New upstream version (1.19.2)

This commit is contained in:
Robbie Harwood 2021-07-26 14:49:39 -04:00
parent 2484569caa
commit c4016b4e4c
32 changed files with 37 additions and 474 deletions

View File

@ -1,4 +1,4 @@
From c1fe1c8fa3df7f50c7e28d52263d0d24afb4b3a1 Mon Sep 17 00:00:00 2001
From 3a99832252755cf7e5fef2bd824459cea3eb823e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 Jan 2021 18:13:09 -0500
Subject: [PATCH] Add APIs for marshalling credentials

View File

@ -1,4 +1,4 @@
From a0ee8b02e56c65e5dcd569caed0e151cef004ef4 Mon Sep 17 00:00:00 2001
From 8772d8f47b7460a0eef48366881483fd9b3acfd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 11 Feb 2021 15:33:10 +0100
Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration

View File

@ -1,4 +1,4 @@
From 3e78bc5d48513fe38f3bc4228b12abcdc0733ee2 Mon Sep 17 00:00:00 2001
From e88f0319427cee7245fb05c97a25473297c9d2d6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 15 Jan 2021 14:43:34 -0500
Subject: [PATCH] Add hostname canonicalization helper to k5test.py

View File

@ -1,4 +1,4 @@
From 090c7319652466339e3e6482bdd1b5a294638dff Mon Sep 17 00:00:00 2001
From fb4d9fa851b1d0d3375556d1cdc1fce72176df1e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 3 Jun 2021 16:03:07 -0400
Subject: [PATCH] Allow kinit with keytab to defer canonicalization

View File

@ -1,4 +1,4 @@
From 78c03a9b5ef3e3f894bea11c89e575b9bb4d1b0f Mon Sep 17 00:00:00 2001
From 95547c12b39e62df55cef05cae890302834b7f98 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 23 Jun 2021 16:57:39 -0400
Subject: [PATCH] Clean up context after failed open in libkdb5

View File

@ -1,4 +1,4 @@
From 8285f21d40e30477436128ae2c28403cd5575074 Mon Sep 17 00:00:00 2001
From 5e5ea8e8345c8b2f3254b0d346b8e0de0df3a696 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 26 May 2021 18:22:10 -0400
Subject: [PATCH] Clean up gssapi_krb5 ccache name functions

View File

@ -1,4 +1,4 @@
From 04f0de4420508161ce439f262f2761ff51a07ab0 Mon Sep 17 00:00:00 2001
From 1528c264d0e1eebff34132c01f4f770f01f1d1c2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 29 Mar 2021 14:32:56 -0400
Subject: [PATCH] Fix KCM flag transmission for remove_cred

View File

@ -1,4 +1,4 @@
From a5b2cff51808cd86fe8195e7ac074ecd25c3344d Mon Sep 17 00:00:00 2001
From 43be8fba5301d08fc4d5ddef14f8ae3d9655b0ba Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 11 May 2021 14:04:07 -0400
Subject: [PATCH] Fix KCM retrieval support for sssd

View File

@ -1,113 +0,0 @@
From 791211b00a53b394376d096c881b725ee739a936 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 7 Jul 2021 11:47:44 +1200
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
ticket: 9007 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
---
src/kdc/kdc_preauth_ec.c | 3 ++-
src/tests/Makefile.in | 1 +
src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 src/tests/t_cve-2021-36222.py
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7e636b3f9..43a9902cc 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
}
/* Check for a configured FAST ec auth indicator. */
- realmstr = k5memdup0(realm.data, realm.length, &retval);
+ if (retval == 0)
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
if (realmstr != NULL)
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
realmstr,
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index ab416cc5f..20f27d748 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
$(RM) au.log
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
new file mode 100644
index 000000000..57e04993b
--- /dev/null
+++ b/src/tests/t_cve-2021-36222.py
@@ -0,0 +1,46 @@
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
+# without FAST
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
+ 'A103' '0201' '05' # [1] pvno = 5
+ 'A203' '0201' '0A' # [2] msg-type = 10
+ 'A30E' '300C' # [3] padata = SEQUENCE OF
+ '300A' # SEQUENCE
+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
+ 'A202' '0400' # [2] padata-value = ""
+ 'A48180' '307E' # [4] req-body = SEQUENCE
+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
+ 'A120' '301E' # [1] cname = SEQUENCE
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
+ '1B06' '6B7262746774' # krbtgt
+ '1B0B' '4B5242544553542E434F4D'
+ # KRBTEST.COM
+ 'A20D' '1B0B' '4B5242544553542E434F4D'
+ # [2] realm = KRBTEST.COM
+ 'A320' '301E' # [3] sname = SEQUENCE
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
+ '1B06' '6B7262746774' # krbtgt
+ '1B0B' '4B5242544553542E434F4D'
+ # KRBTEST.COM
+ 'A511' '180F' '31393934303631303036303331375A'
+ # [5] till = 19940610060317Z
+ 'A703' '0201' '00' # [7] nonce = 0
+ 'A808' '3006' # [8] etype = SEQUENCE OF
+ '020112' '020111') # aes256-cts aes128-cts
+
+s.sendto(bytes.fromhex(m), a)
+
+# Make sure kinit still works.
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2021-36222 regression test')

View File

@ -1,85 +0,0 @@
From 7e6cdffd47559be61a8c26c4ed3c500c536d5368 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 16 Jul 2021 13:39:39 -0400
Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Unify the success and failure cleanup for this function so that
defcred is properly released on success.
Reported by Pavel Březina.
ticket: 9016
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
---
src/lib/gssapi/krb5/inq_cred.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f254110..bb63b726c 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if ((code = krb5_timeofday(context, &now))) {
*minor_status = code;
ret = GSS_S_FAILURE;
- goto fail;
+ goto cleanup;
}
if (cred->expire != 0) {
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
*minor_status = code;
save_error_info(*minor_status, context);
ret = GSS_S_FAILURE;
- goto fail;
+ goto cleanup;
}
}
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (ret_name)
kg_release_name(context, &ret_name);
/* *minor_status set above */
- goto fail;
+ goto cleanup;
}
}
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (cred_usage)
*cred_usage = cred->usage;
- k5_mutex_unlock(&cred->lock);
if (mechanisms) {
*mechanisms = mechs;
mechs = GSS_C_NO_OID_SET;
}
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
- krb5_free_context(context);
*minor_status = 0;
- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
-fail:
+ ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
+
+cleanup:
k5_mutex_unlock(&cred->lock);
krb5_gss_release_cred(&tmpmin, &defcred);
krb5_free_context(context);

View File

@ -1,152 +0,0 @@
From 0bf023bdbb8335f48a6a4dcf8bd5dac9c2cd7fb6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 26 May 2021 15:08:28 -0400
Subject: [PATCH] Fix doc build for Sphinx 4.0
Use app.add_css_file() to register krb5.css if possible (it was added
in Sphinx 1.8), since the old name app.add_stylesheet() was removed in
Sphinx 4.0.
Use the highlight directive instead of the highlightlang directive,
which was removed in Sphinx 4.0.
Remove two duplicate table of contents entries to fix warnings.
In the Github Actions configuration, add a second doc build using the
newest version of Sphinx.
ticket: 9006
tags: pullup
target_version: 1.19-next
(cherry picked from commit 3fa40a32e22cb9de91fa1d18deddcba446515855)
---
.github/workflows/doc.yml | 16 +++++++++++++++-
doc/appdev/refs/macros/index.rst | 1 -
doc/appdev/refs/types/index.rst | 1 -
doc/appdev/refs/types/krb5_int32.rst | 2 +-
doc/appdev/refs/types/krb5_ui_4.rst | 2 +-
doc/conf.py | 9 ++++++++-
doc/tools/define_document.tmpl | 2 +-
doc/tools/type_document.tmpl | 2 +-
8 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 292df4cfe..75f467cde 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -5,7 +5,7 @@ on:
pull_request: {paths: [doc/**, src/doc/*, src/include/krb5/krb5.hin, .github/workflows/doc.yml]}
jobs:
- doc:
+ doc-older-sphinx:
runs-on: ubuntu-18.04
steps:
- name: Checkout repository
@@ -19,6 +19,20 @@ jobs:
run: |
cd src/doc
make -f Makefile.in SPHINX_ARGS=-W htmlsrc
+ doc-newest-sphinx:
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v1
+ - name: Linux setup
+ run: |
+ sudo apt-get update -qq
+ sudo apt-get install -y doxygen python3-lxml python3-pip
+ pip3 install Cheetah3 sphinx
+ - name: Build documentation
+ run: |
+ cd src/doc
+ make -f Makefile.in SPHINX_ARGS=-W htmlsrc
- name: Upload HTML
uses: actions/upload-artifact@v2
with:
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index 4d51e795c..0cb2e81bd 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -54,7 +54,6 @@ Public
ENCTYPE_DES3_CBC_RAW.rst
ENCTYPE_DES3_CBC_SHA.rst
ENCTYPE_DES3_CBC_SHA1.rst
- ENCTYPE_DES3_CBC_SHA1.rst
ENCTYPE_DES_CBC_CRC.rst
ENCTYPE_DES_CBC_MD4.rst
ENCTYPE_DES_CBC_MD5.rst
diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
index dc414cfde..d8d2a8f3c 100644
--- a/doc/appdev/refs/types/index.rst
+++ b/doc/appdev/refs/types/index.rst
@@ -62,7 +62,6 @@ Public
krb5_preauthtype.rst
krb5_principal.rst
krb5_principal_data.rst
- krb5_const_principal.rst
krb5_prompt.rst
krb5_prompt_type.rst
krb5_prompter_fct.rst
diff --git a/doc/appdev/refs/types/krb5_int32.rst b/doc/appdev/refs/types/krb5_int32.rst
index 2bc914b3c..28baafa38 100644
--- a/doc/appdev/refs/types/krb5_int32.rst
+++ b/doc/appdev/refs/types/krb5_int32.rst
@@ -1,4 +1,4 @@
-.. highlightlang:: c
+.. highlight:: c
.. _krb5-int32-struct:
diff --git a/doc/appdev/refs/types/krb5_ui_4.rst b/doc/appdev/refs/types/krb5_ui_4.rst
index de79bafe1..73eb38cf4 100644
--- a/doc/appdev/refs/types/krb5_ui_4.rst
+++ b/doc/appdev/refs/types/krb5_ui_4.rst
@@ -1,4 +1,4 @@
-.. highlightlang:: c
+.. highlight:: c
.. _krb5-ui4-struct:
diff --git a/doc/conf.py b/doc/conf.py
index 4fb6aae14..a876fd633 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -98,8 +98,15 @@ pygments_style = 'sphinx'
# -- Options for HTML output ---------------------------------------------------
+# When we can rely on Sphinx 1.8 (released Sep 2018) we can just set:
+# html_css_files = ['kerb.css']
+# But in the meantime, we add this file using either a way that works
+# after 1.8 or a way that works before 4.0.
def setup(app):
- app.add_stylesheet('kerb.css')
+ if callable(getattr(app, 'add_css_file', None)):
+ app.add_css_file('kerb.css')
+ else:
+ app.add_stylesheet('kerb.css')
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
diff --git a/doc/tools/define_document.tmpl b/doc/tools/define_document.tmpl
index ca56d866c..8e74dc302 100644
--- a/doc/tools/define_document.tmpl
+++ b/doc/tools/define_document.tmpl
@@ -1,4 +1,4 @@
-.. highlightlang:: c
+.. highlight:: c
.. $composite.macro_reference($composite.name):
diff --git a/doc/tools/type_document.tmpl b/doc/tools/type_document.tmpl
index 5987fa762..11aafb818 100644
--- a/doc/tools/type_document.tmpl
+++ b/doc/tools/type_document.tmpl
@@ -1,4 +1,4 @@
-.. highlightlang:: c
+.. highlight:: c
.. $composite.struct_reference($composite.name):

View File

@ -1,4 +1,4 @@
From 201e38845e9f70234bcaa9ba7c25b28e38169b0a Mon Sep 17 00:00:00 2001
From 7e4429640f69acdd5d4f9caa655c011d8bd736f0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 29 May 2021 12:05:49 -0400
Subject: [PATCH] Fix k5tls module for OpenSSL 3

View File

@ -1,4 +1,4 @@
From cd8ff035f5b4720a8fc457355726f7bd0eab5eaa Mon Sep 17 00:00:00 2001
From 2d2bb9a14613b3283dabdd40c3ee28e5b680cf93 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 7 Jun 2021 15:00:41 -0400
Subject: [PATCH] Fix kadmin -k with fallback or referral realm

View File

@ -1,4 +1,4 @@
From 6b2f7995ab23cffcababe537d57540236f99f0e3 Mon Sep 17 00:00:00 2001
From a14e0fd3c1d00ba625e6d9eb72829f31527c6ad8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 23 Jun 2021 16:53:16 -0400
Subject: [PATCH] Fix leaks on error in kadm5 init functions

View File

@ -1,4 +1,4 @@
From a86b780ef275b35e8dc1e6d1886ec8e8d941f7c4 Mon Sep 17 00:00:00 2001
From 391379bff864751262dbcedb897f2c2dd394345f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 15 May 2021 17:35:25 -0400
Subject: [PATCH] Fix softpkcs11 build issues with openssl 3.0

View File

@ -1,4 +1,4 @@
From 5ae9bc98f23aeaa2ce17debe5a9b0cf1130e54ed Mon Sep 17 00:00:00 2001
From 0779309f52f4c05bb1f01f638261ef1b8ca82488 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 7 Jun 2021 13:27:29 -0400
Subject: [PATCH] Fix some principal realm canonicalization cases

View File

@ -1,38 +0,0 @@
From bcd7b5e8aa0d325e9b178d9be3459759d39b631e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 29 May 2021 13:25:59 -0400
Subject: [PATCH] Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
ticket: 9015 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
---
src/lib/krad/remote.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index eca432424..7b5804b1d 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
remote_shutdown(krad_remote *rr)
{
krb5_error_code retval;
- request *r;
+ request *r, *next;
remote_disconnect(rr);
/* Start timers for all unsent packets. */
- K5_TAILQ_FOREACH(r, &rr->list, list) {
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
if (r->timer == NULL) {
retval = request_start_timer(r, rr->vctx);
if (retval != 0)

View File

@ -1,4 +1,4 @@
From 2dbca7e14c945d6394e0e05f285a068dcd541295 Mon Sep 17 00:00:00 2001
From 32ee800fa31d3bbda660bb9270f9aa20718ab202 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Mar 2021 14:35:28 +0200
Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm

View File

@ -1,4 +1,4 @@
From 9b3d8b9c395bf1a889ea6d6439dc3543c680480d Mon Sep 17 00:00:00 2001
From 2fd38805a159020722395e79213540d9bcfa6c71 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Apr 2021 15:51:36 -0400
Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
@ -32,7 +32,7 @@ and the ticket 2841 regression tests from pwhist.exp.
create mode 100644 src/tests/t_kadmin.py
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 6b7749129..ab416cc5f 100644
index fd714eedb..20f27d748 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -147,6 +147,7 @@ check-pytests: unlockiter s4u2self

View File

@ -1,4 +1,4 @@
From 5072bfdfaddae762680d0f9d97afa6dbf8274760 Mon Sep 17 00:00:00 2001
From 0a2778833d2f04a29fe9d7122913abe42299044a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 15 May 2021 18:04:58 -0400
Subject: [PATCH] Remove deprecated OpenSSL calls from softpkcs11

View File

@ -1,4 +1,4 @@
From 3133e5e24e94bf060e23a4d97cbdf74e934d010f Mon Sep 17 00:00:00 2001
From 818a777822658d44ce647fe975011a5ea25e8250 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 15 Jan 2021 13:51:34 -0500
Subject: [PATCH] Support host-based GSS initiator names

View File

@ -1,4 +1,4 @@
From c56d4b87de0f30a38dc61d374ad225d02d581eb3 Mon Sep 17 00:00:00 2001
From 336f744403baa5dfaffcc5bd226fdd8f14a0200b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 26 Mar 2021 23:38:54 -0400
Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client

View File

@ -1,4 +1,4 @@
From 5457242ca6742ace42f1f7dbe37208752c6f26f4 Mon Sep 17 00:00:00 2001
From 37e1fe755c6e976253a7f40ec7a9e740e4329789 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 21 Jun 2021 19:15:26 -0400
Subject: [PATCH] Use asan in one of the CI builds

View File

@ -1,47 +0,0 @@
From d9a6607d47ff6449d1cad2a9a5b4d3b9b2768ddd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 20 Jun 2021 19:24:07 -0400
Subject: [PATCH] Using locking in MEMORY krb5_cc_get_principal()
Without locking, the principal pointer could be freed out from under
krb5_copy_principal() by another thread calling krb5_cc_initialize()
or krb5_cc_destroy().
ticket: 9014 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit 1848447291c68e21311f441b0458ae53471d00d3)
---
src/lib/krb5/ccache/cc_memory.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 610091a25..e4c795d25 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -575,12 +575,17 @@ krb5_mcc_get_name (krb5_context context, krb5_ccache id)
krb5_error_code KRB5_CALLCONV
krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
{
- krb5_mcc_data *ptr = (krb5_mcc_data *)id->data;
- if (!ptr->prin) {
- *princ = 0L;
- return KRB5_FCC_NOFILE;
- }
- return krb5_copy_principal(context, ptr->prin, princ);
+ krb5_error_code ret;
+ krb5_mcc_data *d = id->data;
+
+ *princ = NULL;
+ k5_cc_mutex_lock(context, &d->lock);
+ if (d->prin == NULL)
+ ret = KRB5_FCC_NOFILE;
+ else
+ ret = krb5_copy_principal(context, d->prin, princ);
+ k5_cc_mutex_unlock(context, &d->lock);
+ return ret;
}
krb5_error_code KRB5_CALLCONV

View File

@ -1,4 +1,4 @@
From 852e9efad17e3ef6ea54f91044a279bb34020ecf Mon Sep 17 00:00:00 2001
From 91e1d43858d90f59f5d9f45987cfca02c3175feb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@ -477,7 +477,7 @@ index c597174b6..fc2d24800 100644
}
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index c96a9b4ee..eca432424 100644
index a938665f6..7b5804b1d 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr)

View File

@ -1,4 +1,4 @@
From fef4e551d3d2dcb55e58cc182304254c36aa8949 Mon Sep 17 00:00:00 2001
From defa8816e26ab9f5a8f0b61e7bebad67175c433e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support
@ -195,7 +195,7 @@ index 1dc958d62..3a72aabef 100644
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
index 047185afb..b08d954d9 100644
index 694922c0d..c4d5499d3 100644
--- a/doc/admin/enctypes.rst
+++ b/doc/admin/enctypes.rst
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows
@ -243,7 +243,7 @@ index ade5e1f87..e4dc54f7e 100644
.. _err_cert_chain_cert_expired:
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index cebb6644c..4d51e795c 100644
index 5542d9850..0cb2e81bd 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -36,7 +36,6 @@ Public
@ -255,10 +255,10 @@ index cebb6644c..4d51e795c 100644
CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py
index 543202bf4..4fb6aae14 100644
index 14158ae81..a876fd633 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -271,7 +271,7 @@ else:
@@ -278,7 +278,7 @@ else:
rst_epilog += '''
.. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``

View File

@ -1,4 +1,4 @@
From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001
From 97966ffaac6bf9f2e09ac33a16b15794b31d51de Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration

View File

@ -1,4 +1,4 @@
From 687bb26cb0877fa5497e90f7d325de42b456da2a Mon Sep 17 00:00:00 2001
From 86d606e33439fd0511c5154be7f32b0df2c72e54 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF

View File

@ -1,4 +1,4 @@
From d5ea86ef491feb38f12e6aa53b7579ac02675df6 Mon Sep 17 00:00:00 2001
From 98b50683165089bf7bd9d91f953abbd79a8b1b08 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c

View File

@ -1,4 +1,4 @@
From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001
From 659b3b4a654b879ce84ad8fb4621dde5ae693385 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration

View File

@ -1,4 +1,4 @@
From ad123366e5fb2694cf6d9f4f292a001a761b78fa Mon Sep 17 00:00:00 2001
From 2d7e197fa88dccd3ca051f9f7cb97937c35c55a8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] [downstream] netlib and dns

View File

@ -41,8 +41,8 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
Release: %{?zdpd}15%{?dist}
Version: 1.19.2
Release: %{?zdpd}1%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -78,7 +78,6 @@ Patch12: Fix-KCM-flag-transmission-for-remove_cred.patch
Patch13: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
Patch14: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
Patch15: Fix-KCM-retrieval-support-for-sssd.patch
Patch16: Fix-doc-build-for-Sphinx-4.0.patch
Patch17: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
Patch18: Fix-some-principal-realm-canonicalization-cases.patch
Patch19: Allow-kinit-with-keytab-to-defer-canonicalization.patch
@ -89,11 +88,7 @@ Patch23: Fix-k5tls-module-for-OpenSSL-3.patch
Patch24: Fix-leaks-on-error-in-kadm5-init-functions.patch
Patch25: Clean-up-context-after-failed-open-in-libkdb5.patch
Patch26: Use-asan-in-one-of-the-CI-builds.patch
Patch27: Using-locking-in-MEMORY-krb5_cc_get_principal.patch
Patch28: Fix-use-after-free-during-krad-remote_shutdown.patch
Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch
Patch30: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch31: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -656,6 +651,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Mon Jul 26 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-1
- New upstream version (1.19.2)
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-15
- Fix defcred leak in krb5 gss_inquire_cred()