From c4016b4e4cb2510246b6bbe186acd5784592e9ff Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 26 Jul 2021 14:49:39 -0400 Subject: [PATCH] New upstream version (1.19.2) --- Add-APIs-for-marshalling-credentials.patch | 2 +- ...P_GET_CRED_LIST-for-faster-iteration.patch | 2 +- ...canonicalization-helper-to-k5test.py.patch | 2 +- ...ith-keytab-to-defer-canonicalization.patch | 2 +- ...context-after-failed-open-in-libkdb5.patch | 2 +- ...up-gssapi_krb5-ccache-name-functions.patch | 2 +- ...CM-flag-transmission-for-remove_cred.patch | 2 +- Fix-KCM-retrieval-support-for-sssd.patch | 2 +- ...ull-deref-on-bad-encrypted-challenge.patch | 113 ------------- ...efcred-leak-in-krb5-gss_inquire_cred.patch | 85 ---------- Fix-doc-build-for-Sphinx-4.0.patch | 152 ------------------ Fix-k5tls-module-for-OpenSSL-3.patch | 2 +- ...in-k-with-fallback-or-referral-realm.patch | 2 +- ...aks-on-error-in-kadm5-init-functions.patch | 2 +- ...pkcs11-build-issues-with-openssl-3.0.patch | 2 +- ...incipal-realm-canonicalization-cases.patch | 2 +- ...ter-free-during-krad-remote_shutdown.patch | 38 ----- ...teration-fallback-work-with-sssd-kcm.patch | 2 +- ...dejagnu-kadmin-tests-to-Python-tests.patch | 4 +- ...ecated-OpenSSL-calls-from-softpkcs11.patch | 2 +- Support-host-based-GSS-initiator-names.patch | 2 +- Use-KCM_OP_RETRIEVE-in-KCM-client.patch | 2 +- Use-asan-in-one-of-the-CI-builds.patch | 2 +- ...king-in-MEMORY-krb5_cc_get_principal.patch | 47 ------ ...am-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 4 +- downstream-Remove-3des-support.patch | 10 +- downstream-SELinux-integration.patch | 2 +- ...ackported-version-of-OpenSSL-3-KDF-i.patch | 2 +- downstream-fix-debuginfo-with-y.tab.c.patch | 2 +- downstream-ksu-pam-integration.patch | 2 +- downstream-netlib-and-dns.patch | 2 +- krb5.spec | 12 +- 32 files changed, 37 insertions(+), 474 deletions(-) delete mode 100644 Fix-KDC-null-deref-on-bad-encrypted-challenge.patch delete mode 100644 Fix-defcred-leak-in-krb5-gss_inquire_cred.patch delete mode 100644 Fix-doc-build-for-Sphinx-4.0.patch delete mode 100644 Fix-use-after-free-during-krad-remote_shutdown.patch delete mode 100644 Using-locking-in-MEMORY-krb5_cc_get_principal.patch diff --git a/Add-APIs-for-marshalling-credentials.patch b/Add-APIs-for-marshalling-credentials.patch index da613e9..8578721 100644 --- a/Add-APIs-for-marshalling-credentials.patch +++ b/Add-APIs-for-marshalling-credentials.patch @@ -1,4 +1,4 @@ -From c1fe1c8fa3df7f50c7e28d52263d0d24afb4b3a1 Mon Sep 17 00:00:00 2001 +From 3a99832252755cf7e5fef2bd824459cea3eb823e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 14 Jan 2021 18:13:09 -0500 Subject: [PATCH] Add APIs for marshalling credentials diff --git a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch index 060b039..455e3e0 100644 --- a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch +++ b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch @@ -1,4 +1,4 @@ -From a0ee8b02e56c65e5dcd569caed0e151cef004ef4 Mon Sep 17 00:00:00 2001 +From 8772d8f47b7460a0eef48366881483fd9b3acfd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 11 Feb 2021 15:33:10 +0100 Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration diff --git a/Add-hostname-canonicalization-helper-to-k5test.py.patch b/Add-hostname-canonicalization-helper-to-k5test.py.patch index 75c3e87..58179a2 100644 --- a/Add-hostname-canonicalization-helper-to-k5test.py.patch +++ b/Add-hostname-canonicalization-helper-to-k5test.py.patch @@ -1,4 +1,4 @@ -From 3e78bc5d48513fe38f3bc4228b12abcdc0733ee2 Mon Sep 17 00:00:00 2001 +From e88f0319427cee7245fb05c97a25473297c9d2d6 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 15 Jan 2021 14:43:34 -0500 Subject: [PATCH] Add hostname canonicalization helper to k5test.py diff --git a/Allow-kinit-with-keytab-to-defer-canonicalization.patch b/Allow-kinit-with-keytab-to-defer-canonicalization.patch index 9315f66..eee7d1d 100644 --- a/Allow-kinit-with-keytab-to-defer-canonicalization.patch +++ b/Allow-kinit-with-keytab-to-defer-canonicalization.patch @@ -1,4 +1,4 @@ -From 090c7319652466339e3e6482bdd1b5a294638dff Mon Sep 17 00:00:00 2001 +From fb4d9fa851b1d0d3375556d1cdc1fce72176df1e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 3 Jun 2021 16:03:07 -0400 Subject: [PATCH] Allow kinit with keytab to defer canonicalization diff --git a/Clean-up-context-after-failed-open-in-libkdb5.patch b/Clean-up-context-after-failed-open-in-libkdb5.patch index a892a14..fca6a71 100644 --- a/Clean-up-context-after-failed-open-in-libkdb5.patch +++ b/Clean-up-context-after-failed-open-in-libkdb5.patch @@ -1,4 +1,4 @@ -From 78c03a9b5ef3e3f894bea11c89e575b9bb4d1b0f Mon Sep 17 00:00:00 2001 +From 95547c12b39e62df55cef05cae890302834b7f98 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 23 Jun 2021 16:57:39 -0400 Subject: [PATCH] Clean up context after failed open in libkdb5 diff --git a/Clean-up-gssapi_krb5-ccache-name-functions.patch b/Clean-up-gssapi_krb5-ccache-name-functions.patch index 32f3fc4..207f186 100644 --- a/Clean-up-gssapi_krb5-ccache-name-functions.patch +++ b/Clean-up-gssapi_krb5-ccache-name-functions.patch @@ -1,4 +1,4 @@ -From 8285f21d40e30477436128ae2c28403cd5575074 Mon Sep 17 00:00:00 2001 +From 5e5ea8e8345c8b2f3254b0d346b8e0de0df3a696 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 26 May 2021 18:22:10 -0400 Subject: [PATCH] Clean up gssapi_krb5 ccache name functions diff --git a/Fix-KCM-flag-transmission-for-remove_cred.patch b/Fix-KCM-flag-transmission-for-remove_cred.patch index 951be10..77c383e 100644 --- a/Fix-KCM-flag-transmission-for-remove_cred.patch +++ b/Fix-KCM-flag-transmission-for-remove_cred.patch @@ -1,4 +1,4 @@ -From 04f0de4420508161ce439f262f2761ff51a07ab0 Mon Sep 17 00:00:00 2001 +From 1528c264d0e1eebff34132c01f4f770f01f1d1c2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 29 Mar 2021 14:32:56 -0400 Subject: [PATCH] Fix KCM flag transmission for remove_cred diff --git a/Fix-KCM-retrieval-support-for-sssd.patch b/Fix-KCM-retrieval-support-for-sssd.patch index 5fb7c2b..9c09507 100644 --- a/Fix-KCM-retrieval-support-for-sssd.patch +++ b/Fix-KCM-retrieval-support-for-sssd.patch @@ -1,4 +1,4 @@ -From a5b2cff51808cd86fe8195e7ac074ecd25c3344d Mon Sep 17 00:00:00 2001 +From 43be8fba5301d08fc4d5ddef14f8ae3d9655b0ba Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 11 May 2021 14:04:07 -0400 Subject: [PATCH] Fix KCM retrieval support for sssd diff --git a/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch b/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch deleted file mode 100644 index 4a7c7ae..0000000 --- a/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 791211b00a53b394376d096c881b725ee739a936 Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Wed, 7 Jul 2021 11:47:44 +1200 -Subject: [PATCH] Fix KDC null deref on bad encrypted challenge - -The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check -to avoid further processing if the armor key is NULL. However, this -check is bypassed by a call to k5memdup0() which overwrites retval -with 0 if the allocation succeeds. If the armor key is NULL, a call -to krb5_c_fx_cf2_simple() will then dereference it, resulting in a -crash. Add a check before the k5memdup0() call to avoid overwriting -retval. - -CVE-2021-36222: - -In MIT krb5 releases 1.16 and later, an unauthenticated attacker can -cause a null dereference in the KDC by sending a request containing a -PA-ENCRYPTED-CHALLENGE padata element without using FAST. - -[ghudson@mit.edu: trimmed patch; added test case; edited commit -message] - -ticket: 9007 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562) ---- - src/kdc/kdc_preauth_ec.c | 3 ++- - src/tests/Makefile.in | 1 + - src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ - 3 files changed, 49 insertions(+), 1 deletion(-) - create mode 100644 src/tests/t_cve-2021-36222.py - -diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c -index 7e636b3f9..43a9902cc 100644 ---- a/src/kdc/kdc_preauth_ec.c -+++ b/src/kdc/kdc_preauth_ec.c -@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, - } - - /* Check for a configured FAST ec auth indicator. */ -- realmstr = k5memdup0(realm.data, realm.length, &retval); -+ if (retval == 0) -+ realmstr = k5memdup0(realm.data, realm.length, &retval); - if (realmstr != NULL) - retval = profile_get_string(context->profile, KRB5_CONF_REALMS, - realmstr, -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index ab416cc5f..20f27d748 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self - $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) - $(RM) au.log - $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ -diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py -new file mode 100644 -index 000000000..57e04993b ---- /dev/null -+++ b/src/tests/t_cve-2021-36222.py -@@ -0,0 +1,46 @@ -+import socket -+from k5test import * -+ -+realm = K5Realm() -+ -+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth -+# without FAST -+ -+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) -+a = (hostname, realm.portbase) -+ -+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE -+ 'A103' '0201' '05' # [1] pvno = 5 -+ 'A203' '0201' '0A' # [2] msg-type = 10 -+ 'A30E' '300C' # [3] padata = SEQUENCE OF -+ '300A' # SEQUENCE -+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE -+ 'A202' '0400' # [2] padata-value = "" -+ 'A48180' '307E' # [4] req-body = SEQUENCE -+ 'A007' '0305' '0000000000' # [0] kdc-options = 0 -+ 'A120' '301E' # [1] cname = SEQUENCE -+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL -+ 'A117' '3015' # [1] name-string = SEQUENCE-OF -+ '1B06' '6B7262746774' # krbtgt -+ '1B0B' '4B5242544553542E434F4D' -+ # KRBTEST.COM -+ 'A20D' '1B0B' '4B5242544553542E434F4D' -+ # [2] realm = KRBTEST.COM -+ 'A320' '301E' # [3] sname = SEQUENCE -+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL -+ 'A117' '3015' # [1] name-string = SEQUENCE-OF -+ '1B06' '6B7262746774' # krbtgt -+ '1B0B' '4B5242544553542E434F4D' -+ # KRBTEST.COM -+ 'A511' '180F' '31393934303631303036303331375A' -+ # [5] till = 19940610060317Z -+ 'A703' '0201' '00' # [7] nonce = 0 -+ 'A808' '3006' # [8] etype = SEQUENCE OF -+ '020112' '020111') # aes256-cts aes128-cts -+ -+s.sendto(bytes.fromhex(m), a) -+ -+# Make sure kinit still works. -+realm.kinit(realm.user_princ, password('user')) -+ -+success('CVE-2021-36222 regression test') diff --git a/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch b/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch deleted file mode 100644 index 9b11bc7..0000000 --- a/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 7e6cdffd47559be61a8c26c4ed3c500c536d5368 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 16 Jul 2021 13:39:39 -0400 -Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory -management of krb5_gss_inquire_cred(), introducing defcred to act as -an owner pointer when the function must acquire a default credential. -The commit neglected to update the code to release the default cred -along the successful path. The old code does not trigger because -cred_handle is now reassigned, so the default credential is leaked. - -Unify the success and failure cleanup for this function so that -defcred is properly released on success. - -Reported by Pavel Březina. - -ticket: 9016 -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -(cherry picked from commit 593e16448e1af23eef74689afe06a7bcc86e79c7) ---- - src/lib/gssapi/krb5/inq_cred.c | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c -index a8f254110..bb63b726c 100644 ---- a/src/lib/gssapi/krb5/inq_cred.c -+++ b/src/lib/gssapi/krb5/inq_cred.c -@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - ret = GSS_S_FAILURE; -- goto fail; -+ goto cleanup; - } - - if (cred->expire != 0) { -@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - *minor_status = code; - save_error_info(*minor_status, context); - ret = GSS_S_FAILURE; -- goto fail; -+ goto cleanup; - } - } - -@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - if (ret_name) - kg_release_name(context, &ret_name); - /* *minor_status set above */ -- goto fail; -+ goto cleanup; - } - } - -@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - - if (cred_usage) - *cred_usage = cred->usage; -- k5_mutex_unlock(&cred->lock); - - if (mechanisms) { - *mechanisms = mechs; - mechs = GSS_C_NO_OID_SET; - } - -- if (cred_handle == GSS_C_NO_CREDENTIAL) -- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); -- -- krb5_free_context(context); - *minor_status = 0; -- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE); --fail: -+ ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE; -+ -+cleanup: - k5_mutex_unlock(&cred->lock); - krb5_gss_release_cred(&tmpmin, &defcred); - krb5_free_context(context); diff --git a/Fix-doc-build-for-Sphinx-4.0.patch b/Fix-doc-build-for-Sphinx-4.0.patch deleted file mode 100644 index ae3972c..0000000 --- a/Fix-doc-build-for-Sphinx-4.0.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 0bf023bdbb8335f48a6a4dcf8bd5dac9c2cd7fb6 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 26 May 2021 15:08:28 -0400 -Subject: [PATCH] Fix doc build for Sphinx 4.0 - -Use app.add_css_file() to register krb5.css if possible (it was added -in Sphinx 1.8), since the old name app.add_stylesheet() was removed in -Sphinx 4.0. - -Use the highlight directive instead of the highlightlang directive, -which was removed in Sphinx 4.0. - -Remove two duplicate table of contents entries to fix warnings. - -In the Github Actions configuration, add a second doc build using the -newest version of Sphinx. - -ticket: 9006 -tags: pullup -target_version: 1.19-next - -(cherry picked from commit 3fa40a32e22cb9de91fa1d18deddcba446515855) ---- - .github/workflows/doc.yml | 16 +++++++++++++++- - doc/appdev/refs/macros/index.rst | 1 - - doc/appdev/refs/types/index.rst | 1 - - doc/appdev/refs/types/krb5_int32.rst | 2 +- - doc/appdev/refs/types/krb5_ui_4.rst | 2 +- - doc/conf.py | 9 ++++++++- - doc/tools/define_document.tmpl | 2 +- - doc/tools/type_document.tmpl | 2 +- - 8 files changed, 27 insertions(+), 8 deletions(-) - -diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml -index 292df4cfe..75f467cde 100644 ---- a/.github/workflows/doc.yml -+++ b/.github/workflows/doc.yml -@@ -5,7 +5,7 @@ on: - pull_request: {paths: [doc/**, src/doc/*, src/include/krb5/krb5.hin, .github/workflows/doc.yml]} - - jobs: -- doc: -+ doc-older-sphinx: - runs-on: ubuntu-18.04 - steps: - - name: Checkout repository -@@ -19,6 +19,20 @@ jobs: - run: | - cd src/doc - make -f Makefile.in SPHINX_ARGS=-W htmlsrc -+ doc-newest-sphinx: -+ runs-on: ubuntu-18.04 -+ steps: -+ - name: Checkout repository -+ uses: actions/checkout@v1 -+ - name: Linux setup -+ run: | -+ sudo apt-get update -qq -+ sudo apt-get install -y doxygen python3-lxml python3-pip -+ pip3 install Cheetah3 sphinx -+ - name: Build documentation -+ run: | -+ cd src/doc -+ make -f Makefile.in SPHINX_ARGS=-W htmlsrc - - name: Upload HTML - uses: actions/upload-artifact@v2 - with: -diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 4d51e795c..0cb2e81bd 100644 ---- a/doc/appdev/refs/macros/index.rst -+++ b/doc/appdev/refs/macros/index.rst -@@ -54,7 +54,6 @@ Public - ENCTYPE_DES3_CBC_RAW.rst - ENCTYPE_DES3_CBC_SHA.rst - ENCTYPE_DES3_CBC_SHA1.rst -- ENCTYPE_DES3_CBC_SHA1.rst - ENCTYPE_DES_CBC_CRC.rst - ENCTYPE_DES_CBC_MD4.rst - ENCTYPE_DES_CBC_MD5.rst -diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst -index dc414cfde..d8d2a8f3c 100644 ---- a/doc/appdev/refs/types/index.rst -+++ b/doc/appdev/refs/types/index.rst -@@ -62,7 +62,6 @@ Public - krb5_preauthtype.rst - krb5_principal.rst - krb5_principal_data.rst -- krb5_const_principal.rst - krb5_prompt.rst - krb5_prompt_type.rst - krb5_prompter_fct.rst -diff --git a/doc/appdev/refs/types/krb5_int32.rst b/doc/appdev/refs/types/krb5_int32.rst -index 2bc914b3c..28baafa38 100644 ---- a/doc/appdev/refs/types/krb5_int32.rst -+++ b/doc/appdev/refs/types/krb5_int32.rst -@@ -1,4 +1,4 @@ --.. highlightlang:: c -+.. highlight:: c - - .. _krb5-int32-struct: - -diff --git a/doc/appdev/refs/types/krb5_ui_4.rst b/doc/appdev/refs/types/krb5_ui_4.rst -index de79bafe1..73eb38cf4 100644 ---- a/doc/appdev/refs/types/krb5_ui_4.rst -+++ b/doc/appdev/refs/types/krb5_ui_4.rst -@@ -1,4 +1,4 @@ --.. highlightlang:: c -+.. highlight:: c - - .. _krb5-ui4-struct: - -diff --git a/doc/conf.py b/doc/conf.py -index 4fb6aae14..a876fd633 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -98,8 +98,15 @@ pygments_style = 'sphinx' - - # -- Options for HTML output --------------------------------------------------- - -+# When we can rely on Sphinx 1.8 (released Sep 2018) we can just set: -+# html_css_files = ['kerb.css'] -+# But in the meantime, we add this file using either a way that works -+# after 1.8 or a way that works before 4.0. - def setup(app): -- app.add_stylesheet('kerb.css') -+ if callable(getattr(app, 'add_css_file', None)): -+ app.add_css_file('kerb.css') -+ else: -+ app.add_stylesheet('kerb.css') - - # The theme to use for HTML and HTML Help pages. See the documentation for - # a list of builtin themes. -diff --git a/doc/tools/define_document.tmpl b/doc/tools/define_document.tmpl -index ca56d866c..8e74dc302 100644 ---- a/doc/tools/define_document.tmpl -+++ b/doc/tools/define_document.tmpl -@@ -1,4 +1,4 @@ --.. highlightlang:: c -+.. highlight:: c - - .. $composite.macro_reference($composite.name): - -diff --git a/doc/tools/type_document.tmpl b/doc/tools/type_document.tmpl -index 5987fa762..11aafb818 100644 ---- a/doc/tools/type_document.tmpl -+++ b/doc/tools/type_document.tmpl -@@ -1,4 +1,4 @@ --.. highlightlang:: c -+.. highlight:: c - - .. $composite.struct_reference($composite.name): - diff --git a/Fix-k5tls-module-for-OpenSSL-3.patch b/Fix-k5tls-module-for-OpenSSL-3.patch index fd425b8..f53a23c 100644 --- a/Fix-k5tls-module-for-OpenSSL-3.patch +++ b/Fix-k5tls-module-for-OpenSSL-3.patch @@ -1,4 +1,4 @@ -From 201e38845e9f70234bcaa9ba7c25b28e38169b0a Mon Sep 17 00:00:00 2001 +From 7e4429640f69acdd5d4f9caa655c011d8bd736f0 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Sat, 29 May 2021 12:05:49 -0400 Subject: [PATCH] Fix k5tls module for OpenSSL 3 diff --git a/Fix-kadmin-k-with-fallback-or-referral-realm.patch b/Fix-kadmin-k-with-fallback-or-referral-realm.patch index 3e03da1..a5162e7 100644 --- a/Fix-kadmin-k-with-fallback-or-referral-realm.patch +++ b/Fix-kadmin-k-with-fallback-or-referral-realm.patch @@ -1,4 +1,4 @@ -From cd8ff035f5b4720a8fc457355726f7bd0eab5eaa Mon Sep 17 00:00:00 2001 +From 2d2bb9a14613b3283dabdd40c3ee28e5b680cf93 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 7 Jun 2021 15:00:41 -0400 Subject: [PATCH] Fix kadmin -k with fallback or referral realm diff --git a/Fix-leaks-on-error-in-kadm5-init-functions.patch b/Fix-leaks-on-error-in-kadm5-init-functions.patch index ef12052..bdacecb 100644 --- a/Fix-leaks-on-error-in-kadm5-init-functions.patch +++ b/Fix-leaks-on-error-in-kadm5-init-functions.patch @@ -1,4 +1,4 @@ -From 6b2f7995ab23cffcababe537d57540236f99f0e3 Mon Sep 17 00:00:00 2001 +From a14e0fd3c1d00ba625e6d9eb72829f31527c6ad8 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 23 Jun 2021 16:53:16 -0400 Subject: [PATCH] Fix leaks on error in kadm5 init functions diff --git a/Fix-softpkcs11-build-issues-with-openssl-3.0.patch b/Fix-softpkcs11-build-issues-with-openssl-3.0.patch index d7a0a5c..184c1bf 100644 --- a/Fix-softpkcs11-build-issues-with-openssl-3.0.patch +++ b/Fix-softpkcs11-build-issues-with-openssl-3.0.patch @@ -1,4 +1,4 @@ -From a86b780ef275b35e8dc1e6d1886ec8e8d941f7c4 Mon Sep 17 00:00:00 2001 +From 391379bff864751262dbcedb897f2c2dd394345f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Sat, 15 May 2021 17:35:25 -0400 Subject: [PATCH] Fix softpkcs11 build issues with openssl 3.0 diff --git a/Fix-some-principal-realm-canonicalization-cases.patch b/Fix-some-principal-realm-canonicalization-cases.patch index 2c6c915..81fde7f 100644 --- a/Fix-some-principal-realm-canonicalization-cases.patch +++ b/Fix-some-principal-realm-canonicalization-cases.patch @@ -1,4 +1,4 @@ -From 5ae9bc98f23aeaa2ce17debe5a9b0cf1130e54ed Mon Sep 17 00:00:00 2001 +From 0779309f52f4c05bb1f01f638261ef1b8ca82488 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 7 Jun 2021 13:27:29 -0400 Subject: [PATCH] Fix some principal realm canonicalization cases diff --git a/Fix-use-after-free-during-krad-remote_shutdown.patch b/Fix-use-after-free-during-krad-remote_shutdown.patch deleted file mode 100644 index fb9c56d..0000000 --- a/Fix-use-after-free-during-krad-remote_shutdown.patch +++ /dev/null @@ -1,38 +0,0 @@ -From bcd7b5e8aa0d325e9b178d9be3459759d39b631e Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Sat, 29 May 2021 13:25:59 -0400 -Subject: [PATCH] Fix use-after-free during krad remote_shutdown() - -Since elements of the queue can be removed on out-of-memory errors, -the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH. -Reported by Coverity. - -ticket: 9015 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1) ---- - src/lib/krad/remote.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c -index eca432424..7b5804b1d 100644 ---- a/src/lib/krad/remote.c -+++ b/src/lib/krad/remote.c -@@ -220,12 +220,12 @@ static void - remote_shutdown(krad_remote *rr) - { - krb5_error_code retval; -- request *r; -+ request *r, *next; - - remote_disconnect(rr); - - /* Start timers for all unsent packets. */ -- K5_TAILQ_FOREACH(r, &rr->list, list) { -+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) { - if (r->timer == NULL) { - retval = request_start_timer(r, rr->vctx); - if (retval != 0) diff --git a/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch index 5fa3106..a0e28a9 100644 --- a/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch +++ b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch @@ -1,4 +1,4 @@ -From 2dbca7e14c945d6394e0e05f285a068dcd541295 Mon Sep 17 00:00:00 2001 +From 32ee800fa31d3bbda660bb9270f9aa20718ab202 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 30 Mar 2021 14:35:28 +0200 Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm diff --git a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch index 9334c19..1c97190 100644 --- a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch +++ b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch @@ -1,4 +1,4 @@ -From 9b3d8b9c395bf1a889ea6d6439dc3543c680480d Mon Sep 17 00:00:00 2001 +From 2fd38805a159020722395e79213540d9bcfa6c71 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 22 Apr 2021 15:51:36 -0400 Subject: [PATCH] Move some dejagnu kadmin tests to Python tests @@ -32,7 +32,7 @@ and the ticket 2841 regression tests from pwhist.exp. create mode 100644 src/tests/t_kadmin.py diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index 6b7749129..ab416cc5f 100644 +index fd714eedb..20f27d748 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -147,6 +147,7 @@ check-pytests: unlockiter s4u2self diff --git a/Remove-deprecated-OpenSSL-calls-from-softpkcs11.patch b/Remove-deprecated-OpenSSL-calls-from-softpkcs11.patch index 23f21a5..429cf4d 100644 --- a/Remove-deprecated-OpenSSL-calls-from-softpkcs11.patch +++ b/Remove-deprecated-OpenSSL-calls-from-softpkcs11.patch @@ -1,4 +1,4 @@ -From 5072bfdfaddae762680d0f9d97afa6dbf8274760 Mon Sep 17 00:00:00 2001 +From 0a2778833d2f04a29fe9d7122913abe42299044a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Sat, 15 May 2021 18:04:58 -0400 Subject: [PATCH] Remove deprecated OpenSSL calls from softpkcs11 diff --git a/Support-host-based-GSS-initiator-names.patch b/Support-host-based-GSS-initiator-names.patch index 25b074f..cd7450c 100644 --- a/Support-host-based-GSS-initiator-names.patch +++ b/Support-host-based-GSS-initiator-names.patch @@ -1,4 +1,4 @@ -From 3133e5e24e94bf060e23a4d97cbdf74e934d010f Mon Sep 17 00:00:00 2001 +From 818a777822658d44ce647fe975011a5ea25e8250 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 15 Jan 2021 13:51:34 -0500 Subject: [PATCH] Support host-based GSS initiator names diff --git a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch index 401b363..2af5676 100644 --- a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch +++ b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch @@ -1,4 +1,4 @@ -From c56d4b87de0f30a38dc61d374ad225d02d581eb3 Mon Sep 17 00:00:00 2001 +From 336f744403baa5dfaffcc5bd226fdd8f14a0200b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 26 Mar 2021 23:38:54 -0400 Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client diff --git a/Use-asan-in-one-of-the-CI-builds.patch b/Use-asan-in-one-of-the-CI-builds.patch index e6b1e86..4964d2f 100644 --- a/Use-asan-in-one-of-the-CI-builds.patch +++ b/Use-asan-in-one-of-the-CI-builds.patch @@ -1,4 +1,4 @@ -From 5457242ca6742ace42f1f7dbe37208752c6f26f4 Mon Sep 17 00:00:00 2001 +From 37e1fe755c6e976253a7f40ec7a9e740e4329789 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 21 Jun 2021 19:15:26 -0400 Subject: [PATCH] Use asan in one of the CI builds diff --git a/Using-locking-in-MEMORY-krb5_cc_get_principal.patch b/Using-locking-in-MEMORY-krb5_cc_get_principal.patch deleted file mode 100644 index 2ae1967..0000000 --- a/Using-locking-in-MEMORY-krb5_cc_get_principal.patch +++ /dev/null @@ -1,47 +0,0 @@ -From d9a6607d47ff6449d1cad2a9a5b4d3b9b2768ddd Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sun, 20 Jun 2021 19:24:07 -0400 -Subject: [PATCH] Using locking in MEMORY krb5_cc_get_principal() - -Without locking, the principal pointer could be freed out from under -krb5_copy_principal() by another thread calling krb5_cc_initialize() -or krb5_cc_destroy(). - -ticket: 9014 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -(cherry picked from commit 1848447291c68e21311f441b0458ae53471d00d3) ---- - src/lib/krb5/ccache/cc_memory.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c -index 610091a25..e4c795d25 100644 ---- a/src/lib/krb5/ccache/cc_memory.c -+++ b/src/lib/krb5/ccache/cc_memory.c -@@ -575,12 +575,17 @@ krb5_mcc_get_name (krb5_context context, krb5_ccache id) - krb5_error_code KRB5_CALLCONV - krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) - { -- krb5_mcc_data *ptr = (krb5_mcc_data *)id->data; -- if (!ptr->prin) { -- *princ = 0L; -- return KRB5_FCC_NOFILE; -- } -- return krb5_copy_principal(context, ptr->prin, princ); -+ krb5_error_code ret; -+ krb5_mcc_data *d = id->data; -+ -+ *princ = NULL; -+ k5_cc_mutex_lock(context, &d->lock); -+ if (d->prin == NULL) -+ ret = KRB5_FCC_NOFILE; -+ else -+ ret = krb5_copy_principal(context, d->prin, princ); -+ k5_cc_mutex_unlock(context, &d->lock); -+ return ret; - } - - krb5_error_code KRB5_CALLCONV diff --git a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index d48b1cd..553dec9 100644 --- a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From 852e9efad17e3ef6ea54f91044a279bb34020ecf Mon Sep 17 00:00:00 2001 +From 91e1d43858d90f59f5d9f45987cfca02c3175feb Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 @@ -477,7 +477,7 @@ index c597174b6..fc2d24800 100644 } diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c -index c96a9b4ee..eca432424 100644 +index a938665f6..7b5804b1d 100644 --- a/src/lib/krad/remote.c +++ b/src/lib/krad/remote.c @@ -263,7 +263,7 @@ on_io_write(krad_remote *rr) diff --git a/downstream-Remove-3des-support.patch b/downstream-Remove-3des-support.patch index 2bc2479..9c29cdd 100644 --- a/downstream-Remove-3des-support.patch +++ b/downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From fef4e551d3d2dcb55e58cc182304254c36aa8949 Mon Sep 17 00:00:00 2001 +From defa8816e26ab9f5a8f0b61e7bebad67175c433e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -195,7 +195,7 @@ index 1dc958d62..3a72aabef 100644 While **aes128-cts** and **aes256-cts** are supported for all Kerberos diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst -index 047185afb..b08d954d9 100644 +index 694922c0d..c4d5499d3 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst @@ -129,7 +129,7 @@ enctype weak? krb5 Windows @@ -243,7 +243,7 @@ index ade5e1f87..e4dc54f7e 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index cebb6644c..4d51e795c 100644 +index 5542d9850..0cb2e81bd 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -255,10 +255,10 @@ index cebb6644c..4d51e795c 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index 543202bf4..4fb6aae14 100644 +index 14158ae81..a876fd633 100644 --- a/doc/conf.py +++ b/doc/conf.py -@@ -271,7 +271,7 @@ else: +@@ -278,7 +278,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` diff --git a/downstream-SELinux-integration.patch b/downstream-SELinux-integration.patch index 0ba8b6c..48b058b 100644 --- a/downstream-SELinux-integration.patch +++ b/downstream-SELinux-integration.patch @@ -1,4 +1,4 @@ -From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001 +From 97966ffaac6bf9f2e09ac33a16b15794b31d51de Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration diff --git a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch index 84551d1..4a9f664 100644 --- a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch +++ b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch @@ -1,4 +1,4 @@ -From 687bb26cb0877fa5497e90f7d325de42b456da2a Mon Sep 17 00:00:00 2001 +From 86d606e33439fd0511c5154be7f32b0df2c72e54 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 15 Nov 2019 20:05:16 +0000 Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF diff --git a/downstream-fix-debuginfo-with-y.tab.c.patch b/downstream-fix-debuginfo-with-y.tab.c.patch index 172a093..494152c 100644 --- a/downstream-fix-debuginfo-with-y.tab.c.patch +++ b/downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From d5ea86ef491feb38f12e6aa53b7579ac02675df6 Mon Sep 17 00:00:00 2001 +From 98b50683165089bf7bd9d91f953abbd79a8b1b08 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c diff --git a/downstream-ksu-pam-integration.patch b/downstream-ksu-pam-integration.patch index 7490bf2..bebe946 100644 --- a/downstream-ksu-pam-integration.patch +++ b/downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001 +From 659b3b4a654b879ce84ad8fb4621dde5ae693385 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration diff --git a/downstream-netlib-and-dns.patch b/downstream-netlib-and-dns.patch index de4f9bf..d3ae129 100644 --- a/downstream-netlib-and-dns.patch +++ b/downstream-netlib-and-dns.patch @@ -1,4 +1,4 @@ -From ad123366e5fb2694cf6d9f4f292a001a761b78fa Mon Sep 17 00:00:00 2001 +From 2d7e197fa88dccd3ca051f9f7cb97937c35c55a8 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] [downstream] netlib and dns diff --git a/krb5.spec b/krb5.spec index d27bf68..930a581 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,8 +41,8 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.19.1 -Release: %{?zdpd}15%{?dist} +Version: 1.19.2 +Release: %{?zdpd}1%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz @@ -78,7 +78,6 @@ Patch12: Fix-KCM-flag-transmission-for-remove_cred.patch Patch13: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch Patch14: Use-KCM_OP_RETRIEVE-in-KCM-client.patch Patch15: Fix-KCM-retrieval-support-for-sssd.patch -Patch16: Fix-doc-build-for-Sphinx-4.0.patch Patch17: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch Patch18: Fix-some-principal-realm-canonicalization-cases.patch Patch19: Allow-kinit-with-keytab-to-defer-canonicalization.patch @@ -89,11 +88,7 @@ Patch23: Fix-k5tls-module-for-OpenSSL-3.patch Patch24: Fix-leaks-on-error-in-kadm5-init-functions.patch Patch25: Clean-up-context-after-failed-open-in-libkdb5.patch Patch26: Use-asan-in-one-of-the-CI-builds.patch -Patch27: Using-locking-in-MEMORY-krb5_cc_get_principal.patch -Patch28: Fix-use-after-free-during-krad-remote_shutdown.patch Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch -Patch30: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch -Patch31: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -656,6 +651,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Jul 26 2021 Robbie Harwood - 1.19.2-1 +- New upstream version (1.19.2) + * Wed Jul 21 2021 Robbie Harwood - 1.19.1-15 - Fix defcred leak in krb5 gss_inquire_cred()