krb5 1.21.3-1
- New upstream version (1.21.3) - CVE-2024-37370 CVE-2024-37371 Fix vulnerabilities in GSS message token handling Resolves: RHEL-45387 RHEL-45378 - Fix memory leak in GSSAPI interface Resolves: RHEL-47284 - Fix memory leak in PMAP RPC interface Resolves: RHEL-47287 - Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC Resolves: RHEL-47285 - Make TCP waiting time configurable Resolves: RHEL-47278 - Do not include files with "~" termination in krb5-tests Resolves: RHEL-45995 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
2b58aeee72
commit
8c423dc9d5
2
.gitignore
vendored
2
.gitignore
vendored
@ -206,3 +206,5 @@
|
||||
/krb5-1.21.tar.gz.asc
|
||||
/krb5-1.21.2.tar.gz
|
||||
/krb5-1.21.2.tar.gz.asc
|
||||
/krb5-1.21.3.tar.gz
|
||||
/krb5-1.21.3.tar.gz.asc
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001
|
||||
From 6f7fd964539dfe4a885068f43a91db9738661870 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 16 Aug 2023 10:00:30 +0200
|
||||
Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes"
|
||||
Date: Tue, 9 Jul 2024 11:15:33 +0200
|
||||
Subject: [PATCH] [downstream] Revert "Don't issue session keys with
|
||||
deprecated enctypes"
|
||||
|
||||
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
|
||||
---
|
||||
@ -305,5 +306,5 @@ index 8e5f5ba8e9..2a86c5cdfc 100644
|
||||
'supported_enctypes': 'arcfour-hmac:normal',
|
||||
'master_key_type': 'arcfour-hmac'}}}),
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001
|
||||
From de4205c45e310ceaaa7cd7958af7293322fa43a6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] [downstream] ksu pam integration
|
||||
@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001
|
||||
From 30ff501e4b519396f5aea25e24919be817863e7c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] [downstream] SELinux integration
|
||||
@ -238,10 +238,10 @@ index 0000000000..dfaaa847cb
|
||||
+#endif
|
||||
+#endif
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index 9c76780181..dd6430ece8 100644
|
||||
index 4e09ed345d..09f800be52 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -87,6 +87,12 @@
|
||||
@@ -83,6 +83,12 @@
|
||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
#endif
|
||||
|
||||
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
|
||||
+
|
||||
+#endif /* USE_SELINUX */
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001
|
||||
From 393830d96000ed692aa9a99ef87187d6f2863931 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
||||
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
|
||||
install:
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001
|
||||
From 7d697742abb370cfc7241c1faa78ba08d7650f6a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||
Subject: [PATCH] [downstream] Remove 3des support
|
||||
@ -259,7 +259,7 @@ index 45fe160d7f..b4b1f3bd93 100644
|
||||
CKSUMTYPE_NIST_SHA.rst
|
||||
CKSUMTYPE_RSA_MD4.rst
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index cd76f5999f..1e1cfce80c 100644
|
||||
index ecf9020a72..db7fa377ef 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -281,7 +281,7 @@ else:
|
||||
@ -326,10 +326,10 @@ index 69be9030f8..2561e917a2 100644
|
||||
|
||||
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index dd6430ece8..350bcf86f2 100644
|
||||
index 09f800be52..c5a625db8f 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
||||
@@ -422,8 +422,8 @@ typedef struct _krb5_crypto_iov {
|
||||
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
|
||||
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
|
||||
#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */
|
||||
@ -340,7 +340,7 @@ index dd6430ece8..350bcf86f2 100644
|
||||
#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */
|
||||
/* PKINIT */
|
||||
#define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */
|
||||
@@ -436,9 +436,9 @@ typedef struct _krb5_crypto_iov {
|
||||
@@ -432,9 +432,9 @@ typedef struct _krb5_crypto_iov {
|
||||
#define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */
|
||||
#define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */
|
||||
#define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */
|
||||
@ -352,7 +352,7 @@ index dd6430ece8..350bcf86f2 100644
|
||||
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */
|
||||
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */
|
||||
#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */
|
||||
@@ -463,7 +463,7 @@ typedef struct _krb5_crypto_iov {
|
||||
@@ -459,7 +459,7 @@ typedef struct _krb5_crypto_iov {
|
||||
#define CKSUMTYPE_RSA_MD5 0x0007
|
||||
#define CKSUMTYPE_RSA_MD5_DES 0x0008
|
||||
#define CKSUMTYPE_NIST_SHA 0x0009
|
||||
@ -5491,10 +5491,10 @@ index 9b183bc337..f0cc4a6809 100644
|
||||
if (sealalg != 0xffff)
|
||||
xfree(plain);
|
||||
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
index 85a9574f36..3ce2a90ce9 100644
|
||||
index 21b501731e..6a6585d9af 100644
|
||||
--- a/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
@@ -102,28 +102,21 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
@@ -103,28 +103,21 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
}
|
||||
|
||||
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
|
||||
@ -5528,7 +5528,7 @@ index 85a9574f36..3ce2a90ce9 100644
|
||||
/* get the token parameters */
|
||||
code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
|
||||
&seqnum);
|
||||
@@ -181,16 +174,10 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
@@ -182,16 +175,10 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
|
||||
/* initialize the checksum */
|
||||
|
||||
@ -5548,7 +5548,7 @@ index 85a9574f36..3ce2a90ce9 100644
|
||||
|
||||
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
||||
if (code != 0) {
|
||||
@@ -209,18 +196,13 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
@@ -210,18 +197,13 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -5917,10 +5917,10 @@ index 7494d7fcdb..2f95d89967 100755
|
||||
# because the ticket session key and initiator subkey are
|
||||
# non-permitted. (This is unfortunate if the acceptor's restriction
|
||||
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
|
||||
index 9876a11e67..fb8fe55111 100644
|
||||
index 882e163634..8192935099 100644
|
||||
--- a/src/tests/gssapi/t_invalid.c
|
||||
+++ b/src/tests/gssapi/t_invalid.c
|
||||
@@ -84,18 +84,6 @@ struct test {
|
||||
@@ -94,18 +94,6 @@ struct test {
|
||||
size_t toklen;
|
||||
const char *token;
|
||||
} tests[] = {
|
||||
@ -6201,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
|
||||
<td>The AES Advanced Encryption Standard
|
||||
family, like 3DES, is a symmetric block cipher and was designed
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001
|
||||
From 7b6453903c248a761d3ceb538dfacebbf3d3a9ff Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||
@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
|
||||
vt->name = "spake";
|
||||
vt->pa_type_list = pa_types;
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001
|
||||
From 707fa7bd2be6327343dc8fc5c20dc77645524518 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 May 2022 17:15:12 +0200
|
||||
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
|
||||
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
|
||||
with FIPS
|
||||
|
||||
libkrad allows to establish connections only to UNIX socket in FIPS
|
||||
mode, because MD5 digest is not considered safe enough to be used for
|
||||
@ -77,5 +78,5 @@ index 929f1cef67..063f17a613 100644
|
||||
retval = ESOCKTNOSUPPORT;
|
||||
goto error;
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001
|
||||
From 1da88bea558348be2974470774aa688f8be634c0 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 7 Dec 2022 13:22:42 +0100
|
||||
Subject: [PATCH] [downstream] Make tests compatible with
|
||||
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
|
||||
fail('URI answers do not match')
|
||||
j += 1
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001
|
||||
From 775ed8588cc21385fb16a4cec4a861f0d578ce04 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
||||
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
||||
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
|
||||
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||
* concatenated fields (all integer fields are big-endian):
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001
|
||||
From 4fd20741afcf76085ea62eb015cd589bb9392a7b Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
||||
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
||||
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
|
||||
## ${prefix}.
|
||||
prefix=@prefix@
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001
|
||||
From 16f90c007036789d8d9343e8a0cbabfd21853b5a Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
||||
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
||||
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
|
||||
ret = KRB5_CRYPTO_INTERNAL;
|
||||
goto done;
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001
|
||||
From 23b58199db429603802e338db530677b61561335 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
||||
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
||||
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as
|
||||
optional
|
||||
|
||||
MS-PAC states that "The ticket signature SHOULD be included in tickets
|
||||
that are not encrypted to the krbtgt account". However, the
|
||||
@ -73,10 +74,10 @@ index 745b24f351..6075349e5e 100644
|
||||
#if !defined(_WIN32)
|
||||
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index 350bcf86f2..17e1b52266 100644
|
||||
index c5a625db8f..2d9b64dc85 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
@@ -8329,6 +8329,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
const krb5_keyblock *server,
|
||||
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
||||
|
||||
@ -258,7 +259,7 @@ index 4c50e935a2..d4b0455c8c 100644
|
||||
krb5_kt_client_default
|
||||
krb5_kt_close
|
||||
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||
index 461207021b..e8d78309cb 100644
|
||||
index 8413e70ccd..f68eb0569d 100644
|
||||
--- a/src/man/kadmin.man
|
||||
+++ b/src/man/kadmin.man
|
||||
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
|
||||
@ -275,5 +276,5 @@ index 461207021b..e8d78309cb 100644
|
||||
.sp
|
||||
This command requires the \fBmodify\fP privilege.
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001
|
||||
From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 23 May 2023 12:19:54 +0200
|
||||
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
||||
available in FIPS mode
|
||||
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature
|
||||
verification available in FIPS mode
|
||||
|
||||
We recommend using the SHA1 crypto-module in order to allow the
|
||||
verification of SHA-1 signature for CMS messages. However, this module
|
||||
@ -20,7 +20,7 @@ curve cryptography is implemented for PKINIT in MIT krb5.
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index f41328763e..263ef7845e 100644
|
||||
index cb9c79626c..17dd18e37d 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
|
||||
@ -43,5 +43,5 @@ index f41328763e..263ef7845e 100644
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001
|
||||
From c24c9faf859ddc04910a6bc591d8ddb2ada93e80 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 30 May 2023 01:21:48 -0400
|
||||
Subject: [PATCH] Enable PKINIT if at least one group is available
|
||||
@ -52,7 +52,7 @@ index 9fa315d7a0..8bdbea8e95 100644
|
||||
|
||||
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 263ef7845e..d646073d55 100644
|
||||
index 17dd18e37d..8cdc40bfb4 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -47,7 +47,8 @@
|
||||
@ -139,7 +139,7 @@ index 263ef7845e..d646073d55 100644
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
|
||||
@@ -2912,11 +2920,11 @@ client_create_dh(krb5_context context,
|
||||
|
||||
if (cryptoctx->received_params != NULL)
|
||||
params = cryptoctx->received_params;
|
||||
@ -154,7 +154,7 @@ index 263ef7845e..d646073d55 100644
|
||||
params = plg_cryptoctx->dh_4096;
|
||||
else
|
||||
goto cleanup;
|
||||
@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
||||
@@ -3212,19 +3220,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
||||
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
|
||||
krb5_algorithm_identifier *alglist[4];
|
||||
|
||||
@ -214,5 +214,5 @@ index 259e95c6c2..5ee39c085c 100644
|
||||
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
||||
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
||||
|
10685
0015-Eliminate-old-style-function-declarations.patch
Normal file
10685
0015-Eliminate-old-style-function-declarations.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001
|
||||
From abb95e961f4e6a5482220a64fba843a3adc171df Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 19 Jul 2023 13:43:17 +0200
|
||||
Subject: [PATCH] Replace ssl.wrap_socket() for tests
|
||||
@ -60,5 +60,5 @@ index 58759696b6..d1d10d733c 100755
|
||||
os.write(sys.stdout.fileno(), b'proxy server ready\n')
|
||||
server.serve_forever()
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f0414954d79283075d1f627dbb9fe6e4f43c1aae Mon Sep 17 00:00:00 2001
|
||||
From 0628ab09deb09b98c171316c0b9718914e18e9f4 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Thu, 13 Jul 2023 16:22:30 -0400
|
||||
Subject: [PATCH] Fix unimportant memory leaks
|
||||
@ -16,10 +16,10 @@ some unused ksu functions; rewrote commit message]
|
||||
src/appl/gss-sample/gss-client.c | 367 ++++++++----------
|
||||
src/appl/gss-sample/gss-server.c | 3 +-
|
||||
src/clients/klist/klist.c | 59 +--
|
||||
src/clients/ksu/authorization.c | 140 +++----
|
||||
src/clients/ksu/ccache.c | 289 +++++---------
|
||||
src/clients/ksu/authorization.c | 134 +++----
|
||||
src/clients/ksu/ccache.c | 283 +++++---------
|
||||
src/clients/ksu/heuristic.c | 128 +++---
|
||||
src/clients/ksu/krb_auth_su.c | 137 ++-----
|
||||
src/clients/ksu/krb_auth_su.c | 134 ++-----
|
||||
src/clients/ksu/ksu.h | 6 -
|
||||
src/clients/ksu/main.c | 3 +-
|
||||
src/kadmin/cli/keytab.c | 6 +-
|
||||
@ -32,10 +32,10 @@ some unused ksu functions; rewrote commit message]
|
||||
src/lib/krb5/ccache/ccfns.c | 12 +-
|
||||
src/lib/krb5/keytab/kt_file.c | 3 +-
|
||||
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 8 +-
|
||||
19 files changed, 520 insertions(+), 684 deletions(-)
|
||||
19 files changed, 517 insertions(+), 672 deletions(-)
|
||||
|
||||
diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
|
||||
index 6e2aa33690..cf94623d63 100644
|
||||
index 0722ae196f..2cfcfc6cc5 100644
|
||||
--- a/src/appl/gss-sample/gss-client.c
|
||||
+++ b/src/appl/gss-sample/gss-client.c
|
||||
@@ -182,180 +182,148 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags,
|
||||
@ -345,7 +345,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -449,11 +417,11 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -436,11 +404,11 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
{
|
||||
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
|
||||
gss_buffer_desc in_buf, out_buf;
|
||||
@ -360,7 +360,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
OM_uint32 lifetime;
|
||||
gss_OID mechanism, name_type;
|
||||
int is_local;
|
||||
@@ -467,14 +435,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -454,14 +422,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
|
||||
/* Open connection */
|
||||
if ((s = connect_to_server(host, port)) < 0)
|
||||
@ -377,7 +377,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
|
||||
if (auth_flag && verbose) {
|
||||
@@ -488,19 +455,19 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -475,19 +442,19 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
&is_local, &is_open);
|
||||
if (maj_stat != GSS_S_COMPLETE) {
|
||||
display_status("inquiring context", maj_stat, min_stat);
|
||||
@ -400,7 +400,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
|
||||
(int) sname.length, (char *) sname.value,
|
||||
@@ -509,15 +476,10 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -496,15 +463,10 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
(is_local) ? "locally initiated" : "remotely initiated",
|
||||
(is_open) ? "open" : "closed");
|
||||
|
||||
@ -417,7 +417,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
printf("Name type of source name is %.*s.\n",
|
||||
(int) oid_name.length, (char *) oid_name.value);
|
||||
@@ -528,13 +490,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -515,13 +477,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
mechanism, &mech_names);
|
||||
if (maj_stat != GSS_S_COMPLETE) {
|
||||
display_status("inquiring mech names", maj_stat, min_stat);
|
||||
@ -433,7 +433,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
printf("Mechanism %.*s supports %d names\n",
|
||||
(int) oid_name.length, (char *) oid_name.value,
|
||||
@@ -546,7 +508,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -533,7 +495,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
&mech_names->elements[i], &oid_name);
|
||||
if (maj_stat != GSS_S_COMPLETE) {
|
||||
display_status("converting oid->string", maj_stat, min_stat);
|
||||
@ -442,7 +442,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
printf(" %d: %.*s\n", (int) i,
|
||||
(int) oid_name.length, (char *) oid_name.value);
|
||||
@@ -571,10 +533,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -558,10 +520,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
&in_buf, &state, &out_buf);
|
||||
if (maj_stat != GSS_S_COMPLETE) {
|
||||
display_status("wrapping message", maj_stat, min_stat);
|
||||
@ -454,7 +454,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
} else if (encrypt_flag && !state) {
|
||||
fprintf(stderr, "Warning! Message not encrypted.\n");
|
||||
}
|
||||
@@ -588,22 +547,15 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -575,22 +534,15 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
(wrap_flag ? TOKEN_WRAPPED : 0) |
|
||||
(encrypt_flag ? TOKEN_ENCRYPTED : 0) |
|
||||
(mic_flag ? TOKEN_SEND_MIC : 0))),
|
||||
@ -482,7 +482,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
|
||||
if (mic_flag) {
|
||||
/* Verify signature block */
|
||||
@@ -611,10 +563,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -598,10 +550,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
&out_buf, &qop_state);
|
||||
if (maj_stat != GSS_S_COMPLETE) {
|
||||
display_status("verifying signature", maj_stat, min_stat);
|
||||
@ -494,7 +494,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
}
|
||||
|
||||
if (verbose)
|
||||
@@ -634,23 +583,17 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
|
||||
@@ -621,23 +570,17 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
|
||||
if (!v1_format)
|
||||
(void) send_token(s, TOKEN_NOOP, empty_token);
|
||||
|
||||
@ -529,7 +529,7 @@ index 6e2aa33690..cf94623d63 100644
|
||||
|
||||
static void
|
||||
diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
|
||||
index 9b6ce9ffb3..ce25df8b40 100644
|
||||
index 0e9c857e56..4ba864d9fb 100644
|
||||
--- a/src/appl/gss-sample/gss-server.c
|
||||
+++ b/src/appl/gss-sample/gss-server.c
|
||||
@@ -138,13 +138,12 @@ server_acquire_creds(char *service_name, gss_OID mech,
|
||||
@ -548,7 +548,7 @@ index 9b6ce9ffb3..ce25df8b40 100644
|
||||
}
|
||||
|
||||
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
|
||||
index dcdc5a2d59..43392d2337 100644
|
||||
index c797b1698f..b5ae96a843 100644
|
||||
--- a/src/clients/klist/klist.c
|
||||
+++ b/src/clients/klist/klist.c
|
||||
@@ -469,20 +469,21 @@ do_ccache()
|
||||
@ -667,7 +667,7 @@ index dcdc5a2d59..43392d2337 100644
|
||||
* current. Otherwise accept any current cred. */
|
||||
if (found_tgt)
|
||||
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
|
||||
index fb9d5d0942..6c6a2d007e 100644
|
||||
index 17a8a8f2f0..1f2650c2ab 100644
|
||||
--- a/src/clients/ksu/authorization.c
|
||||
+++ b/src/clients/ksu/authorization.c
|
||||
@@ -28,7 +28,17 @@
|
||||
@ -687,9 +687,9 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
+ free(list);
|
||||
+}
|
||||
|
||||
krb5_boolean fowner(fp, uid)
|
||||
FILE *fp;
|
||||
@@ -53,10 +63,10 @@ krb5_boolean fowner(fp, uid)
|
||||
krb5_boolean
|
||||
fowner(FILE *fp, uid_t uid)
|
||||
@@ -52,10 +62,10 @@ fowner(FILE *fp, uid_t uid)
|
||||
|
||||
/*
|
||||
* Given a Kerberos principal "principal", and a local username "luser",
|
||||
@ -703,9 +703,9 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
+ * (regardless of its result), non-zero if it encountered an error.
|
||||
*/
|
||||
|
||||
krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -71,7 +81,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
char **out_fcmd;
|
||||
krb5_error_code
|
||||
@@ -64,7 +74,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
char **out_fcmd)
|
||||
{
|
||||
struct passwd *pwd;
|
||||
- char *princname;
|
||||
@ -713,7 +713,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
int k5login_flag =0;
|
||||
int k5users_flag =0;
|
||||
krb5_boolean retbool =FALSE;
|
||||
@@ -83,7 +93,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -76,7 +86,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
|
||||
/* no account => no access */
|
||||
if ((pwd = getpwnam(luser)) == NULL)
|
||||
@ -722,7 +722,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
|
||||
retval = krb5_unparse_name(context, principal, &princname);
|
||||
if (retval)
|
||||
@@ -100,22 +110,19 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -93,22 +103,19 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
|
||||
/* k5login and k5users must be owned by target user or root */
|
||||
if (!k5login_flag){
|
||||
@ -755,7 +755,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
if (auth_debug){
|
||||
@@ -134,10 +141,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -127,10 +134,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
princname);
|
||||
|
||||
retval = k5login_lookup(login_fp, princname, &retbool);
|
||||
@ -768,7 +768,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
if (retbool) {
|
||||
if (cmd)
|
||||
*out_fcmd = xstrdup(cmd);
|
||||
@@ -147,10 +152,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -140,10 +145,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
if ((!k5users_flag) && (retbool == FALSE) ){
|
||||
retval = k5users_lookup (users_fp, princname,
|
||||
cmd, &retbool, out_fcmd);
|
||||
@ -781,7 +781,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
if (k5login_flag && k5users_flag){
|
||||
@@ -166,8 +169,14 @@ krb5_error_code krb5_authorization(context, principal, luser,
|
||||
@@ -159,8 +162,14 @@ krb5_authorization(krb5_context context, krb5_principal principal,
|
||||
}
|
||||
|
||||
*ok =retbool;
|
||||
@ -798,8 +798,8 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
@@ -334,10 +343,11 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
char **out_err;
|
||||
@@ -320,10 +329,11 @@ krb5_boolean
|
||||
fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
{
|
||||
char * err;
|
||||
- char ** tmp_fcmd;
|
||||
@ -811,7 +811,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
|
||||
tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *));
|
||||
|
||||
@@ -345,7 +355,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -331,7 +341,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
tmp_fcmd[0] = xstrdup(fcmd);
|
||||
tmp_fcmd[1] = NULL;
|
||||
*out_fcmd = tmp_fcmd;
|
||||
@ -820,7 +820,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}else{
|
||||
/* must be either full path or just the cmd name */
|
||||
if (strchr(fcmd, '/')){
|
||||
@@ -353,7 +363,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -339,7 +349,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
"either full path or just the cmd name\n"),
|
||||
fcmd, KRB5_USERS_NAME);
|
||||
*out_err = err;
|
||||
@ -829,7 +829,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
#ifndef CMD_PATH
|
||||
@@ -361,7 +371,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -347,7 +357,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
"the cmd name, CMD_PATH must be defined \n"),
|
||||
fcmd, KRB5_USERS_NAME, fcmd);
|
||||
*out_err = err;
|
||||
@ -838,7 +838,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
#else
|
||||
|
||||
path = xstrdup (CMD_PATH);
|
||||
@@ -375,7 +385,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -361,7 +371,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
asprintf(&err, _("Error: bad entry - %s in %s file, CMD_PATH "
|
||||
"contains no paths \n"), fcmd, KRB5_USERS_NAME);
|
||||
*out_err = err;
|
||||
@ -847,7 +847,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
i=0;
|
||||
@@ -384,7 +394,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -370,7 +380,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
asprintf(&err, _("Error: bad path %s in CMD_PATH for %s must "
|
||||
"start with '/' \n"), tc, KRB5_USERS_NAME );
|
||||
*out_err = err;
|
||||
@ -856,7 +856,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd);
|
||||
@@ -395,10 +405,15 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
|
||||
@@ -381,10 +391,15 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
|
||||
|
||||
tmp_fcmd[i] = NULL;
|
||||
*out_fcmd = tmp_fcmd;
|
||||
@ -874,9 +874,9 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
/********************************************
|
||||
@@ -524,41 +539,42 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out)
|
||||
char **cmd_out;
|
||||
char **err_out;
|
||||
@@ -503,41 +518,42 @@ int
|
||||
match_commands(char *fcmd, char *cmd, krb5_boolean *match,
|
||||
char **cmd_out, char **err_out)
|
||||
{
|
||||
- char ** fcmd_arr;
|
||||
+ char ** fcmd_arr = NULL;
|
||||
@ -930,7 +930,7 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
}
|
||||
|
||||
/*********************************************************
|
||||
@@ -587,10 +603,7 @@ krb5_error_code get_line (fp, out_line)
|
||||
@@ -563,10 +579,7 @@ get_line(FILE *fp, char **out_line)
|
||||
}
|
||||
else {
|
||||
chunk_count ++;
|
||||
@ -942,14 +942,12 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
|
||||
line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
|
||||
}
|
||||
@@ -677,21 +690,8 @@ char * get_next_token (lnext)
|
||||
@@ -652,17 +665,6 @@ get_next_token (char **lnext)
|
||||
return out_ptr;
|
||||
}
|
||||
|
||||
-static void auth_cleanup(users_fp, login_fp, princname)
|
||||
- FILE *users_fp;
|
||||
- FILE *login_fp;
|
||||
- char *princname;
|
||||
-static void
|
||||
-auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname)
|
||||
-{
|
||||
-
|
||||
- free (princname);
|
||||
@ -959,22 +957,17 @@ index fb9d5d0942..6c6a2d007e 100644
|
||||
- fclose(login_fp);
|
||||
-}
|
||||
-
|
||||
-void init_auth_names(pw_dir)
|
||||
- char *pw_dir;
|
||||
+void
|
||||
+init_auth_names(char *pw_dir)
|
||||
void
|
||||
init_auth_names(char *pw_dir)
|
||||
{
|
||||
const char *sep;
|
||||
int r1, r2;
|
||||
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
|
||||
index cbb9aa2b85..45667dd24a 100644
|
||||
index cca9ce2dfc..76cb1d6aa4 100644
|
||||
--- a/src/clients/ksu/ccache.c
|
||||
+++ b/src/clients/ksu/ccache.c
|
||||
@@ -40,7 +40,19 @@ copies the default cache into the secondary cache,
|
||||
@@ -40,6 +40,18 @@ copies the default cache into the secondary cache,
|
||||
|
||||
************************************************************************/
|
||||
|
||||
-void show_credential();
|
||||
+static void
|
||||
+free_creds_list(krb5_context context, krb5_creds **list)
|
||||
+{
|
||||
@ -987,13 +980,12 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
+ free(list);
|
||||
+}
|
||||
+
|
||||
+void show_credential(krb5_context, krb5_creds *, krb5_ccache);
|
||||
void show_credential(krb5_context, krb5_creds *, krb5_ccache);
|
||||
|
||||
/* modifies only the cc_other, the algorithm may look a bit funny,
|
||||
but I had to do it this way, since remove function did not come
|
||||
@@ -59,20 +71,19 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
|
||||
/* OUT */
|
||||
krb5_boolean *stored;
|
||||
@@ -53,20 +65,19 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
|
||||
krb5_boolean restrict_creds, krb5_principal primary_principal,
|
||||
krb5_boolean *stored)
|
||||
{
|
||||
- int i=0;
|
||||
krb5_error_code retval=0;
|
||||
@ -1016,7 +1008,7 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
|
||||
if (restrict_creds) {
|
||||
retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
|
||||
@@ -85,22 +96,9 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
|
||||
@@ -79,22 +90,9 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
|
||||
cc_other_creds_arr);
|
||||
}
|
||||
|
||||
@ -1042,7 +1034,7 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -198,32 +196,29 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
|
||||
@@ -184,32 +182,29 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
|
||||
{
|
||||
|
||||
krb5_creds creds, temp_tktq, temp_tkt;
|
||||
@ -1082,7 +1074,7 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
}
|
||||
if (auth_debug){
|
||||
fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n");
|
||||
@@ -233,19 +228,19 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
|
||||
@@ -219,19 +214,19 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
|
||||
}
|
||||
}
|
||||
else { /* these credentials didn't expire */
|
||||
@ -1111,7 +1103,7 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -253,13 +248,15 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
|
||||
@@ -239,13 +234,15 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
|
||||
|
||||
temp_creds[count] = NULL;
|
||||
*creds_array = temp_creds;
|
||||
@ -1127,16 +1119,14 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
-
|
||||
}
|
||||
|
||||
|
||||
@@ -331,97 +328,6 @@ void printtime(krb5_timestamp ts)
|
||||
krb5_error_code
|
||||
@@ -315,122 +312,33 @@ printtime(krb5_timestamp ts)
|
||||
printf("%s", fmtbuf);
|
||||
}
|
||||
|
||||
-
|
||||
-krb5_error_code
|
||||
-krb5_get_login_princ(luser, princ_list)
|
||||
- const char *luser;
|
||||
- char ***princ_list;
|
||||
-krb5_get_login_princ(const char *luser, char ***princ_list)
|
||||
-{
|
||||
- struct stat sbuf;
|
||||
- struct passwd *pwd;
|
||||
@ -1220,14 +1210,9 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
- fclose(fp);
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-
|
||||
-
|
||||
void
|
||||
show_credential(context, cred, cc)
|
||||
krb5_context context;
|
||||
@@ -429,31 +335,29 @@ show_credential(context, cred, cc)
|
||||
krb5_ccache cc;
|
||||
show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
- char *name, *sname, *flags;
|
||||
@ -1264,7 +1249,7 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
}
|
||||
|
||||
if (!cred->times.starttime)
|
||||
@@ -491,8 +395,12 @@ show_credential(context, cred, cc)
|
||||
@@ -468,8 +376,12 @@ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
|
||||
}
|
||||
}
|
||||
putchar('\n');
|
||||
@ -1277,8 +1262,8 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
}
|
||||
|
||||
/* Create a random string suitable for a filename extension. */
|
||||
@@ -526,37 +434,26 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
|
||||
krb5_principal primary_principal;
|
||||
@@ -501,37 +413,26 @@ krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct,
|
||||
krb5_principal primary_principal)
|
||||
{
|
||||
krb5_error_code retval=0;
|
||||
- krb5_principal temp_principal;
|
||||
@ -1327,8 +1312,8 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -616,45 +513,40 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
|
||||
krb5_principal prst;
|
||||
@@ -585,45 +486,40 @@ krb5_error_code
|
||||
krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst)
|
||||
{
|
||||
|
||||
- int i=0;
|
||||
@ -1395,10 +1380,10 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
+ return retval;
|
||||
}
|
||||
|
||||
krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ)
|
||||
@@ -688,17 +580,20 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
|
||||
krb5_principal princ;
|
||||
krb5_boolean *found;
|
||||
krb5_boolean
|
||||
@@ -654,17 +550,20 @@ krb5_error_code
|
||||
krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc,
|
||||
krb5_principal princ, krb5_boolean *found)
|
||||
{
|
||||
- krb5_error_code retval;
|
||||
+ krb5_error_code retval = 0;
|
||||
@ -1423,10 +1408,10 @@ index cbb9aa2b85..45667dd24a 100644
|
||||
|
||||
krb5_boolean
|
||||
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
|
||||
index 4f7280f4cb..47baa785e5 100644
|
||||
index e906de8ef0..6ed94eb887 100644
|
||||
--- a/src/clients/ksu/heuristic.c
|
||||
+++ b/src/clients/ksu/heuristic.c
|
||||
@@ -156,28 +156,31 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
|
||||
@@ -149,28 +149,31 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
|
||||
|
||||
*k5users_filt_list = NULL;
|
||||
|
||||
@ -1464,7 +1449,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
for(j= 0, k=0; j < i; j++ ) {
|
||||
if (k5users_list[j]){
|
||||
@@ -191,7 +194,10 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
|
||||
@@ -184,7 +187,10 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
|
||||
free (k5users_list);
|
||||
|
||||
*k5users_filt_list = temp_filt_list;
|
||||
@ -1476,7 +1461,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
@@ -335,7 +341,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
|
||||
@@ -318,7 +324,7 @@ get_closest_principal(krb5_context context, char **plist,
|
||||
|
||||
retval = krb5_parse_name(context, plist[i], &temp_client);
|
||||
if (retval)
|
||||
@ -1485,7 +1470,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
pnelem = krb5_princ_size(context, temp_client);
|
||||
|
||||
@@ -363,6 +369,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
|
||||
@@ -346,6 +352,7 @@ get_closest_principal(krb5_context context, char **plist,
|
||||
if(best_client){
|
||||
if(krb5_princ_size(context, best_client) >
|
||||
krb5_princ_size(context, temp_client)){
|
||||
@ -1493,7 +1478,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
best_client = temp_client;
|
||||
}
|
||||
}else
|
||||
@@ -375,9 +382,12 @@ krb5_error_code get_closest_principal(context, plist, client, found)
|
||||
@@ -358,9 +365,12 @@ get_closest_principal(krb5_context context, char **plist,
|
||||
if (best_client) {
|
||||
*found = TRUE;
|
||||
*client = best_client;
|
||||
@ -1507,7 +1492,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
}
|
||||
|
||||
/****************************************************************
|
||||
@@ -499,6 +509,7 @@ krb5_error_code find_princ_in_list (context, princ, plist, found)
|
||||
@@ -471,6 +481,7 @@ find_princ_in_list(krb5_context context, krb5_principal princ, char **plist,
|
||||
i++;
|
||||
}
|
||||
|
||||
@ -1515,7 +1500,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
return 0;
|
||||
|
||||
}
|
||||
@@ -534,11 +545,9 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -498,11 +509,9 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
{
|
||||
|
||||
princ_info princ_trials[10];
|
||||
@ -1530,7 +1515,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
krb5_error_code retval;
|
||||
char ** aplist =NULL;
|
||||
krb5_boolean found = FALSE;
|
||||
@@ -555,54 +564,59 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -519,54 +528,59 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
if (ks_ccache_is_initialized(context, cc_source)) {
|
||||
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
|
||||
if (retval)
|
||||
@ -1609,7 +1594,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
if (cmd)
|
||||
*path_out = NOT_AUTHORIZED;
|
||||
@@ -610,26 +624,25 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -574,26 +588,25 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
if (auth_debug)
|
||||
printf(" GET_best_princ_for_target: via no auth files path\n");
|
||||
|
||||
@ -1640,7 +1625,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
/* first see if default principal of the source cache
|
||||
* can get us in, then the target_user@realm, then the
|
||||
@@ -652,7 +665,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -616,7 +629,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
retval= find_princ_in_list(context, princ_trials[i].p, aplist,
|
||||
&found);
|
||||
if (retval)
|
||||
@ -1649,7 +1634,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
if (found == TRUE){
|
||||
princ_trials[i].found = TRUE;
|
||||
@@ -661,12 +674,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -625,12 +638,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
princ_trials[i].p,
|
||||
end_server, &found);
|
||||
if (retval)
|
||||
@ -1666,7 +1651,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -679,21 +693,23 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -643,21 +657,23 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
while (aplist[i]){
|
||||
retval = krb5_parse_name(context, aplist[i], &temp_client);
|
||||
if (retval)
|
||||
@ -1693,7 +1678,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
i++;
|
||||
}
|
||||
@@ -704,11 +720,11 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -668,11 +684,11 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
|
||||
for (i=0; i < count; i ++){
|
||||
if (princ_trials[i].found == TRUE){
|
||||
@ -1707,7 +1692,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -718,7 +734,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -682,7 +698,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
retval=krb5_copy_principal(context, princ_trials[i].p,
|
||||
&temp_client);
|
||||
if(retval)
|
||||
@ -1716,7 +1701,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
|
||||
/* get the client name that is the closest
|
||||
to the three princ in trials */
|
||||
@@ -726,15 +742,15 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -690,15 +706,15 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
retval=get_closest_principal(context, aplist, &temp_client,
|
||||
&found);
|
||||
if(retval)
|
||||
@ -1735,7 +1720,7 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -745,5 +761,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
|
||||
@@ -709,5 +725,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
|
||||
printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
|
||||
|
||||
*path_out = NOT_AUTHORIZED;
|
||||
@ -1751,12 +1736,12 @@ index 4f7280f4cb..47baa785e5 100644
|
||||
+ return retval;
|
||||
}
|
||||
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
|
||||
index fb848dcab1..a99c4c826c 100644
|
||||
index db10251f95..68cfe6b0ed 100644
|
||||
--- a/src/clients/ksu/krb_auth_su.c
|
||||
+++ b/src/clients/ksu/krb_auth_su.c
|
||||
@@ -42,33 +42,31 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
||||
krb5_ccache cc;
|
||||
int *path_passwd;
|
||||
@@ -37,33 +37,31 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
|
||||
char *target_user, krb5_ccache cc, int *path_passwd,
|
||||
uid_t target_uid)
|
||||
{
|
||||
- krb5_principal client;
|
||||
+ krb5_principal client = NULL;
|
||||
@ -1794,7 +1779,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
|
||||
if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
|
||||
@@ -82,7 +80,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
||||
@@ -77,7 +75,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
|
||||
if ((retval != KRB5_CC_NOTFOUND) &&
|
||||
(retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
|
||||
com_err(prog_name, retval, _("while retrieving creds from cache"));
|
||||
@ -1803,7 +1788,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
} else{
|
||||
got_it = 1;
|
||||
@@ -93,7 +91,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
||||
@@ -88,7 +86,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
|
||||
#ifdef GET_TGT_VIA_PASSWD
|
||||
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
|
||||
com_err("ksu", errno, _("while switching to target uid"));
|
||||
@ -1812,7 +1797,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
|
||||
|
||||
@@ -107,19 +105,19 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
||||
@@ -102,19 +100,19 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
|
||||
&tgt) == FALSE) {
|
||||
krb5_seteuid(0);
|
||||
|
||||
@ -1835,7 +1820,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
|
||||
#endif /* GET_TGT_VIA_PASSWD */
|
||||
|
||||
@@ -131,10 +129,16 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
||||
@@ -126,10 +124,16 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
|
||||
&vfy_opts);
|
||||
if (retval) {
|
||||
com_err(prog_name, retval, _("while verifying ticket for server"));
|
||||
@ -1853,10 +1838,10 @@ index fb848dcab1..a99c4c826c 100644
|
||||
+ return ok;
|
||||
}
|
||||
|
||||
krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
@@ -145,11 +149,12 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
krb5_boolean *zero_password;
|
||||
krb5_creds *creds_out;
|
||||
krb5_boolean
|
||||
@@ -137,11 +141,12 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
|
||||
krb5_get_init_creds_opt *options,
|
||||
krb5_boolean *zero_password, krb5_creds *creds_out)
|
||||
{
|
||||
+ krb5_boolean ok = FALSE;
|
||||
krb5_error_code code;
|
||||
@ -1869,7 +1854,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
int result;
|
||||
|
||||
*zero_password = FALSE;
|
||||
@@ -158,14 +163,14 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
@@ -150,14 +155,14 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
|
||||
|
||||
if ((code = krb5_unparse_name(context, client, &client_name))) {
|
||||
com_err (prog_name, code, _("when unparsing name"));
|
||||
@ -1886,7 +1871,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
|
||||
result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "),
|
||||
@@ -174,7 +179,7 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
@@ -166,7 +171,7 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
|
||||
fprintf(stderr,
|
||||
_("principal name %s too long for internal buffer space\n"),
|
||||
client_name);
|
||||
@ -1895,7 +1880,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
|
||||
pwsize = sizeof(password);
|
||||
@@ -183,13 +188,13 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
@@ -175,13 +180,13 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
|
||||
if (code ) {
|
||||
com_err(prog_name, code, _("while reading password for '%s'\n"),
|
||||
client_name);
|
||||
@ -1911,7 +1896,7 @@ index fb848dcab1..a99c4c826c 100644
|
||||
}
|
||||
|
||||
code = krb5_get_init_creds_password(context, &creds, client, password,
|
||||
@@ -203,13 +208,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
@@ -195,13 +200,19 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
|
||||
fprintf(stderr, _("%s: Password incorrect\n"), prog_name);
|
||||
else
|
||||
com_err(prog_name, code, _("while getting initial credentials"));
|
||||
@ -1935,8 +1920,8 @@ index fb848dcab1..a99c4c826c 100644
|
||||
+ return ok;
|
||||
}
|
||||
|
||||
|
||||
@@ -224,8 +235,10 @@ void dump_principal (context, str, p)
|
||||
void
|
||||
@@ -213,8 +224,10 @@ dump_principal(krb5_context context, char *str, krb5_principal p)
|
||||
if ((retval = krb5_unparse_name(context, p, &stname))) {
|
||||
fprintf(stderr, _(" %s while unparsing name\n"),
|
||||
error_message(retval));
|
||||
@ -1946,8 +1931,8 @@ index fb848dcab1..a99c4c826c 100644
|
||||
+ free(stname);
|
||||
}
|
||||
|
||||
void plain_dump_principal (context, p)
|
||||
@@ -238,74 +251,8 @@ void plain_dump_principal (context, p)
|
||||
void
|
||||
@@ -226,71 +239,8 @@ plain_dump_principal (krb5_context context, krb5_principal p)
|
||||
if ((retval = krb5_unparse_name(context, p, &stname))) {
|
||||
fprintf(stderr, _(" %s while unparsing name\n"),
|
||||
error_message(retval));
|
||||
@ -1965,11 +1950,8 @@ index fb848dcab1..a99c4c826c 100644
|
||||
-
|
||||
-**********************************************************************/
|
||||
-
|
||||
-
|
||||
-krb5_error_code get_best_principal(context, plist, client)
|
||||
- krb5_context context;
|
||||
- char **plist;
|
||||
- krb5_principal *client;
|
||||
-krb5_error_code
|
||||
-get_best_principal(krb5_context context, char **plist, krb5_principal *client)
|
||||
-{
|
||||
- krb5_error_code retval =0;
|
||||
- krb5_principal temp_client, best_client = NULL;
|
||||
@ -2049,10 +2031,10 @@ index 66fb4bcc6a..32ce11cb85 100644
|
||||
(krb5_context, krb5_creds *, krb5_ccache);
|
||||
|
||||
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
||||
index 931f054041..a7cb7ed3be 100644
|
||||
index 2a351662c8..77703a6a2b 100644
|
||||
--- a/src/clients/ksu/main.c
|
||||
+++ b/src/clients/ksu/main.c
|
||||
@@ -1003,7 +1003,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
|
||||
@@ -1002,7 +1002,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
|
||||
if (retval) {
|
||||
com_err(prog_name, retval,
|
||||
_("while generating part of the target ccache name"));
|
||||
@ -2061,7 +2043,7 @@ index 931f054041..a7cb7ed3be 100644
|
||||
}
|
||||
if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
|
||||
retval = ENOMEM;
|
||||
@@ -1015,6 +1015,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
|
||||
@@ -1014,6 +1014,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
|
||||
free(sym);
|
||||
} while (ks_ccache_name_is_initialized(context, ccname));
|
||||
retval = krb5_cc_resolve(context, ccname, &ccache);
|
||||
@ -2070,7 +2052,7 @@ index 931f054041..a7cb7ed3be 100644
|
||||
/* Look for a cache in the collection that we can reuse. */
|
||||
retval = krb5_cc_cache_match(context, princ, &ccache);
|
||||
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
|
||||
index b0c8378b40..8a59188216 100644
|
||||
index 26f340af31..976c8969e8 100644
|
||||
--- a/src/kadmin/cli/keytab.c
|
||||
+++ b/src/kadmin/cli/keytab.c
|
||||
@@ -363,7 +363,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
|
||||
@ -2108,10 +2090,10 @@ index b0c8378b40..8a59188216 100644
|
||||
}
|
||||
|
||||
diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
|
||||
index 92d7023a4f..782c7289c5 100644
|
||||
index 87a69ca145..a1c17d154d 100644
|
||||
--- a/src/kadmin/ktutil/ktutil.c
|
||||
+++ b/src/kadmin/ktutil/ktutil.c
|
||||
@@ -263,6 +263,7 @@ void ktutil_list(argc, argv)
|
||||
@@ -254,6 +254,7 @@ ktutil_list(int argc, char *argv[])
|
||||
buf, sizeof(buf)))) {
|
||||
com_err(argv[0], retval,
|
||||
_("While converting enctype to string"));
|
||||
@ -2120,7 +2102,7 @@ index 92d7023a4f..782c7289c5 100644
|
||||
}
|
||||
printf(" (%s) ", buf);
|
||||
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
||||
index cb9785aaeb..286b3a655e 100644
|
||||
index f883ae2df8..9a4826e441 100644
|
||||
--- a/src/kprop/kpropd.c
|
||||
+++ b/src/kprop/kpropd.c
|
||||
@@ -1300,19 +1300,20 @@ static krb5_boolean
|
||||
@ -2187,7 +2169,7 @@ index 96a408c237..bf5cede54a 100644
|
||||
|
||||
if (json_kgcred(context, cred, &jcred))
|
||||
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
|
||||
index cb1cb9393a..87a46cd533 100644
|
||||
index 83e7634106..d4b070f8c0 100644
|
||||
--- a/src/lib/gssapi/krb5/val_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/val_cred.c
|
||||
@@ -35,6 +35,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
|
||||
@ -2330,5 +2312,5 @@ index 753929b06d..f7fad27867 100644
|
||||
}
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
34
0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
Normal file
34
0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 6e898b880a0c752f83decf33d64a7d8706e6d6f8 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 27 Oct 2023 00:44:53 -0400
|
||||
Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
|
||||
|
||||
In sendto_kdc.c:service_fds(), if a message handler indicates that a
|
||||
message should be discarded, kill the connection so we don't continue
|
||||
waiting on it for more data.
|
||||
|
||||
ticket: 7899
|
||||
(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
|
||||
---
|
||||
src/lib/krb5/os/sendto_kdc.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||
index 0f4bf23a95..262edf09b4 100644
|
||||
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
|
||||
if (msg_handler != NULL) {
|
||||
krb5_data reply = make_data(state->in.buf, state->in.pos);
|
||||
|
||||
- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
|
||||
+ if (!msg_handler(context, &reply, msg_handler_data)) {
|
||||
+ kill_conn(context, state, selstate);
|
||||
+ stop = 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (stop) {
|
||||
--
|
||||
2.45.1
|
||||
|
226
0019-Add-request_timeout-configuration-parameter.patch
Normal file
226
0019-Add-request_timeout-configuration-parameter.patch
Normal file
@ -0,0 +1,226 @@
|
||||
From fa711b7cb3b7cbb234bd202bc9d9b9d7ca4defad Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 26 Oct 2023 14:20:34 -0400
|
||||
Subject: [PATCH] Add request_timeout configuration parameter
|
||||
|
||||
Add a parameter to limit the total amount of time taken for a KDC or
|
||||
password change request.
|
||||
|
||||
ticket: 9106 (new)
|
||||
(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be)
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 9 ++++++
|
||||
src/include/k5-int.h | 2 ++
|
||||
src/lib/krb5/krb/init_ctx.c | 14 +++++++-
|
||||
src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++----------
|
||||
4 files changed, 58 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index a33711d918..65fb592d98 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations:
|
||||
(:ref:`duration` string.) Sets the default renewable lifetime
|
||||
for initial ticket requests. The default value is 0.
|
||||
|
||||
+**request_timeout**
|
||||
+ (:ref:`duration` string.) Sets the maximum total time for KDC or
|
||||
+ password change requests. This timeout does not affect the
|
||||
+ intervals between requests, so setting a low timeout may result in
|
||||
+ fewer requests being attempted and/or some servers not being
|
||||
+ contacted. A value of 0 indicates no specific maximum, in which
|
||||
+ case requests will time out if no server responds after several
|
||||
+ tries. The default value is 0. (New in release 1.22.)
|
||||
+
|
||||
**spake_preauth_groups**
|
||||
A whitespace or comma-separated list of words which specifies the
|
||||
groups allowed for SPAKE preauthentication. The possible values
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index b3e07945c1..69d6a6f569 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -296,6 +296,7 @@ typedef unsigned char u_char;
|
||||
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
|
||||
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
|
||||
#define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups"
|
||||
+#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout"
|
||||
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
|
||||
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
|
||||
#define KRB5_CONF_UNLOCKITER "unlockiter"
|
||||
@@ -1200,6 +1201,7 @@ struct _krb5_context {
|
||||
kdb5_dal_handle *dal_handle;
|
||||
/* allowable clock skew */
|
||||
krb5_deltat clockskew;
|
||||
+ krb5_deltat req_timeout;
|
||||
krb5_flags kdc_default_options;
|
||||
krb5_flags library_options;
|
||||
krb5_boolean profile_secure;
|
||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||
index 2b5abcd817..582a2945ff 100644
|
||||
--- a/src/lib/krb5/krb/init_ctx.c
|
||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||
@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
krb5_context ctx = 0;
|
||||
krb5_error_code retval;
|
||||
int tmp;
|
||||
- char *plugin_dir = NULL;
|
||||
+ char *plugin_dir = NULL, *timeout_str = NULL;
|
||||
|
||||
/* Verify some assumptions. If the assumptions hold and the
|
||||
compiler is optimizing, this should result in no code being
|
||||
@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
|
||||
ctx->clockskew = tmp;
|
||||
|
||||
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
|
||||
+ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL,
|
||||
+ &timeout_str);
|
||||
+ if (retval)
|
||||
+ goto cleanup;
|
||||
+ if (timeout_str != NULL) {
|
||||
+ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout);
|
||||
+ if (retval)
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
|
||||
&tmp);
|
||||
ctx->kdc_default_options = tmp;
|
||||
@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
|
||||
cleanup:
|
||||
profile_release_string(plugin_dir);
|
||||
+ profile_release_string(timeout_str);
|
||||
krb5_free_context(ctx);
|
||||
return retval;
|
||||
}
|
||||
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||
index 262edf09b4..98247a1089 100644
|
||||
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns)
|
||||
|
||||
static krb5_boolean
|
||||
service_fds(krb5_context context, struct select_state *selstate,
|
||||
- time_ms interval, struct conn_state *conns,
|
||||
+ time_ms interval, time_ms timeout, struct conn_state *conns,
|
||||
struct select_state *seltemp, const krb5_data *realm,
|
||||
int (*msg_handler)(krb5_context, const krb5_data *, void *),
|
||||
void *msg_handler_data, struct conn_state **winner_out)
|
||||
{
|
||||
int e, selret = 0;
|
||||
- time_ms endtime;
|
||||
+ time_ms curtime, interval_end, endtime;
|
||||
struct conn_state *state;
|
||||
|
||||
*winner_out = NULL;
|
||||
|
||||
- e = get_curtime_ms(&endtime);
|
||||
+ e = get_curtime_ms(&curtime);
|
||||
if (e)
|
||||
return TRUE;
|
||||
- endtime += interval;
|
||||
+ interval_end = curtime + interval;
|
||||
|
||||
e = 0;
|
||||
while (selstate->nfds > 0) {
|
||||
- e = cm_select_or_poll(selstate, get_endtime(endtime, conns),
|
||||
- seltemp, &selret);
|
||||
+ endtime = get_endtime(interval_end, conns);
|
||||
+ /* Don't wait longer than the whole request should last. */
|
||||
+ if (timeout && endtime > timeout)
|
||||
+ endtime = timeout;
|
||||
+ e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
|
||||
if (e == EINTR)
|
||||
continue;
|
||||
if (e != 0)
|
||||
break;
|
||||
|
||||
- if (selret == 0)
|
||||
- /* Timeout, return to caller. */
|
||||
+ if (selret == 0) {
|
||||
+ /* We timed out. Stop if we hit the overall request timeout. */
|
||||
+ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout))
|
||||
+ return TRUE;
|
||||
+ /* Otherwise return to the caller to send the next request. */
|
||||
return FALSE;
|
||||
+ }
|
||||
|
||||
/* Got something on a socket, process it. */
|
||||
for (state = conns; state != NULL; state = state->next) {
|
||||
@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||
void *msg_handler_data)
|
||||
{
|
||||
int pass;
|
||||
- time_ms delay;
|
||||
+ time_ms delay, timeout = 0;
|
||||
krb5_error_code retval;
|
||||
struct conn_state *conns = NULL, *state, **tailptr, *next, *winner;
|
||||
size_t s;
|
||||
@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||
|
||||
*reply = empty_data();
|
||||
|
||||
+ if (context->req_timeout) {
|
||||
+ retval = get_curtime_ms(&timeout);
|
||||
+ if (retval)
|
||||
+ return retval;
|
||||
+ timeout += 1000 * context->req_timeout;
|
||||
+ }
|
||||
+
|
||||
/* One for use here, listing all our fds in use, and one for
|
||||
* temporary use in service_fds, for the fds of interest. */
|
||||
sel_state = malloc(2 * sizeof(*sel_state));
|
||||
@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||
if (maybe_send(context, state, message, sel_state, realm,
|
||||
callback_info))
|
||||
continue;
|
||||
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||
- realm, msg_handler, msg_handler_data, &winner);
|
||||
+ done = service_fds(context, sel_state, 1000, timeout, conns,
|
||||
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||
+ &winner);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||
if (maybe_send(context, state, message, sel_state, realm,
|
||||
callback_info))
|
||||
continue;
|
||||
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||
+ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp,
|
||||
realm, msg_handler, msg_handler_data, &winner);
|
||||
}
|
||||
|
||||
/* Wait for two seconds at the end of the first pass. */
|
||||
if (!done) {
|
||||
- done = service_fds(context, sel_state, 2000, conns, seltemp,
|
||||
+ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp,
|
||||
realm, msg_handler, msg_handler_data, &winner);
|
||||
}
|
||||
|
||||
@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||
if (maybe_send(context, state, message, sel_state, realm,
|
||||
callback_info))
|
||||
continue;
|
||||
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||
- realm, msg_handler, msg_handler_data, &winner);
|
||||
+ done = service_fds(context, sel_state, 1000, timeout, conns,
|
||||
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||
+ &winner);
|
||||
if (sel_state->nfds == 0)
|
||||
break;
|
||||
}
|
||||
/* Wait for the delay backoff at the end of this pass. */
|
||||
if (!done) {
|
||||
- done = service_fds(context, sel_state, delay, conns, seltemp,
|
||||
- realm, msg_handler, msg_handler_data, &winner);
|
||||
+ done = service_fds(context, sel_state, delay, timeout, conns,
|
||||
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||
+ &winner);
|
||||
}
|
||||
if (sel_state->nfds == 0)
|
||||
break;
|
||||
--
|
||||
2.45.1
|
||||
|
138
0020-Wait-indefinitely-on-KDC-TCP-connections.patch
Normal file
138
0020-Wait-indefinitely-on-KDC-TCP-connections.patch
Normal file
@ -0,0 +1,138 @@
|
||||
From 58b64df22e22b9b89f9c6af96990276a1fc8e3c6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 26 Oct 2023 16:26:42 -0400
|
||||
Subject: [PATCH] Wait indefinitely on KDC TCP connections
|
||||
|
||||
When making a KDC or password change request, wait indefinitely
|
||||
(limited only by request_timeout if set) once a KDC has accepted a TCP
|
||||
connection.
|
||||
|
||||
ticket: 9105 (new)
|
||||
(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36)
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
||||
src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++--------------
|
||||
2 files changed, 27 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 65fb592d98..b7284c47df 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations:
|
||||
for initial ticket requests. The default value is 0.
|
||||
|
||||
**request_timeout**
|
||||
- (:ref:`duration` string.) Sets the maximum total time for KDC or
|
||||
+ (:ref:`duration` string.) Sets the maximum total time for KDC and
|
||||
password change requests. This timeout does not affect the
|
||||
intervals between requests, so setting a low timeout may result in
|
||||
fewer requests being attempted and/or some servers not being
|
||||
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||
index 98247a1089..924f5b2d26 100644
|
||||
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -134,7 +134,6 @@ struct conn_state {
|
||||
krb5_data callback_buffer;
|
||||
size_t server_index;
|
||||
struct conn_state *next;
|
||||
- time_ms endtime;
|
||||
krb5_boolean defer;
|
||||
struct {
|
||||
const char *uri_path;
|
||||
@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
|
||||
struct select_state *out, int *sret)
|
||||
{
|
||||
#ifndef USE_POLL
|
||||
- struct timeval tv;
|
||||
+ struct timeval tv, *tvp;
|
||||
#endif
|
||||
krb5_error_code retval;
|
||||
time_ms curtime, interval;
|
||||
|
||||
- retval = get_curtime_ms(&curtime);
|
||||
- if (retval != 0)
|
||||
- return retval;
|
||||
- interval = (curtime < endtime) ? endtime - curtime : 0;
|
||||
+ if (endtime != 0) {
|
||||
+ retval = get_curtime_ms(&curtime);
|
||||
+ if (retval != 0)
|
||||
+ return retval;
|
||||
+ interval = (curtime < endtime) ? endtime - curtime : 0;
|
||||
+ } else {
|
||||
+ interval = -1;
|
||||
+ }
|
||||
|
||||
/* We don't need a separate copy of the selstate for poll, but use one for
|
||||
* consistency with how we use select. */
|
||||
@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
|
||||
#ifdef USE_POLL
|
||||
*sret = poll(out->fds, out->nfds, interval);
|
||||
#else
|
||||
- tv.tv_sec = interval / 1000;
|
||||
- tv.tv_usec = interval % 1000 * 1000;
|
||||
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv);
|
||||
+ if (interval != -1) {
|
||||
+ tv.tv_sec = interval / 1000;
|
||||
+ tv.tv_usec = interval % 1000 * 1000;
|
||||
+ tvp = &tv;
|
||||
+ } else {
|
||||
+ tvp = NULL;
|
||||
+ }
|
||||
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp);
|
||||
#endif
|
||||
|
||||
return (*sret < 0) ? SOCKET_ERRNO : 0;
|
||||
@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
|
||||
}
|
||||
|
||||
conn->state = WRITING;
|
||||
-
|
||||
- /* Record this connection's timeout for service_fds. */
|
||||
- if (get_curtime_ms(&conn->endtime) == 0)
|
||||
- conn->endtime += 10000;
|
||||
-
|
||||
return conn->service_write(context, realm, conn, selstate);
|
||||
}
|
||||
|
||||
@@ -1378,19 +1381,18 @@ kill_conn:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
-/* Return the maximum of endtime and the endtime fields of all currently active
|
||||
- * TCP connections. */
|
||||
-static time_ms
|
||||
-get_endtime(time_ms endtime, struct conn_state *conns)
|
||||
+/* Return true if conns contains any states with connected TCP sockets. */
|
||||
+static krb5_boolean
|
||||
+any_tcp_connections(struct conn_state *conns)
|
||||
{
|
||||
struct conn_state *state;
|
||||
|
||||
for (state = conns; state != NULL; state = state->next) {
|
||||
- if ((state->state == READING || state->state == WRITING) &&
|
||||
- state->endtime > endtime)
|
||||
- endtime = state->endtime;
|
||||
+ if (state->addr.transport != UDP &&
|
||||
+ (state->state == READING || state->state == WRITING))
|
||||
+ return TRUE;
|
||||
}
|
||||
- return endtime;
|
||||
+ return FALSE;
|
||||
}
|
||||
|
||||
static krb5_boolean
|
||||
@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate,
|
||||
|
||||
e = 0;
|
||||
while (selstate->nfds > 0) {
|
||||
- endtime = get_endtime(interval_end, conns);
|
||||
+ endtime = any_tcp_connections(conns) ? 0 : interval_end;
|
||||
/* Don't wait longer than the whole request should last. */
|
||||
- if (timeout && endtime > timeout)
|
||||
+ if (timeout && (!endtime || endtime > timeout))
|
||||
endtime = timeout;
|
||||
e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
|
||||
if (e == EINTR)
|
||||
--
|
||||
2.45.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c5cdf6f71621569c6c389be720937ac97ace988f Mon Sep 17 00:00:00 2001
|
||||
From fa9dfdc9d85e88b6880edde5de45333b97a53a11 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Mon, 8 Jan 2024 16:52:27 +0100
|
||||
Subject: [PATCH] Remove klist's defname global variable
|
||||
@ -13,12 +13,14 @@ Convert "defname" to a local variable initialized at the beginning of
|
||||
show_ccache().
|
||||
|
||||
[ghudson@mit.edu: edited commit message]
|
||||
|
||||
(cherry picked from commit 5b00197227231943bd2305328c8260dd0b0dbcf0)
|
||||
---
|
||||
src/clients/klist/klist.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
|
||||
index 43392d2337..394c75b6b7 100644
|
||||
index b5ae96a843..b5808e5c93 100644
|
||||
--- a/src/clients/klist/klist.c
|
||||
+++ b/src/clients/klist/klist.c
|
||||
@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
|
||||
@ -65,5 +67,5 @@ index 43392d2337..394c75b6b7 100644
|
||||
krb5_error_code ret;
|
||||
krb5_ticket *tkt = NULL;
|
||||
--
|
||||
2.41.0
|
||||
2.45.1
|
||||
|
206
0022-Fix-two-unlikely-memory-leaks.patch
Normal file
206
0022-Fix-two-unlikely-memory-leaks.patch
Normal file
@ -0,0 +1,206 @@
|
||||
From 313d7b1afdcfca2bc0f6824cfeb25594c2eae176 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 5 Mar 2024 19:53:07 -0500
|
||||
Subject: [PATCH] Fix two unlikely memory leaks
|
||||
|
||||
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
|
||||
could probably never be triggered) leaks plain.data. Fix this leak
|
||||
and use current practices for cleanup throughout the function.
|
||||
|
||||
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
|
||||
store port_ptr into crp->port_ptr as soon as it is allocated;
|
||||
otherwise it could leak if the subsequent xdr_u_int32() operation
|
||||
fails.
|
||||
|
||||
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
|
||||
---
|
||||
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
|
||||
src/lib/rpc/pmap_rmt.c | 10 +++---
|
||||
2 files changed, 29 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
|
||||
index 1fcbdfbb87..d3210c1107 100644
|
||||
--- a/src/lib/gssapi/krb5/k5sealv3.c
|
||||
+++ b/src/lib/gssapi/krb5/k5sealv3.c
|
||||
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
int conf_req_flag, int toktype)
|
||||
{
|
||||
size_t bufsize = 16;
|
||||
- unsigned char *outbuf = 0;
|
||||
+ unsigned char *outbuf = NULL;
|
||||
krb5_error_code err;
|
||||
int key_usage;
|
||||
unsigned char acceptor_flag;
|
||||
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
size_t ec;
|
||||
unsigned short tok_id;
|
||||
- krb5_checksum sum;
|
||||
+ krb5_checksum sum = { 0 };
|
||||
krb5_key key;
|
||||
krb5_cksumtype cksumtype;
|
||||
+ krb5_data plain = empty_data();
|
||||
+
|
||||
+ token->value = NULL;
|
||||
+ token->length = 0;
|
||||
|
||||
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
|
||||
key_usage = (toktype == KG_TOK_WRAP_MSG
|
||||
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
|
||||
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
|
||||
- krb5_data plain;
|
||||
krb5_enc_data cipher;
|
||||
size_t ec_max;
|
||||
size_t encrypt_size;
|
||||
|
||||
/* 300: Adds some slop. */
|
||||
- if (SIZE_MAX - 300 < message->length)
|
||||
- return ENOMEM;
|
||||
+ if (SIZE_MAX - 300 < message->length) {
|
||||
+ err = ENOMEM;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
ec_max = SIZE_MAX - message->length - 300;
|
||||
if (ec_max > 0xffff)
|
||||
ec_max = 0xffff;
|
||||
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
err = alloc_data(&plain, message->length + 16 + ec);
|
||||
if (err)
|
||||
- return err;
|
||||
+ goto cleanup;
|
||||
|
||||
/* Get size of ciphertext. */
|
||||
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
|
||||
if (encrypt_size > SIZE_MAX / 2) {
|
||||
err = ENOMEM;
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
bufsize = 16 + encrypt_size;
|
||||
/* Allocate space for header plus encrypted data. */
|
||||
outbuf = gssalloc_malloc(bufsize);
|
||||
if (outbuf == NULL) {
|
||||
- free(plain.data);
|
||||
- return ENOMEM;
|
||||
+ err = ENOMEM;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
/* TOK_ID */
|
||||
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
cipher.ciphertext.length = bufsize - 16;
|
||||
cipher.enctype = key->keyblock.enctype;
|
||||
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
|
||||
- zap(plain.data, plain.length);
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
if (err)
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
|
||||
/* Now that we know we're returning a valid token.... */
|
||||
ctx->seq_send++;
|
||||
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
/* If the rotate fails, don't worry about it. */
|
||||
#endif
|
||||
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
|
||||
- krb5_data plain;
|
||||
size_t cksumsize;
|
||||
|
||||
/* Here, message is the application-supplied data; message2 is
|
||||
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
wrap_with_checksum:
|
||||
err = alloc_data(&plain, message->length + 16);
|
||||
if (err)
|
||||
- return err;
|
||||
+ goto cleanup;
|
||||
|
||||
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
|
||||
if (err)
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
|
||||
assert(cksumsize <= 0xffff);
|
||||
|
||||
bufsize = 16 + message2->length + cksumsize;
|
||||
outbuf = gssalloc_malloc(bufsize);
|
||||
if (outbuf == NULL) {
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
err = ENOMEM;
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
/* TOK_ID */
|
||||
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
if (message2->length)
|
||||
memcpy(outbuf + 16, message2->value, message2->length);
|
||||
|
||||
- sum.contents = outbuf + 16 + message2->length;
|
||||
- sum.length = cksumsize;
|
||||
-
|
||||
err = krb5_k_make_checksum(context, cksumtype, key,
|
||||
key_usage, &plain, &sum);
|
||||
- zap(plain.data, plain.length);
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
if (err) {
|
||||
zap(outbuf,bufsize);
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (sum.length != cksumsize)
|
||||
abort();
|
||||
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
|
||||
- krb5_free_checksum_contents(context, &sum);
|
||||
- sum.contents = 0;
|
||||
/* Now that we know we're actually generating the token... */
|
||||
ctx->seq_send++;
|
||||
|
||||
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
|
||||
token->value = outbuf;
|
||||
token->length = bufsize;
|
||||
- return 0;
|
||||
+ outbuf = NULL;
|
||||
+ err = 0;
|
||||
|
||||
-error:
|
||||
+cleanup:
|
||||
+ krb5_free_checksum_contents(context, &sum);
|
||||
+ zapfree(plain.data, plain.length);
|
||||
gssalloc_free(outbuf);
|
||||
- token->value = NULL;
|
||||
- token->length = 0;
|
||||
return err;
|
||||
}
|
||||
|
||||
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
|
||||
index 434e4eea65..f55ca46c60 100644
|
||||
--- a/src/lib/rpc/pmap_rmt.c
|
||||
+++ b/src/lib/rpc/pmap_rmt.c
|
||||
@@ -161,12 +161,12 @@ xdr_rmtcallres(
|
||||
caddr_t port_ptr;
|
||||
|
||||
port_ptr = (caddr_t)(void *)crp->port_ptr;
|
||||
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||
- (xdrproc_t)xdr_u_int32) &&
|
||||
- xdr_u_int32(xdrs, &crp->resultslen)) {
|
||||
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||
+ (xdrproc_t)xdr_u_int32))
|
||||
+ return (FALSE);
|
||||
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||
+ if (xdr_u_int32(xdrs, &crp->resultslen))
|
||||
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
|
||||
- }
|
||||
return (FALSE);
|
||||
}
|
||||
|
||||
--
|
||||
2.45.1
|
||||
|
32
krb5.spec
32
krb5.spec
@ -10,7 +10,7 @@
|
||||
#
|
||||
# baserelease is what we have standardized across Fedora and what
|
||||
# rpmdev-bumpspec knows how to handle.
|
||||
%global baserelease 7
|
||||
%global baserelease 1
|
||||
|
||||
# This should be e.g. beta1 or %%nil
|
||||
%global pre_release %nil
|
||||
@ -24,7 +24,7 @@
|
||||
%global krb5_version_major 1
|
||||
%global krb5_version_minor 21
|
||||
# For a release without a patch number set to %%nil
|
||||
%global krb5_version_patch 2
|
||||
%global krb5_version_patch 3
|
||||
|
||||
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
|
||||
%global krb5_version %{krb5_version_major_minor}
|
||||
@ -59,7 +59,7 @@ Source13: kadmind.logrotate
|
||||
Source14: krb5-krb5kdc.conf
|
||||
Source15: %{name}-tests
|
||||
|
||||
Patch0001: 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
|
||||
Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
|
||||
Patch0002: 0002-downstream-ksu-pam-integration.patch
|
||||
Patch0003: 0003-downstream-SELinux-integration.patch
|
||||
Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch
|
||||
@ -73,8 +73,14 @@ Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
|
||||
Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
|
||||
Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
|
||||
Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
|
||||
Patch0015: 0015-Replace-ssl.wrap_socket-for-tests.patch
|
||||
Patch0016: 0016-Fix-unimportant-memory-leaks.patch
|
||||
Patch0015: 0015-Eliminate-old-style-function-declarations.patch
|
||||
Patch0016: 0016-Replace-ssl.wrap_socket-for-tests.patch
|
||||
Patch0017: 0017-Fix-unimportant-memory-leaks.patch
|
||||
Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
|
||||
Patch0019: 0019-Add-request_timeout-configuration-parameter.patch
|
||||
Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connections.patch
|
||||
Patch0021: 0021-Remove-klist-s-defname-global-variable.patch
|
||||
Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
|
||||
|
||||
License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -711,6 +717,22 @@ exit 0
|
||||
%{_datarootdir}/%{name}-tests/%{_arch}
|
||||
|
||||
%changelog
|
||||
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-1
|
||||
- New upstream version (1.21.3)
|
||||
- CVE-2024-37370 CVE-2024-37371
|
||||
Fix vulnerabilities in GSS message token handling
|
||||
Resolves: RHEL-45387 RHEL-45378
|
||||
- Fix memory leak in GSSAPI interface
|
||||
Resolves: RHEL-47284
|
||||
- Fix memory leak in PMAP RPC interface
|
||||
Resolves: RHEL-47287
|
||||
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
|
||||
Resolves: RHEL-47285
|
||||
- Make TCP waiting time configurable
|
||||
Resolves: RHEL-47278
|
||||
- Do not include files with "~" termination in krb5-tests
|
||||
Resolves: RHEL-45995
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.21.2-7
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
|
||||
SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9
|
||||
SHA512 (krb5-1.21.3.tar.gz) = 87bc06607f4d95ff604169cea22180703a42d667af05f66f1569b8bd592670c42820b335e5c279e8b4f066d1e7da20f1948a1e4def7c5d295c170cbfc7f49c71
|
||||
SHA512 (krb5-1.21.3.tar.gz.asc) = 8992a5f5247315b9846aa73be4ee1ea223c0231a52d5c6c28718b1f3e3b45d62e2dad4aa5543a83163d1369bb79886b6c1c22766f22d8aa2f6b2575c54d0075c
|
||||
|
@ -27,6 +27,7 @@
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="krb5"
|
||||
@ -88,17 +89,11 @@ rlJournalStart
|
||||
if rlIsRHEL 6; then
|
||||
rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
|
||||
rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
|
||||
if [ "$krb5DomainName" ]; then
|
||||
rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
|
||||
fi
|
||||
rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
|
||||
else
|
||||
rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
|
||||
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
|
||||
if [ "$krb5DomainName" ]; then
|
||||
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
|
||||
else
|
||||
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n $krb5HostName = $krb5REALM1/\" $krb5conf"
|
||||
fi
|
||||
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
|
||||
fi
|
||||
rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
|
||||
# Configure the kadmin ACL
|
||||
@ -259,11 +254,7 @@ _EOF
|
||||
#The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
|
||||
#RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
|
||||
#https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
|
||||
if rlIsRHEL 9 || rlIsFedora '>=33';then
|
||||
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
|
||||
else
|
||||
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
|
||||
fi
|
||||
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
|
||||
rlAssertGrep "${kadmin_princ}" kadmind.log.record
|
||||
#rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
|
||||
echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
|
||||
|
Loading…
Reference in New Issue
Block a user