New upstream release - 1.16.1

This commit is contained in:
Robbie Harwood 2018-05-04 10:46:27 -04:00
parent ab1e0477e9
commit 88ba66fe53
49 changed files with 71 additions and 1311 deletions

.gitignore vendored

@ -163,3 +163,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.16-pdfs.tar
/krb5-1.16.tar.gz
/krb5-1.16.tar.gz.asc
/krb5-1.16.1-pdfs.tar
/krb5-1.16.1.tar.gz
/krb5-1.16.1.tar.gz.asc


@ -1,4 +1,4 @@
From a675384ef4cc4b6d28cce20cbcef0d033206139a Mon Sep 17 00:00:00 2001
From dd66546bde0bc868a9af2ac702c7466e7494b33b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 13 Jun 2015 16:04:53 -0400
Subject: [PATCH] Add ASN.1 encoders and decoders for SPAKE types


@ -1,4 +1,4 @@
From 4ddfba7c9c12056f9f5819648f20f68e5625dced Mon Sep 17 00:00:00 2001
From 9f69b78a93de5ae396eb96d2957f36f8b9dc7458 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 12 Mar 2018 11:31:46 -0400
Subject: [PATCH] Add PKINIT KDC support for freshness token
@ -377,10 +377,10 @@ index 6f34dc289..80b130222 100644
if (state->pa_data == NULL) {
krb5_klog_syslog(LOG_INFO,
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 18649b8ad..a63af2503 100644
index 198eab9c4..1885c9f80 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -427,11 +427,13 @@ struct krb5_kdcpreauth_rock_st {
@@ -426,11 +426,13 @@ struct krb5_kdcpreauth_rock_st {
krb5_kdc_req *request;
krb5_data *inner_body;
krb5_db_entry *client;
@ -415,7 +415,7 @@ index 8489a3e23..fe2ec0d31 100644
int dh_min_bits; /* minimum DH modulus size allowed */
} pkinit_plg_opts;
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 4e9685885..bbfde34b2 100644
index 8aa4d8b49..76ad5bf19 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -161,6 +161,10 @@ pkinit_server_get_edata(krb5_context context,
@ -429,7 +429,7 @@ index 4e9685885..bbfde34b2 100644
(*respond)(arg, retval, NULL);
}
@@ -396,6 +400,31 @@ cleanup:
@@ -403,6 +407,31 @@ cleanup:
return ret;
}
@ -461,7 +461,7 @@ index 4e9685885..bbfde34b2 100644
static void
pkinit_server_verify_padata(krb5_context context,
krb5_data *req_pkt,
@@ -418,10 +447,11 @@ pkinit_server_verify_padata(krb5_context context,
@@ -425,10 +454,11 @@ pkinit_server_verify_padata(krb5_context context,
pkinit_kdc_req_context reqctx = NULL;
krb5_checksum cksum = {0, 0, 0, NULL};
krb5_data *der_req = NULL;
@ -474,7 +474,7 @@ index 4e9685885..bbfde34b2 100644
char **sp;
pkiDebug("pkinit_verify_padata: entered!\n");
@@ -592,6 +622,14 @@ pkinit_server_verify_padata(krb5_context context,
@@ -599,6 +629,14 @@ pkinit_server_verify_padata(krb5_context context,
goto cleanup;
}
@ -489,7 +489,7 @@ index 4e9685885..bbfde34b2 100644
/* check if kdcPkId present and match KDC's subjectIdentifier */
if (reqp->kdcPkId.data != NULL) {
int valid_kdcPkId = 0;
@@ -634,6 +672,13 @@ pkinit_server_verify_padata(krb5_context context,
@@ -641,6 +679,13 @@ pkinit_server_verify_padata(krb5_context context,
break;
}
@ -503,7 +503,7 @@ index 4e9685885..bbfde34b2 100644
if (is_signed && plgctx->auth_indicators != NULL) {
/* Assert configured authentication indicators. */
for (sp = plgctx->auth_indicators; *sp != NULL; sp++) {
@@ -1323,6 +1368,10 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
@@ -1330,6 +1375,10 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
0, &plgctx->opts->require_crl_checking);
@ -515,7 +515,7 @@ index 4e9685885..bbfde34b2 100644
KRB5_CONF_PKINIT_EKU_CHECKING,
&eku_string);
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index b790a7cda..3030322e1 100755
index 86fe661a0..5bc60cb1e 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -39,6 +39,8 @@ pkinit_kdc_conf = {'realms': {'$realm': {
@ -620,7 +620,7 @@ index b790a7cda..3030322e1 100755
realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % p12_identity])
realm.klist(realm.user_princ)
@@ -350,8 +376,6 @@ conf = open(softpkcs11rc, 'w')
@@ -357,8 +383,6 @@ conf = open(softpkcs11rc, 'w')
conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem))
conf.close()
# Expect to succeed without having to supply any more information.


@ -1,4 +1,4 @@
From 7eb2df66aef8e2b58ec7dfa13e9ee19f5e3b5b34 Mon Sep 17 00:00:00 2001
From 0bc035db40c5badae3cc00f452560785a0cb0a44 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 31 Jan 2017 17:02:34 -0500
Subject: [PATCH] Add PKINIT client support for freshness token
@ -275,7 +275,7 @@ index 2f88545da..d5858c424 100644
free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
if ((*in)->supportedKDFs) {
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
index d4eb39d88..67e0caeb4 100644
index 2d95da94a..7f95206c0 100644
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
@@ -41,6 +41,8 @@


@ -1,4 +1,4 @@
From bcc764eca6c92210716d1d6db59bfe112522a95d Mon Sep 17 00:00:00 2001
From b054d1d29e676600abd6fdd7a67a283c3c011f95 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Sep 2015 17:47:35 -0400
Subject: [PATCH] Add SPAKE preauth support
@ -106,7 +106,7 @@ ticket: 8647 (new)
create mode 100644 src/tests/t_spake.py
diff --git a/NOTICE b/NOTICE
index 1db2420a7..9dc1148b1 100644
index 1f2ce6493..cb6ab462b 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1316,3 +1316,54 @@ The following notice applies to
@ -219,10 +219,10 @@ index 1ac1a37c2..f8cf1be7c 100644
(List of *key*:*salt* strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 4ed9832c7..8cfe5f458 100644
index 3d33dba40..2574e5c26 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -365,6 +365,21 @@ The libdefaults section may contain any of the following relations:
@@ -367,6 +367,21 @@ The libdefaults section may contain any of the following relations:
with the session key type. See the **kdc_req_checksum_type**
configuration option for the possible values and their meanings.
@ -354,7 +354,7 @@ index 640955c90..e32365daa 100644
+For other cookies, there must be exactly one second-factor record
+corresponding to the factor type chosen by the client.
diff --git a/doc/notice.rst b/doc/notice.rst
index 26011550b..cacfd659a 100644
index a32e55529..8f6b68638 100644
--- a/doc/notice.rst
+++ b/doc/notice.rst
@@ -1237,3 +1237,50 @@ The following notice applies to


@ -1,4 +1,4 @@
From 6410daacd3b14ca1b96889f3db5ea9c94bf58734 Mon Sep 17 00:00:00 2001
From 0ff94a373749e83fb9c2c5c6fa6d5788b2b63460 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 27 Mar 2018 00:49:43 -0400
Subject: [PATCH] Add doc index entries for SPAKE constants


@ -1,4 +1,4 @@
From 87e99d886fe8ea74521e73f8f0a8445353162526 Mon Sep 17 00:00:00 2001
From f2402ea18c8587dab261cd724ef62fd7f6bcc8ec Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 4 Jan 2018 14:35:12 -0500
Subject: [PATCH] Add k5_buf_add_vfmt to k5buf interface


@ -1,4 +1,4 @@
From 443151a0690d3f11b38db54f650b320cb733535f Mon Sep 17 00:00:00 2001
From c8992ad9dc0c7fc4d8bec3b9ecb129fe587d615e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 19 Feb 2018 00:51:44 -0500
Subject: [PATCH] Add libkrb5support hex functions and tests


@ -1,4 +1,4 @@
From 181d3a9e2d274b49a2830895a59ce1b22be4000a Mon Sep 17 00:00:00 2001
From 5ed0331bd6bfd39b9c5ca40ec38d536221118998 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 3 Feb 2018 20:53:42 -0500
Subject: [PATCH] Add vector support to k5_sha256()


@ -1,49 +0,0 @@
From 8a2ceda87107973ec10fec532c095cf347ec050c Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 14 Mar 2018 01:19:17 +0200
Subject: [PATCH] Allow validation of PACs with enterprise names
In k5_pac_validate_client(), if we are verifying against an enterprise
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
This scenario may arise in the response to an S4U2Self request for an
enterprise principal, as the KDC does not appear to canonicalize the
client principal requested in PA-FOR-USER.
[ghudson@mit.edu: rewrote commit message; adjusted style]
ticket: 8649 (new)
tags: pullup
target_version: 1.16-next
(cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf)
---
src/lib/krb5/krb/pac.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6bb..c9b5de30a 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
krb5_ui_2 pac_princname_length;
int64_t pac_nt_authtime;
krb5_principal pac_principal;
+ int flags;
ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
&client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
if (ret != 0)
return ret;
- ret = krb5_parse_name_flags(context, pac_princname,
- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+ /* Parse the UTF-8 name as an enterprise principal if we are matching
+ * against one; otherwise parse it as a regular principal with no realm. */
+ flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
if (ret != 0) {
free(pac_princname);
return ret;


@ -1,4 +1,4 @@
From 864f90dcc860997189679b980f52de41ef10a238 Mon Sep 17 00:00:00 2001
From c98a6fc929b80dd8d221314e31903a9d5ee56295 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 31 Mar 2018 10:43:49 -0400
Subject: [PATCH] Be more careful asking for AS key in SPAKE client


@ -1,42 +0,0 @@
From 3001200ba4598aeb14511353a72dc746034280b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 28 Mar 2018 18:27:06 +0200
Subject: [PATCH] Continue after KRB5_CC_END in KCM cache iteration
The KCM server returns KRB5_CC_END in response to a GET_CACHE_BY_UUID
request to indicate that the specified ccache uuid no longer exists.
In krb5_ptcursor_next(), ignore this error and continue the iteration,
as the Heimdal KCM client code does.
In addition to addressing the case where a third party deletes a cache
between the GET_CACHE_UUID_LIST request and when we reach that uuid in
the iteration, this change also fixes a bug in kdestroy -A where the
caller deletes the primary cache and we later request it by uuid when
iterating over the list.
[ghudson@mit.edu: rewrote commit message; edited comment]
ticket: 8658 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
(cherry picked from commit 49087f5e6309f298f8898c35af6f4ade418ced60)
---
src/lib/krb5/ccache/cc_kcm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
index b621ed33b..0d38b1839 100644
--- a/src/lib/krb5/ccache/cc_kcm.c
+++ b/src/lib/krb5/ccache/cc_kcm.c
@@ -966,6 +966,9 @@ kcm_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
kcmreq_init(&req, KCM_OP_GET_CACHE_BY_UUID, NULL);
k5_buf_add_len(&req.reqbuf, id, KCM_UUID_LEN);
ret = kcmio_call(context, data->io, &req);
+ /* Continue if the cache has been deleted. */
+ if (ret == KRB5_CC_END)
+ continue;
if (ret)
goto cleanup;
ret = kcmreq_get_name(&req, &name);


@ -1,4 +1,4 @@
From a4576a5946d84e1a74093c4fc171a7fcb1f7ef59 Mon Sep 17 00:00:00 2001
From cb8f31e6bbf72e207b428d52c2fd9ed719bbec4f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Mar 2018 14:31:22 -0400
Subject: [PATCH] Exit with status 0 from kadmind
@ -19,10 +19,10 @@ code, which used a similar event model for signals.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 6c875901a..936955b89 100644
index aac4d4ffd..0a28b2384 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -560,5 +560,5 @@ main(int argc, char *argv[])
@@ -559,5 +559,5 @@ main(int argc, char *argv[])
krb5_klog_close(context);
krb5_free_context(context);


@ -1,224 +0,0 @@
From d3697aa9a653bc9aaf11f3c9e985ba544c23a9c3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 20 Apr 2018 16:16:02 -0400
Subject: [PATCH] Fix KDC null dereference on large TGS replies
For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().
Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response. Add a test
case.
[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]
ticket: 8666
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)
---
src/kdc/Makefile.in | 1 +
src/kdc/dispatch.c | 50 ++++++++++++++++++++++++-------------------
src/kdc/do_tgs_req.c | 24 ++++++---------------
src/kdc/kdc_util.h | 5 ++---
src/kdc/t_bigreply.py | 19 ++++++++++++++++
5 files changed, 56 insertions(+), 43 deletions(-)
create mode 100644 src/kdc/t_bigreply.py
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 61a3dbc6f..117a8f561 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -85,6 +85,7 @@ check-cmocka: t_replay
check-pytests:
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS)
install:
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 3867ff952..3ed5176a8 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -124,7 +124,7 @@ dispatch(void *cb, const krb5_fulladdr *local_addr,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
krb5_error_code retval;
- krb5_kdc_req *as_req;
+ krb5_kdc_req *req = NULL;
krb5_data *response = NULL;
struct dispatch_state *state;
struct server_handle *handle = cb;
@@ -176,29 +176,35 @@ dispatch(void *cb, const krb5_fulladdr *local_addr,
/* try TGS_REQ first; they are more common! */
- if (krb5_is_tgs_req(pkt)) {
- retval = process_tgs_req(handle, pkt, remote_addr, &response);
- } else if (krb5_is_as_req(pkt)) {
- if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
- /*
- * setup_server_realm() sets up the global realm-specific data
- * pointer.
- * process_as_req frees the request if it is called
- */
- state->active_realm = setup_server_realm(handle, as_req->server);
- if (state->active_realm != NULL) {
- process_as_req(as_req, pkt, local_addr, remote_addr,
- state->active_realm, vctx,
- finish_dispatch_cache, state);
- return;
- } else {
- retval = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_kdc_req(kdc_err_context, as_req);
- }
- }
- } else
+ if (krb5_is_tgs_req(pkt))
+ retval = decode_krb5_tgs_req(pkt, &req);
+ else if (krb5_is_as_req(pkt))
+ retval = decode_krb5_as_req(pkt, &req);
+ else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ if (retval)
+ goto done;
+ state->active_realm = setup_server_realm(handle, req->server);
+ if (state->active_realm == NULL) {
+ retval = KRB5KDC_ERR_WRONG_REALM;
+ goto done;
+ }
+
+ if (krb5_is_tgs_req(pkt)) {
+ /* process_tgs_req frees the request */
+ retval = process_tgs_req(req, pkt, remote_addr, state->active_realm,
+ &response);
+ req = NULL;
+ } else if (krb5_is_as_req(pkt)) {
+ /* process_as_req frees the request and calls finish_dispatch_cache. */
+ process_as_req(req, pkt, local_addr, remote_addr, state->active_realm,
+ vctx, finish_dispatch_cache, state);
+ return;
+ }
+
+done:
+ krb5_free_kdc_req(kdc_err_context, req);
finish_dispatch_cache(state, retval, response);
}
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cc5a69236..61051bafa 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -98,12 +98,12 @@ search_sprinc(kdc_realm_t *, krb5_kdc_req *, krb5_flags,
/*ARGSUSED*/
krb5_error_code
-process_tgs_req(struct server_handle *handle, krb5_data *pkt,
- const krb5_fulladdr *from, krb5_data **response)
+process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+ const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
+ krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_keyblock *header_key = NULL;
- krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_db_entry *stkt_server = NULL;
krb5_kdc_rep reply;
@@ -136,7 +136,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
krb5_pa_data **e_data = NULL;
- kdc_realm_t *kdc_active_realm = NULL;
krb5_audit_state *au_state = NULL;
krb5_data **auth_indicators = NULL;
@@ -146,36 +145,25 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
session_key.contents = NULL;
- retval = decode_krb5_tgs_req(pkt, &request);
- if (retval)
- return retval;
/* Save pointer to client-requested service principal, in case of
* errors before a successful call to search_sprinc(). */
sprinc = request->server;
if (request->msg_type != KRB5_TGS_REQ) {
- krb5_free_kdc_req(handle->kdc_err_context, request);
+ krb5_free_kdc_req(kdc_context, request);
return KRB5_BADMSGTYPE;
}
- /*
- * setup_server_realm() sets up the global realm-specific data pointer.
- */
- kdc_active_realm = setup_server_realm(handle, request->server);
- if (kdc_active_realm == NULL) {
- krb5_free_kdc_req(handle->kdc_err_context, request);
- return KRB5KDC_ERR_WRONG_REALM;
- }
errcode = kdc_make_rstate(kdc_active_realm, &state);
if (errcode !=0) {
- krb5_free_kdc_req(handle->kdc_err_context, request);
+ krb5_free_kdc_req(kdc_context, request);
return errcode;
}
/* Initialize audit state. */
errcode = kau_init_kdc_req(kdc_context, request, from, &au_state);
if (errcode) {
- krb5_free_kdc_req(handle->kdc_err_context, request);
+ krb5_free_kdc_req(kdc_context, request);
return errcode;
}
/* Seed the audit trail with the request ID and basic information. */
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index a63af2503..1885c9f80 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -145,9 +145,8 @@ process_as_req (krb5_kdc_req *, krb5_data *,
/* do_tgs_req.c */
krb5_error_code
-process_tgs_req (struct server_handle *, krb5_data *,
- const krb5_fulladdr *,
- krb5_data ** );
+process_tgs_req (krb5_kdc_req *, krb5_data *, const krb5_fulladdr *,
+ kdc_realm_t *, krb5_data ** );
/* dispatch.c */
void
dispatch (void *,
diff --git a/src/kdc/t_bigreply.py b/src/kdc/t_bigreply.py
new file mode 100644
index 000000000..6bc9a8fe0
--- /dev/null
+++ b/src/kdc/t_bigreply.py
@@ -0,0 +1,19 @@
+#!/usr/bin/python
+from k5test import *
+
+# Set the maximum UDP reply size very low, so that all replies go
+# through the RESPONSE_TOO_BIG path.
+kdc_conf = {'kdcdefaults': {'kdc_max_dgram_reply_size': '10'}}
+realm = K5Realm(kdc_conf=kdc_conf, get_creds=False)
+
+msgs = ('Sending initial UDP request',
+ 'Received answer',
+ 'Request or response is too big for UDP; retrying with TCP',
+ ' to KRBTEST.COM (tcp only)',
+ 'Initiating TCP connection',
+ 'Sending TCP request',
+ 'Terminating TCP connection')
+realm.kinit(realm.user_princ, password('user'), expected_trace=msgs)
+realm.run([kvno, realm.host_princ], expected_trace=msgs)
+
+success('Large KDC replies')


@ -1,4 +1,4 @@
From 9bfd14df2d6458dfef8d1a17af5247af21183e3d Mon Sep 17 00:00:00 2001
From 3ea258c813de4c55a8979f019b716422b998e231 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 27 Mar 2018 10:36:05 -0400
Subject: [PATCH] Fix SPAKE memory leak


@ -1,60 +0,0 @@
From 5cdef749204eccf05ae5d7bad455d34899eb33da Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 3 Mar 2018 13:44:00 -0500
Subject: [PATCH] Fix capaths "." values on client
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function. Correct that
omission and add a test case.
ticket: 8646 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
(cherry picked from commit f8d0877f848563d07152a0ee191fe82846fdb8f1)
---
src/lib/krb5/krb/walk_rtree.c | 6 ++++++
src/tests/t_crossrealm.py | 10 ++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index 0566a55f1..f4e8e35f5 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client,
if (retval)
return retval;
+ /* A capaths value of "." means no intermediates. */
+ if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') {
+ profile_free_list(capvals);
+ capvals = NULL;
+ }
+
/* Count capaths (if any) and allocate space. Leave room for the client
* realm, server realm, and terminator. */
for (i = 0; capvals != NULL && capvals[i] != NULL; i++);
diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
index e7ddb0525..4d595dca6 100755
--- a/src/tests/t_crossrealm.py
+++ b/src/tests/t_crossrealm.py
@@ -109,6 +109,16 @@ test_kvno(r1, r4.host_princ, 'KDC capaths')
check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ))
stop(r1, r2, r3, r4)
+# A capaths value of '.' should enforce direct cross-realm, with no
+# intermediate.
+capaths = {'capaths': {'A.X': {'B.X': '.'}}}
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+ args=({'realm': 'A.X', 'krb5_conf': capaths},
+ {'realm': 'X'}, {'realm': 'B.X'}))
+r1.run([kvno, r3.host_princ], expected_code=1,
+ expected_msg='Server krbtgt/B.X@A.X not found in Kerberos database')
+stop(r1, r2, r3)
+
# Test transited error. The KDC for C does not recognize B as an
# intermediate realm for A->C, so it refuses to issue a service
# ticket.


@ -1,346 +0,0 @@
From 27581397cd0d2f213c91bdf20ea9a6736f3e60dc Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 12 Jan 2018 11:43:01 -0500
Subject: [PATCH] Fix flaws in LDAP DN checking
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
ticket: 8643 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1)
---
src/lib/kadm5/srv/svr_principal.c | 7 +
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +-
.../kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 ++++++++++--------
src/tests/t_kdb.py | 11 +
4 files changed, 125 insertions(+), 95 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 2420f2c2b..a59a65e8f 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
+ if (mask & KADM5_TL_DATA) {
+ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
+ tl_data_tail = tl_data_tail->tl_data_next) {
+ if (tl_data_tail->tl_data_type < 256)
+ return KADM5_BAD_TL_TYPE;
+ }
+ }
/*
* Check to see if the principal exists
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 535a1f309..8b8420faa 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
#define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
#define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
-#define KDB_TL_USER_INFO 0x7ffe
+#define KDB_TL_USER_INFO 0xff
#define KDB_TL_PRINCTYPE 0x01
#define KDB_TL_PRINCCOUNT 0x02
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 88a170495..b7c9212cb 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -651,6 +651,107 @@ cleanup:
return ret;
}
+static krb5_error_code
+check_dn_in_container(krb5_context context, const char *dn,
+ char *const *subtrees, unsigned int ntrees)
+{
+ unsigned int i;
+ size_t dnlen = strlen(dn), stlen;
+
+ for (i = 0; i < ntrees; i++) {
+ if (subtrees[i] == NULL || *subtrees[i] == '\0')
+ return 0;
+ stlen = strlen(subtrees[i]);
+ if (dnlen >= stlen &&
+ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
+ (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
+ return 0;
+ }
+
+ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
+ return EINVAL;
+}
+
+static krb5_error_code
+check_dn_exists(krb5_context context,
+ krb5_ldap_server_handle *ldap_server_handle,
+ const char *dn, krb5_boolean nonkrb_only)
+{
+ krb5_error_code st = 0, tempst;
+ krb5_ldap_context *ldap_context = context->dal_handle->db_context;
+ LDAP *ld = ldap_server_handle->ldap_handle;
+ LDAPMessage *result = NULL, *ent;
+ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
+ char **values;
+
+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS)
+ return set_ldap_error(context, st, OP_SEARCH);
+
+ ent = ldap_first_entry(ld, result);
+ CHECK_NULL(ent);
+
+ values = ldap_get_values(ld, ent, "krbticketpolicyreference");
+ if (values != NULL)
+ ldap_value_free(values);
+
+ values = ldap_get_values(ld, ent, "krbprincipalname");
+ if (values != NULL) {
+ ldap_value_free(values);
+ if (nonkrb_only) {
+ st = EINVAL;
+ k5_setmsg(context, st, _("ldap object is already kerberized"));
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ ldap_msgfree(result);
+ return st;
+}
+
+static krb5_error_code
+validate_xargs(krb5_context context,
+ krb5_ldap_server_handle *ldap_server_handle,
+ const xargs_t *xargs, const char *standalone_dn,
+ char *const *subtrees, unsigned int ntrees)
+{
+ krb5_error_code st;
+
+ if (xargs->dn != NULL) {
+ /* The supplied dn must be within a realm container. */
+ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
+ if (st)
+ return st;
+ /* The supplied dn must exist without Kerberos attributes. */
+ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
+ if (st)
+ return st;
+ }
+
+ if (xargs->linkdn != NULL) {
+ /* The supplied linkdn must be within a realm container. */
+ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
+ if (st)
+ return st;
+ /* The supplied linkdn must exist. */
+ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
+ FALSE);
+ if (st)
+ return st;
+ }
+
+ if (xargs->containerdn != NULL && standalone_dn != NULL) {
+ /* standalone_dn (likely composed using containerdn) must be within a
+ * container. */
+ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
+ if (st)
+ return st;
+ }
+
+ return 0;
+}
+
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
LDAPMessage *result=NULL, *ent=NULL;
char **subtreelist = NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
- char **values=NULL, *strval[10]={NULL}, errbuf[1024];
+ char *strval[10]={NULL}, errbuf[1024];
char *filtuser=NULL;
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone=FALSE;
- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
+ krb5_boolean establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
- /* make sure the DN falls in the subtree */
- int dnlen=0, subtreelen=0;
- char *dn=NULL;
- krb5_boolean outofsubtree=TRUE;
-
- if (xargs.dn != NULL) {
- dn = xargs.dn;
- } else if (xargs.linkdn != NULL) {
- dn = xargs.linkdn;
- } else if (standalone_principal_dn != NULL) {
- /*
- * Even though the standalone_principal_dn is constructed
- * within this function, there is the containerdn input
- * from the user that can become part of the it.
- */
- dn = standalone_principal_dn;
- }
-
/* Get the current subtree list if we haven't already done so. */
if (subtreelist == NULL) {
st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
goto cleanup;
}
- for (tre=0; tre<ntrees; ++tre) {
- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
- outofsubtree = FALSE;
- break;
- } else {
- dnlen = strlen (dn);
- subtreelen = strlen(subtreelist[tre]);
- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
- outofsubtree = FALSE;
- break;
- }
- }
- }
-
- if (outofsubtree == TRUE) {
- st = EINVAL;
- k5_setmsg(context, st, _("DN is out of the realm subtree"));
+ st = validate_xargs(context, ldap_server_handle, &xargs,
+ standalone_principal_dn, subtreelist, ntrees);
+ if (st)
goto cleanup;
- }
-
- /*
- * dn value will be set either by dn, linkdn or the standalone_principal_dn
- * In the first 2 cases, the dn should be existing and in the last case we
- * are supposed to create the ldap object. so the below should not be
- * executed for the last case.
- */
-
- if (standalone_principal_dn == NULL) {
- /*
- * If the ldap object is missing, this results in an error.
- */
-
- /*
- * Search for krbprincipalname attribute here.
- * This is to find if a kerberos identity is already present
- * on the ldap object, in which case adding a kerberos identity
- * on the ldap object should result in an error.
- */
- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
-
- ldap_msgfree(result);
- result = NULL;
- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
- if (st == LDAP_SUCCESS) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- krb_identity_exists = TRUE;
- ldap_value_free(values);
- }
- }
- } else {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
- }
- }
-
- /*
- * If xargs.dn is set then the request is to add a
- * kerberos principal on a ldap object, but if
- * there is one already on the ldap object this
- * should result in an error.
- */
-
- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- _("ldap object is already kerberized"));
- k5_setmsg(context, st, "%s", errbuf);
- goto cleanup;
}
if (xargs.linkdn != NULL) {
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 217f2cdc3..6e563b103 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -203,6 +203,12 @@ if out != 'KRBTEST.COM\n':
# in the test LDAP server.
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
expected_code=1, expected_msg='DN is out of the realm subtree')
+# Check that the DN container check is a hierarchy test, not a simple
+# suffix match (CVE-2018-5730). We expect this operation to fail
+# either way (because "xcn" isn't a valid DN tag) but the container
+# check should happen before the DN is parsed.
+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
+ expected_code=1, expected_msg='DN is out of the realm subtree')
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
@@ -226,6 +232,11 @@ realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
'princ3'])
realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
expected_code=1, expected_msg='containerdn option not supported')
+# Verify that containerdn is checked when linkdn is also supplied
+# (CVE-2018-5730).
+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
+ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
+ expected_msg='DN is out of the realm subtree')
# Create and modify a ticket policy.
kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',


@ -1,4 +1,4 @@
From 46fada3b8a7ad21adf6831cf86c38a822a38748e Mon Sep 17 00:00:00 2001
From 6b8f7371e49c3aa636871bb4e2ea2d2e86c743de Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 26 Jan 2018 11:47:50 -0500
Subject: [PATCH] Fix hex conversion of PKINIT certid strings
@ -17,10 +17,10 @@ ticket: 8636
1 file changed, 44 insertions(+), 11 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ac107c2c1..4f21f90d2 100644
index 2064eb7bd..eb2953fe1 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4623,6 +4623,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
@@ -4616,6 +4616,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
return ret;
}
@ -64,7 +64,7 @@ index ac107c2c1..4f21f90d2 100644
static krb5_error_code
pkinit_get_certs_pkcs11(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
@@ -4665,18 +4702,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
@@ -4658,18 +4695,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
}
/* Convert the ascii cert_id string into a binary blob */
if (idopts->cert_id_string != NULL) {


@ -1,4 +1,4 @@
From 87cc924b8c127afb617cd110b1fbee57f809cd49 Mon Sep 17 00:00:00 2001
From 20c25d4a2f78d8ab33d4879e1cf843e1fdb8a20b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Mar 2018 20:27:30 -0400
Subject: [PATCH] Fix read overflow in KDC sort_pa_data()


@ -1,4 +1,4 @@
From afe1c26d08f0aead0d4ac49ad06715b1e8be7b6d Mon Sep 17 00:00:00 2001
From 9c9ff189c16b16f848f2e85c1d262f12c6d5e922 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 3 Jan 2018 12:06:08 -0500
Subject: [PATCH] Fix securid_sam2 preauth for non-default salt


@ -1,4 +1,4 @@
From 4656f809f0f50c3a0a82192f9436e3292a5fe82a Mon Sep 17 00:00:00 2001
From e6945eee571b0ff776270dea52fb051b62aedabd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 26 Mar 2018 11:12:39 -0400
Subject: [PATCH] Implement k5_buf_init_dynamic_zap


@ -1,4 +1,4 @@
From be4a469216fb87408484b90be9a1da772ba923df Mon Sep 17 00:00:00 2001
From 6f883193ddb63da0f29977e3b95a663321404546 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 3 Jan 2018 11:59:14 -0500
Subject: [PATCH] Include etype-info in for hardware preauth hints


@ -1,4 +1,4 @@
From 44fe6e4df092e3bc7673449ccd7c70b6f0a4ccbf Mon Sep 17 00:00:00 2001
From 265d00ef6bb5469b2464d7813af8c37581338385 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 15 Mar 2018 14:37:28 -0400
Subject: [PATCH] Include preauth name in trace output if possible
@ -183,7 +183,7 @@ index 779f184cb..10b4f0c14 100644
etype = va_arg(ap, krb5_enctype);
if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0)
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 3030322e1..1ba3536da 100755
index 5bc60cb1e..0e964c689 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -164,18 +164,19 @@ realm.stop_kdc()


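--- a/Merge-duplicate-subsections-in-profile-library.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 77ece30d3df5b119a74f7fe9e2c0a4c693194917 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 10 Apr 2018 15:55:41 -0400
-Subject: [PATCH] Merge duplicate subsections in profile library
-Modify profile_add_node() to return the existing node, rather than
-making a new one, when adding subsection configuration.
-This fixes an issue where the first instance of a subsection will hide
-the second instance entirely. In particular, it was previously
-impossible to split realm-specific configuration across multiple
-config files.
-[ghudson@mit.edu: adjusted style, added test case]
-ticket: 7863
-tags: pullup
-target_version: 1.16-next
-target_version: 1.15-next
-(cherry picked from commit efab9fa5a6d23c486467264e20b58bf5a9c60f0c)
----
-src/util/profile/prof_test1 | 22 ++++++++++++++++++++++
-src/util/profile/prof_tree.c | 15 +++++++++++----
-src/util/profile/test.ini | 6 ++++++
-3 files changed, 39 insertions(+), 4 deletions(-)
-diff --git a/src/util/profile/prof_test1 b/src/util/profile/prof_test1
-index 7e30fc12f..7d13c9389 100644
---- a/src/util/profile/prof_test1
-+++ b/src/util/profile/prof_test1
-@@ -341,6 +341,27 @@ proc test9 {} {
-puts "OK: test9: profile_flush_to_file with no changes"
-}
-+proc test10 {} {
-+ global wd verbose
-+
-+ # Regression test for #7863: multiply-specified subsections should
-+ # be merged.
-+ set p [profile_init_path $wd/test2.ini]
-+ set x [profile_get_values $p {{test section 2} child_section2 child}]
-+ if $verbose { puts "Read $x from profile" }
-+ if ![string equal $x "slick harry {john\tb } ron"] {
-+ puts stderr "Error: test10: Did not get expected merged children."
-+ exit 1
-+ }
-+
-+ set x [profile_get_string $p {test section 2} child_section2 chores]
-+ if $verbose { puts "Read $x from profile" }
-+ if ![string equal $x "cleaning"] {
-+ puts stderr "Error: test10: Did not find expected chores."
-+ exit 1
-+ }
-+}
-+
-test1
-test2
-test3
-@@ -350,5 +371,6 @@ test6
-test7
-test8
-test9
-+test10
-exit 0
-diff --git a/src/util/profile/prof_tree.c b/src/util/profile/prof_tree.c
-index 081f688e4..38aadc4e5 100644
---- a/src/util/profile/prof_tree.c
-+++ b/src/util/profile/prof_tree.c
-@@ -9,7 +9,7 @@
-*
-* Each node may represent either a relation or a section header.
-*
-- * A section header must have its value field set to 0, and may a one
-+ * A section header must have its value field be null, and may have one
-* or more child nodes, pointed to by first_child.
-*
-* A relation has as its value a pointer to allocated memory
-@@ -159,15 +159,22 @@ errcode_t profile_add_node(struct profile_node *section, const char *name,
-return PROF_ADD_NOT_SECTION;
-/*
-- * Find the place to insert the new node. We look for the
-- * place *after* the last match of the node name, since
-+ * Find the place to insert the new node. If we are adding a subsection
-+ * and already have a subsection with that name, merge them. Otherwise,
-+ * we look for the place *after* the last match of the node name, since
-* order matters.
-*/
-for (p=section->first_child, last = 0; p; last = p, p = p->next) {
-int cmp;
-cmp = strcmp(p->name, name);
-- if (cmp > 0)
-+ if (cmp > 0) {
-break;
-+ } else if (value == NULL && cmp == 0 &&
-+ p->value == NULL && p->deleted != 1) {
-+ /* Found duplicate subsection, so don't make a new one. */
-+ *ret_node = p;
-+ return 0;
-+ }
-}
-retval = profile_create_node(name, value, &new);
-if (retval)
-diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini
-index 23ca89677..6622df108 100644
---- a/src/util/profile/test.ini
-+++ b/src/util/profile/test.ini
-@@ -10,6 +10,12 @@ this is a comment. Everything up to the first square brace is ignored.
-}
-child_section2 = foo
-+[test section 2]
-+ child_section2 = {
-+ child = ron
-+ chores = cleaning
-+ }
-+
-[realms]
-ATHENA.MIT.EDU = {
-server = KERBEROS.MIT.EDU:88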


@ -1,4 +1,4 @@
From b0fb55f284f543e1e3752512df1f581e77d486ca Mon Sep 17 00:00:00 2001
From 56521276ff20bc05a61c6f070cb4dcab730ff6d6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 26 Mar 2018 10:54:29 -0400
Subject: [PATCH] Move zap() definition to k5-platform.h


@ -1,4 +1,4 @@
From c7c44bbd80beabe7fb21f5fb6cfb9b57faa320f4 Mon Sep 17 00:00:00 2001
From 88abb837d8a9ff12b71a848efbeaa9b9a009cc1f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 29 Jan 2018 12:10:53 +0100
Subject: [PATCH] Process included directories in alphabetical order


@ -1,4 +1,4 @@
From 61e3f0142b09cb230be3a2a110f5224e773f1281 Mon Sep 17 00:00:00 2001
From 276ecd7ba513ce0bfe5e51d6368e00476041a5b4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 21 Dec 2017 11:28:52 -0500
Subject: [PATCH] Refactor KDC krb5_pa_data utility functions
@ -373,10 +373,10 @@ index 754570c01..13111215d 100644
}
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index f99efcf50..18649b8ad 100644
index c57d48f73..198eab9c4 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -203,10 +203,10 @@ void
@@ -202,10 +202,10 @@ void
free_padata_context(krb5_context context, void *padata_context);
krb5_error_code


@ -1,4 +1,4 @@
From b3b5cf3d57ac2889aeab82a79a6ea967c1412eb6 Mon Sep 17 00:00:00 2001
From 177cb167cfc151a1f58fb3e771cd29d0598f462f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 17 Mar 2018 22:47:34 -0400
Subject: [PATCH] Report extended errors in kinit -k -t KDB:


@ -1,4 +1,4 @@
From 4a13b97ffba771de4b45b1ed309934cc840569d1 Mon Sep 17 00:00:00 2001
From 1e423ec03dbd65845a4aeb8999d130d3d6a0cdd7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 5 Apr 2018 16:23:34 -0400
Subject: [PATCH] Restrict pre-authentication fallback cases


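--- a/Return-UPN-SANs-as-strings.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 06d48c8d04a5efb098b026a1ec1c1609a5491ab0 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 22 Mar 2018 20:07:17 -0400
-Subject: [PATCH] Return UPN SANs as strings
-(cherry picked from commit fd3c824e3be56a1fa77d140fd7e93934bfd6e565)
----
-src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +--
-.../preauth/pkinit/pkinit_crypto_openssl.c | 28 +++++++------------
-src/plugins/preauth/pkinit/pkinit_matching.c | 16 ++---------
-src/plugins/preauth/pkinit/pkinit_srv.c | 21 +++++++++-----
-4 files changed, 29 insertions(+), 40 deletions(-)
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
-index c7ff29fb2..4e4752ff7 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto.h
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
-@@ -98,7 +98,7 @@ typedef struct _pkinit_cert_matching_data {
-unsigned int ku_bits; /* key usage information */
-unsigned int eku_bits; /* extended key usage information */
-krb5_principal *sans; /* Null-terminated array of PKINIT SANs */
-- krb5_principal *upns; /* Null-terimnated array of UPN SANs */
-+ char **upns; /* Null-terimnated array of UPN SANs */
-} pkinit_cert_matching_data;
-/*
-@@ -250,7 +250,7 @@ krb5_error_code crypto_retrieve_cert_sans
-if non-NULL, a null-terminated array of
-id-pkinit-san values found in the certificate
-are returned */
-- krb5_principal **upn_sans, /* OUT
-+ char ***upn_sans, /* OUT
-if non-NULL, a null-terminated array of
-id-ms-upn-san values found in the certificate
-are returned */
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index bc6de7ae8..b5a549c2c 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -29,6 +29,7 @@
-* SUCH DAMAGES.
-*/
-+#include "k5-int.h"
-#include "pkinit_crypto_openssl.h"
-#include "k5-buf.h"
-#include <dlfcn.h>
-@@ -2083,15 +2084,14 @@ crypto_retrieve_X509_sans(krb5_context context,
-pkinit_plg_crypto_context plgctx,
-pkinit_req_crypto_context reqctx,
-X509 *cert,
-- krb5_principal **princs_ret,
-- krb5_principal **upn_ret,
-+ krb5_principal **princs_ret, char ***upn_ret,
-unsigned char ***dns_ret)
-{
-krb5_error_code retval = EINVAL;
-char buf[DN_BUF_LEN];
-int p = 0, u = 0, d = 0, ret = 0, l;
-krb5_principal *princs = NULL;
-- krb5_principal *upns = NULL;
-+ char **upns = NULL;
-unsigned char **dnss = NULL;
-unsigned int i, num_found = 0, num_sans = 0;
-X509_EXTENSION *ext = NULL;
-@@ -2141,7 +2141,7 @@ crypto_retrieve_X509_sans(krb5_context context,
-}
-}
-if (upn_ret != NULL) {
-- upns = calloc(num_sans + 1, sizeof(krb5_principal));
-+ upns = calloc(num_sans + 1, sizeof(*upns));
-if (upns == NULL) {
-retval = ENOMEM;
-goto cleanup;
-@@ -2184,16 +2184,9 @@ crypto_retrieve_X509_sans(krb5_context context,
-/* Prevent abuse of embedded null characters. */
-if (memchr(name.data, '\0', name.length))
-break;
-- ret = krb5_parse_name_flags(context, name.data,
-- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-- &upns[u]);
-- if (ret) {
-- pkiDebug("%s: failed parsing ms-upn san value\n",
-- __FUNCTION__);
-- } else {
-- u++;
-- num_found++;
-- }
-+ upns[u] = k5memdup0(name.data, name.length, &ret);
-+ if (upns[u] == NULL)
-+ goto cleanup;
-} else {
-pkiDebug("%s: unrecognized othername oid in SAN\n",
-__FUNCTION__);
-@@ -2245,7 +2238,7 @@ cleanup:
-krb5_free_principal(context, princs[i]);
-free(princs);
-for (i = 0; upns != NULL && upns[i] != NULL; i++)
-- krb5_free_principal(context, upns[i]);
-+ free(upns[i]);
-free(upns);
-for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
-free(dnss[i]);
-@@ -2269,8 +2262,7 @@ crypto_retrieve_cert_sans(krb5_context context,
-pkinit_plg_crypto_context plgctx,
-pkinit_req_crypto_context reqctx,
-pkinit_identity_crypto_context idctx,
-- krb5_principal **princs_ret,
-- krb5_principal **upn_ret,
-+ krb5_principal **princs_ret, char ***upn_ret,
-unsigned char ***dns_ret)
-{
-krb5_error_code retval = EINVAL;
-@@ -5094,7 +5086,7 @@ crypto_cert_free_matching_data(krb5_context context,
-krb5_free_principal(context, md->sans[i]);
-free(md->sans);
-for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
-- krb5_free_principal(context, md->upns[i]);
-+ free(md->upns[i]);
-free(md->upns);
-free(md);
-}
-diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
-index 37bd0251a..c2a4c084d 100644
---- a/src/plugins/preauth/pkinit/pkinit_matching.c
-+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
-@@ -490,11 +490,7 @@ component_match(krb5_context context,
-break;
-}
-for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
-- krb5_unparse_name_flags(context, md->upns[i],
-- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-- &princ_string);
-- match = regexp_match(context, rc, princ_string);
-- krb5_free_unparsed_name(context, princ_string);
-+ match = regexp_match(context, rc, md->upns[i]);
-if (match)
-break;
-}
-@@ -584,14 +580,8 @@ check_all_certs(krb5_context context,
-pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
-krb5_free_unparsed_name(context, san_string);
-}
-- for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
-- char *san_string;
-- krb5_unparse_name_flags(context, md->upns[j],
-- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-- &san_string);
-- pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
-- krb5_free_unparsed_name(context, san_string);
-- }
-+ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++)
-+ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, md->upns[j]);
-#endif
-certs_checked++;
-for (rc = rs->crs; rc != NULL; rc = rc->next) {
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index bbfde34b2..3cc573813 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -178,8 +178,9 @@ verify_client_san(krb5_context context,
-int *valid_san)
-{
-krb5_error_code retval;
-- krb5_principal *princs = NULL;
-- krb5_principal *upns = NULL;
-+ krb5_principal *princs = NULL, upn;
-+ krb5_boolean match;
-+ char **upns = NULL;
-int i;
-#ifdef DEBUG_SAN_INFO
-char *client_string = NULL, *san_string;
-@@ -255,12 +256,18 @@ verify_client_san(krb5_context context,
-pkiDebug("%s: Checking upn sans\n", __FUNCTION__);
-for (i = 0; upns[i] != NULL; i++) {
-#ifdef DEBUG_SAN_INFO
-- krb5_unparse_name(context, upns[i], &san_string);
-pkiDebug("%s: Comparing client '%s' to upn san value '%s'\n",
-- __FUNCTION__, client_string, san_string);
-- krb5_free_unparsed_name(context, san_string);
-+ __FUNCTION__, client_string, upns[i]);
-#endif
-- if (cb->match_client(context, rock, upns[i])) {
-+ retval = krb5_parse_name_flags(context, upns[i],
-+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &upn);
-+ if (retval) {
-+ /* XXX trace */
-+ continue;
-+ }
-+ match = cb->match_client(context, rock, upn);
-+ krb5_free_principal(context, upn);
-+ if (match) {
-TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
-*valid_san = 1;
-retval = 0;
-@@ -286,7 +293,7 @@ out:
-}
-if (upns != NULL) {
-for (i = 0; upns[i] != NULL; i++)
-- krb5_free_principal(context, upns[i]);
-+ free(upns[i]);
-free(upns);
-}
-#ifdef DEBUG_SAN_INFO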


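--- a/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 8924d4bbbf82a29f1d6bf524a416d6e44b694734 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 22 Mar 2018 19:46:22 -0400
-Subject: [PATCH] Save SANs separately and unparse them with NO_REALM
-(cherry picked from commit 23ea8d6a9617d17ae5a529c23174d77adac39055)
----
-src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +-
-.../preauth/pkinit/pkinit_crypto_openssl.c | 37 ++-----------------
-src/plugins/preauth/pkinit/pkinit_matching.c | 30 +++++++++++----
-3 files changed, 28 insertions(+), 43 deletions(-)
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
-index 2d3733bbc..c7ff29fb2 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto.h
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
-@@ -97,8 +97,8 @@ typedef struct _pkinit_cert_matching_data {
-char *issuer_dn; /* rfc2253-style issuer name string */
-unsigned int ku_bits; /* key usage information */
-unsigned int eku_bits; /* extended key usage information */
-- krb5_principal *sans; /* Null-terminated array of subject alternative
-- name info (pkinit and ms-upn) */
-+ krb5_principal *sans; /* Null-terminated array of PKINIT SANs */
-+ krb5_principal *upns; /* Null-terimnated array of UPN SANs */
-} pkinit_cert_matching_data;
-/*
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 4f21f90d2..bc6de7ae8 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -5093,6 +5093,9 @@ crypto_cert_free_matching_data(krb5_context context,
-for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++)
-krb5_free_principal(context, md->sans[i]);
-free(md->sans);
-+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
-+ krb5_free_principal(context, md->upns[i]);
-+ free(md->upns);
-free(md);
-}
-@@ -5121,8 +5124,6 @@ get_matching_data(krb5_context context,
-{
-krb5_error_code ret = ENOMEM;
-pkinit_cert_matching_data *md = NULL;
-- krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
-- size_t i, j;
-*md_out = NULL;
-@@ -5139,40 +5140,10 @@ get_matching_data(krb5_context context,
-/* Get the SAN data. */
-ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
-- cert, &pkinit_sans, &upn_sans, NULL);
-+ cert, &md->sans, &md->upns, NULL);
-if (ret)
-goto cleanup;
-- j = 0;
-- if (pkinit_sans != NULL) {
-- for (i = 0; pkinit_sans[i] != NULL; i++)
-- j++;
-- }
-- if (upn_sans != NULL) {
-- for (i = 0; upn_sans[i] != NULL; i++)
-- j++;
-- }
-- if (j != 0) {
-- md->sans = calloc((size_t)j+1, sizeof(*md->sans));
-- if (md->sans == NULL) {
-- ret = ENOMEM;
-- goto cleanup;
-- }
-- j = 0;
-- if (pkinit_sans != NULL) {
-- for (i = 0; pkinit_sans[i] != NULL; i++)
-- md->sans[j++] = pkinit_sans[i];
-- free(pkinit_sans);
-- }
-- if (upn_sans != NULL) {
-- for (i = 0; upn_sans[i] != NULL; i++)
-- md->sans[j++] = upn_sans[i];
-- free(upn_sans);
-- }
-- md->sans[j] = NULL;
-- } else
-- md->sans = NULL;
--
-/* Get the KU and EKU data. */
-ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx,
-req_cryptoctx, cert, &md->ku_bits,
-diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
-index c1ce84b82..37bd0251a 100644
---- a/src/plugins/preauth/pkinit/pkinit_matching.c
-+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
-@@ -470,7 +470,6 @@ component_match(krb5_context context,
-{
-int match = 0;
-int i;
-- krb5_principal p;
-char *princ_string;
-switch (rc->kwval_type) {
-@@ -483,10 +482,17 @@ component_match(krb5_context context,
-match = regexp_match(context, rc, md->issuer_dn);
-break;
-case kw_san:
-- if (md->sans == NULL)
-- break;
-- for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) {
-- krb5_unparse_name(context, p, &princ_string);
-+ for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) {
-+ krb5_unparse_name(context, md->sans[i], &princ_string);
-+ match = regexp_match(context, rc, princ_string);
-+ krb5_free_unparsed_name(context, princ_string);
-+ if (match)
-+ break;
-+ }
-+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
-+ krb5_unparse_name_flags(context, md->upns[i],
-+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-+ &princ_string);
-match = regexp_match(context, rc, princ_string);
-krb5_free_unparsed_name(context, princ_string);
-if (match)
-@@ -572,10 +578,18 @@ check_all_certs(krb5_context context,
-pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn);
-#if 0
-pkiDebug("%s: issuer: '%s'\n", __FUNCTION__, md->subject_dn);
-- for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) {
-+ for (j = 0; md->sans != NULL && md->sans[j] != NULL; j++) {
-char *san_string;
-- krb5_unparse_name(context, p, &san_string);
-- pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string);
-+ krb5_unparse_name(context, md->sans[j], &san_string);
-+ pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
-+ krb5_free_unparsed_name(context, san_string);
-+ }
-+ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
-+ char *san_string;
-+ krb5_unparse_name_flags(context, md->upns[j],
-+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-+ &san_string);
-+ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
-krb5_free_unparsed_name(context, san_string);
-}
-#endif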


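--- a/Set-error-message-on-KCM-get_princ-failure.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From f9c9d683852eb4881e099b3042d4c6e5e1444efc Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 27 Apr 2018 13:51:39 -0400
-Subject: [PATCH] Set error message on KCM get_princ failure
-This matches the expected behavior from other ccache types. Most
-notably, the KEYRING equivalent was added in
-c25fc42e8eac7350209df61e4a7b9960d17755ca
-ticket: 8675 (new)
-tags: pullup
-target_version: 1.16-next
-target_version: 1.15-next
-(cherry picked from commit 58f60f3df7a625ccdcce23dfadd52dc335fd8da7)
----
-src/lib/krb5/ccache/cc_kcm.c | 6 ++++++
-1 file changed, 6 insertions(+)
-diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
-index 0d38b1839..a777f2710 100644
---- a/src/lib/krb5/ccache/cc_kcm.c
-+++ b/src/lib/krb5/ccache/cc_kcm.c
-@@ -721,12 +721,18 @@ kcm_get_princ(krb5_context context, krb5_ccache cache,
-{
-krb5_error_code ret;
-struct kcmreq req;
-+ struct kcm_cache_data *data = cache->data;
-kcmreq_init(&req, KCM_OP_GET_PRINCIPAL, cache);
-ret = cache_call(context, cache, &req, FALSE);
-/* Heimdal KCM can respond with code 0 and no principal. */
-if (!ret && req.reply.len == 0)
-ret = KRB5_FCC_NOFILE;
-+ if (ret == KRB5_FCC_NOFILE) {
-+ k5_setmsg(context, ret, _("Credentials cache 'KCM:%s' not found"),
-+ data->residual);
-+ }
-+
-if (!ret)
-ret = k5_unmarshal_princ(req.reply.ptr, req.reply.len, 4, princ_out);
-kcmreq_free(&req);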


@ -1,4 +1,4 @@
From 0afb9c336dd8573faa025915fcb97e643cc3e748 Mon Sep 17 00:00:00 2001
From bd2f01d99b623be070c8bc8d660ca92c337147ae Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 11 Feb 2018 15:23:35 -0500
Subject: [PATCH] Simplify kdc_preauth.c systems table


@ -1,4 +1,4 @@
From 678c67ef21578fb269f2efc56ff46bbd0e6b482b Mon Sep 17 00:00:00 2001
From 0c2324e3f88f5ba3dbe7c9053017549f13e1f995 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 26 Mar 2018 11:24:49 -0400
Subject: [PATCH] Use k5_buf_init_dynamic_zap where appropriate


@ -1,4 +1,4 @@
From 4a33689d89144f9e473e8192241dcd2473c78bd7 Mon Sep 17 00:00:00 2001
From c7677e91fb406c7ec55cb115155ed0d4c5943b72 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 19 Feb 2018 00:52:35 -0500
Subject: [PATCH] Use libkrb5support hex functions where appropriate


@ -1,4 +1,4 @@
From 19ed715d39bdf8415f69156d6cef19225cf6355a Mon Sep 17 00:00:00 2001
From 6f02200464dd484641639f2cb38b775d34af4bcd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 27 Mar 2018 15:42:28 -0400
Subject: [PATCH] Zap data when freeing krb5_spake_factor


@ -1,4 +1,4 @@
From 5d7ff3b42a2f1a4f5f15ac7f2b8fff743c3f33fc Mon Sep 17 00:00:00 2001
From fc2953ce9ce06ff896b1687e1c0cc9b8a4357d09 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch


@ -1,4 +1,4 @@
From d29ad5a58999cb952cdb8ae876fe8b195a11a3e1 Mon Sep 17 00:00:00 2001
From b0adf9a65d5c22a77cf957ceb1c298baff01555d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch


@ -1,4 +1,4 @@
From d2297aa0ca6006dae654f0f2a24ac8f7ead737f6 Mon Sep 17 00:00:00 2001
From abb19d2d2eac5f9f6e4a1bf26f59f3a62143dab9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch


@ -1,4 +1,4 @@
From bd1a0d1d4dba9f72bf8150d9aa8fdf70f738c4d7 Mon Sep 17 00:00:00 2001
From 7f076496c7441cd108929aa05dbe009f34054bf5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch


@ -1,4 +1,4 @@
From 812be10fc5f9f2d771fc38e6ba84f7d89a32f726 Mon Sep 17 00:00:00 2001
From 01acbf3cbd60bd460e6ec6702589451d19c89933 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch


@ -1,4 +1,4 @@
From f4bb886c93625c39d4ee788250385c55230a8442 Mon Sep 17 00:00:00 2001
From 4cbb4325a86d1d71fa45d254221ec460c41b434d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch


@ -1,4 +1,4 @@
From 43fe2e2c880cc8281cb9c0ffbaff374eb4a075aa Mon Sep 17 00:00:00 2001
From bd9a3cc0c53f6dc47a124eb6e8f698c7f1d3cd36 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch


@ -1,4 +1,4 @@
From c1c44857896ab37ed59c6cab841f5f9a0ceba5d0 Mon Sep 17 00:00:00 2001
From 162ba7fbce23d82719956de1b126e48fe676e9d1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch


@ -1,4 +1,4 @@
From 2857105eb2e301164a1486d31907699d0073dc5f Mon Sep 17 00:00:00 2001
From c79d3881fefb6108306eb56cff62de03897d4bbc Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.15.1-selinux-label.patch


@ -1,4 +1,4 @@
From bf0db245d46aa0a43479a38bf0b4ec964ae642b7 Mon Sep 17 00:00:00 2001
From 2338e73d8dced4f85d6b4f5a0f7df21033ac78c1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch


@ -1,4 +1,4 @@
From 6df2f0876e95a39d88f602abe992f26907e0136a Mon Sep 17 00:00:00 2001
From 20bc1c9b1d37138d1a8538f9cef22108c8fabf4f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch


@ -16,9 +16,9 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.16
Version: 1.16.1
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 27%{?dist}
Release: 1%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -61,8 +61,6 @@ Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
Patch37: Process-included-directories-in-alphabetical-order.patch
Patch38: Fix-flaws-in-LDAP-DN-checking.patch
Patch39: Fix-capaths-.-values-on-client.patch
Patch40: Fix-hex-conversion-of-PKINIT-certid-strings.patch
Patch41: Exit-with-status-0-from-kadmind.patch
Patch42: Include-etype-info-in-for-hardware-preauth-hints.patch
@ -71,7 +69,6 @@ Patch44: Refactor-KDC-krb5_pa_data-utility-functions.patch
Patch45: Simplify-kdc_preauth.c-systems-table.patch
Patch46: Add-PKINIT-client-support-for-freshness-token.patch
Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch
Patch48: Allow-validation-of-PACs-with-enterprise-names.patch
Patch49: Fix-read-overflow-in-KDC-sort_pa_data.patch
Patch50: Include-preauth-name-in-trace-output-if-possible.patch
Patch51: Report-extended-errors-in-kinit-k-t-KDB.patch
@ -86,15 +83,9 @@ Patch59: Use-k5_buf_init_dynamic_zap-where-appropriate.patch
Patch60: Add-SPAKE-preauth-support.patch
Patch61: Add-doc-index-entries-for-SPAKE-constants.patch
Patch62: Fix-SPAKE-memory-leak.patch
Patch63: Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch
Patch64: Zap-data-when-freeing-krb5_spake_factor.patch
Patch65: Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
Patch66: Save-SANs-separately-and-unparse-them-with-NO_REALM.patch
Patch67: Return-UPN-SANs-as-strings.patch
Patch68: Restrict-pre-authentication-fallback-cases.patch
Patch69: Merge-duplicate-subsections-in-profile-library.patch
Patch70: Fix-KDC-null-dereference-on-large-TGS-replies.patch
Patch73: Set-error-message-on-KCM-get_princ-failure.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -746,6 +737,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-1
- New upstream release - 1.16.1
* Thu May 03 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-27
- Fix configuration of default ccache name to match file indentation


@ -1,3 +1,3 @@
SHA512 (krb5-1.16-pdfs.tar) = d245aad2be70d7786c45331671ed04ebaa7e5a30f7fcf5da9baf74441723e8841a7bd4dbbd977a27c925d487591a98f03430c90c72aa17f859daa9bf6cd91410
SHA512 (krb5-1.16.tar.gz) = 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
SHA512 (krb5-1.16.tar.gz.asc) = a4b28b0877b7e1df28016cec7cd50569aa3bd539c366e7ef304e4824560f7c4cbf92ab0cd7d14328a0b578e982ff585c619a49378e59648b4259a33a799e6b2a
SHA512 (krb5-1.16.1-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46
SHA512 (krb5-1.16.1.tar.gz) = fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
SHA512 (krb5-1.16.1.tar.gz.asc) = 2d24fec31ca71ee93a1339ff4fa50a9397693deff2cc7097927617e04c2509fe7e671b58b982360cbdf80c0df066e03f289a2ecacdb270dc65d7abad1e6812de