import krb5-1.19.1-22.el9
parent
9b62daa65d
commit
b0c01ac38e
201
SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
From 2a6a4568ed1df4ed89604b09fa11785c9ae38c67 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Fri, 22 Apr 2022 14:12:37 +0200
|
||||||
|
Subject: [PATCH] Add configure variable for default PKCS#11 module
|
||||||
|
|
||||||
|
[ghudson@mit.edu: added documentation of configure variable and doc
|
||||||
|
substitution; shortened commit message]
|
||||||
|
|
||||||
|
ticket: 9058 (new)
|
||||||
|
---
|
||||||
|
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
||||||
|
doc/build/options2configure.rst | 3 +++
|
||||||
|
doc/conf.py | 3 +++
|
||||||
|
doc/mitK5defaults.rst | 25 +++++++++++++------------
|
||||||
|
src/configure.ac | 8 ++++++++
|
||||||
|
src/doc/Makefile.in | 2 ++
|
||||||
|
src/man/Makefile.in | 4 +++-
|
||||||
|
src/man/krb5.conf.man | 2 +-
|
||||||
|
src/plugins/preauth/pkinit/pkinit.h | 1 -
|
||||||
|
9 files changed, 34 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
index adba8238d..3d25c9a12 100644
|
||||||
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
@@ -1020,7 +1020,7 @@ information for PKINIT is as follows:
|
||||||
|
All keyword/values are optional. *modname* specifies the location
|
||||||
|
of a library implementing PKCS #11. If a value is encountered
|
||||||
|
with no keyword, it is assumed to be the *modname*. If no
|
||||||
|
- module-name is specified, the default is ``opensc-pkcs11.so``.
|
||||||
|
+ module-name is specified, the default is |pkcs11_modname|.
|
||||||
|
``slotid=`` and/or ``token=`` may be specified to force the use of
|
||||||
|
a particular smard card reader or token if there is more than one
|
||||||
|
available. ``certid=`` and/or ``certlabel=`` may be specified to
|
||||||
|
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
|
||||||
|
index a8959626d..8f8ac911c 100644
|
||||||
|
--- a/doc/build/options2configure.rst
|
||||||
|
+++ b/doc/build/options2configure.rst
|
||||||
|
@@ -143,6 +143,9 @@ Environment variables
|
||||||
|
This option allows one to specify libraries to be passed to the
|
||||||
|
linker (e.g., ``-l<library>``)
|
||||||
|
|
||||||
|
+**PKCS11_MODNAME=**\ *library*
|
||||||
|
+ Override the built-in default PKCS11 library name.
|
||||||
|
+
|
||||||
|
**SS_LIB=**\ *libs*...
|
||||||
|
If ``-lss`` is not the correct way to link in your installed ss
|
||||||
|
library, for example if additional support libraries are needed,
|
||||||
|
diff --git a/doc/conf.py b/doc/conf.py
|
||||||
|
index 4fb6aae14..29fd53375 100644
|
||||||
|
--- a/doc/conf.py
|
||||||
|
+++ b/doc/conf.py
|
||||||
|
@@ -235,6 +235,7 @@ if 'mansubs' in tags:
|
||||||
|
ccache = '``@CCNAME@``'
|
||||||
|
keytab = '``@KTNAME@``'
|
||||||
|
ckeytab = '``@CKTNAME@``'
|
||||||
|
+ pkcs11_modname = '``@PKCS11MOD@``'
|
||||||
|
elif 'pathsubs' in tags:
|
||||||
|
# Read configured paths from a file produced by the build system.
|
||||||
|
exec(open("paths.py").read())
|
||||||
|
@@ -248,6 +249,7 @@ else:
|
||||||
|
ccache = ':ref:`DEFCCNAME <paths>`'
|
||||||
|
keytab = ':ref:`DEFKTNAME <paths>`'
|
||||||
|
ckeytab = ':ref:`DEFCKTNAME <paths>`'
|
||||||
|
+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
|
||||||
|
|
||||||
|
rst_epilog = '\n'
|
||||||
|
|
||||||
|
@@ -268,6 +270,7 @@ else:
|
||||||
|
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
|
||||||
|
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
|
||||||
|
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
||||||
|
+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
|
||||||
|
rst_epilog += '''
|
||||||
|
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||||
|
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||||
|
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
|
||||||
|
index 74e69f4ad..aea7af3db 100644
|
||||||
|
--- a/doc/mitK5defaults.rst
|
||||||
|
+++ b/doc/mitK5defaults.rst
|
||||||
|
@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
|
||||||
|
operating system, the paths are generally chosen to match the
|
||||||
|
operating system's filesystem layout.
|
||||||
|
|
||||||
|
-========================== ============= =========================== ===========================
|
||||||
|
-Description Symbolic name Custom build path Typical OS path
|
||||||
|
-========================== ============= =========================== ===========================
|
||||||
|
-User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
||||||
|
-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
||||||
|
-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
||||||
|
-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
||||||
|
-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
||||||
|
-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
||||||
|
-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
||||||
|
-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
||||||
|
-========================== ============= =========================== ===========================
|
||||||
|
+========================== ============== =========================== ===========================
|
||||||
|
+Description Symbolic name Custom build path Typical OS path
|
||||||
|
+========================== ============== =========================== ===========================
|
||||||
|
+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
||||||
|
+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
||||||
|
+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
||||||
|
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
||||||
|
+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
||||||
|
+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
||||||
|
+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
||||||
|
+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
||||||
|
+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
|
||||||
|
+========================== ============== =========================== ===========================
|
||||||
|
|
||||||
|
The default client keytab name (DEFCKTNAME) typically defaults to
|
||||||
|
``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
|
||||||
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
|
index 363d5d62d..3a0633177 100644
|
||||||
|
--- a/src/configure.ac
|
||||||
|
+++ b/src/configure.ac
|
||||||
|
@@ -1466,6 +1466,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
|
||||||
|
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
|
||||||
|
[Define to default client keytab name])
|
||||||
|
|
||||||
|
+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
|
||||||
|
+if test "${PKCS11_MODNAME+set}" != set; then
|
||||||
|
+ PKCS11_MODNAME=opensc-pkcs11.so
|
||||||
|
+fi
|
||||||
|
+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
|
||||||
|
+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
|
||||||
|
+ [Default PKCS11 module name])
|
||||||
|
+
|
||||||
|
AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
|
||||||
|
AC_CONFIG_FILES([build-tools/kadm-server.pc
|
||||||
|
build-tools/kadm-client.pc
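Review bot: In the new configure.ac block, the `${PKCS11_MODNAME+set}` test treats an explicitly empty variable as set, so running configure with `PKCS11_MODNAME=` skips the fallback and AC_DEFINE_UNQUOTED emits an empty string as the default module name. Consider `test -z "$PKCS11_MODNAME"` so an empty value falls back to opensc-pkcs11.so, or reject it with AC_MSG_ERROR. The value is also pasted unescaped into a C string literal, so the options2configure.rst entry could state that it must be a plain library name or path without quotes or backslashes.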
|
||||||
|
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
|
||||||
|
index 379bc3651..a1b0cff0a 100644
|
||||||
|
--- a/src/doc/Makefile.in
|
||||||
|
+++ b/src/doc/Makefile.in
|
||||||
|
@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
|
||||||
|
DEFCCNAME=@DEFCCNAME@
|
||||||
|
DEFKTNAME=@DEFKTNAME@
|
||||||
|
DEFCKTNAME=@DEFCKTNAME@
|
||||||
|
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
||||||
|
|
||||||
|
RST_SOURCES= _static \
|
||||||
|
_templates \
|
||||||
|
@@ -118,6 +119,7 @@ paths.py:
|
||||||
|
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
|
||||||
|
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
|
||||||
|
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
|
||||||
|
+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
|
||||||
|
|
||||||
|
# Dummy rule that man/Makefile can invoke
|
||||||
|
version.py: $(docsrc)/version.py
|
||||||
|
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
|
||||||
|
index 00b1b2de0..85cae0914 100644
|
||||||
|
--- a/src/man/Makefile.in
|
||||||
|
+++ b/src/man/Makefile.in
|
||||||
|
@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
|
||||||
|
DEFCCNAME=@DEFCCNAME@
|
||||||
|
DEFKTNAME=@DEFKTNAME@
|
||||||
|
DEFCKTNAME=@DEFCKTNAME@
|
||||||
|
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
||||||
|
|
||||||
|
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
|
||||||
|
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
|
||||||
|
@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
|
||||||
|
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
|
||||||
|
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
|
||||||
|
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
|
||||||
|
- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
|
||||||
|
+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
|
||||||
|
+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
|
||||||
|
|
||||||
|
all: $(MANSUBS)
|
||||||
|
|
||||||
|
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
||||||
|
index 3a702ca8f..e4202723f 100644
|
||||||
|
--- a/src/man/krb5.conf.man
|
||||||
|
+++ b/src/man/krb5.conf.man
|
||||||
|
@@ -1151,7 +1151,7 @@ user\(aqs certificate and private key.
|
||||||
|
All keyword/values are optional. \fImodname\fP specifies the location
|
||||||
|
of a library implementing PKCS #11. If a value is encountered
|
||||||
|
with no keyword, it is assumed to be the \fImodname\fP\&. If no
|
||||||
|
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
|
||||||
|
+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
|
||||||
|
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
|
||||||
|
a particular smard card reader or token if there is more than one
|
||||||
|
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
||||||
|
index b437fd53f..a2018cb10 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit.h
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit.h
|
||||||
|
@@ -42,7 +42,6 @@
|
||||||
|
#ifndef WITHOUT_PKCS11
|
||||||
|
#include "pkcs11.h"
|
||||||
|
|
||||||
|
-#define PKCS11_MODNAME "opensc-pkcs11.so"
|
||||||
|
#define PK_SIGLEN_GUESS 1000
|
||||||
|
#define PK_NOSLOT 999999
|
||||||
|
#endif
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
188
SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch
Normal file
@ -0,0 +1,188 @@
|
|||||||
|
From dea9421ccdbe5c8f63aae85341a8f091c6019407 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Wed, 1 Jun 2022 18:02:04 +0200
|
||||||
|
Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
|
||||||
|
|
||||||
|
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
|
||||||
|
the algorithms it supports for verification of the CMS data signature.
|
||||||
|
(The MIT krb5 KDC currently ignores this list, but other
|
||||||
|
implementations use it.)
|
||||||
|
|
||||||
|
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
|
||||||
|
commit message]
|
||||||
|
|
||||||
|
ticket: 9066 (new)
|
||||||
|
---
|
||||||
|
src/plugins/preauth/pkinit/Makefile.in | 4 +-
|
||||||
|
src/plugins/preauth/pkinit/pkinit_clnt.c | 8 ++++
|
||||||
|
...nit_kdf_constants.c => pkinit_constants.c} | 24 ++++++++++++
|
||||||
|
src/plugins/preauth/pkinit/pkinit_crypto.h | 16 ++++++++
|
||||||
|
.../preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++++++++++++
|
||||||
|
5 files changed, 89 insertions(+), 2 deletions(-)
|
||||||
|
rename src/plugins/preauth/pkinit/{pkinit_kdf_constants.c => pkinit_constants.c} (76%)
|
||||||
|
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
|
||||||
|
index d20fb18a8..97aaded03 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/Makefile.in
|
||||||
|
+++ b/src/plugins/preauth/pkinit/Makefile.in
|
||||||
|
@@ -18,7 +18,7 @@ STLIBOBJS= \
|
||||||
|
pkinit_srv.o \
|
||||||
|
pkinit_lib.o \
|
||||||
|
pkinit_clnt.o \
|
||||||
|
- pkinit_kdf_constants.o \
|
||||||
|
+ pkinit_constants.o \
|
||||||
|
pkinit_profile.o \
|
||||||
|
pkinit_identity.o \
|
||||||
|
pkinit_matching.o \
|
||||||
|
@@ -29,7 +29,7 @@ SRCS= \
|
||||||
|
$(srcdir)/pkinit_srv.c \
|
||||||
|
$(srcdir)/pkinit_lib.c \
|
||||||
|
$(srcdir)/pkinit_kdf_test.c \
|
||||||
|
- $(srcdir)/pkinit_kdf_constants.c \
|
||||||
|
+ $(srcdir)/pkinit_constants.c \
|
||||||
|
$(srcdir)/pkinit_clnt.c \
|
||||||
|
$(srcdir)/pkinit_profile.c \
|
||||||
|
$(srcdir)/pkinit_identity.c \
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
index a385da7c3..2817cc213 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||||
|
@@ -212,6 +212,14 @@ pkinit_as_req_create(krb5_context context,
|
||||||
|
auth_pack.clientPublicValue = &info;
|
||||||
|
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
|
||||||
|
|
||||||
|
+ /* add List of CMS algorithms */
|
||||||
|
+ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
|
||||||
|
+ reqctx->cryptoctx,
|
||||||
|
+ reqctx->idctx, &cmstypes);
|
||||||
|
+ auth_pack.supportedCMSTypes = cmstypes;
|
||||||
|
+ if (retval)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
switch(protocol) {
|
||||||
|
case DH_PROTOCOL:
|
||||||
|
TRACE_PKINIT_CLIENT_REQ_DH(context);
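Review bot: In pkinit_as_req_create(), `auth_pack.supportedCMSTypes = cmstypes;` runs before `if (retval)`, so the result is used before the error check. Move the assignment below the check so the sequence is call, check, use. The hunk does not show the declaration of cmstypes or its release; it needs to start as NULL and be freed on the cleanup path. The comment would read better as "Add the list of supported CMS algorithms".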
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
|
||||||
|
similarity index 76%
|
||||||
|
rename from src/plugins/preauth/pkinit/pkinit_kdf_constants.c
|
||||||
|
rename to src/plugins/preauth/pkinit/pkinit_constants.c
|
||||||
|
index 1604f1670..1832e8f7b 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
|
||||||
|
@@ -57,3 +57,27 @@ krb5_data const * const supported_kdf_alg_ids[] = {
|
||||||
|
&sha512_id,
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
+
|
||||||
|
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
||||||
|
+ * rsadsi(113549) pkcs(1) 1 11 */
|
||||||
|
+static char sha256WithRSAEncr_oid[9] = {
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
|
||||||
|
+};
|
||||||
|
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
||||||
|
+ * rsadsi(113549) pkcs(1) 1 13 */
|
||||||
|
+static char sha512WithRSAEncr_oid[9] = {
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+const krb5_data sha256WithRSAEncr_id = {
|
||||||
|
+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
|
||||||
|
+};
|
||||||
|
+const krb5_data sha512WithRSAEncr_id = {
|
||||||
|
+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+krb5_data const * const supported_cms_algs[] = {
|
||||||
|
+ &sha512WithRSAEncr_id,
|
||||||
|
+ &sha256WithRSAEncr_id,
|
||||||
|
+ NULL
|
||||||
|
+};
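Review bot: The comment above sha512WithRSAEncr_oid is a copy of the previous one and still says "RFC 4055 sha256WithRSAEncryption" while giving the arc "1 13" and the final byte 0x0d. It should name sha512WithRSAEncryption so the comment, the arc and the variable agree. The two OID arrays are never modified, so they could be declared `static const char` if the krb5_data initializers permit it.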
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
index 1f9868351..f38a77093 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||||
|
@@ -380,6 +380,18 @@ krb5_error_code server_process_dh
|
||||||
|
unsigned int *server_key_len_out); /* OUT
|
||||||
|
receives length of DH secret key */
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * this functions takes in crypto specific representation of
|
||||||
|
+ * supportedCMSTypes and creates a list of
|
||||||
|
+ * krb5_algorithm_identifier
|
||||||
|
+ */
|
||||||
|
+krb5_error_code create_krb5_supportedCMSTypes
|
||||||
|
+ (krb5_context context, /* IN */
|
||||||
|
+ pkinit_plg_crypto_context plg_cryptoctx, /* IN */
|
||||||
|
+ pkinit_req_crypto_context req_cryptoctx, /* IN */
|
||||||
|
+ pkinit_identity_crypto_context id_cryptoctx, /* IN */
|
||||||
|
+ krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* this functions takes in crypto specific representation of
|
||||||
|
* trustedCertifiers and creates a list of
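Review bot: The doc comment added for create_krb5_supportedCMSTypes() is copied from the trustedCertifiers comment below it and does not match the function. As implemented in pkinit_crypto_openssl.c in this patch, it takes no crypto-specific representation: it ignores the three context arguments and copies the static supported_cms_algs list. Describe that instead, and fix "this functions" while the text is being rewritten.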
|
||||||
|
@@ -617,6 +629,10 @@ extern const size_t krb5_pkinit_sha512_oid_len;
|
||||||
|
*/
|
||||||
|
extern krb5_data const * const supported_kdf_alg_ids[];
|
||||||
|
|
||||||
|
+/* CMS signature algorithms supported by this implementation, in order of
|
||||||
|
+ * decreasing preference. */
|
||||||
|
+extern krb5_data const * const supported_cms_algs[];
|
||||||
|
+
|
||||||
|
krb5_error_code
|
||||||
|
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
|
||||||
|
uint8_t **der_out, size_t *der_len);
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
index 2a6ef4aaa..41a7464b5 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
@@ -5582,6 +5582,45 @@ cleanup:
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
+krb5_error_code
|
||||||
|
+create_krb5_supportedCMSTypes(krb5_context context,
|
||||||
|
+ pkinit_plg_crypto_context plg_cryptoctx,
|
||||||
|
+ pkinit_req_crypto_context req_cryptoctx,
|
||||||
|
+ pkinit_identity_crypto_context id_cryptoctx,
|
||||||
|
+ krb5_algorithm_identifier ***algs_out)
|
||||||
|
+{
|
||||||
|
+ krb5_error_code ret;
|
||||||
|
+ krb5_algorithm_identifier **algs = NULL;
|
||||||
|
+ size_t i, count;
|
||||||
|
+
|
||||||
|
+ *algs_out = NULL;
|
||||||
|
+
|
||||||
|
+ /* Count supported OIDs and allocate list (including null terminator). */
|
||||||
|
+ for (count = 0; supported_cms_algs[count] != NULL; count++);
|
||||||
|
+ algs = k5calloc(count + 1, sizeof(*algs), &ret);
|
||||||
|
+ if (algs == NULL)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ /* Add an algorithm identifier for each OID, with no parameters. */
|
||||||
|
+ for (i = 0; i < count; i++) {
|
||||||
|
+ algs[i] = k5alloc(sizeof(*algs[i]), &ret);
|
||||||
|
+ if (algs[i] == NULL)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
|
||||||
|
+ &algs[i]->algorithm);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ algs[i]->parameters = empty_data();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *algs_out = algs;
|
||||||
|
+ algs = NULL;
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ free_krb5_algorithm_identifiers(&algs);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
krb5_error_code
|
||||||
|
create_krb5_trustedCertifiers(krb5_context context,
|
||||||
|
pkinit_plg_crypto_context plg_cryptoctx,
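Review bot: In create_krb5_supportedCMSTypes(), the counting loop `for (count = 0; supported_cms_algs[count] != NULL; count++);` ends in a bare semicolon on the same line, which is easy to misread as controlling the k5calloc() call that follows. Put the empty statement on its own line or use an empty braced body. plg_cryptoctx, req_cryptoctx and id_cryptoctx are never referenced in the body; if they are kept only for signature symmetry with create_krb5_trustedCertifiers(), say so in a comment.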
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -0,0 +1,91 @@
|
|||||||
|
From ad8e02485791023dcf66ef4612616f03895ceeb3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Fri, 4 Mar 2022 00:45:00 -0500
|
||||||
|
Subject: [PATCH] Try harder to avoid password change replay errors
|
||||||
|
|
||||||
|
Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
|
||||||
|
change_set_password() to prefer TCP. However, because UDP_LAST falls
|
||||||
|
back to UDP after one second, we can still get a replay error due to a
|
||||||
|
dropped packet, before the TCP layer has a chance to retry.
|
||||||
|
|
||||||
|
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
|
||||||
|
TCP fails completely without reaching a server. In sendto_kdc.c,
|
||||||
|
implement an ONLY_UDP transport strategy to allow the UDP fallback.
|
||||||
|
|
||||||
|
ticket: 9037
|
||||||
|
---
|
||||||
|
src/lib/krb5/os/changepw.c | 9 ++++++++-
|
||||||
|
src/lib/krb5/os/os-proto.h | 1 +
|
||||||
|
src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
|
||||||
|
3 files changed, 17 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
|
||||||
|
index 9f968da7f..c59232586 100644
|
||||||
|
--- a/src/lib/krb5/os/changepw.c
|
||||||
|
+++ b/src/lib/krb5/os/changepw.c
|
||||||
|
@@ -255,9 +255,16 @@ change_set_password(krb5_context context,
|
||||||
|
callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
|
||||||
|
krb5_free_data_contents(callback_ctx.context, &chpw_rep);
|
||||||
|
|
||||||
|
+ /* UDP retransmits may be seen as replays. Only try UDP after other
|
||||||
|
+ * transports fail completely. */
|
||||||
|
code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
|
||||||
|
- &sl, UDP_LAST, &callback_info, &chpw_rep,
|
||||||
|
+ &sl, NO_UDP, &callback_info, &chpw_rep,
|
||||||
|
ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
|
||||||
|
+ if (code == KRB5_KDC_UNREACH) {
|
||||||
|
+ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
|
||||||
|
+ &sl, ONLY_UDP, &callback_info, &chpw_rep,
|
||||||
|
+ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
|
||||||
|
+ }
|
||||||
|
if (code)
|
||||||
|
goto cleanup;
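Review bot: In change_set_password(), the ONLY_UDP fallback passes the same `&addrlen` and `&chpw_rep` that the failed NO_UDP call received. If k5_sendto() can write to either before returning KRB5_KDC_UNREACH, the retry starts from stale values; resetting addrlen to its initial value before the second call would make the retry independent of the first. The new comment could also state that the fallback is taken only on KRB5_KDC_UNREACH, so any other failure of the first call is returned unchanged.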
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
|
||||||
|
index a985f2aec..91d2791ce 100644
|
||||||
|
--- a/src/lib/krb5/os/os-proto.h
|
||||||
|
+++ b/src/lib/krb5/os/os-proto.h
|
||||||
|
@@ -49,6 +49,7 @@ typedef enum {
|
||||||
|
UDP_FIRST = 0,
|
||||||
|
UDP_LAST,
|
||||||
|
NO_UDP,
|
||||||
|
+ ONLY_UDP
|
||||||
|
} k5_transport_strategy;
|
||||||
|
|
||||||
|
/* A single server hostname or address. */
|
||||||
|
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
index 0eedec175..c7f5d861a 100644
|
||||||
|
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
@@ -802,11 +802,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
int err, result;
|
||||||
|
char portbuf[PORT_LENGTH];
|
||||||
|
|
||||||
|
- /* Skip UDP entries if we don't want UDP. */
|
||||||
|
+ /* Skip entries excluded by the strategy. */
|
||||||
|
if (strategy == NO_UDP && entry->transport == UDP)
|
||||||
|
return 0;
|
||||||
|
+ if (strategy == ONLY_UDP && entry->transport != UDP &&
|
||||||
|
+ entry->transport != TCP_OR_UDP)
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
- transport = (strategy == UDP_FIRST) ? UDP : TCP;
|
||||||
|
+ transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
|
||||||
|
if (entry->hostname == NULL) {
|
||||||
|
/* Added by a module, so transport is either TCP or UDP. */
|
||||||
|
ai.ai_socktype = socktype_for_transport(entry->transport);
|
||||||
|
@@ -850,8 +853,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* For TCP_OR_UDP entries, add each address again with the non-preferred
|
||||||
|
- * transport, unless we are avoiding UDP. Flag these as deferred. */
|
||||||
|
- if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
|
||||||
|
+ * transport, if there is one. Flag these as deferred. */
|
||||||
|
+ if (retval == 0 && entry->transport == TCP_OR_UDP &&
|
||||||
|
+ (strategy == UDP_FIRST || strategy == UDP_LAST)) {
|
||||||
|
transport = (strategy == UDP_FIRST) ? TCP : UDP;
|
||||||
|
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
|
||||||
|
a->ai_socktype = socktype_for_transport(transport);
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -0,0 +1,82 @@
|
|||||||
|
From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Thu, 5 May 2022 17:15:12 +0200
|
||||||
|
Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
|
||||||
|
|
||||||
|
libkrad allows to establish connections only to UNIX socket in FIPS
|
||||||
|
mode, because MD5 digest is not considered safe enough to be used for
|
||||||
|
network communication. However, FreeRadius requires connection on TCP or
|
||||||
|
UDP ports.
|
||||||
|
|
||||||
|
This commit allows TCP or UDP connections in FIPS mode if destination is
|
||||||
|
localhost.
|
||||||
|
|
||||||
|
Resolves: rhbz#2068458
|
||||||
|
---
|
||||||
|
src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 34 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||||
|
index eca432424..c8912892c 100644
|
||||||
|
--- a/src/lib/krad/remote.c
|
||||||
|
+++ b/src/lib/krad/remote.c
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
+#include <stdbool.h>
|
||||||
|
|
||||||
|
#include <sys/un.h>
|
||||||
|
|
||||||
|
@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
|
||||||
|
static void
|
||||||
|
on_timeout(verto_ctx *ctx, verto_ev *ev);
|
||||||
|
|
||||||
|
+static in_addr_t get_in_addr(struct addrinfo *info)
|
||||||
|
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
|
||||||
|
+
|
||||||
|
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
|
||||||
|
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
|
||||||
|
+
|
||||||
|
+static bool is_inet_localhost(struct addrinfo *info)
|
||||||
|
+{
|
||||||
|
+ struct addrinfo *p;
|
||||||
|
+
|
||||||
|
+ for (p = info; p; p = p->ai_next) {
|
||||||
|
+ switch (p->ai_family) {
|
||||||
|
+ case AF_INET:
|
||||||
|
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
|
||||||
|
+ >> IN_CLASSA_NSHIFT))
|
||||||
|
+ return false;
|
||||||
|
+ break;
|
||||||
|
+ case AF_INET6:
|
||||||
|
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
|
||||||
|
+ return false;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* Iterate over the set of outstanding packets. */
|
||||||
|
static const krad_packet *
|
||||||
|
iterator(request **out)
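Review bot: In is_inet_localhost(), the AF_INET test `get_in_addr(p) & IN_CLASSA_NET >> IN_CLASSA_NSHIFT` parses as `addr & (IN_CLASSA_NET >> IN_CLASSA_NSHIFT)` because `>>` binds tighter than `&`, and s_addr is in network byte order while the IN_* constants are host order. The comparison therefore matches the first octet only on little-endian hosts; on a big-endian host it compares the last octet, so the check that gates the "would expose cleartext passwords" abort in kr_remote_send() would no longer correspond to 127.0.0.0/8. Suggest `(ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT`. A NULL info also falls through the loop and returns true; returning false for an empty list would fail closed. The one-line accessor bodies and the double blank line after the function differ from the surrounding style.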
|
||||||
|
@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
||||||
|
(krad_packet_iter_cb)iterator, &r, &tmp);
|
||||||
|
if (retval != 0)
|
||||||
|
goto error;
|
||||||
|
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
|
||||||
|
- rr->info->ai_family != AF_UNIX) {
|
||||||
|
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
|
||||||
|
+ && rr->info->ai_family != AF_UNIX
|
||||||
|
+ && !is_inet_localhost(rr->info)) {
|
||||||
|
/* This would expose cleartext passwords, so abort. */
|
||||||
|
retval = ESOCKTNOSUPPORT;
|
||||||
|
goto error;
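Review bot: In kr_remote_send(), the comment "This would expose cleartext passwords, so abort." no longer describes the whole condition now that `!is_inet_localhost(rr->info)` is part of it; it should say why loopback TCP/UDP is accepted in FIPS mode. is_inet_localhost() walks the whole ai_next chain, so confirm that this matches the address the socket actually connects to. The rewritten condition also moves `&&` to the start of the continuation lines, while the removed lines had it at the end.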
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From a7318c3cd6e1f58adb80493c05b59e6c180cd584 Mon Sep 17 00:00:00 2001
|
From 4f8cba1780bc167c52de2a791cad6a1817508bbe Mon Sep 17 00:00:00 2001
|
||||||
From: Julien Rische <jrische@redhat.com>
|
From: Julien Rische <jrische@redhat.com>
|
||||||
Date: Wed, 23 Feb 2022 17:34:33 +0100
|
Date: Wed, 23 Feb 2022 17:34:33 +0100
|
||||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||||
@ -28,24 +28,26 @@ global context.
|
|||||||
Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
|
Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
|
||||||
effect anymore.
|
effect anymore.
|
||||||
|
|
||||||
|
post9 load both default and legacy provider into library context
|
||||||
|
|
||||||
Last-updated: krb5-1.19
|
Last-updated: krb5-1.19
|
||||||
---
|
---
|
||||||
doc/admin/conf_files/krb5_conf.rst | 6 ++
|
doc/admin/conf_files/krb5_conf.rst | 6 ++
|
||||||
src/lib/crypto/krb/prng.c | 11 ++-
|
src/lib/crypto/krb/prng.c | 11 ++-
|
||||||
.../crypto/openssl/enc_provider/camellia.c | 6 ++
|
.../crypto/openssl/enc_provider/camellia.c | 6 ++
|
||||||
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++-
|
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++-
|
||||||
.../crypto/openssl/hash_provider/hash_evp.c | 85 ++++++++++++++++++-
|
.../crypto/openssl/hash_provider/hash_evp.c | 93 ++++++++++++++++++-
|
||||||
src/lib/crypto/openssl/hmac.c | 6 +-
|
src/lib/crypto/openssl/hmac.c | 6 +-
|
||||||
src/lib/krad/attr.c | 46 ++++++++---
|
src/lib/krad/attr.c | 46 ++++++---
|
||||||
src/lib/krad/attrset.c | 5 +-
|
src/lib/krad/attrset.c | 5 +-
|
||||||
src/lib/krad/internal.h | 28 ++++++-
|
src/lib/krad/internal.h | 28 +++++-
|
||||||
src/lib/krad/packet.c | 22 +++---
|
src/lib/krad/packet.c | 22 +++--
|
||||||
src/lib/krad/remote.c | 10 ++-
|
src/lib/krad/remote.c | 10 +-
|
||||||
src/lib/krad/t_attr.c | 3 +-
|
src/lib/krad/t_attr.c | 3 +-
|
||||||
src/lib/krad/t_attrset.c | 4 +-
|
src/lib/krad/t_attrset.c | 4 +-
|
||||||
src/plugins/preauth/spake/spake_client.c | 6 ++
|
src/plugins/preauth/spake/spake_client.c | 6 ++
|
||||||
src/plugins/preauth/spake/spake_kdc.c | 6 ++
|
src/plugins/preauth/spake/spake_kdc.c | 6 ++
|
||||||
15 files changed, 218 insertions(+), 35 deletions(-)
|
15 files changed, 230 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
index 675175955..adba8238d 100644
|
index 675175955..adba8238d 100644
|
||||||
@ -158,10 +160,10 @@ index bc87c6f42..9bf407899 100644
|
|||||||
* The cipher state here is a saved pointer to a struct arcfour_state
|
* The cipher state here is a saved pointer to a struct arcfour_state
|
||||||
* object, rather than a flat byte array as in most enc providers. The
|
* object, rather than a flat byte array as in most enc providers. The
|
||||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||||
index 1e0fb8fc3..4b8e1a6b2 100644
|
index 1e0fb8fc3..57bca3fec 100644
|
||||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||||
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||||
@@ -32,6 +32,50 @@
|
@@ -32,6 +32,46 @@
|
||||||
|
|
||||||
#include "crypto_int.h"
|
#include "crypto_int.h"
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
@ -170,8 +172,8 @@ index 1e0fb8fc3..4b8e1a6b2 100644
|
|||||||
+
|
+
|
||||||
+typedef struct ossl_lib_md_context {
|
+typedef struct ossl_lib_md_context {
|
||||||
+ OSSL_LIB_CTX *libctx;
|
+ OSSL_LIB_CTX *libctx;
|
||||||
|
+ OSSL_PROVIDER *default_provider;
|
||||||
+ OSSL_PROVIDER *legacy_provider;
|
+ OSSL_PROVIDER *legacy_provider;
|
||||||
+ EVP_MD *md;
|
|
||||||
+} ossl_md_context_t;
|
+} ossl_md_context_t;
|
||||||
+
|
+
|
||||||
+static thread_local ossl_md_context_t *ossl_md_ctx = NULL;
|
+static thread_local ossl_md_context_t *ossl_md_ctx = NULL;
|
||||||
@ -183,15 +185,11 @@ index 1e0fb8fc3..4b8e1a6b2 100644
|
|||||||
+ if (!ctx->libctx)
|
+ if (!ctx->libctx)
|
||||||
+ return KRB5_CRYPTO_INTERNAL;
|
+ return KRB5_CRYPTO_INTERNAL;
|
||||||
+
|
+
|
||||||
+ /*
|
+ /* Load both legacy and default provider as both may be needed. */
|
||||||
+ * Load both legacy and default provider as both may be needed.
|
+ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
|
||||||
+ * If they fail keep going and an error will be raised when we try to
|
|
||||||
+ * fetch the cipher later.
|
|
||||||
+ */
|
|
||||||
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
|
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
|
||||||
+
|
+
|
||||||
+ ctx->md = EVP_MD_fetch(ctx->libctx, algo, NULL);
|
+ if (!(ctx->default_provider && ctx->legacy_provider))
|
||||||
+ if (!ctx->md)
|
|
||||||
+ return KRB5_CRYPTO_INTERNAL;
|
+ return KRB5_CRYPTO_INTERNAL;
|
||||||
+
|
+
|
||||||
+ return 0;
|
+ return 0;
|
||||||
@ -200,19 +198,19 @@ index 1e0fb8fc3..4b8e1a6b2 100644
|
|||||||
+static void
|
+static void
|
||||||
+deinit_ossl_ctx(ossl_md_context_t *ctx)
|
+deinit_ossl_ctx(ossl_md_context_t *ctx)
|
||||||
+{
|
+{
|
||||||
+ if (ctx->md)
|
|
||||||
+ EVP_MD_free(ctx->md);
|
|
||||||
+
|
|
||||||
+ if (ctx->legacy_provider)
|
+ if (ctx->legacy_provider)
|
||||||
+ OSSL_PROVIDER_unload(ctx->legacy_provider);
|
+ OSSL_PROVIDER_unload(ctx->legacy_provider);
|
||||||
+
|
+
|
||||||
|
+ if (ctx->default_provider)
|
||||||
|
+ OSSL_PROVIDER_unload(ctx->default_provider);
|
||||||
|
+
|
||||||
+ if (ctx->libctx)
|
+ if (ctx->libctx)
|
||||||
+ OSSL_LIB_CTX_free(ctx->libctx);
|
+ OSSL_LIB_CTX_free(ctx->libctx);
|
||||||
+}
|
+}
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
||||||
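Review bot: deinit_ossl_ctx() tests ctx->legacy_provider and ctx->default_provider, but init_ossl_md_ctx() returns KRB5_CRYPTO_INTERNAL on `!ctx->libctx` before either pointer is assigned in the lines shown. The caller allocates the struct with malloc(), so unless the elided part of init zeroes it, a cleanup after that early return would hand uninitialised pointers to OSSL_PROVIDER_unload(). Allocate with calloc() or set both provider fields to NULL at the top of init. The new `if (!(ctx->default_provider && ctx->legacy_provider))` check also makes a missing provider fatal, where the earlier revision's comment said to keep going; the replacement comment should say so.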
@@ -61,16 +104,53 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
@@ -61,16 +101,65 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
||||||
return ok ? 0 : KRB5_CRYPTO_INTERNAL;
|
return ok ? 0 : KRB5_CRYPTO_INTERNAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -221,11 +219,14 @@ index 1e0fb8fc3..4b8e1a6b2 100644
|
|||||||
+ krb5_data *output)
|
+ krb5_data *output)
|
||||||
+{
|
+{
|
||||||
+ krb5_error_code err;
|
+ krb5_error_code err;
|
||||||
|
+ EVP_MD *md = NULL;
|
||||||
+
|
+
|
||||||
+ if (!ossl_md_ctx) {
|
+ if (!ossl_md_ctx) {
|
||||||
+ ossl_md_ctx = malloc(sizeof(ossl_md_context_t));
|
+ ossl_md_ctx = malloc(sizeof(ossl_md_context_t));
|
||||||
+ if (!ossl_md_ctx)
|
+ if (!ossl_md_ctx) {
|
||||||
+ return ENOMEM;
|
+ err = ENOMEM;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ err = init_ossl_md_ctx(ossl_md_ctx, algo);
|
+ err = init_ossl_md_ctx(ossl_md_ctx, algo);
|
||||||
+ if (err) {
|
+ if (err) {
|
||||||
@ -236,9 +237,18 @@ index 1e0fb8fc3..4b8e1a6b2 100644
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ err = hash_evp(ossl_md_ctx->md, data, num_data, output);
|
+ md = EVP_MD_fetch(ossl_md_ctx->libctx, algo, NULL);
|
||||||
|
+ if (!md) {
|
||||||
|
+ err = KRB5_CRYPTO_INTERNAL;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = hash_evp(md, data, num_data, output);
|
||||||
+
|
+
|
||||||
+end:
|
+end:
|
||||||
|
+ if (md)
|
||||||
|
+ EVP_MD_free(md);
|
||||||
|
+
|
||||||
+ return err;
|
+ return err;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
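Review bot: EVP_MD_fetch() now runs on every call, immediately before `hash_evp(md, data, num_data, output)`, and the result is freed at `end:`. That avoids reusing one cached md for a different `algo`, but fetching is comparatively expensive in OpenSSL 3 and this is a per-hash path. Consider caching one EVP_MD per algorithm name in ossl_md_context_t and freeing them in deinit_ossl_ctx(). Separately, the thread_local ossl_md_ctx is allocated here with no release at thread exit in the visible lines; a comment should state who frees it.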
@ -684,3 +694,6 @@ index 88c964ce1..c7df0392f 100644
|
|||||||
vt = (krb5_kdcpreauth_vtable)vtable;
|
vt = (krb5_kdcpreauth_vtable)vtable;
|
||||||
vt->name = "spake";
|
vt->name = "spake";
|
||||||
vt->pa_type_list = pa_types;
|
vt->pa_type_list = pa_types;
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
@ -0,0 +1,727 @@
|
|||||||
|
From 20cbbd0b273af56c6d527c8e6b9d96eef49926f2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Thu, 31 Mar 2022 18:24:39 +0200
|
||||||
|
Subject: [PATCH] Use newly enforced dejagnu path naming convention
|
||||||
|
|
||||||
|
Since version 1.6.3, dejagnu started to enforce a naming convention that
|
||||||
|
was already in place, but not mandatory: dejagnu test directories have
|
||||||
|
to be named "testsuite". If they don't implicit relative sub-paths
|
||||||
|
resolution (e.g. "lib", "config") is not forking.
|
||||||
|
|
||||||
|
This commit renames kadm5 library's unit tests and global tests
|
||||||
|
directories to match this requirement.
|
||||||
|
|
||||||
|
Resolves: rhbz#2053133
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
---
|
||||||
|
src/configure.ac | 4 +--
|
||||||
|
src/lib/kadm5/Makefile.in | 2 +-
|
||||||
|
.../{unit-test => testsuite}/Makefile.in | 28 +++++++++---------
|
||||||
|
.../api.2/crte-policy.exp | 0
|
||||||
|
.../api.2/get-policy.exp | 0
|
||||||
|
.../api.2/mod-policy.exp | 0
|
||||||
|
.../api.current/chpass-principal-v2.exp | 0
|
||||||
|
.../api.current/chpass-principal.exp | 0
|
||||||
|
.../api.current/crte-policy.exp | 0
|
||||||
|
.../api.current/crte-principal.exp | 0
|
||||||
|
.../api.current/destroy.exp | 0
|
||||||
|
.../api.current/dlte-policy.exp | 0
|
||||||
|
.../api.current/dlte-principal.exp | 0
|
||||||
|
.../api.current/get-policy.exp | 0
|
||||||
|
.../api.current/get-principal-v2.exp | 0
|
||||||
|
.../api.current/get-principal.exp | 0
|
||||||
|
.../api.current/init-v2.exp | 0
|
||||||
|
.../api.current/init.exp | 0
|
||||||
|
.../api.current/mod-policy.exp | 0
|
||||||
|
.../api.current/mod-principal-v2.exp | 0
|
||||||
|
.../api.current/mod-principal.exp | 0
|
||||||
|
.../api.current/randkey-principal-v2.exp | 0
|
||||||
|
.../api.current/randkey-principal.exp | 0
|
||||||
|
.../{unit-test => testsuite}/config/unix.exp | 0
|
||||||
|
src/lib/kadm5/{unit-test => testsuite}/deps | 0
|
||||||
|
.../{unit-test => testsuite}/destroy-test.c | 0
|
||||||
|
.../diff-files/destroy-1 | 0
|
||||||
|
.../diff-files/no-diffs | 0
|
||||||
|
.../{unit-test => testsuite}/handle-test.c | 0
|
||||||
|
.../{unit-test => testsuite}/init-test.c | 0
|
||||||
|
.../{unit-test => testsuite}/iter-test.c | 0
|
||||||
|
.../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +-
|
||||||
|
.../{unit-test => testsuite}/lock-test.c | 0
|
||||||
|
.../{unit-test => testsuite}/randkey-test.c | 0
|
||||||
|
.../{unit-test => testsuite}/setkey-test.c | 0
|
||||||
|
.../kadm5/{unit-test => testsuite}/site.exp | 0
|
||||||
|
src/tests/Makefile.in | 2 +-
|
||||||
|
src/tests/t_authdata.py | 2 +-
|
||||||
|
src/tests/t_certauth.py | 2 +-
|
||||||
|
src/tests/t_pkinit.py | 2 +-
|
||||||
|
src/tests/t_proxy.py | 12 ++++----
|
||||||
|
src/tests/{dejagnu => testsuite}/Makefile.in | 4 +--
|
||||||
|
.../{dejagnu => testsuite}/config/default.exp | 2 +-
|
||||||
|
src/tests/{dejagnu => testsuite}/deps | 0
|
||||||
|
.../krb-standalone/gssapi.exp | 2 +-
|
||||||
|
.../krb-standalone/kprop.exp | 0
|
||||||
|
.../krb-standalone/princexpire.exp | 0
|
||||||
|
.../krb-standalone/sample.exp | 2 +-
|
||||||
|
.../krb-standalone/simple.exp | 2 +-
|
||||||
|
.../krb-standalone/standalone.exp | 0
|
||||||
|
.../krb-standalone/tcp.exp | 0
|
||||||
|
.../pkinit-certs/ca.pem | 0
|
||||||
|
.../pkinit-certs/generic.p12 | Bin
|
||||||
|
.../pkinit-certs/generic.pem | 0
|
||||||
|
.../pkinit-certs/kdc.pem | 0
|
||||||
|
.../pkinit-certs/make-certs.sh | 0
|
||||||
|
.../pkinit-certs/privkey-enc.pem | 0
|
||||||
|
.../pkinit-certs/privkey.pem | 0
|
||||||
|
.../pkinit-certs/user-enc.p12 | Bin
|
||||||
|
.../pkinit-certs/user-upn.p12 | Bin
|
||||||
|
.../pkinit-certs/user-upn.pem | 0
|
||||||
|
.../pkinit-certs/user-upn2.p12 | Bin
|
||||||
|
.../pkinit-certs/user-upn2.pem | 0
|
||||||
|
.../pkinit-certs/user-upn3.p12 | Bin
|
||||||
|
.../pkinit-certs/user-upn3.pem | 0
|
||||||
|
.../pkinit-certs/user.p12 | Bin
|
||||||
|
.../pkinit-certs/user.pem | 0
|
||||||
|
.../{dejagnu => testsuite}/proxy-certs/ca.pem | 0
|
||||||
|
.../proxy-certs/make-certs.sh | 0
|
||||||
|
.../proxy-certs/proxy-badsig.pem | 0
|
||||||
|
.../proxy-certs/proxy-ideal.pem | 0
|
||||||
|
.../proxy-certs/proxy-no-match.pem | 0
|
||||||
|
.../proxy-certs/proxy-san.pem | 0
|
||||||
|
.../proxy-certs/proxy-subject.pem | 0
|
||||||
|
src/tests/{dejagnu => testsuite}/t_inetd.c | 2 +-
|
||||||
|
src/util/k5test.py | 2 +-
|
||||||
|
76 files changed, 36 insertions(+), 36 deletions(-)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
|
||||||
|
rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/Makefile.in (92%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/config/default.exp (99%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/deps (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/gssapi.exp (98%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/kprop.exp (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/princexpire.exp (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/sample.exp (98%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/simple.exp (98%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/standalone.exp (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/krb-standalone/tcp.exp (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/ca.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/kdc.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/make-certs.sh (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey-enc.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-enc.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.p12 (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/ca.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/make-certs.sh (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-badsig.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-ideal.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-no-match.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-san.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-subject.pem (100%)
|
||||||
|
rename src/tests/{dejagnu => testsuite}/t_inetd.c (99%)
|
||||||
|
|
||||||
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
|
index 20066918b..363d5d62d 100644
|
||||||
|
--- a/src/configure.ac
|
||||||
|
+++ b/src/configure.ac
|
||||||
|
@@ -1500,7 +1500,7 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||||
|
|
||||||
|
lib/rpc lib/rpc/unit-test
|
||||||
|
|
||||||
|
- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
|
||||||
|
+ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
|
||||||
|
lib/krad
|
||||||
|
lib/apputils
|
||||||
|
|
||||||
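Review bot: the context line `lib/rpc lib/rpc/unit-test` just above the changed line keeps the old directory name. If that directory is also driven by runtest, it will hit the same dejagnu 1.6.3 naming enforcement described in the commit message; either rename it in this patch or state in the commit message why it is exempt.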
|
@@ -1544,5 +1544,5 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||||
|
appl/gss-sample appl/user_user
|
||||||
|
|
||||||
|
tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi
|
||||||
|
- tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc
|
||||||
|
+ tests/testsuite tests/threads tests/shlib tests/gss-threads tests/misc
|
||||||
|
)
|
||||||
|
diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
|
||||||
|
index c4eaad38d..76fc4b548 100644
|
||||||
|
--- a/src/lib/kadm5/Makefile.in
|
||||||
|
+++ b/src/lib/kadm5/Makefile.in
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
mydir=lib$(S)kadm5
|
||||||
|
BUILDTOP=$(REL)..$(S)..
|
||||||
|
-SUBDIRS = clnt srv unit-test
|
||||||
|
+SUBDIRS = clnt srv testsuite
|
||||||
|
|
||||||
|
##DOSBUILDTOP = ..\..
|
||||||
|
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
|
||||||
|
similarity index 86%
|
||||||
|
rename from src/lib/kadm5/unit-test/Makefile.in
|
||||||
|
rename to src/lib/kadm5/testsuite/Makefile.in
|
||||||
|
index 68fa097ff..5a55b786b 100644
|
||||||
|
--- a/src/lib/kadm5/unit-test/Makefile.in
|
||||||
|
+++ b/src/lib/kadm5/testsuite/Makefile.in
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-mydir=lib$(S)kadm5$(S)unit-test
|
||||||
|
+mydir=lib$(S)kadm5$(S)testsuite
|
||||||
|
BUILDTOP=$(REL)..$(S)..$(S)..
|
||||||
|
KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
|
||||||
|
|
||||||
|
@@ -61,7 +61,7 @@ runenv.exp: Makefile
|
||||||
|
eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
|
||||||
|
|
||||||
|
#
|
||||||
|
-# The unit-test targets
|
||||||
|
+# The testsuite targets
|
||||||
|
#
|
||||||
|
|
||||||
|
check: check-@DO_TEST@
|
||||||
|
@@ -72,13 +72,13 @@ check-:
|
||||||
|
@echo "+++ Either tcl, runtest, or Perl is unavailable."
|
||||||
|
@echo "+++"
|
||||||
|
|
||||||
|
-check-ok unit-test: unit-test-client unit-test-server
|
||||||
|
+check-ok testsuite: testsuite-client testsuite-server
|
||||||
|
|
||||||
|
-unit-test-client: unit-test-client-setup unit-test-client-body \
|
||||||
|
- unit-test-client-cleanup
|
||||||
|
+testsuite-client: testsuite-client-setup testsuite-client-body \
|
||||||
|
+ testsuite-client-cleanup
|
||||||
|
|
||||||
|
-unit-test-server: unit-test-server-setup unit-test-server-body \
|
||||||
|
- unit-test-server-cleanup
|
||||||
|
+testsuite-server: testsuite-server-setup testsuite-server-body \
|
||||||
|
+ testsuite-server-cleanup
|
||||||
|
|
||||||
|
test-randkey: randkey-test
|
||||||
|
$(ENV_SETUP) $(VALGRIND) ./randkey-test
|
||||||
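Review bot: the make targets in this hunk (`check-ok unit-test:`, `unit-test-client`, `unit-test-server`) are renamed along with the directory, but the commit message ties the dejagnu requirement to the directory name only. Renaming the targets breaks any caller that still runs `make unit-test`; keep the old target names, or add `unit-test` as an alias of `testsuite` and mention the target rename in the commit message.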
|
@@ -98,19 +98,19 @@ test-destroy: destroy-test
|
||||||
|
test-setkey-client: client-setkey-test
|
||||||
|
$(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
|
||||||
|
|
||||||
|
-unit-test-client-setup: runenv.sh
|
||||||
|
+testsuite-client-setup: runenv.sh
|
||||||
|
$(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
|
||||||
|
|
||||||
|
-unit-test-client-cleanup:
|
||||||
|
+testsuite-client-cleanup:
|
||||||
|
$(ENV_SETUP) $(STOP_SERVERS)
|
||||||
|
|
||||||
|
-unit-test-server-setup: runenv.sh
|
||||||
|
+testsuite-server-setup: runenv.sh
|
||||||
|
$(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
|
||||||
|
|
||||||
|
-unit-test-server-cleanup:
|
||||||
|
+testsuite-server-cleanup:
|
||||||
|
$(ENV_SETUP) $(STOP_SERVERS_LOCAL)
|
||||||
|
|
||||||
|
-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
|
||||||
|
+testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
|
||||||
|
test-setkey-client runenv.exp
|
||||||
|
$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
|
||||||
|
KINIT=$(BUILDTOP)/clients/kinit/kinit \
|
||||||
|
@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
|
||||||
|
-mv api.log capi.log
|
||||||
|
-mv api.sum capi.sum
|
||||||
|
|
||||||
|
-unit-test-server-body: site.exp test-handle-server lock-test
|
||||||
|
+testsuite-server-body: site.exp test-handle-server lock-test
|
||||||
|
$(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
|
||||||
|
LOCKTEST=./lock-test \
|
||||||
|
KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
|
||||||
|
@@ -140,4 +140,4 @@ clean:
|
||||||
|
$(RM) lock-test lock-test.o
|
||||||
|
$(RM) server-iter-test iter-test.o
|
||||||
|
$(RM) server-setkey-test client-setkey-test setkey-test.o
|
||||||
|
- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
|
||||||
|
+ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/destroy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/destroy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/init.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/init.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/config/unix.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/config/unix.exp
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/deps
|
||||||
|
rename to src/lib/kadm5/testsuite/deps
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/destroy-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/destroy-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/diff-files/destroy-1
|
||||||
|
rename to src/lib/kadm5/testsuite/diff-files/destroy-1
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/diff-files/no-diffs
|
||||||
|
rename to src/lib/kadm5/testsuite/diff-files/no-diffs
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/handle-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/handle-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/init-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/init-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/iter-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/iter-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
|
||||||
|
similarity index 99%
|
||||||
|
rename from src/lib/kadm5/unit-test/lib/lib.t
|
||||||
|
rename to src/lib/kadm5/testsuite/lib/lib.t
|
||||||
|
index 3444775cf..327946849 100644
|
||||||
|
--- a/src/lib/kadm5/unit-test/lib/lib.t
|
||||||
|
+++ b/src/lib/kadm5/testsuite/lib/lib.t
|
||||||
|
@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
|
||||||
|
global RPC
|
||||||
|
|
||||||
|
if { ! $RPC } {
|
||||||
|
-# set file $TOP/admin/lib/unit-test/diff-files/$name
|
||||||
|
+# set file $TOP/admin/lib/testsuite/diff-files/$name
|
||||||
|
# exec $env(SIMPLE_DUMP) > /tmp/dump.after
|
||||||
|
# exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
|
||||||
|
}
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/lock-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/lock-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/randkey-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/randkey-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/setkey-test.c
|
||||||
|
rename to src/lib/kadm5/testsuite/setkey-test.c
|
||||||
|
diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/lib/kadm5/unit-test/site.exp
|
||||||
|
rename to src/lib/kadm5/testsuite/site.exp
|
||||||
|
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||||
|
index 20f27d748..1198dca0c 100644
|
||||||
|
--- a/src/tests/Makefile.in
|
||||||
|
+++ b/src/tests/Makefile.in
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
mydir=tests
|
||||||
|
BUILDTOP=$(REL)..
|
||||||
|
-SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \
|
||||||
|
+SUBDIRS = asn.1 create hammer verify gssapi testsuite shlib gss-threads misc \
|
||||||
|
threads softpkcs11
|
||||||
|
|
||||||
|
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
|
||||||
|
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
||||||
|
index 2e01f46bc..e5135f435 100644
|
||||||
|
--- a/src/tests/t_authdata.py
|
||||||
|
+++ b/src/tests/t_authdata.py
|
||||||
|
@@ -57,7 +57,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
|
||||||
|
skipped('anonymous ticket authdata tests', 'PKINIT not built')
|
||||||
|
else:
|
||||||
|
# Set up a realm with PKINIT support and get anonymous tickets.
|
||||||
|
- certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
|
||||||
|
+ certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
|
||||||
|
ca_pem = os.path.join(certs, 'ca.pem')
|
||||||
|
kdc_pem = os.path.join(certs, 'kdc.pem')
|
||||||
|
privkey_pem = os.path.join(certs, 'privkey.pem')
|
||||||
|
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
|
||||||
|
index 0fe0fdb4a..bfa5bfc96 100644
|
||||||
|
--- a/src/tests/t_certauth.py
|
||||||
|
+++ b/src/tests/t_certauth.py
|
||||||
|
@@ -4,7 +4,7 @@ from k5test import *
|
||||||
|
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
|
||||||
|
skip_rest('certauth tests', 'PKINIT module not built')
|
||||||
|
|
||||||
|
-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
|
||||||
|
+certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
|
||||||
|
ca_pem = os.path.join(certs, 'ca.pem')
|
||||||
|
kdc_pem = os.path.join(certs, 'kdc.pem')
|
||||||
|
privkey_pem = os.path.join(certs, 'privkey.pem')
|
||||||
|
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
||||||
|
index aee4da2b1..8763ce484 100755
|
||||||
|
--- a/src/tests/t_pkinit.py
|
||||||
|
+++ b/src/tests/t_pkinit.py
|
||||||
|
@@ -7,7 +7,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
|
||||||
|
soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
|
||||||
|
|
||||||
|
# Construct a krb5.conf fragment configuring pkinit.
|
||||||
|
-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
|
||||||
|
+certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
|
||||||
|
ca_pem = os.path.join(certs, 'ca.pem')
|
||||||
|
kdc_pem = os.path.join(certs, 'kdc.pem')
|
||||||
|
user_pem = os.path.join(certs, 'user.pem')
|
||||||
|
diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py
|
||||||
|
index 3069eaa8f..6ae5c8c8e 100755
|
||||||
|
--- a/src/tests/t_proxy.py
|
||||||
|
+++ b/src/tests/t_proxy.py
|
||||||
|
@@ -10,17 +10,17 @@ except:
|
||||||
|
|
||||||
|
# Construct a krb5.conf fragment configuring the client to use a local proxy
|
||||||
|
# server.
|
||||||
|
-proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
|
||||||
|
+proxysubjectpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
|
||||||
|
'proxy-subject.pem')
|
||||||
|
-proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
|
||||||
|
+proxysanpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
|
||||||
|
'proxy-san.pem')
|
||||||
|
-proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
|
||||||
|
+proxyidealpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
|
||||||
|
'proxy-ideal.pem')
|
||||||
|
-proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
|
||||||
|
+proxywrongpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
|
||||||
|
'proxy-no-match.pem')
|
||||||
|
-proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
|
||||||
|
+proxybadpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
|
||||||
|
'proxy-badsig.pem')
|
||||||
|
-proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
|
||||||
|
+proxyca = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', 'ca.pem')
|
||||||
|
proxyurl = 'https://localhost:$port5/KdcProxy'
|
||||||
|
proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
|
||||||
|
proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
|
||||||
|
diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/testsuite/Makefile.in
|
||||||
|
similarity index 92%
|
||||||
|
rename from src/tests/dejagnu/Makefile.in
|
||||||
|
rename to src/tests/testsuite/Makefile.in
|
||||||
|
index e78e270ed..d3efe3606 100644
|
||||||
|
--- a/src/tests/dejagnu/Makefile.in
|
||||||
|
+++ b/src/tests/testsuite/Makefile.in
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-mydir=tests$(S)dejagnu
|
||||||
|
+mydir=tests$(S)testsuite
|
||||||
|
BUILDTOP=$(REL)..$(S)..
|
||||||
|
RUNTEST = @RUNTEST@ $(DEJAFLAGS)
|
||||||
|
RUNTESTFLAGS =
|
||||||
|
@@ -13,7 +13,7 @@ check: check-runtest-@HAVE_RUNTEST@
|
||||||
|
|
||||||
|
check-runtest-no:
|
||||||
|
@echo "+++"
|
||||||
|
- @echo "+++ WARNING: tests/dejagnu tests not run."
|
||||||
|
+ @echo "+++ WARNING: tests/testsuite tests not run."
|
||||||
|
@echo "+++ runtest is unavailable."
|
||||||
|
@echo "+++"
|
||||||
|
@echo 'Skipped dejagnu tests: runtest not found' >> $(SKIPTESTS)
|
||||||
|
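Review bot: In check-runtest-no, the warning line now says tests/testsuite, but the unchanged line just below it still appends 'Skipped dejagnu tests: runtest not found' to $(SKIPTESTS). If that string is meant to name the directory, it should follow the rename; if it names the DejaGnu framework, spell it "DejaGnu" as the .exp headers do, so the two messages do not read as inconsistent.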
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/testsuite/config/default.exp
|
||||||
|
similarity index 99%
|
||||||
|
rename from src/tests/dejagnu/config/default.exp
|
||||||
|
rename to src/tests/testsuite/config/default.exp
|
||||||
|
index 302dee74c..1492fac32 100644
|
||||||
|
--- a/src/tests/dejagnu/config/default.exp
|
||||||
|
+++ b/src/tests/testsuite/config/default.exp
|
||||||
|
@@ -256,7 +256,7 @@ verbose "Test realm is $REALMNAME"
|
||||||
|
|
||||||
|
# Find some programs we need. We use the binaries from the build tree
|
||||||
|
# if they exist. If they do not, then they must be in PATH. We
|
||||||
|
-# expect $objdir to be ...tests/dejagnu.
|
||||||
|
+# expect $objdir to be ...tests/testsuite.
|
||||||
|
|
||||||
|
foreach i {
|
||||||
|
{KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util}
|
||||||
|
diff --git a/src/tests/dejagnu/deps b/src/tests/testsuite/deps
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/deps
|
||||||
|
rename to src/tests/testsuite/deps
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/testsuite/krb-standalone/gssapi.exp
|
||||||
|
similarity index 98%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/gssapi.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/gssapi.exp
|
||||||
|
index e3357e769..d176e210c 100644
|
||||||
|
--- a/src/tests/dejagnu/krb-standalone/gssapi.exp
|
||||||
|
+++ b/src/tests/testsuite/krb-standalone/gssapi.exp
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
# This is a DejaGnu test script.
|
||||||
|
# This script tests that the GSS-API tester functions correctly.
|
||||||
|
|
||||||
|
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
|
||||||
|
+# This mostly just calls procedures in test/testsuite/config/default.exp.
|
||||||
|
|
||||||
|
if ![info exists KDESTROY] {
|
||||||
|
set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
|
||||||
|
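Review bot: The rewritten comment still reads test/testsuite/config/default.exp, while the directory being renamed is tests/testsuite. Since the line is touched anyway, correct it to tests/testsuite/config/default.exp; the same comment is carried over unchanged in the sample.exp and simple.exp hunks.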
diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/testsuite/krb-standalone/kprop.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/kprop.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/kprop.exp
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/princexpire.exp b/src/tests/testsuite/krb-standalone/princexpire.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/princexpire.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/princexpire.exp
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/testsuite/krb-standalone/sample.exp
|
||||||
|
similarity index 98%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/sample.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/sample.exp
|
||||||
|
index 93a75f1d0..009de5ddb 100644
|
||||||
|
--- a/src/tests/dejagnu/krb-standalone/sample.exp
|
||||||
|
+++ b/src/tests/testsuite/krb-standalone/sample.exp
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
# This is a DejaGnu test script.
|
||||||
|
# This script tests that sample user-user communication works.
|
||||||
|
|
||||||
|
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
|
||||||
|
+# This mostly just calls procedures in test/testsuite/config/default.exp.
|
||||||
|
|
||||||
|
if ![info exists KLIST] {
|
||||||
|
set KLIST [findfile $objdir/../../clients/klist/klist]
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/testsuite/krb-standalone/simple.exp
|
||||||
|
similarity index 98%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/simple.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/simple.exp
|
||||||
|
index d8b218248..92b33066e 100644
|
||||||
|
--- a/src/tests/dejagnu/krb-standalone/simple.exp
|
||||||
|
+++ b/src/tests/testsuite/krb-standalone/simple.exp
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
# This is a DejaGnu test script.
|
||||||
|
# This script tests that krb-safe and krb-priv messages work.
|
||||||
|
|
||||||
|
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
|
||||||
|
+# This mostly just calls procedures in test/testsuite/config/default.exp.
|
||||||
|
|
||||||
|
if ![info exists KLIST] {
|
||||||
|
set KLIST [findfile $objdir/../../clients/klist/klist]
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/testsuite/krb-standalone/standalone.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/standalone.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/standalone.exp
|
||||||
|
diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/testsuite/krb-standalone/tcp.exp
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/krb-standalone/tcp.exp
|
||||||
|
rename to src/tests/testsuite/krb-standalone/tcp.exp
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/testsuite/pkinit-certs/ca.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/ca.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/ca.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/testsuite/pkinit-certs/generic.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/generic.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/generic.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/testsuite/pkinit-certs/generic.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/generic.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/generic.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/testsuite/pkinit-certs/kdc.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/kdc.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/kdc.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/testsuite/pkinit-certs/make-certs.sh
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/make-certs.sh
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/make-certs.sh
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/testsuite/pkinit-certs/privkey-enc.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/privkey-enc.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/privkey-enc.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/testsuite/pkinit-certs/privkey.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/privkey.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/privkey.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/testsuite/pkinit-certs/user-enc.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-enc.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-enc.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/testsuite/pkinit-certs/user-upn.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/testsuite/pkinit-certs/user-upn.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/testsuite/pkinit-certs/user-upn2.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn2.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn2.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/testsuite/pkinit-certs/user-upn2.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn2.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn2.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/testsuite/pkinit-certs/user-upn3.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn3.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn3.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/testsuite/pkinit-certs/user-upn3.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user-upn3.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user-upn3.pem
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/testsuite/pkinit-certs/user.p12
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user.p12
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user.p12
|
||||||
|
diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/testsuite/pkinit-certs/user.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/pkinit-certs/user.pem
|
||||||
|
rename to src/tests/testsuite/pkinit-certs/user.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/testsuite/proxy-certs/ca.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/ca.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/ca.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/testsuite/proxy-certs/make-certs.sh
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/make-certs.sh
|
||||||
|
rename to src/tests/testsuite/proxy-certs/make-certs.sh
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/testsuite/proxy-certs/proxy-badsig.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/proxy-badsig.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/proxy-badsig.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/testsuite/proxy-certs/proxy-ideal.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/proxy-ideal.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/proxy-ideal.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/testsuite/proxy-certs/proxy-no-match.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/proxy-no-match.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/proxy-no-match.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/testsuite/proxy-certs/proxy-san.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/proxy-san.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/proxy-san.pem
|
||||||
|
diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/testsuite/proxy-certs/proxy-subject.pem
|
||||||
|
similarity index 100%
|
||||||
|
rename from src/tests/dejagnu/proxy-certs/proxy-subject.pem
|
||||||
|
rename to src/tests/testsuite/proxy-certs/proxy-subject.pem
|
||||||
|
diff --git a/src/tests/dejagnu/t_inetd.c b/src/tests/testsuite/t_inetd.c
|
||||||
|
similarity index 99%
|
||||||
|
rename from src/tests/dejagnu/t_inetd.c
|
||||||
|
rename to src/tests/testsuite/t_inetd.c
|
||||||
|
index abcde50fa..2bad2cf65 100644
|
||||||
|
--- a/src/tests/dejagnu/t_inetd.c
|
||||||
|
+++ b/src/tests/testsuite/t_inetd.c
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||||
|
-/* tests/dejagnu/t_inetd.c */
|
||||||
|
+/* tests/testsuite/t_inetd.c */
|
||||||
|
/*
|
||||||
|
* Copyright 1991 by the Massachusetts Institute of Technology.
|
||||||
|
* All Rights Reserved.
|
||||||
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||||
|
index 251d11a9d..908a1495c 100644
|
||||||
|
--- a/src/util/k5test.py
|
||||||
|
+++ b/src/util/k5test.py
|
||||||
|
@@ -1383,7 +1383,7 @@ kswitch = os.path.join(buildtop, 'clients', 'kswitch', 'kswitch')
|
||||||
|
kvno = os.path.join(buildtop, 'clients', 'kvno', 'kvno')
|
||||||
|
kdestroy = os.path.join(buildtop, 'clients', 'kdestroy', 'kdestroy')
|
||||||
|
kpasswd = os.path.join(buildtop, 'clients', 'kpasswd', 'kpasswd')
|
||||||
|
-t_inetd = os.path.join(buildtop, 'tests', 'dejagnu', 't_inetd')
|
||||||
|
+t_inetd = os.path.join(buildtop, 'tests', 'testsuite', 't_inetd')
|
||||||
|
kproplog = os.path.join(buildtop, 'kprop', 'kproplog')
|
||||||
|
kpropd = os.path.join(buildtop, 'kprop', 'kpropd')
|
||||||
|
kprop = os.path.join(buildtop, 'kprop', 'kprop')
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
69
SOURCES/krb5-krad-larger-attrs.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 8 Nov 2021 17:48:50 +0100
|
||||||
|
Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
|
||||||
|
|
||||||
|
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
|
||||||
|
Otherwise attributes longer than 125 characters will be rejected with
|
||||||
|
EBADMSG.
|
||||||
|
|
||||||
|
Add a 253-character-long NAS-Identifier attribute to the tests to make
|
||||||
|
sure that attributes with the maximal number of characters are working
|
||||||
|
as expected.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: used uint8_t cast per current practices; edited
|
||||||
|
commit message]
|
||||||
|
|
||||||
|
ticket: 9036 (new)
|
||||||
|
---
|
||||||
|
src/lib/krad/attrset.c | 2 +-
|
||||||
|
src/lib/krad/t_packet.c | 13 +++++++++++++
|
||||||
|
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
|
||||||
|
index d89982a13..6ec031e32 100644
|
||||||
|
--- a/src/lib/krad/attrset.c
|
||||||
|
+++ b/src/lib/krad/attrset.c
|
||||||
|
@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
|
||||||
|
|
||||||
|
for (i = 0; i + 2 < in->length; ) {
|
||||||
|
type = in->data[i++];
|
||||||
|
- tmp = make_data(&in->data[i + 1], in->data[i] - 2);
|
||||||
|
+ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
|
||||||
|
i += tmp.length + 1;
|
||||||
|
|
||||||
|
retval = (in->length < i) ? EBADMSG : 0;
|
||||||
|
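Review bot: In the make_data() call, the cast fixes length bytes of 128 and above, but a length byte of 0 or 1 still makes (uint8_t)in->data[i] - 2 negative before it is used as the data length. The visible code relies on the later in->length < i comparison to turn that into EBADMSG; an explicit check that the length byte is at least 2, placed before make_data(), would reject such attributes without depending on how the negative value converts.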
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
|
||||||
|
index 0a92e9cc2..c22489144 100644
|
||||||
|
--- a/src/lib/krad/t_packet.c
|
||||||
|
+++ b/src/lib/krad/t_packet.c
|
||||||
|
@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
|
||||||
|
krb5_error_code retval;
|
||||||
|
const krb5_data *data;
|
||||||
|
int i = 0;
|
||||||
|
+ krb5_data nas_id;
|
||||||
|
+
|
||||||
|
+ nas_id = string2data("12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "123");
|
||||||
|
|
||||||
|
retval = krad_attrset_new(ctx, &set);
|
||||||
|
if (retval != 0)
|
||||||
|
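Review bot: The nas_id literal is 253 characters only if the reader counts five 50-character lines plus "123", and nothing in the hunk says why 253 matters. A short comment that this is the largest value a one-byte attribute length allows (255 minus the 2 that kr_attrset_decode() subtracts), or an assertion on nas_id.length, would keep the test from silently losing its purpose if the string is ever edited.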
@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
|
||||||
|
if (retval != 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
+ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
|
||||||
|
+ &nas_id);
|
||||||
|
+ if (retval != 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
retval = krad_packet_new_request(ctx, "foo",
|
||||||
|
krad_code_name2num("Access-Request"),
|
||||||
|
set, iterator, &i, &tmp);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
171
SOURCES/krb5-krad-remote.patch
Normal file
@ -0,0 +1,171 @@
|
|||||||
|
From a8551b609fd50458ca3c06a9dd345b6cdf18689b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 9 Nov 2021 13:00:43 -0500
|
||||||
|
Subject: [PATCH 1/2] Avoid use after free during libkrad cleanup
|
||||||
|
|
||||||
|
libkrad client requests contain a list of references to remotes, with
|
||||||
|
no back-references or reference counts. To prevent accesses to
|
||||||
|
dangling references during cleanup, cancel all requests on all remotes
|
||||||
|
before freeing any remotes.
|
||||||
|
|
||||||
|
Remove the code for aging out unused servers. This code was fairly
|
||||||
|
safe as all requests referencing a remote should have completed or
|
||||||
|
timed out during an hour of disuse, but in the current design we have
|
||||||
|
no way to guarantee or check that. The set of addresses we send
|
||||||
|
RADIUS requests to will generally be small, so aging out servers is
|
||||||
|
unnecessary.
|
||||||
|
|
||||||
|
ticket: 9035 (new)
|
||||||
|
---
|
||||||
|
src/lib/krad/client.c | 42 ++++++++++++++---------------------------
|
||||||
|
src/lib/krad/internal.h | 4 ++++
|
||||||
|
src/lib/krad/remote.c | 11 ++++++++---
|
||||||
|
3 files changed, 26 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
|
||||||
|
index 6365dd1c6..810940afc 100644
|
||||||
|
--- a/src/lib/krad/client.c
|
||||||
|
+++ b/src/lib/krad/client.c
|
||||||
|
@@ -64,7 +64,6 @@ struct request_st {
|
||||||
|
|
||||||
|
struct server_st {
|
||||||
|
krad_remote *serv;
|
||||||
|
- time_t last;
|
||||||
|
K5_LIST_ENTRY(server_st) list;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
|
||||||
|
krad_remote **out)
|
||||||
|
{
|
||||||
|
krb5_error_code retval;
|
||||||
|
- time_t currtime;
|
||||||
|
server *srv;
|
||||||
|
|
||||||
|
- if (time(&currtime) == (time_t)-1)
|
||||||
|
- return errno;
|
||||||
|
-
|
||||||
|
K5_LIST_FOREACH(srv, &rc->servers, list) {
|
||||||
|
if (kr_remote_equals(srv->serv, ai, secret)) {
|
||||||
|
- srv->last = currtime;
|
||||||
|
*out = srv->serv;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
|
||||||
|
srv = calloc(1, sizeof(server));
|
||||||
|
if (srv == NULL)
|
||||||
|
return ENOMEM;
|
||||||
|
- srv->last = currtime;
|
||||||
|
|
||||||
|
retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
|
||||||
|
if (retval != 0) {
|
||||||
|
@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* Close remotes that haven't been used in a while. */
|
||||||
|
-static void
|
||||||
|
-age(struct server_head *head, time_t currtime)
|
||||||
|
-{
|
||||||
|
- server *srv, *tmp;
|
||||||
|
-
|
||||||
|
- K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
|
||||||
|
- if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
|
||||||
|
- K5_LIST_REMOVE(srv, list);
|
||||||
|
- kr_remote_free(srv->serv);
|
||||||
|
- free(srv);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
/* Handle a response from a server (or related errors). */
|
||||||
|
static void
|
||||||
|
on_response(krb5_error_code retval, const krad_packet *reqp,
|
||||||
|
const krad_packet *rspp, void *data)
|
||||||
|
{
|
||||||
|
request *req = data;
|
||||||
|
- time_t currtime;
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
/* Do nothing if we are already completed. */
|
||||||
|
@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
|
||||||
|
for (i = 0; req->remotes[i].remote != NULL; i++)
|
||||||
|
kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
|
||||||
|
|
||||||
|
- /* Age out servers that haven't been used in a while. */
|
||||||
|
- if (time(&currtime) != (time_t)-1)
|
||||||
|
- age(&req->rc->servers, currtime);
|
||||||
|
-
|
||||||
|
request_free(req);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
|
||||||
|
void
|
||||||
|
krad_client_free(krad_client *rc)
|
||||||
|
{
|
||||||
|
+ server *srv;
|
||||||
|
+
|
||||||
|
if (rc == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
- age(&rc->servers, -1);
|
||||||
|
+ /* Cancel all requests before freeing any remotes, since each request's
|
||||||
|
+ * callback data may contain references to multiple remotes. */
|
||||||
|
+ K5_LIST_FOREACH(srv, &rc->servers, list)
|
||||||
|
+ kr_remote_cancel_all(srv->serv);
|
||||||
|
+
|
||||||
|
+ while (!K5_LIST_EMPTY(&rc->servers)) {
|
||||||
|
+ srv = K5_LIST_FIRST(&rc->servers);
|
||||||
|
+ K5_LIST_REMOVE(srv, list);
|
||||||
|
+ kr_remote_free(srv->serv);
|
||||||
|
+ free(srv);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
free(rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
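Review bot: In krad_client_free(), the first loop walks rc->servers with plain K5_LIST_FOREACH while kr_remote_cancel_all() is finishing requests. That is safe only as long as nothing on the cancellation path removes entries from rc->servers, which holds now that the age() call is gone from on_response(). Extend the new comment to state that invariant, or use K5_LIST_FOREACH_SAFE, so a later change to the response path does not reintroduce a dangling iterator.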
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||||
|
index 223ffd730..fa012db78 100644
|
||||||
|
--- a/src/lib/krad/internal.h
|
||||||
|
+++ b/src/lib/krad/internal.h
|
||||||
|
@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
||||||
|
void
|
||||||
|
kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
|
||||||
|
|
||||||
|
+/* Cancel all requests awaiting responses. */
|
||||||
|
+void
|
||||||
|
+kr_remote_cancel_all(krad_remote *rr);
|
||||||
|
+
|
||||||
|
/* Determine if this remote object refers to the remote resource identified
|
||||||
|
* by the addrinfo struct and the secret. */
|
||||||
|
krb5_boolean
|
||||||
|
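Review bot: The comment on kr_remote_cancel_all() says only "Cancel all requests awaiting responses." It should also say that each pending request is finished with ECANCELED and that krad_client_free() depends on calling this for every remote before any remote is freed, since that ordering is the point of the fix and is not obvious from the prototype.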
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||||
|
index c8912892c..01a5fd2a4 100644
|
||||||
|
--- a/src/lib/krad/remote.c
|
||||||
|
+++ b/src/lib/krad/remote.c
|
||||||
|
@@ -452,15 +452,20 @@ error:
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
+void
|
||||||
|
+kr_remote_cancel_all(krad_remote *rr)
|
||||||
|
+{
|
||||||
|
+ while (!K5_TAILQ_EMPTY(&rr->list))
|
||||||
|
+ request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void
|
||||||
|
kr_remote_free(krad_remote *rr)
|
||||||
|
{
|
||||||
|
if (rr == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
- while (!K5_TAILQ_EMPTY(&rr->list))
|
||||||
|
- request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
|
||||||
|
-
|
||||||
|
+ kr_remote_cancel_all(rr);
|
||||||
|
free(rr->secret);
|
||||||
|
if (rr->info != NULL)
|
||||||
|
free(rr->info->ai_addr);
|
||||||
|
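Review bot: kr_remote_cancel_all() dereferences rr->list unconditionally, whereas kr_remote_free() directly below returns early on rr == NULL. The call from kr_remote_free() is covered by that check, but the new call in krad_client_free() passes srv->serv directly. Either add the same NULL guard here or document in internal.h that rr must be non-NULL.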
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -42,7 +42,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.19.1
|
Version: 1.19.1
|
||||||
Release: %{?zdpd}15%{?dist}
|
Release: %{?zdpd}22%{?dist}
|
||||||
|
|
||||||
# rharwood has trust path to signing key and verifies on check-in
|
# rharwood has trust path to signing key and verifies on check-in
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||||
@ -91,6 +91,13 @@ Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch
|
|||||||
Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
|
Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
|
||||||
Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
|
Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
|
||||||
Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
|
Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
|
||||||
|
Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
|
||||||
|
Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
|
||||||
|
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
|
||||||
|
Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
|
||||||
|
Patch34: krb5-krad-remote.patch
|
||||||
|
Patch35: krb5-krad-larger-attrs.patch
|
||||||
|
Patch36: Set-reasonable-supportedCMSTypes-in-PKINIT.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://web.mit.edu/kerberos/www/
|
URL: https://web.mit.edu/kerberos/www/
|
||||||
@ -250,7 +257,7 @@ popd
|
|||||||
# builds going on the same host don't step on each other.
|
# builds going on the same host don't step on each other.
|
||||||
cfg="src/kadmin/testing/proto/kdc.conf.proto \
|
cfg="src/kadmin/testing/proto/kdc.conf.proto \
|
||||||
src/kadmin/testing/proto/krb5.conf.proto \
|
src/kadmin/testing/proto/krb5.conf.proto \
|
||||||
src/lib/kadm5/unit-test/api.current/init-v2.exp \
|
src/lib/kadm5/testsuite/api.current/init-v2.exp \
|
||||||
src/util/k5test.py"
|
src/util/k5test.py"
|
||||||
LONG_BIT=`getconf LONG_BIT`
|
LONG_BIT=`getconf LONG_BIT`
|
||||||
PORT=`expr 61000 + $LONG_BIT - 48`
|
PORT=`expr 61000 + $LONG_BIT - 48`
|
||||||
@ -284,6 +291,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
|
|||||||
CFLAGS="$CFLAGS" \
|
CFLAGS="$CFLAGS" \
|
||||||
CPPFLAGS="$CPPFLAGS" \
|
CPPFLAGS="$CPPFLAGS" \
|
||||||
SS_LIB="-lss" \
|
SS_LIB="-lss" \
|
||||||
|
PKCS11_MODNAME="p11-kit-proxy.so" \
|
||||||
--enable-shared \
|
--enable-shared \
|
||||||
--runstatedir=/run \
|
--runstatedir=/run \
|
||||||
--localstatedir=%{_var}/kerberos \
|
--localstatedir=%{_var}/kerberos \
|
||||||
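Review bot: PKCS11_MODNAME is set to the bare file name p11-kit-proxy.so, so which library PKINIT loads by default depends on the library search path at run time, and the visible spec hunks add no dependency on the package that ships that file. Consider adding the matching Requires (or Recommends) alongside this line, and have the changelog entry say that the default is no longer opensc-pkcs11.so, since a krb5.conf without an explicit module name changes behaviour on upgrade.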
@ -647,6 +655,29 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 08 2022 Julien Rische <jrische@redhat.com> - 1.19.1-22
|
||||||
|
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
|
||||||
|
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
|
||||||
|
- Resolves: rhbz#2068935
|
||||||
|
|
||||||
|
* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
|
||||||
|
- Fix libkrad client cleanup
|
||||||
|
- Allow use of larger RADIUS attributes in krad library
|
||||||
|
- Resolves: rhbz#2100351
|
||||||
|
|
||||||
|
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
|
||||||
|
- Fix OpenSSL 3 MD5 encyption in FIPS mode
|
||||||
|
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
|
||||||
|
- Resolves: rhbz#2068458
|
||||||
|
|
||||||
|
* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
|
||||||
|
- Use p11-kit as default PKCS11 module
|
||||||
|
- Resolves: rhbz#2030981
|
||||||
|
|
||||||
|
* Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
|
||||||
|
- Try harder to avoid password change replay errors
|
||||||
|
- Resolves: rhbz#2075186
|
||||||
|
|
||||||
* Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
|
* Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
|
||||||
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest
|
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest
|
||||||
|
|
||||||
|
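Review bot: The changelog goes from 1.19.1-15 straight to 1.19.1-18 while Release moves from 15 to 22, so releases 16 and 17 have no entry; add them or note why they were skipped. In the 1.19.1-20 entry, "encyption" should be "encryption".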