RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/krb5#dc8775d11d7134f84024545f21b4561a6bd8dccf
This commit is contained in:
Troy Dawson 2020-11-18 14:34:00 -08:00
parent dcd44d26dc
commit 85d9be4ef7
46 changed files with 136 additions and 607 deletions

.gitignore vendored

@ -187,3 +187,5 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.18.1.tar.gz.asc
/krb5-1.18.2.tar.gz
/krb5-1.18.2.tar.gz.asc
/krb5-1.18.3.tar.gz
/krb5-1.18.3.tar.gz.asc


@ -1,4 +1,4 @@
From 6d36ea6fcfe281a8ce73fc5aa5c133f435d93fa4 Mon Sep 17 00:00:00 2001
From 2c8494a1b89d69da9de46ca2cb17f9e8f12eb9b5 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 20 Mar 2020 00:17:28 +0100
Subject: [PATCH] Add channel bindings tests
@ -10,17 +10,18 @@ changes]
ticket: 8900
(cherry picked from commit b0b21b6d25b06f3e2b365dfe9dd4c99b3d43bf57)
[rharwood@redhat.com: .gitignore]
[rharwood@redhat.com: slush around upstream not backporting reload,
gitignore]
---
src/plugins/gssapi/negoextest/main.c | 18 +++++
src/tests/gssapi/Makefile.in | 49 ++++++------
src/tests/gssapi/Makefile.in | 57 +++++++-------
src/tests/gssapi/common.c | 25 ++++--
src/tests/gssapi/common.h | 9 +++
src/tests/gssapi/deps | 4 +
src/tests/gssapi/t_bindings.c | 111 +++++++++++++++++++++++++++
src/tests/gssapi/t_bindings.py | 43 +++++++++++
src/tests/gssapi/t_negoex.py | 7 ++
8 files changed, 237 insertions(+), 29 deletions(-)
8 files changed, 242 insertions(+), 32 deletions(-)
create mode 100644 src/tests/gssapi/t_bindings.c
create mode 100644 src/tests/gssapi/t_bindings.py
@ -61,23 +62,25 @@ index 6c340f41b..72fc5273a 100644
* The unwrapped token sits at the end and is just one byte giving the
* remaining number of hops. The final octet of the mech encoding should
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 5cc1e0f58..68c132b79 100644
index 22a2f9480..cf7bcf451 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -9,33 +9,33 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \
@@ -8,34 +8,36 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \
-I$(srcdir)/../../lib/gssapi/generic -I../../lib/gssapi/krb5 \
-I../../lib/gssapi/generic
SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
-SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c $(srcdir)/reload.c \
- $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_ccselect.c \
- $(srcdir)/t_ciflags.c $(srcdir)/t_context.c $(srcdir)/t_credstore.c \
- $(srcdir)/t_enctypes.c $(srcdir)/t_err.c $(srcdir)/t_export_cred.c \
- $(srcdir)/t_export_name.c $(srcdir)/t_gssexts.c \
- $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c $(srcdir)/t_invalid.c \
- $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
+ $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_bindings.c \
+ $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c $(srcdir)/t_context.c \
+ $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c $(srcdir)/t_err.c \
+ $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
+SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
+ $(srcdir)/reload.c $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c \
+ $(srcdir)/t_bindings.c $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c \
+ $(srcdir)/t_context.c $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c \
+ $(srcdir)/t_err.c $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
+ $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
+ $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
@ -86,18 +89,20 @@ index 5cc1e0f58..68c132b79 100644
$(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
$(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
-OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_ccselect.o \
-OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o t_ccselect.o \
- t_ciflags.o t_context.o t_credstore.o t_enctypes.o t_err.o \
- t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \
- t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o t_iov.o \
- t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o t_s4u.o \
- t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o
+OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_bindings.o \
+ t_ccselect.o t_ciflags.o t_context.o t_credstore.o t_enctypes.o \
+ t_err.o t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o \
+ t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o \
+ t_iov.o t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o \
+ t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o
+
+OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o \
+ t_bindings.o t_ccselect.o t_ciflags.o t_context.o t_credstore.o \
+ t_enctypes.o t_err.o t_export_cred.o t_export_name.o t_gssexts.o \
+ t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o \
+ t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o t_oid.o \
+ t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
+ t_spnego.o t_srcattrs.o
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
@ -113,11 +118,11 @@ index 5cc1e0f58..68c132b79 100644
+ t_inq_mechs_name t_iov t_lifetime t_namingexts t_oid t_pcontok t_prf \
+ t_s4u t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
check-unix: t_oid
check-unix: t_oid reload
$(RUN_TEST) ./t_invalid
@@ -43,11 +43,12 @@ check-unix: t_oid
$(RUN_TEST) ./t_prf
@@ -44,11 +46,12 @@ check-unix: t_oid reload
$(RUN_TEST) ./t_imp_name
if [ -r $(TOPLIBD)/libgssapi_krb5.so ]; then $(RUN_TEST) ./reload; fi
-check-pytests: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags \
- t_context t_credstore t_enctypes t_err t_export_cred t_export_name \
@ -132,7 +137,7 @@ index 5cc1e0f58..68c132b79 100644
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS)
@@ -64,6 +65,8 @@ t_accname: t_accname.o $(COMMON_DEPS)
@@ -67,6 +70,8 @@ t_accname: t_accname.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS)
t_add_cred: t_add_cred.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_add_cred.o $(COMMON_LIBS)
@ -141,17 +146,20 @@ index 5cc1e0f58..68c132b79 100644
t_ccselect: t_ccselect.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS)
t_ciflags: t_ciflags.o $(COMMON_DEPS)
@@ -118,8 +121,8 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS)
@@ -121,9 +126,9 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS)
clean:
- $(RM) ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags
- $(RM) ccinit ccrefresh reload t_accname t_add_cred t_ccselect t_ciflags
- $(RM) t_context t_credstore t_enctypes t_err t_export_cred
+ $(RM) ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect
+ $(RM) t_ciflags t_context t_credstore t_enctypes t_err t_export_cred
$(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_invalid
$(RM) t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime
- $(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_invalid
- $(RM) t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime
+ $(RM) ccinit ccrefresh reload t_accname t_add_cred t_bindings
+ $(RM) t_ccselect t_ciflags t_context t_credstore t_enctypes t_err
+ $(RM) t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name
+ $(RM) t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime
$(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
$(RM) t_saslname t_spnego t_srcattrs
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 83e9d9bb8..7ba72f7b2 100644
--- a/src/tests/gssapi/common.c
@ -221,10 +229,10 @@ index ae11b51d4..a5c8f87e6 100644
* the token. */
void export_import_cred(gss_cred_id_t *cred);
diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps
index acd0e96f8..73e4d9a74 100644
index 55586de53..ca1d6e22a 100644
--- a/src/tests/gssapi/deps
+++ b/src/tests/gssapi/deps
@@ -33,6 +33,10 @@ $(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
@@ -35,6 +35,10 @@ $(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
common.h t_add_cred.c


@ -1,4 +1,4 @@
From 46ec975eb8f33b6d42c440758fc0deb826f87313 Mon Sep 17 00:00:00 2001
From 849bb23d0044b2ff315608784c0f96b81feb472f Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 10 Mar 2020 13:13:17 +0100
Subject: [PATCH] Add client_aware_channel_bindings option


@ -1,4 +1,4 @@
From 96a36ef54aecb48b71c1ae0cc85b83ef644c3bd0 Mon Sep 17 00:00:00 2001
From 73f1db69f99462b5109a5dd4e1a9476667bd3715 Mon Sep 17 00:00:00 2001
From: Jiri Sasek <Jiri.Sasek@Oracle.COM>
Date: Fri, 13 Mar 2020 19:02:58 +0100
Subject: [PATCH] Add finalization safety check to com_err


@ -1,97 +0,0 @@
From b7aca8b57422cdc67a2d2bff385f09646ca037bc Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 31 Oct 2020 17:07:05 -0400
Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
ticket: 8959 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd)
---
src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index a160cf4fe..cd6b879f7 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
static krb5_error_code
get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
const uint8_t **contents_out, size_t *clen_out,
- const uint8_t **remainder_out, size_t *rlen_out)
+ const uint8_t **remainder_out, size_t *rlen_out, int recursion)
{
krb5_error_code ret;
uint8_t o;
@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
/* Indefinite form (should not be present in DER, but we accept it). */
if (tag_out->construction != CONSTRUCTED)
return ASN1_MISMATCH_INDEF;
+ if (recursion >= 32)
+ return ASN1_OVERFLOW;
p = asn1;
while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
- ret = get_tag(p, len, &t, &c, &clen, &p, &len);
+ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
if (ret)
return ret;
}
@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out)
const uint8_t *contents, *remainder;
size_t clen, rlen;
- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
+ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
if (ret)
return ret;
if (rlen != 0)
@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len,
const uint8_t *rem;
size_t rlen;
if (!tag->implicit) {
- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
+ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
if (ret)
return ret;
/* Note: we don't check rlen (it should be 0). */
@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq,
for (i = 0; i < seq->n_fields; i++) {
if (len == 0)
break;
- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
if (ret)
goto error;
/*
@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
*seq_out = NULL;
*count_out = 0;
while (len > 0) {
- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
if (ret)
goto error;
if (!check_atype_tag(elemtype, &t)) {
@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
*retrep = NULL;
ret = get_tag((uint8_t *)code->data, code->length, &t, &contents,
- &clen, &remainder, &rlen);
+ &clen, &remainder, &rlen, 0);
if (ret)
return ret;
/* rlen should be 0, but we don't check it (and due to padding in


@ -1,4 +1,4 @@
From 538d787aa7c10894cc0426f54db0d8248efcf7c9 Mon Sep 17 00:00:00 2001
From 4da87d7fe288f3f7087dca8396d42abfd958b8e4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 Jun 2020 20:48:38 -0400
Subject: [PATCH] Add three kvno options from Heimdal kgetcred
@ -13,20 +13,21 @@ tests for the new options.
ticket: 8917 (new)
(cherry picked from commit 876bab8418d7dd134c9d9db812ee2118d5ad58f0)
[rharwood@redhat.com: slush around option unification]
---
doc/user/user_commands/kvno.rst | 13 ++++
src/clients/kvno/Makefile.in | 3 +
src/clients/kvno/kvno.c | 115 +++++++++++++++++++++++---------
src/clients/kvno/kvno.c | 112 +++++++++++++++++++++++---------
src/clients/kvno/t_kvno.py | 75 +++++++++++++++++++++
src/man/kvno.man | 13 ++++
5 files changed, 187 insertions(+), 32 deletions(-)
5 files changed, 185 insertions(+), 31 deletions(-)
create mode 100644 src/clients/kvno/t_kvno.py
diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst
index 3892f0ca5..718313576 100644
index 53e569651..6fd8577a5 100644
--- a/doc/user/user_commands/kvno.rst
+++ b/doc/user/user_commands/kvno.rst
@@ -74,6 +74,19 @@ OPTIONS
@@ -75,6 +75,19 @@ OPTIONS
client principal with the X.509 certificate in *cert_file*. The
certificate file must be in PEM format.
@ -61,17 +62,16 @@ index 1c3f79392..5ba877271 100644
$(RM) kvno.o kvno
diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index 2472c0cfe..9d85864f6 100644
index 8edd97361..c5f6bf700 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -44,14 +44,17 @@ xusage()
fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog);
fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | "
"[-F cert_file] [-P]]\n"));
- fprintf(stderr, _("\t[--u2u ccache] service1 service2 ...\n"));
+ fprintf(stderr, _("\t[--cached-only] [--no-store] [--out-cache ccache] "
+ "[--u2u ccache]\n"));
+ fprintf(stderr, _("\tservice1 service2 ...\n"));
@@ -47,15 +47,17 @@ xusage()
"[-u | -S sname]" XUSAGE_BREAK
"[[{-F cert_file | {-I | -U} for_user} [-P]] | "
"--u2u ccache]" XUSAGE_BREAK
+ "[--cached-only] [--no-store] [--out-cache] "
"service1 service2 ...\n"),
prog);
exit(1);
}
@ -86,7 +86,7 @@ index 2472c0cfe..9d85864f6 100644
const char *u2u_ccname);
#include <com_err.h>
@@ -61,18 +64,21 @@ static void extended_com_err_fn(const char *myprog, errcode_t code,
@@ -65,18 +67,21 @@ static void extended_com_err_fn(const char *myprog, errcode_t code,
int
main(int argc, char *argv[])
{
@ -115,7 +115,7 @@ index 2472c0cfe..9d85864f6 100644
setlocale(LC_ALL, "");
set_com_err_hook(extended_com_err_fn);
@@ -135,6 +141,12 @@ main(int argc, char *argv[])
@@ -139,6 +144,12 @@ main(int argc, char *argv[])
case OPTION_U2U:
u2u_ccname = optarg;
break;
@ -128,7 +128,7 @@ index 2472c0cfe..9d85864f6 100644
default:
xusage();
break;
@@ -159,8 +171,9 @@ main(int argc, char *argv[])
@@ -163,8 +174,9 @@ main(int argc, char *argv[])
xusage();
do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name,
@ -140,7 +140,7 @@ index 2472c0cfe..9d85864f6 100644
return 0;
}
@@ -274,14 +287,16 @@ static krb5_error_code
@@ -278,14 +290,16 @@ static krb5_error_code
kvno(const char *name, krb5_ccache ccache, krb5_principal me,
krb5_enctype etype, krb5_keytab keytab, const char *sname,
krb5_flags options, int unknown, krb5_principal for_user_princ,
@ -159,7 +159,7 @@ index 2472c0cfe..9d85864f6 100644
memset(&in_creds, 0, sizeof(in_creds));
if (sname != NULL) {
@@ -321,13 +336,12 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
@@ -325,13 +339,12 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
in_creds.client = for_user_princ;
in_creds.server = me;
ret = krb5_get_credentials_for_user(context, options, ccache,
@ -175,7 +175,7 @@ index 2472c0cfe..9d85864f6 100644
}
if (ret) {
@@ -336,7 +350,7 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
@@ -340,7 +353,7 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
}
/* We need a native ticket. */
@ -184,7 +184,7 @@ index 2472c0cfe..9d85864f6 100644
if (ret) {
com_err(prog, ret, _("while decoding ticket for %s"), princ);
goto cleanup;
@@ -362,15 +376,15 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
@@ -366,15 +379,15 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
}
if (proxy) {
@ -205,7 +205,7 @@ index 2472c0cfe..9d85864f6 100644
krb5_free_principal(context, in_creds.client);
if (ret) {
com_err(prog, ret, _("%s: constrained delegation failed"),
@@ -379,10 +393,13 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
@@ -383,10 +396,13 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
}
}
@ -220,7 +220,7 @@ index 2472c0cfe..9d85864f6 100644
krb5_free_unparsed_name(context, princ);
return ret;
}
@@ -428,19 +445,28 @@ cleanup:
@@ -432,19 +448,28 @@ cleanup:
static void
do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
@ -255,7 +255,7 @@ index 2472c0cfe..9d85864f6 100644
ret = krb5_init_context(&context);
if (ret) {
@@ -467,6 +493,14 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
@@ -471,6 +496,14 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
exit(1);
}
@ -270,7 +270,7 @@ index 2472c0cfe..9d85864f6 100644
if (keytab_name != NULL) {
ret = krb5_kt_resolve(context, keytab_name, &keytab);
if (ret) {
@@ -513,8 +547,25 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
@@ -517,8 +550,25 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
errors = 0;
for (i = 0; i < count; i++) {
if (kvno(names[i], ccache, me, etype, keytab, sname, options, unknown,
@ -379,10 +379,10 @@ index 000000000..e98b90e8a
+
+success('kvno tests')
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 005a2ec97..b9f6739eb 100644
index 9eb9e1852..7c9565bdb 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -95,6 +95,19 @@ Specifies that protocol transition is to be used, identifying the
@@ -96,6 +96,19 @@ Specifies that protocol transition is to be used, identifying the
client principal with the X.509 certificate in \fIcert_file\fP\&. The
certificate file must be in PEM format.
.TP
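Review bot: The usage line added in the kvno.c xusage() hunk prints `[--out-cache]` without its argument, although the previous revision of this patch printed `[--out-cache ccache]` and the neighbouring `--u2u ccache` entry in the same string follows that convention; the option appears to take a ccache name, which this usage text now hides from the user. Change the added line to `"[--cached-only] [--no-store] [--out-cache ccache] "`. If the rst and man page hunks in this section (their bodies are not visible here) document the option with an argument, the usage text should agree with them. xusage() begins outside the visible hunk.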


@ -1,4 +1,4 @@
From 758f5031fe9d6c1e3eb33818bc6d57cf8b4a3a72 Mon Sep 17 00:00:00 2001
From 833dfff1a11da3b1b9cf45a2bb09f17efa49cdba Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 22 Sep 2020 01:11:39 +0300
Subject: [PATCH] Adjust KDC alias helper function contract


@ -1,4 +1,4 @@
From ccc5b9663e229f20421c01836aa5ecb06f1f2a48 Mon Sep 17 00:00:00 2001
From e976a70ff23e600a76d1c3134f9c2f80753b6679 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 22 Sep 2020 01:17:11 +0300
Subject: [PATCH] Allow aliases when matching U2U second ticket


@ -1,4 +1,4 @@
From 5b62f6f6a960e5a428a39a3e83e0a16dba5a914a Mon Sep 17 00:00:00 2001
From c18034484eadb0f32cef384197d1185aa50c3adb Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Feb 2020 15:58:59 -0500
Subject: [PATCH] Allow certauth modules to set hw-authent flag


@ -1,49 +0,0 @@
From 594c9d225f470e73a46dd2a85c5e50571e90598c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 11 Jul 2020 21:57:30 -0400
Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens
Windows Remote Management, when used with an RC4 session key, appears
to generate GSS wrap tokens with no padding instead of the expected
one byte (RFC 4757 section 7.3). These tokens cannot be decoded with
gss_unwrap() or a STREAM buffer (even with Microsoft SSPI), but SSPI
allows them to be decoded using explicit IOVs with either a
zero-length padding buffer or no padding buffer. Allow these cases to
work in kg_fixup_padding_iov(). (It is already possible to make this
work with HEADER | DATA | DATA, but only by
accident--kg_fixup_padding_iov() doesn't find a data buffer because
kg_locate_iov() only looks for singleton buffers, so it exits early.)
ticket: 8926 (new)
tags: pullup
target_version: 1.18-next
(cherry picked from commit 3f204ddd567715ef360b4bb0b32961b6a9877f9d)
---
src/lib/gssapi/krb5/util_crypt.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index f7d3e92c4..d6c71aeb8 100644
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -638,16 +638,13 @@ kg_fixup_padding_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *iov,
data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA);
padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
- if (data == NULL) {
+ /* Do nothing if padding is absent or empty, to allow unwrapping of WinRM
+ * unpadded RC4 tokens using an explicit IOV array. */
+ if (data == NULL || padding == NULL || padding->buffer.length == 0) {
*minor_status = 0;
return GSS_S_COMPLETE;
}
- if (padding == NULL || padding->buffer.length == 0) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
p = (unsigned char *)padding->buffer.value;
padlength = p[padding->buffer.length - 1];


@ -1,4 +1,4 @@
From dd8b146093d4bdf8a7d0c0eb8156b62d090448d7 Mon Sep 17 00:00:00 2001
From e0fc680b2fb51513993c4cdaa2c25b292f57a073 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 30 Sep 2020 02:12:00 -0400
Subject: [PATCH] Avoid passing DB entry structures in KDC


@ -1,4 +1,4 @@
From f56afbeb7848322f3208edd55f2c12a9e32127f0 Mon Sep 17 00:00:00 2001
From 24c5e1ad937505a03628547ed7a5c6060a2b0ff2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 30 Mar 2020 15:26:02 -0400
Subject: [PATCH] Correctly import "service@" GSS host-based name


@ -1,4 +1,4 @@
From c3d2c3bcafe0ac87d9cbbf37f1488ad642627fc3 Mon Sep 17 00:00:00 2001
From 6bdab27ef3dfcefb8426f2ea4e06bbdbd1141b16 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 27 May 2020 18:48:35 -0400
Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"


@ -1,4 +1,4 @@
From 51a9f8e7498591b22558a7a61d42a821030f9c4e Mon Sep 17 00:00:00 2001
From c7abf942c66b2ba543cf412f12562e9bb8ee260a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2020 10:11:49 +0100
Subject: [PATCH] Do expiration warnings for all init_creds APIs


@ -1,93 +0,0 @@
From b27a2f1f330afed53b034a66031f9a801b4568b7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 23 Mar 2020 19:10:03 -0400
Subject: [PATCH] Eliminate redundant PKINIT responder invocation
In pkinit_client_prep_questions(), only act if the input padata type
is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when
the KDC issues a ticket.
Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242)
unintentionally changed the behavior of pkinit_load_fs_cert_and_key(),
causing pkinit_client_prep_questions() to do nothing on its first
call. Restore the original behavior of returning 0 when prompting is
deferred.
Modify the existing "FILE identity, password on key (responder)"
PKINIT test to check that the responder is only invoked once.
ticket: 8885
(cherry picked from commit f1286842ce7b9e507a4ce0a47f44ab361a98be63)
---
src/plugins/preauth/pkinit/pkinit_clnt.c | 5 +++++
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 13 +++++++------
src/tests/t_pkinit.py | 11 +++++++----
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2f0431991..9b991ffe0 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -897,6 +897,11 @@ pkinit_client_prep_questions(krb5_context context,
k5_json_object jval = NULL;
k5_json_number jflag = NULL;
+ /* Don't ask questions for the informational padata items or when the
+ * ticket is issued. */
+ if (pa_data->pa_type != KRB5_PADATA_PK_AS_REQ)
+ return 0;
+
if (!reqctx->identity_initialized) {
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index dd718c2be..dbb054378 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4362,17 +4362,18 @@ pkinit_load_fs_cert_and_key(krb5_context context,
/* Load the certificate. */
retval = get_cert(certname, &x);
- if (retval != 0 || x == NULL) {
- retval = oerr(context, 0, _("Cannot read certificate file '%s'"),
+ if (retval) {
+ retval = oerr(context, retval, _("Cannot read certificate file '%s'"),
certname);
- goto cleanup;
}
+ if (retval || x == NULL)
+ goto cleanup;
/* Load the key. */
retval = get_key(context, id_cryptoctx, keyname, fsname, &y, password);
- if (retval != 0 || y == NULL) {
- retval = oerr(context, 0, _("Cannot read key file '%s'"), fsname);
+ if (retval)
+ retval = oerr(context, retval, _("Cannot read key file '%s'"), fsname);
+ if (retval || y == NULL)
goto cleanup;
- }
id_cryptoctx->creds[cindex] = malloc(sizeof(struct _pkinit_cred_info));
if (id_cryptoctx->creds[cindex] == NULL) {
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 69daf4987..ecd450e8a 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -248,10 +248,13 @@ realm.run(['./adata', realm.host_princ],
# supplied by the responder.
# Supply the response in raw form.
mark('FILE identity, password on key (responder)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
- '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
- '-X', 'X509_user_identity=%s' % file_enc_identity,
- realm.user_princ])
+out = realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity,
+ realm.user_princ])
+# Regression test for #8885 (password question asked twice).
+if out.count('OK: ') != 1:
+ fail('Wrong number of responder calls')
# Supply the response through the convenience API.
realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
'-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])


@ -1,58 +0,0 @@
From 5b42970afea248889fd3350448a40045d467ff3f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 28 Jul 2020 12:58:26 -0400
Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
ticket: 8933 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
---
src/lib/gssapi/spnego/spnego_mech.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 4cf011143..13c351620 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3462,14 +3462,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
unsigned char *start;
int i;
- if (**buff_in != SEQUENCE_OF)
+ if (buff_length < 1 || **buff_in != SEQUENCE_OF)
return (NULL);
start = *buff_in;
(*buff_in)++;
- length = gssint_get_der_length(buff_in, buff_length, &bytes);
- if (length < 0 || buff_length - bytes < (unsigned int)length)
+ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
+ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
return NULL;
major_status = gss_create_empty_oid_set(minor_status,
@@ -3549,11 +3549,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
{
unsigned int len;
- if (**buff_in != (CONTEXT | 0x01))
+ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
return (0);
if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
- bodysize, &len) < 0)
+ bodysize, &len) < 0 || len != 4)
return GSS_S_DEFECTIVE_TOKEN;
if (*(*buff_in)++ != BIT_STRING)


@ -1,4 +1,4 @@
From ff47523d7d812fba24106f416aafa5d1f2c433a2 Mon Sep 17 00:00:00 2001
From 4b2176eaad00630890abe4b458cbc31f05b2b9c0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 24 Jul 2020 16:05:24 -0400
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support


@ -1,4 +1,4 @@
From c3d96fca46cb2cc3ee9f4c2e2a4ed98bad3e310a Mon Sep 17 00:00:00 2001
From 0de060366a1b75df47189f5cc0a7a92685cbe1d7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 15 Oct 2020 18:15:29 -0400
Subject: [PATCH] Fix minor static analysis defects


@ -1,4 +1,4 @@
From bf8567ed95991628f198e88403e30f78e2d74e15 Mon Sep 17 00:00:00 2001
From 5399eaea6c5e00c4e96fa5507aa50dd643337194 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 May 2020 15:01:18 -0400
Subject: [PATCH] Fix typo ("in in") in the ksu man page
@ -23,7 +23,7 @@ index 8d6c7ef79..933738229 100644
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 81e34815d..8d4c6a359 100644
index a1972518c..b07a4b05d 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -176,7 +176,7 @@ wrong password is typed in, ksu fails.


@ -1,4 +1,4 @@
From e74f9424e47ab914c46e549fc5a2cbdf2615ef93 Mon Sep 17 00:00:00 2001
From 6931f8ed0fd8c9f634e1e48f1e8926022610fc3f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 15 Jul 2020 15:42:20 -0400
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()


@ -1,4 +1,4 @@
From 651b9b8084ecff5553b7ef6ee723ce7c4438a9d8 Mon Sep 17 00:00:00 2001
From 40093f65c58ab78a050860ce41560595aa8ecf7e Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Jul 2017 11:38:30 -0400
Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG


@ -1,4 +1,4 @@
From bc89c6c720c4170d43010fead23550b80499c32a Mon Sep 17 00:00:00 2001
From 2250babfa6fc6590d50fc9c9beb267ba280ff685 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 9 Mar 2020 16:04:21 +0100
Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)


@ -1,4 +1,4 @@
From ed87237cdd70f72b309960a294a2bed26cef1579 Mon Sep 17 00:00:00 2001
From dc03b33af17f2014baaa29412a1787cbcb140a62 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 4 Sep 2020 14:05:50 +0300
Subject: [PATCH] Improve KDC alias checking for S4U requests


@ -1,4 +1,4 @@
From 4c96c8fef146337b7d3c0ebb4118a18818dd1f4e Mon Sep 17 00:00:00 2001
From d604359e2f0bce65f08d0d805e0795e29287109c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 9 Jun 2020 16:23:37 -0400
Subject: [PATCH] Improve negoex_parse_token() code hygiene


@ -1,4 +1,4 @@
From 5e79319edf3836d12dbc710ec1e2dd4405c9df35 Mon Sep 17 00:00:00 2001
From ce60c549887a7732a6079d6e7111eb645f279781 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Sep 2020 11:12:34 -0400
Subject: [PATCH] Minimize usage of tgs_server in KDC


@ -1,4 +1,4 @@
From f0ac5c1efef5401f669dc176e62c09b0b01fa2d0 Mon Sep 17 00:00:00 2001
From a9144f5238b91949f32355f5ab88e2ade734eb06 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 6 May 2020 16:03:13 -0400
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests


@ -1,4 +1,4 @@
From 5251097c927f476fe83ffe544b73fd2d785aaf2a Mon Sep 17 00:00:00 2001
From 8fc932c8f75e4332aa7dc6c4862cb881308b6813 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 6 Jun 2020 11:03:37 +0200
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum


@ -1,4 +1,4 @@
From 17d9b74328f247de5f9d820ae008726632d11d2a Mon Sep 17 00:00:00 2001
From 19ef4a378a8fe483e82b1b4f979a7ffcb264325e Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 28 Apr 2020 18:15:55 +0200
Subject: [PATCH] Pass channel bindings through SPNEGO
@ -125,7 +125,7 @@ index 18d9d4147..8848ee4db 100644
if (major != GSS_S_COMPLETE && mech_output_token.length == 0)
goto cleanup;
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 594fc5894..4cf011143 100644
index f4a042478..2327cd927 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -130,6 +130,7 @@ init_ctx_reselect(OM_uint32 *, spnego_gss_ctx_id_t, OM_uint32,
@ -147,7 +147,7 @@ index 594fc5894..4cf011143 100644
static gss_OID
negotiate_mech(spnego_gss_ctx_id_t, gss_OID_set, OM_uint32 *);
@@ -905,6 +906,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
@@ -906,6 +907,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
OM_uint32 req_flags,
OM_uint32 time_req,
gss_buffer_t mechtok_in,
@ -155,7 +155,7 @@ index 594fc5894..4cf011143 100644
gss_buffer_t mechtok_out,
OM_uint32 *time_rec,
send_token_flag *send_token)
@@ -921,15 +923,14 @@ init_ctx_call_init(OM_uint32 *minor_status,
@@ -922,15 +924,14 @@ init_ctx_call_init(OM_uint32 *minor_status,
if (gss_oid_equal(sc->internal_mech, &negoex_mech)) {
ret = negoex_init(minor_status, sc, mcred, target_name,
mech_req_flags, time_req, mechtok_in,
@ -175,7 +175,7 @@ index 594fc5894..4cf011143 100644
}
/* Bail out if the acceptor gave us an error token but the mech didn't
@@ -981,8 +982,8 @@ init_ctx_call_init(OM_uint32 *minor_status,
@@ -982,8 +983,8 @@ init_ctx_call_init(OM_uint32 *minor_status,
gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);
tmpret = init_ctx_call_init(&tmpmin, sc, spcred, acc_negState,
target_name, req_flags, time_req,
@ -186,7 +186,7 @@ index 594fc5894..4cf011143 100644
if (HARD_ERROR(tmpret))
goto fail;
*minor_status = tmpmin;
@@ -1004,7 +1005,7 @@ spnego_gss_init_sec_context(
@@ -1005,7 +1006,7 @@ spnego_gss_init_sec_context(
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@ -195,7 +195,7 @@ index 594fc5894..4cf011143 100644
gss_buffer_t input_token,
gss_OID *actual_mech,
gss_buffer_t output_token,
@@ -1084,8 +1085,8 @@ spnego_gss_init_sec_context(
@@ -1085,8 +1086,8 @@ spnego_gss_init_sec_context(
if (!spnego_ctx->mech_complete) {
ret = init_ctx_call_init(minor_status, spnego_ctx, spcred,
acc_negState, target_name, req_flags,
@ -206,7 +206,7 @@ index 594fc5894..4cf011143 100644
if (ret != GSS_S_COMPLETE)
goto cleanup;
@@ -1542,8 +1543,9 @@ cleanup:
@@ -1543,8 +1544,9 @@ cleanup:
static OM_uint32
acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
spnego_gss_cred_id_t spcred, gss_buffer_t mechtok_in,
@ -218,7 +218,7 @@ index 594fc5894..4cf011143 100644
{
OM_uint32 ret, tmpmin;
gss_OID_desc mechoid;
@@ -1568,13 +1570,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
@@ -1569,13 +1571,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred;
if (negoex) {
ret = negoex_accept(minor_status, sc, mcred, mechtok_in,
@ -234,7 +234,7 @@ index 594fc5894..4cf011143 100644
&sc->internal_name,
&sc->actual_mech, mechtok_out,
&sc->ctx_flags, time_rec,
@@ -1620,7 +1621,7 @@ spnego_gss_accept_sec_context(
@@ -1621,7 +1622,7 @@ spnego_gss_accept_sec_context(
gss_ctx_id_t *context_handle,
gss_cred_id_t verifier_cred_handle,
gss_buffer_t input_token,
@ -243,7 +243,7 @@ index 594fc5894..4cf011143 100644
gss_name_t *src_name,
gss_OID *mech_type,
gss_buffer_t output_token,
@@ -1734,8 +1735,8 @@ spnego_gss_accept_sec_context(
@@ -1735,8 +1736,8 @@ spnego_gss_accept_sec_context(
*/
if (negState != REQUEST_MIC && mechtok_in != GSS_C_NO_BUFFER) {
ret = acc_ctx_call_acc(minor_status, sc, spcred, mechtok_in,


@ -1,4 +1,4 @@
From cec820485e8b854fe3ee42d0a67a77e7ad20595e Mon Sep 17 00:00:00 2001
From fb89e83451519aed051bb129f3cf9cc34cde702f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 26 Apr 2020 19:55:54 -0400
Subject: [PATCH] Pass gss_localname() through SPNEGO
@ -30,7 +30,7 @@ index a93763314..066ec736f 100644
(
OM_uint32 *minor_status,
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index ec0bae6a4..594fc5894 100644
index b3010c201..f4a042478 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -237,7 +237,7 @@ static struct gss_config spnego_mechanism =
@ -42,7 +42,7 @@ index ec0bae6a4..594fc5894 100644
NULL, /* gss_userok */
NULL, /* gss_export_name */
spnego_gss_duplicate_name, /* gss_duplicate_name */
@@ -2371,6 +2371,13 @@ spnego_gss_wrap_size_limit(
@@ -2372,6 +2372,13 @@ spnego_gss_wrap_size_limit(
return (ret);
}


@ -1,4 +1,4 @@
From 9335481c00cd15170adec244ccff0a00a014bbab Mon Sep 17 00:00:00 2001
From 00245d789edc6cf6263540d7c9d7ee45bbac58ce Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 5 Feb 2020 18:46:11 -0500
Subject: [PATCH] Refactor KDC authdata list management helpers


@ -1,4 +1,4 @@
From c90cef2ebfbefc595798dd5dbb805575e1be0fbf Mon Sep 17 00:00:00 2001
From 544c37e2928f2585708e36f77a6b0baa52c3c541 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 30 Jun 2017 16:03:01 -0400
Subject: [PATCH] Refactor krb5 GSS checksum handling


@ -1,4 +1,4 @@
From 7316aaa0e9249a88e919f2596d881f78970548bc Mon Sep 17 00:00:00 2001
From e1762f16fe4d900903c5395cc3268f9b78835100 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 26 Feb 2020 18:27:17 -0500
Subject: [PATCH] Refresh manually acquired creds from client keytab


@ -1,4 +1,4 @@
From 3e75969e0c0a52ec3ca8195200fcdadaa63b324f Mon Sep 17 00:00:00 2001
From 8a2cd84c047ef7500dc8149ed6ace8e9fa631cad Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 28 May 2020 18:41:02 -0400
Subject: [PATCH] Remove resolver test utility


@ -1,4 +1,4 @@
From 404cc1152880a567fc27bb7c691a1a732692bbf9 Mon Sep 17 00:00:00 2001
From e2ad633616a3f4db91bbd332d778df93e4bdb652 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 15 Feb 2020 20:34:23 -0500
Subject: [PATCH] Replace gssrpc tests with a Python script


@ -1,185 +0,0 @@
From 52e3695cc5ef00766e12adfe8ed276c2885e71bb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 20 Aug 2020 17:49:29 -0400
Subject: [PATCH] Unify kvno option documentation
Add missing kvno options to the kvno.rst synopsis and option
descriptions, and to the kvno usage message. Remove mention of '-h'
(help text), from kvno.rst as it is an implicit option. Note that the
three new caching options were added in release 1.19.
Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options)
and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than
running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of
KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
ticket: 7476
tags: pullup
target_version: 1.18-next
(cherry picked from commit becd1ad6830b526d08ddaf5b2b6f213154c6446c)
---
doc/user/user_commands/kvno.rst | 24 +++++++++++++-----------
src/clients/kvno/kvno.c | 15 +++++++++------
src/man/kvno.man | 24 +++++++++++++-----------
3 files changed, 35 insertions(+), 28 deletions(-)
diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst
index 718313576..65c44e1c0 100644
--- a/doc/user/user_commands/kvno.rst
+++ b/doc/user/user_commands/kvno.rst
@@ -10,13 +10,9 @@ SYNOPSIS
[**-c** *ccache*]
[**-e** *etype*]
[**-q**]
-[**-h**]
+[**-u** | **-S** *sname*]
[**-P**]
-[**-S** *sname*]
-[**-I** *for_user*]
-[**-U** *for_user*]
-[**-F** *cert_file*]
-[**--u2u** *ccache*]
+[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*]
*service1 service2* ...
@@ -39,13 +35,18 @@ OPTIONS
of all the services named on the command line. This is useful in
certain backward compatibility situations.
+**-k** *keytab*
+ Decrypt the acquired tickets using *keytab* to confirm their
+ validity.
+
**-q**
Suppress printing output when successful. If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.
-**-h**
- Prints a usage statement and exits.
+**-u**
+ Use the unknown name type in requested service principal names.
+ This option Cannot be used with *-S*.
**-P**
Specifies that the *service1 service2* ... arguments are to be
@@ -76,16 +77,17 @@ OPTIONS
**--cached-only**
Only retrieve credentials already present in the cache, not from
- the KDC.
+ the KDC. (Added in release 1.19.)
**--no-store**
Do not store retrieved credentials in the cache. If
**--out-cache** is also specified, credentials will still be
- stored into the output credential cache.
+ stored into the output credential cache. (Added in release 1.19.)
**--out-cache** *ccache*
Initialize *ccache* and store all retrieved credentials into it.
- Do not store acquired credentials in the input cache.
+ Do not store acquired credentials in the input cache. (Added in
+ release 1.19.)
**--u2u** *ccache*
Requests a user-to-user ticket. *ccache* must contain a local
diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index 9d85864f6..c5f6bf700 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -38,15 +38,18 @@
static char *prog;
static int quiet = 0;
+#define XUSAGE_BREAK "\n\t"
+
static void
xusage()
{
- fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog);
- fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | "
- "[-F cert_file] [-P]]\n"));
- fprintf(stderr, _("\t[--cached-only] [--no-store] [--out-cache ccache] "
- "[--u2u ccache]\n"));
- fprintf(stderr, _("\tservice1 service2 ...\n"));
+ fprintf(stderr, _("usage: %s [-c ccache] [-e etype] [-k keytab] [-q] "
+ "[-u | -S sname]" XUSAGE_BREAK
+ "[[{-F cert_file | {-I | -U} for_user} [-P]] | "
+ "--u2u ccache]" XUSAGE_BREAK
+ "[--cached-only] [--no-store] [--out-cache] "
+ "service1 service2 ...\n"),
+ prog);
exit(1);
}
diff --git a/src/man/kvno.man b/src/man/kvno.man
index b9f6739eb..22318324d 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -36,13 +36,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-c\fP \fIccache\fP]
[\fB\-e\fP \fIetype\fP]
[\fB\-q\fP]
-[\fB\-h\fP]
+[\fB\-u\fP | \fB\-S\fP \fIsname\fP]
[\fB\-P\fP]
-[\fB\-S\fP \fIsname\fP]
-[\fB\-I\fP \fIfor_user\fP]
-[\fB\-U\fP \fIfor_user\fP]
-[\fB\-F\fP \fIcert_file\fP]
-[\fB\-\-u2u\fP \fIccache\fP]
+[[{\fB\-F\fP \fIcert_file\fP | {\fB\-I\fP | \fB\-U\fP} \fIfor_user\fP} [\fB\-P\fP]] | \fB\-\-u2u\fP \fIccache\fP]
\fIservice1 service2\fP ...
.SH DESCRIPTION
.sp
@@ -60,13 +56,18 @@ Specifies the enctype which will be requested for the session key
of all the services named on the command line. This is useful in
certain backward compatibility situations.
.TP
+\fB\-k\fP \fIkeytab\fP
+Decrypt the acquired tickets using \fIkeytab\fP to confirm their
+validity.
+.TP
\fB\-q\fP
Suppress printing output when successful. If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.
.TP
-\fB\-h\fP
-Prints a usage statement and exits.
+\fB\-u\fP
+Use the unknown name type in requested service principal names.
+This option Cannot be used with \fI\-S\fP\&.
.TP
\fB\-P\fP
Specifies that the \fIservice1 service2\fP ... arguments are to be
@@ -97,16 +98,17 @@ certificate file must be in PEM format.
.TP
\fB\-\-cached\-only\fP
Only retrieve credentials already present in the cache, not from
-the KDC.
+the KDC. (Added in release 1.19.)
.TP
\fB\-\-no\-store\fP
Do not store retrieved credentials in the cache. If
\fB\-\-out\-cache\fP is also specified, credentials will still be
-stored into the output credential cache.
+stored into the output credential cache. (Added in release 1.19.)
.TP
\fB\-\-out\-cache\fP \fIccache\fP
Initialize \fIccache\fP and store all retrieved credentials into it.
-Do not store acquired credentials in the input cache.
+Do not store acquired credentials in the input cache. (Added in
+release 1.19.)
.TP
\fB\-\-u2u\fP \fIccache\fP
Requests a user\-to\-user ticket. \fIccache\fP must contain a local


@ -1,4 +1,4 @@
From 3e0d464f55320b393e32285f31710c24758a9101 Mon Sep 17 00:00:00 2001
From e12c670bceb08413f797ecd643675a4a80dac824 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 4 Mar 2020 17:18:51 -0500
Subject: [PATCH] Use two queues for concurrent t_otp.py daemons


@ -1,4 +1,4 @@
From 30ece66508c8e10f704cd2860dfd421ebee15897 Mon Sep 17 00:00:00 2001
From c06693e5a17daf0fd585e608e8bfd1eb3eef447c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] [downstream] Adjust build configuration


@ -1,4 +1,4 @@
From bf8521bfaa4a4d54f6eb94f785c68942f4afa055 Mon Sep 17 00:00:00 2001
From a983f32cfd2ec3f0571db347426835e8fc7c8464 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4


@ -1,4 +1,4 @@
From c920b585b8400ef44684c673c54264657195f3ce Mon Sep 17 00:00:00 2001
From 603a735ba52b50541520e53b031be47817de2fd5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support
@ -5552,7 +5552,7 @@ index 85a9574f3..3ce2a90ce 100644
code = 0;
retval = GSS_S_BAD_SIG;
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 80954aff7..f7d3e92c4 100644
index ddb0af8fc..d6c71aeb8 100644
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey,


@ -1,4 +1,4 @@
From f8c70f6190a0573e2aca0b40964cf3b1a73ca8bb Mon Sep 17 00:00:00 2001
From 2c4d04d1da4dbb1a312db965f3392d7d0bc67a17 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration
@ -67,10 +67,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 830203683..6796fec53 100644
index 59621e3e7..398eca7e4 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@ -78,7 +78,7 @@ index 830203683..6796fec53 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS)
@@ -1739,4 +1740,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -253,7 +253,7 @@ index 79761f6d2..e9435c693 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 301e3476d..19f2cc230 100644
index ff2f25050..e3457622a 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -288,7 +288,7 @@ index 301e3476d..19f2cc230 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index fdcd694d7..1ede4bf2f 100644
index 38d76b3b1..eb6966f2d 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -872,7 +872,7 @@ write_pid_file(const char *path)


@ -1,4 +1,4 @@
From 040dd62418b918adc993b9cc3e1e80fc232286c4 Mon Sep 17 00:00:00 2001
From b1eeb9caf1e1fec23d92f163086ec168fbaf74e5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF


@ -1,4 +1,4 @@
From c6e103db0eb02c31a13b8cbcbae296c473074991 Mon Sep 17 00:00:00 2001
From 126569bf428c546b938b9fec5b12851f09d61c94 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c


@ -1,4 +1,4 @@
From 9feb7298b90d3e6a34821fce7315757c0bf81c9e Mon Sep 17 00:00:00 2001
From a5a642c33a2f57d24c1cfa8ca3e286418206ab55 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 2394f7e33..830203683 100644
index 8709a7f5d..59621e3e7 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then
@@ -1671,3 +1671,72 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl


@ -1,4 +1,4 @@
From 4254bee1b97edeb0848efce635bcf1b56306f968 Mon Sep 17 00:00:00 2001
From 23bce0aef64454bf808b9885967b04abafcf7917 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] [downstream] netlib and dns
@ -11,10 +11,10 @@ Last-updated: krb5-1.3.1
1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 6796fec53..c4358988a 100644
index 398eca7e4..7ef2db56b 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -724,6 +724,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
@@ -720,6 +720,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi


@ -16,9 +16,9 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
Version: 1.18.3
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 30%{?dist}
Release: 2%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -50,7 +50,6 @@ Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
Patch13: Add-finalization-safety-check-to-com_err.patch
Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
Patch15: Correctly-import-service-GSS-host-based-name.patch
Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
Patch17: Pass-gss_localname-through-SPNEGO.patch
@ -68,12 +67,9 @@ Patch29: Add-client_aware_channel_bindings-option.patch
Patch30: Pass-channel-bindings-through-SPNEGO.patch
Patch31: Add-channel-bindings-tests.patch
Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
Patch36: Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
Patch37: Add-three-kvno-options-from-Heimdal-kgetcred.patch
Patch38: Unify-kvno-option-documentation.patch
Patch39: Improve-KDC-alias-checking-for-S4U-requests.patch
Patch40: Adjust-KDC-alias-helper-function-contract.patch
Patch41: Allow-aliases-when-matching-U2U-second-ticket.patch
@ -81,7 +77,6 @@ Patch42: Refactor-KDC-authdata-list-management-helpers.patch
Patch43: Avoid-passing-DB-entry-structures-in-KDC.patch
Patch44: Minimize-usage-of-tgs_server-in-KDC.patch
Patch45: Fix-minor-static-analysis-defects.patch
Patch46: Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -632,6 +627,12 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Nov 18 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-2
- Fix build failure in -1
* Wed Nov 18 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-1
- New upstream version (1.18.3)
* Tue Nov 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-30
- Migrate /var/run to /run, an exercise in pointlessness
- Resolves: #1898410
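Review bot: The 1.18.3-1 changelog entry records only `- New upstream version (1.18.3)`, while the three Patch-list hunks above (-50,7 +50,6; -68,12 +67,9; -81,7 +77,6) drop five PatchN lines without saying why. The lines shown in those hunks include hardening fixes such as Fix-input-length-checking-in-SPNEGO-DER-decoding.patch and Add-recursion-limit-for-ASN.1-indefinite-lengths.patch, so someone auditing which fixes are still applied cannot tell from the spec whether a dropped patch is contained in 1.18.3 or was simply removed; the rendered view does not show which five were deleted. Presumably they were dropped because the upstream release carries them; if so, say it in the changelog, e.g. `- Drop patches merged upstream in 1.18.3` followed by the patch names, so the bug/CVE trail for those fixes stays intact.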


@ -1,2 +1,2 @@
SHA512 (krb5-1.18.2.tar.gz) = 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
SHA512 (krb5-1.18.2.tar.gz.asc) = 70775a06104b4d792d278da2efa92e94ddacb4ea319bfe2b253f5afcfec27f3bc5ddd12560294a265e3cf3d4fc74bcbfc3f5eeff8634d66c00d67e18dc93a74a
SHA512 (krb5-1.18.3.tar.gz) = cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01
SHA512 (krb5-1.18.3.tar.gz.asc) = 7c5a83e13d00910d895d545ed63310ebec48c90c29846dd54e48048f710360e8306778729b636baa091a4e9048998ff6d4dfe37f88dd6292540d55678c961a30