diff --git a/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch b/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch
new file mode 100644
index 0000000..2300bd2
--- /dev/null
+++ b/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch
@@ -0,0 +1,201 @@ +From 2a6a4568ed1df4ed89604b09fa11785c9ae38c67 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Fri, 22 Apr 2022 14:12:37 +0200 +Subject: [PATCH] Add configure variable for default PKCS#11 module + +[ghudson@mit.edu: added documentation of configure variable and doc +substitution; shortened commit message] + +ticket: 9058 (new) +--- + doc/admin/conf_files/krb5_conf.rst | 2 +- + doc/build/options2configure.rst | 3 +++ + doc/conf.py | 3 +++ + doc/mitK5defaults.rst | 25 +++++++++++++------------ + src/configure.ac | 8 ++++++++ + src/doc/Makefile.in | 2 ++ + src/man/Makefile.in | 4 +++- + src/man/krb5.conf.man | 2 +- + src/plugins/preauth/pkinit/pkinit.h | 1 - + 9 files changed, 34 insertions(+), 16 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index adba8238d..3d25c9a12 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -1020,7 +1020,7 @@ information for PKINIT is as follows: + All keyword/values are optional. *modname* specifies the location + of a library implementing PKCS #11. If a value is encountered + with no keyword, it is assumed to be the *modname*. If no +- module-name is specified, the default is ``opensc-pkcs11.so``. ++ module-name is specified, the default is |pkcs11_modname|. + ``slotid=`` and/or ``token=`` may be specified to force the use of + a particular smard card reader or token if there is more than one + available. ``certid=`` and/or ``certlabel=`` may be specified to +diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst +index a8959626d..8f8ac911c 100644 +--- a/doc/build/options2configure.rst ++++ b/doc/build/options2configure.rst +@@ -143,6 +143,9 @@ Environment variables + This option allows one to specify libraries to be passed to the + linker (e.g., ``-l``) + ++**PKCS11_MODNAME=**\ *library* ++ Override the built-in default PKCS11 library name. ++ + **SS_LIB=**\ *libs*... 
+ If ``-lss`` is not the correct way to link in your installed ss + library, for example if additional support libraries are needed, +diff --git a/doc/conf.py b/doc/conf.py +index 4fb6aae14..29fd53375 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -235,6 +235,7 @@ if 'mansubs' in tags: + ccache = '``@CCNAME@``' + keytab = '``@KTNAME@``' + ckeytab = '``@CKTNAME@``' ++ pkcs11_modname = '``@PKCS11MOD@``' + elif 'pathsubs' in tags: + # Read configured paths from a file produced by the build system. + exec(open("paths.py").read()) +@@ -248,6 +249,7 @@ else: + ccache = ':ref:`DEFCCNAME `' + keytab = ':ref:`DEFKTNAME `' + ckeytab = ':ref:`DEFCKTNAME `' ++ pkcs11_modname = ':ref:`PKCS11_MODNAME `' + + rst_epilog = '\n' + +@@ -268,6 +270,7 @@ else: + rst_epilog += '.. |ccache| replace:: %s\n' % ccache + rst_epilog += '.. |keytab| replace:: %s\n' % keytab + rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab ++ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname + rst_epilog += ''' + .. |krb5conf| replace:: ``/etc/krb5.conf`` + .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` +diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst +index 74e69f4ad..aea7af3db 100644 +--- a/doc/mitK5defaults.rst ++++ b/doc/mitK5defaults.rst +@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an + operating system, the paths are generally chosen to match the + operating system's filesystem layout. 
+ +-========================== ============= =========================== =========================== +-Description Symbolic name Custom build path Typical OS path +-========================== ============= =========================== =========================== +-User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` +-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` +-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` +-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` +-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` +-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` +-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` +-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` +-========================== ============= =========================== =========================== ++========================== ============== =========================== =========================== ++Description Symbolic name Custom build path Typical OS path ++========================== ============== =========================== =========================== ++User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` ++Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` ++Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` ++Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` ++Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` ++Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` ++Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` ++Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` ++Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` ++========================== ============== =========================== =========================== + + The default client keytab name (DEFCKTNAME) typically defaults to 
+ ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom +diff --git a/src/configure.ac b/src/configure.ac +index 363d5d62d..3a0633177 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1466,6 +1466,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name]) + AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"], + [Define to default client keytab name]) + ++AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name]) ++if test "${PKCS11_MODNAME+set}" != set; then ++ PKCS11_MODNAME=opensc-pkcs11.so ++fi ++AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME]) ++AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"], ++ [Default PKCS11 module name]) ++ + AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config]) + AC_CONFIG_FILES([build-tools/kadm-server.pc + build-tools/kadm-client.pc +diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in +index 379bc3651..a1b0cff0a 100644 +--- a/src/doc/Makefile.in ++++ b/src/doc/Makefile.in +@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@ + DEFCCNAME=@DEFCCNAME@ + DEFKTNAME=@DEFKTNAME@ + DEFCKTNAME=@DEFCKTNAME@ ++PKCS11_MODNAME=@PKCS11_MODNAME@ + + RST_SOURCES= _static \ + _templates \ +@@ -118,6 +119,7 @@ paths.py: + echo 'ccache = "``$(DEFCCNAME)``"' >> $@ + echo 'keytab = "``$(DEFKTNAME)``"' >> $@ + echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@ ++ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@ + + # Dummy rule that man/Makefile can invoke + version.py: $(docsrc)/version.py +diff --git a/src/man/Makefile.in b/src/man/Makefile.in +index 00b1b2de0..85cae0914 100644 +--- a/src/man/Makefile.in ++++ b/src/man/Makefile.in +@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@ + DEFCCNAME=@DEFCCNAME@ + DEFKTNAME=@DEFKTNAME@ + DEFCKTNAME=@DEFCKTNAME@ ++PKCS11_MODNAME=@PKCS11_MODNAME@ + + MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ + kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ +@@ -47,7 +48,8 @@ $(docsrc)/version.py: 
$(top_srcdir)/patchlevel.h + -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ + -e 's|@CCNAME@|$(DEFCCNAME)|g' \ + -e 's|@KTNAME@|$(DEFKTNAME)|g' \ +- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@ ++ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \ ++ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@ + + all: $(MANSUBS) + +diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man +index 3a702ca8f..e4202723f 100644 +--- a/src/man/krb5.conf.man ++++ b/src/man/krb5.conf.man +@@ -1151,7 +1151,7 @@ user\(aqs certificate and private key. + All keyword/values are optional. \fImodname\fP specifies the location + of a library implementing PKCS #11. If a value is encountered + with no keyword, it is assumed to be the \fImodname\fP\&. If no +-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. ++module\-name is specified, the default is \fB@PKCS11MOD@\fP\&. + \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of + a particular smard card reader or token if there is more than one + available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to +diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h +index b437fd53f..a2018cb10 100644 +--- a/src/plugins/preauth/pkinit/pkinit.h ++++ b/src/plugins/preauth/pkinit/pkinit.h +@@ -42,7 +42,6 @@ + #ifndef WITHOUT_PKCS11 + #include "pkcs11.h" + +-#define PKCS11_MODNAME "opensc-pkcs11.so" + #define PK_SIGLEN_GUESS 1000 + #define PK_NOSLOT 999999 + #endif +-- +2.35.1 + diff --git a/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch b/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch new file mode 100644 index 0000000..6e87e04 --- /dev/null +++ b/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch 
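Review bot: In the configure.ac part of this patch, `if test "${PKCS11_MODNAME+set}" != set; then` applies the default only when the variable is entirely unset, so a build started with an empty `PKCS11_MODNAME=` in the environment silently compiles an empty module name into the PKCS11_MODNAME define. Testing for emptiness instead, `if test -z "$PKCS11_MODNAME"; then`, keeps explicit overrides working while still falling back to `opensc-pkcs11.so`. The default is a bare filename with no directory component, so which library is actually loaded at runtime depends on the dynamic loader's search path; the new options2configure.rst entry could say that an absolute path may be given to pin it. The pkinit.h part only drops the old hard-coded `#define`, so the plugin now relies on the autoconf-generated definition, which matches how DEFKTNAME and DEFCKTNAME are defined just above in configure.ac.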
@@ -0,0 +1,188 @@ +From dea9421ccdbe5c8f63aae85341a8f091c6019407 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 1 Jun 2022 18:02:04 +0200 +Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT + +The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know +the algorithms it supports for verification of the CMS data signature. +(The MIT krb5 KDC currently ignores this list, but other +implementations use it.) + +Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption. + +[ghudson@mit.edu: simplified code and used appropriate helpers; edited +commit message] + +ticket: 9066 (new) +--- + src/plugins/preauth/pkinit/Makefile.in | 4 +- + src/plugins/preauth/pkinit/pkinit_clnt.c | 8 ++++ + ...nit_kdf_constants.c => pkinit_constants.c} | 24 ++++++++++++ + src/plugins/preauth/pkinit/pkinit_crypto.h | 16 ++++++++ + .../preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++++++++++++ + 5 files changed, 89 insertions(+), 2 deletions(-) + rename src/plugins/preauth/pkinit/{pkinit_kdf_constants.c => pkinit_constants.c} (76%) + +diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in +index d20fb18a8..97aaded03 100644 +--- a/src/plugins/preauth/pkinit/Makefile.in ++++ b/src/plugins/preauth/pkinit/Makefile.in +@@ -18,7 +18,7 @@ STLIBOBJS= \ + pkinit_srv.o \ + pkinit_lib.o \ + pkinit_clnt.o \ +- pkinit_kdf_constants.o \ ++ pkinit_constants.o \ + pkinit_profile.o \ + pkinit_identity.o \ + pkinit_matching.o \ +@@ -29,7 +29,7 @@ SRCS= \ + $(srcdir)/pkinit_srv.c \ + $(srcdir)/pkinit_lib.c \ + $(srcdir)/pkinit_kdf_test.c \ +- $(srcdir)/pkinit_kdf_constants.c \ ++ $(srcdir)/pkinit_constants.c \ + $(srcdir)/pkinit_clnt.c \ + $(srcdir)/pkinit_profile.c \ + $(srcdir)/pkinit_identity.c \ +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index a385da7c3..2817cc213 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ 
-212,6 +212,14 @@ pkinit_as_req_create(krb5_context context, + auth_pack.clientPublicValue = &info; + auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; + ++ /* add List of CMS algorithms */ ++ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, ++ reqctx->idctx, &cmstypes); ++ auth_pack.supportedCMSTypes = cmstypes; ++ if (retval) ++ goto cleanup; ++ + switch(protocol) { + case DH_PROTOCOL: + TRACE_PKINIT_CLIENT_REQ_DH(context); +diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c +similarity index 76% +rename from src/plugins/preauth/pkinit/pkinit_kdf_constants.c +rename to src/plugins/preauth/pkinit/pkinit_constants.c +index 1604f1670..1832e8f7b 100644 +--- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c ++++ b/src/plugins/preauth/pkinit/pkinit_constants.c +@@ -57,3 +57,27 @@ krb5_data const * const supported_kdf_alg_ids[] = { + &sha512_id, + NULL + }; ++ ++/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) ++ * rsadsi(113549) pkcs(1) 1 11 */ ++static char sha256WithRSAEncr_oid[9] = { ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b ++}; ++/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) ++ * rsadsi(113549) pkcs(1) 1 13 */ ++static char sha512WithRSAEncr_oid[9] = { ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d ++}; ++ ++const krb5_data sha256WithRSAEncr_id = { ++ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid ++}; ++const krb5_data sha512WithRSAEncr_id = { ++ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid ++}; ++ ++krb5_data const * const supported_cms_algs[] = { ++ &sha512WithRSAEncr_id, ++ &sha256WithRSAEncr_id, ++ NULL ++}; +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 1f9868351..f38a77093 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ 
-380,6 +380,18 @@ krb5_error_code server_process_dh + unsigned int *server_key_len_out); /* OUT + receives length of DH secret key */ + ++/* ++ * this functions takes in crypto specific representation of ++ * supportedCMSTypes and creates a list of ++ * krb5_algorithm_identifier ++ */ ++krb5_error_code create_krb5_supportedCMSTypes ++ (krb5_context context, /* IN */ ++ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ ++ pkinit_req_crypto_context req_cryptoctx, /* IN */ ++ pkinit_identity_crypto_context id_cryptoctx, /* IN */ ++ krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ ++ + /* + * this functions takes in crypto specific representation of + * trustedCertifiers and creates a list of +@@ -617,6 +629,10 @@ extern const size_t krb5_pkinit_sha512_oid_len; + */ + extern krb5_data const * const supported_kdf_alg_ids[]; + ++/* CMS signature algorithms supported by this implementation, in order of ++ * decreasing preference. */ ++extern krb5_data const * const supported_cms_algs[]; ++ + krb5_error_code + crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, + uint8_t **der_out, size_t *der_len); +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 2a6ef4aaa..41a7464b5 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -5582,6 +5582,45 @@ cleanup: + return retval; + } + ++krb5_error_code ++create_krb5_supportedCMSTypes(krb5_context context, ++ pkinit_plg_crypto_context plg_cryptoctx, ++ pkinit_req_crypto_context req_cryptoctx, ++ pkinit_identity_crypto_context id_cryptoctx, ++ krb5_algorithm_identifier ***algs_out) ++{ ++ krb5_error_code ret; ++ krb5_algorithm_identifier **algs = NULL; ++ size_t i, count; ++ ++ *algs_out = NULL; ++ ++ /* Count supported OIDs and allocate list (including null terminator). 
*/ ++ for (count = 0; supported_cms_algs[count] != NULL; count++); ++ algs = k5calloc(count + 1, sizeof(*algs), &ret); ++ if (algs == NULL) ++ goto cleanup; ++ ++ /* Add an algorithm identifier for each OID, with no parameters. */ ++ for (i = 0; i < count; i++) { ++ algs[i] = k5alloc(sizeof(*algs[i]), &ret); ++ if (algs[i] == NULL) ++ goto cleanup; ++ ret = krb5int_copy_data_contents(context, supported_cms_algs[i], ++ &algs[i]->algorithm); ++ if (ret) ++ goto cleanup; ++ algs[i]->parameters = empty_data(); ++ } ++ ++ *algs_out = algs; ++ algs = NULL; ++ ++cleanup: ++ free_krb5_algorithm_identifiers(&algs); ++ return ret; ++} ++ + krb5_error_code + create_krb5_trustedCertifiers(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, +-- +2.35.3 + diff --git a/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch new file mode 100644 index 0000000..814043e --- /dev/null +++ b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch 
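Review bot: The comment above `sha512WithRSAEncr_oid` in pkinit_constants.c is a copy of the sha256 one and still reads `RFC 4055 sha256WithRSAEncryption: ... 1 13`; arc 13 is sha512WithRSAEncryption, so it should read `/* RFC 4055 sha512WithRSAEncryption: iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 13 */`. In pkinit_clnt.c the result is stored with `auth_pack.supportedCMSTypes = cmstypes;` before `retval` is checked; that is harmless because create_krb5_supportedCMSTypes sets `*algs_out = NULL` before any failure path, but placing the assignment after `if (retval) goto cleanup;` would read more naturally and match the surrounding assignments. pkinit_as_req_create begins and ends outside the hunk, so the declaration of `cmstypes` and its release under `cleanup:` are not visible here and should be confirmed. In create_krb5_supportedCMSTypes the empty-bodied counting loop `for (count = 0; supported_cms_algs[count] != NULL; count++);` is easy to misread as a dangling semicolon; a `{}` body or a trailing comment would make the intent explicit.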
@@ -0,0 +1,91 @@ +From ad8e02485791023dcf66ef4612616f03895ceeb3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 4 Mar 2022 00:45:00 -0500 +Subject: [PATCH] Try harder to avoid password change replay errors + +Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed +change_set_password() to prefer TCP. However, because UDP_LAST falls +back to UDP after one second, we can still get a replay error due to a +dropped packet, before the TCP layer has a chance to retry. + +Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after +TCP fails completely without reaching a server. In sendto_kdc.c, +implement an ONLY_UDP transport strategy to allow the UDP fallback. + +ticket: 9037 +--- + src/lib/krb5/os/changepw.c | 9 ++++++++- + src/lib/krb5/os/os-proto.h | 1 + + src/lib/krb5/os/sendto_kdc.c | 12 ++++++++---- + 3 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c +index 9f968da7f..c59232586 100644 +--- a/src/lib/krb5/os/changepw.c ++++ b/src/lib/krb5/os/changepw.c +@@ -255,9 +255,16 @@ change_set_password(krb5_context context, + callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup; + krb5_free_data_contents(callback_ctx.context, &chpw_rep); + ++ /* UDP retransmits may be seen as replays. Only try UDP after other ++ * transports fail completely. 
*/ + code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, +- &sl, UDP_LAST, &callback_info, &chpw_rep, ++ &sl, NO_UDP, &callback_info, &chpw_rep, + ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); ++ if (code == KRB5_KDC_UNREACH) { ++ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, ++ &sl, ONLY_UDP, &callback_info, &chpw_rep, ++ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); ++ } + if (code) + goto cleanup; + +diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h +index a985f2aec..91d2791ce 100644 +--- a/src/lib/krb5/os/os-proto.h ++++ b/src/lib/krb5/os/os-proto.h +@@ -49,6 +49,7 @@ typedef enum { + UDP_FIRST = 0, + UDP_LAST, + NO_UDP, ++ ONLY_UDP + } k5_transport_strategy; + + /* A single server hostname or address. */ +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 0eedec175..c7f5d861a 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -802,11 +802,14 @@ resolve_server(krb5_context context, const krb5_data *realm, + int err, result; + char portbuf[PORT_LENGTH]; + +- /* Skip UDP entries if we don't want UDP. */ ++ /* Skip entries excluded by the strategy. */ + if (strategy == NO_UDP && entry->transport == UDP) + return 0; ++ if (strategy == ONLY_UDP && entry->transport != UDP && ++ entry->transport != TCP_OR_UDP) ++ return 0; + +- transport = (strategy == UDP_FIRST) ? UDP : TCP; ++ transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP; + if (entry->hostname == NULL) { + /* Added by a module, so transport is either TCP or UDP. */ + ai.ai_socktype = socktype_for_transport(entry->transport); +@@ -850,8 +853,9 @@ resolve_server(krb5_context context, const krb5_data *realm, + } + + /* For TCP_OR_UDP entries, add each address again with the non-preferred +- * transport, unless we are avoiding UDP. Flag these as deferred. */ +- if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) { ++ * transport, if there is one. 
Flag these as deferred. */ ++ if (retval == 0 && entry->transport == TCP_OR_UDP && ++ (strategy == UDP_FIRST || strategy == UDP_LAST)) { + transport = (strategy == UDP_FIRST) ? TCP : UDP; + for (a = addrs; a != 0 && retval == 0; a = a->ai_next) { + a->ai_socktype = socktype_for_transport(transport); +-- +2.35.1 + diff --git a/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch b/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch new file mode 100644 index 0000000..78922f6 --- /dev/null +++ b/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch 
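Review bot: The UDP fallback in change_set_password reuses `&addrlen` and `&chpw_rep` from the first k5_sendto call without resetting them; if k5_sendto stores into `*addrlen` or fills `chpw_rep` on a path that still returns KRB5_KDC_UNREACH, the retry would run with a shortened address buffer or overwrite the earlier contents without freeing them, so this is worth confirming against k5_sendto, or `addrlen` should be reset to its initial value before the retry. The fallback is correctly limited to KRB5_KDC_UNREACH, so a genuine reply or error from a server (including a replay error) is never retried over UDP, which is the property the commit message relies on; saying so at the retry site, e.g. `/* Fall back to UDP only when no server was reachable over TCP. */`, would keep that visible to the next editor. change_set_password starts and ends outside the hunk, and the initialisation of `addrlen` is not visible here.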
@@ -0,0 +1,82 @@ +From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 5 May 2022 17:15:12 +0200 +Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS + +libkrad allows to establish connections only to UNIX socket in FIPS +mode, because MD5 digest is not considered safe enough to be used for +network communication. However, FreeRadius requires connection on TCP or +UDP ports. + +This commit allows TCP or UDP connections in FIPS mode if destination is +localhost. + +Resolves: rhbz#2068458 +--- + src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c +index eca432424..c8912892c 100644 +--- a/src/lib/krad/remote.c ++++ b/src/lib/krad/remote.c +@@ -33,6 +33,7 @@ + + #include + #include ++#include + + #include + +@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev); + static void + on_timeout(verto_ctx *ctx, verto_ev *ev); + ++static in_addr_t get_in_addr(struct addrinfo *info) ++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; } ++ ++static struct in6_addr *get_in6_addr(struct addrinfo *info) ++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); } ++ ++static bool is_inet_localhost(struct addrinfo *info) ++{ ++ struct addrinfo *p; ++ ++ for (p = info; p; p = p->ai_next) { ++ switch (p->ai_family) { ++ case AF_INET: ++ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET ++ >> IN_CLASSA_NSHIFT)) ++ return false; ++ break; ++ case AF_INET6: ++ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p))) ++ return false; ++ break; ++ default: ++ return false; ++ } ++ } ++ ++ return true; ++} ++ ++ + /* Iterate over the set of outstanding packets. 
*/ + static const krad_packet * + iterator(request **out) +@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, + (krad_packet_iter_cb)iterator, &r, &tmp); + if (retval != 0) + goto error; +- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL && +- rr->info->ai_family != AF_UNIX) { ++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL ++ && rr->info->ai_family != AF_UNIX ++ && !is_inet_localhost(rr->info)) { + /* This would expose cleartext passwords, so abort. */ + retval = ESOCKTNOSUPPORT; + goto error; +-- +2.35.1 + diff --git a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index a1f5629..ba49d8c 100644 --- a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From a7318c3cd6e1f58adb80493c05b59e6c180cd584 Mon Sep 17 00:00:00 2001 +From 4f8cba1780bc167c52de2a791cad6a1817508bbe Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 23 Feb 2022 17:34:33 +0100 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 
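Review bot: In is_inet_localhost the AF_INET test `IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET >> IN_CLASSA_NSHIFT)` does not compute the class-A network number: `>>` binds tighter than `&`, so the expression masks `s_addr` with 0xff, and because `s_addr` is in network byte order the octet tested depends on host endianness — on little-endian hosts it happens to be the first octet, on big-endian hosts it is the last, where 127.0.0.1 is rejected and any address ending in .127 is accepted as loopback. Since this result decides whether RADIUS traffic that the existing comment describes as exposing cleartext passwords may leave a UNIX socket in FIPS mode, the check should be `if (IN_LOOPBACKNET != ((ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT))`. The helper also returns true for an empty addrinfo list because the loop body never runs; returning false when `info` is NULL keeps it fail-closed. The `#include` lines in this hunk lost their header names in this rendering, so whether the header providing `ntohl` is already included cannot be confirmed here.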
@@ -28,24 +28,26 @@ global context. Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any effect anymore. +post9 load both default and legacy provider into library context + Last-updated: krb5-1.19 --- doc/admin/conf_files/krb5_conf.rst | 6 ++ src/lib/crypto/krb/prng.c | 11 ++- .../crypto/openssl/enc_provider/camellia.c | 6 ++ - src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++- - .../crypto/openssl/hash_provider/hash_evp.c | 85 ++++++++++++++++++- + src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++- + .../crypto/openssl/hash_provider/hash_evp.c | 93 ++++++++++++++++++- src/lib/crypto/openssl/hmac.c | 6 +- - src/lib/krad/attr.c | 46 ++++++++--- + src/lib/krad/attr.c | 46 ++++++--- src/lib/krad/attrset.c | 5 +- - src/lib/krad/internal.h | 28 ++++++- - src/lib/krad/packet.c | 22 +++--- - src/lib/krad/remote.c | 10 ++- + src/lib/krad/internal.h | 28 +++++- + src/lib/krad/packet.c | 22 +++-- + src/lib/krad/remote.c | 10 +- src/lib/krad/t_attr.c | 3 +- src/lib/krad/t_attrset.c | 4 +- src/plugins/preauth/spake/spake_client.c | 6 ++ src/plugins/preauth/spake/spake_kdc.c | 6 ++ - 15 files changed, 218 insertions(+), 35 deletions(-) + 15 files changed, 230 insertions(+), 35 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 675175955..adba8238d 100644 @@ -158,10 +160,10 @@ index bc87c6f42..9bf407899 100644 * The cipher state here is a saved pointer to a struct arcfour_state * object, rather than a flat byte array as in most enc providers. The diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c -index 1e0fb8fc3..4b8e1a6b2 100644 +index 1e0fb8fc3..57bca3fec 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c +++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c -@@ -32,6 +32,50 @@ +@@ -32,6 +32,46 @@ #include "crypto_int.h" #include 
@@ -170,8 +172,8 @@ index 1e0fb8fc3..4b8e1a6b2 100644 + +typedef struct ossl_lib_md_context { + OSSL_LIB_CTX *libctx; ++ OSSL_PROVIDER *default_provider; + OSSL_PROVIDER *legacy_provider; -+ EVP_MD *md; +} ossl_md_context_t; + +static thread_local ossl_md_context_t *ossl_md_ctx = NULL; @@ -183,15 +185,11 @@ index 1e0fb8fc3..4b8e1a6b2 100644 + if (!ctx->libctx) + return KRB5_CRYPTO_INTERNAL; + -+ /* -+ * Load both legacy and default provider as both may be needed. -+ * If they fail keep going and an error will be raised when we try to -+ * fetch the cipher later. -+ */ ++ /* Load both legacy and default provider as both may be needed. */ ++ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default"); + ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy"); + -+ ctx->md = EVP_MD_fetch(ctx->libctx, algo, NULL); -+ if (!ctx->md) ++ if (!(ctx->default_provider && ctx->legacy_provider)) + return KRB5_CRYPTO_INTERNAL; + + return 0; @@ -200,19 +198,19 @@ index 1e0fb8fc3..4b8e1a6b2 100644 +static void +deinit_ossl_ctx(ossl_md_context_t *ctx) +{ -+ if (ctx->md) -+ EVP_MD_free(ctx->md); -+ + if (ctx->legacy_provider) + OSSL_PROVIDER_unload(ctx->legacy_provider); + ++ if (ctx->default_provider) ++ OSSL_PROVIDER_unload(ctx->default_provider); ++ + if (ctx->libctx) + OSSL_LIB_CTX_free(ctx->libctx); +} static krb5_error_code hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, -@@ -61,16 +104,53 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, +@@ -61,16 +101,65 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, return ok ? 0 : KRB5_CRYPTO_INTERNAL; } 
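Review bot: In init_ossl_md_ctx the new check `if (!(ctx->default_provider && ctx->legacy_provider)) return KRB5_CRYPTO_INTERNAL;` returns while whichever provider did load is still attached to `ctx->libctx`; whether the caller's `if (err) {` block, cut off at the hunk boundary, runs deinit_ossl_ctx before discarding the context is not visible, so either confirm that or unload the loaded provider before returning. With the `EVP_MD_fetch` call removed from this function, the `algo` argument that the caller still passes in `init_ossl_md_ctx(ossl_md_ctx, algo)` appears to have no remaining use inside the hunk; the signature lies outside the hunk, so if that is the case the parameter should be dropped and the call site adjusted. The shortened comment `/* Load both legacy and default provider as both may be needed. */` no longer says what happens on failure, which this revision changed from best-effort to fatal; `/* Both providers are required; fail if either cannot be loaded. */` would describe the new behaviour.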
@@ -221,11 +219,14 @@ index 1e0fb8fc3..4b8e1a6b2 100644 + krb5_data *output) +{ + krb5_error_code err; ++ EVP_MD *md = NULL; + + if (!ossl_md_ctx) { + ossl_md_ctx = malloc(sizeof(ossl_md_context_t)); -+ if (!ossl_md_ctx) -+ return ENOMEM; ++ if (!ossl_md_ctx) { ++ err = ENOMEM; ++ goto end; ++ } + + err = init_ossl_md_ctx(ossl_md_ctx, algo); + if (err) { @@ -236,9 +237,18 @@ index 1e0fb8fc3..4b8e1a6b2 100644 + } + } + -+ err = hash_evp(ossl_md_ctx->md, data, num_data, output); ++ md = EVP_MD_fetch(ossl_md_ctx->libctx, algo, NULL); ++ if (!md) { ++ err = KRB5_CRYPTO_INTERNAL; ++ goto end; ++ } ++ ++ err = hash_evp(md, data, num_data, output); + +end: ++ if (md) ++ EVP_MD_free(md); ++ + return err; +} + @@ -684,3 +694,6 @@ index 88c964ce1..c7df0392f 100644 vt = (krb5_kdcpreauth_vtable)vtable; vt->name = "spake"; vt->pa_type_list = pa_types; +-- +2.35.1 + diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch new file mode 100644 index 0000000..bdb22f9 --- /dev/null +++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch 
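Review bot: In the `end:` path of the hash wrapper, `if (md) EVP_MD_free(md);` guards a call that already accepts NULL, so the guard can be dropped to `EVP_MD_free(md);` in line with the unconditional cleanup style used elsewhere in the function. Fetching and freeing the EVP_MD on every call is correct with the per-thread library context, but a one-line comment such as `/* Fetch per call; the thread-local libctx only keeps the providers loaded. */` would explain why the digest is no longer cached in ossl_md_context_t. The enclosing function's signature is outside the hunk.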
@@ -0,0 +1,727 @@ +From 20cbbd0b273af56c6d527c8e6b9d96eef49926f2 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 31 Mar 2022 18:24:39 +0200 +Subject: [PATCH] Use newly enforced dejagnu path naming convention + +Since version 1.6.3, dejagnu started to enforce a naming convention that +was already in place, but not mandatory: dejagnu test directories have +to be named "testsuite". If they don't implicit relative sub-paths +resolution (e.g. "lib", "config") is not forking. + +This commit renames kadm5 library's unit tests and global tests +directories to match this requirement. + +Resolves: rhbz#2053133 + +Signed-off-by: Julien Rische +--- + src/configure.ac | 4 +-- + src/lib/kadm5/Makefile.in | 2 +- + .../{unit-test => testsuite}/Makefile.in | 28 +++++++++--------- + .../api.2/crte-policy.exp | 0 + .../api.2/get-policy.exp | 0 + .../api.2/mod-policy.exp | 0 + .../api.current/chpass-principal-v2.exp | 0 + .../api.current/chpass-principal.exp | 0 + .../api.current/crte-policy.exp | 0 + .../api.current/crte-principal.exp | 0 + .../api.current/destroy.exp | 0 + .../api.current/dlte-policy.exp | 0 + .../api.current/dlte-principal.exp | 0 + .../api.current/get-policy.exp | 0 + .../api.current/get-principal-v2.exp | 0 + .../api.current/get-principal.exp | 0 + .../api.current/init-v2.exp | 0 + .../api.current/init.exp | 0 + .../api.current/mod-policy.exp | 0 + .../api.current/mod-principal-v2.exp | 0 + .../api.current/mod-principal.exp | 0 + .../api.current/randkey-principal-v2.exp | 0 + .../api.current/randkey-principal.exp | 0 + .../{unit-test => testsuite}/config/unix.exp | 0 + src/lib/kadm5/{unit-test => testsuite}/deps | 0 + .../{unit-test => testsuite}/destroy-test.c | 0 + .../diff-files/destroy-1 | 0 + .../diff-files/no-diffs | 0 + .../{unit-test => testsuite}/handle-test.c | 0 + .../{unit-test => testsuite}/init-test.c | 0 + .../{unit-test => testsuite}/iter-test.c | 0 + .../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +- + .../{unit-test => 
testsuite}/lock-test.c | 0 + .../{unit-test => testsuite}/randkey-test.c | 0 + .../{unit-test => testsuite}/setkey-test.c | 0 + .../kadm5/{unit-test => testsuite}/site.exp | 0 + src/tests/Makefile.in | 2 +- + src/tests/t_authdata.py | 2 +- + src/tests/t_certauth.py | 2 +- + src/tests/t_pkinit.py | 2 +- + src/tests/t_proxy.py | 12 ++++---- + src/tests/{dejagnu => testsuite}/Makefile.in | 4 +-- + .../{dejagnu => testsuite}/config/default.exp | 2 +- + src/tests/{dejagnu => testsuite}/deps | 0 + .../krb-standalone/gssapi.exp | 2 +- + .../krb-standalone/kprop.exp | 0 + .../krb-standalone/princexpire.exp | 0 + .../krb-standalone/sample.exp | 2 +- + .../krb-standalone/simple.exp | 2 +- + .../krb-standalone/standalone.exp | 0 + .../krb-standalone/tcp.exp | 0 + .../pkinit-certs/ca.pem | 0 + .../pkinit-certs/generic.p12 | Bin + .../pkinit-certs/generic.pem | 0 + .../pkinit-certs/kdc.pem | 0 + .../pkinit-certs/make-certs.sh | 0 + .../pkinit-certs/privkey-enc.pem | 0 + .../pkinit-certs/privkey.pem | 0 + .../pkinit-certs/user-enc.p12 | Bin + .../pkinit-certs/user-upn.p12 | Bin + .../pkinit-certs/user-upn.pem | 0 + .../pkinit-certs/user-upn2.p12 | Bin + .../pkinit-certs/user-upn2.pem | 0 + .../pkinit-certs/user-upn3.p12 | Bin + .../pkinit-certs/user-upn3.pem | 0 + .../pkinit-certs/user.p12 | Bin + .../pkinit-certs/user.pem | 0 + .../{dejagnu => testsuite}/proxy-certs/ca.pem | 0 + .../proxy-certs/make-certs.sh | 0 + .../proxy-certs/proxy-badsig.pem | 0 + .../proxy-certs/proxy-ideal.pem | 0 + .../proxy-certs/proxy-no-match.pem | 0 + .../proxy-certs/proxy-san.pem | 0 + .../proxy-certs/proxy-subject.pem | 0 + src/tests/{dejagnu => testsuite}/t_inetd.c | 2 +- + src/util/k5test.py | 2 +- + 76 files changed, 36 insertions(+), 36 deletions(-) + rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%) + rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%) + rename 
src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/deps (100%) + rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%) + rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%) + rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%) + 
rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%) + rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%) + rename src/tests/{dejagnu => testsuite}/Makefile.in (92%) + rename src/tests/{dejagnu => testsuite}/config/default.exp (99%) + rename src/tests/{dejagnu => testsuite}/deps (100%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/gssapi.exp (98%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/kprop.exp (100%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/princexpire.exp (100%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/sample.exp (98%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/simple.exp (98%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/standalone.exp (100%) + rename src/tests/{dejagnu => testsuite}/krb-standalone/tcp.exp (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/ca.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/kdc.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/make-certs.sh (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey-enc.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-enc.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.pem (100%) 
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.pem (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.p12 (100%) + rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/ca.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/make-certs.sh (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-badsig.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-ideal.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-no-match.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-san.pem (100%) + rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-subject.pem (100%) + rename src/tests/{dejagnu => testsuite}/t_inetd.c (99%) + +diff --git a/src/configure.ac b/src/configure.ac +index 20066918b..363d5d62d 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1500,7 +1500,7 @@ V5_AC_OUTPUT_MAKEFILE(. + + lib/rpc lib/rpc/unit-test + +- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test ++ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite + lib/krad + lib/apputils + +@@ -1544,5 +1544,5 @@ V5_AC_OUTPUT_MAKEFILE(. + appl/gss-sample appl/user_user + + tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi +- tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc ++ tests/testsuite tests/threads tests/shlib tests/gss-threads tests/misc + ) +diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in +index c4eaad38d..76fc4b548 100644 +--- a/src/lib/kadm5/Makefile.in ++++ b/src/lib/kadm5/Makefile.in +@@ -1,6 +1,6 @@ + mydir=lib$(S)kadm5 + BUILDTOP=$(REL)..$(S).. +-SUBDIRS = clnt srv unit-test ++SUBDIRS = clnt srv testsuite + + ##DOSBUILDTOP = ..\.. 
+ +diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in +similarity index 86% +rename from src/lib/kadm5/unit-test/Makefile.in +rename to src/lib/kadm5/testsuite/Makefile.in +index 68fa097ff..5a55b786b 100644 +--- a/src/lib/kadm5/unit-test/Makefile.in ++++ b/src/lib/kadm5/testsuite/Makefile.in +@@ -1,4 +1,4 @@ +-mydir=lib$(S)kadm5$(S)unit-test ++mydir=lib$(S)kadm5$(S)testsuite + BUILDTOP=$(REL)..$(S)..$(S).. + KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) + +@@ -61,7 +61,7 @@ runenv.exp: Makefile + eval echo "set env\($$i\) \$$$$i"; done > runenv.exp + + # +-# The unit-test targets ++# The testsuite targets + # + + check: check-@DO_TEST@ +@@ -72,13 +72,13 @@ check-: + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" + +-check-ok unit-test: unit-test-client unit-test-server ++check-ok testsuite: testsuite-client testsuite-server + +-unit-test-client: unit-test-client-setup unit-test-client-body \ +- unit-test-client-cleanup ++testsuite-client: testsuite-client-setup testsuite-client-body \ ++ testsuite-client-cleanup + +-unit-test-server: unit-test-server-setup unit-test-server-body \ +- unit-test-server-cleanup ++testsuite-server: testsuite-server-setup testsuite-server-body \ ++ testsuite-server-cleanup + + test-randkey: randkey-test + $(ENV_SETUP) $(VALGRIND) ./randkey-test +@@ -98,19 +98,19 @@ test-destroy: destroy-test + test-setkey-client: client-setkey-test + $(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin + +-unit-test-client-setup: runenv.sh ++testsuite-client-setup: runenv.sh + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) + +-unit-test-client-cleanup: ++testsuite-client-cleanup: + $(ENV_SETUP) $(STOP_SERVERS) + +-unit-test-server-setup: runenv.sh ++testsuite-server-setup: runenv.sh + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL) + +-unit-test-server-cleanup: ++testsuite-server-cleanup: + $(ENV_SETUP) $(STOP_SERVERS_LOCAL) + +-unit-test-client-body: site.exp test-noauth test-destroy 
test-handle-client \ ++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \ + test-setkey-client runenv.exp + $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \ + KINIT=$(BUILDTOP)/clients/kinit/kinit \ +@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \ + -mv api.log capi.log + -mv api.sum capi.sum + +-unit-test-server-body: site.exp test-handle-server lock-test ++testsuite-server-body: site.exp test-handle-server lock-test + $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \ + LOCKTEST=./lock-test \ + KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \ +@@ -140,4 +140,4 @@ clean: + $(RM) lock-test lock-test.o + $(RM) server-iter-test iter-test.o + $(RM) server-setkey-test client-setkey-test setkey-test.o +- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp ++ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp +diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp +rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/get-policy.exp +rename to src/lib/kadm5/testsuite/api.2/get-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp +rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp +diff --git 
a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp +rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp +rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp +rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/destroy.exp +rename to src/lib/kadm5/testsuite/api.current/destroy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp +rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp +rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-policy.exp +rename to src/lib/kadm5/testsuite/api.current/get-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp 
b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-principal.exp +rename to src/lib/kadm5/testsuite/api.current/get-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/init-v2.exp +rename to src/lib/kadm5/testsuite/api.current/init-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/init.exp +rename to src/lib/kadm5/testsuite/api.current/init.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp +rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp +rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp +similarity index 100% 
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp +rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp +diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/config/unix.exp +rename to src/lib/kadm5/testsuite/config/unix.exp +diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps +similarity index 100% +rename from src/lib/kadm5/unit-test/deps +rename to src/lib/kadm5/testsuite/deps +diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/destroy-test.c +rename to src/lib/kadm5/testsuite/destroy-test.c +diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1 +similarity index 100% +rename from src/lib/kadm5/unit-test/diff-files/destroy-1 +rename to src/lib/kadm5/testsuite/diff-files/destroy-1 +diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs +similarity index 100% +rename from src/lib/kadm5/unit-test/diff-files/no-diffs +rename to src/lib/kadm5/testsuite/diff-files/no-diffs +diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/handle-test.c +rename to src/lib/kadm5/testsuite/handle-test.c +diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/init-test.c +rename to src/lib/kadm5/testsuite/init-test.c +diff --git 
a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/iter-test.c +rename to src/lib/kadm5/testsuite/iter-test.c +diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t +similarity index 99% +rename from src/lib/kadm5/unit-test/lib/lib.t +rename to src/lib/kadm5/testsuite/lib/lib.t +index 3444775cf..327946849 100644 +--- a/src/lib/kadm5/unit-test/lib/lib.t ++++ b/src/lib/kadm5/testsuite/lib/lib.t +@@ -226,7 +226,7 @@ proc end_dump_compare {name} { + global RPC + + if { ! $RPC } { +-# set file $TOP/admin/lib/unit-test/diff-files/$name ++# set file $TOP/admin/lib/testsuite/diff-files/$name + # exec $env(SIMPLE_DUMP) > /tmp/dump.after + # exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file + } +diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/lock-test.c +rename to src/lib/kadm5/testsuite/lock-test.c +diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/randkey-test.c +rename to src/lib/kadm5/testsuite/randkey-test.c +diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/setkey-test.c +rename to src/lib/kadm5/testsuite/setkey-test.c +diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/site.exp +rename to src/lib/kadm5/testsuite/site.exp +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index 20f27d748..1198dca0c 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -1,6 +1,6 @@ + mydir=tests + BUILDTOP=$(REL).. 
+-SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \ ++SUBDIRS = asn.1 create hammer verify gssapi testsuite shlib gss-threads misc \ + threads softpkcs11 + + RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ +diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py +index 2e01f46bc..e5135f435 100644 +--- a/src/tests/t_authdata.py ++++ b/src/tests/t_authdata.py +@@ -57,7 +57,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): + skipped('anonymous ticket authdata tests', 'PKINIT not built') + else: + # Set up a realm with PKINIT support and get anonymous tickets. +- certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') ++ certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs') + ca_pem = os.path.join(certs, 'ca.pem') + kdc_pem = os.path.join(certs, 'kdc.pem') + privkey_pem = os.path.join(certs, 'privkey.pem') +diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py +index 0fe0fdb4a..bfa5bfc96 100644 +--- a/src/tests/t_certauth.py ++++ b/src/tests/t_certauth.py +@@ -4,7 +4,7 @@ from k5test import * + if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): + skip_rest('certauth tests', 'PKINIT module not built') + +-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') ++certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs') + ca_pem = os.path.join(certs, 'ca.pem') + kdc_pem = os.path.join(certs, 'kdc.pem') + privkey_pem = os.path.join(certs, 'privkey.pem') +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index aee4da2b1..8763ce484 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -7,7 +7,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): + soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so') + + # Construct a krb5.conf fragment configuring pkinit. 
+-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') ++certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs') + ca_pem = os.path.join(certs, 'ca.pem') + kdc_pem = os.path.join(certs, 'kdc.pem') + user_pem = os.path.join(certs, 'user.pem') +diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py +index 3069eaa8f..6ae5c8c8e 100755 +--- a/src/tests/t_proxy.py ++++ b/src/tests/t_proxy.py +@@ -10,17 +10,17 @@ except: + + # Construct a krb5.conf fragment configuring the client to use a local proxy + # server. +-proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', ++proxysubjectpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', + 'proxy-subject.pem') +-proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', ++proxysanpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', + 'proxy-san.pem') +-proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', ++proxyidealpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', + 'proxy-ideal.pem') +-proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', ++proxywrongpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', + 'proxy-no-match.pem') +-proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', ++proxybadpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', + 'proxy-badsig.pem') +-proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem') ++proxyca = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', 'ca.pem') + proxyurl = 'https://localhost:$port5/KdcProxy' + proxyurlupcase = 'https://LocalHost:$port5/KdcProxy' + proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy' +diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/testsuite/Makefile.in +similarity index 92% +rename from src/tests/dejagnu/Makefile.in +rename to src/tests/testsuite/Makefile.in +index e78e270ed..d3efe3606 100644 +--- a/src/tests/dejagnu/Makefile.in ++++ b/src/tests/testsuite/Makefile.in 
+@@ -1,4 +1,4 @@ +-mydir=tests$(S)dejagnu ++mydir=tests$(S)testsuite + BUILDTOP=$(REL)..$(S).. + RUNTEST = @RUNTEST@ $(DEJAFLAGS) + RUNTESTFLAGS = +@@ -13,7 +13,7 @@ check: check-runtest-@HAVE_RUNTEST@ + + check-runtest-no: + @echo "+++" +- @echo "+++ WARNING: tests/dejagnu tests not run." ++ @echo "+++ WARNING: tests/testsuite tests not run." + @echo "+++ runtest is unavailable." + @echo "+++" + @echo 'Skipped dejagnu tests: runtest not found' >> $(SKIPTESTS) +diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/testsuite/config/default.exp +similarity index 99% +rename from src/tests/dejagnu/config/default.exp +rename to src/tests/testsuite/config/default.exp +index 302dee74c..1492fac32 100644 +--- a/src/tests/dejagnu/config/default.exp ++++ b/src/tests/testsuite/config/default.exp +@@ -256,7 +256,7 @@ verbose "Test realm is $REALMNAME" + + # Find some programs we need. We use the binaries from the build tree + # if they exist. If they do not, then they must be in PATH. We +-# expect $objdir to be ...tests/dejagnu. ++# expect $objdir to be ...tests/testsuite. + + foreach i { + {KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util} +diff --git a/src/tests/dejagnu/deps b/src/tests/testsuite/deps +similarity index 100% +rename from src/tests/dejagnu/deps +rename to src/tests/testsuite/deps +diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/testsuite/krb-standalone/gssapi.exp +similarity index 98% +rename from src/tests/dejagnu/krb-standalone/gssapi.exp +rename to src/tests/testsuite/krb-standalone/gssapi.exp +index e3357e769..d176e210c 100644 +--- a/src/tests/dejagnu/krb-standalone/gssapi.exp ++++ b/src/tests/testsuite/krb-standalone/gssapi.exp +@@ -2,7 +2,7 @@ + # This is a DejaGnu test script. + # This script tests that the GSS-API tester functions correctly. + +-# This mostly just calls procedures in test/dejagnu/config/default.exp. ++# This mostly just calls procedures in test/testsuite/config/default.exp. 
+ + if ![info exists KDESTROY] { + set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy] +diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/testsuite/krb-standalone/kprop.exp +similarity index 100% +rename from src/tests/dejagnu/krb-standalone/kprop.exp +rename to src/tests/testsuite/krb-standalone/kprop.exp +diff --git a/src/tests/dejagnu/krb-standalone/princexpire.exp b/src/tests/testsuite/krb-standalone/princexpire.exp +similarity index 100% +rename from src/tests/dejagnu/krb-standalone/princexpire.exp +rename to src/tests/testsuite/krb-standalone/princexpire.exp +diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/testsuite/krb-standalone/sample.exp +similarity index 98% +rename from src/tests/dejagnu/krb-standalone/sample.exp +rename to src/tests/testsuite/krb-standalone/sample.exp +index 93a75f1d0..009de5ddb 100644 +--- a/src/tests/dejagnu/krb-standalone/sample.exp ++++ b/src/tests/testsuite/krb-standalone/sample.exp +@@ -2,7 +2,7 @@ + # This is a DejaGnu test script. + # This script tests that sample user-user communication works. + +-# This mostly just calls procedures in test/dejagnu/config/default.exp. ++# This mostly just calls procedures in test/testsuite/config/default.exp. + + if ![info exists KLIST] { + set KLIST [findfile $objdir/../../clients/klist/klist] +diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/testsuite/krb-standalone/simple.exp +similarity index 98% +rename from src/tests/dejagnu/krb-standalone/simple.exp +rename to src/tests/testsuite/krb-standalone/simple.exp +index d8b218248..92b33066e 100644 +--- a/src/tests/dejagnu/krb-standalone/simple.exp ++++ b/src/tests/testsuite/krb-standalone/simple.exp +@@ -2,7 +2,7 @@ + # This is a DejaGnu test script. + # This script tests that krb-safe and krb-priv messages work. + +-# This mostly just calls procedures in test/dejagnu/config/default.exp. ++# This mostly just calls procedures in test/testsuite/config/default.exp. 
+ + if ![info exists KLIST] { + set KLIST [findfile $objdir/../../clients/klist/klist] +diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/testsuite/krb-standalone/standalone.exp +similarity index 100% +rename from src/tests/dejagnu/krb-standalone/standalone.exp +rename to src/tests/testsuite/krb-standalone/standalone.exp +diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/testsuite/krb-standalone/tcp.exp +similarity index 100% +rename from src/tests/dejagnu/krb-standalone/tcp.exp +rename to src/tests/testsuite/krb-standalone/tcp.exp +diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/testsuite/pkinit-certs/ca.pem +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/ca.pem +rename to src/tests/testsuite/pkinit-certs/ca.pem +diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/testsuite/pkinit-certs/generic.p12 +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/generic.p12 +rename to src/tests/testsuite/pkinit-certs/generic.p12 +diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/testsuite/pkinit-certs/generic.pem +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/generic.pem +rename to src/tests/testsuite/pkinit-certs/generic.pem +diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/testsuite/pkinit-certs/kdc.pem +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/kdc.pem +rename to src/tests/testsuite/pkinit-certs/kdc.pem +diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/testsuite/pkinit-certs/make-certs.sh +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/make-certs.sh +rename to src/tests/testsuite/pkinit-certs/make-certs.sh +diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/testsuite/pkinit-certs/privkey-enc.pem +similarity index 100% +rename from src/tests/dejagnu/pkinit-certs/privkey-enc.pem +rename to src/tests/testsuite/pkinit-certs/privkey-enc.pem 
+diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/testsuite/pkinit-certs/privkey.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/privkey.pem
+rename to src/tests/testsuite/pkinit-certs/privkey.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/testsuite/pkinit-certs/user-enc.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-enc.p12
+rename to src/tests/testsuite/pkinit-certs/user-enc.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/testsuite/pkinit-certs/user-upn.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/testsuite/pkinit-certs/user-upn.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/testsuite/pkinit-certs/user-upn2.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn2.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn2.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/testsuite/pkinit-certs/user-upn2.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn2.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn2.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/testsuite/pkinit-certs/user-upn3.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn3.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn3.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/testsuite/pkinit-certs/user-upn3.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn3.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn3.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/testsuite/pkinit-certs/user.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user.p12
+rename to src/tests/testsuite/pkinit-certs/user.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/testsuite/pkinit-certs/user.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user.pem
+rename to src/tests/testsuite/pkinit-certs/user.pem
+diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/testsuite/proxy-certs/ca.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/ca.pem
+rename to src/tests/testsuite/proxy-certs/ca.pem
+diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/testsuite/proxy-certs/make-certs.sh
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/make-certs.sh
+rename to src/tests/testsuite/proxy-certs/make-certs.sh
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/testsuite/proxy-certs/proxy-badsig.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-badsig.pem
+rename to src/tests/testsuite/proxy-certs/proxy-badsig.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/testsuite/proxy-certs/proxy-ideal.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-ideal.pem
+rename to src/tests/testsuite/proxy-certs/proxy-ideal.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/testsuite/proxy-certs/proxy-no-match.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-no-match.pem
+rename to src/tests/testsuite/proxy-certs/proxy-no-match.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/testsuite/proxy-certs/proxy-san.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-san.pem
+rename to src/tests/testsuite/proxy-certs/proxy-san.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/testsuite/proxy-certs/proxy-subject.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-subject.pem
+rename to src/tests/testsuite/proxy-certs/proxy-subject.pem
+diff --git a/src/tests/dejagnu/t_inetd.c b/src/tests/testsuite/t_inetd.c
+similarity index 99%
+rename from src/tests/dejagnu/t_inetd.c
+rename to src/tests/testsuite/t_inetd.c
+index abcde50fa..2bad2cf65 100644
+--- a/src/tests/dejagnu/t_inetd.c
++++ b/src/tests/testsuite/t_inetd.c
+@@ -1,5 +1,5 @@
+ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* tests/dejagnu/t_inetd.c */
++/* tests/testsuite/t_inetd.c */
+ /*
+ * Copyright 1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index 251d11a9d..908a1495c 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -1383,7 +1383,7 @@ kswitch = os.path.join(buildtop, 'clients', 'kswitch', 'kswitch')
+ kvno = os.path.join(buildtop, 'clients', 'kvno', 'kvno')
+ kdestroy = os.path.join(buildtop, 'clients', 'kdestroy', 'kdestroy')
+ kpasswd = os.path.join(buildtop, 'clients', 'kpasswd', 'kpasswd')
+-t_inetd = os.path.join(buildtop, 'tests', 'dejagnu', 't_inetd')
++t_inetd = os.path.join(buildtop, 'tests', 'testsuite', 't_inetd')
+ kproplog = os.path.join(buildtop, 'kprop', 'kproplog')
+ kpropd = os.path.join(buildtop, 'kprop', 'kpropd')
+ kprop = os.path.join(buildtop, 'kprop', 'kprop')
+--
+2.35.1
+
diff --git a/SOURCES/krb5-krad-larger-attrs.patch b/SOURCES/krb5-krad-larger-attrs.patch
new file mode 100644
index 0000000..ff9a2ad
--- /dev/null
+++ b/SOURCES/krb5-krad-larger-attrs.patch
@@ -0,0 +1,69 @@
+From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 8 Nov 2021 17:48:50 +0100
+Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
+
+In kr_attrset_decode(), explicitly treat the length byte as unsigned.
+Otherwise attributes longer than 125 characters will be rejected with
+EBADMSG.
+
+Add a 253-character-long NAS-Identifier attribute to the tests to make
+sure that attributes with the maximal number of characters are working
+as expected.
+
+[ghudson@mit.edu: used uint8_t cast per current practices; edited
+commit message]
+
+ticket: 9036 (new)
+---
+ src/lib/krad/attrset.c | 2 +-
+ src/lib/krad/t_packet.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
+index d89982a13..6ec031e32 100644
+--- a/src/lib/krad/attrset.c
++++ b/src/lib/krad/attrset.c
+@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
+
+ for (i = 0; i + 2 < in->length; ) {
+ type = in->data[i++];
+- tmp = make_data(&in->data[i + 1], in->data[i] - 2);
++ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
+ i += tmp.length + 1;
+
+ retval = (in->length < i) ? EBADMSG : 0;
+diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
+index 0a92e9cc2..c22489144 100644
+--- a/src/lib/krad/t_packet.c
++++ b/src/lib/krad/t_packet.c
+@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
+ krb5_error_code retval;
+ const krb5_data *data;
+ int i = 0;
++ krb5_data nas_id;
++
++ nas_id = string2data("12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "123");
+
+ retval = krad_attrset_new(ctx, &set);
+ if (retval != 0)
+@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
+ if (retval != 0)
+ goto out;
+
++ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
++ &nas_id);
++ if (retval != 0)
++ goto out;
++
+ retval = krad_packet_new_request(ctx, "foo",
+ krad_code_name2num("Access-Request"),
+ set, iterator, &i, &tmp);
+--
+2.35.3
+
diff --git a/SOURCES/krb5-krad-remote.patch b/SOURCES/krb5-krad-remote.patch
new file mode 100644
index 0000000..b5b071f
--- /dev/null
+++ b/SOURCES/krb5-krad-remote.patch
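Review bot: The `(uint8_t)` cast stops the sign extension, but `(uint8_t)in->data[i] - 2` still goes negative for a length byte of 0 or 1, which RFC 2865 does not allow (the attribute Length field is at least 2), and that negative value is then handed to make_data() as a length; the hunk appears to rely on the following `retval = (in->length < i) ? EBADMSG : 0;` to reject the resulting jump of `i`, but that depends on the widths of `i` and `tmp.length`, neither of which is visible here. Since this decodes data received from the network, an explicit rejection before the make_data() call would not depend on that arithmetic: `if ((uint8_t)in->data[i] < 2) return EBADMSG;` (using whichever error-exit convention the rest of the function follows). kr_attrset_decode() begins before this hunk and continues after it.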
@@ -0,0 +1,171 @@
+From a8551b609fd50458ca3c06a9dd345b6cdf18689b Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 9 Nov 2021 13:00:43 -0500
+Subject: [PATCH 1/2] Avoid use after free during libkrad cleanup
+
+libkrad client requests contain a list of references to remotes, with
+no back-references or reference counts. To prevent accesses to
+dangling references during cleanup, cancel all requests on all remotes
+before freeing any remotes.
+
+Remove the code for aging out unused servers. This code was fairly
+safe as all requests referencing a remote should have completed or
+timed out during an hour of disuse, but in the current design we have
+no way to guarantee or check that. The set of addresses we send
+RADIUS requests to will generally be small, so aging out servers is
+unnecessary.
+
+ticket: 9035 (new)
+---
+ src/lib/krad/client.c | 42 ++++++++++++++---------------------------
+ src/lib/krad/internal.h | 4 ++++
+ src/lib/krad/remote.c | 11 ++++++++---
+ 3 files changed, 26 insertions(+), 31 deletions(-)
+
+diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
+index 6365dd1c6..810940afc 100644
+--- a/src/lib/krad/client.c
++++ b/src/lib/krad/client.c
+@@ -64,7 +64,6 @@ struct request_st {
+
+ struct server_st {
+ krad_remote *serv;
+- time_t last;
+ K5_LIST_ENTRY(server_st) list;
+ };
+
+@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+ krad_remote **out)
+ {
+ krb5_error_code retval;
+- time_t currtime;
+ server *srv;
+
+- if (time(&currtime) == (time_t)-1)
+- return errno;
+-
+ K5_LIST_FOREACH(srv, &rc->servers, list) {
+ if (kr_remote_equals(srv->serv, ai, secret)) {
+- srv->last = currtime;
+ *out = srv->serv;
+ return 0;
+ }
+@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+ srv = calloc(1, sizeof(server));
+ if (srv == NULL)
+ return ENOMEM;
+- srv->last = currtime;
+
+ retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
+ if (retval != 0) {
+@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
+ return 0;
+ }
+
+-/* Close remotes that haven't been used in a while. */
+-static void
+-age(struct server_head *head, time_t currtime)
+-{
+- server *srv, *tmp;
+-
+- K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
+- if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
+- K5_LIST_REMOVE(srv, list);
+- kr_remote_free(srv->serv);
+- free(srv);
+- }
+- }
+-}
+-
+ /* Handle a response from a server (or related errors). */
+ static void
+ on_response(krb5_error_code retval, const krad_packet *reqp,
+ const krad_packet *rspp, void *data)
+ {
+ request *req = data;
+- time_t currtime;
+ size_t i;
+
+ /* Do nothing if we are already completed. */
+@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
+ for (i = 0; req->remotes[i].remote != NULL; i++)
+ kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
+
+- /* Age out servers that haven't been used in a while. */
+- if (time(&currtime) != (time_t)-1)
+- age(&req->rc->servers, currtime);
+-
+ request_free(req);
+ }
+
+@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
+ void
+ krad_client_free(krad_client *rc)
+ {
++ server *srv;
++
+ if (rc == NULL)
+ return;
+
+- age(&rc->servers, -1);
++ /* Cancel all requests before freeing any remotes, since each request's
++ * callback data may contain references to multiple remotes. */
++ K5_LIST_FOREACH(srv, &rc->servers, list)
++ kr_remote_cancel_all(srv->serv);
++
++ while (!K5_LIST_EMPTY(&rc->servers)) {
++ srv = K5_LIST_FIRST(&rc->servers);
++ K5_LIST_REMOVE(srv, list);
++ kr_remote_free(srv->serv);
++ free(srv);
++ }
++
+ free(rc);
+ }
+
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index 223ffd730..fa012db78 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ void
+ kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
+
++/* Cancel all requests awaiting responses. */
++void
++kr_remote_cancel_all(krad_remote *rr);
++
+ /* Determine if this remote object refers to the remote resource identified
+ * by the addrinfo struct and the secret. */
+ krb5_boolean
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index c8912892c..01a5fd2a4 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -452,15 +452,20 @@ error:
+ return retval;
+ }
+
++void
++kr_remote_cancel_all(krad_remote *rr)
++{
++ while (!K5_TAILQ_EMPTY(&rr->list))
++ request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
++}
++
+ void
+ kr_remote_free(krad_remote *rr)
+ {
+ if (rr == NULL)
+ return;
+
+- while (!K5_TAILQ_EMPTY(&rr->list))
+- request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
+-
++ kr_remote_cancel_all(rr);
+ free(rr->secret);
+ if (rr->info != NULL)
+ free(rr->info->ai_addr);
+--
+2.35.3
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 7464cab..ee8f670 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.19.1
-Release: %{?zdpd}15%{?dist}
+Release: %{?zdpd}22%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
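Review bot: `K5_LIST_FOREACH(srv, &rc->servers, list)` in the new krad_client_free() walks the server list while kr_remote_cancel_all() completes every pending request with ECANCELED, which runs request callbacks (on_response, and presumably the caller's callback) in the middle of the iteration; if any callback can re-enter the client, for example by issuing a new request so that get_server() appends to `rc->servers`, this non-SAFE loop would iterate a list being modified. Whether re-entry is possible is not visible here, so this may be acceptable, but the invariant should be stated next to the loop, e.g. `/* Callbacks run here with ECANCELED; they must not add or remove servers. */`. A related documentation point: the new kr_remote_cancel_all() in remote.c carries no header comment, while its declaration in internal.h does (`/* Cancel all requests awaiting responses. */`); repeating that line above the definition would keep remote.c self-describing.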
@@ -91,6 +91,13 @@ Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch
 Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
+Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
+Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
+Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
+Patch34: krb5-krad-remote.patch
+Patch35: krb5-krad-larger-attrs.patch
+Patch36: Set-reasonable-supportedCMSTypes-in-PKINIT.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -250,7 +257,7 @@ popd
 # builds going on the same host don't step on each other.
 cfg="src/kadmin/testing/proto/kdc.conf.proto \
 src/kadmin/testing/proto/krb5.conf.proto \
- src/lib/kadm5/unit-test/api.current/init-v2.exp \
+ src/lib/kadm5/testsuite/api.current/init-v2.exp \
 src/util/k5test.py"
 LONG_BIT=`getconf LONG_BIT`
 PORT=`expr 61000 + $LONG_BIT - 48`
@@ -284,6 +291,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 CFLAGS="$CFLAGS" \
 CPPFLAGS="$CPPFLAGS" \
 SS_LIB="-lss" \
+ PKCS11_MODNAME="p11-kit-proxy.so" \
 --enable-shared \
 --runstatedir=/run \
 --localstatedir=%{_var}/kerberos \
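Review bot: Patch30 through Patch36 are declared in this hunk, but nothing in this diff shows them being applied; whether they take effect depends on the %prep section, which is outside the visible range. If the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, each of the seven new entries needs a matching line, otherwise the package builds and ships without the libkrad, PKINIT and password-change fixes the changelog claims. Worth confirming %prep before merging.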
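Review bot: `PKCS11_MODNAME="p11-kit-proxy.so"` in the configure invocation bakes a bare soname into the build as the default PKINIT PKCS#11 module, so at runtime it is resolved through the dynamic loader's search path and only works when p11-kit is installed on the target system. This diff adds no runtime dependency for it; if the spec does not already require the package that provides p11-kit-proxy.so, a `Requires:` on it would keep the default from silently failing on minimal installs. A short comment above the line, `# Default PKCS#11 module for PKINIT; resolved via the loader, so p11-kit must be present at runtime`, would also record why this value was chosen.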
@@ -647,6 +655,29 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Fri Jul 08 2022 Julien Rische - 1.19.1-22
+- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
+- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
+- Resolves: rhbz#2068935
+
+* Thu Jun 23 2022 Julien Rische - 1.19.1-21
+- Fix libkrad client cleanup
+- Allow use of larger RADIUS attributes in krad library
+- Resolves: rhbz#2100351
+
+* Thu May 12 2022 Julien Rische - 1.19.1-20
+- Fix OpenSSL 3 MD5 encyption in FIPS mode
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+- Resolves: rhbz#2068458
+
+* Mon May 02 2022 Julien Rische - 1.19.1-19
+- Use p11-kit as default PKCS11 module
+- Resolves: rhbz#2030981
+
+* Tue Apr 26 2022 Julien Rische - 1.19.1-18
+- Try harder to avoid password change replay errors
+- Resolves: rhbz#2075186
+
 * Mon Mar 14 2022 Julien Rische - 1.19.1-15
 - Use SHA-256 instead of SHA-1 for PKINIT CMS digest