From 13a890c18230468dbe0167b311b5398c2b2385de Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 22 Sep 2023 18:10:08 +0300 Subject: [PATCH] import krb5-1.21.1-1.el9 --- .gitignore | 2 +- .krb5.metadata | 2 +- ...t-Don-t-issue-session-keys-with-depr.patch | 310 ++++++++ ...0002-downstream-ksu-pam-integration.patch} | 10 +- ...0003-downstream-SELinux-integration.patch} | 38 +- ...wnstream-fix-debuginfo-with-y.tab.c.patch} | 4 +- ...0005-downstream-Remove-3des-support.patch} | 127 ++- ...m-FIPS-with-PRNG-and-RADIUS-and-MD4.patch} | 117 +-- ...-variable-for-default-PKCS-11-module.patch | 201 ----- ...krad-UDP-TCP-localhost-connection-w.patch} | 7 +- ...asonable-supportedCMSTypes-in-PKINIT.patch | 159 ---- ...ests-compatible-with-sssd_krb5_loca.patch} | 4 +- .../0009-Simplify-plugin-loading-code.patch | 622 --------------- ...-Include-missing-OpenSSL-FIPS-header.patch | 120 +++ ...rror-checking-for-OpenSSL-CMS_verify.patch | 48 -- ...m-Do-not-set-root-as-ksu-file-owner.patch} | 4 +- ...ow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch} | 4 +- ...-SHA-1-digest-disallowed-error-for-P.patch | 28 - .../0012-Add-and-use-ts_interval-helper.patch | 239 ------ ...-to-set-PAC-ticket-signature-as-opti.patch | 279 +++++++ ...PKINIT-CMS-SHA-1-signature-verificat.patch | 47 ++ ...T-if-at-least-one-group-is-available.patch | 217 ++++++ ...ix-double-free-in-KDC-TGS-processing.patch | 48 ++ SOURCES/0016-Add-PAC-full-checksums.patch | 672 ---------------- ...ible-double-free-during-KDB-creation.patch | 45 -- ...idian-type-in-kadmin-datetime-parser.patch | 36 - SOURCES/krb5-1.20.1.tar.gz.asc | 16 - SOURCES/krb5-1.21.1.tar.gz.asc | 16 + SPECS/krb5.spec | 737 +++++++++--------- 29 files changed, 1537 insertions(+), 2622 deletions(-) create mode 100644 SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch rename SOURCES/{0001-downstream-ksu-pam-integration.patch => 0002-downstream-ksu-pam-integration.patch} (99%) rename SOURCES/{0002-downstream-SELinux-integration.patch => 0003-downstream-SELinux-integration.patch} (97%) rename SOURCES/{0003-downstream-fix-debuginfo-with-y.tab.c.patch => 0004-downstream-fix-debuginfo-with-y.tab.c.patch} (95%) rename SOURCES/{0004-downstream-Remove-3des-support.patch => 0005-downstream-Remove-3des-support.patch} (98%) rename SOURCES/{0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch => 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch} (88%) delete mode 100644 SOURCES/0007-Add-configure-variable-for-default-PKCS-11-module.patch rename SOURCES/{0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch => 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch} (96%) delete mode 100644 SOURCES/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch rename SOURCES/{0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch => 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch} (94%) delete mode 100644 SOURCES/0009-Simplify-plugin-loading-code.patch create mode 100644 SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch delete mode 100644 SOURCES/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch rename SOURCES/{0014-downstream-Do-not-set-root-as-ksu-file-owner.patch => 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch} (93%) rename SOURCES/{0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch => 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch} (98%) delete mode 100644 SOURCES/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch delete mode 100644 SOURCES/0012-Add-and-use-ts_interval-helper.patch create mode 100644 SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch create mode 100644 SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch create mode 100644 SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch create mode 100644 SOURCES/0015-Fix-double-free-in-KDC-TGS-processing.patch delete mode 100644 SOURCES/0016-Add-PAC-full-checksums.patch delete mode 100644 SOURCES/0017-Fix-possible-double-free-during-KDB-creation.patch delete mode 100644 SOURCES/0018-Fix-meridian-type-in-kadmin-datetime-parser.patch delete mode 100644 SOURCES/krb5-1.20.1.tar.gz.asc create mode 100644 SOURCES/krb5-1.21.1.tar.gz.asc diff --git a/.gitignore b/.gitignore index 1a1ce9f..34dfc5f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/krb5-1.20.1.tar.gz +SOURCES/krb5-1.21.1.tar.gz diff --git a/.krb5.metadata b/.krb5.metadata index 6c32258..7e07b45 100644 --- a/.krb5.metadata +++ b/.krb5.metadata @@ -1 +1 @@ -06278439a6cd5a2aa861d8e877451b794487534b SOURCES/krb5-1.20.1.tar.gz +505440658a00e009c430439dba60e13a98067cd3 SOURCES/krb5-1.21.1.tar.gz diff --git a/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch b/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch new file mode 100644 index 0000000..d567e2d --- /dev/null +++ b/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch @@ -0,0 +1,310 @@ +From 93bb4f5ba6fd79e72a75de20e209db219118a3a1 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 2 Aug 2023 10:19:28 +0200 +Subject: [PATCH] [downstream] Revert "Don't issue session keys with deprecated + enctypes" + +This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463. +--- + doc/admin/conf_files/krb5_conf.rst | 12 ------------ + doc/admin/enctypes.rst | 23 +++------------------- + src/include/k5-int.h | 4 ---- + src/kdc/kdc_util.c | 10 ---------- + src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++------------------- + src/lib/krb5/krb/init_ctx.c | 10 ---------- + src/tests/gssapi/t_enctypes.py | 3 +-- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++------------------------- + src/util/k5test.py | 4 ++-- + 10 files changed, 20 insertions(+), 107 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index ecdf917501..f22d5db11b 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + +-**allow_des3** +- Permit the KDC to issue tickets with des3-cbc-sha1 session keys. +- In future releases, this flag will allow des3-cbc-sha1 to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- +-**allow_rc4** +- Permit the KDC to issue tickets with arcfour-hmac session keys. +- In future releases, this flag will allow arcfour-hmac to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index dce19ad43e..694922c0d9 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,15 +48,12 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. Starting in krb5-1.21, all services are assumed to support +-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session +-keys will not be issued by default. ++enctypes. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal, overriding the service's +-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. +-See :ref:`set_string` in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal. See :ref:`set_string` ++in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -90,20 +87,6 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + +-**allow_des3** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- des3-cbc-sha1 session keys. In a future release, this flag will +- control whether des3-cbc-sha1 is permitted in similar fashion to +- weak enctypes. +- +-**allow_rc4** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- arcfour-hmac session keys. In a future release, this flag will +- control whether arcfour-hmac is permitted in similar fashion to +- weak enctypes. +- + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 2f7791b775..1d1c8293f4 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,8 +180,6 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" +-#define KRB5_CONF_ALLOW_DES3 "allow_des3" +-#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1240,8 +1238,6 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; +- krb5_boolean allow_des3; +- krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index e54cc751f9..75e04b73db 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; + +- /* +- * Prevent these deprecated enctypes from being used as session keys +- * unless they are explicitly allowed. In the future they will be more +- * comprehensively disabled and eventually removed. +- */ +- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3) +- continue; +- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4) +- continue; +- + if (dbentry_supports_enctype(context, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ea089f0fcc..1b420a3ac2 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if a deprecated enctype was used for +- * either the reply key or the session key. */ ++/* Display a warning via the prompter if des3-cbc-sha1 was used for either the ++ * reply key or the session key. */ + static void +-warn_deprecated(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_des3(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- krb5_enctype etype; +- char encbuf[128], banner[256]; ++ const char *banner; + +- if (ctx->prompter == NULL) +- return; +- +- if (krb5int_c_deprecated_enctype(as_key_enctype)) +- etype = as_key_enctype; +- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) +- etype = ctx->cred.keyblock.enctype; +- else ++ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && ++ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) + return; +- +- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ if (ctx->prompter == NULL) + return; +- snprintf(banner, sizeof(banner), +- _("Warning: encryption type %s used for authentication is " +- "deprecated and will be disabled"), encbuf); + ++ banner = _("Warning: encryption type des3-cbc-sha1 used for " ++ "authentication is weak and will be disabled"); + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1857,7 +1848,7 @@ init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_deprecated(context, ctx, encrypting_key.enctype); ++ warn_des3(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index a6c2bbeb54..87b486c53f 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_des3 = tmp; +- +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_rc4 = tmp; +- + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index f5f11842e2..7494d7fcdb 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. + supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', +- 'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index 38cf96ca8f..c982508d8b 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'allow_weak_crypto': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 5a213617b5..9024aee838 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,8 +25,6 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} +-conf5 = {'libdefaults': {'allow_rc4': 'true'}} +-conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Skip RC4 (as the KDC does not allow it for session keys by +-# default) and negotiate aes128-cts session key, with only an aes256 +-# long-term service key. ++# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -71,24 +67,4 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + +-# 5: allow_rc4 permits negotiation of rc4-hmac session key. +-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. +-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) +-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 7: default config negotiates aes256-sha1 session key for RC4-only service. +-realm = K5Realm(create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) +-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') +-realm.stop() +- + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 8e5f5ba8e9..2a86c5cdfc 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1340,14 +1340,14 @@ _passes = [ + + # Exercise the DES3 enctype. + ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), +-- +2.41.0 + diff --git a/SOURCES/0001-downstream-ksu-pam-integration.patch b/SOURCES/0002-downstream-ksu-pam-integration.patch similarity index 99% rename from SOURCES/0001-downstream-ksu-pam-integration.patch rename to SOURCES/0002-downstream-ksu-pam-integration.patch index 2b737c0..a5fcc00 100644 --- a/SOURCES/0001-downstream-ksu-pam-integration.patch +++ b/SOURCES/0002-downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001 +From d7be72b066a9b07f0426780c7931614eddf9dd9e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -30,7 +30,7 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 9920476f91..bf9da35bbc 100644 +index 3d66a876b3..ce3c5a9bac 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then @@ -760,10 +760,10 @@ index 0000000000..0ab76569cb +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index f03028b5fd..aa970b0447 100644 +index 77be7a2025..587221936e 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -773,5 +773,5 @@ index f03028b5fd..aa970b0447 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.38.1 +2.41.0 diff --git a/SOURCES/0002-downstream-SELinux-integration.patch b/SOURCES/0003-downstream-SELinux-integration.patch similarity index 97% rename from SOURCES/0002-downstream-SELinux-integration.patch rename to SOURCES/0003-downstream-SELinux-integration.patch index 4271d66..7fe6540 100644 --- a/SOURCES/0002-downstream-SELinux-integration.patch +++ b/SOURCES/0003-downstream-SELinux-integration.patch @@ -1,4 +1,4 @@ -From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001 +From 021f1f1bf690694945a3ab0a5221797a7bcd6a99 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1 create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index bf9da35bbc..01283f482e 100644 +index ce3c5a9bac..3331970930 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -133,10 +133,10 @@ index bf9da35bbc..01283f482e 100644 +AC_SUBST(SELINUX_LIBS) +])dnl diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index dead0dddce..fef3e054fc 100755 +index 8e6eb86601..7677f37359 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' +@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' DEFCKTNAME='@DEFCKTNAME@' @@ -144,7 +144,7 @@ index dead0dddce..fef3e054fc 100755 LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -254,7 +255,7 @@ if test -n "$do_libs"; then +@@ -253,7 +254,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static @@ -175,10 +175,10 @@ index a0c60c70b3..7eaa2f351c 100644 GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! diff --git a/src/configure.ac b/src/configure.ac -index aa970b0447..40545f2bfc 100644 +index 587221936e..69be9030f8 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -188,7 +188,7 @@ index aa970b0447..40545f2bfc 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 44dc1eeb3f..c3aecba7d4 100644 +index 1d1c8293f4..768110e5ef 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -238,7 +238,7 @@ index 0000000000..dfaaa847cb +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c0194c3c94..7e1dea2cbf 100644 +index 9c76780181..dd6430ece8 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -290,10 +290,10 @@ index a89b5144f6..4d6cc0bdf9 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 38b9299066..085afc9220 100644 +index bfdfef5c48..b43fe9a082 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -848,7 +848,7 @@ write_pid_file(const char *path) +@@ -844,7 +844,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -303,7 +303,7 @@ index 38b9299066..085afc9220 100644 return errno; pid = (unsigned long) getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index f2341d720f..ffdac9f397 100644 +index aa3c81ea30..cb9785aaeb 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c @@ -488,6 +488,9 @@ doit(int fd) @@ -333,10 +333,10 @@ index f2341d720f..ffdac9f397 100644 KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2a..9aec3c05e8 100644 +index e14da53790..b879a4049b 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c -@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do +@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -345,7 +345,7 @@ index c6885edf2a..9aec3c05e8 100644 S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -439,10 +439,10 @@ index e510211fc5..f3ea28c8ec 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 3369fc4ba6..95f82cda03 100644 +index 4cbbbb270a..c4058ddc96 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -452,7 +452,7 @@ index 3369fc4ba6..95f82cda03 100644 free(fd); return errno; diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b0..2b9d01921d 100644 +index 9a506e9d44..f92ab47143 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -1034,5 +1034,5 @@ index 0000000000..807d039da3 + +#endif /* USE_SELINUX */ -- -2.38.1 +2.41.0 diff --git a/SOURCES/0003-downstream-fix-debuginfo-with-y.tab.c.patch b/SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch similarity index 95% rename from SOURCES/0003-downstream-fix-debuginfo-with-y.tab.c.patch rename to SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch index 3c58cc1..16081f7 100644 --- a/SOURCES/0003-downstream-fix-debuginfo-with-y.tab.c.patch +++ b/SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001 +From 780db3e904ada1946b0d1dce04c8daa74273c7b6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c @@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.38.1 +2.41.0 diff --git a/SOURCES/0004-downstream-Remove-3des-support.patch b/SOURCES/0005-downstream-Remove-3des-support.patch similarity index 98% rename from SOURCES/0004-downstream-Remove-3des-support.patch rename to SOURCES/0005-downstream-Remove-3des-support.patch index 4ec3a0f..f319952 100644 --- a/SOURCES/0004-downstream-Remove-3des-support.patch +++ b/SOURCES/0005-downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001 +From 1f992f9a857346b8837fd12d8c90f7b2cafb9613 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -8,7 +8,7 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. -Last-updated: 1.20-final +Last-updated: 1.21.1-final [antorres@redhat.com: remove diffs for: - src/kdamin/testing/proto/kdc.conf.proto - src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp @@ -32,7 +32,7 @@ Last-updated: 1.20-final src/include/krb5/krb5.hin | 10 +- src/kdc/kdc_util.c | 4 - src/lib/crypto/Makefile.in | 8 +- - src/lib/crypto/builtin/Makefile.in | 6 +- + src/lib/crypto/builtin/Makefile.in | 4 +- src/lib/crypto/builtin/des/ISSUES | 13 - src/lib/crypto/builtin/des/Makefile.in | 82 ---- src/lib/crypto/builtin/des/d3_aead.c | 137 ------ @@ -74,7 +74,7 @@ Last-updated: 1.20-final src/lib/crypto/krb/prf_des.c | 47 --- src/lib/crypto/krb/random_to_key.c | 28 -- src/lib/crypto/libk5crypto.exports | 1 - - src/lib/crypto/openssl/Makefile.in | 8 +- + src/lib/crypto/openssl/Makefile.in | 4 +- src/lib/crypto/openssl/des/Makefile.in | 20 - src/lib/crypto/openssl/des/deps | 14 - src/lib/crypto/openssl/des/des_keys.c | 39 -- @@ -103,13 +103,13 @@ Last-updated: 1.20-final src/tests/gssapi/t_pcontok.c | 16 +- src/tests/gssapi/t_prf.c | 7 - src/tests/t_authdata.py | 2 +- - src/tests/t_etype_info.py | 18 +- + src/tests/t_etype_info.py | 21 +- src/tests/t_keyrollover.py | 8 +- src/tests/t_mkey.py | 35 -- src/tests/t_salt.py | 5 +- src/util/k5test.py | 7 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 89 files changed, 151 insertions(+), 4713 deletions(-) + 89 files changed, 149 insertions(+), 4712 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -247,7 +247,7 @@ index ade5e1f87a..e4dc54f7e5 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index a0d4f26701..5f34dea5e8 100644 +index 45fe160d7f..b4b1f3bd93 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -259,10 +259,10 @@ index a0d4f26701..5f34dea5e8 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index fa0eb80f1f..12168fa695 100644 +index cd76f5999f..1e1cfce80c 100644 --- a/doc/conf.py +++ b/doc/conf.py -@@ -278,7 +278,7 @@ else: +@@ -281,7 +281,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` @@ -272,7 +272,7 @@ index fa0eb80f1f..12168fa695 100644 .. |copy| unicode:: U+000A9 ''' diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index ca2d6ef117..100c64a1c1 100644 +index 10effcf175..cad0855724 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -307,10 +307,10 @@ index 8f14e9bf2c..ba3bb18eec 100644 ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) diff --git a/src/configure.ac b/src/configure.ac -index 40545f2bfc..8dc864718d 100644 +index 69be9030f8..2561e917a2 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(. +@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(. lib lib/kdb lib/crypto lib/crypto/krb lib/crypto/crypto_tests @@ -326,7 +326,7 @@ index 40545f2bfc..8dc864718d 100644 lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 7e1dea2cbf..fb9f2a366c 100644 +index dd6430ece8..350bcf86f2 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -362,10 +362,10 @@ index 7e1dea2cbf..fb9f2a366c 100644 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 9f2a67d189..b7a9aa4992 100644 +index 75e04b73db..fe4e48209a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c -@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; @@ -374,7 +374,7 @@ index 9f2a67d189..b7a9aa4992 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1704,8 +1702,6 @@ krb5_boolean +@@ -1647,8 +1645,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -414,7 +414,7 @@ index 10e8c74cf8..25c4f40cc3 100644 all-unix: all-liblinks install-unix: install-libs diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in -index daf19da195..c9e967c807 100644 +index 243bb17ba3..30bfcd30c0 100644 --- a/src/lib/crypto/builtin/Makefile.in +++ b/src/lib/crypto/builtin/Makefile.in @@ -1,6 +1,6 @@ @@ -429,15 +429,6 @@ index daf19da195..c9e967c807 100644 $(srcdir)/kdf.c \ $(srcdir)/pbkdf2.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ -@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ - camellia/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ @@ -4862,7 +4853,7 @@ index 052f4d4b51..d8ffa63304 100644 krb5int_camellia_encrypt krb5int_cmac_checksum diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in -index 08de047d0a..88f7fd0a09 100644 +index cf11f6847b..8e4cdb8bbf 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -1,6 +1,6 @@ @@ -4873,32 +4864,15 @@ index 08de047d0a..88f7fd0a09 100644 LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) STLIBOBJS=\ -@@ -24,14 +24,14 @@ SRCS=\ +@@ -24,7 +24,7 @@ SRCS=\ $(srcdir)/pbkdf2.c \ $(srcdir)/sha256.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ - aes/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ enc_provider/OBJS.ST \ hash_provider/OBJS.ST \ -@@ -42,7 +42,7 @@ includes: depend - - depend: $(SRCS) - --clean-unix:: clean-libobjs -+clean-unix:: clean-libobjsn - - @lib_frag@ - @libobj_frag@ diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in deleted file mode 100644 index a6cece1dd1..0000000000 @@ -5244,10 +5218,10 @@ index 41e845eae0..5a43c3d9eb 100644 } diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index d4e90793f9..1bc807172b 100644 +index b35e11bfb6..d7c2ad321e 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle, +@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle, } switch (negotiated_etype) { @@ -5256,7 +5230,7 @@ index d4e90793f9..1bc807172b 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index a4446530fc..88d41130a7 100644 +index 7364607198..5aeb69aebc 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -125,14 +125,14 @@ enum sgn_alg { @@ -5286,10 +5260,10 @@ index a4446530fc..88d41130a7 100644 }; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c -index d1cdce486f..7f7146a0a2 100644 +index 99275be53a..0e5d10b115 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c -@@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context, +@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ @@ -5315,7 +5289,7 @@ index d1cdce486f..7f7146a0a2 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); if (code) { -@@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context, +@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context, gssalloc_free(t); return(code); } @@ -5327,22 +5301,22 @@ index d1cdce486f..7f7146a0a2 100644 - */ - if (md5cksum.length != cksum_size) - abort (); -- memcpy (ptr+14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy (ptr+14, md5cksum.contents, cksum_size); +- memcpy(checksum, md5cksum.contents, cksum_size); - break; - } + -+ memcpy (ptr+14, md5cksum.contents, cksum_size); ++ memcpy(checksum, md5cksum.contents, cksum_size); krb5_free_checksum_contents(context, &md5cksum); diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c -index 9bb2ee1099..9147bb2c78 100644 +index 7bf7609a48..d5e12cb436 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c -@@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context, +@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ /* initialize the checksum */ @@ -5366,20 +5340,20 @@ index 9bb2ee1099..9147bb2c78 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen); if (code != 0) -@@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context, +@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context, if (code != 0) goto cleanup; - switch (ctx->signalg) { - case SGN_ALG_HMAC_SHA1_DES3_KD: - assert(md5cksum.length == ctx->cksum_size); -- memcpy(ptr + 14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); +- memcpy(checksum, md5cksum.contents, ctx->cksum_size); - break; - } -+ memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); ++ memcpy(checksum, md5cksum.contents, ctx->cksum_size); /* create the seq_num */ code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF, @@ -5769,10 +5743,10 @@ index e3d2846315..586661bb7e 100644 #define CKK_CAST3 (0x17) #define CKK_CAST128 (0x18) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 94a1b22fb1..65f6210727 100644 +index e22798f668..9fa315d7a0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -376,11 +376,11 @@ krb5_error_code server_process_dh +@@ -370,11 +370,11 @@ krb5_error_code server_process_dh * krb5_algorithm_identifier */ krb5_error_code create_krb5_supportedCMSTypes @@ -6019,10 +5993,10 @@ index f71774cdc9..d1857c433f 100644 "3BB3AE288C12B3B9D06B208A4151B3B6", "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 97e2474bf8..47ea9e4b47 100644 +index bde1c36844..8fcd30db51 100644 --- a/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py -@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted']) +@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted']) # preferred krbtgt enctype changes. mark('#8139 regression test') realm.kinit(realm.user_princ, password('user'), ['-f']) @@ -6032,18 +6006,21 @@ index 97e2474bf8..47ea9e4b47 100644 realm.run(['./forward']) realm.run([kvno, realm.host_princ]) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index c982508d8b..96e90a69d2 100644 +index c982508d8b..a6f538b66d 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py -@@ -1,6 +1,6 @@ +@@ -1,8 +1,7 @@ from k5test import * -supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, +- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} +supported_enctypes = 'aes128-cts rc4-hmac' - conf = {'libdefaults': {'allow_weak_crypto': 'true'}, - 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} ++conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) -@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines): + + realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth', +@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines): # With no newer enctypes in the request, PA-ETYPE-INFO2, # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one # key for the most preferred matching enctype. @@ -6056,7 +6033,7 @@ index c982508d8b..96e90a69d2 100644 'asrep pw_salt KRBTEST.COMuser']) # With a newer enctype in the request (even if it is not the most -@@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts', +@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts', # In preauth-required errors, PA-PW-SALT does not appear, but the same # etype-info2 values are expected. @@ -6069,7 +6046,7 @@ index c982508d8b..96e90a69d2 100644 test_etinfo('preauthuser', 'rc4 aes256-cts', ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) -@@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', +@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', # (to allow for preauth mechs which don't depend on long-term keys). # An AS-REP cannot be generated without preauth as there is no reply # key. @@ -6081,7 +6058,7 @@ index c982508d8b..96e90a69d2 100644 # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED # error if the client does optimistic preauth. diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 2c825a6922..f29e0d5500 100755 +index e9840dfae8..583c2fa27e 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg) @@ -6182,10 +6159,10 @@ index 65084bbf35..55ca897459 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. diff --git a/src/util/k5test.py b/src/util/k5test.py -index 619f1995f8..771f82e3cc 100644 +index 2a86c5cdfc..d823653aa0 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py -@@ -1344,13 +1344,6 @@ _passes = [ +@@ -1338,13 +1338,6 @@ _passes = [ # No special settings; exercises AES256. ('default', None, None, None), @@ -6224,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644 The AES Advanced Encryption Standard family, like 3DES, is a symmetric block cipher and was designed -- -2.38.1 +2.41.0 diff --git a/SOURCES/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch similarity index 88% rename from SOURCES/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch rename to SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index b4db298..fa30355 100644 --- a/SOURCES/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From b8e3a859f8904d395ea0e1a7d6c49a791029711c Mon Sep 17 00:00:00 2001 +From 2dc9988da95cdd76335a00007b262272ca8c45b3 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 @@ -21,29 +21,27 @@ post7 restores MD5 and adds radius_md5_fips_override. post8 silences a static analyzer warning. -post9 add missing includes for FIPS_mode() macro - -Last-updated: krb5-1.20.1 +Last-updated: krb5-1.20 --- doc/admin/conf_files/krb5_conf.rst | 6 +++ - src/lib/crypto/krb/prng.c | 17 ++++++- - .../crypto/openssl/enc_provider/camellia.c | 7 +++ - src/lib/crypto/openssl/enc_provider/rc4.c | 17 ++++++- + src/lib/crypto/krb/prng.c | 15 +++++- + .../crypto/openssl/enc_provider/camellia.c | 6 +++ + src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++- .../crypto/openssl/hash_provider/hash_evp.c | 12 +++++ - src/lib/crypto/openssl/hmac.c | 7 ++- + src/lib/crypto/openssl/hmac.c | 6 ++- src/lib/krad/attr.c | 46 ++++++++++++++----- src/lib/krad/attrset.c | 5 +- - src/lib/krad/internal.h | 32 ++++++++++++- + src/lib/krad/internal.h | 28 ++++++++++- src/lib/krad/packet.c | 22 +++++---- src/lib/krad/remote.c | 10 +++- src/lib/krad/t_attr.c | 3 +- src/lib/krad/t_attrset.c | 4 +- - src/plugins/preauth/spake/spake_client.c | 10 ++++ - src/plugins/preauth/spake/spake_kdc.c | 10 ++++ - 15 files changed, 175 insertions(+), 33 deletions(-) + src/plugins/preauth/spake/spake_client.c | 6 +++ + src/plugins/preauth/spake/spake_kdc.c | 6 +++ + 15 files changed, 155 insertions(+), 33 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index d5d6e06ebb..2a4962069f 100644 +index f22d5db11b..a33711d918 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations: @@ -60,25 +58,23 @@ index d5d6e06ebb..2a4962069f 100644 If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c -index d6b79e2dea..ae37c77518 100644 +index d6b79e2dea..9e80a03d21 100644 --- a/src/lib/crypto/krb/prng.c +++ b/src/lib/crypto/krb/prng.c -@@ -26,6 +26,14 @@ +@@ -26,6 +26,12 @@ #include "crypto_int.h" +#include + -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#else ++#if OPENSSL_VERSION_NUMBER < 0x30000000L +#include +#endif + krb5_error_code KRB5_CALLCONV krb5_c_random_seed(krb5_context context, krb5_data *data) { -@@ -96,9 +104,16 @@ cleanup: +@@ -96,9 +102,16 @@ cleanup: static krb5_boolean get_os_entropy(unsigned char *buf, size_t len) { @@ -97,18 +93,10 @@ index d6b79e2dea..ae37c77518 100644 /* * Pull from the /dev/urandom pool, but require it to have been seeded. diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c -index 01920e6ce1..3dd3b0624f 100644 +index 01920e6ce1..d9f327add6 100644 --- a/src/lib/crypto/openssl/enc_provider/camellia.c +++ b/src/lib/crypto/openssl/enc_provider/camellia.c -@@ -32,6 +32,7 @@ - #include - #if OPENSSL_VERSION_NUMBER >= 0x30000000L - #include -+#include - #else - #include - #endif -@@ -387,6 +388,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data, +@@ -387,6 +387,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data, unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE]; struct iov_cursor cursor; @@ -118,7 +106,7 @@ index 01920e6ce1..3dd3b0624f 100644 if (output->length < CAMELLIA_BLOCK_SIZE) return KRB5_BAD_MSIZE; -@@ -418,6 +422,9 @@ static krb5_error_code +@@ -418,6 +421,9 @@ static krb5_error_code krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage, krb5_data *state) { @@ -129,21 +117,10 @@ index 01920e6ce1..3dd3b0624f 100644 state->data = (void *) malloc(16); if (state->data == NULL) diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c -index 448d563348..6a83f10d27 100644 +index 448d563348..ce63cb5f1b 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c +++ b/src/lib/crypto/openssl/enc_provider/rc4.c -@@ -38,6 +38,10 @@ - - #include - -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#endif -+ - /* - * The loopback field is a pointer to the structure. If the application copies - * the state (not a valid operation, but one which happens to works with some -@@ -69,6 +73,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, +@@ -69,6 +69,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, EVP_CIPHER_CTX *ctx = NULL; struct arcfour_state *arcstate; @@ -153,7 +130,7 @@ index 448d563348..6a83f10d27 100644 arcstate = (state != NULL) ? (void *)state->data : NULL; if (arcstate != NULL) { ctx = arcstate->ctx; -@@ -116,7 +123,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, +@@ -116,7 +119,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, static void k5_arcfour_free_state(krb5_data *state) { @@ -167,7 +144,7 @@ index 448d563348..6a83f10d27 100644 EVP_CIPHER_CTX_free(arcstate->ctx); free(arcstate); -@@ -128,6 +140,9 @@ k5_arcfour_init_state(const krb5_keyblock *key, +@@ -128,6 +136,9 @@ k5_arcfour_init_state(const krb5_keyblock *key, { struct arcfour_state *arcstate; @@ -215,18 +192,10 @@ index f2fbffdb29..11659908bb 100644 } diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c -index bf12b8d6a0..25a419d73a 100644 +index bf12b8d6a0..f21e268f7f 100644 --- a/src/lib/crypto/openssl/hmac.c +++ b/src/lib/crypto/openssl/hmac.c -@@ -59,6 +59,7 @@ - #if OPENSSL_VERSION_NUMBER >= 0x30000000L - #include - #include -+#include - #else - #include - #endif -@@ -111,7 +112,11 @@ map_digest(const struct krb5_hash_provider *hash) +@@ -111,7 +111,11 @@ map_digest(const struct krb5_hash_provider *hash) return EVP_sha256(); else if (hash == &krb5int_hash_sha384) return EVP_sha384(); @@ -387,23 +356,19 @@ index f309f1581c..6ec031e320 100644 return retval; diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h -index 7619563fc5..a17b6f39b1 100644 +index 7619563fc5..e123763954 100644 --- a/src/lib/krad/internal.h +++ b/src/lib/krad/internal.h -@@ -39,6 +39,12 @@ +@@ -39,6 +39,8 @@ #include #include +#include -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#endif + #ifndef UCHAR_MAX #define UCHAR_MAX 255 #endif -@@ -49,6 +55,13 @@ +@@ -49,6 +51,13 @@ typedef struct krad_remote_st krad_remote; @@ -417,7 +382,7 @@ index 7619563fc5..a17b6f39b1 100644 /* Validate constraints of an attribute. */ krb5_error_code kr_attr_valid(krad_attr type, const krb5_data *data); -@@ -57,7 +70,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); +@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); krb5_error_code kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, krad_attr type, const krb5_data *in, @@ -427,7 +392,7 @@ index 7619563fc5..a17b6f39b1 100644 /* Decode an attribute. */ krb5_error_code -@@ -69,7 +83,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, +@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, krb5_error_code kr_attrset_encode(const krad_attrset *set, const char *secret, const unsigned char *auth, @@ -437,7 +402,7 @@ index 7619563fc5..a17b6f39b1 100644 /* Decode attributes from a buffer. */ krb5_error_code -@@ -156,4 +171,17 @@ gai_error_code(int err) +@@ -156,4 +167,17 @@ gai_error_code(int err) } } @@ -595,23 +560,19 @@ index 7928335ca4..0f95762534 100644 /* Manually encode User-Name. */ diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c -index 00734a13b5..13c699071f 100644 +index 00734a13b5..a3ce22b70f 100644 --- a/src/plugins/preauth/spake/spake_client.c +++ b/src/plugins/preauth/spake/spake_client.c -@@ -38,6 +38,12 @@ +@@ -38,6 +38,8 @@ #include "groups.h" #include +#include -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#endif + typedef struct reqstate_st { krb5_pa_spake *msg; /* set in prep_questions, used in process */ krb5_keyblock *initial_key; -@@ -375,6 +381,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, +@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; @@ -623,23 +584,19 @@ index 00734a13b5..13c699071f 100644 vt->name = "spake"; vt->pa_type_list = pa_types; diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c -index 1a772d450f..3394f8a58e 100644 +index 1a772d450f..232e78bc05 100644 --- a/src/plugins/preauth/spake/spake_kdc.c +++ b/src/plugins/preauth/spake/spake_kdc.c -@@ -41,6 +41,12 @@ +@@ -41,6 +41,8 @@ #include +#include -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#endif + /* * The SPAKE kdcpreauth module uses a secure cookie containing the following * concatenated fields (all integer fields are big-endian): -@@ -551,6 +557,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, +@@ -551,6 +553,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; @@ -651,5 +608,5 @@ index 1a772d450f..3394f8a58e 100644 vt->name = "spake"; vt->pa_type_list = pa_types; -- -2.38.1 +2.41.0 diff --git a/SOURCES/0007-Add-configure-variable-for-default-PKCS-11-module.patch b/SOURCES/0007-Add-configure-variable-for-default-PKCS-11-module.patch deleted file mode 100644 index e07d85e..0000000 --- a/SOURCES/0007-Add-configure-variable-for-default-PKCS-11-module.patch +++ /dev/null @@ -1,201 +0,0 @@ -From c0a6d66e98e62b94d72bb51b8d6c00130a951215 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Fri, 22 Apr 2022 14:12:37 +0200 -Subject: [PATCH] Add configure variable for default PKCS#11 module - -[ghudson@mit.edu: added documentation of configure variable and doc -substitution; shortened commit message] - -ticket: 9058 (new) ---- - doc/admin/conf_files/krb5_conf.rst | 2 +- - doc/build/options2configure.rst | 3 +++ - doc/conf.py | 3 +++ - doc/mitK5defaults.rst | 25 +++++++++++++------------ - src/configure.ac | 8 ++++++++ - src/doc/Makefile.in | 2 ++ - src/man/Makefile.in | 4 +++- - src/man/krb5.conf.man | 2 +- - src/plugins/preauth/pkinit/pkinit.h | 1 - - 9 files changed, 34 insertions(+), 16 deletions(-) - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 2a4962069f..a33711d918 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -1017,7 +1017,7 @@ information for PKINIT is as follows: - All keyword/values are optional. *modname* specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the *modname*. If no -- module-name is specified, the default is ``opensc-pkcs11.so``. -+ module-name is specified, the default is |pkcs11_modname|. - ``slotid=`` and/or ``token=`` may be specified to force the use of - a particular smard card reader or token if there is more than one - available. ``certid=`` and/or ``certlabel=`` may be specified to -diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst -index 9e355dc2c5..e879b18bd2 100644 ---- a/doc/build/options2configure.rst -+++ b/doc/build/options2configure.rst -@@ -137,6 +137,9 @@ Environment variables - This option allows one to specify libraries to be passed to the - linker (e.g., ``-l``) - -+**PKCS11_MODNAME=**\ *library* -+ Override the built-in default PKCS11 library name. -+ - **SS_LIB=**\ *libs*... - If ``-lss`` is not the correct way to link in your installed ss - library, for example if additional support libraries are needed, -diff --git a/doc/conf.py b/doc/conf.py -index 12168fa695..0ab5ff9606 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -242,6 +242,7 @@ if 'mansubs' in tags: - ccache = '``@CCNAME@``' - keytab = '``@KTNAME@``' - ckeytab = '``@CKTNAME@``' -+ pkcs11_modname = '``@PKCS11MOD@``' - elif 'pathsubs' in tags: - # Read configured paths from a file produced by the build system. - exec(open("paths.py").read()) -@@ -255,6 +256,7 @@ else: - ccache = ':ref:`DEFCCNAME `' - keytab = ':ref:`DEFKTNAME `' - ckeytab = ':ref:`DEFCKTNAME `' -+ pkcs11_modname = ':ref:`PKCS11_MODNAME `' - - rst_epilog = '\n' - -@@ -275,6 +277,7 @@ else: - rst_epilog += '.. |ccache| replace:: %s\n' % ccache - rst_epilog += '.. |keytab| replace:: %s\n' % keytab - rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab -+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname - rst_epilog += ''' - .. |krb5conf| replace:: ``/etc/krb5.conf`` - .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` -diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst -index 74e69f4ad0..aea7af3dbb 100644 ---- a/doc/mitK5defaults.rst -+++ b/doc/mitK5defaults.rst -@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an - operating system, the paths are generally chosen to match the - operating system's filesystem layout. - --========================== ============= =========================== =========================== --Description Symbolic name Custom build path Typical OS path --========================== ============= =========================== =========================== --User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` --Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` --Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` --Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` --Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` --Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` --Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` --Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` --========================== ============= =========================== =========================== -+========================== ============== =========================== =========================== -+Description Symbolic name Custom build path Typical OS path -+========================== ============== =========================== =========================== -+User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` -+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` -+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` -+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` -+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` -+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` -+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` -+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` -+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` -+========================== ============== =========================== =========================== - - The default client keytab name (DEFCKTNAME) typically defaults to - ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom -diff --git a/src/configure.ac b/src/configure.ac -index 8dc864718d..9774cb71ae 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name]) - AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"], - [Define to default client keytab name]) - -+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name]) -+if test "${PKCS11_MODNAME+set}" != set; then -+ PKCS11_MODNAME=opensc-pkcs11.so -+fi -+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME]) -+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"], -+ [Default PKCS11 module name]) -+ - AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config]) - AC_CONFIG_FILES([build-tools/kadm-server.pc - build-tools/kadm-client.pc -diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index 379bc36511..a1b0cff0a4 100644 ---- a/src/doc/Makefile.in -+++ b/src/doc/Makefile.in -@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - RST_SOURCES= _static \ - _templates \ -@@ -118,6 +119,7 @@ paths.py: - echo 'ccache = "``$(DEFCCNAME)``"' >> $@ - echo 'keytab = "``$(DEFKTNAME)``"' >> $@ - echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@ -+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@ - - # Dummy rule that man/Makefile can invoke - version.py: $(docsrc)/version.py -diff --git a/src/man/Makefile.in b/src/man/Makefile.in -index 00b1b2de06..85cae0914e 100644 ---- a/src/man/Makefile.in -+++ b/src/man/Makefile.in -@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ - kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ -@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h - -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ - -e 's|@CCNAME@|$(DEFCCNAME)|g' \ - -e 's|@KTNAME@|$(DEFKTNAME)|g' \ -- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@ -+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \ -+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@ - - all: $(MANSUBS) - -diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man -index 51acb38815..fd2c6f2bc4 100644 ---- a/src/man/krb5.conf.man -+++ b/src/man/krb5.conf.man -@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key. - All keyword/values are optional. \fImodname\fP specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the \fImodname\fP\&. If no --module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. -+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&. - \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of - a particular smard card reader or token if there is more than one - available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to -diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h -index 8135535e2c..66f92d8f03 100644 ---- a/src/plugins/preauth/pkinit/pkinit.h -+++ b/src/plugins/preauth/pkinit/pkinit.h -@@ -42,7 +42,6 @@ - #ifndef WITHOUT_PKCS11 - #include "pkcs11.h" - --#define PKCS11_MODNAME "opensc-pkcs11.so" - #define PK_SIGLEN_GUESS 1000 - #define PK_NOSLOT 999999 - #endif --- -2.38.1 - diff --git a/SOURCES/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch b/SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch similarity index 96% rename from SOURCES/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch rename to SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch index 5363d87..6b77732 100644 --- a/SOURCES/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +++ b/SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch @@ -1,8 +1,7 @@ -From 813f3840c7b9f32c1d96dcd847be91fe545653eb Mon Sep 17 00:00:00 2001 +From 343e4042abdec8697d2c30eb84f70bdbd8388302 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 May 2022 17:15:12 +0200 -Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection - with FIPS +Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS libkrad allows to establish connections only to UNIX socket in FIPS mode, because MD5 digest is not considered safe enough to be used for @@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644 retval = ESOCKTNOSUPPORT; goto error; -- -2.38.1 +2.41.0 diff --git a/SOURCES/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch b/SOURCES/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch deleted file mode 100644 index 83dfe5b..0000000 --- a/SOURCES/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 3cc9ef956342f55cc9ae283e30fc3ba080248cf3 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 1 Jun 2022 18:02:04 +0200 -Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT - -The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know -the algorithms it supports for verification of the CMS data signature. -(The MIT krb5 KDC currently ignores this list, but other -implementations use it.) - -Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption. - -[ghudson@mit.edu: simplified code and used appropriate helpers; edited -commit message] - -ticket: 9066 (new) ---- - src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++- - src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++ - .../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++--------- - 3 files changed, 60 insertions(+), 26 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c -index 652897fa14..1da482e0b4 100644 ---- a/src/plugins/preauth/pkinit/pkinit_constants.c -+++ b/src/plugins/preauth/pkinit/pkinit_constants.c -@@ -32,9 +32,14 @@ - - #include "pkinit.h" - --/* statically declare OID constants for all three algorithms */ --static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01}; -+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */ -+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */ - static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */ - static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 }; - - const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid }; -@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = { - NULL - }; - -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 11 */ -+static char sha256WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b -+}; -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 13 */ -+static char sha512WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d -+}; -+ -+const krb5_data sha256WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid -+}; -+const krb5_data sha512WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid -+}; -+ -+krb5_data const * const supported_cms_algs[] = { -+ &sha512WithRSAEncr_id, -+ &sha256WithRSAEncr_id, -+ NULL -+}; -+ - /* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as - * DomainParameters (RFC 3279 section 2.3.3). */ - static const uint8_t o1024[] = { -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 65f6210727..64300da856 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096; - */ - extern krb5_data const * const supported_kdf_alg_ids[]; - -+/* CMS signature algorithms supported by this implementation, in order of -+ * decreasing preference. */ -+extern krb5_data const * const supported_cms_algs[]; -+ - krb5_error_code - crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, - uint8_t **der_out, size_t *der_len); -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index d500455dec..1c2aa02827 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, -- krb5_algorithm_identifier ***oids) -+ krb5_algorithm_identifier ***algs_out) - { -+ krb5_error_code ret; -+ krb5_algorithm_identifier **algs = NULL; -+ size_t i, count; - -- krb5_error_code retval = ENOMEM; -- krb5_algorithm_identifier **loids = NULL; -- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; -+ *algs_out = NULL; - -- *oids = NULL; -- loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); -- if (loids == NULL) -- goto cleanup; -- loids[1] = NULL; -- loids[0] = malloc(sizeof(krb5_algorithm_identifier)); -- if (loids[0] == NULL) { -- free(loids); -- goto cleanup; -- } -- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); -- if (retval) { -- free(loids[0]); -- free(loids); -+ /* Count supported OIDs and allocate list (including null terminator). */ -+ for (count = 0; supported_cms_algs[count] != NULL; count++); -+ algs = k5calloc(count + 1, sizeof(*algs), &ret); -+ if (algs == NULL) - goto cleanup; -+ -+ /* Add an algorithm identifier for each OID, with no parameters. */ -+ for (i = 0; i < count; i++) { -+ algs[i] = k5alloc(sizeof(*algs[i]), &ret); -+ if (algs[i] == NULL) -+ goto cleanup; -+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i], -+ &algs[i]->algorithm); -+ if (ret) -+ goto cleanup; -+ algs[i]->parameters = empty_data(); - } -- loids[0]->parameters.length = 0; -- loids[0]->parameters.data = NULL; - -- *oids = loids; -- retval = 0; --cleanup: -+ *algs_out = algs; -+ algs = NULL; - -- return retval; -+cleanup: -+ free_krb5_algorithm_identifiers(&algs); -+ return ret; - } - - krb5_error_code --- -2.38.1 - diff --git a/SOURCES/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch similarity index 94% rename from SOURCES/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch rename to SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch index a094f87..211f7b6 100644 --- a/SOURCES/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +++ b/SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch @@ -1,4 +1,4 @@ -From 9aa12e932f08651785519890896647069e7a30b1 Mon Sep 17 00:00:00 2001 +From aa0556348373d6aca0a1bda96fe7a47888051d33 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 7 Dec 2022 13:22:42 +0100 Subject: [PATCH] [downstream] Make tests compatible with @@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644 fail('URI answers do not match') j += 1 -- -2.38.1 +2.41.0 diff --git a/SOURCES/0009-Simplify-plugin-loading-code.patch b/SOURCES/0009-Simplify-plugin-loading-code.patch deleted file mode 100644 index 5caf10e..0000000 --- a/SOURCES/0009-Simplify-plugin-loading-code.patch +++ /dev/null @@ -1,622 +0,0 @@ -From 593109802b52e3f89c3a65436bfdba78f8c517c4 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 23 Jun 2022 16:41:40 -0400 -Subject: [PATCH] Simplify plugin loading code - -Remove the USE_CFBUNDLE code, which was only used by KfM. Handle -platform conditionals according to current practice. Use -k5_dir_filenames() instead of opendir() and remove the Windows -implementation of opendir(). ---- - src/util/support/plugins.c | 507 +++++++++++-------------------------- - 1 file changed, 150 insertions(+), 357 deletions(-) - -diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c -index c6a9a21d57..0850565687 100644 ---- a/src/util/support/plugins.c -+++ b/src/util/support/plugins.c -@@ -29,16 +29,6 @@ - #if USE_DLOPEN - #include - #endif --#include --#ifdef HAVE_SYS_STAT_H --#include --#endif --#ifdef HAVE_SYS_PARAM_H --#include --#endif --#ifdef HAVE_UNISTD_H --#include --#endif - - #if USE_DLOPEN - #ifdef RTLD_GROUP -@@ -68,16 +58,6 @@ - #endif - #endif - --#if USE_DLOPEN && USE_CFBUNDLE --#include -- --/* Currently CoreFoundation only exists on the Mac so we just use -- * pthreads directly to avoid creating empty function calls on other -- * platforms. If a thread initializer ever gets created in the common -- * plugin code, move this there */ --static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER; --#endif -- - #include - static void Tprintf (const char *fmt, ...) - { -@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...) - } - - struct plugin_file_handle { --#if USE_DLOPEN -+#if defined(USE_DLOPEN) - void *dlhandle; --#endif --#ifdef _WIN32 -- HMODULE hinstPlugin; --#endif --#if !defined (USE_DLOPEN) && !defined (_WIN32) -+#elif defined(_WIN32) -+ HMODULE module; -+#else - char dummy; - #endif - }; - --#ifdef _WIN32 --struct dirent { -- long d_ino; /* inode (always 1 in WIN32) */ -- off_t d_off; /* offset to this dirent */ -- unsigned short d_reclen; /* length of d_name */ -- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */ --}; -- --typedef struct { -- intptr_t handle; /* _findfirst/_findnext handle */ -- short offset; /* offset into directory */ -- short finished; /* 1 if there are not more files */ -- struct _finddata_t fileinfo;/* from _findfirst/_findnext */ -- char *dir; /* the dir we are reading */ -- struct dirent dent; /* the dirent to return */ --} DIR; -+#if defined(USE_DLOPEN) - --DIR * opendir(const char *dir) -+static long -+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) - { -- DIR *dp; -- char *filespec; -- intptr_t handle; -- int index; -- -- filespec = malloc(strlen(dir) + 2 + 1); -- strcpy(filespec, dir); -- index = strlen(filespec) - 1; -- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\')) -- filespec[index] = '\0'; -- strcat(filespec, "/*"); -- -- dp = (DIR *)malloc(sizeof(DIR)); -- dp->offset = 0; -- dp->finished = 0; -- dp->dir = strdup(dir); -- -- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) { -- if (errno == ENOENT) -- dp->finished = 1; -- else { -- free(filespec); -- free(dp->dir); -- free(dp); -- return NULL; -- } -+ const char *e; -+ -+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS); -+ if (h->dlhandle == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlopen(%s): %s\n", filename, e); -+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"), -+ filename, e); -+ return ENOENT; - } -- -- dp->handle = handle; -- free(filespec); -- -- return dp; -+ return 0; - } -+#define open_plugin open_plugin_dlfcn - --struct dirent * readdir(DIR *dp) -+static long -+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- if (!dp || dp->finished) return NULL; -- -- if (dp->offset != 0) { -- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) { -- dp->finished = 1; -- return NULL; -- } -+ const char *e; -+ -+ if (h->dlhandle == NULL) -+ return ENOENT; -+ *sym_out = dlsym(h->dlhandle, csymname); -+ if (*sym_out == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlsym(%s): %s\n", csymname, e); -+ k5_set_error(ep, ENOENT, "%s", e); -+ return ENOENT; - } -- dp->offset++; -- -- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME); -- dp->dent.d_ino = 1; -- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name); -- dp->dent.d_off = dp->offset; -- -- return &(dp->dent); --} -- --int closedir(DIR *dp) --{ -- if (!dp) return 0; -- _findclose(dp->handle); -- free(dp->dir); -- free(dp); -- - return 0; - } --#endif -+#define get_sym get_sym_dlfcn - --long KRB5_CALLCONV --krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep) -+static void -+close_plugin_dlfcn(struct plugin_file_handle *h) - { -- long err = 0; -- struct plugin_file_handle *htmp = NULL; -- int got_plugin = 0; --#if defined(USE_CFBUNDLE) || defined(_WIN32) -- struct stat statbuf; -- -- if (!err) { -- if (stat (filepath, &statbuf) < 0) { -- err = errno; -- Tprintf ("stat(%s): %s\n", filepath, strerror (err)); -- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"), -- filepath, strerror(err)); -- } -- } --#endif -- -- if (!err) { -- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */ -- if (htmp == NULL) { err = ENOMEM; } -- } -- --#if USE_DLOPEN -- if (!err --#if USE_CFBUNDLE -- && ((statbuf.st_mode & S_IFMT) == S_IFREG -- || (statbuf.st_mode & S_IFMT) == S_IFDIR) --#endif /* USE_CFBUNDLE */ -- ) { -- void *handle = NULL; -- --#if USE_CFBUNDLE -- char executablepath[MAXPATHLEN]; -- -- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) { -- int lock_err = 0; -- CFStringRef pluginString = NULL; -- CFURLRef pluginURL = NULL; -- CFBundleRef pluginBundle = NULL; -- CFURLRef executableURL = NULL; -- -- /* Lock around CoreFoundation calls since objects are refcounted -- * and the refcounts are not thread-safe. Using pthreads directly -- * because this code is Mac-specific */ -- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex); -- if (lock_err) { err = lock_err; } -- -- if (!err) { -- pluginString = CFStringCreateWithCString (kCFAllocatorDefault, -- filepath, -- kCFStringEncodingASCII); -- if (pluginString == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault, -- pluginString, -- kCFURLPOSIXPathStyle, -- true); -- if (pluginURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL); -- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */ -- } -- -- if (!err) { -- executableURL = CFBundleCopyExecutableURL (pluginBundle); -- if (executableURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- if (!CFURLGetFileSystemRepresentation (executableURL, -- true, /* absolute */ -- (UInt8 *)executablepath, -- sizeof (executablepath))) { -- err = ENOMEM; -- } -- } -- -- if (!err) { -- /* override the path the caller passed in */ -- filepath = executablepath; -- } -- -- if (executableURL != NULL) { CFRelease (executableURL); } -- if (pluginBundle != NULL) { CFRelease (pluginBundle); } -- if (pluginURL != NULL) { CFRelease (pluginURL); } -- if (pluginString != NULL) { CFRelease (pluginString); } -- -- /* unlock after CFRelease calls since they modify refcounts */ -- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); } -- } --#endif /* USE_CFBUNDLE */ -- -- if (!err) { -- handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS); -- if (handle == NULL) { -- const char *e = dlerror(); -- if (e == NULL) -- e = _("unknown failure"); -- Tprintf ("dlopen(%s): %s\n", filepath, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"), -- filepath, e); -- } -- } -+ if (h->dlhandle != NULL) -+ dlclose(h->dlhandle); -+} -+#define close_plugin close_plugin_dlfcn - -- if (!err) { -- got_plugin = 1; -- htmp->dlhandle = handle; -- handle = NULL; -- } -+#elif defined(_WIN32) - -- if (handle != NULL) { dlclose (handle); } -+static long -+open_plugin_win32(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ h->module = LoadLibrary(filename); -+ if (h == NULL) { -+ Tprintf("Unable to load dll: %s\n", filename); -+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename); -+ return ENOENT; - } --#endif /* USE_DLOPEN */ -- --#ifdef _WIN32 -- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) { -- HMODULE handle = NULL; -+ return 0; -+} -+#define open_plugin open_plugin_win32 - -- handle = LoadLibrary(filepath); -- if (handle == NULL) { -- Tprintf ("Unable to load dll: %s\n", filepath); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath); -- } -+static long -+get_sym_win32(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) -+{ -+ LPVOID lpMsgBuf; -+ DWORD dw; - -- if (!err) { -- got_plugin = 1; -- htmp->hinstPlugin = handle; -- handle = NULL; -+ if (h->module == NULL) -+ return ENOENT; -+ *sym_out = GetProcAddress(h->module, csymname); -+ if (*sym_out == NULL) { -+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError()); -+ dw = GetLastError(); -+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -+ FORMAT_MESSAGE_FROM_SYSTEM, -+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -+ (LPTSTR)&lpMsgBuf, 0, NULL)) { -+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"), -+ (char *)lpMsgBuf); -+ LocalFree(lpMsgBuf); - } -- -- if (handle != NULL) -- FreeLibrary(handle); -- } --#endif -- -- if (!err && !got_plugin) { -- err = ENOENT; /* no plugin or no way to load plugins */ -- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err)); -+ return ENOENT; - } -+ return 0; -+} -+#define get_sym get_sym_win32 - -- if (!err) { -- *h = htmp; -- htmp = NULL; /* h takes ownership */ -- } -+static void -+close_plugin_win32(struct plugin_file_handle *h) -+{ -+ if (h->module != NULL) -+ FreeLibrary(h->module); -+} -+#define close_plugin close_plugin_win32 - -- free(htmp); -+#else - -- return err; -+static long -+open_plugin_dummy(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ k5_set_error(ep, ENOENT, _("plugin loading unavailable")); -+ return ENOENT; - } -+#define open_plugin open_plugin_dummy - - static long --krb5int_get_plugin_sym (struct plugin_file_handle *h, -- const char *csymname, int isfunc, void **ptr, -- struct errinfo *ep) -+get_sym_dummy(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- long err = 0; -- void *sym = NULL; -+ return ENOENT; -+} -+#define get_sym get_sym_dummy -+ -+static void -+close_plugin_dummy(struct plugin_file_handle *h) -+{ -+} -+#define close_plugin close_plugin_dummy - --#if USE_DLOPEN -- if (!err && !sym && (h->dlhandle != NULL)) { -- /* XXX Do we need to add a leading "_" to the symbol name on any -- modern platforms? */ -- sym = dlsym (h->dlhandle, csymname); -- if (sym == NULL) { -- const char *e = dlerror (); /* XXX copy and save away */ -- if (e == NULL) -- e = "unknown failure"; -- Tprintf ("dlsym(%s): %s\n", csymname, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- } -- } - #endif - --#ifdef _WIN32 -- LPVOID lpMsgBuf; -- DWORD dw; -+long KRB5_CALLCONV -+krb5int_open_plugin(const char *filename, -+ struct plugin_file_handle **handle_out, struct errinfo *ep) -+{ -+ long ret; -+ struct plugin_file_handle *h; - -- if (!err && !sym && (h->hinstPlugin != NULL)) { -- sym = GetProcAddress(h->hinstPlugin, csymname); -- if (sym == NULL) { -- const char *e = "unable to get dll symbol"; /* XXX copy and save away */ -- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError()); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- -- dw = GetLastError(); -- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -- FORMAT_MESSAGE_FROM_SYSTEM, -- NULL, -- dw, -- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -- (LPTSTR) &lpMsgBuf, -- 0, NULL )) { -- -- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf); -- LocalFree(lpMsgBuf); -- } -- } -- } --#endif -+ *handle_out = NULL; - -- if (!err && (sym == NULL)) { -- err = ENOENT; /* unimplemented */ -- } -+ h = calloc(1, sizeof(*h)); -+ if (h == NULL) -+ return ENOMEM; - -- if (!err) { -- *ptr = sym; -+ ret = open_plugin(h, filename, ep); -+ if (ret) { -+ free(h); -+ return ret; - } - -- return err; -+ *handle_out = h; -+ return 0; - } - - long KRB5_CALLCONV --krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname, -- void **ptr, struct errinfo *ep) -+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep); -+ return get_sym(h, csymname, sym_out, ep); - } - - long KRB5_CALLCONV --krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname, -- void (**ptr)(), struct errinfo *ep) -+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname, -+ void (**sym_out)(), struct errinfo *ep) - { - void *dptr = NULL; -- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep); -- if (!err) { -- /* Cast function pointers to avoid code duplication */ -- *ptr = (void (*)()) dptr; -- } -- return err; -+ long ret = get_sym(h, csymname, &dptr, ep); -+ -+ if (!ret) -+ *sym_out = (void (*)())dptr; -+ return ret; - } - - void KRB5_CALLCONV - krb5int_close_plugin (struct plugin_file_handle *h) - { --#if USE_DLOPEN -- if (h->dlhandle != NULL) { dlclose(h->dlhandle); } --#endif --#ifdef _WIN32 -- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); } --#endif -- free (h); -+ close_plugin(h); -+ free(h); - } - --/* autoconf docs suggest using this preference order */ --#if HAVE_DIRENT_H || USE_DIRENT_H --#include --#define NAMELEN(D) strlen((D)->d_name) --#else --#ifndef _WIN32 --#define dirent direct --#define NAMELEN(D) ((D)->d->namlen) --#else --#define NAMELEN(D) strlen((D)->d_name) --#endif --#if HAVE_SYS_NDIR_H --# include --#elif HAVE_SYS_DIR_H --# include --#elif HAVE_NDIR_H --# include --#endif --#endif -- - static long - krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray) - { -@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames, - if (handle != NULL) { krb5int_close_plugin (handle); } - } - } else { -- /* load all plugins in each directory */ -- DIR *dir = opendir (dirnames[i]); -+ char **fnames = NULL; -+ int j; - -- while (dir != NULL && !err) { -- struct dirent *d = NULL; -+ err = k5_dir_filenames(dirnames[i], &fnames); -+ for (j = 0; !err && fnames[j] != NULL; j++) { - char *filepath = NULL; - struct plugin_file_handle *handle = NULL; - -- d = readdir (dir); -- if (d == NULL) { break; } -- -- if ((strcmp (d->d_name, ".") == 0) || -- (strcmp (d->d_name, "..") == 0)) { -+ if (strcmp(fnames[j], ".") == 0 || -+ strcmp(fnames[j], "..") == 0) - continue; -- } - -- if (!err) { -- int len = NAMELEN (d); -- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) { -- filepath = NULL; -- err = ENOMEM; -- } -+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) { -+ filepath = NULL; -+ err = ENOMEM; - } - -- if (!err) { -- if (krb5int_open_plugin (filepath, &handle, ep) == 0) { -- err = krb5int_plugin_file_handle_array_add (&h, &count, handle); -- if (!err) { handle = NULL; } /* h takes ownership */ -- } -+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) { -+ err = krb5int_plugin_file_handle_array_add(&h, &count, -+ handle); -+ if (!err) -+ handle = NULL; /* h takes ownership */ - } - - free(filepath); -- if (handle != NULL) { krb5int_close_plugin (handle); } -+ if (handle != NULL) -+ krb5int_close_plugin(handle); - } - -- if (dir != NULL) { closedir (dir); } -+ k5_free_filenames(fnames); - } - } - --- -2.38.1 - diff --git a/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch b/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch new file mode 100644 index 0000000..e1693bc --- /dev/null +++ b/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch @@ -0,0 +1,120 @@ +From 52904f3693397dace4e9ef5db1cd7d14eaa3b1fb Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 5 Jan 2023 20:06:47 +0100 +Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header + +The inclusion of openssl/fips.h, which provides the declaration of +FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this +header file has to be included explicitly in krb5 code. +--- + src/lib/crypto/krb/prng.c | 4 +++- + src/lib/crypto/openssl/enc_provider/camellia.c | 1 + + src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++ + src/lib/crypto/openssl/hmac.c | 1 + + src/lib/krad/internal.h | 4 ++++ + src/plugins/preauth/spake/spake_client.c | 4 ++++ + src/plugins/preauth/spake/spake_kdc.c | 4 ++++ + 7 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c +index 9e80a03d21..ae37c77518 100644 +--- a/src/lib/crypto/krb/prng.c ++++ b/src/lib/crypto/krb/prng.c +@@ -28,7 +28,9 @@ + + #include + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#else + #include + #endif + +diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c +index d9f327add6..3dd3b0624f 100644 +--- a/src/lib/crypto/openssl/enc_provider/camellia.c ++++ b/src/lib/crypto/openssl/enc_provider/camellia.c +@@ -32,6 +32,7 @@ + #include + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include ++#include + #else + #include + #endif +diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c +index ce63cb5f1b..6a83f10d27 100644 +--- a/src/lib/crypto/openssl/enc_provider/rc4.c ++++ b/src/lib/crypto/openssl/enc_provider/rc4.c +@@ -38,6 +38,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + /* + * The loopback field is a pointer to the structure. If the application copies + * the state (not a valid operation, but one which happens to works with some +diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c +index f21e268f7f..25a419d73a 100644 +--- a/src/lib/crypto/openssl/hmac.c ++++ b/src/lib/crypto/openssl/hmac.c +@@ -59,6 +59,7 @@ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include + #include ++#include + #else + #include + #endif +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index e123763954..a17b6f39b1 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -41,6 +41,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + #ifndef UCHAR_MAX + #define UCHAR_MAX 255 + #endif +diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c +index a3ce22b70f..13c699071f 100644 +--- a/src/plugins/preauth/spake/spake_client.c ++++ b/src/plugins/preauth/spake/spake_client.c +@@ -40,6 +40,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + typedef struct reqstate_st { + krb5_pa_spake *msg; /* set in prep_questions, used in process */ + krb5_keyblock *initial_key; +diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c +index 232e78bc05..3394f8a58e 100644 +--- a/src/plugins/preauth/spake/spake_kdc.c ++++ b/src/plugins/preauth/spake/spake_kdc.c +@@ -43,6 +43,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + /* + * The SPAKE kdcpreauth module uses a secure cookie containing the following + * concatenated fields (all integer fields are big-endian): +-- +2.41.0 + diff --git a/SOURCES/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch b/SOURCES/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch deleted file mode 100644 index 79652f8..0000000 --- a/SOURCES/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 75f71ace74449a6e5154314229bfa61960cd326c Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Thu, 28 Jul 2022 15:20:12 +0200 -Subject: [PATCH] Update error checking for OpenSSL CMS_verify - -The code for CMS data verification was initially written for OpenSSL's -PKCS7_verify() function. It now uses CMS_verify(), but error handling -is still done using PKCS7_verify() error identifiers. Update the -recognized error codes so that the KDC generates -KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate. -Use ERR_peek_last_error() to observe the error generated closest to -the API surface. - -[ghudson@mit.edu: edited commit message] - -ticket: 9069 (new) -tags: pullup -target_version: 1.20-next ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 1c2aa02827..16edf15cb2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context, - goto cleanup; - out = BIO_new(BIO_s_mem()); - if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { -- unsigned long err = ERR_peek_error(); -+ unsigned long err = ERR_peek_last_error(); - switch(ERR_GET_REASON(err)) { -- case PKCS7_R_DIGEST_FAILURE: -+ case RSA_R_DIGEST_NOT_ALLOWED: -+ case CMS_R_UNKNOWN_DIGEST_ALGORITHM: -+ case CMS_R_NO_MATCHING_DIGEST: -+ case CMS_R_NO_MATCHING_SIGNATURE: - retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; - break; -- case PKCS7_R_SIGNATURE_FAILURE: -+ case CMS_R_VERIFICATION_FAILURE: - default: - retval = KRB5KDC_ERR_INVALID_SIG; - } --- -2.38.1 - diff --git a/SOURCES/0014-downstream-Do-not-set-root-as-ksu-file-owner.patch b/SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch similarity index 93% rename from SOURCES/0014-downstream-Do-not-set-root-as-ksu-file-owner.patch rename to SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch index 8c5b484..6c38fcd 100644 --- a/SOURCES/0014-downstream-Do-not-set-root-as-ksu-file-owner.patch +++ b/SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch @@ -1,4 +1,4 @@ -From fb13766f8fbd78acfcf7a150332a4e5474e4f52a Mon Sep 17 00:00:00 2001 +From f9429a9944b056376a1ff06e84dbf7e94f0d3108 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Mon, 9 Jan 2023 22:39:52 +0100 Subject: [PATCH] [downstream] Do not set root as ksu file owner @@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644 ## ${prefix}. prefix=@prefix@ -- -2.38.1 +2.41.0 diff --git a/SOURCES/0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch b/SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch similarity index 98% rename from SOURCES/0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch rename to SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch index 8b0ba6e..b09e303 100644 --- a/SOURCES/0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +++ b/SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From 6aea69170c2064aaea73ad3283b6d7dd0cae47e1 Mon Sep 17 00:00:00 2001 +From c002d03cce1c82e74a0c76b323c1bf1e619d022e Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 19 Jan 2023 19:22:27 +0100 Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode @@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644 ret = KRB5_CRYPTO_INTERNAL; goto done; -- -2.38.1 +2.41.0 diff --git a/SOURCES/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch b/SOURCES/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch deleted file mode 100644 index c27d4ca..0000000 --- a/SOURCES/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Fri, 19 Aug 2022 10:34:52 +0200 -Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for - PKINIT - -An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if -CMS_verify is called to verify a SHA-1 signature. If this error is -caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 16edf15cb2..bfa3fe8e91 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context, - if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { - unsigned long err = ERR_peek_last_error(); - switch(ERR_GET_REASON(err)) { -+ case EVP_R_INVALID_DIGEST: - case RSA_R_DIGEST_NOT_ALLOWED: - case CMS_R_UNKNOWN_DIGEST_ALGORITHM: - case CMS_R_NO_MATCHING_DIGEST: --- -2.38.1 - diff --git a/SOURCES/0012-Add-and-use-ts_interval-helper.patch b/SOURCES/0012-Add-and-use-ts_interval-helper.patch deleted file mode 100644 index b19b79a..0000000 --- a/SOURCES/0012-Add-and-use-ts_interval-helper.patch +++ /dev/null @@ -1,239 +0,0 @@ -From 6ba011d89f9cf4661eb7110bf810cfdb514b69fa Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 19 Sep 2022 15:18:50 -0400 -Subject: [PATCH] Add and use ts_interval() helper - -ts_delta() returns a signed result, which cannot hold an interval -larger than 2^31-1 seconds. Intervals like this have been seen when -admins set password expiration dates more than 68 years in the future. - -Add a second helper ts_interval() which returns a signed result, and -has the arguments reversed so that the start time is first. Use it in -warn_pw_expiry() to handle the password expiration case, in the GSS -krb5 mech where we return an unsigned context or credential lifetime -to the caller, and in the KEYRING ccache type where we compute an -unsigned keyring timeout. - -ticket: 9071 (new) ---- - src/include/k5-int.h | 9 +++++++++ - src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++---- - src/lib/gssapi/krb5/acquire_cred.c | 3 +-- - src/lib/gssapi/krb5/context_time.c | 2 +- - src/lib/gssapi/krb5/init_sec_context.c | 4 ++-- - src/lib/gssapi/krb5/inq_context.c | 2 +- - src/lib/gssapi/krb5/inq_cred.c | 2 +- - src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- - src/lib/krb5/ccache/cc_keyring.c | 4 ++-- - src/lib/krb5/krb/get_in_tkt.c | 15 +++++++-------- - 10 files changed, 31 insertions(+), 22 deletions(-) - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index c3aecba7d4..768110e5ef 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b) - return (krb5_deltat)((uint32_t)a - (uint32_t)b); - } - -+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */ -+static inline uint32_t -+ts_interval(krb5_timestamp start, krb5_timestamp end) -+{ -+ if ((uint32_t)start > (uint32_t)end) -+ return 0; -+ return (uint32_t)end - (uint32_t)start; -+} -+ - /* Increment a timestamp by a signed 32-bit interval, without relying on - * undefined behavior. */ - static inline krb5_timestamp -diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 1bc807172b..7de2c9fd77 100644 ---- a/src/lib/gssapi/krb5/accept_sec_context.c -+++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle, - *mech_type = ctx->mech_used; - - if (time_rec) { -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + -- ctx->k5_context->clockskew; -+ *time_rec = ts_interval(now - ctx->k5_context->clockskew, -+ ctx->krb_times.endtime); - } - - /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential -@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket. */ -- if (time_rec) -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew; -+ if (time_rec) { -+ *time_rec = ts_interval(now - context->clockskew, -+ ctx->krb_times.endtime); -+ } - - if (ret_flags) - *ret_flags = ctx->gss_flags; -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index e226a02692..006eba114d 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - GSS_C_NO_NAME); - if (GSS_ERROR(ret)) - goto error_out; -- *time_rec = ts_after(cred->expire, now) ? -- ts_delta(cred->expire, now) : 0; -+ *time_rec = ts_interval(now, cred->expire); - k5_mutex_unlock(&cred->lock); - } - } -diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c -index 1fdb5a16f2..5469d8154c 100644 ---- a/src/lib/gssapi/krb5/context_time.c -+++ b/src/lib/gssapi/krb5/context_time.c -@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) - return(GSS_S_FAILURE); - } - -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += ctx->k5_context->clockskew; - if (lifetime <= 0) { -diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index ea87cf6432..f0f094ccb7 100644 ---- a/src/lib/gssapi/krb5/init_sec_context.c -+++ b/src/lib/gssapi/krb5/init_sec_context.c -@@ -664,7 +664,7 @@ kg_new_connection( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto cleanup; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - /* set the other returns */ -@@ -878,7 +878,7 @@ mutual_auth( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - if (ret_flags) -diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c -index cac024da1f..51c484fdfe 100644 ---- a/src/lib/gssapi/krb5/inq_context.c -+++ b/src/lib/gssapi/krb5/inq_context.c -@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket during authentication. */ -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += context->clockskew; - if (lifetime < 0) -diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c -index bb63b726c8..0e675959a3 100644 ---- a/src/lib/gssapi/krb5/inq_cred.c -+++ b/src/lib/gssapi/krb5/inq_cred.c -@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - } - - if (cred->expire != 0) { -- lifetime = ts_delta(cred->expire, now); -+ lifetime = ts_interval(now, cred->expire); - if (lifetime < 0) - lifetime = 0; - } -diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c -index 7dcfe4e1eb..fa7f980af7 100644 ---- a/src/lib/gssapi/krb5/s4u_gss_glue.c -+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c -@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - if (code != 0) - goto cleanup; - -- *time_rec = ts_delta(cred->expire, now); -+ *time_rec = ts_interval(now, cred->expire); - } - - major_status = GSS_S_COMPLETE; -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index ebef37d607..1dadeef64f 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id) - - /* Setting the timeout to zero would reset the timeout, so we set it to one - * second instead if creds are already expired. */ -- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1; -+ timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1; - (void)keyctl_set_timeout(data->cache_id, timeout); - } - -@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) - - if (ts_after(creds->times.endtime, now)) { - (void)keyctl_set_timeout(cred_key, -- ts_delta(creds->times.endtime, now)); -+ ts_interval(now, creds->times.endtime)); - } - - update_keyring_expiration(context, id); -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 8b5ab595e9..1b420a3ac2 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - void *expire_data; - krb5_timestamp pw_exp, acct_exp, now; - krb5_boolean is_last_req; -- krb5_deltat delta; -+ uint32_t interval; - char ts[256], banner[1024]; - - if (as_reply == NULL || as_reply->enc_part2 == NULL) -@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - ret = krb5_timeofday(context, &now); - if (ret != 0) - return; -- if (!is_last_req && -- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60)) -+ interval = ts_interval(now, pw_exp); -+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60)) - return; - - if (!prompter) -@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - if (ret != 0) - return; - -- delta = ts_delta(pw_exp, now); -- if (delta < 3600) { -+ if (interval < 3600) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in less than one hour " - "on %s"), ts); -- } else if (delta < 86400 * 2) { -+ } else if (interval < 86400 * 2) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d hour%s on %s"), -- delta / 3600, delta < 7200 ? "" : "s", ts); -+ interval / 3600, interval < 7200 ? "" : "s", ts); - } else { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d days on %s"), -- delta / 86400, ts); -+ interval / 86400, ts); - } - - /* PROMPTER_INVOCATION */ --- -2.38.1 - diff --git a/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch b/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch new file mode 100644 index 0000000..a782e57 --- /dev/null +++ b/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch @@ -0,0 +1,279 @@ +From 83c99246ae9b157e462142daddccca5e18c2f3fd Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 15 Mar 2023 15:56:34 +0100 +Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional + +MS-PAC states that "The ticket signature SHOULD be included in tickets +that are not encrypted to the krbtgt account". However, the +implementation of krb5_kdc_verify_ticket() will require the ticket +signature to be present in case the target of the request is a service +principal. + +In gradual upgrade environments, it results in S4U2Proxy requests +against a 1.20 KDC using a service ticket generated by an older version +KDC to fail. + +This commit adds a krb5_kdc_verify_ticket_ext() function with an extra +switch parameter to tolerate the absence of ticket signature in this +scenario. If the ticket signature is present, it has to be valid, +regardless of this parameter. + +This parameter is set based on the "optional_pac_tkt_chksum" string +attribute of the TGT KDB entry. +--- + doc/admin/admin_commands/kadmin_local.rst | 6 ++++ + doc/appdev/refs/api/index.rst | 1 + + src/include/kdb.h | 1 + + src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++ + src/kdc/kdc_util.c | 32 ++++++++++++++---- + src/lib/krb5/krb/pac.c | 31 +++++++++++++++--- + src/lib/krb5/libkrb5.exports | 1 + + src/man/kadmin.man | 6 ++++ + 8 files changed, 108 insertions(+), 10 deletions(-) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 2435b3c361..58ac79549f 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -658,6 +658,12 @@ KDC: + Directory realm when using aes-sha2 keys on the local krbtgt + entry. + ++**optional_pac_tkt_chksum** ++ Boolean value defining the behavior of the KDC in case an expected ++ ticket checksum signed with one of this principal keys is not ++ present in the PAC. This is typically the case for TGS or ++ cross-realm TGS principals when processing S4U2Proxy requests. ++ + This command requires the **modify** privilege. + + Alias: **setstr** +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index d12be47c3c..9b95ebd0f9 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -225,6 +225,7 @@ Rarely used public interfaces + krb5_is_referral_realm.rst + krb5_kdc_sign_ticket.rst + krb5_kdc_verify_ticket.rst ++ krb5_kdc_verify_ticket_ext.rst + krb5_kt_add_entry.rst + krb5_kt_end_seq_get.rst + krb5_kt_get_entry.rst +diff --git a/src/include/kdb.h b/src/include/kdb.h +index 745b24f351..6075349e5e 100644 +--- a/src/include/kdb.h ++++ b/src/include/kdb.h +@@ -136,6 +136,7 @@ + #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" + #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" + #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" ++#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum" + + #if !defined(_WIN32) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 350bcf86f2..17e1b52266 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out); + ++/** ++ * Verify a PAC, possibly including ticket signature ++ * ++ * @param [in] context Library context ++ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC ++ * @param [in] server_princ Canonicalized name of ticket server ++ * @param [in] server Key to validate server checksum (or NULL) ++ * @param [in] privsvr Key to validate KDC checksum (or NULL) ++ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum ++ * @param [out] pac_out Verified PAC (NULL if no PAC included) ++ * ++ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a ++ * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC ++ * ticket signature. ++ * ++ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is ++ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and ++ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt ++ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If ++ * an invalid PAC signature is found, return an error matching the Windows KDC ++ * protocol code for that condition as closely as possible. ++ * ++ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return ++ * successfully. ++ * ++ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a ++ * specific value is expected, the caller can make a separate call to ++ * krb5_pac_verify_ext() with a principal but no keys. ++ * ++ * @retval 0 Success; otherwise - Kerberos error codes ++ */ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out); ++ + /** @deprecated Use krb5_kdc_sign_ticket() instead. */ + krb5_error_code KRB5_CALLCONV + krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index fe4e48209a..93415ba862 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -560,16 +560,36 @@ cleanup: + static krb5_error_code + try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_db_entry *server, krb5_keyblock *server_key, +- const krb5_keyblock *tgt_key, krb5_pac *pac_out) ++ krb5_db_entry *tgt, const krb5_keyblock *tgt_key, ++ krb5_pac *pac_out) + { + krb5_error_code ret; ++ krb5_boolean optional_tkt_chksum; ++ char *str = NULL; + krb5_keyblock *privsvr_key; + + ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key); + if (ret) + return ret; +- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key, +- privsvr_key, pac_out); ++ ++ /* Check if the absence of ticket signature is tolerated for this realm */ ++ ret = krb5_dbe_get_string(context, tgt, ++ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str); ++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not ++ * available here. ++ */ ++ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0 ++ || strncasecmp(str, "t", 1) == 0 ++ || strncasecmp(str, "yes", 3) == 0 ++ || strncasecmp(str, "y", 1) == 0 ++ || strncasecmp(str, "1", 1) == 0 ++ || strncasecmp(str, "on", 2) == 0); ++ ++ krb5_dbe_free_string(context, str); ++ ++ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ, ++ server_key, privsvr_key, ++ optional_tkt_chksum, pac_out); + krb5_free_keyblock(context, privsvr_key); + return ret; + } +@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + server_key, NULL, pac_out); + } + +- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key, ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key, + pac_out); + if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE) + return ret; +@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL); + if (ret) + return ret; +- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key, +- pac_out); ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, ++ &old_key, pac_out); + krb5_free_keyblock_contents(context, &old_key); + if (!ret) + return 0; +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 5d1fdf1ba0..0c0e2ada68 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_const_principal server_princ, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out) ++{ ++ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server, ++ privsvr, FALSE, pac_out); ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out) + { + krb5_error_code ret; + krb5_pac pac = NULL; +@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL; + uint8_t z = 0; + krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; +- krb5_boolean is_service_tkt; ++ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE; + size_t i, j; + + *pac_out = NULL; +@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + + ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr, + KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (!optional_tkt_chksum) ++ goto cleanup; ++ else if (ret != ENOENT) ++ goto cleanup; ++ /* Otherwise ticket signature is absent but optional. Proceed... */ ++ } else { ++ has_tkt_chksum = TRUE; ++ } + } ++ /* Else, we make the assumption the ticket signature is absent in case this ++ * is not a service ticket. ++ */ + +- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); ++ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr); + if (ret) + goto cleanup; + +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index 4c50e935a2..d4b0455c8c 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -463,6 +463,7 @@ krb5_is_thread_safe + krb5_kdc_rep_decrypt_proc + krb5_kdc_sign_ticket + krb5_kdc_verify_ticket ++krb5_kdc_verify_ticket_ext + krb5_kt_add_entry + krb5_kt_client_default + krb5_kt_close +diff --git a/src/man/kadmin.man b/src/man/kadmin.man +index c29638a227..1da1609cc8 100644 +--- a/src/man/kadmin.man ++++ b/src/man/kadmin.man +@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to + "aes256\-sha1" on the cross\-realm krbtgt entry for an Active + Directory realm when using aes\-sha2 keys on the local krbtgt + entry. ++.TP ++\fBoptional_pac_tkt_chksum\fP ++Boolean value defining the behavior of the KDC in case an expected ticket ++checksum signed with one of this principal keys is not present in the PAC. This ++is typically the case for TGS or cross-realm TGS principals when processing ++S4U2Proxy requests. + .UNINDENT + .sp + This command requires the \fBmodify\fP privilege. +-- +2.41.0 + diff --git a/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch new file mode 100644 index 0000000..0548dd0 --- /dev/null +++ b/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch @@ -0,0 +1,47 @@ +From fef5896463a50e94d3a68f59f7c78a6e943ac5ad Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 23 May 2023 12:19:54 +0200 +Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification + available in FIPS mode + +We recommend using the SHA1 crypto-module in order to allow the +verification of SHA-1 signature for CMS messages. However, this module +does not work in FIPS mode, because the SHA-1 algorithm is absent from +the OpenSSL FIPS provider. + +This commit enables the signature verification process to fetch the +algorithm from a non-FIPS OpenSSL provider. + +Support for SHA-1 CMS signature is still required, especially in order +to interoperate with Active Directory. At least it is until elliptic +curve cryptography is implemented for PKINIT in MIT krb5. +--- + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index f41328763e..263ef7845e 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context, + if (oid == NULL) + goto cleanup; + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ /* Do not use FIPS provider (even in FIPS mode) because it keeps from ++ * allowing SHA-1 signature verification using the SHA1 crypto-module ++ */ ++ cms = CMS_ContentInfo_new_ex(NULL, "-fips"); ++ if (!cms) ++ goto cleanup; ++#endif ++ + /* decode received CMS message */ +- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { ++ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) { + retval = oerr(context, 0, _("Failed to decode CMS message")); + goto cleanup; + } +-- +2.41.0 + diff --git a/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch b/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch new file mode 100644 index 0000000..e06f782 --- /dev/null +++ b/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch @@ -0,0 +1,217 @@ +From 906d3441b846ed09882490b6128db6fedf39e63b Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 30 May 2023 01:21:48 -0400 +Subject: [PATCH] Enable PKINIT if at least one group is available + +OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman +group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL +does not know about MODP group 2 (1024-bit), which is considered as a +custom group. As a consequence, the PKINIT kdcpreauth module fails to +load in FIPS mode. + +Allow initialization of PKINIT plugin if at least one of the MODP +well-known group parameters successfully decodes. + +[ghudson@mit.edu: minor commit message and code edits] + +ticket: 9096 (new) +--- + src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- + src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +- + .../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++-------- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + src/plugins/preauth/pkinit/pkinit_trace.h | 3 + + 5 files changed, 51 insertions(+), 35 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 725d5bc438..ea9ba454df 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context, + if (retval) + goto errout; + +- retval = pkinit_init_plg_crypto(&ctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 9fa315d7a0..8bdbea8e95 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data { + /* + * Functions to initialize and cleanup crypto contexts + */ +-krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *); ++krb5_error_code pkinit_init_plg_crypto(krb5_context, ++ pkinit_plg_crypto_context *); + void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); + + krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 263ef7845e..d646073d55 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -47,7 +47,8 @@ + static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context ); + static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ); + +-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context ); ++static krb5_error_code pkinit_init_dh_params(krb5_context, ++ pkinit_plg_crypto_context); + static void pkinit_fini_dh_params(pkinit_plg_crypto_context ); + + static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx); +@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx, + } + + krb5_error_code +-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) ++pkinit_init_plg_crypto(krb5_context context, ++ pkinit_plg_crypto_context *cryptoctx) + { + krb5_error_code retval = ENOMEM; + pkinit_plg_crypto_context ctx = NULL; +@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) + if (retval) + goto out; + +- retval = pkinit_init_dh_params(ctx); ++ retval = pkinit_init_dh_params(context, ctx); + if (retval) + goto out; + +@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) + ASN1_OBJECT_free(ctx->id_kp_serverAuth); + } + +-static krb5_error_code +-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx) ++static int ++try_import_group(krb5_context context, const krb5_data *params, ++ const char *name, EVP_PKEY **pkey_out) + { +- krb5_error_code retval = ENOMEM; +- +- plgctx->dh_1024 = decode_dh_params(&oakley_1024); +- if (plgctx->dh_1024 == NULL) +- goto cleanup; +- +- plgctx->dh_2048 = decode_dh_params(&oakley_2048); +- if (plgctx->dh_2048 == NULL) +- goto cleanup; ++ *pkey_out = decode_dh_params(params); ++ if (*pkey_out == NULL) ++ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name); ++ return (*pkey_out != NULL) ? 1 : 0; ++} + +- plgctx->dh_4096 = decode_dh_params(&oakley_4096); +- if (plgctx->dh_4096 == NULL) +- goto cleanup; ++static krb5_error_code ++pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx) ++{ ++ int n = 0; + +- retval = 0; ++ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)", ++ &plgctx->dh_1024); ++ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)", ++ &plgctx->dh_2048); ++ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)", ++ &plgctx->dh_4096); + +-cleanup: +- if (retval) ++ if (n == 0) { + pkinit_fini_dh_params(plgctx); ++ k5_setmsg(context, ENOMEM, ++ _("PKINIT cannot initialize any key exchange groups")); ++ return ENOMEM; ++ } + +- return retval; ++ return 0; + } + + static void +@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context, + + if (cryptoctx->received_params != NULL) + params = cryptoctx->received_params; +- else if (dh_size == 1024) ++ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024) + params = plg_cryptoctx->dh_1024; +- else if (dh_size == 2048) ++ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048) + params = plg_cryptoctx->dh_2048; +- else if (dh_size == 4096) ++ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096) + params = plg_cryptoctx->dh_4096; + else + goto cleanup; +@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context, + krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; + krb5_algorithm_identifier *alglist[4]; + +- if (opts->dh_min_bits > 4096) { +- ret = KRB5KRB_ERR_GENERIC; +- goto cleanup; +- } +- + i = 0; +- if (opts->dh_min_bits <= 2048) ++ if (plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048) + alglist[i++] = &alg_2048; +- alglist[i++] = &alg_4096; +- if (opts->dh_min_bits <= 1024) ++ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096) ++ alglist[i++] = &alg_4096; ++ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024) + alglist[i++] = &alg_1024; + alglist[i] = NULL; + ++ if (i == 0) { ++ ret = KRB5KRB_ERR_GENERIC; ++ k5_setmsg(context, ret, ++ _("OpenSSL has no supported key exchange groups for " ++ "pkinit_dh_min_bits=%d"), opts->dh_min_bits); ++ goto cleanup; ++ } ++ + ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist); + if (ret) + goto cleanup; +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 1b3bf6d4d0..768a4e559f 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname, + goto errout; + plgctx->realmname_len = strlen(plgctx->realmname); + +- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 259e95c6c2..5ee39c085c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -90,6 +90,9 @@ + #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \ + TRACE(c, "PKINIT client trying again with KDC-provided parameters") + ++#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \ ++ TRACE(c, "PKINIT key exchange group {str} unsupported", name) ++ + #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ + TRACE(c, "PKINIT OpenSSL error: {str}", msg) + +-- +2.41.0 + diff --git a/SOURCES/0015-Fix-double-free-in-KDC-TGS-processing.patch b/SOURCES/0015-Fix-double-free-in-KDC-TGS-processing.patch new file mode 100644 index 0000000..055ea0e --- /dev/null +++ b/SOURCES/0015-Fix-double-free-in-KDC-TGS-processing.patch @@ -0,0 +1,48 @@ +From 137e424f7ae7c054e1dcb41c929a961bb021ed8b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 4 Aug 2023 09:54:06 +0200 +Subject: [PATCH] Fix double-free in KDC TGS processing + +When issuing a ticket for a TGS renew or validate request, copy only +the server field from the outer part of the header ticket to the new +ticket. Copying the whole structure causes the enc_part pointer to be +aliased to the header ticket until krb5_encrypt_tkt_part() is called, +resulting in a double-free if handle_authdata() fails. + +[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather +than check for aliasing before freeing; rewrote commit message] + +CVE-2023-39975: + +In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to +free the same pointer twice if it can induce a failure in +authorization data handling. + +ticket: 9101 (new) +tags: pullup +target_version: 1.21-next + +(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840) +--- + src/kdc/do_tgs_req.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 6e4c8fa9f3..0acc45850f 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t, + } + + if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) { +- /* Copy the whole header ticket except for authorization data. */ +- ticket_reply = *t->header_tkt; ++ /* Copy the header ticket server and all enc-part fields except for ++ * authorization data. */ ++ ticket_reply.server = t->header_tkt->server; + enc_tkt_reply = *t->header_tkt->enc_part2; + enc_tkt_reply.authorization_data = NULL; + } else { +-- +2.41.0 + diff --git a/SOURCES/0016-Add-PAC-full-checksums.patch b/SOURCES/0016-Add-PAC-full-checksums.patch deleted file mode 100644 index fe4edbf..0000000 --- a/SOURCES/0016-Add-PAC-full-checksums.patch +++ /dev/null @@ -1,672 +0,0 @@ -From f09300d9a9988215263775ac122b7ea2898d04db Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 22 Dec 2022 03:05:23 -0500 -Subject: [PATCH] Add PAC full checksums - -A paper by Tom Tervoort noted that computing the PAC privsvr checksum -over only the server checksum is vulnerable to collision attacks -(CVE-2022-37967). In response, Microsoft has added a second KDC -checksum over the full contents of the PAC. Generate and verify full -KDC checksums in PACs for service tickets. Update the t_pac.c ticket -test case to use a ticket issued by a recent version of Active -Directory (provided by Stefan Metzmacher). - -ticket: 9084 (new) ---- - doc/appdev/refs/macros/index.rst | 1 + - src/include/krb5/krb5.hin | 1 + - src/lib/krb5/krb/pac.c | 92 +++++++++-------- - src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++----------- - src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++------------- - src/tests/t_authdata.py | 4 +- - 6 files changed, 240 insertions(+), 175 deletions(-) - -diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 5f34dea5e8..3eeee25593 100644 ---- a/doc/appdev/refs/macros/index.rst -+++ b/doc/appdev/refs/macros/index.rst -@@ -247,6 +247,7 @@ Public - KRB5_PAC_SERVER_CHECKSUM.rst - KRB5_PAC_TICKET_CHECKSUM.rst - KRB5_PAC_UPN_DNS_INFO.rst -+ KRB5_PAC_FULL_CHECKSUM.rst - KRB5_PADATA_AFS3_SALT.rst - KRB5_PADATA_AP_REQ.rst - KRB5_PADATA_AS_CHECKSUM.rst -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index fb9f2a366c..2ba4010514 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context, - #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ - #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ - #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ -+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */ - - struct krb5_pac_data; - /** PAC data structure to convey authorization information */ -diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c -index f6c4373de0..954482e0c7 100644 ---- a/src/lib/krb5/krb/pac.c -+++ b/src/lib/krb5/krb/pac.c -@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type, - size_t i; - - assert(type == KRB5_PAC_SERVER_CHECKSUM || -- type == KRB5_PAC_PRIVSVR_CHECKSUM); -+ type == KRB5_PAC_PRIVSVR_CHECKSUM || -+ type == KRB5_PAC_FULL_CHECKSUM); - assert(data->length >= pac->data.length); - - for (i = 0; i < pac->pac->cBuffers; i++) { -@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type, - } - - static krb5_error_code --verify_server_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *server) -+verify_pac_checksums(krb5_context context, const krb5_pac pac, -+ krb5_boolean expect_full_checksum, -+ const krb5_keyblock *server, const krb5_keyblock *privsvr) - { - krb5_error_code ret; -- krb5_data copy; /* PAC with zeroed checksums */ -+ krb5_data copy, server_checksum; - -+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */ - ret = krb5int_copy_data_contents(context, &pac->data, ©); - if (ret) - return ret; -- -- /* Zero out both checksum buffers */ - ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©); - if (ret) - goto cleanup; -@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac, - if (ret) - goto cleanup; - -- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (server != NULL) { -+ /* Verify the server checksum over the PAC copy. */ -+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ } - --cleanup: -- free(copy.data); -- return ret; --} -+ if (privsvr != NULL && expect_full_checksum) { -+ /* Zero the full checksum buffer in the copy and verify the full -+ * checksum over the copy with all three checksums zeroed. */ -+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©); -+ if (ret) -+ goto cleanup; -+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (ret) -+ goto cleanup; -+ } - --static krb5_error_code --verify_kdc_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *privsvr) --{ -- krb5_error_code ret; -- krb5_data server_checksum; -+ if (privsvr != NULL) { -+ /* Verify the privsvr checksum over the server checksum. */ -+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ &server_checksum); -+ if (ret) -+ return ret; -+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -+ return KRB5_BAD_MSIZE; -+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; - -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_checksum); -- if (ret) -- return ret; -- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -- return KRB5_BAD_MSIZE; -- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; -+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+ if (ret) -+ goto cleanup; -+ } -+ -+ pac->verified = TRUE; - -- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+cleanup: -+ free(copy.data); -+ return ret; - } - - /* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals -@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL; - uint8_t z = 0; - krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; -+ krb5_boolean is_service_tkt; - size_t i, j; - - *pac_out = NULL; -@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - if (ret) - goto cleanup; - -- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (privsvr != NULL && is_service_tkt) { - /* To check the PAC ticket signatures, re-encode the ticket with the - * PAC contents replaced by a single zero. */ - orig = ifrel[j]; -@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL, -- server, privsvr, FALSE); -+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); -+ if (ret) -+ goto cleanup; - - *pac_out = pac; - pac = NULL; -@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context, - { - krb5_error_code ret; - -- if (server != NULL) { -- ret = verify_server_checksum(context, pac, server); -- if (ret != 0) -- return ret; -- } -- -- if (privsvr != NULL) { -- ret = verify_kdc_checksum(context, pac, privsvr); -+ if (server != NULL || privsvr != NULL) { -+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr); - if (ret != 0) - return ret; - } -@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context, - return ret; - } - -- pac->verified = TRUE; -- - return 0; - } - -diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c -index 0f9581abbb..8ea61ac17b 100644 ---- a/src/lib/krb5/krb/pac_sign.c -+++ b/src/lib/krb5/krb/pac_sign.c -@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) - return 0; - } - --krb5_error_code KRB5_CALLCONV --krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_data *data) -+/* Find the buffer of type buftype in pac and write within it a checksum of -+ * type cksumtype over data. Set *cksum_out to the checksum. */ -+static krb5_error_code -+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype, -+ const krb5_keyblock *key, krb5_cksumtype cksumtype, -+ const krb5_data *data, krb5_data *cksum_out) - { -- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key, -- privsvr_key, FALSE, data); -+ krb5_error_code ret; -+ krb5_data buf; -+ krb5_crypto_iov iov[2]; -+ -+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf); -+ if (ret) -+ return ret; -+ -+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH); -+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH, -+ buf.length - PAC_SIGNATURE_DATA_LENGTH); -+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[0].data = *data; -+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -+ iov[1].data = *cksum_out; -+ return krb5_c_make_checksum_iov(context, cksumtype, key, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2); - } - --krb5_error_code KRB5_CALLCONV --krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, -- const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -- krb5_data *data) -+static krb5_error_code -+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_boolean is_service_tkt, krb5_data *data) - { - krb5_error_code ret; -- krb5_data server_cksum, privsvr_cksum; -+ krb5_data full_cksum, server_cksum, privsvr_cksum; - krb5_cksumtype server_cksumtype, privsvr_cksumtype; -- krb5_crypto_iov iov[2]; - - data->length = 0; - data->data = NULL; -@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - if (principal != NULL) { - ret = k5_insert_client_info(context, pac, authtime, principal, - with_realm); -- if (ret != 0) -+ if (ret) - return ret; - } - -- /* Create zeroed buffers for both checksums */ -+ /* Create zeroed buffers for all checksums. */ - ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, - server_key, &server_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -- - ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, - privsvr_key, &privsvr_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -+ if (is_service_tkt) { -+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, &privsvr_cksumtype); -+ if (ret) -+ return ret; -+ } - -- /* Now, encode the PAC header so that the checksums will include it */ -+ /* Encode the PAC header so that the checksums will include it. */ - ret = k5_pac_encode_header(context, pac); -- if (ret != 0) -- return ret; -- -- /* Generate the server checksum over the entire PAC */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_cksum); -- if (ret != 0) -+ if (ret) - return ret; - -- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data = pac->data; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -+ if (is_service_tkt) { -+ /* Generate a full KDC checksum over the whole PAC. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, -+ &pac->data, &full_cksum); -+ if (ret) -+ return ret; -+ } - -- ret = krb5_c_make_checksum_iov(context, server_cksumtype, -- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ /* Generate the server checksum over the whole PAC, including the full KDC -+ * checksum if we added one. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ server_key, server_cksumtype, &pac->data, -+ &server_cksum); -+ if (ret) - return ret; - -- /* Generate the privsvr checksum over the server checksum buffer */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ /* Generate the privsvr checksum over the server checksum buffer. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, &server_cksum, - &privsvr_cksum); -- if (ret != 0) -- return ret; -- -- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype, -- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ if (ret) - return ret; - - data->data = k5memdup(pac->data.data, pac->data.length, &ret); -@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - return 0; - } - -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, -+ privsvr_key, FALSE, FALSE, data); -+} -+ -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, -+ const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key, -+ with_realm, FALSE, data); -+} -+ - /* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be - * encoded with a dummy PAC authdata element containing a single zero byte. */ - static krb5_error_code -@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - krb5_error_code ret; - krb5_data *der_enc_tkt = NULL, pac_data = empty_data(); - krb5_authdata **list, *pac_ad; -+ krb5_boolean is_service_tkt; - size_t count; - - /* Reallocate space for another authdata element in enc_tkt. */ -@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - memmove(list + 1, list, (count + 1) * sizeof(*list)); - list[0] = pac_ad; - -- if (k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (is_service_tkt) { - ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt); - if (ret) - goto cleanup; -@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime, -- client_princ, server, privsvr, with_realm, -- &pac_data); -+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server, -+ privsvr, with_realm, is_service_tkt, &pac_data); - if (ret) - goto cleanup; - -diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c -index 173bde7bab..81f1642ab0 100644 ---- a/src/lib/krb5/krb/t_pac.c -+++ b/src/lib/krb5/krb/t_pac.c -@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata, - - static const krb5_keyblock ticket_sig_krbtgt_key = { - 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84" -- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7") -+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E" -+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F") - }; - - static const krb5_keyblock ticket_sig_server_key = { -- 0, ENCTYPE_ARCFOUR_HMAC, -- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e") -+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1" -+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE") - }; - -+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing -+ * a PAC with a full checksum. */ - static const krb5_data ticket_data = { -- .length = 972, .data = -- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B" -- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02" -- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82" -- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C" -- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77" -- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08" -- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F" -- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1" -- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65" -- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC" -- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7" -- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4" -- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5" -- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6" -- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06" -- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02" -- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49" -- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD" -- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE" -- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26" -- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D" -- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29" -- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD" -- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52" -- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28" -- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20" -- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28" -- "\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39" -- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB" -- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A" -- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E" -- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86" -- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C" -- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A" -- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF" -- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B" -- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87" -- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E" -- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2" -- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6" -- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC" -- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE" -- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9" -- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77" -- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA" -- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7" -- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB" -- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22" -- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F" -- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39" -- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1" -- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D" -- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3" -- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3" -- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A" -- "\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D" -- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB" -- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20" -- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5" -- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B" -- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1" -+ .length = 1307, .data = -+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B" -+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A" -+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66" -+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30" -+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82" -+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB" -+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69" -+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5" -+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99" -+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC" -+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9" -+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68" -+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14" -+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA" -+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8" -+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83" -+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E" -+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED" -+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96" -+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32" -+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED" -+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B" -+ "\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA" -+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F" -+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98" -+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05" -+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E" -+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8" -+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7" -+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96" -+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC" -+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11" -+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94" -+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89" -+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7" -+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE" -+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D" -+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29" -+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4" -+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8" -+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55" -+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54" -+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F" -+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1" -+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B" -+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2" -+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22" -+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1" -+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B" -+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE" -+ "\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A" -+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4" -+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B" -+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1" -+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1" -+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95" -+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8" -+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6" -+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56" -+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30" -+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38" -+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15" -+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08" -+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA" -+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65" -+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40" -+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29" -+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E" -+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26" -+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C" -+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01" -+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85" -+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10" -+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70" -+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44" -+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA" -+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24" -+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B" -+ "\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B" -+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A" -+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09" -+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6" - }; - - static void -@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context) - { - krb5_error_code ret; - krb5_ticket *ticket; -- krb5_principal sprinc; -+ krb5_principal cprinc, sprinc; - krb5_authdata **authdata1, **authdata2; - krb5_pac pac, pac2, pac3; - uint32_t *list; -@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context) - if (ret) - err(context, ret, "while decrypting ticket"); - -- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc); -+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc); -+ if (ret) -+ err(context, ret, "krb5_parse_name"); -+ -+ ret = krb5_parse_name(context, -+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE", -+ &sprinc); - if (ret) - err(context, ret, "krb5_parse_name"); - -@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context) - - /* In this test, the server is also the client. */ - ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime, -- ticket->server, NULL, NULL); -+ cprinc, NULL, NULL); - if (ret) - err(context, ret, "while verifying PAC client info"); - -@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context) - ticket->enc_part2->authorization_data = NULL; - - ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc, -- sprinc, &ticket_sig_server_key, -+ cprinc, &ticket_sig_server_key, - &ticket_sig_krbtgt_key, FALSE); - if (ret) - err(context, ret, "while signing ticket"); -@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context) - krb5_pac_free(context, pac); - krb5_pac_free(context, pac2); - krb5_pac_free(context, pac3); -+ krb5_free_principal(context, cprinc); - krb5_free_principal(context, sprinc); - krb5_free_ticket(context, ticket); - } -diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 47ea9e4b47..e934799268 100644 ---- a/src/tests/t_authdata.py -+++ b/src/tests/t_authdata.py -@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf) - # container. - mark('baseline authdata') - out = realm.run(['./adata', realm.host_princ]) --if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out: -+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out: - fail('expected authdata not seen for basic request') - - # Requested authdata is copied into the ticket, with KDC-only types -@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2']) - if '+97: [indcl]' not in out or '[inds1]' in out: - fail('correct auth-indicator not seen for S4U2Proxy req') - # Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included. --if '?128: [1, 6, 7, 10, 11, 16]' not in out: -+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out: - fail('PAC with delegation info not seen for S4U2Proxy req') - - # Get another S4U2Proxy ticket including request-authdata. --- -2.39.1 - diff --git a/SOURCES/0017-Fix-possible-double-free-during-KDB-creation.patch b/SOURCES/0017-Fix-possible-double-free-during-KDB-creation.patch deleted file mode 100644 index 59b6c48..0000000 --- a/SOURCES/0017-Fix-possible-double-free-during-KDB-creation.patch +++ /dev/null @@ -1,45 +0,0 @@ -From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 1 Feb 2023 15:57:26 +0100 -Subject: [PATCH] Fix possible double-free during KDB creation - -In krb5_dbe_def_encrypt_key_data(), when we free -key_data->key_data_contents[0], reset it to null so the caller doesn't -free it as well. - -Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug -manifests as a double-free during KDB creation if master key -encryption fails. - -[ghudson@mit.edu: edited commit message] - -ticket: 9086 (new) -tags: pullup -target_version: 1.20-next ---- - src/lib/kdb/encrypt_key.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c -index dc612c810e..91debea533 100644 ---- a/src/lib/kdb/encrypt_key.c -+++ b/src/lib/kdb/encrypt_key.c -@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context, - if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0, - &plain, &cipher))) { - free(key_data->key_data_contents[0]); -+ key_data->key_data_contents[0] = NULL; - return retval; - } - -@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context, - key_data->key_data_contents[1] = malloc(keysalt->data.length); - if (key_data->key_data_contents[1] == NULL) { - free(key_data->key_data_contents[0]); -+ key_data->key_data_contents[0] = NULL; - return ENOMEM; - } - memcpy(key_data->key_data_contents[1], keysalt->data.data, --- -2.39.1 - diff --git a/SOURCES/0018-Fix-meridian-type-in-kadmin-datetime-parser.patch b/SOURCES/0018-Fix-meridian-type-in-kadmin-datetime-parser.patch deleted file mode 100644 index 2973380..0000000 --- a/SOURCES/0018-Fix-meridian-type-in-kadmin-datetime-parser.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 604fce63b468d0efce4438df4ba0286f00bfce8d Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 21 Feb 2023 10:03:35 +0100 -Subject: [PATCH] Fix meridian type in kadmin datetime parser - -The meridian suffix is typed as "Number" in kadmin YACC file for -datetime parsing, while it should be using the "Meridian" enumeration -one. - -This results in invalid Meridian value on 64-bit IBM zSystems (s390x), -causing core dumped errors on most kadmin commands where meridian -suffices are used. - -Upstream PR: -https://github.com/krb5/krb5/pull/1290 ---- - src/kadmin/cli/getdate.y | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y -index b9dceec1ee..d14cf963c5 100644 ---- a/src/kadmin/cli/getdate.y -+++ b/src/kadmin/cli/getdate.y -@@ -181,7 +181,8 @@ static time_t yyRelSeconds; - - %token tAGO tID tDST tNEVER - %token tDAY tDAYZONE tMINUTE_UNIT tMONTH tMONTH_UNIT --%token tSEC_UNIT tSNUMBER tUNUMBER tZONE tMERIDIAN -+%token tSEC_UNIT tSNUMBER tUNUMBER tZONE -+%token tMERIDIAN - %type o_merid - - %% --- -2.39.1 - diff --git a/SOURCES/krb5-1.20.1.tar.gz.asc b/SOURCES/krb5-1.20.1.tar.gz.asc deleted file mode 100644 index b928cb8..0000000 --- a/SOURCES/krb5-1.20.1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D -ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc -UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg -jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn -6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK -0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/ -YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL -SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR -jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R -Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH -CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m -twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU= -=1WIq ------END PGP SIGNATURE----- diff --git a/SOURCES/krb5-1.21.1.tar.gz.asc b/SOURCES/krb5-1.21.1.tar.gz.asc new file mode 100644 index 0000000..e137e35 --- /dev/null +++ b/SOURCES/krb5-1.21.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D +ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g +qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8 +M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN +H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv +s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3 +OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6 +RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV +piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J ++i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX +tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ +7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE= +=AIvQ +-----END PGP SIGNATURE----- diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 316ee71..dc886a0 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -34,7 +34,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 8 +%global baserelease 1 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -46,7 +46,7 @@ %endif %global krb5_version_major 1 -%global krb5_version_minor 20 +%global krb5_version_minor 21 # For a release without a patch number set to %%nil %global krb5_version_patch 1 @@ -83,24 +83,21 @@ Source12: krb5kdc.logrotate Source13: kadmind.logrotate Source14: krb5-krb5kdc.conf -Patch01: 0001-downstream-ksu-pam-integration.patch -Patch02: 0002-downstream-SELinux-integration.patch -Patch03: 0003-downstream-fix-debuginfo-with-y.tab.c.patch -Patch04: 0004-downstream-Remove-3des-support.patch -Patch05: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch06: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch -Patch07: 0007-Add-configure-variable-for-default-PKCS-11-module.patch -Patch08: 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch -Patch09: 0009-Simplify-plugin-loading-code.patch -Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch -Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch -Patch12: 0012-Add-and-use-ts_interval-helper.patch -Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch -Patch14: 0014-downstream-Do-not-set-root-as-ksu-file-owner.patch -Patch15: 0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch -Patch16: 0016-Add-PAC-full-checksums.patch -Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch -Patch18: 0018-Fix-meridian-type-in-kadmin-datetime-parser.patch +Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch +Patch0002: 0002-downstream-ksu-pam-integration.patch +Patch0003: 0003-downstream-SELinux-integration.patch +Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch +Patch0005: 0005-downstream-Remove-3des-support.patch +Patch0006: 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch0007: 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +Patch0008: 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +Patch0009: 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch +Patch0010: 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch +Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch +Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch +Patch0015: 0015-Fix-double-free-in-KDC-TGS-processing.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -665,73 +662,87 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Aug 08 2023 Julien Rische - 1.21.1-1 +- New upstream version (1.21.1) +- Fix double-free in KDC TGS processing (CVE-2023-39975) +- Add support for "pac_privsvr_enctype" KDB string attribute + Resolves: rhbz#2060421 + +* Thu Jun 08 2023 Julien Rische - 1.20.1-9 +- Do not disable PKINIT if some of the well-known DH groups are unavailable + Resolves: rhbz#2187722 +- Make PKINIT CMS SHA-1 signature verification available in FIPS mode + Resolves: rhbz#2155607 +- Allow to set PAC ticket signature as optional + Resolves: rhbz#2178298 + * Fri Apr 14 2023 MSVSphere Packaging Team - 1.20.1-8 - Rebuilt for MSVSphere 9.2 beta * Wed Feb 22 2023 Julien Rische - 1.20.1-8 - Fix datetime parsing in kadmin on s390x -- Resolves: rhbz#2169985 + Resolves: rhbz#2169985 * Tue Feb 14 2023 Julien Rische - 1.20.1-7 - Fix double free on kdb5_util key creation failure -- Resolves: rhbz#2166603 + Resolves: rhbz#2166603 * Tue Jan 31 2023 Julien Rische - 1.20.1-6 - Add support for MS-PAC extended KDC signature (CVE-2022-37967) -- Resolves: rhbz#2165827 + Resolves: rhbz#2165827 * Thu Jan 19 2023 Julien Rische - 1.20.1-5 - Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled - Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode -- Resolves: rhbz#2162461 + Resolves: rhbz#2162461 * Thu Jan 12 2023 Julien Rische - 1.20.1-4 - Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf - Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf -- Resolves: rhbz#2068535 + Resolves: rhbz#2068535 * Tue Jan 10 2023 Julien Rische - 1.20.1-2 - Strip debugging data from ksu executable file -- Resolves: rhbz#2159643 + Resolves: rhbz#2159643 * Wed Dec 07 2022 Julien Rische - 1.20.1-1 - Make tests compatible with sssd-client -- Resolves: rhbz#2151513 + Resolves: rhbz#2151513 - Remove invalid password expiry warning -- Resolves: rhbz#2121099 + Resolves: rhbz#2121099 - Update error checking for OpenSSL CMS_verify -- Resolves: rhbz#2063838 + Resolves: rhbz#2063838 - New upstream version (1.20.1) -- Resolves: rhbz#2016312 + Resolves: rhbz#2016312 - Fix integer overflows in PAC parsing (CVE-2022-42898) -- Resolves: rhbz#2140971 + Resolves: rhbz#2140971 * Tue Oct 18 2022 Julien Rische - 1.19.1-23 - Fix kprop for propagating dump files larger than 4GB -- Resolves: rhbz#2133014 + Resolves: rhbz#2133014 * Fri Jul 08 2022 Julien Rische - 1.19.1-22 - Restore "supportedCMSTypes" attribute in PKINIT preauth requests - Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms -- Resolves: rhbz#2068935 + Resolves: rhbz#2068935 * Thu Jun 23 2022 Julien Rische - 1.19.1-21 - Fix libkrad client cleanup - Allow use of larger RADIUS attributes in krad library -- Resolves: rhbz#2100351 + Resolves: rhbz#2100351 * Thu May 12 2022 Julien Rische - 1.19.1-20 - Fix OpenSSL 3 MD5 encyption in FIPS mode - Allow libkrad UDP/TCP connection to localhost in FIPS mode -- Resolves: rhbz#2068458 + Resolves: rhbz#2068458 * Mon May 02 2022 Julien Rische - 1.19.1-19 - Use p11-kit as default PKCS11 module -- Resolves: rhbz#2030981 + Resolves: rhbz#2030981 * Tue Apr 26 2022 Julien Rische - 1.19.1-18 - Try harder to avoid password change replay errors -- Resolves: rhbz#2075186 + Resolves: rhbz#2075186 * Mon Mar 14 2022 Julien Rische - 1.19.1-15 - Use SHA-256 instead of SHA-1 for PKINIT CMS digest @@ -742,11 +753,11 @@ exit 0 * Fri Dec 17 2021 Antonio Torres - 1.19.1-13 - Remove -specs= from krb5-config output -- Resolves #1997021 +- Resolves rhbz#1997021 * Wed Oct 20 2021 Antonio Torres - 1.19.1-12 - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) -- Resolves: #1997602 + Resolves: rhbz#1997602 * Mon Aug 09 2021 Mohan Boddu - 1.19.1-11.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags @@ -754,39 +765,39 @@ exit 0 * Tue Jul 20 2021 Robbie Harwood - 1.19.1-11 - Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) -- Resolves: #1983733 + Resolves: rhbz#1983733 * Wed Jul 14 2021 Robbie Harwood - 1.19.1-10 - Update OpenSSL 3 provider handling to clean up properly -- Resolves: #1955873 + Resolves: rhbz#1955873 * Mon Jun 21 2021 Robbie Harwood - 1.19.1-9 - Sync openssl3 patches with upstream -- Resolves: #1955873 + Resolves: rhbz#1955873 * Thu Jun 17 2021 Robbie Harwood - 1.19.1-8 - Rebuild for rpminspect and mass rebuild cleanup; no code changes -- Resolves: #1967505 + Resolves: rhbz#1967505 * Thu Jun 17 2021 Robbie Harwood - 1.19.1-7 - Fix several fallback canonicalization problems -- Resolves: #1967505 + Resolves: rhbz#1967505 * Tue Jun 15 2021 Mohan Boddu - 1.19.1-6.1 - Rebuilt for RHEL 9 BETA for openssl 3.0 -- Resolves: rhbz#1971065 + Resolves: rhbz#1971065 * Thu Jun 10 2021 Robbie Harwood - 1.19.1-6 - Backport KCM retrieval fixes -- Resolves: #1956403 + Resolves: rhbz#1956403 * Thu May 20 2021 Robbie Harwood - 1.19.1-5 - Fix DES3 mention in KDFs -- Resolves: #1955873 + Resolves: rhbz#1955873 * Wed May 19 2021 Robbie Harwood - 1.19.1-4 - Port to OpenSSL 3 (alpha 15) -- Resolves: #1955873 + Resolves: rhbz#1955873 * Fri Apr 16 2021 Mohan Boddu - 1.19.1-3.1 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 @@ -851,7 +862,7 @@ exit 0 * Tue Nov 17 2020 Robbie Harwood - 1.18.2-30 - Migrate /var/run to /run, an exercise in pointlessness -- Resolves: #1898410 + Resolves: rhbz#1898410 * Thu Nov 05 2020 Robbie Harwood - 1.18.2-29 - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) @@ -863,7 +874,7 @@ exit 0 - Fix build of previous * Wed Oct 21 2020 Robbie Harwood - 1.18.2-26 -- Cross-realm s4u fixes for samba (#1836630) +- Cross-realm s4u fixes for samba (rhbz#1836630) * Thu Oct 15 2020 Robbie Harwood - 1.18.2-25 - Unify kvno option documentation @@ -873,14 +884,14 @@ exit 0 * Thu Sep 10 2020 Robbie Harwood - 1.18.2-23 - Use `systemctl reload` to HUP the KDC during logrotate -- Resolves: #1877692 + Resolves: rhbz#1877692 * Wed Sep 09 2020 Robbie Harwood - 1.18.2-22 - Fix input length checking in SPNEGO DER decoding * Fri Aug 28 2020 Robbie Harwood - 1.18.2-21 - Mark crypto-polices snippet as missingok -- Resolves: #1868379 + Resolves: rhbz#1868379 * Thu Aug 13 2020 Robbie Harwood - 1.18.2-20 - Temporarily dns_canonicalize_hostname=fallback changes @@ -897,7 +908,7 @@ exit 0 * Mon Aug 03 2020 Robbie Harwood - 1.18.2-16 - Disable tests on s390x -- Resolves: #1863952 + Resolves: rhbz#1863952 * Sat Aug 01 2020 Fedora Release Engineering - 1.18.2-15 - Second attempt - Rebuilt for @@ -918,7 +929,7 @@ exit 0 * Wed Jul 08 2020 Robbie Harwood - 1.18.2-10 - Set qualify_shortname empty in default configuration -- Resolves: #1852041 + Resolves: rhbz#1852041 * Mon Jun 15 2020 Robbie Harwood - 1.18.2-9 - Use two queues for concurrent t_otp.py daemons @@ -1092,7 +1103,7 @@ exit 0 * Mon Jul 15 2019 Robbie Harwood - 1.17-35 - Don't error on invalid enctypes in keytab -- Resolves: #1724380 + Resolves: rhbz#1724380 * Tue Jul 02 2019 Robbie Harwood - 1.17-34 - Remove now-unused checksum functions @@ -1177,7 +1188,7 @@ exit 0 * Thu Apr 11 2019 Robbie Harwood - 1.17-8 - Implement krb5_cc_remove_cred for remaining types -- Resolves: #1693836 + Resolves: rhbz#1693836 * Mon Apr 01 2019 Robbie Harwood - 1.17-7 - FIPS-aware SPAKE group negotiation @@ -1212,7 +1223,7 @@ exit 0 * Mon Dec 17 2018 Robbie Harwood - 1.17-1.beta2.2 - Restore pdfs source file -- Resolves: #1659716 + Resolves: rhbz#1659716 * Thu Dec 06 2018 Robbie Harwood - 1.17-1.beta2.1 - New upstream release (1.17-beta2) @@ -1226,26 +1237,26 @@ exit 0 * Thu Nov 08 2018 Robbie Harwood - 1.17-1.beta1.1 - Fix spurious errors from kcmio_unix_socket_write -- Resolves: #1645912 + Resolves: rhbz#1645912 * Thu Nov 01 2018 Robbie Harwood - 1.17-0.beta1.1 - New upstream beta release * Wed Oct 24 2018 Robbie Harwood - 1.16.1-25 - Update man pages to reference kerberos(7) -- Resolves: #1143767 + Resolves: rhbz#1143767 * Wed Oct 17 2018 Robbie Harwood - 1.16.1-24 - Use port-sockets.h macros in cc_kcm, sendto_kdc -- Resolves: #1631998 + Resolves: rhbz#1631998 * Wed Oct 17 2018 Robbie Harwood - 1.16.1-23 - Correct kpasswd_server description in krb5.conf(5) -- Resolves: #1640272 + Resolves: rhbz#1640272 * Mon Oct 15 2018 Robbie Harwood - 1.16.1-22 - Prefer TCP to UDP for password changes -- Resolves: #1637611 + Resolves: rhbz#1637611 * Tue Oct 09 2018 Adam Williamson - 1.16.1-21 - Revert the patch from -20 for now as it seems to make FreeIPA worse @@ -1294,18 +1305,18 @@ exit 0 * Thu Jun 14 2018 Robbie Harwood - 1.16.1-6 - Switch to python3-sphinx for docs -- Resolves: #1590928 + Resolves: rhbz#1590928 * Thu Jun 14 2018 Robbie Harwood - 1.16.1-5 - Make docs build python3-compatible -- Resolves: #1590928 + Resolves: rhbz#1590928 * Thu Jun 07 2018 Robbie Harwood - 1.16.1-4 - Update includedir processing to match upstream * Fri Jun 01 2018 Robbie Harwood - 1.16.1-3 - Log when non-root ksu authorization fails -- Resolves: #1575771 + Resolves: rhbz#1575771 * Fri May 04 2018 Robbie Harwood - 1.16.1-2 - Remove "-nodes" option from make-certs scripts @@ -1327,7 +1338,7 @@ exit 0 * Mon Apr 23 2018 Robbie Harwood - 1.16-23 - Explicitly use openssl rather than builtin crypto -- Resolves: #1570910 + Resolves: rhbz#1570910 * Tue Apr 17 2018 Robbie Harwood - 1.16-22 - Merge duplicate subsections in profile library @@ -1377,7 +1388,7 @@ exit 0 * Wed Mar 07 2018 Robbie Harwood - 1.16-8 - Fix capaths "." values on client -- Resolves: 1551099 + Resolves: 1551099 * Tue Feb 13 2018 Robbie Harwood - 1.16-7 - Fix flaws in LDAP DN checking @@ -1386,7 +1397,7 @@ exit 0 * Mon Feb 12 2018 Robbie Harwood - 1.16-6 - Fix a leak in the previous commit - Restore dist macro that was accidentally removed -- Resolves: #1540939 + Resolves: rhbz#1540939 * Wed Feb 07 2018 Fedora Release Engineering - 1.16-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -1399,7 +1410,7 @@ exit 0 * Tue Dec 12 2017 Robbie Harwood - 1.16-2 - Fix network service dependencies -- Resolves: #1525230 + Resolves: rhbz#1525230 * Wed Dec 06 2017 Robbie Harwood - 1.16-1 - New upstream release (1.16) @@ -1429,12 +1440,12 @@ exit 0 * Wed Sep 06 2017 Robbie Harwood - 1.15.1-28 - Save other programs from worrying about CVE-2017-11462 -- Resolves: #1488873 -- Resolves: #1488874 + Resolves: rhbz#1488873 + Resolves: rhbz#1488874 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-27 - Add hostname-based ccselect module -- Resolves: #1463665 + Resolves: rhbz#1463665 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-26 - Backport upstream certauth EKU fixes @@ -1477,15 +1488,15 @@ exit 0 * Mon Jun 26 2017 Robbie Harwood - 1.15.1-13 - Fix arch name (ppc64le, not ppc64el) -- Related-to: #1464381 +- Related-to: rhbz#1464381 * Mon Jun 26 2017 Robbie Harwood - 1.15.1-12 - Skip test suite on ppc64el -- Related-to: #1464381 +- Related-to: rhbz#1464381 * Fri Jun 23 2017 Robbie Harwood - 1.15.1-11 - Include more test suite changes from upstream -- Resolves: #1464381 + Resolves: rhbz#1464381 * Wed Jun 07 2017 Robbie Harwood - 1.15.1-10 - Fix custom build with -DDEBUG @@ -1501,12 +1512,12 @@ exit 0 * Thu Apr 13 2017 Robbie Harwood - 1.15.1-6 - Include fixes for previous commit -- Resolves: #1433083 + Resolves: rhbz#1433083 * Thu Apr 13 2017 Robbie Harwood - 1.15.1-5 - Automatically add includedir where not present - Try removing sleep statement to see if it is still needed -- Resolves: #1433083 + Resolves: rhbz#1433083 * Fri Apr 07 2017 Robbie Harwood - 1.15.1-4 - Fix use of enterprise principals with forwarding @@ -1516,7 +1527,7 @@ exit 0 * Tue Mar 07 2017 Robbie Harwood - 1.15.1-2 - Remove duplication between subpackages -- Resolves: #1250228 + Resolves: rhbz#1250228 * Fri Mar 03 2017 Robbie Harwood - 1.15.1-1 - New upstream release - 1.15.1 @@ -1550,14 +1561,14 @@ exit 0 * Thu Oct 20 2016 Robbie Harwood - 1.15-beta1-1 - New upstream release - Update selinux with RHEL hygene -- Resolves: #1314096 + Resolves: rhbz#1314096 * Tue Oct 11 2016 Tomáš Mráz - 1.14.4-6 - rebuild with OpenSSL 1.1.0, added backported upstream patch * Fri Sep 30 2016 Robbie Harwood - 1.14.4-5 - Properly close krad sockets -- Resolves: #1380836 + Resolves: rhbz#1380836 * Fri Sep 30 2016 Robbie Harwood - 1.14.4-4 - Fix backward check in kprop.service @@ -1576,42 +1587,42 @@ exit 0 * Mon Sep 19 2016 Robbie Harwood - 1.14.3-9 - Add krb5_db_register_keytab -- Resolves: #1376812 + Resolves: rhbz#1376812 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-8 - Use responder for non-preauth AS requests -- Resolves: #1370622 + Resolves: rhbz#1370622 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-7 - Guess Samba client mutual flag using ap_option -- Resolves: #1370980 + Resolves: rhbz#1370980 * Thu Aug 25 2016 Robbie Harwood - 1.14.3-6 - Fix KDC return code and set prompt types for OTP client preauth -- Resolves: #1370072 + Resolves: rhbz#1370072 * Mon Aug 15 2016 Robbie Harwood - 1.14.3-5 - Turn OFD locks back on with glibc workaround -- Resolves: #1274922 + Resolves: rhbz#1274922 * Wed Aug 10 2016 Robbie Harwood - 1.14.3-4 - Fix use of KKDCPP with SNI -- Resolves: #1365027 + Resolves: rhbz#1365027 * Fri Aug 05 2016 Robbie Harwood - 1.14.3-3 - Make krb5-devel depend on libkadm5 -- Resolves: #1364487 + Resolves: rhbz#1364487 * Wed Aug 03 2016 Robbie Harwood - 1.14.3-2 - Up-port a bunch of stuff from the el-7.3 cycle -- Resolves: #1255450, #1314989 + Resolves: rhbz#1255450, rhbz#1314989 * Mon Aug 01 2016 Robbie Harwood - 1.14.3-1 - New upstream version 1.14.3 * Thu Jul 28 2016 Robbie Harwood - 1.14.1-9 - Fix CVE-2016-3120 -- Resolves: #1361051 + Resolves: rhbz#1361051 * Wed Jun 22 2016 Robbie Harwood - 1.14.1-8 - Fix incorrect recv() size calculation in libkrad @@ -1624,18 +1635,18 @@ exit 0 * Tue Apr 05 2016 Robbie Harwood - 1.14.1-5 - Use the correct patches this time. -- Resolves: #1321135 + Resolves: rhbz#1321135 * Mon Apr 04 2016 Robbie Harwood - 1.14.1-4 - Add send/receive sendto_kdc hooks and corresponding tests -- Resolves: #1321135 + Resolves: rhbz#1321135 * Fri Mar 18 2016 Robbie Harwood - 1.14.1-3 - Fix CVE-2016-3119 (NULL deref in LDAP module) * Thu Mar 17 2016 Robbie Harwood - 1.14.1-2 - Backport OID mech fix -- Resolves: #1317609 + Resolves: rhbz#1317609 * Mon Feb 29 2016 Robbie Harwood - 1.14.1-1 - New rawhide, new upstream version @@ -1645,7 +1656,7 @@ exit 0 * Mon Feb 22 2016 Robbie Harwood - 1.14-23 - Fix log file permissions patch with our selinux -- Resolves: #1309421 + Resolves: rhbz#1309421 * Fri Feb 19 2016 Robbie Harwood - 1.14-22 - Backport my interposer fixes from upstream @@ -1654,7 +1665,7 @@ exit 0 * Tue Feb 16 2016 Robbie Harwood - 1.14-21 - Adjust dependency on crypto-polices to be just the file we want - Patch courtesy of lslebodn -- Resolves: #1308984 + Resolves: rhbz#1308984 * Thu Feb 04 2016 Fedora Release Engineering - 1.14-20 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild @@ -1662,21 +1673,21 @@ exit 0 * Thu Jan 28 2016 Robbie Harwood - 1.14-19 - Replace _kadmin/_kprop with systemd macros - Remove traces of upstart from fedora package per policy -- Resolves: #1290185 + Resolves: rhbz#1290185 * Wed Jan 27 2016 Robbie Harwood - 1.14-18 - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * Thu Jan 21 2016 Robbie Harwood - 1.14-17 - Make krb5kdc.log not world-readable by default -- Resolves: #1276484 + Resolves: rhbz#1276484 * Thu Jan 21 2016 Robbie Harwood - 1.14-16 - Allow verification of attributes on krb5.conf * Wed Jan 20 2016 Robbie Harwood - 1.14-15 - Use "new" systemd macros for service handling. (Thanks vpavlin!) -- Resolves: #850399 + Resolves: rhbz#850399 * Wed Jan 20 2016 Robbie Harwood - 1.14-14 - Remove WITH_NSS macro (always false) @@ -1686,13 +1697,13 @@ exit 0 * Fri Jan 08 2016 Robbie Harwood - 1.14-13 - Backport fix for chrome crash in spnego_gss_inquire_context -- Resolves: #1295893 + Resolves: rhbz#1295893 * Wed Dec 16 2015 Robbie Harwood - 1.14-12 - Backport patch to fix mechglue for gss_inqure_attrs_for_mech() * Thu Dec 03 2015 Robbie Harwood - 1.14-11 -- Backport interposer fix (#1284985) +- Backport interposer fix (rhbz#1284985) - Drop workaround pwsize initialization patch (gcc has been fixed) * Tue Nov 24 2015 Robbie Harwood - 1.14-10 @@ -1727,7 +1738,7 @@ exit 0 - New upstream beta version * Thu Oct 08 2015 Robbie Harwood - 1.13.2-13 -- Work around KDC client prinicipal in referrals issue (#1259844) +- Work around KDC client prinicipal in referrals issue (rhbz#1259844) * Thu Oct 01 2015 Robbie Harwood - 1.13.2-12 - Enable building with bad system /etc/krb5.conf @@ -1740,7 +1751,7 @@ exit 0 - Nix /usr/share/krb5.conf.d to reduce complexity * Wed Sep 23 2015 Robbie Harwood - 1.13.2-9 -- Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) +- Depend on crypto-policies which provides /etc/krb5.conf.d (rhbz#1225792) * Thu Sep 10 2015 Robbie Harwood - 1.13.2-8 - Remove dependency on systemd-sysv which is no longer needed for fedora > 20 @@ -1749,7 +1760,7 @@ exit 0 * Thu Sep 10 2015 Robbie Harwood - 1.13.2-7 - Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ - (#1225792, #1146370, #1145808) + (rhbz#1225792, rhbz#1146370, rhbz#1145808) * Thu Jun 25 2015 Roland Mainz - 1.13.2-6 - Use system nss_wrapper and socket_wrapper for testing. @@ -1757,8 +1768,8 @@ exit 0 * Thu Jun 25 2015 Roland Mainz - 1.13.2-5 - Remove Zanata test glue and related workarounds - - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") - - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh") + - Bug rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") + - Bug rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh") * Thu Jun 18 2015 Roland Mainz - 1.13.2-4 - Fix dependicy on binfmt.service @@ -1767,12 +1778,12 @@ exit 0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Tue Jun 2 2015 Roland Mainz - 1.13.2-2 -- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear +- Add patch to fix Redhat Bug rhbz#1227542 ("[SELinux] AVC denials may appear when kadmind starts"). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the "random" port usage. * Thu May 21 2015 Roland Mainz - 1.13.2-1 -- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads +- Add fix for RedHat Bug rhbz#1164304 ("Upstream unit tests loads the installed shared libraries instead the ones from the build") * Thu May 14 2015 Roland Mainz - 1.13.2-0 @@ -1783,7 +1794,7 @@ exit 0 - Minor spec cleanup * Mon May 4 2015 Roland Mainz - 1.13.1-4 -- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass +- fix for CVE-2015-2694 (rhbz#1216133) "requires_preauth bypass in PKINIT-enabled KDC". In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can @@ -1793,13 +1804,13 @@ exit 0 dictionary attack against the user's password. * Wed Mar 25 2015 Roland Mainz - 1.13.1-3 -- Add temporay workaround for RH bug #1204646 ("krb5-config +- Add temporay workaround for RH bug rhbz#1204646 ("krb5-config returns wrong -specs path") which modifies krb5-config post build so that development of krb5 dependicies gets unstuck. This MUST be removed before rawhide becomes F23 ... * Thu Mar 19 2015 Roland Mainz - 1.13.1-2 -- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated +- fix for CVE-2014-5355 (rhbz#1193939) "krb5: unauthenticated denial of service in recvauth_common() and others" * Fri Feb 13 2015 Roland Mainz - 1.13.1-1 @@ -1810,13 +1821,13 @@ exit 0 - Minor spec cleanup * Wed Feb 4 2015 Roland Mainz - 1.13-8 -- fix for CVE-2014-5352 (#1179856) "gss_process_context_token() +- fix for CVE-2014-5352 (rhbz#1179856) "gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial +- fix for CVE-2014-9421 (rhbz#1179857) "kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly +- fix for CVE-2014-9422 (rhbz#1179861) "kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications +- fix for CVE-2014-9423 (rhbz#1179863) "libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)" * Wed Feb 4 2015 Roland Mainz - 1.13-7 @@ -1828,17 +1839,17 @@ exit 0 - Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) * Mon Jan 26 2015 Roland Mainz - 1.13-5 -- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not +- fix for kinit -C loops (rhbz#1184629, MIT/krb5 issue 243, "Do not loop on principal unknown errors"). - Added "python-sphinx-latex" to the build requirements to fix build failures on F22 machines. * Thu Dec 18 2014 Roland Mainz - 1.13-4 -- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer +- fix for CVE-2014-5354 (rhbz#1174546) "krb5: NULL pointer dereference when using keyless entries" * Wed Dec 17 2014 Roland Mainz - 1.13-3 -- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy +- fix for CVE-2014-5353 (rhbz#1174543) "Fix LDAP misused policy name crash" * Wed Oct 29 2014 Roland Mainz - 1.13-2 @@ -1848,18 +1859,18 @@ exit 0 * Wed Oct 29 2014 Roland Mainz - 1.13-1 - Update from krb5-1.13-alpha1 to final krb5-1.13 -- Removed patch for CVE-2014-5351 (#1145425) "krb5: current +- Removed patch for CVE-2014-5351 (rhbz#1145425) "krb5: current keys returned when randomizing the keys for a service principal" - now part of upstream sources -- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only +- Use patch for glibc |eventfd()| prototype mismatch (rhbz#1147887) only for Fedora > 20 * Tue Sep 30 2014 Roland Mainz - 1.13-0.alpha1.3 - fix build failure caused by change of prototype for glibc - |eventfd()| (#1147887) + |eventfd()| (rhbz#1147887) * Mon Sep 29 2014 Roland Mainz - 1.13-0.alpha1.3 -- fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when +- fix for CVE-2014-5351 (rhbz#1145425) "krb5: current keys returned when randomizing the keys for a service principal" * Mon Sep 8 2014 Nalin Dahyabhai - 1.13-0.alpha1.3 @@ -1875,7 +1886,7 @@ exit 0 * Wed Aug 20 2014 Nalin Dahyabhai - 1.12.2-3 - pull in upstream fix for an incorrect check on the value returned by a - strdup() call (#1132062) + strdup() call (rhbz#1132062) * Sun Aug 17 2014 Fedora Release Engineering - 1.12.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild @@ -1883,7 +1894,7 @@ exit 0 * Fri Aug 15 2014 Nalin Dahyabhai - 1.12.2-1 - update to 1.12.2 - drop patch for RT#7820, fixed in 1.12.2 - - drop patch for #231147, fixed as RT#3277 in 1.12.2 + - drop patch for rhbz#231147, fixed as RT#3277 in 1.12.2 - drop patch for RT#7818, fixed in 1.12.2 - drop patch for RT#7836, fixed in 1.12.2 - drop patch for RT#7858, fixed in 1.12.2 @@ -1894,7 +1905,7 @@ exit 0 - drop patch for CVE-2014-4344, included in 1.12.2 - drop patch for CVE-2014-4345, included in 1.12.2 - replace older proposed changes for ksu with backports of the changes - after review and merging upstream (#1015559, #1026099, #1118347) + after review and merging upstream (rhbz#1015559, rhbz#1026099, rhbz#1118347) * Thu Aug 7 2014 Nalin Dahyabhai - 1.12.1-14 - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) @@ -1905,21 +1916,21 @@ exit 0 * Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 - gssapi: pull in proposed fix for a double free in initiators (David - Woodhouse, CVE-2014-4343, #1117963) + Woodhouse, CVE-2014-4343, rhbz#1117963) * Sat Jul 12 2014 Tom Callaway - 1.12.1-11 - fix license handling * Mon Jul 7 2014 Nalin Dahyabhai - 1.12.1-10 - pull in fix for denial of service by injection of malformed GSSAPI tokens - (CVE-2014-4341, CVE-2014-4342, #1116181) + (CVE-2014-4341, CVE-2014-4342, rhbz#1116181) * Tue Jun 24 2014 Nalin Dahyabhai - 1.12.1-9 - pull in changes from upstream which add processing of the contents of - /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) + /etc/gss/mech.d/*.conf when loading GSS modules (rhbz#1102839) * Thu Jun 12 2014 Nalin Dahyabhai - 1.12.1-8 -- pull in fix for building against tcl 8.6 (#1107061) +- pull in fix for building against tcl 8.6 (rhbz#1107061) * Sun Jun 08 2014 Fedora Release Engineering - 1.12.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild @@ -1931,14 +1942,14 @@ exit 0 - spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator - doesn't get confused (#1066000, RT#7858) + doesn't get confused (rhbz#1066000, RT#7858) * Fri Feb 7 2014 Nalin Dahyabhai - 1.12.1-4 - pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more - of #1040056 as #1063905) + of rhbz#1040056 as rhbz#1063905) - add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time - own /var/run/krb5kdc @@ -1948,12 +1959,12 @@ exit 0 * Fri Jan 31 2014 Nalin Dahyabhai - add currently-proposed changes to teach ksu about credential cache - collections and the default_ccache_name setting (#1015559,#1026099) + collections and the default_ccache_name setting (rhbz#1015559,rhbz#1026099) * Tue Jan 21 2014 Nalin Dahyabhai - 1.12.1-2 - pull in multiple changes to allow replay caches to be added to a GSS credential store as "rcache"-type credentials (RT#7818/#7819/#7836, - #1056078/#1056080) + rhbz#1056078/rhbz#1056080) * Fri Jan 17 2014 Nalin Dahyabhai - 1.12.1-1 - update to 1.12.1 @@ -1966,11 +1977,11 @@ exit 0 - drop patches for RT#7813 and RT#7815, included now - add patch to always retrieve the KDC time offsets from keyring caches, so that we don't mistakenly interpret creds as expired before their - time when our clock is ahead of the KDC's (RT#7820, #1030607) + time when our clock is ahead of the KDC's (RT#7820, rhbz#1030607) * Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11 - update the PIC patch for iaesx86.s to not use ELF relocations to the version - that landed upstream (RT#7815, #1045699) + that landed upstream (RT#7815, rhbz#1045699) * Thu Jan 9 2014 Nalin Dahyabhai - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared @@ -1985,16 +1996,16 @@ exit 0 master - make a guess at making the 32-bit AES-NI implementation sufficiently position-independent to not require execmod permissions for libk5crypto - (more of #1045699) + (more of rhbz#1045699) * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-8 - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack - on arches where they're used (#1045699, and so many others) + on arches where they're used (rhbz#1045699, and so many others) * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-7 - revert that last change for a bit while sorting out execstack when we - use AES-NI (#1045699) + use AES-NI (rhbz#1045699) * Thu Dec 19 2013 Nalin Dahyabhai - 1.12-6 - add yasm as a build requirement for AES-NI support, on arches that have @@ -2002,7 +2013,7 @@ exit 0 * Thu Dec 19 2013 Nalin Dahyabhai - 1.12-5 - pull in fix from master to make reporting of errors encountered by - the SPNEGO mechanism work better (RT#7045, part of #1043962) + the SPNEGO mechanism work better (RT#7045, part of rhbz#1043962) * Thu Dec 19 2013 Nalin Dahyabhai - update a test wrapper to properly handle things that the new libkrad does, @@ -2012,19 +2023,19 @@ exit 0 - revise previous patch to initialize one more element * Wed Dec 18 2013 Nalin Dahyabhai - 1.12-3 -- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) +- backport fixes to krb5_copy_context (RT#7807, rhbz#1044735/rhbz#1044739) * Wed Dec 18 2013 Nalin Dahyabhai - 1.12-2 - pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of - #1043962) + rhbz#1043962) - pull in fix from master to ignore an empty token from an acceptor if - we've already finished authenticating (RT#7797, part of #1043962) + we've already finished authenticating (RT#7797, part of rhbz#1043962) - pull in fix from master to avoid a memory leak when a mechanism's - init_sec_context function fails (RT#7803, part of #1043962) + init_sec_context function fails (RT#7803, part of rhbz#1043962) - pull in fix from master to avoid a memory leak in a couple of error cases which could occur while obtaining acceptor credentials (RT#7805, part - of #1043962) + of rhbz#1043962) * Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1 - update to 1.12 final @@ -2041,9 +2052,9 @@ exit 0 * Mon Nov 18 2013 Nalin Dahyabhai - 1.11.4-2 - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, - #1030607) + rhbz#1030607) - pull in fix to set expiration times on credentials stored in keyring - credential caches (RT#7769, #1031724) + credential caches (RT#7769, rhbz#1031724) * Tue Nov 12 2013 Nalin Dahyabhai - 1.11.4-1 - update to 1.11.4 @@ -2052,21 +2063,21 @@ exit 0 - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 * Tue Nov 12 2013 Nalin Dahyabhai - 1.11.3-31 -- switch to the simplified version of the patch for #1029110 (RT#7764) +- switch to the simplified version of the patch for rhbz#1029110 (RT#7764) * Mon Nov 11 2013 Nalin Dahyabhai - 1.11.3-30 - check more thoroughly for errors when resolving KEYRING ccache names of type "persistent", which should only have a numeric UID as the next part of the - name (#1029110) + name (rhbz#1029110) * Tue Nov 5 2013 Nalin Dahyabhai - 1.11.3-29 - incorporate upstream patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, - #1026997/#1031501) + rhbz#1026997/rhbz#1031501) * Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-28 - drop patch to add additional access() checks to ksu - they add to breakage - when non-FILE: caches are in use (#1026099), shouldn't be resulting in any + when non-FILE: caches are in use (rhbz#1026099), shouldn't be resulting in any benefit, and clash with proposed changes to fix its cache handling * Tue Oct 22 2013 Nalin Dahyabhai - 1.11.3-27 @@ -2095,22 +2106,22 @@ exit 0 - BuildRequires: pkgconfig, since configure uses it * Wed Oct 16 2013 Nalin Dahyabhai - 1.11.3-26 -- create and own /etc/gss (#1019937) +- create and own /etc/gss (rhbz#1019937) * Tue Oct 15 2013 Nalin Dahyabhai - 1.11.3-25 - pull up fix for importing previously-exported credential caches in the - gssapi library (RT# 7706, #1019420) + gssapi library (RT# 7706, rhbz#1019420) * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-24 - backport the callback to use the libkrb5 prompter when we can't load PEM - files for PKINIT (RT#7590, includes part of #965721/#1016690) -- extract the rest of the fix #965721/#1016690 from the changes for RT#7680 + files for PKINIT (RT#7590, includes part of rhbz#965721/rhbz#1016690) +- extract the rest of the fix rhbz#965721/rhbz#1016690 from the changes for RT#7680 * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-23 -- fix trigger scriptlet's invocation of sed (#1016945) +- fix trigger scriptlet's invocation of sed (rhbz#1016945) * Fri Oct 4 2013 Nalin Dahyabhai - 1.11.3-22 -- rebuild with keyutils 1.5.8 (part of #1012043) +- rebuild with keyutils 1.5.8 (part of rhbz#1012043) * Wed Oct 2 2013 Nalin Dahyabhai - 1.11.3-21 - switch to the version of persistent-keyring that was just merged to @@ -2120,7 +2131,7 @@ exit 0 * Mon Sep 30 2013 Nalin Dahyabhai - 1.11.3-20 - pull up fix for not calling a kdb plugin's check-transited-path method before calling the library's default version, which only knows - how to read what's in the configuration file (RT#7709, #1013664) + how to read what's in the configuration file (RT#7709, rhbz#1013664) * Thu Sep 26 2013 Nalin Dahyabhai - 1.11.3-19 - configure --without-krb5-config so that we don't pull in the old default @@ -2131,7 +2142,7 @@ exit 0 - fix broken dependency on awk (should be gawk, rdieter) * Wed Sep 25 2013 Nalin Dahyabhai - 1.11.3-17 -- add missing dependency on newer keyutils-libs (#1012034) +- add missing dependency on newer keyutils-libs (rhbz#1012034) * Tue Sep 24 2013 Nalin Dahyabhai - 1.11.3-16 - back out setting default_ccache_name to the new default for now, resetting @@ -2139,11 +2150,11 @@ exit 0 * Mon Sep 23 2013 Nalin Dahyabhai - 1.11.3-15 - add explicit build-time dependency on a version of keyutils that's new - enough to include keyctl_get_persistent() (more of #991148) + enough to include keyctl_get_persistent() (more of rhbz#991148) * Thu Sep 19 2013 Nalin Dahyabhai - 1.11.3-14 - incorporate Simo's updated backport of his updated persistent-keyring changes - (more of #991148) + (more of rhbz#991148) * Fri Sep 13 2013 Nalin Dahyabhai - 1.11.3-13 - don't break during %%check when the session keyring is revoked @@ -2157,17 +2168,17 @@ exit 0 * Mon Sep 9 2013 Nalin Dahyabhai 1.11.3-11 - don't let comments intended for one scriptlet become part of the "script" - that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675) + that gets passed to ldconfig as part of another one (Mattias Ellert, rhbz#1005675) * Fri Sep 6 2013 Nalin Dahyabhai 1.11.3-10 -- incorporate Simo's backport of his persistent-keyring changes (#991148) +- incorporate Simo's backport of his persistent-keyring changes (rhbz#991148) - restore build-time default DEFCCNAME on Fedora 21 and later and EL, and instead set default_ccache_name in the default krb5.conf's [libdefaults] - section (#991148) + section (rhbz#991148) - on releases where we expect krb5.conf to be configured with a default_ccache_name, add it whenever we upgrade from an older version of the package that wouldn't have included it in its default configuration - file (#991148) + file (rhbz#991148) * Fri Aug 23 2013 Nalin Dahyabhai 1.11.3-9 - take another stab at accounting for UnversionedDocdirs for the -libs @@ -2182,7 +2193,7 @@ exit 0 of files which dictate particular exit codes before exec'ing the actual binaries, instead of trying to use ConditionPathExists in the unit files to accomplish that, so that we exit with failure properly when what we - expect isn't actually in effect on the system (#800343) + expect isn't actually in effect on the system (rhbz#800343) * Mon Jul 29 2013 Nalin Dahyabhai 1.11.3-7 - attempt to account for UnversionedDocdirs for the -libs subpackage @@ -2194,11 +2205,11 @@ exit 0 * Mon Jul 22 2013 Nalin Dahyabhai 1.11.3-5 - pull up changes to allow GSSAPI modules to provide more functions - (RT#7682, #986564/#986565) + (RT#7682, rhbz#986564/rhbz#986565) * Fri Jul 19 2013 Nalin Dahyabhai 1.11.3-4 - use (a bundled, for now, copy of) nss_wrapper to let us run some of the - self-tests at build-time in more places than we could previously (#978756) + self-tests at build-time in more places than we could previously (rhbz#978756) - cover inconsistencies in whether or not there's a local caching nameserver that's willing to answer when the build environment doesn't have a resolver configuration, so that nss_wrapper's faking of the local @@ -2206,23 +2217,23 @@ exit 0 * Mon Jul 1 2013 Nalin Dahyabhai 1.11.3-3 - specify dependencies on the same arch of krb5-libs by using the %%{?_isa} - suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155) + suffix, to avoid dragging 32-bit libraries onto 64-bit systems (rhbz#980155) * Thu Jun 13 2013 Nalin Dahyabhai 1.11.3-2 - special-case /run/user/0, attempting to create it when resolving a directory cache below it fails due to ENOENT and we find that it doesn't already exist, either, before attempting to create the directory cache - (maybe helping, maybe just making things more confusing for #961235) + (maybe helping, maybe just making things more confusing for rhbz#961235) * Tue Jun 4 2013 Nalin Dahyabhai 1.11.3-1 - update to 1.11.3 - drop patch for RT#7605, fixed in this release - drop patch for CVE-2002-2443, fixed in this release - drop patch for RT#7369, fixed in this release -- pull upstream fix for breaking t_skew.py by adding the patch for #961221 +- pull upstream fix for breaking t_skew.py by adding the patch for rhbz#961221 * Fri May 31 2013 Nalin Dahyabhai 1.11.2-10 -- respin with updated version of patch for RT#7650 (#969331) +- respin with updated version of patch for RT#7650 (rhbz#969331) * Thu May 30 2013 Nalin Dahyabhai 1.11.2-9 - don't forget to set the SELinux label when creating the directory for @@ -2238,22 +2249,22 @@ exit 0 * Tue May 28 2013 Nalin Dahyabhai 1.11.2-7 - backport fix for not being able to verify the list of transited realms - in GSS acceptors (RT#7639, #959685) + in GSS acceptors (RT#7639, rhbz#959685) - backport fix for not being able to pass an empty password to the - get-init-creds APIs and have them actually use it (RT#7642, #960001) + get-init-creds APIs and have them actually use it (RT#7642, rhbz#960001) - add backported proposed fix to use the unauthenticated server time as the basis for computing the requested credential expiration times, rather than the client's idea of the current time, which could be - significantly incorrect (#961221) + significantly incorrect (rhbz#961221) * Tue May 21 2013 Nalin Dahyabhai 1.11.2-6 - pull in upstream fix to start treating a KRB5CCNAME value that begins with DIR:: the same as it would a DIR: value with just one ccache file - in it (RT#7172, #965574) + in it (RT#7172, rhbz#965574) * Mon May 13 2013 Nalin Dahyabhai 1.11.2-5 - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, - #962531,#962534) + rhbz#962531,rhbz#962534) * Mon Apr 29 2013 Nathaniel McCallum 1.11.2-4 - Update otp patches @@ -2273,11 +2284,11 @@ exit 0 - drop pulled in patch for RT#7586, included in this release - drop pulled in patch for RT#7592, included in this release - pull in fix for keeping track of the message type when parsing FAST requests - in the KDC (RT#7605, #951843) (also #951965) + in the KDC (RT#7605, rhbz#951843) (also rhbz#951965) * Fri Apr 12 2013 Nalin Dahyabhai 1.11.1-9 - move the compiled-in default ccache location from the previous default of - FILE:/tmp/krb5cc_%%{uid} to DIR:/run/user/%%{uid}/krb5cc (part of #949588) + FILE:/tmp/krb5cc_%%{uid} to DIR:/run/user/%%{uid}/krb5cc (part of rhbz#949588) * Tue Apr 09 2013 Nathaniel McCallum - 1.11.1-8 - Update otp backport patches (libk5radius => libkrad) @@ -2298,8 +2309,8 @@ exit 0 * Tue Mar 26 2013 Nalin Dahyabhai 1.11.1-5 - pull up Simo's patch to mark the correct mechanism on imported GSSAPI contexts (RT#7592) -- go back to using reconf to run autoconf and autoheader (part of #925640) -- add temporary patch to use newer config.guess/config.sub (more of #925640) +- go back to using reconf to run autoconf and autoheader (part of rhbz#925640) +- add temporary patch to use newer config.guess/config.sub (more of rhbz#925640) * Mon Mar 18 2013 Nalin Dahyabhai - fix a version comparison to expect newer texlive build requirements when @@ -2310,12 +2321,12 @@ exit 0 - Add otp support * Thu Feb 28 2013 Nalin Dahyabhai 1.11.1-3 -- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) +- fix a memory leak when acquiring credentials using a keytab (RT#7586, rhbz#911110) * Wed Feb 27 2013 Nalin Dahyabhai 1.11.1-2 -- prebuild PDF docs to reduce multilib differences (internal tooling, #884065) +- prebuild PDF docs to reduce multilib differences (internal tooling, rhbz#884065) - drop the kerberos-iv portreserve file, and drop the rest on systemd systems -- escape uses of macros in comments (more of #884065) +- escape uses of macros in comments (more of rhbz#884065) * Mon Feb 25 2013 Nalin Dahyabhai 1.11.1-1 - update to 1.11.1 @@ -2323,7 +2334,7 @@ exit 0 wrapper in the client transmit functions * Fri Feb 8 2013 Nalin Dahyabhai 1.11-2 -- set "rdns = false" in the default krb5.conf (#908323,#908324) +- set "rdns = false" in the default krb5.conf (rhbz#908323,rhbz#908324) * Tue Dec 18 2012 Nalin Dahyabhai 1.11-1 - update to 1.11 release @@ -2333,7 +2344,7 @@ exit 0 * Thu Dec 13 2012 Nalin Dahyabhai - when building with our bundled copy of libverto, package it in with -libs - rather than with -server (#886049) + rather than with -server (rhbz#886049) * Wed Nov 21 2012 Nalin Dahyabhai 1.11-0.beta1.0 - update to 1.11 beta 1 @@ -2381,27 +2392,27 @@ exit 0 %%{?_rawbuild} builds (zmraz) * Tue Sep 25 2012 Nalin Dahyabhai 1.10.3-6 -- actually pull up the patch for RT#7063, and not some other ticket (#773496) +- actually pull up the patch for RT#7063, and not some other ticket (rhbz#773496) * Mon Sep 10 2012 Nalin Dahyabhai 1.10.3-5 - add patch based on one from Filip Krska to not call poll() with a negative - timeout when the caller's intent is for us to just stop calling it (#838548) + timeout when the caller's intent is for us to just stop calling it (rhbz#838548) * Fri Sep 7 2012 Nalin Dahyabhai - on EL6, conflict with libsmbclient before 3.5.10-124, which is when it - stopped linking with a symbol which we no longer export (#771687) + stopped linking with a symbol which we no longer export (rhbz#771687) - pull up patch for RT#7063, in which not noticing a prompt for a long time throws the client library's idea of the time difference between it - and the KDC really far out of whack (#773496) + and the KDC really far out of whack (rhbz#773496) - add a backport of more patches to set the client's list of supported enctypes when using a keytab to be the list of types of keys in the keytab, plus the list of other types the client supports but for which it doesn't have keys, in that order, so that KDCs have a better chance of being able to issue - tickets with session keys of types that the client can use (#837855) + tickets with session keys of types that the client can use (rhbz#837855) * Thu Sep 6 2012 Nalin Dahyabhai 1.10.3-4 - cut down the number of times we load SELinux labeling configuration from - a minimum of two times to actually one (more of #845125) + a minimum of two times to actually one (more of rhbz#845125) * Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-3 - backport patch to disable replay detection in krb5_verify_init_creds() @@ -2419,7 +2430,7 @@ exit 0 * Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-7 - selinux: hang on to the list of selinux contexts, freeing and reloading it only when the file we read it from is modified, freeing it when the - shared library is being unloaded (#845125) + shared library is being unloaded (rhbz#845125) * Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-6 - go back to not messing with library file paths on Fedora 17: it breaks @@ -2429,7 +2440,7 @@ exit 0 * Tue Jul 31 2012 Nalin Dahyabhai 1.10.2-5 - add upstream patch to fix freeing an uninitialized pointer and dereferencing another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 - and CVE-2012-1015, #844779 and #844777) + and CVE-2012-1015, rhbz#844779 and rhbz#844777) - fix a thinko in whether or not we mess around with devel .so symlinks on systems without a separate /usr (sbose) @@ -2455,7 +2466,7 @@ exit 0 - add a backport of Stef's patch to set the client's list of supported enctypes to match the types of keys that we have when we are using a keytab to try to get initial credentials, so that a KDC won't send us - an AS reply that we can't encrypt (RT#2131, #748528) + an AS reply that we can't encrypt (RT#2131, rhbz#748528) - don't shuffle around any shared libraries on releases with no-separate-/usr, since /usr/lib is the same place as /lib - add explicit buildrequires: on 'hostname', for the tests, on systems where @@ -2464,15 +2475,15 @@ exit 0 * Mon May 7 2012 Nalin Dahyabhai - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part - of #819115) + of rhbz#819115) * Tue May 1 2012 Nalin Dahyabhai 1.10.1-3 - have -server require /usr/share/dict/words, which we set as the default - dict_file in kdc.conf (#817089) + dict_file in kdc.conf (rhbz#817089) * Tue Mar 20 2012 Nalin Dahyabhai 1.10.1-2 -- change back dns_lookup_kdc to the default setting (Stef Walter, #805318) -- comment out example.com examples in default krb5.conf (Stef Walter, #805320) +- change back dns_lookup_kdc to the default setting (Stef Walter, rhbz#805318) +- comment out example.com examples in default krb5.conf (Stef Walter, rhbz#805320) * Fri Mar 9 2012 Nalin Dahyabhai 1.10.1-1 - update to 1.10.1 @@ -2483,7 +2494,7 @@ exit 0 * Wed Mar 7 2012 Nalin Dahyabhai 1.10-5 - when removing -workstation, remove our files from the info index while the file is still there, in %%preun, rather than %%postun, and use the - compressed file's name (#801035) + compressed file's name (rhbz#801035) * Tue Feb 21 2012 Nathaniel McCallum - 1.10-4 - Fix string RPC ACLs (RT#7093); CVE-2012-1012 @@ -2493,7 +2504,7 @@ exit 0 * Mon Jan 30 2012 Nalin Dahyabhai 1.10-2 - add patch to accept keytab entries with vno==0 as matches when we're - searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) + searching for an entry with a specific name/kvno (rhbz#230382/rhbz#782211,RT#3349) * Mon Jan 30 2012 Nalin Dahyabhai 1.10-1 - update to 1.10 final @@ -2518,21 +2529,21 @@ exit 0 * Tue Dec 13 2011 Nalin Dahyabhai 1.10-0.alpha1.3 - pull in patch for RT#7046: tag a ccache containing credentials obtained via - S4U2Proxy with the principal name of the proxying principal (part of #761317) + S4U2Proxy with the principal name of the proxying principal (part of rhbz#761317) so that the default principal name can be set to that of the client for which it is proxying, which results in the ccache looking more normal to consumers of the ccache that don't care that there's proxying going on - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached - (more of #761317) + (more of rhbz#761317) - pull in patch for RT#7048: allow PAC verification to only bother trying to - verify the signature with keys that it's given (still more of #761317) + verify the signature with keys that it's given (still more of rhbz#761317) * Tue Dec 6 2011 Nalin Dahyabhai 1.10-0.alpha1.2 - apply upstream patch to fix a null pointer dereference when processing - TGS requests (CVE-2011-1530, #753748) + TGS requests (CVE-2011-1530, rhbz#753748) * Wed Nov 30 2011 Nalin Dahyabhai 1.10-0.alpha1.1 -- correct a bug in the fix for #754001 so that the file creation context is +- correct a bug in the fix for rhbz#754001 so that the file creation context is consistently reset * Tue Nov 15 2011 Nalin Dahyabhai 1.10-0.alpha1.0 @@ -2547,27 +2558,27 @@ exit 0 should be able to run inside of the build system without issue * Wed Oct 26 2011 Fedora Release Engineering - 1.9.1-19 -- Rebuilt for glibc bug#747377 +- Rebuilt for glibc bugrhbz#747377 * Tue Oct 18 2011 Nalin Dahyabhai 1.9.1-18 - apply upstream patch to fix a null pointer dereference with the LDAP kdb - backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb + backend (CVE-2011-1527, rhbz#744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb - backends (CVE-2011-1529) (#737711) + backends (CVE-2011-1529) (rhbz#737711) * Thu Oct 13 2011 Nalin Dahyabhai 1.9.1-17 - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and - make it public (#745533) + make it public (rhbz#745533) * Fri Oct 7 2011 Nalin Dahyabhai 1.9.1-16 -- kadmin.service: fix #723723 again +- kadmin.service: fix rhbz#723723 again - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command lines, because systemd parsing doesn't handle alternate value shell variable syntax - kprop.service: add missing Type=forking so that systemd doesn't assume simple - kprop.service: expect the ACL configuration to be there, not absent - handle a harder-to-trigger assertion failure that starts cropping up when we - exit the transmit loop on time (#739853) + exit the transmit loop on time (rhbz#739853) * Sun Oct 2 2011 Tom Callaway 1.9.1-15 - hardcode pid file as option in krb5kdc.service @@ -2580,50 +2591,50 @@ exit 0 * Tue Sep 6 2011 Nalin Dahyabhai 1.9.1-12 - pull in upstream patch for RT#6952, confusion following referrals for - cross-realm auth (#734341) + cross-realm auth (rhbz#734341) - pull in build-time deps for the tests * Thu Sep 1 2011 Nalin Dahyabhai 1.9.1-11 -- switch to the upstream patch for #727829 +- switch to the upstream patch for rhbz#727829 * Wed Aug 31 2011 Nalin Dahyabhai 1.9.1-10 - handle an assertion failure that starts cropping up when the patch for - using poll (#701446) meets servers that aren't running KDCs or against - which the connection fails for other reasons (#727829, #734172) + using poll (rhbz#701446) meets servers that aren't running KDCs or against + which the connection fails for other reasons (rhbz#727829, rhbz#734172) * Mon Aug 8 2011 Nalin Dahyabhai 1.9.1-9 - override the default build rules to not delete temporary y.tab.c files, so that they can be packaged, allowing debuginfo files which point to them - do so usefully (#729044) + do so usefully (rhbz#729044) * Fri Jul 22 2011 Nalin Dahyabhai 1.9.1-8 -- build shared libraries with partial RELRO support (#723995) +- build shared libraries with partial RELRO support (rhbz#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS - pull in a patch to fix losing track of the replay cache FD, from SVN by way of Kevin Coffman * Wed Jul 20 2011 Nalin Dahyabhai 1.9.1-7 -- kadmind.init: drop the attempt to detect no-database-present errors (#723723), +- kadmind.init: drop the attempt to detect no-database-present errors (rhbz#723723), which is too fragile in cases where the database has been manually moved or is accessed through another kdb plugin * Tue Jul 19 2011 Nalin Dahyabhai 1.9.1-6 - backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE - to talk to a KDC by using poll() if it's detected at compile-time (#701446, + to talk to a KDC by using poll() if it's detected at compile-time (rhbz#701446, RT#6905) * Thu Jun 23 2011 Nalin Dahyabhai 1.9.1-5 - pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or not to ask for an IPv6 address based on the set of configured interfaces - (#717378, RT#6922) + (rhbz#717378, RT#6922) - pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) * Mon Jun 20 2011 Nalin Dahyabhai 1.9.1-4 - apply upstream patch by way of Burt Holzman to fall back to a non-referral method in cases where we might be derailed by a KDC that rejects the - canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074) + canonicalize option (for example, those from the RHEL 2.1 or 3 era) (rhbz#715074) * Tue Jun 14 2011 Nalin Dahyabhai 1.9.1-3 - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating @@ -2631,13 +2642,13 @@ exit 0 * Tue Jun 14 2011 Nalin Dahyabhai - incorporate a fix to teach the file labeling bits about when replay caches - are expunged (#576093) + are expunged (rhbz#576093) * Thu May 26 2011 Nalin Dahyabhai -- switch to the upstream patch for #707145 +- switch to the upstream patch for rhbz#707145 * Wed May 25 2011 Nalin Dahyabhai 1.9.1-2 -- klist: don't trip over referral entries when invoked with -s (#707145, +- klist: don't trip over referral entries when invoked with -s (rhbz#707145, RT#6915) * Fri May 6 2011 Nalin Dahyabhai @@ -2650,26 +2661,26 @@ exit 0 CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 * Wed Apr 13 2011 Nalin Dahyabhai 1.9-9 -- kadmind: add upstream patch to fix free() on an invalid pointer (#696343, +- kadmind: add upstream patch to fix free() on an invalid pointer (rhbz#696343, MITKRB5-SA-2011-004, CVE-2011-0285) * Mon Apr 4 2011 Nalin Dahyabhai - don't discard the error code from an error message received in response - to a change-password request (#658871, RT#6893) + to a change-password request (rhbz#658871, RT#6893) * Fri Apr 1 2011 Nalin Dahyabhai - override INSTALL_SETUID at build-time so that ksu is installed into - the buildroot with the right permissions (part of #225974) + the buildroot with the right permissions (part of rhbz#225974) * Fri Mar 18 2011 Nalin Dahyabhai 1.9-8 - backport change from SVN to fix a computed-value-not-used warning in - kpropd (#684065) + kpropd (rhbz#684065) * Tue Mar 15 2011 Nalin Dahyabhai 1.9-7 - turn off NSS as the backend for libk5crypto for now to work around its - DES string2key not working (#679012) + DES string2key not working (rhbz#679012) - add revised upstream patch to fix double-free in KDC while returning - typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325) + typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, rhbz#674325) * Thu Feb 17 2011 Nalin Dahyabhai - throw in a not-applied-by-default patch to try to make pkinit debugging @@ -2682,14 +2693,14 @@ exit 0 * Wed Feb 9 2011 Nalin Dahyabhai 1.9-5 - krb5kdc init script: prototype some changes to do a quick spot-check of the TGS and kadmind keys and warn if there aren't any non-weak keys - on file for them (to flush out parts of #651466) + on file for them (to flush out parts of rhbz#651466) * Tue Feb 8 2011 Nalin Dahyabhai 1.9-4 - add upstream patches to fix standalone kpropd exiting if the per-client child process exits with an error (MITKRB5-SA-2011-001), a hang or crash in the KDC when using the LDAP kdb backend, and an uninitialized pointer - use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, - CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126) + use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, rhbz#664009, + CVE-2011-0281, rhbz#668719, CVE-2011-0282, rhbz#668726, CVE-2011-0283, rhbz#676126) * Mon Feb 07 2011 Fedora Release Engineering - 1.9-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild @@ -2700,11 +2711,11 @@ exit 0 * Tue Feb 1 2011 Nalin Dahyabhai - properly advertise that the kpropd init script now supports force-reload - (Zbysek Mraz, #630587) + (Zbysek Mraz, rhbz#630587) * Wed Jan 26 2011 Nalin Dahyabhai 1.9-2 - pkinit: when verifying signed data, use the CMS APIs for better - interoperability (#636985, RT#6851) + interoperability (rhbz#636985, RT#6851) * Wed Dec 22 2010 Nalin Dahyabhai 1.9-1 - update to 1.9 final @@ -2724,37 +2735,37 @@ exit 0 * Fri Nov 5 2010 Nalin Dahyabhai 1.9-0.beta1.0 - start moving to 1.9 with beta 1 - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 - - drop no-longer-needed backport patch for #539423 + - drop no-longer-needed backport patch for rhbz#539423 - drop no-longer-needed patch for CVE-2010-1322 - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) * Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 - incorporate upstream patch to fix uninitialized pointer crash in the KDC's - authorization data handling (CVE-2010-1322, #636335) + authorization data handling (CVE-2010-1322, rhbz#636335) * Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-7 - rebuild * Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-6 - pull down patches from trunk to implement k5login_authoritative and - k5login_directory settings for krb5.conf (#539423) + k5login_directory settings for krb5.conf (rhbz#539423) * Wed Sep 29 2010 jkeating - 1.8.3-5 - Rebuilt for gcc bug 634757 * Wed Sep 15 2010 Nalin Dahyabhai 1.8.3-4 - fix reading of keyUsage extensions when attempting to select pkinit client - certs (part of #629022, RT#6775) + certs (part of rhbz#629022, RT#6775) - fix selection of pkinit client certs when one or more don't include a - subjectAltName extension (part of #629022, RT#6774) + subjectAltName extension (part of rhbz#629022, RT#6774) * Fri Sep 3 2010 Nalin Dahyabhai 1.8.3-3 - build with -fstack-protector-all instead of the default -fstack-protector, - so that we add checking to more functions (i.e., all of them) (#629950) -- also link binaries with -Wl,-z,relro,-z,now (part of #629950) + so that we add checking to more functions (i.e., all of them) (rhbz#629950) +- also link binaries with -Wl,-z,relro,-z,now (part of rhbz#629950) * Tue Aug 24 2010 Nalin Dahyabhai 1.8.3-2 -- fix a logic bug in computing key expiration times (RT#6762, #627022) +- fix a logic bug in computing key expiration times (RT#6762, rhbz#627022) * Wed Aug 4 2010 Nalin Dahyabhai 1.8.3-1 - update to 1.8.3 @@ -2764,12 +2775,12 @@ exit 0 * Wed Jul 7 2010 Nalin Dahyabhai 1.8.2-3 - tell krb5kdc and kadmind to create pid files, since they can -- add logrotate configuration files for krb5kdc and kadmind (#462658) +- add logrotate configuration files for krb5kdc and kadmind (rhbz#462658) - fix parsing of the pidfile option in the KDC (upstream #6750) * Mon Jun 21 2010 Nalin Dahyabhai 1.8.2-2 - libgssapi: pull in patch from svn to stop returning context-expired errors - when the ticket which was used to set up the context expires (#605366, + when the ticket which was used to set up the context expires (rhbz#605366, upstream #6739) * Mon Jun 21 2010 Nalin Dahyabhai @@ -2785,8 +2796,8 @@ exit 0 * Thu May 27 2010 Nalin Dahyabhai - ksu: move session management calls to before we drop privileges, like - su does (#596887), and don't skip the PAM account check for root or the - same user (more of #540769) + su does (rhbz#596887), and don't skip the PAM account check for root or the + same user (more of rhbz#540769) * Mon May 24 2010 Nalin Dahyabhai 1.8.1-6 - make krb5-server-ldap also depend on the same version-release of krb5-libs, @@ -2799,20 +2810,20 @@ exit 0 * Tue May 18 2010 Nalin Dahyabhai 1.8.1-5 - add patch to correct GSSAPI library null pointer dereference which could be - triggered by malformed client requests (CVE-2010-1321, #582466) + triggered by malformed client requests (CVE-2010-1321, rhbz#582466) * Tue May 4 2010 Nalin Dahyabhai 1.8.1-4 -- fix output of kprop's init script's "status" and "reload" commands (#588222) +- fix output of kprop's init script's "status" and "reload" commands (rhbz#588222) * Tue Apr 20 2010 Nalin Dahyabhai 1.8.1-3 -- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922) +- incorporate patch to fix double-free in the KDC (CVE-2010-1320, rhbz#581922) * Wed Apr 14 2010 Nalin Dahyabhai 1.8.1-2 - fix a typo in kerberos.ldif * Fri Apr 9 2010 Nalin Dahyabhai 1.8.1-1 - update to 1.8.1 - - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 + - no longer need patches for rhbz#555875, rhbz#561174, rhbz#563431, RT#6661, CVE-2010-0628 - replace buildrequires on tetex-latex with one on texlive-latex, which is the package that provides it now @@ -2822,21 +2833,21 @@ exit 0 * Thu Apr 8 2010 Nalin Dahyabhai - drop patch to suppress key expiration warnings sent from the KDC in the last-req field, as the KDC is expected to just be configured to either - send them or not as a particular key approaches expiration (#556495) + send them or not as a particular key approaches expiration (rhbz#556495) * Tue Mar 23 2010 Nalin Dahyabhai - 1.8-5 -- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325) +- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, rhbz#576325) - kdc.conf: no more need to suggest keeping keys with v4-compatible salting * Fri Mar 19 2010 Nalin Dahyabhai - 1.8-4 - remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package -- replace our patch for #563431 (kpasswd doesn't fall back to guessing your +- replace our patch for rhbz#563431 (kpasswd doesn't fall back to guessing your principal name using your user name if you don't have a ccache) with the one upstream uses * Fri Mar 12 2010 Nalin Dahyabhai - 1.8-3 -- add documentation for the ticket_lifetime option (#561174) +- add documentation for the ticket_lifetime option (rhbz#561174) * Mon Mar 8 2010 Nalin Dahyabhai - 1.8-2 - pull up patch to get the client libraries to correctly perform password @@ -2856,10 +2867,10 @@ exit 0 - fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by - the default xinetd config (Olivier Fourdan, #569472) + the default xinetd config (Olivier Fourdan, rhbz#569472) * Tue Mar 2 2010 Nalin Dahyabhai - 1.7.1-5 -- fix a regression (not labeling a kdb database lock file correctly, #569902) +- fix a regression (not labeling a kdb database lock file correctly, rhbz#569902) * Thu Feb 25 2010 Nalin Dahyabhai - 1.7.1-4 - move the package changelog to the end to match the usual style (jdennis) @@ -2869,15 +2880,15 @@ exit 0 * Wed Feb 17 2010 Nalin Dahyabhai - 1.7.1-3 - pull up the change to make kpasswd's behavior better match the docs - when there's no ccache (#563431) + when there's no ccache (rhbz#563431) * Tue Feb 16 2010 Nalin Dahyabhai - 1.7.1-2 - apply patch from upstream to fix KDC denial of service (CVE-2010-0283, - #566002) + rhbz#566002) * Wed Feb 3 2010 Nalin Dahyabhai - 1.7.1-1 - update to 1.7.1 - - don't trip AD lockout on wrong password (#542687, #554351) + - don't trip AD lockout on wrong password (rhbz#542687, rhbz#554351) - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 - fixes gss_krb5_copy_ccache() when SPNEGO is used - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to @@ -2887,7 +2898,7 @@ exit 0 depends on -workstation which also includes them * Mon Jan 25 2010 Nalin Dahyabhai - 1.7-23 -- tighten up default permissions on kdc.conf and kadm5.acl (#558343) +- tighten up default permissions on kdc.conf and kadm5.acl (rhbz#558343) * Fri Jan 22 2010 Nalin Dahyabhai - 1.7-22 - use portreserve correctly -- portrelease takes the basename of the file @@ -2896,47 +2907,47 @@ exit 0 * Mon Jan 18 2010 Nalin Dahyabhai - 1.7-21 - suppress warnings of impending password expiration if expiration is more than seven days away when the KDC reports it via the last-req field, just as we - already do when it reports expiration via the key-expiration field (#556495) + already do when it reports expiration via the key-expiration field (rhbz#556495) - link with libtinfo rather than libncurses, when we can, in future RHEL * Fri Jan 15 2010 Nalin Dahyabhai - 1.7-20 - krb5_get_init_creds_password: check opte->flags instead of options->flags - when checking whether or not we get to use the prompter callback (#555875) + when checking whether or not we get to use the prompter callback (rhbz#555875) * Thu Jan 14 2010 Nalin Dahyabhai - 1.7-19 - use portreserve to make sure the KDC can always bind to the kerberos-iv port, kpropd can always bind to the krb5_prop port, and that kadmind can - always bind to the kerberos-adm port (#555279) + always bind to the kerberos-adm port (rhbz#555279) - correct inadvertent use of macros in the changelog (rpmlint) * Tue Jan 12 2010 Nalin Dahyabhai - 1.7-18 - add upstream patch for integer underflow during AES and RC4 decryption - (CVE-2009-4212), via Tom Yu (#545015) + (CVE-2009-4212), via Tom Yu (rhbz#545015) * Wed Jan 6 2010 Nalin Dahyabhai - 1.7-17 - put the conditional back for the -devel subpackage -- back down to the earlier version of the patch for #551764; the backported +- back down to the earlier version of the patch for rhbz#551764; the backported alternate version was incomplete * Tue Jan 5 2010 Nalin Dahyabhai - 1.7-16 - use %%global instead of %%define - pull up proposed patch for creating previously-not-there lock files for - kdb databases when 'kdb5_util' is called to 'load' (#551764) + kdb databases when 'kdb5_util' is called to 'load' (rhbz#551764) * Mon Jan 4 2010 Dennis Gregorovic - fix conditional for future RHEL * Mon Jan 4 2010 Nalin Dahyabhai - 1.7-15 - add upstream patch for KDC crash during referral processing (CVE-2009-3295), - via Tom Yu (#545002) + via Tom Yu (rhbz#545002) * Mon Dec 21 2009 Nalin Dahyabhai - 1.7-14 -- refresh patch for #542868 from trunk +- refresh patch for rhbz#542868 from trunk * Thu Dec 10 2009 Nalin Dahyabhai - move man pages that live in the -libs subpackage into the regular %%{_mandir} tree where they'll still be found if that package is the - only one installed (#529319) + only one installed (rhbz#529319) * Wed Dec 9 2009 Nalin Dahyabhai - 1.7-13 - and put it back in @@ -2945,14 +2956,14 @@ exit 0 - back that last change out * Tue Dec 8 2009 Nalin Dahyabhai - 1.7-12 -- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) +- try to make gss_krb5_copy_ccache() work correctly for spnego (rhbz#542868) * Fri Dec 4 2009 Nalin Dahyabhai -- make krb5-config suppress CFLAGS output when called with --libs (#544391) +- make krb5-config suppress CFLAGS output when called with --libs (rhbz#544391) * Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11 - ksu: move account management checks to before we drop privileges, like - su does (#540769) + su does (rhbz#540769) - selinux: set the user part of file creation contexts to match the current context instead of what we looked up - configure with --enable-dns-for-realm instead of --enable-dns, which isn't @@ -2960,7 +2971,7 @@ exit 0 * Fri Nov 20 2009 Nalin Dahyabhai - 1.7-10 - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, - where it's actually needed (#538703) + where it's actually needed (rhbz#538703) * Fri Oct 23 2009 Nalin Dahyabhai - 1.7-9 - add some conditional logic to simplify building on older Fedora releases @@ -2971,11 +2982,11 @@ exit 0 * Mon Sep 14 2009 Nalin Dahyabhai - 1.7-8 - specify the location of the subsystem lock when using the status() function in the kadmind and kpropd init scripts, so that we get the right error when - we're dead but have a lock file - requires initscripts 8.99 (#521772) + we're dead but have a lock file - requires initscripts 8.99 (rhbz#521772) * Tue Sep 8 2009 Nalin Dahyabhai - if the init script fails to start krb5kdc/kadmind/kpropd because it's already - running (according to status()), return 0 (part of #521772) + running (according to status()), return 0 (part of rhbz#521772) * Mon Aug 24 2009 Nalin Dahyabhai - 1.7-7 - work around a compile problem with new openssl @@ -3034,7 +3045,7 @@ exit 0 - drop static build logic - drop pam_krb5-specific configuration from the default krb5.conf - drop only-use-v5 flags being passed to various things started by xinetd -- put %%{krb5prefix}/sbin in everyone's path, too (#504525) +- put %%{krb5prefix}/sbin in everyone's path, too (rhbz#504525) * Tue May 19 2009 Nalin Dahyabhai 1.6.3-106 - add an auth stack to ksu's PAM configuration so that pam_setcred() calls @@ -3058,7 +3069,7 @@ exit 0 - add LSB-style init script info * Fri Apr 17 2009 Nalin Dahyabhai -- explicitly run the pdf generation script using sh (part of #225974) +- explicitly run the pdf generation script using sh (part of rhbz#225974) * Tue Apr 7 2009 Nalin Dahyabhai 1.6.3-101 - add patches for read overflow and null pointer dereference in the @@ -3074,14 +3085,14 @@ exit 0 - use triggeruns to properly shut down and disable krb524d when -server and -workstation-servers gets upgraded, because it's gone now - move the libraries to /%%{_lib}, but leave --libdir alone so that plugins - get installed and are searched for in the same locations (#473333) + get installed and are searched for in the same locations (rhbz#473333) - clean up buildprereq/prereqs, explicit mktemp requires, and add the - ldconfig for the -server-ldap subpackage (part of #225974) -- escape possible macros in the changelog (part of #225974) -- fixup summary texts (part of #225974) -- take the execute bit off of the protocol docs (part of #225974) -- unflag init scripts as configuration files (part of #225974) -- make the kpropd init script treat 'reload' as 'restart' (part of #225974) + ldconfig for the -server-ldap subpackage (part of rhbz#225974) +- escape possible macros in the changelog (part of rhbz#225974) +- fixup summary texts (part of rhbz#225974) +- take the execute bit off of the protocol docs (part of rhbz#225974) +- unflag init scripts as configuration files (part of rhbz#225974) +- make the kpropd init script treat 'reload' as 'restart' (part of rhbz#225974) * Tue Mar 17 2009 Nalin Dahyabhai 1.6.3-19 - libgssapi_krb5: backport fix for some errors which can occur when @@ -3096,7 +3107,7 @@ exit 0 * Thu Sep 4 2008 Nalin Dahyabhai - if we successfully change the user's password during an attempt to get initial credentials, but then fail to get initial creds from a non-master - using the new password, retry against the master (#432334) + using the new password, retry against the master (rhbz#432334) * Tue Aug 5 2008 Tom "spot" Callaway 1.6.3-16 - fix license tag @@ -3119,7 +3130,7 @@ exit 0 * Wed Apr 16 2008 Nalin Dahyabhai 1.6.3-13 - ftp: use the correct local filename during mget when the 'case' option is - enabled (#442713) + enabled (rhbz#442713) * Fri Apr 4 2008 Nalin Dahyabhai 1.6.3-12 - stop exporting kadmin keys to a keytab file when kadmind starts -- the @@ -3133,17 +3144,17 @@ exit 0 * Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-10 - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, - #432620, #432621) + rhbz#432620, rhbz#432621) - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when - high-numbered descriptors are used (CVE-2008-0947, #433596) + high-numbered descriptors are used (CVE-2008-0947, rhbz#433596) - add backport bug fix for an attempt to free non-heap memory in - libgssapi_krb5 (CVE-2007-5901, #415321) + libgssapi_krb5 (CVE-2007-5901, rhbz#415321) - add backport bug fix for a double-free in out-of-memory situations in - libgssapi_krb5 (CVE-2007-5971, #415351) + libgssapi_krb5 (CVE-2007-5971, rhbz#415351) * Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-9 - rework file labeling patch to not depend on fragile preprocessor trickery, - in another attempt at fixing #428355 and friends + in another attempt at fixing rhbz#428355 and friends * Tue Feb 26 2008 Nalin Dahyabhai 1.6.3-8 - ftp: add patch to fix "runique on" case when globbing fixes applied @@ -3151,12 +3162,12 @@ exit 0 * Mon Feb 25 2008 Nalin Dahyabhai - add patch to suppress double-processing of /etc/krb5.conf when we build - with --sysconfdir=/etc, thereby suppressing double-logging (#231147) + with --sysconfdir=/etc, thereby suppressing double-logging (rhbz#231147) * Mon Feb 25 2008 Nalin Dahyabhai - remove a patch, to fix problems with interfaces which are "up" but which have no address assigned, which conflicted with a different fix for the same - problem in 1.5 (#200979) + problem in 1.5 (rhbz#200979) * Mon Feb 25 2008 Nalin Dahyabhai - ftp: don't lose track of a descriptor on passive get when the server fails to @@ -3180,22 +3191,22 @@ exit 0 * Tue Feb 12 2008 Nalin Dahyabhai 1.6.3-5 - enable patch for key-expiration reporting -- enable patch to make kpasswd fall back to TCP if UDP fails (#251206) +- enable patch to make kpasswd fall back to TCP if UDP fails (rhbz#251206) - enable patch to make kpasswd use the right sequence number on retransmit - enable patch to allow mech-specific creds delegated under spnego to be found when searching for creds * Wed Jan 2 2008 Nalin Dahyabhai 1.6.3-4 - some init script cleanups - - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502) + - drop unquoted check and silent exit for "$NETWORKING" (rhbz#426852, rhbz#242502) - krb524: don't barf on missing database if it looks like we're using kldap, same as for kadmin - return non-zero status for missing files which cause startup to - fail (#242502) + fail (rhbz#242502) * Tue Dec 18 2007 Nalin Dahyabhai 1.6.3-3 - allocate space for the nul-terminator in the local pathname when looking up - a file context, and properly free a previous context (Jose Plans, #426085) + a file context, and properly free a previous context (Jose Plans, rhbz#426085) * Wed Dec 5 2007 Nalin Dahyabhai 1.6.3-2 - rebuild @@ -3211,7 +3222,7 @@ exit 0 * Fri Oct 12 2007 Nalin Dahyabhai - make krb5.conf %%verify(not md5 size mtime) in addition to - %%config(noreplace), like /etc/nsswitch.conf (#329811) + %%config(noreplace), like /etc/nsswitch.conf (rhbz#329811) * Mon Oct 1 2007 Nalin Dahyabhai 1.6.2-9 - apply the fix for CVE-2007-4000 instead of the experimental patch for @@ -3228,7 +3239,7 @@ exit 0 * Thu Sep 6 2007 Nalin Dahyabhai 1.6.2-6 - incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) -- fix incorrect call to "test" in the kadmin init script (#252322,#287291) +- fix incorrect call to "test" in the kadmin init script (rhbz#252322,rhbz#287291) * Tue Sep 4 2007 Nalin Dahyabhai 1.6.2-5 - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) @@ -3241,7 +3252,7 @@ exit 0 - rebuild * Thu Jul 26 2007 Nalin Dahyabhai 1.6.2-2 -- kdc.conf: default to listening for TCP clients, too (#248415) +- kdc.conf: default to listening for TCP clients, too (rhbz#248415) * Thu Jul 19 2007 Nalin Dahyabhai 1.6.2-1 - update to 1.6.2 @@ -3267,13 +3278,13 @@ exit 0 - rebuild * Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-3 -- label all files at creation-time according to the SELinux policy (#228157) +- label all files at creation-time according to the SELinux policy (rhbz#228157) * Fri Jun 22 2007 Nalin Dahyabhai -- perform PAM account / session management in krshd (#182195,#195922) +- perform PAM account / session management in krshd (rhbz#182195,rhbz#195922) - perform PAM authentication and account / session management in ftpd - perform PAM authentication, account / session management, and password- - changing in login.krb5 (#182195,#195922) + changing in login.krb5 (rhbz#182195,rhbz#195922) * Fri Jun 22 2007 Nalin Dahyabhai - preprocess kerberos.ldif into a format FDS will like better, and include @@ -3283,7 +3294,7 @@ exit 0 - switch man pages to being generated with the right paths in them - drop old, incomplete SELinux patch - add patch from Greg Hudson to make srvtab routines report missing-file errors - at same point that keytab routines do (#241805) + at same point that keytab routines do (rhbz#241805) * Thu May 24 2007 Nalin Dahyabhai 1.6.1-2 - pull patch from svn to undo unintentional chattiness in ftp @@ -3304,7 +3315,7 @@ exit 0 * Wed May 16 2007 Nalin Dahyabhai 1.6-6 - omit dependent libraries from the krb5-config --libs output, as using shared libraries (no more static libraries) makes them unnecessary and - they're not part of the libkrb5 interface (patch by Rex Dieter, #240220) + they're not part of the libkrb5 interface (patch by Rex Dieter, rhbz#240220) (strips out libkeyutils, libresolv, libdl) * Fri May 4 2007 Nalin Dahyabhai 1.6-5 @@ -3319,17 +3330,17 @@ exit 0 * Fri Apr 13 2007 Nalin Dahyabhai - move the default acl_file, dict_file, and admin_keytab settings to the part of the default/example kdc.conf where they'll actually have - an effect (#236417) + an effect (rhbz#236417) * Thu Apr 5 2007 Nalin Dahyabhai 1.5-24 - merge security fixes from RHSA-2007:0095 * Tue Apr 3 2007 Nalin Dahyabhai 1.6-3 - add patch to correct unauthorized access via krb5-aware telnet - daemon (#229782, CVE-2007-0956) + daemon (rhbz#229782, CVE-2007-0956) - add patch to fix buffer overflow in krb5kdc and kadmind - (#231528, CVE-2007-0957) -- add patch to fix double-free in kadmind (#231537, CVE-2007-1216) + (rhbz#231528, CVE-2007-0957) +- add patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) * Thu Mar 22 2007 Nalin Dahyabhai - back out buildrequires: keyutils-libs-devel for now @@ -3345,19 +3356,19 @@ exit 0 * Thu Mar 15 2007 Nalin Dahyabhai 1.5-21 - add preliminary patch to fix buffer overflow in krb5kdc and kadmind - (#231528, CVE-2007-0957) -- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) + (rhbz#231528, CVE-2007-0957) +- add preliminary patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) * Wed Feb 28 2007 Nalin Dahyabhai - add patch to build semi-useful static libraries, but don't apply it unless we need them * Tue Feb 27 2007 Nalin Dahyabhai - 1.5-20 -- temporarily back out %%post changes, fix for #143289 for security update +- temporarily back out %%post changes, fix for rhbz#143289 for security update - add preliminary patch to correct unauthorized access via krb5-aware telnet * Mon Feb 19 2007 Nalin Dahyabhai -- make profile.d scriptlets mode 644 instead of 755 (part of #225974) +- make profile.d scriptlets mode 644 instead of 755 (part of rhbz#225974) * Tue Jan 30 2007 Nalin Dahyabhai 1.6-1 - clean up quoting of command-line arguments passed to the krsh/krlogin @@ -3365,22 +3376,22 @@ exit 0 * Mon Jan 22 2007 Nalin Dahyabhai - initial update to 1.6, pre-package-reorg -- move workstation daemons to a new subpackage (#81836, #216356, #217301), and - make the new subpackage require xinetd (#211885) +- move workstation daemons to a new subpackage (#81836, rhbz#216356, rhbz#217301), and + make the new subpackage require xinetd (rhbz#211885) * Mon Jan 22 2007 Nalin Dahyabhai - 1.5-18 -- make use of install-info more failsafe (Ville Skyttä, #223704) +- make use of install-info more failsafe (Ville Skyttä, rhbz#223704) - preserve timestamps on shell scriptlets at %%install-time * Tue Jan 16 2007 Nalin Dahyabhai - 1.5-17 -- move to using pregenerated PDF docs to cure multilib conflicts (#222721) +- move to using pregenerated PDF docs to cure multilib conflicts (rhbz#222721) * Fri Jan 12 2007 Nalin Dahyabhai - 1.5-16 -- update backport of the preauth module interface (part of #194654) +- update backport of the preauth module interface (part of rhbz#194654) * Tue Jan 9 2007 Nalin Dahyabhai - 1.5-14 -- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456) -- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456) +- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (rhbz#218456) +- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (rhbz#218456) * Wed Dec 20 2006 Nalin Dahyabhai - 1.5-12 - update backport of the preauth module interface @@ -3398,21 +3409,21 @@ exit 0 been applicable for a while * Wed Oct 18 2006 Nalin Dahyabhai - 1.5-10 -- rename krb5.sh and krb5.csh so that they don't overlap (#210623) +- rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623) - way-late application of added error info in kadmind.init (#65853) * Wed Oct 18 2006 Nalin Dahyabhai - 1.5-9.pal_18695 -- add backport of in-development preauth module interface (#208643) +- add backport of in-development preauth module interface (rhbz#208643) * Mon Oct 9 2006 Nalin Dahyabhai - 1.5-9 -- provide docs in PDF format instead of as tex source (Enrico Scholz, #209943) +- provide docs in PDF format instead of as tex source (Enrico Scholz, rhbz#209943) * Wed Oct 4 2006 Nalin Dahyabhai - 1.5-8 -- add missing shebang headers to krsh and krlogin wrapper scripts (#209238) +- add missing shebang headers to krsh and krlogin wrapper scripts (rhbz#209238) * Wed Sep 6 2006 Nalin Dahyabhai - 1.5-7 - set SS_LIB at configure-time so that libss-using apps get working readline - support (#197044) + support (rhbz#197044) * Fri Aug 18 2006 Nalin Dahyabhai - 1.5-6 - switch to the updated patch for MITKRB-SA-2006-001 @@ -3423,7 +3434,7 @@ exit 0 * Mon Aug 7 2006 Nalin Dahyabhai - 1.5-4 - ensure that the gssapi library's been initialized before walking the internal mechanism list in gss_release_oid(), needed if called from - gss_release_name() right after a gss_import_name() (#198092) + gss_release_name() right after a gss_import_name() (rhbz#198092) * Tue Jul 25 2006 Nalin Dahyabhai - 1.5-3 - rebuild @@ -3444,7 +3455,7 @@ exit 0 - update to 1.5 * Fri Jun 23 2006 Nalin Dahyabhai 1.4.3-9 -- mark profile.d config files noreplace (Laurent Rineau, #196447) +- mark profile.d config files noreplace (Laurent Rineau, rhbz#196447) * Thu Jun 8 2006 Nalin Dahyabhai 1.4.3-8 - add buildprereq for autoconf @@ -3452,11 +3463,11 @@ exit 0 * Mon May 22 2006 Nalin Dahyabhai 1.4.3-7 - further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit architectures, to avoid multilib conflicts; other changes will conspire to - strip out the -L flag which uses this, so it should be harmless (#192692) + strip out the -L flag which uses this, so it should be harmless (rhbz#192692) * Fri Apr 28 2006 Nalin Dahyabhai 1.4.3-6 - adjust the patch which removes the use of rpath to also produce a - krb5-config which is okay in multilib environments (#190118) + krb5-config which is okay in multilib environments (rhbz#190118) - make the name-of-the-tempfile comment which compile_et adds to error code headers always list the same file to avoid conflicts on multilib installations - strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes @@ -3471,7 +3482,7 @@ exit 0 * Mon Feb 6 2006 Nalin Dahyabhai 1.4.3-4 - give a little bit more information to the user when kinit gets the catch-all - I/O error (#180175) + I/O error (rhbz#180175) * Thu Jan 19 2006 Nalin Dahyabhai 1.4.3-3 - rebuild properly when pthread_mutexattr_setrobust_np() is defined but not @@ -3485,19 +3496,19 @@ exit 0 * Thu Dec 1 2005 Nalin Dahyabhai - login: don't truncate passwords before passing them into crypt(), in - case they're significant (#149476) + case they're significant (rhbz#149476) * Thu Nov 17 2005 Nalin Dahyabhai 1.4.3-1 - update to 1.4.3 -- make ksu setuid again (#137934, others) +- make ksu setuid again (rhbz#137934, others) * Tue Sep 13 2005 Nalin Dahyabhai 1.4.2-4 - mark %%{krb5prefix}/man so that files which are packaged within it are - flagged as %%doc (#168163) + flagged as %%doc (rhbz#168163) * Tue Sep 6 2005 Nalin Dahyabhai 1.4.2-3 - add an xinetd configuration file for encryption-only telnetd, parallelling - the kshell/ekshell pair (#167535) + the kshell/ekshell pair (rhbz#167535) * Wed Aug 31 2005 Nalin Dahyabhai 1.4.2-2 - change the default configured encryption type for KDC databases to the @@ -3512,23 +3523,23 @@ exit 0 * Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-5 - fix telnet client environment variable disclosure the same way NetKit's - telnet client did (CAN-2005-0488) (#159305) + telnet client did (CAN-2005-0488) (rhbz#159305) - keep apps which call krb5_principal_compare() or krb5_realm_compare() with malformed or NULL principal structures from crashing outright (Thomas Biege) - (#161475) + (rhbz#161475) * Tue Jun 28 2005 Nalin Dahyabhai - apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175) - (#157104) -- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755) + (rhbz#157104) +- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (rhbz#159755) * Fri Jun 24 2005 Nalin Dahyabhai 1.4.1-4 - fix double-close in keytab handling -- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612) +- add port of fixes for CAN-2004-0175 to krb5-aware rcp (rhbz#151612) * Fri May 13 2005 Nalin Dahyabhai 1.4.1-3 - prevent spurious EBADF in krshd when stdin is closed by the client while - the command is running (#151111) + the command is running (rhbz#151111) * Fri May 13 2005 Martin Stransky 1.4.1-2 - add deadlock patch, removed old patch @@ -3587,18 +3598,18 @@ exit 0 - rebuild * Mon Nov 22 2004 Nalin Dahyabhai 1.3.5-3 -- fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, #140036) +- fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, rhbz#140036) * Tue Nov 16 2004 Nalin Dahyabhai - silence compiler warning in kprop by using an in-memory ccache with a fixed name instead of an on-disk ccache with a name generated by tmpnam() * Tue Nov 16 2004 Nalin Dahyabhai 1.3.5-2 -- fix globbing patch port mode (#139075) +- fix globbing patch port mode (rhbz#139075) * Mon Nov 1 2004 Nalin Dahyabhai 1.3.5-1 - fix segfault in telnet due to incorrect checking of gethostbyname_r result - codes (#129059) + codes (rhbz#129059) * Fri Oct 15 2004 Nalin Dahyabhai - remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of @@ -3623,11 +3634,11 @@ exit 0 * Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-3 - incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 - (MITKRB5-SA-2004-002, #130732) -- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) + (MITKRB5-SA-2004-002, rhbz#130732) +- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, rhbz#130732) * Tue Jul 27 2004 Nalin Dahyabhai 1.3.4-2 -- fix indexing error in server sorting patch (#127336) +- fix indexing error in server sorting patch (rhbz#127336) * Tue Jun 15 2004 Elliot Lee - rebuilt @@ -3652,7 +3663,7 @@ exit 0 - rebuild * Tue Jun 1 2004 Nalin Dahyabhai 1.3.3-4 -- apply patch from MITKRB5-SA-2004-001 (#125001) +- apply patch from MITKRB5-SA-2004-001 (rhbz#125001) * Wed May 12 2004 Thomas Woerner 1.3.3-3 - removed rpath @@ -3682,17 +3693,17 @@ exit 0 * Mon Feb 2 2004 Nalin Dahyabhai 1.3.1-9 - remove patch to set TERM in klogind which, combined with the upstream fix in - 1.3.1, actually produces the bug now (#114762) + 1.3.1, actually produces the bug now (rhbz#114762) * Mon Jan 19 2004 Nalin Dahyabhai 1.3.1-8 - when iterating over lists of interfaces which are "up" from getifaddrs(), - skip over those which have no address (#113347) + skip over those which have no address (rhbz#113347) * Mon Jan 12 2004 Nalin Dahyabhai - prefer the kdc which last replied to a request when sending requests to kdcs * Mon Nov 24 2003 Nalin Dahyabhai 1.3.1-7 -- fix combination of --with-netlib and --enable-dns (#82176) +- fix combination of --with-netlib and --enable-dns (rhbz#82176) * Tue Nov 18 2003 Nalin Dahyabhai - remove libdefault ticket_lifetime option from the default krb5.conf, it is @@ -3901,12 +3912,12 @@ exit 0 * Wed Jun 27 2001 Nalin Dahyabhai - add patch to support "ANY" keytab type (i.e., "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" - patch from Gerald Britton, #42551) -- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697) + patch from Gerald Britton, rhbz#42551) +- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (rhbz#30697) - patch ftpd to use long long and %%lld format specifiers to support the SIZE - command on large files (also #30697) -- don't use LOG_AUTH as an option value when calling openlog() in ksu (#45965) -- implement reload in krb5kdc and kadmind init scripts (#41911) + command on large files (also rhbz#30697) +- don't use LOG_AUTH as an option value when calling openlog() in ksu (rhbz#45965) +- implement reload in krb5kdc and kadmind init scripts (rhbz#41911) - lose the krb5server init script (not using it any more) * Sun Jun 24 2001 Elliot Lee @@ -3919,7 +3930,7 @@ exit 0 - rebuild in new environment * Thu Apr 26 2001 Nalin Dahyabhai -- add patch from Tom Yu to fix ftpd overflows (#37731) +- add patch from Tom Yu to fix ftpd overflows (rhbz#37731) * Wed Apr 18 2001 Than Ngo - disable optimizations on the alpha again @@ -3943,7 +3954,7 @@ exit 0 - own %%{_var}/kerberos * Tue Feb 6 2001 Nalin Dahyabhai -- own the directories which are created for each package (#26342) +- own the directories which are created for each package (rhbz#26342) * Tue Jan 23 2001 Nalin Dahyabhai - gettextize init scripts @@ -3953,7 +3964,7 @@ exit 0 - re-enable optimization on alphas * Mon Jan 15 2001 Nalin Dahyabhai -- fix krb5-send-pr (#18932) and move it from -server to -workstation +- fix krb5-send-pr (rhbz#18932) and move it from -server to -workstation - buildprereq libtermcap-devel - temporariliy disable optimization on alphas - gettextize init scripts @@ -3965,29 +3976,29 @@ exit 0 - rebuild in new environment * Tue Oct 31 2000 Nalin Dahyabhai -- add bison as a BuildPrereq (#20091) +- add bison as a BuildPrereq (rhbz#20091) * Mon Oct 30 2000 Nalin Dahyabhai -- change /usr/dict/words to /usr/share/dict/words in default kdc.conf (#20000) +- change /usr/dict/words to /usr/share/dict/words in default kdc.conf (rhbz#20000) * Thu Oct 5 2000 Nalin Dahyabhai - apply kpasswd bug fixes from David Wragg * Wed Oct 4 2000 Nalin Dahyabhai -- make krb5-libs obsolete the old krb5-configs package (#18351) +- make krb5-libs obsolete the old krb5-configs package (rhbz#18351) - don't quit from the kpropd init script if there's no principal database so that you can propagate the first time without running kpropd manually - don't complain if /etc/ld.so.conf doesn't exist in the -libs %%post * Tue Sep 12 2000 Nalin Dahyabhai - fix credential forwarding problem in klogind (goof in KRB5CCNAME handling) - (#11588) -- fix heap corruption bug in FTP client (#14301) + (rhbz#11588) +- fix heap corruption bug in FTP client (rhbz#14301) * Wed Aug 16 2000 Nalin Dahyabhai - fix summaries and descriptions - switched the default transfer protocol from PORT to PASV as proposed on - bugzilla (#16134), and to match the regular ftp package's behavior + bugzilla (rhbz#16134), and to match the regular ftp package's behavior * Wed Jul 19 2000 Jeff Johnson - rebuild to compress man pages.