rpms
/
krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import krb5-1.18.2-5.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:50:51 -05:00 committed by Andrew Lukoshko
parent 3ec284c784
commit ee1d0c5e34
57 changed files with 9532 additions and 5149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/krb5-1.17-pdfs.tar
SOURCES/krb5-1.17.tar.gz
SOURCES/krb5-1.18.2-pdfs.tar
SOURCES/krb5-1.18.2.tar.gz

4
.krb5.metadata
View File

@ -1,2 +1,2 @@
494c62bea08e5d26e01d47c409ac745b65e509c8 SOURCES/krb5-1.17-pdfs.tar
0c404b081db9c996c581f636ce450ee28778f338 SOURCES/krb5-1.17.tar.gz
db930a6653503c36027a4f65d761f8838c7636ae SOURCES/krb5-1.18.2-pdfs.tar
547c4e4afa06dd39c888a9ee89397ec3c3425c90 SOURCES/krb5-1.18.2.tar.gz

420
SOURCES/Add-channel-bindings-tests.patch Normal file
View File

@ -0,0 +1,420 @@
From 6af3fd382e99a9724413929af7eee7c86326ffd9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 20 Mar 2020 00:17:28 +0100
Subject: [PATCH] Add channel bindings tests
[ghudson@mit.edu: adjusted test program to output channel-bound state
instead of optionally enforcing it; adjusted tests to check program
output; split out tests into separate Python script; made cosmetic
changes]
ticket: 8900
(cherry picked from commit b0b21b6d25b06f3e2b365dfe9dd4c99b3d43bf57)
[rharwood@redhat.com: .gitignore]
(cherry picked from commit 3e92520c1417f22447751cd9172d5ab30c2e0ad8)
---
src/plugins/gssapi/negoextest/main.c | 18 +++++
src/tests/gssapi/Makefile.in | 49 ++++++------
src/tests/gssapi/common.c | 25 ++++--
src/tests/gssapi/common.h | 9 +++
src/tests/gssapi/deps | 4 +
src/tests/gssapi/t_bindings.c | 111 +++++++++++++++++++++++++++
src/tests/gssapi/t_bindings.py | 43 +++++++++++
src/tests/gssapi/t_negoex.py | 7 ++
8 files changed, 237 insertions(+), 29 deletions(-)
create mode 100644 src/tests/gssapi/t_bindings.c
create mode 100644 src/tests/gssapi/t_bindings.py
diff --git a/src/plugins/gssapi/negoextest/main.c b/src/plugins/gssapi/negoextest/main.c
index 6c340f41b..72fc5273a 100644
--- a/src/plugins/gssapi/negoextest/main.c
+++ b/src/plugins/gssapi/negoextest/main.c
@@ -57,6 +57,15 @@ gss_init_sec_context(OM_uint32 *minor_status,
const char *envstr;
uint8_t hops, mech_last_octet;
+ envstr = getenv("GSS_INIT_BINDING");
+ if (envstr != NULL) {
+ assert(strlen(envstr) > 0);
+ assert(input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS);
+ assert(strlen(envstr) == input_chan_bindings->application_data.length);
+ assert(strcmp((char *)input_chan_bindings->application_data.value,
+ envstr) == 0);
+ }
+
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
envstr = getenv("HOPS");
hops = (envstr != NULL) ? atoi(envstr) : 1;
@@ -112,6 +121,15 @@ gss_accept_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle,
uint8_t hops, mech_last_octet;
const char *envstr;
+ envstr = getenv("GSS_ACCEPT_BINDING");
+ if (envstr != NULL) {
+ assert(strlen(envstr) > 0);
+ assert(input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS);
+ assert(strlen(envstr) == input_chan_bindings->application_data.length);
+ assert(strcmp((char *)input_chan_bindings->application_data.value,
+ envstr) == 0);
+ }
+
/*
* The unwrapped token sits at the end and is just one byte giving the
* remaining number of hops. The final octet of the mech encoding should
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 5cc1e0f58..68c132b79 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -9,33 +9,33 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \
-I../../lib/gssapi/generic
SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
- $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_ccselect.c \
- $(srcdir)/t_ciflags.c $(srcdir)/t_context.c $(srcdir)/t_credstore.c \
- $(srcdir)/t_enctypes.c $(srcdir)/t_err.c $(srcdir)/t_export_cred.c \
- $(srcdir)/t_export_name.c $(srcdir)/t_gssexts.c \
- $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c $(srcdir)/t_invalid.c \
- $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
+ $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_bindings.c \
+ $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c $(srcdir)/t_context.c \
+ $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c $(srcdir)/t_err.c \
+ $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
+ $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
+ $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
$(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \
$(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \
$(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
$(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
-OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_ccselect.o \
- t_ciflags.o t_context.o t_credstore.o t_enctypes.o t_err.o \
- t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \
- t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o t_iov.o \
- t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o t_s4u.o \
- t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o
+OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_bindings.o \
+ t_ccselect.o t_ciflags.o t_context.o t_credstore.o t_enctypes.o \
+ t_err.o t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o \
+ t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o \
+ t_iov.o t_lifetime.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o \
+ t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o t_srcattrs.o
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-all: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags t_context \
- t_credstore t_enctypes t_err t_export_cred t_export_name t_gssexts \
- t_imp_cred t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name \
- t_iov t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u \
- t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
+all: ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect t_ciflags \
+ t_context t_credstore t_enctypes t_err t_export_cred t_export_name \
+ t_gssexts t_imp_cred t_imp_name t_invalid t_inq_cred t_inq_ctx \
+ t_inq_mechs_name t_iov t_lifetime t_namingexts t_oid t_pcontok t_prf \
+ t_s4u t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
check-unix: t_oid
$(RUN_TEST) ./t_invalid
@@ -43,11 +43,12 @@ check-unix: t_oid
$(RUN_TEST) ./t_prf
$(RUN_TEST) ./t_imp_name
-check-pytests: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags \
- t_context t_credstore t_enctypes t_err t_export_cred t_export_name \
- t_imp_cred t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \
- t_pcontok t_s4u t_s4u2proxy_krb5 t_spnego t_srcattrs
+check-pytests: ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect \
+ t_ciflags t_context t_credstore t_enctypes t_err t_export_cred \
+ t_export_name t_imp_cred t_inq_cred t_inq_ctx t_inq_mechs_name t_iov \
+ t_lifetime t_pcontok t_s4u t_s4u2proxy_krb5 t_spnego t_srcattrs
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_bindings.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS)
@@ -64,6 +65,8 @@ t_accname: t_accname.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS)
t_add_cred: t_add_cred.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_add_cred.o $(COMMON_LIBS)
+t_bindings: t_bindings.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_bindings.o $(COMMON_LIBS)
t_ccselect: t_ccselect.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS)
t_ciflags: t_ciflags.o $(COMMON_DEPS)
@@ -118,8 +121,8 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS)
clean:
- $(RM) ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags
- $(RM) t_context t_credstore t_enctypes t_err t_export_cred
+ $(RM) ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect
+ $(RM) t_ciflags t_context t_credstore t_enctypes t_err t_export_cred
$(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_invalid
$(RM) t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime
$(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 83e9d9bb8..7ba72f7b2 100644
--- a/src/tests/gssapi/common.c
+++ b/src/tests/gssapi/common.c
@@ -115,6 +115,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ictx,
gss_ctx_id_t *actx, gss_name_t *src_name, gss_OID *amech,
gss_cred_id_t *deleg_cred)
+{
+ return establish_contexts_ex(imech, icred, acred, tname, flags, ictx, actx,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_CHANNEL_BINDINGS, NULL, src_name,
+ amech, deleg_cred);
+}
+
+void
+establish_contexts_ex(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
+ gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ictx,
+ gss_ctx_id_t *actx, gss_channel_bindings_t icb,
+ gss_channel_bindings_t acb, OM_uint32 *aret_flags,
+ gss_name_t *src_name, gss_OID *amech,
+ gss_cred_id_t *deleg_cred)
{
OM_uint32 minor, imaj, amaj;
gss_buffer_desc itok, atok;
@@ -126,17 +140,16 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
for (;;) {
(void)gss_release_buffer(&minor, &itok);
imaj = gss_init_sec_context(&minor, icred, ictx, tname, imech, flags,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL,
- &itok, NULL, NULL);
+ GSS_C_INDEFINITE, icb, &atok, NULL, &itok,
+ NULL, NULL);
check_gsserr("gss_init_sec_context", imaj, minor);
if (amaj == GSS_S_COMPLETE)
break;
(void)gss_release_buffer(&minor, &atok);
- amaj = gss_accept_sec_context(&minor, actx, acred, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, src_name,
- amech, &atok, NULL, NULL, deleg_cred);
+ amaj = gss_accept_sec_context(&minor, actx, acred, &itok, acb,
+ src_name, amech, &atok, aret_flags, NULL,
+ deleg_cred);
check_gsserr("gss_accept_sec_context", amaj, minor);
(void)gss_release_buffer(&minor, &itok);
if (imaj == GSS_S_COMPLETE)
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
index ae11b51d4..a5c8f87e6 100644
--- a/src/tests/gssapi/common.h
+++ b/src/tests/gssapi/common.h
@@ -62,6 +62,15 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
gss_name_t *src_name, gss_OID *amech,
gss_cred_id_t *deleg_cred);
+/* Establish contexts with channel bindings. */
+void establish_contexts_ex(gss_OID imech, gss_cred_id_t icred,
+ gss_cred_id_t acred, gss_name_t tname,
+ OM_uint32 flags, gss_ctx_id_t *ictx,
+ gss_ctx_id_t *actx, gss_channel_bindings_t icb,
+ gss_channel_bindings_t acb, OM_uint32 *aret_flags,
+ gss_name_t *src_name, gss_OID *amech,
+ gss_cred_id_t *deleg_cred);
+
/* Export *cred to a token, then release *cred and replace it by re-importing
* the token. */
void export_import_cred(gss_cred_id_t *cred);
diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps
index acd0e96f8..73e4d9a74 100644
--- a/src/tests/gssapi/deps
+++ b/src/tests/gssapi/deps
@@ -33,6 +33,10 @@ $(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
common.h t_add_cred.c
+$(OUTPRE)t_bindings.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
+ common.h t_bindings.c
$(OUTPRE)t_ccselect.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
diff --git a/src/tests/gssapi/t_bindings.c b/src/tests/gssapi/t_bindings.c
new file mode 100644
index 000000000..e8906715b
--- /dev/null
+++ b/src/tests/gssapi/t_bindings.c
@@ -0,0 +1,111 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 2020 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "common.h"
+
+/*
+ * Establish contexts (without and with GSS_C_DCE_STYLE) with the default
+ * initiator name, a specified principal name as target name, initiator
+ * bindings, and acceptor bindings. If any call is unsuccessful, display an
+ * error message. Output "yes" or "no" to indicate whether the contexts were
+ * reported as channel-bound on the acceptor. Exit with status 0 if all
+ * operations are successful, or 1 if not.
+ *
+ * Usage: ./t_bindings [-s] targetname icb acb
+ *
+ * An icb or abc value of "-" will not specify channel bindings.
+ */
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 minor, flags1, flags2;
+ gss_name_t target_name;
+ gss_ctx_id_t ictx, actx;
+ struct gss_channel_bindings_struct icb_data = {0}, acb_data = {0};
+ gss_channel_bindings_t icb = GSS_C_NO_CHANNEL_BINDINGS;
+ gss_channel_bindings_t acb = GSS_C_NO_CHANNEL_BINDINGS;
+ gss_OID_desc *mech;
+
+ argv++;
+ argc--;
+ if (*argv != NULL && strcmp(*argv, "-s") == 0) {
+ mech = &mech_spnego;
+ argv++;
+ argc--;
+ } else {
+ mech = &mech_krb5;
+ }
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: t_bindings [-s] targetname icb acb\n");
+ return 1;
+ }
+
+ target_name = import_name(argv[0]);
+
+ if (strcmp(argv[1], "-") != 0) {
+ icb_data.application_data.length = strlen(argv[1]);
+ icb_data.application_data.value = argv[1];
+ icb = &icb_data;
+ }
+
+ if (strcmp(argv[2], "-") != 0) {
+ acb_data.application_data.length = strlen(argv[2]);
+ acb_data.application_data.value = argv[2];
+ acb = &acb_data;
+ }
+
+ establish_contexts_ex(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
+ target_name, 0, &ictx, &actx, icb, acb, &flags1,
+ NULL, NULL, NULL);
+
+ /* Try again with GSS_C_DCE_STYLE */
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+ establish_contexts_ex(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
+ target_name, GSS_C_DCE_STYLE, &ictx, &actx, icb, acb,
+ &flags2, NULL, NULL, NULL);
+ assert((flags1 & GSS_C_CHANNEL_BOUND_FLAG) ==
+ (flags2 & GSS_C_CHANNEL_BOUND_FLAG));
+ printf("%s\n", (flags1 & GSS_C_CHANNEL_BOUND_FLAG) ? "yes" : "no");
+
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ (void)gss_release_name(&minor, &target_name);
+
+ return 0;
+}
diff --git a/src/tests/gssapi/t_bindings.py b/src/tests/gssapi/t_bindings.py
new file mode 100644
index 000000000..f377977b6
--- /dev/null
+++ b/src/tests/gssapi/t_bindings.py
@@ -0,0 +1,43 @@
+from k5test import *
+
+realm = K5Realm()
+server = 'p:' + realm.host_princ
+
+mark('krb5 channel bindings')
+realm.run(['./t_bindings', server, '-', '-'], expected_msg='no')
+realm.run(['./t_bindings', server, 'a', '-'], expected_msg='no')
+realm.run(['./t_bindings', server, 'a', 'a'], expected_msg='yes')
+realm.run(['./t_bindings', server, '-', 'a'], expected_msg='no')
+realm.run(['./t_bindings', server, 'a', 'x'],
+ expected_code=1, expected_msg='Incorrect channel bindings')
+
+mark('SPNEGO channel bindings')
+realm.run(['./t_bindings', '-s', server, '-', '-'], expected_msg='no')
+realm.run(['./t_bindings', '-s', server, 'a', '-'], expected_msg='no')
+realm.run(['./t_bindings', '-s', server, 'a', 'a'], expected_msg='yes')
+realm.run(['./t_bindings', '-s', server, '-', 'a'], expected_msg='no')
+realm.run(['./t_bindings', '-s', server, 'a', 'x'],
+ expected_code=1, expected_msg='Incorrect channel bindings')
+
+client_aware_conf = {'libdefaults': {'client_aware_channel_bindings': 'true'}}
+e = realm.special_env('cb_aware', False, krb5_conf=client_aware_conf)
+
+mark('krb5 client_aware_channel_bindings')
+realm.run(['./t_bindings', server, '-', '-'], env=e, expected_msg='no')
+realm.run(['./t_bindings', server, 'a', '-'], env=e, expected_msg='no')
+realm.run(['./t_bindings', server, 'a', 'a'], env=e, expected_msg='yes')
+realm.run(['./t_bindings', server, '-', 'a'], env=e,
+ expected_code=1, expected_msg='Incorrect channel bindings')
+realm.run(['./t_bindings', server, 'a', 'x'], env=e,
+ expected_code=1, expected_msg='Incorrect channel bindings')
+
+mark('SPNEGO client_aware_channel_bindings')
+realm.run(['./t_bindings', '-s', server, '-', '-'], env=e, expected_msg='no')
+realm.run(['./t_bindings', '-s', server, 'a', '-'], env=e, expected_msg='no')
+realm.run(['./t_bindings', '-s', server, 'a', 'a'], env=e, expected_msg='yes')
+realm.run(['./t_bindings', '-s', server, '-', 'a'], env=e,
+ expected_code=1, expected_msg='Incorrect channel bindings')
+realm.run(['./t_bindings', '-s', server, 'a', 'x'], env=e,
+ expected_code=1, expected_msg='Incorrect channel bindings')
+
+success('channel bindings tests')
diff --git a/src/tests/gssapi/t_negoex.py b/src/tests/gssapi/t_negoex.py
index 88470d2fa..a218899c4 100644
--- a/src/tests/gssapi/t_negoex.py
+++ b/src/tests/gssapi/t_negoex.py
@@ -139,4 +139,11 @@ msgs = ('sending [3]AP_REQUEST', 'sending [7]CHALLENGE', 'sending [8]VERIFY',
'sending [11]CHALLENGE', 'sending [12]VERIFY', 'sending [13]VERIFY')
test({'HOPS': '4', 'KEY': 'accept-always'}, expected_trace=())
+mark('channel bindings')
+e = realm.env.copy()
+e.update({'HOPS': '1', 'GSS_INIT_BINDING': 'a', 'GSS_ACCEPT_BINDING': 'b'})
+# The test mech will verify that the bindings are communicated to the
+# mech, but does not set the channel-bound flag.
+realm.run(['./t_bindings', '-s', 'h:host', 'a', 'b'], env=e, expected_msg='no')
+
success('NegoEx tests')

265
SOURCES/Add-client_aware_channel_bindings-option.patch Normal file
View File

@ -0,0 +1,265 @@
From fe50c57f6428d7512868663bd226bdc9007148a9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 10 Mar 2020 13:13:17 +0100
Subject: [PATCH] Add client_aware_channel_bindings option
Add client support for KERB_AP_OPTIONS_CBT in the form of a profile
option "client_aware_gss_bindings". Adjust the make_etype_list()
helper so that enctype negotiation and AP_OPTIONS can be included in
the same IF-RELEVANT wrapper.
[ghudson@mit.edu: refactored; edited documentation; wrote commit
message]
ticket: 8900
(cherry picked from commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81)
(cherry picked from commit 2a08fe3d2d1972df4ffe37d4bb64b161889ff988)
---
doc/admin/conf_files/krb5_conf.rst | 6 +
src/include/k5-int.h | 1 +
src/lib/krb5/krb/mk_req_ext.c | 177 +++++++++++++++--------------
3 files changed, 98 insertions(+), 86 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 1d2aa7f68..1d8ffc1e4 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -383,6 +383,12 @@ The libdefaults section may contain any of the following relations:
credentials will fail if the client machine does not have a
keytab. The default value is false.
+**client_aware_channel_bindings**
+ If this flag is true, then all application protocol authentication
+ requests will be flagged to indicate that the application supports
+ channel bindings when operating over a secure channel. The
+ default value is false.
+
.. _realms:
[realms]
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0d9af3d95..eb18a4cd6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -299,6 +299,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
+#define KRB5_CONF_CLIENT_AWARE_GSS_BINDINGS "client_aware_channel_bindings"
/* Cache configuration variables */
#define KRB5_CC_CONF_FAST_AVAIL "fast_avail"
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 9fc6a0e52..08504860c 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -68,10 +68,9 @@
*/
static krb5_error_code
-make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata);
+make_ap_authdata(krb5_context context, krb5_enctype *desired_enctypes,
+ krb5_enctype tkt_enctype, krb5_boolean client_aware_cb,
+ krb5_authdata ***authdata_out);
static krb5_error_code
generate_authenticator(krb5_context,
@@ -263,7 +262,8 @@ generate_authenticator(krb5_context context, krb5_authenticator *authent,
krb5_enctype tkt_enctype)
{
krb5_error_code retval;
- krb5_authdata **ext_authdata = NULL;
+ krb5_authdata **ext_authdata = NULL, **ap_authdata, **combined;
+ int client_aware_cb;
authent->client = client;
authent->checksum = cksum;
@@ -297,99 +297,104 @@ generate_authenticator(krb5_context context, krb5_authenticator *authent,
krb5_free_authdata(context, ext_authdata);
}
- /* Only send EtypeList if we prefer another enctype to tkt_enctype */
- if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
- TRACE_MK_REQ_ETYPES(context, desired_etypes);
- retval = make_etype_list(context, desired_etypes, tkt_enctype,
- &authent->authorization_data);
+ retval = profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_CLIENT_AWARE_GSS_BINDINGS, NULL,
+ FALSE, &client_aware_cb);
+ if (retval)
+ return retval;
+
+ /* Add etype negotiation or channel-binding awareness authdata to the
+ * front, if appropriate. */
+ retval = make_ap_authdata(context, desired_etypes, tkt_enctype,
+ client_aware_cb, &ap_authdata);
+ if (retval)
+ return retval;
+ if (ap_authdata != NULL) {
+ retval = krb5_merge_authdata(context, ap_authdata,
+ authent->authorization_data, &combined);
+ krb5_free_authdata(context, ap_authdata);
if (retval)
return retval;
+ krb5_free_authdata(context, authent->authorization_data);
+ authent->authorization_data = combined;
}
return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
}
-/* RFC 4537 */
+/* Set *out to a DER-encoded RFC 4537 etype list, or to NULL if no etype list
+ * should be sent. */
static krb5_error_code
-make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata)
+make_etype_list(krb5_context context, krb5_enctype *desired_enctypes,
+ krb5_enctype tkt_enctype, krb5_data **out)
{
- krb5_error_code code;
- krb5_etype_list etypes;
- krb5_data *enc_etype_list;
- krb5_data *ad_if_relevant;
- krb5_authdata *etype_adata[2], etype_adatum, **adata;
- int i;
+ krb5_etype_list etlist;
+ int count;
- etypes.etypes = desired_etypes;
+ *out = NULL;
- for (etypes.length = 0;
- etypes.etypes[etypes.length] != ENCTYPE_NULL;
- etypes.length++)
- {
- /*
- * RFC 4537:
- *
- * If the enctype of the ticket session key is included in the enctype
- * list sent by the client, it SHOULD be the last on the list;
- */
- if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
+ /* Only send a list if we prefer another enctype to tkt_enctype. */
+ if (desired_enctypes == NULL || desired_enctypes[0] == tkt_enctype)
+ return 0;
+
+ /* Count elements of desired_etypes, stopping at tkt_enctypes if present.
+ * (Per RFC 4537, it must be the last option if it is included.) */
+ for (count = 0; desired_enctypes[count] != ENCTYPE_NULL; count++) {
+ if (count > 0 && desired_enctypes[count - 1] == tkt_enctype)
break;
}
- code = encode_krb5_etype_list(&etypes, &enc_etype_list);
- if (code) {
- return code;
- }
-
- etype_adatum.magic = KV5M_AUTHDATA;
- etype_adatum.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION;
- etype_adatum.length = enc_etype_list->length;
- etype_adatum.contents = (krb5_octet *)enc_etype_list->data;
-
- etype_adata[0] = &etype_adatum;
- etype_adata[1] = NULL;
-
- /* Wrap in AD-IF-RELEVANT container */
- code = encode_krb5_authdata(etype_adata, &ad_if_relevant);
- if (code) {
- krb5_free_data(context, enc_etype_list);
- return code;
- }
-
- krb5_free_data(context, enc_etype_list);
-
- adata = *authdata;
- if (adata == NULL) {
- adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
- i = 0;
- } else {
- for (i = 0; adata[i] != NULL; i++)
- ;
-
- adata = (krb5_authdata **)realloc(*authdata,
- (i + 2) * sizeof(krb5_authdata *));
- }
- if (adata == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
- }
- *authdata = adata;
-
- adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata));
- if (adata[i] == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
- }
- adata[i]->magic = KV5M_AUTHDATA;
- adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
- adata[i]->length = ad_if_relevant->length;
- adata[i]->contents = (krb5_octet *)ad_if_relevant->data;
- free(ad_if_relevant); /* contents owned by adata[i] */
-
- adata[i + 1] = NULL;
-
- return 0;
+ etlist.etypes = desired_enctypes;
+ etlist.length = count;
+ return encode_krb5_etype_list(&etlist, out);
+}
+
+/* Set *authdata_out to appropriate authenticator authdata for the request,
+ * encoded in a single AD_IF_RELEVANT element. */
+static krb5_error_code
+make_ap_authdata(krb5_context context, krb5_enctype *desired_enctypes,
+ krb5_enctype tkt_enctype, krb5_boolean client_aware_cb,
+ krb5_authdata ***authdata_out)
+{
+ krb5_error_code ret;
+ krb5_authdata etypes_ad, flags_ad, *list[3];
+ krb5_data *der_etypes = NULL;
+ size_t count = 0;
+ uint8_t flagbuf[4];
+ const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+
+ *authdata_out = NULL;
+
+ /* Include an ETYPE_NEGOTIATION element if appropriate. */
+ ret = make_etype_list(context, desired_enctypes, tkt_enctype, &der_etypes);
+ if (ret)
+ goto cleanup;
+ if (der_etypes != NULL) {
+ etypes_ad.magic = KV5M_AUTHDATA;
+ etypes_ad.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION;
+ etypes_ad.length = der_etypes->length;
+ etypes_ad.contents = (uint8_t *)der_etypes->data;
+ list[count++] = &etypes_ad;
+ }
+
+ /* Include an AP_OPTIONS element if the CBT flag is configured. */
+ if (client_aware_cb != 0) {
+ store_32_le(KERB_AP_OPTIONS_CBT, flagbuf);
+ flags_ad.magic = KV5M_AUTHDATA;
+ flags_ad.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
+ flags_ad.length = 4;
+ flags_ad.contents = flagbuf;
+ list[count++] = &flags_ad;
+ }
+
+ if (count > 0) {
+ list[count] = NULL;
+ ret = krb5_encode_authdata_container(context,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ list, authdata_out);
+ }
+
+cleanup:
+ krb5_free_data(context, der_etypes);
+ return ret;
}

54
SOURCES/Add-finalization-safety-check-to-com_err.patch Normal file
View File

@ -0,0 +1,54 @@
From 2ea85d8228663c9592705a13edecbd4d3c70aac1 Mon Sep 17 00:00:00 2001
From: Jiri Sasek <Jiri.Sasek@Oracle.COM>
Date: Fri, 13 Mar 2020 19:02:58 +0100
Subject: [PATCH] Add finalization safety check to com_err
If the linker erroneously runs the libkrb5 finalizer after the
libcom_err finalizer, the consequent remove_error_table() calls could
crash due to accessing a destroyed mutex or an invalid et_list
pointer. Add an unsynchronized check on finalized in
remove_error_table(), and set et_list to null in com_err_terminate()
after destroying the list.
[ghudson@mit.edu: minimized code hanges; rewrote comment and commit
message]
ticket: 8890 (new)
(cherry picked from commit 9d654aa05e26bbf22f140abde3436afeff2fdf8d)
(cherry picked from commit c7a37d3e87132864ebc44710baf1d50a69682b5c)
---
src/util/et/error_message.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c
index d7069a9df..7dc02a34e 100644
--- a/src/util/et/error_message.c
+++ b/src/util/et/error_message.c
@@ -26,7 +26,7 @@
static struct et_list *et_list;
static k5_mutex_t et_list_lock = K5_MUTEX_PARTIAL_INITIALIZER;
-static int terminated = 0; /* for debugging shlib fini sequence errors */
+static int terminated = 0; /* for safety and finalization debugging */
MAKE_INIT_FUNCTION(com_err_initialize);
MAKE_FINI_FUNCTION(com_err_terminate);
@@ -69,6 +69,7 @@ void com_err_terminate(void)
enext = e->next;
free(e);
}
+ et_list = NULL;
k5_mutex_unlock(&et_list_lock);
k5_mutex_destroy(&et_list_lock);
terminated = 1;
@@ -280,6 +281,10 @@ remove_error_table(const struct error_table *et)
{
struct et_list **ep, *e;
+ /* Safety check in case libraries are finalized in the wrong order. */
+ if (terminated)
+ return ENOENT;
+
if (CALL_INIT_FUNCTION(com_err_initialize))
return 0;
k5_mutex_lock(&et_list_lock);

183
SOURCES/Add-function-and-enctype-flag-for-deprecations.patch
View File

@ -1,183 +0,0 @@
From ba1fd0a44c74089d42af244ff2b315baf506fd2f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 16:16:57 -0500
Subject: [PATCH] Add function and enctype flag for deprecations
krb5int_c_deprecated_enctype() checks for the ETYPE_DEPRECATED flag on
enctypes. All ENCTYPE_WEAK enctypes are currently deprecated; not all
deprecated enctypes are considered weak. Deprecations follow RFC 6649
and RFC 8429.
(cherry picked from commit 484a6e7712f9b66e782b2520f07b0883889e116f)
---
src/include/k5-int.h | 1 +
src/lib/crypto/krb/crypto_int.h | 9 ++++++++-
src/lib/crypto/krb/enctype_util.c | 7 +++++++
src/lib/crypto/krb/etypes.c | 19 ++++++++++---------
src/lib/crypto/libk5crypto.exports | 1 +
src/lib/krb5_32.def | 3 +++
6 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 8f9329c59..255cee822 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2077,6 +2077,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
+krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype);
krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index e5099291e..6c1c77cac 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -114,7 +114,14 @@ struct krb5_keytypes {
unsigned int ssf;
};
-#define ETYPE_WEAK 1
+/*
+ * "Weak" means the enctype is believed to be vulnerable to practical attacks,
+ * and will be disabled unless allow_weak_crypto is set to true. "Deprecated"
+ * means the enctype has been deprecated by the IETF, and affects display and
+ * logging.
+ */
+#define ETYPE_WEAK (1 << 0)
+#define ETYPE_DEPRECATED (1 << 1)
extern const struct krb5_keytypes krb5int_enctypes_list[];
extern const int krb5int_enctypes_length;
diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
index b1b40e7ec..e394f4e19 100644
--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
@@ -51,6 +51,13 @@ krb5int_c_weak_enctype(krb5_enctype etype)
return (ktp != NULL && (ktp->flags & ETYPE_WEAK) != 0);
}
+krb5_boolean KRB5_CALLCONV
+krb5int_c_deprecated_enctype(krb5_enctype etype)
+{
+ const struct krb5_keytypes *ktp = find_enctype(etype);
+ return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
krb5_boolean *similar)
diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
index 53d4a5c79..8f44c37e7 100644
--- a/src/lib/crypto/krb/etypes.c
+++ b/src/lib/crypto/krb/etypes.c
@@ -33,6 +33,7 @@
that the keytypes are all near each other. I'd rather not make
that assumption. */
+/* Deprecations come from RFC 6649 and RFC 8249. */
const struct krb5_keytypes krb5int_enctypes_list[] = {
{ ENCTYPE_DES_CBC_CRC,
"des-cbc-crc", { 0 }, "DES cbc mode with CRC-32",
@@ -42,7 +43,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
@@ -51,7 +52,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD4_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
@@ -60,7 +61,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5_DES,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", { 0 }, "DES cbc mode raw",
&krb5int_enc_des, NULL,
@@ -69,7 +70,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_des_string_to_key, k5_rand2key_des,
krb5int_des_prf,
0,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
@@ -78,7 +79,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des3,
NULL, /*PRF*/
0,
- ETYPE_WEAK, 112 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 112 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
@@ -89,7 +90,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des3,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_DES3,
- 0 /*flags*/, 112 },
+ ETYPE_DEPRECATED, 112 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
@@ -99,7 +100,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_string_to_key, k5_rand2key_des,
NULL, /*PRF*/
0,
- ETYPE_WEAK, 56 },
+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
/* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
* consider its strength degraded and assign it an SSF value of 64. */
@@ -113,7 +114,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
k5_rand2key_direct, krb5int_arcfour_prf,
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- 0 /*flags*/, 64 },
+ ETYPE_DEPRECATED, 64 },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
"Exportable ArcFour with HMAC/md5",
@@ -124,7 +125,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
k5_rand2key_direct, krb5int_arcfour_prf,
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- ETYPE_WEAK, 40
+ ETYPE_WEAK | ETYPE_DEPRECATED, 40
},
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 82eb5f30c..90afdf5f7 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -109,3 +109,4 @@ k5_allow_weak_pbkdf2iter
krb5_c_prfplus
krb5_c_derive_prfplus
k5_enctype_to_ssf
+krb5int_c_deprecated_enctype
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index c35022931..e6a487593 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -487,3 +487,6 @@ EXPORTS
encode_krb5_pa_spake @444 ; PRIVATE
decode_krb5_pa_spake @445 ; PRIVATE
k5_free_pa_spake @446 ; PRIVATE
+
+; new in 1.18
+ krb5int_c_deprecated_enctype @450 ; PRIVATE

2072
SOURCES/Add-soft-pkcs11-source-code.patch
View File

File diff suppressed because it is too large Load Diff

295
SOURCES/Add-tests-for-KCM-ccache-type.patch
View File

@ -1,295 +0,0 @@
From 7ab0bbac058d2b82aa3432759c600b22012f8afe Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Nov 2018 00:27:35 -0500
Subject: [PATCH] Add tests for KCM ccache type
Using a trivial Python implementation of a KCM server, run the
t_ccache.py tests against the KCM ccache type.
(cherry picked from commit f0bcb86131e385b2603ccf0f3c7d65aa3891b220)
(cherry picked from commit 5ecbe8d3ab4f53c0923a0442273bf18a9ff04fd5)
---
src/tests/kcmserver.py | 246 +++++++++++++++++++++++++++++++++++++++++
src/tests/t_ccache.py | 9 +-
2 files changed, 254 insertions(+), 1 deletion(-)
create mode 100644 src/tests/kcmserver.py
diff --git a/src/tests/kcmserver.py b/src/tests/kcmserver.py
new file mode 100644
index 000000000..57432e5a7
--- /dev/null
+++ b/src/tests/kcmserver.py
@@ -0,0 +1,246 @@
+# This is a simple KCM test server, used to exercise the KCM ccache
+# client code. It will generally throw an uncaught exception if the
+# client sends anything unexpected, so is unsuitable for production.
+# (It also imposes no namespace or access constraints, and blocks
+# while reading requests and writing responses.)
+
+# This code knows nothing about how to marshal and unmarshal principal
+# names and credentials as is required in the KCM protocol; instead,
+# it just remembers the marshalled forms and replays them to the
+# client when asked. This works because marshalled creds and
+# principal names are always the last part of marshalled request
+# arguments, and because we don't need to implement remove_cred (which
+# would need to know how to match a cred tag against previously stored
+# credentials).
+
+# The following code is useful for debugging if anything appears to be
+# going wrong in the server, since daemon output is generally not
+# visible in Python test scripts.
+#
+# import sys, traceback
+# def ehook(etype, value, tb):
+# with open('/tmp/exception', 'w') as f:
+# traceback.print_exception(etype, value, tb, file=f)
+# sys.excepthook = ehook
+
+import select
+import socket
+import struct
+import sys
+
+caches = {}
+cache_uuidmap = {}
+defname = b'default'
+next_unique = 1
+next_uuid = 1
+
+class KCMOpcodes(object):
+ GEN_NEW = 3
+ INITIALIZE = 4
+ DESTROY = 5
+ STORE = 6
+ GET_PRINCIPAL = 8
+ GET_CRED_UUID_LIST = 9
+ GET_CRED_BY_UUID = 10
+ REMOVE_CRED = 11
+ GET_CACHE_UUID_LIST = 18
+ GET_CACHE_BY_UUID = 19
+ GET_DEFAULT_CACHE = 20
+ SET_DEFAULT_CACHE = 21
+ GET_KDC_OFFSET = 22
+ SET_KDC_OFFSET = 23
+
+
+class KRB5Errors(object):
+ KRB5_CC_END = -1765328242
+ KRB5_CC_NOSUPP = -1765328137
+ KRB5_FCC_NOFILE = -1765328189
+
+
+def make_uuid():
+ global next_uuid
+ uuid = bytes(12) + struct.pack('>L', next_uuid)
+ next_uuid = next_uuid + 1
+ return uuid
+
+
+class Cache(object):
+ def __init__(self, name):
+ self.name = name
+ self.princ = None
+ self.uuid = make_uuid()
+ self.cred_uuids = []
+ self.creds = {}
+ self.time_offset = 0
+
+
+def get_cache(name):
+ if name in caches:
+ return caches[name]
+ cache = Cache(name)
+ caches[name] = cache
+ cache_uuidmap[cache.uuid] = cache
+ return cache
+
+
+def unmarshal_name(argbytes):
+ offset = argbytes.find(b'\0')
+ return argbytes[0:offset], argbytes[offset+1:]
+
+
+def op_gen_new(argbytes):
+ # Does not actually check for uniqueness.
+ global next_unique
+ name = b'unique' + str(next_unique).encode('ascii')
+ next_unique += 1
+ return 0, name + b'\0'
+
+
+def op_initialize(argbytes):
+ name, princ = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ cache.princ = princ
+ cache.cred_uuids = []
+ cache.creds = {}
+ cache.time_offset = 0
+ return 0, b''
+
+
+def op_destroy(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ del cache_uuidmap[cache.uuid]
+ del caches[name]
+ return 0, b''
+
+
+def op_store(argbytes):
+ name, cred = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ uuid = make_uuid()
+ cache.creds[uuid] = cred
+ cache.cred_uuids.append(uuid)
+ return 0, b''
+
+
+def op_get_principal(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ if cache.princ is None:
+ return KRB5Errors.KRB5_FCC_NOFILE, b''
+ return 0, cache.princ + b'\0'
+
+
+def op_get_cred_uuid_list(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ return 0, b''.join(cache.cred_uuids)
+
+
+def op_get_cred_by_uuid(argbytes):
+ name, uuid = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ if uuid not in cache.creds:
+ return KRB5Errors.KRB5_CC_END, b''
+ return 0, cache.creds[uuid]
+
+
+def op_remove_cred(argbytes):
+ return KRB5Errors.KRB5_CC_NOSUPP, b''
+
+
+def op_get_cache_uuid_list(argbytes):
+ return 0, b''.join(cache_uuidmap.keys())
+
+
+def op_get_cache_by_uuid(argbytes):
+ uuid = argbytes
+ if uuid not in cache_uuidmap:
+ return KRB5Errors.KRB5_CC_END, b''
+ return 0, cache_uuidmap[uuid].name + b'\0'
+
+
+def op_get_default_cache(argbytes):
+ return 0, defname + b'\0'
+
+
+def op_set_default_cache(argbytes):
+ global defname
+ defname, rest = unmarshal_name(argbytes)
+ return 0, b''
+
+
+def op_get_kdc_offset(argbytes):
+ name, rest = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ return 0, struct.pack('>l', cache.time_offset)
+
+
+def op_set_kdc_offset(argbytes):
+ name, obytes = unmarshal_name(argbytes)
+ cache = get_cache(name)
+ cache.time_offset, = struct.unpack('>l', obytes)
+ return 0, b''
+
+
+ophandlers = {
+ KCMOpcodes.GEN_NEW : op_gen_new,
+ KCMOpcodes.INITIALIZE : op_initialize,
+ KCMOpcodes.DESTROY : op_destroy,
+ KCMOpcodes.STORE : op_store,
+ KCMOpcodes.GET_PRINCIPAL : op_get_principal,
+ KCMOpcodes.GET_CRED_UUID_LIST : op_get_cred_uuid_list,
+ KCMOpcodes.GET_CRED_BY_UUID : op_get_cred_by_uuid,
+ KCMOpcodes.REMOVE_CRED : op_remove_cred,
+ KCMOpcodes.GET_CACHE_UUID_LIST : op_get_cache_uuid_list,
+ KCMOpcodes.GET_CACHE_BY_UUID : op_get_cache_by_uuid,
+ KCMOpcodes.GET_DEFAULT_CACHE : op_get_default_cache,
+ KCMOpcodes.SET_DEFAULT_CACHE : op_set_default_cache,
+ KCMOpcodes.GET_KDC_OFFSET : op_get_kdc_offset,
+ KCMOpcodes.SET_KDC_OFFSET : op_set_kdc_offset
+}
+
+# Read and respond to a request from the socket s.
+def service_request(s):
+ lenbytes = b''
+ while len(lenbytes) < 4:
+ lenbytes += s.recv(4 - len(lenbytes))
+ if lenbytes == b'':
+ return False
+
+ reqlen, = struct.unpack('>L', lenbytes)
+ req = b''
+ while len(req) < reqlen:
+ req += s.recv(reqlen - len(req))
+
+ majver, minver, op = struct.unpack('>BBH', req[:4])
+ argbytes = req[4:]
+ code, payload = ophandlers[op](argbytes)
+
+ # The KCM response is the code (4 bytes) and the response payload.
+ # The Heimdal IPC response is the length of the KCM response (4
+ # bytes), a status code which is essentially always 0 (4 bytes),
+ # and the KCM response.
+ kcm_response = struct.pack('>l', code) + payload
+ hipc_response = struct.pack('>LL', len(kcm_response), 0) + kcm_response
+ s.sendall(hipc_response)
+ return True
+
+
+server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+server.bind(sys.argv[1])
+server.listen(5)
+select_input = [server,]
+sys.stderr.write('starting...\n')
+sys.stderr.flush()
+
+while True:
+ iready, oready, xready = select.select(select_input, [], [])
+ for s in iready:
+ if s == server:
+ client, addr = server.accept()
+ select_input.append(client)
+ else:
+ if not service_request(s):
+ select_input.remove(s)
+ s.close()
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index fcf1a611e..66804afa5 100755
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -22,7 +22,10 @@
from k5test import *
-realm = K5Realm(create_host=False)
+kcm_socket_path = os.path.join(os.getcwd(), 'testdir', 'kcm')
+conf = {'libdefaults': {'kcm_socket': kcm_socket_path,
+ 'kcm_mach_service': '-'}}
+realm = K5Realm(create_host=False, krb5_conf=conf)
keyctl = which('keyctl')
out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
@@ -122,6 +125,10 @@ def collection_test(realm, ccname):
collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
+kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')
+realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],
+ 'starting...')
+collection_test(realm, 'KCM:')
if test_keyring:
def cleanup_keyring(anchor, name):
out = realm.run(['keyctl', 'list', anchor])

95
SOURCES/Address-some-optimized-out-memset-calls.patch
View File

@ -1,95 +0,0 @@
From 722247aa6201d18a7ee69c4a9a05315226fe6383 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 30 Dec 2018 16:40:28 -0500
Subject: [PATCH] Address some optimized-out memset() calls
Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out. In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear. In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure. In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.
(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)
(cherry picked from commit 1dfff7202448a950c9133cdfe43d650092d930fd)
---
src/clients/ksu/krb_auth_su.c | 4 +---
src/lib/gssapi/krb5/iakerb.c | 1 -
src/lib/kadm5/srv/svr_principal.c | 10 ++--------
src/lib/krb5/asn.1/asn1_k_encode.c | 1 -
4 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index 7af48195c..e39685fff 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
if (code ) {
com_err(prog_name, code, _("while reading password for '%s'\n"),
client_name);
- memset(password, 0, sizeof(password));
return (FALSE);
}
if ( pwsize == 0) {
fprintf(stderr, _("No password given\n"));
*zero_password = TRUE;
- memset(password, 0, sizeof(password));
return (FALSE);
}
code = krb5_get_init_creds_password(context, &creds, client, password,
krb5_prompter_posix, NULL, 0, NULL,
options);
- memset(password, 0, sizeof(password));
+ zap(password, sizeof(password));
if (code) {
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index bb1072fe4..47c161ec9 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,
/*
* Assemble the IAKERB-HEADER from the realm and cookie
*/
- memset(&iah, 0, sizeof(iah));
iah.target_realm = *realm;
iah.cookie = cookie;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 21c53ece1..9ab2c5a74 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
NULL);
if (ret) {
- for (; i >= 0; i--) {
- if (keys[i].contents) {
- memset (keys[i].contents, 0, keys[i].length);
- free( keys[i].contents );
- }
- }
-
- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+ for (; i >= 0; i--)
+ krb5_free_keyblock_contents(context, &keys[i]);
free(keys);
return ret;
}
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 65c84be2f..81a34bac9 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
if (ret) {
free_kdc_req_body(b);
free(h.server_realm.data);
- memset(&h, 0, sizeof(h));
return ret;
}
b->server->realm = h.server_realm;

242
SOURCES/Allow-certauth-modules-to-set-hw-authent-flag.patch Normal file
View File

@ -0,0 +1,242 @@
From b4dba5a4c16b2585c38445e3067b5e3399f38a10 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Feb 2020 15:58:59 -0500
Subject: [PATCH] Allow certauth modules to set hw-authent flag
In PKINIT, if a certauth module returns KRB5_CERTAUTH_HWAUTH from its
authorize method, set the hw-authent flag in the ticket.
ticket: 8879 (new)
(cherry picked from commit 50fb43b4a2d97ce2cd53e1ced30e8e8224fede70)
(cherry picked from commit d23b2ed4f06fa77cd021814834dd1391ef6f452f)
---
doc/plugindev/certauth.rst | 7 +++++--
src/include/krb5/certauth_plugin.h | 9 ++++++---
src/lib/krb5/error_tables/k5e1_err.et | 1 +
src/plugins/certauth/test/Makefile.in | 4 ++--
src/plugins/certauth/test/main.c | 11 +++++++++--
src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++++++++++++++--------
src/tests/t_certauth.py | 13 +++++++++++++
7 files changed, 52 insertions(+), 17 deletions(-)
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
index 8a7f7c5eb..3b715f738 100644
--- a/doc/plugindev/certauth.rst
+++ b/doc/plugindev/certauth.rst
@@ -15,8 +15,11 @@ principal. **authorize** receives the DER-encoded certificate, the
requested client principal, and a pointer to the client's
krb5_db_entry (for modules that link against libkdb5). It returns the
authorization status and optionally outputs a list of authentication
-indicator strings to be added to the ticket. A module must use its
-own internal or library-provided ASN.1 certificate decoder.
+indicator strings to be added to the ticket. Beginning in release
+1.19, the authorize method can request that the hardware
+authentication bit be set in the ticket by returning
+**KRB5_CERTAUTH_HWAUTH**. A module must use its own internal or
+library-provided ASN.1 certificate decoder.
A module can optionally create and destroy module data with the
**init** and **fini** methods. Module data objects last for the
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
index 3074790f8..3466cf345 100644
--- a/src/include/krb5/certauth_plugin.h
+++ b/src/include/krb5/certauth_plugin.h
@@ -85,14 +85,17 @@ typedef void
(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);
/*
- * Mandatory:
- * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by
- * princ; otherwise return one of the following error codes:
+ * Mandatory: return 0 or KRB5_CERTAUTH_HWAUTH if the DER-encoded cert is
+ * authorized for PKINIT authentication by princ; otherwise return one of the
+ * following error codes:
* - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
* - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
* - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
* - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
*
+ * Returning KRB5_CERTAUTH_HWAUTH will cause the hw-authent flag to be set in
+ * the issued ticket (new in release 1.19).
+ *
* - opts is used by built-in modules to receive internal data, and must be
* ignored by other modules.
* - db_entry receives the client principal database entry, and can be ignored
diff --git a/src/lib/krb5/error_tables/k5e1_err.et b/src/lib/krb5/error_tables/k5e1_err.et
index ade5caecf..abd9f3bfe 100644
--- a/src/lib/krb5/error_tables/k5e1_err.et
+++ b/src/lib/krb5/error_tables/k5e1_err.et
@@ -42,4 +42,5 @@ error_code KRB5_KCM_MALFORMED_REPLY, "Malformed reply from KCM daemon"
error_code KRB5_KCM_RPC_ERROR, "Mach RPC error communicating with KCM daemon"
error_code KRB5_KCM_REPLY_TOO_BIG, "KCM daemon reply too big"
error_code KRB5_KCM_NO_SERVER, "No KCM server found"
+error_code KRB5_CERTAUTH_HWAUTH, "Authorize and set hw-authent ticket flag"
end
diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in
index d3524084c..e94c13845 100644
--- a/src/plugins/certauth/test/Makefile.in
+++ b/src/plugins/certauth/test/Makefile.in
@@ -5,8 +5,8 @@ LIBBASE=certauth_test
LIBMAJOR=0
LIBMINOR=0
RELDIR=../plugins/certauth/test
-SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
-SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
+SHLIB_EXPDEPS=$(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+SHLIB_EXPLIBS=$(KDB5_LIBS) $(KRB5_BASE_LIBS)
STLIBOBJS=main.o
diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
index 77641230c..d4633b8cd 100644
--- a/src/plugins/certauth/test/main.c
+++ b/src/plugins/certauth/test/main.c
@@ -31,6 +31,7 @@
*/
#include <k5-int.h>
+#include <kdb.h>
#include "krb5/certauth_plugin.h"
struct krb5_certauth_moddata_st {
@@ -131,7 +132,8 @@ has_cn(krb5_context context, const uint8_t *cert, size_t cert_len,
/*
* Test module 2 returns OK if princ matches the CN part of the subject name,
- * and returns indicators of the module name and princ.
+ * and returns indicators of the module name and princ. If the "hwauth" string
+ * attribute is set on db_entry, it returns KRB5_CERTAUTH_HWAUTH.
*/
static krb5_error_code
test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
@@ -141,7 +143,7 @@ test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
char ***authinds_out)
{
krb5_error_code ret;
- char *name = NULL, **ais = NULL;
+ char *name = NULL, *strval = NULL, **ais = NULL;
*authinds_out = NULL;
@@ -167,6 +169,11 @@ test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
ais = NULL;
+ ret = krb5_dbe_get_string(context, (krb5_db_entry *)db_entry, "hwauth",
+ &strval);
+ ret = (strval != NULL) ? KRB5_CERTAUTH_HWAUTH : 0;
+ krb5_dbe_free_string(context, strval);
+
cleanup:
krb5_free_unparsed_name(context, name);
return ret;
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index feca11806..3ae56c064 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -320,12 +320,12 @@ static krb5_error_code
authorize_cert(krb5_context context, certauth_handle *certauth_modules,
pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
- krb5_principal client)
+ krb5_principal client, krb5_boolean *hwauth_out)
{
krb5_error_code ret;
certauth_handle h;
struct certauth_req_opts opts;
- krb5_boolean accepted = FALSE;
+ krb5_boolean accepted = FALSE, hwauth = FALSE;
uint8_t *cert;
size_t i, cert_len;
void *db_ent = NULL;
@@ -347,9 +347,10 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
/*
* Check the certificate against each certauth module. For the certificate
- * to be authorized at least one module must return 0, and no module can an
- * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
- * modules that return 0 or pass.
+ * to be authorized at least one module must return 0 or
+ * KRB5_CERTAUTH_HWAUTH, and no module can return an error code other than
+ * KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from modules that return 0
+ * or pass.
*/
ret = KRB5_PLUGIN_NO_HANDLE;
for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
@@ -359,6 +360,8 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
&opts, db_ent, &ais);
if (ret == 0)
accepted = TRUE;
+ else if (ret == KRB5_CERTAUTH_HWAUTH)
+ accepted = hwauth = TRUE;
else if (ret != KRB5_PLUGIN_NO_HANDLE)
goto cleanup;
@@ -374,6 +377,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
}
}
+ *hwauth_out = hwauth;
ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
cleanup:
@@ -430,7 +434,7 @@ pkinit_server_verify_padata(krb5_context context,
int is_signed = 1;
krb5_pa_data **e_data = NULL;
krb5_kdcpreauth_modreq modreq = NULL;
- krb5_boolean valid_freshness_token = FALSE;
+ krb5_boolean valid_freshness_token = FALSE, hwauth = FALSE;
char **sp;
pkiDebug("pkinit_verify_padata: entered!\n");
@@ -494,7 +498,7 @@ pkinit_server_verify_padata(krb5_context context,
}
if (is_signed) {
retval = authorize_cert(context, moddata->certauth_modules, plgctx,
- reqctx, cb, rock, request->client);
+ reqctx, cb, rock, request->client, &hwauth);
if (retval)
goto cleanup;
@@ -613,6 +617,8 @@ pkinit_server_verify_padata(krb5_context context,
/* remember to set the PREAUTH flag in the reply */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+ if (hwauth)
+ enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
modreq = (krb5_kdcpreauth_modreq)reqctx;
reqctx = NULL;
@@ -1044,7 +1050,9 @@ pkinit_server_get_flags(krb5_context kcontext, krb5_preauthtype patype)
{
if (patype == KRB5_PADATA_PKINIT_KX)
return PA_INFO;
- return PA_SUFFICIENT | PA_REPLACES_KEY | PA_TYPED_E_DATA;
+ /* PKINIT does not normally set the hw-authent ticket flag, but a
+ * certauth module can cause it to do so. */
+ return PA_SUFFICIENT | PA_REPLACES_KEY | PA_TYPED_E_DATA | PA_HARDWARE;
}
static krb5_preauthtype supported_server_pa_types[] = {
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
index 9c7094525..0fe0fdb4a 100644
--- a/src/tests/t_certauth.py
+++ b/src/tests/t_certauth.py
@@ -43,4 +43,17 @@ out = realm.kinit("user2@KRBTEST.COM",
expected_code=1,
expected_msg='kinit: Certificate mismatch')
+# Test the KRB5_CERTAUTH_HWAUTH return code.
+mark('hw-authent flag tests')
+# First test +requires_hwauth without causing the hw-authent ticket
+# flag to be set. This currently results in a preauth loop.
+realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % file_identity],
+ expected_code=1, expected_msg='Looping detected')
+# Cause the test2 module to return KRB5_CERTAUTH_HWAUTH and try again.
+realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'x'])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % file_identity])
+
success("certauth tests")

63
SOURCES/Avoid-alignment-warnings-in-openssl-rc4.c.patch
View File

@ -1,63 +0,0 @@
From e22f3e2439903aa05321ca339be6a12067b2c4db Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 15:14:49 -0400
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
Add a comment to k5_arcfour_init_state() explaining how we stretch the
krb5_data cipher state contract. Use void * casts when interpreting
the data pointer to avoid alignment warnings.
[ghudson@mit.edu: moved and expanded comment; rewrote commit message]
(cherry picked from commit 1cd41d76c12fc1cea0a8bf0d6a40f34623c60d6d)
---
src/lib/crypto/openssl/enc_provider/rc4.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index 7f3c086ed..a65d57b7a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -57,7 +57,7 @@ struct arcfour_state {
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
size_t num_data)
{
size_t i;
@@ -66,7 +66,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
- arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL;
+ arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
if (arcstate->loopback != arcstate)
@@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (struct arcfour_state *) state->data;
+ struct arcfour_state *arcstate = (void *)state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +125,15 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ /*
+ * The cipher state here is a saved pointer to a struct arcfour_state
+ * object, rather than a flat byte array as in most enc providers. The
+ * object includes a loopback pointer to detect if if the caller made a
+ * copy of the krb5_data value or otherwise assumed it was a simple byte
+ * array. When we cast the data pointer back, we need to go through void *
+ * to avoid increased alignment warnings.
+ */
+
/* Create a state structure with an uninitialized context. */
arcstate = calloc(1, sizeof(*arcstate));
if (arcstate == NULL)

53
SOURCES/Correctly-import-service-GSS-host-based-name.patch Normal file
View File

@ -0,0 +1,53 @@
From abcbd3d12b0c92aa37384627edb6e1e6fad9b47a Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 30 Mar 2020 15:26:02 -0400
Subject: [PATCH] Correctly import "service@" GSS host-based name
The intended way to specify only a service in a GSS host-based name is
to omit the "@" separator. Some applications include the separator
but no hostname, and this happened to yield wildcard hostname behavior
prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when
shortname qualification was added. To restore this behavior, check in
parse_hostbased() that at least one character is present after the "@"
separator before copying the hostname. Add a test case to t_gssapi.py.
ticket: 8892
tags: pullup
target_version: 1.18-next
(cherry picked from commit a2f047af0400ba8080dc26033fae2b17534501e2)
(cherry picked from commit dd4364d76925ce1fe21c2ab995554d6af3a2ea12)
---
src/lib/gssapi/krb5/import_name.c | 4 ++--
src/tests/gssapi/t_gssapi.py | 3 +++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index da2ab1423..21023dd76 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len,
memcpy(service, str, servicelen);
service[servicelen] = '\0';
- /* If present, copy the hostname. */
- if (at != NULL) {
+ /* Copy the hostname if present (at least one character after '@'). */
+ if (len - servicelen > 1) {
hostlen = len - servicelen - 1;
host = malloc(hostlen + 1);
if (host == NULL) {
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 54d5cf549..ecf982604 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
expected_msg='service2/calvin')
realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
expected_msg=' found in keytab but does not match server principal')
+# Regression test for #8892 (trailing @ in name).
+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'],
+ expected_msg='service1/abraham')
# Test with acceptor name containing service and host. Use the
# client's un-canonicalized hostname as acceptor input to mirror what

426
SOURCES/Do-expiration-warnings-for-all-init_creds-APIs.patch Normal file
View File

@ -0,0 +1,426 @@
From 640ba4fe0c5d7423431d649f8e5e6ac72341f4ab Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2020 10:11:49 +0100
Subject: [PATCH] Do expiration warnings for all init_creds APIs
Move the password expiration warning code from gic_pwd.c to
get_in_tkt.c. Call it from init_creds_step_reply() on successful
completion.
[ghudson@mit.edu: added test case; simplified doc comment; moved call
site to init_creds_step_reply(); rewrote commit message]
ticket: 8893 (new)
(cherry picked from commit e1efb890f7ac31b32c68ab816ef118dbfb5a8c7e)
(cherry picked from commit c136cfe050d203c910624573a33247fde2889b09)
---
src/include/krb5/krb5.hin | 9 ++-
src/lib/krb5/krb/get_in_tkt.c | 112 ++++++++++++++++++++++++++++++
src/lib/krb5/krb/gic_pwd.c | 110 -----------------------------
src/lib/krb5/krb/t_expire_warn.c | 47 +++++++++----
src/lib/krb5/krb/t_expire_warn.py | 22 ++++--
5 files changed, 165 insertions(+), 135 deletions(-)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 6355e6540..f8269fb17 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7174,11 +7174,10 @@ typedef void
*
* Set a callback to receive password and account expiration times.
*
- * This option only applies to krb5_get_init_creds_password(). @a cb will be
- * invoked if and only if credentials are successfully acquired. The callback
- * will receive the @a context from the krb5_get_init_creds_password() call and
- * the @a data argument supplied with this API. The remaining arguments should
- * be interpreted as follows:
+ * @a cb will be invoked if and only if credentials are successfully acquired.
+ * The callback will receive the @a context from the calling function and the
+ * @a data argument supplied with this API. The remaining arguments should be
+ * interpreted as follows:
*
* If @a is_last_req is true, then the KDC reply contained last-req entries
* which unambiguously indicated the password expiration, account expiration,
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 870df62a1..cc0f70e83 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1482,6 +1482,116 @@ accept_method_data(krb5_context context, krb5_init_creds_context ctx)
ctx->method_padata);
}
+/* Return the password expiry time indicated by enc_part2. Set *is_last_req
+ * if the information came from a last_req value. */
+static void
+get_expiry_times(krb5_enc_kdc_rep_part *enc_part2, krb5_timestamp *pw_exp,
+ krb5_timestamp *acct_exp, krb5_boolean *is_last_req)
+{
+ krb5_last_req_entry **last_req;
+ krb5_int32 lr_type;
+
+ *pw_exp = 0;
+ *acct_exp = 0;
+ *is_last_req = FALSE;
+
+ /* Look for last-req entries for password or account expiration. */
+ if (enc_part2->last_req) {
+ for (last_req = enc_part2->last_req; *last_req; last_req++) {
+ lr_type = (*last_req)->lr_type;
+ if (lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
+ lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
+ *is_last_req = TRUE;
+ *pw_exp = (*last_req)->value;
+ } else if (lr_type == KRB5_LRQ_ALL_ACCT_EXPTIME ||
+ lr_type == KRB5_LRQ_ONE_ACCT_EXPTIME) {
+ *is_last_req = TRUE;
+ *acct_exp = (*last_req)->value;
+ }
+ }
+ }
+
+ /* If we didn't find any, use the ambiguous key_exp field. */
+ if (*is_last_req == FALSE)
+ *pw_exp = enc_part2->key_exp;
+}
+
+/*
+ * Send an appropriate warning prompter if as_reply indicates that the password
+ * is going to expire soon. If an expire callback was provided, use that
+ * instead.
+ */
+static void
+warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
+ krb5_prompter_fct prompter, void *data,
+ const char *in_tkt_service, krb5_kdc_rep *as_reply)
+{
+ krb5_error_code ret;
+ krb5_expire_callback_func expire_cb;
+ void *expire_data;
+ krb5_timestamp pw_exp, acct_exp, now;
+ krb5_boolean is_last_req;
+ krb5_deltat delta;
+ char ts[256], banner[1024];
+
+ if (as_reply == NULL || as_reply->enc_part2 == NULL)
+ return;
+
+ get_expiry_times(as_reply->enc_part2, &pw_exp, &acct_exp, &is_last_req);
+
+ k5_gic_opt_get_expire_cb(options, &expire_cb, &expire_data);
+ if (expire_cb != NULL) {
+ /* Invoke the expire callback and don't send prompter warnings. */
+ (*expire_cb)(context, expire_data, pw_exp, acct_exp, is_last_req);
+ return;
+ }
+
+ /* Don't warn if no password expiry value was sent. */
+ if (pw_exp == 0)
+ return;
+
+ /* Don't warn if the password is being changed. */
+ if (in_tkt_service && strcmp(in_tkt_service, "kadmin/changepw") == 0)
+ return;
+
+ /*
+ * If the expiry time came from a last_req field, assume the KDC wants us
+ * to warn. Otherwise, warn only if the expiry time is less than a week
+ * from now.
+ */
+ ret = krb5_timeofday(context, &now);
+ if (ret != 0)
+ return;
+ if (!is_last_req &&
+ (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
+ return;
+
+ if (!prompter)
+ return;
+
+ ret = krb5_timestamp_to_string(pw_exp, ts, sizeof(ts));
+ if (ret != 0)
+ return;
+
+ delta = ts_delta(pw_exp, now);
+ if (delta < 3600) {
+ snprintf(banner, sizeof(banner),
+ _("Warning: Your password will expire in less than one hour "
+ "on %s"), ts);
+ } else if (delta < 86400 * 2) {
+ snprintf(banner, sizeof(banner),
+ _("Warning: Your password will expire in %d hour%s on %s"),
+ delta / 3600, delta < 7200 ? "" : "s", ts);
+ } else {
+ snprintf(banner, sizeof(banner),
+ _("Warning: Your password will expire in %d days on %s"),
+ delta / 86400, ts);
+ }
+
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+}
+
static krb5_error_code
init_creds_step_reply(krb5_context context,
krb5_init_creds_context ctx,
@@ -1693,6 +1803,8 @@ init_creds_step_reply(krb5_context context,
/* success */
ctx->complete = TRUE;
+ warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
+ ctx->in_tkt_service, ctx->reply);
cleanup:
krb5_free_pa_data(context, kdc_padata);
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 14ce23ba4..54e0a8ebe 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -133,113 +133,6 @@ krb5_init_creds_set_password(krb5_context context,
return 0;
}
-/* Return the password expiry time indicated by enc_part2. Set *is_last_req
- * if the information came from a last_req value. */
-static void
-get_expiry_times(krb5_enc_kdc_rep_part *enc_part2, krb5_timestamp *pw_exp,
- krb5_timestamp *acct_exp, krb5_boolean *is_last_req)
-{
- krb5_last_req_entry **last_req;
- krb5_int32 lr_type;
-
- *pw_exp = 0;
- *acct_exp = 0;
- *is_last_req = FALSE;
-
- /* Look for last-req entries for password or account expiration. */
- if (enc_part2->last_req) {
- for (last_req = enc_part2->last_req; *last_req; last_req++) {
- lr_type = (*last_req)->lr_type;
- if (lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
- lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
- *is_last_req = TRUE;
- *pw_exp = (*last_req)->value;
- } else if (lr_type == KRB5_LRQ_ALL_ACCT_EXPTIME ||
- lr_type == KRB5_LRQ_ONE_ACCT_EXPTIME) {
- *is_last_req = TRUE;
- *acct_exp = (*last_req)->value;
- }
- }
- }
-
- /* If we didn't find any, use the ambiguous key_exp field. */
- if (*is_last_req == FALSE)
- *pw_exp = enc_part2->key_exp;
-}
-
-/*
- * Send an appropriate warning prompter if as_reply indicates that the password
- * is going to expire soon. If an expire callback was provided, use that
- * instead.
- */
-static void
-warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
- krb5_prompter_fct prompter, void *data,
- const char *in_tkt_service, krb5_kdc_rep *as_reply)
-{
- krb5_error_code ret;
- krb5_expire_callback_func expire_cb;
- void *expire_data;
- krb5_timestamp pw_exp, acct_exp, now;
- krb5_boolean is_last_req;
- krb5_deltat delta;
- char ts[256], banner[1024];
-
- get_expiry_times(as_reply->enc_part2, &pw_exp, &acct_exp, &is_last_req);
-
- k5_gic_opt_get_expire_cb(options, &expire_cb, &expire_data);
- if (expire_cb != NULL) {
- /* Invoke the expire callback and don't send prompter warnings. */
- (*expire_cb)(context, expire_data, pw_exp, acct_exp, is_last_req);
- return;
- }
-
- /* Don't warn if no password expiry value was sent. */
- if (pw_exp == 0)
- return;
-
- /* Don't warn if the password is being changed. */
- if (in_tkt_service && strcmp(in_tkt_service, "kadmin/changepw") == 0)
- return;
-
- /*
- * If the expiry time came from a last_req field, assume the KDC wants us
- * to warn. Otherwise, warn only if the expiry time is less than a week
- * from now.
- */
- ret = krb5_timeofday(context, &now);
- if (ret != 0)
- return;
- if (!is_last_req &&
- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
- return;
-
- if (!prompter)
- return;
-
- ret = krb5_timestamp_to_string(pw_exp, ts, sizeof(ts));
- if (ret != 0)
- return;
-
- delta = ts_delta(pw_exp, now);
- if (delta < 3600) {
- snprintf(banner, sizeof(banner),
- _("Warning: Your password will expire in less than one hour "
- "on %s"), ts);
- } else if (delta < 86400*2) {
- snprintf(banner, sizeof(banner),
- _("Warning: Your password will expire in %d hour%s on %s"),
- delta / 3600, delta < 7200 ? "" : "s", ts);
- } else {
- snprintf(banner, sizeof(banner),
- _("Warning: Your password will expire in %d days on %s"),
- delta / 86400, ts);
- }
-
- /* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
-}
-
/*
* Create a temporary options structure for getting a kadmin/changepw ticket,
* based on the appplication-specified options. Propagate all application
@@ -496,9 +389,6 @@ krb5_get_init_creds_password(krb5_context context,
goto cleanup;
cleanup:
- if (ret == 0)
- warn_pw_expiry(context, options, prompter, data, in_tkt_service,
- as_reply);
free(chpw_opts);
zapfree(gakpw.storage.data, gakpw.storage.length);
memset(pw0array, 0, sizeof(pw0array));
diff --git a/src/lib/krb5/krb/t_expire_warn.c b/src/lib/krb5/krb/t_expire_warn.c
index 1e59acba1..dc8dc8fb3 100644
--- a/src/lib/krb5/krb/t_expire_warn.c
+++ b/src/lib/krb5/krb/t_expire_warn.c
@@ -28,6 +28,13 @@
static int exp_dummy, prompt_dummy;
+static void
+check(krb5_error_code code)
+{
+ if (code != 0)
+ abort();
+}
+
static krb5_error_code
prompter_cb(krb5_context ctx, void *data, const char *name,
const char *banner, int num_prompts, krb5_prompt prompts[])
@@ -52,36 +59,48 @@ int
main(int argc, char **argv)
{
krb5_context ctx;
+ krb5_init_creds_context icctx;
krb5_get_init_creds_opt *opt;
char *user, *password, *service = NULL;
- krb5_boolean use_cb;
+ krb5_boolean use_cb, stepwise;
krb5_principal client;
krb5_creds creds;
- if (argc < 4) {
- fprintf(stderr, "Usage: %s username password {1|0} [service]\n",
+ if (argc < 5) {
+ fprintf(stderr, "Usage: %s username password {1|0} {1|0} [service]\n",
argv[0]);
return 1;
}
user = argv[1];
password = argv[2];
use_cb = atoi(argv[3]);
- if (argc >= 5)
- service = argv[4];
+ stepwise = atoi(argv[4]);
+ if (argc >= 6)
+ service = argv[5];
- assert(krb5_init_context(&ctx) == 0);
- assert(krb5_get_init_creds_opt_alloc(ctx, &opt) == 0);
+ check(krb5_init_context(&ctx));
+ check(krb5_get_init_creds_opt_alloc(ctx, &opt));
if (use_cb) {
- assert(krb5_get_init_creds_opt_set_expire_callback(ctx, opt, expire_cb,
- &exp_dummy) == 0);
+ check(krb5_get_init_creds_opt_set_expire_callback(ctx, opt, expire_cb,
+ &exp_dummy));
+ }
+ check(krb5_parse_name(ctx, user, &client));
+ if (stepwise) {
+ check(krb5_init_creds_init(ctx, client, prompter_cb, &prompt_dummy, 0,
+ opt, &icctx));
+ krb5_init_creds_set_password(ctx, icctx, password);
+ if (service != NULL)
+ check(krb5_init_creds_set_service(ctx, icctx, service));
+ check(krb5_init_creds_get(ctx, icctx));
+ krb5_init_creds_free(ctx, icctx);
+ } else {
+ check(krb5_get_init_creds_password(ctx, &creds, client, password,
+ prompter_cb, &prompt_dummy, 0,
+ service, opt));
+ krb5_free_cred_contents(ctx, &creds);
}
- assert(krb5_parse_name(ctx, user, &client) == 0);
- assert(krb5_get_init_creds_password(ctx, &creds, client, password,
- prompter_cb, &prompt_dummy, 0, service,
- opt) == 0);
krb5_get_init_creds_opt_free(ctx, opt);
krb5_free_principal(ctx, client);
- krb5_free_cred_contents(ctx, &creds);
krb5_free_context(ctx);
return 0;
}
diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
index 781f2728a..e163cc7e4 100755
--- a/src/lib/krb5/krb/t_expire_warn.py
+++ b/src/lib/krb5/krb/t_expire_warn.py
@@ -34,23 +34,33 @@ realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '12 hours',
realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
# Check for expected prompter warnings when no expire callback is used.
-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0'])
+output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0', '0'])
if output:
fail('Unexpected output for noexpire')
-realm.run(['./t_expire_warn', 'minutes', 'pass', '0'],
+realm.run(['./t_expire_warn', 'minutes', 'pass', '0', '0'],
expected_msg=' less than one hour on ')
-realm.run(['./t_expire_warn', 'hours', 'pass', '0'], expected_msg=' hours on ')
-realm.run(['./t_expire_warn', 'days', 'pass', '0'], expected_msg=' days on ')
+realm.run(['./t_expire_warn', 'hours', 'pass', '0', '0'],
+ expected_msg=' hours on ')
+realm.run(['./t_expire_warn', 'days', 'pass', '0', '0'],
+ expected_msg=' days on ')
+# Try one case with the stepwise interface.
+realm.run(['./t_expire_warn', 'days', 'pass', '0', '1'],
+ expected_msg=' days on ')
# Check for expected expire callback behavior. These tests are
# carefully agnostic about whether the KDC supports last_req fields,
# and could be made more specific if last_req support is added.
-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1'])
+output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1', '0'])
if 'password_expiration = 0\n' not in output or \
'account_expiration = 0\n' not in output or \
'is_last_req = ' not in output:
fail('Expected callback output not seen for noexpire')
-output = realm.run(['./t_expire_warn', 'days', 'pass', '1'])
+output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '0'])
+if 'password_expiration = ' not in output or \
+ 'password_expiration = 0\n' in output:
+ fail('Expected non-zero password expiration not seen for days')
+# Try one case with the stepwise interface.
+output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '1'])
if 'password_expiration = ' not in output or \
'password_expiration = 0\n' in output:
fail('Expected non-zero password expiration not seen for days')

94
SOURCES/Eliminate-redundant-PKINIT-responder-invocation.patch Normal file
View File

@ -0,0 +1,94 @@
From fa5d09798a56960c34f28296726ed4525e6950d9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 23 Mar 2020 19:10:03 -0400
Subject: [PATCH] Eliminate redundant PKINIT responder invocation
In pkinit_client_prep_questions(), only act if the input padata type
is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when
the KDC issues a ticket.
Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242)
unintentionally changed the behavior of pkinit_load_fs_cert_and_key(),
causing pkinit_client_prep_questions() to do nothing on its first
call. Restore the original behavior of returning 0 when prompting is
deferred.
Modify the existing "FILE identity, password on key (responder)"
PKINIT test to check that the responder is only invoked once.
ticket: 8885
(cherry picked from commit f1286842ce7b9e507a4ce0a47f44ab361a98be63)
(cherry picked from commit 4a05805eb39ba088c07f782fb52a6538ec3f2db6)
---
src/plugins/preauth/pkinit/pkinit_clnt.c | 5 +++++
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 13 +++++++------
src/tests/t_pkinit.py | 11 +++++++----
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2f0431991..9b991ffe0 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -897,6 +897,11 @@ pkinit_client_prep_questions(krb5_context context,
k5_json_object jval = NULL;
k5_json_number jflag = NULL;
+ /* Don't ask questions for the informational padata items or when the
+ * ticket is issued. */
+ if (pa_data->pa_type != KRB5_PADATA_PK_AS_REQ)
+ return 0;
+
if (!reqctx->identity_initialized) {
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index dd718c2be..dbb054378 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4362,17 +4362,18 @@ pkinit_load_fs_cert_and_key(krb5_context context,
/* Load the certificate. */
retval = get_cert(certname, &x);
- if (retval != 0 || x == NULL) {
- retval = oerr(context, 0, _("Cannot read certificate file '%s'"),
+ if (retval) {
+ retval = oerr(context, retval, _("Cannot read certificate file '%s'"),
certname);
- goto cleanup;
}
+ if (retval || x == NULL)
+ goto cleanup;
/* Load the key. */
retval = get_key(context, id_cryptoctx, keyname, fsname, &y, password);
- if (retval != 0 || y == NULL) {
- retval = oerr(context, 0, _("Cannot read key file '%s'"), fsname);
+ if (retval)
+ retval = oerr(context, retval, _("Cannot read key file '%s'"), fsname);
+ if (retval || y == NULL)
goto cleanup;
- }
id_cryptoctx->creds[cindex] = malloc(sizeof(struct _pkinit_cred_info));
if (id_cryptoctx->creds[cindex] == NULL) {
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 69daf4987..ecd450e8a 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -248,10 +248,13 @@ realm.run(['./adata', realm.host_princ],
# supplied by the responder.
# Supply the response in raw form.
mark('FILE identity, password on key (responder)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
- '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
- '-X', 'X509_user_identity=%s' % file_enc_identity,
- realm.user_princ])
+out = realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity,
+ realm.user_princ])
+# Regression test for #8885 (password question asked twice).
+if out.count('OK: ') != 1:
+ fail('Wrong number of responder calls')
# Supply the response through the convenience API.
realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
'-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])

207
SOURCES/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
View File

@ -1,207 +0,0 @@
From 44b429df9ac4bb8ad84a090fee1bd70d83adcf23 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 20 Jul 2019 00:51:52 -0400
Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
Nothing in the code removes objects from soft_token.object.obs, so
simplify add_st_object() not to search for an empty slot. Avoid using
random() by using a counter for session handles and just the array
slot number for object handles. Add a helper get_rcfilename() to
facilitate checking the result of asprintf(). Properly initialize ap
in sprintf_fill(). Close the file handle in read_conf_file().
(cherry picked from commit b4831515b2f3b6fd7d7fd4bff4558c10c710891d)
(cherry picked from commit 28db01445d2807d51b5045c0a04d5e49905de504)
---
src/tests/softpkcs11/main.c | 102 +++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 49 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 5255323d3..2d1448ca2 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -78,6 +78,7 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
(BL) = i2d_##T((S), &p); \
if ((BL) <= 0) { \
free((B)); \
+ (B) = NULL; \
(R) = EINVAL; \
} \
} \
@@ -149,6 +150,7 @@ static struct soft_token {
} state[10];
#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
FILE *logfile;
+ CK_SESSION_HANDLE next_session_handle;
} soft_token;
static void
@@ -179,6 +181,7 @@ snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
+ va_start(ap, fmt);
len = vsnprintf(str, size, fmt, ap);
va_end(ap);
if (len < 0 || len > size)
@@ -344,7 +347,13 @@ static struct st_object *
add_st_object(void)
{
struct st_object *o, **objs;
- int i;
+
+ objs = realloc(soft_token.object.objs,
+ (soft_token.object.num_objs + 1) *
+ sizeof(soft_token.object.objs[0]));
+ if (objs == NULL)
+ return NULL;
+ soft_token.object.objs = objs;
o = malloc(sizeof(*o));
if (o == NULL)
@@ -352,26 +361,9 @@ add_st_object(void)
memset(o, 0, sizeof(*o));
o->attrs = NULL;
o->num_attributes = 0;
+ o->object_handle = soft_token.object.num_objs;
- for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
- soft_token.object.objs[i] = o;
- break;
- }
- }
- if (i == soft_token.object.num_objs) {
- objs = realloc(soft_token.object.objs,
- (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
- if (objs == NULL) {
- free(o);
- return NULL;
- }
- soft_token.object.objs = objs;
- soft_token.object.objs[soft_token.object.num_objs++] = o;
- }
- soft_token.object.objs[i]->object_handle =
- (random() & (~OBJECT_ID_MASK)) | i;
-
+ soft_token.object.objs[soft_token.object.num_objs++] = o;
return o;
}
@@ -797,6 +789,8 @@ read_conf_file(const char *fn)
add_certificate(label, cert, key, id, anchor);
}
+
+ fclose(f);
}
static CK_RV
@@ -806,19 +800,47 @@ func_not_supported(void)
return CKR_FUNCTION_NOT_SUPPORTED;
}
+static char *
+get_rcfilename()
+{
+ struct passwd *pw;
+ const char *home = NULL;
+ char *fn;
+
+ if (getuid() == geteuid()) {
+ fn = getenv("SOFTPKCS11RC");
+ if (fn != NULL)
+ return strdup(fn);
+
+ home = getenv("HOME");
+ }
+
+ if (home == NULL) {
+ pw = getpwuid(getuid());
+ if (pw != NULL)
+ home = pw->pw_dir;
+ }
+
+ if (home == NULL)
+ return strdup("/etc/soft-token.rc");
+
+ if (asprintf(&fn, "%s/.soft-token.rc", home) < 0)
+ return NULL;
+ return fn;
+}
+
CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
size_t i;
+ char *fn;
st_logf("Initialize\n");
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
- srandom(getpid() ^ time(NULL));
-
for (i = 0; i < MAX_NUM_SESSION; i++) {
soft_token.state[i].session_handle = CK_INVALID_HANDLE;
soft_token.state[i].find.attributes = NULL;
@@ -850,31 +872,13 @@ C_Initialize(CK_VOID_PTR a)
st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
}
- {
- char *fn = NULL, *home = NULL;
-
- if (getuid() == geteuid()) {
- fn = getenv("SOFTPKCS11RC");
- if (fn)
- fn = strdup(fn);
- home = getenv("HOME");
- }
- if (fn == NULL && home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
- if (fn == NULL) {
- if (home)
- asprintf(&fn, "%s/.soft-token.rc", home);
- else
- fn = strdup("/etc/soft-token.rc");
- }
-
- read_conf_file(fn);
- free(fn);
- }
+ soft_token.next_session_handle = 0;
+ fn = get_rcfilename();
+ if (fn == NULL)
+ return CKR_DEVICE_MEMORY;
+ read_conf_file(fn);
+ free(fn);
return CKR_OK;
}
@@ -1082,8 +1086,7 @@ C_OpenSession(CK_SLOT_ID slotID,
soft_token.open_sessions++;
- soft_token.state[i].session_handle =
- (CK_SESSION_HANDLE)(random() & 0xfffff);
+ soft_token.state[i].session_handle = soft_token.next_session_handle++;
*phSession = soft_token.state[i].session_handle;
return CKR_OK;
@@ -1152,7 +1155,8 @@ C_Login(CK_SESSION_HANDLE hSession,
VERIFY_SESSION_HANDLE(hSession, NULL);
if (pPin != NULL_PTR) {
- asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+ if (asprintf(&pin, "%.*s", (int)ulPinLen, pPin) < 0)
+ return CKR_DEVICE_MEMORY;
st_logf("type: %d password: %s\n", (int)userType, pin);
}

33
SOURCES/Fix-KCM-client-time-offset-propagation.patch
View File

@ -1,33 +0,0 @@
From 7e4576cc62a16fa77030c42dcc43c61cdfa5b4e6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Aug 2019 13:52:27 -0400
Subject: [PATCH] Fix KCM client time offset propagation
An inverted status check in get_kdc_offset() would cause querying the
offset time from the ccache to always fail (silently) on KCM. Fix the
status check so that KCM can properly handle desync.
ticket: 8826 (new)
tags: pullup
target_version: 1.17-next
target_verison: 1.16-next
(cherry picked from commit 323abb6d1ebe5469d6c2167c29aa5d696d099b90)
(cherry picked from commit 7e81b8077cf2cf186dadb96b064573f7c221fbf3)
---
src/lib/krb5/ccache/cc_kcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
index 092ab7daf..fe93ca3dc 100644
--- a/src/lib/krb5/ccache/cc_kcm.c
+++ b/src/lib/krb5/ccache/cc_kcm.c
@@ -583,7 +583,7 @@ get_kdc_offset(krb5_context context, krb5_ccache cache)
if (cache_call(context, cache, &req, FALSE) != 0)
goto cleanup;
time_offset = k5_input_get_uint32_be(&req.reply);
- if (!req.reply.status)
+ if (req.reply.status)
goto cleanup;
context->os_context.time_offset = time_offset;
context->os_context.usec_offset = 0;

22
SOURCES/Fix-argument-order-on-strlcpy-in-enctype_name.patch
View File

@ -1,22 +0,0 @@
From 9a38af6aa136fdc92d5e0f1591c1647aec498f5a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 Sep 2019 18:29:15 -0400
Subject: [PATCH] Fix argument order on strlcpy() in enctype_name()
---
src/kdc/kdc_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 96c88edc1..6d1861a3b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1081,7 +1081,7 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
- if (strlcpy(name, buf, buflen) >= buflen)
+ if (strlcpy(buf, name, buflen) >= buflen)
return ENOMEM;
return 0;
}

60
SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch Normal file
View File

@ -0,0 +1,60 @@
From 7b5ed3cffcfe2bc21f3157e883b078983947a113 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 24 Jul 2020 16:05:24 -0400
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
In check_cbt(), use a local variable to hold the retrieved authdata
list, and free it before returning.
ticket: 8900
(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e)
---
src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 175a24c4e..3d5b84b15 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
/* Look for AP_OPTIONS in authdata. If present and the options include
* KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
static krb5_error_code
-check_cbt(krb5_context context, krb5_authdata **authdata,
+check_cbt(krb5_context context, krb5_authdata *const *authdata,
krb5_boolean *cbt_out)
{
krb5_error_code code;
+ krb5_authdata **ad;
uint32_t ad_ap_options;
const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
*cbt_out = FALSE;
code = krb5_find_authdata(context, NULL, authdata,
- KRB5_AUTHDATA_AP_OPTIONS, &authdata);
- if (code || authdata == NULL)
+ KRB5_AUTHDATA_AP_OPTIONS, &ad);
+ if (code || ad == NULL)
return code;
- if (authdata[1] != NULL || authdata[0]->length != 4)
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ if (ad[1] != NULL || ad[0]->length != 4) {
+ code = KRB5KRB_AP_ERR_MSG_TYPE;
+ } else {
+ ad_ap_options = load_32_le(ad[0]->contents);
+ if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+ *cbt_out = TRUE;
+ }
- ad_ap_options = load_32_le(authdata[0]->contents);
- if (ad_ap_options & KERB_AP_OPTIONS_CBT)
- *cbt_out = TRUE;
-
- return 0;
+ krb5_free_authdata(context, ad);
+ return code;
}
/*

34
SOURCES/Fix-memory-leak-in-none-replay-cache-type.patch
View File

@ -1,34 +0,0 @@
From 74a3b8448949130d91417b261c3e1c316ffa8796 Mon Sep 17 00:00:00 2001
From: Corene Casper <C.Casper@Dell.com>
Date: Sat, 16 Feb 2019 00:49:26 -0500
Subject: [PATCH] Fix memory leak in 'none' replay cache type
Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
leak in the 'none' replay cache type by freeing the outer container,
but we also need to free the mutex.
[ghudson@mit.edu: wrote commit message]
ticket: 8783
tags: pullup
target_version: 1.17-next
target_version: 1.16-next
(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)
(cherry picked from commit ff79351c4755d6df7c3245274708454311c25731)
---
src/lib/krb5/rcache/rc_none.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
index e30aed09f..0b2274df7 100644
--- a/src/lib/krb5/rcache/rc_none.c
+++ b/src/lib/krb5/rcache/rc_none.c
@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
static krb5_error_code KRB5_CALLCONV
krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
{
+ k5_mutex_destroy(&rc->lock);
free (rc);
return 0;
}

123
SOURCES/Fix-memory-leaks-in-soft-pkcs11-code.patch
View File

@ -1,123 +0,0 @@
From 604f5dcbb018fca8ea27e00314ed615133b861e1 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 5 Aug 2019 01:53:51 -0400
Subject: [PATCH] Fix memory leaks in soft-pkcs11 code
Fix leaks detected by asan in t_pkinit.py. Add a helper to free a
struct st_object and free objects in C_Finalize(). Duplicate the X509
cert in add_certificate() instead of creating aliases so it can be
properly freed. Start the session handle counter at 1 so that
C_Finalize() won't confuse the first session handle with
CK_INVALID_HANDLE (defined to 0 in pkinit.h) and will properly clean
the session object.
(cherry picked from commit 15bcaf8bcb4af25ff89820ad3bf23ad5a324e863)
(cherry picked from commit 5cc80472e7a8b0fb3002f229ffb104dccf8bd120)
---
src/tests/softpkcs11/main.c | 44 +++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2d1448ca2..a4c3ae78e 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -109,7 +109,7 @@ struct st_object {
X509 *cert;
EVP_PKEY *public_key;
struct {
- const char *file;
+ char *file;
EVP_PKEY *key;
X509 *cert;
} private_key;
@@ -343,6 +343,26 @@ print_attributes(const CK_ATTRIBUTE *attributes,
}
}
+static void
+free_st_object(struct st_object *o)
+{
+ int i;
+
+ for (i = 0; i < o->num_attributes; i++)
+ free(o->attrs[i].attribute.pValue);
+ free(o->attrs);
+ if (o->type == STO_T_CERTIFICATE) {
+ X509_free(o->u.cert);
+ } else if (o->type == STO_T_PRIVATE_KEY) {
+ free(o->u.private_key.file);
+ EVP_PKEY_free(o->u.private_key.key);
+ X509_free(o->u.private_key.cert);
+ } else if (o->type == STO_T_PUBLIC_KEY) {
+ EVP_PKEY_free(o->u.public_key);
+ }
+ free(o);
+}
+
static struct st_object *
add_st_object(void)
{
@@ -518,7 +538,11 @@ add_certificate(char *label,
goto out;
}
o->type = STO_T_CERTIFICATE;
- o->u.cert = cert;
+ o->u.cert = X509_dup(cert);
+ if (o->u.cert == NULL) {
+ ret = CKR_DEVICE_MEMORY;
+ goto out;
+ }
public_key = X509_get_pubkey(o->u.cert);
switch (EVP_PKEY_base_id(public_key)) {
@@ -602,7 +626,11 @@ add_certificate(char *label,
o->u.private_key.file = strdup(private_key_file);
o->u.private_key.key = NULL;
- o->u.private_key.cert = cert;
+ o->u.private_key.cert = X509_dup(cert);
+ if (o->u.private_key.cert == NULL) {
+ ret = CKR_DEVICE_MEMORY;
+ goto out;
+ }
c = CKO_PRIVATE_KEY;
add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
@@ -676,6 +704,7 @@ add_certificate(char *label,
free(serial_data);
free(issuer_data);
free(subject_data);
+ X509_free(cert);
return ret;
}
@@ -872,7 +901,7 @@ C_Initialize(CK_VOID_PTR a)
st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
}
- soft_token.next_session_handle = 0;
+ soft_token.next_session_handle = 1;
fn = get_rcfilename();
if (fn == NULL)
@@ -886,6 +915,7 @@ CK_RV
C_Finalize(CK_VOID_PTR args)
{
size_t i;
+ int j;
st_logf("Finalize\n");
@@ -897,6 +927,12 @@ C_Finalize(CK_VOID_PTR args)
}
}
+ for (j = 0; j < soft_token.object.num_objs; j++)
+ free_st_object(soft_token.object.objs[j]);
+ free(soft_token.object.objs);
+ soft_token.object.objs = NULL;
+ soft_token.object.num_objs = 0;
+
return CKR_OK;
}

38
SOURCES/Fix-typo-in-in-in-the-ksu-man-page.patch Normal file
View File

@ -0,0 +1,38 @@
From 117681ff995f7a271ded83ff4615e7945c72a942 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 May 2020 15:01:18 -0400
Subject: [PATCH] Fix typo ("in in") in the ksu man page
(cherry picked from commit 1011841acdc1020f308ef4f569c6622f279d8c3f)
(cherry picked from commit 8de669742ae4190542741f0dc61119a6a0dad666)
---
doc/user/user_commands/ksu.rst | 2 +-
src/man/ksu.man | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst
index 8d6c7ef79..933738229 100644
--- a/doc/user/user_commands/ksu.rst
+++ b/doc/user/user_commands/ksu.rst
@@ -155,7 +155,7 @@ wrong password is typed in, ksu fails.
.. note::
During authentication, only the tickets that could be
- obtained without providing a password are cached in in the
+ obtained without providing a password are cached in the
source cache.
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 81e34815d..8d4c6a359 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -176,7 +176,7 @@ wrong password is typed in, ksu fails.
.INDENT 0.0
.INDENT 3.5
During authentication, only the tickets that could be
-obtained without providing a password are cached in in the
+obtained without providing a password are cached in the
source cache.
.UNINDENT
.UNINDENT

38
SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch Normal file
View File

@ -0,0 +1,38 @@
From e339ad300caafc2a98e86ab48a9ac278cfe3bb85 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 15 Jul 2020 15:42:20 -0400
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
Fixes a problem where the presence of legacy/unrecognized keysalts in
supported_enctypes would prevent the kadmin programs from starting.
[ghudson@mit.edu: ideally we would put a warning in the kadmind log,
but that is difficult to do when the parsing is done inside a library.
Even adding a trace log is difficult because the kadm5 str_conv
functions do not accept contexts.]
ticket: 8929 (new)
(cherry picked from commit be5396ada0e8dabd68bd0aceb733cfca39a609bc)
(cherry picked from commit 3f873868fb08b77da2d30e164a0ef6c71c17c607)
---
src/lib/kadm5/str_conv.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
index 7cf51d316..798295606 100644
--- a/src/lib/kadm5/str_conv.c
+++ b/src/lib/kadm5/str_conv.c
@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps,
while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) {
/* Pass a null pointer to subsequent calls to strtok_r(). */
p = NULL;
- ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype);
- if (ret)
- goto cleanup;
+
+ /* Discard unrecognized keysalts. */
+ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype) != 0)
+ continue;
/* Ignore duplicate keysalts if caller asks. */
if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype))

92
SOURCES/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch Normal file
View File

@ -0,0 +1,92 @@
From 3c15e9724dae95a4bf0899a8b8efc3e9e3f486ab Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Jul 2017 11:38:30 -0400
Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
Define a new channel-bound GSS return flag, and set it in the krb5
mech if the initiator sent channel bindings matching the acceptor's.
Do not error out if the acceptor specifies channel bindings and the
initiator does not send them.
[ghudson@mit.edu: simplified code changes; fleshed out commit message]
[iboukris: cherry-picked from another PR and reduced in scope]
ticket: 8899 (new)
(cherry picked from commit 429a31146083fac21958631c2af572b08ec91022)
(cherry picked from commit 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5)
---
src/lib/gssapi/generic/gssapi_ext.h | 2 ++
src/lib/gssapi/krb5/accept_sec_context.c | 18 +++++++++++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 218456e44..c675e8ebb 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -595,6 +595,8 @@ gss_store_cred_into(
* attribute (along with any applicable RFC 5587 attributes).
*/
+#define GSS_C_CHANNEL_BOUND_FLAG 2048 /* 0x00000800 */
+
OM_uint32 KRB5_CALLCONV
gssspi_query_meta_data(
OM_uint32 *minor_status,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 70dd7fc0c..9d3e2f4fe 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -427,6 +427,9 @@ kg_process_extension(krb5_context context,
GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE | \
GSS_C_IDENTIFY_FLAG | GSS_C_EXTENDED_ERROR_FLAG)
+/* A zero-value channel binding, for comparison */
+static const uint8_t null_cb[CB_MD5_LEN];
+
/*
* The krb5 GSS mech appropriates the authenticator checksum field from RFC
* 4120 to store structured data instead of a checksum, indicated with checksum
@@ -435,9 +438,10 @@ kg_process_extension(krb5_context context,
*
* Interpret the checksum. Read delegated creds into *deleg_out if it is not
* NULL. Set *flags_out to the allowed subset of token flags, plus
- * GSS_C_DELEG_FLAG if a delegated credential was present. Process any
- * extensions found using exts. On error, set *code_out to a krb5_error code
- * for use as a minor status value.
+ * GSS_C_DELEG_FLAG if a delegated credential was present and
+ * GSS_C_CHANNEL_BOUND_FLAG if matching channel bindings are present. Process
+ * any extensions found using exts. On error, set *code_out to a krb5_error
+ * code for use as a minor status value.
*/
static OM_uint32
process_checksum(OM_uint32 *minor_status, krb5_context context,
@@ -450,7 +454,7 @@ process_checksum(OM_uint32 *minor_status, krb5_context context,
krb5_error_code code = 0;
OM_uint32 status, option_id, token_flags;
size_t cb_len, option_len;
- krb5_boolean valid;
+ krb5_boolean valid, token_cb_present = FALSE, cb_match = FALSE;
krb5_key subkey;
krb5_data option, empty = empty_data();
krb5_checksum cb_cksum;
@@ -516,7 +520,9 @@ process_checksum(OM_uint32 *minor_status, krb5_context context,
goto fail;
}
assert(cb_cksum.length == cb_len);
- if (k5_bcmp(token_cb, cb_cksum.contents, cb_len) != 0) {
+ token_cb_present = (k5_bcmp(token_cb, null_cb, cb_len) != 0);
+ cb_match = (k5_bcmp(token_cb, cb_cksum.contents, cb_len) == 0);
+ if (token_cb_present && !cb_match) {
status = GSS_S_BAD_BINDINGS;
goto fail;
}
@@ -525,6 +531,8 @@ process_checksum(OM_uint32 *minor_status, krb5_context context,
/* Read the token flags and accept some of them as context flags. */
token_flags = k5_input_get_uint32_le(&in);
*flags_out = token_flags & INITIATOR_FLAGS;
+ if (cb_match)
+ *flags_out |= GSS_C_CHANNEL_BOUND_FLAG;
/* Read the delegated credential if present. */
if (in.len >= 4 && (token_flags & GSS_C_DELEG_FLAG)) {

103
SOURCES/Implement-KERB_AP_OPTIONS_CBT-server-side.patch Normal file
View File

@ -0,0 +1,103 @@
From 7aea9fc73fb508e3168581990eb2e2ff7a1aea31 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 9 Mar 2020 16:04:21 +0100
Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
Add server support for Microsoft's KERB_AP_OPTIONS_CBT as described in
MS-KILE. If the client includes the AP option in the authenticator
authdata and the server passed channel bindings, require the bindings
to match.
[ghudson@mit.edu: refactored to put more logic in the helper function;
added a comment; clarified commit message]
ticket: 8900 (new)
(cherry picked from commit 4f7c77b64a048ca5e3199b26b31493698c777a9c)
(cherry picked from commit 6407bf087fe53088d91efd09df736e979cd4e8db)
---
src/include/krb5/krb5.hin | 1 +
src/lib/gssapi/krb5/accept_sec_context.c | 45 +++++++++++++++++++++++-
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f8269fb17..9264bede1 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1915,6 +1915,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
#define KRB5_AUTHDATA_SIGNTICKET 512 /**< formerly 142 in krb5 1.8 */
#define KRB5_AUTHDATA_FX_ARMOR 71
#define KRB5_AUTHDATA_AUTH_INDICATOR 97
+#define KRB5_AUTHDATA_AP_OPTIONS 143
/** @} */ /* end of KRB5_AUTHDATA group */
/* password change constants */
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9d3e2f4fe..175a24c4e 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -430,6 +430,32 @@ kg_process_extension(krb5_context context,
/* A zero-value channel binding, for comparison */
static const uint8_t null_cb[CB_MD5_LEN];
+/* Look for AP_OPTIONS in authdata. If present and the options include
+ * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
+static krb5_error_code
+check_cbt(krb5_context context, krb5_authdata **authdata,
+ krb5_boolean *cbt_out)
+{
+ krb5_error_code code;
+ uint32_t ad_ap_options;
+ const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+
+ *cbt_out = FALSE;
+
+ code = krb5_find_authdata(context, NULL, authdata,
+ KRB5_AUTHDATA_AP_OPTIONS, &authdata);
+ if (code || authdata == NULL)
+ return code;
+ if (authdata[1] != NULL || authdata[0]->length != 4)
+ return KRB5KRB_AP_ERR_MSG_TYPE;
+
+ ad_ap_options = load_32_le(authdata[0]->contents);
+ if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+ *cbt_out = TRUE;
+
+ return 0;
+}
+
/*
* The krb5 GSS mech appropriates the authenticator checksum field from RFC
* 4120 to store structured data instead of a checksum, indicated with checksum
@@ -454,7 +480,7 @@ process_checksum(OM_uint32 *minor_status, krb5_context context,
krb5_error_code code = 0;
OM_uint32 status, option_id, token_flags;
size_t cb_len, option_len;
- krb5_boolean valid, token_cb_present = FALSE, cb_match = FALSE;
+ krb5_boolean valid, client_cbt, token_cb_present = FALSE, cb_match = FALSE;
krb5_key subkey;
krb5_data option, empty = empty_data();
krb5_checksum cb_cksum;
@@ -582,6 +608,23 @@ process_checksum(OM_uint32 *minor_status, krb5_context context,
}
}
+ /*
+ * If the client asserts the KERB_AP_OPTIONS_CBT flag (from MS-KILE) in the
+ * authenticator authdata, and the acceptor passed channel bindings,
+ * require matching channel bindings from the client. The intent is to
+ * prevent an authenticator generated for use outside of a TLS channel from
+ * being used inside of one.
+ */
+ code = check_cbt(context, authenticator->authorization_data, &client_cbt);
+ if (code) {
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+ if (client_cbt && acceptor_cb != GSS_C_NO_CHANNEL_BINDINGS && !cb_match) {
+ status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
status = GSS_S_COMPLETE;
fail:

31
SOURCES/Improve-negoex_parse_token-code-hygiene.patch Normal file
View File

@ -0,0 +1,31 @@
From ca72aa3a2e4ca8bc1b1c33e46ca59ed4b3f20393 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 9 Jun 2020 16:23:37 -0400
Subject: [PATCH] Improve negoex_parse_token() code hygiene
If the while loop in negoex_parse_token() runs for zero iterations,
major will be used initialized. Currently this cannot happen, but
only because both of the call sites check for zero-length tokens.
Initialize major for safety.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 4f91b6f8fa6fe1de662b3fdac0d59b7758ec642a)
(cherry picked from commit c726a72c68244129eb08b840b92144acfa776573)
---
src/lib/gssapi/spnego/negoex_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
index 700368456..99580fd79 100644
--- a/src/lib/gssapi/spnego/negoex_util.c
+++ b/src/lib/gssapi/spnego/negoex_util.c
@@ -454,7 +454,7 @@ negoex_parse_token(OM_uint32 *minor, spnego_gss_ctx_id_t ctx,
gss_const_buffer_t token,
struct negoex_message **messages_out, size_t *count_out)
{
- OM_uint32 major;
+ OM_uint32 major = GSS_S_COMPLETE;
size_t count = 0;
struct k5input in;
struct negoex_message *messages = NULL, *newptr;

28
SOURCES/In-kpropd-debug-log-proper-ticket-enctype-names.patch
View File

@ -1,28 +0,0 @@
From 30f112f8dc1c5241da5ba301cb45a06bb5bb4c01 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 13:41:16 -0500
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
This change replaces the last call of krb5_enctype_to_string() in our
sources with krb5_enctype_to_name(), ensuring that we log consistently
to users using readily discoverable strings.
(cherry picked from commit 30e12a2ecdf7e2a034a91626a03b5c9909e4c68d)
---
src/kprop/kpropd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 4cc035dc6..0c7bffa24 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -1279,7 +1279,8 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
exit(1);
}
- retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf));
+ retval = krb5_enctype_to_name(*etype, FALSE, etypebuf,
+ sizeof(etypebuf));
if (retval) {
com_err(progname, retval, _("while unparsing ticket etype"));
exit(1);

54
SOURCES/In-rd_req_dec-always-log-non-permitted-enctypes.patch
View File

@ -1,54 +0,0 @@
From 2b4521f3ba3dad064e3f64bfd56b88d5cb5d0955 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 14 Jan 2019 17:14:42 -0500
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
The buffer specified in negotiate_etype() is too small for use with
the AES enctypes when used with krb5_enctype_to_string(), so switch to
using krb5_enctype_to_name().
(cherry picked from commit bf75ebf583a51bf00005a96d17924818d19377be)
---
src/lib/krb5/krb/rd_req_dec.c | 5 ++---
src/tests/gssapi/t_enctypes.py | 5 +++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 4cd429a11..e75192fee 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -864,9 +864,8 @@ negotiate_etype(krb5_context context,
if (permitted == FALSE) {
char enctype_name[30];
- if (krb5_enctype_to_string(desired_etypes[i],
- enctype_name,
- sizeof(enctype_name)) == 0)
+ if (krb5_enctype_to_name(desired_etypes[i], FALSE, enctype_name,
+ sizeof(enctype_name)) == 0)
k5_setmsg(context, KRB5_NOPERM_ETYPE,
_("Encryption type %s not permitted"), enctype_name);
return KRB5_NOPERM_ETYPE;
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index ee43ff028..5d9f80e04 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -85,7 +85,8 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
# If only the acceptor constrains the permitted session enctypes to
# aes128, subkey negotiation fails because the acceptor considers the
# aes256 session key to be non-permitted.
-test_err('acc aes128', None, 'aes128-cts', 'Encryption type not permitted')
+test_err('acc aes128', None, 'aes128-cts',
+ 'Encryption type aes256-cts-hmac-sha1-96 not permitted')
# If the initiator constrains the permitted session enctypes to des3,
# no acceptor subkey will be generated because we can't upgrade to a
@@ -128,7 +129,7 @@ test('upgrade init des3+rc4', 'des3 rc4', None,
# is only for the sake of the kernel, since we could upgrade to an
# aes128 subkey, but it's the current semantics.)
test_err('upgrade acc aes128', None, 'aes128-cts',
- 'Encryption type ArcFour with HMAC/md5 not permitted')
+ 'Encryption type arcfour-hmac not permitted')
# If the acceptor permits rc4 but prefers aes128, it will negotiate an
# upgrade to aes128.

296
SOURCES/Make-etype-names-in-KDC-logs-human-readable.patch
View File

@ -1,296 +0,0 @@
From f815140182976e882445a38ee5a0a77f56da7c8a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Jan 2019 17:42:35 -0500
Subject: [PATCH] Make etype names in KDC logs human-readable
Introduce enctype_name() as a wrapper over krb5_enctype_to_name for
converting between registered constants and names. Adjust signatures
and rewrite ktypes2str() and rep_etypes2str() to operate on dynamic
buffers.
ticket: 8772 (new)
(cherry picked from commit a649279727490687d54becad91fde8cf7429d951)
---
src/kdc/kdc_log.c | 42 +++++++--------
src/kdc/kdc_util.c | 131 +++++++++++++++++++++++----------------------
src/kdc/kdc_util.h | 6 +--
3 files changed, 90 insertions(+), 89 deletions(-)
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index 4eec50373..b160ba21a 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -65,7 +65,7 @@ log_as_req(krb5_context context,
{
const char *fromstring = 0;
char fromstringbuf[70];
- char ktypestr[128];
+ char *ktypestr = NULL;
const char *cname2 = cname ? cname : "<unknown client>";
const char *sname2 = sname ? sname : "<unknown server>";
@@ -74,26 +74,29 @@ log_as_req(krb5_context context,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
- ktypes2str(ktypestr, sizeof(ktypestr),
- request->nktypes, request->ktype);
+
+ ktypestr = ktypes2str(request->ktype, request->nktypes);
if (status == NULL) {
/* success */
- char rep_etypestr[128];
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
+ char *rep_etypestr = rep_etypes2str(reply);
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
"%s for %s"),
- ktypestr, fromstring, (unsigned int)authtime,
- rep_etypestr, cname2, sname2);
+ ktypestr ? ktypestr : "", fromstring,
+ (unsigned int)authtime,
+ rep_etypestr ? rep_etypestr : "", cname2, sname2);
+ free(rep_etypestr);
} else {
/* fail */
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: %s: %s for %s%s%s"),
- ktypestr, fromstring, status,
- cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
+ ktypestr ? ktypestr : "", fromstring, status, cname2,
+ sname2, emsg ? ", " : "", emsg ? emsg : "");
}
krb5_db_audit_as_req(context, request,
local_addr->address, remote_addr->address,
client, server, authtime, errcode);
+
+ free(ktypestr);
}
/*
@@ -122,10 +125,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
unsigned int c_flags,
const char *status, krb5_error_code errcode, const char *emsg)
{
- char ktypestr[128];
+ char *ktypestr = NULL, *rep_etypestr = NULL;
const char *fromstring = 0;
char fromstringbuf[70];
- char rep_etypestr[128];
char *cname = NULL, *sname = NULL, *altcname = NULL;
char *logcname = NULL, *logsname = NULL, *logaltcname = NULL;
@@ -134,11 +136,6 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
- ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype);
- if (!errcode)
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
- else
- rep_etypestr[0] = 0;
unparse_and_limit(ctx, cprinc, &cname);
logcname = (cname != NULL) ? cname : "<unknown client>";
@@ -151,10 +148,14 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
name (useful), and doesn't log ktypestr (probably not
important). */
if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
+ ktypestr = ktypes2str(request->ktype, request->nktypes);
+ rep_etypestr = rep_etypes2str(reply);
krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
"%s for %s%s%s"),
- ktypestr, fromstring, status, (unsigned int)authtime,
- rep_etypestr, !errcode ? "," : "", logcname, logsname,
+ ktypestr ? ktypestr : "", fromstring, status,
+ (unsigned int)authtime,
+ rep_etypestr ? rep_etypestr : "",
+ !errcode ? "," : "", logcname, logsname,
errcode ? ", " : "", errcode ? emsg : "");
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
krb5_klog_syslog(LOG_INFO,
@@ -171,9 +172,8 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
fromstring, status, (unsigned int)authtime,
logcname, logsname, logaltcname);
- /* OpenSolaris: audit_krb5kdc_tgs_req(...) or
- audit_krb5kdc_tgs_req_2ndtktmm(...) */
-
+ free(rep_etypestr);
+ free(ktypestr);
krb5_free_unparsed_name(ctx, cname);
krb5_free_unparsed_name(ctx, sname);
krb5_free_unparsed_name(ctx, altcname);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 0155c28c6..f5c581c82 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1043,84 +1043,87 @@ void limit_string(char *name)
return;
}
-/*
- * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301.
- */
-#define L10_2(x) ((int)(((x * 301) + 999) / 1000))
-
-/*
- * Max length of sprintf("%ld") for an int of type T; includes leading
- * minus sign and terminating NUL.
- */
-#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2)
-
-void
-ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
+/* Wrapper of krb5_enctype_to_name() to include the PKINIT types. */
+static krb5_error_code
+enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
- int i;
- char stmp[D_LEN(krb5_enctype) + 1];
- char *p;
+ char *name;
- if (nktypes < 0
- || len < (sizeof(" etypes {...}") + D_LEN(int))) {
- *s = '\0';
- return;
- }
+ if (buflen == 0)
+ return EINVAL;
+ *buf = '\0'; /* ensure these are always valid C-strings */
- snprintf(s, len, "%d etypes {", nktypes);
- for (i = 0; i < nktypes; i++) {
- snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]);
- if (strlen(s) + strlen(stmp) + sizeof("}") > len)
- break;
- strlcat(s, stmp, len);
- }
- if (i < nktypes) {
- /*
- * We broke out of the loop. Try to truncate the list.
- */
- p = s + strlen(s);
- while (p - s + sizeof("...}") > len) {
- while (p > s && *p != ' ' && *p != '{')
- *p-- = '\0';
- if (p > s && *p == ' ') {
- *p-- = '\0';
- continue;
- }
- }
- strlcat(s, "...", len);
- }
- strlcat(s, "}", len);
- return;
+ /* rfc4556 recommends that clients wishing to indicate support for these
+ * pkinit algorithms include them in the etype field of the AS-REQ. */
+ if (ktype == ENCTYPE_DSA_SHA1_CMS)
+ name = "id-dsa-with-sha1-CmsOID";
+ else if (ktype == ENCTYPE_MD5_RSA_CMS)
+ name = "md5WithRSAEncryption-CmsOID";
+ else if (ktype == ENCTYPE_SHA1_RSA_CMS)
+ name = "sha-1WithRSAEncryption-CmsOID";
+ else if (ktype == ENCTYPE_RC2_CBC_ENV)
+ name = "rc2-cbc-EnvOID";
+ else if (ktype == ENCTYPE_RSA_ENV)
+ name = "rsaEncryption-EnvOID";
+ else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
+ name = "id-RSAES-OAEP-EnvOID";
+ else if (ktype == ENCTYPE_DES3_CBC_ENV)
+ name = "des-ede3-cbc-EnvOID";
+ else
+ return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
+
+ if (strlcpy(name, buf, buflen) >= buflen)
+ return ENOMEM;
+ return 0;
}
-void
-rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
+char *
+ktypes2str(krb5_enctype *ktype, int nktypes)
{
- char stmp[sizeof("ses=") + D_LEN(krb5_enctype)];
+ struct k5buf buf;
+ int i;
+ char name[64];
- if (len < (3 * D_LEN(krb5_enctype)
- + sizeof("etypes {rep= tkt= ses=}"))) {
- *s = '\0';
- return;
+ if (nktypes < 0)
+ return NULL;
+
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add_fmt(&buf, "%d etypes {", nktypes);
+ for (i = 0; i < nktypes; i++) {
+ enctype_name(ktype[i], name, sizeof(name));
+ k5_buf_add_fmt(&buf, "%s%s(%ld)", i ? ", " : "", name, (long)ktype[i]);
}
+ k5_buf_add(&buf, "}");
+ return buf.data;
+}
- snprintf(s, len, "etypes {rep=%ld", (long)rep->enc_part.enctype);
+char *
+rep_etypes2str(krb5_kdc_rep *rep)
+{
+ struct k5buf buf;
+ char name[64];
+ krb5_enctype etype;
+
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add(&buf, "etypes {rep=");
+ enctype_name(rep->enc_part.enctype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, "%s(%ld)", name, (long)rep->enc_part.enctype);
if (rep->ticket != NULL) {
- snprintf(stmp, sizeof(stmp),
- " tkt=%ld", (long)rep->ticket->enc_part.enctype);
- strlcat(s, stmp, len);
+ etype = rep->ticket->enc_part.enctype;
+ enctype_name(etype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, ", tkt=%s(%ld)", name, (long)etype);
}
- if (rep->ticket != NULL
- && rep->ticket->enc_part2 != NULL
- && rep->ticket->enc_part2->session != NULL) {
- snprintf(stmp, sizeof(stmp), " ses=%ld",
- (long)rep->ticket->enc_part2->session->enctype);
- strlcat(s, stmp, len);
+ if (rep->ticket != NULL && rep->ticket->enc_part2 != NULL &&
+ rep->ticket->enc_part2->session != NULL) {
+ etype = rep->ticket->enc_part2->session->enctype;
+ enctype_name(etype, name, sizeof(name));
+ k5_buf_add_fmt(&buf, ", ses=%s(%ld)", name, (long)etype);
}
- strlcat(s, "}", len);
- return;
+
+ k5_buf_add(&buf, "}");
+ return buf.data;
}
static krb5_error_code
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 6ec645fc3..25077cbf5 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -110,11 +110,9 @@ select_session_keytype (kdc_realm_t *kdc_active_realm,
void limit_string (char *name);
-void
-ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
+char *ktypes2str(krb5_enctype *ktype, int nktypes);
-void
-rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
+char *rep_etypes2str(krb5_kdc_rep *rep);
/* authind.c */
krb5_boolean

250
SOURCES/Mark-deprecated-enctypes-when-used.patch
View File

@ -1,250 +0,0 @@
From 6306a2a8697c94f968a02d66204f7d357aa0e7f6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Jan 2019 16:34:54 -0500
Subject: [PATCH] Mark deprecated enctypes when used
Preface ETYPE_DEPRECATED enctypes with "DEPRECATED:" in klist output,
KDC logs, and kadmin interactions. Also complain in krb5kdc when the
stash file has a deprecated enctype or a deprecated enctype is
requested with -k.
ticket: 8773 (new)
(cherry picked from commit 8d8e68283b599e680f9fe45eff8af397e827bd6c)
---
src/clients/klist/klist.c | 14 ++++++++++----
src/kadmin/cli/kadmin.c | 6 +++++-
src/kdc/kdc_util.c | 9 +++++++++
src/kdc/main.c | 19 +++++++++++++++++++
src/tests/gssapi/t_enctypes.py | 15 +++++++++------
src/tests/t_keyrollover.py | 8 +++++---
src/tests/t_sesskeynego.py | 4 ++--
7 files changed, 59 insertions(+), 16 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 70adb54e8..8c307151a 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -571,11 +571,17 @@ static char *
etype_string(krb5_enctype enctype)
{
static char buf[100];
- krb5_error_code ret;
+ char *bp = buf;
+ size_t deplen, buflen = sizeof(buf);
- ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf));
- if (ret)
- snprintf(buf, sizeof(buf), "etype %d", enctype);
+ if (krb5int_c_deprecated_enctype(enctype)) {
+ deplen = strlcpy(bp, "DEPRECATED:", buflen);
+ buflen -= deplen;
+ bp += deplen;
+ }
+
+ if (krb5_enctype_to_name(enctype, FALSE, bp, buflen))
+ snprintf(bp, buflen, "etype %d", enctype);
return buf;
}
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index ed581ee79..cc74921bf 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1451,12 +1451,16 @@ kadmin_getprinc(int argc, char *argv[])
for (i = 0; i < dprinc.n_key_data; i++) {
krb5_key_data *key_data = &dprinc.key_data[i];
char enctype[BUFSIZ], salttype[BUFSIZ];
+ char *deprecated = "";
if (krb5_enctype_to_name(key_data->key_data_type[0], FALSE,
enctype, sizeof(enctype)))
snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
key_data->key_data_type[0]);
- printf("Key: vno %d, %s", key_data->key_data_kvno, enctype);
+ if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
+ deprecated = "DEPRECATED:";
+ printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated,
+ enctype);
if (key_data->key_data_ver > 1 &&
key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_NORMAL) {
if (krb5_salttype_to_string(key_data->key_data_type[1],
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f5c581c82..96c88edc1 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1048,11 +1048,20 @@ static krb5_error_code
enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
char *name;
+ size_t len;
if (buflen == 0)
return EINVAL;
*buf = '\0'; /* ensure these are always valid C-strings */
+ if (krb5int_c_deprecated_enctype(ktype)) {
+ len = strlcpy(buf, "DEPRECATED:", buflen);
+ if (len >= buflen)
+ return ENOMEM;
+ buflen -= len;
+ buf += len;
+ }
+
/* rfc4556 recommends that clients wishing to indicate support for these
* pkinit algorithms include them in the etype field of the AS-REQ. */
if (ktype == ENCTYPE_DSA_SHA1_CMS)
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 663fd6303..60092a0df 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -210,12 +210,23 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
char *svalue = NULL;
const char *hierarchy[4];
krb5_kvno mkvno = IGNORE_VNO;
+ char ename[32];
memset(rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
kret = EINVAL;
goto whoops;
}
+
+ if (def_enctype != ENCTYPE_UNKNOWN &&
+ krb5int_c_deprecated_enctype(def_enctype)) {
+ if (krb5_enctype_to_name(def_enctype, FALSE, ename, sizeof(ename)))
+ ename[0] = '\0';
+ fprintf(stderr,
+ _("Requested master password enctype %s in %s is DEPRECATED!"),
+ ename, realm);
+ }
+
hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = realm;
hierarchy[3] = NULL;
@@ -370,6 +381,14 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
goto whoops;
}
+ if (krb5int_c_deprecated_enctype(rdp->realm_mkey.enctype)) {
+ if (krb5_enctype_to_name(rdp->realm_mkey.enctype, FALSE, ename,
+ sizeof(ename)))
+ ename[0] = '\0';
+ fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!"),
+ rdp->realm_stash, ename);
+ }
+
if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc,
&rdp->realm_mkey))) {
kdc_err(rdp->realm_context, kret,
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index 5d9f80e04..ca3d32d21 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -9,8 +9,11 @@ from k5test import *
aes256 = 'aes256-cts-hmac-sha1-96'
aes128 = 'aes128-cts-hmac-sha1-96'
des3 = 'des3-cbc-sha1'
+d_des3 = 'DEPRECATED:des3-cbc-sha1'
des3raw = 'des3-cbc-raw'
+d_des3raw = 'DEPRECATED:des3-cbc-raw'
rc4 = 'arcfour-hmac'
+d_rc4 = 'DEPRECATED:arcfour-hmac'
# These tests make assumptions about the default enctype lists, so set
# them explicitly rather than relying on the library defaults.
@@ -92,7 +95,7 @@ test_err('acc aes128', None, 'aes128-cts',
# no acceptor subkey will be generated because we can't upgrade to a
# CFX enctype.
test('init des3', 'des3', None,
- tktenc=aes256, tktsession=des3,
+ tktenc=aes256, tktsession=d_des3,
proto='rfc1964', isubkey=des3raw, asubkey=None)
# Force the ticket session key to be rc4, so we can test some subkey
@@ -103,7 +106,7 @@ realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4'])
# [aes256 aes128 des3] and the acceptor should upgrade to an aes256
# subkey.
test('upgrade noargs', None, None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes256)
# If the initiator won't permit rc4 as a session key, it won't be able
@@ -113,14 +116,14 @@ test_err('upgrade init aes', 'aes', None, 'no support for encryption type')
# If the initiator permits rc4 but prefers aes128, it will send an
# upgrade list of [aes128] and the acceptor will upgrade to aes128.
test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes128)
# If the initiator permits rc4 but prefers des3, it will send an
# upgrade list of [des3], but the acceptor won't generate a subkey
# because des3 isn't a CFX enctype.
test('upgrade init des3+rc4', 'des3 rc4', None,
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='rfc1964', isubkey=rc4, asubkey=None)
# If the acceptor permits only aes128, subkey negotiation will fail
@@ -134,14 +137,14 @@ test_err('upgrade acc aes128', None, 'aes128-cts',
# If the acceptor permits rc4 but prefers aes128, it will negotiate an
# upgrade to aes128.
test('upgrade acc aes128 rc4', None, 'aes128-cts rc4',
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes128)
# In this test, the initiator and acceptor each prefer an AES enctype
# to rc4, but they can't agree on which one, so no subkey is
# generated.
test('upgrade mismatch', 'aes128-cts rc4', 'aes256-cts rc4',
- tktenc=aes256, tktsession=rc4,
+ tktenc=aes256, tktsession=d_rc4,
proto='rfc1964', isubkey=rc4, asubkey=None)
success('gss_krb5_set_allowable_enctypes tests')
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 7c8d828f0..4af6804f2 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -22,8 +22,9 @@ realm.run([kvno, princ1])
realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
# Make sure an old TGT fails after purging old TGS key.
realm.run([kvno, princ2], expected_code=1)
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
- (realm.realm, realm.realm)
+ddes = "DEPRECATED:des-cbc-crc"
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
+ (realm.realm, realm.realm, ddes, ddes)
realm.run([klist, '-e'], expected_msg=msg)
# Check that new key actually works.
@@ -48,7 +49,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts',
realm.krbtgt_princ])
realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ])
-if 'vno 1, aes256' not in out or 'vno 1, des3' not in out:
+if 'vno 1, aes256-cts' not in out or \
+ 'vno 1, DEPRECATED:des3-cbc-sha1' not in out:
fail('keyrollover: setup for TGS enctype test failed')
# Now present the DES3 ticket to the KDC and make sure it's rejected.
realm.run([kvno, realm.host_princ], expected_code=1)
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index 448092387..da02f224a 100755
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -62,11 +62,11 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
'rc4-hmac,aes128-cts,aes256-cts'])
-test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
# 3c: Test des-cbc-crc default assumption.
realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
-test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96')
realm.stop()
# Last go: test that we can disable the des-cbc-crc assumption

49
SOURCES/Omit-KDC-indicator-check-for-S4U2Self-requests.patch Normal file
View File

@ -0,0 +1,49 @@
From 61f3943f9fc237936ed9fd098edcd8dcc43b8da7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 6 May 2020 16:03:13 -0400
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
As there was no initial ticket exchange from the client for an
S4U2Self request, the auth indicator check is inapplicable (and would
always fail if any auth indicators are required).
ticket: 8902 (new)
(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465)
(cherry picked from commit 442f1fa5b2e4034954a51048414cc0863b914379)
---
src/kdc/do_tgs_req.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 241f34e2a..463a9c0dd 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
}
authtime = subject_tkt->times.authtime;
- /* Extract auth indicators from the subject ticket, except for S4U2Self
- * requests (where the client didn't authenticate). */
+ /* Extract and check auth indicators from the subject ticket, except for
+ * S4U2Self requests (where the client didn't authenticate). */
if (s4u_x509_user == NULL) {
errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
&local_tgt_key, &auth_indicators);
@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "GET_AUTH_INDICATORS";
goto cleanup;
}
- }
- errcode = check_indicators(kdc_context, server, auth_indicators);
- if (errcode) {
- status = "HIGHER_AUTHENTICATION_REQUIRED";
- goto cleanup;
+ errcode = check_indicators(kdc_context, server, auth_indicators);
+ if (errcode) {
+ status = "HIGHER_AUTHENTICATION_REQUIRED";
+ goto cleanup;
+ }
}
if (is_referral)

35
SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch Normal file
View File

@ -0,0 +1,35 @@
From 4c4c22639eb2794e563370a2ee48a34dbdddc639 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 6 Jun 2020 11:03:37 +0200
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
OpenSSL in FIPS mode will refuse to perform hmac-md5. Omit the legacy
PA_FOR_USER element in this case rather than failing out.
[ghudson@mit.edu: minor code and comment edits; wrote commit message]
ticket: 8912 (new)
(cherry picked from commit 03f122bdb22cfa53c7d855ed929c9541e56365e0)
(cherry picked from commit 086de78292b8ae89aba8a72926831124da44205d)
---
src/lib/krb5/krb/s4u_creds.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index fc5c886d6..d8f486dc6 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
&in_padata[1]);
+ /*
+ * If we couldn't compute the hmac-md5 checksum, send only the
+ * KRB5_PADATA_S4U_X509_USER; this will still work against modern
+ * Windows and MIT KDCs.
+ */
+ if (code == KRB5_CRYPTO_INTERNAL)
+ code = 0;
if (code != 0) {
krb5_free_pa_data(context, in_padata);
goto cleanup;

257
SOURCES/Pass-channel-bindings-through-SPNEGO.patch Normal file
View File

@ -0,0 +1,257 @@
From d98f8867f8245b3c9dd506271897d0f03d69ae49 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 28 Apr 2020 18:15:55 +0200
Subject: [PATCH] Pass channel bindings through SPNEGO
ticket: 8907 (new)
(cherry picked from commit d16325a24c34ec9a5f6fb4910987f162e0d4d9cd)
(cherry picked from commit ee79bd43005245d3e5a2d3ec6d61146945e77717)
---
src/lib/gssapi/spnego/gssapiP_negoex.h | 8 ++---
src/lib/gssapi/spnego/negoex_ctx.c | 34 +++++++++++----------
src/lib/gssapi/spnego/spnego_mech.c | 41 +++++++++++++-------------
3 files changed, 43 insertions(+), 40 deletions(-)
diff --git a/src/lib/gssapi/spnego/gssapiP_negoex.h b/src/lib/gssapi/spnego/gssapiP_negoex.h
index 44b08f523..489ab7c42 100644
--- a/src/lib/gssapi/spnego/gssapiP_negoex.h
+++ b/src/lib/gssapi/spnego/gssapiP_negoex.h
@@ -201,10 +201,10 @@ negoex_restrict_auth_schemes(spnego_gss_ctx_id_t ctx,
OM_uint32
negoex_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
gss_name_t target_name, OM_uint32 req_flags, OM_uint32 time_req,
- gss_buffer_t input_token, gss_buffer_t output_token,
- OM_uint32 *time_rec);
+ gss_buffer_t input_token, gss_channel_bindings_t bindings,
+ gss_buffer_t output_token, OM_uint32 *time_rec);
OM_uint32
negoex_accept(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
- gss_buffer_t input_token, gss_buffer_t output_token,
- OM_uint32 *time_rec);
+ gss_buffer_t input_token, gss_channel_bindings_t bindings,
+ gss_buffer_t output_token, OM_uint32 *time_rec);
diff --git a/src/lib/gssapi/spnego/negoex_ctx.c b/src/lib/gssapi/spnego/negoex_ctx.c
index 18d9d4147..8848ee4db 100644
--- a/src/lib/gssapi/spnego/negoex_ctx.c
+++ b/src/lib/gssapi/spnego/negoex_ctx.c
@@ -276,7 +276,8 @@ static OM_uint32
mech_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
gss_name_t target, OM_uint32 req_flags, OM_uint32 time_req,
struct negoex_message *messages, size_t nmessages,
- gss_buffer_t output_token, OM_uint32 *time_rec)
+ gss_channel_bindings_t bindings, gss_buffer_t output_token,
+ OM_uint32 *time_rec)
{
OM_uint32 major, first_major = 0, first_minor = 0;
struct negoex_auth_mech *mech = NULL;
@@ -316,10 +317,9 @@ mech_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
mech = K5_TAILQ_FIRST(&ctx->negoex_mechs);
major = gss_init_sec_context(minor, cred, &mech->mech_context, target,
- mech->oid, req_flags, time_req,
- GSS_C_NO_CHANNEL_BINDINGS, input_token,
- &ctx->actual_mech, output_token,
- &ctx->ctx_flags, time_rec);
+ mech->oid, req_flags, time_req, bindings,
+ input_token, &ctx->actual_mech,
+ output_token, &ctx->ctx_flags, time_rec);
if (major == GSS_S_COMPLETE)
mech->complete = 1;
@@ -351,7 +351,8 @@ mech_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
static OM_uint32
mech_accept(OM_uint32 *minor, spnego_gss_ctx_id_t ctx,
gss_cred_id_t cred, struct negoex_message *messages,
- size_t nmessages, gss_buffer_t output_token, OM_uint32 *time_rec)
+ size_t nmessages, gss_channel_bindings_t bindings,
+ gss_buffer_t output_token, OM_uint32 *time_rec)
{
OM_uint32 major, tmpmin;
struct negoex_auth_mech *mech;
@@ -395,10 +396,10 @@ mech_accept(OM_uint32 *minor, spnego_gss_ctx_id_t ctx,
gss_release_cred(&tmpmin, &ctx->deleg_cred);
major = gss_accept_sec_context(minor, &mech->mech_context, cred,
- &msg->token, GSS_C_NO_CHANNEL_BINDINGS,
- &ctx->internal_name, &ctx->actual_mech,
- output_token, &ctx->ctx_flags,
- time_rec, &ctx->deleg_cred);
+ &msg->token, bindings, &ctx->internal_name,
+ &ctx->actual_mech, output_token,
+ &ctx->ctx_flags, time_rec,
+ &ctx->deleg_cred);
if (major == GSS_S_COMPLETE)
mech->complete = 1;
@@ -609,8 +610,8 @@ make_output_token(OM_uint32 *minor, spnego_gss_ctx_id_t ctx,
OM_uint32
negoex_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
gss_name_t target_name, OM_uint32 req_flags, OM_uint32 time_req,
- gss_buffer_t input_token, gss_buffer_t output_token,
- OM_uint32 *time_rec)
+ gss_buffer_t input_token, gss_channel_bindings_t bindings,
+ gss_buffer_t output_token, OM_uint32 *time_rec)
{
OM_uint32 major, tmpmin;
gss_buffer_desc mech_output_token = GSS_C_EMPTY_BUFFER;
@@ -663,7 +664,8 @@ negoex_init(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
/* Process the input token and/or produce an output token. This may prune
* the mech list, but on success there will be at least one mech entry. */
major = mech_init(minor, ctx, cred, target_name, req_flags, time_req,
- messages, nmessages, &mech_output_token, time_rec);
+ messages, nmessages, bindings, &mech_output_token,
+ time_rec);
if (major != GSS_S_COMPLETE)
goto cleanup;
assert(!K5_TAILQ_EMPTY(&ctx->negoex_mechs));
@@ -701,8 +703,8 @@ cleanup:
OM_uint32
negoex_accept(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
- gss_buffer_t input_token, gss_buffer_t output_token,
- OM_uint32 *time_rec)
+ gss_buffer_t input_token, gss_channel_bindings_t bindings,
+ gss_buffer_t output_token, OM_uint32 *time_rec)
{
OM_uint32 major, tmpmin;
gss_buffer_desc mech_output_token = GSS_C_EMPTY_BUFFER;
@@ -754,7 +756,7 @@ negoex_accept(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, gss_cred_id_t cred,
* prune the list to a single mech. Continue on error if an output token
* is generated, so that we send the token to the initiator.
*/
- major = mech_accept(minor, ctx, cred, messages, nmessages,
+ major = mech_accept(minor, ctx, cred, messages, nmessages, bindings,
&mech_output_token, time_rec);
if (major != GSS_S_COMPLETE && mech_output_token.length == 0)
goto cleanup;
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 594fc5894..4cf011143 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -130,6 +130,7 @@ init_ctx_reselect(OM_uint32 *, spnego_gss_ctx_id_t, OM_uint32,
static OM_uint32
init_ctx_call_init(OM_uint32 *, spnego_gss_ctx_id_t, spnego_gss_cred_id_t,
OM_uint32, gss_name_t, OM_uint32, OM_uint32, gss_buffer_t,
+ gss_channel_bindings_t,
gss_buffer_t, OM_uint32 *, send_token_flag *);
static OM_uint32
@@ -144,8 +145,8 @@ acc_ctx_vfy_oid(OM_uint32 *, spnego_gss_ctx_id_t, gss_OID,
OM_uint32 *, send_token_flag *);
static OM_uint32
acc_ctx_call_acc(OM_uint32 *, spnego_gss_ctx_id_t, spnego_gss_cred_id_t,
- gss_buffer_t, gss_buffer_t, OM_uint32 *, OM_uint32 *,
- send_token_flag *);
+ gss_buffer_t, gss_channel_bindings_t, gss_buffer_t,
+ OM_uint32 *, OM_uint32 *, send_token_flag *);
static gss_OID
negotiate_mech(spnego_gss_ctx_id_t, gss_OID_set, OM_uint32 *);
@@ -905,6 +906,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
OM_uint32 req_flags,
OM_uint32 time_req,
gss_buffer_t mechtok_in,
+ gss_channel_bindings_t bindings,
gss_buffer_t mechtok_out,
OM_uint32 *time_rec,
send_token_flag *send_token)
@@ -921,15 +923,14 @@ init_ctx_call_init(OM_uint32 *minor_status,
if (gss_oid_equal(sc->internal_mech, &negoex_mech)) {
ret = negoex_init(minor_status, sc, mcred, target_name,
mech_req_flags, time_req, mechtok_in,
- mechtok_out, time_rec);
+ bindings, mechtok_out, time_rec);
} else {
ret = gss_init_sec_context(minor_status, mcred,
&sc->ctx_handle, target_name,
sc->internal_mech, mech_req_flags,
- time_req, GSS_C_NO_CHANNEL_BINDINGS,
- mechtok_in, &sc->actual_mech,
- mechtok_out, &sc->ctx_flags,
- time_rec);
+ time_req, bindings, mechtok_in,
+ &sc->actual_mech, mechtok_out,
+ &sc->ctx_flags, time_rec);
}
/* Bail out if the acceptor gave us an error token but the mech didn't
@@ -981,8 +982,8 @@ init_ctx_call_init(OM_uint32 *minor_status,
gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);
tmpret = init_ctx_call_init(&tmpmin, sc, spcred, acc_negState,
target_name, req_flags, time_req,
- mechtok_in, mechtok_out, time_rec,
- send_token);
+ mechtok_in, bindings, mechtok_out,
+ time_rec, send_token);
if (HARD_ERROR(tmpret))
goto fail;
*minor_status = tmpmin;
@@ -1004,7 +1005,7 @@ spnego_gss_init_sec_context(
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
+ gss_channel_bindings_t bindings,
gss_buffer_t input_token,
gss_OID *actual_mech,
gss_buffer_t output_token,
@@ -1084,8 +1085,8 @@ spnego_gss_init_sec_context(
if (!spnego_ctx->mech_complete) {
ret = init_ctx_call_init(minor_status, spnego_ctx, spcred,
acc_negState, target_name, req_flags,
- time_req, mechtok_in, &mechtok_out,
- time_rec, &send_token);
+ time_req, mechtok_in, bindings,
+ &mechtok_out, time_rec, &send_token);
if (ret != GSS_S_COMPLETE)
goto cleanup;
@@ -1542,8 +1543,9 @@ cleanup:
static OM_uint32
acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
spnego_gss_cred_id_t spcred, gss_buffer_t mechtok_in,
- gss_buffer_t mechtok_out, OM_uint32 *time_rec,
- OM_uint32 *negState, send_token_flag *tokflag)
+ gss_channel_bindings_t bindings, gss_buffer_t mechtok_out,
+ OM_uint32 *time_rec, OM_uint32 *negState,
+ send_token_flag *tokflag)
{
OM_uint32 ret, tmpmin;
gss_OID_desc mechoid;
@@ -1568,13 +1570,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred;
if (negoex) {
ret = negoex_accept(minor_status, sc, mcred, mechtok_in,
- mechtok_out, time_rec);
+ bindings, mechtok_out, time_rec);
} else {
(void) gss_release_name(&tmpmin, &sc->internal_name);
(void) gss_release_cred(&tmpmin, &sc->deleg_cred);
ret = gss_accept_sec_context(minor_status, &sc->ctx_handle,
- mcred, mechtok_in,
- GSS_C_NO_CHANNEL_BINDINGS,
+ mcred, mechtok_in, bindings,
&sc->internal_name,
&sc->actual_mech, mechtok_out,
&sc->ctx_flags, time_rec,
@@ -1620,7 +1621,7 @@ spnego_gss_accept_sec_context(
gss_ctx_id_t *context_handle,
gss_cred_id_t verifier_cred_handle,
gss_buffer_t input_token,
- gss_channel_bindings_t input_chan_bindings,
+ gss_channel_bindings_t bindings,
gss_name_t *src_name,
gss_OID *mech_type,
gss_buffer_t output_token,
@@ -1734,8 +1735,8 @@ spnego_gss_accept_sec_context(
*/
if (negState != REQUEST_MIC && mechtok_in != GSS_C_NO_BUFFER) {
ret = acc_ctx_call_acc(minor_status, sc, spcred, mechtok_in,
- &mechtok_out, time_rec, &negState,
- &return_token);
+ bindings, &mechtok_out, time_rec,
+ &negState, &return_token);
}
/* Step 3: process or generate the MIC, if the negotiated mech is

59
SOURCES/Pass-gss_localname-through-SPNEGO.patch Normal file
View File

@ -0,0 +1,59 @@
From 64b1fdf0732b094e174b484fd9aac29f06e482bd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 26 Apr 2020 19:55:54 -0400
Subject: [PATCH] Pass gss_localname() through SPNEGO
ticket: 8897 (new)
(cherry picked from commit f7b8a6432bd289bdc528017be122305f95b8e285)
(cherry picked from commit 646212314a580a8cdffdacda9cb3c8f806471b08)
---
src/lib/gssapi/spnego/gssapiP_spnego.h | 8 ++++++++
src/lib/gssapi/spnego/spnego_mech.c | 9 ++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index a93763314..066ec736f 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -357,6 +357,14 @@ OM_uint32 KRB5_CALLCONV spnego_gss_wrap_size_limit
OM_uint32 *max_input_size
);
+OM_uint32 KRB5_CALLCONV spnego_gss_localname
+(
+ OM_uint32 *minor_status,
+ const gss_name_t pname,
+ const gss_const_OID mech_type,
+ gss_buffer_t localname
+);
+
OM_uint32 KRB5_CALLCONV spnego_gss_get_mic
(
OM_uint32 *minor_status,
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index ec0bae6a4..594fc5894 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -237,7 +237,7 @@ static struct gss_config spnego_mechanism =
spnego_gss_inquire_context, /* gss_inquire_context */
NULL, /* gss_internal_release_oid */
spnego_gss_wrap_size_limit, /* gss_wrap_size_limit */
- NULL, /* gssd_pname_to_uid */
+ spnego_gss_localname,
NULL, /* gss_userok */
NULL, /* gss_export_name */
spnego_gss_duplicate_name, /* gss_duplicate_name */
@@ -2371,6 +2371,13 @@ spnego_gss_wrap_size_limit(
return (ret);
}
+OM_uint32 KRB5_CALLCONV
+spnego_gss_localname(OM_uint32 *minor_status, const gss_name_t pname,
+ const gss_const_OID mech_type, gss_buffer_t localname)
+{
+ return gss_localname(minor_status, pname, GSS_C_NO_OID, localname);
+}
+
OM_uint32 KRB5_CALLCONV
spnego_gss_get_mic(
OM_uint32 *minor_status,

34
SOURCES/Properly-size-ifdef-in-k5_cccol_lock.patch
View File

@ -1,34 +0,0 @@
From bad6d4390e6e23099cc2295d94e2553575687561 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 Feb 2019 11:50:35 -0500
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
The cleanup code only could get executed in the USE_CCAPI_V3 case, so
move it inside that block. Reported by Coverity.
(cherry picked from commit 444a15f9cf82b9a6c1bca3f20307f82fee91c228)
(cherry picked from commit e2a0e04fb3be9297a8c532dd35a7c1045cae88f4)
---
src/lib/krb5/ccache/ccbase.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
index 8198f2b9b..2702bef69 100644
--- a/src/lib/krb5/ccache/ccbase.c
+++ b/src/lib/krb5/ccache/ccbase.c
@@ -511,7 +511,6 @@ krb5_cccol_lock(krb5_context context)
#endif
#ifdef USE_CCAPI_V3
ret = krb5_stdccv3_context_lock(context);
-#endif
if (ret) {
k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
@@ -519,6 +518,7 @@ krb5_cccol_lock(krb5_context context)
k5_cc_mutex_unlock(context, &cccol_lock);
return ret;
}
+#endif
k5_mutex_unlock(&cc_typelist_lock);
return ret;
}

45
SOURCES/Put-KDB-authdata-first.patch
View File

@ -1,45 +0,0 @@
From 684821fc68fd27ddcc5f809a37819edd35365a9d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 1 Feb 2020 16:13:30 +0100
Subject: [PATCH] Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
ticket: 8872 (new)
tags: pullup
target_version: 1.18
target_version: 1.17-next
(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
(cherry picked from commit 1678270de3fda699114122447b1f06b08fb4e53e)
---
src/kdc/kdc_authdata.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 1b067cb0b..616c3eadc 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
if (ret)
return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
- /* Add the KDB authdata to the ticket, without copying or filtering. */
- ret = merge_authdata(context, db_authdata,
- &enc_tkt_reply->authorization_data, FALSE, FALSE);
+ /* Put the KDB authdata first in the ticket. A successful merge places the
+ * combined list in db_authdata and releases the old ticket authdata. */
+ ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+ &db_authdata, FALSE, FALSE);
if (ret)
krb5_free_authdata(context, db_authdata);
+ else
+ enc_tkt_reply->authorization_data = db_authdata;
return ret;
}

480
SOURCES/Refactor-krb5-GSS-checksum-handling.patch Normal file
View File

@ -0,0 +1,480 @@
From c4a49f5b42916fdbb34c72a11adb42ff879c50c3 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 30 Jun 2017 16:03:01 -0400
Subject: [PATCH] Refactor krb5 GSS checksum handling
Separate out checksum handling from kg_accept_krb5() into a new helper
process_checksum().
[ghudson@mit.edu: simplified checksum processing and made it use
k5-input.h instead of TREAD_ macros; moved more flag handling into
helper]
[iboukris: adjusted helper function arguments, allowing access to the
full authenticator for subsequent changes]
(cherry picked from commit 64d56233f9816a2a93f6e8d3030c8ed6ce397735)
[rharwood@redhat.com: problem with typo fix commit, I think]
(cherry picked from commit a34b7c50e62c19f80d39ece6a72017dac781df64)
---
src/lib/gssapi/krb5/accept_sec_context.c | 383 +++++++++++------------
1 file changed, 179 insertions(+), 204 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c5bddb1e8..70dd7fc0c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -98,6 +98,7 @@
*/
#include "k5-int.h"
+#include "k5-input.h"
#include "gssapiP_krb5.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
@@ -413,6 +414,174 @@ kg_process_extension(krb5_context context,
return code;
}
+/* The length of the MD5 channel bindings in an 0x8003 checksum */
+#define CB_MD5_LEN 16
+
+/* The minimum length of an 0x8003 checksum value (4-byte channel bindings
+ * length, 16-byte channel bindings, 4-byte flags) */
+#define MIN_8003_LEN (4 + CB_MD5_LEN + 4)
+
+/* The flags we accept from the initiator's authenticator checksum. */
+#define INITIATOR_FLAGS (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
+ GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE | \
+ GSS_C_IDENTIFY_FLAG | GSS_C_EXTENDED_ERROR_FLAG)
+
+/*
+ * The krb5 GSS mech appropriates the authenticator checksum field from RFC
+ * 4120 to store structured data instead of a checksum, indicated with checksum
+ * type 0x8003 (see RFC 4121 section 4.1.1). Some implementations instead send
+ * no checksum, or a regular checksum over empty data.
+ *
+ * Interpret the checksum. Read delegated creds into *deleg_out if it is not
+ * NULL. Set *flags_out to the allowed subset of token flags, plus
+ * GSS_C_DELEG_FLAG if a delegated credential was present. Process any
+ * extensions found using exts. On error, set *code_out to a krb5_error code
+ * for use as a minor status value.
+ */
+static OM_uint32
+process_checksum(OM_uint32 *minor_status, krb5_context context,
+ gss_channel_bindings_t acceptor_cb,
+ krb5_auth_context auth_context, krb5_flags ap_req_options,
+ krb5_authenticator *authenticator, krb5_gss_ctx_ext_t exts,
+ krb5_gss_cred_id_t *deleg_out, krb5_ui_4 *flags_out,
+ krb5_error_code *code_out)
+{
+ krb5_error_code code = 0;
+ OM_uint32 status, option_id, token_flags;
+ size_t cb_len, option_len;
+ krb5_boolean valid;
+ krb5_key subkey;
+ krb5_data option, empty = empty_data();
+ krb5_checksum cb_cksum;
+ const uint8_t *token_cb, *option_bytes;
+ struct k5input in;
+ const krb5_checksum *cksum = authenticator->checksum;
+
+ cb_cksum.contents = NULL;
+
+ if (cksum == NULL) {
+ /*
+ * Some SMB client implementations use handcrafted GSSAPI code that
+ * does not provide a checksum. MS-KILE documents that the Microsoft
+ * implementation considers a missing checksum acceptable; the server
+ * assumes all flags are unset in this case, and does not check channel
+ * bindings.
+ */
+ *flags_out = 0;
+ } else if (cksum->checksum_type != CKSUMTYPE_KG_CB) {
+ /* Samba sends a regular checksum. */
+ code = krb5_auth_con_getkey_k(context, auth_context, &subkey);
+ if (code) {
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ /* Verifying the checksum ensures that this authenticator wasn't
+ * replayed from one with a checksum over actual data. */
+ code = krb5_k_verify_checksum(context, subkey,
+ KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, &empty,
+ cksum, &valid);
+ krb5_k_free_key(context, subkey);
+ if (code || !valid) {
+ status = GSS_S_BAD_SIG;
+ goto fail;
+ }
+
+ /* Use ap_options from the request to guess the mutual flag. */
+ *flags_out = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+ *flags_out |= GSS_C_MUTUAL_FLAG;
+ } else {
+ /* The checksum must contain at least a fixed 24-byte part. */
+ if (cksum->length < MIN_8003_LEN) {
+ status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
+ k5_input_init(&in, cksum->contents, cksum->length);
+ cb_len = k5_input_get_uint32_le(&in);
+ if (cb_len != CB_MD5_LEN) {
+ code = KG_BAD_LENGTH;
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ token_cb = k5_input_get_bytes(&in, cb_len);
+ if (acceptor_cb != GSS_C_NO_CHANNEL_BINDINGS) {
+ code = kg_checksum_channel_bindings(context, acceptor_cb,
+ &cb_cksum);
+ if (code) {
+ status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+ assert(cb_cksum.length == cb_len);
+ if (k5_bcmp(token_cb, cb_cksum.contents, cb_len) != 0) {
+ status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+ }
+
+ /* Read the token flags and accept some of them as context flags. */
+ token_flags = k5_input_get_uint32_le(&in);
+ *flags_out = token_flags & INITIATOR_FLAGS;
+
+ /* Read the delegated credential if present. */
+ if (in.len >= 4 && (token_flags & GSS_C_DELEG_FLAG)) {
+ option_id = k5_input_get_uint16_le(&in);
+ option_len = k5_input_get_uint16_le(&in);
+ option_bytes = k5_input_get_bytes(&in, option_len);
+ option = make_data((uint8_t *)option_bytes, option_len);
+ if (in.status) {
+ code = KG_BAD_LENGTH;
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+ if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ /* Store the delegated credential. */
+ code = rd_and_store_for_creds(context, auth_context, &option,
+ deleg_out);
+ if (code) {
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+ *flags_out |= GSS_C_DELEG_FLAG;
+ }
+
+ /* Process any extensions at the end of the checksum. Extensions use
+ * 4-byte big-endian tag and length instead of 2-byte little-endian. */
+ while (in.len > 0) {
+ option_id = k5_input_get_uint32_be(&in);
+ option_len = k5_input_get_uint32_be(&in);
+ option_bytes = k5_input_get_bytes(&in, option_len);
+ option = make_data((uint8_t *)option_bytes, option_len);
+ if (in.status) {
+ code = KG_BAD_LENGTH;
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ code = kg_process_extension(context, auth_context, option_id,
+ &option, exts);
+ if (code) {
+ status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ }
+
+ status = GSS_S_COMPLETE;
+
+fail:
+ free(cb_cksum.contents);
+ *code_out = code;
+ return status;
+}
+
static OM_uint32
kg_accept_krb5(minor_status, context_handle,
verifier_cred_handle, input_token,
@@ -433,17 +602,13 @@ kg_accept_krb5(minor_status, context_handle,
krb5_gss_ctx_ext_t exts;
{
krb5_context context;
- unsigned char *ptr, *ptr2;
+ unsigned char *ptr;
char *sptr;
- OM_uint32 tmp;
- size_t md5len;
krb5_gss_cred_id_t cred = 0;
krb5_data ap_rep, ap_req;
- unsigned int i;
krb5_error_code code;
krb5_address addr, *paddr;
krb5_authenticator *authdat = 0;
- krb5_checksum reqcksum;
krb5_gss_name_t name = NULL;
krb5_ui_4 gss_flags = 0;
krb5_gss_ctx_id_rec *ctx = NULL;
@@ -451,8 +616,6 @@ kg_accept_krb5(minor_status, context_handle,
gss_buffer_desc token;
krb5_auth_context auth_context = NULL;
krb5_ticket * ticket = NULL;
- int option_id;
- krb5_data option;
const gss_OID_desc *mech_used = NULL;
OM_uint32 major_status = GSS_S_FAILURE;
OM_uint32 tmp_minor_status;
@@ -463,7 +626,6 @@ kg_accept_krb5(minor_status, context_handle,
krb5int_access kaccess;
int cred_rcache = 0;
int no_encap = 0;
- int token_deleg_flag = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
krb5_authdata_context ad_context = NULL;
@@ -489,7 +651,6 @@ kg_accept_krb5(minor_status, context_handle,
output_token->length = 0;
output_token->value = NULL;
token.value = 0;
- reqcksum.contents = 0;
ap_req.data = 0;
ap_rep.data = 0;
@@ -654,195 +815,16 @@ kg_accept_krb5(minor_status, context_handle,
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
- if (authdat->checksum == NULL) {
- /*
- * Some SMB client implementations use handcrafted GSSAPI code that
- * does not provide a checksum. MS-KILE documents that the Microsoft
- * implementation considers a missing checksum acceptable; the server
- * assumes all flags are unset in this case, and does not check channel
- * bindings.
- */
- gss_flags = 0;
- } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
- /* Samba does not send 0x8003 GSS-API checksums */
- krb5_boolean valid;
- krb5_key subkey;
- krb5_data zero;
+ major_status = process_checksum(minor_status, context, input_chan_bindings,
+ auth_context, ap_req_options,
+ authdat, exts,
+ delegated_cred_handle ? &deleg_cred : NULL,
+ &gss_flags, &code);
- code = krb5_auth_con_getkey_k(context, auth_context, &subkey);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (major_status != GSS_S_COMPLETE)
+ goto fail;
- zero.length = 0;
- zero.data = "";
-
- code = krb5_k_verify_checksum(context,
- subkey,
- KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
- &zero,
- authdat->checksum,
- &valid);
- krb5_k_free_key(context, subkey);
- if (code || !valid) {
- major_status = GSS_S_BAD_SIG;
- goto fail;
- }
-
- /* Use ap_options from the request to guess the mutual flag. */
- gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
- gss_flags |= GSS_C_MUTUAL_FLAG;
- } else {
- /* gss krb5 v1 */
-
- /* stash this now, for later. */
- code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /* verify that the checksum is correct */
-
- /*
- The checksum may be either exactly 24 bytes, in which case
- no options are specified, or greater than 24 bytes, in which case
- one or more options are specified. Currently, the only valid
- option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ).
- */
-
- if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) ||
- (authdat->checksum->length < 24)) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- ptr = (unsigned char *) authdat->checksum->contents;
-
- TREAD_INT(ptr, tmp, 0);
-
- if (tmp != md5len) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /*
- The following section of code attempts to implement the
- optional channel binding facility as described in RFC2743.
-
- Since this facility is optional channel binding may or may
- not have been provided by either the client or the server.
-
- If the server has specified input_chan_bindings equal to
- GSS_C_NO_CHANNEL_BINDINGS then we skip the check. If
- the server does provide channel bindings then we compute
- a checksum and compare against those provided by the
- client. */
-
- if ((code = kg_checksum_channel_bindings(context,
- input_chan_bindings,
- &reqcksum))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- /* Always read the clients bindings - eventhough we might ignore them */
- TREAD_STR(ptr, ptr2, reqcksum.length);
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- }
-
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
-
- /* Read the token flags. Remember if GSS_C_DELEG_FLAG was set, but
- * mask it out until we actually read a delegated credential. */
- TREAD_INT(ptr, gss_flags, 0);
- token_deleg_flag = (gss_flags & GSS_C_DELEG_FLAG);
- gss_flags &= ~GSS_C_DELEG_FLAG;
-
- /* if the checksum length > 24, there are options to process */
-
- i = authdat->checksum->length - 24;
- if (i && token_deleg_flag) {
- if (i >= 4) {
- TREAD_INT16(ptr, option_id, 0);
- TREAD_INT16(ptr, option.length, 0);
- i -= 4;
-
- if (i < option.length) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
-
- TREAD_STR(ptr, ptr2, option.length);
- option.data = (char *) ptr2;
-
- i -= option.length;
-
- if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /* store the delegated credential */
-
- code = rd_and_store_for_creds(context, auth_context, &option,
- (delegated_cred_handle) ?
- &deleg_cred : NULL);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- gss_flags |= GSS_C_DELEG_FLAG;
- } /* if i >= 4 */
- /* ignore any additional trailing data, for now */
- }
- while (i > 0) {
- /* Process Type-Length-Data options */
- if (i < 8) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- TREAD_INT(ptr, option_id, 1);
- TREAD_INT(ptr, option.length, 1);
- i -= 8;
- if (i < option.length) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- TREAD_STR(ptr, ptr2, option.length);
- option.data = (char *)ptr2;
-
- i -= option.length;
-
- code = kg_process_extension(context, auth_context,
- option_id, &option, exts);
- if (code != 0) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
- }
+ major_status = GSS_S_FAILURE;
if (exts->iakerb.conv && !exts->iakerb.verified) {
major_status = GSS_S_BAD_SIG;
@@ -869,12 +851,7 @@ kg_accept_krb5(minor_status, context_handle,
ctx->mech_used = (gss_OID) mech_used;
ctx->auth_context = auth_context;
ctx->initiate = 0;
- ctx->gss_flags = (GSS_C_TRANS_FLAG |
- ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
- GSS_C_EXTENDED_ERROR_FLAG)));
+ ctx->gss_flags = gss_flags | GSS_C_TRANS_FLAG;
ctx->seed_init = 0;
ctx->cred_rcache = cred_rcache;
@@ -1161,8 +1138,6 @@ fail:
krb5_auth_con_free(context, auth_context);
}
- if (reqcksum.contents)
- xfree(reqcksum.contents);
if (ap_rep.data)
krb5_free_data_contents(context, &ap_rep);
if (major_status == GSS_S_COMPLETE ||

79
SOURCES/Refresh-manually-acquired-creds-from-client-keytab.patch Normal file
View File

@ -0,0 +1,79 @@
From fdd97fe6c9f0a3a6ff8d2580ca9f3c46826449b7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 26 Feb 2020 18:27:17 -0500
Subject: [PATCH] Refresh manually acquired creds from client keytab
If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.
[ghudson@mit.edu: adjused code and added test case]
ticket: 7976
(cherry picked from commit 729896467e3c77904666019d6cbbda583ae49b95)
(cherry picked from commit 685aada9eae420cb5156ca7b71c2c7614c0b6e2c)
---
src/lib/gssapi/krb5/acquire_cred.c | 14 +++++++++++---
src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index acc1868f8..4062f4741 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
krb5_boolean
kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
{
- krb5_timestamp now;
+ krb5_timestamp now, soon;
if (krb5_timeofday(context, &now))
return FALSE;
+ soon = ts_incr(now, 30);
if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
- set_refresh_time(context, cred->ccache,
- ts_incr(cred->refresh_time, 30));
+ set_refresh_time(context, cred->ccache, soon);
return TRUE;
}
+
+ /* If the creds will expire soon, try to refresh even if they weren't
+ * acquired with a client keytab. */
+ if (ts_after(soon, cred->expire)) {
+ set_refresh_time(context, cred->ccache, soon);
+ return TRUE;
+ }
+
return FALSE;
}
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index e474a27c7..7847b3ecd 100755
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user'))
realm.run(['./t_ccselect', phost], env=bad_cktname,
expected_msg=realm.user_princ)
+mark('refresh of manually acquired creds')
+
+# Test 17: no name/ccache specified, manually acquired creds which
+# will expire soon. Verify that creds are refreshed using the current
+# client name, with refresh_time set in the refreshed ccache.
+realm.kinit('bob', password('bob'), ['-l', '15s'])
+realm.run(['./t_ccselect', phost], expected_msg='bob')
+realm.run([klist, '-C'], expected_msg='refresh_time = ')
+
+# Test 18: no name/ccache specified, manually acquired creds with a
+# client principal not present in the client keytab. A refresh is
+# attempted but fails, and an expired ticket error results.
+realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])
+msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
+ '/Matching credential not found')
+realm.run(['./t_ccselect', phost], expected_code=1,
+ expected_msg='Ticket expired', expected_trace=msgs)
+
success('Client keytab tests')

472
SOURCES/Use-imported-soft-pkcs11-for-tests.patch
View File

@ -1,472 +0,0 @@
From 43f5837eecd5022c525efcfb3605af16958dc59a Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 20 Jun 2019 13:41:57 -0400
Subject: [PATCH] Use imported soft-pkcs11 for tests
Update the soft-pkcs11 code for OpenSSL 1.1, fix some warnings,
integrate it into the build system, and use it for the PKINIT tests.
(cherry picked from commit e5ef7b69765353ea62ad8712a229ed4e90a8fe17)
(cherry picked from commit 47e66724b9d5cfef84965d99c83d29e4739932e3)
---
src/configure.in | 1 +
src/tests/Makefile.in | 2 +-
src/tests/softpkcs11/Makefile.in | 21 ++++
src/tests/softpkcs11/deps | 6 ++
src/tests/softpkcs11/main.c | 124 +++++++++++++++++-------
src/tests/softpkcs11/softpkcs11.exports | 39 ++++++++
src/tests/t_pkinit.py | 18 +---
7 files changed, 162 insertions(+), 49 deletions(-)
create mode 100644 src/tests/softpkcs11/Makefile.in
create mode 100644 src/tests/softpkcs11/deps
create mode 100644 src/tests/softpkcs11/softpkcs11.exports
diff --git a/src/configure.in b/src/configure.in
index 93aec682e..9f6b67b44 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1086,6 +1086,7 @@ int i = 1;
fi
if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
K5_GEN_MAKEFILE(plugins/preauth/pkinit)
+ K5_GEN_MAKEFILE(tests/softpkcs11)
PKINIT=yes
AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index e27617ee2..ab958eb4c 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,7 +1,7 @@
mydir=tests
BUILDTOP=$(REL)..
SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- gss-threads misc threads
+ gss-threads misc threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
diff --git a/src/tests/softpkcs11/Makefile.in b/src/tests/softpkcs11/Makefile.in
new file mode 100644
index 000000000..e89678154
--- /dev/null
+++ b/src/tests/softpkcs11/Makefile.in
@@ -0,0 +1,21 @@
+mydir=tests$(S)softpkcs11
+BUILDTOP=$(REL)..$(S)..
+
+LOCALINCLUDES = -I$(top_srcdir)/plugins/preauth/pkinit
+
+LIBBASE=softpkcs11
+LIBMAJOR=0
+LIBMINOR=0
+
+SHLIB_EXPLIBS=$(SUPPORT_LIB) -lcrypto
+SHLIB_EXPDEPS=$(SUPPORT_DEPLIB)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/tests/softpkcs11/deps b/src/tests/softpkcs11/deps
new file mode 100644
index 000000000..1e82d9572
--- /dev/null
+++ b/src/tests/softpkcs11/deps
@@ -0,0 +1,6 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/plugins/preauth/pkinit/pkcs11.h main.c
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2acec5169..5255323d3 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2006, Stockholms universitet
* (Stockholm University, Stockholm Sweden)
@@ -31,7 +32,57 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-#include "locl.h"
+#include "k5-platform.h"
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+#include <ctype.h>
+#include <pwd.h>
+
+#include <pkcs11.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+#define RSA_get0_key compat_rsa_get0_key
+static void
+compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+ const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = rsa->n;
+ if (e != NULL)
+ *e = rsa->e;
+ if (d != NULL)
+ *d = rsa->d;
+}
+#endif
+
+#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \
+ { \
+ unsigned char *p; \
+ (BL) = i2d_##T((S), NULL); \
+ if ((BL) <= 0) { \
+ (R) = EINVAL; \
+ } else { \
+ (B) = malloc((BL)); \
+ if ((B) == NULL) { \
+ (R) = ENOMEM; \
+ } else { \
+ p = (B); \
+ (R) = 0; \
+ (BL) = i2d_##T((S), &p); \
+ if ((BL) <= 0) { \
+ free((B)); \
+ (R) = EINVAL; \
+ } \
+ } \
+ } \
+ }
/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */
@@ -124,7 +175,7 @@ st_logf(const char *fmt, ...)
}
static void
-snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
+snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
@@ -141,19 +192,19 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
#endif
#define VERIFY_SESSION_HANDLE(s, state) \
-{ \
- CK_RV ret; \
- ret = verify_session_handle(s, state); \
- if (ret != CKR_OK) { \
- /* return CKR_OK */; \
- } \
-}
+ { \
+ CK_RV vshret; \
+ vshret = verify_session_handle(s, state); \
+ if (vshret != CKR_OK) { \
+ /* return CKR_OK */; \
+ } \
+ }
static CK_RV
verify_session_handle(CK_SESSION_HANDLE hSession,
struct session_state **state)
{
- int i;
+ size_t i;
for (i = 0; i < MAX_NUM_SESSION; i++){
if (soft_token.state[i].session_handle == hSession)
@@ -361,16 +412,20 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
CK_ULONG modulus_bits = 0;
CK_BYTE *exponent = NULL;
size_t exponent_len = 0;
+ RSA *rsa;
+ const BIGNUM *n, *e;
- modulus_bits = BN_num_bits(key->pkey.rsa->n);
+ rsa = EVP_PKEY_get0_RSA(key);
+ RSA_get0_key(rsa, &n, &e, NULL);
+ modulus_bits = BN_num_bits(n);
- modulus_len = BN_num_bytes(key->pkey.rsa->n);
+ modulus_len = BN_num_bytes(n);
modulus = malloc(modulus_len);
- BN_bn2bin(key->pkey.rsa->n, modulus);
+ BN_bn2bin(n, modulus);
- exponent_len = BN_num_bytes(key->pkey.rsa->e);
+ exponent_len = BN_num_bytes(e);
exponent = malloc(exponent_len);
- BN_bn2bin(key->pkey.rsa->e, exponent);
+ BN_bn2bin(e, exponent);
add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
add_object_attribute(o, 0, CKA_MODULUS_BITS,
@@ -378,7 +433,7 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
exponent, exponent_len);
- RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(rsa, RSA_PKCS1_OpenSSL());
free(modulus);
free(exponent);
@@ -474,7 +529,7 @@ add_certificate(char *label,
o->u.cert = cert;
public_key = X509_get_pubkey(o->u.cert);
- switch (EVP_PKEY_type(public_key->type)) {
+ switch (EVP_PKEY_base_id(public_key)) {
case EVP_PKEY_RSA:
key_type = CKK_RSA;
break;
@@ -604,8 +659,8 @@ add_certificate(char *label,
/* XXX verify keytype */
if (key_type == CKK_RSA)
- RSA_set_method(o->u.private_key.key->pkey.rsa,
- RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -755,8 +810,9 @@ CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
+ size_t i;
+
st_logf("Initialize\n");
- int i;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
@@ -825,7 +881,7 @@ C_Initialize(CK_VOID_PTR a)
CK_RV
C_Finalize(CK_VOID_PTR args)
{
- int i;
+ size_t i;
st_logf("Finalize\n");
@@ -1008,7 +1064,7 @@ C_OpenSession(CK_SLOT_ID slotID,
CK_NOTIFY Notify,
CK_SESSION_HANDLE_PTR phSession)
{
- int i;
+ size_t i;
st_logf("OpenSession: slot: %d\n", (int)slotID);
@@ -1050,7 +1106,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession)
CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
- int i;
+ size_t i;
st_logf("CloseAllSessions\n");
@@ -1127,7 +1183,8 @@ C_Login(CK_SESSION_HANDLE hSession,
}
/* XXX check keytype */
- RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -1226,7 +1283,6 @@ C_FindObjectsInit(CK_SESSION_HANDLE hSession,
}
if (ulCount) {
CK_ULONG i;
- size_t len;
print_attributes(pTemplate, ulCount);
@@ -1415,7 +1471,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1445,7 +1501,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1566,7 +1622,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1596,7 +1652,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulEncryptedDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulEncryptedDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1725,7 +1781,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1754,7 +1810,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen + padding_len) {
+ if ((CK_ULONG)buffer_len < ulDataLen + padding_len) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1872,7 +1928,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1900,7 +1956,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1926,7 +1982,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
if (len > buffer_len)
abort();
- if (len != ulSignatureLen) {
+ if ((CK_ULONG)len != ulSignatureLen) {
ret = CKR_GENERAL_ERROR;
goto out;
}
diff --git a/src/tests/softpkcs11/softpkcs11.exports b/src/tests/softpkcs11/softpkcs11.exports
new file mode 100644
index 000000000..aa7284511
--- /dev/null
+++ b/src/tests/softpkcs11/softpkcs11.exports
@@ -0,0 +1,39 @@
+C_CloseAllSessions
+C_CloseSession
+C_Decrypt
+C_DecryptFinal
+C_DecryptInit
+C_DecryptUpdate
+C_DigestInit
+C_Encrypt
+C_EncryptFinal
+C_EncryptInit
+C_EncryptUpdate
+C_Finalize
+C_FindObjects
+C_FindObjectsFinal
+C_FindObjectsInit
+C_GenerateRandom
+C_GetAttributeValue
+C_GetFunctionList
+C_GetInfo
+C_GetMechanismInfo
+C_GetMechanismList
+C_GetObjectSize
+C_GetSessionInfo
+C_GetSlotInfo
+C_GetSlotList
+C_GetTokenInfo
+C_Initialize
+C_InitToken
+C_Login
+C_Logout
+C_OpenSession
+C_Sign
+C_SignFinal
+C_SignInit
+C_SignUpdate
+C_Verify
+C_VerifyFinal
+C_VerifyInit
+C_VerifyUpdate
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 1dadb1b96..384bf1426 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -4,14 +4,7 @@ from k5test import *
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skip_rest('PKINIT tests', 'PKINIT module not built')
-# Check if soft-pkcs11.so is available.
-try:
- import ctypes
- lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
- del lib
- have_soft_pkcs11 = True
-except:
- have_soft_pkcs11 = False
+soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
# Construct a krb5.conf fragment configuring pkinit.
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
@@ -69,9 +62,9 @@ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
p12_generic_identity = 'PKCS12:%s' % generic_p12
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
-p11_identity = 'PKCS11:soft-pkcs11.so'
-p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
+p11_identity = 'PKCS11:' + soft_pkcs11
+p11_token_identity = ('PKCS11:module_name=' + soft_pkcs11 +
+ ':slotid=1:token=SoftToken (token)')
# Start a realm with the test kdb module for the following UPN SAN tests.
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
@@ -398,9 +391,6 @@ realm.klist(realm.user_princ)
realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'],
expected_code=1, expected_msg='Preauthentication failed while')
-if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
realm.env['SOFTPKCS11RC'] = softpkcs11rc

7
SOURCES/krb5-1.15-beta1-buildconf.patch → SOURCES/downstream-Adjust-build-configuration.patch
View File

@ -1,13 +1,16 @@
From 90bf9e3c4a80e7e46e6e00b9d541c6144968cad4 Mon Sep 17 00:00:00 2001
From 4e42a6786a06b7223f27536267492a463a700c76 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
Subject: [PATCH] [downstream] Adjust build configuration
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Last-updated: krb5-1.15-beta1
(cherry picked from commit 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9)
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-

15
SOURCES/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch → SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
View File

@ -1,7 +1,7 @@
From 2a4e2418875b41c3273db5f6b4e9e1b01c1fb5ff Mon Sep 17 00:00:00 2001
From a3f9d8f66a7f2e01aa7b12ef4e2a289d867bb276 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
NB: Use openssl's PRNG in FIPS mode and taint within krad.
@ -17,7 +17,8 @@ AES is fine. Shame about SPAKE though.
post6 restores MD4 (and therefore keygen-only RC4).
(cherry picked from commit 80b56b04d90fcacd9f78fed305c7d5528d863b38)
Last-updated: krb5-1.17
(cherry picked from commit a721df13d09b5fdad32de15e6aa973b732727aa9)
---
src/lib/crypto/krb/prng.c | 11 ++++-
.../crypto/openssl/enc_provider/camellia.c | 6 +++
@ -129,7 +130,7 @@ index a65d57b7a..6ccaca94a 100644
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 957ed8d9c..915da9dbe 100644
index 1e0fb8fc3..feb5eda99 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
@ -165,7 +166,7 @@ index 957ed8d9c..915da9dbe 100644
}
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index b2db6ec02..d94d9ac94 100644
index 7dc59dcc0..769a50c00 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
@ -543,7 +544,7 @@ index 00734a13b..a3ce22b70 100644
vt->name = "spake";
vt->pa_type_list = pa_types;
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
index 59e88409e..1b3e569e9 100644
index 88c964ce1..c7df0392f 100644
--- a/src/plugins/preauth/spake/spake_kdc.c
+++ b/src/plugins/preauth/spake/spake_kdc.c
@@ -41,6 +41,8 @@
@ -555,7 +556,7 @@ index 59e88409e..1b3e569e9 100644
/*
* The SPAKE kdcpreauth module uses a secure cookie containing the following
* concatenated fields (all integer fields are big-endian):
@@ -578,6 +580,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
@@ -571,6 +573,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;

6465
SOURCES/downstream-Remove-3des-support.patch Normal file
View File

File diff suppressed because it is too large Load Diff

102
SOURCES/krb5-1.17-beta1-selinux-label.patch → SOURCES/downstream-SELinux-integration.patch
View File

@ -1,7 +1,7 @@
From 46946e305e4536a56866ff21ac1f6e8ed7c3b814 Mon Sep 17 00:00:00 2001
From 791fe183bf67dcab6d044b23d8daaf4a3a96be48 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch
Subject: [PATCH] [downstream] SELinux integration
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -35,11 +35,14 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Last-updated: krb5-1.18-beta1
(cherry picked from commit 0f8851a23a7b6fa0e195e01d0475e9e55707adf2)
---
src/aclocal.m4 | 49 +++
src/aclocal.m4 | 48 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/configure.ac | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
@ -51,7 +54,6 @@ which we used earlier, is some improvement.
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
@ -61,12 +63,12 @@ which we used earlier, is some improvement.
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 406 ++++++++++++++++++
25 files changed, 587 insertions(+), 21 deletions(-)
24 files changed, 573 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 340546d80..a7afec09e 100644
index 830203683..6796fec53 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
@ -77,7 +79,7 @@ index 340546d80..a7afec09e 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -100,7 +102,7 @@ index 340546d80..a7afec09e 100644
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
@ -171,11 +173,11 @@ index ce87e21ca..917357df9 100644
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
diff --git a/src/configure.in b/src/configure.in
index e9a12ac16..93aec682e 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
diff --git a/src/configure.ac b/src/configure.ac
index d1f576124..440a22bd9 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -185,7 +187,7 @@ index e9a12ac16..93aec682e 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 652242207..8f9329c59 100644
index 9616b24bf..0d9af3d95 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
@ -235,7 +237,7 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c40a6cca8..3ff86d7ff 100644
index 79761f6d2..e9435c693 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@ -252,7 +254,7 @@ index c40a6cca8..3ff86d7ff 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6e1..8301a33d0 100644
index 301e3476d..19f2cc230 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -287,10 +289,10 @@ index c9574c6e1..8301a33d0 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 408c723f5..663fd6303 100644
index fdcd694d7..1ede4bf2f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
@@ -872,7 +872,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -300,10 +302,10 @@ index 408c723f5..663fd6303 100644
return errno;
pid = (unsigned long) getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 68323dd0f..4cc035dc6 100644
index 5622d56e1..356e3e0e6 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -488,6 +488,9 @@ doit(int fd)
@@ -487,6 +487,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
@ -313,7 +315,7 @@ index 68323dd0f..4cc035dc6 100644
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -543,9 +546,15 @@ doit(int fd)
@@ -542,9 +545,15 @@ doit(int fd)
free(name);
exit(1);
}
@ -365,7 +367,7 @@ index 2659a2501..e9b95fce5 100644
retval = errno;
goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e516..73f0fe62d 100644
index 7b100a0ec..5683a0433 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
@ -415,10 +417,10 @@ index bba64e516..73f0fe62d 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 89cb68680..21c80d419 100644
index 021c94398..aaf573439 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@ -436,7 +438,7 @@ index 89cb68680..21c80d419 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 4fff8f38c..40a9e7b10 100644
index 7073459f0..e9b99f4ca 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
@ -448,38 +450,6 @@ index 4fff8f38c..40a9e7b10 100644
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
@ -573,10 +543,10 @@ index d8b26e701..b0daa7c02 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 1ed72afe9..ce038fc3d 100644
index b92cb58c7..0a95101ad 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@ -585,7 +555,7 @@ index 1ed72afe9..ce038fc3d 100644
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -595,7 +565,7 @@ index 1ed72afe9..ce038fc3d 100644
mode_t omask;
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@ -610,7 +580,7 @@ index 1ed72afe9..ce038fc3d 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 24e41fb80..0dcb6b543 100644
index aa951df05..79f9500f6 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
@ -631,10 +601,10 @@ index 24e41fb80..0dcb6b543 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index db7b030b8..321672bcb 100644
index 86d5a950a..1052d53a1 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
@@ -74,6 +74,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -642,7 +612,7 @@ index db7b030b8..321672bcb 100644
init-addrinfo.o \
plugins.o \
errors.o \
@@ -160,7 +161,7 @@ SRCS=\
@@ -168,7 +169,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.

7
SOURCES/krb5-1.9-debuginfo.patch → SOURCES/downstream-fix-debuginfo-with-y.tab.c.patch
View File

@ -1,11 +1,14 @@
From 56954a72afe83cce5168bc139139d7f74c3685d6 Mon Sep 17 00:00:00 2001
From 7f382fc40e082416e90f1e80c9fd0c91afa5baf7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
Last-updated: krb5-1.9
(cherry picked from commit f4002f246332695d8ea12ec803139fcac18fbba2)
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-

49
SOURCES/krb5-1.12.1-pam.patch → SOURCES/downstream-ksu-pam-integration.patch
View File

@ -1,7 +1,7 @@
From 02a10f4b9a8decc8d10f3e045282a0ae7ed1c00d Mon Sep 17 00:00:00 2001
From 664bdd73b620f00d42e36e3888805fe0f035c8ee Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
Subject: [PATCH] [downstream] ksu pam integration
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
@ -16,25 +16,29 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
Last-updated: krb5-1.18-beta1
(cherry picked from commit a7322a84657752c886c317a6994a9fc7a4a70ca5)
---
src/aclocal.m4 | 67 +++++++
src/aclocal.m4 | 69 +++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 88 +++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 ++++++
src/configure.in | 2 +
6 files changed, 608 insertions(+), 3 deletions(-)
src/configure.ac | 2 +
6 files changed, 610 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..340546d80 100644
index 2394f7e33..830203683 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
dnl
+dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
@ -102,12 +106,13 @@ index 3752d9bd5..340546d80 100644
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
+
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index b2fcbf240..5755bb58a 100644
index 8b4edce4d..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
@ -141,7 +146,7 @@ index b2fcbf240..5755bb58a 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d948..ec06788bc 100644
index 57c349200..508242e0e 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@ -171,7 +176,7 @@ index d9596d948..ec06788bc 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -528,6 +534,23 @@ main (argc, argv)
@@ -536,6 +542,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -195,7 +200,7 @@ index d9596d948..ec06788bc 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -588,6 +611,24 @@ main (argc, argv)
@@ -596,6 +619,24 @@ main (argc, argv)
exit(1);
}
@ -220,7 +225,7 @@ index d9596d948..ec06788bc 100644
}
if( some_rest_copy){
@@ -645,6 +686,30 @@ main (argc, argv)
@@ -653,6 +694,30 @@ main (argc, argv)
exit(1);
}
@ -251,7 +256,7 @@ index d9596d948..ec06788bc 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -742,7 +807,7 @@ main (argc, argv)
@@ -750,7 +815,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -260,7 +265,7 @@ index d9596d948..ec06788bc 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -772,16 +837,35 @@ main (argc, argv)
@@ -780,16 +845,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -755,11 +760,11 @@ index 000000000..0ab76569c
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.in b/src/configure.in
index 61ef738dc..e9a12ac16 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
diff --git a/src/configure.ac b/src/configure.ac
index 234f4281c..d1f576124 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)

11
SOURCES/krb5-1.3.1-dns.patch → SOURCES/downstream-netlib-and-dns.patch
View File

@ -1,18 +1,21 @@
From 19f0dc268c127fb51c4bb8c106104eee67119cca Mon Sep 17 00:00:00 2001
From 0a164c9c53a6f8ce20cfe5c6ef94ae5a2c2e9e28 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
Subject: [PATCH] [downstream] netlib and dns
We want to be able to use --with-netlib and --enable-dns at the same time.
Last-updated: krb5-1.3.1
(cherry picked from commit 355dd481511af4d517ee540854f95a6fb12116a9)
---
src/aclocal.m4 | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index a7afec09e..db18226ed 100644
index 6796fec53..c4358988a 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -726,6 +726,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
@@ -724,6 +724,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi

2
SOURCES/kdc.conf
View File

@ -9,5 +9,5 @@ EXAMPLE.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}

21
SOURCES/krb5-1.11-kpasswdtest.patch
View File

@ -1,21 +0,0 @@
From 174fddfa0c7d0d5c0f12d1531bc791865b630596 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
---
src/kadmin/testing/proto/krb5.conf.proto | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
index 00c442978..9c4bc1de7 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -9,6 +9,7 @@
__REALM__ = {
kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751
+ kpasswd_server = __KDCHOST__:1752
database_module = foobar_db2_module_blah
}

44
SOURCES/krb5-1.11-run_user_0.patch
View File

@ -1,44 +0,0 @@
From f19ee759c49fac6477ef77eb4a0be41118add1f5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too.
---
src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index 73f0fe62d..4850c0d07 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -61,6 +61,8 @@
#include <dirent.h>
+#define ROOT_SPECIAL_DCC_PARENT "/run/user/0"
+
extern const krb5_cc_ops krb5_dcc_ops;
extern const krb5_cc_ops krb5_fcc_ops;
@@ -237,6 +239,18 @@ verify_dir(krb5_context context, const char *dirname)
if (stat(dirname, &st) < 0) {
if (errno == ENOENT) {
+ if (strncmp(dirname, ROOT_SPECIAL_DCC_PARENT "/",
+ sizeof(ROOT_SPECIAL_DCC_PARENT)) == 0 &&
+ stat(ROOT_SPECIAL_DCC_PARENT, &st) < 0 &&
+ errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(ROOT_SPECIAL_DCC_PARENT);
+#endif
+ status = mkdir(ROOT_SPECIAL_DCC_PARENT, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ }
#ifdef USE_SELINUX
selabel = krb5int_push_fscreatecon_for(dirname);
#endif

37
SOURCES/krb5-1.12-api.patch
View File

@ -1,37 +0,0 @@
From 3bac1a71756c634fe6b8cb3858ee9df87b1a660d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index a6936107d..0ed78833b 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm;
+ if (princ1 == NULL || princ2 == NULL)
+ return FALSE;
+ if (realm1 == NULL || realm2 == NULL)
+ return FALSE;
if (realm1->length != realm2->length)
return FALSE;
if (realm1->length == 0)
@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if (princ1 == NULL || princ2 == NULL)
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {

22
SOURCES/krb5-1.12-ksu-path.patch
View File

@ -1,22 +0,0 @@
From ef8aa0a18c2bd2f960942380202a5fa992e2c7b3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 5755bb58a..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@

366
SOURCES/krb5-1.12-ktany.patch
View File

@ -1,366 +0,0 @@
From 2ca8d242b1cac8abdb35bf0068e5d78300e07c3c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
---
src/lib/krb5/keytab/Makefile.in | 3 +
src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++
src/lib/krb5/keytab/ktbase.c | 7 +-
3 files changed, 301 insertions(+), 1 deletion(-)
create mode 100644 src/lib/krb5/keytab/kt_any.c
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 2a8fceb00..ffd179fb2 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -12,6 +12,7 @@ STLIBOBJS= \
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_memory.o \
kt_srvtab.o \
@@ -24,6 +25,7 @@ OBJS= \
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_memory.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
@@ -36,6 +38,7 @@ SRCS= \
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_memory.c \
$(srcdir)/kt_srvtab.c \
diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c
new file mode 100644
index 000000000..1b9b7765b
--- /dev/null
+++ b/src/lib/krb5/keytab/kt_any.c
@@ -0,0 +1,292 @@
+/*
+ * lib/krb5/keytab/kt_any.c
+ *
+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_kta_ops
+ */
+
+#include "k5-int.h"
+
+typedef struct _krb5_ktany_data {
+ char *name;
+ krb5_keytab *choices;
+ int nchoices;
+} krb5_ktany_data;
+
+typedef struct _krb5_ktany_cursor_data {
+ int which;
+ krb5_kt_cursor cursor;
+} krb5_ktany_cursor_data;
+
+static krb5_error_code krb5_ktany_resolve
+ (krb5_context,
+ const char *,
+ krb5_keytab *);
+static krb5_error_code krb5_ktany_get_name
+ (krb5_context context,
+ krb5_keytab id,
+ char *name,
+ unsigned int len);
+static krb5_error_code krb5_ktany_close
+ (krb5_context context,
+ krb5_keytab id);
+static krb5_error_code krb5_ktany_get_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_const_principal principal,
+ krb5_kvno kvno,
+ krb5_enctype enctype,
+ krb5_keytab_entry *entry);
+static krb5_error_code krb5_ktany_start_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursorp);
+static krb5_error_code krb5_ktany_next_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
+ krb5_kt_cursor *cursor);
+static krb5_error_code krb5_ktany_end_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursor);
+static void cleanup
+ (krb5_context context,
+ krb5_ktany_data *data,
+ int nchoices);
+
+struct _krb5_kt_ops krb5_kta_ops = {
+ 0,
+ "ANY", /* Prefix -- this string should not appear anywhere else! */
+ krb5_ktany_resolve,
+ krb5_ktany_get_name,
+ krb5_ktany_close,
+ krb5_ktany_get_entry,
+ krb5_ktany_start_seq_get,
+ krb5_ktany_next_entry,
+ krb5_ktany_end_seq_get,
+ NULL,
+ NULL,
+ NULL,
+};
+
+static krb5_error_code
+krb5_ktany_resolve(context, name, id)
+ krb5_context context;
+ const char *name;
+ krb5_keytab *id;
+{
+ const char *p, *q;
+ char *copy;
+ krb5_error_code kerror;
+ krb5_ktany_data *data;
+ int i;
+
+ /* Allocate space for our data and remember a copy of the name. */
+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL)
+ return(ENOMEM);
+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) {
+ free(data);
+ return(ENOMEM);
+ }
+ strcpy(data->name, name);
+
+ /* Count the number of choices and allocate memory for them. */
+ data->nchoices = 1;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1)
+ data->nchoices++;
+ if ((data->choices = (krb5_keytab *)
+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) {
+ free(data->name);
+ free(data);
+ return(ENOMEM);
+ }
+
+ /* Resolve each of the choices. */
+ i = 0;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) {
+ /* Make a copy of the choice name so we can terminate it. */
+ if ((copy = (char *)malloc(q - p + 1)) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ memcpy(copy, p, q - p);
+ copy[q - p] = 0;
+
+ /* Try resolving the choice name. */
+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]);
+ free(copy);
+ if (kerror) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+ i++;
+ }
+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+
+ /* Allocate and fill in an ID for the caller. */
+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ (*id)->ops = &krb5_kta_ops;
+ (*id)->data = (krb5_pointer)data;
+ (*id)->magic = KV5M_KEYTAB;
+
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_name(context, id, name, len)
+ krb5_context context;
+ krb5_keytab id;
+ char *name;
+ unsigned int len;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ if (len < strlen(data->name) + 1)
+ return(KRB5_KT_NAME_TOOLONG);
+ strcpy(name, data->name);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_close(context, id)
+ krb5_context context;
+ krb5_keytab id;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ cleanup(context, data, data->nchoices);
+ id->ops = 0;
+ free(id);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_const_principal principal;
+ krb5_kvno kvno;
+ krb5_enctype enctype;
+ krb5_keytab_entry *entry;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_error_code kerror = KRB5_KT_NOTFOUND;
+ int i;
+
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal,
+ kvno, enctype, entry)) != ENOENT)
+ return kerror;
+ }
+ return kerror;
+}
+
+static krb5_error_code
+krb5_ktany_start_seq_get(context, id, cursorp)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursorp;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata;
+ krb5_error_code kerror = ENOENT;
+ int i;
+
+ if ((cdata = (krb5_ktany_cursor_data *)
+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL)
+ return(ENOMEM);
+
+ /* Find a choice which can handle the serialization request. */
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i],
+ &cdata->cursor)) == 0)
+ break;
+ else if (kerror != ENOENT) {
+ free(cdata);
+ return(kerror);
+ }
+ }
+
+ if (i == data->nchoices) {
+ /* Everyone returned ENOENT, so no go. */
+ free(cdata);
+ return(kerror);
+ }
+
+ cdata->which = i;
+ *cursorp = (krb5_kt_cursor)cdata;
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_next_entry(context, id, entry, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_keytab_entry *entry;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+
+ choice_id = data->choices[cdata->which];
+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor));
+}
+
+static krb5_error_code
+krb5_ktany_end_seq_get(context, id, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+ krb5_error_code kerror;
+
+ choice_id = data->choices[cdata->which];
+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor);
+ free(cdata);
+ return(kerror);
+}
+
+static void
+cleanup(context, data, nchoices)
+ krb5_context context;
+ krb5_ktany_data *data;
+ int nchoices;
+{
+ int i;
+
+ free(data->name);
+ for (i = 0; i < nchoices; i++)
+ krb5_kt_close(context, data->choices[i]);
+ free(data->choices);
+ free(data);
+}
diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
index 0d39b2940..6534d7c52 100644
--- a/src/lib/krb5/keytab/ktbase.c
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
extern const krb5_kt_ops krb5_mkt_ops;
+extern const krb5_kt_ops krb5_kta_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
const struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_any = {
+ &krb5_kta_ops,
+ NULL
+};
const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
- NULL
+ &krb5_kt_typelist_any
};
const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
&krb5_mkt_ops,

75
SOURCES/krb5-1.13-dirsrv-accountlock.patch
View File

@ -1,75 +0,0 @@
From 1dc051d5964aba0b8cd3d01f063ffc28253456de Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
---
src/aclocal.m4 | 9 +++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++
.../kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++
3 files changed, 29 insertions(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index db18226ed..518b1a547 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1678,6 +1678,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes
fi
+AC_ARG_WITH([dirsrv-account-locking],
+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
+esac], with_dirsrv_account_locking=no)
+if test $with_dirsrv_account_locking = yes; then
+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
+fi
])dnl
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5b9d1e9fa..4e7270065 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1652,6 +1652,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+ &attr_present);
+ if (ret)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index d722dbfa6..5e8e9a897 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+ "nsAccountLock",
+#endif
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbPrincipalAuthInd",

17
SOURCES/krb5-1.17.tar.gz.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJcNMxOAAoJEAy6CFdfg3LfjAwP/2/oQe+4Bs/XwZTwNfakTbBl
YHSY8MNAHIKsLh6Bn+SJBQQXSE0fEsm0hYH+JWz85+mzlZk7TbNZUI+zeikhLxi6
+d8MMQBpk2mQN0dkIeWjTdfkcThGCDSL7l0fh3MuEfN5C7QPAPD1JL1ZeqXPH5AV
PSQRC9s2wiOTwwuHM2i27rZ7gdhL/xfJ3ZPUFJH4klRgszwp9j10I/nh4/XyS/wB
82umjfusFPa9VNSPzm1jm94oRmALkR3CHGvmku2XD3YOv/f5yO8C1cHWNNLxg+5h
EqVv05ddb6iLku4fRhkEjfN3VgCtEvXuMkuAXppkDJJ7wWxMBWgCIr1DS/x7LfbL
CI0ZTejn8HCUBNmRWsKkUuebgHJ7ccch8p/Fp0cV4eT1FL35N2oV51u7+/zK6R8y
1dygUF2VWFOqwm8cyczdFue7dFQVDGCw7R2eK5lXY3NpZVmJblQ/gNLMcbOxGBis
H2dOzSn+CnxlD/2LqOZnhQ1WnGBhOMxoINwX/MQsIvkwAFaM1EsdhPIP/6mSVA/g
p04+YQ2u2ag7Pq3zHsMIonC18w4ZqDPcvXvOXqCHtlQBDAMtb927XvjoTNj5W8Ei
jywxqdWuuqalmrKGPEsKVOJZN6xg7UTgaKzcvQTvW7D3gLbrTT2iM++VKB3vh9V9
SkULnR3c7fKMzFeLb/Q2
=4hZX
-----END PGP SIGNATURE-----

103
SOURCES/krb5-1.17post2-DES-3DES-fixups.patch
View File

@ -1,103 +0,0 @@
From fe66536c1b7aec67233739df97cbe0301ee6475e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 19 Nov 2019 15:03:19 -0500
Subject: [PATCH] krb5-1.17post2 DES/3DES fixups
Kept separate from the other patch because rawhide doesn't have DES.
post2 adds krb5kdf workarounds.
---
src/lib/crypto/krb/derive.c | 6 +++++-
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
index 915a173dd..ebdab69bc 100644
--- a/src/lib/crypto/krb/derive.c
+++ b/src/lib/crypto/krb/derive.c
@@ -348,6 +348,7 @@ cleanup:
zapfree(prf.data, blocksize);
return ret;
}
+#endif /* OSSL_KDFS */
static krb5_error_code
builtin_derive_random_rfc3961(const struct krb5_enc_provider *enc,
@@ -400,7 +401,6 @@ cleanup:
zapfree(block.data, blocksize);
return ret;
}
-#endif /* OSSL_KDFS */
krb5_error_code
k5_sp800_108_counter_hmac(const struct krb5_hash_provider *hash,
@@ -432,6 +432,10 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc,
krb5_key inkey, krb5_data *outrnd,
const krb5_data *in_constant)
{
+ /* DES (single and triple). They'll be gone very soon. */
+ if (enc->keylength == 8 || enc->keylength == 24)
+ return builtin_derive_random_rfc3961(enc, inkey, outrnd, in_constant);
+
#ifdef OSSL_KDFS
return openssl_krb5kdf(enc, inkey, outrnd, in_constant);
#else
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
DES_key_schedule sched;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;

16
SOURCES/krb5-1.18.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl7H9FAACgkQDLoIV1+D
ct+rjxAAqLlDjeExNw1sJyyjaAKzo7vGzK0tFVouMglmmGcyluVwsqu9B2uHw3UC
TIm4bn1rgGtUB5oKWmbeD+hiuoAghLDa6gSrmDDkJfFR+o/K/vE7BGZewrrp7QJ5
jJnEhjuY9O+ZFM/ZNEwHa4/RNG1ga5uJUrfdlNkTUMFje5d1TXvx/ozuSk4bAUTF
nqHuJsyRAuhKcqTOZ9nr5a54me97CbWj7Be6sA7LQVaFDPyWcJCQsBHjFyextTOF
3ewsF7330B3oO8yE9/f+nxFq/x9ot6CctMXZqLzhbvdzcO2GwmwbvXy73ibhvjVU
w9n/zQ1xDjRO0z1wfM54Vq1upQW78+YXA33fEX6od0WBzdiR/o7hfU3arg/WraUy
pVcD9V7jvYhGPpqYwEdRhs4qROhAh/yvebZ+MVe/1Pd8kA4tTXtR+VmVkp21X3cq
+19eTz7actQemfdsUvfcL8guub0Mea/l+1l3cEHl20FOEeZ8RjpPMisYS9IrJ52O
3lro26vYFSWS4+U9j4gwdjuQwLS3xHuPZFwS7aykKGsIQ1r8l5Yb0xorDXXKKLjm
z4DNPaZbxxfcGhDWKTlDudrXEIAGTOD4FC1SJBV3hbqUsv4EH+EJnf92rmVMJ5z/
AmeUKsL02Abl3BjhwaLWmhIwoXIUhcI/5xNsoI6ePCAT2HLyJlE=
=fGT7
-----END PGP SIGNATURE-----

26
SOURCES/Use-backported-version-of-OpenSSL-3-KDF-interface.patch → SOURCES/rhel-Use-backported-version-of-OpenSSL-3-KDF-interfa.patch
View File

@ -1,20 +1,20 @@
From 5e147f7f2924edfd278940dea8b1d8ed09d6872c Mon Sep 17 00:00:00 2001
From 396ce77f48f758efa090aadd00cd7208e7e97491 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
Subject: [PATCH] [rhel] Use backported version of OpenSSL-3 KDF interface
(cherry picked from commit 0e20daf7ccfe50518c89735c3dae2fde08d92325)
---
src/configure.in | 4 +
src/configure.ac | 4 +
src/lib/crypto/krb/derive.c | 356 +++++++++++++-----
.../preauth/pkinit/pkinit_crypto_openssl.c | 257 ++++++++-----
3 files changed, 428 insertions(+), 189 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index 9f6b67b44..cf4b1139a 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -269,6 +269,10 @@ AC_SUBST(CRYPTO_IMPL)
diff --git a/src/configure.ac b/src/configure.ac
index d4e4da525..29be532cb 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -282,6 +282,10 @@ AC_SUBST(CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL_CFLAGS)
AC_SUBST(CRYPTO_IMPL_LIBS)
@ -440,7 +440,7 @@ index 6707a7308..915a173dd 100644
return k5_sp800_108_counter_hmac(hash, inkey, outrnd, in_constant,
&empty);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5ff81d8cf..8d2c230c8 100644
index 52976895b..dd718c2be 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -38,6 +38,13 @@
@ -457,7 +457,7 @@ index 5ff81d8cf..8d2c230c8 100644
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
@@ -2460,11 +2467,51 @@ pkinit_alg_values(krb5_context context,
@@ -2331,11 +2338,51 @@ pkinit_alg_values(krb5_context context,
}
} /* pkinit_alg_values() */
@ -513,7 +513,7 @@ index 5ff81d8cf..8d2c230c8 100644
*
* 1. reps = keydatalen (K) / hash length (H)
*
@@ -2478,95 +2525,16 @@ pkinit_alg_values(krb5_context context,
@@ -2349,95 +2396,16 @@ pkinit_alg_values(krb5_context context,
*
* 4. Set key = Hash1 || Hash2 || ... so that length of key is K bytes.
*/
@ -614,7 +614,7 @@ index 5ff81d8cf..8d2c230c8 100644
/* 2. Initialize a 32-bit, big-endian bit string counter as 1.
* 3. For i = 1 to reps by 1, do the following:
@@ -2600,8 +2568,9 @@ pkinit_alg_agility_kdf(krb5_context context,
@@ -2471,8 +2439,9 @@ pkinit_alg_agility_kdf(krb5_context context,
goto cleanup;
}
@ -626,7 +626,7 @@ index 5ff81d8cf..8d2c230c8 100644
krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
"Call to OpenSSL EVP_DigestUpdate() returned an error.");
retval = KRB5_CRYPTO_INTERNAL;
@@ -2613,26 +2582,110 @@ pkinit_alg_agility_kdf(krb5_context context,
@@ -2484,26 +2453,110 @@ pkinit_alg_agility_kdf(krb5_context context,
EVP_MD_CTX_free(ctx);
ctx = NULL;
}

107
SPECS/krb5.spec
View File

@ -12,13 +12,13 @@
%global prerelease %{nil}
# Should be in form 5.0, 6.1, etc.
%global kdbversion 7.0
%global kdbversion 8.0
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 18%{?dist}
Release: 5%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -46,37 +46,33 @@ Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
Source39: krb5-krb5kdc.conf
Patch26: krb5-1.12.1-pam.patch
Patch27: krb5-1.17-beta1-selinux-label.patch
Patch28: krb5-1.12-ksu-path.patch
Patch29: krb5-1.12-ktany.patch
Patch30: krb5-1.15-beta1-buildconf.patch
Patch31: krb5-1.3.1-dns.patch
Patch32: krb5-1.12-api.patch
Patch33: krb5-1.13-dirsrv-accountlock.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
Patch88: Add-tests-for-KCM-ccache-type.patch
Patch89: Properly-size-ifdef-in-k5_cccol_lock.patch
Patch90: Fix-memory-leak-in-none-replay-cache-type.patch
Patch91: Address-some-optimized-out-memset-calls.patch
Patch95: In-rd_req_dec-always-log-non-permitted-enctypes.patch
Patch96: In-kpropd-debug-log-proper-ticket-enctype-names.patch
Patch97: Make-etype-names-in-KDC-logs-human-readable.patch
Patch98: Mark-deprecated-enctypes-when-used.patch
Patch99: Add-function-and-enctype-flag-for-deprecations.patch
Patch100: Fix-argument-order-on-strlcpy-in-enctype_name.patch
Patch101: Fix-KCM-client-time-offset-propagation.patch
Patch102: Add-soft-pkcs11-source-code.patch
Patch103: Use-imported-soft-pkcs11-for-tests.patch
Patch104: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
Patch105: Fix-memory-leaks-in-soft-pkcs11-code.patch
Patch106: Avoid-alignment-warnings-in-openssl-rc4.c.patch
Patch107: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
Patch108: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch109: krb5-1.17post2-DES-3DES-fixups.patch
Patch110: Put-KDB-authdata-first.patch
Patch1: downstream-ksu-pam-integration.patch
Patch2: downstream-SELinux-integration.patch
Patch3: downstream-Adjust-build-configuration.patch
Patch4: downstream-netlib-and-dns.patch
Patch5: downstream-fix-debuginfo-with-y.tab.c.patch
Patch6: downstream-Remove-3des-support.patch
Patch7: rhel-Use-backported-version-of-OpenSSL-3-KDF-interfa.patch
Patch108: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch110: Allow-certauth-modules-to-set-hw-authent-flag.patch
Patch112: Refresh-manually-acquired-creds-from-client-keytab.patch
Patch114: Add-finalization-safety-check-to-com_err.patch
Patch115: Eliminate-redundant-PKINIT-responder-invocation.patch
Patch116: Correctly-import-service-GSS-host-based-name.patch
Patch117: Do-expiration-warnings-for-all-init_creds-APIs.patch
Patch118: Pass-gss_localname-through-SPNEGO.patch
Patch119: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
Patch120: Fix-typo-in-in-in-the-ksu-man-page.patch
Patch121: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
Patch122: Improve-negoex_parse_token-code-hygiene.patch
Patch123: Refactor-krb5-GSS-checksum-handling.patch
Patch124: Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
Patch125: Implement-KERB_AP_OPTIONS_CBT-server-side.patch
Patch126: Add-client_aware_channel_bindings-option.patch
Patch127: Pass-channel-bindings-through-SPNEGO.patch
Patch128: Add-channel-bindings-tests.patch
Patch129: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
Patch130: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -262,9 +258,6 @@ interface is not considered stable.
%autosetup -S git -n %{name}-%{version}%{prerelease} -a 3
ln NOTICE LICENSE
# Take the execute bit off of documentation.
chmod -x doc/ccapi/*.html
# Generate an FDS-compatible LDIF file.
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
cat > '60kerberos.ldif' << EOF
@ -690,6 +683,46 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Aug 04 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5
- Fix leak in KERB_AP_OPTIONS_CBT server support
- Resolves: #1860831
* Tue Jul 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-4
- Ignore bad enctypes in krb5_string_to_keysalts()
- Resolves: #1858322
* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-3
- Match Heimdal behavior for channel bindings
- Code hygiene + test stability fix included
- Resolves: #1840518
* Wed May 27 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-2
- Drop DES3 from sample kdc.conf
- Resolves: #1802334
* Fri May 22 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-1
- New upstream release (1.18.2)
- Resolves: #1802334
* Fri May 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-3
- Omit KDC indicator check for S4U2Self requests
- Resolves: #1802334
* Tue Apr 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-2
- Pass gss_localname() through SPNEGO
- Resolves: #1802334
* Tue Apr 14 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-1
- New upstream version (1.18.1)
- Resolves: #1802334
* Tue Apr 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-1
- New upstream version (1.18)
- Resolves: #1802334
- Resolves: #1820311
- Resolves: #1791062
- Resolves: #1784655
* Wed Feb 19 2020 Robbie Harwood <rharwood@redhat.com> - 1.17-18
- Put KDB authdata first
- Resolves: #1800575