New upstream release - 1.16.1
This commit is contained in:
parent
ab1e0477e9
commit
88ba66fe53
3
.gitignore
vendored
3
.gitignore
vendored
@ -163,3 +163,6 @@ krb5-1.8.3-pdf.tar.gz
|
||||
/krb5-1.16-pdfs.tar
|
||||
/krb5-1.16.tar.gz
|
||||
/krb5-1.16.tar.gz.asc
|
||||
/krb5-1.16.1-pdfs.tar
|
||||
/krb5-1.16.1.tar.gz
|
||||
/krb5-1.16.1.tar.gz.asc
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a675384ef4cc4b6d28cce20cbcef0d033206139a Mon Sep 17 00:00:00 2001
|
||||
From dd66546bde0bc868a9af2ac702c7466e7494b33b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 13 Jun 2015 16:04:53 -0400
|
||||
Subject: [PATCH] Add ASN.1 encoders and decoders for SPAKE types
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4ddfba7c9c12056f9f5819648f20f68e5625dced Mon Sep 17 00:00:00 2001
|
||||
From 9f69b78a93de5ae396eb96d2957f36f8b9dc7458 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 12 Mar 2018 11:31:46 -0400
|
||||
Subject: [PATCH] Add PKINIT KDC support for freshness token
|
||||
@ -377,10 +377,10 @@ index 6f34dc289..80b130222 100644
|
||||
if (state->pa_data == NULL) {
|
||||
krb5_klog_syslog(LOG_INFO,
|
||||
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
|
||||
index 18649b8ad..a63af2503 100644
|
||||
index 198eab9c4..1885c9f80 100644
|
||||
--- a/src/kdc/kdc_util.h
|
||||
+++ b/src/kdc/kdc_util.h
|
||||
@@ -427,11 +427,13 @@ struct krb5_kdcpreauth_rock_st {
|
||||
@@ -426,11 +426,13 @@ struct krb5_kdcpreauth_rock_st {
|
||||
krb5_kdc_req *request;
|
||||
krb5_data *inner_body;
|
||||
krb5_db_entry *client;
|
||||
@ -415,7 +415,7 @@ index 8489a3e23..fe2ec0d31 100644
|
||||
int dh_min_bits; /* minimum DH modulus size allowed */
|
||||
} pkinit_plg_opts;
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
index 4e9685885..bbfde34b2 100644
|
||||
index 8aa4d8b49..76ad5bf19 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -161,6 +161,10 @@ pkinit_server_get_edata(krb5_context context,
|
||||
@ -429,7 +429,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
(*respond)(arg, retval, NULL);
|
||||
}
|
||||
|
||||
@@ -396,6 +400,31 @@ cleanup:
|
||||
@@ -403,6 +407,31 @@ cleanup:
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -461,7 +461,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
static void
|
||||
pkinit_server_verify_padata(krb5_context context,
|
||||
krb5_data *req_pkt,
|
||||
@@ -418,10 +447,11 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
@@ -425,10 +454,11 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
pkinit_kdc_req_context reqctx = NULL;
|
||||
krb5_checksum cksum = {0, 0, 0, NULL};
|
||||
krb5_data *der_req = NULL;
|
||||
@ -474,7 +474,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
char **sp;
|
||||
|
||||
pkiDebug("pkinit_verify_padata: entered!\n");
|
||||
@@ -592,6 +622,14 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
@@ -599,6 +629,14 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -489,7 +489,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
/* check if kdcPkId present and match KDC's subjectIdentifier */
|
||||
if (reqp->kdcPkId.data != NULL) {
|
||||
int valid_kdcPkId = 0;
|
||||
@@ -634,6 +672,13 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
@@ -641,6 +679,13 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
break;
|
||||
}
|
||||
|
||||
@ -503,7 +503,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
if (is_signed && plgctx->auth_indicators != NULL) {
|
||||
/* Assert configured authentication indicators. */
|
||||
for (sp = plgctx->auth_indicators; *sp != NULL; sp++) {
|
||||
@@ -1323,6 +1368,10 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
|
||||
@@ -1330,6 +1375,10 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
|
||||
KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
|
||||
0, &plgctx->opts->require_crl_checking);
|
||||
|
||||
@ -515,7 +515,7 @@ index 4e9685885..bbfde34b2 100644
|
||||
KRB5_CONF_PKINIT_EKU_CHECKING,
|
||||
&eku_string);
|
||||
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
||||
index b790a7cda..3030322e1 100755
|
||||
index 86fe661a0..5bc60cb1e 100755
|
||||
--- a/src/tests/t_pkinit.py
|
||||
+++ b/src/tests/t_pkinit.py
|
||||
@@ -39,6 +39,8 @@ pkinit_kdc_conf = {'realms': {'$realm': {
|
||||
@ -620,7 +620,7 @@ index b790a7cda..3030322e1 100755
|
||||
realm.kinit(realm.user_princ,
|
||||
flags=['-X', 'X509_user_identity=%s' % p12_identity])
|
||||
realm.klist(realm.user_princ)
|
||||
@@ -350,8 +376,6 @@ conf = open(softpkcs11rc, 'w')
|
||||
@@ -357,8 +383,6 @@ conf = open(softpkcs11rc, 'w')
|
||||
conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem))
|
||||
conf.close()
|
||||
# Expect to succeed without having to supply any more information.
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7eb2df66aef8e2b58ec7dfa13e9ee19f5e3b5b34 Mon Sep 17 00:00:00 2001
|
||||
From 0bc035db40c5badae3cc00f452560785a0cb0a44 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 31 Jan 2017 17:02:34 -0500
|
||||
Subject: [PATCH] Add PKINIT client support for freshness token
|
||||
@ -275,7 +275,7 @@ index 2f88545da..d5858c424 100644
|
||||
free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
|
||||
if ((*in)->supportedKDFs) {
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
index d4eb39d88..67e0caeb4 100644
|
||||
index 2d95da94a..7f95206c0 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
@@ -41,6 +41,8 @@
|
||||
|
@ -1,4 +1,4 @@
|
||||
From bcc764eca6c92210716d1d6db59bfe112522a95d Mon Sep 17 00:00:00 2001
|
||||
From b054d1d29e676600abd6fdd7a67a283c3c011f95 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 25 Sep 2015 17:47:35 -0400
|
||||
Subject: [PATCH] Add SPAKE preauth support
|
||||
@ -106,7 +106,7 @@ ticket: 8647 (new)
|
||||
create mode 100644 src/tests/t_spake.py
|
||||
|
||||
diff --git a/NOTICE b/NOTICE
|
||||
index 1db2420a7..9dc1148b1 100644
|
||||
index 1f2ce6493..cb6ab462b 100644
|
||||
--- a/NOTICE
|
||||
+++ b/NOTICE
|
||||
@@ -1316,3 +1316,54 @@ The following notice applies to
|
||||
@ -219,10 +219,10 @@ index 1ac1a37c2..f8cf1be7c 100644
|
||||
(List of *key*:*salt* strings.) Specifies the default key/salt
|
||||
combinations of principals for this realm. Any principals created
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 4ed9832c7..8cfe5f458 100644
|
||||
index 3d33dba40..2574e5c26 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -365,6 +365,21 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -367,6 +367,21 @@ The libdefaults section may contain any of the following relations:
|
||||
with the session key type. See the **kdc_req_checksum_type**
|
||||
configuration option for the possible values and their meanings.
|
||||
|
||||
@ -354,7 +354,7 @@ index 640955c90..e32365daa 100644
|
||||
+For other cookies, there must be exactly one second-factor record
|
||||
+corresponding to the factor type chosen by the client.
|
||||
diff --git a/doc/notice.rst b/doc/notice.rst
|
||||
index 26011550b..cacfd659a 100644
|
||||
index a32e55529..8f6b68638 100644
|
||||
--- a/doc/notice.rst
|
||||
+++ b/doc/notice.rst
|
||||
@@ -1237,3 +1237,50 @@ The following notice applies to
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6410daacd3b14ca1b96889f3db5ea9c94bf58734 Mon Sep 17 00:00:00 2001
|
||||
From 0ff94a373749e83fb9c2c5c6fa6d5788b2b63460 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 27 Mar 2018 00:49:43 -0400
|
||||
Subject: [PATCH] Add doc index entries for SPAKE constants
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 87e99d886fe8ea74521e73f8f0a8445353162526 Mon Sep 17 00:00:00 2001
|
||||
From f2402ea18c8587dab261cd724ef62fd7f6bcc8ec Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 4 Jan 2018 14:35:12 -0500
|
||||
Subject: [PATCH] Add k5_buf_add_vfmt to k5buf interface
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 443151a0690d3f11b38db54f650b320cb733535f Mon Sep 17 00:00:00 2001
|
||||
From c8992ad9dc0c7fc4d8bec3b9ecb129fe587d615e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 19 Feb 2018 00:51:44 -0500
|
||||
Subject: [PATCH] Add libkrb5support hex functions and tests
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 181d3a9e2d274b49a2830895a59ce1b22be4000a Mon Sep 17 00:00:00 2001
|
||||
From 5ed0331bd6bfd39b9c5ca40ec38d536221118998 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 3 Feb 2018 20:53:42 -0500
|
||||
Subject: [PATCH] Add vector support to k5_sha256()
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 8a2ceda87107973ec10fec532c095cf347ec050c Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Wed, 14 Mar 2018 01:19:17 +0200
|
||||
Subject: [PATCH] Allow validation of PACs with enterprise names
|
||||
|
||||
In k5_pac_validate_client(), if we are verifying against an enterprise
|
||||
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
|
||||
This scenario may arise in the response to an S4U2Self request for an
|
||||
enterprise principal, as the KDC does not appear to canonicalize the
|
||||
client principal requested in PA-FOR-USER.
|
||||
|
||||
[ghudson@mit.edu: rewrote commit message; adjusted style]
|
||||
|
||||
ticket: 8649 (new)
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf)
|
||||
---
|
||||
src/lib/krb5/krb/pac.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||
index 0eb19e6bb..c9b5de30a 100644
|
||||
--- a/src/lib/krb5/krb/pac.c
|
||||
+++ b/src/lib/krb5/krb/pac.c
|
||||
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
|
||||
krb5_ui_2 pac_princname_length;
|
||||
int64_t pac_nt_authtime;
|
||||
krb5_principal pac_principal;
|
||||
+ int flags;
|
||||
|
||||
ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
|
||||
&client_info);
|
||||
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
- ret = krb5_parse_name_flags(context, pac_princname,
|
||||
- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
|
||||
+ /* Parse the UTF-8 name as an enterprise principal if we are matching
|
||||
+ * against one; otherwise parse it as a regular principal with no realm. */
|
||||
+ flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
|
||||
+ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
|
||||
+ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
|
||||
+ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
|
||||
if (ret != 0) {
|
||||
free(pac_princname);
|
||||
return ret;
|
@ -1,4 +1,4 @@
|
||||
From 864f90dcc860997189679b980f52de41ef10a238 Mon Sep 17 00:00:00 2001
|
||||
From c98a6fc929b80dd8d221314e31903a9d5ee56295 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 31 Mar 2018 10:43:49 -0400
|
||||
Subject: [PATCH] Be more careful asking for AS key in SPAKE client
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 3001200ba4598aeb14511353a72dc746034280b1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 28 Mar 2018 18:27:06 +0200
|
||||
Subject: [PATCH] Continue after KRB5_CC_END in KCM cache iteration
|
||||
|
||||
The KCM server returns KRB5_CC_END in response to a GET_CACHE_BY_UUID
|
||||
request to indicate that the specified ccache uuid no longer exists.
|
||||
In krb5_ptcursor_next(), ignore this error and continue the iteration,
|
||||
as the Heimdal KCM client code does.
|
||||
|
||||
In addition to addressing the case where a third party deletes a cache
|
||||
between the GET_CACHE_UUID_LIST request and when we reach that uuid in
|
||||
the iteration, this change also fixes a bug in kdestroy -A where the
|
||||
caller deletes the primary cache and we later request it by uuid when
|
||||
iterating over the list.
|
||||
|
||||
[ghudson@mit.edu: rewrote commit message; edited comment]
|
||||
|
||||
ticket: 8658 (new)
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit 49087f5e6309f298f8898c35af6f4ade418ced60)
|
||||
---
|
||||
src/lib/krb5/ccache/cc_kcm.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
|
||||
index b621ed33b..0d38b1839 100644
|
||||
--- a/src/lib/krb5/ccache/cc_kcm.c
|
||||
+++ b/src/lib/krb5/ccache/cc_kcm.c
|
||||
@@ -966,6 +966,9 @@ kcm_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
|
||||
kcmreq_init(&req, KCM_OP_GET_CACHE_BY_UUID, NULL);
|
||||
k5_buf_add_len(&req.reqbuf, id, KCM_UUID_LEN);
|
||||
ret = kcmio_call(context, data->io, &req);
|
||||
+ /* Continue if the cache has been deleted. */
|
||||
+ if (ret == KRB5_CC_END)
|
||||
+ continue;
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
ret = kcmreq_get_name(&req, &name);
|
@ -1,4 +1,4 @@
|
||||
From a4576a5946d84e1a74093c4fc171a7fcb1f7ef59 Mon Sep 17 00:00:00 2001
|
||||
From cb8f31e6bbf72e207b428d52c2fd9ed719bbec4f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 14 Mar 2018 14:31:22 -0400
|
||||
Subject: [PATCH] Exit with status 0 from kadmind
|
||||
@ -19,10 +19,10 @@ code, which used a similar event model for signals.
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
|
||||
index 6c875901a..936955b89 100644
|
||||
index aac4d4ffd..0a28b2384 100644
|
||||
--- a/src/kadmin/server/ovsec_kadmd.c
|
||||
+++ b/src/kadmin/server/ovsec_kadmd.c
|
||||
@@ -560,5 +560,5 @@ main(int argc, char *argv[])
|
||||
@@ -559,5 +559,5 @@ main(int argc, char *argv[])
|
||||
|
||||
krb5_klog_close(context);
|
||||
krb5_free_context(context);
|
||||
|
@ -1,224 +0,0 @@
|
||||
From d3697aa9a653bc9aaf11f3c9e985ba544c23a9c3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 20 Apr 2018 16:16:02 -0400
|
||||
Subject: [PATCH] Fix KDC null dereference on large TGS replies
|
||||
|
||||
For TGS requests, dispatch() doesn't set state->active_realm, which
|
||||
leads to a NULL dereference in finish_dispatch() if the reply is too
|
||||
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
|
||||
the active realm was a global and was set when process_tgs_req()
|
||||
called setup_server_realm().
|
||||
|
||||
Move TGS decoding out of process_tgs_req() so that we can set
|
||||
state->active_realm before any errors requiring response. Add a test
|
||||
case.
|
||||
|
||||
[ghudson@mit.edu: edited commit message; added test case; reduced code
|
||||
duplication; removed server handle from process_tgs_req() parameters]
|
||||
|
||||
ticket: 8666
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)
|
||||
---
|
||||
src/kdc/Makefile.in | 1 +
|
||||
src/kdc/dispatch.c | 50 ++++++++++++++++++++++++-------------------
|
||||
src/kdc/do_tgs_req.c | 24 ++++++---------------
|
||||
src/kdc/kdc_util.h | 5 ++---
|
||||
src/kdc/t_bigreply.py | 19 ++++++++++++++++
|
||||
5 files changed, 56 insertions(+), 43 deletions(-)
|
||||
create mode 100644 src/kdc/t_bigreply.py
|
||||
|
||||
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
|
||||
index 61a3dbc6f..117a8f561 100644
|
||||
--- a/src/kdc/Makefile.in
|
||||
+++ b/src/kdc/Makefile.in
|
||||
@@ -85,6 +85,7 @@ check-cmocka: t_replay
|
||||
check-pytests:
|
||||
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS)
|
||||
|
||||
install:
|
||||
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
|
||||
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
|
||||
index 3867ff952..3ed5176a8 100644
|
||||
--- a/src/kdc/dispatch.c
|
||||
+++ b/src/kdc/dispatch.c
|
||||
@@ -124,7 +124,7 @@ dispatch(void *cb, const krb5_fulladdr *local_addr,
|
||||
verto_ctx *vctx, loop_respond_fn respond, void *arg)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
- krb5_kdc_req *as_req;
|
||||
+ krb5_kdc_req *req = NULL;
|
||||
krb5_data *response = NULL;
|
||||
struct dispatch_state *state;
|
||||
struct server_handle *handle = cb;
|
||||
@@ -176,29 +176,35 @@ dispatch(void *cb, const krb5_fulladdr *local_addr,
|
||||
|
||||
/* try TGS_REQ first; they are more common! */
|
||||
|
||||
- if (krb5_is_tgs_req(pkt)) {
|
||||
- retval = process_tgs_req(handle, pkt, remote_addr, &response);
|
||||
- } else if (krb5_is_as_req(pkt)) {
|
||||
- if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
|
||||
- /*
|
||||
- * setup_server_realm() sets up the global realm-specific data
|
||||
- * pointer.
|
||||
- * process_as_req frees the request if it is called
|
||||
- */
|
||||
- state->active_realm = setup_server_realm(handle, as_req->server);
|
||||
- if (state->active_realm != NULL) {
|
||||
- process_as_req(as_req, pkt, local_addr, remote_addr,
|
||||
- state->active_realm, vctx,
|
||||
- finish_dispatch_cache, state);
|
||||
- return;
|
||||
- } else {
|
||||
- retval = KRB5KDC_ERR_WRONG_REALM;
|
||||
- krb5_free_kdc_req(kdc_err_context, as_req);
|
||||
- }
|
||||
- }
|
||||
- } else
|
||||
+ if (krb5_is_tgs_req(pkt))
|
||||
+ retval = decode_krb5_tgs_req(pkt, &req);
|
||||
+ else if (krb5_is_as_req(pkt))
|
||||
+ retval = decode_krb5_as_req(pkt, &req);
|
||||
+ else
|
||||
retval = KRB5KRB_AP_ERR_MSG_TYPE;
|
||||
+ if (retval)
|
||||
+ goto done;
|
||||
|
||||
+ state->active_realm = setup_server_realm(handle, req->server);
|
||||
+ if (state->active_realm == NULL) {
|
||||
+ retval = KRB5KDC_ERR_WRONG_REALM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (krb5_is_tgs_req(pkt)) {
|
||||
+ /* process_tgs_req frees the request */
|
||||
+ retval = process_tgs_req(req, pkt, remote_addr, state->active_realm,
|
||||
+ &response);
|
||||
+ req = NULL;
|
||||
+ } else if (krb5_is_as_req(pkt)) {
|
||||
+ /* process_as_req frees the request and calls finish_dispatch_cache. */
|
||||
+ process_as_req(req, pkt, local_addr, remote_addr, state->active_realm,
|
||||
+ vctx, finish_dispatch_cache, state);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ krb5_free_kdc_req(kdc_err_context, req);
|
||||
finish_dispatch_cache(state, retval, response);
|
||||
}
|
||||
|
||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index cc5a69236..61051bafa 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -98,12 +98,12 @@ search_sprinc(kdc_realm_t *, krb5_kdc_req *, krb5_flags,
|
||||
|
||||
/*ARGSUSED*/
|
||||
krb5_error_code
|
||||
-process_tgs_req(struct server_handle *handle, krb5_data *pkt,
|
||||
- const krb5_fulladdr *from, krb5_data **response)
|
||||
+process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
||||
+ const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
|
||||
+ krb5_data **response)
|
||||
{
|
||||
krb5_keyblock * subkey = 0;
|
||||
krb5_keyblock *header_key = NULL;
|
||||
- krb5_kdc_req *request = 0;
|
||||
krb5_db_entry *server = NULL;
|
||||
krb5_db_entry *stkt_server = NULL;
|
||||
krb5_kdc_rep reply;
|
||||
@@ -136,7 +136,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
|
||||
krb5_pa_data *pa_tgs_req; /*points into request*/
|
||||
krb5_data scratch;
|
||||
krb5_pa_data **e_data = NULL;
|
||||
- kdc_realm_t *kdc_active_realm = NULL;
|
||||
krb5_audit_state *au_state = NULL;
|
||||
krb5_data **auth_indicators = NULL;
|
||||
|
||||
@@ -146,36 +145,25 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
|
||||
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
|
||||
session_key.contents = NULL;
|
||||
|
||||
- retval = decode_krb5_tgs_req(pkt, &request);
|
||||
- if (retval)
|
||||
- return retval;
|
||||
/* Save pointer to client-requested service principal, in case of
|
||||
* errors before a successful call to search_sprinc(). */
|
||||
sprinc = request->server;
|
||||
|
||||
if (request->msg_type != KRB5_TGS_REQ) {
|
||||
- krb5_free_kdc_req(handle->kdc_err_context, request);
|
||||
+ krb5_free_kdc_req(kdc_context, request);
|
||||
return KRB5_BADMSGTYPE;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * setup_server_realm() sets up the global realm-specific data pointer.
|
||||
- */
|
||||
- kdc_active_realm = setup_server_realm(handle, request->server);
|
||||
- if (kdc_active_realm == NULL) {
|
||||
- krb5_free_kdc_req(handle->kdc_err_context, request);
|
||||
- return KRB5KDC_ERR_WRONG_REALM;
|
||||
- }
|
||||
errcode = kdc_make_rstate(kdc_active_realm, &state);
|
||||
if (errcode !=0) {
|
||||
- krb5_free_kdc_req(handle->kdc_err_context, request);
|
||||
+ krb5_free_kdc_req(kdc_context, request);
|
||||
return errcode;
|
||||
}
|
||||
|
||||
/* Initialize audit state. */
|
||||
errcode = kau_init_kdc_req(kdc_context, request, from, &au_state);
|
||||
if (errcode) {
|
||||
- krb5_free_kdc_req(handle->kdc_err_context, request);
|
||||
+ krb5_free_kdc_req(kdc_context, request);
|
||||
return errcode;
|
||||
}
|
||||
/* Seed the audit trail with the request ID and basic information. */
|
||||
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
|
||||
index a63af2503..1885c9f80 100644
|
||||
--- a/src/kdc/kdc_util.h
|
||||
+++ b/src/kdc/kdc_util.h
|
||||
@@ -145,9 +145,8 @@ process_as_req (krb5_kdc_req *, krb5_data *,
|
||||
|
||||
/* do_tgs_req.c */
|
||||
krb5_error_code
|
||||
-process_tgs_req (struct server_handle *, krb5_data *,
|
||||
- const krb5_fulladdr *,
|
||||
- krb5_data ** );
|
||||
+process_tgs_req (krb5_kdc_req *, krb5_data *, const krb5_fulladdr *,
|
||||
+ kdc_realm_t *, krb5_data ** );
|
||||
/* dispatch.c */
|
||||
void
|
||||
dispatch (void *,
|
||||
diff --git a/src/kdc/t_bigreply.py b/src/kdc/t_bigreply.py
|
||||
new file mode 100644
|
||||
index 000000000..6bc9a8fe0
|
||||
--- /dev/null
|
||||
+++ b/src/kdc/t_bigreply.py
|
||||
@@ -0,0 +1,19 @@
|
||||
+#!/usr/bin/python
|
||||
+from k5test import *
|
||||
+
|
||||
+# Set the maximum UDP reply size very low, so that all replies go
|
||||
+# through the RESPONSE_TOO_BIG path.
|
||||
+kdc_conf = {'kdcdefaults': {'kdc_max_dgram_reply_size': '10'}}
|
||||
+realm = K5Realm(kdc_conf=kdc_conf, get_creds=False)
|
||||
+
|
||||
+msgs = ('Sending initial UDP request',
|
||||
+ 'Received answer',
|
||||
+ 'Request or response is too big for UDP; retrying with TCP',
|
||||
+ ' to KRBTEST.COM (tcp only)',
|
||||
+ 'Initiating TCP connection',
|
||||
+ 'Sending TCP request',
|
||||
+ 'Terminating TCP connection')
|
||||
+realm.kinit(realm.user_princ, password('user'), expected_trace=msgs)
|
||||
+realm.run([kvno, realm.host_princ], expected_trace=msgs)
|
||||
+
|
||||
+success('Large KDC replies')
|
@ -1,4 +1,4 @@
|
||||
From 9bfd14df2d6458dfef8d1a17af5247af21183e3d Mon Sep 17 00:00:00 2001
|
||||
From 3ea258c813de4c55a8979f019b716422b998e231 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 27 Mar 2018 10:36:05 -0400
|
||||
Subject: [PATCH] Fix SPAKE memory leak
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 5cdef749204eccf05ae5d7bad455d34899eb33da Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 3 Mar 2018 13:44:00 -0500
|
||||
Subject: [PATCH] Fix capaths "." values on client
|
||||
|
||||
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
|
||||
introduced k5_client_realm_path() for use on the client in place of
|
||||
krb5_walk_realm_tree(), but failed to handle the special case of a
|
||||
capaths "." value as is done in the latter function. Correct that
|
||||
omission and add a test case.
|
||||
|
||||
ticket: 8646 (new)
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit f8d0877f848563d07152a0ee191fe82846fdb8f1)
|
||||
---
|
||||
src/lib/krb5/krb/walk_rtree.c | 6 ++++++
|
||||
src/tests/t_crossrealm.py | 10 ++++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
|
||||
index 0566a55f1..f4e8e35f5 100644
|
||||
--- a/src/lib/krb5/krb/walk_rtree.c
|
||||
+++ b/src/lib/krb5/krb/walk_rtree.c
|
||||
@@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client,
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
+ /* A capaths value of "." means no intermediates. */
|
||||
+ if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') {
|
||||
+ profile_free_list(capvals);
|
||||
+ capvals = NULL;
|
||||
+ }
|
||||
+
|
||||
/* Count capaths (if any) and allocate space. Leave room for the client
|
||||
* realm, server realm, and terminator. */
|
||||
for (i = 0; capvals != NULL && capvals[i] != NULL; i++);
|
||||
diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
|
||||
index e7ddb0525..4d595dca6 100755
|
||||
--- a/src/tests/t_crossrealm.py
|
||||
+++ b/src/tests/t_crossrealm.py
|
||||
@@ -109,6 +109,16 @@ test_kvno(r1, r4.host_princ, 'KDC capaths')
|
||||
check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ))
|
||||
stop(r1, r2, r3, r4)
|
||||
|
||||
+# A capaths value of '.' should enforce direct cross-realm, with no
|
||||
+# intermediate.
|
||||
+capaths = {'capaths': {'A.X': {'B.X': '.'}}}
|
||||
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
|
||||
+ args=({'realm': 'A.X', 'krb5_conf': capaths},
|
||||
+ {'realm': 'X'}, {'realm': 'B.X'}))
|
||||
+r1.run([kvno, r3.host_princ], expected_code=1,
|
||||
+ expected_msg='Server krbtgt/B.X@A.X not found in Kerberos database')
|
||||
+stop(r1, r2, r3)
|
||||
+
|
||||
# Test transited error. The KDC for C does not recognize B as an
|
||||
# intermediate realm for A->C, so it refuses to issue a service
|
||||
# ticket.
|
@ -1,346 +0,0 @@
|
||||
From 27581397cd0d2f213c91bdf20ea9a6736f3e60dc Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 12 Jan 2018 11:43:01 -0500
|
||||
Subject: [PATCH] Fix flaws in LDAP DN checking
|
||||
|
||||
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
|
||||
module, and not used in disk or wire principal entries. Prevent
|
||||
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
|
||||
type number less than 256 and filtering out type numbers less than 256
|
||||
in kadm5_create_principal_3(). (We already filter out low type
|
||||
numbers in kadm5_modify_principal()).
|
||||
|
||||
In the LDAP KDB module, if containerdn and linkdn are both specified
|
||||
in a put_principal operation, check both linkdn and the computed
|
||||
standalone_principal_dn for container membership. To that end, factor
|
||||
out the checks into helper functions and call them on all applicable
|
||||
client-influenced DNs.
|
||||
|
||||
CVE-2018-5729:
|
||||
|
||||
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
|
||||
to add principals to an LDAP Kerberos database can cause a null
|
||||
dereference in kadmind, or circumvent a DN container check, by
|
||||
supplying tagged data intended to be internal to the database module.
|
||||
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
|
||||
null dereference.
|
||||
|
||||
CVE-2018-5730:
|
||||
|
||||
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
|
||||
to add principals to an LDAP Kerberos database can circumvent a DN
|
||||
containership check by supplying both a "linkdn" and "containerdn"
|
||||
database argument, or by supplying a DN string which is a left
|
||||
extension of a container DN string but is not hierarchically within
|
||||
the container DN.
|
||||
|
||||
ticket: 8643 (new)
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1)
|
||||
---
|
||||
src/lib/kadm5/srv/svr_principal.c | 7 +
|
||||
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +-
|
||||
.../kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 ++++++++++--------
|
||||
src/tests/t_kdb.py | 11 +
|
||||
4 files changed, 125 insertions(+), 95 deletions(-)
|
||||
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index 2420f2c2b..a59a65e8f 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
|
||||
return KADM5_BAD_MASK;
|
||||
if((mask & ~ALL_PRINC_MASK))
|
||||
return KADM5_BAD_MASK;
|
||||
+ if (mask & KADM5_TL_DATA) {
|
||||
+ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
|
||||
+ tl_data_tail = tl_data_tail->tl_data_next) {
|
||||
+ if (tl_data_tail->tl_data_type < 256)
|
||||
+ return KADM5_BAD_TL_TYPE;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Check to see if the principal exists
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
|
||||
index 535a1f309..8b8420faa 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
|
||||
@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
|
||||
#define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
|
||||
#define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
|
||||
|
||||
-#define KDB_TL_USER_INFO 0x7ffe
|
||||
+#define KDB_TL_USER_INFO 0xff
|
||||
|
||||
#define KDB_TL_PRINCTYPE 0x01
|
||||
#define KDB_TL_PRINCCOUNT 0x02
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
index 88a170495..b7c9212cb 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
@@ -651,6 +651,107 @@ cleanup:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static krb5_error_code
|
||||
+check_dn_in_container(krb5_context context, const char *dn,
|
||||
+ char *const *subtrees, unsigned int ntrees)
|
||||
+{
|
||||
+ unsigned int i;
|
||||
+ size_t dnlen = strlen(dn), stlen;
|
||||
+
|
||||
+ for (i = 0; i < ntrees; i++) {
|
||||
+ if (subtrees[i] == NULL || *subtrees[i] == '\0')
|
||||
+ return 0;
|
||||
+ stlen = strlen(subtrees[i]);
|
||||
+ if (dnlen >= stlen &&
|
||||
+ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
|
||||
+ (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
|
||||
+ return EINVAL;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+check_dn_exists(krb5_context context,
|
||||
+ krb5_ldap_server_handle *ldap_server_handle,
|
||||
+ const char *dn, krb5_boolean nonkrb_only)
|
||||
+{
|
||||
+ krb5_error_code st = 0, tempst;
|
||||
+ krb5_ldap_context *ldap_context = context->dal_handle->db_context;
|
||||
+ LDAP *ld = ldap_server_handle->ldap_handle;
|
||||
+ LDAPMessage *result = NULL, *ent;
|
||||
+ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
|
||||
+ char **values;
|
||||
+
|
||||
+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
|
||||
+ if (st != LDAP_SUCCESS)
|
||||
+ return set_ldap_error(context, st, OP_SEARCH);
|
||||
+
|
||||
+ ent = ldap_first_entry(ld, result);
|
||||
+ CHECK_NULL(ent);
|
||||
+
|
||||
+ values = ldap_get_values(ld, ent, "krbticketpolicyreference");
|
||||
+ if (values != NULL)
|
||||
+ ldap_value_free(values);
|
||||
+
|
||||
+ values = ldap_get_values(ld, ent, "krbprincipalname");
|
||||
+ if (values != NULL) {
|
||||
+ ldap_value_free(values);
|
||||
+ if (nonkrb_only) {
|
||||
+ st = EINVAL;
|
||||
+ k5_setmsg(context, st, _("ldap object is already kerberized"));
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+cleanup:
|
||||
+ ldap_msgfree(result);
|
||||
+ return st;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+validate_xargs(krb5_context context,
|
||||
+ krb5_ldap_server_handle *ldap_server_handle,
|
||||
+ const xargs_t *xargs, const char *standalone_dn,
|
||||
+ char *const *subtrees, unsigned int ntrees)
|
||||
+{
|
||||
+ krb5_error_code st;
|
||||
+
|
||||
+ if (xargs->dn != NULL) {
|
||||
+ /* The supplied dn must be within a realm container. */
|
||||
+ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
|
||||
+ if (st)
|
||||
+ return st;
|
||||
+ /* The supplied dn must exist without Kerberos attributes. */
|
||||
+ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
|
||||
+ if (st)
|
||||
+ return st;
|
||||
+ }
|
||||
+
|
||||
+ if (xargs->linkdn != NULL) {
|
||||
+ /* The supplied linkdn must be within a realm container. */
|
||||
+ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
|
||||
+ if (st)
|
||||
+ return st;
|
||||
+ /* The supplied linkdn must exist. */
|
||||
+ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
|
||||
+ FALSE);
|
||||
+ if (st)
|
||||
+ return st;
|
||||
+ }
|
||||
+
|
||||
+ if (xargs->containerdn != NULL && standalone_dn != NULL) {
|
||||
+ /* standalone_dn (likely composed using containerdn) must be within a
|
||||
+ * container. */
|
||||
+ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
|
||||
+ if (st)
|
||||
+ return st;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
krb5_error_code
|
||||
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
|
||||
char **db_args)
|
||||
@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
|
||||
LDAPMessage *result=NULL, *ent=NULL;
|
||||
char **subtreelist = NULL;
|
||||
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
|
||||
- char **values=NULL, *strval[10]={NULL}, errbuf[1024];
|
||||
+ char *strval[10]={NULL}, errbuf[1024];
|
||||
char *filtuser=NULL;
|
||||
struct berval **bersecretkey=NULL;
|
||||
LDAPMod **mods=NULL;
|
||||
krb5_boolean create_standalone=FALSE;
|
||||
- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
|
||||
+ krb5_boolean establish_links=FALSE;
|
||||
char *standalone_principal_dn=NULL;
|
||||
krb5_tl_data *tl_data=NULL;
|
||||
krb5_key_data **keys=NULL;
|
||||
@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
|
||||
* any of the subtrees
|
||||
*/
|
||||
if (xargs.dn_from_kbd == TRUE) {
|
||||
- /* make sure the DN falls in the subtree */
|
||||
- int dnlen=0, subtreelen=0;
|
||||
- char *dn=NULL;
|
||||
- krb5_boolean outofsubtree=TRUE;
|
||||
-
|
||||
- if (xargs.dn != NULL) {
|
||||
- dn = xargs.dn;
|
||||
- } else if (xargs.linkdn != NULL) {
|
||||
- dn = xargs.linkdn;
|
||||
- } else if (standalone_principal_dn != NULL) {
|
||||
- /*
|
||||
- * Even though the standalone_principal_dn is constructed
|
||||
- * within this function, there is the containerdn input
|
||||
- * from the user that can become part of the it.
|
||||
- */
|
||||
- dn = standalone_principal_dn;
|
||||
- }
|
||||
-
|
||||
/* Get the current subtree list if we haven't already done so. */
|
||||
if (subtreelist == NULL) {
|
||||
st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
|
||||
@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- for (tre=0; tre<ntrees; ++tre) {
|
||||
- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
|
||||
- outofsubtree = FALSE;
|
||||
- break;
|
||||
- } else {
|
||||
- dnlen = strlen (dn);
|
||||
- subtreelen = strlen(subtreelist[tre]);
|
||||
- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
|
||||
- outofsubtree = FALSE;
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (outofsubtree == TRUE) {
|
||||
- st = EINVAL;
|
||||
- k5_setmsg(context, st, _("DN is out of the realm subtree"));
|
||||
+ st = validate_xargs(context, ldap_server_handle, &xargs,
|
||||
+ standalone_principal_dn, subtreelist, ntrees);
|
||||
+ if (st)
|
||||
goto cleanup;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * dn value will be set either by dn, linkdn or the standalone_principal_dn
|
||||
- * In the first 2 cases, the dn should be existing and in the last case we
|
||||
- * are supposed to create the ldap object. so the below should not be
|
||||
- * executed for the last case.
|
||||
- */
|
||||
-
|
||||
- if (standalone_principal_dn == NULL) {
|
||||
- /*
|
||||
- * If the ldap object is missing, this results in an error.
|
||||
- */
|
||||
-
|
||||
- /*
|
||||
- * Search for krbprincipalname attribute here.
|
||||
- * This is to find if a kerberos identity is already present
|
||||
- * on the ldap object, in which case adding a kerberos identity
|
||||
- * on the ldap object should result in an error.
|
||||
- */
|
||||
- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
|
||||
-
|
||||
- ldap_msgfree(result);
|
||||
- result = NULL;
|
||||
- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
|
||||
- if (st == LDAP_SUCCESS) {
|
||||
- ent = ldap_first_entry(ld, result);
|
||||
- if (ent != NULL) {
|
||||
- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
|
||||
- ldap_value_free(values);
|
||||
- }
|
||||
-
|
||||
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
|
||||
- krb_identity_exists = TRUE;
|
||||
- ldap_value_free(values);
|
||||
- }
|
||||
- }
|
||||
- } else {
|
||||
- st = set_ldap_error(context, st, OP_SEARCH);
|
||||
- goto cleanup;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * If xargs.dn is set then the request is to add a
|
||||
- * kerberos principal on a ldap object, but if
|
||||
- * there is one already on the ldap object this
|
||||
- * should result in an error.
|
||||
- */
|
||||
-
|
||||
- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
|
||||
- st = EINVAL;
|
||||
- snprintf(errbuf, sizeof(errbuf),
|
||||
- _("ldap object is already kerberized"));
|
||||
- k5_setmsg(context, st, "%s", errbuf);
|
||||
- goto cleanup;
|
||||
}
|
||||
|
||||
if (xargs.linkdn != NULL) {
|
||||
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
|
||||
index 217f2cdc3..6e563b103 100755
|
||||
--- a/src/tests/t_kdb.py
|
||||
+++ b/src/tests/t_kdb.py
|
||||
@@ -203,6 +203,12 @@ if out != 'KRBTEST.COM\n':
|
||||
# in the test LDAP server.
|
||||
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
|
||||
expected_code=1, expected_msg='DN is out of the realm subtree')
|
||||
+# Check that the DN container check is a hierarchy test, not a simple
|
||||
+# suffix match (CVE-2018-5730). We expect this operation to fail
|
||||
+# either way (because "xcn" isn't a valid DN tag) but the container
|
||||
+# check should happen before the DN is parsed.
|
||||
+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
|
||||
+ expected_code=1, expected_msg='DN is out of the realm subtree')
|
||||
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
|
||||
realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
|
||||
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
|
||||
@@ -226,6 +232,11 @@ realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
|
||||
'princ3'])
|
||||
realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
|
||||
expected_code=1, expected_msg='containerdn option not supported')
|
||||
+# Verify that containerdn is checked when linkdn is also supplied
|
||||
+# (CVE-2018-5730).
|
||||
+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
|
||||
+ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
|
||||
+ expected_msg='DN is out of the realm subtree')
|
||||
|
||||
# Create and modify a ticket policy.
|
||||
kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
|
@ -1,4 +1,4 @@
|
||||
From 46fada3b8a7ad21adf6831cf86c38a822a38748e Mon Sep 17 00:00:00 2001
|
||||
From 6b8f7371e49c3aa636871bb4e2ea2d2e86c743de Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 26 Jan 2018 11:47:50 -0500
|
||||
Subject: [PATCH] Fix hex conversion of PKINIT certid strings
|
||||
@ -17,10 +17,10 @@ ticket: 8636
|
||||
1 file changed, 44 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index ac107c2c1..4f21f90d2 100644
|
||||
index 2064eb7bd..eb2953fe1 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -4623,6 +4623,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
|
||||
@@ -4616,6 +4616,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -64,7 +64,7 @@ index ac107c2c1..4f21f90d2 100644
|
||||
static krb5_error_code
|
||||
pkinit_get_certs_pkcs11(krb5_context context,
|
||||
pkinit_plg_crypto_context plg_cryptoctx,
|
||||
@@ -4665,18 +4702,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
|
||||
@@ -4658,18 +4695,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
|
||||
}
|
||||
/* Convert the ascii cert_id string into a binary blob */
|
||||
if (idopts->cert_id_string != NULL) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 87cc924b8c127afb617cd110b1fbee57f809cd49 Mon Sep 17 00:00:00 2001
|
||||
From 20c25d4a2f78d8ab33d4879e1cf843e1fdb8a20b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 15 Mar 2018 20:27:30 -0400
|
||||
Subject: [PATCH] Fix read overflow in KDC sort_pa_data()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From afe1c26d08f0aead0d4ac49ad06715b1e8be7b6d Mon Sep 17 00:00:00 2001
|
||||
From 9c9ff189c16b16f848f2e85c1d262f12c6d5e922 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 3 Jan 2018 12:06:08 -0500
|
||||
Subject: [PATCH] Fix securid_sam2 preauth for non-default salt
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4656f809f0f50c3a0a82192f9436e3292a5fe82a Mon Sep 17 00:00:00 2001
|
||||
From e6945eee571b0ff776270dea52fb051b62aedabd Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 26 Mar 2018 11:12:39 -0400
|
||||
Subject: [PATCH] Implement k5_buf_init_dynamic_zap
|
||||
|
@ -1,4 +1,4 @@
|
||||
From be4a469216fb87408484b90be9a1da772ba923df Mon Sep 17 00:00:00 2001
|
||||
From 6f883193ddb63da0f29977e3b95a663321404546 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 3 Jan 2018 11:59:14 -0500
|
||||
Subject: [PATCH] Include etype-info in for hardware preauth hints
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 44fe6e4df092e3bc7673449ccd7c70b6f0a4ccbf Mon Sep 17 00:00:00 2001
|
||||
From 265d00ef6bb5469b2464d7813af8c37581338385 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 15 Mar 2018 14:37:28 -0400
|
||||
Subject: [PATCH] Include preauth name in trace output if possible
|
||||
@ -183,7 +183,7 @@ index 779f184cb..10b4f0c14 100644
|
||||
etype = va_arg(ap, krb5_enctype);
|
||||
if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0)
|
||||
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
||||
index 3030322e1..1ba3536da 100755
|
||||
index 5bc60cb1e..0e964c689 100755
|
||||
--- a/src/tests/t_pkinit.py
|
||||
+++ b/src/tests/t_pkinit.py
|
||||
@@ -164,18 +164,19 @@ realm.stop_kdc()
|
||||
|
@ -1,122 +0,0 @@
|
||||
From 77ece30d3df5b119a74f7fe9e2c0a4c693194917 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 10 Apr 2018 15:55:41 -0400
|
||||
Subject: [PATCH] Merge duplicate subsections in profile library
|
||||
|
||||
Modify profile_add_node() to return the existing node, rather than
|
||||
making a new one, when adding subsection configuration.
|
||||
|
||||
This fixes an issue where the first instance of a subsection will hide
|
||||
the second instance entirely. In particular, it was previously
|
||||
impossible to split realm-specific configuration across multiple
|
||||
config files.
|
||||
|
||||
[ghudson@mit.edu: adjusted style, added test case]
|
||||
|
||||
ticket: 7863
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit efab9fa5a6d23c486467264e20b58bf5a9c60f0c)
|
||||
---
|
||||
src/util/profile/prof_test1 | 22 ++++++++++++++++++++++
|
||||
src/util/profile/prof_tree.c | 15 +++++++++++----
|
||||
src/util/profile/test.ini | 6 ++++++
|
||||
3 files changed, 39 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/util/profile/prof_test1 b/src/util/profile/prof_test1
|
||||
index 7e30fc12f..7d13c9389 100644
|
||||
--- a/src/util/profile/prof_test1
|
||||
+++ b/src/util/profile/prof_test1
|
||||
@@ -341,6 +341,27 @@ proc test9 {} {
|
||||
puts "OK: test9: profile_flush_to_file with no changes"
|
||||
}
|
||||
|
||||
+proc test10 {} {
|
||||
+ global wd verbose
|
||||
+
|
||||
+ # Regression test for #7863: multiply-specified subsections should
|
||||
+ # be merged.
|
||||
+ set p [profile_init_path $wd/test2.ini]
|
||||
+ set x [profile_get_values $p {{test section 2} child_section2 child}]
|
||||
+ if $verbose { puts "Read $x from profile" }
|
||||
+ if ![string equal $x "slick harry {john\tb } ron"] {
|
||||
+ puts stderr "Error: test10: Did not get expected merged children."
|
||||
+ exit 1
|
||||
+ }
|
||||
+
|
||||
+ set x [profile_get_string $p {test section 2} child_section2 chores]
|
||||
+ if $verbose { puts "Read $x from profile" }
|
||||
+ if ![string equal $x "cleaning"] {
|
||||
+ puts stderr "Error: test10: Did not find expected chores."
|
||||
+ exit 1
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
test1
|
||||
test2
|
||||
test3
|
||||
@@ -350,5 +371,6 @@ test6
|
||||
test7
|
||||
test8
|
||||
test9
|
||||
+test10
|
||||
|
||||
exit 0
|
||||
diff --git a/src/util/profile/prof_tree.c b/src/util/profile/prof_tree.c
|
||||
index 081f688e4..38aadc4e5 100644
|
||||
--- a/src/util/profile/prof_tree.c
|
||||
+++ b/src/util/profile/prof_tree.c
|
||||
@@ -9,7 +9,7 @@
|
||||
*
|
||||
* Each node may represent either a relation or a section header.
|
||||
*
|
||||
- * A section header must have its value field set to 0, and may a one
|
||||
+ * A section header must have its value field be null, and may have one
|
||||
* or more child nodes, pointed to by first_child.
|
||||
*
|
||||
* A relation has as its value a pointer to allocated memory
|
||||
@@ -159,15 +159,22 @@ errcode_t profile_add_node(struct profile_node *section, const char *name,
|
||||
return PROF_ADD_NOT_SECTION;
|
||||
|
||||
/*
|
||||
- * Find the place to insert the new node. We look for the
|
||||
- * place *after* the last match of the node name, since
|
||||
+ * Find the place to insert the new node. If we are adding a subsection
|
||||
+ * and already have a subsection with that name, merge them. Otherwise,
|
||||
+ * we look for the place *after* the last match of the node name, since
|
||||
* order matters.
|
||||
*/
|
||||
for (p=section->first_child, last = 0; p; last = p, p = p->next) {
|
||||
int cmp;
|
||||
cmp = strcmp(p->name, name);
|
||||
- if (cmp > 0)
|
||||
+ if (cmp > 0) {
|
||||
break;
|
||||
+ } else if (value == NULL && cmp == 0 &&
|
||||
+ p->value == NULL && p->deleted != 1) {
|
||||
+ /* Found duplicate subsection, so don't make a new one. */
|
||||
+ *ret_node = p;
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
retval = profile_create_node(name, value, &new);
|
||||
if (retval)
|
||||
diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini
|
||||
index 23ca89677..6622df108 100644
|
||||
--- a/src/util/profile/test.ini
|
||||
+++ b/src/util/profile/test.ini
|
||||
@@ -10,6 +10,12 @@ this is a comment. Everything up to the first square brace is ignored.
|
||||
}
|
||||
child_section2 = foo
|
||||
|
||||
+[test section 2]
|
||||
+ child_section2 = {
|
||||
+ child = ron
|
||||
+ chores = cleaning
|
||||
+ }
|
||||
+
|
||||
[realms]
|
||||
ATHENA.MIT.EDU = {
|
||||
server = KERBEROS.MIT.EDU:88
|
@ -1,4 +1,4 @@
|
||||
From b0fb55f284f543e1e3752512df1f581e77d486ca Mon Sep 17 00:00:00 2001
|
||||
From 56521276ff20bc05a61c6f070cb4dcab730ff6d6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 26 Mar 2018 10:54:29 -0400
|
||||
Subject: [PATCH] Move zap() definition to k5-platform.h
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c7c44bbd80beabe7fb21f5fb6cfb9b57faa320f4 Mon Sep 17 00:00:00 2001
|
||||
From 88abb837d8a9ff12b71a848efbeaa9b9a009cc1f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 29 Jan 2018 12:10:53 +0100
|
||||
Subject: [PATCH] Process included directories in alphabetical order
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 61e3f0142b09cb230be3a2a110f5224e773f1281 Mon Sep 17 00:00:00 2001
|
||||
From 276ecd7ba513ce0bfe5e51d6368e00476041a5b4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 21 Dec 2017 11:28:52 -0500
|
||||
Subject: [PATCH] Refactor KDC krb5_pa_data utility functions
|
||||
@ -373,10 +373,10 @@ index 754570c01..13111215d 100644
|
||||
}
|
||||
|
||||
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
|
||||
index f99efcf50..18649b8ad 100644
|
||||
index c57d48f73..198eab9c4 100644
|
||||
--- a/src/kdc/kdc_util.h
|
||||
+++ b/src/kdc/kdc_util.h
|
||||
@@ -203,10 +203,10 @@ void
|
||||
@@ -202,10 +202,10 @@ void
|
||||
free_padata_context(krb5_context context, void *padata_context);
|
||||
|
||||
krb5_error_code
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b3b5cf3d57ac2889aeab82a79a6ea967c1412eb6 Mon Sep 17 00:00:00 2001
|
||||
From 177cb167cfc151a1f58fb3e771cd29d0598f462f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 17 Mar 2018 22:47:34 -0400
|
||||
Subject: [PATCH] Report extended errors in kinit -k -t KDB:
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4a13b97ffba771de4b45b1ed309934cc840569d1 Mon Sep 17 00:00:00 2001
|
||||
From 1e423ec03dbd65845a4aeb8999d130d3d6a0cdd7 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 5 Apr 2018 16:23:34 -0400
|
||||
Subject: [PATCH] Restrict pre-authentication fallback cases
|
||||
|
@ -1,204 +0,0 @@
|
||||
From 06d48c8d04a5efb098b026a1ec1c1609a5491ab0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Mar 2018 20:07:17 -0400
|
||||
Subject: [PATCH] Return UPN SANs as strings
|
||||
|
||||
(cherry picked from commit fd3c824e3be56a1fa77d140fd7e93934bfd6e565)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +--
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 28 +++++++------------
|
||||
src/plugins/preauth/pkinit/pkinit_matching.c | 16 ++---------
|
||||
src/plugins/preauth/pkinit/pkinit_srv.c | 21 +++++++++-----
|
||||
4 files changed, 29 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
index c7ff29fb2..4e4752ff7 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
@@ -98,7 +98,7 @@ typedef struct _pkinit_cert_matching_data {
|
||||
unsigned int ku_bits; /* key usage information */
|
||||
unsigned int eku_bits; /* extended key usage information */
|
||||
krb5_principal *sans; /* Null-terminated array of PKINIT SANs */
|
||||
- krb5_principal *upns; /* Null-terimnated array of UPN SANs */
|
||||
+ char **upns; /* Null-terimnated array of UPN SANs */
|
||||
} pkinit_cert_matching_data;
|
||||
|
||||
/*
|
||||
@@ -250,7 +250,7 @@ krb5_error_code crypto_retrieve_cert_sans
|
||||
if non-NULL, a null-terminated array of
|
||||
id-pkinit-san values found in the certificate
|
||||
are returned */
|
||||
- krb5_principal **upn_sans, /* OUT
|
||||
+ char ***upn_sans, /* OUT
|
||||
if non-NULL, a null-terminated array of
|
||||
id-ms-upn-san values found in the certificate
|
||||
are returned */
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index bc6de7ae8..b5a549c2c 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -29,6 +29,7 @@
|
||||
* SUCH DAMAGES.
|
||||
*/
|
||||
|
||||
+#include "k5-int.h"
|
||||
#include "pkinit_crypto_openssl.h"
|
||||
#include "k5-buf.h"
|
||||
#include <dlfcn.h>
|
||||
@@ -2083,15 +2084,14 @@ crypto_retrieve_X509_sans(krb5_context context,
|
||||
pkinit_plg_crypto_context plgctx,
|
||||
pkinit_req_crypto_context reqctx,
|
||||
X509 *cert,
|
||||
- krb5_principal **princs_ret,
|
||||
- krb5_principal **upn_ret,
|
||||
+ krb5_principal **princs_ret, char ***upn_ret,
|
||||
unsigned char ***dns_ret)
|
||||
{
|
||||
krb5_error_code retval = EINVAL;
|
||||
char buf[DN_BUF_LEN];
|
||||
int p = 0, u = 0, d = 0, ret = 0, l;
|
||||
krb5_principal *princs = NULL;
|
||||
- krb5_principal *upns = NULL;
|
||||
+ char **upns = NULL;
|
||||
unsigned char **dnss = NULL;
|
||||
unsigned int i, num_found = 0, num_sans = 0;
|
||||
X509_EXTENSION *ext = NULL;
|
||||
@@ -2141,7 +2141,7 @@ crypto_retrieve_X509_sans(krb5_context context,
|
||||
}
|
||||
}
|
||||
if (upn_ret != NULL) {
|
||||
- upns = calloc(num_sans + 1, sizeof(krb5_principal));
|
||||
+ upns = calloc(num_sans + 1, sizeof(*upns));
|
||||
if (upns == NULL) {
|
||||
retval = ENOMEM;
|
||||
goto cleanup;
|
||||
@@ -2184,16 +2184,9 @@ crypto_retrieve_X509_sans(krb5_context context,
|
||||
/* Prevent abuse of embedded null characters. */
|
||||
if (memchr(name.data, '\0', name.length))
|
||||
break;
|
||||
- ret = krb5_parse_name_flags(context, name.data,
|
||||
- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
|
||||
- &upns[u]);
|
||||
- if (ret) {
|
||||
- pkiDebug("%s: failed parsing ms-upn san value\n",
|
||||
- __FUNCTION__);
|
||||
- } else {
|
||||
- u++;
|
||||
- num_found++;
|
||||
- }
|
||||
+ upns[u] = k5memdup0(name.data, name.length, &ret);
|
||||
+ if (upns[u] == NULL)
|
||||
+ goto cleanup;
|
||||
} else {
|
||||
pkiDebug("%s: unrecognized othername oid in SAN\n",
|
||||
__FUNCTION__);
|
||||
@@ -2245,7 +2238,7 @@ cleanup:
|
||||
krb5_free_principal(context, princs[i]);
|
||||
free(princs);
|
||||
for (i = 0; upns != NULL && upns[i] != NULL; i++)
|
||||
- krb5_free_principal(context, upns[i]);
|
||||
+ free(upns[i]);
|
||||
free(upns);
|
||||
for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
|
||||
free(dnss[i]);
|
||||
@@ -2269,8 +2262,7 @@ crypto_retrieve_cert_sans(krb5_context context,
|
||||
pkinit_plg_crypto_context plgctx,
|
||||
pkinit_req_crypto_context reqctx,
|
||||
pkinit_identity_crypto_context idctx,
|
||||
- krb5_principal **princs_ret,
|
||||
- krb5_principal **upn_ret,
|
||||
+ krb5_principal **princs_ret, char ***upn_ret,
|
||||
unsigned char ***dns_ret)
|
||||
{
|
||||
krb5_error_code retval = EINVAL;
|
||||
@@ -5094,7 +5086,7 @@ crypto_cert_free_matching_data(krb5_context context,
|
||||
krb5_free_principal(context, md->sans[i]);
|
||||
free(md->sans);
|
||||
for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
|
||||
- krb5_free_principal(context, md->upns[i]);
|
||||
+ free(md->upns[i]);
|
||||
free(md->upns);
|
||||
free(md);
|
||||
}
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
index 37bd0251a..c2a4c084d 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
@@ -490,11 +490,7 @@ component_match(krb5_context context,
|
||||
break;
|
||||
}
|
||||
for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
|
||||
- krb5_unparse_name_flags(context, md->upns[i],
|
||||
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
||||
- &princ_string);
|
||||
- match = regexp_match(context, rc, princ_string);
|
||||
- krb5_free_unparsed_name(context, princ_string);
|
||||
+ match = regexp_match(context, rc, md->upns[i]);
|
||||
if (match)
|
||||
break;
|
||||
}
|
||||
@@ -584,14 +580,8 @@ check_all_certs(krb5_context context,
|
||||
pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
|
||||
krb5_free_unparsed_name(context, san_string);
|
||||
}
|
||||
- for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
|
||||
- char *san_string;
|
||||
- krb5_unparse_name_flags(context, md->upns[j],
|
||||
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
||||
- &san_string);
|
||||
- pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
|
||||
- krb5_free_unparsed_name(context, san_string);
|
||||
- }
|
||||
+ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++)
|
||||
+ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, md->upns[j]);
|
||||
#endif
|
||||
certs_checked++;
|
||||
for (rc = rs->crs; rc != NULL; rc = rc->next) {
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
index bbfde34b2..3cc573813 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -178,8 +178,9 @@ verify_client_san(krb5_context context,
|
||||
int *valid_san)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
- krb5_principal *princs = NULL;
|
||||
- krb5_principal *upns = NULL;
|
||||
+ krb5_principal *princs = NULL, upn;
|
||||
+ krb5_boolean match;
|
||||
+ char **upns = NULL;
|
||||
int i;
|
||||
#ifdef DEBUG_SAN_INFO
|
||||
char *client_string = NULL, *san_string;
|
||||
@@ -255,12 +256,18 @@ verify_client_san(krb5_context context,
|
||||
pkiDebug("%s: Checking upn sans\n", __FUNCTION__);
|
||||
for (i = 0; upns[i] != NULL; i++) {
|
||||
#ifdef DEBUG_SAN_INFO
|
||||
- krb5_unparse_name(context, upns[i], &san_string);
|
||||
pkiDebug("%s: Comparing client '%s' to upn san value '%s'\n",
|
||||
- __FUNCTION__, client_string, san_string);
|
||||
- krb5_free_unparsed_name(context, san_string);
|
||||
+ __FUNCTION__, client_string, upns[i]);
|
||||
#endif
|
||||
- if (cb->match_client(context, rock, upns[i])) {
|
||||
+ retval = krb5_parse_name_flags(context, upns[i],
|
||||
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &upn);
|
||||
+ if (retval) {
|
||||
+ /* XXX trace */
|
||||
+ continue;
|
||||
+ }
|
||||
+ match = cb->match_client(context, rock, upn);
|
||||
+ krb5_free_principal(context, upn);
|
||||
+ if (match) {
|
||||
TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
|
||||
*valid_san = 1;
|
||||
retval = 0;
|
||||
@@ -286,7 +293,7 @@ out:
|
||||
}
|
||||
if (upns != NULL) {
|
||||
for (i = 0; upns[i] != NULL; i++)
|
||||
- krb5_free_principal(context, upns[i]);
|
||||
+ free(upns[i]);
|
||||
free(upns);
|
||||
}
|
||||
#ifdef DEBUG_SAN_INFO
|
@ -1,148 +0,0 @@
|
||||
From 8924d4bbbf82a29f1d6bf524a416d6e44b694734 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Mar 2018 19:46:22 -0400
|
||||
Subject: [PATCH] Save SANs separately and unparse them with NO_REALM
|
||||
|
||||
(cherry picked from commit 23ea8d6a9617d17ae5a529c23174d77adac39055)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +-
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 37 ++-----------------
|
||||
src/plugins/preauth/pkinit/pkinit_matching.c | 30 +++++++++++----
|
||||
3 files changed, 28 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
index 2d3733bbc..c7ff29fb2 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
@@ -97,8 +97,8 @@ typedef struct _pkinit_cert_matching_data {
|
||||
char *issuer_dn; /* rfc2253-style issuer name string */
|
||||
unsigned int ku_bits; /* key usage information */
|
||||
unsigned int eku_bits; /* extended key usage information */
|
||||
- krb5_principal *sans; /* Null-terminated array of subject alternative
|
||||
- name info (pkinit and ms-upn) */
|
||||
+ krb5_principal *sans; /* Null-terminated array of PKINIT SANs */
|
||||
+ krb5_principal *upns; /* Null-terimnated array of UPN SANs */
|
||||
} pkinit_cert_matching_data;
|
||||
|
||||
/*
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 4f21f90d2..bc6de7ae8 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -5093,6 +5093,9 @@ crypto_cert_free_matching_data(krb5_context context,
|
||||
for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++)
|
||||
krb5_free_principal(context, md->sans[i]);
|
||||
free(md->sans);
|
||||
+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
|
||||
+ krb5_free_principal(context, md->upns[i]);
|
||||
+ free(md->upns);
|
||||
free(md);
|
||||
}
|
||||
|
||||
@@ -5121,8 +5124,6 @@ get_matching_data(krb5_context context,
|
||||
{
|
||||
krb5_error_code ret = ENOMEM;
|
||||
pkinit_cert_matching_data *md = NULL;
|
||||
- krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
|
||||
- size_t i, j;
|
||||
|
||||
*md_out = NULL;
|
||||
|
||||
@@ -5139,40 +5140,10 @@ get_matching_data(krb5_context context,
|
||||
|
||||
/* Get the SAN data. */
|
||||
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
|
||||
- cert, &pkinit_sans, &upn_sans, NULL);
|
||||
+ cert, &md->sans, &md->upns, NULL);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
- j = 0;
|
||||
- if (pkinit_sans != NULL) {
|
||||
- for (i = 0; pkinit_sans[i] != NULL; i++)
|
||||
- j++;
|
||||
- }
|
||||
- if (upn_sans != NULL) {
|
||||
- for (i = 0; upn_sans[i] != NULL; i++)
|
||||
- j++;
|
||||
- }
|
||||
- if (j != 0) {
|
||||
- md->sans = calloc((size_t)j+1, sizeof(*md->sans));
|
||||
- if (md->sans == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto cleanup;
|
||||
- }
|
||||
- j = 0;
|
||||
- if (pkinit_sans != NULL) {
|
||||
- for (i = 0; pkinit_sans[i] != NULL; i++)
|
||||
- md->sans[j++] = pkinit_sans[i];
|
||||
- free(pkinit_sans);
|
||||
- }
|
||||
- if (upn_sans != NULL) {
|
||||
- for (i = 0; upn_sans[i] != NULL; i++)
|
||||
- md->sans[j++] = upn_sans[i];
|
||||
- free(upn_sans);
|
||||
- }
|
||||
- md->sans[j] = NULL;
|
||||
- } else
|
||||
- md->sans = NULL;
|
||||
-
|
||||
/* Get the KU and EKU data. */
|
||||
ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx,
|
||||
req_cryptoctx, cert, &md->ku_bits,
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
index c1ce84b82..37bd0251a 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
|
||||
@@ -470,7 +470,6 @@ component_match(krb5_context context,
|
||||
{
|
||||
int match = 0;
|
||||
int i;
|
||||
- krb5_principal p;
|
||||
char *princ_string;
|
||||
|
||||
switch (rc->kwval_type) {
|
||||
@@ -483,10 +482,17 @@ component_match(krb5_context context,
|
||||
match = regexp_match(context, rc, md->issuer_dn);
|
||||
break;
|
||||
case kw_san:
|
||||
- if (md->sans == NULL)
|
||||
- break;
|
||||
- for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) {
|
||||
- krb5_unparse_name(context, p, &princ_string);
|
||||
+ for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) {
|
||||
+ krb5_unparse_name(context, md->sans[i], &princ_string);
|
||||
+ match = regexp_match(context, rc, princ_string);
|
||||
+ krb5_free_unparsed_name(context, princ_string);
|
||||
+ if (match)
|
||||
+ break;
|
||||
+ }
|
||||
+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
|
||||
+ krb5_unparse_name_flags(context, md->upns[i],
|
||||
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
||||
+ &princ_string);
|
||||
match = regexp_match(context, rc, princ_string);
|
||||
krb5_free_unparsed_name(context, princ_string);
|
||||
if (match)
|
||||
@@ -572,10 +578,18 @@ check_all_certs(krb5_context context,
|
||||
pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn);
|
||||
#if 0
|
||||
pkiDebug("%s: issuer: '%s'\n", __FUNCTION__, md->subject_dn);
|
||||
- for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) {
|
||||
+ for (j = 0; md->sans != NULL && md->sans[j] != NULL; j++) {
|
||||
char *san_string;
|
||||
- krb5_unparse_name(context, p, &san_string);
|
||||
- pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string);
|
||||
+ krb5_unparse_name(context, md->sans[j], &san_string);
|
||||
+ pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
|
||||
+ krb5_free_unparsed_name(context, san_string);
|
||||
+ }
|
||||
+ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
|
||||
+ char *san_string;
|
||||
+ krb5_unparse_name_flags(context, md->upns[j],
|
||||
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
||||
+ &san_string);
|
||||
+ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
|
||||
krb5_free_unparsed_name(context, san_string);
|
||||
}
|
||||
#endif
|
@ -1,42 +0,0 @@
|
||||
From f9c9d683852eb4881e099b3042d4c6e5e1444efc Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 27 Apr 2018 13:51:39 -0400
|
||||
Subject: [PATCH] Set error message on KCM get_princ failure
|
||||
|
||||
This matches the expected behavior from other ccache types. Most
|
||||
notably, the KEYRING equivalent was added in
|
||||
c25fc42e8eac7350209df61e4a7b9960d17755ca
|
||||
|
||||
ticket: 8675 (new)
|
||||
tags: pullup
|
||||
target_version: 1.16-next
|
||||
target_version: 1.15-next
|
||||
|
||||
(cherry picked from commit 58f60f3df7a625ccdcce23dfadd52dc335fd8da7)
|
||||
---
|
||||
src/lib/krb5/ccache/cc_kcm.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
|
||||
index 0d38b1839..a777f2710 100644
|
||||
--- a/src/lib/krb5/ccache/cc_kcm.c
|
||||
+++ b/src/lib/krb5/ccache/cc_kcm.c
|
||||
@@ -721,12 +721,18 @@ kcm_get_princ(krb5_context context, krb5_ccache cache,
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct kcmreq req;
|
||||
+ struct kcm_cache_data *data = cache->data;
|
||||
|
||||
kcmreq_init(&req, KCM_OP_GET_PRINCIPAL, cache);
|
||||
ret = cache_call(context, cache, &req, FALSE);
|
||||
/* Heimdal KCM can respond with code 0 and no principal. */
|
||||
if (!ret && req.reply.len == 0)
|
||||
ret = KRB5_FCC_NOFILE;
|
||||
+ if (ret == KRB5_FCC_NOFILE) {
|
||||
+ k5_setmsg(context, ret, _("Credentials cache 'KCM:%s' not found"),
|
||||
+ data->residual);
|
||||
+ }
|
||||
+
|
||||
if (!ret)
|
||||
ret = k5_unmarshal_princ(req.reply.ptr, req.reply.len, 4, princ_out);
|
||||
kcmreq_free(&req);
|
@ -1,4 +1,4 @@
|
||||
From 0afb9c336dd8573faa025915fcb97e643cc3e748 Mon Sep 17 00:00:00 2001
|
||||
From bd2f01d99b623be070c8bc8d660ca92c337147ae Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 11 Feb 2018 15:23:35 -0500
|
||||
Subject: [PATCH] Simplify kdc_preauth.c systems table
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 678c67ef21578fb269f2efc56ff46bbd0e6b482b Mon Sep 17 00:00:00 2001
|
||||
From 0c2324e3f88f5ba3dbe7c9053017549f13e1f995 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 26 Mar 2018 11:24:49 -0400
|
||||
Subject: [PATCH] Use k5_buf_init_dynamic_zap where appropriate
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4a33689d89144f9e473e8192241dcd2473c78bd7 Mon Sep 17 00:00:00 2001
|
||||
From c7677e91fb406c7ec55cb115155ed0d4c5943b72 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 19 Feb 2018 00:52:35 -0500
|
||||
Subject: [PATCH] Use libkrb5support hex functions where appropriate
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 19ed715d39bdf8415f69156d6cef19225cf6355a Mon Sep 17 00:00:00 2001
|
||||
From 6f02200464dd484641639f2cb38b775d34af4bcd Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 27 Mar 2018 15:42:28 -0400
|
||||
Subject: [PATCH] Zap data when freeing krb5_spake_factor
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5d7ff3b42a2f1a4f5f15ac7f2b8fff743c3f33fc Mon Sep 17 00:00:00 2001
|
||||
From fc2953ce9ce06ff896b1687e1c0cc9b8a4357d09 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:52:01 -0400
|
||||
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d29ad5a58999cb952cdb8ae876fe8b195a11a3e1 Mon Sep 17 00:00:00 2001
|
||||
From b0adf9a65d5c22a77cf957ceb1c298baff01555d Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:57 -0400
|
||||
Subject: [PATCH] krb5-1.11-run_user_0.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d2297aa0ca6006dae654f0f2a24ac8f7ead737f6 Mon Sep 17 00:00:00 2001
|
||||
From abb19d2d2eac5f9f6e4a1bf26f59f3a62143dab9 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:00 -0400
|
||||
Subject: [PATCH] krb5-1.12-api.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From bd1a0d1d4dba9f72bf8150d9aa8fdf70f738c4d7 Mon Sep 17 00:00:00 2001
|
||||
From 7f076496c7441cd108929aa05dbe009f34054bf5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:32:09 -0400
|
||||
Subject: [PATCH] krb5-1.12-ksu-path.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 812be10fc5f9f2d771fc38e6ba84f7d89a32f726 Mon Sep 17 00:00:00 2001
|
||||
From 01acbf3cbd60bd460e6ec6702589451d19c89933 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:33:53 -0400
|
||||
Subject: [PATCH] krb5-1.12-ktany.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f4bb886c93625c39d4ee788250385c55230a8442 Mon Sep 17 00:00:00 2001
|
||||
From 4cbb4325a86d1d71fa45d254221ec460c41b434d Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] krb5-1.12.1-pam.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 43fe2e2c880cc8281cb9c0ffbaff374eb4a075aa Mon Sep 17 00:00:00 2001
|
||||
From bd9a3cc0c53f6dc47a124eb6e8f698c7f1d3cd36 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:44 -0400
|
||||
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c1c44857896ab37ed59c6cab841f5f9a0ceba5d0 Mon Sep 17 00:00:00 2001
|
||||
From 162ba7fbce23d82719956de1b126e48fe676e9d1 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:45:26 -0400
|
||||
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2857105eb2e301164a1486d31907699d0073dc5f Mon Sep 17 00:00:00 2001
|
||||
From c79d3881fefb6108306eb56cff62de03897d4bbc Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] krb5-1.15.1-selinux-label.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From bf0db245d46aa0a43479a38bf0b4ec964ae642b7 Mon Sep 17 00:00:00 2001
|
||||
From 2338e73d8dced4f85d6b4f5a0f7df21033ac78c1 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:46:21 -0400
|
||||
Subject: [PATCH] krb5-1.3.1-dns.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6df2f0876e95a39d88f602abe992f26907e0136a Mon Sep 17 00:00:00 2001
|
||||
From 20bc1c9b1d37138d1a8538f9cef22108c8fabf4f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] krb5-1.9-debuginfo.patch
|
||||
|
16
krb5.spec
16
krb5.spec
@ -16,9 +16,9 @@
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.16
|
||||
Version: 1.16.1
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 27%{?dist}
|
||||
Release: 1%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -61,8 +61,6 @@ Patch34: krb5-1.9-debuginfo.patch
|
||||
Patch35: krb5-1.11-run_user_0.patch
|
||||
Patch36: krb5-1.11-kpasswdtest.patch
|
||||
Patch37: Process-included-directories-in-alphabetical-order.patch
|
||||
Patch38: Fix-flaws-in-LDAP-DN-checking.patch
|
||||
Patch39: Fix-capaths-.-values-on-client.patch
|
||||
Patch40: Fix-hex-conversion-of-PKINIT-certid-strings.patch
|
||||
Patch41: Exit-with-status-0-from-kadmind.patch
|
||||
Patch42: Include-etype-info-in-for-hardware-preauth-hints.patch
|
||||
@ -71,7 +69,6 @@ Patch44: Refactor-KDC-krb5_pa_data-utility-functions.patch
|
||||
Patch45: Simplify-kdc_preauth.c-systems-table.patch
|
||||
Patch46: Add-PKINIT-client-support-for-freshness-token.patch
|
||||
Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch
|
||||
Patch48: Allow-validation-of-PACs-with-enterprise-names.patch
|
||||
Patch49: Fix-read-overflow-in-KDC-sort_pa_data.patch
|
||||
Patch50: Include-preauth-name-in-trace-output-if-possible.patch
|
||||
Patch51: Report-extended-errors-in-kinit-k-t-KDB.patch
|
||||
@ -86,15 +83,9 @@ Patch59: Use-k5_buf_init_dynamic_zap-where-appropriate.patch
|
||||
Patch60: Add-SPAKE-preauth-support.patch
|
||||
Patch61: Add-doc-index-entries-for-SPAKE-constants.patch
|
||||
Patch62: Fix-SPAKE-memory-leak.patch
|
||||
Patch63: Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch
|
||||
Patch64: Zap-data-when-freeing-krb5_spake_factor.patch
|
||||
Patch65: Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
|
||||
Patch66: Save-SANs-separately-and-unparse-them-with-NO_REALM.patch
|
||||
Patch67: Return-UPN-SANs-as-strings.patch
|
||||
Patch68: Restrict-pre-authentication-fallback-cases.patch
|
||||
Patch69: Merge-duplicate-subsections-in-profile-library.patch
|
||||
Patch70: Fix-KDC-null-dereference-on-large-TGS-replies.patch
|
||||
Patch73: Set-error-message-on-KCM-get_princ-failure.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -746,6 +737,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-1
|
||||
- New upstream release - 1.16.1
|
||||
|
||||
* Thu May 03 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-27
|
||||
- Fix configuration of default ccache name to match file indentation
|
||||
|
||||
|
6
sources
6
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (krb5-1.16-pdfs.tar) = d245aad2be70d7786c45331671ed04ebaa7e5a30f7fcf5da9baf74441723e8841a7bd4dbbd977a27c925d487591a98f03430c90c72aa17f859daa9bf6cd91410
|
||||
SHA512 (krb5-1.16.tar.gz) = 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
|
||||
SHA512 (krb5-1.16.tar.gz.asc) = a4b28b0877b7e1df28016cec7cd50569aa3bd539c366e7ef304e4824560f7c4cbf92ab0cd7d14328a0b578e982ff585c619a49378e59648b4259a33a799e6b2a
|
||||
SHA512 (krb5-1.16.1-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46
|
||||
SHA512 (krb5-1.16.1.tar.gz) = fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
|
||||
SHA512 (krb5-1.16.1.tar.gz.asc) = 2d24fec31ca71ee93a1339ff4fa50a9397693deff2cc7097927617e04c2509fe7e671b58b982360cbdf80c0df066e03f289a2ecacdb270dc65d7abad1e6812de
|
||||
|