authorRobbie Harwood <rharwood@redhat.com>2016-09-19 23:49:29 +0000
committerRobbie Harwood <rharwood@redhat.com>2016-09-19 23:49:31 +0000
commit14f028579db3f19c38efec9e683e4837ddb860b7 (patch)
tree2e148374ec51cdd9486ca1786dd7e8977da7ad82
parent4f5955da728b5fb86fb88f094a11add78ce93aef (diff)
New upstream release and integrate with external git
-rw-r--r--.gitignore3
-rw-r--r--Add-KDC-pre-send-and-post-receive-KDC-hooks.patch (renamed from krb5-1.15-kdc_send_receive_hooks.patch)26
-rw-r--r--Add-krb5_db_register_keytab.patch (renamed from krb5-1.15-krb5_db_register_keytab.patch)4
-rw-r--r--Add-tests-for-send-and-receive-sendto_kdc-hooks.patch (renamed from krb5-1.15-kdc_hooks_test.patch)8
-rw-r--r--Change-KDC-error-for-encrypted-timestamp-preauth.patch (renamed from krb5-1.15-kdc-error-encrypted-timestamp.patch)4
-rw-r--r--Create-KDC-and-kadmind-log-files-with-mode-0640.patch (renamed from krb5-1.14.1-log_file_permissions.patch)20
-rw-r--r--Fix-impersonate_name-to-work-with-interposers.patch (renamed from krb5-acquire_cred_interposer.patch)12
-rw-r--r--Improve-bad-password-inference-in-kinit.patch (renamed from krb5-1.15-improve-bad-password-inference.patch)4
-rw-r--r--Set-prompt-type-for-OTP-preauth-prompt.patch (renamed from krb5-1.15-otp-preauth-prompt-type.patch)6
-rw-r--r--krb5-1.11-kpasswdtest.patch20
-rw-r--r--krb5-1.11-run_user_0.patch19
-rw-r--r--krb5-1.12-api.patch21
-rw-r--r--krb5-1.12-buildconf.patch73
-rw-r--r--krb5-1.12-ksu-path.patch17
-rw-r--r--krb5-1.12-ktany.patch86
-rw-r--r--krb5-1.12.1-pam.patch144
-rw-r--r--krb5-1.13-dirsrv-accountlock.patch41
-rw-r--r--krb5-1.13-selinux-label.patch584
-rw-r--r--krb5-1.14.4-SNI-HTTP-Host.patch108
-rw-r--r--krb5-1.14.4-ofd-lock-workaround.patch73
-rw-r--r--krb5-1.14.4-responder-non-preauth.patch86
-rw-r--r--krb5-1.14.4-samba-client-mutual-flag.patch37
-rw-r--r--krb5-1.3.1-dns.patch21
-rw-r--r--krb5-1.6.3-kdc_listen_all.patch247
-rw-r--r--krb5-1.9-debuginfo.patch28
-rw-r--r--krb5-disable_ofd_locks.patch18
-rw-r--r--krb5-kdcdir2.patch17
-rw-r--r--krb5-pkinit-debug.patch99
-rw-r--r--krb5.spec108
-rw-r--r--sources6
30 files changed, 746 insertions, 1194 deletions
diff --git a/.gitignore b/.gitignore
index fb86978..c75f856 100644
--- a/.gitignore
+++ b/.gitignore
@@ -136,3 +136,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14.3.tar.gz
/krb5-1.14.3.tar.gz.asc
/krb5-1.14.3-pdfs.tar
+/krb5-1.14.4.tar.gz
+/krb5-1.14.4.tar.gz.asc
+/krb5-1.14.4-pdfs.tar
diff --git a/krb5-1.15-kdc_send_receive_hooks.patch b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
index d5addf2..63a3deb 100644
--- a/krb5-1.15-kdc_send_receive_hooks.patch
+++ b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
@@ -1,7 +1,7 @@
-From 700f0921e891c5986e31e8394a9e7287a7c16524 Mon Sep 17 00:00:00 2001
+From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Mar 2016 18:53:31 +0100
-Subject: [PATCH 1/2] Add KDC pre-send and post-receive KDC hooks
+Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override
@@ -47,10 +47,10 @@ index 51c4093..dc414cf 100644
krb5_principal.rst
krb5_principal_data.rst
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 41c3d1b..a4266d9 100644
+index 6b7b2e3..045abfc 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
-@@ -1237,6 +1237,12 @@ struct _krb5_context {
+@@ -1238,6 +1238,12 @@ struct _krb5_context {
krb5_trace_callback trace_callback;
void *trace_callback_data;
@@ -64,10 +64,10 @@ index 41c3d1b..a4266d9 100644
char *plugin_base_dir;
};
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index 851cea3..59baf70 100644
+index c93a0f2..2b0d59e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
-@@ -8288,6 +8288,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
+@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
krb5_error_code KRB5_CALLCONV
krb5_set_trace_filename(krb5_context context, const char *filename);
@@ -192,10 +192,10 @@ index c623409..ea6982d 100644
krb5_set_trace_callback
krb5_set_trace_filename
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index 3b3b438..a2bc591 100644
+index 6231de2..be00b8f 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context,
+@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
return 1;
}
@@ -218,7 +218,7 @@ index 3b3b438..a2bc591 100644
/*
* send the formatted request 'message' to a KDC for realm 'realm' and
* return the response (if any) in 'reply'.
-@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context,
+@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
krb5_error_code
krb5_sendto_kdc(krb5_context context, const krb5_data *message,
@@ -236,7 +236,7 @@ index 3b3b438..a2bc591 100644
/*
* find KDC location(s) for realm
-@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
if (retval)
return retval;
@@ -264,7 +264,7 @@ index 3b3b438..a2bc591 100644
check_for_svc_unavailable, &err);
if (retval == KRB5_KDC_UNREACH) {
if (err == KDC_ERR_SVC_UNAVAILABLE) {
-@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
realm->length, realm->data);
}
}
@@ -288,7 +288,7 @@ index 3b3b438..a2bc591 100644
/* Set use_master to 1 if we ended up talking to a master when we didn't
* explicitly request to. */
if (*use_master == 0) {
-@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
}
cleanup:
@@ -310,5 +310,5 @@ index 3734e9b..8d58ea1 100644
+ krb5_set_kdc_send_hook @433
+ krb5_set_kdc_recv_hook @434
--
-2.8.0.rc3
+2.9.3
diff --git a/krb5-1.15-krb5_db_register_keytab.patch b/Add-krb5_db_register_keytab.patch
index bf35520..fd77167 100644
--- a/krb5-1.15-krb5_db_register_keytab.patch
+++ b/Add-krb5_db_register_keytab.patch
@@ -1,7 +1,7 @@
-From c9136272512a6158d77e74035d52869443403a10 Mon Sep 17 00:00:00 2001
+From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Sep 2016 18:33:43 +0200
-Subject: [PATCH] Add krb5_db_register_keytab()
+Subject: [PATCH 19/19] Add krb5_db_register_keytab()
Add a public libkdb5 function to register the KDB keytab type. This
functionality is needed for out-of-tree KDC servers such as the Samba
diff --git a/krb5-1.15-kdc_hooks_test.patch b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
index 97385db..7237327 100644
--- a/krb5-1.15-kdc_hooks_test.patch
+++ b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
@@ -1,7 +1,7 @@
-From e60e5e0a8e8e98edae8c678e5c300b30368006fb Mon Sep 17 00:00:00 2001
+From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 Mar 2016 17:59:07 +0100
-Subject: [PATCH 2/2] Add tests for send and receive sendto_kdc hooks
+Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks
[ghudson@mit.edu: style changes]
@@ -10,7 +10,7 @@ ticket: 8386
Conflicts:
src/tests/Makefile.in
[rharwood@redhat.com: fix cherry-pick merge conflicts]
-[rharwood@redhat.com: remove references to .gitignore]
+[rharwood@redhat.com: locally remove gitignore]
---
src/tests/Makefile.in | 12 ++-
src/tests/deps | 10 ++
@@ -363,5 +363,5 @@ index 0000000..58dff3a
+
+success('send and recv hook tests')
--
-2.8.0.rc3
+2.9.3
diff --git a/krb5-1.15-kdc-error-encrypted-timestamp.patch b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
index cbf9309..a66d004 100644
--- a/krb5-1.15-kdc-error-encrypted-timestamp.patch
+++ b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
@@ -1,7 +1,7 @@
-From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
+From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Aug 2016 18:03:55 +0200
-Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
+Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth
When encrypted timestamp pre-authentication fails, respond with error
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
diff --git a/krb5-1.14.1-log_file_permissions.patch b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
index 0fb965c..9810acd 100644
--- a/krb5-1.14.1-log_file_permissions.patch
+++ b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
@@ -1,7 +1,7 @@
-From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001
+From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 17 Dec 2015 13:31:39 -0500
-Subject: [PATCH] Create KDC and kadmind log files with mode 0640
+Date: Tue, 23 Aug 2016 16:58:44 -0400
+Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640
In krb5_klog_init(), use open() and fdopen() to open log files so that
we can specify a mode. Specify a mode which doesn't include the
@@ -18,11 +18,10 @@ ticket: 8344 (new)
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index 19c4355..f4a9387 100644
-
---- a/src/lib/kadm5/logger.c 2016-01-21 18:52:52.529544902 +0000
-+++ b/src/lib/kadm5/logger.c 2016-01-21 18:57:22.923972419 +0000
-@@ -354,7 +354,7 @@
+index 64f9641..0517efe 100644
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
const char *logging_profent[3];
const char *logging_defent[3];
char **logging_specs;
@@ -31,7 +30,7 @@ index 19c4355..f4a9387 100644
char *cp, *cp2;
char savec = '\0';
int error;
-@@ -422,18 +422,21 @@
+@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
/*
* Check for append/overwrite, then open the file.
*/
@@ -61,3 +60,6 @@ index 19c4355..f4a9387 100644
}
}
#ifdef HAVE_SYSLOG
+--
+2.9.3
+
diff --git a/krb5-acquire_cred_interposer.patch b/Fix-impersonate_name-to-work-with-interposers.patch
index fa1c532..84e9e00 100644
--- a/krb5-acquire_cred_interposer.patch
+++ b/Fix-impersonate_name-to-work-with-interposers.patch
@@ -1,7 +1,7 @@
-From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
+From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
-Subject: [PATCH] Fix impersonate_name to work with interposers
+Subject: [PATCH 12/19] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
@@ -154,10 +154,10 @@ index 0dd4f87..9eab25e 100644
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index e6703eb..28fb9b1 100644
+index 07435d8..99e374f 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
@@ -170,7 +170,7 @@ index e6703eb..28fb9b1 100644
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
-@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
@@ -218,5 +218,5 @@ index e6703eb..28fb9b1 100644
return (status);
}
--
-2.6.2
+2.9.3
diff --git a/krb5-1.15-improve-bad-password-inference.patch b/Improve-bad-password-inference-in-kinit.patch
index 8e1424a..23b0536 100644
--- a/krb5-1.15-improve-bad-password-inference.patch
+++ b/Improve-bad-password-inference-in-kinit.patch
@@ -1,7 +1,7 @@
-From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
+From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:28:43 -0400
-Subject: [PATCH 2/3] Improve bad password inference in kinit
+Subject: [PATCH 17/19] Improve bad password inference in kinit
kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be
diff --git a/krb5-1.15-otp-preauth-prompt-type.patch b/Set-prompt-type-for-OTP-preauth-prompt.patch
index 2c3d975..343df6b 100644
--- a/krb5-1.15-otp-preauth-prompt-type.patch
+++ b/Set-prompt-type-for-OTP-preauth-prompt.patch
@@ -1,7 +1,7 @@
-From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
+From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:23:31 -0400
-Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
+Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt
Add k5_set_prompt_type() calls around the prompter invocation in
preauth_otp.c, and add the comment we conventionally put before
@@ -14,7 +14,7 @@ ticket: 8464 (new)
1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
-index 3de528b..01c48b4 100644
+index 37f98b2..48fcbb5 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -31,6 +31,7 @@
diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch
index f07b225..d2ab8b0 100644
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@@ -1,6 +1,17 @@
---- krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto
-+++ krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto
-@@ -7,6 +7,7 @@
+From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:52:01 -0400
+Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch
+
+---
+ src/kadmin/testing/proto/krb5.conf.proto | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
+index e9702bb..482fda6 100644
+--- a/src/kadmin/testing/proto/krb5.conf.proto
++++ b/src/kadmin/testing/proto/krb5.conf.proto
+@@ -8,6 +8,7 @@
__REALM__ = {
kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751
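Review bot: The generated `+Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch` line is just the file name, and the body between it and the `+---` separator is empty, so the git-format version of this patch records neither what it changes nor why; the inner diff adds one line to `src/kadmin/testing/proto/krb5.conf.proto`, but that line falls outside this hunk, so the intent cannot be recovered from here. A descriptive subject such as `Subject: [PATCH 11/19] <one-line description of the krb5.conf.proto addition>` (placeholder) plus a one-sentence body would fix that. The same file-name-as-subject pattern is used for krb5-1.11-run_user_0.patch, krb5-1.12-api.patch, krb5-1.12-buildconf.patch, krb5-1.12-ksu-path.patch, krb5-1.12-ktany.patch and krb5-1.12.1-pam.patch, although those at least keep their existing prose descriptions as the body.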
@@ -8,3 +19,6 @@
database_module = foobar_db2_module_blah
}
+--
+2.9.3
+
diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch
index 6be760a..454b731 100644
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@@ -1,9 +1,19 @@
+From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:49:57 -0400
+Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch
+
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too.
+---
+ src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
---- krb5/src/lib/krb5/ccache/cc_dir.c
-+++ krb5/src/lib/krb5/ccache/cc_dir.c
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+index 73f0fe6..4850c0d 100644
+--- a/src/lib/krb5/ccache/cc_dir.c
++++ b/src/lib/krb5/ccache/cc_dir.c
@@ -61,6 +61,8 @@
#include <dirent.h>
@@ -13,7 +23,7 @@ it, too.
extern const krb5_cc_ops krb5_dcc_ops;
extern const krb5_cc_ops krb5_fcc_ops;
-@@ -239,6 +241,18 @@
+@@ -237,6 +239,18 @@ verify_dir(krb5_context context, const char *dirname)
if (stat(dirname, &st) < 0) {
if (errno == ENOENT) {
@@ -32,3 +42,6 @@ it, too.
#ifdef USE_SELINUX
selabel = krb5int_push_fscreatecon_for(dirname);
#endif
+--
+2.9.3
+
diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch
index f5432a3..61417f1 100644
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@@ -1,10 +1,20 @@
+From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:47:00 -0400
+Subject: [PATCH 07/19] krb5-1.12-api.patch
+
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
+---
+ src/lib/krb5/krb/princ_comp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
---- krb5/src/lib/krb5/krb/princ_comp.c
-+++ krb5/src/lib/krb5/krb/princ_comp.c
-@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+index a693610..0ed7883 100644
+--- a/src/lib/krb5/krb/princ_comp.c
++++ b/src/lib/krb5/krb/princ_comp.c
+@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm;
@@ -15,7 +25,7 @@ crashing if applications don't check ahead of time.
if (realm1->length != realm2->length)
return FALSE;
if (realm1->length == 0)
-@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
@@ -25,3 +35,6 @@ crashing if applications don't check ahead of time.
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+--
+2.9.3
+
diff --git a/krb5-1.12-buildconf.patch b/krb5-1.12-buildconf.patch
index 11b816f..efe9106 100644
--- a/krb5-1.12-buildconf.patch
+++ b/krb5-1.12-buildconf.patch
@@ -1,33 +1,24 @@
+From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:45:26 -0400
+Subject: [PATCH 05/19] krb5-1.12-buildconf.patch
+
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
+---
+ src/build-tools/krb5-config.in | 7 +++++++
+ src/config/pre.in | 2 +-
+ src/config/shlib.conf | 5 +++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
---- krb5/src/config/shlib.conf
-+++ krb5/src/config/shlib.conf
-@@ -419,7 +419,7 @@ mips-*-netbsd*)
- SHLIBEXT=.so
- # Linux ld doesn't default to stuffing the SONAME field...
- # Use objdump -x to examine the fields of the library
-- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
-+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
- #
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
- SHLIB_EXPORT_FILE_DEP=binutils.versions
-@@ -430,7 +430,8 @@
- SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
- PROFFLAGS=-pg
- PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
-- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
-+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
-+ INSTALL_SHLIB='${INSTALL} -m755'
- CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
- CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
---- krb5/src/build-tools/krb5-config.in
-+++ krb5/src/build-tools/krb5-config.in
-@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index c17cb5e..1891dea 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -226,6 +226,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@@ -41,9 +32,11 @@ not just assume that the compiler supports using these flags.
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
---- krb5/src/config/pre.in
-+++ krb5/src/config/pre.in
-@@ -188,7 +188,7 @@
+diff --git a/src/config/pre.in b/src/config/pre.in
+index 63271e7..c100fef 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
@@ -52,3 +45,29 @@ not just assume that the compiler supports using these flags.
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@
+diff --git a/src/config/shlib.conf b/src/config/shlib.conf
+index 55f16be..f4a762c 100644
+--- a/src/config/shlib.conf
++++ b/src/config/shlib.conf
+@@ -422,7 +422,7 @@ mips-*-netbsd*)
+ SHLIBEXT=.so
+ # Linux ld doesn't default to stuffing the SONAME field...
+ # Use objdump -x to examine the fields of the library
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
+ #
+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+ SHLIB_EXPORT_FILE_DEP=binutils.versions
+@@ -433,7 +433,8 @@ mips-*-netbsd*)
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ PROFFLAGS=-pg
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
+ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
+--
+2.9.3
+
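Review bot: The regenerated shlib.conf hunk still injects the hardening flags unconditionally at `++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'` and `++ LDCOMBINE='... --no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'`, with no configure-time probe for toolchain support, which the patch's own description already marks as a FIXME and this commit does not address. The two flag sets also deliberately differ — executables get `-z now` (full RELRO, no lazy binding) while shared libraries get only `-z relro` — but the description records only the outcome ("libraries as partial RELRO"), not the reason. A sentence in the description block such as `Shared libraries keep lazy binding (no -z now) because <rationale>` (placeholder for the actual reason) would let a reader distinguish intent from omission.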
diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch
index 65552c9..61f654a 100644
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@@ -1,7 +1,17 @@
+From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:32:09 -0400
+Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch
+
Set the default PATH to the one set by login.
+---
+ src/clients/ksu/Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
---- krb5/src/clients/ksu/Makefile.in
-+++ krb5/src/clients/ksu/Makefile.in
+diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
+index ad2406a..1379c4a 100644
+--- a/src/clients/ksu/Makefile.in
++++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
@@ -10,3 +20,6 @@ Set the default PATH to the one set by login.
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@
+--
+2.9.3
+
diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch
index 88f1a7e..4ca1c75 100644
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@@ -1,10 +1,51 @@
+From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:33:53 -0400
+Subject: [PATCH 04/19] krb5-1.12-ktany.patch
+
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
+---
+ src/lib/krb5/keytab/Makefile.in | 3 +
+ src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++
+ src/lib/krb5/keytab/ktbase.c | 7 +-
+ 3 files changed, 301 insertions(+), 1 deletion(-)
+ create mode 100644 src/lib/krb5/keytab/kt_any.c
-diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
---- /dev/null 2009-06-04 10:34:55.169007373 -0400
-+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400
+diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
+index 28485d5..c17ab82 100644
+--- a/src/lib/krb5/keytab/Makefile.in
++++ b/src/lib/krb5/keytab/Makefile.in
+@@ -12,6 +12,7 @@ STLIBOBJS= \
+ ktfr_entry.o \
+ ktremove.o \
+ ktfns.o \
++ kt_any.o \
+ kt_file.o \
+ kt_memory.o \
+ kt_srvtab.o \
+@@ -24,6 +25,7 @@ OBJS= \
+ $(OUTPRE)ktfr_entry.$(OBJEXT) \
+ $(OUTPRE)ktremove.$(OBJEXT) \
+ $(OUTPRE)ktfns.$(OBJEXT) \
++ $(OUTPRE)kt_any.$(OBJEXT) \
+ $(OUTPRE)kt_file.$(OBJEXT) \
+ $(OUTPRE)kt_memory.$(OBJEXT) \
+ $(OUTPRE)kt_srvtab.$(OBJEXT) \
+@@ -36,6 +38,7 @@ SRCS= \
+ $(srcdir)/ktfr_entry.c \
+ $(srcdir)/ktremove.c \
+ $(srcdir)/ktfns.c \
++ $(srcdir)/kt_any.c \
+ $(srcdir)/kt_file.c \
+ $(srcdir)/kt_memory.c \
+ $(srcdir)/kt_srvtab.c \
+diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c
+new file mode 100644
+index 0000000..1b9b776
+--- /dev/null
++++ b/src/lib/krb5/keytab/kt_any.c
@@ -0,0 +1,292 @@
+/*
+ * lib/krb5/keytab/kt_any.c
@@ -298,10 +339,11 @@ diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
+ free(data->choices);
+ free(data);
+}
-diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c
---- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500
-+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400
-@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
+diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
+index 0d39b29..6534d7c 100644
+--- a/src/lib/krb5/keytab/ktbase.c
++++ b/src/lib/krb5/keytab/ktbase.c
+@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
extern const krb5_kt_ops krb5_mkt_ops;
@@ -322,30 +364,6 @@ diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktba
};
const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
&krb5_mkt_ops,
-diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in
---- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500
-+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400
-@@ -19,6 +19,7 @@ STLIBOBJS= \
- ktfr_entry.o \
- ktremove.o \
- ktfns.o \
-+ kt_any.o \
- kt_file.o \
- kt_memory.o \
- kt_srvtab.o \
-@@ -31,6 +32,7 @@ OBJS= \
- $(OUTPRE)ktfr_entry.$(OBJEXT) \
- $(OUTPRE)ktremove.$(OBJEXT) \
- $(OUTPRE)ktfns.$(OBJEXT) \
-+ $(OUTPRE)kt_any.$(OBJEXT) \
- $(OUTPRE)kt_file.$(OBJEXT) \
- $(OUTPRE)kt_memory.$(OBJEXT) \
- $(OUTPRE)kt_srvtab.$(OBJEXT) \
-@@ -43,6 +45,7 @@ SRCS= \
- $(srcdir)/ktfr_entry.c \
- $(srcdir)/ktremove.c \
- $(srcdir)/ktfns.c \
-+ $(srcdir)/kt_any.c \
- $(srcdir)/kt_file.c \
- $(srcdir)/kt_memory.c \
- $(srcdir)/kt_srvtab.c \
+--
+2.9.3
+
diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch
index 5a8e65e..39d296d 100644
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@@ -1,3 +1,8 @@
+From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:29:58 -0400
+Subject: [PATCH 01/19] krb5-1.12.1-pam.patch
+
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
@@ -11,11 +16,22 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
+---
+ src/aclocal.m4 | 67 ++++++++
+ src/clients/ksu/Makefile.in | 8 +-
+ src/clients/ksu/main.c | 88 +++++++++-
+ src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++++++++++
+ src/clients/ksu/pam.h | 57 +++++++
+ src/configure.in | 2 +
+ 6 files changed, 608 insertions(+), 3 deletions(-)
+ create mode 100644 src/clients/ksu/pam.c
+ create mode 100644 src/clients/ksu/pam.h
-diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
---- krb5/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
-+++ krb5/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500
-@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index dbb7db2..ce045ab 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@@ -86,9 +102,48 @@ diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
-diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
---- krb5/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500
-+++ krb5/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500
+diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
+index c705fda..ad2406a 100644
+--- a/src/clients/ksu/Makefile.in
++++ b/src/clients/ksu/Makefile.in
+@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
+ DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+
+ KSU_LIBS=@KSU_LIBS@
++PAM_LIBS=@PAM_LIBS@
+
+ SRCS = \
+ $(srcdir)/krb_auth_su.c \
+ $(srcdir)/ccache.c \
+ $(srcdir)/authorization.c \
+ $(srcdir)/main.c \
++ $(srcdir)/pam.c \
+ $(srcdir)/heuristic.c \
+ $(srcdir)/xmalloc.c \
+ $(srcdir)/setenv.c
+@@ -17,13 +19,17 @@ OBJS = \
+ ccache.o \
+ authorization.o \
+ main.o \
++ pam.o \
+ heuristic.o \
+ xmalloc.o @SETENVOBJ@
+
+ all:: ksu
+
+ ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
+- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
++
++pam.o: pam.c
++ $(CC) $(ALL_CFLAGS) -c $<
+
+ clean::
+ $(RM) ksu
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index 2f8d8e1..1b2ca83 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@@ -116,7 +171,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
-@@ -586,6 +592,23 @@ main (argc, argv)
+@@ -514,6 +520,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@@ -140,7 +195,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
-@@ -651,6 +676,24 @@
+@@ -574,6 +597,24 @@ main (argc, argv)
exit(1);
}
@@ -165,7 +220,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
}
if( some_rest_copy){
-@@ -720,6 +745,30 @@
+@@ -631,6 +672,30 @@ main (argc, argv)
exit(1);
}
@@ -196,7 +251,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
-@@ -792,7 +817,7 @@ main (argc, argv)
+@@ -728,7 +793,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@@ -205,7 +260,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
-@@ -823,16 +875,35 @@ main (argc, argv)
+@@ -758,16 +823,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@@ -242,46 +297,11 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
exit (1);
}
}
-diff -up krb5/src/clients/ksu/Makefile.in.pam krb5/src/clients/ksu/Makefile.in
---- krb5/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500
-+++ krb5/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500
-@@ -7,12 +7,14 @@
- DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
-
- KSU_LIBS=@KSU_LIBS@
-+PAM_LIBS=@PAM_LIBS@
-
- SRCS = \
- $(srcdir)/krb_auth_su.c \
- $(srcdir)/ccache.c \
- $(srcdir)/authorization.c \
- $(srcdir)/main.c \
-+ $(srcdir)/pam.c \
- $(srcdir)/heuristic.c \
- $(srcdir)/xmalloc.c \
- $(srcdir)/setenv.c
-@@ -21,13 +23,17 @@ OBJS = \
- ccache.o \
- authorization.o \
- main.o \
-+ pam.o \
- heuristic.o \
- xmalloc.o @SETENVOBJ@
-
- all:: ksu
-
- ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
-- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
-+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
-+
-+pam.o: pam.c
-+ $(CC) $(ALL_CFLAGS) -c $<
-
- clean::
- $(RM) ksu
-diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
---- krb5/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500
-+++ krb5/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500
+diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
+new file mode 100644
+index 0000000..cbfe487
+--- /dev/null
++++ b/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@@ -672,9 +692,11 @@ diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
-diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h
---- krb5/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500
-+++ krb5/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500
+diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
+new file mode 100644
+index 0000000..0ab7656
+--- /dev/null
++++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@@ -733,10 +755,11 @@ diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
-diff -up krb5/src/configure.in.pam krb5/src/configure.in
---- krb5/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500
-+++ krb5/src/configure.in 2010-03-05 10:48:08.000000000 -0500
-@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
+diff --git a/src/configure.in b/src/configure.in
+index b2a8675..8846ca0 100644
+--- a/src/configure.in
++++ b/src/configure.in
+@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@@ -745,3 +768,6 @@ diff -up krb5/src/configure.in.pam krb5/src/configure.in
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
+--
+2.9.3
+
diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch
index 0a6661c..bb35ffe 100644
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@@ -1,10 +1,21 @@
+From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:47:44 -0400
+Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch
+
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
+---
+ src/aclocal.m4 | 9 +++++++++
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++
+ 3 files changed, 29 insertions(+)
-diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
---- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
-+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
-@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index ed343c5..f67eef7 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes
fi
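Review bot: The new mail header at the top of this patch uses the file name as its subject, `Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch`, so `git am`/`git log` will show no description of what the change does; the one-line summary that follows already exists in the body and belongs in the subject, e.g. `Subject: [PATCH 08/19] Treat nsAccountLock like loginDisabled in the LDAP KDB module`. The `08/19` sequence number is what fixes the apply order, so renaming the subject costs nothing there. It would also help to state in the body which directory server defines nsAccountLock (the "dirsrv" in the file name suggests 389-DS/IPA, but the body does not say), since a KDC admin reading the patch queue cannot tell whether the attribute applies to their LDAP backend.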
@@ -20,10 +31,11 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
])dnl
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
-diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
-+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
-@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index aca8f31..0a0968c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
@@ -47,11 +59,11 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
- goto cleanup;
-diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
-+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
-@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+index 6a06f55..1f87e21 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
@@ -61,3 +73,6 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbExtraData",
+--
+2.9.3
+
diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.13-selinux-label.patch
index 1cd86c0..feb034f 100644
--- a/krb5-1.13-selinux-label.patch
+++ b/krb5-1.13-selinux-label.patch
@@ -1,3 +1,8 @@
+From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:30:53 -0400
+Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch
+
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@@ -30,10 +35,42 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
+---
+ src/aclocal.m4 | 49 +++
+ src/build-tools/krb5-config.in | 3 +-
+ src/config/pre.in | 3 +-
+ src/configure.in | 2 +
+ src/include/k5-int.h | 1 +
+ src/include/k5-label.h | 32 ++
+ src/include/krb5/krb5.hin | 6 +
+ src/kadmin/dbutil/dump.c | 11 +-
+ src/kdc/main.c | 2 +-
+ src/lib/kadm5/logger.c | 4 +-
+ src/lib/kdb/kdb_log.c | 2 +-
+ src/lib/krb5/ccache/cc_dir.c | 26 +-
+ src/lib/krb5/keytab/kt_file.c | 4 +-
+ src/lib/krb5/os/trace.c | 2 +-
+ src/lib/krb5/rcache/rc_dfl.c | 13 +
+ src/plugins/kdb/db2/adb_openclose.c | 2 +-
+ src/plugins/kdb/db2/kdb_db2.c | 4 +-
+ src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
+ src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
+ src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
+ .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
+ src/slave/kpropd.c | 9 +
+ src/util/gss-kernel-lib/Makefile.in | 5 +-
+ src/util/profile/prof_file.c | 3 +-
+ src/util/support/Makefile.in | 3 +-
+ src/util/support/selinux.c | 381 +++++++++++++++++++++
+ 26 files changed, 566 insertions(+), 22 deletions(-)
+ create mode 100644 src/include/k5-label.h
+ create mode 100644 src/util/support/selinux.c
---- krb5/src/aclocal.m4
-+++ krb5/src/aclocal.m4
-@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index ce045ab..311f099 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@@ -41,7 +78,7 @@ which we used earlier, is some improvement.
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
-@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
+@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@@ -93,9 +130,32 @@ which we used earlier, is some improvement.
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
---- krb5/src/config/pre.in
-+++ krb5/src/config/pre.in
-@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index f6184da..c17cb5e 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
+ DEFCCNAME='@DEFCCNAME@'
+ DEFKTNAME='@DEFKTNAME@'
+ DEFCKTNAME='@DEFCKTNAME@'
++SELINUX_LIBS='@SELINUX_LIBS@'
+
+ LIBS='@LIBS@'
+ GEN_LIB=@GEN_LIB@
+@@ -255,7 +256,7 @@ if test -n "$do_libs"; then
+ fi
+
+ # If we ever support a flag to generate output suitable for static
+- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ # here.
+
+ echo $lib_flags
+diff --git a/src/config/pre.in b/src/config/pre.in
+index b0d9015..63271e7 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
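Review bot: `SELINUX_LIBS='@SELINUX_LIBS@'` is substituted into krb5-config.in but nothing in this hunk emits it; the only other change to the script is the comment describing a hypothetical static-link mode, and the diffstat (`krb5-config.in | 3 +-`) confirms there are no further edits to that file. As written the variable is dead code in the installed krb5-config, which is fine if libkrb5support links libselinux itself (presumably what the util/support Makefile.in change does, but that line is not visible here), yet a reader will wonder why it is there. Either drop the assignment or keep it with a one-line comment such as `# Unused today: libkrb5support links libselinux itself; kept for a future static-link mode.`.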
@@ -103,7 +163,7 @@ which we used earlier, is some improvement.
INSTALL=@INSTALL@
INSTALL_STRIP=
-@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
+@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@@ -112,9 +172,11 @@ which we used earlier, is some improvement.
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
---- krb5/src/configure.in
-+++ krb5/src/configure.in
-@@ -1053,6 +1053,8 @@ fi
+diff --git a/src/configure.in b/src/configure.in
+index 8846ca0..9ec8d84 100644
+--- a/src/configure.in
++++ b/src/configure.in
+@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@@ -123,8 +185,10 @@ which we used earlier, is some improvement.
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
---- krb5/src/include/k5-int.h
-+++ krb5/src/include/k5-int.h
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 41c3d1b..6b7b2e3 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
@@ -129,6 +129,7 @@ typedef unsigned char u_char;
@@ -133,8 +197,11 @@ which we used earlier, is some improvement.
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
---- krb5/src/include/k5-label.h
-+++ krb5/src/include/k5-label.h
+diff --git a/src/include/k5-label.h b/src/include/k5-label.h
+new file mode 100644
+index 0000000..dfaaa84
+--- /dev/null
++++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@@ -168,8 +235,10 @@ which we used earlier, is some improvement.
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
---- krb5/src/include/krb5/krb5.hin
-+++ krb5/src/include/krb5/krb5.hin
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index e2c08ae..c93a0f2 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@@ -183,9 +252,11 @@ which we used earlier, is some improvement.
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
---- krb5/src/kadmin/dbutil/dump.c
-+++ krb5/src/kadmin/dbutil/dump.c
-@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+index 253bf3f..9c8c3dc 100644
+--- a/src/kadmin/dbutil/dump.c
++++ b/src/kadmin/dbutil/dump.c
+@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
{
int fd = -1;
FILE *f;
@@ -207,7 +278,7 @@ which we used earlier, is some improvement.
if (fd == -1)
goto error;
-@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
+@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)
return 0;
}
@@ -216,28 +287,24 @@ which we used earlier, is some improvement.
if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
---- krb5/src/build-tools/krb5-config.in
-+++ krb5/src/build-tools/krb5-config.in
-@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
- DEFCCNAME='@DEFCCNAME@'
- DEFKTNAME='@DEFKTNAME@'
- DEFCKTNAME='@DEFCKTNAME@'
-+SELINUX_LIBS='@SELINUX_LIBS@'
-
- LIBS='@LIBS@'
- GEN_LIB=@GEN_LIB@
-@@ -218,7 +219,7 @@
- fi
-
- # If we ever support a flag to generate output suitable for static
-- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
-+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
- # here.
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+index 82dfc0e..936f46b 100644
+--- a/src/kdc/main.c
++++ b/src/kdc/main.c
+@@ -847,7 +847,7 @@ write_pid_file(const char *path)
+ FILE *file;
+ unsigned long pid;
- echo $lib_flags
---- krb5/src/lib/kadm5/logger.c
-+++ krb5/src/lib/kadm5/logger.c
-@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
+- file = fopen(path, "w");
++ file = WRITABLEFOPEN(path, "w");
+ if (file == NULL)
+ return errno;
+ pid = (unsigned long) getpid();
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+index 19c4355..64f9641 100644
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
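Review bot: write_pid_file now does `file = WRITABLEFOPEN(path, "w"); if (file == NULL) return errno;`, but in the SELinux build that name presumably expands to a wrapper that restores the file-creation context after fopen() returns (only the non-SELinux `open(x,y,z)` form of these macros is visible in this patch); if that restore path calls setfscreatecon()/freecon(), it can overwrite the fopen() errno before the caller reads it, and the KDC would log the wrong reason for a failed pid file. The same `return errno` immediately after THREEPARAMOPEN() appears in the kdb_log.c and trace.c hunks of this patch. Unless the wrapper already does so, it should preserve errno across the pop, e.g. `saved_errno = errno; krb5int_pop_fscreatecon(ctx); errno = saved_errno;`, which keeps every caller unchanged. write_pid_file's body continues outside the hunk.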
@@ -246,7 +313,7 @@ which we used earlier, is some improvement.
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
-@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
+@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@@ -255,9 +322,74 @@ which we used earlier, is some improvement.
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
---- krb5/src/lib/krb5/keytab/kt_file.c
-+++ krb5/src/lib/krb5/keytab/kt_file.c
-@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 99cda59..523b99a 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
+ int ulogfd = -1;
+
+ if (stat(logname, &st) == -1) {
+- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
++ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
+ if (ulogfd == -1)
+ return errno;
+
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+index bba64e5..73f0fe6 100644
+--- a/src/lib/krb5/ccache/cc_dir.c
++++ b/src/lib/krb5/ccache/cc_dir.c
+@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
+ char *newpath = NULL;
+ FILE *fp = NULL;
+ int fd = -1, status;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
+ return ENOMEM;
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(primary_path);
++#endif
+ fd = mkstemp(newpath);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ if (fd < 0)
+ goto cleanup;
+ #ifdef HAVE_CHMOD
+@@ -221,10 +230,23 @@ static krb5_error_code
+ verify_dir(krb5_context context, const char *dirname)
+ {
+ struct stat st;
++ int status;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ if (stat(dirname, &st) < 0) {
+- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
+- return 0;
++ if (errno == ENOENT) {
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(dirname);
++#endif
++ status = mkdir(dirname, S_IRWXU);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
++ if (status == 0)
++ return 0;
++ }
+ k5_setmsg(context, KRB5_FCC_NOFILE,
+ _("Credential cache directory %s does not exist"),
+ dirname);
+diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
+index e105a51..ff1fc54 100644
+--- a/src/lib/krb5/keytab/kt_file.c
++++ b/src/lib/krb5/keytab/kt_file.c
+@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
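Review bot: write_primary_file in cc_dir.c pops whatever krb5int_push_fscreatecon_for() returned without checking it, whereas rc_dfl.c in the same patch only calls krb5int_pop_fscreatecon() on a non-NULL handle; whether pop tolerates NULL (push presumably returns it when the selabel lookup fails or SELinux is disabled) is decided in selinux.c, which this hunk does not show, so the two call sites should settle on one convention rather than leave it to the reader. The push/pop pair also deserves a why-comment, because the label is looked up for primary_path while the file actually created is newpath: `/* Label the temp file as primary_path would be; its random mkstemp suffix would not match the policy's file contexts. */` (presumed intent, to be confirmed against selinux.c). The same comment applies to the mkdir() in verify_dir, which only creates the directory under the pushed context on the ENOENT path. Both functions end outside the hunk.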
@@ -266,7 +398,7 @@ which we used earlier, is some improvement.
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
-@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
+@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
/* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id));
errno = 0;
@@ -275,20 +407,84 @@ which we used earlier, is some improvement.
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
---- krb5/src/plugins/kdb/db2/adb_openclose.c
-+++ krb5/src/plugins/kdb/db2/adb_openclose.c
-@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
+diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
+index 83c8d4d..a192461 100644
+--- a/src/lib/krb5/os/trace.c
++++ b/src/lib/krb5/os/trace.c
+@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
+ fd = malloc(sizeof(*fd));
+ if (fd == NULL)
+ return ENOMEM;
+- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ if (*fd == -1) {
+ free(fd);
+ return errno;
+diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
+index 2fb6aa0..c453189 100644
+--- a/src/lib/krb5/rcache/rc_dfl.c
++++ b/src/lib/krb5/rcache/rc_dfl.c
+@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+ krb5_error_code retval = 0;
+ krb5_rcache tmp;
+ krb5_deltat lifespan = t->lifespan; /* save original lifespan */
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ if (! t->recovering) {
+ name = t->name;
+@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+ retval = krb5_rc_resolve(context, tmp, 0);
+ if (retval)
+ goto cleanup;
++#ifdef USE_SELINUX
++ if (t->d.fn != NULL)
++ selabel = krb5int_push_fscreatecon_for(t->d.fn);
++ else
++ selabel = NULL;
++#endif
+ retval = krb5_rc_initialize(context, tmp, lifespan);
++#ifdef USE_SELINUX
++ if (selabel != NULL)
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ if (retval)
+ goto cleanup;
+ for (q = t->a; q; q = q->na) {
+diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
+index 7db30a3..2b9d019 100644
+--- a/src/plugins/kdb/db2/adb_openclose.c
++++ b/src/plugins/kdb/db2/adb_openclose.c
+@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
+ * needs be open read/write so that write locking can work with
* POSIX systems
*/
- lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
---- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
+index e97b841..5d1cd61 100644
+--- a/src/plugins/kdb/db2/kdb_db2.c
++++ b/src/plugins/kdb/db2/kdb_db2.c
+@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
+ if (retval)
+ return retval;
+
+- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
+- 0600);
++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
++ O_CREAT | O_RDWR | O_TRUNC, 0600);
+ if (dbc->db_lf_file < 0) {
+ retval = errno;
+ goto cleanup;
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+index 2977b17..d5809a5 100644
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
#include <string.h>
#include <unistd.h>
@@ -296,7 +492,7 @@ which we used earlier, is some improvement.
#include "db-int.h"
#include "btree.h"
-@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
+@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
goto einval;
}
@@ -305,9 +501,11 @@ which we used earlier, is some improvement.
goto err;
} else {
---- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
-+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
+diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
+index 2a5b4f8..7239d03 100644
+--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
#include <assert.h>
#endif
@@ -315,7 +513,7 @@ which we used earlier, is some improvement.
#include "db-int.h"
#include "hash.h"
#include "page.h"
-@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
+@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1;
}
if (file) {
@@ -324,9 +522,33 @@ which we used earlier, is some improvement.
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
---- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -179,7 +179,7 @@ done:
+diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+index d8b26e7..b0daa7c 100644
+--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
+ #include <stdio.h>
+ #include <unistd.h>
+
++#include "k5-int.h"
+ #include "db-int.h"
+ #include "recno.h"
+
+@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
+ int rfd = -1, sverrno;
+
+ /* Open the user's file -- if this fails, we're done. */
+- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
++ if (fname != NULL &&
++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
+ return (NULL);
+
+ if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+index 64d0f91..5d5c0a6 100644
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+@@ -178,7 +178,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
@@ -335,7 +557,7 @@ which we used earlier, is some improvement.
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
-@@ -220,6 +220,9 @@ done:
+@@ -219,6 +219,9 @@ done:
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@@ -345,7 +567,7 @@ which we used earlier, is some improvement.
mode_t omask;
-@@ -231,7 +234,13 @@ done:
+@@ -230,7 +233,13 @@ done:
}
omask = umask(077);
@@ -359,9 +581,11 @@ which we used earlier, is some improvement.
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
---- krb5/src/slave/kpropd.c
-+++ krb5/src/slave/kpropd.c
-@@ -437,6 +437,9 @@ void doit(fd)
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+index 1383156..a950924 100644
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -464,6 +464,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
@@ -371,7 +595,7 @@ which we used earlier, is some improvement.
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
-@@ -515,9 +518,15 @@ void doit(fd)
+@@ -520,9 +523,15 @@ doit(int fd)
free(name);
exit(1);
}
@@ -387,9 +611,37 @@ which we used earlier, is some improvement.
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
---- krb5/src/util/profile/prof_file.c
-+++ krb5/src/util/profile/prof_file.c
-@@ -30,6 +30,7 @@
+diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
+index f70f3c6..7a2f9cc 100644
+--- a/src/util/gss-kernel-lib/Makefile.in
++++ b/src/util/gss-kernel-lib/Makefile.in
+@@ -61,6 +61,7 @@ HEADERS= \
+ gssapi_err_generic.h \
+ k5-int.h \
+ k5-int-pkinit.h \
++ k5-label.h \
+ k5-thread.h \
+ k5-platform.h \
+ k5-buf.h \
+@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
+ $(CP) $(GSS_GENERIC)/gssapi_generic.h $@
+ gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
+ $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
+-k5-int.h: $(INCLUDE)/k5-int.h
++k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
+ $(CP) $(INCLUDE)/k5-int.h $@
+ k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
+ $(CP) $(INCLUDE)/k5-int-pkinit.h $@
++k5-label.h: $(INCLUDE)/k5-label.h
++ $(CP) $(INCLUDE)/k5-label.h $@
+ k5-thread.h: $(INCLUDE)/k5-thread.h
+ $(CP) $(INCLUDE)/k5-thread.h $@
+ k5-platform.h: $(INCLUDE)/k5-platform.h
+diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
+index 907c119..0f5462a 100644
+--- a/src/util/profile/prof_file.c
++++ b/src/util/profile/prof_file.c
+@@ -33,6 +33,7 @@
#endif
#include "k5-platform.h"
@@ -397,7 +649,7 @@ which we used earlier, is some improvement.
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
-@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
+@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
errno = 0;
@@ -406,9 +658,11 @@ which we used earlier, is some improvement.
if (!f) {
retval = errno;
if (retval == 0)
---- krb5/src/util/support/Makefile.in
-+++ krb5/src/util/support/Makefile.in
-@@ -54,6 +54,7 @@ IPC_SYMS= \
+diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
+index 5181762..f77acd4 100644
+--- a/src/util/support/Makefile.in
++++ b/src/util/support/Makefile.in
+@@ -59,6 +59,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@@ -416,7 +670,7 @@ which we used earlier, is some improvement.
init-addrinfo.o \
plugins.o \
errors.o \
-@@ -108,7 +109,7 @@ SRCS=\
+@@ -131,7 +132,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@@ -425,8 +679,11 @@ which we used earlier, is some improvement.
DEPLIBS=
---- krb5/src/util/support/selinux.c
-+++ krb5/src/util/support/selinux.c
+diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
+new file mode 100644
+index 0000000..ffba6a9
+--- /dev/null
++++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
@@ -809,171 +1066,6 @@ which we used earlier, is some improvement.
+}
+
+#endif
---- krb5/src/lib/krb5/rcache/rc_dfl.c
-+++ krb5/src/lib/krb5/rcache/rc_dfl.c
-@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
- krb5_error_code retval = 0;
- krb5_rcache tmp;
- krb5_deltat lifespan = t->lifespan; /* save original lifespan */
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (! t->recovering) {
- name = t->name;
-@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
- retval = krb5_rc_resolve(context, tmp, 0);
- if (retval)
- goto cleanup;
-+#ifdef USE_SELINUX
-+ if (t->d.fn != NULL)
-+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
-+ else
-+ selabel = NULL;
-+#endif
- retval = krb5_rc_initialize(context, tmp, lifespan);
-+#ifdef USE_SELINUX
-+ if (selabel != NULL)
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- if (retval)
- goto cleanup;
- for (q = t->a; q; q = q->na) {
---- krb5/src/lib/krb5/ccache/cc_dir.c
-+++ krb5/src/lib/krb5/ccache/cc_dir.c
-@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
- char *newpath = NULL;
- FILE *fp = NULL;
- int fd = -1, status;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
- return ENOMEM;
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(primary_path);
-+#endif
- fd = mkstemp(newpath);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- if (fd < 0)
- goto cleanup;
- #ifdef HAVE_CHMOD
-@@ -223,10 +232,23 @@
- verify_dir(krb5_context context, const char *dirname)
- {
- struct stat st;
-+ int status;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (stat(dirname, &st) < 0) {
-- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
-- return 0;
-+ if (errno == ENOENT) {
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(dirname);
-+#endif
-+ status = mkdir(dirname, S_IRWXU);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
-+ if (status == 0)
-+ return 0;
-+ }
- k5_setmsg(context, KRB5_FCC_NOFILE,
- _("Credential cache directory %s does not exist"),
- dirname);
---- krb5/src/lib/krb5/os/trace.c
-+++ krb5/src/lib/krb5/os/trace.c
-@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
- fd = malloc(sizeof(*fd));
- if (fd == NULL)
- return ENOMEM;
-- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
-+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
- if (*fd == -1) {
- free(fd);
- return errno;
---- krb5/src/plugins/kdb/db2/kdb_db2.c
-+++ krb5/src/plugins/kdb/db2/kdb_db2.c
-@@ -683,8 +683,8 @@
- if (retval)
- return retval;
-
-- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
-- 0600);
-+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
-+ O_CREAT | O_RDWR | O_TRUNC, 0600);
- if (dbc->db_lf_file < 0) {
- retval = errno;
- goto cleanup;
---- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-@@ -51,6 +51,7 @@
- #include <stdio.h>
- #include <unistd.h>
-
-+#include "k5-int.h"
- #include "db-int.h"
- #include "recno.h"
-
-@@ -68,7 +69,8 @@
- int rfd = -1, sverrno;
-
- /* Open the user's file -- if this fails, we're done. */
-- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
-+ if (fname != NULL &&
-+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
- return (NULL);
-
- if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
---- krb5/src/kdc/main.c
-+++ krb5/src/kdc/main.c
-@@ -905,7 +905,7 @@ write_pid_file(const char *path)
- FILE *file;
- unsigned long pid;
-
-- file = fopen(path, "w");
-+ file = WRITABLEFOPEN(path, "w");
- if (file == NULL)
- return errno;
- pid = (unsigned long) getpid();
---- krb5/src/lib/kdb/kdb_log.c
-+++ krb5/src/lib/kdb/kdb_log.c
-@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha
- int ulogfd = -1;
-
- if (stat(logname, &st) == -1) {
-- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
-+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
- if (ulogfd == -1)
- return errno;
-
---- krb5/src/util/gss-kernel-lib/Makefile.in
-+++ krb5/src/util/gss-kernel-lib/Makefile.in
-@@ -60,6 +60,7 @@ HEADERS= \
- gssapi_err_generic.h \
- k5-int.h \
- k5-int-pkinit.h \
-+ k5-label.h \
- k5-thread.h \
- k5-platform.h \
- k5-buf.h \
-@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
- $(CP) $(GSS_GENERIC)/gssapi_generic.h $@
- gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
- $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
--k5-int.h: $(INCLUDE)/k5-int.h
-+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
- $(CP) $(INCLUDE)/k5-int.h $@
- k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
- $(CP) $(INCLUDE)/k5-int-pkinit.h $@
-+k5-label.h: $(INCLUDE)/k5-label.h
-+ $(CP) $(INCLUDE)/k5-label.h $@
- k5-thread.h: $(INCLUDE)/k5-thread.h
- $(CP) $(INCLUDE)/k5-thread.h $@
- k5-platform.h: $(INCLUDE)/k5-platform.h
+--
+2.9.3
+
diff --git a/krb5-1.14.4-SNI-HTTP-Host.patch b/krb5-1.14.4-SNI-HTTP-Host.patch
deleted file mode 100644
index a34faad..0000000
--- a/krb5-1.14.4-SNI-HTTP-Host.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 8 Aug 2016 12:38:17 +0200
-Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
-
-Some web servers require a Host HTTP header for TLS connections with
-SNI (server name indicator). It is also required for virtual hosts.
-
-ticket: 8472 (new)
-target_version: 1.14-next
-tags: pullup
----
- src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index c85fdba..a2b7359 100644
---- a/src/lib/krb5/os/sendto_kdc.c
-+++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -78,6 +78,7 @@
- #define MAX_PASS 3
- #define DEFAULT_UDP_PREF_LIMIT 1465
- #define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
-+#define PORT_LENGTH 6 /* decimal repr of UINT16_MAX */
-
- /* Select state flags. */
- #define SSF_READ 0x01
-@@ -138,6 +139,7 @@ struct conn_state {
- struct {
- const char *uri_path;
- const char *servername;
-+ char port[PORT_LENGTH];
- char *https_request;
- k5_tls_handle tls;
- } http;
-@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
- k5_buf_init_dynamic(&buf);
- uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
- k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
-+ k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
-+ state->http.port);
- k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
- k5_buf_add(&buf, "Pragma: no-cache\r\n");
- k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
-@@ -673,7 +677,7 @@ static krb5_error_code
- add_connection(struct conn_state **conns, k5_transport transport,
- krb5_boolean defer, struct addrinfo *ai, size_t server_index,
- const krb5_data *realm, const char *hostname,
-- const char *uri_path, char **udpbufp)
-+ const char *port, const char *uri_path, char **udpbufp)
- {
- struct conn_state *state, **tailptr;
-
-@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
- state->service_write = service_tcp_write;
- state->service_read = service_tcp_read;
- } else if (transport == HTTPS) {
-+ assert(hostname != NULL && port != NULL);
- state->service_connect = service_tcp_connect;
- state->service_write = service_https_write;
- state->service_read = service_https_read;
- state->http.uri_path = uri_path;
- state->http.servername = hostname;
-+ strlcpy(state->http.port, port, PORT_LENGTH);
- } else {
- state->service_connect = NULL;
- state->service_write = NULL;
-@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
- struct addrinfo *addrs, *a, hint, ai;
- krb5_boolean defer;
- int err, result;
-- char portbuf[64];
-+ char portbuf[PORT_LENGTH];
-
- /* Skip UDP entries if we don't want UDP. */
- if (strategy == NO_UDP && entry->transport == UDP)
-@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
- ai.ai_addr = (struct sockaddr *)&entry->addr;
- defer = (entry->transport != transport);
- return add_connection(conns, entry->transport, defer, &ai, ind, realm,
-- NULL, entry->uri_path, udpbufp);
-+ NULL, NULL, entry->uri_path, udpbufp);
- }
-
- /* If the entry has a specified transport, use it. */
-@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
- retval = 0;
- for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
- retval = add_connection(conns, transport, FALSE, a, ind, realm,
-- entry->hostname, entry->uri_path, udpbufp);
-+ entry->hostname, portbuf, entry->uri_path,
-+ udpbufp);
- }
-
- /* For TCP_OR_UDP entries, add each address again with the non-preferred
-@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
- for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
- a->ai_socktype = socktype_for_transport(transport);
- retval = add_connection(conns, transport, TRUE, a, ind, realm,
-- entry->hostname, entry->uri_path, udpbufp);
-+ entry->hostname, portbuf,
-+ entry->uri_path, udpbufp);
- }
- }
- freeaddrinfo(addrs);
---
-2.8.1
-
diff --git a/krb5-1.14.4-ofd-lock-workaround.patch b/krb5-1.14.4-ofd-lock-workaround.patch
deleted file mode 100644
index 3786afd..0000000
--- a/krb5-1.14.4-ofd-lock-workaround.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 65110210b75d38908cdd84cb202cf013ccf6ed0e Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sun, 14 Aug 2016 12:08:16 -0400
-Subject: [PATCH] Work around glibc OFD lock bug on 32-bit Linux
-
-A bug in Gnu libc causes OFD locking to fail unpredictably on 32-bit
-Linux, typically leading to deadlocks. Work around this bug by using
-the fcntl64 system call and struct flock64.
-
-See also: https://sourceware.org/bugzilla/show_bug.cgi?id=20251
-
-ticket: 8474
-target_version: 1.14-next
-tags: pullup
----
- src/lib/krb5/os/lock_file.c | 26 ++++++++++++++++++++++++--
- 1 file changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
-index a2f247c..2360c96 100644
---- a/src/lib/krb5/os/lock_file.c
-+++ b/src/lib/krb5/os/lock_file.c
-@@ -43,7 +43,29 @@
-
- #if defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK)
- #define POSIX_FILE_LOCKS
-+
-+/*
-+ * Gnu libc bug 20251, currently unfixed, breaks OFD lock support on
-+ * 32-bit platforms. Work around this bug by explicitly using the
-+ * fcntl64 system call and struct flock64.
-+ */
-+#if defined(__linux__) && __WORDSIZE == 32
-+#include <sys/syscall.h>
-+#ifdef SYS_fcntl64
-+#define USE_FCNTL64
- #endif
-+#endif
-+#ifdef USE_FCNTL64
-+/* Use the fcntl64 system call and struct flock64. (Gnu libc does not
-+ * define a fcntl64() function, so we must use syscall().) */
-+#define fcntl(fd, cmd, arg) syscall(SYS_fcntl64, fd, cmd, arg)
-+typedef struct flock64 fcntl_lock_st;
-+#else
-+/* Use regular fcntl() and struct flock. */
-+typedef struct flock fcntl_lock_st;
-+#endif
-+
-+#endif /* defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK) */
-
- #ifdef HAVE_FLOCK
- #ifndef sysvimp
-@@ -66,7 +88,7 @@
- * older kernel than we were built with.
- */
- static int
--ofdlock(int fd, int cmd, struct flock *lock_arg)
-+ofdlock(int fd, int cmd, fcntl_lock_st *lock_arg)
- {
- #ifdef F_OFD_SETLKW
- int st, ofdcmd;
-@@ -89,7 +111,7 @@ krb5_lock_file(krb5_context context, int fd, int mode)
- krb5_error_code retval = 0;
- #ifdef POSIX_FILE_LOCKS
- int lock_cmd = F_SETLKW;
-- struct flock lock_arg = { 0 };
-+ fcntl_lock_st lock_arg = { 0 };
- #endif
-
- switch (mode & ~KRB5_LOCKMODE_DONTBLOCK) {
---
-2.8.1
-
diff --git a/krb5-1.14.4-responder-non-preauth.patch b/krb5-1.14.4-responder-non-preauth.patch
deleted file mode 100644
index fc22104..0000000
--- a/krb5-1.14.4-responder-non-preauth.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 5 Aug 2016 12:28:03 -0400
-Subject: [PATCH] Use responder for non-preauth AS requests
-
-If no AS reply key is computed during pre-authentication (typically
-because no pre-authentication was required by the KDC), ask for the
-password using the responder before calling gak_fct for the key, and
-supply any resulting responder items to gak_fct.
-
-ticket: 8454
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
- src/tests/t_general.py | 5 +++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index b78e19a..659be66 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
- krb5_keyblock encrypting_key;
- krb5_boolean fast_avail;
- krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
-+ krb5_responder_fn responder;
-+ void *responder_data;
-
- encrypting_key.length = 0;
- encrypting_key.contents = NULL;
-@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
- code = -1;
-
- if (code != 0) {
-+ /* If a responder was provided and we are using a password, ask for the
-+ * password using the responder before falling back to the prompter. */
-+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
-+ if (responder != NULL && !ctx->as_key.length) {
-+ /* Indicate a need for the AS key by calling the gak_fct with a
-+ * NULL as_key. */
-+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
-+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
-+ ctx->rctx.items);
-+ if (code != 0)
-+ goto cleanup;
-+
-+ /* If that produced a responder question, invoke the responder. */
-+ if (!k5_response_items_empty(ctx->rctx.items)) {
-+ code = (*responder)(context, responder_data, &ctx->rctx);
-+ if (code != 0)
-+ goto cleanup;
-+ }
-+ }
-+
- /* if we haven't get gotten a key, get it now */
- TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
- code = (*ctx->gak_fct)(context, ctx->request->client,
- ctx->reply->enc_part.enctype,
- ctx->prompter, ctx->prompter_data,
- &ctx->salt, &ctx->s2kparams,
-- &ctx->as_key, ctx->gak_data, NULL);
-+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
- if (code != 0)
- goto cleanup;
- TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index c3629e6..13dd99b 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -34,6 +34,11 @@ realm.stop()
-
- realm = K5Realm(create_host=False)
-
-+# Regression test for #8454 (responder callback isn't used when
-+# preauth is not required).
-+realm.run(['./responder', '-r', 'password=%s' % password('user'),
-+ realm.user_princ])
-+
- # Test that WRONG_REALM responses aren't treated as referrals unless
- # they contain a crealm field pointing to a different realm.
- # (Regression test for #8060.)
---
-2.9.3
-
diff --git a/krb5-1.14.4-samba-client-mutual-flag.patch b/krb5-1.14.4-samba-client-mutual-flag.patch
deleted file mode 100644
index e628af6..0000000
--- a/krb5-1.14.4-samba-client-mutual-flag.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 25 Aug 2016 10:41:33 +0200
-Subject: [PATCH] Guess Samba client mutual flag using ap_options
-
-To work correctly with older Samba clients, we should guess the mutual
-flag based on the ap_options from the AP-REQ and not set it
-unconditionally. Found by the Samba torture testsuite.
-
-[ghudson@mit.edu: edited comments and commit message]
-
-ticket: 8486 (new)
-target_version: 1.14-next
-tags: pullup
----
- src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
-index b7fffeb..580d08c 100644
---- a/src/lib/gssapi/krb5/accept_sec_context.c
-+++ b/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
- goto fail;
- }
-
-- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-+ /* Use ap_options from the request to guess the mutual flag. */
-+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
-+ gss_flags |= GSS_C_MUTUAL_FLAG;
- } else {
- /* gss krb5 v1 */
-
---
-2.9.3
-
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch
index 5d27689..589e18d 100644
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@@ -1,8 +1,18 @@
+From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:46:21 -0400
+Subject: [PATCH 06/19] krb5-1.3.1-dns.patch
+
We want to be able to use --with-netlib and --enable-dns at the same time.
-RT#2022
---- krb5-1.3.1/src/aclocal.m4 2003-11-24 11:17:30.000000000 -0500
-+++ krb5-1.3.1/src/aclocal.m4 2003-11-24 11:18:45.000000000 -0500
-@@ -647,6 +647,7 @@
+---
+ src/aclocal.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index 311f099..ed343c5 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi
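Review bot: The `RT#2022` reference that the old description carried is dropped, and nothing in the new git-format header replaces it, so the pointer to the upstream ticket that motivated this one-line aclocal.m4 change is lost. If the patch is now regenerated from the external git tree, the line only survives when it is part of that commit's message; adding `RT#2022` back after the first sentence there keeps the rationale with the patch across regenerations.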
@@ -10,3 +20,6 @@ RT#2022
],dnl
[AC_LIBRARY_NET]
)])dnl
+--
+2.9.3
+
diff --git a/krb5-1.6.3-kdc_listen_all.patch b/krb5-1.6.3-kdc_listen_all.patch
deleted file mode 100644
index 946199e..0000000
--- a/krb5-1.6.3-kdc_listen_all.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-Provide an option to make the KDC also listen on loopback interfaces for
-datagram requests. Adds an internal symbol to libkrb5 which the KDC
-needs if listening on loopback is enabled.
-
-The default might be better changed from FALSE to TRUE so that the
-default matches what we do with stream sockets.
-
-FIXME: doesn't add documentation anywhere.
-
-diff -up src/include/foreachaddr.h src/include/foreachaddr.h
---- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
-+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
-@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
- ;
-
- #define foreach_localaddr krb5int_foreach_localaddr
-+
-+extern int
-+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
-+ int (*pass1fn) (/*@null@*/ void *,
-+ struct sockaddr *) /*@*/,
-+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
-+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
-+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
-+ struct sockaddr *) /*@*/)
-+#if defined(DEBUG) || defined(TEST)
-+ /*@modifies fileSystem@*/
-+#endif
-+ ;
-+
-+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
-diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
---- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
-+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
-@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
- krb5_error_code setup_server_realm (krb5_principal);
-
- /* network.c */
-+void process_listen_loopback (krb5_boolean);
- krb5_error_code listen_and_process (const char *);
- krb5_error_code setup_network (const char *);
- krb5_error_code closedown_network (const char *);
-diff -up src/kdc/main.c src/kdc/main.c
---- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
-+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
-@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
- krb5_enctype menctype = ENCTYPE_UNKNOWN;
- kdc_realm_t *rdatap;
- krb5_boolean manual = FALSE;
-+ krb5_boolean listen_loopback = FALSE;
- char *default_udp_ports = 0;
- char *default_tcp_ports = 0;
- krb5_pointer aprof;
-@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
- v4mode = 0;
- #endif
-+ hierarchy[1] = "kdc_listen_loopback";
-+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
-+ listen_loopback = FALSE;
- /* aprof_init can return 0 with aprof == NULL */
- if (aprof)
- krb5_aprof_finish(aprof);
-@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
- free(v4mode);
- #endif
-
-+ process_listen_loopback(listen_loopback);
-+
- /*
- * Check to see if we processed any realms.
- */
-diff -up src/kdc/network.c src/kdc/network.c
---- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
-+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
-@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
- #include "cm.h"
-
- static struct select_state sstate;
-+static krb5_boolean listen_loopback;
-
- static krb5_error_code add_udp_port(int port)
- {
-@@ -604,6 +605,12 @@ scan_for_newlines:
- }
- #endif
-
-+void
-+process_listen_loopback(krb5_boolean listen_loop)
-+{
-+ listen_loopback = listen_loop;
-+}
-+
- /* XXX */
- extern int krb5int_debug_sendto_kdc;
- extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
-@@ -662,7 +669,9 @@ setup_network(const char *prog)
- so we might need only one UDP socket; fall back to binding
- sockets on each address only if IPV6_PKTINFO isn't
- supported. */
-- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
-+ if (listen_loopback ?
-+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
-+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
- return setup_data.retval;
- }
- setup_tcp_listener_ports(&setup_data);
-diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
---- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
-+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
-@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
- }
- #endif
-
-+static krb5_boolean
-+skip_loopback (struct sockaddr *addr, int flags)
-+{
-+#ifdef IFF_LOOPBACK
-+ if (flags & IFF_LOOPBACK) {
-+ return TRUE;
-+ }
-+#endif
-+ return FALSE;
-+}
-+
- #ifndef HAVE_IFADDRS_H
- /*@-usereleased@*/ /* lclint doesn't understand realloc */
- static /*@null@*/ void *
-@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
- indication, it should do it via some field pointed to by the DATA
- argument. */
-
--#ifdef HAVE_IFADDRS_H
--
- int
- foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
-+{
-+ return foreach_localaddr_ext(data, pass1fn,
-+ &skip_loopback, betweenfn,
-+ pass2fn);
-+}
-+
-+#ifdef HAVE_IFADDRS_H
-+
-+int
-+foreach_localaddr_ext (/*@null@*/ void *data,
-+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
-+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
-+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
-+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
-+ struct sockaddr *) /*@*/)
- #if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
- #endif
-@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
- #endif
- if ((ifp->ifa_flags & IFF_UP) == 0)
- continue;
-- if (ifp->ifa_flags & IFF_LOOPBACK) {
-+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
- /* Pretend it's not up, so the second pass will skip
- it. */
- ifp->ifa_flags &= ~IFF_UP;
-@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
- for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
- if ((ifp2->ifa_flags & IFF_UP) == 0)
- continue;
-- if (ifp2->ifa_flags & IFF_LOOPBACK)
-+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
- continue;
- if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
- match = 1;
-@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
- #elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
-
- int
--foreach_localaddr (/*@null@*/ void *data,
-- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
-- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
-- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
-- struct sockaddr *) /*@*/)
-+foreach_localaddr_ext (/*@null@*/ void *data,
-+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
-+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
-+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
-+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
-+ struct sockaddr *) /*@*/)
- #if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
- #endif
-@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
- }
- /*@=moduncon@*/
-
--#ifdef IFF_LOOPBACK
-- /* None of the current callers want loopback addresses. */
-- if (lifreq.lifr_flags & IFF_LOOPBACK) {
-- Tprintf ((" loopback\n"));
-+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
-+ if (skipfn && (skipfn == &skip_loopback))
-+ Tprintf ((" loopback\n"));
- goto skip;
- }
--#endif
-+
- /* Ignore interfaces that are down. */
- if ((lifreq.lifr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
-@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
- }
- /*@=moduncon@*/
-
--#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
-- if (lifreq.iflr_flags & IFF_LOOPBACK) {
-- Tprintf ((" loopback\n"));
-+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
-+ if (skipfn && (skipfn == &skip_loopback))
-+ Tprintf ((" loopback\n"));
- goto skip;
- }
--#endif
- /* Ignore interfaces that are down. */
- if ((lifreq.iflr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
-@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
- }
- /*@=moduncon@*/
-
--#ifdef IFF_LOOPBACK
-- /* None of the current callers want loopback addresses. */
-- if (ifreq.ifr_flags & IFF_LOOPBACK) {
-- Tprintf ((" loopback\n"));
-+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
-+ if (skipfn && (skipfn == &skip_loopback))
-+ Tprintf ((" loopback\n"));
- goto skip;
- }
--#endif
-+
- /* Ignore interfaces that are down. */
- if ((ifreq.ifr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch
index ae81f7c..c9c1109 100644
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@@ -1,10 +1,21 @@
+From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:49:25 -0400
+Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch
+
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
+---
+ src/kadmin/cli/Makefile.in | 5 +++++
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
---- src/kadmin/cli/Makefile.in
-+++ src/kadmin/cli/Makefile.in
-@@ -43,3 +43,8 @@ clean-unix::
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index 789c597..7e7a148 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
@@ -13,9 +24,11 @@ could mess up people working in the tree on other things.
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
---- src/plugins/kdb/ldap/ldap_util/Makefile.in
-+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
-@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index b9ea339..060f500 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
@@ -24,3 +37,6 @@ could mess up people working in the tree on other things.
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+--
+2.9.3
+
diff --git a/krb5-disable_ofd_locks.patch b/krb5-disable_ofd_locks.patch
deleted file mode 100644
index 5535cfd..0000000
--- a/krb5-disable_ofd_locks.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-On x86 rawhide, usage of OFD locks causes deadlock in the test suite.
-TEMPORARILY revert their usage until I can investigate the deeper issue with
-their usage here.
-
-diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
-index a2f247c..f7f5bb4 100644
---- a/src/lib/krb5/os/lock_file.c
-+++ b/src/lib/krb5/os/lock_file.c
-@@ -68,7 +68,8 @@
- static int
- ofdlock(int fd, int cmd, struct flock *lock_arg)
- {
--#ifdef F_OFD_SETLKW
-+#if 0
-+/* #ifdef F_OFD_SETLKW */
- int st, ofdcmd;
-
- assert(cmd == F_SETLKW || cmd == F_SETLK);
diff --git a/krb5-kdcdir2.patch b/krb5-kdcdir2.patch
deleted file mode 100644
index 57aefe4..0000000
--- a/krb5-kdcdir2.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Remove an extra "/krb5kdc" from any paths under KDC_DIR, which already
-includes that component.
---- krb5/src/include/osconf.hin
-+++ krb5/src/include/osconf.hin
-@@ -63,10 +63,10 @@
- #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
- #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
- /* Used by old admin server */
--#define DEFAULT_ADMIN_ACL KDC_DIR "/krb5kdc/kadm_old.acl"
-+#define DEFAULT_ADMIN_ACL KDC_DIR "/kadm_old.acl"
-
- /* Location of KDC profile */
--#define DEFAULT_KDC_PROFILE KDC_DIR "/krb5kdc/kdc.conf"
-+#define DEFAULT_KDC_PROFILE KDC_DIR "/kdc.conf"
- #define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
-
- #if TARGET_OS_MAC
diff --git a/krb5-pkinit-debug.patch b/krb5-pkinit-debug.patch
deleted file mode 100644
index 201c45d..0000000
--- a/krb5-pkinit-debug.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-This is a cheap, non-very-portable way to make debugging a run-time option.
-
-diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
-index 6598482..85e1c0d 100644
---- a/src/plugins/preauth/pkinit/pkinit.h
-+++ b/src/plugins/preauth/pkinit/pkinit.h
-@@ -34,6 +34,7 @@
- #include <krb5/krb5.h>
- #include <krb5/preauth_plugin.h>
- #include <k5-int-pkinit.h>
-+#include <autoconf.h>
- #include <profile.h>
- #include "pkinit_accessor.h"
-
-@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
- #define pkiDebug printf
- #else
- /* Still evaluates for side effects. */
--static inline void pkiDebug (const char *fmt, ...) { }
-+/* static inline void pkiDebug (const char *fmt, ...) { } */
-+#define pkiDebug if (pkinit_debug_is_enabled()) printf
- /* This is better if the compiler doesn't inline variadic functions
- well, but gcc will warn about "left-hand operand of comma
- expression has no effect". Still evaluates for side effects. */
- /* #define pkiDebug (void) */
- #endif
-+extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
-+extern int pkinit_debug_is_enabled(void);
-
- /* Solaris compiler doesn't grok __FUNCTION__
- * hack for now. Fix all the uses eventually. */
-diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
-index 6888c1b..bb39fce 100644
---- a/src/plugins/preauth/pkinit/pkinit_clnt.c
-+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
-@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
- pkinit_req_context reqctx = (pkinit_req_context)request_context;
- krb5_keyblock *armor_key = NULL;
-
-+ pkinit_debug_init(context, &(request->server->realm), 0);
-+
- pkiDebug("pkinit_client_process %p %p %p %p\n",
- context, plgctx, reqctx, request);
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
-index a6d7762..2b59fd0 100644
---- a/src/plugins/preauth/pkinit/pkinit_lib.c
-+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
-@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
-
- fclose(f);
- }
-+
-+/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
-+ in a context structure, which is where this flag would be better placed. */
-+static __thread int pkinit_debug_enabled = 0;
-+
-+void
-+pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
-+{
-+ pkinit_debug_enabled = -1;
-+ if (kdc) {
-+ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
-+ -1, &pkinit_debug_enabled);
-+ }
-+ if (pkinit_debug_enabled == -1) {
-+ pkinit_libdefault_boolean(context, realm, "pkinit_debug",
-+ 0, &pkinit_debug_enabled);
-+ }
-+ printf("pkinit_debug: %d\n", pkinit_debug_enabled);
-+}
-+
-+int
-+pkinit_debug_is_enabled(void)
-+{
-+ return (pkinit_debug_enabled == 1);
-+}
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 5a7a5ad..d7a0a44 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
- pkinit_kdc_context plgctx = NULL;
- krb5_keyblock *armor_key = NULL;
-
-+ pkinit_debug_init(context, &(request->server->realm), 1);
-+
- pkiDebug("pkinit_server_get_edata: entered!\n");
-
- /* Remove (along with armor_key) when FAST PKINIT is settled. */
-@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
- int is_signed = 1;
- krb5_keyblock *armor_key;
-
-+ pkinit_debug_init(context, &(request->server->realm), 1);
-+
- pkiDebug("pkinit_verify_padata: entered!\n");
- if (data == NULL || data->length <= 0 || data->contents == NULL)
- return 0;
diff --git a/krb5.spec b/krb5.spec
index bceb489..fb6d0c1 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -12,8 +12,8 @@
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.14.3
-Release: 9%{?dist}
+Version: 1.14.4
+Release: 1%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -45,33 +45,25 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
Source100: noport.c
-Patch6: krb5-1.12-ksu-path.patch
-Patch12: krb5-1.12-ktany.patch
-Patch16: krb5-1.12-buildconf.patch
-Patch23: krb5-1.3.1-dns.patch
-Patch39: krb5-1.12-api.patch
-Patch60: krb5-1.12.1-pam.patch
-Patch63: krb5-1.13-selinux-label.patch
-Patch71: krb5-1.13-dirsrv-accountlock.patch
-Patch86: krb5-1.9-debuginfo.patch
-Patch129: krb5-1.11-run_user_0.patch
-Patch134: krb5-1.11-kpasswdtest.patch
-Patch148: krb5-1.14.4-ofd-lock-workaround.patch
-Patch150: krb5-acquire_cred_interposer.patch
-Patch153: krb5-1.14.1-log_file_permissions.patch
-
-Patch164: krb5-1.15-kdc_send_receive_hooks.patch
-Patch165: krb5-1.15-kdc_hooks_test.patch
-
-Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
-
-Patch167: krb5-1.15-otp-preauth-prompt-type.patch
-Patch168: krb5-1.15-improve-bad-password-inference.patch
-Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
-Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
-
-Patch171: krb5-1.14.4-responder-non-preauth.patch
-Patch172: krb5-1.15-krb5_db_register_keytab.patch
+Patch1: krb5-1.12.1-pam.patch
+Patch2: krb5-1.13-selinux-label.patch
+Patch3: krb5-1.12-ksu-path.patch
+Patch4: krb5-1.12-ktany.patch
+Patch5: krb5-1.12-buildconf.patch
+Patch6: krb5-1.3.1-dns.patch
+Patch7: krb5-1.12-api.patch
+Patch8: krb5-1.13-dirsrv-accountlock.patch
+Patch9: krb5-1.9-debuginfo.patch
+Patch10: krb5-1.11-run_user_0.patch
+Patch11: krb5-1.11-kpasswdtest.patch
+Patch12: Fix-impersonate_name-to-work-with-interposers.patch
+Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
+Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
+Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
+Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
+Patch17: Improve-bad-password-inference-in-kinit.patch
+Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
+Patch19: Add-krb5_db_register_keytab.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -254,41 +246,25 @@ interface is not considered stable.
%setup -q -n %{name}-%{version}%{prerelease} -a 3
ln NOTICE LICENSE
-%patch60 -p1 -b .pam
-
-%patch63 -p1 -b .selinux-label
-
-%patch6 -p1 -b .ksu-path
-%patch12 -p1 -b .ktany
-%patch16 -p1 -b .buildconf %{?_rawbuild}
-%patch23 -p1 -b .dns %{?_rawbuild}
-%patch39 -p1 -b .api
-%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
-%patch86 -p0 -b .debuginfo
-
-# Apply when the hard-wired or configured default location is
-# DIR:/run/user/%%{uid}/krb5cc.
-%patch129 -p1 -b .run_user_0
-
-%patch134 -p1 -b .kpasswdtest
-
-%patch148 -p1 -b .ofd-lock-workaround
-
-%patch150 -p1 -b .fix_interposer
-%patch153 -p1 -b .log_file_permissions
-
-%patch164 -p1 -b .kdc_send_receive_hooks
-%patch165 -p1 -b .kdc_hooks_test
-
-%patch166 -p1 -b .SNI-HTTP-Host
-
-%patch167 -p1 -b .otp-preauth-prompt-type
-%patch168 -p1 -b .improve-bad-password-inference
-%patch169 -p1 -b .kdc-error-encrypted-timestamp
-%patch170 -p1 -b .samba-client-mutual-flag
-
-%patch171 -p1 -b .responder-non-preauth
-%patch172 -p1 -b .krb5_db_register_keytab
+%patch1 -p1 -b .krb5-1.12.1-pam
+%patch2 -p1 -b .krb5-1.13-selinux-label
+%patch3 -p1 -b .krb5-1.12-ksu-path
+%patch4 -p1 -b .krb5-1.12-ktany
+%patch5 -p1 -b .krb5-1.12-buildconf
+%patch6 -p1 -b .krb5-1.3.1-dns
+%patch7 -p1 -b .krb5-1.12-api
+%patch8 -p1 -b .krb5-1.13-dirsrv-accountlock
+%patch9 -p1 -b .krb5-1.9-debuginfo
+%patch10 -p1 -b .krb5-1.11-run_user_0
+%patch11 -p1 -b .krb5-1.11-kpasswdtest
+%patch12 -p1 -b .Fix-impersonate_name-to-work-with-interposers
+%patch13 -p1 -b .Create-KDC-and-kadmind-log-files-with-mode-0640
+%patch14 -p1 -b .Add-KDC-pre-send-and-post-receive-KDC-hooks
+%patch15 -p1 -b .Add-tests-for-send-and-receive-sendto_kdc-hooks
+%patch16 -p1 -b .Set-prompt-type-for-OTP-preauth-prompt
+%patch17 -p1 -b .Improve-bad-password-inference-in-kinit
+%patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth
+%patch19 -p1 -b .Add-krb5_db_register_keytab
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
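Review bot: The `%{?_rawbuild}` argument that the old lines passed for the buildconf, dns and dirsrv-accountlock patches is missing from the new `%patch5`, `%patch6` and `%patch8` lines, so those three patches are no longer handled differently from the others when that macro is defined; if the drop is intended it deserves a one-line comment, otherwise restore it as `%patch5 -p1 -b .krb5-1.12-buildconf %{?_rawbuild}` and likewise for `%patch6` and `%patch8`. The comment explaining when run_user_0 applies (the `DIR:/run/user/%%{uid}/krb5cc` default location) is also removed rather than moved above the new `%patch10` line, and it was the only place that rationale was recorded.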
@@ -758,6 +734,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-1
+- New upstream release
+- Update names and numbers to match external git
+
* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
- Add krb5_db_register_keytab
- Resolves: #1376812
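Review bot: The changelog entry does not record that the SNI-HTTP-Host, ofd-lock-workaround, samba-client-mutual-flag and responder-non-preauth patches are dropped from the Patch list in this same commit; their headers carried `target_version: 1.14-next` and `pullup`, so they are presumably contained in 1.14.4, but a reader of the changelog cannot tell whether they were merged upstream or lost. One line such as `- Drop patches merged upstream in 1.14.4 (SNI Host header, OFD lock workaround, Samba mutual flag, responder for non-preauth)` makes that checkable.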
diff --git a/sources b/sources
index ed8a704..98973aa 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-f76e4f8a3c95bb59980dd5ef4b48aea9 krb5-1.14.3.tar.gz
-438c48157c7b7daf6f133ffe6369342e krb5-1.14.3.tar.gz.asc
-c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.3-pdfs.tar
+ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz
+1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc
+c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar
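Review bot: The new `krb5-1.14.4-pdfs.tar` entry carries exactly the checksum of the `krb5-1.14.3-pdfs.tar` line it replaces, so either the PDF bundle was re-uploaded unchanged under the new name or only the name was bumped without a 1.14.4 bundle being generated and uploaded; the diff alone cannot tell which. As this file is presumably what the source fetch is verified against, confirm that an archive with that name and hash exists and that an unchanged document set for 1.14.4 is intended.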