':') ? O_APPEND : 0;
|
||||
if (append || cp[4] == '=') {
|
||||
- fd = open(&cp[5], O_CREAT | O_WRONLY | append,
|
||||
+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
|
||||
S_IRUSR | S_IWUSR | S_IRGRP);
|
||||
if (fd != -1)
|
||||
f = fdopen(fd, append ? "a" : "w");
|
||||
@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
* In case the old logfile did not get moved out of the
|
||||
* way, open for append to prevent squashing the old logs.
|
||||
*/
|
||||
@ -323,7 +322,7 @@ index 19c4355..64f9641 100644
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[lindex].lfu_filep = f;
|
||||
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
|
||||
index 99cda59..523b99a 100644
|
||||
index 766d300..6466417 100644
|
||||
--- a/src/lib/kdb/kdb_log.c
|
||||
+++ b/src/lib/kdb/kdb_log.c
|
||||
@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
|
||||
@ -386,24 +385,23 @@ index bba64e5..73f0fe6 100644
|
||||
_("Credential cache directory %s does not exist"),
|
||||
dirname);
|
||||
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
|
||||
index e105a51..ff1fc54 100644
|
||||
index 6a42f26..674d88b 100644
|
||||
--- a/src/lib/krb5/keytab/kt_file.c
|
||||
+++ b/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
|
||||
@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
|
||||
|
||||
KTCHECKLOCK(id);
|
||||
errno = 0;
|
||||
- KTFILEP(id) = fopen(KTFILENAME(id),
|
||||
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
|
||||
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
|
||||
fopen_mode_rbplus : fopen_mode_rb);
|
||||
(mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
|
||||
if (!KTFILEP(id)) {
|
||||
@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
|
||||
if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
|
||||
/* try making it first time around */
|
||||
k5_create_secure_file(context, KTFILENAME(id));
|
||||
errno = 0;
|
||||
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
|
||||
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
|
||||
- KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
|
||||
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
|
||||
if (!KTFILEP(id))
|
||||
goto report_errno;
|
||||
writevno = 1;
|
||||
@ -421,7 +419,7 @@ index 83c8d4d..a192461 100644
|
||||
free(fd);
|
||||
return errno;
|
||||
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
|
||||
index 2fb6aa0..c453189 100644
|
||||
index c4d2c74..c0f12ed 100644
|
||||
--- a/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ b/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
|
||||
@ -466,7 +464,7 @@ index 7db30a3..2b9d019 100644
|
||||
* maybe someone took away write permission so we could only
|
||||
* get shared locks?
|
||||
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
|
||||
index e97b841..5d1cd61 100644
|
||||
index 4c4036e..d90bdea 100644
|
||||
--- a/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ b/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
|
||||
@ -502,7 +500,7 @@ index 2977b17..d5809a5 100644
|
||||
|
||||
} else {
|
||||
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
index 2a5b4f8..7239d03 100644
|
||||
index 76f5d47..1fa8b83 100644
|
||||
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
|
||||
@ -545,10 +543,10 @@ index d8b26e7..b0daa7c 100644
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
index 64d0f91..5d5c0a6 100644
|
||||
index 022156a..3d6994c 100644
|
||||
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -178,7 +178,7 @@ done:
|
||||
@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
|
||||
/* set password in the file */
|
||||
old_mode = umask(0177);
|
||||
@ -557,7 +555,7 @@ index 64d0f91..5d5c0a6 100644
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
|
||||
strerror (errno));
|
||||
@@ -219,6 +219,9 @@ done:
|
||||
@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
* Delete the existing entry and add the new entry
|
||||
*/
|
||||
FILE *newfile;
|
||||
@ -567,7 +565,7 @@ index 64d0f91..5d5c0a6 100644
|
||||
|
||||
mode_t omask;
|
||||
|
||||
@@ -230,7 +233,13 @@ done:
|
||||
@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -582,7 +580,7 @@ index 64d0f91..5d5c0a6 100644
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, _("Error creating file %s"), tmp_file);
|
||||
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
|
||||
index 1383156..a950924 100644
|
||||
index 056c31a..b78c3d9 100644
|
||||
--- a/src/slave/kpropd.c
|
||||
+++ b/src/slave/kpropd.c
|
||||
@@ -464,6 +464,9 @@ doit(int fd)
|
||||
@ -611,32 +609,6 @@ index 1383156..a950924 100644
|
||||
retval = krb5_lock_file(kpropd_context, lock_fd,
|
||||
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
||||
if (retval) {
|
||||
diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
|
||||
index f70f3c6..7a2f9cc 100644
|
||||
--- a/src/util/gss-kernel-lib/Makefile.in
|
||||
+++ b/src/util/gss-kernel-lib/Makefile.in
|
||||
@@ -61,6 +61,7 @@ HEADERS= \
|
||||
gssapi_err_generic.h \
|
||||
k5-int.h \
|
||||
k5-int-pkinit.h \
|
||||
+ k5-label.h \
|
||||
k5-thread.h \
|
||||
k5-platform.h \
|
||||
k5-buf.h \
|
||||
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
|
||||
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
|
||||
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
|
||||
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
|
||||
-k5-int.h: $(INCLUDE)/k5-int.h
|
||||
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
|
||||
$(CP) $(INCLUDE)/k5-int.h $@
|
||||
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
|
||||
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
|
||||
+k5-label.h: $(INCLUDE)/k5-label.h
|
||||
+ $(CP) $(INCLUDE)/k5-label.h $@
|
||||
k5-thread.h: $(INCLUDE)/k5-thread.h
|
||||
$(CP) $(INCLUDE)/k5-thread.h $@
|
||||
k5-platform.h: $(INCLUDE)/k5-platform.h
|
||||
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
|
||||
index 907c119..0f5462a 100644
|
||||
--- a/src/util/profile/prof_file.c
|
||||
@ -659,10 +631,10 @@ index 907c119..0f5462a 100644
|
||||
retval = errno;
|
||||
if (retval == 0)
|
||||
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
|
||||
index 5181762..f77acd4 100644
|
||||
index 6239e41..17bcd2a 100644
|
||||
--- a/src/util/support/Makefile.in
|
||||
+++ b/src/util/support/Makefile.in
|
||||
@@ -59,6 +59,7 @@ IPC_SYMS= \
|
||||
@@ -69,6 +69,7 @@ IPC_SYMS= \
|
||||
|
||||
STLIBOBJS= \
|
||||
threads.o \
|
||||
@ -670,7 +642,7 @@ index 5181762..f77acd4 100644
|
||||
init-addrinfo.o \
|
||||
plugins.o \
|
||||
errors.o \
|
||||
@@ -131,7 +132,7 @@ SRCS=\
|
||||
@@ -148,7 +149,7 @@ SRCS=\
|
||||
|
||||
SHLIB_EXPDEPS =
|
||||
# Add -lm if dumping thread stats, for sqrt.
|
||||
@ -681,12 +653,12 @@ index 5181762..f77acd4 100644
|
||||
|
||||
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
|
||||
new file mode 100644
|
||||
index 0000000..ffba6a9
|
||||
index 0000000..2302634
|
||||
--- /dev/null
|
||||
+++ b/src/util/support/selinux.c
|
||||
@@ -0,0 +1,381 @@
|
||||
@@ -0,0 +1,406 @@
|
||||
+/*
|
||||
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
|
||||
+ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
@ -724,8 +696,10 @@ index 0000000..ffba6a9
|
||||
+
|
||||
+#include <k5-label.h>
|
||||
+#include <k5-platform.h>
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <limits.h>
|
||||
@ -735,13 +709,26 @@ index 0000000..ffba6a9
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/context.h>
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+#include <selinux/label.h>
|
||||
+#endif
|
||||
+
|
||||
+/* #define DEBUG 1 */
|
||||
+static void
|
||||
+debug_log(const char *fmt, ...)
|
||||
+{
|
||||
+#ifdef DEBUG
|
||||
+ va_list ap;
|
||||
+ va_start(ap, str);
|
||||
+ if (isatty(fileno(stderr))) {
|
||||
+ vfprintf(stderr, fmt, ap);
|
||||
+ }
|
||||
+ va_end(ap);
|
||||
+#endif
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+/* Mutex used to serialize use of the process-global file creation context. */
|
||||
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
|
||||
@ -751,10 +738,9 @@ index 0000000..ffba6a9
|
||||
+static void
|
||||
+label_mutex_init(void)
|
||||
+{
|
||||
+ k5_mutex_finish_init(&labeled_mutex);
|
||||
+ k5_mutex_finish_init(&labeled_mutex);
|
||||
+}
|
||||
+
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+static struct selabel_handle *selabel_ctx;
|
||||
+static time_t selabel_last_changed;
|
||||
+
|
||||
@ -763,309 +749,320 @@ index 0000000..ffba6a9
|
||||
+static void
|
||||
+cleanup_fscreatecon(void)
|
||||
+{
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ selabel_close(selabel_ctx);
|
||||
+ selabel_ctx = NULL;
|
||||
+ }
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ selabel_close(selabel_ctx);
|
||||
+ selabel_ctx = NULL;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static security_context_t
|
||||
+push_fscreatecon(const char *pathname, mode_t mode)
|
||||
+{
|
||||
+ security_context_t previous, configuredsc, currentsc, derivedsc;
|
||||
+ context_t current, derived;
|
||||
+ const char *fullpath, *currentuser;
|
||||
+ security_context_t previous, configuredsc, currentsc, derivedsc;
|
||||
+ context_t current, derived;
|
||||
+ const char *fullpath, *currentuser;
|
||||
+ char *genpath;
|
||||
+
|
||||
+ previous = NULL;
|
||||
+ if (is_selinux_enabled()) {
|
||||
+ if (getfscreatecon(&previous) == 0) {
|
||||
+ char *genpath;
|
||||
+ genpath = NULL;
|
||||
+ if (pathname[0] != '/') {
|
||||
+ char *wd;
|
||||
+ size_t len;
|
||||
+ len = 0;
|
||||
+ wd = getcwd(NULL, len);
|
||||
+ if (wd == NULL) {
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
|
||||
+ genpath = malloc(len);
|
||||
+ if (genpath == NULL) {
|
||||
+ free(wd);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ sprintf(genpath, "%s/%s", wd, pathname);
|
||||
+ free(wd);
|
||||
+ fullpath = genpath;
|
||||
+ } else {
|
||||
+ fullpath = pathname;
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (isatty(fileno(stderr))) {
|
||||
+ fprintf(stderr, "Looking up context for "
|
||||
+ "\"%s\"(%05o).\n", fullpath, mode);
|
||||
+ }
|
||||
+#endif
|
||||
+ configuredsc = NULL;
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+ if ((selabel_ctx != NULL) ||
|
||||
+ (selabel_last_changed == 0)) {
|
||||
+ const char *cpath;
|
||||
+ struct stat st;
|
||||
+ int i = -1;
|
||||
+ cpath = selinux_file_context_path();
|
||||
+ if ((cpath == NULL) ||
|
||||
+ ((i = stat(cpath, &st)) != 0) ||
|
||||
+ (st.st_mtime != selabel_last_changed)) {
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ selabel_close(selabel_ctx);
|
||||
+ selabel_ctx = NULL;
|
||||
+ }
|
||||
+ selabel_last_changed = i ?
|
||||
+ time(NULL) :
|
||||
+ st.st_mtime;
|
||||
+ }
|
||||
+ }
|
||||
+ if (selabel_ctx == NULL) {
|
||||
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
|
||||
+ NULL, 0);
|
||||
+ }
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ if (selabel_lookup(selabel_ctx, &configuredsc,
|
||||
+ fullpath, mode) != 0) {
|
||||
+ free(genpath);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+#else
|
||||
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
|
||||
+ free(genpath);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+#endif
|
||||
+ free(genpath);
|
||||
+ if (configuredsc == NULL) {
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ currentsc = NULL;
|
||||
+ getcon(¤tsc);
|
||||
+ if (currentsc != NULL) {
|
||||
+ derived = context_new(configuredsc);
|
||||
+ if (derived != NULL) {
|
||||
+ current = context_new(currentsc);
|
||||
+ if (current != NULL) {
|
||||
+ currentuser = context_user_get(current);
|
||||
+ if (currentuser != NULL) {
|
||||
+ if (context_user_set(derived,
|
||||
+ currentuser) == 0) {
|
||||
+ derivedsc = context_str(derived);
|
||||
+ if (derivedsc != NULL) {
|
||||
+ freecon(configuredsc);
|
||||
+ configuredsc = strdup(derivedsc);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ context_free(current);
|
||||
+ }
|
||||
+ context_free(derived);
|
||||
+ }
|
||||
+ freecon(currentsc);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (isatty(fileno(stderr))) {
|
||||
+ fprintf(stderr, "Setting file creation context "
|
||||
+ "to \"%s\".\n", configuredsc);
|
||||
+ }
|
||||
+#endif
|
||||
+ if (setfscreatecon(configuredsc) != 0) {
|
||||
+ freecon(configuredsc);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ freecon(configuredsc);
|
||||
+#ifdef DEBUG
|
||||
+ } else {
|
||||
+ if (isatty(fileno(stderr))) {
|
||||
+ fprintf(stderr, "Unable to determine "
|
||||
+ "current context.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+ }
|
||||
+ return previous;
|
||||
+ previous = configuredsc = currentsc = derivedsc = NULL;
|
||||
+ current = derived = NULL;
|
||||
+ genpath = NULL;
|
||||
+
|
||||
+ fullpath = pathname;
|
||||
+
|
||||
+ if (!is_selinux_enabled()) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (getfscreatecon(&previous) != 0) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ /* Canonicalize pathname */
|
||||
+ if (pathname[0] != '/') {
|
||||
+ char *wd;
|
||||
+ size_t len;
|
||||
+ len = 0;
|
||||
+
|
||||
+ wd = getcwd(NULL, len);
|
||||
+ if (wd == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
|
||||
+ genpath = malloc(len);
|
||||
+ if (genpath == NULL) {
|
||||
+ free(wd);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ sprintf(genpath, "%s/%s", wd, pathname);
|
||||
+ free(wd);
|
||||
+ fullpath = genpath;
|
||||
+ }
|
||||
+
|
||||
+ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
|
||||
+
|
||||
+ /* Check whether context file has changed under us */
|
||||
+ if (selabel_ctx != NULL || selabel_last_changed == 0) {
|
||||
+ const char *cpath;
|
||||
+ struct stat st;
|
||||
+ int i = -1;
|
||||
+
|
||||
+ cpath = selinux_file_context_path();
|
||||
+ if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
|
||||
+ st.st_mtime != selabel_last_changed) {
|
||||
+ cleanup_fscreatecon();
|
||||
+
|
||||
+ selabel_last_changed = i ? time(NULL) : st.st_mtime;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (selabel_ctx == NULL) {
|
||||
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
+ }
|
||||
+
|
||||
+ if (selabel_ctx != NULL &&
|
||||
+ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (genpath != NULL) {
|
||||
+ free(genpath);
|
||||
+ genpath = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (configuredsc == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ getcon(¤tsc);
|
||||
+
|
||||
+ /* AAAAAAAA */
|
||||
+ if (currentsc != NULL) {
|
||||
+ derived = context_new(configuredsc);
|
||||
+
|
||||
+ if (derived != NULL) {
|
||||
+ current = context_new(currentsc);
|
||||
+
|
||||
+ if (current != NULL) {
|
||||
+ currentuser = context_user_get(current);
|
||||
+
|
||||
+ if (currentuser != NULL) {
|
||||
+ if (context_user_set(derived,
|
||||
+ currentuser) == 0) {
|
||||
+ derivedsc = context_str(derived);
|
||||
+
|
||||
+ if (derivedsc != NULL) {
|
||||
+ freecon(configuredsc);
|
||||
+ configuredsc = strdup(derivedsc);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ context_free(current);
|
||||
+ }
|
||||
+
|
||||
+ context_free(derived);
|
||||
+ }
|
||||
+
|
||||
+ freecon(currentsc);
|
||||
+ }
|
||||
+
|
||||
+ debug_log("Setting file creation context to \"%s\".\n", configuredsc);
|
||||
+ if (setfscreatecon(configuredsc) != 0) {
|
||||
+ debug_log("Unable to determine current context.\n");
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ freecon(configuredsc);
|
||||
+ return previous;
|
||||
+
|
||||
+fail:
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ if (genpath != NULL) {
|
||||
+ free(genpath);
|
||||
+ }
|
||||
+ if (configuredsc != NULL) {
|
||||
+ freecon(configuredsc);
|
||||
+ }
|
||||
+
|
||||
+ cleanup_fscreatecon();
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+pop_fscreatecon(security_context_t previous)
|
||||
+{
|
||||
+ if (is_selinux_enabled()) {
|
||||
+#ifdef DEBUG
|
||||
+ if (isatty(fileno(stderr))) {
|
||||
+ if (previous != NULL) {
|
||||
+ fprintf(stderr, "Resetting file creation "
|
||||
+ "context to \"%s\".\n", previous);
|
||||
+ } else {
|
||||
+ fprintf(stderr, "Resetting file creation "
|
||||
+ "context to default.\n");
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+ setfscreatecon(previous);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ }
|
||||
+ if (!is_selinux_enabled()) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (previous != NULL) {
|
||||
+ debug_log("Resetting file creation context to \"%s\".\n", previous);
|
||||
+ } else {
|
||||
+ debug_log("Resetting file creation context to default.\n");
|
||||
+ }
|
||||
+
|
||||
+ /* NULL resets to default */
|
||||
+ setfscreatecon(previous);
|
||||
+
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+
|
||||
+ /* Need to clean this up here otherwise it leaks */
|
||||
+ cleanup_fscreatecon();
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
+krb5int_push_fscreatecon_for(const char *pathname)
|
||||
+{
|
||||
+ struct stat st;
|
||||
+ void *retval;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ if (stat(pathname, &st) != 0) {
|
||||
+ st.st_mode = S_IRUSR | S_IWUSR;
|
||||
+ }
|
||||
+ retval = push_fscreatecon(pathname, st.st_mode);
|
||||
+ return retval ? retval : (void *) -1;
|
||||
+ struct stat st;
|
||||
+ void *retval;
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+
|
||||
+ if (stat(pathname, &st) != 0) {
|
||||
+ st.st_mode = S_IRUSR | S_IWUSR;
|
||||
+ }
|
||||
+
|
||||
+ retval = push_fscreatecon(pathname, st.st_mode);
|
||||
+ return retval ? retval : (void *) -1;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+krb5int_pop_fscreatecon(void *con)
|
||||
+{
|
||||
+ if (con != NULL) {
|
||||
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ }
|
||||
+ if (con != NULL) {
|
||||
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+FILE *
|
||||
+krb5int_labeled_fopen(const char *path, const char *mode)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ FILE *fp;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+
|
||||
+ if ((strcmp(mode, "r") == 0) ||
|
||||
+ (strcmp(mode, "rb") == 0)) {
|
||||
+ return fopen(path, mode);
|
||||
+ }
|
||||
+ if ((strcmp(mode, "r") == 0) ||
|
||||
+ (strcmp(mode, "rb") == 0)) {
|
||||
+ return fopen(path, mode);
|
||||
+ }
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+ fp = fopen(path, mode);
|
||||
+ errno_save = errno;
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ errno = errno_save;
|
||||
+ return fp;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+
|
||||
+ fp = fopen(path, mode);
|
||||
+ errno_save = errno;
|
||||
+
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+
|
||||
+ errno = errno_save;
|
||||
+ return fp;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+krb5int_labeled_creat(const char *path, mode_t mode)
|
||||
+{
|
||||
+ int fd;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ int fd;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+ fd = creat(path, mode);
|
||||
+ errno_save = errno;
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ errno = errno_save;
|
||||
+ return fd;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+
|
||||
+ fd = creat(path, mode);
|
||||
+ errno_save = errno;
|
||||
+
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+
|
||||
+ errno = errno_save;
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
|
||||
+{
|
||||
+ int ret;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ int ret;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, mode);
|
||||
+ ret = mknod(path, mode, dev);
|
||||
+ errno_save = errno;
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ errno = errno_save;
|
||||
+ return ret;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, mode);
|
||||
+
|
||||
+ ret = mknod(path, mode, dev);
|
||||
+ errno_save = errno;
|
||||
+
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+
|
||||
+ errno = errno_save;
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+krb5int_labeled_mkdir(const char *path, mode_t mode)
|
||||
+{
|
||||
+ int ret;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ int ret;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, S_IFDIR);
|
||||
+ ret = mkdir(path, mode);
|
||||
+ errno_save = errno;
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ errno = errno_save;
|
||||
+ return ret;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, S_IFDIR);
|
||||
+
|
||||
+ ret = mkdir(path, mode);
|
||||
+ errno_save = errno;
|
||||
+
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+
|
||||
+ errno = errno_save;
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+krb5int_labeled_open(const char *path, int flags, ...)
|
||||
+{
|
||||
+ int fd;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ mode_t mode;
|
||||
+ va_list ap;
|
||||
+ int fd;
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+ mode_t mode;
|
||||
+ va_list ap;
|
||||
+
|
||||
+ if ((flags & O_CREAT) == 0) {
|
||||
+ return open(path, flags);
|
||||
+ }
|
||||
+ if ((flags & O_CREAT) == 0) {
|
||||
+ return open(path, flags);
|
||||
+ }
|
||||
+
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ k5_mutex_lock(&labeled_mutex);
|
||||
+ ctx = push_fscreatecon(path, 0);
|
||||
+
|
||||
+ va_start(ap, flags);
|
||||
+ mode = va_arg(ap, mode_t);
|
||||
+ fd = open(path, flags, mode);
|
||||
+ va_end(ap);
|
||||
+ va_start(ap, flags);
|
||||
+ mode = va_arg(ap, mode_t);
|
||||
+ fd = open(path, flags, mode);
|
||||
+ va_end(ap);
|
||||
+
|
||||
+ errno_save = errno;
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ errno = errno_save;
|
||||
+ return fd;
|
||||
+ errno_save = errno;
|
||||
+
|
||||
+ pop_fscreatecon(ctx);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+
|
||||
+ errno = errno_save;
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
+#endif /* USE_SELINUX */
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
|
||||
From e84b0d40e31cdb98a9a87bd1c4925802d963a479 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:46:21 -0400
|
||||
Subject: [PATCH] krb5-1.3.1-dns.patch
|
||||
@ -9,7 +9,7 @@ We want to be able to use --with-netlib and --enable-dns at the same time.
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index 311f099..ed343c5 100644
|
||||
index 5b02b40..d49b7c1 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
|
||||
From e2f0b0317c6a251c202500f409976dda3a6a82e7 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] krb5-1.9-debuginfo.patch
|
||||
@ -12,7 +12,7 @@ could mess up people working in the tree on other things.
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
|
||||
index 789c597..7e7a148 100644
|
||||
index adfea6e..d1327e4 100644
|
||||
--- a/src/kadmin/cli/Makefile.in
|
||||
+++ b/src/kadmin/cli/Makefile.in
|
||||
@@ -37,3 +37,8 @@ clean-unix::
|
||||
@ -25,7 +25,7 @@ index 789c597..7e7a148 100644
|
||||
+ $(YACC.y) $<
|
||||
+ $(CP) y.tab.c $@
|
||||
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
index b9ea339..060f500 100644
|
||||
index 8669c24..a22f23c 100644
|
||||
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
|
||||
@ -35,7 +35,7 @@ index b9ea339..060f500 100644
|
||||
- $(MV) y.tab.c getdate.c
|
||||
+ $(CP) y.tab.c getdate.c
|
||||
|
||||
install::
|
||||
install:
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||
--
|
||||
2.9.3
|
||||
|
34
krb5.spec
34
krb5.spec
@ -8,12 +8,12 @@
|
||||
%global configure_default_ccache_name 1
|
||||
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
|
||||
|
||||
%global prerelease %{nil}
|
||||
%global prerelease -beta1
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.14.4
|
||||
Release: 6%{?dist}
|
||||
Version: 1.15
|
||||
Release: 1%{?dist}.beta1.0
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -46,30 +46,16 @@ Source39: krb5-krb5kdc.conf
|
||||
Source100: noport.c
|
||||
|
||||
Patch1: krb5-1.12.1-pam.patch
|
||||
Patch2: krb5-1.13-selinux-label.patch
|
||||
Patch2: krb5-1.15-beta1-selinux-label.patch
|
||||
Patch3: krb5-1.12-ksu-path.patch
|
||||
Patch4: krb5-1.12-ktany.patch
|
||||
Patch5: krb5-1.12-buildconf.patch
|
||||
Patch5: krb5-1.15-beta1-buildconf.patch
|
||||
Patch6: krb5-1.3.1-dns.patch
|
||||
Patch7: krb5-1.12-api.patch
|
||||
Patch8: krb5-1.13-dirsrv-accountlock.patch
|
||||
Patch9: krb5-1.9-debuginfo.patch
|
||||
Patch10: krb5-1.11-run_user_0.patch
|
||||
Patch11: krb5-1.11-kpasswdtest.patch
|
||||
Patch12: Fix-impersonate_name-to-work-with-interposers.patch
|
||||
Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
|
||||
Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
|
||||
Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
|
||||
Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
|
||||
Patch17: Improve-bad-password-inference-in-kinit.patch
|
||||
Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
|
||||
Patch19: Add-krb5_db_register_keytab.patch
|
||||
Patch20: Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
|
||||
Patch21: Rename-prng_os.c-to-prng_device.c.patch
|
||||
Patch22: Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
|
||||
Patch23: Add-OS-prng-intended-for-use-with-getrandom.patch
|
||||
Patch24: Properly-handle-EOF-condition-on-libkrad-sockets.patch
|
||||
Patch25: krb5-1.14.4-openssl11.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -256,7 +242,7 @@ interface is not considered stable.
|
||||
ln NOTICE LICENSE
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
chmod -x doc/ccapi/*.html
|
||||
|
||||
# Generate an FDS-compatible LDIF file.
|
||||
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
|
||||
@ -271,7 +257,7 @@ touch -r $inldif 60kerberos.ldif
|
||||
|
||||
# Rebuild the configure scripts.
|
||||
pushd src
|
||||
./util/reconf --verbose
|
||||
autoreconf -fiv
|
||||
popd
|
||||
|
||||
# Mess with some of the default ports that we use for testing, so that multiple
|
||||
@ -684,7 +670,6 @@ exit 0
|
||||
%files devel
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{_mandir}
|
||||
%doc doc/krb5-protocol
|
||||
%doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
|
||||
|
||||
%{_includedir}/*
|
||||
@ -724,6 +709,11 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1
|
||||
- New upstream release
|
||||
- Update selinux with RHEL hygene
|
||||
- Resolves: #1314096
|
||||
|
||||
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6
|
||||
- rebuild with OpenSSL 1.1.0, added backported upstream patch
|
||||
|
||||
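Review bot: Patch12 through Patch25 are dropped from the patch list in one step, while the new changelog entry only says "New upstream release", so nothing records that each of them is already carried by 1.15-beta1. Several are security-relevant (`Create-KDC-and-kadmind-log-files-with-mode-0640.patch`, the getrandom/OS-PRNG series, `Properly-handle-EOF-condition-on-libkrad-sockets.patch`, `krb5-1.14.4-openssl11.patch`), so a silent regression would matter. I would check each one against the new tarball and then add a changelog line such as `- Drop patches 12-25 (confirmed present in upstream 1.15-beta1)`. Separately, `Release: 1%{?dist}.beta1.0` looks like it will compare newer than a later `1%{?dist}` for the final 1.15, so the final build would need a higher Release to reach installed systems, and the changelog's `1.15-beta1-1` does not match that tag. This reading assumes the second line of each printed pair is the new side, since the page has lost its +/- markers.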
|
6
sources
6
sources
@ -1,3 +1,3 @@
|
||||
ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz
|
||||
1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc
|
||||
c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar
|
||||
fa2af49908afa204ab177fb997d8c17f krb5-1.15-beta1-pdfs.tar
|
||||
aeac2080eb2cb88d02ae1722e2681021 krb5-1.15-beta1.tar.gz
|
||||
dc8b927e0f6597767e222114540a6f3d krb5-1.15-beta1.tar.gz.asc
|
||||
|