import krb5-1.19.1-22.el9

This commit is contained in:
CentOS Sources 2022-09-27 09:59:59 -04:00 committed by Stepan Oksanichenko
parent 9b62daa65d
commit b0c01ac38e
9 changed files with 1600 additions and 27 deletions

View File

@ -0,0 +1,201 @@
From 2a6a4568ed1df4ed89604b09fa11785c9ae38c67 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 22 Apr 2022 14:12:37 +0200
Subject: [PATCH] Add configure variable for default PKCS#11 module
[ghudson@mit.edu: added documentation of configure variable and doc
substitution; shortened commit message]
ticket: 9058 (new)
---
doc/admin/conf_files/krb5_conf.rst | 2 +-
doc/build/options2configure.rst | 3 +++
doc/conf.py | 3 +++
doc/mitK5defaults.rst | 25 +++++++++++++------------
src/configure.ac | 8 ++++++++
src/doc/Makefile.in | 2 ++
src/man/Makefile.in | 4 +++-
src/man/krb5.conf.man | 2 +-
src/plugins/preauth/pkinit/pkinit.h | 1 -
9 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index adba8238d..3d25c9a12 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1020,7 +1020,7 @@ information for PKINIT is as follows:
All keyword/values are optional. *modname* specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the *modname*. If no
- module-name is specified, the default is ``opensc-pkcs11.so``.
+ module-name is specified, the default is |pkcs11_modname|.
``slotid=`` and/or ``token=`` may be specified to force the use of
a particular smard card reader or token if there is more than one
available. ``certid=`` and/or ``certlabel=`` may be specified to
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index a8959626d..8f8ac911c 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -143,6 +143,9 @@ Environment variables
This option allows one to specify libraries to be passed to the
linker (e.g., ``-l<library>``)
+**PKCS11_MODNAME=**\ *library*
+ Override the built-in default PKCS11 library name.
+
**SS_LIB=**\ *libs*...
If ``-lss`` is not the correct way to link in your installed ss
library, for example if additional support libraries are needed,
diff --git a/doc/conf.py b/doc/conf.py
index 4fb6aae14..29fd53375 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -235,6 +235,7 @@ if 'mansubs' in tags:
ccache = '``@CCNAME@``'
keytab = '``@KTNAME@``'
ckeytab = '``@CKTNAME@``'
+ pkcs11_modname = '``@PKCS11MOD@``'
elif 'pathsubs' in tags:
# Read configured paths from a file produced by the build system.
exec(open("paths.py").read())
@@ -248,6 +249,7 @@ else:
ccache = ':ref:`DEFCCNAME <paths>`'
keytab = ':ref:`DEFKTNAME <paths>`'
ckeytab = ':ref:`DEFCKTNAME <paths>`'
+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
rst_epilog = '\n'
@@ -268,6 +270,7 @@ else:
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
rst_epilog += '''
.. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 74e69f4ad..aea7af3db 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
operating system, the paths are generally chosen to match the
operating system's filesystem layout.
-========================== ============= =========================== ===========================
-Description Symbolic name Custom build path Typical OS path
-========================== ============= =========================== ===========================
-User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
-========================== ============= =========================== ===========================
+========================== ============== =========================== ===========================
+Description Symbolic name Custom build path Typical OS path
+========================== ============== =========================== ===========================
+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
+========================== ============== =========================== ===========================
The default client keytab name (DEFCKTNAME) typically defaults to
``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
diff --git a/src/configure.ac b/src/configure.ac
index 363d5d62d..3a0633177 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1466,6 +1466,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
[Define to default client keytab name])
+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
+if test "${PKCS11_MODNAME+set}" != set; then
+ PKCS11_MODNAME=opensc-pkcs11.so
+fi
+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
+ [Default PKCS11 module name])
+
AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
AC_CONFIG_FILES([build-tools/kadm-server.pc
build-tools/kadm-client.pc
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
index 379bc3651..a1b0cff0a 100644
--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
+PKCS11_MODNAME=@PKCS11_MODNAME@
RST_SOURCES= _static \
_templates \
@@ -118,6 +119,7 @@ paths.py:
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
# Dummy rule that man/Makefile can invoke
version.py: $(docsrc)/version.py
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 00b1b2de0..85cae0914 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
+PKCS11_MODNAME=@PKCS11_MODNAME@
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
all: $(MANSUBS)
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 3a702ca8f..e4202723f 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1151,7 +1151,7 @@ user\(aqs certificate and private key.
All keyword/values are optional. \fImodname\fP specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the \fImodname\fP\&. If no
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
a particular smard card reader or token if there is more than one
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index b437fd53f..a2018cb10 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -42,7 +42,6 @@
#ifndef WITHOUT_PKCS11
#include "pkcs11.h"
-#define PKCS11_MODNAME "opensc-pkcs11.so"
#define PK_SIGLEN_GUESS 1000
#define PK_NOSLOT 999999
#endif
--
2.35.1

View File

@ -0,0 +1,188 @@
From dea9421ccdbe5c8f63aae85341a8f091c6019407 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 1 Jun 2022 18:02:04 +0200
Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
the algorithms it supports for verification of the CMS data signature.
(The MIT krb5 KDC currently ignores this list, but other
implementations use it.)
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
commit message]
ticket: 9066 (new)
---
src/plugins/preauth/pkinit/Makefile.in | 4 +-
src/plugins/preauth/pkinit/pkinit_clnt.c | 8 ++++
...nit_kdf_constants.c => pkinit_constants.c} | 24 ++++++++++++
src/plugins/preauth/pkinit/pkinit_crypto.h | 16 ++++++++
.../preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++++++++++++
5 files changed, 89 insertions(+), 2 deletions(-)
rename src/plugins/preauth/pkinit/{pkinit_kdf_constants.c => pkinit_constants.c} (76%)
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
index d20fb18a8..97aaded03 100644
--- a/src/plugins/preauth/pkinit/Makefile.in
+++ b/src/plugins/preauth/pkinit/Makefile.in
@@ -18,7 +18,7 @@ STLIBOBJS= \
pkinit_srv.o \
pkinit_lib.o \
pkinit_clnt.o \
- pkinit_kdf_constants.o \
+ pkinit_constants.o \
pkinit_profile.o \
pkinit_identity.o \
pkinit_matching.o \
@@ -29,7 +29,7 @@ SRCS= \
$(srcdir)/pkinit_srv.c \
$(srcdir)/pkinit_lib.c \
$(srcdir)/pkinit_kdf_test.c \
- $(srcdir)/pkinit_kdf_constants.c \
+ $(srcdir)/pkinit_constants.c \
$(srcdir)/pkinit_clnt.c \
$(srcdir)/pkinit_profile.c \
$(srcdir)/pkinit_identity.c \
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index a385da7c3..2817cc213 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,6 +212,14 @@ pkinit_as_req_create(krb5_context context,
auth_pack.clientPublicValue = &info;
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
+ /* add List of CMS algorithms */
+ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
+ reqctx->cryptoctx,
+ reqctx->idctx, &cmstypes);
+ auth_pack.supportedCMSTypes = cmstypes;
+ if (retval)
+ goto cleanup;
+
switch(protocol) {
case DH_PROTOCOL:
TRACE_PKINIT_CLIENT_REQ_DH(context);
diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
similarity index 76%
rename from src/plugins/preauth/pkinit/pkinit_kdf_constants.c
rename to src/plugins/preauth/pkinit/pkinit_constants.c
index 1604f1670..1832e8f7b 100644
--- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
@@ -57,3 +57,27 @@ krb5_data const * const supported_kdf_alg_ids[] = {
&sha512_id,
NULL
};
+
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
+ * rsadsi(113549) pkcs(1) 1 11 */
+static char sha256WithRSAEncr_oid[9] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+};
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
+ * rsadsi(113549) pkcs(1) 1 13 */
+static char sha512WithRSAEncr_oid[9] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
+};
+
+const krb5_data sha256WithRSAEncr_id = {
+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
+};
+const krb5_data sha512WithRSAEncr_id = {
+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
+};
+
+krb5_data const * const supported_cms_algs[] = {
+ &sha512WithRSAEncr_id,
+ &sha256WithRSAEncr_id,
+ NULL
+};
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 1f9868351..f38a77093 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -380,6 +380,18 @@ krb5_error_code server_process_dh
unsigned int *server_key_len_out); /* OUT
receives length of DH secret key */
+/*
+ * this functions takes in crypto specific representation of
+ * supportedCMSTypes and creates a list of
+ * krb5_algorithm_identifier
+ */
+krb5_error_code create_krb5_supportedCMSTypes
+ (krb5_context context, /* IN */
+ pkinit_plg_crypto_context plg_cryptoctx, /* IN */
+ pkinit_req_crypto_context req_cryptoctx, /* IN */
+ pkinit_identity_crypto_context id_cryptoctx, /* IN */
+ krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
+
/*
* this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of
@@ -617,6 +629,10 @@ extern const size_t krb5_pkinit_sha512_oid_len;
*/
extern krb5_data const * const supported_kdf_alg_ids[];
+/* CMS signature algorithms supported by this implementation, in order of
+ * decreasing preference. */
+extern krb5_data const * const supported_cms_algs[];
+
krb5_error_code
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
uint8_t **der_out, size_t *der_len);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 2a6ef4aaa..41a7464b5 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5582,6 +5582,45 @@ cleanup:
return retval;
}
+krb5_error_code
+create_krb5_supportedCMSTypes(krb5_context context,
+ pkinit_plg_crypto_context plg_cryptoctx,
+ pkinit_req_crypto_context req_cryptoctx,
+ pkinit_identity_crypto_context id_cryptoctx,
+ krb5_algorithm_identifier ***algs_out)
+{
+ krb5_error_code ret;
+ krb5_algorithm_identifier **algs = NULL;
+ size_t i, count;
+
+ *algs_out = NULL;
+
+ /* Count supported OIDs and allocate list (including null terminator). */
+ for (count = 0; supported_cms_algs[count] != NULL; count++);
+ algs = k5calloc(count + 1, sizeof(*algs), &ret);
+ if (algs == NULL)
+ goto cleanup;
+
+ /* Add an algorithm identifier for each OID, with no parameters. */
+ for (i = 0; i < count; i++) {
+ algs[i] = k5alloc(sizeof(*algs[i]), &ret);
+ if (algs[i] == NULL)
+ goto cleanup;
+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
+ &algs[i]->algorithm);
+ if (ret)
+ goto cleanup;
+ algs[i]->parameters = empty_data();
+ }
+
+ *algs_out = algs;
+ algs = NULL;
+
+cleanup:
+ free_krb5_algorithm_identifiers(&algs);
+ return ret;
+}
+
krb5_error_code
create_krb5_trustedCertifiers(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
--
2.35.3

View File

@ -0,0 +1,91 @@
From ad8e02485791023dcf66ef4612616f03895ceeb3 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 4 Mar 2022 00:45:00 -0500
Subject: [PATCH] Try harder to avoid password change replay errors
Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
change_set_password() to prefer TCP. However, because UDP_LAST falls
back to UDP after one second, we can still get a replay error due to a
dropped packet, before the TCP layer has a chance to retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
ticket: 9037
---
src/lib/krb5/os/changepw.c | 9 ++++++++-
src/lib/krb5/os/os-proto.h | 1 +
src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 9f968da7f..c59232586 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -255,9 +255,16 @@ change_set_password(krb5_context context,
callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
krb5_free_data_contents(callback_ctx.context, &chpw_rep);
+ /* UDP retransmits may be seen as replays. Only try UDP after other
+ * transports fail completely. */
code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
- &sl, UDP_LAST, &callback_info, &chpw_rep,
+ &sl, NO_UDP, &callback_info, &chpw_rep,
ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
+ if (code == KRB5_KDC_UNREACH) {
+ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
+ &sl, ONLY_UDP, &callback_info, &chpw_rep,
+ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
+ }
if (code)
goto cleanup;
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index a985f2aec..91d2791ce 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -49,6 +49,7 @@ typedef enum {
UDP_FIRST = 0,
UDP_LAST,
NO_UDP,
+ ONLY_UDP
} k5_transport_strategy;
/* A single server hostname or address. */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 0eedec175..c7f5d861a 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -802,11 +802,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
int err, result;
char portbuf[PORT_LENGTH];
- /* Skip UDP entries if we don't want UDP. */
+ /* Skip entries excluded by the strategy. */
if (strategy == NO_UDP && entry->transport == UDP)
return 0;
+ if (strategy == ONLY_UDP && entry->transport != UDP &&
+ entry->transport != TCP_OR_UDP)
+ return 0;
- transport = (strategy == UDP_FIRST) ? UDP : TCP;
+ transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
if (entry->hostname == NULL) {
/* Added by a module, so transport is either TCP or UDP. */
ai.ai_socktype = socktype_for_transport(entry->transport);
@@ -850,8 +853,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
}
/* For TCP_OR_UDP entries, add each address again with the non-preferred
- * transport, unless we are avoiding UDP. Flag these as deferred. */
- if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
+ * transport, if there is one. Flag these as deferred. */
+ if (retval == 0 && entry->transport == TCP_OR_UDP &&
+ (strategy == UDP_FIRST || strategy == UDP_LAST)) {
transport = (strategy == UDP_FIRST) ? TCP : UDP;
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
a->ai_socktype = socktype_for_transport(transport);
--
2.35.1

View File

@ -0,0 +1,82 @@
From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 May 2022 17:15:12 +0200
Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.
Resolves: rhbz#2068458
---
src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index eca432424..c8912892c 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -33,6 +33,7 @@
#include <string.h>
#include <unistd.h>
+#include <stdbool.h>
#include <sys/un.h>
@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
static void
on_timeout(verto_ctx *ctx, verto_ev *ev);
+static in_addr_t get_in_addr(struct addrinfo *info)
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
+
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
+
+static bool is_inet_localhost(struct addrinfo *info)
+{
+ struct addrinfo *p;
+
+ for (p = info; p; p = p->ai_next) {
+ switch (p->ai_family) {
+ case AF_INET:
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
+ >> IN_CLASSA_NSHIFT))
+ return false;
+ break;
+ case AF_INET6:
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
+ return false;
+ break;
+ default:
+ return false;
+ }
+ }
+
+ return true;
+}
+
+
/* Iterate over the set of outstanding packets. */
static const krad_packet *
iterator(request **out)
@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
(krad_packet_iter_cb)iterator, &r, &tmp);
if (retval != 0)
goto error;
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
- rr->info->ai_family != AF_UNIX) {
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
+ && rr->info->ai_family != AF_UNIX
+ && !is_inet_localhost(rr->info)) {
/* This would expose cleartext passwords, so abort. */
retval = ESOCKTNOSUPPORT;
goto error;
--
2.35.1

View File

@ -1,4 +1,4 @@
From a7318c3cd6e1f58adb80493c05b59e6c180cd584 Mon Sep 17 00:00:00 2001
From 4f8cba1780bc167c52de2a791cad6a1817508bbe Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 23 Feb 2022 17:34:33 +0100
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@ -28,24 +28,26 @@ global context.
Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
effect anymore.
post9 load both default and legacy provider into library context
Last-updated: krb5-1.19
---
doc/admin/conf_files/krb5_conf.rst | 6 ++
src/lib/crypto/krb/prng.c | 11 ++-
.../crypto/openssl/enc_provider/camellia.c | 6 ++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++-
.../crypto/openssl/hash_provider/hash_evp.c | 85 ++++++++++++++++++-
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++-
.../crypto/openssl/hash_provider/hash_evp.c | 93 ++++++++++++++++++-
src/lib/crypto/openssl/hmac.c | 6 +-
src/lib/krad/attr.c | 46 ++++++++---
src/lib/krad/attr.c | 46 ++++++---
src/lib/krad/attrset.c | 5 +-
src/lib/krad/internal.h | 28 ++++++-
src/lib/krad/packet.c | 22 +++---
src/lib/krad/remote.c | 10 ++-
src/lib/krad/internal.h | 28 +++++-
src/lib/krad/packet.c | 22 +++--
src/lib/krad/remote.c | 10 +-
src/lib/krad/t_attr.c | 3 +-
src/lib/krad/t_attrset.c | 4 +-
src/plugins/preauth/spake/spake_client.c | 6 ++
src/plugins/preauth/spake/spake_kdc.c | 6 ++
15 files changed, 218 insertions(+), 35 deletions(-)
15 files changed, 230 insertions(+), 35 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 675175955..adba8238d 100644
@ -158,10 +160,10 @@ index bc87c6f42..9bf407899 100644
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 1e0fb8fc3..4b8e1a6b2 100644
index 1e0fb8fc3..57bca3fec 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -32,6 +32,50 @@
@@ -32,6 +32,46 @@
#include "crypto_int.h"
#include <openssl/evp.h>
@ -170,8 +172,8 @@ index 1e0fb8fc3..4b8e1a6b2 100644
+
+typedef struct ossl_lib_md_context {
+ OSSL_LIB_CTX *libctx;
+ OSSL_PROVIDER *default_provider;
+ OSSL_PROVIDER *legacy_provider;
+ EVP_MD *md;
+} ossl_md_context_t;
+
+static thread_local ossl_md_context_t *ossl_md_ctx = NULL;
@ -183,15 +185,11 @@ index 1e0fb8fc3..4b8e1a6b2 100644
+ if (!ctx->libctx)
+ return KRB5_CRYPTO_INTERNAL;
+
+ /*
+ * Load both legacy and default provider as both may be needed.
+ * If they fail keep going and an error will be raised when we try to
+ * fetch the cipher later.
+ */
+ /* Load both legacy and default provider as both may be needed. */
+ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
+
+ ctx->md = EVP_MD_fetch(ctx->libctx, algo, NULL);
+ if (!ctx->md)
+ if (!(ctx->default_provider && ctx->legacy_provider))
+ return KRB5_CRYPTO_INTERNAL;
+
+ return 0;
@ -200,19 +198,19 @@ index 1e0fb8fc3..4b8e1a6b2 100644
+static void
+deinit_ossl_ctx(ossl_md_context_t *ctx)
+{
+ if (ctx->md)
+ EVP_MD_free(ctx->md);
+
+ if (ctx->legacy_provider)
+ OSSL_PROVIDER_unload(ctx->legacy_provider);
+
+ if (ctx->default_provider)
+ OSSL_PROVIDER_unload(ctx->default_provider);
+
+ if (ctx->libctx)
+ OSSL_LIB_CTX_free(ctx->libctx);
+}
static krb5_error_code
hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
@@ -61,16 +104,53 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
@@ -61,16 +101,65 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
return ok ? 0 : KRB5_CRYPTO_INTERNAL;
}
@ -221,11 +219,14 @@ index 1e0fb8fc3..4b8e1a6b2 100644
+ krb5_data *output)
+{
+ krb5_error_code err;
+ EVP_MD *md = NULL;
+
+ if (!ossl_md_ctx) {
+ ossl_md_ctx = malloc(sizeof(ossl_md_context_t));
+ if (!ossl_md_ctx)
+ return ENOMEM;
+ if (!ossl_md_ctx) {
+ err = ENOMEM;
+ goto end;
+ }
+
+ err = init_ossl_md_ctx(ossl_md_ctx, algo);
+ if (err) {
@ -236,9 +237,18 @@ index 1e0fb8fc3..4b8e1a6b2 100644
+ }
+ }
+
+ err = hash_evp(ossl_md_ctx->md, data, num_data, output);
+ md = EVP_MD_fetch(ossl_md_ctx->libctx, algo, NULL);
+ if (!md) {
+ err = KRB5_CRYPTO_INTERNAL;
+ goto end;
+ }
+
+ err = hash_evp(md, data, num_data, output);
+
+end:
+ if (md)
+ EVP_MD_free(md);
+
+ return err;
+}
+
@ -684,3 +694,6 @@ index 88c964ce1..c7df0392f 100644
vt = (krb5_kdcpreauth_vtable)vtable;
vt->name = "spake";
vt->pa_type_list = pa_types;
--
2.35.1

View File

@ -0,0 +1,727 @@
From 20cbbd0b273af56c6d527c8e6b9d96eef49926f2 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 31 Mar 2022 18:24:39 +0200
Subject: [PATCH] Use newly enforced dejagnu path naming convention
Since version 1.6.3, dejagnu started to enforce a naming convention that
was already in place, but not mandatory: dejagnu test directories have
to be named "testsuite". If they don't implicit relative sub-paths
resolution (e.g. "lib", "config") is not forking.
This commit renames kadm5 library's unit tests and global tests
directories to match this requirement.
Resolves: rhbz#2053133
Signed-off-by: Julien Rische <jrische@redhat.com>
---
src/configure.ac | 4 +--
src/lib/kadm5/Makefile.in | 2 +-
.../{unit-test => testsuite}/Makefile.in | 28 +++++++++---------
.../api.2/crte-policy.exp | 0
.../api.2/get-policy.exp | 0
.../api.2/mod-policy.exp | 0
.../api.current/chpass-principal-v2.exp | 0
.../api.current/chpass-principal.exp | 0
.../api.current/crte-policy.exp | 0
.../api.current/crte-principal.exp | 0
.../api.current/destroy.exp | 0
.../api.current/dlte-policy.exp | 0
.../api.current/dlte-principal.exp | 0
.../api.current/get-policy.exp | 0
.../api.current/get-principal-v2.exp | 0
.../api.current/get-principal.exp | 0
.../api.current/init-v2.exp | 0
.../api.current/init.exp | 0
.../api.current/mod-policy.exp | 0
.../api.current/mod-principal-v2.exp | 0
.../api.current/mod-principal.exp | 0
.../api.current/randkey-principal-v2.exp | 0
.../api.current/randkey-principal.exp | 0
.../{unit-test => testsuite}/config/unix.exp | 0
src/lib/kadm5/{unit-test => testsuite}/deps | 0
.../{unit-test => testsuite}/destroy-test.c | 0
.../diff-files/destroy-1 | 0
.../diff-files/no-diffs | 0
.../{unit-test => testsuite}/handle-test.c | 0
.../{unit-test => testsuite}/init-test.c | 0
.../{unit-test => testsuite}/iter-test.c | 0
.../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +-
.../{unit-test => testsuite}/lock-test.c | 0
.../{unit-test => testsuite}/randkey-test.c | 0
.../{unit-test => testsuite}/setkey-test.c | 0
.../kadm5/{unit-test => testsuite}/site.exp | 0
src/tests/Makefile.in | 2 +-
src/tests/t_authdata.py | 2 +-
src/tests/t_certauth.py | 2 +-
src/tests/t_pkinit.py | 2 +-
src/tests/t_proxy.py | 12 ++++----
src/tests/{dejagnu => testsuite}/Makefile.in | 4 +--
.../{dejagnu => testsuite}/config/default.exp | 2 +-
src/tests/{dejagnu => testsuite}/deps | 0
.../krb-standalone/gssapi.exp | 2 +-
.../krb-standalone/kprop.exp | 0
.../krb-standalone/princexpire.exp | 0
.../krb-standalone/sample.exp | 2 +-
.../krb-standalone/simple.exp | 2 +-
.../krb-standalone/standalone.exp | 0
.../krb-standalone/tcp.exp | 0
.../pkinit-certs/ca.pem | 0
.../pkinit-certs/generic.p12 | Bin
.../pkinit-certs/generic.pem | 0
.../pkinit-certs/kdc.pem | 0
.../pkinit-certs/make-certs.sh | 0
.../pkinit-certs/privkey-enc.pem | 0
.../pkinit-certs/privkey.pem | 0
.../pkinit-certs/user-enc.p12 | Bin
.../pkinit-certs/user-upn.p12 | Bin
.../pkinit-certs/user-upn.pem | 0
.../pkinit-certs/user-upn2.p12 | Bin
.../pkinit-certs/user-upn2.pem | 0
.../pkinit-certs/user-upn3.p12 | Bin
.../pkinit-certs/user-upn3.pem | 0
.../pkinit-certs/user.p12 | Bin
.../pkinit-certs/user.pem | 0
.../{dejagnu => testsuite}/proxy-certs/ca.pem | 0
.../proxy-certs/make-certs.sh | 0
.../proxy-certs/proxy-badsig.pem | 0
.../proxy-certs/proxy-ideal.pem | 0
.../proxy-certs/proxy-no-match.pem | 0
.../proxy-certs/proxy-san.pem | 0
.../proxy-certs/proxy-subject.pem | 0
src/tests/{dejagnu => testsuite}/t_inetd.c | 2 +-
src/util/k5test.py | 2 +-
76 files changed, 36 insertions(+), 36 deletions(-)
rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
rename src/tests/{dejagnu => testsuite}/Makefile.in (92%)
rename src/tests/{dejagnu => testsuite}/config/default.exp (99%)
rename src/tests/{dejagnu => testsuite}/deps (100%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/gssapi.exp (98%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/kprop.exp (100%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/princexpire.exp (100%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/sample.exp (98%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/simple.exp (98%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/standalone.exp (100%)
rename src/tests/{dejagnu => testsuite}/krb-standalone/tcp.exp (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/ca.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/kdc.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/make-certs.sh (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey-enc.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-enc.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.pem (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.p12 (100%)
rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/ca.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/make-certs.sh (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-badsig.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-ideal.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-no-match.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-san.pem (100%)
rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-subject.pem (100%)
rename src/tests/{dejagnu => testsuite}/t_inetd.c (99%)
diff --git a/src/configure.ac b/src/configure.ac
index 20066918b..363d5d62d 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1500,7 +1500,7 @@ V5_AC_OUTPUT_MAKEFILE(.
lib/rpc lib/rpc/unit-test
- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
+ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
lib/krad
lib/apputils
@@ -1544,5 +1544,5 @@ V5_AC_OUTPUT_MAKEFILE(.
appl/gss-sample appl/user_user
tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi
- tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc
+ tests/testsuite tests/threads tests/shlib tests/gss-threads tests/misc
)
diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
index c4eaad38d..76fc4b548 100644
--- a/src/lib/kadm5/Makefile.in
+++ b/src/lib/kadm5/Makefile.in
@@ -1,6 +1,6 @@
mydir=lib$(S)kadm5
BUILDTOP=$(REL)..$(S)..
-SUBDIRS = clnt srv unit-test
+SUBDIRS = clnt srv testsuite
##DOSBUILDTOP = ..\..
diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
similarity index 86%
rename from src/lib/kadm5/unit-test/Makefile.in
rename to src/lib/kadm5/testsuite/Makefile.in
index 68fa097ff..5a55b786b 100644
--- a/src/lib/kadm5/unit-test/Makefile.in
+++ b/src/lib/kadm5/testsuite/Makefile.in
@@ -1,4 +1,4 @@
-mydir=lib$(S)kadm5$(S)unit-test
+mydir=lib$(S)kadm5$(S)testsuite
BUILDTOP=$(REL)..$(S)..$(S)..
KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
@@ -61,7 +61,7 @@ runenv.exp: Makefile
eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
#
-# The unit-test targets
+# The testsuite targets
#
check: check-@DO_TEST@
@@ -72,13 +72,13 @@ check-:
@echo "+++ Either tcl, runtest, or Perl is unavailable."
@echo "+++"
-check-ok unit-test: unit-test-client unit-test-server
+check-ok testsuite: testsuite-client testsuite-server
-unit-test-client: unit-test-client-setup unit-test-client-body \
- unit-test-client-cleanup
+testsuite-client: testsuite-client-setup testsuite-client-body \
+ testsuite-client-cleanup
-unit-test-server: unit-test-server-setup unit-test-server-body \
- unit-test-server-cleanup
+testsuite-server: testsuite-server-setup testsuite-server-body \
+ testsuite-server-cleanup
test-randkey: randkey-test
$(ENV_SETUP) $(VALGRIND) ./randkey-test
@@ -98,19 +98,19 @@ test-destroy: destroy-test
test-setkey-client: client-setkey-test
$(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
-unit-test-client-setup: runenv.sh
+testsuite-client-setup: runenv.sh
$(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
-unit-test-client-cleanup:
+testsuite-client-cleanup:
$(ENV_SETUP) $(STOP_SERVERS)
-unit-test-server-setup: runenv.sh
+testsuite-server-setup: runenv.sh
$(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
-unit-test-server-cleanup:
+testsuite-server-cleanup:
$(ENV_SETUP) $(STOP_SERVERS_LOCAL)
-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
+testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
test-setkey-client runenv.exp
$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
KINIT=$(BUILDTOP)/clients/kinit/kinit \
@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
-mv api.log capi.log
-mv api.sum capi.sum
-unit-test-server-body: site.exp test-handle-server lock-test
+testsuite-server-body: site.exp test-handle-server lock-test
$(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
LOCKTEST=./lock-test \
KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
@@ -140,4 +140,4 @@ clean:
$(RM) lock-test lock-test.o
$(RM) server-iter-test iter-test.o
$(RM) server-setkey-test client-setkey-test setkey-test.o
- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
+ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/destroy.exp
rename to src/lib/kadm5/testsuite/api.current/destroy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/init.exp
rename to src/lib/kadm5/testsuite/api.current/init.exp
diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/config/unix.exp
rename to src/lib/kadm5/testsuite/config/unix.exp
diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
similarity index 100%
rename from src/lib/kadm5/unit-test/deps
rename to src/lib/kadm5/testsuite/deps
diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/destroy-test.c
rename to src/lib/kadm5/testsuite/destroy-test.c
diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
similarity index 100%
rename from src/lib/kadm5/unit-test/diff-files/destroy-1
rename to src/lib/kadm5/testsuite/diff-files/destroy-1
diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
similarity index 100%
rename from src/lib/kadm5/unit-test/diff-files/no-diffs
rename to src/lib/kadm5/testsuite/diff-files/no-diffs
diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/handle-test.c
rename to src/lib/kadm5/testsuite/handle-test.c
diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/init-test.c
rename to src/lib/kadm5/testsuite/init-test.c
diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/iter-test.c
rename to src/lib/kadm5/testsuite/iter-test.c
diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
similarity index 99%
rename from src/lib/kadm5/unit-test/lib/lib.t
rename to src/lib/kadm5/testsuite/lib/lib.t
index 3444775cf..327946849 100644
--- a/src/lib/kadm5/unit-test/lib/lib.t
+++ b/src/lib/kadm5/testsuite/lib/lib.t
@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
global RPC
if { ! $RPC } {
-# set file $TOP/admin/lib/unit-test/diff-files/$name
+# set file $TOP/admin/lib/testsuite/diff-files/$name
# exec $env(SIMPLE_DUMP) > /tmp/dump.after
# exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
}
diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/lock-test.c
rename to src/lib/kadm5/testsuite/lock-test.c
diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/randkey-test.c
rename to src/lib/kadm5/testsuite/randkey-test.c
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
similarity index 100%
rename from src/lib/kadm5/unit-test/setkey-test.c
rename to src/lib/kadm5/testsuite/setkey-test.c
diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
similarity index 100%
rename from src/lib/kadm5/unit-test/site.exp
rename to src/lib/kadm5/testsuite/site.exp
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 20f27d748..1198dca0c 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,6 +1,6 @@
mydir=tests
BUILDTOP=$(REL)..
-SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \
+SUBDIRS = asn.1 create hammer verify gssapi testsuite shlib gss-threads misc \
threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 2e01f46bc..e5135f435 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -57,7 +57,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skipped('anonymous ticket authdata tests', 'PKINIT not built')
else:
# Set up a realm with PKINIT support and get anonymous tickets.
- certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
ca_pem = os.path.join(certs, 'ca.pem')
kdc_pem = os.path.join(certs, 'kdc.pem')
privkey_pem = os.path.join(certs, 'privkey.pem')
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
index 0fe0fdb4a..bfa5bfc96 100644
--- a/src/tests/t_certauth.py
+++ b/src/tests/t_certauth.py
@@ -4,7 +4,7 @@ from k5test import *
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skip_rest('certauth tests', 'PKINIT module not built')
-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
ca_pem = os.path.join(certs, 'ca.pem')
kdc_pem = os.path.join(certs, 'kdc.pem')
privkey_pem = os.path.join(certs, 'privkey.pem')
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index aee4da2b1..8763ce484 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -7,7 +7,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
# Construct a krb5.conf fragment configuring pkinit.
-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
ca_pem = os.path.join(certs, 'ca.pem')
kdc_pem = os.path.join(certs, 'kdc.pem')
user_pem = os.path.join(certs, 'user.pem')
diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py
index 3069eaa8f..6ae5c8c8e 100755
--- a/src/tests/t_proxy.py
+++ b/src/tests/t_proxy.py
@@ -10,17 +10,17 @@ except:
# Construct a krb5.conf fragment configuring the client to use a local proxy
# server.
-proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
+proxysubjectpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
'proxy-subject.pem')
-proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
+proxysanpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
'proxy-san.pem')
-proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
+proxyidealpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
'proxy-ideal.pem')
-proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
+proxywrongpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
'proxy-no-match.pem')
-proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
+proxybadpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
'proxy-badsig.pem')
-proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
+proxyca = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', 'ca.pem')
proxyurl = 'https://localhost:$port5/KdcProxy'
proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/testsuite/Makefile.in
similarity index 92%
rename from src/tests/dejagnu/Makefile.in
rename to src/tests/testsuite/Makefile.in
index e78e270ed..d3efe3606 100644
--- a/src/tests/dejagnu/Makefile.in
+++ b/src/tests/testsuite/Makefile.in
@@ -1,4 +1,4 @@
-mydir=tests$(S)dejagnu
+mydir=tests$(S)testsuite
BUILDTOP=$(REL)..$(S)..
RUNTEST = @RUNTEST@ $(DEJAFLAGS)
RUNTESTFLAGS =
@@ -13,7 +13,7 @@ check: check-runtest-@HAVE_RUNTEST@
check-runtest-no:
@echo "+++"
- @echo "+++ WARNING: tests/dejagnu tests not run."
+ @echo "+++ WARNING: tests/testsuite tests not run."
@echo "+++ runtest is unavailable."
@echo "+++"
@echo 'Skipped dejagnu tests: runtest not found' >> $(SKIPTESTS)
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/testsuite/config/default.exp
similarity index 99%
rename from src/tests/dejagnu/config/default.exp
rename to src/tests/testsuite/config/default.exp
index 302dee74c..1492fac32 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/testsuite/config/default.exp
@@ -256,7 +256,7 @@ verbose "Test realm is $REALMNAME"
# Find some programs we need. We use the binaries from the build tree
# if they exist. If they do not, then they must be in PATH. We
-# expect $objdir to be ...tests/dejagnu.
+# expect $objdir to be ...tests/testsuite.
foreach i {
{KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util}
diff --git a/src/tests/dejagnu/deps b/src/tests/testsuite/deps
similarity index 100%
rename from src/tests/dejagnu/deps
rename to src/tests/testsuite/deps
diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/testsuite/krb-standalone/gssapi.exp
similarity index 98%
rename from src/tests/dejagnu/krb-standalone/gssapi.exp
rename to src/tests/testsuite/krb-standalone/gssapi.exp
index e3357e769..d176e210c 100644
--- a/src/tests/dejagnu/krb-standalone/gssapi.exp
+++ b/src/tests/testsuite/krb-standalone/gssapi.exp
@@ -2,7 +2,7 @@
# This is a DejaGnu test script.
# This script tests that the GSS-API tester functions correctly.
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
+# This mostly just calls procedures in test/testsuite/config/default.exp.
if ![info exists KDESTROY] {
set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/testsuite/krb-standalone/kprop.exp
similarity index 100%
rename from src/tests/dejagnu/krb-standalone/kprop.exp
rename to src/tests/testsuite/krb-standalone/kprop.exp
diff --git a/src/tests/dejagnu/krb-standalone/princexpire.exp b/src/tests/testsuite/krb-standalone/princexpire.exp
similarity index 100%
rename from src/tests/dejagnu/krb-standalone/princexpire.exp
rename to src/tests/testsuite/krb-standalone/princexpire.exp
diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/testsuite/krb-standalone/sample.exp
similarity index 98%
rename from src/tests/dejagnu/krb-standalone/sample.exp
rename to src/tests/testsuite/krb-standalone/sample.exp
index 93a75f1d0..009de5ddb 100644
--- a/src/tests/dejagnu/krb-standalone/sample.exp
+++ b/src/tests/testsuite/krb-standalone/sample.exp
@@ -2,7 +2,7 @@
# This is a DejaGnu test script.
# This script tests that sample user-user communication works.
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
+# This mostly just calls procedures in test/testsuite/config/default.exp.
if ![info exists KLIST] {
set KLIST [findfile $objdir/../../clients/klist/klist]
diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/testsuite/krb-standalone/simple.exp
similarity index 98%
rename from src/tests/dejagnu/krb-standalone/simple.exp
rename to src/tests/testsuite/krb-standalone/simple.exp
index d8b218248..92b33066e 100644
--- a/src/tests/dejagnu/krb-standalone/simple.exp
+++ b/src/tests/testsuite/krb-standalone/simple.exp
@@ -2,7 +2,7 @@
# This is a DejaGnu test script.
# This script tests that krb-safe and krb-priv messages work.
-# This mostly just calls procedures in test/dejagnu/config/default.exp.
+# This mostly just calls procedures in test/testsuite/config/default.exp.
if ![info exists KLIST] {
set KLIST [findfile $objdir/../../clients/klist/klist]
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/testsuite/krb-standalone/standalone.exp
similarity index 100%
rename from src/tests/dejagnu/krb-standalone/standalone.exp
rename to src/tests/testsuite/krb-standalone/standalone.exp
diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/testsuite/krb-standalone/tcp.exp
similarity index 100%
rename from src/tests/dejagnu/krb-standalone/tcp.exp
rename to src/tests/testsuite/krb-standalone/tcp.exp
diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/testsuite/pkinit-certs/ca.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/ca.pem
rename to src/tests/testsuite/pkinit-certs/ca.pem
diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/testsuite/pkinit-certs/generic.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/generic.p12
rename to src/tests/testsuite/pkinit-certs/generic.p12
diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/testsuite/pkinit-certs/generic.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/generic.pem
rename to src/tests/testsuite/pkinit-certs/generic.pem
diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/testsuite/pkinit-certs/kdc.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/kdc.pem
rename to src/tests/testsuite/pkinit-certs/kdc.pem
diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/testsuite/pkinit-certs/make-certs.sh
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/make-certs.sh
rename to src/tests/testsuite/pkinit-certs/make-certs.sh
diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/testsuite/pkinit-certs/privkey-enc.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/privkey-enc.pem
rename to src/tests/testsuite/pkinit-certs/privkey-enc.pem
diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/testsuite/pkinit-certs/privkey.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/privkey.pem
rename to src/tests/testsuite/pkinit-certs/privkey.pem
diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/testsuite/pkinit-certs/user-enc.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-enc.p12
rename to src/tests/testsuite/pkinit-certs/user-enc.p12
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/testsuite/pkinit-certs/user-upn.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn.p12
rename to src/tests/testsuite/pkinit-certs/user-upn.p12
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/testsuite/pkinit-certs/user-upn.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn.pem
rename to src/tests/testsuite/pkinit-certs/user-upn.pem
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/testsuite/pkinit-certs/user-upn2.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn2.p12
rename to src/tests/testsuite/pkinit-certs/user-upn2.p12
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/testsuite/pkinit-certs/user-upn2.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn2.pem
rename to src/tests/testsuite/pkinit-certs/user-upn2.pem
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/testsuite/pkinit-certs/user-upn3.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn3.p12
rename to src/tests/testsuite/pkinit-certs/user-upn3.p12
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/testsuite/pkinit-certs/user-upn3.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user-upn3.pem
rename to src/tests/testsuite/pkinit-certs/user-upn3.pem
diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/testsuite/pkinit-certs/user.p12
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user.p12
rename to src/tests/testsuite/pkinit-certs/user.p12
diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/testsuite/pkinit-certs/user.pem
similarity index 100%
rename from src/tests/dejagnu/pkinit-certs/user.pem
rename to src/tests/testsuite/pkinit-certs/user.pem
diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/testsuite/proxy-certs/ca.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/ca.pem
rename to src/tests/testsuite/proxy-certs/ca.pem
diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/testsuite/proxy-certs/make-certs.sh
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/make-certs.sh
rename to src/tests/testsuite/proxy-certs/make-certs.sh
diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/testsuite/proxy-certs/proxy-badsig.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/proxy-badsig.pem
rename to src/tests/testsuite/proxy-certs/proxy-badsig.pem
diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/testsuite/proxy-certs/proxy-ideal.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/proxy-ideal.pem
rename to src/tests/testsuite/proxy-certs/proxy-ideal.pem
diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/testsuite/proxy-certs/proxy-no-match.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/proxy-no-match.pem
rename to src/tests/testsuite/proxy-certs/proxy-no-match.pem
diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/testsuite/proxy-certs/proxy-san.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/proxy-san.pem
rename to src/tests/testsuite/proxy-certs/proxy-san.pem
diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/testsuite/proxy-certs/proxy-subject.pem
similarity index 100%
rename from src/tests/dejagnu/proxy-certs/proxy-subject.pem
rename to src/tests/testsuite/proxy-certs/proxy-subject.pem
diff --git a/src/tests/dejagnu/t_inetd.c b/src/tests/testsuite/t_inetd.c
similarity index 99%
rename from src/tests/dejagnu/t_inetd.c
rename to src/tests/testsuite/t_inetd.c
index abcde50fa..2bad2cf65 100644
--- a/src/tests/dejagnu/t_inetd.c
+++ b/src/tests/testsuite/t_inetd.c
@@ -1,5 +1,5 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/dejagnu/t_inetd.c */
+/* tests/testsuite/t_inetd.c */
/*
* Copyright 1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 251d11a9d..908a1495c 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1383,7 +1383,7 @@ kswitch = os.path.join(buildtop, 'clients', 'kswitch', 'kswitch')
kvno = os.path.join(buildtop, 'clients', 'kvno', 'kvno')
kdestroy = os.path.join(buildtop, 'clients', 'kdestroy', 'kdestroy')
kpasswd = os.path.join(buildtop, 'clients', 'kpasswd', 'kpasswd')
-t_inetd = os.path.join(buildtop, 'tests', 'dejagnu', 't_inetd')
+t_inetd = os.path.join(buildtop, 'tests', 'testsuite', 't_inetd')
kproplog = os.path.join(buildtop, 'kprop', 'kproplog')
kpropd = os.path.join(buildtop, 'kprop', 'kpropd')
kprop = os.path.join(buildtop, 'kprop', 'kprop')
--
2.35.1

View File

@ -0,0 +1,69 @@
From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Nov 2021 17:48:50 +0100
Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
ticket: 9036 (new)
---
src/lib/krad/attrset.c | 2 +-
src/lib/krad/t_packet.c | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index d89982a13..6ec031e32 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
for (i = 0; i + 2 < in->length; ) {
type = in->data[i++];
- tmp = make_data(&in->data[i + 1], in->data[i] - 2);
+ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
i += tmp.length + 1;
retval = (in->length < i) ? EBADMSG : 0;
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
index 0a92e9cc2..c22489144 100644
--- a/src/lib/krad/t_packet.c
+++ b/src/lib/krad/t_packet.c
@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
krb5_error_code retval;
const krb5_data *data;
int i = 0;
+ krb5_data nas_id;
+
+ nas_id = string2data("12345678901234567890123456789012345678901234567890"
+ "12345678901234567890123456789012345678901234567890"
+ "12345678901234567890123456789012345678901234567890"
+ "12345678901234567890123456789012345678901234567890"
+ "12345678901234567890123456789012345678901234567890"
+ "123");
retval = krad_attrset_new(ctx, &set);
if (retval != 0)
@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
if (retval != 0)
goto out;
+ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
+ &nas_id);
+ if (retval != 0)
+ goto out;
+
retval = krad_packet_new_request(ctx, "foo",
krad_code_name2num("Access-Request"),
set, iterator, &i, &tmp);
--
2.35.3

View File

@ -0,0 +1,171 @@
From a8551b609fd50458ca3c06a9dd345b6cdf18689b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 9 Nov 2021 13:00:43 -0500
Subject: [PATCH 1/2] Avoid use after free during libkrad cleanup
libkrad client requests contain a list of references to remotes, with
no back-references or reference counts. To prevent accesses to
dangling references during cleanup, cancel all requests on all remotes
before freeing any remotes.
Remove the code for aging out unused servers. This code was fairly
safe as all requests referencing a remote should have completed or
timed out during an hour of disuse, but in the current design we have
no way to guarantee or check that. The set of addresses we send
RADIUS requests to will generally be small, so aging out servers is
unnecessary.
ticket: 9035 (new)
---
src/lib/krad/client.c | 42 ++++++++++++++---------------------------
src/lib/krad/internal.h | 4 ++++
src/lib/krad/remote.c | 11 ++++++++---
3 files changed, 26 insertions(+), 31 deletions(-)
diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
index 6365dd1c6..810940afc 100644
--- a/src/lib/krad/client.c
+++ b/src/lib/krad/client.c
@@ -64,7 +64,6 @@ struct request_st {
struct server_st {
krad_remote *serv;
- time_t last;
K5_LIST_ENTRY(server_st) list;
};
@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
krad_remote **out)
{
krb5_error_code retval;
- time_t currtime;
server *srv;
- if (time(&currtime) == (time_t)-1)
- return errno;
-
K5_LIST_FOREACH(srv, &rc->servers, list) {
if (kr_remote_equals(srv->serv, ai, secret)) {
- srv->last = currtime;
*out = srv->serv;
return 0;
}
@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
srv = calloc(1, sizeof(server));
if (srv == NULL)
return ENOMEM;
- srv->last = currtime;
retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
if (retval != 0) {
@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
return 0;
}
-/* Close remotes that haven't been used in a while. */
-static void
-age(struct server_head *head, time_t currtime)
-{
- server *srv, *tmp;
-
- K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
- if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
- K5_LIST_REMOVE(srv, list);
- kr_remote_free(srv->serv);
- free(srv);
- }
- }
-}
-
/* Handle a response from a server (or related errors). */
static void
on_response(krb5_error_code retval, const krad_packet *reqp,
const krad_packet *rspp, void *data)
{
request *req = data;
- time_t currtime;
size_t i;
/* Do nothing if we are already completed. */
@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
for (i = 0; req->remotes[i].remote != NULL; i++)
kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
- /* Age out servers that haven't been used in a while. */
- if (time(&currtime) != (time_t)-1)
- age(&req->rc->servers, currtime);
-
request_free(req);
}
@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
void
krad_client_free(krad_client *rc)
{
+ server *srv;
+
if (rc == NULL)
return;
- age(&rc->servers, -1);
+ /* Cancel all requests before freeing any remotes, since each request's
+ * callback data may contain references to multiple remotes. */
+ K5_LIST_FOREACH(srv, &rc->servers, list)
+ kr_remote_cancel_all(srv->serv);
+
+ while (!K5_LIST_EMPTY(&rc->servers)) {
+ srv = K5_LIST_FIRST(&rc->servers);
+ K5_LIST_REMOVE(srv, list);
+ kr_remote_free(srv->serv);
+ free(srv);
+ }
+
free(rc);
}
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
index 223ffd730..fa012db78 100644
--- a/src/lib/krad/internal.h
+++ b/src/lib/krad/internal.h
@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
void
kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
+/* Cancel all requests awaiting responses. */
+void
+kr_remote_cancel_all(krad_remote *rr);
+
/* Determine if this remote object refers to the remote resource identified
* by the addrinfo struct and the secret. */
krb5_boolean
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index c8912892c..01a5fd2a4 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -452,15 +452,20 @@ error:
return retval;
}
+void
+kr_remote_cancel_all(krad_remote *rr)
+{
+ while (!K5_TAILQ_EMPTY(&rr->list))
+ request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
+}
+
void
kr_remote_free(krad_remote *rr)
{
if (rr == NULL)
return;
- while (!K5_TAILQ_EMPTY(&rr->list))
- request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
-
+ kr_remote_cancel_all(rr);
free(rr->secret);
if (rr->info != NULL)
free(rr->info->ai_addr);
--
2.35.3

View File

@ -42,7 +42,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
Release: %{?zdpd}15%{?dist}
Release: %{?zdpd}22%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -91,6 +91,13 @@ Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch
Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
Patch34: krb5-krad-remote.patch
Patch35: krb5-krad-larger-attrs.patch
Patch36: Set-reasonable-supportedCMSTypes-in-PKINIT.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -250,7 +257,7 @@ popd
# builds going on the same host don't step on each other.
cfg="src/kadmin/testing/proto/kdc.conf.proto \
src/kadmin/testing/proto/krb5.conf.proto \
src/lib/kadm5/unit-test/api.current/init-v2.exp \
src/lib/kadm5/testsuite/api.current/init-v2.exp \
src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
@ -284,6 +291,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
CFLAGS="$CFLAGS" \
CPPFLAGS="$CPPFLAGS" \
SS_LIB="-lss" \
PKCS11_MODNAME="p11-kit-proxy.so" \
--enable-shared \
--runstatedir=/run \
--localstatedir=%{_var}/kerberos \
@ -647,6 +655,29 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri Jul 08 2022 Julien Rische <jrische@redhat.com> - 1.19.1-22
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
- Resolves: rhbz#2068935
* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
- Fix libkrad client cleanup
- Allow use of larger RADIUS attributes in krad library
- Resolves: rhbz#2100351
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
- Fix OpenSSL 3 MD5 encyption in FIPS mode
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
- Resolves: rhbz#2068458
* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
- Use p11-kit as default PKCS11 module
- Resolves: rhbz#2030981
* Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
- Try harder to avoid password change replay errors
- Resolves: rhbz#2075186
* Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest