rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release - krb5-1.15.2

Browse Source 
Adjust patches as appropriate
This commit is contained in:
Robbie Harwood 2017-09-25 13:54:57 -04:00
parent 11b90e9e6e
commit f1e535bb81
51 changed files with 91 additions and 681 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -151,3 +151,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.15.1-pdfs.tar
/krb5-1.15.1.tar.gz
/krb5-1.15.1.tar.gz.asc
/krb5-1.15.2-pdfs.tar
/krb5-1.15.2.tar.gz
/krb5-1.15.2.tar.gz.asc

2
Add-KDC-policy-pluggable-interface.patch
View File

@ -1,4 +1,4 @@
From 648fa08747a5f2025f47e5b0bc2589f55a65218a Mon Sep 17 00:00:00 2001
From 78a1f155701f94a228c4f58f98846195a39991c4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 27 Jun 2017 17:15:39 -0400
Subject: [PATCH] Add KDC policy pluggable interface

2
Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
View File

@ -1,4 +1,4 @@
From 2f84634c8227d2f43daf9a6135766c6e1901851f Mon Sep 17 00:00:00 2001
From 6ce3a9416ee73fee41d0190e3fd0fde0a097c774 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 9 Dec 2016 11:43:27 -0500
Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py

2
Add-PKINIT-test-case-for-generic-client-cert.patch
View File

@ -1,4 +1,4 @@
From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001
From e267849bcc3813989470c03565b22d25c71af91e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Aug 2017 12:39:14 -0400
Subject: [PATCH] Add PKINIT test case for generic client cert

6
Add-certauth-pluggable-interface.patch
View File

@ -1,4 +1,4 @@
From 14455b071bab5ed93e42df84dc0b0e5f889cb98b Mon Sep 17 00:00:00 2001
From 43418f21de72060932661242126fe611b6b17d84 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 28 Feb 2017 15:55:24 -0500
Subject: [PATCH] Add certauth pluggable interface
@ -52,10 +52,10 @@ ticket: 8561 (new)
create mode 100644 src/tests/t_certauth.py
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 653aad613..c0e4349c0 100644
index 02a935961..1d9bc9e34 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -858,6 +858,27 @@ built-in modules exist for this interface:
@@ -859,6 +859,27 @@ built-in modules exist for this interface:
This module authorizes a principal to a local account if the
principal name maps to the local account name.

6
Add-hostname-based-ccselect-module.patch
View File

@ -1,4 +1,4 @@
From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001
From 632575ab12fc5d6c9bdc83cb8200fb8f4f422b83 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 23 Aug 2017 17:25:17 -0400
Subject: [PATCH] Add hostname-based ccselect module
@ -21,10 +21,10 @@ ticket: 8613 (new)
create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index c0e4349c0..5f1de2e50 100644
index 1d9bc9e34..9c1ee94a4 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -744,6 +744,10 @@ disabled with the disable tag):
@@ -745,6 +745,10 @@ disabled with the disable tag):
Uses the service realm to guess an appropriate cache from the
collection

4
Add-k5test-expected_msg-expected_trace.patch
View File

@ -1,4 +1,4 @@
From 1f7e1ce67d885bce613030099df9a95e7671055e Mon Sep 17 00:00:00 2001
From 9c6f61e30e11eca5c04daa3f0dce398602ef5801 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:24:41 -0500
Subject: [PATCH] Add k5test expected_msg, expected_trace
@ -17,7 +17,7 @@ substrings in the trace output.
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/config/post.in b/src/config/post.in
index 77a9bffdf..aecac9d3b 100644
index 7c7d86dc9..3643abad1 100644
--- a/src/config/post.in
+++ b/src/config/post.in
@@ -156,7 +156,7 @@ clean: clean-$(WHAT)

2
Add-support-to-query-the-SSF-of-a-GSS-context.patch
View File

@ -1,4 +1,4 @@
From 2a7ea306e35a35296314484eec9eff5d8e38f02a Mon Sep 17 00:00:00 2001
From a3408731e3d73f99028f20c3f33caa5a411b430c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 30 Mar 2017 11:27:09 -0400
Subject: [PATCH] Add support to query the SSF of a GSS context

2
Add-test-case-for-PKINIT-DH-renegotiation.patch
View File

@ -1,4 +1,4 @@
From 9cd133e626f114c9a11d6d731f7f97072d59e20f Mon Sep 17 00:00:00 2001
From 5faadd66bb278bcc1c618e199444e3012eeec215 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 11 Jan 2017 10:49:30 -0500
Subject: [PATCH] Add test case for PKINIT DH renegotiation

2
Add-test-cert-generation-to-make-certs.sh.patch
View File

@ -1,4 +1,4 @@
From d81c0069df0f18574bc0beb7e45139f6d2bc3849 Mon Sep 17 00:00:00 2001
From 5e3885e9d7c7cd2a19a291cdb1e54312ca7f7e1f Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:22:45 -0500
Subject: [PATCH] Add test cert generation to make-certs.sh

2
Add-test-cert-with-no-extensions.patch
View File

@ -1,4 +1,4 @@
From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001
From 565311d74c7532f9948b7b0b803f093aaa40afed Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Aug 2017 12:33:33 -0400
Subject: [PATCH] Add test cert with no extensions

2
Add-the-client_name-kdcpreauth-callback.patch
View File

@ -1,4 +1,4 @@
From 405a88caf62483bd077f6d98aa5f1adc9fbdff64 Mon Sep 17 00:00:00 2001
From 42469712239d3eb0e47d9aa306567464dd1f392a Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 4 Apr 2017 16:54:56 -0400
Subject: [PATCH] Add the client_name() kdcpreauth callback

2
Add-timestamp-helper-functions.patch
View File

@ -1,4 +1,4 @@
From 38b7fbd7ee64a205c4dcfc345c30132e73f5b249 Mon Sep 17 00:00:00 2001
From 9b50a75e97cbe9cc8c0a4e37158b56b58e966f25 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 09:49:12 -0400
Subject: [PATCH] Add timestamp helper functions

2
Add-timestamp-tests.patch
View File

@ -1,4 +1,4 @@
From 1b351445b4b938f54025728ba786f05ee82c47d1 Mon Sep 17 00:00:00 2001
From 3a06f6a3cfad62da6dd8878d3446003f8293c3ae Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 29 Apr 2017 17:30:36 -0400
Subject: [PATCH] Add timestamp tests

2
Add-y2038-documentation.patch
View File

@ -1,4 +1,4 @@
From ebedc35a70f184030c4aab32e782fa2a8610cf73 Mon Sep 17 00:00:00 2001
From 69ca5ff168f24792924b3cab0a9f27ada3eb4c4b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 4 May 2017 17:03:35 -0400
Subject: [PATCH] Add y2038 documentation

36
Allow-clock-skew-in-krb5-gss_context_time.patch
View File

@ -1,36 +0,0 @@
From 2944d7c0fcc8d3a87d0bb6f544b4a04c358df732 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 16:51:23 -0400
Subject: [PATCH] Allow clock skew in krb5 gss_context_time()
Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
the clock skew to krb5 acceptor context lifetimes for
gss_accept_sec_context() and gss_inquire_context(), but not for
gss_context_time(). Add the clock skew in gss_context_time() as well.
ticket: 8581 (new)
target_version: 1.14-next
target_version: 1.15-next
tags: pullup
(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)
---
src/lib/gssapi/krb5/context_time.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
index a18cfb05b..450593288 100644
--- a/src/lib/gssapi/krb5/context_time.c
+++ b/src/lib/gssapi/krb5/context_time.c
@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
return(GSS_S_FAILURE);
}
- if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
+ lifetime = ctx->krb_times.endtime - now;
+ if (!ctx->initiate)
+ lifetime += ctx->k5_context->clockskew;
+ if (lifetime <= 0) {
*time_rec = 0;
*minor_status = 0;
return(GSS_S_CONTEXT_EXPIRED);

2
Build-with-Werror-implicit-int-where-supported.patch
View File

@ -1,4 +1,4 @@
From b87501b9051a1befbd84165295b8ed775adafd62 Mon Sep 17 00:00:00 2001
From 5f2ea38f7ecd60184e510558bdb551d0153432e0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Nov 2016 13:20:49 -0500
Subject: [PATCH] Build with -Werror-implicit-int where supported

2
Convert-some-pkiDebug-messages-to-TRACE-macros.patch
View File

@ -1,4 +1,4 @@
From 4dcab7d706331b469678f3a516cd67fffd331058 Mon Sep 17 00:00:00 2001
From 686fa6476eb759532d566794fa8d430774d44cf7 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 29 Mar 2017 10:35:13 -0400
Subject: [PATCH] Convert some pkiDebug messages to TRACE macros

2
Correct-error-handling-bug-in-prior-commit.patch
View File

@ -1,4 +1,4 @@
From 7fa2848a550bda947a6e425babb3f529b7e28ab6 Mon Sep 17 00:00:00 2001
From 08d995aaf48e75c174525ae0b47e12c3170b3f5f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 23 Mar 2017 13:42:55 -0400
Subject: [PATCH] Correct error handling bug in prior commit

2
Deindent-crypto_retrieve_X509_sans.patch
View File

@ -1,4 +1,4 @@
From ca1ab893b3590ab887f7c0f4a41ad6b2fddf3421 Mon Sep 17 00:00:00 2001
From d5462c96c9918ffa7d3f05de310c5aed34181941 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 4 Jan 2017 11:33:57 -0500
Subject: [PATCH] Deindent crypto_retrieve_X509_sans()

2
Fix-bugs-in-kdcpolicy-commit.patch
View File

@ -1,4 +1,4 @@
From 7ab7253c617364ffe8facd870e286c5876e6c30f Mon Sep 17 00:00:00 2001
From c8c704cdaaa15a0908024f0917344048c0df5940 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 19 Aug 2017 19:09:24 -0400
Subject: [PATCH] Fix bugs in kdcpolicy commit

2
Fix-certauth-built-in-module-returns.patch
View File

@ -1,4 +1,4 @@
From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001
From 0d93e336e2cb8319bfd3e0fa096e5ee8ea3bbbbf Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 24 Aug 2017 11:11:46 -0400
Subject: [PATCH] Fix certauth built-in module returns

2
Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
View File

@ -1,4 +1,4 @@
From b0351efa57654f06477ab7540e6c0624e3a64f4e Mon Sep 17 00:00:00 2001
From e2d34698687c00504b83e1c0deb56dc6232bef42 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Apr 2017 02:02:36 -0400
Subject: [PATCH] Fix in_clock_skew() and use it in AS client code

35
Fix-leaks-in-gss_inquire_cred_by_oid.patch
View File

@ -1,35 +0,0 @@
From e53073b6e1d36b682d8524fcfaec7bdf56b7f81e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 12 Mar 2017 12:30:59 -0400
Subject: [PATCH] Fix leaks in gss_inquire_cred_by_oid()
In the mechglue gss_inquire_cred_by_oid(), remove an unnecessary
allocation of ret_set which is overwritten by the first mechanism's
result.
ticket: 8559 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
(cherry picked from commit 0d39d46852587d36fcc5024d5766586faba9044a)
---
src/lib/gssapi/mechglue/g_inq_cred_oid.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_inq_cred_oid.c b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
index 4c23dfcbd..df51b44e9 100644
--- a/src/lib/gssapi/mechglue/g_inq_cred_oid.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
@@ -85,11 +85,6 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
union_cred = (gss_union_cred_t) cred_handle;
- status = gss_create_empty_buffer_set(minor_status, &ret_set);
- if (status != GSS_S_COMPLETE) {
- return status;
- }
-
status = GSS_S_UNAVAILABLE;
for (i = 0; i < union_cred->count; i++) {

2
Fix-more-time-manipulations-for-y2038.patch
View File

@ -1,4 +1,4 @@
From c9fca85329f4b25509f83837239bf882841caccc Mon Sep 17 00:00:00 2001
From 7b28a408650c58d0ea98fddab5034642af32fdaf Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 14:52:09 -0400
Subject: [PATCH] Fix more time manipulations for y2038

2
Improve-PKINIT-UPN-SAN-matching.patch
View File

@ -1,4 +1,4 @@
From 84e4545db26e31ae69da8559128513157f533858 Mon Sep 17 00:00:00 2001
From 03265620488b84238c31170356b5f41c80f0e9d9 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:17:59 -0500
Subject: [PATCH] Improve PKINIT UPN SAN matching

20
Make-timestamp-manipulations-y2038-safe.patch
View File

@ -1,4 +1,4 @@
From 0c0fe06500401d694a4720544c7ed661275d819e Mon Sep 17 00:00:00 2001
From ac30f4753f157dafe93df2941a216fde591fcb69 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 12:52:17 -0400
Subject: [PATCH] Make timestamp manipulations y2038-safe
@ -766,7 +766,7 @@ index 2dc4d0c1a..bb1072fe4 100644
/* Make an AS request if we have no creds or it's time to refresh them. */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 70f7955ae..8e5cc37fb 100644
index 2a7467f54..1be1b5878 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
@ -779,7 +779,7 @@ index 70f7955ae..8e5cc37fb 100644
code = KRB5KRB_AP_ERR_TKT_EXPIRED;
goto cleanup;
}
@@ -575,7 +576,7 @@ kg_new_connection(
@@ -573,7 +574,7 @@ kg_new_connection(
if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
ctx->krb_times.endtime = 0;
} else {
@ -788,7 +788,7 @@ index 70f7955ae..8e5cc37fb 100644
}
if ((code = kg_duplicate_name(context, cred->name, &ctx->here)))
@@ -659,7 +660,7 @@ kg_new_connection(
@@ -657,7 +658,7 @@ kg_new_connection(
if (time_rec) {
if ((code = krb5_timeofday(context, &now)))
goto cleanup;
@ -797,7 +797,7 @@ index 70f7955ae..8e5cc37fb 100644
}
/* set the other returns */
@@ -873,7 +874,7 @@ mutual_auth(
@@ -871,7 +872,7 @@ mutual_auth(
if (time_rec) {
if ((code = krb5_timeofday(context, &now)))
goto fail;
@ -879,7 +879,7 @@ index 408b0eb31..1680a5504 100644
time_string = ctime(&until);
if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index 59ed0b975..656dddff5 100644
index 3c2844d14..c4bb16dc7 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -408,13 +408,14 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
@ -900,7 +900,7 @@ index 59ed0b975..656dddff5 100644
*maskp |= KADM5_PW_EXPIRATION;
}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0640b47c4..f4a9a2ad2 100644
index 8f4da0e52..137e1fb64 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
@ -948,7 +948,7 @@ index 0640b47c4..f4a9a2ad2 100644
else
kdb->pw_expiration = 0;
} else {
@@ -2024,7 +2024,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
@@ -2027,7 +2027,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
}
if (have_pol) {
if (pol.pw_max_life)
@ -958,10 +958,10 @@ index 0640b47c4..f4a9a2ad2 100644
kdb->pw_expiration = 0;
} else {
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 4adf0fcbb..7f33c7e68 100644
index 690725765..07392572e 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1296,7 +1296,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
@@ -1297,7 +1297,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
* are in the future, we will return the first node; if all are in the
* past, we will return the last node.
*/

413
Preserve-GSS-context-on-init-accept-failure.patch
View File

@ -1,413 +0,0 @@
From d730a62c2d3f6f75a0fa28b7a8c952fb29dd7aa0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 14 Jul 2017 13:02:46 -0400
Subject: [PATCH] Preserve GSS context on init/accept failure
After gss_init_sec_context() or gss_accept_sec_context() has created a
context, don't delete the mechglue context on failures from subsequent
calls, even if the mechanism deletes the mech-specific context (which
is allowed by RFC 2744 but not preferred). Check for union contexts
with no mechanism context in each GSS function which accepts a
gss_ctx_id_t.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to
gss_init_sec_context() or gss_accept_sec_context() if the call results
in an error. This API behavior has been found to be dangerous,
leading to the possibility of memory errors in some callers. For
safety, GSS-API implementations should instead preserve existing
security contexts on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
error.
ticket: 8598 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
(cherry picked from commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf)
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 22 +++++++++++++++-------
src/lib/gssapi/mechglue/g_complete_auth_token.c | 2 ++
src/lib/gssapi/mechglue/g_context_time.c | 2 ++
src/lib/gssapi/mechglue/g_delete_sec_context.c | 14 ++++++++------
src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 ++
src/lib/gssapi/mechglue/g_init_sec_context.c | 19 +++++++++++--------
src/lib/gssapi/mechglue/g_inq_context.c | 2 ++
src/lib/gssapi/mechglue/g_prf.c | 2 ++
src/lib/gssapi/mechglue/g_process_context.c | 2 ++
src/lib/gssapi/mechglue/g_seal.c | 4 ++++
src/lib/gssapi/mechglue/g_sign.c | 2 ++
src/lib/gssapi/mechglue/g_unseal.c | 2 ++
src/lib/gssapi/mechglue/g_unwrap_aead.c | 2 ++
src/lib/gssapi/mechglue/g_unwrap_iov.c | 4 ++++
src/lib/gssapi/mechglue/g_verify.c | 2 ++
src/lib/gssapi/mechglue/g_wrap_aead.c | 2 ++
src/lib/gssapi/mechglue/g_wrap_iov.c | 8 ++++++++
17 files changed, 72 insertions(+), 21 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index ddaf87412..f28e2b14a 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -216,6 +216,8 @@ gss_cred_id_t * d_cred;
} else {
union_ctx_id = (gss_union_ctx_id_t)*context_handle;
selected_mech = union_ctx_id->mech_type;
+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
}
/* Now create a new context if we didn't get one. */
@@ -234,9 +236,6 @@ gss_cred_id_t * d_cred;
free(union_ctx_id);
return (status);
}
-
- /* set the new context handle to caller's data */
- *context_handle = (gss_ctx_id_t)union_ctx_id;
}
/*
@@ -277,8 +276,10 @@ gss_cred_id_t * d_cred;
d_cred ? &tmp_d_cred : NULL);
/* If there's more work to do, keep going... */
- if (status == GSS_S_CONTINUE_NEEDED)
+ if (status == GSS_S_CONTINUE_NEEDED) {
+ *context_handle = (gss_ctx_id_t)union_ctx_id;
return GSS_S_CONTINUE_NEEDED;
+ }
/* if the call failed, return with failure */
if (status != GSS_S_COMPLETE) {
@@ -364,14 +365,22 @@ gss_cred_id_t * d_cred;
*mech_type = gssint_get_public_oid(actual_mech);
if (ret_flags != NULL)
*ret_flags = temp_ret_flags;
- return (status);
+ *context_handle = (gss_ctx_id_t)union_ctx_id;
+ return GSS_S_COMPLETE;
} else {
status = GSS_S_BAD_MECH;
}
error_out:
- if (union_ctx_id) {
+ /*
+ * RFC 2744 5.1 requires that we not create a context on a failed first
+ * call to accept, and recommends that on a failed subsequent call we
+ * make the caller responsible for calling gss_delete_sec_context.
+ * Even if the mech deleted its context, keep the union context around
+ * for the caller to delete.
+ */
+ if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) {
if (union_ctx_id->mech_type) {
if (union_ctx_id->mech_type->elements)
free(union_ctx_id->mech_type->elements);
@@ -384,7 +393,6 @@ error_out:
GSS_C_NO_BUFFER);
}
free(union_ctx_id);
- *context_handle = GSS_C_NO_CONTEXT;
}
if (src_name)
diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c
index 918155130..4bcb47e84 100644
--- a/src/lib/gssapi/mechglue/g_complete_auth_token.c
+++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c
@@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status,
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
mech = gssint_get_mechanism (ctx->mech_type);
if (mech != NULL) {
diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c
index 2ff8d0996..c947e7646 100644
--- a/src/lib/gssapi/mechglue/g_context_time.c
+++ b/src/lib/gssapi/mechglue/g_context_time.c
@@ -58,6 +58,8 @@ OM_uint32 * time_rec;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c
index 4bf0dec5c..574ff0294 100644
--- a/src/lib/gssapi/mechglue/g_delete_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c
@@ -87,12 +87,14 @@ gss_buffer_t output_token;
if (GSSINT_CHK_LOOP(ctx))
return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT);
- status = gssint_delete_internal_sec_context(minor_status,
- ctx->mech_type,
- &ctx->internal_ctx_id,
- output_token);
- if (status)
- return status;
+ if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) {
+ status = gssint_delete_internal_sec_context(minor_status,
+ ctx->mech_type,
+ &ctx->internal_ctx_id,
+ output_token);
+ if (status)
+ return status;
+ }
/* now free up the space for the union context structure */
free(ctx->mech_type->elements);
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
index b63745299..1d7990b1c 100644
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -95,6 +95,8 @@ gss_buffer_t interprocess_token;
*/
ctx = (gss_union_ctx_id_t) *context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech)
return GSS_S_BAD_MECH;
diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
index 9f154b893..e2df1ce26 100644
--- a/src/lib/gssapi/mechglue/g_init_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
@@ -192,8 +192,13 @@ OM_uint32 * time_rec;
/* copy the supplied context handle */
union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT;
- } else
+ } else {
union_ctx_id = (gss_union_ctx_id_t)*context_handle;
+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) {
+ status = GSS_S_NO_CONTEXT;
+ goto end;
+ }
+ }
/*
* get the appropriate cred handle from the union cred struct.
@@ -224,15 +229,13 @@ OM_uint32 * time_rec;
if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
/*
- * The spec says the preferred method is to delete all context info on
- * the first call to init, and on all subsequent calls make the caller
- * responsible for calling gss_delete_sec_context. However, if the
- * mechanism decided to delete the internal context, we should also
- * delete the union context.
+ * RFC 2744 5.19 requires that we not create a context on a failed
+ * first call to init, and recommends that on a failed subsequent call
+ * we make the caller responsible for calling gss_delete_sec_context.
+ * Even if the mech deleted its context, keep the union context around
+ * for the caller to delete.
*/
map_error(minor_status, mech);
- if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
- *context_handle = GSS_C_NO_CONTEXT;
if (*context_handle == GSS_C_NO_CONTEXT) {
free(union_ctx_id->mech_type->elements);
free(union_ctx_id->mech_type);
diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c
index 6f1c71eed..6c0d98dd3 100644
--- a/src/lib/gssapi/mechglue/g_inq_context.c
+++ b/src/lib/gssapi/mechglue/g_inq_context.c
@@ -104,6 +104,8 @@ gss_inquire_context(
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech || !mech->gss_inquire_context || !mech->gss_display_name ||
diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c
index fcca3e44c..9e168adfe 100644
--- a/src/lib/gssapi/mechglue/g_prf.c
+++ b/src/lib/gssapi/mechglue/g_prf.c
@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status,
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
mech = gssint_get_mechanism (ctx->mech_type);
if (mech != NULL) {
diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c
index bc260aeb1..3968b5d9c 100644
--- a/src/lib/gssapi/mechglue/g_process_context.c
+++ b/src/lib/gssapi/mechglue/g_process_context.c
@@ -61,6 +61,8 @@ gss_buffer_t token_buffer;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c
index f17241c90..3db1ee095 100644
--- a/src/lib/gssapi/mechglue/g_seal.c
+++ b/src/lib/gssapi/mechglue/g_seal.c
@@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status,
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
@@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status,
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech)
diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c
index 86d641aa2..03fbd8c01 100644
--- a/src/lib/gssapi/mechglue/g_sign.c
+++ b/src/lib/gssapi/mechglue/g_sign.c
@@ -94,6 +94,8 @@ gss_buffer_t msg_token;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c
index 3e8053c6e..c208635b6 100644
--- a/src/lib/gssapi/mechglue/g_unseal.c
+++ b/src/lib/gssapi/mechglue/g_unseal.c
@@ -76,6 +76,8 @@ gss_qop_t * qop_state;
* call it.
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c
index e78bff2d3..0682bd899 100644
--- a/src/lib/gssapi/mechglue/g_unwrap_aead.c
+++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c
@@ -186,6 +186,8 @@ gss_qop_t *qop_state;
* call it.
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech)
diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c
index c0dd314b1..599be2c7b 100644
--- a/src/lib/gssapi/mechglue/g_unwrap_iov.c
+++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c
@@ -89,6 +89,8 @@ int iov_count;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
@@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
/* Select the approprate underlying mechanism routine and call it. */
ctx = (gss_union_ctx_id_t)context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
mech = gssint_get_mechanism(ctx->mech_type);
if (mech == NULL)
return GSS_S_BAD_MECH;
diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c
index 1578ae111..8996fce8d 100644
--- a/src/lib/gssapi/mechglue/g_verify.c
+++ b/src/lib/gssapi/mechglue/g_verify.c
@@ -65,6 +65,8 @@ gss_qop_t * qop_state;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
index 96cdf3ce6..7fe3b7b35 100644
--- a/src/lib/gssapi/mechglue/g_wrap_aead.c
+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
@@ -256,6 +256,8 @@ gss_buffer_t output_message_buffer;
* call it.
*/
ctx = (gss_union_ctx_id_t)context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech)
return (GSS_S_BAD_MECH);
diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c
index 40cd98fc9..14447c4ee 100644
--- a/src/lib/gssapi/mechglue/g_wrap_iov.c
+++ b/src/lib/gssapi/mechglue/g_wrap_iov.c
@@ -93,6 +93,8 @@ int iov_count;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
@@ -151,6 +153,8 @@ int iov_count;
*/
ctx = (gss_union_ctx_id_t) context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
@@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
/* Select the approprate underlying mechanism routine and call it. */
ctx = (gss_union_ctx_id_t)context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
mech = gssint_get_mechanism(ctx->mech_type);
if (mech == NULL)
return GSS_S_BAD_MECH;
@@ -218,6 +224,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
/* Select the approprate underlying mechanism routine and call it. */
ctx = (gss_union_ctx_id_t)context_handle;
+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
mech = gssint_get_mechanism(ctx->mech_type);
if (mech == NULL)
return GSS_S_BAD_MECH;

109
Prevent-KDC-unset-status-assertion-failures.patch
View File

@ -1,109 +0,0 @@
From af6570ad6c306fe8e2bf425810236dd8c6271885 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 13 Jul 2017 12:14:20 -0400
Subject: [PATCH] Prevent KDC unset status assertion failures
Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name. Reported by Samuel Cabrero.
If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion. This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.
CVE-2017-11368:
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
ticket: 8599 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
(cherry picked from commit a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2)
---
src/kdc/do_as_req.c | 4 ++--
src/kdc/do_tgs_req.c | 3 ++-
src/kdc/kdc_util.c | 10 ++++++++--
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 712ccb794..a4bf91b1b 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -365,8 +365,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
did_log = 1;
egress:
- if (errcode != 0)
- assert (state->status != 0);
+ if (errcode != 0 && state->status == NULL)
+ state->status = "UNKNOWN_REASON";
au_state->status = state->status;
au_state->reply = &state->reply;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 547a41441..339259fd1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
free(reply.enc_part.ciphertext.data);
cleanup:
- assert(status != NULL);
+ if (status == NULL)
+ status = "UNKNOWN_REASON";
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 29f9dbbf0..30c501c67 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
req_data.data = (char *)pa_data->contents;
code = decode_krb5_pa_for_user(&req_data, &for_user);
- if (code)
+ if (code) {
+ *status = "DECODE_PA_FOR_USER";
return code;
+ }
code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
if (code) {
@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
req_data.data = (char *)pa_data->contents;
code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
- if (code)
+ if (code) {
+ *status = "DECODE_PA_S4U_X509_USER";
return code;
+ }
code = verify_s4u_x509_user_checksum(context,
tgs_subkey ? tgs_subkey :
@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
* that is validated previously in validate_tgs_request().
*/
if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+ *status = "INVALID_S4U2PROXY_OPTIONS";
return KRB5KDC_ERR_BADOPTION;
}
@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
if (!krb5_principal_compare(kdc_context,
server->princ, /* after canon */
server_princ)) {
+ *status = "EVIDENCE_TICKET_MISMATCH";
return KRB5KDC_ERR_SERVER_NOMATCH;
}

6
Remove-incomplete-PKINIT-OCSP-support.patch
View File

@ -1,4 +1,4 @@
From 3a9d6156a57fb17285e238ec0633ea2b24db91d6 Mon Sep 17 00:00:00 2001
From 466d09c9b2c456d663672cb6d5f661ef86e8536e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 31 Jul 2017 16:03:41 -0400
Subject: [PATCH] Remove incomplete PKINIT OCSP support
@ -19,7 +19,7 @@ ticket: 8603 (new)
5 files changed, 11 insertions(+), 20 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 13077ecf4..a4b2a5432 100644
index 4e54f7e1d..d00e7926c 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
@ -33,7 +33,7 @@ index 13077ecf4..a4b2a5432 100644
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 10b333c38..166e68f9a 100644
index d207ebd7f..c47da0117 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if

2
Use-GSSAPI-fallback-skiptest.patch
View File

@ -1,4 +1,4 @@
From ad17859c5d428be38bb51b6202e1ce256790beb5 Mon Sep 17 00:00:00 2001
From 6d0b40b26e7fea1cd394618c1ab6d5e366bbc069 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 Mar 2017 17:46:22 -0500
Subject: [PATCH] Use GSSAPI fallback skiptest

2
Use-expected_msg-in-test-scripts.patch
View File

@ -1,4 +1,4 @@
From 9b2d26cf4cfebdce46430a7ab891e3a7faad5f47 Mon Sep 17 00:00:00 2001
From 24ac588502b1731a7fd2629804f8d9ed1668297e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 18 Jan 2017 11:22:58 -0500
Subject: [PATCH] Use expected_msg in test scripts

2
Use-expected_trace-in-test-scripts.patch
View File

@ -1,4 +1,4 @@
From 52eeabfdeb9a91c6e4c7124b38fa6915df37f8bf Mon Sep 17 00:00:00 2001
From 35a00879008457d21ccc6e623835976a21f5000b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:25:22 -0500
Subject: [PATCH] Use expected_trace in test scripts

2
Use-fallback-realm-for-GSSAPI-ccache-selection.patch
View File

@ -1,4 +1,4 @@
From 4963152dc973e8ff74f257f64b0960a7716b480c Mon Sep 17 00:00:00 2001
From feee4c633a7db348ef99f1f0c99a5c2e6cb70f92 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 10 Feb 2017 12:53:42 -0500
Subject: [PATCH] Use fallback realm for GSSAPI ccache selection

8
Use-krb5_timestamp-where-appropriate.patch
View File

@ -1,4 +1,4 @@
From f0f0a503f58ed4f6ccf924751b356a70f515dd4b Mon Sep 17 00:00:00 2001
From 0ae9141d53a8d9fe048542f89d17760990bd5bc4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 15:14:15 -0400
Subject: [PATCH] Use krb5_timestamp where appropriate
@ -81,7 +81,7 @@ index 16a35d2be..4ecc23481 100644
retval = krb5_crypto_us_timeofday(&now, &now_usec);
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index 656dddff5..c2cf69169 100644
index c4bb16dc7..679fc7c41 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
@ -107,7 +107,7 @@ index 612553ba3..f4b8aef2b 100644
krb5_tl_data tl_data;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index f4a9a2ad2..0d4f0a632 100644
index 137e1fb64..89f34482b 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
@ -146,7 +146,7 @@ index f4a9a2ad2..0d4f0a632 100644
kadm5_policy_ent_rec pol;
krb5_keysalt keysalt;
int i, kvno, ret;
@@ -1888,7 +1888,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
@@ -1891,7 +1891,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;

2
Use-the-canonical-client-principal-name-for-OTP.patch
View File

@ -1,4 +1,4 @@
From 1d729e7bd01cd0a5e4db0ba16fc5058b21b4abb2 Mon Sep 17 00:00:00 2001
From 7998de0b9ccd0c8813159cc3f1d49fe107e3e0ba Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 5 Apr 2017 16:48:55 -0400
Subject: [PATCH] Use the canonical client principal name for OTP

1
kerberos-adm.portreserve
View File

@ -1 +0,0 @@
kerberos-adm/tcp

2
krb5-1.11-kpasswdtest.patch
View File

@ -1,4 +1,4 @@
From b932cd580f6c78bcec06620770444b480cb7899c Mon Sep 17 00:00:00 2001
From fb8f32ebdf3293d8a6bdb9478fe1f902a399ba7a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch

2
krb5-1.11-run_user_0.patch
View File

@ -1,4 +1,4 @@
From 85c019fe805d801ad3b65cad61fd9b2f1eef8d7f Mon Sep 17 00:00:00 2001
From 9c45f66fbc6afb472589dbeb5166f46ad266d319 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch

2
krb5-1.12-api.patch
View File

@ -1,4 +1,4 @@
From 3bd2daf49b882deeaadd846d138c06d72de589fe Mon Sep 17 00:00:00 2001
From 107a2b8728f1b76feb16df9201919444482e3981 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch

2
krb5-1.12-ksu-path.patch
View File

@ -1,4 +1,4 @@
From b3b35bbf939f05b9caece64f93c012c2f241f1c7 Mon Sep 17 00:00:00 2001
From 93b86d94b871aed49b14d7fc1a2a9f23c16cbe0f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch

2
krb5-1.12-ktany.patch
View File

@ -1,4 +1,4 @@
From 259f691fac41a06c238aea1d812b0f3889f06877 Mon Sep 17 00:00:00 2001
From efee9f8598ba84f2be0983fc1d07a9a72d0ff1b7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch

2
krb5-1.12.1-pam.patch
View File

@ -1,4 +1,4 @@
From 461ae27581ad3b132b9b2d8c07777102fba015f3 Mon Sep 17 00:00:00 2001
From e0924e10dd431a898c9c95faa04b51edbe59c5ef Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch

2
krb5-1.13-dirsrv-accountlock.patch
View File

@ -1,4 +1,4 @@
From d183995c587fc0f32a76011858703308d751e17c Mon Sep 17 00:00:00 2001
From f2df0b75dfbc9796bf8e1477f4661dfb7cdcf8d4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch

2
krb5-1.15-beta1-buildconf.patch
View File

@ -1,4 +1,4 @@
From 35e09ba633eb14cc207b59de7ce60324ea86554f Mon Sep 17 00:00:00 2001
From ae5bb11c0f06fdf92f51d237e94c1d410c59aa04 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch

2
krb5-1.15.1-selinux-label.patch
View File

@ -1,4 +1,4 @@
From a3280e7ec607b9eb7b79cf75cd323fbbdd125b02 Mon Sep 17 00:00:00 2001
From aaf74b66a51cbda90ba40f73eb8def9b192ab262 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.15.1-selinux-label.patch

2
krb5-1.3.1-dns.patch
View File

@ -1,4 +1,4 @@
From 2ecbf6ba30520f908188521eb903876bc64905ae Mon Sep 17 00:00:00 2001
From 1b95f8a488d1e70bf7698c8b49412306a1b8aba0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch

2
krb5-1.9-debuginfo.patch
View File

@ -1,4 +1,4 @@
From 06349d595ba0baa72a9d5aabeedee5926419d6bc Mon Sep 17 00:00:00 2001
From e1d7fcf9713fe322ad5740045650dac86427e6ae Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch

46
krb5.spec
View File

@ -14,38 +14,38 @@
# Should be in form 5.0, 6.1, etc.
%global kdbversion 6.1
%global majmin 1.15
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist}
Release: 28%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
# $ fedpkg upload krb5-1.13.2.tar.gz krb5-1.13.2.tar.gz.asc # (and don't
# remove, otherwise you can't go back or branch from a previous point)
Source0: krb5-%{version}%{prerelease}.tar.gz
Source1: krb5-%{version}%{prerelease}.tar.gz.asc
Version: %{majmin}.2
# for prerelease, should be e.g., 0.3.beta2% { ?dist } (without spaces)
Release: 1%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz
# rharwood has trust path to signing key and verifies on check-in
Source1: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz.asc
# This source is generated during the build because it is documentation.
# To override this behavior (e.g., new upstream version), do:
# tar cfT krb5-1.15.2-pdfs.tar /dev/null
# or the like. This logic persists due to how slow the stranger Fedora
# architecture builders are. 5 minutes on my laptop, 45 on koji easy.
Source3: krb5-%{version}%{prerelease}-pdfs.tar
# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service
Source4: kadmin.service
Source5: krb5kdc.service
Source6: krb5.conf
#Source7: _kpropd
#Source8: _kadmind
Source10: kdc.conf
Source11: kadm5.acl
Source19: krb5kdc.sysconfig
Source20: kadmin.sysconfig
Source21: kprop.sysconfig
Source29: ksu.pamd
Source31: kerberos-adm.portreserve
Source32: krb5_prop.portreserve
Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
#Source36: kpropd.init
#Source37: kadmind.init
#Source38: krb5kdc.init
Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
@ -77,11 +77,8 @@ Patch48: Use-the-canonical-client-principal-name-for-OTP.patch
Patch49: Add-certauth-pluggable-interface.patch
Patch50: Correct-error-handling-bug-in-prior-commit.patch
Patch51: Add-k5test-expected_msg-expected_trace.patch
Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch
Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
Patch54: Prevent-KDC-unset-status-assertion-failures.patch
Patch55: Remove-incomplete-PKINIT-OCSP-support.patch
Patch56: Allow-clock-skew-in-krb5-gss_context_time.patch
Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
Patch58: Add-timestamp-helper-functions.patch
Patch59: Make-timestamp-manipulations-y2038-safe.patch
@ -96,7 +93,6 @@ Patch67: Fix-certauth-built-in-module-returns.patch
Patch68: Add-test-cert-with-no-extensions.patch
Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch
Patch70: Add-hostname-based-ccselect-module.patch
Patch71: Preserve-GSS-context-on-init-accept-failure.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -105,7 +101,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
BuildRequires: gzip, ncurses-devel
BuildRequires: python2-sphinx, texlive-pdftex
BuildRequires: python2-sphinx, texlive-pdftex, latexmk
# For autosetup
BuildRequires: git
@ -124,7 +120,9 @@ BuildRequires: tex(ifthen.sty)
BuildRequires: tex(inputenc.sty)
BuildRequires: tex(longtable.sty)
BuildRequires: tex(multirow.sty)
BuildRequires: tex(needspace.sty)
BuildRequires: tex(report.cls)
BuildRequires: tex(tabulary.sty)
BuildRequires: tex(threeparttable.sty)
BuildRequires: tex(times.sty)
BuildRequires: tex(titlesec.sty)
@ -748,6 +746,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Mon Sep 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.2-1
- New upstream release - krb5-1.15.2
- Adjust patches as appropriate
* Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28
- Save other programs from worrying about CVE-2017-11462
- Resolves: #1488873

1
krb5_prop.portreserve
View File

@ -1 +0,0 @@
krb5_prop/tcp

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (krb5-1.15.1-pdfs.tar) = f014d5da5e4cc74a19d51df658f52c6ae2f6f64663b29342e81f81ddb6e734a44c452b3f0d02f90c43baeb0618438f8b264d4f68424b0d98300a9dbe59a28552
SHA512 (krb5-1.15.1.tar.gz) = 068b4c012722d8c232049d2a617f7ee28ceeaba6be94a78439e69e37b66cfdc49085641e42cfb03b2fbb72d21517b537e437061ec4dd2bf864f31e55e05fe918
SHA512 (krb5-1.15.1.tar.gz.asc) = 48d2b1382970d4117340fbfd82a88ecd9342aaddad3e06a26db2b5e4766654e2e4cda03a3af6803e463e6ddcfbfbb32323379d9ccc70561c3f296b406bfee905
SHA512 (krb5-1.15.2-pdfs.tar) = 5875efde7ed88dcccd6f624a5252c5c70844fe94015ce4acfdf7f6ccabf52c86965c5a661b161c73e37b46e51aa5e9ea19602ab32e8b50682ecb0a450f0553b6
SHA512 (krb5-1.15.2.tar.gz) = e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
SHA512 (krb5-1.15.2.tar.gz.asc) = 37cee442de29229fa821539c3f1724eb4d37fa9ce5eee644869a7311c8fe10218dac36da3a5297d45168d8fb1ad64dbd614f10d3384d54e4070e56e7fe8a1e63