rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

krb5 1.21.3-1

Browse Source 
- New upstream version (1.21.3)
- CVE-2024-37370 CVE-2024-37371
  Fix vulnerabilities in GSS message token handling
  Resolves: RHEL-45387 RHEL-45378
- Fix memory leak in GSSAPI interface
  Resolves: RHEL-47284
- Fix memory leak in PMAP RPC interface
  Resolves: RHEL-47287
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
  Resolves: RHEL-47285
- Make TCP waiting time configurable
  Resolves: RHEL-47278
- Do not include files with "~" termination in krb5-tests
  Resolves: RHEL-45995

Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2024-07-12 11:45:37 +02:00
parent 2b58aeee72
commit 8c423dc9d5
26 changed files with 11506 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -206,3 +206,5 @@
/krb5-1.21.tar.gz.asc
/krb5-1.21.2.tar.gz
/krb5-1.21.2.tar.gz.asc
/krb5-1.21.3.tar.gz
/krb5-1.21.3.tar.gz.asc

9
0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch → 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
View File

@ -1,7 +1,8 @@
From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001
From 6f7fd964539dfe4a885068f43a91db9738661870 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 16 Aug 2023 10:00:30 +0200
Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes"
Date: Tue, 9 Jul 2024 11:15:33 +0200
Subject: [PATCH] [downstream] Revert "Don't issue session keys with
deprecated enctypes"
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
---
@ -305,5 +306,5 @@ index 8e5f5ba8e9..2a86c5cdfc 100644
'supported_enctypes': 'arcfour-hmac:normal',
'master_key_type': 'arcfour-hmac'}}}),
--
2.41.0
2.45.1

4
0002-downstream-ksu-pam-integration.patch
View File

@ -1,4 +1,4 @@
From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001
From de4205c45e310ceaaa7cd7958af7293322fa43a6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration
@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.41.0
2.45.1

8
0003-downstream-SELinux-integration.patch
View File

@ -1,4 +1,4 @@
From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001
From 30ff501e4b519396f5aea25e24919be817863e7c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration
@ -238,10 +238,10 @@ index 0000000000..dfaaa847cb
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 9c76780181..dd6430ece8 100644
index 4e09ed345d..09f800be52 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@@ -83,6 +83,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
+
+#endif /* USE_SELINUX */
--
2.41.0
2.45.1

4
0004-downstream-fix-debuginfo-with-y.tab.c.patch
View File

@ -1,4 +1,4 @@
From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001
From 393830d96000ed692aa9a99ef87187d6f2863931 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.41.0
2.45.1

26
0005-downstream-Remove-3des-support.patch
View File

@ -1,4 +1,4 @@
From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001
From 7d697742abb370cfc7241c1faa78ba08d7650f6a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support
@ -259,7 +259,7 @@ index 45fe160d7f..b4b1f3bd93 100644
CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py
index cd76f5999f..1e1cfce80c 100644
index ecf9020a72..db7fa377ef 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -281,7 +281,7 @@ else:
@ -326,10 +326,10 @@ index 69be9030f8..2561e917a2 100644
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index dd6430ece8..350bcf86f2 100644
index 09f800be52..c5a625db8f 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
@@ -422,8 +422,8 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */
@ -340,7 +340,7 @@ index dd6430ece8..350bcf86f2 100644
#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */
/* PKINIT */
#define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */
@@ -436,9 +436,9 @@ typedef struct _krb5_crypto_iov {
@@ -432,9 +432,9 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */
#define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */
#define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */
@ -352,7 +352,7 @@ index dd6430ece8..350bcf86f2 100644
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */
#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */
@@ -463,7 +463,7 @@ typedef struct _krb5_crypto_iov {
@@ -459,7 +459,7 @@ typedef struct _krb5_crypto_iov {
#define CKSUMTYPE_RSA_MD5 0x0007
#define CKSUMTYPE_RSA_MD5_DES 0x0008
#define CKSUMTYPE_NIST_SHA 0x0009
@ -5491,10 +5491,10 @@ index 9b183bc337..f0cc4a6809 100644
if (sealalg != 0xffff)
xfree(plain);
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 85a9574f36..3ce2a90ce9 100644
index 21b501731e..6a6585d9af 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -102,28 +102,21 @@ kg_unseal_v1_iov(krb5_context context,
@@ -103,28 +103,21 @@ kg_unseal_v1_iov(krb5_context context,
}
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
@ -5528,7 +5528,7 @@ index 85a9574f36..3ce2a90ce9 100644
/* get the token parameters */
code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
&seqnum);
@@ -181,16 +174,10 @@ kg_unseal_v1_iov(krb5_context context,
@@ -182,16 +175,10 @@ kg_unseal_v1_iov(krb5_context context,
/* initialize the checksum */
@ -5548,7 +5548,7 @@ index 85a9574f36..3ce2a90ce9 100644
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code != 0) {
@@ -209,18 +196,13 @@ kg_unseal_v1_iov(krb5_context context,
@@ -210,18 +197,13 @@ kg_unseal_v1_iov(krb5_context context,
goto cleanup;
}
@ -5917,10 +5917,10 @@ index 7494d7fcdb..2f95d89967 100755
# because the ticket session key and initiator subkey are
# non-permitted. (This is unfortunate if the acceptor's restriction
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 9876a11e67..fb8fe55111 100644
index 882e163634..8192935099 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -84,18 +84,6 @@ struct test {
@@ -94,18 +94,6 @@ struct test {
size_t toklen;
const char *token;
} tests[] = {
@ -6201,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
<td>The AES Advanced Encryption Standard
family, like 3DES, is a symmetric block cipher and was designed
--
2.41.0
2.45.1

4
0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
View File

@ -1,4 +1,4 @@
From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001
From 7b6453903c248a761d3ceb538dfacebbf3d3a9ff Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
vt->name = "spake";
vt->pa_type_list = pa_types;
--
2.41.0
2.45.1

7
0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
View File

@ -1,7 +1,8 @@
From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001
From 707fa7bd2be6327343dc8fc5c20dc77645524518 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 May 2022 17:15:12 +0200
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
@ -77,5 +78,5 @@ index 929f1cef67..063f17a613 100644
retval = ESOCKTNOSUPPORT;
goto error;
--
2.41.0
2.45.1

4
0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
View File

@ -1,4 +1,4 @@
From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001
From 1da88bea558348be2974470774aa688f8be634c0 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 7 Dec 2022 13:22:42 +0100
Subject: [PATCH] [downstream] Make tests compatible with
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
fail('URI answers do not match')
j += 1
--
2.41.0
2.45.1

4
0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
View File

@ -1,4 +1,4 @@
From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001
From 775ed8588cc21385fb16a4cec4a861f0d578ce04 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 Jan 2023 20:06:47 +0100
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
* The SPAKE kdcpreauth module uses a secure cookie containing the following
* concatenated fields (all integer fields are big-endian):
--
2.41.0
2.45.1

4
0010-downstream-Do-not-set-root-as-ksu-file-owner.patch
View File

@ -1,4 +1,4 @@
From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001
From 4fd20741afcf76085ea62eb015cd589bb9392a7b Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 9 Jan 2023 22:39:52 +0100
Subject: [PATCH] [downstream] Do not set root as ksu file owner
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
## ${prefix}.
prefix=@prefix@
--
2.41.0
2.45.1

4
0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
View File

@ -1,4 +1,4 @@
From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001
From 16f90c007036789d8d9343e8a0cbabfd21853b5a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 19 Jan 2023 19:22:27 +0100
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
ret = KRB5_CRYPTO_INTERNAL;
goto done;
--
2.41.0
2.45.1

13
0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
View File

@ -1,7 +1,8 @@
From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001
From 23b58199db429603802e338db530677b61561335 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 15 Mar 2023 15:56:34 +0100
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as
optional
MS-PAC states that "The ticket signature SHOULD be included in tickets
that are not encrypted to the krbtgt account". However, the
@ -73,10 +74,10 @@ index 745b24f351..6075349e5e 100644
#if !defined(_WIN32)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 350bcf86f2..17e1b52266 100644
index c5a625db8f..2d9b64dc85 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
@@ -8329,6 +8329,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
const krb5_keyblock *server,
const krb5_keyblock *privsvr, krb5_pac *pac_out);
@ -258,7 +259,7 @@ index 4c50e935a2..d4b0455c8c 100644
krb5_kt_client_default
krb5_kt_close
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 461207021b..e8d78309cb 100644
index 8413e70ccd..f68eb0569d 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
@ -275,5 +276,5 @@ index 461207021b..e8d78309cb 100644
.sp
This command requires the \fBmodify\fP privilege.
--
2.41.0
2.45.1

10
0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
View File

@ -1,8 +1,8 @@
From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001
From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 23 May 2023 12:19:54 +0200
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
available in FIPS mode
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature
verification available in FIPS mode
We recommend using the SHA1 crypto-module in order to allow the
verification of SHA-1 signature for CMS messages. However, this module
@ -20,7 +20,7 @@ curve cryptography is implemented for PKINIT in MIT krb5.
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f41328763e..263ef7845e 100644
index cb9c79626c..17dd18e37d 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
@ -43,5 +43,5 @@ index f41328763e..263ef7845e 100644
goto cleanup;
}
--
2.41.0
2.45.1

10
0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
View File

@ -1,4 +1,4 @@
From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001
From c24c9faf859ddc04910a6bc591d8ddb2ada93e80 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 30 May 2023 01:21:48 -0400
Subject: [PATCH] Enable PKINIT if at least one group is available
@ -52,7 +52,7 @@ index 9fa315d7a0..8bdbea8e95 100644
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 263ef7845e..d646073d55 100644
index 17dd18e37d..8cdc40bfb4 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -47,7 +47,8 @@
@ -139,7 +139,7 @@ index 263ef7845e..d646073d55 100644
}
static void
@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
@@ -2912,11 +2920,11 @@ client_create_dh(krb5_context context,
if (cryptoctx->received_params != NULL)
params = cryptoctx->received_params;
@ -154,7 +154,7 @@ index 263ef7845e..d646073d55 100644
params = plg_cryptoctx->dh_4096;
else
goto cleanup;
@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
@@ -3212,19 +3220,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
krb5_algorithm_identifier *alglist[4];
@ -214,5 +214,5 @@ index 259e95c6c2..5ee39c085c 100644
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
--
2.41.0
2.45.1

10685
0015-Eliminate-old-style-function-declarations.patch Normal file
View File

File diff suppressed because it is too large Load Diff

4
0015-Replace-ssl.wrap_socket-for-tests.patch → 0016-Replace-ssl.wrap_socket-for-tests.patch
View File

@ -1,4 +1,4 @@
From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001
From abb95e961f4e6a5482220a64fba843a3adc171df Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 19 Jul 2023 13:43:17 +0200
Subject: [PATCH] Replace ssl.wrap_socket() for tests
@ -60,5 +60,5 @@ index 58759696b6..d1d10d733c 100755
os.write(sys.stdout.fileno(), b'proxy server ready\n')
server.serve_forever()
--
2.41.0
2.45.1

254
0016-Fix-unimportant-memory-leaks.patch → 0017-Fix-unimportant-memory-leaks.patch
View File

@ -1,4 +1,4 @@
From f0414954d79283075d1f627dbb9fe6e4f43c1aae Mon Sep 17 00:00:00 2001
From 0628ab09deb09b98c171316c0b9718914e18e9f4 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 13 Jul 2023 16:22:30 -0400
Subject: [PATCH] Fix unimportant memory leaks
@ -16,10 +16,10 @@ some unused ksu functions; rewrote commit message]
src/appl/gss-sample/gss-client.c | 367 ++++++++----------
src/appl/gss-sample/gss-server.c | 3 +-
src/clients/klist/klist.c | 59 +--
src/clients/ksu/authorization.c | 140 +++----
src/clients/ksu/ccache.c | 289 +++++---------
src/clients/ksu/authorization.c | 134 +++----
src/clients/ksu/ccache.c | 283 +++++---------
src/clients/ksu/heuristic.c | 128 +++---
src/clients/ksu/krb_auth_su.c | 137 ++-----
src/clients/ksu/krb_auth_su.c | 134 ++-----
src/clients/ksu/ksu.h | 6 -
src/clients/ksu/main.c | 3 +-
src/kadmin/cli/keytab.c | 6 +-
@ -32,10 +32,10 @@ some unused ksu functions; rewrote commit message]
src/lib/krb5/ccache/ccfns.c | 12 +-
src/lib/krb5/keytab/kt_file.c | 3 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 8 +-
19 files changed, 520 insertions(+), 684 deletions(-)
19 files changed, 517 insertions(+), 672 deletions(-)
diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
index 6e2aa33690..cf94623d63 100644
index 0722ae196f..2cfcfc6cc5 100644
--- a/src/appl/gss-sample/gss-client.c
+++ b/src/appl/gss-sample/gss-client.c
@@ -182,180 +182,148 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags,
@ -345,7 +345,7 @@ index 6e2aa33690..cf94623d63 100644
}
static void
@@ -449,11 +417,11 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -436,11 +404,11 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
{
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_buffer_desc in_buf, out_buf;
@ -360,7 +360,7 @@ index 6e2aa33690..cf94623d63 100644
OM_uint32 lifetime;
gss_OID mechanism, name_type;
int is_local;
@@ -467,14 +435,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -454,14 +422,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
/* Open connection */
if ((s = connect_to_server(host, port)) < 0)
@ -377,7 +377,7 @@ index 6e2aa33690..cf94623d63 100644
}
if (auth_flag && verbose) {
@@ -488,19 +455,19 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -475,19 +442,19 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&is_local, &is_open);
if (maj_stat != GSS_S_COMPLETE) {
display_status("inquiring context", maj_stat, min_stat);
@ -400,7 +400,7 @@ index 6e2aa33690..cf94623d63 100644
}
printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
(int) sname.length, (char *) sname.value,
@@ -509,15 +476,10 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -496,15 +463,10 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
(is_local) ? "locally initiated" : "remotely initiated",
(is_open) ? "open" : "closed");
@ -417,7 +417,7 @@ index 6e2aa33690..cf94623d63 100644
}
printf("Name type of source name is %.*s.\n",
(int) oid_name.length, (char *) oid_name.value);
@@ -528,13 +490,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -515,13 +477,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
mechanism, &mech_names);
if (maj_stat != GSS_S_COMPLETE) {
display_status("inquiring mech names", maj_stat, min_stat);
@ -433,7 +433,7 @@ index 6e2aa33690..cf94623d63 100644
}
printf("Mechanism %.*s supports %d names\n",
(int) oid_name.length, (char *) oid_name.value,
@@ -546,7 +508,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -533,7 +495,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&mech_names->elements[i], &oid_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("converting oid->string", maj_stat, min_stat);
@ -442,7 +442,7 @@ index 6e2aa33690..cf94623d63 100644
}
printf(" %d: %.*s\n", (int) i,
(int) oid_name.length, (char *) oid_name.value);
@@ -571,10 +533,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -558,10 +520,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&in_buf, &state, &out_buf);
if (maj_stat != GSS_S_COMPLETE) {
display_status("wrapping message", maj_stat, min_stat);
@ -454,7 +454,7 @@ index 6e2aa33690..cf94623d63 100644
} else if (encrypt_flag && !state) {
fprintf(stderr, "Warning! Message not encrypted.\n");
}
@@ -588,22 +547,15 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -575,22 +534,15 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
(wrap_flag ? TOKEN_WRAPPED : 0) |
(encrypt_flag ? TOKEN_ENCRYPTED : 0) |
(mic_flag ? TOKEN_SEND_MIC : 0))),
@ -482,7 +482,7 @@ index 6e2aa33690..cf94623d63 100644
if (mic_flag) {
/* Verify signature block */
@@ -611,10 +563,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -598,10 +550,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&out_buf, &qop_state);
if (maj_stat != GSS_S_COMPLETE) {
display_status("verifying signature", maj_stat, min_stat);
@ -494,7 +494,7 @@ index 6e2aa33690..cf94623d63 100644
}
if (verbose)
@@ -634,23 +583,17 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
@@ -621,23 +570,17 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
if (!v1_format)
(void) send_token(s, TOKEN_NOOP, empty_token);
@ -529,7 +529,7 @@ index 6e2aa33690..cf94623d63 100644
static void
diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
index 9b6ce9ffb3..ce25df8b40 100644
index 0e9c857e56..4ba864d9fb 100644
--- a/src/appl/gss-sample/gss-server.c
+++ b/src/appl/gss-sample/gss-server.c
@@ -138,13 +138,12 @@ server_acquire_creds(char *service_name, gss_OID mech,
@ -548,7 +548,7 @@ index 9b6ce9ffb3..ce25df8b40 100644
}
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index dcdc5a2d59..43392d2337 100644
index c797b1698f..b5ae96a843 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -469,20 +469,21 @@ do_ccache()
@ -667,7 +667,7 @@ index dcdc5a2d59..43392d2337 100644
* current. Otherwise accept any current cred. */
if (found_tgt)
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index fb9d5d0942..6c6a2d007e 100644
index 17a8a8f2f0..1f2650c2ab 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -28,7 +28,17 @@
@ -687,9 +687,9 @@ index fb9d5d0942..6c6a2d007e 100644
+ free(list);
+}
krb5_boolean fowner(fp, uid)
FILE *fp;
@@ -53,10 +63,10 @@ krb5_boolean fowner(fp, uid)
krb5_boolean
fowner(FILE *fp, uid_t uid)
@@ -52,10 +62,10 @@ fowner(FILE *fp, uid_t uid)
/*
* Given a Kerberos principal "principal", and a local username "luser",
@ -703,9 +703,9 @@ index fb9d5d0942..6c6a2d007e 100644
+ * (regardless of its result), non-zero if it encountered an error.
*/
krb5_error_code krb5_authorization(context, principal, luser,
@@ -71,7 +81,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
char **out_fcmd;
krb5_error_code
@@ -64,7 +74,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
char **out_fcmd)
{
struct passwd *pwd;
- char *princname;
@ -713,7 +713,7 @@ index fb9d5d0942..6c6a2d007e 100644
int k5login_flag =0;
int k5users_flag =0;
krb5_boolean retbool =FALSE;
@@ -83,7 +93,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
@@ -76,7 +86,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
/* no account => no access */
if ((pwd = getpwnam(luser)) == NULL)
@ -722,7 +722,7 @@ index fb9d5d0942..6c6a2d007e 100644
retval = krb5_unparse_name(context, principal, &princname);
if (retval)
@@ -100,22 +110,19 @@ krb5_error_code krb5_authorization(context, principal, luser,
@@ -93,22 +103,19 @@ krb5_authorization(krb5_context context, krb5_principal principal,
/* k5login and k5users must be owned by target user or root */
if (!k5login_flag){
@ -755,7 +755,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
if (auth_debug){
@@ -134,10 +141,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
@@ -127,10 +134,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
princname);
retval = k5login_lookup(login_fp, princname, &retbool);
@ -768,7 +768,7 @@ index fb9d5d0942..6c6a2d007e 100644
if (retbool) {
if (cmd)
*out_fcmd = xstrdup(cmd);
@@ -147,10 +152,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
@@ -140,10 +145,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
if ((!k5users_flag) && (retbool == FALSE) ){
retval = k5users_lookup (users_fp, princname,
cmd, &retbool, out_fcmd);
@ -781,7 +781,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
if (k5login_flag && k5users_flag){
@@ -166,8 +169,14 @@ krb5_error_code krb5_authorization(context, principal, luser,
@@ -159,8 +162,14 @@ krb5_authorization(krb5_context context, krb5_principal principal,
}
*ok =retbool;
@ -798,8 +798,8 @@ index fb9d5d0942..6c6a2d007e 100644
}
/***********************************************************
@@ -334,10 +343,11 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
char **out_err;
@@ -320,10 +329,11 @@ krb5_boolean
fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
{
char * err;
- char ** tmp_fcmd;
@ -811,7 +811,7 @@ index fb9d5d0942..6c6a2d007e 100644
tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *));
@@ -345,7 +355,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -331,7 +341,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
tmp_fcmd[0] = xstrdup(fcmd);
tmp_fcmd[1] = NULL;
*out_fcmd = tmp_fcmd;
@ -820,7 +820,7 @@ index fb9d5d0942..6c6a2d007e 100644
}else{
/* must be either full path or just the cmd name */
if (strchr(fcmd, '/')){
@@ -353,7 +363,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -339,7 +349,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
"either full path or just the cmd name\n"),
fcmd, KRB5_USERS_NAME);
*out_err = err;
@ -829,7 +829,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
#ifndef CMD_PATH
@@ -361,7 +371,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -347,7 +357,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
"the cmd name, CMD_PATH must be defined \n"),
fcmd, KRB5_USERS_NAME, fcmd);
*out_err = err;
@ -838,7 +838,7 @@ index fb9d5d0942..6c6a2d007e 100644
#else
path = xstrdup (CMD_PATH);
@@ -375,7 +385,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -361,7 +371,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
asprintf(&err, _("Error: bad entry - %s in %s file, CMD_PATH "
"contains no paths \n"), fcmd, KRB5_USERS_NAME);
*out_err = err;
@ -847,7 +847,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
i=0;
@@ -384,7 +394,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -370,7 +380,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
asprintf(&err, _("Error: bad path %s in CMD_PATH for %s must "
"start with '/' \n"), tc, KRB5_USERS_NAME );
*out_err = err;
@ -856,7 +856,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd);
@@ -395,10 +405,15 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
@@ -381,10 +391,15 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
tmp_fcmd[i] = NULL;
*out_fcmd = tmp_fcmd;
@ -874,9 +874,9 @@ index fb9d5d0942..6c6a2d007e 100644
}
/********************************************
@@ -524,41 +539,42 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out)
char **cmd_out;
char **err_out;
@@ -503,41 +518,42 @@ int
match_commands(char *fcmd, char *cmd, krb5_boolean *match,
char **cmd_out, char **err_out)
{
- char ** fcmd_arr;
+ char ** fcmd_arr = NULL;
@ -930,7 +930,7 @@ index fb9d5d0942..6c6a2d007e 100644
}
/*********************************************************
@@ -587,10 +603,7 @@ krb5_error_code get_line (fp, out_line)
@@ -563,10 +579,7 @@ get_line(FILE *fp, char **out_line)
}
else {
chunk_count ++;
@ -942,14 +942,12 @@ index fb9d5d0942..6c6a2d007e 100644
line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
}
@@ -677,21 +690,8 @@ char * get_next_token (lnext)
@@ -652,17 +665,6 @@ get_next_token (char **lnext)
return out_ptr;
}
-static void auth_cleanup(users_fp, login_fp, princname)
- FILE *users_fp;
- FILE *login_fp;
- char *princname;
-static void
-auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname)
-{
-
- free (princname);
@ -959,22 +957,17 @@ index fb9d5d0942..6c6a2d007e 100644
- fclose(login_fp);
-}
-
-void init_auth_names(pw_dir)
- char *pw_dir;
+void
+init_auth_names(char *pw_dir)
void
init_auth_names(char *pw_dir)
{
const char *sep;
int r1, r2;
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index cbb9aa2b85..45667dd24a 100644
index cca9ce2dfc..76cb1d6aa4 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -40,7 +40,19 @@ copies the default cache into the secondary cache,
@@ -40,6 +40,18 @@ copies the default cache into the secondary cache,
************************************************************************/
-void show_credential();
+static void
+free_creds_list(krb5_context context, krb5_creds **list)
+{
@ -987,13 +980,12 @@ index cbb9aa2b85..45667dd24a 100644
+ free(list);
+}
+
+void show_credential(krb5_context, krb5_creds *, krb5_ccache);
void show_credential(krb5_context, krb5_creds *, krb5_ccache);
/* modifies only the cc_other, the algorithm may look a bit funny,
but I had to do it this way, since remove function did not come
@@ -59,20 +71,19 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
/* OUT */
krb5_boolean *stored;
@@ -53,20 +65,19 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
krb5_boolean restrict_creds, krb5_principal primary_principal,
krb5_boolean *stored)
{
- int i=0;
krb5_error_code retval=0;
@ -1016,7 +1008,7 @@ index cbb9aa2b85..45667dd24a 100644
if (restrict_creds) {
retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
@@ -85,22 +96,9 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
@@ -79,22 +90,9 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
cc_other_creds_arr);
}
@ -1042,7 +1034,7 @@ index cbb9aa2b85..45667dd24a 100644
return retval;
}
@@ -198,32 +196,29 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
@@ -184,32 +182,29 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
{
krb5_creds creds, temp_tktq, temp_tkt;
@ -1082,7 +1074,7 @@ index cbb9aa2b85..45667dd24a 100644
}
if (auth_debug){
fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n");
@@ -233,19 +228,19 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
@@ -219,19 +214,19 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
}
}
else { /* these credentials didn't expire */
@ -1111,7 +1103,7 @@ index cbb9aa2b85..45667dd24a 100644
}
}
@@ -253,13 +248,15 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
@@ -239,13 +234,15 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
temp_creds[count] = NULL;
*creds_array = temp_creds;
@ -1127,16 +1119,14 @@ index cbb9aa2b85..45667dd24a 100644
-
}
@@ -331,97 +328,6 @@ void printtime(krb5_timestamp ts)
krb5_error_code
@@ -315,122 +312,33 @@ printtime(krb5_timestamp ts)
printf("%s", fmtbuf);
}
-
-krb5_error_code
-krb5_get_login_princ(luser, princ_list)
- const char *luser;
- char ***princ_list;
-krb5_get_login_princ(const char *luser, char ***princ_list)
-{
- struct stat sbuf;
- struct passwd *pwd;
@ -1220,14 +1210,9 @@ index cbb9aa2b85..45667dd24a 100644
- fclose(fp);
- return 0;
-}
-
-
-
void
show_credential(context, cred, cc)
krb5_context context;
@@ -429,31 +335,29 @@ show_credential(context, cred, cc)
krb5_ccache cc;
show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
{
krb5_error_code retval;
- char *name, *sname, *flags;
@ -1264,7 +1249,7 @@ index cbb9aa2b85..45667dd24a 100644
}
if (!cred->times.starttime)
@@ -491,8 +395,12 @@ show_credential(context, cred, cc)
@@ -468,8 +376,12 @@ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
}
}
putchar('\n');
@ -1277,8 +1262,8 @@ index cbb9aa2b85..45667dd24a 100644
}
/* Create a random string suitable for a filename extension. */
@@ -526,37 +434,26 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
krb5_principal primary_principal;
@@ -501,37 +413,26 @@ krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct,
krb5_principal primary_principal)
{
krb5_error_code retval=0;
- krb5_principal temp_principal;
@ -1327,8 +1312,8 @@ index cbb9aa2b85..45667dd24a 100644
return retval;
}
@@ -616,45 +513,40 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
krb5_principal prst;
@@ -585,45 +486,40 @@ krb5_error_code
krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst)
{
- int i=0;
@ -1395,10 +1380,10 @@ index cbb9aa2b85..45667dd24a 100644
+ return retval;
}
krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ)
@@ -688,17 +580,20 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
krb5_principal princ;
krb5_boolean *found;
krb5_boolean
@@ -654,17 +550,20 @@ krb5_error_code
krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc,
krb5_principal princ, krb5_boolean *found)
{
- krb5_error_code retval;
+ krb5_error_code retval = 0;
@ -1423,10 +1408,10 @@ index cbb9aa2b85..45667dd24a 100644
krb5_boolean
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 4f7280f4cb..47baa785e5 100644
index e906de8ef0..6ed94eb887 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -156,28 +156,31 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
@@ -149,28 +149,31 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
*k5users_filt_list = NULL;
@ -1464,7 +1449,7 @@ index 4f7280f4cb..47baa785e5 100644
for(j= 0, k=0; j < i; j++ ) {
if (k5users_list[j]){
@@ -191,7 +194,10 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
@@ -184,7 +187,10 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
free (k5users_list);
*k5users_filt_list = temp_filt_list;
@ -1476,7 +1461,7 @@ index 4f7280f4cb..47baa785e5 100644
}
krb5_error_code
@@ -335,7 +341,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
@@ -318,7 +324,7 @@ get_closest_principal(krb5_context context, char **plist,
retval = krb5_parse_name(context, plist[i], &temp_client);
if (retval)
@ -1485,7 +1470,7 @@ index 4f7280f4cb..47baa785e5 100644
pnelem = krb5_princ_size(context, temp_client);
@@ -363,6 +369,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
@@ -346,6 +352,7 @@ get_closest_principal(krb5_context context, char **plist,
if(best_client){
if(krb5_princ_size(context, best_client) >
krb5_princ_size(context, temp_client)){
@ -1493,7 +1478,7 @@ index 4f7280f4cb..47baa785e5 100644
best_client = temp_client;
}
}else
@@ -375,9 +382,12 @@ krb5_error_code get_closest_principal(context, plist, client, found)
@@ -358,9 +365,12 @@ get_closest_principal(krb5_context context, char **plist,
if (best_client) {
*found = TRUE;
*client = best_client;
@ -1507,7 +1492,7 @@ index 4f7280f4cb..47baa785e5 100644
}
/****************************************************************
@@ -499,6 +509,7 @@ krb5_error_code find_princ_in_list (context, princ, plist, found)
@@ -471,6 +481,7 @@ find_princ_in_list(krb5_context context, krb5_principal princ, char **plist,
i++;
}
@ -1515,7 +1500,7 @@ index 4f7280f4cb..47baa785e5 100644
return 0;
}
@@ -534,11 +545,9 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -498,11 +509,9 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
{
princ_info princ_trials[10];
@ -1530,7 +1515,7 @@ index 4f7280f4cb..47baa785e5 100644
krb5_error_code retval;
char ** aplist =NULL;
krb5_boolean found = FALSE;
@@ -555,54 +564,59 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -519,54 +528,59 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
if (ks_ccache_is_initialized(context, cc_source)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
@ -1609,7 +1594,7 @@ index 4f7280f4cb..47baa785e5 100644
if (cmd)
*path_out = NOT_AUTHORIZED;
@@ -610,26 +624,25 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -574,26 +588,25 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
if (auth_debug)
printf(" GET_best_princ_for_target: via no auth files path\n");
@ -1640,7 +1625,7 @@ index 4f7280f4cb..47baa785e5 100644
/* first see if default principal of the source cache
* can get us in, then the target_user@realm, then the
@@ -652,7 +665,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -616,7 +629,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval= find_princ_in_list(context, princ_trials[i].p, aplist,
&found);
if (retval)
@ -1649,7 +1634,7 @@ index 4f7280f4cb..47baa785e5 100644
if (found == TRUE){
princ_trials[i].found = TRUE;
@@ -661,12 +674,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -625,12 +638,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
princ_trials[i].p,
end_server, &found);
if (retval)
@ -1666,7 +1651,7 @@ index 4f7280f4cb..47baa785e5 100644
}
}
}
@@ -679,21 +693,23 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -643,21 +657,23 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
while (aplist[i]){
retval = krb5_parse_name(context, aplist[i], &temp_client);
if (retval)
@ -1693,7 +1678,7 @@ index 4f7280f4cb..47baa785e5 100644
i++;
}
@@ -704,11 +720,11 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -668,11 +684,11 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
for (i=0; i < count; i ++){
if (princ_trials[i].found == TRUE){
@ -1707,7 +1692,7 @@ index 4f7280f4cb..47baa785e5 100644
}
}
@@ -718,7 +734,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -682,7 +698,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval=krb5_copy_principal(context, princ_trials[i].p,
&temp_client);
if(retval)
@ -1716,7 +1701,7 @@ index 4f7280f4cb..47baa785e5 100644
/* get the client name that is the closest
to the three princ in trials */
@@ -726,15 +742,15 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -690,15 +706,15 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval=get_closest_principal(context, aplist, &temp_client,
&found);
if(retval)
@ -1735,7 +1720,7 @@ index 4f7280f4cb..47baa785e5 100644
}
}
@@ -745,5 +761,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
@@ -709,5 +725,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
*path_out = NOT_AUTHORIZED;
@ -1751,12 +1736,12 @@ index 4f7280f4cb..47baa785e5 100644
+ return retval;
}
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index fb848dcab1..a99c4c826c 100644
index db10251f95..68cfe6b0ed 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -42,33 +42,31 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
krb5_ccache cc;
int *path_passwd;
@@ -37,33 +37,31 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
char *target_user, krb5_ccache cc, int *path_passwd,
uid_t target_uid)
{
- krb5_principal client;
+ krb5_principal client = NULL;
@ -1794,7 +1779,7 @@ index fb848dcab1..a99c4c826c 100644
}
if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
@@ -82,7 +80,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
@@ -77,7 +75,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
if ((retval != KRB5_CC_NOTFOUND) &&
(retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
com_err(prog_name, retval, _("while retrieving creds from cache"));
@ -1803,7 +1788,7 @@ index fb848dcab1..a99c4c826c 100644
}
} else{
got_it = 1;
@@ -93,7 +91,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
@@ -88,7 +86,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
#ifdef GET_TGT_VIA_PASSWD
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
com_err("ksu", errno, _("while switching to target uid"));
@ -1812,7 +1797,7 @@ index fb848dcab1..a99c4c826c 100644
}
@@ -107,19 +105,19 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
@@ -102,19 +100,19 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
&tgt) == FALSE) {
krb5_seteuid(0);
@ -1835,7 +1820,7 @@ index fb848dcab1..a99c4c826c 100644
#endif /* GET_TGT_VIA_PASSWD */
@@ -131,10 +129,16 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
@@ -126,10 +124,16 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
&vfy_opts);
if (retval) {
com_err(prog_name, retval, _("while verifying ticket for server"));
@ -1853,10 +1838,10 @@ index fb848dcab1..a99c4c826c 100644
+ return ok;
}
krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
@@ -145,11 +149,12 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
krb5_boolean *zero_password;
krb5_creds *creds_out;
krb5_boolean
@@ -137,11 +141,12 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
krb5_get_init_creds_opt *options,
krb5_boolean *zero_password, krb5_creds *creds_out)
{
+ krb5_boolean ok = FALSE;
krb5_error_code code;
@ -1869,7 +1854,7 @@ index fb848dcab1..a99c4c826c 100644
int result;
*zero_password = FALSE;
@@ -158,14 +163,14 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
@@ -150,14 +155,14 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
if ((code = krb5_unparse_name(context, client, &client_name))) {
com_err (prog_name, code, _("when unparsing name"));
@ -1886,7 +1871,7 @@ index fb848dcab1..a99c4c826c 100644
}
result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "),
@@ -174,7 +179,7 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
@@ -166,7 +171,7 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
fprintf(stderr,
_("principal name %s too long for internal buffer space\n"),
client_name);
@ -1895,7 +1880,7 @@ index fb848dcab1..a99c4c826c 100644
}
pwsize = sizeof(password);
@@ -183,13 +188,13 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
@@ -175,13 +180,13 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
if (code ) {
com_err(prog_name, code, _("while reading password for '%s'\n"),
client_name);
@ -1911,7 +1896,7 @@ index fb848dcab1..a99c4c826c 100644
}
code = krb5_get_init_creds_password(context, &creds, client, password,
@@ -203,13 +208,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
@@ -195,13 +200,19 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
fprintf(stderr, _("%s: Password incorrect\n"), prog_name);
else
com_err(prog_name, code, _("while getting initial credentials"));
@ -1935,8 +1920,8 @@ index fb848dcab1..a99c4c826c 100644
+ return ok;
}
@@ -224,8 +235,10 @@ void dump_principal (context, str, p)
void
@@ -213,8 +224,10 @@ dump_principal(krb5_context context, char *str, krb5_principal p)
if ((retval = krb5_unparse_name(context, p, &stname))) {
fprintf(stderr, _(" %s while unparsing name\n"),
error_message(retval));
@ -1946,8 +1931,8 @@ index fb848dcab1..a99c4c826c 100644
+ free(stname);
}
void plain_dump_principal (context, p)
@@ -238,74 +251,8 @@ void plain_dump_principal (context, p)
void
@@ -226,71 +239,8 @@ plain_dump_principal (krb5_context context, krb5_principal p)
if ((retval = krb5_unparse_name(context, p, &stname))) {
fprintf(stderr, _(" %s while unparsing name\n"),
error_message(retval));
@ -1965,11 +1950,8 @@ index fb848dcab1..a99c4c826c 100644
-
-**********************************************************************/
-
-
-krb5_error_code get_best_principal(context, plist, client)
- krb5_context context;
- char **plist;
- krb5_principal *client;
-krb5_error_code
-get_best_principal(krb5_context context, char **plist, krb5_principal *client)
-{
- krb5_error_code retval =0;
- krb5_principal temp_client, best_client = NULL;
@ -2049,10 +2031,10 @@ index 66fb4bcc6a..32ce11cb85 100644
(krb5_context, krb5_creds *, krb5_ccache);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 931f054041..a7cb7ed3be 100644
index 2a351662c8..77703a6a2b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -1003,7 +1003,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
@@ -1002,7 +1002,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
if (retval) {
com_err(prog_name, retval,
_("while generating part of the target ccache name"));
@ -2061,7 +2043,7 @@ index 931f054041..a7cb7ed3be 100644
}
if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
retval = ENOMEM;
@@ -1015,6 +1015,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
@@ -1014,6 +1014,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
free(sym);
} while (ks_ccache_name_is_initialized(context, ccname));
retval = krb5_cc_resolve(context, ccname, &ccache);
@ -2070,7 +2052,7 @@ index 931f054041..a7cb7ed3be 100644
/* Look for a cache in the collection that we can reuse. */
retval = krb5_cc_cache_match(context, princ, &ccache);
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index b0c8378b40..8a59188216 100644
index 26f340af31..976c8969e8 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -363,7 +363,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
@ -2108,10 +2090,10 @@ index b0c8378b40..8a59188216 100644
}
diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
index 92d7023a4f..782c7289c5 100644
index 87a69ca145..a1c17d154d 100644
--- a/src/kadmin/ktutil/ktutil.c
+++ b/src/kadmin/ktutil/ktutil.c
@@ -263,6 +263,7 @@ void ktutil_list(argc, argv)
@@ -254,6 +254,7 @@ ktutil_list(int argc, char *argv[])
buf, sizeof(buf)))) {
com_err(argv[0], retval,
_("While converting enctype to string"));
@ -2120,7 +2102,7 @@ index 92d7023a4f..782c7289c5 100644
}
printf(" (%s) ", buf);
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index cb9785aaeb..286b3a655e 100644
index f883ae2df8..9a4826e441 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -1300,19 +1300,20 @@ static krb5_boolean
@ -2187,7 +2169,7 @@ index 96a408c237..bf5cede54a 100644
if (json_kgcred(context, cred, &jcred))
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index cb1cb9393a..87a46cd533 100644
index 83e7634106..d4b070f8c0 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -35,6 +35,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
@ -2330,5 +2312,5 @@ index 753929b06d..f7fad27867 100644
}
}
--
2.41.0
2.45.1

34
0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch Normal file
View File

@ -0,0 +1,34 @@
From 6e898b880a0c752f83decf33d64a7d8706e6d6f8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Oct 2023 00:44:53 -0400
Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
In sendto_kdc.c:service_fds(), if a message handler indicates that a
message should be discarded, kill the connection so we don't continue
waiting on it for more data.
ticket: 7899
(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
---
src/lib/krb5/os/sendto_kdc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 0f4bf23a95..262edf09b4 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
if (msg_handler != NULL) {
krb5_data reply = make_data(state->in.buf, state->in.pos);
- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
+ if (!msg_handler(context, &reply, msg_handler_data)) {
+ kill_conn(context, state, selstate);
+ stop = 0;
+ }
}
if (stop) {
--
2.45.1

226
0019-Add-request_timeout-configuration-parameter.patch Normal file
View File

@ -0,0 +1,226 @@
From fa711b7cb3b7cbb234bd202bc9d9b9d7ca4defad Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 14:20:34 -0400
Subject: [PATCH] Add request_timeout configuration parameter
Add a parameter to limit the total amount of time taken for a KDC or
password change request.
ticket: 9106 (new)
(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be)
---
doc/admin/conf_files/krb5_conf.rst | 9 ++++++
src/include/k5-int.h | 2 ++
src/lib/krb5/krb/init_ctx.c | 14 +++++++-
src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++----------
4 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index a33711d918..65fb592d98 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations:
(:ref:`duration` string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
+**request_timeout**
+ (:ref:`duration` string.) Sets the maximum total time for KDC or
+ password change requests. This timeout does not affect the
+ intervals between requests, so setting a low timeout may result in
+ fewer requests being attempted and/or some servers not being
+ contacted. A value of 0 indicates no specific maximum, in which
+ case requests will time out if no server responds after several
+ tries. The default value is 0. (New in release 1.22.)
+
**spake_preauth_groups**
A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index b3e07945c1..69d6a6f569 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -296,6 +296,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
#define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups"
+#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout"
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
#define KRB5_CONF_UNLOCKITER "unlockiter"
@@ -1200,6 +1201,7 @@ struct _krb5_context {
kdb5_dal_handle *dal_handle;
/* allowable clock skew */
krb5_deltat clockskew;
+ krb5_deltat req_timeout;
krb5_flags kdc_default_options;
krb5_flags library_options;
krb5_boolean profile_secure;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 2b5abcd817..582a2945ff 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
krb5_context ctx = 0;
krb5_error_code retval;
int tmp;
- char *plugin_dir = NULL;
+ char *plugin_dir = NULL, *timeout_str = NULL;
/* Verify some assumptions. If the assumptions hold and the
compiler is optimizing, this should result in no code being
@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
ctx->clockskew = tmp;
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL,
+ &timeout_str);
+ if (retval)
+ goto cleanup;
+ if (timeout_str != NULL) {
+ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout);
+ if (retval)
+ goto cleanup;
+ }
+
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
&tmp);
ctx->kdc_default_options = tmp;
@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
cleanup:
profile_release_string(plugin_dir);
+ profile_release_string(timeout_str);
krb5_free_context(ctx);
return retval;
}
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 262edf09b4..98247a1089 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns)
static krb5_boolean
service_fds(krb5_context context, struct select_state *selstate,
- time_ms interval, struct conn_state *conns,
+ time_ms interval, time_ms timeout, struct conn_state *conns,
struct select_state *seltemp, const krb5_data *realm,
int (*msg_handler)(krb5_context, const krb5_data *, void *),
void *msg_handler_data, struct conn_state **winner_out)
{
int e, selret = 0;
- time_ms endtime;
+ time_ms curtime, interval_end, endtime;
struct conn_state *state;
*winner_out = NULL;
- e = get_curtime_ms(&endtime);
+ e = get_curtime_ms(&curtime);
if (e)
return TRUE;
- endtime += interval;
+ interval_end = curtime + interval;
e = 0;
while (selstate->nfds > 0) {
- e = cm_select_or_poll(selstate, get_endtime(endtime, conns),
- seltemp, &selret);
+ endtime = get_endtime(interval_end, conns);
+ /* Don't wait longer than the whole request should last. */
+ if (timeout && endtime > timeout)
+ endtime = timeout;
+ e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
if (e == EINTR)
continue;
if (e != 0)
break;
- if (selret == 0)
- /* Timeout, return to caller. */
+ if (selret == 0) {
+ /* We timed out. Stop if we hit the overall request timeout. */
+ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout))
+ return TRUE;
+ /* Otherwise return to the caller to send the next request. */
return FALSE;
+ }
/* Got something on a socket, process it. */
for (state = conns; state != NULL; state = state->next) {
@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message,
void *msg_handler_data)
{
int pass;
- time_ms delay;
+ time_ms delay, timeout = 0;
krb5_error_code retval;
struct conn_state *conns = NULL, *state, **tailptr, *next, *winner;
size_t s;
@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
*reply = empty_data();
+ if (context->req_timeout) {
+ retval = get_curtime_ms(&timeout);
+ if (retval)
+ return retval;
+ timeout += 1000 * context->req_timeout;
+ }
+
/* One for use here, listing all our fds in use, and one for
* temporary use in service_fds, for the fds of interest. */
sel_state = malloc(2 * sizeof(*sel_state));
@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, 1000, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
}
}
@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
+ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp,
realm, msg_handler, msg_handler_data, &winner);
}
/* Wait for two seconds at the end of the first pass. */
if (!done) {
- done = service_fds(context, sel_state, 2000, conns, seltemp,
+ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp,
realm, msg_handler, msg_handler_data, &winner);
}
@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, 1000, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
if (sel_state->nfds == 0)
break;
}
/* Wait for the delay backoff at the end of this pass. */
if (!done) {
- done = service_fds(context, sel_state, delay, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, delay, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
}
if (sel_state->nfds == 0)
break;
--
2.45.1

138
0020-Wait-indefinitely-on-KDC-TCP-connections.patch Normal file
View File

@ -0,0 +1,138 @@
From 58b64df22e22b9b89f9c6af96990276a1fc8e3c6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 16:26:42 -0400
Subject: [PATCH] Wait indefinitely on KDC TCP connections
When making a KDC or password change request, wait indefinitely
(limited only by request_timeout if set) once a KDC has accepted a TCP
connection.
ticket: 9105 (new)
(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36)
---
doc/admin/conf_files/krb5_conf.rst | 2 +-
src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++--------------
2 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 65fb592d98..b7284c47df 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations:
for initial ticket requests. The default value is 0.
**request_timeout**
- (:ref:`duration` string.) Sets the maximum total time for KDC or
+ (:ref:`duration` string.) Sets the maximum total time for KDC and
password change requests. This timeout does not affect the
intervals between requests, so setting a low timeout may result in
fewer requests being attempted and/or some servers not being
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 98247a1089..924f5b2d26 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -134,7 +134,6 @@ struct conn_state {
krb5_data callback_buffer;
size_t server_index;
struct conn_state *next;
- time_ms endtime;
krb5_boolean defer;
struct {
const char *uri_path;
@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
struct select_state *out, int *sret)
{
#ifndef USE_POLL
- struct timeval tv;
+ struct timeval tv, *tvp;
#endif
krb5_error_code retval;
time_ms curtime, interval;
- retval = get_curtime_ms(&curtime);
- if (retval != 0)
- return retval;
- interval = (curtime < endtime) ? endtime - curtime : 0;
+ if (endtime != 0) {
+ retval = get_curtime_ms(&curtime);
+ if (retval != 0)
+ return retval;
+ interval = (curtime < endtime) ? endtime - curtime : 0;
+ } else {
+ interval = -1;
+ }
/* We don't need a separate copy of the selstate for poll, but use one for
* consistency with how we use select. */
@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
#ifdef USE_POLL
*sret = poll(out->fds, out->nfds, interval);
#else
- tv.tv_sec = interval / 1000;
- tv.tv_usec = interval % 1000 * 1000;
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv);
+ if (interval != -1) {
+ tv.tv_sec = interval / 1000;
+ tv.tv_usec = interval % 1000 * 1000;
+ tvp = &tv;
+ } else {
+ tvp = NULL;
+ }
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp);
#endif
return (*sret < 0) ? SOCKET_ERRNO : 0;
@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
}
conn->state = WRITING;
-
- /* Record this connection's timeout for service_fds. */
- if (get_curtime_ms(&conn->endtime) == 0)
- conn->endtime += 10000;
-
return conn->service_write(context, realm, conn, selstate);
}
@@ -1378,19 +1381,18 @@ kill_conn:
return FALSE;
}
-/* Return the maximum of endtime and the endtime fields of all currently active
- * TCP connections. */
-static time_ms
-get_endtime(time_ms endtime, struct conn_state *conns)
+/* Return true if conns contains any states with connected TCP sockets. */
+static krb5_boolean
+any_tcp_connections(struct conn_state *conns)
{
struct conn_state *state;
for (state = conns; state != NULL; state = state->next) {
- if ((state->state == READING || state->state == WRITING) &&
- state->endtime > endtime)
- endtime = state->endtime;
+ if (state->addr.transport != UDP &&
+ (state->state == READING || state->state == WRITING))
+ return TRUE;
}
- return endtime;
+ return FALSE;
}
static krb5_boolean
@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate,
e = 0;
while (selstate->nfds > 0) {
- endtime = get_endtime(interval_end, conns);
+ endtime = any_tcp_connections(conns) ? 0 : interval_end;
/* Don't wait longer than the whole request should last. */
- if (timeout && endtime > timeout)
+ if (timeout && (!endtime || endtime > timeout))
endtime = timeout;
e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
if (e == EINTR)
--
2.45.1

8
0017-Remove-klist-s-defname-global-variable.patch → 0021-Remove-klist-s-defname-global-variable.patch
View File

@ -1,4 +1,4 @@
From c5cdf6f71621569c6c389be720937ac97ace988f Mon Sep 17 00:00:00 2001
From fa9dfdc9d85e88b6880edde5de45333b97a53a11 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 8 Jan 2024 16:52:27 +0100
Subject: [PATCH] Remove klist's defname global variable
@ -13,12 +13,14 @@ Convert "defname" to a local variable initialized at the beginning of
show_ccache().
[ghudson@mit.edu: edited commit message]
(cherry picked from commit 5b00197227231943bd2305328c8260dd0b0dbcf0)
---
src/clients/klist/klist.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 43392d2337..394c75b6b7 100644
index b5ae96a843..b5808e5c93 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
@ -65,5 +67,5 @@ index 43392d2337..394c75b6b7 100644
krb5_error_code ret;
krb5_ticket *tkt = NULL;
--
2.41.0
2.45.1

206
0022-Fix-two-unlikely-memory-leaks.patch Normal file
View File

@ -0,0 +1,206 @@
From 313d7b1afdcfca2bc0f6824cfeb25594c2eae176 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH] Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
---
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
src/lib/rpc/pmap_rmt.c | 10 +++---
2 files changed, 29 insertions(+), 37 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 1fcbdfbb87..d3210c1107 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
- unsigned char *outbuf = 0;
+ unsigned char *outbuf = NULL;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
size_t ec;
unsigned short tok_id;
- krb5_checksum sum;
+ krb5_checksum sum = { 0 };
krb5_key key;
krb5_cksumtype cksumtype;
+ krb5_data plain = empty_data();
+
+ token->value = NULL;
+ token->length = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t encrypt_size;
/* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
+ if (SIZE_MAX - 300 < message->length) {
+ err = ENOMEM;
+ goto cleanup;
+ }
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
err = alloc_data(&plain, message->length + 16 + ec);
if (err)
- return err;
+ goto cleanup;
/* Get size of ciphertext. */
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
if (encrypt_size > SIZE_MAX / 2) {
err = ENOMEM;
- goto error;
+ goto cleanup;
}
bufsize = 16 + encrypt_size;
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
+ err = ENOMEM;
+ goto cleanup;
}
/* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err)
- goto error;
+ goto cleanup;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
wrap_with_checksum:
err = alloc_data(&plain, message->length + 16);
if (err)
- return err;
+ goto cleanup;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
- goto error;
+ goto cleanup;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
err = ENOMEM;
- goto error;
+ goto cleanup;
}
/* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = cksumsize;
-
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- goto error;
+ goto cleanup;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
token->value = outbuf;
token->length = bufsize;
- return 0;
+ outbuf = NULL;
+ err = 0;
-error:
+cleanup:
+ krb5_free_checksum_contents(context, &sum);
+ zapfree(plain.data, plain.length);
gssalloc_free(outbuf);
- token->value = NULL;
- token->length = 0;
return err;
}
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 434e4eea65..f55ca46c60 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -161,12 +161,12 @@ xdr_rmtcallres(
caddr_t port_ptr;
port_ptr = (caddr_t)(void *)crp->port_ptr;
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
- (xdrproc_t)xdr_u_int32) &&
- xdr_u_int32(xdrs, &crp->resultslen)) {
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+ (xdrproc_t)xdr_u_int32))
+ return (FALSE);
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (xdr_u_int32(xdrs, &crp->resultslen))
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
- }
return (FALSE);
}
--
2.45.1

32
krb5.spec
View File

@ -10,7 +10,7 @@
#
# baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle.
%global baserelease 7
%global baserelease 1
# This should be e.g. beta1 or %%nil
%global pre_release %nil
@ -24,7 +24,7 @@
%global krb5_version_major 1
%global krb5_version_minor 21
# For a release without a patch number set to %%nil
%global krb5_version_patch 2
%global krb5_version_patch 3
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
%global krb5_version %{krb5_version_major_minor}
@ -59,7 +59,7 @@ Source13: kadmind.logrotate
Source14: krb5-krb5kdc.conf
Source15: %{name}-tests
Patch0001: 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
Patch0002: 0002-downstream-ksu-pam-integration.patch
Patch0003: 0003-downstream-SELinux-integration.patch
Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch
@ -73,8 +73,14 @@ Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
Patch0015: 0015-Replace-ssl.wrap_socket-for-tests.patch
Patch0016: 0016-Fix-unimportant-memory-leaks.patch
Patch0015: 0015-Eliminate-old-style-function-declarations.patch
Patch0016: 0016-Replace-ssl.wrap_socket-for-tests.patch
Patch0017: 0017-Fix-unimportant-memory-leaks.patch
Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
Patch0019: 0019-Add-request_timeout-configuration-parameter.patch
Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connections.patch
Patch0021: 0021-Remove-klist-s-defname-global-variable.patch
Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
URL: https://web.mit.edu/kerberos/www/
@ -711,6 +717,22 @@ exit 0
%{_datarootdir}/%{name}-tests/%{_arch}
%changelog
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-1
- New upstream version (1.21.3)
- CVE-2024-37370 CVE-2024-37371
Fix vulnerabilities in GSS message token handling
Resolves: RHEL-45387 RHEL-45378
- Fix memory leak in GSSAPI interface
Resolves: RHEL-47284
- Fix memory leak in PMAP RPC interface
Resolves: RHEL-47287
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-47285
- Make TCP waiting time configurable
Resolves: RHEL-47278
- Do not include files with "~" termination in krb5-tests
Resolves: RHEL-45995
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.21.2-7
- Bump release for June 2024 mass rebuild

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9
SHA512 (krb5-1.21.3.tar.gz) = 87bc06607f4d95ff604169cea22180703a42d667af05f66f1569b8bd592670c42820b335e5c279e8b4f066d1e7da20f1948a1e4def7c5d295c170cbfc7f49c71
SHA512 (krb5-1.21.3.tar.gz.asc) = 8992a5f5247315b9846aa73be4ee1ea223c0231a52d5c6c28718b1f3e3b45d62e2dad4aa5543a83163d1369bb79886b6c1c22766f22d8aa2f6b2575c54d0075c

17
tests/inplace-upgrade-sanity/runtest.sh
View File

@ -27,6 +27,7 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="krb5"
@ -88,17 +89,11 @@ rlJournalStart
if rlIsRHEL 6; then
rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
if [ "$krb5DomainName" ]; then
rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
fi
rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
else
rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
if [ "$krb5DomainName" ]; then
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
else
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n $krb5HostName = $krb5REALM1/\" $krb5conf"
fi
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
fi
rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
# Configure the kadmin ACL
@ -259,11 +254,7 @@ _EOF
#The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
#RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
#https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
if rlIsRHEL 9 || rlIsFedora '>=33';then
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
else
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
fi
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
rlAssertGrep "${kadmin_princ}" kadmind.log.record
#rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
echo "***krb5kdc.log.record***" && cat krb5kdc.log.record