New upstream version (1.21.2)
- Fix double-free in KDC TGS processing (CVE-2023-39975) Resolves: rhbz#2229113 - Make tests compatible with Python 3.12 Resolves: rhbz#2224013 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
ae2cf9bef3
commit
f5676fd233
2
.gitignore
vendored
2
.gitignore
vendored
@ -204,3 +204,5 @@
|
||||
/krb5-1.20.1.tar.gz.asc
|
||||
/krb5-1.21.tar.gz
|
||||
/krb5-1.21.tar.gz.asc
|
||||
/krb5-1.21.2.tar.gz
|
||||
/krb5-1.21.2.tar.gz.asc
|
||||
|
309
0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
Normal file
309
0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
Normal file
@ -0,0 +1,309 @@
|
||||
From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 16 Aug 2023 10:00:30 +0200
|
||||
Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes"
|
||||
|
||||
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 12 ------------
|
||||
doc/admin/enctypes.rst | 23 +++-------------------
|
||||
src/include/k5-int.h | 4 ----
|
||||
src/kdc/kdc_util.c | 10 ----------
|
||||
src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++-------------------
|
||||
src/lib/krb5/krb/init_ctx.c | 10 ----------
|
||||
src/tests/gssapi/t_enctypes.py | 3 +--
|
||||
src/tests/t_etype_info.py | 2 +-
|
||||
src/tests/t_sesskeynego.py | 28 ++-------------------------
|
||||
src/util/k5test.py | 4 ++--
|
||||
10 files changed, 20 insertions(+), 107 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index ecdf917501..f22d5db11b 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in
|
||||
|
||||
The libdefaults section may contain any of the following relations:
|
||||
|
||||
-**allow_des3**
|
||||
- Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
|
||||
- In future releases, this flag will allow des3-cbc-sha1 to be used
|
||||
- at all. The default value for this tag is false. (Added in
|
||||
- release 1.21.)
|
||||
-
|
||||
-**allow_rc4**
|
||||
- Permit the KDC to issue tickets with arcfour-hmac session keys.
|
||||
- In future releases, this flag will allow arcfour-hmac to be used
|
||||
- at all. The default value for this tag is false. (Added in
|
||||
- release 1.21.)
|
||||
-
|
||||
**allow_weak_crypto**
|
||||
If this flag is set to false, then weak encryption types (as noted
|
||||
in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
|
||||
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||
index dce19ad43e..694922c0d9 100644
|
||||
--- a/doc/admin/enctypes.rst
|
||||
+++ b/doc/admin/enctypes.rst
|
||||
@@ -48,15 +48,12 @@ Session key selection
|
||||
The KDC chooses the session key enctype by taking the intersection of
|
||||
its **permitted_enctypes** list, the list of long-term keys for the
|
||||
most recent kvno of the service, and the client's requested list of
|
||||
-enctypes. Starting in krb5-1.21, all services are assumed to support
|
||||
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
|
||||
-keys will not be issued by default.
|
||||
+enctypes.
|
||||
|
||||
Starting in krb5-1.11, it is possible to set a string attribute on a
|
||||
service principal to control what session key enctypes the KDC may
|
||||
-issue for service tickets for that principal, overriding the service's
|
||||
-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
|
||||
-See :ref:`set_string` in :ref:`kadmin(1)` for details.
|
||||
+issue for service tickets for that principal. See :ref:`set_string`
|
||||
+in :ref:`kadmin(1)` for details.
|
||||
|
||||
|
||||
Choosing enctypes for a service
|
||||
@@ -90,20 +87,6 @@ affect how enctypes are chosen.
|
||||
acceptable risk for your environment and the weak enctypes are
|
||||
required for backward compatibility.
|
||||
|
||||
-**allow_des3**
|
||||
- was added in release 1.21 and defaults to *false*. Unless this
|
||||
- flag is set to *true*, the KDC will not issue tickets with
|
||||
- des3-cbc-sha1 session keys. In a future release, this flag will
|
||||
- control whether des3-cbc-sha1 is permitted in similar fashion to
|
||||
- weak enctypes.
|
||||
-
|
||||
-**allow_rc4**
|
||||
- was added in release 1.21 and defaults to *false*. Unless this
|
||||
- flag is set to *true*, the KDC will not issue tickets with
|
||||
- arcfour-hmac session keys. In a future release, this flag will
|
||||
- control whether arcfour-hmac is permitted in similar fashion to
|
||||
- weak enctypes.
|
||||
-
|
||||
**permitted_enctypes**
|
||||
controls the set of enctypes that a service will permit for
|
||||
session keys and for ticket and authenticator encryption. The KDC
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 2f7791b775..1d1c8293f4 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -180,8 +180,6 @@ typedef unsigned char u_char;
|
||||
* matches the variable name. Keep these alphabetized. */
|
||||
#define KRB5_CONF_ACL_FILE "acl_file"
|
||||
#define KRB5_CONF_ADMIN_SERVER "admin_server"
|
||||
-#define KRB5_CONF_ALLOW_DES3 "allow_des3"
|
||||
-#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
|
||||
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
|
||||
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
|
||||
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
|
||||
@@ -1240,8 +1238,6 @@ struct _krb5_context {
|
||||
struct _kdb_log_context *kdblog_context;
|
||||
|
||||
krb5_boolean allow_weak_crypto;
|
||||
- krb5_boolean allow_des3;
|
||||
- krb5_boolean allow_rc4;
|
||||
krb5_boolean ignore_acceptor_hostname;
|
||||
krb5_boolean enforce_ok_as_delegate;
|
||||
enum dns_canonhost dns_canonicalize_hostname;
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index e54cc751f9..75e04b73db 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
|
||||
if (!krb5_is_permitted_enctype(context, ktype[i]))
|
||||
continue;
|
||||
|
||||
- /*
|
||||
- * Prevent these deprecated enctypes from being used as session keys
|
||||
- * unless they are explicitly allowed. In the future they will be more
|
||||
- * comprehensively disabled and eventually removed.
|
||||
- */
|
||||
- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3)
|
||||
- continue;
|
||||
- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4)
|
||||
- continue;
|
||||
-
|
||||
if (dbentry_supports_enctype(context, server, ktype[i]))
|
||||
return ktype[i];
|
||||
}
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index ea089f0fcc..1b420a3ac2 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||
(*prompter)(context, data, 0, banner, 0, 0);
|
||||
}
|
||||
|
||||
-/* Display a warning via the prompter if a deprecated enctype was used for
|
||||
- * either the reply key or the session key. */
|
||||
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
|
||||
+ * reply key or the session key. */
|
||||
static void
|
||||
-warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
|
||||
- krb5_enctype as_key_enctype)
|
||||
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
|
||||
+ krb5_enctype as_key_enctype)
|
||||
{
|
||||
- krb5_enctype etype;
|
||||
- char encbuf[128], banner[256];
|
||||
+ const char *banner;
|
||||
|
||||
- if (ctx->prompter == NULL)
|
||||
- return;
|
||||
-
|
||||
- if (krb5int_c_deprecated_enctype(as_key_enctype))
|
||||
- etype = as_key_enctype;
|
||||
- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
|
||||
- etype = ctx->cred.keyblock.enctype;
|
||||
- else
|
||||
+ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
|
||||
+ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
|
||||
return;
|
||||
-
|
||||
- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
|
||||
+ if (ctx->prompter == NULL)
|
||||
return;
|
||||
- snprintf(banner, sizeof(banner),
|
||||
- _("Warning: encryption type %s used for authentication is "
|
||||
- "deprecated and will be disabled"), encbuf);
|
||||
|
||||
+ banner = _("Warning: encryption type des3-cbc-sha1 used for "
|
||||
+ "authentication is weak and will be disabled");
|
||||
/* PROMPTER_INVOCATION */
|
||||
(*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
|
||||
}
|
||||
@@ -1857,7 +1848,7 @@ init_creds_step_reply(krb5_context context,
|
||||
ctx->complete = TRUE;
|
||||
warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
|
||||
ctx->in_tkt_service, ctx->reply);
|
||||
- warn_deprecated(context, ctx, encrypting_key.enctype);
|
||||
+ warn_des3(context, ctx, encrypting_key.enctype);
|
||||
|
||||
cleanup:
|
||||
krb5_free_pa_data(context, kdc_padata);
|
||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||
index a6c2bbeb54..87b486c53f 100644
|
||||
--- a/src/lib/krb5/krb/init_ctx.c
|
||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||
@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
goto cleanup;
|
||||
ctx->allow_weak_crypto = tmp;
|
||||
|
||||
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
|
||||
- if (retval)
|
||||
- goto cleanup;
|
||||
- ctx->allow_des3 = tmp;
|
||||
-
|
||||
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
|
||||
- if (retval)
|
||||
- goto cleanup;
|
||||
- ctx->allow_rc4 = tmp;
|
||||
-
|
||||
retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
||||
index f5f11842e2..7494d7fcdb 100755
|
||||
--- a/src/tests/gssapi/t_enctypes.py
|
||||
+++ b/src/tests/gssapi/t_enctypes.py
|
||||
@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
|
||||
# These tests make assumptions about the default enctype lists, so set
|
||||
# them explicitly rather than relying on the library defaults.
|
||||
supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
||||
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
||||
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
+conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
||||
'realms': {'$realm': {'supported_enctypes': supp}}}
|
||||
realm = K5Realm(krb5_conf=conf)
|
||||
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
||||
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||
index 38cf96ca8f..c982508d8b 100644
|
||||
--- a/src/tests/t_etype_info.py
|
||||
+++ b/src/tests/t_etype_info.py
|
||||
@@ -1,7 +1,7 @@
|
||||
from k5test import *
|
||||
|
||||
supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
+conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
||||
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||
|
||||
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
||||
index 5a213617b5..9024aee838 100755
|
||||
--- a/src/tests/t_sesskeynego.py
|
||||
+++ b/src/tests/t_sesskeynego.py
|
||||
@@ -25,8 +25,6 @@ conf3 = {'libdefaults': {
|
||||
'default_tkt_enctypes': 'aes128-cts',
|
||||
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
||||
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
||||
-conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
||||
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
||||
# Test with client request and session_enctypes preferring aes128, but
|
||||
# aes256 long-term key.
|
||||
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
||||
@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||
'aes128-cts,aes256-cts'])
|
||||
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||
|
||||
-# 3b: Skip RC4 (as the KDC does not allow it for session keys by
|
||||
-# default) and negotiate aes128-cts session key, with only an aes256
|
||||
-# long-term service key.
|
||||
+# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
|
||||
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||
'rc4-hmac,aes128-cts,aes256-cts'])
|
||||
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||
realm.stop()
|
||||
|
||||
# 4: Check that permitted_enctypes is a default for session key enctypes.
|
||||
@@ -71,24 +67,4 @@ realm.run([kvno, 'user'],
|
||||
expected_trace=('etypes requested in TGS request: aes256-cts',))
|
||||
realm.stop()
|
||||
|
||||
-# 5: allow_rc4 permits negotiation of rc4-hmac session key.
|
||||
-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
||||
-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||
-realm.stop()
|
||||
-
|
||||
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
||||
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
||||
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
||||
-realm.stop()
|
||||
-
|
||||
-# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
||||
-realm = K5Realm(create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
||||
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
|
||||
-realm.stop()
|
||||
-
|
||||
success('sesskeynego')
|
||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||
index 8e5f5ba8e9..2a86c5cdfc 100644
|
||||
--- a/src/util/k5test.py
|
||||
+++ b/src/util/k5test.py
|
||||
@@ -1340,14 +1340,14 @@ _passes = [
|
||||
|
||||
# Exercise the DES3 enctype.
|
||||
('des3', None,
|
||||
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
||||
+ {'libdefaults': {'permitted_enctypes': 'des3'}},
|
||||
{'realms': {'$realm': {
|
||||
'supported_enctypes': 'des3-cbc-sha1:normal',
|
||||
'master_key_type': 'des3-cbc-sha1'}}}),
|
||||
|
||||
# Exercise the arcfour enctype.
|
||||
('arcfour', None,
|
||||
- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
||||
+ {'libdefaults': {'permitted_enctypes': 'rc4'}},
|
||||
{'realms': {'$realm': {
|
||||
'supported_enctypes': 'arcfour-hmac:normal',
|
||||
'master_key_type': 'arcfour-hmac'}}}),
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 67c82a09c6c53713c281045cd55de2720cd06907 Mon Sep 17 00:00:00 2001
|
||||
From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] [downstream] ksu pam integration
|
||||
@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From dfbac76ab7bb7e6e2c3171eefcaa93573e6b630e Mon Sep 17 00:00:00 2001
|
||||
From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] [downstream] SELinux integration
|
||||
@ -188,7 +188,7 @@ index 587221936e..69be9030f8 100644
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 2f7791b775..9c534faa8a 100644
|
||||
index 1d1c8293f4..768110e5ef 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
|
||||
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
|
||||
+
|
||||
+#endif /* USE_SELINUX */
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a9c463ed5988c860ebb18de212d6c56da1cb1169 Mon Sep 17 00:00:00 2001
|
||||
From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
||||
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
|
||||
install:
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001
|
||||
From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||
Subject: [PATCH] [downstream] Remove 3des support
|
||||
@ -8,7 +8,7 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
|
||||
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
|
||||
their constants.
|
||||
|
||||
Last-updated: 1.20-final
|
||||
Last-updated: 1.21.1-final
|
||||
[antorres@redhat.com: remove diffs for:
|
||||
- src/kdamin/testing/proto/kdc.conf.proto
|
||||
- src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
||||
@ -98,19 +98,18 @@ Last-updated: 1.20-final
|
||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +-
|
||||
src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 --
|
||||
src/plugins/preauth/spake/t_vectors.c | 25 --
|
||||
src/tests/gssapi/t_enctypes.py | 34 +-
|
||||
src/tests/gssapi/t_enctypes.py | 33 +-
|
||||
src/tests/gssapi/t_invalid.c | 12 -
|
||||
src/tests/gssapi/t_pcontok.c | 16 +-
|
||||
src/tests/gssapi/t_prf.c | 7 -
|
||||
src/tests/t_authdata.py | 2 +-
|
||||
src/tests/t_etype_info.py | 20 +-
|
||||
src/tests/t_etype_info.py | 21 +-
|
||||
src/tests/t_keyrollover.py | 8 +-
|
||||
src/tests/t_mkey.py | 35 --
|
||||
src/tests/t_salt.py | 5 +-
|
||||
src/tests/t_sesskeynego.py | 8 -
|
||||
src/util/k5test.py | 7 -
|
||||
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
||||
90 files changed, 149 insertions(+), 4720 deletions(-)
|
||||
89 files changed, 149 insertions(+), 4712 deletions(-)
|
||||
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
||||
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
||||
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
||||
@ -200,10 +199,10 @@ index 74a0a2acef..846c58ed82 100644
|
||||
|
||||
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
|
||||
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||
index dce19ad43e..2b4ed7da0b 100644
|
||||
index 694922c0d9..c4d5499d3b 100644
|
||||
--- a/doc/admin/enctypes.rst
|
||||
+++ b/doc/admin/enctypes.rst
|
||||
@@ -146,7 +146,7 @@ enctype weak? krb5 Windows
|
||||
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows
|
||||
des-cbc-crc weak <1.18 >=2000
|
||||
des-cbc-md4 weak <1.18 ?
|
||||
des-cbc-md5 weak <1.18 >=2000
|
||||
@ -212,7 +211,7 @@ index dce19ad43e..2b4ed7da0b 100644
|
||||
arcfour-hmac deprecated >=1.3 >=2000
|
||||
arcfour-hmac-exp weak >=1.3 >=2000
|
||||
aes128-cts-hmac-sha1-96 >=1.3 >=Vista
|
||||
@@ -165,9 +165,11 @@ default.
|
||||
@@ -148,9 +148,11 @@ default.
|
||||
krb5 releases 1.17 and later flag deprecated encryption types
|
||||
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
|
||||
kadmin output. krb5 release 1.19 issues a warning during initial
|
||||
@ -363,10 +362,10 @@ index dd6430ece8..350bcf86f2 100644
|
||||
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
||||
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index e54cc751f9..ea10e23a95 100644
|
||||
index 75e04b73db..fe4e48209a 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
||||
@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
||||
name = "rsaEncryption-EnvOID";
|
||||
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
||||
name = "id-RSAES-OAEP-EnvOID";
|
||||
@ -375,7 +374,7 @@ index e54cc751f9..ea10e23a95 100644
|
||||
else
|
||||
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
||||
|
||||
@@ -1657,8 +1655,6 @@ krb5_boolean
|
||||
@@ -1647,8 +1645,6 @@ krb5_boolean
|
||||
enctype_requires_etype_info_2(krb5_enctype enctype)
|
||||
{
|
||||
switch(enctype) {
|
||||
@ -5593,7 +5592,7 @@ index 84f1949887..32150f5e34 100644
|
||||
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
||||
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,
|
||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||
index a6c2bbeb54..18290b764b 100644
|
||||
index 87b486c53f..2b5abcd817 100644
|
||||
--- a/src/lib/krb5/krb/init_ctx.c
|
||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||
@@ -59,7 +59,6 @@
|
||||
@ -5604,7 +5603,7 @@ index a6c2bbeb54..18290b764b 100644
|
||||
ENCTYPE_ARCFOUR_HMAC,
|
||||
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
|
||||
0
|
||||
@@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
||||
@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
||||
/* Set all enctypes in the default list. */
|
||||
for (i = 0; default_list[i]; i++)
|
||||
mod_list(default_list[i], sel, weak, &list);
|
||||
@ -5849,10 +5848,10 @@ index 2279202d3a..96b0307d78 100644
|
||||
/* initial key, w, x, y, T, S, K */
|
||||
"8846F7EAEE8FB117AD06BDD830B7586C",
|
||||
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
||||
index f5f11842e2..1bb8c40b6b 100755
|
||||
index 7494d7fcdb..2f95d89967 100755
|
||||
--- a/src/tests/gssapi/t_enctypes.py
|
||||
+++ b/src/tests/gssapi/t_enctypes.py
|
||||
@@ -1,25 +1,17 @@
|
||||
@@ -1,24 +1,17 @@
|
||||
from k5test import *
|
||||
|
||||
-# Define some convenience abbreviations for enctypes we will see in
|
||||
@ -5876,14 +5875,13 @@ index f5f11842e2..1bb8c40b6b 100755
|
||||
# These tests make assumptions about the default enctype lists, so set
|
||||
# them explicitly rather than relying on the library defaults.
|
||||
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
||||
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
||||
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
||||
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
|
||||
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},
|
||||
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
|
||||
'realms': {'$realm': {'supported_enctypes': supp}}}
|
||||
realm = K5Realm(krb5_conf=conf)
|
||||
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
||||
@@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
||||
@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
||||
test_err('acc aes128', None, 'aes128-cts',
|
||||
'Encryption type aes256-cts-hmac-sha1-96 not permitted')
|
||||
|
||||
@ -5904,7 +5902,7 @@ index f5f11842e2..1bb8c40b6b 100755
|
||||
# subkey.
|
||||
test('upgrade noargs', None, None,
|
||||
tktenc=aes256, tktsession=d_rc4,
|
||||
@@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
||||
@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
||||
tktenc=aes256, tktsession=d_rc4,
|
||||
proto='cfx', isubkey=rc4, asubkey=aes128)
|
||||
|
||||
@ -6008,20 +6006,21 @@ index bde1c36844..8fcd30db51 100644
|
||||
realm.run(['./forward'])
|
||||
realm.run([kvno, realm.host_princ])
|
||||
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||
index 38cf96ca8f..e82ff7ff07 100644
|
||||
index c982508d8b..a6f538b66d 100644
|
||||
--- a/src/tests/t_etype_info.py
|
||||
+++ b/src/tests/t_etype_info.py
|
||||
@@ -1,7 +1,7 @@
|
||||
@@ -1,8 +1,7 @@
|
||||
from k5test import *
|
||||
|
||||
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
-conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
||||
- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||
+supported_enctypes = 'aes128-cts rc4-hmac'
|
||||
+conf = {'libdefaults': {'allow_rc4': 'true'},
|
||||
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||
+conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||
|
||||
@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
||||
realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth',
|
||||
@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
||||
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
||||
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
||||
# key for the most preferred matching enctype.
|
||||
@ -6034,7 +6033,7 @@ index 38cf96ca8f..e82ff7ff07 100644
|
||||
'asrep pw_salt KRBTEST.COMuser'])
|
||||
|
||||
# With a newer enctype in the request (even if it is not the most
|
||||
@@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts',
|
||||
@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts',
|
||||
|
||||
# In preauth-required errors, PA-PW-SALT does not appear, but the same
|
||||
# etype-info2 values are expected.
|
||||
@ -6047,7 +6046,7 @@ index 38cf96ca8f..e82ff7ff07 100644
|
||||
test_etinfo('preauthuser', 'rc4 aes256-cts',
|
||||
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
|
||||
|
||||
@@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts',
|
||||
@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts',
|
||||
# (to allow for preauth mechs which don't depend on long-term keys).
|
||||
# An AS-REP cannot be generated without preauth as there is no reply
|
||||
# key.
|
||||
@ -6159,34 +6158,8 @@ index 65084bbf35..55ca897459 100755
|
||||
|
||||
# Test using different salt types in a principal's key list.
|
||||
# Parameters from one key in the list must not leak over to later ones.
|
||||
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
||||
index 5a213617b5..c7dba0ff5b 100755
|
||||
--- a/src/tests/t_sesskeynego.py
|
||||
+++ b/src/tests/t_sesskeynego.py
|
||||
@@ -26,7 +26,6 @@ conf3 = {'libdefaults': {
|
||||
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
||||
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
||||
conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
||||
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
||||
# Test with client request and session_enctypes preferring aes128, but
|
||||
# aes256 long-term key.
|
||||
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
||||
@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
||||
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||
realm.stop()
|
||||
|
||||
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
||||
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
||||
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
||||
-realm.stop()
|
||||
-
|
||||
# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
||||
realm = K5Realm(create_host=False, get_creds=False)
|
||||
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||
index 8e5f5ba8e9..b953827018 100644
|
||||
index 2a86c5cdfc..d823653aa0 100644
|
||||
--- a/src/util/k5test.py
|
||||
+++ b/src/util/k5test.py
|
||||
@@ -1338,13 +1338,6 @@ _passes = [
|
||||
@ -6195,14 +6168,14 @@ index 8e5f5ba8e9..b953827018 100644
|
||||
|
||||
- # Exercise the DES3 enctype.
|
||||
- ('des3', None,
|
||||
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
||||
- {'libdefaults': {'permitted_enctypes': 'des3'}},
|
||||
- {'realms': {'$realm': {
|
||||
- 'supported_enctypes': 'des3-cbc-sha1:normal',
|
||||
- 'master_key_type': 'des3-cbc-sha1'}}}),
|
||||
-
|
||||
# Exercise the arcfour enctype.
|
||||
('arcfour', None,
|
||||
{'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
||||
{'libdefaults': {'permitted_enctypes': 'rc4'}},
|
||||
diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
||||
index 1aebdd0b4a..c38eefd2bd 100644
|
||||
--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
||||
@ -6228,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
|
||||
<td>The AES Advanced Encryption Standard
|
||||
family, like 3DES, is a symmetric block cipher and was designed
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 53191fd3a1acfeefa8e5c26e7e9d130688daf745 Mon Sep 17 00:00:00 2001
|
||||
From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||
@ -41,10 +41,10 @@ Last-updated: krb5-1.20
|
||||
15 files changed, 155 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index ecdf917501..b78a3faf0a 100644
|
||||
index f22d5db11b..a33711d918 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -342,6 +342,12 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
|
||||
qualification of shortnames, set this relation to the empty string
|
||||
with ``qualify_shortname = ""``. (New in release 1.18.)
|
||||
|
||||
@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
|
||||
vt->name = "spake";
|
||||
vt->pa_type_list = pa_types;
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c19d0bd35cde40172118c67c38a44f164bce1e16 Mon Sep 17 00:00:00 2001
|
||||
From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 May 2022 17:15:12 +0200
|
||||
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
|
||||
@ -77,5 +77,5 @@ index 929f1cef67..063f17a613 100644
|
||||
retval = ESOCKTNOSUPPORT;
|
||||
goto error;
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0366e8b5b2f960cb8305fd95839376b6c18aae42 Mon Sep 17 00:00:00 2001
|
||||
From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 7 Dec 2022 13:22:42 +0100
|
||||
Subject: [PATCH] [downstream] Make tests compatible with
|
||||
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
|
||||
fail('URI answers do not match')
|
||||
j += 1
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a567b9de563cd8ad262f77cf97a8bc528a884745 Mon Sep 17 00:00:00 2001
|
||||
From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
||||
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
||||
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
|
||||
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||
* concatenated fields (all integer fields are big-endian):
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6adfd97a3558aae4ace346685266bac9dae8bba9 Mon Sep 17 00:00:00 2001
|
||||
From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Mon, 9 Jan 2023 22:39:52 +0100
|
||||
Subject: [PATCH] [downstream] Do not set root as ksu file owner
|
||||
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
|
||||
## ${prefix}.
|
||||
prefix=@prefix@
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 73640dc4899494d010b83b080b3a65bd3e69177c Mon Sep 17 00:00:00 2001
|
||||
From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 19 Jan 2023 19:22:27 +0100
|
||||
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
|
||||
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
|
||||
ret = KRB5_CRYPTO_INTERNAL;
|
||||
goto done;
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f47c9eb8618006012600a906367295ed53c558d0 Mon Sep 17 00:00:00 2001
|
||||
From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
||||
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
||||
@ -124,7 +124,7 @@ index 350bcf86f2..17e1b52266 100644
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index ea10e23a95..c7b6e4090d 100644
|
||||
index fe4e48209a..93415ba862 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -560,16 +560,36 @@ cleanup:
|
||||
@ -258,7 +258,7 @@ index 4c50e935a2..d4b0455c8c 100644
|
||||
krb5_kt_client_default
|
||||
krb5_kt_close
|
||||
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||
index d028dc2975..2c8d10067f 100644
|
||||
index 461207021b..e8d78309cb 100644
|
||||
--- a/src/man/kadmin.man
|
||||
+++ b/src/man/kadmin.man
|
||||
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
|
||||
@ -275,5 +275,5 @@ index d028dc2975..2c8d10067f 100644
|
||||
.sp
|
||||
This command requires the \fBmodify\fP privilege.
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d1322546dca51100759eac318ce554bd301c50c3 Mon Sep 17 00:00:00 2001
|
||||
From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 23 May 2023 12:19:54 +0200
|
||||
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
||||
@ -43,5 +43,5 @@ index f41328763e..263ef7845e 100644
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a378b1970d92692baeddf6a8681f47efb13e343d Mon Sep 17 00:00:00 2001
|
||||
From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 30 May 2023 01:21:48 -0400
|
||||
Subject: [PATCH] Enable PKINIT if at least one group is available
|
||||
@ -214,5 +214,5 @@ index 259e95c6c2..5ee39c085c 100644
|
||||
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
||||
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
64
0015-Replace-ssl.wrap_socket-for-tests.patch
Normal file
64
0015-Replace-ssl.wrap_socket-for-tests.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 19 Jul 2023 13:43:17 +0200
|
||||
Subject: [PATCH] Replace ssl.wrap_socket() for tests
|
||||
|
||||
The ssl.wrap_socket() function was deprecated in Python 3.7 and is
|
||||
removed in Python 3.12. The ssl.SSLContext.wrap_socket() method
|
||||
replaces it.
|
||||
|
||||
Bump the required Python version for tests to 3.4 for
|
||||
ssl.create_default_context().
|
||||
|
||||
[ghudson@mit.edu: changed minimum Python version]
|
||||
|
||||
(cherry picked from commit 0ceab6c363e65fb21d3312a663f2b9b569ecc415)
|
||||
---
|
||||
src/configure.ac | 9 ++++-----
|
||||
src/util/wsgiref-kdcproxy.py | 4 +++-
|
||||
2 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/configure.ac b/src/configure.ac
|
||||
index 2561e917a2..487f393146 100644
|
||||
--- a/src/configure.ac
|
||||
+++ b/src/configure.ac
|
||||
@@ -1157,10 +1157,9 @@ AC_SUBST(PKINIT)
|
||||
# for lib/apputils
|
||||
AC_REPLACE_FUNCS(daemon)
|
||||
|
||||
-# For Python tests. Python version 3.2.4 is required as prior
|
||||
-# versions do not accept string input to subprocess.Popen.communicate
|
||||
-# when universal_newlines is set.
|
||||
-PYTHON_MINVERSION=3.2.4
|
||||
+# For Python tests. Python version 3.4 is required for
|
||||
+# ssl.create_default_context().
|
||||
+PYTHON_MINVERSION=3.4
|
||||
AC_SUBST(PYTHON_MINVERSION)
|
||||
AC_CHECK_PROG(PYTHON,python3,python3)
|
||||
if test x"$PYTHON" = x; then
|
||||
@@ -1168,7 +1167,7 @@ if test x"$PYTHON" = x; then
|
||||
fi
|
||||
HAVE_PYTHON=no
|
||||
if test x"$PYTHON" != x; then
|
||||
- wantver="(sys.hexversion >= 0x30204F0)"
|
||||
+ wantver="(sys.hexversion >= 0x30400F0)"
|
||||
if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then
|
||||
HAVE_PYTHON=yes
|
||||
fi
|
||||
diff --git a/src/util/wsgiref-kdcproxy.py b/src/util/wsgiref-kdcproxy.py
|
||||
index 58759696b6..d1d10d733c 100755
|
||||
--- a/src/util/wsgiref-kdcproxy.py
|
||||
+++ b/src/util/wsgiref-kdcproxy.py
|
||||
@@ -14,6 +14,8 @@ else:
|
||||
pem = '*'
|
||||
|
||||
server = make_server('localhost', port, kdcproxy.Application())
|
||||
-server.socket = ssl.wrap_socket(server.socket, certfile=pem, server_side=True)
|
||||
+sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
|
||||
+sslctx.load_cert_chain(certfile=pem)
|
||||
+server.socket = sslctx.wrap_socket(server.socket, server_side=True)
|
||||
os.write(sys.stdout.fileno(), b'proxy server ready\n')
|
||||
server.serve_forever()
|
||||
--
|
||||
2.41.0
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (krb5-1.21.tar.gz) = 8ee2366888f6d553a44fc642a89c69a57dbc1ec4c89a36b9ba8b00584a9a32c73a2b0566ba5f21852ad9617046666c276dac402393bf8eb19fbe0c07a838071a
|
||||
SHA512 (krb5-1.21.tar.gz.asc) = 7147a44a13f4f26c5c1d9aba738b32892b50e351ad149dcaf0b6f2c010e3c51d7d51540d0a51b085450ffa31d5027b5f2e5841109d7af8bdaddbdd3a569582d5
|
||||
SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
|
||||
SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9
|
||||
|
Loading…
Reference in New Issue
Block a user