Commit Graph

1202 Commits

Author SHA1 Message Date
Julien Rische
2bc63920d3 krb5 1.21.2-6
- Add missing SPDX license identifiers
  Resolves: RHEL-44383

Some MIT krb5 licenses where not registered by the SPDX project. They
were recently added to the official list. The SPDX expression is
complete at this point.

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-21 16:25:41 +02:00
Fedora Release Engineering
5cc4a0d8bc Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-25 00:53:41 +00:00
Fedora Release Engineering
87d784ddd7 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-21 02:56:15 +00:00
Julien Rische
1ed0e3a2d8 krb5 1.21.2-3
- Fix double free in klist's show_ccache()
  Resolves: rhbz#2257301
- Store krb5-tests files in architecture-specific directories
  Resolves: rhbz#2244601

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-01-17 14:06:16 +01:00
Julien Rische
0fe5c327ec Fix memory leaks and use SPDX license expression
- Use SPDX expression for license tag
- Fix unimportant memory leaks
  Resolves: rhbz#2223274

Signed-off-by: Julien Rische <jrische@redhat.com>
2023-10-16 16:10:43 +02:00
Julien Rische
f5676fd233 New upstream version (1.21.2)
- Fix double-free in KDC TGS processing (CVE-2023-39975)
  Resolves: rhbz#2229113
- Make tests compatible with Python 3.12
  Resolves: rhbz#2224013

Signed-off-by: Julien Rische <jrische@redhat.com>
2023-08-16 11:30:37 +02:00
Fedora Release Engineering
ae2cf9bef3 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 09:33:35 +00:00
Marek Blaha
a2c04215f0 Replace file dependency by package name
By default, dnf5 does not download the filelists repository metadata
required to resolve file dependencies outside of /usr/(s)bin or /etc.
This causes the krb5-server file to become uninstallable.

$ dnf5 install krb5-server
Repositories loaded.
Failed to resolve the transaction:
Problem: conflicting requests
  - nothing provides /usr/share/dict/words needed by krb5-server-1.21-1.fc39.x86_64

This change aligns with the Fedora packaging guidelines, as stated here:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216903
2023-06-29 08:32:10 +02:00
Julien Rische
0b340d0ef3 New upstream version (1.21)
Do not disable PKINIT if some of the well-known DH groups are unavailable
  Resolves: rhbz#2214297
Make PKINIT CMS SHA-1 signature verification available in FIPS mode
  Resolves: rhbz#2214300
Allow to set PAC ticket signature as optional
  Resolves: rhbz#2181311
Add support for MS-PAC extended KDC signature (CVE-2022-37967)
  Resolves: rhbz#2166001
Fix syntax error in aclocal.m4
  Resolves: rhbz#2143306

Signed-off-by: Julien Rische <jrische@redhat.com>
2023-06-12 17:29:15 +02:00
Julien Rische
7058594eab Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
Signed-off-by: Julien Rische <jrische@redhat.com>
2023-01-31 17:56:02 +01:00
Julien Rische
ec957f5711 Do not block KRB5KDF and MD4/5 in FIPS mode
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.

Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.

Such exceptions should not be allowed by the default FIPS crypto
policy.

Signed-off-by: Julien Rische <jrische@redhat.com>
2023-01-30 12:52:50 +01:00
Fedora Release Engineering
dca288bae2 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 15:08:24 +00:00
Julien Rische
4a4fd39d5e Add AES SHA-2 HMAC family as default KDC etypes
Resolves: rhbz#2114771
Signed-off-by: Julien Rische <jrische@redhat.com>
2023-01-18 16:08:42 +01:00
Julien Rische
4eee9bbb50 Strip debugging data from ksu executable file
Signed-off-by: Julien Rische <jrische@redhat.com>
2023-01-18 16:08:41 +01:00
Julien Rische
f0b4f85e9e Include missing OpenSSL FIPS header
Signed-off-by: Julien Rische <jrische@redhat.com>
2023-01-09 13:28:16 +01:00
Julien Rische
f29ff7186e Make tests compatible with sssd_krb5_locator_plugin.so 2023-01-09 13:28:16 +01:00
Yaakov Selkowitz
ba968605e7 Fix openssl dependencies for RHEL/ELN 2022-12-07 19:18:54 -05:00
Julien Rische
f003c0755c Enable TMT integration with Fedora CI
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-12-06 14:48:31 +01:00
Alexander Bokovoy
a206938c15 Bump KDB version to 9.0
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-01 17:57:01 +02:00
Julien Rische
95288a2fb9 Use TMT for gating tests
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-12-01 15:16:23 +01:00
Julien Rische
3668746b8f Remove invalid password expiry warning
Resolves: rhbz#2129113
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-11-24 11:35:42 +01:00
Julien Rische
603ad7099e Update error checking for OpenSSL CMS_verify
Resolves: rhbz#2119704
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-11-24 11:35:26 +01:00
Julien Rische
56cee506e7 New upstream version (1.20.1)
Also set "supportedCMSTypes" to SHA-512/256 with RSA encryption

Resolves: rhbz#2124463
Resolves: rhbz#2114766
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-11-24 11:35:10 +01:00
Julien Rische
c13bf943d8 Fix integer overflows in PAC parsing (CVE-2022-42898)
Resolves: rhbz#2143011
Signed-off-by: Julien Rische <jrische@redhat.com>
2022-11-16 10:35:01 +01:00
Andreas Schneider
0c2f5dcbe5 Add missing BR for resolv_wrapper to run t_discover_uri.py 2022-08-03 13:17:09 +02:00
Andreas Schneider
f5aa40a4a2 Do not define netlib, but use autoconf detection for res_* functions
This looks like an ancient patch and is not needed anymore.
2022-08-03 13:17:09 +02:00
Andreas Schneider
440331a1e4 Fix the Source0 and Source1 variables 2022-08-03 13:15:15 +02:00
Andreas Schneider
3907ec760c Use baserelease to set the release number 2022-08-02 12:13:54 +02:00
Fedora Release Engineering
e138eb8125 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-21 16:36:11 +00:00
Julien Rische
601b89387b Read GSS configuration files with mtime 0
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0.  Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.

Change the initial high value to the be the "invalid" value
(time_t)-1.  Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-06-15 15:38:15 +02:00
Julien Rische
e9188f0caa Allow krad UDP/TCP localhost connection with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.

This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.

Resolves: rhbz#2082189

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-05-25 11:50:56 +02:00
Julien Rische
c25a51c969 Use p11-kit as default PKCS11 module
Resolves: rhbz#2073274

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-05-02 19:03:37 +02:00
Julien Rische
04513849e3 Try harder to avoid password change replay errors
change_set_password() was changed to prefer TCP.  However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.

Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server.  In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.

Resolves: rhbz#2076965

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-04-26 13:38:51 +02:00
Alexander Bokovoy
fc958d4773 Fix libkrad client cleanup code
Resolves: rhbz#2072059

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2022-04-05 22:18:53 +03:00
Alexander Bokovoy
29a69aee06 fix dist macro 2022-04-05 16:52:33 +03:00
Alexander Bokovoy
0ceb166d96 Allow use of larger RADIUS attributes in krad library
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
    Otherwise attributes longer than 125 characters will be rejected with
    EBADMSG.

    Add a 253-character-long NAS-Identifier attribute to the tests to make
    sure that attributes with the maximal number of characters are working
    as expected.

    [ghudson@mit.edu: used uint8_t cast per current practices; edited
    commit message]

    ticket: 9036 (new)

From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2022-04-05 16:51:11 +03:00
Julien Rische
2ef37ab30d Use SHA-256 instead of SHA-1 for PKINIT CMS digest
CMS digest and signature algorithm for the anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 hasn't been considered secure anymore for
this kind of purposes for some years already.

Resolves: rhbz#2067121

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-03-23 12:28:27 +01:00
Zbigniew Jędrzejewski-Szmek
970430cbff Drop link flags from krb5-config
Introspecing krb5-config shows that all of the flags in LDFLAGS= are
inappropriate for export, so just drop them all.
2022-02-09 10:54:56 +01:00
Zbigniew Jędrzejewski-Szmek
f858c7e550 Drop old trigger scriptlet
1.15.1 was ~2017, so there is no need to support upgrades from such old
systemd. This allows the dependency on grep to be dropped. grep pulls
in pcre, but most other programs in the core group depend on the newer
pcre2, so it's nicer to avoid pulling in pcre in minimal installations.
2022-02-08 14:07:47 +01:00
Alexander Bokovoy
b998554176 Temporarily remove package note to unblock krb5-dependent packages
Resolves: rhbz#2048909

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2022-02-03 12:27:25 +02:00
Fedora Release Engineering
75355e197a - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 15:08:32 +00:00
Antonio Torres
ad88d4fd50 Add patches to support OpenSSL 3.0.0
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-12-03 11:25:46 +01:00
Sahana Prasad
70255ea5b0 Rebuilt with OpenSSL 3.0.0 2021-09-14 19:05:45 +02:00
Robbie Harwood
91c904e5df Remove -specs= from krb5-config output 2021-08-24 17:13:22 +00:00
Robbie Harwood
ca196a9d6b Fix KDC null deref on TGS inner body null server (CVE-2021-37750) 2021-08-19 12:29:56 -04:00
Robbie Harwood
03e8c69837 Add sources 2021-07-26 14:50:12 -04:00
Robbie Harwood
c4016b4e4c New upstream version (1.19.2) 2021-07-26 14:49:39 -04:00
Robbie Harwood
2484569caa Fix defcred leak in krb5 gss_inquire_cred() 2021-07-21 12:44:26 -04:00
Robbie Harwood
6a2eeb9666 Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) 2021-07-12 13:11:12 -04:00
Robbie Harwood
af96dc0c6c Fix use-after-free during krad remote_shutdown() 2021-07-01 13:17:47 -04:00