import krb5-1.18.2-21.el8
		
							parent
							
								
									ca46c1e298
								
							
						
					
					
						commit
						fe9b3af2d1
					
				
							
								
								
									
										365
									
								
								SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @ -0,0 +1,365 @@ | ||||
| From 5d541f1f0b468b1c976acf8ec2359bd0c8c73be7 Mon Sep 17 00:00:00 2001 | ||||
| From: Julien Rische <jrische@redhat.com> | ||||
| Date: Wed, 19 Jan 2022 19:46:08 +0100 | ||||
| Subject: [PATCH] Make kprop work for dump files larger than 4GB | ||||
| 
 | ||||
| If the dump file size does not fit in 32 bits, encode four zero bytes | ||||
| (forcing an error for unmodified kpropd) followed by the size in the | ||||
| next 64 bits. | ||||
| 
 | ||||
| Add a functional test case, but only run it when an environment | ||||
| variable is set, as processing a 4GB dump file is too | ||||
| resource-intensive for make check. | ||||
| 
 | ||||
| [ghudson@mit.edu: edited comments and commit message; eliminated use | ||||
| of defined constant in some cases; added test case] | ||||
| 
 | ||||
| ticket: 9053 (new) | ||||
| ---
 | ||||
|  src/kprop/kprop.c      | 37 +++++++++++++++++++++---------------- | ||||
|  src/kprop/kprop.h      | 12 ++++++++++++ | ||||
|  src/kprop/kprop_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ | ||||
|  src/kprop/kpropd.c     | 33 +++++++++++++++++++++------------ | ||||
|  src/tests/t_kprop.py   | 34 ++++++++++++++++++++++++++++++++++ | ||||
|  5 files changed, 130 insertions(+), 28 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c
 | ||||
| index 0b53aae7e..5adb4d31f 100644
 | ||||
| --- a/src/kprop/kprop.c
 | ||||
| +++ b/src/kprop/kprop.c
 | ||||
| @@ -25,6 +25,7 @@
 | ||||
|   */ | ||||
|   | ||||
|  #include "k5-int.h" | ||||
| +#include <inttypes.h>
 | ||||
|  #include <locale.h> | ||||
|  #include <sys/file.h> | ||||
|  #include <signal.h> | ||||
| @@ -71,11 +72,11 @@ static void open_connection(krb5_context context, char *host, int *fd_out);
 | ||||
|  static void kerberos_authenticate(krb5_context context, | ||||
|                                    krb5_auth_context *auth_context, int fd, | ||||
|                                    krb5_principal me, krb5_creds **new_creds); | ||||
| -static int open_database(krb5_context context, char *data_fn, int *size);
 | ||||
| +static int open_database(krb5_context context, char *data_fn, off_t *size);
 | ||||
|  static void close_database(krb5_context context, int fd); | ||||
|  static void xmit_database(krb5_context context, | ||||
|                            krb5_auth_context auth_context, krb5_creds *my_creds, | ||||
| -                          int fd, int database_fd, int in_database_size);
 | ||||
| +                          int fd, int database_fd, off_t in_database_size);
 | ||||
|  static void send_error(krb5_context context, krb5_creds *my_creds, int fd, | ||||
|                         char *err_text, krb5_error_code err_code); | ||||
|  static void update_last_prop_file(char *hostname, char *file_name); | ||||
| @@ -90,7 +91,8 @@ static void usage()
 | ||||
|  int | ||||
|  main(int argc, char **argv) | ||||
|  { | ||||
| -    int fd, database_fd, database_size;
 | ||||
| +    int fd, database_fd;
 | ||||
| +    off_t database_size;
 | ||||
|      krb5_error_code retval; | ||||
|      krb5_context context; | ||||
|      krb5_creds *my_creds; | ||||
| @@ -339,7 +341,7 @@ kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context,
 | ||||
|   * in the size of the database file. | ||||
|   */ | ||||
|  static int | ||||
| -open_database(krb5_context context, char *data_fn, int *size)
 | ||||
| +open_database(krb5_context context, char *data_fn, off_t *size)
 | ||||
|  { | ||||
|      struct stat stbuf, stbuf_ok; | ||||
|      char *data_ok_fn; | ||||
| @@ -413,19 +415,18 @@ close_database(krb5_context context, int fd)
 | ||||
|  static void | ||||
|  xmit_database(krb5_context context, krb5_auth_context auth_context, | ||||
|                krb5_creds *my_creds, int fd, int database_fd, | ||||
| -              int in_database_size)
 | ||||
| +              off_t in_database_size)
 | ||||
|  { | ||||
|      krb5_int32 n; | ||||
|      krb5_data inbuf, outbuf; | ||||
| -    char buf[KPROP_BUFSIZ];
 | ||||
| +    char buf[KPROP_BUFSIZ], dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ];
 | ||||
|      krb5_error_code retval; | ||||
|      krb5_error *error; | ||||
| -    krb5_ui_4 database_size = in_database_size, send_size, sent_size;
 | ||||
| +    uint64_t database_size = in_database_size, send_size, sent_size;
 | ||||
|   | ||||
|      /* Send over the size. */ | ||||
| -    send_size = htonl(database_size);
 | ||||
| -    inbuf.data = (char *)&send_size;
 | ||||
| -    inbuf.length = sizeof(send_size); /* must be 4, really */
 | ||||
| +    inbuf = make_data(dbsize_buf, sizeof(dbsize_buf));
 | ||||
| +    encode_database_size(database_size, &inbuf);
 | ||||
|      /* KPROP_CKSUMTYPE */ | ||||
|      retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL); | ||||
|      if (retval) { | ||||
| @@ -460,7 +461,7 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
 | ||||
|          retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL); | ||||
|          if (retval) { | ||||
|              snprintf(buf, sizeof(buf), | ||||
| -                     "while encoding database block starting at %d",
 | ||||
| +                     "while encoding database block starting at %"PRIu64,
 | ||||
|                       sent_size); | ||||
|              com_err(progname, retval, "%s", buf); | ||||
|              send_error(context, my_creds, fd, buf, retval); | ||||
| @@ -471,14 +472,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
 | ||||
|          if (retval) { | ||||
|              krb5_free_data_contents(context, &outbuf); | ||||
|              com_err(progname, retval, | ||||
| -                    _("while sending database block starting at %d"),
 | ||||
| +                    _("while sending database block starting at %"PRIu64),
 | ||||
|                      sent_size); | ||||
|              exit(1); | ||||
|          } | ||||
|          krb5_free_data_contents(context, &outbuf); | ||||
|          sent_size += n; | ||||
|          if (debug) | ||||
| -            printf("%d bytes sent.\n", sent_size);
 | ||||
| +            printf("%"PRIu64" bytes sent.\n", sent_size);
 | ||||
|      } | ||||
|      if (sent_size != database_size) { | ||||
|          com_err(progname, 0, _("Premature EOF found for database file!")); | ||||
| @@ -533,10 +534,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
 | ||||
|          exit(1); | ||||
|      } | ||||
|   | ||||
| -    memcpy(&send_size, outbuf.data, sizeof(send_size));
 | ||||
| -    send_size = ntohl(send_size);
 | ||||
| +    retval = decode_database_size(&outbuf, &send_size);
 | ||||
| +    if (retval) {
 | ||||
| +        com_err(progname, retval, _("malformed sent database size message"));
 | ||||
| +        exit(1);
 | ||||
| +    }
 | ||||
|      if (send_size != database_size) { | ||||
| -        com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"),
 | ||||
| +        com_err(progname, 0, _("Kpropd sent database size %"PRIu64
 | ||||
| +                               ", expecting %"PRIu64),
 | ||||
|                  send_size, database_size); | ||||
|          exit(1); | ||||
|      } | ||||
| diff --git a/src/kprop/kprop.h b/src/kprop/kprop.h
 | ||||
| index 75331cc8a..3a319b535 100644
 | ||||
| --- a/src/kprop/kprop.h
 | ||||
| +++ b/src/kprop/kprop.h
 | ||||
| @@ -32,6 +32,7 @@
 | ||||
|  #define KPROP_PROT_VERSION "kprop5_01" | ||||
|   | ||||
|  #define KPROP_BUFSIZ 32768 | ||||
| +#define KPROP_DBSIZE_MAX_BUFSIZ 12  /* max length of an encoded DB size */
 | ||||
|   | ||||
|  /* pathnames are in osconf.h, included via k5-int.h */ | ||||
|   | ||||
| @@ -41,3 +42,14 @@ int sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa,
 | ||||
|  krb5_error_code | ||||
|  sn2princ_realm(krb5_context context, const char *hostname, const char *sname, | ||||
|                 const char *realm, krb5_principal *princ_out); | ||||
| +
 | ||||
| +/*
 | ||||
| + * Encode size in four bytes (for backward compatibility) if it fits; otherwise
 | ||||
| + * use the larger encoding.  buf must be allocated with at least
 | ||||
| + * KPROP_DBSIZE_MAX_BUFSIZ bytes.
 | ||||
| + */
 | ||||
| +void encode_database_size(uint64_t size, krb5_data *buf);
 | ||||
| +
 | ||||
| +/* Decode a database size.  Return KRB5KRB_ERR_GENERIC if buf has an invalid
 | ||||
| + * length or did not encode a 32-bit size compactly. */
 | ||||
| +krb5_error_code decode_database_size(const krb5_data *buf, uint64_t *size_out);
 | ||||
| diff --git a/src/kprop/kprop_util.c b/src/kprop/kprop_util.c
 | ||||
| index c32d174b9..9d6b25389 100644
 | ||||
| --- a/src/kprop/kprop_util.c
 | ||||
| +++ b/src/kprop/kprop_util.c
 | ||||
| @@ -96,3 +96,45 @@ sn2princ_realm(krb5_context context, const char *hostname, const char *sname,
 | ||||
|          (*princ_out)->type = KRB5_NT_SRV_HST; | ||||
|      return ret; | ||||
|  } | ||||
| +
 | ||||
| +void
 | ||||
| +encode_database_size(uint64_t size, krb5_data *buf)
 | ||||
| +{
 | ||||
| +    assert(buf->length >= 12);
 | ||||
| +    if (size > 0 && size <= UINT32_MAX) {
 | ||||
| +        /* Encode in 32 bits for backward compatibility. */
 | ||||
| +        store_32_be(size, buf->data);
 | ||||
| +        buf->length = 4;
 | ||||
| +    } else {
 | ||||
| +        /* Set the first 32 bits to 0 and encode in the following 64 bits. */
 | ||||
| +        store_32_be(0, buf->data);
 | ||||
| +        store_64_be(size, buf->data + 4);
 | ||||
| +        buf->length = 12;
 | ||||
| +    }
 | ||||
| +}
 | ||||
| +
 | ||||
| +krb5_error_code
 | ||||
| +decode_database_size(const krb5_data *buf, uint64_t *size_out)
 | ||||
| +{
 | ||||
| +    uint64_t size;
 | ||||
| +
 | ||||
| +    if (buf->length == 12) {
 | ||||
| +        /* A 12-byte buffer must have the first four bytes zeroed. */
 | ||||
| +        if (load_32_be(buf->data) != 0)
 | ||||
| +            return KRB5KRB_ERR_GENERIC;
 | ||||
| +
 | ||||
| +        /* The size is stored in the next 64 bits.  Values from 1..2^32-1 must
 | ||||
| +         * be encoded in four bytes. */
 | ||||
| +        size = load_64_be(buf->data + 4);
 | ||||
| +        if (size > 0 && size <= UINT32_MAX)
 | ||||
| +            return KRB5KRB_ERR_GENERIC;
 | ||||
| +    } else if (buf->length == 4) {
 | ||||
| +        size = load_32_be(buf->data);
 | ||||
| +    } else {
 | ||||
| +        /* Invalid buffer size. */
 | ||||
| +        return KRB5KRB_ERR_GENERIC;
 | ||||
| +    }
 | ||||
| +
 | ||||
| +    *size_out = size;
 | ||||
| +    return 0;
 | ||||
| +}
 | ||||
| diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
 | ||||
| index 356e3e0e6..a83a86866 100644
 | ||||
| --- a/src/kprop/kpropd.c
 | ||||
| +++ b/src/kprop/kpropd.c
 | ||||
| @@ -55,6 +55,7 @@
 | ||||
|  #include "com_err.h" | ||||
|  #include "fake-addrinfo.h" | ||||
|   | ||||
| +#include <inttypes.h>
 | ||||
|  #include <locale.h> | ||||
|  #include <ctype.h> | ||||
|  #include <sys/file.h> | ||||
| @@ -1354,9 +1355,10 @@ static void
 | ||||
|  recv_database(krb5_context context, int fd, int database_fd, | ||||
|                krb5_data *confmsg) | ||||
|  { | ||||
| -    krb5_ui_4 database_size, received_size;
 | ||||
| +    uint64_t database_size, received_size;
 | ||||
|      int n; | ||||
|      char buf[1024]; | ||||
| +    char dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ];
 | ||||
|      krb5_data inbuf, outbuf; | ||||
|      krb5_error_code retval; | ||||
|   | ||||
| @@ -1378,10 +1380,17 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|                  _("while decoding database size from client")); | ||||
|          exit(1); | ||||
|      } | ||||
| -    memcpy(&database_size, outbuf.data, sizeof(database_size));
 | ||||
| +
 | ||||
| +    retval = decode_database_size(&outbuf, &database_size);
 | ||||
| +    if (retval) {
 | ||||
| +        send_error(context, fd, retval, "malformed database size message");
 | ||||
| +        com_err(progname, retval,
 | ||||
| +                _("malformed database size message from client"));
 | ||||
| +        exit(1);
 | ||||
| +    }
 | ||||
| +
 | ||||
|      krb5_free_data_contents(context, &inbuf); | ||||
|      krb5_free_data_contents(context, &outbuf); | ||||
| -    database_size = ntohl(database_size);
 | ||||
|   | ||||
|      /* Initialize the initial vector. */ | ||||
|      retval = krb5_auth_con_initivector(context, auth_context); | ||||
| @@ -1401,7 +1410,7 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|          retval = krb5_read_message(context, &fd, &inbuf); | ||||
|          if (retval) { | ||||
|              snprintf(buf, sizeof(buf), | ||||
| -                     "while reading database block starting at offset %d",
 | ||||
| +                     "while reading database block starting at offset %"PRIu64,
 | ||||
|                       received_size); | ||||
|              com_err(progname, retval, "%s", buf); | ||||
|              send_error(context, fd, retval, buf); | ||||
| @@ -1412,8 +1421,8 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|          retval = krb5_rd_priv(context, auth_context, &inbuf, &outbuf, NULL); | ||||
|          if (retval) { | ||||
|              snprintf(buf, sizeof(buf), | ||||
| -                     "while decoding database block starting at offset %d",
 | ||||
| -                     received_size);
 | ||||
| +                     "while decoding database block starting at offset %"
 | ||||
| +                     PRIu64, received_size);
 | ||||
|              com_err(progname, retval, "%s", buf); | ||||
|              send_error(context, fd, retval, buf); | ||||
|              krb5_free_data_contents(context, &inbuf); | ||||
| @@ -1424,13 +1433,13 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|          krb5_free_data_contents(context, &outbuf); | ||||
|          if (n < 0) { | ||||
|              snprintf(buf, sizeof(buf), | ||||
| -                     "while writing database block starting at offset %d",
 | ||||
| +                     "while writing database block starting at offset %"PRIu64,
 | ||||
|                       received_size); | ||||
|              send_error(context, fd, errno, buf); | ||||
|          } else if ((unsigned int)n != outbuf.length) { | ||||
|              snprintf(buf, sizeof(buf), | ||||
|                       "incomplete write while writing database block starting " | ||||
| -                     "at \noffset %d (%d written, %d expected)",
 | ||||
| +                     "at \noffset %"PRIu64" (%d written, %d expected)",
 | ||||
|                       received_size, n, outbuf.length); | ||||
|              send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); | ||||
|          } | ||||
| @@ -1440,7 +1449,8 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|      /* OK, we've seen the entire file.  Did we get too many bytes? */ | ||||
|      if (received_size > database_size) { | ||||
|          snprintf(buf, sizeof(buf), | ||||
| -                 "Received %d bytes, expected %d bytes for database file",
 | ||||
| +                 "Received %"PRIu64" bytes, expected %"PRIu64
 | ||||
| +                 " bytes for database file",
 | ||||
|                   received_size, database_size); | ||||
|          send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); | ||||
|      } | ||||
| @@ -1450,9 +1460,8 @@ recv_database(krb5_context context, int fd, int database_fd,
 | ||||
|   | ||||
|      /* Create message acknowledging number of bytes received, but | ||||
|       * don't send it until kdb5_util returns successfully. */ | ||||
| -    database_size = htonl(database_size);
 | ||||
| -    inbuf.data = (char *)&database_size;
 | ||||
| -    inbuf.length = sizeof(database_size);
 | ||||
| +    inbuf = make_data(dbsize_buf, sizeof(dbsize_buf));
 | ||||
| +    encode_database_size(database_size, &inbuf);
 | ||||
|      retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL); | ||||
|      if (retval) { | ||||
|          com_err(progname, retval, "while encoding # of receieved bytes"); | ||||
| diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py
 | ||||
| index c33e4fea2..f8ffd653a 100755
 | ||||
| --- a/src/tests/t_kprop.py
 | ||||
| +++ b/src/tests/t_kprop.py
 | ||||
| @@ -87,5 +87,39 @@ realm.run([kdb5_util, 'dump', dumpfile])
 | ||||
|  realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) | ||||
|  check_output(kpropd) | ||||
|  realm.run([kadminl, 'listprincs'], replica3, expected_msg='wakawaka') | ||||
| +stop_daemon(kpropd)
 | ||||
| +
 | ||||
| +# This test is too resource-intensive to be included in "make check"
 | ||||
| +# by default, but it can be enabled in the environment to test the
 | ||||
| +# propagation of databases large enough to require a 12-byte encoding
 | ||||
| +# of the database size.
 | ||||
| +if 'KPROP_LARGE_DB_TEST' in os.environ:
 | ||||
| +    output('Generating >4GB dumpfile\n')
 | ||||
| +    with open(dumpfile, 'w') as f:
 | ||||
| +        f.write('kdb5_util load_dump version 6\n')
 | ||||
| +        f.write('princ\t38\t15\t3\t1\t0\tK/M@KRBTEST.COM\t64\t86400\t0\t0\t0'
 | ||||
| +                '\t0\t0\t0\t8\t2\t0100\t9\t8\t0100010000000000\t2\t28'
 | ||||
| +                '\tb93e105164625f6372656174696f6e404b5242544553542e434f4d00'
 | ||||
| +                '\t1\t1\t18\t62\t2000408c027c250e8cc3b81476414f2214d57c1ce'
 | ||||
| +                '38891e29792e87258247c73547df4d5756266931dd6686b62270e6568'
 | ||||
| +                '95a31ec66bfe913b4f15226227\t-1;\n')
 | ||||
| +        for i in range(1, 20000000):
 | ||||
| +            f.write('princ\t38\t21\t1\t1\t0\tp%08d@KRBTEST.COM' % i)
 | ||||
| +            f.write('\t0\t86400\t0\t0\t0\t0\t0\t0\t2\t27'
 | ||||
| +                    '\td73e1051757365722f61646d696e404b5242544553542e434f4d00'
 | ||||
| +                    '\t1\t1\t17\t46'
 | ||||
| +                    '\t10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c49'
 | ||||
| +                    '5605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf\t-1;\n')
 | ||||
| +    assert os.path.getsize(dumpfile) > 4 * 1024 * 1024 * 1024
 | ||||
| +    with open(dumpfile + '.dump_ok', 'w') as f:
 | ||||
| +        f.write('\0')
 | ||||
| +    conf_large = {'dbmodules': {'db': {'database_name': '$testdir/db.large'}},
 | ||||
| +                  'realms': {'$realm': {'iprop_resync_timeout': '3600'}}}
 | ||||
| +    large = realm.special_env('large', True, kdc_conf=conf_large)
 | ||||
| +    kpropd = realm.start_kpropd(large, ['-d'])
 | ||||
| +    realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
 | ||||
| +    check_output(kpropd)
 | ||||
| +    realm.run([kadminl, 'getprinc', 'p19999999'], env=large,
 | ||||
| +              expected_msg='Principal: p19999999')
 | ||||
|   | ||||
|  success('kprop tests') | ||||
| -- 
 | ||||
| 2.35.1 | ||||
| 
 | ||||
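Review bot: In kprop_util.c, decode_database_size() accepts a 4-byte zero in its `buf->length == 4` branch, while encode_database_size() always writes a zero size in the 12-byte form, and neither the code nor the kprop.h comments say which is intended. If the short zero is kept on purpose (presumably for peers built before this change), a comment on that branch such as `/* A 4-byte zero is still accepted; encode_database_size() never produces it. */` would record that; otherwise the branch should return `KRB5KRB_ERR_GENERIC` for it. Separately, `assert(buf->length >= 12)` is the only guard before up to 12 bytes are stored into `buf->data`, and it repeats the value of `KPROP_DBSIZE_MAX_BUFSIZ` as a literal. Writing `assert(buf->length >= KPROP_DBSIZE_MAX_BUFSIZ);` would keep the check tied to the `dbsize_buf` arrays declared in kprop.c and kpropd.c.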
| @ -0,0 +1,91 @@ | ||||
| From 6b4cdaac48e6b736b66ccc21f4eed7c6fc4c2e4a Mon Sep 17 00:00:00 2001 | ||||
| From: Greg Hudson <ghudson@mit.edu> | ||||
| Date: Fri, 4 Mar 2022 00:45:00 -0500 | ||||
| Subject: [PATCH] Try harder to avoid password change replay errors | ||||
| 
 | ||||
| Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed | ||||
| change_set_password() to prefer TCP.  However, because UDP_LAST falls | ||||
| back to UDP after one second, we can still get a replay error due to a | ||||
| dropped packet, before the TCP layer has a chance to retry. | ||||
| 
 | ||||
| Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after | ||||
| TCP fails completely without reaching a server.  In sendto_kdc.c, | ||||
| implement an ONLY_UDP transport strategy to allow the UDP fallback. | ||||
| 
 | ||||
| ticket: 9037 | ||||
| ---
 | ||||
|  src/lib/krb5/os/changepw.c   |  9 ++++++++- | ||||
|  src/lib/krb5/os/os-proto.h   |  1 + | ||||
|  src/lib/krb5/os/sendto_kdc.c | 12 ++++++++---- | ||||
|  3 files changed, 17 insertions(+), 5 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
 | ||||
| index 9f968da7f..c59232586 100644
 | ||||
| --- a/src/lib/krb5/os/changepw.c
 | ||||
| +++ b/src/lib/krb5/os/changepw.c
 | ||||
| @@ -255,9 +255,16 @@ change_set_password(krb5_context context,
 | ||||
|      callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup; | ||||
|      krb5_free_data_contents(callback_ctx.context, &chpw_rep); | ||||
|   | ||||
| +    /* UDP retransmits may be seen as replays.  Only try UDP after other
 | ||||
| +     * transports fail completely. */
 | ||||
|      code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, | ||||
| -                     &sl, UDP_LAST, &callback_info, &chpw_rep,
 | ||||
| +                     &sl, NO_UDP, &callback_info, &chpw_rep,
 | ||||
|                       ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); | ||||
| +    if (code == KRB5_KDC_UNREACH) {
 | ||||
| +        code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
 | ||||
| +                         &sl, ONLY_UDP, &callback_info, &chpw_rep,
 | ||||
| +                         ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
 | ||||
| +    }
 | ||||
|      if (code) | ||||
|          goto cleanup; | ||||
|   | ||||
| diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
 | ||||
| index a16a34b74..ad3839131 100644
 | ||||
| --- a/src/lib/krb5/os/os-proto.h
 | ||||
| +++ b/src/lib/krb5/os/os-proto.h
 | ||||
| @@ -49,6 +49,7 @@ typedef enum {
 | ||||
|      UDP_FIRST = 0, | ||||
|      UDP_LAST, | ||||
|      NO_UDP, | ||||
| +    ONLY_UDP
 | ||||
|  } k5_transport_strategy; | ||||
|   | ||||
|  /* A single server hostname or address. */ | ||||
| diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
 | ||||
| index 82523c561..d76e24ccf 100644
 | ||||
| --- a/src/lib/krb5/os/sendto_kdc.c
 | ||||
| +++ b/src/lib/krb5/os/sendto_kdc.c
 | ||||
| @@ -799,11 +799,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
 | ||||
|      int err, result; | ||||
|      char portbuf[PORT_LENGTH]; | ||||
|   | ||||
| -    /* Skip UDP entries if we don't want UDP. */
 | ||||
| +    /* Skip entries excluded by the strategy. */
 | ||||
|      if (strategy == NO_UDP && entry->transport == UDP) | ||||
|          return 0; | ||||
| +    if (strategy == ONLY_UDP && entry->transport != UDP &&
 | ||||
| +        entry->transport != TCP_OR_UDP)
 | ||||
| +        return 0;
 | ||||
|   | ||||
| -    transport = (strategy == UDP_FIRST) ? UDP : TCP;
 | ||||
| +    transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
 | ||||
|      if (entry->hostname == NULL) { | ||||
|          /* Added by a module, so transport is either TCP or UDP. */ | ||||
|          ai.ai_socktype = socktype_for_transport(entry->transport); | ||||
| @@ -847,8 +850,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
 | ||||
|      } | ||||
|   | ||||
|      /* For TCP_OR_UDP entries, add each address again with the non-preferred | ||||
| -     * transport, unless we are avoiding UDP.  Flag these as deferred. */
 | ||||
| -    if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
 | ||||
| +     * transport, if there is one.  Flag these as deferred. */
 | ||||
| +    if (retval == 0 && entry->transport == TCP_OR_UDP &&
 | ||||
| +        (strategy == UDP_FIRST || strategy == UDP_LAST)) {
 | ||||
|          transport = (strategy == UDP_FIRST) ? TCP : UDP; | ||||
|          for (a = addrs; a != 0 && retval == 0; a = a->ai_next) { | ||||
|              a->ai_socktype = socktype_for_transport(transport); | ||||
| -- 
 | ||||
| 2.35.1 | ||||
| 
 | ||||
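Review bot: The comment added in change_set_password() says UDP is tried after other transports "fail completely", but the fallback in changepw.c runs only when the first k5_sendto() returns `KRB5_KDC_UNREACH`; any other error goes straight to `cleanup`. Wording the comment to match, e.g. `/* UDP retransmits may be seen as replays.  Only try UDP if no server could be reached over the other transports. */`, would keep a later reader from widening the condition. In os-proto.h the new `ONLY_UDP` value joins an enum whose members carry no description in the visible lines. A one-line comment per strategy, saying which transports resolve_server() keeps and which it prefers, would document the skip rules this patch adds in sendto_kdc.c. change_set_password() and resolve_server() both continue outside the hunks shown.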
							
								
								
									
										124
									
								
								SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @ -0,0 +1,124 @@ | ||||
| From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001 | ||||
| From: Julien Rische <jrische@redhat.com> | ||||
| Date: Fri, 11 Mar 2022 12:04:14 +0100 | ||||
| Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest | ||||
| 
 | ||||
| Various organizations including NIST have been strongly recommending to | ||||
| stop using SHA-1 for digital signatures for some years already. CMS | ||||
| digest is used to generate such signatures, hence it should be upgraded | ||||
| to use SHA-256. | ||||
| ---
 | ||||
|  .../preauth/pkinit/pkinit_crypto_openssl.c    | 40 ++++++++++--------- | ||||
|  1 file changed, 22 insertions(+), 18 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 | ||||
| index dbb054378..32291e3ac 100644
 | ||||
| --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 | ||||
| +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 | ||||
| @@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context,
 | ||||
|          /* will not fill-out EVP_PKEY because it's on the smartcard */ | ||||
|   | ||||
|          /* Set digest algs */ | ||||
| -        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
 | ||||
| +        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
 | ||||
|   | ||||
|          if (p7si->digest_alg->parameter != NULL) | ||||
|              ASN1_TYPE_free(p7si->digest_alg->parameter); | ||||
| @@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context,
 | ||||
|          /* Set sig algs */ | ||||
|          if (p7si->digest_enc_alg->parameter != NULL) | ||||
|              ASN1_TYPE_free(p7si->digest_enc_alg->parameter); | ||||
| -        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
 | ||||
| +        p7si->digest_enc_alg->algorithm =
 | ||||
| +            OBJ_nid2obj(NID_sha256WithRSAEncryption);
 | ||||
|          if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new())) | ||||
|              goto cleanup; | ||||
|          p7si->digest_enc_alg->parameter->type = V_ASN1_NULL; | ||||
|   | ||||
|          /* add signed attributes */ | ||||
| -        /* compute sha1 digest over the EncapsulatedContentInfo */
 | ||||
| +        /* compute sha256 digest over the EncapsulatedContentInfo */
 | ||||
|          ctx = EVP_MD_CTX_new(); | ||||
|          if (ctx == NULL) | ||||
|              goto cleanup; | ||||
| -        EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
 | ||||
| +        EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
 | ||||
|          EVP_DigestUpdate(ctx, data, data_len); | ||||
|          md_tmp = EVP_MD_CTX_md(ctx); | ||||
|          EVP_DigestFinal_ex(ctx, md_data, &md_len); | ||||
| @@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context,
 | ||||
|              goto cleanup2; | ||||
|   | ||||
|  #ifndef WITHOUT_PKCS11 | ||||
| -        /* Some tokens can only do RSAEncryption without sha1 hash */
 | ||||
| -        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
 | ||||
| -         * function and the hash value into an ASN.1 value of type DigestInfo
 | ||||
| -         * DigestInfo::=SEQUENCE {
 | ||||
| -         *  digestAlgorithm  AlgorithmIdentifier,
 | ||||
| -         *  digest OCTET STRING }
 | ||||
| +        /*
 | ||||
| +         * Some tokens can only do RSAEncryption without a hash.  To compute
 | ||||
| +         * sha256WithRSAEncryption, encode the algorithm ID for the hash
 | ||||
| +         * function and the hash value into an ASN.1 value of type DigestInfo:
 | ||||
| +         * DigestInfo ::= SEQUENCE {
 | ||||
| +         *   digestAlgorithm  AlgorithmIdentifier,
 | ||||
| +         *   digest  OCTET STRING
 | ||||
| +         * }
 | ||||
|           */ | ||||
|          if (id_cryptoctx->pkcs11_method == 1 && | ||||
|              id_cryptoctx->mech == CKM_RSA_PKCS) { | ||||
| @@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context,
 | ||||
|              alg = X509_ALGOR_new(); | ||||
|              if (alg == NULL) | ||||
|                  goto cleanup2; | ||||
| -            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
 | ||||
| +            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
 | ||||
|              alg_len = i2d_X509_ALGOR(alg, NULL); | ||||
|   | ||||
|              digest = ASN1_OCTET_STRING_new(); | ||||
| @@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context,
 | ||||
|  #endif | ||||
|          { | ||||
|              pkiDebug("mech = %s\n", | ||||
| -                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
 | ||||
| +                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
 | ||||
|              retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen, | ||||
|                                        &sig, &sig_len); | ||||
|          } | ||||
| @@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
 | ||||
|      ctx = EVP_MD_CTX_new(); | ||||
|      if (ctx == NULL) | ||||
|          return ENOMEM; | ||||
| -    EVP_SignInit(ctx, EVP_sha1());
 | ||||
| +    EVP_SignInit(ctx, EVP_sha256());
 | ||||
|      EVP_SignUpdate(ctx, data, data_len); | ||||
|      *sig_len = EVP_PKEY_size(pkey); | ||||
|      if ((*sig = malloc(*sig_len)) == NULL) | ||||
| @@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
 | ||||
|   | ||||
|  #ifndef PKINIT_USE_MECH_LIST | ||||
|      /* | ||||
| -     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
 | ||||
| -     * many cards seems to be confused about whether they are capable of
 | ||||
| -     * this or not. The safe thing seems to be to ignore the mechanism list,
 | ||||
| -     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
 | ||||
| +     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
 | ||||
| +     * historically many cards seem to be confused about whether they are
 | ||||
| +     * capable of mechanisms or not. The safe thing seems to be to ignore the
 | ||||
| +     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
 | ||||
| +     * ourselves.
 | ||||
|       */ | ||||
|   | ||||
|      id_cryptoctx->mech = CKM_RSA_PKCS; | ||||
| @@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
 | ||||
|          if (mechp[i] == CKM_RSA_PKCS) { | ||||
|              /* This seems backwards... */ | ||||
|              id_cryptoctx->mech = | ||||
| -                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
 | ||||
| +                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
 | ||||
|          } | ||||
|      } | ||||
|      free(mechp); | ||||
| -- 
 | ||||
| 2.35.1 | ||||
| 
 | ||||
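Review bot: In the `PKINIT_USE_MECH_LIST` branch of pkinit_get_certs_pkcs11(), the loop still matches `mechp[i] == CKM_RSA_PKCS` and then sets `id_cryptoctx->mech` to `CKM_SHA256_RSA_PKCS` when `CKF_SIGN` is set, so the hashing mechanism is selected without the visible code checking that the token lists it. A token that lacks it would presumably fail at signing time. Selecting `CKM_SHA256_RSA_PKCS` only when it appears in `mechp[]`, and otherwise keeping `CKM_RSA_PKCS` (for which cms_signeddata_create() builds the DigestInfo itself), would avoid that. The changed `EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)` and `EVP_SignInit(ctx, EVP_sha256())` calls also ignore their return values, so a failed digest setup would go unnoticed before the signature is computed. Both functions continue outside the hunks shown, so the declared size of `md_data` could not be checked here.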
| @ -0,0 +1,156 @@ | ||||
| From 10b32480395a01798b21818e884a593930b400d1 Mon Sep 17 00:00:00 2001 | ||||
| From: Julien Rische <jrische@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 15:29:08 +0200 | ||||
| Subject: [PATCH] Fix dejagnu unit tests directory name for RPC lib | ||||
| 
 | ||||
| This commit renames RPC library's unit tests directory to match the | ||||
| newly enforced naming convention of dejagnu. | ||||
| 
 | ||||
| Resolves: rhbz#2070879 | ||||
| 
 | ||||
| Signed-off-by: Julien Rische <jrische@redhat.com> | ||||
| ---
 | ||||
|  src/configure.ac                                       |  2 +- | ||||
|  src/lib/rpc/Makefile.in                                |  2 +- | ||||
|  src/lib/rpc/{unit-test => testsuite}/Makefile.in       | 10 +++++----- | ||||
|  src/lib/rpc/{unit-test => testsuite}/client.c          |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/config/unix.exp   |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/deps              |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp   |  0 | ||||
|  .../rpc/{unit-test => testsuite}/rpc_test.0/expire.exp |  0 | ||||
|  .../{unit-test => testsuite}/rpc_test.0/fullrun.exp    |  0 | ||||
|  .../rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/rpc_test.h        |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/rpc_test.x        |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c   |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c    |  0 | ||||
|  src/lib/rpc/{unit-test => testsuite}/server.c          |  0 | ||||
|  15 files changed, 7 insertions(+), 7 deletions(-) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/Makefile.in (93%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/client.c (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/config/unix.exp (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/deps (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/expire.exp (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/fullrun.exp (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test.h (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test.x (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c (100%) | ||||
|  rename src/lib/rpc/{unit-test => testsuite}/server.c (100%) | ||||
| 
 | ||||
| diff --git a/src/configure.ac b/src/configure.ac
 | ||||
| index 37e36b76d..2a48aa83d 100644
 | ||||
| --- a/src/configure.ac
 | ||||
| +++ b/src/configure.ac
 | ||||
| @@ -1497,7 +1497,7 @@ V5_AC_OUTPUT_MAKEFILE(.
 | ||||
|  	lib/gssapi lib/gssapi/generic lib/gssapi/krb5 lib/gssapi/spnego | ||||
|  	lib/gssapi/mechglue | ||||
|   | ||||
| -	lib/rpc lib/rpc/unit-test
 | ||||
| +	lib/rpc lib/rpc/testsuite
 | ||||
|   | ||||
|  	lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite | ||||
|  	lib/krad | ||||
| diff --git a/src/lib/rpc/Makefile.in b/src/lib/rpc/Makefile.in
 | ||||
| index 6b5f1e70a..78c7a1326 100644
 | ||||
| --- a/src/lib/rpc/Makefile.in
 | ||||
| +++ b/src/lib/rpc/Makefile.in
 | ||||
| @@ -2,7 +2,7 @@ mydir=lib$(S)rpc
 | ||||
|  BUILDTOP=$(REL)..$(S).. | ||||
|  DEFINES = -DGSSAPI_KRB5 -DDEBUG_GSSAPI=0 -DGSSRPC__IMPL | ||||
|   | ||||
| -SUBDIRS=unit-test
 | ||||
| +SUBDIRS=testsuite
 | ||||
|   | ||||
|  ##DOSBUILDTOP = ..\.. | ||||
|  ##DOSLIBNAME=libgssrpc.lib | ||||
| diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/testsuite/Makefile.in
 | ||||
| similarity index 93% | ||||
| rename from src/lib/rpc/unit-test/Makefile.in | ||||
| rename to src/lib/rpc/testsuite/Makefile.in | ||||
| index 0b6e5203d..0fab26c10 100644
 | ||||
| --- a/src/lib/rpc/unit-test/Makefile.in
 | ||||
| +++ b/src/lib/rpc/testsuite/Makefile.in
 | ||||
| @@ -1,4 +1,4 @@
 | ||||
| -mydir=lib$(S)rpc$(S)unit-test
 | ||||
| +mydir=lib$(S)rpc$(S)testsuite
 | ||||
|  BUILDTOP=$(REL)..$(S)..$(S).. | ||||
|   | ||||
|  OBJS= client.o rpc_test_clnt.o rpc_test_svc.o server.o | ||||
| @@ -34,19 +34,19 @@ runenv.exp: Makefile
 | ||||
|  # 	rm -f rpc_test.h rpc_test_clnt.c rpc_test_svc.c | ||||
|  #  | ||||
|   | ||||
| -check unit-test: unit-test-@DO_TEST@
 | ||||
| +check testsuite: testsuite-@DO_TEST@
 | ||||
|   | ||||
| -unit-test-:
 | ||||
| +testsuite-:
 | ||||
|  	@echo "+++" | ||||
|  	@echo "+++ WARNING: lib/rpc unit tests not run." | ||||
|  	@echo "+++ Either tcl, runtest, or Perl is unavailable." | ||||
|  	@echo "+++" | ||||
|  	@echo 'Skipped rpc tests: runtest or Perl not found' >> $(SKIPTESTS) | ||||
|   | ||||
| -unit-test-ok: unit-test-body
 | ||||
| +testsuite-ok: testsuite-body
 | ||||
|   | ||||
|  PASS=@PASS@ | ||||
| -unit-test-body: runenv.sh runenv.exp
 | ||||
| +testsuite-body: runenv.sh runenv.exp
 | ||||
|  	$(RM) krb5cc_rpc_test_* | ||||
|  	$(ENV_SETUP) $(VALGRIND) $(START_SERVERS) | ||||
|  	RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \ | ||||
| diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/testsuite/client.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/client.c | ||||
| rename to src/lib/rpc/testsuite/client.c | ||||
| diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/testsuite/config/unix.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/config/unix.exp | ||||
| rename to src/lib/rpc/testsuite/config/unix.exp | ||||
| diff --git a/src/lib/rpc/unit-test/deps b/src/lib/rpc/testsuite/deps
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/deps | ||||
| rename to src/lib/rpc/testsuite/deps | ||||
| diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/testsuite/lib/helpers.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/lib/helpers.exp | ||||
| rename to src/lib/rpc/testsuite/lib/helpers.exp | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test.0/expire.exp b/src/lib/rpc/testsuite/rpc_test.0/expire.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test.0/expire.exp | ||||
| rename to src/lib/rpc/testsuite/rpc_test.0/expire.exp | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp b/src/lib/rpc/testsuite/rpc_test.0/fullrun.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test.0/fullrun.exp | ||||
| rename to src/lib/rpc/testsuite/rpc_test.0/fullrun.exp | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp b/src/lib/rpc/testsuite/rpc_test.0/gsserr.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test.0/gsserr.exp | ||||
| rename to src/lib/rpc/testsuite/rpc_test.0/gsserr.exp | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test.h b/src/lib/rpc/testsuite/rpc_test.h
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test.h | ||||
| rename to src/lib/rpc/testsuite/rpc_test.h | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test.x b/src/lib/rpc/testsuite/rpc_test.x
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test.x | ||||
| rename to src/lib/rpc/testsuite/rpc_test.x | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test_clnt.c b/src/lib/rpc/testsuite/rpc_test_clnt.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test_clnt.c | ||||
| rename to src/lib/rpc/testsuite/rpc_test_clnt.c | ||||
| diff --git a/src/lib/rpc/unit-test/rpc_test_svc.c b/src/lib/rpc/testsuite/rpc_test_svc.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/rpc_test_svc.c | ||||
| rename to src/lib/rpc/testsuite/rpc_test_svc.c | ||||
| diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/testsuite/server.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/rpc/unit-test/server.c | ||||
| rename to src/lib/rpc/testsuite/server.c | ||||
| -- 
 | ||||
| 2.35.1 | ||||
| 
 | ||||
| @ -0,0 +1,342 @@ | ||||
| From cc1cd235a6a8c066531a17d5773f601455bedb52 Mon Sep 17 00:00:00 2001 | ||||
| From: Julien Rische <jrische@redhat.com> | ||||
| Date: Thu, 31 Mar 2022 18:24:39 +0200 | ||||
| Subject: [PATCH] Use newly enforced dejagnu path naming convention | ||||
| 
 | ||||
| Since version 1.6.3, dejagnu started to enforce a naming convention that | ||||
| was already in place, but not mandatory: dejagnu test directories have | ||||
| to be named "testsuite". If they don't implicit relative sub-paths | ||||
| resolution (e.g. "lib", "config") is not forking. | ||||
| 
 | ||||
| This commit renames kadm5 library's unit tests directory to match this | ||||
| requirement. | ||||
| 
 | ||||
| Resolves: rhbz#2070879 | ||||
| 
 | ||||
| Signed-off-by: Julien Rische <jrische@redhat.com> | ||||
| ---
 | ||||
|  src/configure.ac                              |  2 +- | ||||
|  src/lib/kadm5/Makefile.in                     |  2 +- | ||||
|  .../{unit-test => testsuite}/Makefile.in      | 28 +++++++++---------- | ||||
|  .../api.2/crte-policy.exp                     |  0 | ||||
|  .../api.2/get-policy.exp                      |  0 | ||||
|  .../api.2/mod-policy.exp                      |  0 | ||||
|  .../api.current/chpass-principal-v2.exp       |  0 | ||||
|  .../api.current/chpass-principal.exp          |  0 | ||||
|  .../api.current/crte-policy.exp               |  0 | ||||
|  .../api.current/crte-principal.exp            |  0 | ||||
|  .../api.current/destroy.exp                   |  0 | ||||
|  .../api.current/dlte-policy.exp               |  0 | ||||
|  .../api.current/dlte-principal.exp            |  0 | ||||
|  .../api.current/get-policy.exp                |  0 | ||||
|  .../api.current/get-principal-v2.exp          |  0 | ||||
|  .../api.current/get-principal.exp             |  0 | ||||
|  .../api.current/init-v2.exp                   |  0 | ||||
|  .../api.current/init.exp                      |  0 | ||||
|  .../api.current/mod-policy.exp                |  0 | ||||
|  .../api.current/mod-principal-v2.exp          |  0 | ||||
|  .../api.current/mod-principal.exp             |  0 | ||||
|  .../api.current/randkey-principal-v2.exp      |  0 | ||||
|  .../api.current/randkey-principal.exp         |  0 | ||||
|  .../{unit-test => testsuite}/config/unix.exp  |  0 | ||||
|  src/lib/kadm5/{unit-test => testsuite}/deps   |  0 | ||||
|  .../{unit-test => testsuite}/destroy-test.c   |  0 | ||||
|  .../diff-files/destroy-1                      |  0 | ||||
|  .../diff-files/no-diffs                       |  0 | ||||
|  .../{unit-test => testsuite}/handle-test.c    |  0 | ||||
|  .../{unit-test => testsuite}/init-test.c      |  0 | ||||
|  .../{unit-test => testsuite}/iter-test.c      |  0 | ||||
|  .../kadm5/{unit-test => testsuite}/lib/lib.t  |  2 +- | ||||
|  .../{unit-test => testsuite}/lock-test.c      |  0 | ||||
|  .../{unit-test => testsuite}/randkey-test.c   |  0 | ||||
|  .../{unit-test => testsuite}/setkey-test.c    |  0 | ||||
|  .../kadm5/{unit-test => testsuite}/site.exp   |  0 | ||||
|  36 files changed, 17 insertions(+), 17 deletions(-) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/deps (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%) | ||||
|  rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%) | ||||
| 
 | ||||
| diff --git a/src/configure.ac b/src/configure.ac
 | ||||
| index 29be532cb..37e36b76d 100644
 | ||||
| --- a/src/configure.ac
 | ||||
| +++ b/src/configure.ac
 | ||||
| @@ -1499,7 +1499,7 @@ V5_AC_OUTPUT_MAKEFILE(.
 | ||||
|   | ||||
|  	lib/rpc lib/rpc/unit-test | ||||
|   | ||||
| -	lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
 | ||||
| +	lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
 | ||||
|  	lib/krad | ||||
|  	lib/apputils | ||||
|   | ||||
| diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
 | ||||
| index c4eaad38d..76fc4b548 100644
 | ||||
| --- a/src/lib/kadm5/Makefile.in
 | ||||
| +++ b/src/lib/kadm5/Makefile.in
 | ||||
| @@ -1,6 +1,6 @@
 | ||||
|  mydir=lib$(S)kadm5 | ||||
|  BUILDTOP=$(REL)..$(S).. | ||||
| -SUBDIRS = clnt srv unit-test
 | ||||
| +SUBDIRS = clnt srv testsuite
 | ||||
|   | ||||
|  ##DOSBUILDTOP = ..\.. | ||||
|   | ||||
| diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
 | ||||
| similarity index 86% | ||||
| rename from src/lib/kadm5/unit-test/Makefile.in | ||||
| rename to src/lib/kadm5/testsuite/Makefile.in | ||||
| index 68fa097ff..5a55b786b 100644
 | ||||
| --- a/src/lib/kadm5/unit-test/Makefile.in
 | ||||
| +++ b/src/lib/kadm5/testsuite/Makefile.in
 | ||||
| @@ -1,4 +1,4 @@
 | ||||
| -mydir=lib$(S)kadm5$(S)unit-test
 | ||||
| +mydir=lib$(S)kadm5$(S)testsuite
 | ||||
|  BUILDTOP=$(REL)..$(S)..$(S).. | ||||
|  KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) | ||||
|   | ||||
| @@ -61,7 +61,7 @@ runenv.exp: Makefile
 | ||||
|  		eval echo "set env\($$i\) \$$$$i"; done > runenv.exp | ||||
|   | ||||
|  # | ||||
| -# The unit-test targets
 | ||||
| +# The testsuite targets
 | ||||
|  # | ||||
|   | ||||
|  check: check-@DO_TEST@ | ||||
| @@ -72,13 +72,13 @@ check-:
 | ||||
|  	@echo "+++ Either tcl, runtest, or Perl is unavailable." | ||||
|  	@echo "+++" | ||||
|   | ||||
| -check-ok unit-test: unit-test-client unit-test-server
 | ||||
| +check-ok testsuite: testsuite-client testsuite-server
 | ||||
|   | ||||
| -unit-test-client: unit-test-client-setup unit-test-client-body \
 | ||||
| -	unit-test-client-cleanup
 | ||||
| +testsuite-client: testsuite-client-setup testsuite-client-body \
 | ||||
| +	testsuite-client-cleanup
 | ||||
|   | ||||
| -unit-test-server: unit-test-server-setup unit-test-server-body \
 | ||||
| -	unit-test-server-cleanup
 | ||||
| +testsuite-server: testsuite-server-setup testsuite-server-body \
 | ||||
| +	testsuite-server-cleanup
 | ||||
|   | ||||
|  test-randkey: randkey-test | ||||
|  	$(ENV_SETUP) $(VALGRIND) ./randkey-test | ||||
| @@ -98,19 +98,19 @@ test-destroy: destroy-test
 | ||||
|  test-setkey-client: client-setkey-test | ||||
|  	$(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin | ||||
|   | ||||
| -unit-test-client-setup: runenv.sh
 | ||||
| +testsuite-client-setup: runenv.sh
 | ||||
|  	$(ENV_SETUP) $(VALGRIND) $(START_SERVERS) | ||||
|   | ||||
| -unit-test-client-cleanup:
 | ||||
| +testsuite-client-cleanup:
 | ||||
|  	$(ENV_SETUP) $(STOP_SERVERS) | ||||
|   | ||||
| -unit-test-server-setup: runenv.sh
 | ||||
| +testsuite-server-setup: runenv.sh
 | ||||
|  	$(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL) | ||||
|   | ||||
| -unit-test-server-cleanup:
 | ||||
| +testsuite-server-cleanup:
 | ||||
|  	$(ENV_SETUP) $(STOP_SERVERS_LOCAL) | ||||
|   | ||||
| -unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
 | ||||
| +testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
 | ||||
|  	test-setkey-client runenv.exp | ||||
|  	$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \ | ||||
|  		KINIT=$(BUILDTOP)/clients/kinit/kinit \ | ||||
| @@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
 | ||||
|  	-mv api.log capi.log | ||||
|  	-mv api.sum capi.sum | ||||
|   | ||||
| -unit-test-server-body: site.exp test-handle-server lock-test 
 | ||||
| +testsuite-server-body: site.exp test-handle-server lock-test 
 | ||||
|  	$(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \ | ||||
|  		LOCKTEST=./lock-test \ | ||||
|  		KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \ | ||||
| @@ -140,4 +140,4 @@ clean:
 | ||||
|  	$(RM) lock-test lock-test.o | ||||
|  	$(RM) server-iter-test iter-test.o | ||||
|  	$(RM) server-setkey-test client-setkey-test setkey-test.o | ||||
| -	$(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
 | ||||
| +	$(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
 | ||||
| diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.2/get-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.2/get-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/destroy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/destroy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/get-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/get-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/get-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/get-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/init-v2.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/init-v2.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/init.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/init.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp | ||||
| rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/config/unix.exp | ||||
| rename to src/lib/kadm5/testsuite/config/unix.exp | ||||
| diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/deps | ||||
| rename to src/lib/kadm5/testsuite/deps | ||||
| diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/destroy-test.c | ||||
| rename to src/lib/kadm5/testsuite/destroy-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/diff-files/destroy-1 | ||||
| rename to src/lib/kadm5/testsuite/diff-files/destroy-1 | ||||
| diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/diff-files/no-diffs | ||||
| rename to src/lib/kadm5/testsuite/diff-files/no-diffs | ||||
| diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/handle-test.c | ||||
| rename to src/lib/kadm5/testsuite/handle-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/init-test.c | ||||
| rename to src/lib/kadm5/testsuite/init-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/iter-test.c | ||||
| rename to src/lib/kadm5/testsuite/iter-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
 | ||||
| similarity index 99% | ||||
| rename from src/lib/kadm5/unit-test/lib/lib.t | ||||
| rename to src/lib/kadm5/testsuite/lib/lib.t | ||||
| index 3444775cf..327946849 100644
 | ||||
| --- a/src/lib/kadm5/unit-test/lib/lib.t
 | ||||
| +++ b/src/lib/kadm5/testsuite/lib/lib.t
 | ||||
| @@ -226,7 +226,7 @@ proc end_dump_compare {name} {
 | ||||
|      global  RPC | ||||
|   | ||||
|      if { ! $RPC } {  | ||||
| -#	set file $TOP/admin/lib/unit-test/diff-files/$name
 | ||||
| +#	set file $TOP/admin/lib/testsuite/diff-files/$name
 | ||||
|  #	exec $env(SIMPLE_DUMP) > /tmp/dump.after | ||||
|  #	exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file | ||||
|      } | ||||
| diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/lock-test.c | ||||
| rename to src/lib/kadm5/testsuite/lock-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/randkey-test.c | ||||
| rename to src/lib/kadm5/testsuite/randkey-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/setkey-test.c | ||||
| rename to src/lib/kadm5/testsuite/setkey-test.c | ||||
| diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
 | ||||
| similarity index 100% | ||||
| rename from src/lib/kadm5/unit-test/site.exp | ||||
| rename to src/lib/kadm5/testsuite/site.exp | ||||
| -- 
 | ||||
| 2.35.1 | ||||
| 
 | ||||
							
								
								
									
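--- /dev/null
+++ b/SOURCES/krb5-krad-larger-attrs.patch
@@ -0,0 +1,69 @@
+From b2b7729d71e7ab2cde9c73b40b8e972c82a875a2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Nov 2021 17:48:50 +0100
+Subject: [PATCH] Support larger RADIUS attributes in libkrad
+
+In kr_attrset_decode(), explicitly treat the length byte as unsigned.
+Otherwise attributes longer than 125 characters will be rejected with
+EBADMSG.
+
+Add a 253-character-long NAS-Identifier attribute to the tests to make
+sure that attributes with the maximal number of characters are working
+as expected.
+
+[ghudson@mit.edu: used uint8_t cast per current practices; edited
+commit message]
+
+ticket: 9036 (new)
+---
+ src/lib/krad/attrset.c  |  2 +-
+ src/lib/krad/t_packet.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
+index d89982a13..6ec031e32 100644
+--- a/src/lib/krad/attrset.c
++++ b/src/lib/krad/attrset.c
+@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
+ 
+     for (i = 0; i + 2 < in->length; ) {
+         type = in->data[i++];
+-        tmp = make_data(&in->data[i + 1], in->data[i] - 2);
++        tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
+         i += tmp.length + 1;
+ 
+         retval = (in->length < i) ? EBADMSG : 0;
+diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
+index 0a92e9cc2..c22489144 100644
+--- a/src/lib/krad/t_packet.c
++++ b/src/lib/krad/t_packet.c
+@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     krb5_error_code retval;
+     const krb5_data *data;
+     int i = 0;
++    krb5_data nas_id;
++
++    nas_id = string2data("12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "123");
+ 
+     retval = krad_attrset_new(ctx, &set);
+     if (retval != 0)
+@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     if (retval != 0)
+         goto out;
+ 
++    retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
++                              &nas_id);
++    if (retval != 0)
++        goto out;
++
+     retval = krad_packet_new_request(ctx, "foo",
+                                      krad_code_name2num("Access-Request"),
+                                      set, iterator, &i, &tmp);
+-- 
+2.35.3
+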
							
								
								
									
										171
									
								
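--- a/SOURCES/krb5-krad-remote.patch
+++ b/SOURCES/krb5-krad-remote.patch
@@ -0,0 +1,171 @@
+From da677b071dadda3700d12d037f5896b166d3546d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Nov 2021 13:00:43 -0500
+Subject: [PATCH] Avoid use after free during libkrad cleanup
+
+libkrad client requests contain a list of references to remotes, with
+no back-references or reference counts.  To prevent accesses to
+dangling references during cleanup, cancel all requests on all remotes
+before freeing any remotes.
+
+Remove the code for aging out unused servers.  This code was fairly
+safe as all requests referencing a remote should have completed or
+timed out during an hour of disuse, but in the current design we have
+no way to guarantee or check that.  The set of addresses we send
+RADIUS requests to will generally be small, so aging out servers is
+unnecessary.
+
+ticket: 9035 (new)
+---
+ src/lib/krad/client.c   | 42 ++++++++++++++----------------------------
+ src/lib/krad/internal.h |  4 ++++
+ src/lib/krad/remote.c   | 11 ++++++++---
+ 3 files changed, 26 insertions(+), 31 deletions(-)
+
+diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
+index 6365dd1c6..810940afc 100644
+--- a/src/lib/krad/client.c
++++ b/src/lib/krad/client.c
+@@ -64,7 +64,6 @@ struct request_st {
+ 
+ struct server_st {
+     krad_remote *serv;
+-    time_t last;
+     K5_LIST_ENTRY(server_st) list;
+ };
+ 
+@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+            krad_remote **out)
+ {
+     krb5_error_code retval;
+-    time_t currtime;
+     server *srv;
+ 
+-    if (time(&currtime) == (time_t)-1)
+-        return errno;
+-
+     K5_LIST_FOREACH(srv, &rc->servers, list) {
+         if (kr_remote_equals(srv->serv, ai, secret)) {
+-            srv->last = currtime;
+             *out = srv->serv;
+             return 0;
+         }
+@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+     srv = calloc(1, sizeof(server));
+     if (srv == NULL)
+         return ENOMEM;
+-    srv->last = currtime;
+ 
+     retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
+     if (retval != 0) {
+@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
+     return 0;
+ }
+ 
+-/* Close remotes that haven't been used in a while. */
+-static void
+-age(struct server_head *head, time_t currtime)
+-{
+-    server *srv, *tmp;
+-
+-    K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
+-        if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
+-            K5_LIST_REMOVE(srv, list);
+-            kr_remote_free(srv->serv);
+-            free(srv);
+-        }
+-    }
+-}
+-
+ /* Handle a response from a server (or related errors). */
+ static void
+ on_response(krb5_error_code retval, const krad_packet *reqp,
+             const krad_packet *rspp, void *data)
+ {
+     request *req = data;
+-    time_t currtime;
+     size_t i;
+ 
+     /* Do nothing if we are already completed. */
+@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
+     for (i = 0; req->remotes[i].remote != NULL; i++)
+         kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
+ 
+-    /* Age out servers that haven't been used in a while. */
+-    if (time(&currtime) != (time_t)-1)
+-        age(&req->rc->servers, currtime);
+-
+     request_free(req);
+ }
+ 
+@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
+ void
+ krad_client_free(krad_client *rc)
+ {
++    server *srv;
++
+     if (rc == NULL)
+         return;
+ 
+-    age(&rc->servers, -1);
++    /* Cancel all requests before freeing any remotes, since each request's
++     * callback data may contain references to multiple remotes. */
++    K5_LIST_FOREACH(srv, &rc->servers, list)
++        kr_remote_cancel_all(srv->serv);
++
++    while (!K5_LIST_EMPTY(&rc->servers)) {
++        srv = K5_LIST_FIRST(&rc->servers);
++        K5_LIST_REMOVE(srv, list);
++        kr_remote_free(srv->serv);
++        free(srv);
++    }
++
+     free(rc);
+ }
+ 
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index 312dc8258..b086598fb 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ void
+ kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
+ 
++/* Cancel all requests awaiting responses. */
++void
++kr_remote_cancel_all(krad_remote *rr);
++
+ /* Determine if this remote object refers to the remote resource identified
+  * by the addrinfo struct and the secret. */
+ krb5_boolean
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 0f90443ce..b5dd8cd19 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -421,15 +421,20 @@ error:
+     return retval;
+ }
+ 
++void
++kr_remote_cancel_all(krad_remote *rr)
++{
++    while (!K5_TAILQ_EMPTY(&rr->list))
++        request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
++}
++
+ void
+ kr_remote_free(krad_remote *rr)
+ {
+     if (rr == NULL)
+         return;
+ 
+-    while (!K5_TAILQ_EMPTY(&rr->list))
+-        request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
+-
++    kr_remote_cancel_all(rr);
+     free(rr->secret);
+     if (rr->info != NULL)
+         free(rr->info->ai_addr);
+-- 
+2.35.3
+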
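Review bot: kr_remote_cancel_all() is added to remote.c with no comment, and its declaration in internal.h (`/* Cancel all requests awaiting responses. */`) does not state the contract that the use-after-free fix in krad_client_free depends on: every pending request is finished with ECANCELED before the call returns, and that must happen on all remotes before the first kr_remote_free(). I would state that at the declaration, e.g. `/* Finish every request awaiting a response with ECANCELED. Call this on all of a client's remotes before freeing any of them. */`. Unlike kr_remote_free(), the new function reads rr->list without a NULL guard; whether a NULL srv->serv can reach it from krad_client_free depends on get_server's failure path, which lies outside these hunks, so an `if (rr == NULL) return;` at the top would keep the two entry points consistent. The loop also terminates only if request_finish() unlinks the request from rr->list, which is not visible here and is worth a one-line why-comment in remote.c.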
| @ -18,7 +18,7 @@ Summary: The Kerberos network authentication system | ||||
| Name: krb5 | ||||
| Version: 1.18.2 | ||||
| # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) | ||||
| Release: 14%{?dist} | ||||
| Release: 21%{?dist} | ||||
| 
 | ||||
| # lookaside-cached sources; two downloads and a build artifact | ||||
| Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz | ||||
| @ -86,6 +86,13 @@ Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch | ||||
| Patch141: Fix-KCM-retrieval-support-for-sssd.patch | ||||
| Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch | ||||
| Patch143: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch | ||||
| Patch144: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch | ||||
| Patch145: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch | ||||
| Patch146: Make-kprop-work-for-dump-files-larger-than-4GB.patch | ||||
| Patch147: Try-harder-to-avoid-password-change-replay-errors.patch | ||||
| Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch | ||||
| Patch149: krb5-krad-larger-attrs.patch | ||||
| Patch150: krb5-krad-remote.patch | ||||
| 
 | ||||
| License: MIT | ||||
| URL: http://web.mit.edu/kerberos/www/ | ||||
| @ -291,7 +298,7 @@ popd | ||||
| # builds going on the same host don't step on each other. | ||||
| cfg="src/kadmin/testing/proto/kdc.conf.proto \ | ||||
|      src/kadmin/testing/proto/krb5.conf.proto \ | ||||
|      src/lib/kadm5/unit-test/api.current/init-v2.exp \ | ||||
|      src/lib/kadm5/testsuite/api.current/init-v2.exp \ | ||||
|      src/util/k5test.py" | ||||
| LONG_BIT=`getconf LONG_BIT` | ||||
| PORT=`expr 61000 + $LONG_BIT - 48` | ||||
| @ -696,6 +703,23 @@ exit 0 | ||||
| %{_libdir}/libkadm5srv_mit.so.* | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Jul 01 2022 Julien Rische <jrische@redhat.com> - 1.18.2-21 | ||||
| - Backport fix of memory use after free during libkrad cleanup | ||||
| - Backport support for larger RADIUS attributes in libkrad | ||||
| - Resolves: rhbz#2103125 | ||||
| 
 | ||||
| * Wed Apr 27 2022 Julien Rische <jrische@redhat.com> - 1.18.2-19 | ||||
| - Try harder to avoid password change replay errors | ||||
| - Resolves: #2077563 | ||||
| 
 | ||||
| * Wed Apr 13 2022 Julien Rische <jrische@redhat.com> - 1.18.2-18 | ||||
| - Fix kprop for propagating dump files larger than 4GB | ||||
| - Resolves: #2026462 | ||||
| 
 | ||||
| * Mon Mar 21 2022 Julien Rische <jrische@redhat.com> - 1.18.2-15 | ||||
| - Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest | ||||
| - Resolves: #2066316 | ||||
| 
 | ||||
| * Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-14 | ||||
| - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) | ||||
| - Resolves: #1997601 | ||||
|  | ||||