Compare commits

...

No commits in common. 'i10c-beta' and 'c9' have entirely different histories.

2
.gitignore vendored

@ -1 +1 @@
SOURCES/krb5-1.21.3.tar.gz SOURCES/krb5-1.21.1.tar.gz

@ -1 +1 @@
3e383bbe88cbed56bdad4ba655c40abf0e961cf7 SOURCES/krb5-1.21.3.tar.gz 505440658a00e009c430439dba60e13a98067cd3 SOURCES/krb5-1.21.1.tar.gz

@ -1,8 +1,8 @@
From 6f7fd964539dfe4a885068f43a91db9738661870 Mon Sep 17 00:00:00 2001 From 93bb4f5ba6fd79e72a75de20e209db219118a3a1 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Tue, 9 Jul 2024 11:15:33 +0200 Date: Wed, 2 Aug 2023 10:19:28 +0200
Subject: [PATCH] [downstream] Revert "Don't issue session keys with Subject: [PATCH] [downstream] Revert "Don't issue session keys with deprecated
deprecated enctypes" enctypes"
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463. This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
--- ---
@ -306,5 +306,5 @@ index 8e5f5ba8e9..2a86c5cdfc 100644
'supported_enctypes': 'arcfour-hmac:normal', 'supported_enctypes': 'arcfour-hmac:normal',
'master_key_type': 'arcfour-hmac'}}}), 'master_key_type': 'arcfour-hmac'}}}),
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From de4205c45e310ceaaa7cd7958af7293322fa43a6 Mon Sep 17 00:00:00 2001 From d7be72b066a9b07f0426780c7931614eddf9dd9e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400 Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration Subject: [PATCH] [downstream] ksu pam integration
@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 30ff501e4b519396f5aea25e24919be817863e7c Mon Sep 17 00:00:00 2001 From 021f1f1bf690694945a3ab0a5221797a7bcd6a99 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400 Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration Subject: [PATCH] [downstream] SELinux integration
@ -238,10 +238,10 @@ index 0000000000..dfaaa847cb
+#endif +#endif
+#endif +#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 4e09ed345d..09f800be52 100644 index 9c76780181..dd6430ece8 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -83,6 +83,12 @@ @@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z) #define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif #endif
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
+ +
+#endif /* USE_SELINUX */ +#endif /* USE_SELINUX */
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 393830d96000ed692aa9a99ef87187d6f2863931 Mon Sep 17 00:00:00 2001 From 780db3e904ada1946b0d1dce04c8daa74273c7b6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400 Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
install: install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 7d697742abb370cfc7241c1faa78ba08d7650f6a Mon Sep 17 00:00:00 2001 From 1f992f9a857346b8837fd12d8c90f7b2cafb9613 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400 Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support Subject: [PATCH] [downstream] Remove 3des support
@ -259,7 +259,7 @@ index 45fe160d7f..b4b1f3bd93 100644
CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py diff --git a/doc/conf.py b/doc/conf.py
index ecf9020a72..db7fa377ef 100644 index cd76f5999f..1e1cfce80c 100644
--- a/doc/conf.py --- a/doc/conf.py
+++ b/doc/conf.py +++ b/doc/conf.py
@@ -281,7 +281,7 @@ else: @@ -281,7 +281,7 @@ else:
@ -326,10 +326,10 @@ index 69be9030f8..2561e917a2 100644
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 09f800be52..c5a625db8f 100644 index dd6430ece8..350bcf86f2 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -422,8 +422,8 @@ typedef struct _krb5_crypto_iov { @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */
@ -340,7 +340,7 @@ index 09f800be52..c5a625db8f 100644
#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */
/* PKINIT */ /* PKINIT */
#define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */
@@ -432,9 +432,9 @@ typedef struct _krb5_crypto_iov { @@ -436,9 +436,9 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */ #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */
#define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */ #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */
#define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */ #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */
@ -352,7 +352,7 @@ index 09f800be52..c5a625db8f 100644
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */
#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */
@@ -459,7 +459,7 @@ typedef struct _krb5_crypto_iov { @@ -463,7 +463,7 @@ typedef struct _krb5_crypto_iov {
#define CKSUMTYPE_RSA_MD5 0x0007 #define CKSUMTYPE_RSA_MD5 0x0007
#define CKSUMTYPE_RSA_MD5_DES 0x0008 #define CKSUMTYPE_RSA_MD5_DES 0x0008
#define CKSUMTYPE_NIST_SHA 0x0009 #define CKSUMTYPE_NIST_SHA 0x0009
@ -5491,10 +5491,10 @@ index 9b183bc337..f0cc4a6809 100644
if (sealalg != 0xffff) if (sealalg != 0xffff)
xfree(plain); xfree(plain);
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 21b501731e..6a6585d9af 100644 index 85a9574f36..3ce2a90ce9 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c --- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -103,28 +103,21 @@ kg_unseal_v1_iov(krb5_context context, @@ -102,28 +102,21 @@ kg_unseal_v1_iov(krb5_context context,
} }
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) || if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
@ -5528,7 +5528,7 @@ index 21b501731e..6a6585d9af 100644
/* get the token parameters */ /* get the token parameters */
code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction, code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
&seqnum); &seqnum);
@@ -182,16 +175,10 @@ kg_unseal_v1_iov(krb5_context context, @@ -181,16 +174,10 @@ kg_unseal_v1_iov(krb5_context context,
/* initialize the checksum */ /* initialize the checksum */
@ -5548,7 +5548,7 @@ index 21b501731e..6a6585d9af 100644
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code != 0) { if (code != 0) {
@@ -210,18 +197,13 @@ kg_unseal_v1_iov(krb5_context context, @@ -209,18 +196,13 @@ kg_unseal_v1_iov(krb5_context context,
goto cleanup; goto cleanup;
} }
@ -5917,10 +5917,10 @@ index 7494d7fcdb..2f95d89967 100755
# because the ticket session key and initiator subkey are # because the ticket session key and initiator subkey are
# non-permitted. (This is unfortunate if the acceptor's restriction # non-permitted. (This is unfortunate if the acceptor's restriction
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 882e163634..8192935099 100644 index 9876a11e67..fb8fe55111 100644
--- a/src/tests/gssapi/t_invalid.c --- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c
@@ -94,18 +94,6 @@ struct test { @@ -84,18 +84,6 @@ struct test {
size_t toklen; size_t toklen;
const char *token; const char *token;
} tests[] = { } tests[] = {
@ -6201,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
<td>The AES Advanced Encryption Standard <td>The AES Advanced Encryption Standard
family, like 3DES, is a symmetric block cipher and was designed family, like 3DES, is a symmetric block cipher and was designed
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 7b6453903c248a761d3ceb538dfacebbf3d3a9ff Mon Sep 17 00:00:00 2001 From 2dc9988da95cdd76335a00007b262272ca8c45b3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500 Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
vt->name = "spake"; vt->name = "spake";
vt->pa_type_list = pa_types; vt->pa_type_list = pa_types;
-- --
2.45.1 2.41.0

@ -1,8 +1,7 @@
From 707fa7bd2be6327343dc8fc5c20dc77645524518 Mon Sep 17 00:00:00 2001 From 343e4042abdec8697d2c30eb84f70bdbd8388302 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 May 2022 17:15:12 +0200 Date: Thu, 5 May 2022 17:15:12 +0200
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for mode, because MD5 digest is not considered safe enough to be used for
@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644
retval = ESOCKTNOSUPPORT; retval = ESOCKTNOSUPPORT;
goto error; goto error;
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 1da88bea558348be2974470774aa688f8be634c0 Mon Sep 17 00:00:00 2001 From aa0556348373d6aca0a1bda96fe7a47888051d33 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Wed, 7 Dec 2022 13:22:42 +0100 Date: Wed, 7 Dec 2022 13:22:42 +0100
Subject: [PATCH] [downstream] Make tests compatible with Subject: [PATCH] [downstream] Make tests compatible with
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
fail('URI answers do not match') fail('URI answers do not match')
j += 1 j += 1
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 775ed8588cc21385fb16a4cec4a861f0d578ce04 Mon Sep 17 00:00:00 2001 From 52904f3693397dace4e9ef5db1cd7d14eaa3b1fb Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 Jan 2023 20:06:47 +0100 Date: Thu, 5 Jan 2023 20:06:47 +0100
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
* The SPAKE kdcpreauth module uses a secure cookie containing the following * The SPAKE kdcpreauth module uses a secure cookie containing the following
* concatenated fields (all integer fields are big-endian): * concatenated fields (all integer fields are big-endian):
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 4fd20741afcf76085ea62eb015cd589bb9392a7b Mon Sep 17 00:00:00 2001 From f9429a9944b056376a1ff06e84dbf7e94f0d3108 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Mon, 9 Jan 2023 22:39:52 +0100 Date: Mon, 9 Jan 2023 22:39:52 +0100
Subject: [PATCH] [downstream] Do not set root as ksu file owner Subject: [PATCH] [downstream] Do not set root as ksu file owner
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
## ${prefix}. ## ${prefix}.
prefix=@prefix@ prefix=@prefix@
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From 16f90c007036789d8d9343e8a0cbabfd21853b5a Mon Sep 17 00:00:00 2001 From c002d03cce1c82e74a0c76b323c1bf1e619d022e Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Thu, 19 Jan 2023 19:22:27 +0100 Date: Thu, 19 Jan 2023 19:22:27 +0100
Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
ret = KRB5_CRYPTO_INTERNAL; ret = KRB5_CRYPTO_INTERNAL;
goto done; goto done;
-- --
2.45.1 2.41.0

@ -1,8 +1,7 @@
From 23b58199db429603802e338db530677b61561335 Mon Sep 17 00:00:00 2001 From 83c99246ae9b157e462142daddccca5e18c2f3fd Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Wed, 15 Mar 2023 15:56:34 +0100 Date: Wed, 15 Mar 2023 15:56:34 +0100
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
optional
MS-PAC states that "The ticket signature SHOULD be included in tickets MS-PAC states that "The ticket signature SHOULD be included in tickets
that are not encrypted to the krbtgt account". However, the that are not encrypted to the krbtgt account". However, the
@ -74,10 +73,10 @@ index 745b24f351..6075349e5e 100644
#if !defined(_WIN32) #if !defined(_WIN32)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c5a625db8f..2d9b64dc85 100644 index 350bcf86f2..17e1b52266 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -8329,6 +8329,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, @@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
const krb5_keyblock *server, const krb5_keyblock *server,
const krb5_keyblock *privsvr, krb5_pac *pac_out); const krb5_keyblock *privsvr, krb5_pac *pac_out);
@ -259,7 +258,7 @@ index 4c50e935a2..d4b0455c8c 100644
krb5_kt_client_default krb5_kt_client_default
krb5_kt_close krb5_kt_close
diff --git a/src/man/kadmin.man b/src/man/kadmin.man diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 8413e70ccd..f68eb0569d 100644 index c29638a227..1da1609cc8 100644
--- a/src/man/kadmin.man --- a/src/man/kadmin.man
+++ b/src/man/kadmin.man +++ b/src/man/kadmin.man
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to @@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
@ -276,5 +275,5 @@ index 8413e70ccd..f68eb0569d 100644
.sp .sp
This command requires the \fBmodify\fP privilege. This command requires the \fBmodify\fP privilege.
-- --
2.45.1 2.41.0

@ -1,8 +1,8 @@
From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001 From fef5896463a50e94d3a68f59f7c78a6e943ac5ad Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com> From: Julien Rische <jrische@redhat.com>
Date: Tue, 23 May 2023 12:19:54 +0200 Date: Tue, 23 May 2023 12:19:54 +0200
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
verification available in FIPS mode available in FIPS mode
We recommend using the SHA1 crypto-module in order to allow the We recommend using the SHA1 crypto-module in order to allow the
verification of SHA-1 signature for CMS messages. However, this module verification of SHA-1 signature for CMS messages. However, this module
@ -20,7 +20,7 @@ curve cryptography is implemented for PKINIT in MIT krb5.
1 file changed, 10 insertions(+), 1 deletion(-) 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index cb9c79626c..17dd18e37d 100644 index f41328763e..263ef7845e 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context, @@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
@ -43,5 +43,5 @@ index cb9c79626c..17dd18e37d 100644
goto cleanup; goto cleanup;
} }
-- --
2.45.1 2.41.0

@ -1,4 +1,4 @@
From c24c9faf859ddc04910a6bc591d8ddb2ada93e80 Mon Sep 17 00:00:00 2001 From 906d3441b846ed09882490b6128db6fedf39e63b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 30 May 2023 01:21:48 -0400 Date: Tue, 30 May 2023 01:21:48 -0400
Subject: [PATCH] Enable PKINIT if at least one group is available Subject: [PATCH] Enable PKINIT if at least one group is available
@ -15,7 +15,6 @@ well-known group parameters successfully decodes.
[ghudson@mit.edu: minor commit message and code edits] [ghudson@mit.edu: minor commit message and code edits]
ticket: 9096 (new) ticket: 9096 (new)
(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a)
--- ---
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +- src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
@ -52,7 +51,7 @@ index 9fa315d7a0..8bdbea8e95 100644
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 17dd18e37d..8cdc40bfb4 100644 index 263ef7845e..d646073d55 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -47,7 +47,8 @@ @@ -47,7 +47,8 @@
@ -139,7 +138,7 @@ index 17dd18e37d..8cdc40bfb4 100644
} }
static void static void
@@ -2912,11 +2920,11 @@ client_create_dh(krb5_context context, @@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
if (cryptoctx->received_params != NULL) if (cryptoctx->received_params != NULL)
params = cryptoctx->received_params; params = cryptoctx->received_params;
@ -154,7 +153,7 @@ index 17dd18e37d..8cdc40bfb4 100644
params = plg_cryptoctx->dh_4096; params = plg_cryptoctx->dh_4096;
else else
goto cleanup; goto cleanup;
@@ -3212,19 +3220,23 @@ pkinit_create_td_dh_parameters(krb5_context context, @@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
krb5_algorithm_identifier *alglist[4]; krb5_algorithm_identifier *alglist[4];
@ -214,5 +213,5 @@ index 259e95c6c2..5ee39c085c 100644
TRACE(c, "PKINIT OpenSSL error: {str}", msg) TRACE(c, "PKINIT OpenSSL error: {str}", msg)
-- --
2.45.1 2.41.0

@ -0,0 +1,48 @@
From 137e424f7ae7c054e1dcb41c929a961bb021ed8b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 Aug 2023 09:54:06 +0200
Subject: [PATCH] Fix double-free in KDC TGS processing
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)
---
src/kdc/do_tgs_req.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6e4c8fa9f3..0acc45850f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
}
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
- /* Copy the whole header ticket except for authorization data. */
- ticket_reply = *t->header_tkt;
+ /* Copy the header ticket server and all enc-part fields except for
+ * authorization data. */
+ ticket_reply.server = t->header_tkt->server;
enc_tkt_reply = *t->header_tkt->enc_part2;
enc_tkt_reply.authorization_data = NULL;
} else {
--
2.41.0

@ -1,4 +1,4 @@
From b09d402db9ff6dc89b2761482933f0bf47778cea Mon Sep 17 00:00:00 2001 From 25015e67106a77dff044421547852f0b0e0fd778 Mon Sep 17 00:00:00 2001
From: Ken Hornstein <kenh@cmf.nrl.navy.mil> From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Fri, 9 Jun 2023 23:53:53 -0400 Date: Fri, 9 Jun 2023 23:53:53 -0400
Subject: [PATCH] Eliminate old-style function declarations Subject: [PATCH] Eliminate old-style function declarations
@ -237,7 +237,7 @@ rewrote commit message; style changes]
src/tests/gssapi/reload.c | 2 +- src/tests/gssapi/reload.c | 2 +-
src/tests/gssapi/t_add_cred.c | 2 +- src/tests/gssapi/t_add_cred.c | 2 +-
src/tests/gssapi/t_enctypes.c | 2 +- src/tests/gssapi/t_enctypes.c | 2 +-
src/tests/gssapi/t_invalid.c | 2 +- src/tests/gssapi/t_invalid.c | 4 +-
src/tests/gssapi/t_oid.c | 2 +- src/tests/gssapi/t_oid.c | 2 +-
src/tests/gssapi/t_spnego.c | 2 +- src/tests/gssapi/t_spnego.c | 2 +-
src/tests/hammer/kdc5_hammer.c | 36 ++-- src/tests/hammer/kdc5_hammer.c | 36 ++--
@ -276,7 +276,7 @@ rewrote commit message; style changes]
src/util/support/t_json.c | 2 +- src/util/support/t_json.c | 2 +-
src/util/support/t_k5buf.c | 16 +- src/util/support/t_k5buf.c | 16 +-
src/util/support/t_unal.c | 3 +- src/util/support/t_unal.c | 3 +-
253 files changed, 1379 insertions(+), 2717 deletions(-) 253 files changed, 1380 insertions(+), 2718 deletions(-)
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3331970930..040d5bdd0c 100644 index 3331970930..040d5bdd0c 100644
@ -9018,10 +9018,10 @@ index f4d4380d5b..8d14091f38 100644
return 0; return 0;
} }
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8cdc40bfb4..f5aade34cc 100644 index d646073d55..6d96499d77 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3471,7 +3471,7 @@ load_pkcs11_module(krb5_context context, const char *modname, @@ -3469,7 +3469,7 @@ load_pkcs11_module(krb5_context context, const char *modname,
CK_RV (*getflist)(CK_FUNCTION_LIST_PTR_PTR); CK_RV (*getflist)(CK_FUNCTION_LIST_PTR_PTR);
struct errinfo einfo = EMPTY_ERRINFO; struct errinfo einfo = EMPTY_ERRINFO;
const char *errmsg = NULL; const char *errmsg = NULL;
@ -9030,7 +9030,7 @@ index 8cdc40bfb4..f5aade34cc 100644
long err; long err;
CK_RV rv; CK_RV rv;
@@ -3490,7 +3490,7 @@ load_pkcs11_module(krb5_context context, const char *modname, @@ -3488,7 +3488,7 @@ load_pkcs11_module(krb5_context context, const char *modname,
goto error; goto error;
} }
@ -9464,10 +9464,19 @@ index 3fd31e2f8c..3325db7696 100644
errout("Usage: t_enctypes [-i initenctypes] [-a accenctypes] " errout("Usage: t_enctypes [-i initenctypes] [-a accenctypes] "
"targetname"); "targetname");
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 8192935099..a052b8ab6e 100644 index fb8fe55111..e08c0039f8 100644
--- a/src/tests/gssapi/t_invalid.c --- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c
@@ -547,7 +547,7 @@ try_accept(void *value, size_t len) @@ -99,7 +99,7 @@ struct test {
/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */
static gss_ctx_id_t
-make_fake_cfx_context()
+make_fake_cfx_context(void)
{
gss_union_ctx_id_t uctx;
krb5_gss_ctx_id_t kgctx;
@@ -402,7 +402,7 @@ try_accept(void *value, size_t len)
/* Accept contexts using superficially valid but truncated encapsulations. */ /* Accept contexts using superficially valid but truncated encapsulations. */
static void static void
@ -10681,5 +10690,5 @@ index f67cd31edf..6d097f0f83 100644
/* Test some low-level assumptions the Kerberos code depends /* Test some low-level assumptions the Kerberos code depends
on. */ on. */
-- --
2.45.1 2.44.0

@ -1,64 +0,0 @@
From abb95e961f4e6a5482220a64fba843a3adc171df Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 19 Jul 2023 13:43:17 +0200
Subject: [PATCH] Replace ssl.wrap_socket() for tests
The ssl.wrap_socket() function was deprecated in Python 3.7 and is
removed in Python 3.12. The ssl.SSLContext.wrap_socket() method
replaces it.
Bump the required Python version for tests to 3.4 for
ssl.create_default_context().
[ghudson@mit.edu: changed minimum Python version]
(cherry picked from commit 0ceab6c363e65fb21d3312a663f2b9b569ecc415)
---
src/configure.ac | 9 ++++-----
src/util/wsgiref-kdcproxy.py | 4 +++-
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/configure.ac b/src/configure.ac
index 2561e917a2..487f393146 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1157,10 +1157,9 @@ AC_SUBST(PKINIT)
# for lib/apputils
AC_REPLACE_FUNCS(daemon)
-# For Python tests. Python version 3.2.4 is required as prior
-# versions do not accept string input to subprocess.Popen.communicate
-# when universal_newlines is set.
-PYTHON_MINVERSION=3.2.4
+# For Python tests. Python version 3.4 is required for
+# ssl.create_default_context().
+PYTHON_MINVERSION=3.4
AC_SUBST(PYTHON_MINVERSION)
AC_CHECK_PROG(PYTHON,python3,python3)
if test x"$PYTHON" = x; then
@@ -1168,7 +1167,7 @@ if test x"$PYTHON" = x; then
fi
HAVE_PYTHON=no
if test x"$PYTHON" != x; then
- wantver="(sys.hexversion >= 0x30204F0)"
+ wantver="(sys.hexversion >= 0x30400F0)"
if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then
HAVE_PYTHON=yes
fi
diff --git a/src/util/wsgiref-kdcproxy.py b/src/util/wsgiref-kdcproxy.py
index 58759696b6..d1d10d733c 100755
--- a/src/util/wsgiref-kdcproxy.py
+++ b/src/util/wsgiref-kdcproxy.py
@@ -14,6 +14,8 @@ else:
pem = '*'
server = make_server('localhost', port, kdcproxy.Application())
-server.socket = ssl.wrap_socket(server.socket, certfile=pem, server_side=True)
+sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
+sslctx.load_cert_chain(certfile=pem)
+server.socket = sslctx.wrap_socket(server.socket, server_side=True)
os.write(sys.stdout.fileno(), b'proxy server ready\n')
server.serve_forever()
--
2.45.1

@ -1,4 +1,4 @@
From 6e898b880a0c752f83decf33d64a7d8706e6d6f8 Mon Sep 17 00:00:00 2001 From 347079e258e6ded99d8dda162cafaf133b982ab9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Oct 2023 00:44:53 -0400 Date: Fri, 27 Oct 2023 00:44:53 -0400
Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
@ -30,5 +30,5 @@ index 0f4bf23a95..262edf09b4 100644
if (stop) { if (stop) {
-- --
2.45.1 2.44.0

File diff suppressed because it is too large Load Diff

@ -1,4 +1,4 @@
From fa711b7cb3b7cbb234bd202bc9d9b9d7ca4defad Mon Sep 17 00:00:00 2001 From d71ebaef4619d6281551793c297caed7a025a909 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 14:20:34 -0400 Date: Thu, 26 Oct 2023 14:20:34 -0400
Subject: [PATCH] Add request_timeout configuration parameter Subject: [PATCH] Add request_timeout configuration parameter
@ -222,5 +222,5 @@ index 262edf09b4..98247a1089 100644
if (sel_state->nfds == 0) if (sel_state->nfds == 0)
break; break;
-- --
2.45.1 2.44.0

@ -1,4 +1,4 @@
From 58b64df22e22b9b89f9c6af96990276a1fc8e3c6 Mon Sep 17 00:00:00 2001 From 0bf66d2018db92c95d3bab54a62f6a3265ceb158 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 26 Oct 2023 16:26:42 -0400 Date: Thu, 26 Oct 2023 16:26:42 -0400
Subject: [PATCH] Wait indefinitely on KDC TCP connections Subject: [PATCH] Wait indefinitely on KDC TCP connections
@ -134,5 +134,5 @@ index 98247a1089..924f5b2d26 100644
e = cm_select_or_poll(selstate, endtime, seltemp, &selret); e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
if (e == EINTR) if (e == EINTR)
-- --
2.45.1 2.44.0

@ -0,0 +1,381 @@
From 0cb2e6c09fee3863c16664bf180e773f662cd313 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steffen=20Kie=C3=9F?=
<steffen.kiess@cis.iti.uni-stuttgart.de>
Date: Tue, 13 Feb 2024 18:39:27 +0100
Subject: [PATCH] Avoid strict-prototype compiler errors
Commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 added the
-Werror=strict-prototypes parameter to the build process, but left
behind 28 function definitions using "()" instead of "(void)". Most
of these definitions could not cause compiler errors for various
reasons (such as an accompanying prototype), but a few could cause
errors in gcc depending on the build configuration.
For consistency and safety, add "(void)" to all 28 definitions.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 3ae9244cd021a75eba909d872a92c25db490714d)
---
src/clients/kcpytkt/kcpytkt.c | 2 +-
src/clients/kdeltkt/kdeltkt.c | 2 +-
src/clients/kinit/kinit.c | 4 ++--
src/clients/kinit/kinit_kdb.c | 2 +-
src/clients/klist/klist.c | 4 ++--
src/kadmin/cli/kadmin.c | 2 +-
src/kadmin/dbutil/kdb5_util.c | 4 ++--
src/kdc/main.c | 2 +-
src/kprop/kpropd.c | 4 ++--
src/lib/crypto/builtin/enc_provider/aes.c | 2 +-
src/lib/crypto/openssl/hmac.c | 2 +-
src/lib/krb5/ccache/t_memory.c | 4 ++--
src/lib/krb5/ccache/t_stdio.c | 4 ++--
src/plugins/kdb/db2/libdb2/btree/bt_debug.c | 2 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 4 ++--
src/plugins/kdb/db2/libdb2/hash/dbm.c | 2 +-
src/plugins/kdb/db2/libdb2/test/btree.tests/main.c | 2 +-
src/plugins/kdb/db2/libdb2/test/dbtest.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +-
src/plugins/tls/k5tls/openssl.c | 2 +-
src/tests/asn.1/make-vectors.c | 2 +-
21 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c
index 0b8802261e..f1d50e5de0 100644
--- a/src/clients/kcpytkt/kcpytkt.c
+++ b/src/clients/kcpytkt/kcpytkt.c
@@ -10,7 +10,7 @@ static char *prog;
static int quiet = 0;
static void
-xusage()
+xusage(void)
{
fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] "
"dest_ccache service1 service2 ...\n", prog);
diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c
index cd0bf637db..66a32a8bd3 100644
--- a/src/clients/kdeltkt/kdeltkt.c
+++ b/src/clients/kdeltkt/kdeltkt.c
@@ -10,7 +10,7 @@ static char *prog;
static int quiet = 0;
static void
-xusage()
+xusage(void)
{
fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 "
"service2 ...\n", prog);
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 7a33ffae59..b27b723f2d 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -55,7 +55,7 @@ get_name_from_os(void)
#else /* HAVE_PWD_H */
#ifdef _WIN32
static char *
-get_name_from_os()
+get_name_from_os(void)
{
static char name[1024];
DWORD name_size = sizeof(name);
@@ -69,7 +69,7 @@ get_name_from_os()
}
#else /* _WIN32 */
static char *
-get_name_from_os()
+get_name_from_os(void)
{
return NULL;
}
diff --git a/src/clients/kinit/kinit_kdb.c b/src/clients/kinit/kinit_kdb.c
index fbd174bf0c..4e7cd50169 100644
--- a/src/clients/kinit/kinit_kdb.c
+++ b/src/clients/kinit/kinit_kdb.c
@@ -69,7 +69,7 @@ kinit_kdb_init(krb5_context *pcontext, char *realm)
}
void
-kinit_kdb_fini()
+kinit_kdb_fini(void)
{
kadm5_destroy(server_handle);
}
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index c797b1698f..27cf0ee11b 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -359,7 +359,7 @@ do_keytab(const char *name)
}
static void
-list_all_ccaches()
+list_all_ccaches(void)
{
krb5_error_code ret;
krb5_ccache cache;
@@ -451,7 +451,7 @@ show_all_ccaches(void)
}
static void
-do_ccache()
+do_ccache(void)
{
krb5_error_code ret;
krb5_ccache cache;
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 23b64b0f58..c1256f7708 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -607,7 +607,7 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
}
int
-quit()
+quit(void)
{
kadm5_ret_t retval;
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 55d529fa4c..b9b61e3f91 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -367,7 +367,7 @@ main(int argc, char *argv[])
* program is run).
*/
static int
-open_db_and_mkey()
+open_db_and_mkey(void)
{
krb5_error_code retval;
krb5_data scratch, pwd, seed;
@@ -489,7 +489,7 @@ open_db_and_mkey()
#endif
int
-quit()
+quit(void)
{
krb5_error_code retval;
static krb5_boolean finished = 0;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index b43fe9a082..2dfad5673f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -854,7 +854,7 @@ write_pid_file(const char *path)
}
static void
-finish_realms()
+finish_realms(void)
{
int i;
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index f883ae2df8..fbb8e37ae9 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -376,7 +376,7 @@ get_wildcard_addr(struct addrinfo **res)
}
static void
-do_standalone()
+do_standalone(void)
{
struct sockaddr_in frominet;
struct addrinfo *res;
@@ -639,7 +639,7 @@ full_resync(CLIENT *clnt)
* Returns non-zero on failure due to errors.
*/
krb5_error_code
-do_iprop()
+do_iprop(void)
{
kadm5_ret_t retval;
krb5_principal iprop_svc_principal = NULL;
diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c
index 7fa9449797..39e2a84005 100644
--- a/src/lib/crypto/builtin/enc_provider/aes.c
+++ b/src/lib/crypto/builtin/enc_provider/aes.c
@@ -69,7 +69,7 @@ void k5_iEnc256_CBC(struct aes_data *data);
void k5_iDec256_CBC(struct aes_data *data);
static krb5_boolean
-aesni_supported_by_cpu()
+aesni_supported_by_cpu(void)
{
unsigned int a, b, c, d;
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index 25a419d73a..32dec3022e 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -71,7 +71,7 @@
#define HMAC_CTX_new compat_hmac_ctx_new
static HMAC_CTX *
-compat_hmac_ctx_new()
+compat_hmac_ctx_new(void)
{
HMAC_CTX *ctx;
diff --git a/src/lib/krb5/ccache/t_memory.c b/src/lib/krb5/ccache/t_memory.c
index 6d103a00d1..0f94e823cb 100644
--- a/src/lib/krb5/ccache/t_memory.c
+++ b/src/lib/krb5/ccache/t_memory.c
@@ -85,7 +85,7 @@ krb5_creds test_creds = {
};
void
-init_test_cred()
+init_test_cred(void)
{
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
test_creds.client[0] = &client1;
@@ -104,7 +104,7 @@ init_test_cred()
};
void
-mcc_test()
+mcc_test(void)
{
krb5_ccache id;
krb5_creds creds;
diff --git a/src/lib/krb5/ccache/t_stdio.c b/src/lib/krb5/ccache/t_stdio.c
index 15185e301c..06a9c2dea1 100644
--- a/src/lib/krb5/ccache/t_stdio.c
+++ b/src/lib/krb5/ccache/t_stdio.c
@@ -98,7 +98,7 @@ krb5_creds test_creds = {
};
void
-init_test_cred()
+init_test_cred(void)
{
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
test_creds.client[0] = &client1;
@@ -118,7 +118,7 @@ init_test_cred()
int flags = 0;
void
-scc_test()
+scc_test(void)
{
krb5_ccache id;
krb5_creds creds;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
index bc71076a35..5a955e09be 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
@@ -56,7 +56,7 @@ static FILE *tracefp;
* initialize debugging.
*/
static void
-__bt_dinit()
+__bt_dinit(void)
{
static int first = 1;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index a2910422eb..ef7515c3d4 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -391,7 +391,7 @@ nroot(BTREE *t)
}
static int
-tmp()
+tmp(void)
{
#ifdef SIG_BLOCK
sigset_t set, oset;
@@ -438,7 +438,7 @@ tmp()
}
static int
-byteorder()
+byteorder(void)
{
u_int32_t x;
u_char *p;
diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c
index 2dca256dc3..e643634433 100644
--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c
+++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c
@@ -143,7 +143,7 @@ kdb2_store(datum key, datum dat)
}
static void
-no_open_db()
+no_open_db(void)
{
(void)fprintf(stderr, "dbm: no open database.\n");
}
diff --git a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
index 088f903231..eec843d4db 100644
--- a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
+++ b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
@@ -908,7 +908,7 @@ keydata(key, data)
}
void
-usage()
+usage(void)
{
(void)fprintf(stderr,
"usage: %s [-bdluw] [-c cache] [-i file] [-p page] [file]\n",
diff --git a/src/plugins/kdb/db2/libdb2/test/dbtest.c b/src/plugins/kdb/db2/libdb2/test/dbtest.c
index 04bf34b90d..a2866b4412 100644
--- a/src/plugins/kdb/db2/libdb2/test/dbtest.c
+++ b/src/plugins/kdb/db2/libdb2/test/dbtest.c
@@ -792,7 +792,7 @@ xmalloc(char *text, size_t len)
}
void
-usage()
+usage(void)
{
(void)fprintf(stderr,
"usage: dbtest [-l] [-f file] [-i info] [-o file] type script\n");
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6d96499d77..af3fa9ee8b 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3090,7 +3090,7 @@ cleanup:
}
int
-pkinit_openssl_init()
+pkinit_openssl_init(void)
{
/* Initialize OpenSSL. */
ERR_load_crypto_strings();
diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c
index 99fda7ffcd..aab67c01cb 100644
--- a/src/plugins/tls/k5tls/openssl.c
+++ b/src/plugins/tls/k5tls/openssl.c
@@ -49,7 +49,7 @@ static int ex_handle_id = -1;
MAKE_INIT_FUNCTION(init_openssl);
int
-init_openssl()
+init_openssl(void)
{
SSL_library_init();
SSL_load_error_strings();
diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c
index 2fc85466bb..6f2b7dd021 100644
--- a/src/tests/asn.1/make-vectors.c
+++ b/src/tests/asn.1/make-vectors.c
@@ -224,7 +224,7 @@ printbuf(void)
}
int
-main()
+main(void)
{
/* Initialize values which can't use static initializers. */
asn_long2INTEGER(&otp_format, 2); /* Alphanumeric */
--
2.44.0

@ -0,0 +1,42 @@
From f54763bc90df9c76c69ee9a837cf856bcf93e633 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 17:38:49 -0500
Subject: [PATCH] Fix leak in KDC NDR encoding
If the KDC tries to encode a principal containing encode invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing. Fix
the leak.
ticket: 9115 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
---
src/kdc/ndr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
index 48395abe52..d438408ee2 100644
--- a/src/kdc/ndr.c
+++ b/src/kdc/ndr.c
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
size_t utf16len, num_wchars;
uint8_t *utf16;
- k5_buf_init_dynamic(&b);
-
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
if (ret)
return ret;
num_wchars = utf16len / 2;
+ k5_buf_init_dynamic(&b);
k5_buf_add_uint32_le(&b, num_wchars + 1);
k5_buf_add_uint32_le(&b, 0);
k5_buf_add_uint32_le(&b, num_wchars);
--
2.44.0

@ -1,71 +0,0 @@
From fa9dfdc9d85e88b6880edde5de45333b97a53a11 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 8 Jan 2024 16:52:27 +0100
Subject: [PATCH] Remove klist's defname global variable
Addition of a "cleanup" section in kinit's show_ccache() function as
part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
double-free bug, because defname is a global variable. After the
first call, successive calls may take place with a dangling pointer in
defname, which will be freed if krb5_cc_get_principal() fails.
Convert "defname" to a local variable initialized at the beginning of
show_ccache().
[ghudson@mit.edu: edited commit message]
(cherry picked from commit 5b00197227231943bd2305328c8260dd0b0dbcf0)
---
src/clients/klist/klist.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index b5ae96a843..b5808e5c93 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
int show_config = 0;
-char *defname;
char *progname;
krb5_timestamp now;
unsigned int timestamp_width;
@@ -62,7 +61,7 @@ krb5_context context;
static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm);
static char *etype_string(krb5_enctype );
-static void show_credential(krb5_creds *);
+static void show_credential(krb5_creds *, const char *);
static void list_all_ccaches(void);
static int list_ccache(krb5_ccache);
@@ -473,6 +472,7 @@ show_ccache(krb5_ccache cache)
krb5_creds creds;
krb5_principal princ = NULL;
krb5_error_code ret;
+ char *defname = NULL;
int status = 1;
ret = krb5_cc_get_principal(context, cache, &princ);
@@ -503,7 +503,7 @@ show_ccache(krb5_ccache cache)
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
- show_credential(&creds);
+ show_credential(&creds, defname);
krb5_free_cred_contents(context, &creds);
}
if (ret == KRB5_CC_END) {
@@ -676,7 +676,7 @@ print_config_data(int col, krb5_data *data)
}
static void
-show_credential(krb5_creds *cred)
+show_credential(krb5_creds *cred, const char *defname)
{
krb5_error_code ret;
krb5_ticket *tkt = NULL;
--
2.45.1

@ -1,4 +1,4 @@
From 313d7b1afdcfca2bc0f6824cfeb25594c2eae176 Mon Sep 17 00:00:00 2001 From d230c72573430803c569817a71b79be8656fa6c5 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500 Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH] Fix two unlikely memory leaks Subject: [PATCH] Fix two unlikely memory leaks
@ -19,7 +19,7 @@ fails.
2 files changed, 29 insertions(+), 37 deletions(-) 2 files changed, 29 insertions(+), 37 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 1fcbdfbb87..d3210c1107 100644 index 3b4f8cb837..e881eee835 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c --- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, @@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
@ -202,5 +202,5 @@ index 434e4eea65..f55ca46c60 100644
} }
-- --
2.45.1 2.44.0

@ -0,0 +1,535 @@
From 28009fda028c489ae38902b2c513c4208889f043 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 14 Jun 2024 10:56:12 -0400
Subject: [PATCH] Fix vulnerabilities in GSS message token handling
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.
In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.
In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.
CVE-2024-37370:
In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.
CVE-2024-37371:
In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.
ticket: 9128 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a)
---
src/lib/gssapi/krb5/k5sealv3.c | 5 +
src/lib/gssapi/krb5/k5sealv3iov.c | 3 +-
src/lib/gssapi/krb5/k5unsealiov.c | 80 +++++++++-
src/tests/gssapi/t_invalid.c | 233 +++++++++++++++++++++++++-----
4 files changed, 275 insertions(+), 46 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index e881eee835..d3210c1107 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
/* Don't use bodysize here! Use the fact that
cipher.ciphertext.length has been adjusted to the
correct length. */
+ if (plain.length < 16 + ec) {
+ free(plain.data);
+ goto defective;
+ }
althdr = (unsigned char *)plain.data + plain.length - 16;
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
+ || load_16_be(althdr+4) != ec
|| memcmp(althdr+8, ptr+8, 8)) {
free(plain.data);
goto defective;
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index 333ee124dd..f8e90c35b4 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
+ || load_16_be(althdr + 4) != ec
|| memcmp(althdr + 8, ptr + 8, 8) != 0) {
*minor_status = 0;
- return GSS_S_BAD_SIG;
+ return GSS_S_DEFECTIVE_TOKEN;
}
} else {
/* Verify checksum: note EC is checksum size here, not padding */
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 3ce2a90ce9..6a6585d9af 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -25,6 +25,7 @@
*/
#include "k5-int.h"
+#include "k5-der.h"
#include "gssapiP_krb5.h"
static OM_uint32
@@ -247,6 +248,73 @@ cleanup:
return retval;
}
+/* Similar to k5_der_get_value(), but output an unchecked content length
+ * instead of a k5input containing the contents. */
+static inline bool
+get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
+{
+ uint8_t lenbyte, i;
+ size_t len;
+
+ /* Do nothing if in is empty or the next byte doesn't match idbyte. */
+ if (in->status || in->len == 0 || *in->ptr != idbyte)
+ return false;
+
+ /* Advance past the identifier byte and decode the length. */
+ (void)k5_input_get_byte(in);
+ lenbyte = k5_input_get_byte(in);
+ if (lenbyte < 128) {
+ len = lenbyte;
+ } else {
+ len = 0;
+ for (i = 0; i < (lenbyte & 0x7F); i++) {
+ if (len > (SIZE_MAX >> 8)) {
+ k5_input_set_status(in, EOVERFLOW);
+ return false;
+ }
+ len = (len << 8) | k5_input_get_byte(in);
+ }
+ }
+
+ if (in->status)
+ return false;
+
+ *len_out = len;
+ return true;
+}
+
+/*
+ * Similar to g_verify_token_header() without toktype or flags, but do not read
+ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
+ * to the remaining number of header bytes. Verify the outer DER tag's length
+ * against token_len, which may be larger (but not smaller) than *header_len.
+ */
+static gss_int32
+verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
+ uint8_t **header_in, size_t token_len)
+{
+ struct k5input in, mech_der;
+ gss_OID_desc toid;
+ size_t len;
+
+ k5_input_init(&in, *header_in, *header_len);
+
+ if (get_der_tag(&in, 0x60, &len)) {
+ if (len != token_len - (in.ptr - *header_in))
+ return G_BAD_TOK_HEADER;
+ if (!k5_der_get_value(&in, 0x06, &mech_der))
+ return G_BAD_TOK_HEADER;
+ toid.elements = (uint8_t *)mech_der.ptr;
+ toid.length = mech_der.len;
+ if (!g_OID_equal(&toid, mech))
+ return G_WRONG_MECH;
+ }
+
+ *header_in = (uint8_t *)in.ptr;
+ *header_len = in.len;
+ return 0;
+}
+
/*
* Caller must provide TOKEN | DATA | PADDING | TRAILER, except
* for DCE in which case it can just provide TOKEN | DATA (must
@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- size_t input_length;
- unsigned int bodysize;
+ size_t input_length, hlen;
int toktype2;
header = kg_locate_header_iov(iov, iov_count, toktype);
@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
input_length += trailer->buffer.length;
}
- code = g_verify_token_header(ctx->mech_used,
- &bodysize, &ptr, -1,
- input_length, 0);
+ hlen = header->buffer.length;
+ code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
if (code != 0) {
*minor_status = code;
return GSS_S_DEFECTIVE_TOKEN;
}
- if (bodysize < 2) {
+ if (hlen < 2) {
*minor_status = (OM_uint32)G_BAD_TOK_HEADER;
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
toktype2 = load_16_be(ptr);
ptr += 2;
- bodysize -= 2;
+ hlen -= 2;
switch (toktype2) {
case KG2_TOK_MIC_MSG:
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index e08c0039f8..a052b8ab6e 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -36,31 +36,41 @@
*
* 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
* null pointer dereference. (The token must use SEAL_ALG_NONE or it will
- * be rejected.)
+ * be rejected.) This vulnerability also applies to IOV unwrap.
*
- * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
+ * 2. A CFX wrap token with a different value of EC between the plaintext and
+ * encrypted copies will be erroneously accepted, which allows a message
+ * truncation attack. This vulnerability also applies to IOV unwrap.
+ *
+ * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an
+ * access before the beginning of the input buffer, possibly leading to a
+ * crash.
+ *
+ * 4. A CFX wrap token with a plaintext EC value greater than the plaintext
+ * length - 16 causes an integer underflow when computing the result length,
+ * likely causing a crash.
+ *
+ * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1
+ * wrapper longer than the header buffer is present.
+ *
+ * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
* header causes an input buffer overrun, usually leading to either a segv
* or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or
- * sequence number values.
+ * sequence number values. This vulnerability also applies to IOV unwrap.
*
- * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
+ * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
* header causes an integer underflow when computing the ciphertext length,
* leading to an allocation error on 32-bit platforms or a segv on 64-bit
* platforms. A pre-CFX MIC token of this size causes an input buffer
* overrun when comparing the checksum, perhaps leading to a segv.
*
- * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
+ * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
* ciphertext (where padlen is the last byte of the decrypted ciphertext)
* causes an integer underflow when computing the original message length,
* leading to an allocation error.
*
- * 5. In the mechglue, truncated encapsulation in the initial context token can
+ * 9. In the mechglue, truncated encapsulation in the initial context token can
* cause input buffer overruns in gss_accept_sec_context().
- *
- * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with
- * fewer than 16 bytes after the ASN.1 header will be rejected.
- * Vulnerabilities #2 and #5 can only be robustly detected using a
- * memory-checking environment such as valgrind.
*/
#include "k5-int.h"
@@ -97,17 +107,25 @@ struct test {
}
};
-/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */
+static void *
+ealloc(size_t len)
+{
+ void *ptr = calloc(len, 1);
+
+ if (ptr == NULL)
+ abort();
+ return ptr;
+}
+
+/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key.
+ * The context takes ownership of subkey. */
static gss_ctx_id_t
-make_fake_cfx_context(void)
+make_fake_cfx_context(krb5_key subkey)
{
gss_union_ctx_id_t uctx;
krb5_gss_ctx_id_t kgctx;
- krb5_keyblock kb;
- kgctx = calloc(1, sizeof(*kgctx));
- if (kgctx == NULL)
- abort();
+ kgctx = ealloc(sizeof(*kgctx));
kgctx->established = 1;
kgctx->proto = 1;
if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
@@ -116,15 +134,10 @@ make_fake_cfx_context(void)
kgctx->sealalg = -1;
kgctx->signalg = -1;
- kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
- kb.length = 16;
- kb.contents = (unsigned char *)"1234567887654321";
- if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0)
- abort();
+ kgctx->subkey = subkey;
+ kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
- uctx = calloc(1, sizeof(*uctx));
- if (uctx == NULL)
- abort();
+ uctx = ealloc(sizeof(*uctx));
uctx->mech_type = &mech_krb5;
uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
return (gss_ctx_id_t)uctx;
@@ -138,9 +151,7 @@ make_fake_context(const struct test *test)
krb5_gss_ctx_id_t kgctx;
krb5_keyblock kb;
- kgctx = calloc(1, sizeof(*kgctx));
- if (kgctx == NULL)
- abort();
+ kgctx = ealloc(sizeof(*kgctx));
kgctx->established = 1;
if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
abort();
@@ -162,9 +173,7 @@ make_fake_context(const struct test *test)
if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
abort();
- uctx = calloc(1, sizeof(*uctx));
- if (uctx == NULL)
- abort();
+ uctx = ealloc(sizeof(*uctx));
uctx->mech_type = &mech_krb5;
uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
return (gss_ctx_id_t)uctx;
@@ -194,9 +203,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
assert(mech_krb5.length == 9);
assert(len + 11 < 128);
- wrapped = malloc(len + 13);
- if (wrapped == NULL)
- abort();
+ wrapped = ealloc(len + 13);
wrapped[0] = 0x60;
wrapped[1] = len + 11;
wrapped[2] = 0x06;
@@ -207,6 +214,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
out->value = wrapped;
}
+/* Create a 16-byte header for a CFX confidential wrap token to be processed by
+ * the fake CFX context. */
+static void
+write_cfx_header(uint16_t ec, uint8_t *out)
+{
+ memset(out, 0, 16);
+ store_16_be(KG2_TOK_WRAP_MSG, out);
+ out[2] = FLAG_WRAP_CONFIDENTIAL;
+ out[3] = 0xFF;
+ store_16_be(ec, out + 4);
+}
+
/* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
* regular and IOV unwrap. */
static void
@@ -238,6 +257,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
free(in.value);
}
+static void
+test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], plainbuf[24];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+ gss_iov_buffer_desc iov[2];
+
+ /* Construct a header with a plaintext EC value of 3. */
+ write_cfx_header(3, tokbuf);
+
+ /* Encrypt a plaintext and a copy of the header with the EC value 0. */
+ memcpy(plainbuf, "truncate", 8);
+ memcpy(plainbuf + 8, tokbuf, 16);
+ store_16_be(0, plainbuf + 12);
+ plain = make_data(plainbuf, 24);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+
+ /* Verify that the token is rejected by gss_unwrap_iov(). */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ iov[0].buffer = in;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+}
+
+static void
+test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], zerobyte = 0;
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ write_cfx_header(0, tokbuf);
+
+ /* Encrypt a single byte, with no copy of the header. */
+ plain = make_data(&zerobyte, 1);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128] = { 0 }, plainbuf[20];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ /* Construct a header with an EC value of 5. */
+ write_cfx_header(5, tokbuf);
+
+ /* Encrypt a 4-byte plaintext plus the header. */
+ memcpy(plainbuf, "abcd", 4);
+ memcpy(plainbuf + 4, tokbuf, 16);
+ plain = make_data(plainbuf, 20);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
+{
+ OM_uint32 minor, major;
+ uint8_t databuf[10] = { 0 };
+ gss_iov_buffer_desc iov[2];
+
+ /*
+ * In this IOV array, the header contains a DER tag with a dangling eight
+ * bytes of length field. The data IOV indicates a total token length
+ * sufficient to contain the length bytes.
+ */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[0].buffer.value = ealloc(2);
+ iov[0].buffer.length = 2;
+ memcpy(iov[0].buffer.value, "\x60\x88", 2);
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.value = databuf;
+ iov[1].buffer.length = 10;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ free(iov[0].buffer.value);
+}
+
/* Process wrap and MIC tokens with incomplete headers. */
static void
test_short_header(gss_ctx_id_t ctx)
@@ -387,9 +534,7 @@ try_accept(void *value, size_t len)
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
/* Copy the provided value to make input overruns more obvious. */
- in.value = malloc(len);
- if (in.value == NULL)
- abort();
+ in.value = ealloc(len);
memcpy(in.value, value, len);
in.length = len;
(void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
@@ -424,11 +569,23 @@ test_short_encapsulation(void)
int
main(int argc, char **argv)
{
+ krb5_keyblock kb;
+ krb5_key cfx_subkey;
gss_ctx_id_t ctx;
size_t i;
- ctx = make_fake_cfx_context();
+ kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ kb.length = 16;
+ kb.contents = (unsigned char *)"1234567887654321";
+ if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
+ abort();
+
+ ctx = make_fake_cfx_context(cfx_subkey);
test_bogus_1964_token(ctx);
+ test_cfx_altered_ec(ctx, cfx_subkey);
+ test_cfx_short_plaintext(ctx, cfx_subkey);
+ test_cfx_large_ec(ctx, cfx_subkey);
+ test_iov_large_asn1_wrapper(ctx);
free_fake_context(ctx);
for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
--
2.45.1

File diff suppressed because it is too large Load Diff

@ -0,0 +1,175 @@
From 5464ad5b64f7ce7c3d78082352189af7c8feb95f Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 6 Sep 2024 17:18:11 +0200
Subject: [PATCH] Fix various issues detected by static analysis
(cherry picked from commit 53d352949941ee236461658d01f03c37abafc6f6)
---
src/clients/klist/klist.c | 13 +++++++------
src/kadmin/dbutil/dump.c | 5 +++++
src/kdc/ndr.c | 2 +-
src/lib/kdb/decrypt_key.c | 2 +-
src/lib/rpc/svc_auth_gss.c | 5 ++++-
src/lib/rpc/svc_udp.c | 13 +++++++------
src/util/support/threads.c | 2 --
7 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 27cf0ee11b..9db66f6072 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -666,7 +666,7 @@ show_credential(krb5_creds *cred)
krb5_error_code ret;
krb5_ticket *tkt = NULL;
char *name = NULL, *sname = NULL, *tktsname, *flags;
- int extra_field = 0, ccol = 0, i;
+ int extra_field = 0, ccol = 0, i, r;
krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
ret = krb5_unparse_name(context, cred->client, &name);
@@ -696,11 +696,12 @@ show_credential(krb5_creds *cred)
fputs("config: ", stdout);
ccol = 8;
for (i = 1; i < cred->server->length; i++) {
- ccol += printf("%s%.*s%s",
- i > 1 ? "(" : "",
- (int)cred->server->data[i].length,
- cred->server->data[i].data,
- i > 1 ? ")" : "");
+ r = printf("%s%.*s%s", i > 1 ? "(" : "",
+ (int)cred->server->data[i].length,
+ cred->server->data[i].data,
+ i > 1 ? ")" : "");
+ if (r >= 0)
+ ccol += r;
}
fputs(" = ", stdout);
ccol += 3;
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 4d6cc0bdf9..feb053d834 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
dbentry->len = u1;
dbentry->n_key_data = u4;
+
+ if (u5 > UINT16_MAX) {
+ load_err(fname, *linenop, _("invalid principal extra data size"));
+ goto fail;
+ }
dbentry->e_length = u5;
if (kp != NULL) {
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
index d438408ee2..38be9fe42a 100644
--- a/src/kdc/ndr.c
+++ b/src/kdc/ndr.c
@@ -242,7 +242,7 @@ ndr_enc_delegation_info(struct pac_s4u_delegation_info *in, krb5_data *out)
{
krb5_error_code ret;
size_t i;
- struct k5buf b;
+ struct k5buf b = EMPTY_K5BUF;
struct encoded_wchars pt_encoded = { 0 }, *tss_encoded = NULL;
uint32_t pointer = 0;
diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c
index 82bbed6312..c971793c9d 100644
--- a/src/lib/kdb/decrypt_key.c
+++ b/src/lib/kdb/decrypt_key.c
@@ -60,7 +60,7 @@ krb5_dbe_def_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
krb5_keyblock *dbkey_out,
krb5_keysalt *keysalt_out)
{
- krb5_error_code ret;
+ krb5_error_code ret = KRB5_CRYPTO_INTERNAL;
int16_t keylen;
krb5_enc_data cipher;
krb5_data plain = empty_data();
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index 98d601c8ab..461e5de542 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -297,7 +297,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
struct opaque_auth *oa;
gss_buffer_desc rpcbuf, checksum;
OM_uint32 maj_stat, min_stat, qop_state;
- u_char rpchdr[128];
+ u_char rpchdr[32 + MAX_AUTH_BYTES];
int32_t *buf;
log_debug("in svcauth_gss_validate()");
@@ -315,6 +315,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
return (FALSE);
buf = (int32_t *)(void *)rpchdr;
+
+ /* Write the 32 first bytes of the header. */
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
@@ -323,6 +325,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
+
if (oa->oa_length) {
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
buf += RNDUP(oa->oa_length) / sizeof(int32_t);
diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
index 8ecbdf2b33..3aff277eb7 100644
--- a/src/lib/rpc/svc_udp.c
+++ b/src/lib/rpc/svc_udp.c
@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
{
struct svcudp_data *su = su_data(xprt);
XDR *xdrs = &su->su_xdrs;
- int slen;
+ u_int slen;
bool_t stat = FALSE;
+ ssize_t r;
xdrproc_t xdr_results = NULL;
caddr_t xdr_location = 0;
@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
if (xdr_replymsg(xdrs, msg) &&
(!has_args ||
(SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
- slen = (int)XDR_GETPOS(xdrs);
- if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
- (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
- == slen) {
+ slen = XDR_GETPOS(xdrs);
+ r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+ (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
+ if (r >= 0 && (u_int)r == slen) {
stat = TRUE;
- if (su->su_cache && slen >= 0) {
+ if (su->su_cache) {
cache_set(xprt, (uint32_t) slen);
}
}
diff --git a/src/util/support/threads.c b/src/util/support/threads.c
index be7e4c2e3f..4ded805b79 100644
--- a/src/util/support/threads.c
+++ b/src/util/support/threads.c
@@ -118,7 +118,6 @@ struct tsd_block {
# pragma weak pthread_mutex_destroy
# pragma weak pthread_mutex_init
# pragma weak pthread_self
-# pragma weak pthread_equal
# pragma weak pthread_getspecific
# pragma weak pthread_setspecific
# pragma weak pthread_key_create
@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
|| &pthread_mutex_destroy == 0
|| &pthread_mutex_init == 0
|| &pthread_self == 0
- || &pthread_equal == 0
/* Any program that's really multithreaded will have to be
able to create threads. */
|| &pthread_create == 0
--
2.46.0

@ -0,0 +1,629 @@
From 023dcf87d34e29649dd76d33ce7d896c2b6f61d2 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 22 Aug 2024 17:15:50 +0200
Subject: [PATCH] Generate and verify message MACs in libkrad
Implement some of the measures specified in
draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS
attack (CVE-2024-3596):
* Include a Message-Authenticator MAC as the first attribute when
generating a packet of type Access-Request, Access-Reject,
Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if
the secret is non-empty. (An empty secret indicates the use of Unix
domain socket transport.)
* Validate the Message-Authenticator MAC in received packets, if
present.
FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and
3.0.27. libkrad must generate Message-Authenticator attributes in
order to remain compatible with these implementations.
[ghudson@mit.edu: adjusted style and naming; simplified some
functions; edited commit message]
ticket: 9142 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit 871125fea8ce0370a972bf65f7d1de63f619b06c)
---
src/include/k5-int.h | 5 +
src/lib/crypto/krb/checksum_hmac_md5.c | 28 ++++
src/lib/crypto/libk5crypto.exports | 1 +
src/lib/krad/attr.c | 17 ++
src/lib/krad/attrset.c | 59 +++++--
src/lib/krad/internal.h | 7 +-
src/lib/krad/packet.c | 206 +++++++++++++++++++++++--
src/lib/krad/t_attrset.c | 2 +-
src/lib/krad/t_daemon.py | 3 +-
src/lib/krad/t_packet.c | 11 ++
src/tests/t_otp.py | 3 +
11 files changed, 311 insertions(+), 31 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 69d6a6f569..b7789a2dd8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2403,4 +2403,9 @@ krb5_boolean
k5_sname_compare(krb5_context context, krb5_const_principal sname,
krb5_const_principal princ);
+/* Generate an HMAC-MD5 keyed checksum as specified by RFC 2104. */
+krb5_error_code
+k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
#endif /* _KRB5_INT_H */
diff --git a/src/lib/crypto/krb/checksum_hmac_md5.c b/src/lib/crypto/krb/checksum_hmac_md5.c
index ec024f3966..a809388549 100644
--- a/src/lib/crypto/krb/checksum_hmac_md5.c
+++ b/src/lib/crypto/krb/checksum_hmac_md5.c
@@ -92,3 +92,31 @@ cleanup:
free(hash_iov);
return ret;
}
+
+krb5_error_code
+k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ krb5_error_code ret;
+ const struct krb5_hash_provider *hash = &krb5int_hash_md5;
+ krb5_keyblock keyblock = { 0 };
+ krb5_data hashed_key;
+ uint8_t hkeybuf[16];
+ krb5_crypto_iov iov;
+
+ /* Hash the key if it is longer than the block size. */
+ if (key->length > hash->blocksize) {
+ hashed_key = make_data(hkeybuf, sizeof(hkeybuf));
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = *key;
+ ret = hash->hash(&iov, 1, &hashed_key);
+ if (ret)
+ return ret;
+ key = &hashed_key;
+ }
+
+ keyblock.magic = KV5M_KEYBLOCK;
+ keyblock.length = key->length;
+ keyblock.contents = (uint8_t *)key->data;
+ return krb5int_hmac_keyblock(hash, &keyblock, data, num_data, output);
+}
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index d8ffa63304..00e0ce1812 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -102,3 +102,4 @@ krb5_c_prfplus
krb5_c_derive_prfplus
k5_enctype_to_ssf
krb5int_c_deprecated_enctype
+k5_hmac_md5
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
index 42d354a3b5..65ed1d35e7 100644
--- a/src/lib/krad/attr.c
+++ b/src/lib/krad/attr.c
@@ -125,6 +125,23 @@ static const attribute_record attributes[UCHAR_MAX] = {
{"NAS-Port-Type", 4, 4, NULL, NULL},
{"Port-Limit", 4, 4, NULL, NULL},
{"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL},
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
+ {NULL, 0, 0, NULL, NULL}, /* Password-Retry */
+ {NULL, 0, 0, NULL, NULL}, /* Prompt */
+ {NULL, 0, 0, NULL, NULL}, /* Connect-Info */
+ {NULL, 0, 0, NULL, NULL}, /* Configuration-Token */
+ {NULL, 0, 0, NULL, NULL}, /* EAP-Message */
+ {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL},
};
/* Encode User-Password attribute. */
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index 6ec031e320..e5457ebfd7 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -164,15 +164,44 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy)
return 0;
}
+/* Place an encoded attributes into outbuf at position *i. Increment *i by the
+ * length of the encoding. */
+static krb5_error_code
+append_attr(krb5_context ctx, const char *secret,
+ const uint8_t *auth, krad_attr type, const krb5_data *data,
+ uint8_t outbuf[MAX_ATTRSETSIZE], size_t *i, krb5_boolean *is_fips)
+{
+ uint8_t buffer[MAX_ATTRSIZE];
+ size_t attrlen;
+ krb5_error_code retval;
+
+ retval = kr_attr_encode(ctx, secret, auth, type, data, buffer, &attrlen,
+ is_fips);
+ if (retval)
+ return retval;
+
+ if (attrlen > MAX_ATTRSETSIZE - *i - 2)
+ return EMSGSIZE;
+
+ outbuf[(*i)++] = type;
+ outbuf[(*i)++] = attrlen + 2;
+ memcpy(outbuf + *i, buffer, attrlen);
+ *i += attrlen;
+
+ return 0;
+}
+
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
- const unsigned char *auth,
+ const uint8_t *auth, krb5_boolean add_msgauth,
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
krb5_boolean *is_fips)
{
- unsigned char buffer[MAX_ATTRSIZE];
krb5_error_code retval;
- size_t i = 0, attrlen;
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
+ const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 };
+ krb5_data zerodata;
+ size_t i = 0;
attr *a;
if (set == NULL) {
@@ -180,19 +209,21 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
return 0;
}
- K5_TAILQ_FOREACH(a, &set->list, list) {
- retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr,
- buffer, &attrlen, is_fips);
- if (retval != 0)
+ if (add_msgauth) {
+ /* Encode Message-Authenticator as the first attribute, per
+ * draft-ietf-radext-deprecating-radius-03 section 5.2. */
+ zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE);
+ retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata,
+ outbuf, &i, is_fips);
+ if (retval)
return retval;
+ }
- if (i + attrlen + 2 > MAX_ATTRSETSIZE)
- return EMSGSIZE;
-
- outbuf[i++] = a->type;
- outbuf[i++] = attrlen + 2;
- memcpy(&outbuf[i], buffer, attrlen);
- i += attrlen;
+ K5_TAILQ_FOREACH(a, &set->list, list) {
+ retval = append_attr(set->ctx, secret, auth, a->type, &a->attr,
+ outbuf, &i, is_fips);
+ if (retval)
+ return retval;
}
*outlen = i;
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
index a17b6f39b1..ca66f3ec68 100644
--- a/src/lib/krad/internal.h
+++ b/src/lib/krad/internal.h
@@ -49,6 +49,8 @@
#define UCHAR_MAX 255
#endif
+#define MD5_DIGEST_SIZE 16
+
/* RFC 2865 */
#define MAX_ATTRSIZE (UCHAR_MAX - 2)
#define MAX_ATTRSETSIZE (KRAD_PACKET_SIZE_MAX - 20)
@@ -79,10 +81,11 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
krad_attr type, const krb5_data *in,
unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
-/* Encode the attributes into the buffer. */
+/* Encode set into outbuf. If add_msgauth is true, include a zeroed
+ * Message-Authenticator as the first attribute. */
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
- const unsigned char *auth,
+ const uint8_t *auth, krb5_boolean add_msgauth,
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
krb5_boolean *is_fips);
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index c5446b890c..3c1a4d507e 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -36,6 +36,7 @@
typedef unsigned char uchar;
/* RFC 2865 */
+#define MSGAUTH_SIZE (2 + MD5_DIGEST_SIZE)
#define OFFSET_CODE 0
#define OFFSET_ID 1
#define OFFSET_LENGTH 2
@@ -222,6 +223,106 @@ packet_set_attrset(krb5_context ctx, const char *secret, krad_packet *pkt)
return kr_attrset_decode(ctx, &tmp, secret, pkt_auth(pkt), &pkt->attrset);
}
+/* Determine if a packet requires a Message-Authenticator attribute. */
+static inline krb5_boolean
+requires_msgauth(const char *secret, krad_code code)
+{
+ /* If no secret is provided, assume that the transport is a UNIX socket.
+ * Message-Authenticator is required only on UDP and TCP connections. */
+ if (*secret == '\0')
+ return FALSE;
+
+ /*
+ * Per draft-ietf-radext-deprecating-radius-03 sections 5.2.1 and 5.2.4,
+ * Message-Authenticator is required in Access-Request packets and all
+ * potential responses when UDP or TCP transport is used.
+ */
+ return code == krad_code_name2num("Access-Request") ||
+ code == krad_code_name2num("Access-Reject") ||
+ code == krad_code_name2num("Access-Accept") ||
+ code == krad_code_name2num("Access-Challenge");
+}
+
+/* Check if the packet has a Message-Authenticator attribute. */
+static inline krb5_boolean
+has_pkt_msgauth(const krad_packet *pkt)
+{
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
+
+ return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL;
+}
+
+/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL
+ * if no such attribute is present. */
+static const uint8_t *
+lookup_msgauth_addr(const krad_packet *pkt)
+{
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
+ size_t i;
+ uint8_t *p;
+
+ i = OFFSET_ATTR;
+ while (i + 2 < pkt->pkt.length) {
+ p = (uint8_t *)offset(&pkt->pkt, i);
+ if (msgauth_type == *p)
+ return p;
+ i += p[1];
+ }
+
+ return NULL;
+}
+
+/*
+ * Calculate the message authenticator MAC for pkt as specified in RFC 2869
+ * section 5.14, placing the result in mac_out. Use the provided authenticator
+ * auth, which may be from pkt or from a corresponding request.
+ */
+static krb5_error_code
+calculate_mac(const char *secret, const krad_packet *pkt,
+ const uint8_t auth[AUTH_FIELD_SIZE],
+ uint8_t mac_out[MD5_DIGEST_SIZE])
+{
+ uint8_t zeroed_msgauth[MSGAUTH_SIZE];
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
+ const uint8_t *msgauth_attr, *msgauth_end, *pkt_end;
+ krb5_crypto_iov input[5];
+ krb5_data ksecr, mac;
+
+ msgauth_attr = lookup_msgauth_addr(pkt);
+ if (msgauth_attr == NULL)
+ return EINVAL;
+ msgauth_end = msgauth_attr + MSGAUTH_SIZE;
+ pkt_end = (const uint8_t *)pkt->pkt.data + pkt->pkt.length;
+
+ /* Read code, id, and length from the packet. */
+ input[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ input[0].data = make_data(pkt->pkt.data, OFFSET_AUTH);
+
+ /* Read the provided authenticator. */
+ input[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ input[1].data = make_data((uint8_t *)auth, AUTH_FIELD_SIZE);
+
+ /* Read any attributes before Message-Authenticator. */
+ input[2].flags = KRB5_CRYPTO_TYPE_DATA;
+ input[2].data = make_data(pkt_attr(pkt), msgauth_attr - pkt_attr(pkt));
+
+ /* Read Message-Authenticator with the data bytes all set to zero, per RFC
+ * 2869 section 5.14. */
+ zeroed_msgauth[0] = msgauth_type;
+ zeroed_msgauth[1] = MSGAUTH_SIZE;
+ memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE);
+ input[3].flags = KRB5_CRYPTO_TYPE_DATA;
+ input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE);
+
+ /* Read any attributes after Message-Authenticator. */
+ input[4].flags = KRB5_CRYPTO_TYPE_DATA;
+ input[4].data = make_data((uint8_t *)msgauth_end, pkt_end - msgauth_end);
+
+ mac = make_data(mac_out, MD5_DIGEST_SIZE);
+ ksecr = string2data((char *)secret);
+ return k5_hmac_md5(&ksecr, input, 5, &mac);
+}
+
ssize_t
krad_packet_bytes_needed(const krb5_data *buffer)
{
@@ -255,6 +356,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
krad_packet *pkt;
uchar id;
size_t attrset_len;
+ krb5_boolean msgauth_required;
pkt = packet_new();
if (pkt == NULL) {
@@ -274,9 +376,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
if (retval != 0)
goto error;
+ /* Determine if Message-Authenticator is required. */
+ msgauth_required = (*secret != '\0' &&
+ code == krad_code_name2num("Access-Request"));
+
/* Encode the attributes. */
- retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt),
- &attrset_len, &pkt->is_fips);
+ retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required,
+ pkt_attr(pkt), &attrset_len, &pkt->is_fips);
if (retval != 0)
goto error;
@@ -285,6 +391,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
pkt_code_set(pkt, code);
pkt_len_set(pkt, pkt->pkt.length);
+ if (msgauth_required) {
+ /* Calculate and set the Message-Authenticator MAC. */
+ retval = calculate_mac(secret, pkt, pkt_auth(pkt), pkt_attr(pkt) + 2);
+ if (retval != 0)
+ goto error;
+ }
+
/* Copy the attrset for future use. */
retval = packet_set_attrset(ctx, secret, pkt);
if (retval != 0)
@@ -307,14 +420,19 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
krb5_error_code retval;
krad_packet *pkt;
size_t attrset_len;
+ krb5_boolean msgauth_required;
pkt = packet_new();
if (pkt == NULL)
return ENOMEM;
+ /* Determine if Message-Authenticator is required. */
+ msgauth_required = requires_msgauth(secret, code);
+
/* Encode the attributes. */
- retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt),
- &attrset_len, &pkt->is_fips);
+ retval = kr_attrset_encode(set, secret, pkt_auth(request),
+ msgauth_required, pkt_attr(pkt), &attrset_len,
+ &pkt->is_fips);
if (retval != 0)
goto error;
@@ -330,6 +448,18 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
if (retval != 0)
goto error;
+ if (msgauth_required) {
+ /*
+ * Calculate and replace the Message-Authenticator MAC. Per RFC 2869
+ * section 5.14, use the authenticator from the request, not from the
+ * response.
+ */
+ retval = calculate_mac(secret, pkt, pkt_auth(request),
+ pkt_attr(pkt) + 2);
+ if (retval != 0)
+ goto error;
+ }
+
/* Copy the attrset for future use. */
retval = packet_set_attrset(ctx, secret, pkt);
if (retval != 0)
@@ -343,6 +473,34 @@ error:
return retval;
}
+/* Verify the Message-Authenticator value in pkt, using the provided
+ * authenticator (which may be from pkt or from a corresponding request). */
+static krb5_error_code
+verify_msgauth(const char *secret, const krad_packet *pkt,
+ const uint8_t auth[AUTH_FIELD_SIZE])
+{
+ uint8_t mac[MD5_DIGEST_SIZE];
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
+ const krb5_data *msgauth;
+ krb5_error_code retval;
+
+ msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
+ if (msgauth == NULL)
+ return ENODATA;
+
+ retval = calculate_mac(secret, pkt, auth, mac);
+ if (retval)
+ return retval;
+
+ if (msgauth->length != MD5_DIGEST_SIZE)
+ return EMSGSIZE;
+
+ if (k5_bcmp(mac, msgauth->data, MD5_DIGEST_SIZE) != 0)
+ return EBADMSG;
+
+ return 0;
+}
+
/* Decode a packet. */
static krb5_error_code
decode_packet(krb5_context ctx, const char *secret, const krb5_data *buffer,
@@ -394,21 +552,35 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
krad_packet **reqpkt)
{
const krad_packet *tmp = NULL;
+ krad_packet *req;
krb5_error_code retval;
- retval = decode_packet(ctx, secret, buffer, reqpkt);
- if (cb != NULL && retval == 0) {
+ retval = decode_packet(ctx, secret, buffer, &req);
+ if (retval)
+ return retval;
+
+ /* Verify Message-Authenticator if present. */
+ if (has_pkt_msgauth(req)) {
+ retval = verify_msgauth(secret, req, pkt_auth(req));
+ if (retval) {
+ krad_packet_free(req);
+ return retval;
+ }
+ }
+
+ if (cb != NULL) {
for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
break;
}
- }
- if (cb != NULL && (retval != 0 || tmp != NULL))
- (*cb)(data, TRUE);
+ if (tmp != NULL)
+ (*cb)(data, TRUE);
+ }
+ *reqpkt = req;
*duppkt = tmp;
- return retval;
+ return 0;
}
krb5_error_code
@@ -435,9 +607,17 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
break;
}
- /* If the authenticator matches, then the response is valid. */
- if (memcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) == 0)
- break;
+ /* Verify the response authenticator. */
+ if (k5_bcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) != 0)
+ continue;
+
+ /* Verify Message-Authenticator if present. */
+ if (has_pkt_msgauth(*rsppkt)) {
+ if (verify_msgauth(secret, *rsppkt, pkt_auth(tmp)) != 0)
+ continue;
+ }
+
+ break;
}
}
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
index 4cdb8b7d8e..f9c66509bd 100644
--- a/src/lib/krad/t_attrset.c
+++ b/src/lib/krad/t_attrset.c
@@ -63,7 +63,7 @@ main(void)
noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
/* Encode attrset. */
- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len,
+ noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len,
&is_fips));
krad_attrset_free(set);
diff --git a/src/lib/krad/t_daemon.py b/src/lib/krad/t_daemon.py
index 4a3de079c7..647d4894eb 100755
--- a/src/lib/krad/t_daemon.py
+++ b/src/lib/krad/t_daemon.py
@@ -40,6 +40,7 @@ DICTIONARY = """
ATTRIBUTE\tUser-Name\t1\tstring
ATTRIBUTE\tUser-Password\t2\toctets
ATTRIBUTE\tNAS-Identifier\t32\tstring
+ATTRIBUTE\tMessage-Authenticator\t80\toctets
"""
class TestServer(server.Server):
@@ -52,7 +53,7 @@ class TestServer(server.Server):
if key == "User-Password":
passwd = [pkt.PwDecrypt(x) for x in pkt[key]]
- reply = self.CreateReplyPacket(pkt)
+ reply = self.CreateReplyPacket(pkt, message_authenticator=True)
if passwd == ['accept']:
reply.code = packet.AccessAccept
else:
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
index c22489144f..104b6507a2 100644
--- a/src/lib/krad/t_packet.c
+++ b/src/lib/krad/t_packet.c
@@ -172,6 +172,9 @@ main(int argc, const char **argv)
krb5_data username, password;
krb5_boolean auth = FALSE;
krb5_context ctx;
+ const krad_packet *dupreq;
+ const krb5_data *encpkt;
+ krad_packet *decreq;
username = string2data("testUser");
@@ -184,9 +187,17 @@ main(int argc, const char **argv)
password = string2data("accept");
noerror(make_packet(ctx, &username, &password, &packets[ACCEPT_PACKET]));
+ encpkt = krad_packet_encode(packets[ACCEPT_PACKET]);
+ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL,
+ &dupreq, &decreq));
+ krad_packet_free(decreq);
password = string2data("reject");
noerror(make_packet(ctx, &username, &password, &packets[REJECT_PACKET]));
+ encpkt = krad_packet_encode(packets[REJECT_PACKET]);
+ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL,
+ &dupreq, &decreq));
+ krad_packet_free(decreq);
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py
index c3b820a411..dd5cdc5c26 100755
--- a/src/tests/t_otp.py
+++ b/src/tests/t_otp.py
@@ -49,6 +49,7 @@ ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 octets
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE NAS-Identifier 32 string
+ATTRIBUTE Message-Authenticator 80 octets
'''
class RadiusDaemon(Process):
@@ -97,6 +98,8 @@ class RadiusDaemon(Process):
reply.code = packet.AccessReject
replyq['reply'] = False
+ reply.add_message_authenticator()
+
outq.put(replyq)
if addr is None:
sock.send(reply.ReplyPacket())
--
2.46.0

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D
ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g
qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8
M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN
H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv
s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3
OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6
RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV
piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J
+i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX
tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ
7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE=
=AIvQ
-----END PGP SIGNATURE-----

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmZ8eHkACgkQDLoIV1+D
ct//gw//bmvy6zXbKL6epNaExVgRdqzfQWm6WqeyGNxg59BQyJwsRsArsQRbSTZl
uUExbV4HDTI/SemnYT8MfNOUtGZBCcAMYUr79Zmwi9S2pc30ZHIGcOf5E7HvIj6y
ZZUvddoxWvxpruCuJHb9dP4ZUPE0iU2rJnLsXR/H4E574WlrWBjXu3gimLen7+yg
aCLxIvw6lk4f/X8l+aqbK+haWHwMnca+kWSPbmL2iblHVqmoJVEmWhy7/9WjiT5S
5HhDJIObO2qn1pbE1ZTQqfGOfFgOUVxTl2myMxX1RXEDVFzdLDdnoUJRt4o4GG27
Y0WfLtmN6NisVF91dkl2+F7js+xVI3m9uZnpeccKO2Uq6BQRrfOMWUAHVKMUJZjh
h0GMeTzOhw7qGKitAiuhauyDMMTgMx78bC0DpLYtq24fp7BSvD0jNZnfjUXVCk8D
al9cfxC5m843aKiJ01Of13PziZsTQFz/TUsOrcpx4h7+qY7nldrovkQBiyVbbtn4
MncYq8d84G/0vsbJ/6ftJ6Y+OL20jyzfC5xgmKtK/y1D987aum2BSudISUCylOOt
j5/KiTRe0rWUjBNtoCjrtw4xlSbygmjuiE/xtcow0CHXDtMjlo8PrDi8W+xccBv2
zQ2B+e9ywkF4uC/M91s/bVSMkOtxv2JCoUUHOMF4ku5vzKSOhyk=
=TH0A
-----END PGP SIGNATURE-----

@ -1,18 +0,0 @@
#!/bin/sh
set -e
export RPM_PACKAGE_NAME={{ name }}
export RPM_PACKAGE_VERSION={{ version }}
export RPM_PACKAGE_RELEASE={{ release }}
export RPM_ARCH={{ arch }}
export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)"
testdir="$(mktemp -d)"
trap "rm -rf ${testdir}" EXIT
build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"
mkdir "${testdir}/{{ name }}-tests"
cp -rp /usr/share/{{ name }}-tests/{{ arch }} "${testdir}/{{ name }}-tests/"
make -C "${testdir}/{{ name }}-tests/{{ arch }}/" $build_flags
keyctl session - make -C "${testdir}/{{ name }}-tests/{{ arch }}/" check

@ -1,3 +1,27 @@
%bcond_without check
%if %{without check}
%global skipcheck 1
%endif
# COPR doesn't work right with the tests. I suspect keyring issues,
# but can't actually debug, so...
%if 0%{?copr_username:1}
%global skipcheck 1
%endif
# There are 0 test machines for this architecture, very few builders, and
# they're not very well provisioned / maintained. I can't support it.
# Patches welcome, but there's nothing I can do - it fails more than half the
# for "infrastructure issues" that I can't hope to debug.
%ifarch s390x
%global skipcheck 1
%endif
# RHEL runs upstream's test suite in a separate pass after build.
%if 0%{?rhel}
%global skipcheck 1
%endif
# Set this so that find-lang.sh will recognize the .po files. # Set this so that find-lang.sh will recognize the .po files.
%global gettext_domain mit-krb5 %global gettext_domain mit-krb5
# Guess where the -libs subpackage's docs are going to go. # Guess where the -libs subpackage's docs are going to go.
@ -10,7 +34,7 @@
# #
# baserelease is what we have standardized across Fedora and what # baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle. # rpmdev-bumpspec knows how to handle.
%global baserelease 2 %global baserelease 4
# This should be e.g. beta1 or %%nil # This should be e.g. beta1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -24,7 +48,7 @@
%global krb5_version_major 1 %global krb5_version_major 1
%global krb5_version_minor 21 %global krb5_version_minor 21
# For a release without a patch number set to %%nil # For a release without a patch number set to %%nil
%global krb5_version_patch 3 %global krb5_version_patch 1
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor} %global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
%global krb5_version %{krb5_version_major_minor} %global krb5_version %{krb5_version_major_minor}
@ -44,6 +68,7 @@ Release: %{krb5_release}%{?dist}
Source0: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc Source1: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc
# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service Source2: kprop.service
Source3: kadmin.service Source3: kadmin.service
Source4: krb5kdc.service Source4: krb5kdc.service
@ -57,7 +82,6 @@ Source11: ksu.pamd
Source12: krb5kdc.logrotate Source12: krb5kdc.logrotate
Source13: kadmind.logrotate Source13: kadmind.logrotate
Source14: krb5-krb5kdc.conf Source14: krb5-krb5kdc.conf
Source15: %{name}-tests
Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
Patch0002: 0002-downstream-ksu-pam-integration.patch Patch0002: 0002-downstream-ksu-pam-integration.patch
@ -73,16 +97,20 @@ Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
Patch0015: 0015-Eliminate-old-style-function-declarations.patch Patch0015: 0015-Fix-double-free-in-KDC-TGS-processing.patch
Patch0016: 0016-Replace-ssl.wrap_socket-for-tests.patch Patch0016: 0016-Eliminate-old-style-function-declarations.patch
Patch0017: 0017-Fix-unimportant-memory-leaks.patch Patch0017: 0017-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch Patch0018: 0018-Add-request_timeout-configuration-parameter.patch
Patch0019: 0019-Add-request_timeout-configuration-parameter.patch Patch0019: 0019-Wait-indefinitely-on-KDC-TCP-connections.patch
Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connections.patch Patch0020: 0020-Avoid-strict-prototype-compiler-errors.patch
Patch0021: 0021-Remove-klist-s-defname-global-variable.patch Patch0021: 0021-Fix-leak-in-KDC-NDR-encoding.patch
Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
Patch0023: 0023-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Patch0024: 0024-Remove-PKINIT-RSA-support.patch
Patch0025: 0025-Fix-various-issues-detected-by-static-analysis.patch
Patch0026: 0026-Generate-and-verify-message-MACs-in-libkrad.patch
License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
@ -102,18 +130,17 @@ BuildRequires: perl-interpreter
# For autosetup # For autosetup
BuildRequires: git BuildRequires: git
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9 %if 0%{?skipcheck}
# Need KDFs. This is the "real" version
BuildRequires: openssl-devel >= 1:3.0.0
%else %else
# Need KDFs. This is the backported version BuildRequires: dejagnu
BuildRequires: openssl-devel >= 1:1.1.1d-4 BuildRequires: net-tools, rpcbind
BuildRequires: openssl-devel < 1:3.0.0 BuildRequires: hostname
BuildRequires: iproute
BuildRequires: python3-pyrad
%endif %endif
# Enable compilation of optional tests # Need KDFs. This is the "real" version
BuildRequires: resolv_wrapper BuildRequires: openssl-devel >= 1:3.0.0
BuildRequires: libcmocka-devel
%description %description
Kerberos V5 is a trusted-third-party network authentication system, Kerberos V5 is a trusted-third-party network authentication system,
@ -139,13 +166,8 @@ to install this package.
%package libs %package libs
Summary: The non-admin shared libraries used by Kerberos 5 Summary: The non-admin shared libraries used by Kerberos 5
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
Requires: openssl-libs >= 1:3.0.0 Requires: openssl-libs >= 1:3.0.0
%else Requires: coreutils, gawk, grep, sed
Requires: openssl-libs >= 1:1.1.1d-4
Requires: openssl-libs < 1:3.0.0
%endif
Requires: coreutils, gawk, sed
Requires: keyutils-libs >= 1.5.8 Requires: keyutils-libs >= 1.5.8
Requires: /etc/crypto-policies/back-ends/krb5.config Requires: /etc/crypto-policies/back-ends/krb5.config
@ -163,8 +185,8 @@ Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
# we drop files in its directory, but we don't want to own that directory # we drop files in its directory, but we don't want to own that directory
Requires: logrotate Requires: logrotate
# we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf # we specify /usr/share/dict/words as the default dict_file in kdc.conf
Requires: words Requires: /usr/share/dict/words
# for run-time, and for parts of the test suite # for run-time, and for parts of the test suite
BuildRequires: libverto-module-base BuildRequires: libverto-module-base
Requires: libverto-module-base Requires: libverto-module-base
@ -224,50 +246,6 @@ Kerberos is a network authentication system. The libkadm5 package
contains only the libkadm5clnt and libkadm5serv shared objects. This contains only the libkadm5clnt and libkadm5serv shared objects. This
interface is not considered stable. interface is not considered stable.
%package tests
Summary: Test sources for krb5 build
# Build dependencies
Requires: coreutils, gawk, sed
Requires: gcc-c++
Requires: gettext
Requires: libcom_err-devel
Requires: libselinux-devel
Requires: libss-devel
Requires: libverto-devel
Requires: lmdb-devel
Requires: openldap-devel
Requires: pam-devel
Requires: redhat-rpm-config
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
Requires: openssl-devel >= 1:3.0.0
%else
Requires: openssl-devel >= 1:1.1.1d-4
Requires: openssl-devel < 1:3.0.0
%endif
# Test dependencies
Requires: dejagnu
Requires: hostname
Requires: iproute
Requires: keyutils, keyutils-libs-devel >= 1.5.8
Requires: libcmocka-devel
Requires: libverto-module-base
Requires: logrotate
Requires: net-tools, rpcbind
Requires: perl-interpreter
Requires: procps-ng
Requires: python3-kdcproxy
Requires: python3-pyrad
Requires: resolv_wrapper
Requires: /etc/crypto-policies/back-ends/krb5.config
Requires: words
#Requires: openldap-servers, openldap-clients
%description tests
FOR TESTING PURPOSE ONLY
Test sources for krb5 build, with pre-defined compilation parameters
%prep %prep
%autosetup -S git_am -n %{name}-%{version}%{?dashpre} %autosetup -S git_am -n %{name}-%{version}%{?dashpre}
ln NOTICE LICENSE ln NOTICE LICENSE
@ -310,7 +288,6 @@ sed -i -e \
"s,params.kadmind_port = 61001;,params.kadmind_port = $((PORT + 1));," \ "s,params.kadmind_port = 61001;,params.kadmind_port = $((PORT + 1));," \
src/lib/kadm5/t_kadm5.c src/lib/kadm5/t_kadm5.c
%build %build
# Go ahead and supply tcl info, because configure doesn't know how to find it. # Go ahead and supply tcl info, because configure doesn't know how to find it.
source %{_libdir}/tclConfig.sh source %{_libdir}/tclConfig.sh
@ -378,6 +355,17 @@ sphinx-build -a -b man -t pathsubs doc build-man
sphinx-build -a -b html -t pathsubs doc build-html sphinx-build -a -b html -t pathsubs doc build-html
rm -fr build-html/_sources rm -fr build-html/_sources
%if 0%{?skipcheck}
%else
%check
pushd src
# The build system may give us a revoked session keyring, so run affected
# tests with a new one.
keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
popd
%endif
%install %install
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT" [ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
@ -466,10 +454,9 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# list of link flags, and it helps prevent file conflicts on multilib systems. # list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Workaround krb5-config reading too much from LDFLAGS. # Workaround for krb5-config reading too much from LDFLAGS.
# https://bugzilla.redhat.com/show_bug.cgi?id=1997021 # https://bugzilla.redhat.com/show_bug.cgi?id=1997021
# https://bugzilla.redhat.com/show_bug.cgi?id=2048909 sed -r -i -e "s/-specs=[^ ]*//g" $RPM_BUILD_ROOT%{_bindir}/krb5-config
sed -i -r -e 's/^(LDFLAGS=).*/\1/' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Install processed man pages. # Install processed man pages.
for section in 1 5 8 ; do for section in 1 5 8 ; do
@ -494,43 +481,16 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
# This is only needed for tests # This is only needed for tests
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so" rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
# Generate tests launching script
sed -e 's/{{ name }}/%{name}/g' \
-e 's/{{ version }}/%{krb5_version}/g' \
-e 's/{{ release }}/%{krb5_release}/g' \
-e 's/{{ arch }}/%{_arch}/g' \
-i %{SOURCE15}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tests-%{_arch}
# Copy source files from build folder to system data folder
install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}
pushd src
cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" \
$(find . -type f -exec file -i "{}" + \
| sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p' | grep -Ev '~$')
popd
# Copy binary test files
install -pm 644 src/tests/pkinit-certs/*.p12 \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/pkinit-certs/"
install -pm 644 src/tests/au_dict.json \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/"
# Unset executable bit if no shebang in script
for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" -type f -executable)
do
head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f"
done
# Remove broken shebang Perl scripts
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/config/wconfig.pl"
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/kadmin/kdbkeys/do-test.pl"
%find_lang %{gettext_domain} %find_lang %{gettext_domain}
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%triggerun libs -- krb5-libs < 1.15.1-5
if ! grep -q 'includedir /etc/krb5.conf.d' /etc/krb5.conf ; then
sed -i '1i # To opt out of the system crypto-policies configuration of krb5, remove the\n# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.\nincludedir /etc/krb5.conf.d/\n' /etc/krb5.conf
fi
exit 0
%ldconfig_scriptlets server-ldap %ldconfig_scriptlets server-ldap
%post server %post server
@ -712,219 +672,166 @@ exit 0
%{_libdir}/libkadm5clnt_mit.so.* %{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%files tests
%{_libexecdir}/%{name}-tests-%{_arch}
%{_datarootdir}/%{name}-tests/%{_arch}
%changelog %changelog
* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.21.3-2 * Thu Oct 17 2024 Julien Rische <jrische@redhat.com> - 1.21.1-4
- Rebuilt for MSVSphere 10 - libkrad: implement support for Message-Authenticator (CVE-2024-3596)
Resolves: RHEL-55423
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-2 - Fix various issues detected by static analysis
- Do not include files with "~" termination in krb5-tests Resolves: RHEL-58216
Resolves: RHEL-45995 - Remove RSA protocol for PKINIT
Resolves: RHEL-15323
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-1
- New upstream version (1.21.3) * Fri Jul 05 2024 Julien Rische <jrische@redhat.com> - 1.21.1-3
- CVE-2024-37370 CVE-2024-37371 - CVE-2024-37370 CVE-2024-37371
Fix vulnerabilities in GSS message token handling Fix vulnerabilities in GSS message token handling
Resolves: RHEL-45387 RHEL-45378 Resolves: RHEL-45402 RHEL-45392
* Wed Mar 20 2024 Julien Rische <jrische@redhat.com> - 1.21.1-2
- Fix memory leak in GSSAPI interface - Fix memory leak in GSSAPI interface
Resolves: RHEL-47284 Resolves: RHEL-27251
- Fix memory leak in PMAP RPC interface - Fix memory leak in PMAP RPC interface
Resolves: RHEL-47287 Resolves: RHEL-27245
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC - Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-47285 Resolves: RHEL-27253
- Make TCP waiting time configurable - Make TCP waiting time configurable
Resolves: RHEL-47278 Resolves: RHEL-17132
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.21.2-7
- Bump release for June 2024 mass rebuild
* Wed Jun 19 2024 Julien Rische <jrische@redhat.com> - 1.21.2-6
- Add missing SPDX license identifiers
Resolves: RHEL-44383
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.21.2-5 * Tue Aug 08 2023 Julien Rische <jrische@redhat.com> - 1.21.1-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - New upstream version (1.21.1)
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.21.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jan 17 2024 Julien Rische <jrische@redhat.com> - 1.21.2-3
- Fix double free in klist's show_ccache()
Resolves: rhbz#2257301
- Store krb5-tests files in architecture-specific directories
Resolves: rhbz#2244601
* Tue Oct 10 2023 Julien Rische <jrische@redhat.com> - 1.21.2-2
- Use SPDX expression for license tag
- Fix unimportant memory leaks
Resolves: rhbz#2223274
* Wed Aug 16 2023 Julien Rische <jrische@redhat.com> - 1.21.2-1
- New upstream version (1.21.2)
- Fix double-free in KDC TGS processing (CVE-2023-39975) - Fix double-free in KDC TGS processing (CVE-2023-39975)
Resolves: rhbz#2229113 - Add support for "pac_privsvr_enctype" KDB string attribute
- Make tests compatible with Python 3.12 Resolves: rhbz#2060421
Resolves: rhbz#2224013
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.21-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 29 2023 Marek Blaha <mblaha@redhat.com> - 1.21-2 * Thu Jun 08 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9
- Replace file dependency with package name
Resolves: rhbz#2216903
* Mon Jun 12 2023 Julien Rische <jrische@redhat.com> - 1.21-1
- New upstream version (1.21)
- Do not disable PKINIT if some of the well-known DH groups are unavailable - Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297 Resolves: rhbz#2187722
- Make PKINIT CMS SHA-1 signature verification available in FIPS mode - Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300 Resolves: rhbz#2155607
- Allow to set PAC ticket signature as optional - Allow to set PAC ticket signature as optional
Resolves: rhbz#2181311 Resolves: rhbz#2178298
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001 * Wed Feb 22 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8
- Fix syntax error in aclocal.m4 - Fix datetime parsing in kadmin on s390x
Resolves: rhbz#2143306 Resolves: rhbz#2169985
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9 * Tue Feb 14 2023 Julien Rische <jrische@redhat.com> - 1.20.1-7
- Fix double free on kdb5_util key creation failure
Resolves: rhbz#2166603
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
- Add support for MS-PAC extended KDC signature (CVE-2022-37967) - Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001 Resolves: rhbz#2165827
* Mon Jan 30 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8 * Thu Jan 19 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled - Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode - Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode
Resolves: rhbz#2162461
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.1-7 * Thu Jan 12 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf - Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf - Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
Resolves: rhbz#2114771 Resolves: rhbz#2068535
* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5 * Tue Jan 10 2023 Julien Rische <jrische@redhat.com> - 1.20.1-2
- Strip debugging data from ksu executable file - Strip debugging data from ksu executable file
Resolves: rhbz#2159643
* Thu Jan 05 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4 * Wed Dec 07 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
- Include missing OpenSSL FIPS header - Make tests compatible with sssd-client
- Make tests compatible with sssd_krb5_locator_plugin.so Resolves: rhbz#2151513
- Remove invalid password expiry warning
* Tue Dec 06 2022 Julien Rische <jrische@redhat.com> - 1.20.1-3 Resolves: rhbz#2121099
- Enable TMT integration with Fedora CI - Update error checking for OpenSSL CMS_verify
Resolves: rhbz#2063838
- New upstream version (1.20.1)
Resolves: rhbz#2016312
- Fix integer overflows in PAC parsing (CVE-2022-42898)
Resolves: rhbz#2140971
* Thu Dec 1 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.20.1-2 * Tue Oct 18 2022 Julien Rische <jrische@redhat.com> - 1.19.1-23
- Bump KDB ABI version provide to 9.0 - Fix kprop for propagating dump files larger than 4GB
Resolves: rhbz#2133014
* Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1 * Fri Jul 08 2022 Julien Rische <jrische@redhat.com> - 1.19.1-22
- New upstream version (1.20.1)
Resolves: rhbz#2124463
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests - Restore "supportedCMSTypes" attribute in PKINIT preauth requests
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms - Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
Resolves: rhbz#2114766 Resolves: rhbz#2068935
- Update error checking for OpenSSL CMS_verify
Resolves: rhbz#2119704
- Remove invalid password expiry warning
Resolves: rhbz#2129113
* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13
- Fix integer overflows in PAC parsing (CVE-2022-42898)
Resolves: rhbz#2143011
* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12
- Use baserelease to set the release number
- Do not define netlib, but use autoconf detection for res_* functions
- Add missing BR for resolv_wrapper to run t_discover_uri.py
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-11.1 * Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - Fix libkrad client cleanup
- Allow use of larger RADIUS attributes in krad library
Resolves: rhbz#2100351
* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11 * Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
- Fix OpenSSL 3 MD5 encyption in FIPS mode
- Allow libkrad UDP/TCP connection to localhost in FIPS mode - Allow libkrad UDP/TCP connection to localhost in FIPS mode
Resolves: rhbz#2082189 Resolves: rhbz#2068458
- Read GSS configuration files with mtime 0
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10 * Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
- Use p11-kit as default PKCS11 module - Use p11-kit as default PKCS11 module
Resolves: rhbz#2073274 Resolves: rhbz#2030981
- Try harder to avoid password change replay errors
Resolves: rhbz#2072059
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9
- Fix libkrad client cleanup
- Fixes rhbz#2072059
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-8 * Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
- Allow use of larger RADIUS attributes in krad library - Try harder to avoid password change replay errors
Resolves: rhbz#2075186
* Wed Mar 23 2022 Julien Rische <jrische@redhat.com> - 1.19.2-7 * Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest - Use SHA-256 instead of SHA-1 for PKINIT CMS digest
* Tue Feb 8 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.2-6 * Thu Feb 24 2022 Julien Rische <jrische@redhat.com> - 1.19.1-14
- Drop old trigger scriplet - Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Reenable package notes and strip LDFLAGS from krb5-config (rhbz#2048909) - Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode
* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-5
- Temporarily remove package note to unblock krb5-dependent packages
Resolves: rhbz#2048909
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-4.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Dec 3 2021 Antonio Torres <antorres@redhat.com> - 1.19.2-4
- Add patches to support OpenSLL 3.0.0
- Remove TCL-based libkadm5 API tests
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.19.2-3.1
- Rebuilt with OpenSSL 3.0.0
* Tue Aug 24 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-3 * Fri Dec 17 2021 Antonio Torres <antorres@redhat.com> - 1.19.1-13
- Remove -specs= from krb5-config output - Remove -specs= from krb5-config output
- Resolves rhbz#1997021
* Thu Aug 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-2 * Wed Oct 20 2021 Antonio Torres <antorres@redhat.com> - 1.19.1-12
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750) - Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
Resolves: rhbz#1997602
* Mon Jul 26 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-1 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-11.1
- New upstream version (1.19.2) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-15 * Tue Jul 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-11
- Fix defcred leak in krb5 gss_inquire_cred()
* Mon Jul 12 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-14
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) - Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
Resolves: rhbz#1983733
* Thu Jul 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-13 * Wed Jul 14 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
- Fix use-after-free during krad remote_shutdown() - Update OpenSSL 3 provider handling to clean up properly
Resolves: rhbz#1955873
* Mon Jun 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-12
- MEMORY locking fix and static analysis pullup
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-11 * Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
- Add the backward-compatible parts of openssl3 support - Sync openssl3 patches with upstream
Resolves: rhbz#1955873
* Wed Jun 09 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10 * Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-8
- Fix three canonicalization cases for fallback - Rebuild for rpminspect and mass rebuild cleanup; no code changes
Resolves: rhbz#1967505
* Wed Jun 02 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9 * Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7
- Fix doc build for Sphinx 4.0 - Fix several fallback canonicalization problems
Resolves: rhbz#1967505
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-8 * Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-6.1
- Add all the sssd-kcm workarounds - Rebuilt for RHEL 9 BETA for openssl 3.0
Resolves: rhbz#1971065
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7 * Thu Jun 10 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-6
- Fix context for previous backport - Backport KCM retrieval fixes
Resolves: rhbz#1956403
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-6 * Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5
- Add KCM_OP_GET_CRED_LIST and KCM_OP_RETRIEVE support - Fix DES3 mention in KDFs
Resolves: rhbz#1955873
* Tue May 04 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5 * Wed May 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-4
- Suppress static analyzer warning in FIPS override - Port to OpenSSL 3 (alpha 15)
Resolves: rhbz#1955873
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.1-3.1 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-3.1
- Rebuilt for updated systemd-rpm-macros - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
See https://pagure.io/fesco/issue/2583.
* Mon Mar 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-3 * Mon Mar 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-3
- Further test dependency fixes; no code changes - Further test dependency fixes; no code changes
@ -1892,8 +1799,8 @@ exit 0
* Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5 * Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5
- Remove Zanata test glue and related workarounds - Remove Zanata test glue and related workarounds
- rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") - Bug rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
- rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh") - Bug rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh")
* Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4 * Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4
- Fix dependicy on binfmt.service - Fix dependicy on binfmt.service
@ -1902,12 +1809,12 @@ exit 0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2 * Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
- Add patch to fix Redhat rhbz#1227542 ("[SELinux] AVC denials may appear - Add patch to fix Redhat Bug rhbz#1227542 ("[SELinux] AVC denials may appear
when kadmind starts"). The issue was caused by an unneeded |htons()| when kadmind starts"). The issue was caused by an unneeded |htons()|
which triggered SELinux AVC denials due to the "random" port usage. which triggered SELinux AVC denials due to the "random" port usage.
* Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1 * Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
- Add fix for RedHat rhbz#1164304 ("Upstream unit tests loads - Add fix for RedHat Bug rhbz#1164304 ("Upstream unit tests loads
the installed shared libraries instead the ones from the build") the installed shared libraries instead the ones from the build")
* Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0 * Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0
@ -1928,7 +1835,7 @@ exit 0
dictionary attack against the user's password. dictionary attack against the user's password.
* Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3 * Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3
- Add temporay workaround for RH rhbz#1204646 ("krb5-config - Add temporay workaround for RH bug rhbz#1204646 ("krb5-config
returns wrong -specs path") which modifies krb5-config post returns wrong -specs path") which modifies krb5-config post
build so that development of krb5 dependicies gets unstuck. build so that development of krb5 dependicies gets unstuck.
This MUST be removed before rawhide becomes F23 ... This MUST be removed before rawhide becomes F23 ...
@ -2087,7 +1994,7 @@ exit 0
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-2 * Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-2
- pull in multiple changes to allow replay caches to be added to a GSS - pull in multiple changes to allow replay caches to be added to a GSS
credential store as "rcache"-type credentials (RT#7818/rhbz#7819/rhbz#7836, credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
rhbz#1056078/rhbz#1056080) rhbz#1056078/rhbz#1056080)
* Fri Jan 17 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-1 * Fri Jan 17 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-1
@ -2490,9 +2397,9 @@ exit 0
* Thu Nov 15 2012 Nalin Dahyabhai <nalin@redhat.com> * Thu Nov 15 2012 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.11 alpha 1 - update to 1.11 alpha 1
- drop backported patch for RT rhbz#7406 - drop backported patch for RT #7406
- drop backported patch for RT rhbz#7407 - drop backported patch for RT #7407
- drop backported patch for RT rhbz#7408 - drop backported patch for RT #7408
- the new docs system generates PDFs, so stop including them as sources - the new docs system generates PDFs, so stop including them as sources
- drop backported patch to allow deltat.y to build with the usual - drop backported patch to allow deltat.y to build with the usual
warning flags and the current gcc warning flags and the current gcc
@ -2682,7 +2589,7 @@ exit 0
should be able to run inside of the build system without issue should be able to run inside of the build system without issue
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.1-19 * Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.1-19
- Rebuilt for glibc rhbz#747377 - Rebuilt for glibc bugrhbz#747377
* Tue Oct 18 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-18 * Tue Oct 18 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-18
- apply upstream patch to fix a null pointer dereference with the LDAP kdb - apply upstream patch to fix a null pointer dereference with the LDAP kdb
@ -2875,7 +2782,7 @@ exit 0
k5login_directory settings for krb5.conf (rhbz#539423) k5login_directory settings for krb5.conf (rhbz#539423)
* Wed Sep 29 2010 jkeating - 1.8.3-5 * Wed Sep 29 2010 jkeating - 1.8.3-5
- Rebuilt for gcc rhbz#634757 - Rebuilt for gcc bug 634757
* Wed Sep 15 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.3-4 * Wed Sep 15 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.3-4
- fix reading of keyUsage extensions when attempting to select pkinit client - fix reading of keyUsage extensions when attempting to select pkinit client
@ -2895,20 +2802,20 @@ exit 0
- update to 1.8.3 - update to 1.8.3
- drop backports of fixes for gss context expiration and error table - drop backports of fixes for gss context expiration and error table
registration/deregistration mismatch registration/deregistration mismatch
- drop patch for upstream rhbz#6750 - drop patch for upstream #6750
* Wed Jul 7 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-3 * Wed Jul 7 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-3
- tell krb5kdc and kadmind to create pid files, since they can - tell krb5kdc and kadmind to create pid files, since they can
- add logrotate configuration files for krb5kdc and kadmind (rhbz#462658) - add logrotate configuration files for krb5kdc and kadmind (rhbz#462658)
- fix parsing of the pidfile option in the KDC (upstream rhbz#6750) - fix parsing of the pidfile option in the KDC (upstream #6750)
* Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-2 * Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-2
- libgssapi: pull in patch from svn to stop returning context-expired errors - libgssapi: pull in patch from svn to stop returning context-expired errors
when the ticket which was used to set up the context expires (rhbz#605366, when the ticket which was used to set up the context expires (rhbz#605366,
upstream rhbz#6739) upstream #6739)
* Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com> * Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com>
- pull up fix for upstream rhbz#6745, in which the gssapi library would add the - pull up fix for upstream #6745, in which the gssapi library would add the
wrong error table but subsequently attempt to unload the right one wrong error table but subsequently attempt to unload the right one
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-1 * Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-1
@ -3500,7 +3407,7 @@ exit 0
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> * Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com>
- initial update to 1.6, pre-package-reorg - initial update to 1.6, pre-package-reorg
- move workstation daemons to a new subpackage (rhbz#81836, rhbz#216356, rhbz#217301), and - move workstation daemons to a new subpackage (#81836, rhbz#216356, rhbz#217301), and
make the new subpackage require xinetd (rhbz#211885) make the new subpackage require xinetd (rhbz#211885)
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.5-18 * Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.5-18
@ -3534,7 +3441,7 @@ exit 0
* Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-10 * Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-10
- rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623) - rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623)
- way-late application of added error info in kadmind.init (rhbz#65853) - way-late application of added error info in kadmind.init (#65853)
* Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-9.pal_18695 * Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-9.pal_18695
- add backport of in-development preauth module interface (rhbz#208643) - add backport of in-development preauth module interface (rhbz#208643)
@ -3636,7 +3543,7 @@ exit 0
* Wed Aug 31 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-2 * Wed Aug 31 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-2
- change the default configured encryption type for KDC databases to the - change the default configured encryption type for KDC databases to the
compiled-in default of des3-hmac-sha1 (rhbz#57847) compiled-in default of des3-hmac-sha1 (#57847)
* Thu Aug 11 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1 * Thu Aug 11 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
- update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and - update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and
@ -4198,7 +4105,7 @@ exit 0
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com> * Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- use %%{_infodir} to better comply with FHS - use %%{_infodir} to better comply with FHS
- move .so files to -devel subpackage - move .so files to -devel subpackage
- tweak xinetd config files (bugs rhbz#11833, rhbz#11835, rhbz#11836, rhbz#11840) - tweak xinetd config files (bugs #11833, #11835, #11836, #11840)
- fix package descriptions again - fix package descriptions again
* Wed May 24 2000 Nalin Dahyabhai <nalin@redhat.com> * Wed May 24 2000 Nalin Dahyabhai <nalin@redhat.com>
@ -4235,7 +4142,7 @@ exit 0
- fix configure stuff for ia64 - fix configure stuff for ia64
* Mon Apr 10 2000 Nalin Dahyabhai <nalin@redhat.com> * Mon Apr 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- add LDCOMBINE=-lc to configure invocation to use libc versioning (rhbz#10653) - add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653)
- change Requires: for/in subpackages to include %%{version} - change Requires: for/in subpackages to include %%{version}
* Wed Apr 05 2000 Nalin Dahyabhai <nalin@redhat.com> * Wed Apr 05 2000 Nalin Dahyabhai <nalin@redhat.com>

Loading…
Cancel
Save