New upstream beta version

This commit is contained in:
Robbie Harwood (frozencemetery) 2015-10-15 20:51:55 +00:00
parent 4529758a74
commit 98128c4038
7 changed files with 15 additions and 260 deletions

3
.gitignore vendored

@ -121,3 +121,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.13.2.tar.gz.asc
/krb5-1.13.2-pdf.pax.xz
/krb5-1.13.2-pdfs.tar
/krb5-1.14-beta1.tar.gz
/krb5-1.14-beta1.tar.gz.asc
/krb5-1.14-beta1-pdfs.tar


@ -1,32 +0,0 @@
From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 19 May 2015 10:38:51 -0400
Subject: [PATCH] Fix bindresvport_sa port byte swap bug
The sa_setport() helper handles conversion to network byte order, so
bindresvport_sa() should not itself call htons() on the port argument.
(This bug was introduced in commit
0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
bindresvport_sa(). It was my fault, not Andreas Schneider's.)
ticket: 8197 (new)
target_version: 1.13.3
tags: pullup
---
src/lib/rpc/bindresvport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
index ccc4d73..a421dd8 100644
--- a/src/lib/rpc/bindresvport.c
+++ b/src/lib/rpc/bindresvport.c
@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
res = -1;
errno = EADDRINUSE;
for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
- sa_setport(sa, htons(port++));
+ sa_setport(sa, port++);
if (port > ENDPORT) {
port = STARTPORT;
}


@ -1,142 +0,0 @@
From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Sun, 25 Jan 2015 16:53:49 -0500
Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
Add support for multi-hop preauth mechs.
In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.
Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.
[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]
ticket: 8063 (new)
---
doc/plugindev/clpreauth.rst | 6 +++---
src/include/k5-int.h | 1 +
src/kdc/kdc_preauth.c | 2 ++
src/lib/krb5/error_tables/krb5_err.et | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst
index c3e7298..38aa52e 100644
--- a/doc/plugindev/clpreauth.rst
+++ b/doc/plugindev/clpreauth.rst
@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for:
just returns ``PA_REAL``, indicating that it implements a normal
preauthentication type.
-* Examining the padata information included in the preauth_required
- error and producing padata values for the next AS request. This is
- done with the **process** method.
+* Examining the padata information included in a PREAUTH_REQUIRED or
+ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
+ next AS request. This is done with the **process** method.
* Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index a1ea25a..4868e7d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -391,6 +391,7 @@ typedef unsigned char u_char;
not find a KDC */
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
to the IAKERB proxy */
+#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
/*
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 50cc252..dd83844 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code)
case KRB5KDC_ERR_DISCARD:
/* pkinit alg-agility */
case KRB5KDC_ERR_NO_ACCEPTABLE_KDF:
+ /* rfc 6113 */
+ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
(*oldrespond)(oldarg, code);
return;
default:
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 5c6f10b..7ba7c1e 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
-error_code KRB5PLACEHOLD_91, "KRB5 error code 91"
+error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
error_code KRB5PLACEHOLD_94, "KRB5 error code 94"
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index f9bc027..fa8afcc 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context,
clear_cc_config_out_data(context, ctx);
if (ctx->err_reply == NULL) {
- /* either our first attempt, or retrying after PREAUTH_NEEDED */
+ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
+ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
code = k5_preauth(context, ctx, ctx->preauth_to_use,
ctx->preauth_required, &ctx->request->padata,
&ctx->selected_preauth_type);
@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context,
krb5_preauthtype kdc_pa_type;
krb5_boolean retry = FALSE;
int canon_flag = 0;
+ uint32_t reply_code;
krb5_keyblock *strengthen_key = NULL;
krb5_keyblock encrypting_key;
krb5_boolean fast_avail;
@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context,
&retry);
if (code != 0)
goto cleanup;
+ reply_code = ctx->err_reply->error;
if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
ctx->have_restarted = 1;
k5_preauth_request_context_fini(context);
@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context,
ctx->err_reply = NULL;
krb5_free_pa_data(context, ctx->err_padata);
ctx->err_padata = NULL;
- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
- retry) {
+ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
+ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
/* reset the list of preauth types to try */
+ k5_reset_preauth_types_tried(context);
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = ctx->err_padata;
ctx->err_padata = NULL;
@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context,
code = 0;
} else {
/* error + no hints = give up */
- code = (krb5_error_code)ctx->err_reply->error +
- ERROR_TABLE_BASE_krb5;
+ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
}
}


@ -1,17 +0,0 @@
@@ -, +, @@
wrong realm
---
src/kdc/do_as_req.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/kdc/do_as_req.c
+++ a/src/kdc/do_as_req.c
@@ -862,7 +862,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
return retval;
errpkt.error = error;
errpkt.server = request->server;
- errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
+ errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
request->client;
errpkt.text = string2data((char *)status);
--


@ -1,53 +0,0 @@
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
have a new key with the right version stored later in the keytab file.
Currently, we're setting up to overlook that possibility.
Note that this only affects the path taken when krb5_rd_rep() is passed a
server principal name, as without a server principal name it already tries
all of the keys it finds in the keytab, regardless of version numbers.
Index: krb5/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
+++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
@@ -155,7 +155,7 @@
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
- int use_pass = 0, use_key = 0, i;
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -164,6 +164,7 @@
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
+ use_kvno++;
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -180,7 +181,7 @@
}
}
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
"-k kvno -e enctype\n"), argv[0]);
return;
Index: krb5/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
@@ -349,7 +349,7 @@
higher than that. Short-term workaround: only compare
the low 8 bits. */
- if (new_entry.vno == (kvno & 0xff)) {
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;


@ -38,12 +38,12 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
%endif
%global prerelease %{nil}
%global prerelease -beta1
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.13.2
Release: 13%{?dist}
Version: 1.14
Release: 1%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -84,14 +84,10 @@ Patch60: krb5-1.12.1-pam.patch
Patch63: krb5-1.13-selinux-label.patch
Patch71: krb5-1.13-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
Patch143: krb5-tests_use_libs_from_build.patch
Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
Patch146: krb5-1.14-no_system_krb5_conf.patch
Patch147: krb5-1.14-client_referral_principal.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -267,7 +263,6 @@ ln NOTICE LICENSE
%patch39 -p1 -b .api
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
@ -275,14 +270,9 @@ ln NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
%patch143 -p1 -b .krb5-tests_use_libs_from_build
%patch146 -p1 -b .no_system_krb5_conf
%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
%patch147 -p1 -b .client_referral_principal.patch
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -580,6 +570,9 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
# This is only needed for tests
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
%find_lang %{gettext_domain}
%clean
@ -892,6 +885,9 @@ exit 0
%changelog
* Thu Oct 15 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-1
- New upstream beta version
* Thu Oct 08 2015 Robbie Harwood <rharwood@redhat.com> - 1.13.2-13
- Work around KDC client prinicipal in referrals issue (#1259844)
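Review bot: The new `Version: 1.14` / `Release: 1%{?dist}` lines, taken together with `%global prerelease -beta1`, give this beta the EVR 1.14-1, which is exactly what the final 1.14 build would naturally get, so the GA package would not be an upgrade over the beta unless Release is bumped, and the changelog stanza `1.14-beta1-1` does not match the package's real version-release. The usual pre-release form avoids both problems: `Release: 0.1.beta1%{?dist}` with a changelog header of `1.14-0.1.beta1`, keeping `%{prerelease}` only for the Source file names. Separately, this section drops Patch105 (`krb5-kvno-230379.patch`) and Patch147 (`krb5-1.14-client_referral_principal.patch`) alongside Patch140 and Patch144, whose deleted files carry upstream commit ids, yet the changelog says only "New upstream beta version". Whether the kvno-0 keytab matching and the #1259844 client-principal-in-WRONG_REALM fix are actually present in 1.14-beta1 is not visible here; please record which patches were merged upstream and which were intentionally dropped, e.g. `- Drop patches merged upstream (Patch140, Patch144, ...)`, so the behavior change is auditable.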


@ -1,3 +1,3 @@
f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz
b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc
095ed64aa1d28f06db1d9b3d89bd8d6b krb5-1.13.2-pdfs.tar
59b5f990857356285a869060f13b904b krb5-1.14-beta1-pdfs.tar
17d4fd5136ca39579f54860d4e21eeea krb5-1.14-beta1.tar.gz
be9d1d40f589a1a2afcb1a285a030c73 krb5-1.14-beta1.tar.gz.asc