From 98128c40387e673eab5a2a4dd84b23fb273c5d24 Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)"
Date: Thu, 15 Oct 2015 20:51:55 +0000
Subject: [PATCH] New upstream beta version
---
 .gitignore | 3 +
 ...ap_bug_triggering_selinux_avc_denial.patch | 32 ----
 ...t-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch | 142 ------------------
 krb5-1.14-client_referral_principal.patch | 17 ---
 krb5-kvno-230379.patch | 53 -------
 krb5.spec | 22 ++-
 sources | 6 +-
 7 files changed, 15 insertions(+), 260 deletions(-)
 delete mode 100644 krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
 delete mode 100644 krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
 delete mode 100644 krb5-1.14-client_referral_principal.patch
 delete mode 100644 krb5-kvno-230379.patch
diff --git a/.gitignore b/.gitignore
index baaab88..16bae36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -121,3 +121,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13.2.tar.gz.asc
 /krb5-1.13.2-pdf.pax.xz
 /krb5-1.13.2-pdfs.tar
+/krb5-1.14-beta1.tar.gz
+/krb5-1.14-beta1.tar.gz.asc
+/krb5-1.14-beta1-pdfs.tar
diff --git a/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch b/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
deleted file mode 100644
index fc3101f..0000000
--- a/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 19 May 2015 10:38:51 -0400
-Subject: [PATCH] Fix bindresvport_sa port byte swap bug
-
-The sa_setport() helper handles conversion to network byte order, so
-bindresvport_sa() should not itself call htons() on the port argument.
-
-(This bug was introduced in commit
-0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
-bindresvport_sa(). It was my fault, not Andreas Schneider's.)
-
-ticket: 8197 (new)
-target_version: 1.13.3
-tags: pullup
----
- src/lib/rpc/bindresvport.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
-index ccc4d73..a421dd8 100644
---- a/src/lib/rpc/bindresvport.c
-+++ b/src/lib/rpc/bindresvport.c
-@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
- res = -1;
- errno = EADDRINUSE;
- for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
-- sa_setport(sa, htons(port++));
-+ sa_setport(sa, port++);
- if (port > ENDPORT) {
- port = STARTPORT;
- }
diff --git a/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch b/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
deleted file mode 100644
index 7757885..0000000
--- a/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum
-Date: Sun, 25 Jan 2015 16:53:49 -0500
-Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
-
-Add support for multi-hop preauth mechs.
-
-In the KDC, allow kdcpreauth modules to return
-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
-
-In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
-modules can use the modreq parameter to distinguish between the first
-and subsequent KDC messages. We assume that the error padata will
-include an element of the preauth mech's type, or at least of a type
-recognized by the clpreauth module.
-
-Also reset the list of previously attempted preauth types for both
-kinds of errors. That list is really only appropriate for retrying
-after a failed preauth attempt, which we don't currently do. Add an
-intermediate variable for the reply code to avoid a long conditional
-expression.
-
-[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
-function; clarify commit message]
-
-ticket: 8063 (new)
----
- doc/plugindev/clpreauth.rst | 6 +++---
- src/include/k5-int.h | 1 +
- src/kdc/kdc_preauth.c | 2 ++
- src/lib/krb5/error_tables/krb5_err.et | 2 +-
- src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
- 5 files changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst
-index c3e7298..38aa52e 100644
---- a/doc/plugindev/clpreauth.rst
-+++ b/doc/plugindev/clpreauth.rst
-@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for:
- just returns ``PA_REAL``, indicating that it implements a normal
- preauthentication type.
-
--* Examining the padata information included in the preauth_required
-- error and producing padata values for the next AS request. This is
-- done with the **process** method.
-+* Examining the padata information included in a PREAUTH_REQUIRED or
-+ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
-+ next AS request. This is done with the **process** method.
-
- * Examining the padata information included in a successful ticket
- reply, possibly verifying the KDC identity and computing a reply
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index a1ea25a..4868e7d 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -391,6 +391,7 @@ typedef unsigned char u_char;
- not find a KDC */
- #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
- to the IAKERB proxy */
-+#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
- #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
-
- /*
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 50cc252..dd83844 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code)
- case KRB5KDC_ERR_DISCARD:
- /* pkinit alg-agility */
- case KRB5KDC_ERR_NO_ACCEPTABLE_KDF:
-+ /* rfc 6113 */
-+ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
- (*oldrespond)(oldarg, code);
- return;
- default:
-diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
-index 5c6f10b..7ba7c1e 100644
---- a/src/lib/krb5/error_tables/krb5_err.et
-+++ b/src/lib/krb5/error_tables/krb5_err.et
-@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
- error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
- error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
- error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
--error_code KRB5PLACEHOLD_91, "KRB5 error code 91"
-+error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
- error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
- error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was
requested"
- error_code KRB5PLACEHOLD_94, "KRB5 error code 94"
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index f9bc027..fa8afcc 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context,
- clear_cc_config_out_data(context, ctx);
-
- if (ctx->err_reply == NULL) {
-- /* either our first attempt, or retrying after PREAUTH_NEEDED */
-+ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
-+ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
- code = k5_preauth(context, ctx, ctx->preauth_to_use,
- ctx->preauth_required, &ctx->request->padata,
- &ctx->selected_preauth_type);
-@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context,
- krb5_preauthtype kdc_pa_type;
- krb5_boolean retry = FALSE;
- int canon_flag = 0;
-+ uint32_t reply_code;
- krb5_keyblock *strengthen_key = NULL;
- krb5_keyblock encrypting_key;
- krb5_boolean fast_avail;
-@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context,
- &retry);
- if (code != 0)
- goto cleanup;
-+ reply_code = ctx->err_reply->error;
- if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
- ctx->have_restarted = 1;
- k5_preauth_request_context_fini(context);
-@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context,
- ctx->err_reply = NULL;
- krb5_free_pa_data(context, ctx->err_padata);
- ctx->err_padata = NULL;
-- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
-- retry) {
-+ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
-+ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
- /* reset the list of preauth types to try */
-+ k5_reset_preauth_types_tried(context);
- krb5_free_pa_data(context, ctx->preauth_to_use);
- ctx->preauth_to_use = ctx->err_padata;
- ctx->err_padata = NULL;
-@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context,
- code = 0;
- } else {
- /* error + no hints = give up */
-- code =
(krb5_error_code)ctx->err_reply->error +
-- ERROR_TABLE_BASE_krb5;
-+ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
- }
- }
-
diff --git a/krb5-1.14-client_referral_principal.patch b/krb5-1.14-client_referral_principal.patch
deleted file mode 100644
index 78b1906..0000000
--- a/krb5-1.14-client_referral_principal.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-@@ -, +, @@
- wrong realm
----
- src/kdc/do_as_req.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
---- a/src/kdc/do_as_req.c
-+++ a/src/kdc/do_as_req.c
-@@ -862,7 +862,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
- return retval;
- errpkt.error = error;
- errpkt.server = request->server;
-- errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
-+ errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
- request->client;
- errpkt.text = string2data((char *)status);
-
---
diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch
deleted file mode 100644
index ea9b69f..0000000
--- a/krb5-kvno-230379.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
-at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
-as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
-have a new key with the right version stored later in the keytab file.
-Currently, we're setting up to overlook that possibility.
-
-Note that this only affects the path taken when krb5_rd_rep() is passed a
-server principal name, as without a server principal name it already tries
-all of the keys it finds in the keytab, regardless of version numbers.
-
-Index: krb5/src/kadmin/ktutil/ktutil.c
-===================================================================
---- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
-+++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
-@@ -155,7 +155,7 @@
- char *princ = NULL;
- char *enctype = NULL;
- krb5_kvno kvno = 0;
-- int use_pass = 0, use_key = 0, i;
-+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
-
- for (i = 1; i < argc; i++) {
- if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
-@@ -164,6 +164,7 @@
- }
- if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
- kvno = (krb5_kvno) atoi(argv[++i]);
-+ use_kvno++;
- continue;
- }
- if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
-@@ -180,7 +181,7 @@
- }
- }
-
-- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
-+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
- fprintf(stderr, _("usage: %s (-key | -password) -p principal "
- "-k kvno -e enctype\n"), argv[0]);
- return;
-Index: krb5/src/lib/krb5/keytab/kt_file.c
-===================================================================
---- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
-+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
-@@ -349,7 +349,7 @@
- higher than that. Short-term workaround: only compare
- the low 8 bits.
*/
-
-- if (new_entry.vno == (kvno & 0xff)) {
-+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
- krb5_kt_free_entry(context, &cur_entry);
- cur_entry = new_entry;
- break;
diff --git a/krb5.spec b/krb5.spec
index 3c61402..5e136c2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -38,12 +38,12 @@
 %global configured_default_ccache_name KEYRING:persistent:%%{uid}
 %endif
-%global prerelease %{nil}
+%global prerelease -beta1
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.13.2
-Release: 13%{?dist}
+Version: 1.14
+Release: 1%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -84,14 +84,10 @@ Patch60: krb5-1.12.1-pam.patch
 Patch63: krb5-1.13-selinux-label.patch
 Patch71: krb5-1.13-dirsrv-accountlock.patch
 Patch86: krb5-1.9-debuginfo.patch
-Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
-Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
 Patch143: krb5-tests_use_libs_from_build.patch
-Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
 Patch146: krb5-1.14-no_system_krb5_conf.patch
-Patch147: krb5-1.14-client_referral_principal.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -267,7 +263,6 @@ ln NOTICE LICENSE
 %patch39 -p1 -b .api
 %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
 %patch86 -p0 -b .debuginfo
-%patch105 -p1 -b .kvno
 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
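Review bot: The comment just below the bumped Version/Release in the first krb5.spec hunk still sends readers to the 1.13.2 signed tarball (`# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar`), while Version is now 1.14 with prerelease -beta1, so the "where the sources come from" note is stale on the new side. Either point it at the matching 1.14 beta tarball or drop the example URL and keep only the lookaside-cache sentence that follows it, so the next rebase does not inherit the wrong reference again.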
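Review bot: The `-Patch105: krb5-kvno-230379.patch` removal in the second krb5.spec hunk (and the matching `%patch105` apply line dropped in the hunk at -267) retires a downstream workaround whose own header, visible in the deleted file above, describes it as an RT-ticket attachment adjusted to apply locally with an open FIXME, and nothing in the commit says what in 1.14-beta1 makes it unnecessary; the other dropped patches are clearly labelled upstream fixes, this one is not. Its own notes say it changes which keytab entries are matched when a server principal name is supplied (the `IGNORE_VNO` comparison in kt_file.c), so silently dropping it is a behaviour change for keytab consumers. A %changelog line such as `- Drop krb5-kvno-230379.patch, superseded upstream by <upstream ticket or commit>` would record the rationale; if it was dropped only because it no longer applies, say that instead.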
@@ -275,14 +270,9 @@ ln NOTICE LICENSE
 %patch134 -p1 -b .kpasswdtest
-%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
 %patch143 -p1 -b .krb5-tests_use_libs_from_build
 %patch146 -p1 -b .no_system_krb5_conf
-%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
-
-%patch147 -p1 -b .client_referral_principal.patch
-
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -580,6 +570,9 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
 rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
 rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
+# This is only needed for tests
+rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
+
 %find_lang %{gettext_domain}
 %clean
@@ -892,6 +885,9 @@ exit 0
 %changelog
+* Thu Oct 15 2015 Robbie Harwood - 1.14-beta1-1
+- New upstream beta version
+
 * Thu Oct 08 2015 Robbie Harwood - 1.13.2-13
 - Work around KDC client prinicipal in referrals issue (#1259844)
diff --git a/sources b/sources
index 487ed89..ed76762 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz
-b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc
-095ed64aa1d28f06db1d9b3d89bd8d6b krb5-1.13.2-pdfs.tar
+59b5f990857356285a869060f13b904b krb5-1.14-beta1-pdfs.tar
+17d4fd5136ca39579f54860d4e21eeea krb5-1.14-beta1.tar.gz
+be9d1d40f589a1a2afcb1a285a030c73 krb5-1.14-beta1.tar.gz.asc