rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

In FIPS mode, add plaintext fallback for RC4 usages and taint

Browse Source
This commit is contained in:
Robbie Harwood 2018-08-01 15:11:35 -04:00
parent d21edd514c
commit ef8eae7c7b
55 changed files with 332 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch
View File

@ -13,7 +13,6 @@ compiled as part of "make test-vectors" and not as part of the regular
build.
(cherry picked from commit 78a09d95dff6915da4079bc611f4bb95f6a95f70)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-spake.h | 107 +++++++++++++++++++++++++++
src/lib/krb5/asn.1/asn1_k_encode.c | 52 ++++++++++++-

1
Add-PKINIT-KDC-support-for-freshness-token.patch
View File

@ -24,7 +24,6 @@ the RSA test.
ticket: 8648
(cherry picked from commit 4a9050df0bc34bfb08ba24462d6e2514640f4b8e)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/conf_files/kdc_conf.rst | 4 +
doc/admin/pkinit.rst | 25 +++++

1
Add-PKINIT-client-support-for-freshness-token.patch
View File

@ -10,7 +10,6 @@ freshnessToken field of pkAuthenticator
ticket: 8648
(cherry picked from commit 085785362e01467cb25c79a90dcebfba9ea019d8)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/user/user_commands/kinit.rst | 3 +++
src/include/k5-int-pkinit.h | 1 +

1
Add-SPAKE-preauth-support.patch
View File

@ -47,7 +47,6 @@ registry contents; implemented P-384 and P-521]
ticket: 8647 (new)
(cherry picked from commit 7447259401569c92b1fb2e31cb02edbbffd67d35)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
NOTICE | 51 +
doc/admin/conf_files/kdc_conf.rst | 22 +-

1
Add-doc-index-entries-for-SPAKE-constants.patch
View File

@ -5,7 +5,6 @@ Subject: [PATCH] Add doc index entries for SPAKE constants
ticket: 8647
(cherry picked from commit c010c9031753f356bb380e8a1324cc34721f8221)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/appdev/refs/macros/index.rst | 2 ++
1 file changed, 2 insertions(+)

1
Add-flag-to-disable-encrypted-timestamp-on-client.patch
View File

@ -5,7 +5,6 @@ Subject: [PATCH] Add flag to disable encrypted timestamp on client
ticket: 8655
(cherry picked from commit 4ad376134b8d456392edbac7a7d351e6c7a7f0e7)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/conf_files/krb5_conf.rst | 10 ++++++++++
doc/admin/spake.rst | 8 ++++++++

1
Add-k5_buf_add_vfmt-to-k5buf-interface.patch
View File

@ -4,7 +4,6 @@ Date: Thu, 4 Jan 2018 14:35:12 -0500
Subject: [PATCH] Add k5_buf_add_vfmt to k5buf interface
(cherry picked from commit f05766469efc2a055085c0bcf9d40c4cdf47fe36)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-buf.h | 8 ++++++
src/util/support/k5buf.c | 26 +++++++++++--------

1
Add-k5_dir_filenames-to-libkrb5support.patch
View File

@ -7,7 +7,6 @@ Add a support function to get a list of filenames from a directory in
sorted order.
(cherry picked from commit 27534121eb39089ff4335d8b465027e9ba783682)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-platform.h | 7 +
src/util/support/Makefile.in | 3 +

1
Add-k5test-mark-function.patch
View File

@ -8,7 +8,6 @@ by allowing the script to output marks, and displaying the most recent
mark with command failures.
(cherry picked from commit 4e813204ac3dace93297f47d64dfc0aaecc370f8)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util/k5test.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)

1
Add-libkrb5support-hex-functions-and-tests.patch
View File

@ -5,7 +5,6 @@ Subject: [PATCH] Add libkrb5support hex functions and tests
(cherry picked from commit 720dea558da0062d3cea4385327161e62cf09a5e)
[rharwood@redhat.com Remove .gitignore]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-hex.h | 53 ++++++
src/util/support/Makefile.in | 15 +-

1
Add-vector-support-to-k5_sha256.patch
View File

@ -8,7 +8,6 @@ to k5_sha256(), for efficient computation of SHA-256 hashes over
concatenations of data values.
(cherry picked from commit 4f3373e8c55b3e9bdfb5b065e07214c5816c85fa)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-int.h | 4 ++--
src/lib/crypto/builtin/sha2/sha256.c | 6 ++++--

1
Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
View File

@ -19,7 +19,6 @@ spake_prep_questions() without a prototype.
ticket: 8659
(cherry picked from commit f240f1b0d324312be8aa59ead7cfbe0c329ed064)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/plugins/preauth/spake/spake_client.c | 111 ++++++++++++++---------
1 file changed, 66 insertions(+), 45 deletions(-)

1
Convert-Python-tests-to-Python-3.patch
View File

@ -9,7 +9,6 @@ test code to conform to Python 3.
ticket: 8710 (new)
(cherry picked from commit e23d24beacb73581bbf4351250f3955e6fd44361)
[rharwood@redhat.com: Context skew due to not having LMDB in tests]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/Makefile.in | 1 +
src/configure.in | 6 ++--

1
Eliminate-preprocessor-disabled-dead-code.patch
View File

@ -10,7 +10,6 @@ these dead hunks along with the complexity to support them.
(cherry picked from commit 2bc951d3c88b460a16249115cbd51d69c3c57e22)
[rharwood@redhat.com: context skew]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/ccapi/common/win/OldCC/ccutils.c | 6 --
src/ccapi/common/win/OldCC/ccutils.h | 3 -

1
Exit-with-status-0-from-kadmind.patch
View File

@ -14,7 +14,6 @@ weird return code has been present since the addition of the kadmin
code, which used a similar event model for signals.
(cherry picked from commit f970ad412aca36f8a7d3addb1cd4026ed22e5592)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/server/ovsec_kadmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

1
Explicitly-look-for-python2-in-configure.in.patch
View File

@ -15,7 +15,6 @@ doesn't need a #!/usr/bin/python header.
ticket: 8709 (new)
(cherry picked from commit 2bd410ecdb366083fe9b4e5f6ac4b741b624230b)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/appl/gss-sample/t_gss_sample.py | 2 --
src/appl/user_user/t_user2user.py | 1 -

1
Fix-SPAKE-memory-leak.patch
View File

@ -10,7 +10,6 @@ data object to avoid a harmless uninitialized memory copy.
ticket: 8647
(cherry picked from commit 70b88b8018658e052d6eabf06f8fdad17fbe993c)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/plugins/preauth/spake/openssl.c | 1 +
src/plugins/preauth/spake/spake_kdc.c | 1 +

1
Fix-hex-conversion-of-PKINIT-certid-strings.patch
View File

@ -12,7 +12,6 @@ commit message]
ticket: 8636
(cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
.../preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++----
1 file changed, 44 insertions(+), 11 deletions(-)

1
Fix-k5test-prompts-for-Python-3.patch
View File

@ -9,7 +9,6 @@ flushes to make prompts visible in k5test.py.
ticket: 8710
(cherry picked from commit 297535b72177dcced036b78107e9d0e37781c7a3)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util/k5test.py | 2 ++
1 file changed, 2 insertions(+)

1
Fix-read-overflow-in-KDC-sort_pa_data.patch
View File

@ -15,7 +15,6 @@ instead get the count from the prior loop by stopping once we move all
of the key-replacing modules to the front.
(cherry picked from commit b38e318cea18fd65647189eed64aef83bf1cb772)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/kdc_preauth.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

1
Fix-securid_sam2-preauth-for-non-default-salt.patch
View File

@ -8,7 +8,6 @@ just the default salt type.
ticket: 8629
(cherry picked from commit a2339099ad13c84de0843fd04d0ba612fc194a1e)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/plugins/preauth/securid_sam2/grail.c | 3 +--
src/plugins/preauth/securid_sam2/securid2.c | 3 +--

2
Fix-segfault-in-finish_dispatch.patch
View File

@ -12,8 +12,6 @@ dereference state->active_realm.
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/dispatch.c | 79 ++++++++++++++++++++++++----------------------
1 file changed, 42 insertions(+), 37 deletions(-)

1
Fix-some-broken-tests-for-Python-3.patch
View File

@ -15,7 +15,6 @@ currently not exercised by Travis.
ticket: 8710
(cherry picked from commit d1fb3551c0dff5c3e6555b31fcbf04ff04d577fe)
[rharwood@redhat.com: .travis.yml]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krad/t_daemon.py | 2 +-
src/tests/jsonwalker.py | 16 +++++-----------

1
Implement-k5_buf_init_dynamic_zap.patch
View File

@ -7,7 +7,6 @@ Add a variant of dynamic k5buf objects which zeroes memory when
reallocating or freeing the buffer.
(cherry picked from commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-buf.h | 6 ++-
src/util/support/k5buf.c | 41 +++++++++++++++----

327
In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch Normal file
View File

@ -0,0 +1,327 @@
From a9f547544ae43c2a71f21cab4fa61388c2f67553 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 31 Jul 2018 13:47:26 -0400
Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint
---
src/lib/krad/attr.c | 38 ++++++++++++++++++++++++++++----------
src/lib/krad/attrset.c | 5 +++--
src/lib/krad/internal.h | 13 +++++++++++--
src/lib/krad/packet.c | 18 +++++++++---------
src/lib/krad/remote.c | 10 ++++++++--
src/lib/krad/t_attr.c | 3 ++-
src/lib/krad/t_attrset.c | 4 +++-
7 files changed, 64 insertions(+), 27 deletions(-)
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
index 9c13d9d75..3a2d0243b 100644
--- a/src/lib/krad/attr.c
+++ b/src/lib/krad/attr.c
@@ -38,7 +38,8 @@
typedef krb5_error_code
(*attribute_transform_fn)(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
typedef struct {
const char *name;
@@ -51,12 +52,14 @@ typedef struct {
static krb5_error_code
user_password_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
static krb5_error_code
user_password_decode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *ignored);
static const attribute_record attributes[UCHAR_MAX] = {
{"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
static krb5_error_code
user_password_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
const unsigned char *indx;
krb5_error_code retval;
@@ -156,7 +160,12 @@ user_password_encode(krb5_context ctx, const char *secret,
retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
&sum);
- if (retval != 0) {
+ if (retval == ENOMEM) {
+ /* I'm Linux, so we know this is a FIPS failure. Taint so we
+ * don't send it later. */
+ *is_fips = TRUE;
+ sum.contents = calloc(1, BLOCKSIZE);
+ } else if (retval != 0) {
zap(tmp.data, tmp.length);
zap(outbuf, len);
krb5_free_data_contents(ctx, &tmp);
@@ -180,7 +189,8 @@ user_password_encode(krb5_context ctx, const char *secret,
static krb5_error_code
user_password_decode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
const unsigned char *indx;
krb5_error_code retval;
@@ -206,7 +216,12 @@ user_password_decode(krb5_context ctx, const char *secret,
retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
&tmp, &sum);
- if (retval != 0) {
+ if (retval == ENOMEM) {
+ /* I'm Linux, so we know this is a FIPS failure. Assume the
+ * other side is running locally and move on. */
+ *is_fips = TRUE;
+ sum.contents = calloc(1, BLOCKSIZE);
+ } else if (retval != 0) {
zap(tmp.data, tmp.length);
zap(outbuf, in->length);
krb5_free_data_contents(ctx, &tmp);
@@ -248,7 +263,7 @@ krb5_error_code
kr_attr_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, krad_attr type,
const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE],
- size_t *outlen)
+ size_t *outlen, krb5_boolean *is_fips)
{
krb5_error_code retval;
@@ -265,7 +280,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
return 0;
}
- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen);
+ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen,
+ is_fips);
}
krb5_error_code
@@ -274,6 +290,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
{
krb5_error_code retval;
+ krb5_boolean ignored;
retval = kr_attr_valid(type, in);
if (retval != 0)
@@ -288,7 +305,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
return 0;
}
- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen);
+ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen,
+ &ignored);
}
krad_attr
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index 03c613716..d89982a13 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy)
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
const unsigned char *auth,
- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
unsigned char buffer[MAX_ATTRSIZE];
krb5_error_code retval;
@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
K5_TAILQ_FOREACH(a, &set->list, list) {
retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr,
- buffer, &attrlen);
+ buffer, &attrlen, is_fips);
if (retval != 0)
return retval;
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
index 996a89372..a53ce31ce 100644
--- a/src/lib/krad/internal.h
+++ b/src/lib/krad/internal.h
@@ -49,6 +49,13 @@
typedef struct krad_remote_st krad_remote;
+struct krad_packet_st {
+ char buffer[KRAD_PACKET_SIZE_MAX];
+ krad_attrset *attrset;
+ krb5_data pkt;
+ krb5_boolean is_fips;
+};
+
/* Validate constraints of an attribute. */
krb5_error_code
kr_attr_valid(krad_attr type, const krb5_data *data);
@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
krb5_error_code
kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
krad_attr type, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
/* Decode an attribute. */
krb5_error_code
@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
const unsigned char *auth,
- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
/* Decode attributes from a buffer. */
krb5_error_code
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index c597174b6..2fbf0ee1e 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -53,12 +53,6 @@ typedef unsigned char uchar;
#define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH))
#define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR))
-struct krad_packet_st {
- char buffer[KRAD_PACKET_SIZE_MAX];
- krad_attrset *attrset;
- krb5_data pkt;
-};
-
typedef struct {
uchar x[(UCHAR_MAX + 1) / 8];
} idmap;
@@ -190,7 +184,11 @@ auth_generate_response(krb5_context ctx, const char *secret,
retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
&hash);
free(data.data);
- if (retval != 0)
+ if (retval == ENOMEM) {
+ /* We're on Linux, so this is a FIPS failure, and this checksum
+ * does very little security-wise anyway, so don't taint. */
+ hash.contents = calloc(1, AUTH_FIELD_SIZE);
+ } else if (retval != 0)
return retval;
memcpy(rauth, hash.contents, AUTH_FIELD_SIZE);
@@ -276,7 +274,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt),
- &attrset_len);
+ &attrset_len, &pkt->is_fips);
if (retval != 0)
goto error;
@@ -314,7 +312,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt),
- &attrset_len);
+ &attrset_len, &pkt->is_fips);
if (retval != 0)
goto error;
@@ -451,6 +449,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
const krb5_data *
krad_packet_encode(const krad_packet *pkt)
{
+ if (pkt->is_fips)
+ return NULL;
return &pkt->pkt;
}
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index 437f7e91a..0f90443ce 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr)
request *r;
K5_TAILQ_FOREACH(r, &rr->list, list) {
- tmp = krad_packet_encode(r->request);
+ tmp = &r->request->pkt;
/* If the packet has already been sent, do nothing. */
if (r->sent == tmp->length)
@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr)
if (req != NULL) {
K5_TAILQ_FOREACH(r, &rr->list, list) {
if (r->request == req &&
- r->sent == krad_packet_encode(req)->length) {
+ r->sent == req->pkt.length) {
request_finish(r, 0, rsp);
break;
}
@@ -455,6 +455,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
(krad_packet_iter_cb)iterator, &r, &tmp);
if (retval != 0)
goto error;
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+ rr->info->ai_family != AF_UNIX) {
+ /* This would expose cleartext passwords, so abort. */
+ retval = ESOCKTNOSUPPORT;
+ goto error;
+ }
K5_TAILQ_FOREACH(r, &rr->list, list) {
if (r->request == tmp) {
diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
index eb2a780c8..4d285ad9d 100644
--- a/src/lib/krad/t_attr.c
+++ b/src/lib/krad/t_attr.c
@@ -50,6 +50,7 @@ main()
const char *tmp;
krb5_data in;
size_t len;
+ krb5_boolean is_fips = FALSE;
noerror(krb5_init_context(&ctx));
@@ -73,7 +74,7 @@ main()
in = string2data((char *)decoded);
retval = kr_attr_encode(ctx, secret, auth,
krad_attr_name2num("User-Password"),
- &in, outbuf, &len);
+ &in, outbuf, &len, &is_fips);
insist(retval == 0);
insist(len == sizeof(encoded));
insist(memcmp(outbuf, encoded, len) == 0);
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
index 7928335ca..0f9576253 100644
--- a/src/lib/krad/t_attrset.c
+++ b/src/lib/krad/t_attrset.c
@@ -49,6 +49,7 @@ main()
krb5_context ctx;
size_t len = 0, encode_len;
krb5_data tmp;
+ krb5_boolean is_fips = FALSE;
noerror(krb5_init_context(&ctx));
noerror(krad_attrset_new(ctx, &set));
@@ -62,7 +63,8 @@ main()
noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
/* Encode attrset. */
- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len));
+ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len,
+ &is_fips));
krad_attrset_free(set);
/* Manually encode User-Name. */

1
Include-etype-info-in-for-hardware-preauth-hints.patch
View File

@ -10,7 +10,6 @@ password.
ticket: 8629
(cherry picked from commit ba92da05accc524b8037453b63ced1a6c65fd2a1)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/kdc_preauth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

1
Include-preauth-name-in-trace-output-if-possible.patch
View File

@ -11,7 +11,6 @@ and use it when formatting {patype} or {patypes}.
ticket: 8653 (new)
(cherry picked from commit 9c68fe39b018666eabe033b639c1f35d03ba51c7)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-trace.h | 17 +--
src/lib/krb5/os/t_trace.ref | 2 +-

1
Log-when-non-root-ksu-authorization-fails.patch
View File

@ -8,7 +8,6 @@ syslog at LOG_WARNING in keeping with other failure messages.
ticket: 8270
(cherry picked from commit 6cfa5c113e981f14f70ccafa20abfa5c46b665ba)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/clients/ksu/main.c | 10 ++++++++++
1 file changed, 10 insertions(+)

1
Make-docs-build-python3-compatible.patch
View File

@ -8,7 +8,6 @@ paths information in docs. Call exec() directly instead.
ticket: 8692 (new)
(cherry picked from commit a7c6d98480f1e33454173f88381921472d72f80a)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/conf.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

1
Make-krb5kdc-p-affect-TCP-ports.patch
View File

@ -9,7 +9,6 @@ ports.
ticket: 8715 (new)
(cherry picked from commit eb514587acc5c357bf0f554199bf0489b5515f8b)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/admin_commands/krb5kdc.rst | 12 ++++++------
src/kdc/main.c | 12 ++++--------

1
Move-zap-definition-to-k5-platform.h.patch
View File

@ -7,7 +7,6 @@ Make it possible to use zap() in parts of the code which should not
include k5-int.h by moving its definition to k5-platform.h.
(cherry picked from commit df6bef6f9ea6a5f6f3956a2988cd658c78aae817)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/k5-int.h | 45 -------------------------------------
src/include/k5-platform.h | 47 ++++++++++++++++++++++++++++++++++++++-

1
Process-profile-includedir-in-sorted-order.patch
View File

@ -9,7 +9,6 @@ within the C locale).
ticket: 8686
(cherry picked from commit f574eda48740ad192f51e9a382a205e2ea0e60ad)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/conf_files/krb5_conf.rst | 4 ++-
src/util/profile/prof_parse.c | 56 +++++-------------------------

1
Refactor-KDC-krb5_pa_data-utility-functions.patch
View File

@ -16,7 +16,6 @@ callers accordingly, making small simplifications to memory handling
where applicable.
(cherry picked from commit 4af478c18b02e1d2444a328bb79e6976ef3d312b)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/fast_util.c | 28 +------
src/kdc/kdc_preauth.c | 14 ++--

1
Remove-nodes-option-from-make-certs-scripts.patch
View File

@ -12,7 +12,6 @@ pkcs12 subcommands, but genrsa creates unencrypted keys by default.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit 928a36aae326d496c9a73f2cd41b4da45eef577c)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/tests/dejagnu/pkinit-certs/make-certs.sh | 2 +-
src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +-

1
Remove-outdated-note-in-krb5kdc-man-page.patch
View File

@ -13,7 +13,6 @@ tags: pullup
target_version: 1.16-next
(cherry picked from commit 728b66ab867e31c4c338c6a6309d629d39a4ec3f)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/admin_commands/krb5kdc.rst | 7 -------
1 file changed, 7 deletions(-)

1
Report-extended-errors-in-kinit-k-t-KDB.patch
View File

@ -9,7 +9,6 @@ extended error messages.
ticket: 8652 (new)
(cherry picked from commit d4d902d317a2acc46ee71094a33a9203b6135275)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/clients/kinit/kinit.c | 1 +
1 file changed, 1 insertion(+)

1
Restrict-pre-authentication-fallback-cases.patch
View File

@ -16,7 +16,6 @@ retried after a failure.
ticket: 8654
(cherry picked from commit 7a24a088c16d326127dd2b29084d4ca085c70d10)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/include/krb5/clpreauth_plugin.h | 14 ++++
src/lib/krb5/krb/get_in_tkt.c | 21 +++---

1
Simplify-kdc_preauth.c-systems-table.patch
View File

@ -15,7 +15,6 @@ padata types. The KRB5_PADATA_SERVER_REFERRAL entry has been disabled
since it was first added.
(cherry picked from commit fea1a488924faa3938ef723feaa1ff12d22a91ff)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/kdc_preauth.c | 526 +++++++++++++++---------------------------
1 file changed, 184 insertions(+), 342 deletions(-)

1
Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
View File

@ -5,7 +5,6 @@ Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs
ticket: 8711 (new)
(cherry picked from commit c1e1bfa26bd2f045e88e6013c500fca9428c98f3)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kdc/kdc_audit.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)

1
Use-k5_buf_init_dynamic_zap-where-appropriate.patch
View File

@ -4,7 +4,6 @@ Date: Mon, 26 Mar 2018 11:24:49 -0400
Subject: [PATCH] Use k5_buf_init_dynamic_zap where appropriate
(cherry picked from commit 9172599008f3a6790d4a9a67acff58049742dcb6)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/ccache/cc_file.c | 4 ++--
src/lib/krb5/ccache/cc_keyring.c | 2 +-

1
Use-libkrb5support-hex-functions-where-appropriate.patch
View File

@ -4,7 +4,6 @@ Date: Mon, 19 Feb 2018 00:52:35 -0500
Subject: [PATCH] Use libkrb5support hex functions where appropriate
(cherry picked from commit b0c700608be7455041a8afc0e4502e8783ee7f30)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/dbutil/deps | 16 ++---
src/kadmin/dbutil/tabdump.c | 19 +++---

1
Zap-copy-of-secret-in-RC4-string-to-key.patch
View File

@ -11,7 +11,6 @@ freed as the input string typically contains a password.
[ghudson@mit.edu: rewrote commit message]
ticket: 8713 (new)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/crypto/krb/s2k_rc4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

1
Zap-data-when-freeing-krb5_spake_factor.patch
View File

@ -8,7 +8,6 @@ second-factor SPAKE is implemented, so should be zapped when freed.
ticket: 8647
(cherry picked from commit 9cc94a3f1ce06a4430f684300a747ec079102403)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/krb/kfree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

1
krb5-1.11-kpasswdtest.patch
View File

@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/testing/proto/krb5.conf.proto | 1 +
1 file changed, 1 insertion(+)

2
krb5-1.11-run_user_0.patch
View File

@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.11-run_user_0.patch
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

2
krb5-1.12-api.patch
View File

@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)

2
krb5-1.12-ksu-path.patch
View File

@ -4,8 +4,6 @@ Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

2
krb5-1.12-ktany.patch
View File

@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.12-ktany.patch
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/keytab/Makefile.in | 3 +
src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++

2
krb5-1.12.1-pam.patch
View File

@ -16,8 +16,6 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 67 +++++++
src/clients/ksu/Makefile.in | 8 +-

2
krb5-1.13-dirsrv-accountlock.patch
View File

@ -5,8 +5,6 @@ Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 9 +++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++

2
krb5-1.15-beta1-buildconf.patch
View File

@ -8,8 +8,6 @@ and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-

2
krb5-1.15.1-selinux-label.patch
View File

@ -35,8 +35,6 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-

2
krb5-1.3.1-dns.patch
View File

@ -4,8 +4,6 @@ Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
We want to be able to use --with-netlib and --enable-dns at the same time.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 1 +
1 file changed, 1 insertion(+)

2
krb5-1.9-debuginfo.patch
View File

@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-

6
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.16.1
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 18%{?dist}
Release: 19%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -102,6 +102,7 @@ Patch82: Eliminate-preprocessor-disabled-dead-code.patch
Patch83: Make-krb5kdc-p-affect-TCP-ports.patch
Patch84: Remove-outdated-note-in-krb5kdc-man-page.patch
Patch85: Fix-k5test-prompts-for-Python-3.patch
Patch86: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -748,6 +749,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Aug 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-19
- In FIPS mode, add plaintext fallback for RC4 usages and taint
* Thu Jul 26 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-18
- Fix k5test prompts for Python 3