New upstream beta version
This commit is contained in:
parent
4529758a74
commit
98128c4038
3
.gitignore
vendored
3
.gitignore
vendored
@ -121,3 +121,6 @@ krb5-1.8.3-pdf.tar.gz
|
||||
/krb5-1.13.2.tar.gz.asc
|
||||
/krb5-1.13.2-pdf.pax.xz
|
||||
/krb5-1.13.2-pdfs.tar
|
||||
/krb5-1.14-beta1.tar.gz
|
||||
/krb5-1.14-beta1.tar.gz.asc
|
||||
/krb5-1.14-beta1-pdfs.tar
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 19 May 2015 10:38:51 -0400
|
||||
Subject: [PATCH] Fix bindresvport_sa port byte swap bug
|
||||
|
||||
The sa_setport() helper handles conversion to network byte order, so
|
||||
bindresvport_sa() should not itself call htons() on the port argument.
|
||||
|
||||
(This bug was introduced in commit
|
||||
0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
|
||||
bindresvport_sa(). It was my fault, not Andreas Schneider's.)
|
||||
|
||||
ticket: 8197 (new)
|
||||
target_version: 1.13.3
|
||||
tags: pullup
|
||||
---
|
||||
src/lib/rpc/bindresvport.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
|
||||
index ccc4d73..a421dd8 100644
|
||||
--- a/src/lib/rpc/bindresvport.c
|
||||
+++ b/src/lib/rpc/bindresvport.c
|
||||
@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
|
||||
res = -1;
|
||||
errno = EADDRINUSE;
|
||||
for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
|
||||
- sa_setport(sa, htons(port++));
|
||||
+ sa_setport(sa, port++);
|
||||
if (port > ENDPORT) {
|
||||
port = STARTPORT;
|
||||
}
|
@ -1,142 +0,0 @@
|
||||
From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Sun, 25 Jan 2015 16:53:49 -0500
|
||||
Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
|
||||
|
||||
Add support for multi-hop preauth mechs.
|
||||
|
||||
In the KDC, allow kdcpreauth modules to return
|
||||
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
|
||||
|
||||
In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
|
||||
modules can use the modreq parameter to distinguish between the first
|
||||
and subsequent KDC messages. We assume that the error padata will
|
||||
include an element of the preauth mech's type, or at least of a type
|
||||
recognized by the clpreauth module.
|
||||
|
||||
Also reset the list of previously attempted preauth types for both
|
||||
kinds of errors. That list is really only appropriate for retrying
|
||||
after a failed preauth attempt, which we don't currently do. Add an
|
||||
intermediate variable for the reply code to avoid a long conditional
|
||||
expression.
|
||||
|
||||
[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
|
||||
function; clarify commit message]
|
||||
|
||||
ticket: 8063 (new)
|
||||
---
|
||||
doc/plugindev/clpreauth.rst | 6 +++---
|
||||
src/include/k5-int.h | 1 +
|
||||
src/kdc/kdc_preauth.c | 2 ++
|
||||
src/lib/krb5/error_tables/krb5_err.et | 2 +-
|
||||
src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
|
||||
5 files changed, 15 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst
|
||||
index c3e7298..38aa52e 100644
|
||||
--- a/doc/plugindev/clpreauth.rst
|
||||
+++ b/doc/plugindev/clpreauth.rst
|
||||
@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for:
|
||||
just returns ``PA_REAL``, indicating that it implements a normal
|
||||
preauthentication type.
|
||||
|
||||
-* Examining the padata information included in the preauth_required
|
||||
- error and producing padata values for the next AS request. This is
|
||||
- done with the **process** method.
|
||||
+* Examining the padata information included in a PREAUTH_REQUIRED or
|
||||
+ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
|
||||
+ next AS request. This is done with the **process** method.
|
||||
|
||||
* Examining the padata information included in a successful ticket
|
||||
reply, possibly verifying the KDC identity and computing a reply
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index a1ea25a..4868e7d 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -391,6 +391,7 @@ typedef unsigned char u_char;
|
||||
not find a KDC */
|
||||
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
|
||||
to the IAKERB proxy */
|
||||
+#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
|
||||
#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
|
||||
|
||||
/*
|
||||
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
||||
index 50cc252..dd83844 100644
|
||||
--- a/src/kdc/kdc_preauth.c
|
||||
+++ b/src/kdc/kdc_preauth.c
|
||||
@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code)
|
||||
case KRB5KDC_ERR_DISCARD:
|
||||
/* pkinit alg-agility */
|
||||
case KRB5KDC_ERR_NO_ACCEPTABLE_KDF:
|
||||
+ /* rfc 6113 */
|
||||
+ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
|
||||
(*oldrespond)(oldarg, code);
|
||||
return;
|
||||
default:
|
||||
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
|
||||
index 5c6f10b..7ba7c1e 100644
|
||||
--- a/src/lib/krb5/error_tables/krb5_err.et
|
||||
+++ b/src/lib/krb5/error_tables/krb5_err.et
|
||||
@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
|
||||
error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
|
||||
error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
|
||||
error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
|
||||
-error_code KRB5PLACEHOLD_91, "KRB5 error code 91"
|
||||
+error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
|
||||
error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
|
||||
error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
|
||||
error_code KRB5PLACEHOLD_94, "KRB5 error code 94"
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index f9bc027..fa8afcc 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context,
|
||||
clear_cc_config_out_data(context, ctx);
|
||||
|
||||
if (ctx->err_reply == NULL) {
|
||||
- /* either our first attempt, or retrying after PREAUTH_NEEDED */
|
||||
+ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
|
||||
+ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
|
||||
code = k5_preauth(context, ctx, ctx->preauth_to_use,
|
||||
ctx->preauth_required, &ctx->request->padata,
|
||||
&ctx->selected_preauth_type);
|
||||
@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context,
|
||||
krb5_preauthtype kdc_pa_type;
|
||||
krb5_boolean retry = FALSE;
|
||||
int canon_flag = 0;
|
||||
+ uint32_t reply_code;
|
||||
krb5_keyblock *strengthen_key = NULL;
|
||||
krb5_keyblock encrypting_key;
|
||||
krb5_boolean fast_avail;
|
||||
@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context,
|
||||
&retry);
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
+ reply_code = ctx->err_reply->error;
|
||||
if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
|
||||
ctx->have_restarted = 1;
|
||||
k5_preauth_request_context_fini(context);
|
||||
@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context,
|
||||
ctx->err_reply = NULL;
|
||||
krb5_free_pa_data(context, ctx->err_padata);
|
||||
ctx->err_padata = NULL;
|
||||
- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
|
||||
- retry) {
|
||||
+ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
|
||||
+ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
|
||||
/* reset the list of preauth types to try */
|
||||
+ k5_reset_preauth_types_tried(context);
|
||||
krb5_free_pa_data(context, ctx->preauth_to_use);
|
||||
ctx->preauth_to_use = ctx->err_padata;
|
||||
ctx->err_padata = NULL;
|
||||
@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context,
|
||||
code = 0;
|
||||
} else {
|
||||
/* error + no hints = give up */
|
||||
- code = (krb5_error_code)ctx->err_reply->error +
|
||||
- ERROR_TABLE_BASE_krb5;
|
||||
+ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
|
||||
}
|
||||
}
|
||||
|
@ -1,17 +0,0 @@
|
||||
@@ -, +, @@
|
||||
wrong realm
|
||||
---
|
||||
src/kdc/do_as_req.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
--- a/src/kdc/do_as_req.c
|
||||
+++ a/src/kdc/do_as_req.c
|
||||
@@ -862,7 +862,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
|
||||
return retval;
|
||||
errpkt.error = error;
|
||||
errpkt.server = request->server;
|
||||
- errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
|
||||
+ errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
|
||||
request->client;
|
||||
errpkt.text = string2data((char *)status);
|
||||
|
||||
--
|
@ -1,53 +0,0 @@
|
||||
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
|
||||
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
|
||||
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
|
||||
have a new key with the right version stored later in the keytab file.
|
||||
Currently, we're setting up to overlook that possibility.
|
||||
|
||||
Note that this only affects the path taken when krb5_rd_rep() is passed a
|
||||
server principal name, as without a server principal name it already tries
|
||||
all of the keys it finds in the keytab, regardless of version numbers.
|
||||
|
||||
Index: krb5/src/kadmin/ktutil/ktutil.c
|
||||
===================================================================
|
||||
--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
|
||||
+++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
|
||||
@@ -155,7 +155,7 @@
|
||||
char *princ = NULL;
|
||||
char *enctype = NULL;
|
||||
krb5_kvno kvno = 0;
|
||||
- int use_pass = 0, use_key = 0, i;
|
||||
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
|
||||
|
||||
for (i = 1; i < argc; i++) {
|
||||
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
|
||||
@@ -164,6 +164,7 @@
|
||||
}
|
||||
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
|
||||
kvno = (krb5_kvno) atoi(argv[++i]);
|
||||
+ use_kvno++;
|
||||
continue;
|
||||
}
|
||||
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
|
||||
@@ -180,7 +181,7 @@
|
||||
}
|
||||
}
|
||||
|
||||
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
|
||||
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
|
||||
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
|
||||
"-k kvno -e enctype\n"), argv[0]);
|
||||
return;
|
||||
Index: krb5/src/lib/krb5/keytab/kt_file.c
|
||||
===================================================================
|
||||
--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
|
||||
+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
|
||||
@@ -349,7 +349,7 @@
|
||||
higher than that. Short-term workaround: only compare
|
||||
the low 8 bits. */
|
||||
|
||||
- if (new_entry.vno == (kvno & 0xff)) {
|
||||
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
|
||||
krb5_kt_free_entry(context, &cur_entry);
|
||||
cur_entry = new_entry;
|
||||
break;
|
22
krb5.spec
22
krb5.spec
@ -38,12 +38,12 @@
|
||||
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
|
||||
%endif
|
||||
|
||||
%global prerelease %{nil}
|
||||
%global prerelease -beta1
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.13.2
|
||||
Release: 13%{?dist}
|
||||
Version: 1.14
|
||||
Release: 1%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -84,14 +84,10 @@ Patch60: krb5-1.12.1-pam.patch
|
||||
Patch63: krb5-1.13-selinux-label.patch
|
||||
Patch71: krb5-1.13-dirsrv-accountlock.patch
|
||||
Patch86: krb5-1.9-debuginfo.patch
|
||||
Patch105: krb5-kvno-230379.patch
|
||||
Patch129: krb5-1.11-run_user_0.patch
|
||||
Patch134: krb5-1.11-kpasswdtest.patch
|
||||
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
|
||||
Patch143: krb5-tests_use_libs_from_build.patch
|
||||
Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
|
||||
Patch146: krb5-1.14-no_system_krb5_conf.patch
|
||||
Patch147: krb5-1.14-client_referral_principal.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -267,7 +263,6 @@ ln NOTICE LICENSE
|
||||
%patch39 -p1 -b .api
|
||||
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
|
||||
%patch86 -p0 -b .debuginfo
|
||||
%patch105 -p1 -b .kvno
|
||||
|
||||
# Apply when the hard-wired or configured default location is
|
||||
# DIR:/run/user/%%{uid}/krb5cc.
|
||||
@ -275,14 +270,9 @@ ln NOTICE LICENSE
|
||||
|
||||
%patch134 -p1 -b .kpasswdtest
|
||||
|
||||
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
|
||||
%patch143 -p1 -b .krb5-tests_use_libs_from_build
|
||||
%patch146 -p1 -b .no_system_krb5_conf
|
||||
|
||||
%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
|
||||
|
||||
%patch147 -p1 -b .client_referral_principal.patch
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
|
||||
@ -580,6 +570,9 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
|
||||
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
|
||||
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
|
||||
|
||||
# This is only needed for tests
|
||||
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
|
||||
|
||||
%find_lang %{gettext_domain}
|
||||
|
||||
%clean
|
||||
@ -892,6 +885,9 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Oct 15 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-1
|
||||
- New upstream beta version
|
||||
|
||||
* Thu Oct 08 2015 Robbie Harwood <rharwood@redhat.com> - 1.13.2-13
|
||||
- Work around KDC client prinicipal in referrals issue (#1259844)
|
||||
|
||||
|
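Review bot: The `%changelog` entry added in the last hunk says only "New upstream beta version", but the same commit drops Patch105, Patch140 and Patch144 together with their `%patch` lines and adds the removal of `plugins/preauth/test.so`, none of which is recorded. If those three patches are in the upstream 1.14 release the entry should say so, e.g. `- Drop kvno, MORE_PREAUTH_DATA_REQUIRED and bindresvport_sa patches (merged upstream)` and `- Do not ship the preauth test plugin`; if they are not, dropping Patch144 silently reintroduces the bindresvport_sa byte-swap bug the patch name describes, so this is worth verifying against the upstream 1.14 changes before merging. In the Version hunk the unchanged comment `# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar` now disagrees with `Version: 1.14` and should be updated to the 1.14 tarball or removed.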
6
sources
6
sources
@ -1,3 +1,3 @@
|
||||
f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz
|
||||
b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc
|
||||
095ed64aa1d28f06db1d9b3d89bd8d6b krb5-1.13.2-pdfs.tar
|
||||
59b5f990857356285a869060f13b904b krb5-1.14-beta1-pdfs.tar
|
||||
17d4fd5136ca39579f54860d4e21eeea krb5-1.14-beta1.tar.gz
|
||||
be9d1d40f589a1a2afcb1a285a030c73 krb5-1.14-beta1.tar.gz.asc
|
||||
|