From 85d9be4ef795e9a8241d17c06d2456028867d72a Mon Sep 17 00:00:00 2001 
From: Troy Dawson
Date: Wed, 18 Nov 2020 14:34:00 -0800
Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/krb5#dc8775d11d7134f84024545f21b4561a6bd8dccf
---
 .gitignore | 2 +
 Add-channel-bindings-tests.patch | 68 ++++---
 ...client_aware_channel_bindings-option.patch | 2 +-
 ...finalization-safety-check-to-com_err.patch | 2 +-
 ...n-limit-for-ASN.1-indefinite-lengths.patch | 97 --------
 ...e-kvno-options-from-Heimdal-kgetcred.patch | 54 ++---
 ...t-KDC-alias-helper-function-contract.patch | 2 +-
 ...ases-when-matching-U2U-second-ticket.patch | 2 +-
 ...tauth-modules-to-set-hw-authent-flag.patch | 2 +-
 ...ss_unwrap_iov-of-unpadded-RC4-tokens.patch | 49 -----
 ...d-passing-DB-entry-structures-in-KDC.patch | 2 +-
 ...y-import-service-GSS-host-based-name.patch | 2 +-
 ...ns_canonicalize_hostname-to-fallback.patch | 2 +-
 ...ion-warnings-for-all-init_creds-APIs.patch | 2 +-
 ...edundant-PKINIT-responder-invocation.patch | 93 --------
 ...ngth-checking-in-SPNEGO-DER-decoding.patch | 58 ------
 ...n-KERB_AP_OPTIONS_CBT-server-support.patch | 2 +-
 Fix-minor-static-analysis-defects.patch | 2 +-
 Fix-typo-in-in-in-the-ksu-man-page.patch | 4 +-
 ...-enctypes-in-krb5_string_to_keysalts.patch | 2 +-
 Implement-GSS_C_CHANNEL_BOUND_FLAG.patch | 2 +-
 ...ment-KERB_AP_OPTIONS_CBT-server-side.patch | 2 +-
 ...-KDC-alias-checking-for-S4U-requests.patch | 2 +-
 Improve-negoex_parse_token-code-hygiene.patch | 2 +-
 Minimize-usage-of-tgs_server-in-KDC.patch | 2 +-
 ...ndicator-check-for-S4U2Self-requests.patch | 2 +-
 ...SER-if-we-can-t-compute-its-checksum.patch | 2 +-
 Pass-channel-bindings-through-SPNEGO.patch | 22 +--
 Pass-gss_localname-through-SPNEGO.patch | 6 +-
 ...KDC-authdata-list-management-helpers.patch | 2 +-
 Refactor-krb5-GSS-checksum-handling.patch | 2 +-
 ...ly-acquired-creds-from-client-keytab.patch | 2 +-
 Remove-resolver-test-utility.patch | 2 +-
...ce-gssrpc-tests-with-a-Python-script.patch | 2 +-
 Unify-kvno-option-documentation.patch | 185 ------------------
 ...eues-for-concurrent-t_otp.py-daemons.patch | 2 +-
 downstream-Adjust-build-configuration.patch | 2 +-
 ...am-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 2 +-
 downstream-Remove-3des-support.patch | 4 +-
 downstream-SELinux-integration.patch | 12 +-
 ...ackported-version-of-OpenSSL-3-KDF-i.patch | 2 +-
 downstream-fix-debuginfo-with-y.tab.c.patch | 2 +-
 downstream-ksu-pam-integration.patch | 6 +-
 downstream-netlib-and-dns.patch | 6 +-
 krb5.spec | 15 +-
 sources | 4 +-
 46 files changed, 136 insertions(+), 607 deletions(-)
 delete mode 100644 Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
 delete mode 100644 Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
 delete mode 100644 Eliminate-redundant-PKINIT-responder-invocation.patch
 delete mode 100644 Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
 delete mode 100644 Unify-kvno-option-documentation.patch
diff --git a/.gitignore b/.gitignore
index ecff9ea..35b6d60 100644
--- a/.gitignore
+++ b/.gitignore
@@ -187,3 +187,5 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.18.1.tar.gz.asc
 /krb5-1.18.2.tar.gz
 /krb5-1.18.2.tar.gz.asc
+/krb5-1.18.3.tar.gz
+/krb5-1.18.3.tar.gz.asc
diff --git a/Add-channel-bindings-tests.patch b/Add-channel-bindings-tests.patch
index 2eb0f1c..99c2da2 100644
--- a/Add-channel-bindings-tests.patch
+++ b/Add-channel-bindings-tests.patch
@@ -1,4 +1,4 @@
-From 6d36ea6fcfe281a8ce73fc5aa5c133f435d93fa4 Mon Sep 17 00:00:00 2001
+From 2c8494a1b89d69da9de46ca2cb17f9e8f12eb9b5 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Fri, 20 Mar 2020 00:17:28 +0100
 Subject: [PATCH] Add channel bindings tests
@@ -10,17 +10,18 @@ changes] ticket: 8900 (cherry picked from commit b0b21b6d25b06f3e2b365dfe9dd4c99b3d43bf57) -[rharwood@redhat.com: .gitignore] +[rharwood@redhat.com: slush around upstream not backporting reload, +gitignore] --- src/plugins/gssapi/negoextest/main.c | 18 +++++ - src/tests/gssapi/Makefile.in | 49 ++++++------ + src/tests/gssapi/Makefile.in | 57 +++++++------- src/tests/gssapi/common.c | 25 ++++-- src/tests/gssapi/common.h | 9 +++ src/tests/gssapi/deps | 4 + src/tests/gssapi/t_bindings.c | 111 +++++++++++++++++++++++++++ src/tests/gssapi/t_bindings.py | 43 +++++++++++ src/tests/gssapi/t_negoex.py | 7 ++ - 8 files changed, 237 insertions(+), 29 deletions(-) + 8 files changed, 242 insertions(+), 32 deletions(-) create mode 100644 src/tests/gssapi/t_bindings.c create mode 100644 src/tests/gssapi/t_bindings.py @@ -61,23 +62,25 @@ index 6c340f41b..72fc5273a 100644 * The unwrapped token sits at the end and is just one byte giving the * remaining number of hops. The final octet of the mech encoding should diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in -index 5cc1e0f58..68c132b79 100644 +index 22a2f9480..cf7bcf451 100644 --- a/src/tests/gssapi/Makefile.in 
+++ b/src/tests/gssapi/Makefile.in -@@ -9,33 +9,33 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \ +@@ -8,34 +8,36 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \ + -I$(srcdir)/../../lib/gssapi/generic -I../../lib/gssapi/krb5 \ -I../../lib/gssapi/generic - SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ +-SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c $(srcdir)/reload.c \ - $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_ccselect.c \ - $(srcdir)/t_ciflags.c $(srcdir)/t_context.c $(srcdir)/t_credstore.c \ - $(srcdir)/t_enctypes.c $(srcdir)/t_err.c $(srcdir)/t_export_cred.c \ - $(srcdir)/t_export_name.c $(srcdir)/t_gssexts.c \ - $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c $(srcdir)/t_invalid.c \ - $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \ -+ $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_bindings.c \ -+ $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c $(srcdir)/t_context.c \ -+ $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c $(srcdir)/t_err.c \ -+ $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ ++SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ ++ $(srcdir)/reload.c $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c \ ++ $(srcdir)/t_bindings.c $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c \ ++ $(srcdir)/t_context.c $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c \ ++ $(srcdir)/t_err.c $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ + $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ + $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \ $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ 
@@ -86,18 +89,20 @@ index 5cc1e0f58..68c132b79 100644 $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c --OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_ccselect.o \ +-OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o t_ccselect.o \ - t_ciflags.o t_context.o t_credstore.o t_enctypes.o t_err.o \ - t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \ - t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o t_iov.o \ - t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o t_s4u.o \ - t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o -+OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_bindings.o \ -+ t_ccselect.o t_ciflags.o t_context.o t_credstore.o t_enctypes.o \ -+ t_err.o t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o \ -+ t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o \ -+ t_iov.o t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o \ -+ t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o ++ ++OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o \ ++ t_bindings.o t_ccselect.o t_ciflags.o t_context.o t_credstore.o \ ++ t_enctypes.o t_err.o t_export_cred.o t_export_name.o t_gssexts.o \ ++ t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o \ ++ t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o t_oid.o \ ++ t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ ++ t_spnego.o t_srcattrs.o COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) 
@@ -113,11 +118,11 @@ index 5cc1e0f58..68c132b79 100644 + t_inq_mechs_name t_iov t_lifetime t_namingexts t_oid t_pcontok t_prf \ + t_s4u t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs - check-unix: t_oid + check-unix: t_oid reload $(RUN_TEST) ./t_invalid -@@ -43,11 +43,12 @@ check-unix: t_oid - $(RUN_TEST) ./t_prf +@@ -44,11 +46,12 @@ check-unix: t_oid reload $(RUN_TEST) ./t_imp_name + if [ -r $(TOPLIBD)/libgssapi_krb5.so ]; then $(RUN_TEST) ./reload; fi -check-pytests: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags \ - t_context t_credstore t_enctypes t_err t_export_cred t_export_name \ @@ -132,7 +137,7 @@ index 5cc1e0f58..68c132b79 100644 $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS) -@@ -64,6 +65,8 @@ t_accname: t_accname.o $(COMMON_DEPS) +@@ -67,6 +70,8 @@ t_accname: t_accname.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS) t_add_cred: t_add_cred.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_add_cred.o $(COMMON_LIBS) 
@@ -141,17 +146,20 @@ index 5cc1e0f58..68c132b79 100644 t_ccselect: t_ccselect.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS) t_ciflags: t_ciflags.o $(COMMON_DEPS) -@@ -118,8 +121,8 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS) +@@ -121,9 +126,9 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS) clean: -- $(RM) ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags +- $(RM) ccinit ccrefresh reload t_accname t_add_cred t_ccselect t_ciflags - $(RM) t_context t_credstore t_enctypes t_err t_export_cred -+ $(RM) ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect -+ $(RM) t_ciflags t_context t_credstore t_enctypes t_err t_export_cred - $(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_invalid - $(RM) t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime +- $(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_invalid +- $(RM) t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime ++ $(RM) ccinit ccrefresh reload t_accname t_add_cred t_bindings ++ $(RM) t_ccselect t_ciflags t_context t_credstore t_enctypes t_err ++ $(RM) t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name ++ $(RM) t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 + $(RM) t_saslname t_spnego t_srcattrs diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c index 83e9d9bb8..7ba72f7b2 100644 --- a/src/tests/gssapi/common.c @@ -221,10 +229,10 @@ index ae11b51d4..a5c8f87e6 100644 * the token. */ void export_import_cred(gss_cred_id_t *cred); diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps -index acd0e96f8..73e4d9a74 100644 +index 55586de53..ca1d6e22a 100644 --- a/src/tests/gssapi/deps 
+++ b/src/tests/gssapi/deps
-@@ -33,6 +33,10 @@ $(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
+@@ -35,6 +35,10 @@ $(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
 $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
 $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
 common.h t_add_cred.c
diff --git a/Add-client_aware_channel_bindings-option.patch b/Add-client_aware_channel_bindings-option.patch
index bd3bcba..142e1d9 100644
--- a/Add-client_aware_channel_bindings-option.patch
+++ b/Add-client_aware_channel_bindings-option.patch
@@ -1,4 +1,4 @@
-From 46ec975eb8f33b6d42c440758fc0deb826f87313 Mon Sep 17 00:00:00 2001
+From 849bb23d0044b2ff315608784c0f96b81feb472f Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Tue, 10 Mar 2020 13:13:17 +0100
 Subject: [PATCH] Add client_aware_channel_bindings option
diff --git a/Add-finalization-safety-check-to-com_err.patch b/Add-finalization-safety-check-to-com_err.patch
index a7ebd53..9411b15 100644
--- a/Add-finalization-safety-check-to-com_err.patch
+++ b/Add-finalization-safety-check-to-com_err.patch
@@ -1,4 +1,4 @@
-From 96a36ef54aecb48b71c1ae0cc85b83ef644c3bd0 Mon Sep 17 00:00:00 2001
+From 73f1db69f99462b5109a5dd4e1a9476667bd3715 Mon Sep 17 00:00:00 2001
 From: Jiri Sasek
 Date: Fri, 13 Mar 2020 19:02:58 +0100
 Subject: [PATCH] Add finalization safety check to com_err
diff --git a/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch b/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
deleted file mode 100644
index bc1229c..0000000
--- a/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From b7aca8b57422cdc67a2d2bff385f09646ca037bc Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 31 Oct 2020 17:07:05 -0400 -Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths - -The libkrb5 ASN.1 decoder supports BER indefinite lengths. It -computes the tag length using recursion; the lack of a recursion limit -allows an attacker to overrun the stack and cause the process to -crash. Reported by Demi Obenour. - -CVE-2020-28196: - -In MIT krb5 releases 1.11 and later, an unauthenticated attacker can -cause a denial of service for any client or server to which it can -send an ASN.1-encoded Kerberos message of sufficient length. - -ticket: 8959 (new) -tags: pullup -target_version: 1.18-next -target_version: 1.17-next - -(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd) ---- - src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c -index a160cf4fe..cd6b879f7 100644 ---- a/src/lib/krb5/asn.1/asn1_encode.c -+++ b/src/lib/krb5/asn.1/asn1_encode.c -@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len) - static krb5_error_code - get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, - const uint8_t **contents_out, size_t *clen_out, -- const uint8_t **remainder_out, size_t *rlen_out) -+ const uint8_t **remainder_out, size_t *rlen_out, int recursion) - { - krb5_error_code ret; - uint8_t o; -@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, - /* Indefinite form (should not be present in DER, but we accept it). 
*/ - if (tag_out->construction != CONSTRUCTED) - return ASN1_MISMATCH_INDEF; -+ if (recursion >= 32) -+ return ASN1_OVERFLOW; - p = asn1; - while (!(len >= 2 && p[0] == 0 && p[1] == 0)) { -- ret = get_tag(p, len, &t, &c, &clen, &p, &len); -+ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1); - if (ret) - return ret; - } -@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out) - const uint8_t *contents, *remainder; - size_t clen, rlen; - -- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen); -+ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0); - if (ret) - return ret; - if (rlen != 0) -@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, - const uint8_t *rem; - size_t rlen; - if (!tag->implicit) { -- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen); -+ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0); - if (ret) - return ret; - /* Note: we don't check rlen (it should be 0). 
*/ -@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq, - for (i = 0; i < seq->n_fields; i++) { - if (len == 0) - break; -- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); -+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); - if (ret) - goto error; - /* -@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len, - *seq_out = NULL; - *count_out = 0; - while (len > 0) { -- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); -+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); - if (ret) - goto error; - if (!check_atype_tag(elemtype, &t)) { -@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, - - *retrep = NULL; - ret = get_tag((uint8_t *)code->data, code->length, &t, &contents, -- &clen, &remainder, &rlen); -+ &clen, &remainder, &rlen, 0); - if (ret) - return ret; - /* rlen should be 0, but we don't check it (and due to padding in diff --git a/Add-three-kvno-options-from-Heimdal-kgetcred.patch b/Add-three-kvno-options-from-Heimdal-kgetcred.patch index 40a6318..1f6452f 100644 --- a/Add-three-kvno-options-from-Heimdal-kgetcred.patch +++ b/Add-three-kvno-options-from-Heimdal-kgetcred.patch @@ -1,4 +1,4 @@ -From 538d787aa7c10894cc0426f54db0d8248efcf7c9 Mon Sep 17 00:00:00 2001 +From 4da87d7fe288f3f7087dca8396d42abfd958b8e4 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 17 Jun 2020 20:48:38 -0400 Subject: [PATCH] Add three kvno options from Heimdal kgetcred 
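Review bot: Deleting Add-recursion-limit-for-ASN.1-indefinite-lengths.patch drops the CVE-2020-28196 fix (the `recursion` bound added to get_tag()) from the downstream patch stack, and nothing in this commit states what now carries it; the .gitignore entry for krb5-1.18.3 suggests a rebase onto a release that contains the upstream commit (the deleted header lists target_version 1.18-next), but that is inferred, not recorded. The same question applies to the other four removed backports, Allow-gss_unwrap_iov-of-unpadded-RC4-tokens (ticket 8926), Eliminate-redundant-PKINIT-responder-invocation (ticket 8885), Fix-input-length-checking-in-SPNEGO-DER-decoding (ticket 8933) and Unify-kvno-option-documentation. Because the message is an automated ELN import, the rebase and the reason these backports are obsolete should be written where reviewers and vulnerability scanners look, e.g. a commit-message line `Rebase to krb5 1.18.3; drop backports now upstream (CVE-2020-28196 / ticket 8959, tickets 8926, 8885, 8933, kvno option docs)` and a matching spec %changelog entry, after confirming that the unpacked 1.18.3 src/lib/krb5/asn.1/asn1_encode.c carries the recursion parameter and that spnego_mech.c carries the get_mech_set()/get_req_flags() length checks.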
@@ -13,20 +13,21 @@ tests for the new options. ticket: 8917 (new) (cherry picked from commit 876bab8418d7dd134c9d9db812ee2118d5ad58f0) +[rharwood@redhat.com: slush around option unification] --- doc/user/user_commands/kvno.rst | 13 ++++ src/clients/kvno/Makefile.in | 3 + - src/clients/kvno/kvno.c | 115 +++++++++++++++++++++++--------- + src/clients/kvno/kvno.c | 112 +++++++++++++++++++++++--------- src/clients/kvno/t_kvno.py | 75 +++++++++++++++++++++ src/man/kvno.man | 13 ++++ - 5 files changed, 187 insertions(+), 32 deletions(-) + 5 files changed, 185 insertions(+), 31 deletions(-) create mode 100644 src/clients/kvno/t_kvno.py diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst -index 3892f0ca5..718313576 100644 +index 53e569651..6fd8577a5 100644 --- a/doc/user/user_commands/kvno.rst +++ b/doc/user/user_commands/kvno.rst -@@ -74,6 +74,19 @@ OPTIONS +@@ -75,6 +75,19 @@ OPTIONS client principal with the X.509 certificate in *cert_file*. The certificate file must be in PEM format. @@ -61,17 +62,16 @@ index 1c3f79392..5ba877271 100644 $(RM) kvno.o kvno diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c -index 2472c0cfe..9d85864f6 100644 +index 8edd97361..c5f6bf700 100644 --- a/src/clients/kvno/kvno.c +++ b/src/clients/kvno/kvno.c -@@ -44,14 +44,17 @@ xusage() - fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog); - fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | " - "[-F cert_file] [-P]]\n")); -- fprintf(stderr, _("\t[--u2u ccache] service1 service2 ...\n")); -+ fprintf(stderr, _("\t[--cached-only] [--no-store] [--out-cache ccache] " -+ "[--u2u ccache]\n")); -+ fprintf(stderr, _("\tservice1 service2 ...\n")); +@@ -47,15 +47,17 @@ xusage() + "[-u | -S sname]" XUSAGE_BREAK + "[[{-F cert_file | {-I | -U} for_user} [-P]] | " + "--u2u ccache]" XUSAGE_BREAK ++ "[--cached-only] [--no-store] [--out-cache] " + "service1 service2 ...\n"), + prog); exit(1); } 
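Review bot: The reworked usage text in the kvno.c hunk lists `[--out-cache]` without its argument, whereas the line it replaces read `[--out-cache ccache]` and the neighbouring `--u2u ccache` entry keeps its argument; unless the downstream option unification really made --out-cache argument-less, the added line should read `"[--cached-only] [--no-store] [--out-cache ccache] "`. The kvno.rst hunk earlier in this file section adds 13 lines of option documentation that are not visible here, so it is worth checking that it and the kvno.man hunk agree with whatever xusage() prints. The enclosing xusage() body starts before this hunk.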
@@ -86,7 +86,7 @@ index 2472c0cfe..9d85864f6 100644 const char *u2u_ccname); #include -@@ -61,18 +64,21 @@ static void extended_com_err_fn(const char *myprog, errcode_t code, +@@ -65,18 +67,21 @@ static void extended_com_err_fn(const char *myprog, errcode_t code, int main(int argc, char *argv[]) { @@ -115,7 +115,7 @@ index 2472c0cfe..9d85864f6 100644 setlocale(LC_ALL, ""); set_com_err_hook(extended_com_err_fn); -@@ -135,6 +141,12 @@ main(int argc, char *argv[]) +@@ -139,6 +144,12 @@ main(int argc, char *argv[]) case OPTION_U2U: u2u_ccname = optarg; break; @@ -128,7 +128,7 @@ index 2472c0cfe..9d85864f6 100644 default: xusage(); break; -@@ -159,8 +171,9 @@ main(int argc, char *argv[]) +@@ -163,8 +174,9 @@ main(int argc, char *argv[]) xusage(); do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name, @@ -140,7 +140,7 @@ index 2472c0cfe..9d85864f6 100644 return 0; } -@@ -274,14 +287,16 @@ static krb5_error_code +@@ -278,14 +290,16 @@ static krb5_error_code kvno(const char *name, krb5_ccache ccache, krb5_principal me, krb5_enctype etype, krb5_keytab keytab, const char *sname, krb5_flags options, int unknown, krb5_principal for_user_princ, @@ -159,7 +159,7 @@ index 2472c0cfe..9d85864f6 100644 memset(&in_creds, 0, sizeof(in_creds)); if (sname != NULL) { -@@ -321,13 +336,12 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, +@@ -325,13 +339,12 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, in_creds.client = for_user_princ; in_creds.server = me; ret = krb5_get_credentials_for_user(context, options, ccache, @@ -175,7 +175,7 @@ index 2472c0cfe..9d85864f6 100644 } if (ret) { -@@ -336,7 +350,7 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, +@@ -340,7 +353,7 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, } /* We need a native ticket. */ 
@@ -184,7 +184,7 @@ index 2472c0cfe..9d85864f6 100644 if (ret) { com_err(prog, ret, _("while decoding ticket for %s"), princ); goto cleanup; -@@ -362,15 +376,15 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, +@@ -366,15 +379,15 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, } if (proxy) { @@ -205,7 +205,7 @@ index 2472c0cfe..9d85864f6 100644 krb5_free_principal(context, in_creds.client); if (ret) { com_err(prog, ret, _("%s: constrained delegation failed"), -@@ -379,10 +393,13 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, +@@ -383,10 +396,13 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me, } } @@ -220,7 +220,7 @@ index 2472c0cfe..9d85864f6 100644 krb5_free_unparsed_name(context, princ); return ret; } -@@ -428,19 +445,28 @@ cleanup: +@@ -432,19 +448,28 @@ cleanup: static void do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, @@ -255,7 +255,7 @@ index 2472c0cfe..9d85864f6 100644 ret = krb5_init_context(&context); if (ret) { -@@ -467,6 +493,14 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, +@@ -471,6 +496,14 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, exit(1); } @@ -270,7 +270,7 @@ index 2472c0cfe..9d85864f6 100644 if (keytab_name != NULL) { ret = krb5_kt_resolve(context, keytab_name, &keytab); if (ret) { -@@ -513,8 +547,25 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, +@@ -517,8 +550,25 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, errors = 0; for (i = 0; i < count; i++) { if (kvno(names[i], ccache, me, etype, keytab, sname, options, unknown, @@ -379,10 +379,10 @@ index 000000000..e98b90e8a + +success('kvno tests') diff --git a/src/man/kvno.man b/src/man/kvno.man -index 005a2ec97..b9f6739eb 100644 +index 9eb9e1852..7c9565bdb 100644 --- a/src/man/kvno.man 
+++ b/src/man/kvno.man
-@@ -95,6 +95,19 @@ Specifies that protocol transition is to be used, identifying the
+@@ -96,6 +96,19 @@ Specifies that protocol transition is to be used, identifying the
 client principal with the X.509 certificate in \fIcert_file\fP\&.
 The certificate file must be in PEM format.
 .TP
diff --git a/Adjust-KDC-alias-helper-function-contract.patch b/Adjust-KDC-alias-helper-function-contract.patch
index 7b7c62b..13f4cb7 100644
--- a/Adjust-KDC-alias-helper-function-contract.patch
+++ b/Adjust-KDC-alias-helper-function-contract.patch
@@ -1,4 +1,4 @@
-From 758f5031fe9d6c1e3eb33818bc6d57cf8b4a3a72 Mon Sep 17 00:00:00 2001
+From 833dfff1a11da3b1b9cf45a2bb09f17efa49cdba Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Tue, 22 Sep 2020 01:11:39 +0300
 Subject: [PATCH] Adjust KDC alias helper function contract
diff --git a/Allow-aliases-when-matching-U2U-second-ticket.patch b/Allow-aliases-when-matching-U2U-second-ticket.patch
index 8622ff8..523402f 100644
--- a/Allow-aliases-when-matching-U2U-second-ticket.patch
+++ b/Allow-aliases-when-matching-U2U-second-ticket.patch
@@ -1,4 +1,4 @@
-From ccc5b9663e229f20421c01836aa5ecb06f1f2a48 Mon Sep 17 00:00:00 2001
+From e976a70ff23e600a76d1c3134f9c2f80753b6679 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Tue, 22 Sep 2020 01:17:11 +0300
 Subject: [PATCH] Allow aliases when matching U2U second ticket
diff --git a/Allow-certauth-modules-to-set-hw-authent-flag.patch b/Allow-certauth-modules-to-set-hw-authent-flag.patch
index 94ff5dd..0c155e7 100644
--- a/Allow-certauth-modules-to-set-hw-authent-flag.patch
+++ b/Allow-certauth-modules-to-set-hw-authent-flag.patch
@@ -1,4 +1,4 @@
-From 5b62f6f6a960e5a428a39a3e83e0a16dba5a914a Mon Sep 17 00:00:00 2001
+From c18034484eadb0f32cef384197d1185aa50c3adb Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 24 Feb 2020 15:58:59 -0500
 Subject: [PATCH] Allow certauth modules to set hw-authent flag
diff --git a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
deleted file mode 100644
index 3824646..0000000
--- a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
+++ /dev/null
@@ -1,49 +0,0 @@ -From 594c9d225f470e73a46dd2a85c5e50571e90598c Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 11 Jul 2020 21:57:30 -0400 -Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens - -Windows Remote Management, when used with an RC4 session key, appears -to generate GSS wrap tokens with no padding instead of the expected -one byte (RFC 4757 section 7.3). These tokens cannot be decoded with -gss_unwrap() or a STREAM buffer (even with Microsoft SSPI), but SSPI -allows them to be decoded using explicit IOVs with either a -zero-length padding buffer or no padding buffer. Allow these cases to -work in kg_fixup_padding_iov(). (It is already possible to make this -work with HEADER | DATA | DATA, but only by -accident--kg_fixup_padding_iov() doesn't find a data buffer because -kg_locate_iov() only looks for singleton buffers, so it exits early.) - -ticket: 8926 (new) -tags: pullup -target_version: 1.18-next - -(cherry picked from commit 3f204ddd567715ef360b4bb0b32961b6a9877f9d) ---- - src/lib/gssapi/krb5/util_crypt.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c -index f7d3e92c4..d6c71aeb8 100644 ---- a/src/lib/gssapi/krb5/util_crypt.c -+++ b/src/lib/gssapi/krb5/util_crypt.c -@@ -638,16 +638,13 @@ kg_fixup_padding_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, - data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA); - padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); - -- if (data == NULL) { -+ /* Do nothing if padding is absent or empty, to allow unwrapping of WinRM -+ * unpadded RC4 tokens using an explicit IOV array. 
*/ -+ if (data == NULL || padding == NULL || padding->buffer.length == 0) { - *minor_status = 0; - return GSS_S_COMPLETE; - } - -- if (padding == NULL || padding->buffer.length == 0) { -- *minor_status = EINVAL; -- return GSS_S_FAILURE; -- } -- - p = (unsigned char *)padding->buffer.value; - padlength = p[padding->buffer.length - 1]; - diff --git a/Avoid-passing-DB-entry-structures-in-KDC.patch b/Avoid-passing-DB-entry-structures-in-KDC.patch index e5cff1a..23f96e3 100644 --- a/Avoid-passing-DB-entry-structures-in-KDC.patch +++ b/Avoid-passing-DB-entry-structures-in-KDC.patch @@ -1,4 +1,4 @@ -From dd8b146093d4bdf8a7d0c0eb8156b62d090448d7 Mon Sep 17 00:00:00 2001 +From e0fc680b2fb51513993c4cdaa2c25b292f57a073 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 30 Sep 2020 02:12:00 -0400 Subject: [PATCH] Avoid passing DB entry structures in KDC diff --git a/Correctly-import-service-GSS-host-based-name.patch b/Correctly-import-service-GSS-host-based-name.patch index f56aed4..e56648b 100644 --- a/Correctly-import-service-GSS-host-based-name.patch +++ b/Correctly-import-service-GSS-host-based-name.patch @@ -1,4 +1,4 @@ -From f56afbeb7848322f3208edd55f2c12a9e32127f0 Mon Sep 17 00:00:00 2001 +From 24c5e1ad937505a03628547ed7a5c6060a2b0ff2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 30 Mar 2020 15:26:02 -0400 Subject: [PATCH] Correctly import "service@" GSS host-based name diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch index 1c46562..3669432 100644 --- a/Default-dns_canonicalize_hostname-to-fallback.patch +++ b/Default-dns_canonicalize_hostname-to-fallback.patch @@ -1,4 +1,4 @@ -From c3d2c3bcafe0ac87d9cbbf37f1488ad642627fc3 Mon Sep 17 00:00:00 2001 +From 6bdab27ef3dfcefb8426f2ea4e06bbdbd1141b16 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 27 May 2020 18:48:35 -0400 Subject: [PATCH] Default dns_canonicalize_hostname to "fallback" 
diff --git a/Do-expiration-warnings-for-all-init_creds-APIs.patch b/Do-expiration-warnings-for-all-init_creds-APIs.patch
index 4f642f4..374068f 100644
--- a/Do-expiration-warnings-for-all-init_creds-APIs.patch
+++ b/Do-expiration-warnings-for-all-init_creds-APIs.patch
@@ -1,4 +1,4 @@
-From 51a9f8e7498591b22558a7a61d42a821030f9c4e Mon Sep 17 00:00:00 2001
+From c7abf942c66b2ba543cf412f12562e9bb8ee260a Mon Sep 17 00:00:00 2001
 From: Sumit Bose
 Date: Fri, 28 Feb 2020 10:11:49 +0100
 Subject: [PATCH] Do expiration warnings for all init_creds APIs
diff --git a/Eliminate-redundant-PKINIT-responder-invocation.patch b/Eliminate-redundant-PKINIT-responder-invocation.patch
deleted file mode 100644
index 48e6e89..0000000
--- a/Eliminate-redundant-PKINIT-responder-invocation.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From b27a2f1f330afed53b034a66031f9a801b4568b7 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 23 Mar 2020 19:10:03 -0400 -Subject: [PATCH] Eliminate redundant PKINIT responder invocation - -In pkinit_client_prep_questions(), only act if the input padata type -is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when -the KDC issues a ticket. - -Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242) -unintentionally changed the behavior of pkinit_load_fs_cert_and_key(), -causing pkinit_client_prep_questions() to do nothing on its first -call. Restore the original behavior of returning 0 when prompting is -deferred. - -Modify the existing "FILE identity, password on key (responder)" -PKINIT test to check that the responder is only invoked once. - -ticket: 8885 -(cherry picked from commit f1286842ce7b9e507a4ce0a47f44ab361a98be63) ---- - src/plugins/preauth/pkinit/pkinit_clnt.c | 5 +++++ - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 13 +++++++------ - src/tests/t_pkinit.py | 11 +++++++---- - 3 files changed, 19 insertions(+), 10 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c -index 2f0431991..9b991ffe0 100644 ---- a/src/plugins/preauth/pkinit/pkinit_clnt.c -+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c -@@ -897,6 +897,11 @@ pkinit_client_prep_questions(krb5_context context, - k5_json_object jval = NULL; - k5_json_number jflag = NULL; - -+ /* Don't ask questions for the informational padata items or when the -+ * ticket is issued. 
*/ -+ if (pa_data->pa_type != KRB5_PADATA_PK_AS_REQ) -+ return 0; -+ - if (!reqctx->identity_initialized) { - pkinit_client_profile(context, plgctx, reqctx, cb, rock, - &request->server->realm); -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index dd718c2be..dbb054378 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -4362,17 +4362,18 @@ pkinit_load_fs_cert_and_key(krb5_context context, - - /* Load the certificate. */ - retval = get_cert(certname, &x); -- if (retval != 0 || x == NULL) { -- retval = oerr(context, 0, _("Cannot read certificate file '%s'"), -+ if (retval) { -+ retval = oerr(context, retval, _("Cannot read certificate file '%s'"), - certname); -- goto cleanup; - } -+ if (retval || x == NULL) -+ goto cleanup; - /* Load the key. */ - retval = get_key(context, id_cryptoctx, keyname, fsname, &y, password); -- if (retval != 0 || y == NULL) { -- retval = oerr(context, 0, _("Cannot read key file '%s'"), fsname); -+ if (retval) -+ retval = oerr(context, retval, _("Cannot read key file '%s'"), fsname); -+ if (retval || y == NULL) - goto cleanup; -- } - - id_cryptoctx->creds[cindex] = malloc(sizeof(struct _pkinit_cred_info)); - if (id_cryptoctx->creds[cindex] == NULL) { -diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py -index 69daf4987..ecd450e8a 100755 ---- a/src/tests/t_pkinit.py -+++ b/src/tests/t_pkinit.py -@@ -248,10 +248,13 @@ realm.run(['./adata', realm.host_princ], - # supplied by the responder. - # Supply the response in raw form. 
- mark('FILE identity, password on key (responder)') --realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity, -- '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity, -- '-X', 'X509_user_identity=%s' % file_enc_identity, -- realm.user_princ]) -+out = realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity, -+ '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity, -+ '-X', 'X509_user_identity=%s' % file_enc_identity, -+ realm.user_princ]) -+# Regression test for #8885 (password question asked twice). -+if out.count('OK: ') != 1: -+ fail('Wrong number of responder calls') - # Supply the response through the convenience API. - realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity, - '-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ]) diff --git a/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch b/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch deleted file mode 100644 index ae01c8d..0000000 --- a/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 5b42970afea248889fd3350448a40045d467ff3f Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 28 Jul 2020 12:58:26 -0400 -Subject: [PATCH] Fix input length checking in SPNEGO DER decoding - -In get_mech_set(), check the length before reading the first byte, and -decrease the length by the tag byte when reading and verifying the -sequence length. - -In get_req_flags(), check the length before reading the first byte, -and check the context tag length after decoding it. - -ticket: 8933 (new) -tags: pullup -target_version: 1.18-next -target_version: 1.17-next - -(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4) ---- - src/lib/gssapi/spnego/spnego_mech.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 4cf011143..13c351620 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -3462,14 +3462,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, - unsigned char *start; - int i; - -- if (**buff_in != SEQUENCE_OF) -+ if (buff_length < 1 || **buff_in != SEQUENCE_OF) - return (NULL); - - start = *buff_in; - (*buff_in)++; - -- length = gssint_get_der_length(buff_in, buff_length, &bytes); -- if (length < 0 || buff_length - bytes < (unsigned int)length) -+ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes); -+ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length) - return NULL; - - major_status = gss_create_empty_oid_set(minor_status, -@@ -3549,11 +3549,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize, - { - unsigned int len; - -- if (**buff_in != (CONTEXT | 0x01)) -+ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01)) - return (0); - - if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01), -- bodysize, &len) < 0) -+ bodysize, &len) < 0 || len != 4) - return GSS_S_DEFECTIVE_TOKEN; - - if (*(*buff_in)++ != BIT_STRING) 
diff --git a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
index c5ec79a..90bbcab 100644
--- a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
+++ b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
@@ -1,4 +1,4 @@
-From ff47523d7d812fba24106f416aafa5d1f2c433a2 Mon Sep 17 00:00:00 2001
+From 4b2176eaad00630890abe4b458cbc31f05b2b9c0 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 24 Jul 2020 16:05:24 -0400
 Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
diff --git a/Fix-minor-static-analysis-defects.patch b/Fix-minor-static-analysis-defects.patch
index 653bce1..b94b48c 100644
--- a/Fix-minor-static-analysis-defects.patch
+++ b/Fix-minor-static-analysis-defects.patch
@@ -1,4 +1,4 @@
-From c3d96fca46cb2cc3ee9f4c2e2a4ed98bad3e310a Mon Sep 17 00:00:00 2001
+From 0de060366a1b75df47189f5cc0a7a92685cbe1d7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 15 Oct 2020 18:15:29 -0400
 Subject: [PATCH] Fix minor static analysis defects
diff --git a/Fix-typo-in-in-in-the-ksu-man-page.patch b/Fix-typo-in-in-in-the-ksu-man-page.patch
index 040355c..a6c1f5c 100644
--- a/Fix-typo-in-in-in-the-ksu-man-page.patch
+++ b/Fix-typo-in-in-in-the-ksu-man-page.patch
@@ -1,4 +1,4 @@
-From bf8567ed95991628f198e88403e30f78e2d74e15 Mon Sep 17 00:00:00 2001
+From 5399eaea6c5e00c4e96fa5507aa50dd643337194 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 14 May 2020 15:01:18 -0400
 Subject: [PATCH] Fix typo ("in in") in the ksu man page
@@ -23,7 +23,7 @@ index 8d6c7ef79..933738229 100644
 diff --git a/src/man/ksu.man b/src/man/ksu.man
-index 81e34815d..8d4c6a359 100644
+index a1972518c..b07a4b05d 100644
 --- a/src/man/ksu.man
 +++ b/src/man/ksu.man
 @@ -176,7 +176,7 @@ wrong password is typed in, ksu fails.
diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
index 14e27a9..01edf16 100644
--- a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
+++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
@@ -1,4 +1,4 @@
-From e74f9424e47ab914c46e549fc5a2cbdf2615ef93 Mon Sep 17 00:00:00 2001
+From 6931f8ed0fd8c9f634e1e48f1e8926022610fc3f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 15 Jul 2020 15:42:20 -0400
 Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
diff --git a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
index 2b41b6b..d93a3f8 100644
--- a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
+++ b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
@@ -1,4 +1,4 @@
-From 651b9b8084ecff5553b7ef6ee723ce7c4438a9d8 Mon Sep 17 00:00:00 2001
+From 40093f65c58ab78a050860ce41560595aa8ecf7e Mon Sep 17 00:00:00 2001
 From: Alexander Scheel
 Date: Wed, 5 Jul 2017 11:38:30 -0400
 Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
diff --git a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
index eadc695..a43ae8b 100644
--- a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
+++ b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
@@ -1,4 +1,4 @@
-From bc89c6c720c4170d43010fead23550b80499c32a Mon Sep 17 00:00:00 2001
+From 2250babfa6fc6590d50fc9c9beb267ba280ff685 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Mon, 9 Mar 2020 16:04:21 +0100
 Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
diff --git a/Improve-KDC-alias-checking-for-S4U-requests.patch b/Improve-KDC-alias-checking-for-S4U-requests.patch
index 3dbb119..76b0bf9 100644
--- a/Improve-KDC-alias-checking-for-S4U-requests.patch
+++ b/Improve-KDC-alias-checking-for-S4U-requests.patch
@@ -1,4 +1,4 @@
-From ed87237cdd70f72b309960a294a2bed26cef1579 Mon Sep 17 00:00:00 2001
+From dc03b33af17f2014baaa29412a1787cbcb140a62 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Fri, 4 Sep 2020 14:05:50 +0300
 Subject: [PATCH] Improve KDC alias checking for S4U requests
diff --git a/Improve-negoex_parse_token-code-hygiene.patch b/Improve-negoex_parse_token-code-hygiene.patch
index a58c2e6..ef9bf2b 100644
--- a/Improve-negoex_parse_token-code-hygiene.patch
+++ b/Improve-negoex_parse_token-code-hygiene.patch
@@ -1,4 +1,4 @@
-From 4c96c8fef146337b7d3c0ebb4118a18818dd1f4e Mon Sep 17 00:00:00 2001
+From d604359e2f0bce65f08d0d805e0795e29287109c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 9 Jun 2020 16:23:37 -0400
 Subject: [PATCH] Improve negoex_parse_token() code hygiene
diff --git a/Minimize-usage-of-tgs_server-in-KDC.patch b/Minimize-usage-of-tgs_server-in-KDC.patch
index f08458e..5199395 100644
--- a/Minimize-usage-of-tgs_server-in-KDC.patch
+++ b/Minimize-usage-of-tgs_server-in-KDC.patch
@@ -1,4 +1,4 @@
-From 5e79319edf3836d12dbc710ec1e2dd4405c9df35 Mon Sep 17 00:00:00 2001
+From ce60c549887a7732a6079d6e7111eb645f279781 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 25 Sep 2020 11:12:34 -0400
 Subject: [PATCH] Minimize usage of tgs_server in KDC
diff --git a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
index d5eacc1..782974b 100644
--- a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
+++ b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
@@ -1,4 +1,4 @@
-From f0ac5c1efef5401f669dc176e62c09b0b01fa2d0 Mon Sep 17 00:00:00 2001
+From a9144f5238b91949f32355f5ab88e2ade734eb06 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 6 May 2020 16:03:13 -0400
 Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
diff --git a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
index 8e1c248..bc4ed52 100644
--- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
+++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
@@ -1,4 +1,4 @@ -From 5251097c927f476fe83ffe544b73fd2d785aaf2a Mon Sep 17 00:00:00 2001 +From 8fc932c8f75e4332aa7dc6c4862cb881308b6813 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 6 Jun 2020 11:03:37 +0200 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum diff --git a/Pass-channel-bindings-through-SPNEGO.patch b/Pass-channel-bindings-through-SPNEGO.patch index 0e307c3..e376472 100644 --- a/Pass-channel-bindings-through-SPNEGO.patch +++ b/Pass-channel-bindings-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From 17d9b74328f247de5f9d820ae008726632d11d2a Mon Sep 17 00:00:00 2001 +From 19ef4a378a8fe483e82b1b4f979a7ffcb264325e Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 28 Apr 2020 18:15:55 +0200 Subject: [PATCH] Pass channel bindings through SPNEGO @@ -125,7 +125,7 @@ index 18d9d4147..8848ee4db 100644 if (major != GSS_S_COMPLETE && mech_output_token.length == 0) goto cleanup; diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 594fc5894..4cf011143 100644 +index f4a042478..2327cd927 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -130,6 +130,7 @@ init_ctx_reselect(OM_uint32 *, spnego_gss_ctx_id_t, OM_uint32, @@ -147,7 +147,7 @@ index 594fc5894..4cf011143 100644 static gss_OID negotiate_mech(spnego_gss_ctx_id_t, gss_OID_set, OM_uint32 *); -@@ -905,6 +906,7 @@ init_ctx_call_init(OM_uint32 *minor_status, +@@ -906,6 +907,7 @@ init_ctx_call_init(OM_uint32 *minor_status, OM_uint32 req_flags, OM_uint32 time_req, gss_buffer_t mechtok_in, @@ -155,7 +155,7 @@ index 594fc5894..4cf011143 100644 gss_buffer_t mechtok_out, OM_uint32 *time_rec, send_token_flag *send_token) -@@ -921,15 +923,14 @@ init_ctx_call_init(OM_uint32 *minor_status, +@@ -922,15 +924,14 @@ init_ctx_call_init(OM_uint32 *minor_status, if (gss_oid_equal(sc->internal_mech, &negoex_mech)) { ret = negoex_init(minor_status, sc, mcred, target_name, mech_req_flags, time_req, mechtok_in, 
@@ -175,7 +175,7 @@ index 594fc5894..4cf011143 100644 } /* Bail out if the acceptor gave us an error token but the mech didn't -@@ -981,8 +982,8 @@ init_ctx_call_init(OM_uint32 *minor_status, +@@ -982,8 +983,8 @@ init_ctx_call_init(OM_uint32 *minor_status, gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER); tmpret = init_ctx_call_init(&tmpmin, sc, spcred, acc_negState, target_name, req_flags, time_req, @@ -186,7 +186,7 @@ index 594fc5894..4cf011143 100644 if (HARD_ERROR(tmpret)) goto fail; *minor_status = tmpmin; -@@ -1004,7 +1005,7 @@ spnego_gss_init_sec_context( +@@ -1005,7 +1006,7 @@ spnego_gss_init_sec_context( gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, @@ -195,7 +195,7 @@ index 594fc5894..4cf011143 100644 gss_buffer_t input_token, gss_OID *actual_mech, gss_buffer_t output_token, -@@ -1084,8 +1085,8 @@ spnego_gss_init_sec_context( +@@ -1085,8 +1086,8 @@ spnego_gss_init_sec_context( if (!spnego_ctx->mech_complete) { ret = init_ctx_call_init(minor_status, spnego_ctx, spcred, acc_negState, target_name, req_flags, @@ -206,7 +206,7 @@ index 594fc5894..4cf011143 100644 if (ret != GSS_S_COMPLETE) goto cleanup; -@@ -1542,8 +1543,9 @@ cleanup: +@@ -1543,8 +1544,9 @@ cleanup: static OM_uint32 acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, spnego_gss_cred_id_t spcred, gss_buffer_t mechtok_in, @@ -218,7 +218,7 @@ index 594fc5894..4cf011143 100644 { OM_uint32 ret, tmpmin; gss_OID_desc mechoid; -@@ -1568,13 +1570,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, +@@ -1569,13 +1571,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred; if (negoex) { ret = negoex_accept(minor_status, sc, mcred, mechtok_in, 
@@ -234,7 +234,7 @@ index 594fc5894..4cf011143 100644 &sc->internal_name, &sc->actual_mech, mechtok_out, &sc->ctx_flags, time_rec, -@@ -1620,7 +1621,7 @@ spnego_gss_accept_sec_context( +@@ -1621,7 +1622,7 @@ spnego_gss_accept_sec_context( gss_ctx_id_t *context_handle, gss_cred_id_t verifier_cred_handle, gss_buffer_t input_token, @@ -243,7 +243,7 @@ index 594fc5894..4cf011143 100644 gss_name_t *src_name, gss_OID *mech_type, gss_buffer_t output_token, -@@ -1734,8 +1735,8 @@ spnego_gss_accept_sec_context( +@@ -1735,8 +1736,8 @@ spnego_gss_accept_sec_context( */ if (negState != REQUEST_MIC && mechtok_in != GSS_C_NO_BUFFER) { ret = acc_ctx_call_acc(minor_status, sc, spcred, mechtok_in, diff --git a/Pass-gss_localname-through-SPNEGO.patch b/Pass-gss_localname-through-SPNEGO.patch index e641a91..bbf703c 100644 --- a/Pass-gss_localname-through-SPNEGO.patch +++ b/Pass-gss_localname-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From cec820485e8b854fe3ee42d0a67a77e7ad20595e Mon Sep 17 00:00:00 2001 +From fb89e83451519aed051bb129f3cf9cc34cde702f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 26 Apr 2020 19:55:54 -0400 Subject: [PATCH] Pass gss_localname() through SPNEGO @@ -30,7 +30,7 @@ index a93763314..066ec736f 100644 ( OM_uint32 *minor_status, diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index ec0bae6a4..594fc5894 100644 +index b3010c201..f4a042478 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -237,7 +237,7 @@ static struct gss_config spnego_mechanism = @@ -42,7 +42,7 @@ index ec0bae6a4..594fc5894 100644 NULL, /* gss_userok */ NULL, /* gss_export_name */ spnego_gss_duplicate_name, /* gss_duplicate_name */ -@@ -2371,6 +2371,13 @@ spnego_gss_wrap_size_limit( +@@ -2372,6 +2372,13 @@ spnego_gss_wrap_size_limit( return (ret); } diff --git a/Refactor-KDC-authdata-list-management-helpers.patch b/Refactor-KDC-authdata-list-management-helpers.patch index 00aed49..495dbda 100644 
--- a/Refactor-KDC-authdata-list-management-helpers.patch
+++ b/Refactor-KDC-authdata-list-management-helpers.patch
@@ -1,4 +1,4 @@
-From 9335481c00cd15170adec244ccff0a00a014bbab Mon Sep 17 00:00:00 2001
+From 00245d789edc6cf6263540d7c9d7ee45bbac58ce Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 5 Feb 2020 18:46:11 -0500
 Subject: [PATCH] Refactor KDC authdata list management helpers
diff --git a/Refactor-krb5-GSS-checksum-handling.patch b/Refactor-krb5-GSS-checksum-handling.patch
index c80426b..a0bb217 100644
--- a/Refactor-krb5-GSS-checksum-handling.patch
+++ b/Refactor-krb5-GSS-checksum-handling.patch
@@ -1,4 +1,4 @@
-From c90cef2ebfbefc595798dd5dbb805575e1be0fbf Mon Sep 17 00:00:00 2001
+From 544c37e2928f2585708e36f77a6b0baa52c3c541 Mon Sep 17 00:00:00 2001
 From: Alexander Scheel
 Date: Fri, 30 Jun 2017 16:03:01 -0400
 Subject: [PATCH] Refactor krb5 GSS checksum handling
diff --git a/Refresh-manually-acquired-creds-from-client-keytab.patch b/Refresh-manually-acquired-creds-from-client-keytab.patch
index ff28434..dc50194 100644
--- a/Refresh-manually-acquired-creds-from-client-keytab.patch
+++ b/Refresh-manually-acquired-creds-from-client-keytab.patch
@@ -1,4 +1,4 @@
-From 7316aaa0e9249a88e919f2596d881f78970548bc Mon Sep 17 00:00:00 2001
+From e1762f16fe4d900903c5395cc3268f9b78835100 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 26 Feb 2020 18:27:17 -0500
 Subject: [PATCH] Refresh manually acquired creds from client keytab
diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch
index e5dd78d..e765069 100644
--- a/Remove-resolver-test-utility.patch
+++ b/Remove-resolver-test-utility.patch
@@ -1,4 +1,4 @@
-From 3e75969e0c0a52ec3ca8195200fcdadaa63b324f Mon Sep 17 00:00:00 2001
+From 8a2cd84c047ef7500dc8149ed6ace8e9fa631cad Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 28 May 2020 18:41:02 -0400
 Subject: [PATCH] Remove resolver test utility
diff --git a/Replace-gssrpc-tests-with-a-Python-script.patch b/Replace-gssrpc-tests-with-a-Python-script.patch
index ced6543..fc8fe87 100644
--- a/Replace-gssrpc-tests-with-a-Python-script.patch
+++ b/Replace-gssrpc-tests-with-a-Python-script.patch
@@ -1,4 +1,4 @@
-From 404cc1152880a567fc27bb7c691a1a732692bbf9 Mon Sep 17 00:00:00 2001
+From e2ad633616a3f4db91bbd332d778df93e4bdb652 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 15 Feb 2020 20:34:23 -0500
 Subject: [PATCH] Replace gssrpc tests with a Python script
diff --git a/Unify-kvno-option-documentation.patch b/Unify-kvno-option-documentation.patch
deleted file mode 100644
index b6f5e01..0000000
--- a/Unify-kvno-option-documentation.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From 52e3695cc5ef00766e12adfe8ed276c2885e71bb Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 20 Aug 2020 17:49:29 -0400 -Subject: [PATCH] Unify kvno option documentation - -Add missing kvno options to the kvno.rst synopsis and option -descriptions, and to the kvno usage message. Remove mention of '-h' -(help text), from kvno.rst as it is an implicit option. Note that the -three new caching options were added in release 1.19. - -Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options) -and dependency (-P on S4U2Self) where they are missing. - -Switch xusage() to print only a single localized string, rather than -running each line of output through localization separately. - -Leave kvno -C undocumented for now, as the semantics of -KRB5_GC_CANONICALIZE are minimally useful and likely to change. - -[ghudson@mit.edu: edited documentation and commit message] - -ticket: 7476 -tags: pullup -target_version: 1.18-next - -(cherry picked from commit becd1ad6830b526d08ddaf5b2b6f213154c6446c) ---- - doc/user/user_commands/kvno.rst | 24 +++++++++++++----------- - src/clients/kvno/kvno.c | 15 +++++++++------ - src/man/kvno.man | 24 +++++++++++++----------- - 3 files changed, 35 insertions(+), 28 deletions(-) - -diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst -index 718313576..65c44e1c0 100644 ---- a/doc/user/user_commands/kvno.rst -+++ b/doc/user/user_commands/kvno.rst -@@ -10,13 +10,9 @@ SYNOPSIS - [**-c** *ccache*] - [**-e** *etype*] - [**-q**] --[**-h**] -+[**-u** | **-S** *sname*] - [**-P**] --[**-S** *sname*] --[**-I** *for_user*] --[**-U** *for_user*] --[**-F** *cert_file*] --[**--u2u** *ccache*] -+[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] - *service1 service2* ... - - -@@ -39,13 +35,18 @@ OPTIONS - of all the services named on the command line. This is useful in - certain backward compatibility situations. 
- -+**-k** *keytab* -+ Decrypt the acquired tickets using *keytab* to confirm their -+ validity. -+ - **-q** - Suppress printing output when successful. If a service ticket - cannot be obtained, an error message will still be printed and - kvno will exit with nonzero status. - --**-h** -- Prints a usage statement and exits. -+**-u** -+ Use the unknown name type in requested service principal names. -+ This option Cannot be used with *-S*. - - **-P** - Specifies that the *service1 service2* ... arguments are to be -@@ -76,16 +77,17 @@ OPTIONS - - **--cached-only** - Only retrieve credentials already present in the cache, not from -- the KDC. -+ the KDC. (Added in release 1.19.) - - **--no-store** - Do not store retrieved credentials in the cache. If - **--out-cache** is also specified, credentials will still be -- stored into the output credential cache. -+ stored into the output credential cache. (Added in release 1.19.) - - **--out-cache** *ccache* - Initialize *ccache* and store all retrieved credentials into it. -- Do not store acquired credentials in the input cache. -+ Do not store acquired credentials in the input cache. (Added in -+ release 1.19.) - - **--u2u** *ccache* - Requests a user-to-user ticket. 
*ccache* must contain a local -diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c -index 9d85864f6..c5f6bf700 100644 ---- a/src/clients/kvno/kvno.c -+++ b/src/clients/kvno/kvno.c -@@ -38,15 +38,18 @@ - static char *prog; - static int quiet = 0; - -+#define XUSAGE_BREAK "\n\t" -+ - static void - xusage() - { -- fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog); -- fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | " -- "[-F cert_file] [-P]]\n")); -- fprintf(stderr, _("\t[--cached-only] [--no-store] [--out-cache ccache] " -- "[--u2u ccache]\n")); -- fprintf(stderr, _("\tservice1 service2 ...\n")); -+ fprintf(stderr, _("usage: %s [-c ccache] [-e etype] [-k keytab] [-q] " -+ "[-u | -S sname]" XUSAGE_BREAK -+ "[[{-F cert_file | {-I | -U} for_user} [-P]] | " -+ "--u2u ccache]" XUSAGE_BREAK -+ "[--cached-only] [--no-store] [--out-cache] " -+ "service1 service2 ...\n"), -+ prog); - exit(1); - } - -diff --git a/src/man/kvno.man b/src/man/kvno.man -index b9f6739eb..22318324d 100644 ---- a/src/man/kvno.man -+++ b/src/man/kvno.man -@@ -36,13 +36,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - [\fB\-c\fP \fIccache\fP] - [\fB\-e\fP \fIetype\fP] - [\fB\-q\fP] --[\fB\-h\fP] -+[\fB\-u\fP | \fB\-S\fP \fIsname\fP] - [\fB\-P\fP] --[\fB\-S\fP \fIsname\fP] --[\fB\-I\fP \fIfor_user\fP] --[\fB\-U\fP \fIfor_user\fP] --[\fB\-F\fP \fIcert_file\fP] --[\fB\-\-u2u\fP \fIccache\fP] -+[[{\fB\-F\fP \fIcert_file\fP | {\fB\-I\fP | \fB\-U\fP} \fIfor_user\fP} [\fB\-P\fP]] | \fB\-\-u2u\fP \fIccache\fP] - \fIservice1 service2\fP ... - .SH DESCRIPTION - .sp -@@ -60,13 +56,18 @@ Specifies the enctype which will be requested for the session key - of all the services named on the command line. This is useful in - certain backward compatibility situations. - .TP -+\fB\-k\fP \fIkeytab\fP -+Decrypt the acquired tickets using \fIkeytab\fP to confirm their -+validity. -+.TP - \fB\-q\fP - Suppress printing output when successful. 
If a service ticket - cannot be obtained, an error message will still be printed and - kvno will exit with nonzero status. - .TP --\fB\-h\fP --Prints a usage statement and exits. -+\fB\-u\fP -+Use the unknown name type in requested service principal names. -+This option Cannot be used with \fI\-S\fP\&. - .TP - \fB\-P\fP - Specifies that the \fIservice1 service2\fP ... arguments are to be -@@ -97,16 +98,17 @@ certificate file must be in PEM format. - .TP - \fB\-\-cached\-only\fP - Only retrieve credentials already present in the cache, not from --the KDC. -+the KDC. (Added in release 1.19.) - .TP - \fB\-\-no\-store\fP - Do not store retrieved credentials in the cache. If - \fB\-\-out\-cache\fP is also specified, credentials will still be --stored into the output credential cache. -+stored into the output credential cache. (Added in release 1.19.) - .TP - \fB\-\-out\-cache\fP \fIccache\fP - Initialize \fIccache\fP and store all retrieved credentials into it. --Do not store acquired credentials in the input cache. -+Do not store acquired credentials in the input cache. (Added in -+release 1.19.) - .TP - \fB\-\-u2u\fP \fIccache\fP - Requests a user\-to\-user ticket. \fIccache\fP must contain a local diff --git a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch index 4e81cd0..88c2364 100644 --- a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch +++ b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch @@ -1,4 +1,4 @@ -From 3e0d464f55320b393e32285f31710c24758a9101 Mon Sep 17 00:00:00 2001 +From e12c670bceb08413f797ecd643675a4a80dac824 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 4 Mar 2020 17:18:51 -0500 Subject: [PATCH] Use two queues for concurrent t_otp.py daemons diff --git a/downstream-Adjust-build-configuration.patch b/downstream-Adjust-build-configuration.patch index 47f6c31..62000c1 100644 --- a/downstream-Adjust-build-configuration.patch +++ b/downstream-Adjust-build-configuration.patch 
@@ -1,4 +1,4 @@ -From 30ece66508c8e10f704cd2860dfd421ebee15897 Mon Sep 17 00:00:00 2001 +From c06693e5a17daf0fd585e608e8bfd1eb3eef447c Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] [downstream] Adjust build configuration diff --git a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index 08b78b1..310e1ac 100644 --- a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From bf8521bfaa4a4d54f6eb94f785c68942f4afa055 Mon Sep 17 00:00:00 2001 +From a983f32cfd2ec3f0571db347426835e8fc7c8464 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 diff --git a/downstream-Remove-3des-support.patch b/downstream-Remove-3des-support.patch index 570762d..e060f4e 100644 --- a/downstream-Remove-3des-support.patch +++ b/downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From c920b585b8400ef44684c673c54264657195f3ce Mon Sep 17 00:00:00 2001 +From 603a735ba52b50541520e53b031be47817de2fd5 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -5552,7 +5552,7 @@ index 85a9574f3..3ce2a90ce 100644 code = 0; retval = GSS_S_BAD_SIG; diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c -index 80954aff7..f7d3e92c4 100644 +index ddb0af8fc..d6c71aeb8 100644 --- a/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c @@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey, diff --git a/downstream-SELinux-integration.patch b/downstream-SELinux-integration.patch index e5322af..4574a19 100644 --- a/downstream-SELinux-integration.patch +++ b/downstream-SELinux-integration.patch 
@@ -1,4 +1,4 @@ -From f8c70f6190a0573e2aca0b40964cf3b1a73ca8bb Mon Sep 17 00:00:00 2001 +From 2c4d04d1da4dbb1a312db965f3392d7d0bc67a17 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -67,10 +67,10 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 830203683..6796fec53 100644 +index 59621e3e7..398eca7e4 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) +@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -78,7 +78,7 @@ index 830203683..6796fec53 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS) +@@ -1739,4 +1740,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -253,7 +253,7 @@ index 79761f6d2..e9435c693 100644 #include diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index 301e3476d..19f2cc230 100644 +index ff2f25050..e3457622a 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -288,7 +288,7 @@ index 301e3476d..19f2cc230 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index fdcd694d7..1ede4bf2f 100644 +index 38d76b3b1..eb6966f2d 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -872,7 +872,7 @@ write_pid_file(const char *path) diff --git a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch index 56565b1..2e41026 100644 --- a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch +++ b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch 
@@ -1,4 +1,4 @@ -From 040dd62418b918adc993b9cc3e1e80fc232286c4 Mon Sep 17 00:00:00 2001 +From b1eeb9caf1e1fec23d92f163086ec168fbaf74e5 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 15 Nov 2019 20:05:16 +0000 Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF diff --git a/downstream-fix-debuginfo-with-y.tab.c.patch b/downstream-fix-debuginfo-with-y.tab.c.patch index 33f61c5..7600f5d 100644 --- a/downstream-fix-debuginfo-with-y.tab.c.patch +++ b/downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From c6e103db0eb02c31a13b8cbcbae296c473074991 Mon Sep 17 00:00:00 2001 +From 126569bf428c546b938b9fec5b12851f09d61c94 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c diff --git a/downstream-ksu-pam-integration.patch b/downstream-ksu-pam-integration.patch index e81f2c1..be0e02f 100644 --- a/downstream-ksu-pam-integration.patch +++ b/downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 9feb7298b90d3e6a34821fce7315757c0bf81c9e Mon Sep 17 00:00:00 2001 +From a5a642c33a2f57d24c1cfa8ca3e286418206ab55 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 2394f7e33..830203683 100644 +index 8709a7f5d..59621e3e7 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then +@@ -1671,3 +1671,72 @@ if test "$with_ldap" = yes; then OPENLDAP_PLUGIN=yes fi ])dnl diff --git a/downstream-netlib-and-dns.patch b/downstream-netlib-and-dns.patch index 05bddc4..156870b 100644 --- a/downstream-netlib-and-dns.patch +++ b/downstream-netlib-and-dns.patch 
@@ -1,4 +1,4 @@ -From 4254bee1b97edeb0848efce635bcf1b56306f968 Mon Sep 17 00:00:00 2001 +From 23bce0aef64454bf808b9885967b04abafcf7917 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] [downstream] netlib and dns @@ -11,10 +11,10 @@ Last-updated: krb5-1.3.1 1 file changed, 1 insertion(+) diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 6796fec53..c4358988a 100644 +index 398eca7e4..7ef2db56b 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -724,6 +724,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), +@@ -720,6 +720,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), LIBS="$LIBS $withval" AC_MSG_RESULT("netlib will use \'$withval\'") fi diff --git a/krb5.spec b/krb5.spec index 6223d52..8372f70 100644 --- a/krb5.spec +++ b/krb5.spec @@ -16,9 +16,9 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.18.2 +Version: 1.18.3 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 30%{?dist} +Release: 2%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -50,7 +50,6 @@ Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch Patch13: Add-finalization-safety-check-to-com_err.patch -Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch Patch15: Correctly-import-service-GSS-host-based-name.patch Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch Patch17: Pass-gss_localname-through-SPNEGO.patch 
@@ -68,12 +67,9 @@ Patch29: Add-client_aware_channel_bindings-option.patch Patch30: Pass-channel-bindings-through-SPNEGO.patch Patch31: Add-channel-bindings-tests.patch Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch -Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch -Patch36: Fix-input-length-checking-in-SPNEGO-DER-decoding.patch Patch37: Add-three-kvno-options-from-Heimdal-kgetcred.patch -Patch38: Unify-kvno-option-documentation.patch Patch39: Improve-KDC-alias-checking-for-S4U-requests.patch Patch40: Adjust-KDC-alias-helper-function-contract.patch Patch41: Allow-aliases-when-matching-U2U-second-ticket.patch @@ -81,7 +77,6 @@ Patch42: Refactor-KDC-authdata-list-management-helpers.patch Patch43: Avoid-passing-DB-entry-structures-in-KDC.patch Patch44: Minimize-usage-of-tgs_server-in-KDC.patch Patch45: Fix-minor-static-analysis-defects.patch -Patch46: Add-recursion-limit-for-ASN.1-indefinite-lengths.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -632,6 +627,12 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Nov 18 2020 Robbie Harwood - 1.18.3-2 +- Fix build failure in -1 + +* Wed Nov 18 2020 Robbie Harwood - 1.18.3-1 +- New upstream version (1.18.3) + * Tue Nov 17 2020 Robbie Harwood - 1.18.2-30 - Migrate /var/run to /run, an exercise in pointlessness - Resolves: #1898410 diff --git a/sources b/sources index c61d805..6ed904d 100644 --- a/sources +++ b/sources 
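Review bot: The krb5.spec hunks drop Patch14, Patch33, Patch36, Patch38 and Patch46 from the patch list, but the new `- New upstream version (1.18.3)` changelog entry does not say why; presumably they are carried in the 1.18.3 tarball, yet nothing in the commit states that, and three of the removed files (RC4 unwrap, SPNEGO DER length checking, ASN.1 recursion limit) are input-validation fixes whose presence in the build one would want to be able to confirm from the package history. A changelog line such as `- Drop patches merged upstream in 1.18.3 (PKINIT responder, RC4 unwrap, SPNEGO DER length checks, kvno docs, ASN.1 recursion limit)` would make the removal auditable without diffing the tarball. The 1.18.3-2 entry `- Fix build failure in -1` likewise records neither what failed nor what changed to fix it, and the spec diff itself shows no corresponding change beyond the Release bump.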
@@ -1,2 +1,2 @@
-SHA512 (krb5-1.18.2.tar.gz) = 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
-SHA512 (krb5-1.18.2.tar.gz.asc) = 70775a06104b4d792d278da2efa92e94ddacb4ea319bfe2b253f5afcfec27f3bc5ddd12560294a265e3cf3d4fc74bcbfc3f5eeff8634d66c00d67e18dc93a74a
+SHA512 (krb5-1.18.3.tar.gz) = cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01
+SHA512 (krb5-1.18.3.tar.gz.asc) = 7c5a83e13d00910d895d545ed63310ebec48c90c29846dd54e48048f710360e8306778729b636baa091a4e9048998ff6d4dfe37f88dd6292540d55678c961a30