rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

krb5 1.21.1-2

Browse Source 
- Fix memory leak in GSSAPI interface
  Resolves: RHEL-27251
- Fix memory leak in PMAP RPC interface
  Resolves: RHEL-27245
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
  Resolves: RHEL-27253
- Make TCP waiting time configurable
  Resolves: RHEL-17132

Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2024-03-12 11:06:11 +01:00
parent 19e63e55c9
commit b0d04d78e0
8 changed files with 11739 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10694
0016-Eliminate-old-style-function-declarations.patch Normal file
View File

File diff suppressed because it is too large Load Diff

34
0017-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch Normal file
View File

@ -0,0 +1,34 @@
From 347079e258e6ded99d8dda162cafaf133b982ab9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Oct 2023 00:44:53 -0400
Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
In sendto_kdc.c:service_fds(), if a message handler indicates that a
message should be discarded, kill the connection so we don't continue
waiting on it for more data.
ticket: 7899
(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
---
src/lib/krb5/os/sendto_kdc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 0f4bf23a95..262edf09b4 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
if (msg_handler != NULL) {
krb5_data reply = make_data(state->in.buf, state->in.pos);
- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
+ if (!msg_handler(context, &reply, msg_handler_data)) {
+ kill_conn(context, state, selstate);
+ stop = 0;
+ }
}
if (stop) {
--
2.44.0

226
0018-Add-request_timeout-configuration-parameter.patch Normal file
View File

@ -0,0 +1,226 @@
From d71ebaef4619d6281551793c297caed7a025a909 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 14:20:34 -0400
Subject: [PATCH] Add request_timeout configuration parameter
Add a parameter to limit the total amount of time taken for a KDC or
password change request.
ticket: 9106 (new)
(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be)
---
doc/admin/conf_files/krb5_conf.rst | 9 ++++++
src/include/k5-int.h | 2 ++
src/lib/krb5/krb/init_ctx.c | 14 +++++++-
src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++----------
4 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index a33711d918..65fb592d98 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations:
(:ref:`duration` string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
+**request_timeout**
+ (:ref:`duration` string.) Sets the maximum total time for KDC or
+ password change requests. This timeout does not affect the
+ intervals between requests, so setting a low timeout may result in
+ fewer requests being attempted and/or some servers not being
+ contacted. A value of 0 indicates no specific maximum, in which
+ case requests will time out if no server responds after several
+ tries. The default value is 0. (New in release 1.22.)
+
**spake_preauth_groups**
A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index b3e07945c1..69d6a6f569 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -296,6 +296,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
#define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups"
+#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout"
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
#define KRB5_CONF_UNLOCKITER "unlockiter"
@@ -1200,6 +1201,7 @@ struct _krb5_context {
kdb5_dal_handle *dal_handle;
/* allowable clock skew */
krb5_deltat clockskew;
+ krb5_deltat req_timeout;
krb5_flags kdc_default_options;
krb5_flags library_options;
krb5_boolean profile_secure;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 2b5abcd817..582a2945ff 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
krb5_context ctx = 0;
krb5_error_code retval;
int tmp;
- char *plugin_dir = NULL;
+ char *plugin_dir = NULL, *timeout_str = NULL;
/* Verify some assumptions. If the assumptions hold and the
compiler is optimizing, this should result in no code being
@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
ctx->clockskew = tmp;
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL,
+ &timeout_str);
+ if (retval)
+ goto cleanup;
+ if (timeout_str != NULL) {
+ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout);
+ if (retval)
+ goto cleanup;
+ }
+
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
&tmp);
ctx->kdc_default_options = tmp;
@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
cleanup:
profile_release_string(plugin_dir);
+ profile_release_string(timeout_str);
krb5_free_context(ctx);
return retval;
}
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 262edf09b4..98247a1089 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns)
static krb5_boolean
service_fds(krb5_context context, struct select_state *selstate,
- time_ms interval, struct conn_state *conns,
+ time_ms interval, time_ms timeout, struct conn_state *conns,
struct select_state *seltemp, const krb5_data *realm,
int (*msg_handler)(krb5_context, const krb5_data *, void *),
void *msg_handler_data, struct conn_state **winner_out)
{
int e, selret = 0;
- time_ms endtime;
+ time_ms curtime, interval_end, endtime;
struct conn_state *state;
*winner_out = NULL;
- e = get_curtime_ms(&endtime);
+ e = get_curtime_ms(&curtime);
if (e)
return TRUE;
- endtime += interval;
+ interval_end = curtime + interval;
e = 0;
while (selstate->nfds > 0) {
- e = cm_select_or_poll(selstate, get_endtime(endtime, conns),
- seltemp, &selret);
+ endtime = get_endtime(interval_end, conns);
+ /* Don't wait longer than the whole request should last. */
+ if (timeout && endtime > timeout)
+ endtime = timeout;
+ e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
if (e == EINTR)
continue;
if (e != 0)
break;
- if (selret == 0)
- /* Timeout, return to caller. */
+ if (selret == 0) {
+ /* We timed out. Stop if we hit the overall request timeout. */
+ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout))
+ return TRUE;
+ /* Otherwise return to the caller to send the next request. */
return FALSE;
+ }
/* Got something on a socket, process it. */
for (state = conns; state != NULL; state = state->next) {
@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message,
void *msg_handler_data)
{
int pass;
- time_ms delay;
+ time_ms delay, timeout = 0;
krb5_error_code retval;
struct conn_state *conns = NULL, *state, **tailptr, *next, *winner;
size_t s;
@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
*reply = empty_data();
+ if (context->req_timeout) {
+ retval = get_curtime_ms(&timeout);
+ if (retval)
+ return retval;
+ timeout += 1000 * context->req_timeout;
+ }
+
/* One for use here, listing all our fds in use, and one for
* temporary use in service_fds, for the fds of interest. */
sel_state = malloc(2 * sizeof(*sel_state));
@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, 1000, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
}
}
@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
+ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp,
realm, msg_handler, msg_handler_data, &winner);
}
/* Wait for two seconds at the end of the first pass. */
if (!done) {
- done = service_fds(context, sel_state, 2000, conns, seltemp,
+ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp,
realm, msg_handler, msg_handler_data, &winner);
}
@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message,
if (maybe_send(context, state, message, sel_state, realm,
callback_info))
continue;
- done = service_fds(context, sel_state, 1000, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, 1000, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
if (sel_state->nfds == 0)
break;
}
/* Wait for the delay backoff at the end of this pass. */
if (!done) {
- done = service_fds(context, sel_state, delay, conns, seltemp,
- realm, msg_handler, msg_handler_data, &winner);
+ done = service_fds(context, sel_state, delay, timeout, conns,
+ seltemp, realm, msg_handler, msg_handler_data,
+ &winner);
}
if (sel_state->nfds == 0)
break;
--
2.44.0

138
0019-Wait-indefinitely-on-KDC-TCP-connections.patch Normal file
View File

@ -0,0 +1,138 @@
From 0bf66d2018db92c95d3bab54a62f6a3265ceb158 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 16:26:42 -0400
Subject: [PATCH] Wait indefinitely on KDC TCP connections
When making a KDC or password change request, wait indefinitely
(limited only by request_timeout if set) once a KDC has accepted a TCP
connection.
ticket: 9105 (new)
(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36)
---
doc/admin/conf_files/krb5_conf.rst | 2 +-
src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++--------------
2 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 65fb592d98..b7284c47df 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations:
for initial ticket requests. The default value is 0.
**request_timeout**
- (:ref:`duration` string.) Sets the maximum total time for KDC or
+ (:ref:`duration` string.) Sets the maximum total time for KDC and
password change requests. This timeout does not affect the
intervals between requests, so setting a low timeout may result in
fewer requests being attempted and/or some servers not being
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 98247a1089..924f5b2d26 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -134,7 +134,6 @@ struct conn_state {
krb5_data callback_buffer;
size_t server_index;
struct conn_state *next;
- time_ms endtime;
krb5_boolean defer;
struct {
const char *uri_path;
@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
struct select_state *out, int *sret)
{
#ifndef USE_POLL
- struct timeval tv;
+ struct timeval tv, *tvp;
#endif
krb5_error_code retval;
time_ms curtime, interval;
- retval = get_curtime_ms(&curtime);
- if (retval != 0)
- return retval;
- interval = (curtime < endtime) ? endtime - curtime : 0;
+ if (endtime != 0) {
+ retval = get_curtime_ms(&curtime);
+ if (retval != 0)
+ return retval;
+ interval = (curtime < endtime) ? endtime - curtime : 0;
+ } else {
+ interval = -1;
+ }
/* We don't need a separate copy of the selstate for poll, but use one for
* consistency with how we use select. */
@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
#ifdef USE_POLL
*sret = poll(out->fds, out->nfds, interval);
#else
- tv.tv_sec = interval / 1000;
- tv.tv_usec = interval % 1000 * 1000;
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv);
+ if (interval != -1) {
+ tv.tv_sec = interval / 1000;
+ tv.tv_usec = interval % 1000 * 1000;
+ tvp = &tv;
+ } else {
+ tvp = NULL;
+ }
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp);
#endif
return (*sret < 0) ? SOCKET_ERRNO : 0;
@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
}
conn->state = WRITING;
-
- /* Record this connection's timeout for service_fds. */
- if (get_curtime_ms(&conn->endtime) == 0)
- conn->endtime += 10000;
-
return conn->service_write(context, realm, conn, selstate);
}
@@ -1378,19 +1381,18 @@ kill_conn:
return FALSE;
}
-/* Return the maximum of endtime and the endtime fields of all currently active
- * TCP connections. */
-static time_ms
-get_endtime(time_ms endtime, struct conn_state *conns)
+/* Return true if conns contains any states with connected TCP sockets. */
+static krb5_boolean
+any_tcp_connections(struct conn_state *conns)
{
struct conn_state *state;
for (state = conns; state != NULL; state = state->next) {
- if ((state->state == READING || state->state == WRITING) &&
- state->endtime > endtime)
- endtime = state->endtime;
+ if (state->addr.transport != UDP &&
+ (state->state == READING || state->state == WRITING))
+ return TRUE;
}
- return endtime;
+ return FALSE;
}
static krb5_boolean
@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate,
e = 0;
while (selstate->nfds > 0) {
- endtime = get_endtime(interval_end, conns);
+ endtime = any_tcp_connections(conns) ? 0 : interval_end;
/* Don't wait longer than the whole request should last. */
- if (timeout && endtime > timeout)
+ if (timeout && (!endtime || endtime > timeout))
endtime = timeout;
e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
if (e == EINTR)
--
2.44.0

381
0020-Avoid-strict-prototype-compiler-errors.patch Normal file
View File

@ -0,0 +1,381 @@
From 0cb2e6c09fee3863c16664bf180e773f662cd313 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steffen=20Kie=C3=9F?=
<steffen.kiess@cis.iti.uni-stuttgart.de>
Date: Tue, 13 Feb 2024 18:39:27 +0100
Subject: [PATCH] Avoid strict-prototype compiler errors
Commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 added the
-Werror=strict-prototypes parameter to the build process, but left
behind 28 function definitions using "()" instead of "(void)". Most
of these definitions could not cause compiler errors for various
reasons (such as an accompanying prototype), but a few could cause
errors in gcc depending on the build configuration.
For consistency and safety, add "(void)" to all 28 definitions.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 3ae9244cd021a75eba909d872a92c25db490714d)
---
src/clients/kcpytkt/kcpytkt.c | 2 +-
src/clients/kdeltkt/kdeltkt.c | 2 +-
src/clients/kinit/kinit.c | 4 ++--
src/clients/kinit/kinit_kdb.c | 2 +-
src/clients/klist/klist.c | 4 ++--
src/kadmin/cli/kadmin.c | 2 +-
src/kadmin/dbutil/kdb5_util.c | 4 ++--
src/kdc/main.c | 2 +-
src/kprop/kpropd.c | 4 ++--
src/lib/crypto/builtin/enc_provider/aes.c | 2 +-
src/lib/crypto/openssl/hmac.c | 2 +-
src/lib/krb5/ccache/t_memory.c | 4 ++--
src/lib/krb5/ccache/t_stdio.c | 4 ++--
src/plugins/kdb/db2/libdb2/btree/bt_debug.c | 2 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 4 ++--
src/plugins/kdb/db2/libdb2/hash/dbm.c | 2 +-
src/plugins/kdb/db2/libdb2/test/btree.tests/main.c | 2 +-
src/plugins/kdb/db2/libdb2/test/dbtest.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +-
src/plugins/tls/k5tls/openssl.c | 2 +-
src/tests/asn.1/make-vectors.c | 2 +-
21 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c
index 0b8802261e..f1d50e5de0 100644
--- a/src/clients/kcpytkt/kcpytkt.c
+++ b/src/clients/kcpytkt/kcpytkt.c
@@ -10,7 +10,7 @@ static char *prog;
static int quiet = 0;
static void
-xusage()
+xusage(void)
{
fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] "
"dest_ccache service1 service2 ...\n", prog);
diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c
index cd0bf637db..66a32a8bd3 100644
--- a/src/clients/kdeltkt/kdeltkt.c
+++ b/src/clients/kdeltkt/kdeltkt.c
@@ -10,7 +10,7 @@ static char *prog;
static int quiet = 0;
static void
-xusage()
+xusage(void)
{
fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 "
"service2 ...\n", prog);
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 7a33ffae59..b27b723f2d 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -55,7 +55,7 @@ get_name_from_os(void)
#else /* HAVE_PWD_H */
#ifdef _WIN32
static char *
-get_name_from_os()
+get_name_from_os(void)
{
static char name[1024];
DWORD name_size = sizeof(name);
@@ -69,7 +69,7 @@ get_name_from_os()
}
#else /* _WIN32 */
static char *
-get_name_from_os()
+get_name_from_os(void)
{
return NULL;
}
diff --git a/src/clients/kinit/kinit_kdb.c b/src/clients/kinit/kinit_kdb.c
index fbd174bf0c..4e7cd50169 100644
--- a/src/clients/kinit/kinit_kdb.c
+++ b/src/clients/kinit/kinit_kdb.c
@@ -69,7 +69,7 @@ kinit_kdb_init(krb5_context *pcontext, char *realm)
}
void
-kinit_kdb_fini()
+kinit_kdb_fini(void)
{
kadm5_destroy(server_handle);
}
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index c797b1698f..27cf0ee11b 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -359,7 +359,7 @@ do_keytab(const char *name)
}
static void
-list_all_ccaches()
+list_all_ccaches(void)
{
krb5_error_code ret;
krb5_ccache cache;
@@ -451,7 +451,7 @@ show_all_ccaches(void)
}
static void
-do_ccache()
+do_ccache(void)
{
krb5_error_code ret;
krb5_ccache cache;
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 23b64b0f58..c1256f7708 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -607,7 +607,7 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
}
int
-quit()
+quit(void)
{
kadm5_ret_t retval;
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 55d529fa4c..b9b61e3f91 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -367,7 +367,7 @@ main(int argc, char *argv[])
* program is run).
*/
static int
-open_db_and_mkey()
+open_db_and_mkey(void)
{
krb5_error_code retval;
krb5_data scratch, pwd, seed;
@@ -489,7 +489,7 @@ open_db_and_mkey()
#endif
int
-quit()
+quit(void)
{
krb5_error_code retval;
static krb5_boolean finished = 0;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index b43fe9a082..2dfad5673f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -854,7 +854,7 @@ write_pid_file(const char *path)
}
static void
-finish_realms()
+finish_realms(void)
{
int i;
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index f883ae2df8..fbb8e37ae9 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -376,7 +376,7 @@ get_wildcard_addr(struct addrinfo **res)
}
static void
-do_standalone()
+do_standalone(void)
{
struct sockaddr_in frominet;
struct addrinfo *res;
@@ -639,7 +639,7 @@ full_resync(CLIENT *clnt)
* Returns non-zero on failure due to errors.
*/
krb5_error_code
-do_iprop()
+do_iprop(void)
{
kadm5_ret_t retval;
krb5_principal iprop_svc_principal = NULL;
diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c
index 7fa9449797..39e2a84005 100644
--- a/src/lib/crypto/builtin/enc_provider/aes.c
+++ b/src/lib/crypto/builtin/enc_provider/aes.c
@@ -69,7 +69,7 @@ void k5_iEnc256_CBC(struct aes_data *data);
void k5_iDec256_CBC(struct aes_data *data);
static krb5_boolean
-aesni_supported_by_cpu()
+aesni_supported_by_cpu(void)
{
unsigned int a, b, c, d;
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index 25a419d73a..32dec3022e 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -71,7 +71,7 @@
#define HMAC_CTX_new compat_hmac_ctx_new
static HMAC_CTX *
-compat_hmac_ctx_new()
+compat_hmac_ctx_new(void)
{
HMAC_CTX *ctx;
diff --git a/src/lib/krb5/ccache/t_memory.c b/src/lib/krb5/ccache/t_memory.c
index 6d103a00d1..0f94e823cb 100644
--- a/src/lib/krb5/ccache/t_memory.c
+++ b/src/lib/krb5/ccache/t_memory.c
@@ -85,7 +85,7 @@ krb5_creds test_creds = {
};
void
-init_test_cred()
+init_test_cred(void)
{
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
test_creds.client[0] = &client1;
@@ -104,7 +104,7 @@ init_test_cred()
};
void
-mcc_test()
+mcc_test(void)
{
krb5_ccache id;
krb5_creds creds;
diff --git a/src/lib/krb5/ccache/t_stdio.c b/src/lib/krb5/ccache/t_stdio.c
index 15185e301c..06a9c2dea1 100644
--- a/src/lib/krb5/ccache/t_stdio.c
+++ b/src/lib/krb5/ccache/t_stdio.c
@@ -98,7 +98,7 @@ krb5_creds test_creds = {
};
void
-init_test_cred()
+init_test_cred(void)
{
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
test_creds.client[0] = &client1;
@@ -118,7 +118,7 @@ init_test_cred()
int flags = 0;
void
-scc_test()
+scc_test(void)
{
krb5_ccache id;
krb5_creds creds;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
index bc71076a35..5a955e09be 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
@@ -56,7 +56,7 @@ static FILE *tracefp;
* initialize debugging.
*/
static void
-__bt_dinit()
+__bt_dinit(void)
{
static int first = 1;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index a2910422eb..ef7515c3d4 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -391,7 +391,7 @@ nroot(BTREE *t)
}
static int
-tmp()
+tmp(void)
{
#ifdef SIG_BLOCK
sigset_t set, oset;
@@ -438,7 +438,7 @@ tmp()
}
static int
-byteorder()
+byteorder(void)
{
u_int32_t x;
u_char *p;
diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c
index 2dca256dc3..e643634433 100644
--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c
+++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c
@@ -143,7 +143,7 @@ kdb2_store(datum key, datum dat)
}
static void
-no_open_db()
+no_open_db(void)
{
(void)fprintf(stderr, "dbm: no open database.\n");
}
diff --git a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
index 088f903231..eec843d4db 100644
--- a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
+++ b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
@@ -908,7 +908,7 @@ keydata(key, data)
}
void
-usage()
+usage(void)
{
(void)fprintf(stderr,
"usage: %s [-bdluw] [-c cache] [-i file] [-p page] [file]\n",
diff --git a/src/plugins/kdb/db2/libdb2/test/dbtest.c b/src/plugins/kdb/db2/libdb2/test/dbtest.c
index 04bf34b90d..a2866b4412 100644
--- a/src/plugins/kdb/db2/libdb2/test/dbtest.c
+++ b/src/plugins/kdb/db2/libdb2/test/dbtest.c
@@ -792,7 +792,7 @@ xmalloc(char *text, size_t len)
}
void
-usage()
+usage(void)
{
(void)fprintf(stderr,
"usage: dbtest [-l] [-f file] [-i info] [-o file] type script\n");
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6d96499d77..af3fa9ee8b 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3090,7 +3090,7 @@ cleanup:
}
int
-pkinit_openssl_init()
+pkinit_openssl_init(void)
{
/* Initialize OpenSSL. */
ERR_load_crypto_strings();
diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c
index 99fda7ffcd..aab67c01cb 100644
--- a/src/plugins/tls/k5tls/openssl.c
+++ b/src/plugins/tls/k5tls/openssl.c
@@ -49,7 +49,7 @@ static int ex_handle_id = -1;
MAKE_INIT_FUNCTION(init_openssl);
int
-init_openssl()
+init_openssl(void)
{
SSL_library_init();
SSL_load_error_strings();
diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c
index 2fc85466bb..6f2b7dd021 100644
--- a/src/tests/asn.1/make-vectors.c
+++ b/src/tests/asn.1/make-vectors.c
@@ -224,7 +224,7 @@ printbuf(void)
}
int
-main()
+main(void)
{
/* Initialize values which can't use static initializers. */
asn_long2INTEGER(&otp_format, 2); /* Alphanumeric */
--
2.44.0

42
0021-Fix-leak-in-KDC-NDR-encoding.patch Normal file
View File

@ -0,0 +1,42 @@
From f54763bc90df9c76c69ee9a837cf856bcf93e633 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 17:38:49 -0500
Subject: [PATCH] Fix leak in KDC NDR encoding
If the KDC tries to encode a principal containing encode invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing. Fix
the leak.
ticket: 9115 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
---
src/kdc/ndr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
index 48395abe52..d438408ee2 100644
--- a/src/kdc/ndr.c
+++ b/src/kdc/ndr.c
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
size_t utf16len, num_wchars;
uint8_t *utf16;
- k5_buf_init_dynamic(&b);
-
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
if (ret)
return ret;
num_wchars = utf16len / 2;
+ k5_buf_init_dynamic(&b);
k5_buf_add_uint32_le(&b, num_wchars + 1);
k5_buf_add_uint32_le(&b, 0);
k5_buf_add_uint32_le(&b, num_wchars);
--
2.44.0

206
0022-Fix-two-unlikely-memory-leaks.patch Normal file
View File

@ -0,0 +1,206 @@
From d230c72573430803c569817a71b79be8656fa6c5 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH] Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
---
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
src/lib/rpc/pmap_rmt.c | 10 +++---
2 files changed, 29 insertions(+), 37 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 3b4f8cb837..e881eee835 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
- unsigned char *outbuf = 0;
+ unsigned char *outbuf = NULL;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
size_t ec;
unsigned short tok_id;
- krb5_checksum sum;
+ krb5_checksum sum = { 0 };
krb5_key key;
krb5_cksumtype cksumtype;
+ krb5_data plain = empty_data();
+
+ token->value = NULL;
+ token->length = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t encrypt_size;
/* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
+ if (SIZE_MAX - 300 < message->length) {
+ err = ENOMEM;
+ goto cleanup;
+ }
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
err = alloc_data(&plain, message->length + 16 + ec);
if (err)
- return err;
+ goto cleanup;
/* Get size of ciphertext. */
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
if (encrypt_size > SIZE_MAX / 2) {
err = ENOMEM;
- goto error;
+ goto cleanup;
}
bufsize = 16 + encrypt_size;
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
+ err = ENOMEM;
+ goto cleanup;
}
/* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err)
- goto error;
+ goto cleanup;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
wrap_with_checksum:
err = alloc_data(&plain, message->length + 16);
if (err)
- return err;
+ goto cleanup;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
- goto error;
+ goto cleanup;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
err = ENOMEM;
- goto error;
+ goto cleanup;
}
/* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = cksumsize;
-
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- goto error;
+ goto cleanup;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
token->value = outbuf;
token->length = bufsize;
- return 0;
+ outbuf = NULL;
+ err = 0;
-error:
+cleanup:
+ krb5_free_checksum_contents(context, &sum);
+ zapfree(plain.data, plain.length);
gssalloc_free(outbuf);
- token->value = NULL;
- token->length = 0;
return err;
}
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 434e4eea65..f55ca46c60 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -161,12 +161,12 @@ xdr_rmtcallres(
caddr_t port_ptr;
port_ptr = (caddr_t)(void *)crp->port_ptr;
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
- (xdrproc_t)xdr_u_int32) &&
- xdr_u_int32(xdrs, &crp->resultslen)) {
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+ (xdrproc_t)xdr_u_int32))
+ return (FALSE);
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (xdr_u_int32(xdrs, &crp->resultslen))
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
- }
return (FALSE);
}
--
2.44.0

19
krb5.spec
View File

@ -34,7 +34,7 @@
#
# baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle.
%global baserelease 1
%global baserelease 2
# This should be e.g. beta1 or %%nil
%global pre_release %nil
@ -98,6 +98,13 @@ Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
Patch0015: 0015-Fix-double-free-in-KDC-TGS-processing.patch
Patch0016: 0016-Eliminate-old-style-function-declarations.patch
Patch0017: 0017-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
Patch0018: 0018-Add-request_timeout-configuration-parameter.patch
Patch0019: 0019-Wait-indefinitely-on-KDC-TCP-connections.patch
Patch0020: 0020-Avoid-strict-prototype-compiler-errors.patch
Patch0021: 0021-Fix-leak-in-KDC-NDR-encoding.patch
Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -662,6 +669,16 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Mar 20 2024 Julien Rische <jrische@redhat.com> - 1.21.1-2
- Fix memory leak in GSSAPI interface
Resolves: RHEL-27251
- Fix memory leak in PMAP RPC interface
Resolves: RHEL-27245
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-27253
- Make TCP waiting time configurable
Resolves: RHEL-17132
* Tue Aug 08 2023 Julien Rische <jrische@redhat.com> - 1.21.1-1
- New upstream version (1.21.1)
- Fix double-free in KDC TGS processing (CVE-2023-39975)