authorRobbie Harwood <rharwood@redhat.com>2016-10-20 23:34:28 +0000
committerRobbie Harwood <rharwood@redhat.com>2016-10-20 23:34:55 +0000
commit821dac42eda537c5ade066007252c6c454eecaba (patch)
tree6123ab3535d8822af7ee998033376b6ae2ea04c0
parent895d0bdfea59408674c84f07a8ce9382e616e449 (diff)
Upstream release 1.15-beta1
Also update selinux with RHEL hygiene. Resolves: #1314096
-rw-r--r--.gitignore3
-rw-r--r--Add-KDC-pre-send-and-post-receive-KDC-hooks.patch314
-rw-r--r--Add-OS-prng-intended-for-use-with-getrandom.patch100
-rw-r--r--Add-getrandom-to-k5_get_os_entropy-using-syscall.patch62
-rw-r--r--Add-krb5_db_register_keytab.patch69
-rw-r--r--Add-tests-for-send-and-receive-sendto_kdc-hooks.patch367
-rw-r--r--Change-KDC-error-for-encrypted-timestamp-preauth.patch68
-rw-r--r--Create-KDC-and-kadmind-log-files-with-mode-0640.patch65
-rw-r--r--Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch187
-rw-r--r--Fix-impersonate_name-to-work-with-interposers.patch222
-rw-r--r--Improve-bad-password-inference-in-kinit.patch82
-rw-r--r--Properly-handle-EOF-condition-on-libkrad-sockets.patch49
-rw-r--r--Rename-prng_os.c-to-prng_device.c.patch29
-rw-r--r--Set-prompt-type-for-OTP-preauth-prompt.patch49
-rw-r--r--krb5-1.11-kpasswdtest.patch6
-rw-r--r--krb5-1.11-run_user_0.patch2
-rw-r--r--krb5-1.12-api.patch2
-rw-r--r--krb5-1.12-ksu-path.patch4
-rw-r--r--krb5-1.12-ktany.patch4
-rw-r--r--krb5-1.12.1-pam.patch28
-rw-r--r--krb5-1.13-dirsrv-accountlock.patch14
-rw-r--r--krb5-1.14.4-openssl11.patch1940
-rw-r--r--krb5-1.15-beta1-buildconf.patch (renamed from krb5-1.12-buildconf.patch)26
-rw-r--r--krb5-1.15-beta1-selinux-label.patch (renamed from krb5-1.13-selinux-label.patch)673
-rw-r--r--krb5-1.3.1-dns.patch4
-rw-r--r--krb5-1.9-debuginfo.patch8
-rw-r--r--krb5.spec34
-rw-r--r--sources6
28 files changed, 402 insertions, 4015 deletions
diff --git a/.gitignore b/.gitignore
index c75f856..c55db22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -139,3 +139,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14.4.tar.gz
/krb5-1.14.4.tar.gz.asc
/krb5-1.14.4-pdfs.tar
+/krb5-1.15-beta1.tar.gz
+/krb5-1.15-beta1.tar.gz.asc
+/krb5-1.15-beta1-pdfs.tar
diff --git a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
deleted file mode 100644
index 17ecec6..0000000
--- a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 3 Mar 2016 18:53:31 +0100
-Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks
-
-Add two new APIs, krb5_set_kdc_send_hook() and
-krb5_set_kdc_recv_hook(), which can be used to inspect and override
-messages sent to KDCs.
-
-[ghudson@mit.edu: style and documentation changes]
-
-ticket: 8386 (new)
----
- doc/appdev/refs/api/index.rst | 2 +
- doc/appdev/refs/types/index.rst | 2 +
- src/include/k5-int.h | 6 +++
- src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++
- src/lib/krb5/libkrb5.exports | 2 +
- src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++-
- src/lib/krb5_32.def | 4 ++
- 7 files changed, 174 insertions(+), 2 deletions(-)
-
-diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
-index 8df351d..e97cbca 100644
---- a/doc/appdev/refs/api/index.rst
-+++ b/doc/appdev/refs/api/index.rst
-@@ -268,6 +268,8 @@ Rarely used public interfaces
- krb5_server_decrypt_ticket_keytab.rst
- krb5_set_default_tgs_enctypes.rst
- krb5_set_error_message.rst
-+ krb5_set_kdc_recv_hook.rst
-+ krb5_set_kdc_send_hook.rst
- krb5_set_real_time.rst
- krb5_string_to_cksumtype.rst
- krb5_string_to_deltat.rst
-diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
-index 51c4093..dc414cf 100644
---- a/doc/appdev/refs/types/index.rst
-+++ b/doc/appdev/refs/types/index.rst
-@@ -57,6 +57,8 @@ Public
- krb5_pa_svr_referral_data.rst
- krb5_pa_data.rst
- krb5_pointer.rst
-+ krb5_post_recv_fn.rst
-+ krb5_pre_send_fn.rst
- krb5_preauthtype.rst
- krb5_principal.rst
- krb5_principal_data.rst
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 6b7b2e3..045abfc 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -1238,6 +1238,12 @@ struct _krb5_context {
- krb5_trace_callback trace_callback;
- void *trace_callback_data;
-
-+ krb5_pre_send_fn kdc_send_hook;
-+ void *kdc_send_hook_data;
-+
-+ krb5_post_recv_fn kdc_recv_hook;
-+ void *kdc_recv_hook_data;
-+
- struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
- char *plugin_base_dir;
- };
-diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index c93a0f2..2b0d59e 100644
---- a/src/include/krb5/krb5.hin
-+++ b/src/include/krb5/krb5.hin
-@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
- krb5_error_code KRB5_CALLCONV
- krb5_set_trace_filename(krb5_context context, const char *filename);
-
-+
-+/**
-+ * Hook function for inspecting or modifying messages sent to KDCs.
-+ *
-+ * If the hook function returns an error code, the KDC communication will be
-+ * aborted and the error code will be returned to the library operation which
-+ * initiated the communication.
-+ *
-+ * If the hook function sets @a reply_out, @a message will not be sent to the
-+ * KDC, and the given reply will used instead.
-+ *
-+ * If the hook function sets @a new_message_out, the given message will be sent
-+ * to the KDC in place of @a message.
-+ *
-+ * If the hook function returns successfully without setting either output,
-+ * @a message will be sent to the KDC normally.
-+ *
-+ * The hook function should use krb5_copy_data() to construct the value for
-+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly
-+ * by the library.
-+ *
-+ * @param [in] context Library context
-+ * @param [in] data Callback data
-+ * @param [in] realm The realm the message will be sent to
-+ * @param [in] message The original message to be sent to the KDC
-+ * @param [out] new_message_out Optional replacement message to be sent
-+ * @param [out] reply_out Optional synthetic reply
-+ *
-+ * @retval 0 Success
-+ * @return A Kerberos error code
-+ */
-+typedef krb5_error_code
-+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,
-+ const krb5_data *realm,
-+ const krb5_data *message,
-+ krb5_data **new_message_out,
-+ krb5_data **new_reply_out);
-+
-+/**
-+ * Hook function for inspecting or overriding KDC replies.
-+ *
-+ * If @a code is zero, @a reply contains the reply received from the KDC. The
-+ * hook function may return an error code to simulate an error, may synthesize
-+ * a different reply by setting @a new_reply_out, or may simply return
-+ * successfully to do nothing.
-+ *
-+ * If @a code is non-zero, KDC communication failed and @a reply should be
-+ * ignored. The hook function may return @a code or a different error code, or
-+ * may synthesize a reply by setting @a new_reply_out and return successfully.
-+ *
-+ * The hook function should use krb5_copy_data() to construct the value for
-+ * @a new_reply_out, to ensure that it can be freed correctly by the library.
-+ *
-+ * @param [in] context Library context
-+ * @param [in] data Callback data
-+ * @param [in] code Status of KDC communication
-+ * @param [in] realm The realm the reply was received from
-+ * @param [in] message The message sent to the realm's KDC
-+ * @param [in] reply The reply received from the KDC
-+ * @param [out] new_reply_out Optional replacement reply
-+ *
-+ * @retval 0 Success
-+ * @return A Kerberos error code
-+ */
-+typedef krb5_error_code
-+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,
-+ krb5_error_code code,
-+ const krb5_data *realm,
-+ const krb5_data *message,
-+ const krb5_data *reply,
-+ krb5_data **new_reply_out);
-+
-+/**
-+ * Set a KDC pre-send hook function.
-+ *
-+ * @a send_hook will be called before messages are sent to KDCs by library
-+ * functions such as krb5_get_credentials(). The hook function may inspect,
-+ * override, or synthesize its own reply to the message.
-+ *
-+ * @param [in] context Library context
-+ * @param [in] send_hook Hook function (or NULL to disable the hook)
-+ * @param [in] data Callback data to be passed to @a send_hook
-+ */
-+void KRB5_CALLCONV
-+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
-+ void *data);
-+
-+/**
-+ * Set a KDC post-receive hook function.
-+ *
-+ * @a recv_hook will be called after a reply is received from a KDC during a
-+ * call to a library function such as krb5_get_credentials(). The hook
-+ * function may inspect or override the reply. This hook will not be executed
-+ * if the pre-send hook returns a synthetic reply.
-+ *
-+ * @param [in] context The library context.
-+ * @param [in] recv_hook Hook function (or NULL to disable the hook)
-+ * @param [in] data Callback data to be passed to @a recv_hook
-+ */
-+void KRB5_CALLCONV
-+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
-+ void *data);
-+
-+
- #if TARGET_OS_MAC
- # pragma pack(pop)
- #endif
-diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
-index c623409..ea6982d 100644
---- a/src/lib/krb5/libkrb5.exports
-+++ b/src/lib/krb5/libkrb5.exports
-@@ -581,6 +581,8 @@ krb5_set_password
- krb5_set_password_using_ccache
- krb5_set_principal_realm
- krb5_set_real_time
-+krb5_set_kdc_send_hook
-+krb5_set_kdc_recv_hook
- krb5_set_time_offsets
- krb5_set_trace_callback
- krb5_set_trace_filename
-diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index 6231de2..be00b8f 100644
---- a/src/lib/krb5/os/sendto_kdc.c
-+++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
- return 1;
- }
-
-+void
-+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
-+ void *data)
-+{
-+ context->kdc_send_hook = send_hook;
-+ context->kdc_send_hook_data = data;
-+}
-+
-+void
-+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
-+ void *data)
-+{
-+ context->kdc_recv_hook = recv_hook;
-+ context->kdc_recv_hook_data = data;
-+}
-+
- /*
- * send the formatted request 'message' to a KDC for realm 'realm' and
- * return the response (if any) in 'reply'.
-@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
-
- krb5_error_code
- krb5_sendto_kdc(krb5_context context, const krb5_data *message,
-- const krb5_data *realm, krb5_data *reply, int *use_master,
-+ const krb5_data *realm, krb5_data *reply_out, int *use_master,
- int no_udp)
- {
- krb5_error_code retval, err;
- struct serverlist servers;
- int server_used;
- k5_transport_strategy strategy;
-+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL;
-+
-+ *reply_out = empty_data();
-
- /*
- * find KDC location(s) for realm
-@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- if (retval)
- return retval;
-
-+ if (context->kdc_send_hook != NULL) {
-+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data,
-+ realm, message, &hook_message,
-+ &hook_reply);
-+ if (retval)
-+ goto cleanup;
-+
-+ if (hook_reply != NULL) {
-+ *reply_out = *hook_reply;
-+ free(hook_reply);
-+ goto cleanup;
-+ }
-+
-+ if (hook_message != NULL)
-+ message = hook_message;
-+ }
-+
- err = 0;
- retval = k5_sendto(context, message, realm, &servers, strategy, NULL,
-- reply, NULL, NULL, &server_used,
-+ &reply, NULL, NULL, &server_used,
- check_for_svc_unavailable, &err);
- if (retval == KRB5_KDC_UNREACH) {
- if (err == KDC_ERR_SVC_UNAVAILABLE) {
-@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- realm->length, realm->data);
- }
- }
-+
-+ if (context->kdc_recv_hook != NULL) {
-+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,
-+ retval, realm, message, &reply,
-+ &hook_reply);
-+ }
- if (retval)
- goto cleanup;
-
-+ if (hook_reply != NULL) {
-+ *reply_out = *hook_reply;
-+ free(hook_reply);
-+ } else {
-+ *reply_out = reply;
-+ reply = empty_data();
-+ }
-+
- /* Set use_master to 1 if we ended up talking to a master when we didn't
- * explicitly request to. */
- if (*use_master == 0) {
-@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- }
-
- cleanup:
-+ krb5_free_data(context, hook_message);
-+ krb5_free_data_contents(context, &reply);
- k5_free_serverlist(&servers);
- return retval;
- }
-diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
-index 3734e9b..8d58ea1 100644
---- a/src/lib/krb5_32.def
-+++ b/src/lib/krb5_32.def
-@@ -463,3 +463,7 @@ EXPORTS
- krb5_vwrap_error_message @430
- krb5_c_prfplus @431
- krb5_c_derive_prfplus @432
-+
-+; new in 1.15
-+ krb5_set_kdc_send_hook @433
-+ krb5_set_kdc_recv_hook @434
---
-2.9.3
-
diff --git a/Add-OS-prng-intended-for-use-with-getrandom.patch b/Add-OS-prng-intended-for-use-with-getrandom.patch
deleted file mode 100644
index 964eca6..0000000
--- a/Add-OS-prng-intended-for-use-with-getrandom.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 5d38da6d4eb29bf87e98a5cb4577b870dbf405ed Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 14 Sep 2016 16:12:57 -0400
-Subject: [PATCH] Add OS prng intended for use with getrandom()
-
-Add the prng_os.c module, using the name previously occupied by what
-is now prng_device.c. Unlike prng_device.c, this PRNG module
-maintains no file descriptor and just uses k5_os_random(), which is
-most efficient on platforms which have a getrandom() system call.
-
-[ghudson@mit.edu: expanded on commit message]
-
-ticket: 8499
-(cherry picked from commit 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa)
----
- src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 72 insertions(+)
- create mode 100644 src/lib/crypto/krb/prng_os.c
-
-diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
-new file mode 100644
-index 0000000..8ea13e7
---- /dev/null
-+++ b/src/lib/crypto/krb/prng_os.c
-@@ -0,0 +1,72 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* lib/crypto/krb/prng_os.c - OS PRNG implementation */
-+/*
-+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * This file implements a PRNG module which relies on the system's PRNG. An
-+ * OS packager can select this module given sufficient confidence in the
-+ * operating system's native PRNG quality.
-+ */
-+
-+#include "crypto_int.h"
-+
-+int
-+k5_prng_init(void)
-+{
-+ return 0;
-+}
-+
-+void
-+k5_prng_cleanup(void)
-+{
-+}
-+
-+krb5_error_code KRB5_CALLCONV
-+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
-+ const krb5_data *indata)
-+{
-+ return 0;
-+}
-+
-+krb5_error_code KRB5_CALLCONV
-+krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
-+{
-+ krb5_boolean res;
-+
-+ res = k5_get_os_entropy((uint8_t *)outdata->data, outdata->length, 0);
-+ return res ? 0 : KRB5_CRYPTO_INTERNAL;
-+}
-+
-+krb5_error_code KRB5_CALLCONV
-+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-+{
-+ return 0;
-+}
---
-2.9.3
-
diff --git a/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch b/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
deleted file mode 100644
index d694f3c..0000000
--- a/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 3a8bf57bd3008b2f5338bbd8ba1db5e9e2622c92 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 14 Sep 2016 16:10:34 -0400
-Subject: [PATCH] Add getrandom to k5_get_os_entropy() using syscall
-
-ticket: 8499
-(cherry picked from commit a9a48392c088b53d8dd86b8008b4059ab78a3679)
----
- src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++
- 1 file changed, 30 insertions(+)
-
-diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
-index 9ad24c1..22948a4 100644
---- a/src/lib/crypto/krb/prng.c
-+++ b/src/lib/crypto/krb/prng.c
-@@ -58,6 +58,9 @@ k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
- #ifdef HAVE_SYS_STAT_H
- #include <sys/stat.h>
- #endif
-+#ifdef __linux__
-+#include <sys/syscall.h>
-+#endif /* __linux__ */
-
- /* Open device, ensure that it is not a regular file, and read entropy. Return
- * true on success, false on failure. */
-@@ -96,6 +99,33 @@ krb5_boolean
- k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
- {
- const char *device;
-+#if defined(__linux__) && defined(SYS_getrandom)
-+ int r;
-+
-+ while (len > 0) {
-+ /*
-+ * Pull from the /dev/urandom pool, but it to have been seeded. This
-+ * ensures strong randomness while only blocking during first system
-+ * boot.
-+ *
-+ * glibc does not currently provide a binding for getrandom:
-+ * https://sourceware.org/bugzilla/show_bug.cgi?id=17252
-+ */
-+ errno = 0;
-+ r = syscall(SYS_getrandom, buf, len, 0);
-+ if (r <= 0) {
-+ if (errno == EINTR)
-+ continue;
-+
-+ /* ENOSYS or other unrecoverable failure */
-+ break;
-+ }
-+ len -= r;
-+ buf += r;
-+ }
-+ if (len == 0)
-+ return TRUE;
-+#endif /* defined(__linux__) && defined(SYS_getrandom) */
-
- device = strong ? "/dev/random" : "/dev/urandom";
- return read_entropy_from_device(device, buf, len);
---
-2.9.3
-
diff --git a/Add-krb5_db_register_keytab.patch b/Add-krb5_db_register_keytab.patch
deleted file mode 100644
index e6dd30f..0000000
--- a/Add-krb5_db_register_keytab.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 4514bc6f0b32471d1a9081ee3677d41eb373d3ff Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 7 Sep 2016 18:33:43 +0200
-Subject: [PATCH] Add krb5_db_register_keytab()
-
-Add a public libkdb5 function to register the KDB keytab type. This
-functionality is needed for out-of-tree KDC servers such as the Samba
-kpasswd service.
-
-[ghudson@mit.edu: edited comments, whitespace, commit message]
-
-ticket: 8494 (new)
-(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7)
----
- src/include/kdb.h | 7 +++++++
- src/lib/kdb/keytab.c | 6 ++++++
- src/lib/kdb/libkdb5.exports | 1 +
- 3 files changed, 14 insertions(+)
-
-diff --git a/src/include/kdb.h b/src/include/kdb.h
-index 9d3bf9d..048327c 100644
---- a/src/include/kdb.h
-+++ b/src/include/kdb.h
-@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
- void
- krb5_dbe_free_string(krb5_context, char *);
-
-+/*
-+ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
-+ * For this type to work, the context used for keytab operations must have an
-+ * associated database handle (via krb5_db_open()).
-+ */
-+krb5_error_code krb5_db_register_keytab(krb5_context context);
-+
- #define KRB5_KDB_DEF_FLAGS 0
-
- #define KDB_MAX_DB_NAME 128
-diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
-index b85b67d..c6aa100 100644
---- a/src/lib/kdb/keytab.c
-+++ b/src/lib/kdb/keytab.c
-@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data {
- } krb5_ktkdb_data;
-
- krb5_error_code
-+krb5_db_register_keytab(krb5_context context)
-+{
-+ return krb5_kt_register(context, &krb5_kt_kdb_ops);
-+}
-+
-+krb5_error_code
- krb5_ktkdb_resolve(context, name, id)
- krb5_context context;
- const char * name;
-diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
-index cb4c3df..e5d1045 100644
---- a/src/lib/kdb/libkdb5.exports
-+++ b/src/lib/kdb/libkdb5.exports
-@@ -85,6 +85,7 @@ krb5_db_delete_policy
- krb5_db_free_policy
- krb5_def_store_mkey_list
- krb5_db_promote
-+krb5_db_register_keytab
- ulog_add_update
- ulog_init_header
- ulog_map
---
-2.9.3
-
diff --git a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
deleted file mode 100644
index a47f81a..0000000
--- a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
+++ /dev/null
@@ -1,367 +0,0 @@
-From db601cd51030a1e48f38078dd706e95db069ead7 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 7 Mar 2016 17:59:07 +0100
-Subject: [PATCH] Add tests for send and receive sendto_kdc hooks
-
-[ghudson@mit.edu: style changes]
-
-ticket: 8386
-
-Conflicts:
- src/tests/Makefile.in
-[rharwood@redhat.com: fix cherry-pick merge conflicts]
-[rharwood@redhat.com: delete .gitignore]
----
- src/tests/Makefile.in | 12 ++-
- src/tests/deps | 10 ++
- src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
- src/tests/t_hooks.py | 9 ++
- 4 files changed, 280 insertions(+), 4 deletions(-)
- create mode 100644 src/tests/hooks.c
- create mode 100755 src/tests/t_hooks.py
-
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index b24e197..0fc0ea9 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -6,9 +6,9 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
- LC_ALL=C $(VALGRIND)
-
--OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o kdbtest.o plugorder.o \
-+OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o kdbtest.o plugorder.o \
- t_init_creds.o t_localauth.o rdreq.o responder.o s2p.o s4u2proxy.o
--EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c kdbtest.c plugorder.c \
-+EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c kdbtest.c plugorder.c \
- t_init_creds.c t_localauth.c rdreq.o responder.c s2p.c s4u2proxy.c
-
- TEST_DB = ./testdb
-@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS)
- hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
-
-+hooks: hooks.o $(KRB5_BASE_DEPLIBS)
-+ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS)
-+
- hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
-
-@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
- $(RM) $(TEST_DB)* stash_file
-
--check-pytests:: adata etinfo gcred hist hrealm kdbtest plugorder rdreq
-+check-pytests:: adata etinfo gcred hist hooks hrealm kdbtest plugorder rdreq
- check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
- $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
-@@ -159,7 +163,7 @@ check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
-
- clean::
-- $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p
-+ $(RM) gcred hist hooks hrealm kdbtest plugorder rdreq responder s2p
- $(RM) adata etinfo gcred hist hrealm kdbtest plugorder rdreq responder
- $(RM) s2p s4u2proxy t_init_creds t_localauth krb5.conf kdc.conf
- $(RM) -rf kdc_realm/sandbox ldap
-diff --git a/src/tests/deps b/src/tests/deps
-index de33c55..3634dc4 100644
---- a/src/tests/deps
-+++ b/src/tests/deps
-@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- hist.c
-+$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-+ $(top_srcdir)/include/socket-utils.h hooks.c
- $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-diff --git a/src/tests/hooks.c b/src/tests/hooks.c
-new file mode 100644
-index 0000000..fabdb89
---- /dev/null
-+++ b/src/tests/hooks.c
-@@ -0,0 +1,253 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* tests/hooks.c - test harness for KDC send and recv hooks */
-+/*
-+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+
-+static krb5_context ctx;
-+
-+static void
-+check_code(krb5_error_code code, const char *file, int line)
-+{
-+ const char *errmsg;
-+
-+ if (code) {
-+ errmsg = krb5_get_error_message(ctx, code);
-+ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg,
-+ (int)code);
-+ krb5_free_error_message(ctx, errmsg);
-+ exit(1);
-+ }
-+}
-+
-+#define check(code) check_code((code), __FILE__, __LINE__)
-+
-+/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */
-+static krb5_error_code
-+test_send_as_req(krb5_context context, void *data, const krb5_data *realm,
-+ const krb5_data *message, krb5_data **new_message_out,
-+ krb5_data **reply_out)
-+{
-+ krb5_kdc_req *as_req;
-+ int cmp;
-+
-+ assert(krb5_is_as_req(message));
-+ check(decode_krb5_as_req(message, &as_req));
-+
-+ assert(as_req->msg_type == KRB5_AS_REQ);
-+ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE);
-+ assert(as_req->client->realm.length == realm->length);
-+ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length);
-+ assert(cmp == 0);
-+
-+ /* Remove the canonicalize flag and create a new message. */
-+ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE;
-+ check(encode_krb5_as_req(as_req, new_message_out));
-+
-+ krb5_free_kdc_req(context, as_req);
-+ return 0;
-+}
-+
-+/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */
-+static krb5_error_code
-+test_recv_as_rep(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ krb5_kdc_rep *as_rep;
-+
-+ assert(code == 0);
-+ assert(krb5_is_as_rep(reply));
-+ check(decode_krb5_as_rep(reply, &as_rep));
-+
-+ assert(as_rep->msg_type == KRB5_AS_REP);
-+ assert(as_rep->ticket->enc_part.kvno == 1);
-+ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype));
-+
-+ krb5_free_kdc_rep(context, as_rep);
-+ return 0;
-+}
-+
-+/* Create a fake error reply. */
-+static krb5_error_code
-+test_send_error(krb5_context context, void *data, const krb5_data *realm,
-+ const krb5_data *message, krb5_data **new_message_out,
-+ krb5_data **reply_out)
-+{
-+ krb5_error_code ret;
-+ krb5_error err;
-+ krb5_principal client, server;
-+ char *realm_str, *princ_str;
-+ int r;
-+
-+ realm_str = k5memdup0(realm->data, realm->length, &ret);
-+ check(ret);
-+
-+ r = asprintf(&princ_str, "invalid@%s", realm_str);
-+ assert(r > 0);
-+ check(krb5_parse_name(ctx, princ_str, &client));
-+ free(princ_str);
-+
-+ r = asprintf(&princ_str, "krbtgt@%s", realm_str);
-+ assert(r > 0);
-+ check(krb5_parse_name(ctx, princ_str, &server));
-+ free(princ_str);
-+ free(realm_str);
-+
-+ err.magic = KV5M_ERROR;
-+ err.ctime = 1971196337;
-+ err.cusec = 0;
-+ err.susec = 97008;
-+ err.stime = 1458219390;
-+ err.error = 6;
-+ err.client = client;
-+ err.server = server;
-+ err.text = string2data("CLIENT_NOT_FOUND");
-+ err.e_data = empty_data();
-+ check(encode_krb5_error(&err, reply_out));
-+
-+ krb5_free_principal(ctx, client);
-+ krb5_free_principal(ctx, server);
-+ return 0;
-+}
-+
-+static krb5_error_code
-+test_recv_error(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ /* The send hook created a reply, so this hook should not be executed. */
-+ abort();
-+}
-+
-+/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */
-+static krb5_error_code
-+test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ krb5_kdc_rep *as_rep;
-+
-+ assert(code == 0);
-+ assert(krb5_is_as_rep(reply));
-+ check(decode_krb5_as_rep(reply, &as_rep));
-+
-+ as_rep->msg_type = KRB5_TGS_REP;
-+ check(encode_krb5_as_rep(as_rep, new_reply));
-+
-+ krb5_free_kdc_rep(context, as_rep);
-+ return 0;
-+}
-+
-+/* Return an error given by the callback data argument. */
-+static krb5_error_code
-+test_send_return_value(krb5_context context, void *data,
-+ const krb5_data *realm, const krb5_data *message,
-+ krb5_data **new_message_out, krb5_data **reply_out)
-+{
-+ assert(data != NULL);
-+ return *(krb5_error_code *)data;
-+}
-+
-+/* Return an error given by the callback argument. */
-+static krb5_error_code
-+test_recv_return_value(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ assert(data != NULL);
-+ return *(krb5_error_code *)data;
-+}
-+
-+int
-+main(int argc, char *argv[])
-+{
-+ const char *principal, *password;
-+ krb5_principal client;
-+ krb5_get_init_creds_opt *opts;
-+ krb5_creds creds;
-+ krb5_error_code ret, test_return_code;
-+
-+ if (argc != 3) {
-+ fprintf(stderr, "Usage: %s princname password\n", argv[0]);
-+ exit(1);
-+ }
-+ principal = argv[1];
-+ password = argv[2];
-+
-+ check(krb5_init_context(&ctx));
-+ check(krb5_parse_name(ctx, principal, &client));
-+
-+ /* Use a send hook to modify an outgoing AS-REQ. The library will detect
-+ * the modification in the reply. */
-+ check(krb5_get_init_creds_opt_alloc(ctx, &opts));
-+ krb5_get_init_creds_opt_set_canonicalize(opts, 1);
-+ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, opts);
-+ assert(ret == KRB5_KDCREP_MODIFIED);
-+ krb5_get_init_creds_opt_free(ctx, opts);
-+
-+ /* Use a send hook to synthesize a KRB-ERROR reply. */
-+ krb5_set_kdc_send_hook(ctx, test_send_error, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
-+
-+ /* Use a recv hook to modify a KDC reply. */
-+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE);
-+
-+ /* Verify that the user data pointer works in the send hook. */
-+ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED;
-+ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code);
-+ krb5_set_kdc_recv_hook(ctx, NULL, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED);
-+
-+ /* Verify that the user data pointer works in the recv hook. */
-+ test_return_code = KRB5KDC_ERR_NULL_KEY;
-+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_NULL_KEY);
-+
-+ krb5_free_principal(ctx, client);
-+ krb5_free_context(ctx);
-+ return 0;
-+}
-diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py
-new file mode 100755
-index 0000000..58dff3a
---- /dev/null
-+++ b/src/tests/t_hooks.py
-@@ -0,0 +1,9 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+# Test that KDC send and recv hooks work correctly.
-+realm = K5Realm(create_host=False, get_creds=False)
-+realm.run(['./hooks', realm.user_princ, password('user')])
-+realm.stop()
-+
-+success('send and recv hook tests')
---
-2.9.3
-
diff --git a/Change-KDC-error-for-encrypted-timestamp-preauth.patch b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
deleted file mode 100644
index c14c736..0000000
--- a/Change-KDC-error-for-encrypted-timestamp-preauth.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 8 Aug 2016 18:03:55 +0200
-Subject: [PATCH] Change KDC error for encrypted timestamp preauth
-
-When encrypted timestamp pre-authentication fails, respond with error
-code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
-consistency with other Kerberos implementations.
-
-[ghudson@mit.edu: clarified commit message and comment]
-
-ticket: 8471 (new)
-(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
----
- src/kdc/kdc_preauth_encts.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
-index 65f7c36..e80dc12 100644
---- a/src/kdc/kdc_preauth_encts.c
-+++ b/src/kdc/kdc_preauth_encts.c
-@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_key_data * client_key;
- krb5_int32 start;
- krb5_timestamp timenow;
-- krb5_error_code decrypt_err = 0;
-
- scratch.data = (char *)pa->contents;
- scratch.length = pa->length;
-@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- goto cleanup;
-
- start = 0;
-- decrypt_err = 0;
- while (1) {
- if ((retval = krb5_dbe_search_enctype(context, rock->client,
- &start, enc_data->enctype,
-@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_free_keyblock_contents(context, &key);
- if (retval == 0)
- break;
-- else
-- decrypt_err = retval;
- }
-
- if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
-@@ -119,14 +115,10 @@ cleanup:
- krb5_free_data_contents(context, &enc_ts_data);
- if (pa_enc)
- free(pa_enc);
-- /*
-- * If we get NO_MATCHING_KEY and decryption previously failed, and
-- * we failed to find any other keys of the correct enctype after
-- * that failed decryption, it probably means that the password was
-- * incorrect.
-- */
-- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
-- retval = decrypt_err;
-+ /* If we get NO_MATCHING_KEY, it probably means that the password was
-+ * incorrect. */
-+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
-+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
-
- (*respond)(arg, retval, NULL, NULL, NULL);
- }
---
-2.9.3
-
diff --git a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
deleted file mode 100644
index 7b9b4ae..0000000
--- a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 23 Aug 2016 16:58:44 -0400
-Subject: [PATCH] Create KDC and kadmind log files with mode 0640
-
-In krb5_klog_init(), use open() and fdopen() to open log files so that
-we can specify a mode. Specify a mode which doesn't include the
-group-write, other-read, or other-write bits even if the process umask
-allows them.
-
-[ghudson@mit.edu: wrote commit message, de-indented post-open setup
-code]
-[rharwood@redhat.com: backport not clean due to SELinux patching]
-
-ticket: 8344 (new)
----
- src/lib/kadm5/logger.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index 64f9641..0517efe 100644
---- a/src/lib/kadm5/logger.c
-+++ b/src/lib/kadm5/logger.c
-@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
- const char *logging_profent[3];
- const char *logging_defent[3];
- char **logging_specs;
-- int i, ngood;
-+ int i, ngood, fd, append;
- char *cp, *cp2;
- char savec = '\0';
- int error;
-@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
- /*
- * Check for append/overwrite, then open the file.
- */
-- if (cp[4] == ':' || cp[4] == '=') {
-- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
-- if (f) {
-- set_cloexec_file(f);
-- log_control.log_entries[i].lfu_filep = f;
-- log_control.log_entries[i].log_type = K_LOG_FILE;
-- log_control.log_entries[i].lfu_fname = &cp[5];
-- } else {
-+ append = (cp[4] == ':') ? O_APPEND : 0;
-+ if (append || cp[4] == '=') {
-+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
-+ S_IRUSR | S_IWUSR | S_IRGRP);
-+ if (fd != -1)
-+ f = fdopen(fd, append ? "a" : "w");
-+ if (fd == -1 || f == NULL) {
- fprintf(stderr,"Couldn't open log file %s: %s\n",
- &cp[5], error_message(errno));
- continue;
- }
-+ set_cloexec_file(f);
-+ log_control.log_entries[i].lfu_filep = f;
-+ log_control.log_entries[i].log_type = K_LOG_FILE;
-+ log_control.log_entries[i].lfu_fname = &cp[5];
- }
- }
- #ifdef HAVE_SYSLOG
---
-2.9.3
-
diff --git a/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch b/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
deleted file mode 100644
index 3467adf..0000000
--- a/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-From dd0c141bfc858caa8470271205220a968db7ab51 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Mon, 12 Sep 2016 12:25:05 -0400
-Subject: [PATCH] Don't feed OS RNG output into the OS RNG
-
-krb5_c_random_os_entropy() now must be provided by PRNG modules.
-
-ticket: 8499
-(cherry picked from commit 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f)
----
- src/lib/crypto/krb/crypto_int.h | 3 +-
- src/lib/crypto/krb/prng.c | 60 +++++----------------------------------
- src/lib/crypto/krb/prng_fortuna.c | 26 ++++++++++++++++-
- src/lib/crypto/krb/prng_os.c | 6 ++++
- 4 files changed, 40 insertions(+), 55 deletions(-)
-
-diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
-index c054144..a205e3f 100644
---- a/src/lib/crypto/krb/crypto_int.h
-+++ b/src/lib/crypto/krb/crypto_int.h
-@@ -508,6 +508,7 @@ void krb5int_crypto_impl_cleanup(void);
- * PRNG modules must implement the following APIs from krb5.h:
- * krb5_c_random_add_entropy
- * krb5_c_random_make_octets
-+ * krb5_c_random_os_entropy
- *
- * PRNG modules should implement these functions. They are called from the
- * crypto library init and cleanup functions, and can be used to setup and tear
-@@ -517,7 +518,7 @@ int k5_prng_init(void);
- void k5_prng_cleanup(void);
-
- /* Used by PRNG modules to gather OS entropy. Returns true on success. */
--krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len);
-+krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len, int strong);
-
- /*** Inline helper functions ***/
-
-diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
-index e478b19..9ad24c1 100644
---- a/src/lib/crypto/krb/prng.c
-+++ b/src/lib/crypto/krb/prng.c
-@@ -36,11 +36,13 @@ krb5_c_random_seed(krb5_context context, krb5_data *data)
- #if defined(_WIN32)
-
- krb5_boolean
--k5_get_os_entropy(unsigned char *buf, size_t len)
-+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
- {
- krb5_boolean result;
- HCRYPTPROV provider;
-
-+ /* CryptGenRandom is always considered strong. */
-+
- if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
- CRYPT_VERIFYCONTEXT))
- return FALSE;
-@@ -49,22 +51,6 @@ k5_get_os_entropy(unsigned char *buf, size_t len)
- return result;
- }
-
--krb5_error_code KRB5_CALLCONV
--krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
--{
-- int oursuccess = 0;
-- char buf[1024];
-- krb5_data data = make_data(buf, sizeof(buf));
--
-- if (k5_get_os_entropy(buf, sizeof(buf)) &&
-- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
-- &data) == 0)
-- oursuccess = 1;
-- if (success != NULL)
-- *success = oursuccess;
-- return 0;
--}
--
- #else /* not Windows */
- #ifdef HAVE_UNISTD_H
- #include <unistd.h>
-@@ -107,44 +93,12 @@ cleanup:
- }
-
- krb5_boolean
--k5_get_os_entropy(unsigned char *buf, size_t len)
-+k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
- {
-- return read_entropy_from_device("/dev/urandom", buf, len);
--}
-+ const char *device;
-
--/* Read entropy from device and contribute it to the PRNG. Returns true on
-- * success. */
--static krb5_boolean
--add_entropy_from_device(krb5_context context, const char *device)
--{
-- krb5_data data;
-- unsigned char buf[64];
--
-- if (!read_entropy_from_device(device, buf, sizeof(buf)))
-- return FALSE;
-- data = make_data(buf, sizeof(buf));
-- return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
-- &data) == 0);
--}
--
--krb5_error_code KRB5_CALLCONV
--krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
--{
-- int unused;
-- int *oursuccess = (success != NULL) ? success : &unused;
--
-- *oursuccess = 0;
-- /* If we are getting strong data then try that first. We are
-- guaranteed to cause a reseed of some kind if strong is true and
-- we have both /dev/random and /dev/urandom. We want the strong
-- data included in the reseed so we get it first.*/
-- if (strong) {
-- if (add_entropy_from_device(context, "/dev/random"))
-- *oursuccess = 1;
-- }
-- if (add_entropy_from_device(context, "/dev/urandom"))
-- *oursuccess = 1;
-- return 0;
-+ device = strong ? "/dev/random" : "/dev/urandom";
-+ return read_entropy_from_device(device, buf, len);
- }
-
- #endif /* not Windows */
-diff --git a/src/lib/crypto/krb/prng_fortuna.c b/src/lib/crypto/krb/prng_fortuna.c
-index e70ffa3..017a119 100644
---- a/src/lib/crypto/krb/prng_fortuna.c
-+++ b/src/lib/crypto/krb/prng_fortuna.c
-@@ -366,7 +366,7 @@ k5_prng_init(void)
- #else
- last_pid = getpid();
- #endif
-- if (k5_get_os_entropy(osbuf, sizeof(osbuf))) {
-+ if (k5_get_os_entropy(osbuf, sizeof(osbuf), 0)) {
- generator_reseed(&main_state, osbuf, sizeof(osbuf));
- have_entropy = TRUE;
- }
-@@ -443,4 +443,28 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
- return 0;
- }
-
-+krb5_error_code KRB5_CALLCONV
-+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-+{
-+ krb5_error_code ret;
-+ krb5_data data;
-+ uint8_t buf[64];
-+ int status = 0;
-+
-+ if (!k5_get_os_entropy(buf, sizeof(buf), strong))
-+ goto done;
-+
-+ data = make_data(buf, sizeof(buf));
-+ ret = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data);
-+ if (ret)
-+ goto done;
-+
-+ status = 1;
-+
-+done:
-+ if (success != NULL)
-+ *success = status;
-+ return 0;
-+}
-+
- #endif /* not TEST */
-diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c
-index 730ed2e..ecfe351 100644
---- a/src/lib/crypto/krb/prng_os.c
-+++ b/src/lib/crypto/krb/prng_os.c
-@@ -91,3 +91,9 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
- }
- return 0;
- }
-+
-+krb5_error_code KRB5_CALLCONV
-+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
-+{
-+ return 0;
-+}
---
-2.9.3
-
diff --git a/Fix-impersonate_name-to-work-with-interposers.patch b/Fix-impersonate_name-to-work-with-interposers.patch
deleted file mode 100644
index 5baebb0..0000000
--- a/Fix-impersonate_name-to-work-with-interposers.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 13 Nov 2015 14:54:11 -0500
-Subject: [PATCH] Fix impersonate_name to work with interposers
-
-This follows the same modifications applied to
-gss_acquire_cred_with_password() when interposer plugins were
-introduced.
-
-[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
-spnego_gss_acquire_cred_impersonate_name() since it is released in the
-cleanup handler]
-
-ticket: 8280 (new)
----
- src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
- src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
- 2 files changed, 54 insertions(+), 39 deletions(-)
-
-diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
-index 0dd4f87..9eab25e 100644
---- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
-+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
-@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
- gss_cred_id_t cred = NULL;
- gss_OID new_mechs_array = NULL;
- gss_cred_id_t * new_cred_array = NULL;
-+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
-+ gss_OID selected_mech = GSS_C_NO_OID;
-
- status = val_add_cred_impersonate_name_args(minor_status,
- input_cred_handle,
-@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
- if (status != GSS_S_COMPLETE)
- return (status);
-
-- mech = gssint_get_mechanism(desired_mech);
-+ status = gssint_select_mech_type(minor_status, desired_mech,
-+ &selected_mech);
-+ if (status != GSS_S_COMPLETE)
-+ return status;
-+
-+ mech = gssint_get_mechanism(selected_mech);
- if (!mech)
- return GSS_S_BAD_MECH;
- else if (!mech->gss_acquire_cred_impersonate_name)
-@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
- internal_name = GSS_C_NO_NAME;
- } else {
- union_cred = (gss_union_cred_t)input_cred_handle;
-- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
-+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
- GSS_C_NO_CREDENTIAL)
- return (GSS_S_DUPLICATE_ELEMENT);
- }
-
- mech_impersonator_cred =
- gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
-- desired_mech);
-+ selected_mech);
- if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
- return (GSS_S_NO_CRED);
-
- /* may need to create a mechanism specific name */
- union_name = (gss_union_name_t)desired_name;
- if (union_name->mech_type &&
-- g_OID_equal(union_name->mech_type,
-- &mech->mech_type))
-+ g_OID_equal(union_name->mech_type, selected_mech))
- internal_name = union_name->mech_name;
- else {
- if (gssint_import_internal_name(minor_status,
-- &mech->mech_type, union_name,
-- &allocated_name) != GSS_S_COMPLETE)
-+ selected_mech, union_name,
-+ &allocated_name) != GSS_S_COMPLETE)
- return (GSS_S_BAD_NAME);
- internal_name = allocated_name;
- }
-@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
- else
- time_req = 0;
-
-+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
-+ if (status != GSS_S_COMPLETE)
-+ goto errout;
-+
-+ status = gss_add_oid_set_member(minor_status,
-+ gssint_get_public_oid(selected_mech),
-+ &target_mechs);
-+ if (status != GSS_S_COMPLETE)
-+ goto errout;
-+
- status = mech->gss_acquire_cred_impersonate_name(minor_status,
- mech_impersonator_cred,
- internal_name,
- time_req,
-- GSS_C_NULL_OID_SET,
-+ target_mechs,
- cred_usage,
- &cred,
- NULL,
-@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
-
- new_cred_array[union_cred->count] = cred;
- if ((new_mechs_array[union_cred->count].elements =
-- malloc(mech->mech_type.length)) == NULL)
-+ malloc(selected_mech->length)) == NULL)
- goto errout;
-
-- g_OID_copy(&new_mechs_array[union_cred->count],
-- &mech->mech_type);
-+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
-
- if (actual_mechs != NULL) {
-- gss_OID_set_desc oids;
--
-- oids.count = union_cred->count + 1;
-- oids.elements = new_mechs_array;
--
-- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
-+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
-+ union_cred->count + 1,
-+ actual_mechs);
- if (GSS_ERROR(status)) {
- free(new_mechs_array[union_cred->count].elements);
- goto errout;
-@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
- /* We're done with the internal name. Free it if we allocated it. */
-
- if (allocated_name)
-- (void) gssint_release_internal_name(&temp_minor_status,
-- &mech->mech_type,
-+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
- &allocated_name);
-
-+ if (target_mechs)
-+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
-+
- return (GSS_S_COMPLETE);
-
- errout:
-@@ -503,8 +517,10 @@ errout:
-
- if (allocated_name)
- (void) gssint_release_internal_name(&temp_minor_status,
-- &mech->mech_type,
-- &allocated_name);
-+ selected_mech, &allocated_name);
-+
-+ if (target_mechs)
-+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
-
- if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
- free(union_cred);
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 07435d8..99e374f 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
- gss_OID_set *actual_mechs,
- OM_uint32 *time_rec)
- {
-- OM_uint32 status;
-+ OM_uint32 status, tmpmin;
- gss_OID_set amechs = GSS_C_NULL_OID_SET;
- spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
-- gss_cred_id_t imp_mcred, out_mcred;
-+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
-
- dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
-
-@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
-
- imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
- imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
-- if (desired_mechs == GSS_C_NO_OID_SET) {
-- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
-- NULL, &amechs);
-- if (status != GSS_S_COMPLETE)
-- return status;
--
-- desired_mechs = amechs;
-- }
-+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
-+ NULL, &amechs);
-+ if (status != GSS_S_COMPLETE)
-+ return status;
-
- status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
- desired_name, time_req,
-- desired_mechs, cred_usage,
-+ amechs, cred_usage,
- &out_mcred, actual_mechs,
- time_rec);
--
-- if (amechs != GSS_C_NULL_OID_SET)
-- (void) gss_release_oid_set(minor_status, &amechs);
-+ if (status != GSS_S_COMPLETE)
-+ goto cleanup;
-
- status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
-- if (status != GSS_S_COMPLETE) {
-- gss_release_cred(minor_status, &out_mcred);
-- return (status);
-- }
-+ if (status != GSS_S_COMPLETE)
-+ goto cleanup;
-+
-+ out_mcred = GSS_C_NO_CREDENTIAL;
- *output_cred_handle = (gss_cred_id_t)out_spcred;
-
-+cleanup:
-+ (void) gss_release_oid_set(&tmpmin, &amechs);
-+ (void) gss_release_cred(&tmpmin, &out_mcred);
-+
- dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
- return (status);
- }
---
-2.9.3
-
diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch
deleted file mode 100644
index b6c17e8..0000000
--- a/Improve-bad-password-inference-in-kinit.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 25 Jul 2016 13:28:43 -0400
-Subject: [PATCH] Improve bad password inference in kinit
-
-kinit currently outputs "Password incorrect" if it sees a
-bad-integrity error code, which results if the KDC reply couldn't be
-decrypted, or when encrypted timestamp preauth fails against an MIT
-krb5 1.14 or earlier KDC. Expand this check to include general
-preauth failures reported by the KDC, but only if a password was
-prompted for.
-
-ticket: 8465 (new)
-(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
----
- src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
-index eba36b9..990fd11 100644
---- a/src/clients/kinit/kinit.c
-+++ b/src/clients/kinit/kinit.c
-@@ -700,9 +700,18 @@ kinit_prompter(
- krb5_prompt prompts[]
- )
- {
-- krb5_error_code rc =
-- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
-- return rc;
-+ krb5_boolean *pwprompt = data;
-+ krb5_prompt_type *ptypes;
-+ int i;
-+
-+ /* Make a note if we receive a password prompt. */
-+ ptypes = krb5_get_prompt_types(ctx);
-+ for (i = 0; i < num_prompts; i++) {
-+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
-+ *pwprompt = TRUE;
-+ }
-+
-+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- }
-
- static int
-@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
- krb5_creds my_creds;
- krb5_error_code code = 0;
- krb5_get_init_creds_opt *options = NULL;
-+ krb5_boolean pwprompt = FALSE;
- int i;
-
- memset(&my_creds, 0, sizeof(my_creds));
-@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
- switch (opts->action) {
- case INIT_PW:
- code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
-- 0, kinit_prompter, 0,
-+ 0, kinit_prompter, &pwprompt,
- opts->starttime,
- opts->service_name,
- options);
-@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
- break;
- }
-
-- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
-+ /* If reply decryption failed, or if pre-authentication failed and we
-+ * were prompted for a password, assume the password was wrong. */
-+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
-+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
- fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
- doing);
-- else
-+ } else {
- com_err(progname, code, _("while %s"), doing);
-+ }
- goto cleanup;
- }
-
---
-2.9.3
-
diff --git a/Properly-handle-EOF-condition-on-libkrad-sockets.patch b/Properly-handle-EOF-condition-on-libkrad-sockets.patch
deleted file mode 100644
index 7c989d0..0000000
--- a/Properly-handle-EOF-condition-on-libkrad-sockets.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 9a3a64665819a0e1ee82953bf879f57d6f433358 Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum <npmccallum@redhat.com>
-Date: Fri, 30 Sep 2016 10:03:33 -0400
-Subject: [PATCH] Properly handle EOF condition on libkrad sockets
-
-In the previous code, when the remote peer performed an orderly shutdown
-on the socket, libkrad would enter a state in which all future requests
-timed out. Instead, if the peer shuts down its socket, we need to
-attempt to reopen it.
-
-ticket: 8504 (new)
-target_version: 1.14-next
-tags: pullup
-
-(cherry picked from commit 248497427d5a45225817b6c22e9224e8ad969872)
----
- src/lib/krad/remote.c | 13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
-index df3de3a..68cd16f 100644
---- a/src/lib/krad/remote.c
-+++ b/src/lib/krad/remote.c
-@@ -329,16 +329,15 @@ on_io_read(krad_remote *rr)
- /* Read the packet. */
- i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
- pktlen, 0);
-- if (i < 0) {
-- /* Should we try again? */
-- if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
-- return;
-
-- /* The socket is unrecoverable. */
-+ /* On these errors, try again. */
-+ if (i < 0 && (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
-+ return;
-+
-+ /* On any other errors or on EOF, the socket is unrecoverable. */
-+ if (i <= 0) {
- remote_shutdown(rr);
- return;
-- } else if (i == 0) {
-- remote_del_flags(rr, FLAGS_READ);
- }
-
- /* If we have a partial read or just the header, try again. */
---
-2.9.3
-
diff --git a/Rename-prng_os.c-to-prng_device.c.patch b/Rename-prng_os.c-to-prng_device.c.patch
deleted file mode 100644
index 327ee07..0000000
--- a/Rename-prng_os.c-to-prng_device.c.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8ca87ac2ab358d9fa6756636a6c5280858a72e3b Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 14 Sep 2016 12:53:10 -0400
-Subject: [PATCH] Rename prng_os.c to prng_device.c
-
-ticket: 8499
-(cherry picked from commit 5e54525fbe40d56f44368e216c92938403cad96d)
----
- src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- rename src/lib/crypto/krb/{prng_os.c => prng_device.c} (97%)
-
-diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_device.c
-similarity index 97%
-rename from src/lib/crypto/krb/prng_os.c
-rename to src/lib/crypto/krb/prng_device.c
-index ecfe351..bef5b37 100644
---- a/src/lib/crypto/krb/prng_os.c
-+++ b/src/lib/crypto/krb/prng_device.c
-@@ -1,5 +1,5 @@
- /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
--/* lib/crypto/krb/prng_os.c - OS-native PRNG implementation */
-+/* lib/crypto/krb/prng_device.c - OS device-based PRNG implementation */
- /*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
---
-2.9.3
-
diff --git a/Set-prompt-type-for-OTP-preauth-prompt.patch b/Set-prompt-type-for-OTP-preauth-prompt.patch
deleted file mode 100644
index 391dc80..0000000
--- a/Set-prompt-type-for-OTP-preauth-prompt.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 59ffbc2016ae2e164a0da7bacc5449bd9898337c Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 25 Jul 2016 13:23:31 -0400
-Subject: [PATCH] Set prompt type for OTP preauth prompt
-
-Add k5_set_prompt_type() calls around the prompter invocation in
-preauth_otp.c, and add the comment we conventionally put before
-prompter invocations.
-
-ticket: 8464 (new)
-(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
----
- src/lib/krb5/krb/preauth_otp.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
-index 37f98b2..48fcbb5 100644
---- a/src/lib/krb5/krb/preauth_otp.c
-+++ b/src/lib/krb5/krb/preauth_otp.c
-@@ -31,6 +31,7 @@
- #include "k5-int.h"
- #include "k5-json.h"
- #include "int-proto.h"
-+#include "os-proto.h"
-
- #include <krb5/clpreauth_plugin.h>
- #include <ctype.h>
-@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
- krb5_prompt prompt;
- krb5_data prompt_reply;
- krb5_error_code retval;
-+ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-
- if (prompttxt == NULL || out == NULL)
- return EINVAL;
-@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
- prompt.prompt = (char *)prompttxt;
- prompt.hidden = 1;
-
-+ /* PROMPTER_INVOCATION */
-+ k5_set_prompt_types(context, &prompt_type);
- retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
-+ k5_set_prompt_types(context, NULL);
- if (retval != 0)
- return retval;
-
---
-2.9.3
-
diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch
index d86d224..5487a8b 100644
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@@ -1,4 +1,4 @@
-From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
+From a8750a1a2d0925c6ad01096e09bdbf18c058cb70 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
@@ -8,10 +8,10 @@ Subject: [PATCH] krb5-1.11-kpasswdtest.patch
1 file changed, 1 insertion(+)
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
-index e9702bb..482fda6 100644
+index 00c4429..9c4bc1d 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto
-@@ -8,6 +8,7 @@
+@@ -9,6 +9,7 @@
__REALM__ = {
kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751
diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch
index d9c49c1..049e5e1 100644
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@@ -1,4 +1,4 @@
-From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
+From 9ad4aa0ba462b3bee535b4e579f8247258742d59 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch
diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch
index 2031529..849453b 100644
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@@ -1,4 +1,4 @@
-From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
+From a7903a70342d35bfba50d3d1c080d481f3d725c6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch
diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch
index 40ca7ae..ae8ec8e 100644
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@@ -1,4 +1,4 @@
-From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
+From d60c3784417faad05fffb5bb4d6db4c44e79c8cb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
@@ -9,7 +9,7 @@ Set the default PATH to the one set by login.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
-index ad2406a..1379c4a 100644
+index 5755bb5..9d58f29 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch
index 43b8306..9f2a578 100644
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@@ -1,4 +1,4 @@
-From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
+From 813d3e2617057252ad1f9ffa30624f36629903b7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch
@@ -14,7 +14,7 @@ the contents of the first keytab.
create mode 100644 src/lib/krb5/keytab/kt_any.c
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
-index 28485d5..c17ab82 100644
+index 2a8fceb..ffd179f 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -12,6 +12,7 @@ STLIBOBJS= \
diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch
index 1c26f81..cb5dbcc 100644
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@@ -1,4 +1,4 @@
-From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
+From 551bd300005a8c45bad3a26f813ae99f31f4a641 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
@@ -28,10 +28,10 @@ changes we're proposing for how it handles cache collections.
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index dbb7db2..ce045ab 100644
+index bd2eb48..5fc7f3e 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
-@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
+@@ -1673,3 +1673,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@@ -103,7 +103,7 @@ index dbb7db2..ce045ab 100644
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
-index c705fda..ad2406a 100644
+index b2fcbf2..5755bb5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
@@ -129,7 +129,7 @@ index c705fda..ad2406a 100644
heuristic.o \
xmalloc.o @SETENVOBJ@
- all:: ksu
+ all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
@@ -138,10 +138,10 @@ index c705fda..ad2406a 100644
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
- clean::
+ clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 2f8d8e1..1b2ca83 100644
+index 28342c2..cab0c18 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@@ -171,7 +171,7 @@ index 2f8d8e1..1b2ca83 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
-@@ -514,6 +520,23 @@ main (argc, argv)
+@@ -515,6 +521,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@@ -195,7 +195,7 @@ index 2f8d8e1..1b2ca83 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
-@@ -574,6 +597,24 @@ main (argc, argv)
+@@ -575,6 +598,24 @@ main (argc, argv)
exit(1);
}
@@ -220,7 +220,7 @@ index 2f8d8e1..1b2ca83 100644
}
if( some_rest_copy){
-@@ -631,6 +672,30 @@ main (argc, argv)
+@@ -632,6 +673,30 @@ main (argc, argv)
exit(1);
}
@@ -251,7 +251,7 @@ index 2f8d8e1..1b2ca83 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
-@@ -728,7 +793,7 @@ main (argc, argv)
+@@ -729,7 +794,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@@ -260,7 +260,7 @@ index 2f8d8e1..1b2ca83 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
-@@ -758,16 +823,35 @@ main (argc, argv)
+@@ -759,16 +824,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@@ -756,10 +756,10 @@ index 0000000..0ab7656
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.in b/src/configure.in
-index b2a8675..8846ca0 100644
+index fde09a1..79c0fe2 100644
--- a/src/configure.in
+++ b/src/configure.in
-@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION])
+@@ -1336,6 +1336,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch
index 4c0b699..b4fc641 100644
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@@ -1,4 +1,4 @@
-From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
+From 71c4e4b129b33d8b71262c5f2eea55267b6b33cb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
@@ -12,10 +12,10 @@ original version filed as RT#5891.
3 files changed, 29 insertions(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index ed343c5..f67eef7 100644
+index d49b7c1..9076016 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
-@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then
+@@ -1654,6 +1654,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes
fi
@@ -32,10 +32,10 @@ index ed343c5..f67eef7 100644
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index aca8f31..0a0968c 100644
+index 32efc4f..af8b2db 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
@@ -60,7 +60,7 @@ index aca8f31..0a0968c 100644
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-index 6a06f55..1f87e21 100644
+index d722dbf..5e8e9a8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
@@ -72,7 +72,7 @@ index 6a06f55..1f87e21 100644
+#endif
"krbLastPwdChange",
"krbLastAdminUnlock",
- "krbExtraData",
+ "krbPrincipalAuthInd",
--
2.9.3
diff --git a/krb5-1.14.4-openssl11.patch b/krb5-1.14.4-openssl11.patch
deleted file mode 100644
index 3bf9077..0000000
--- a/krb5-1.14.4-openssl11.patch
+++ /dev/null
@@ -1,1940 +0,0 @@
-diff -up krb5-1.14.4/src/configure.in.openssl11 krb5-1.14.4/src/configure.in
---- krb5-1.14.4/src/configure.in.openssl11 2016-09-29 18:02:15.298136450 +0200
-+++ krb5-1.14.4/src/configure.in 2016-09-29 23:30:52.337207353 +0200
-@@ -1080,8 +1080,8 @@ enable_pkinit=try)
- if test "$enable_pkinit" = yes || test "$enable_pkinit" = try; then
- AC_CACHE_CHECK(for a recent enough OpenSSL, k5_cv_openssl_version_okay,
- [AC_COMPILE_IFELSE([AC_LANG_SOURCE([#include <openssl/opensslv.h>
--#if OPENSSL_VERSION_NUMBER < 0x00908000L
--# error openssl is too old, need 0.9.8
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+# error openssl is too old, need 1.0.0
- #endif
- int i = 1;
- ])], k5_cv_openssl_version_okay=yes, k5_cv_openssl_version_okay=no)])
-diff -up krb5-1.14.4/src/lib/crypto/openssl/crypto_mod.h.openssl11 krb5-1.14.4/src/lib/crypto/openssl/crypto_mod.h
---- krb5-1.14.4/src/lib/crypto/openssl/crypto_mod.h.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/crypto_mod.h 2016-09-29 23:29:55.700877637 +0200
-@@ -33,9 +33,17 @@
- #ifndef CRYPTO_MOD_H
- #define CRYPTO_MOD_H
-
-+#include <openssl/crypto.h>
- #include <openssl/aes.h>
- #include <openssl/sha.h>
-
-+/* 1.1 standardizes constructor and destructor names, renaming
-+ * EVP_MD_CTX_create and EVP_MD_CTX_destroy. */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_MD_CTX_new EVP_MD_CTX_create
-+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-+#endif
-+
- #define aes_ctx AES_KEY
- #define krb5int_aes_enc_key(k, len, ctx) AES_set_encrypt_key(k, 8*(len), ctx)
- #define krb5int_aes_enc_blk(in, out, ctx) AES_encrypt(in, out, ctx)
-diff -up krb5-1.14.4/src/lib/crypto/openssl/enc_provider/aes.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/enc_provider/aes.c
---- krb5-1.14.4/src/lib/crypto/openssl/enc_provider/aes.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/enc_provider/aes.c 2016-09-29 23:29:55.700877637 +0200
-@@ -65,22 +65,27 @@ cbc_enc(krb5_key key, const krb5_data *i
- {
- int ret, olen = BLOCK_SIZE;
- unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- struct iov_cursor cursor;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-- ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ ret = EVP_EncryptInit_ex(ctx, map_mode(key->keyblock.length),
- NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (ret == 0)
-+ if (ret == 0) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
- k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
- k5_iov_cursor_get(&cursor, iblock);
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-+ ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
- if (ret == 1)
- k5_iov_cursor_put(&cursor, oblock);
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, BLOCK_SIZE);
- zap(oblock, BLOCK_SIZE);
-@@ -94,22 +99,27 @@ cbc_decr(krb5_key key, const krb5_data *
- {
- int ret = 0, olen = BLOCK_SIZE;
- unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- struct iov_cursor cursor;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-- ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ ret = EVP_DecryptInit_ex(ctx, map_mode(key->keyblock.length),
- NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (ret == 0)
-+ if (ret == 0) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
- k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
- k5_iov_cursor_get(&cursor, iblock);
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-+ ret = EVP_DecryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
- if (ret == 1)
- k5_iov_cursor_put(&cursor, oblock);
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, BLOCK_SIZE);
- zap(oblock, BLOCK_SIZE);
-diff -up krb5-1.14.4/src/lib/crypto/openssl/enc_provider/camellia.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/enc_provider/camellia.c
---- krb5-1.14.4/src/lib/crypto/openssl/enc_provider/camellia.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/enc_provider/camellia.c 2016-09-29 23:29:55.701877642 +0200
-@@ -89,22 +89,27 @@ cbc_enc(krb5_key key, const krb5_data *i
- {
- int ret, olen = BLOCK_SIZE;
- unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- struct iov_cursor cursor;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-- ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ ret = EVP_EncryptInit_ex(ctx, map_mode(key->keyblock.length),
- NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (ret == 0)
-+ if (ret == 0) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
- k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
- k5_iov_cursor_get(&cursor, iblock);
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-+ ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
- if (ret == 1)
- k5_iov_cursor_put(&cursor, oblock);
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, BLOCK_SIZE);
- zap(oblock, BLOCK_SIZE);
-@@ -118,22 +123,27 @@ cbc_decr(krb5_key key, const krb5_data *
- {
- int ret = 0, olen = BLOCK_SIZE;
- unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- struct iov_cursor cursor;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-- ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ ret = EVP_DecryptInit_ex(ctx, map_mode(key->keyblock.length),
- NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (ret == 0)
-+ if (ret == 0) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
- k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
- k5_iov_cursor_get(&cursor, iblock);
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-+ ret = EVP_DecryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
- if (ret == 1)
- k5_iov_cursor_put(&cursor, oblock);
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, BLOCK_SIZE);
- zap(oblock, BLOCK_SIZE);
-diff -up krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des.c
---- krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des.c 2016-09-29 23:29:55.701877642 +0200
-@@ -82,26 +82,29 @@ k5_des_encrypt(krb5_key key, const krb5_
- int ret, olen = DES_BLOCK_SIZE;
- unsigned char iblock[DES_BLOCK_SIZE], oblock[DES_BLOCK_SIZE];
- struct iov_cursor cursor;
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- krb5_boolean empty;
-
- ret = validate(key, ivec, data, num_data, &empty);
- if (ret != 0 || empty)
- return ret;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-
-- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-+ ret = EVP_EncryptInit_ex(ctx, EVP_des_cbc(), NULL,
- key->keyblock.contents, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL);
-- if (!ret)
-+ if (!ret) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-+ EVP_CIPHER_CTX_set_padding(ctx, 0);
-
- k5_iov_cursor_init(&cursor, data, num_data, DES_BLOCK_SIZE, FALSE);
- while (k5_iov_cursor_get(&cursor, iblock)) {
-- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen,
-- (unsigned char *)iblock, DES_BLOCK_SIZE);
-+ ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, DES_BLOCK_SIZE);
- if (!ret)
- break;
- k5_iov_cursor_put(&cursor, oblock);
-@@ -110,7 +113,7 @@ k5_des_encrypt(krb5_key key, const krb5_
- if (ivec != NULL)
- memcpy(ivec->data, oblock, DES_BLOCK_SIZE);
-
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, sizeof(iblock));
- zap(oblock, sizeof(oblock));
-@@ -127,27 +130,30 @@ k5_des_decrypt(krb5_key key, const krb5_
- int ret, olen = DES_BLOCK_SIZE;
- unsigned char iblock[DES_BLOCK_SIZE], oblock[DES_BLOCK_SIZE];
- struct iov_cursor cursor;
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- krb5_boolean empty;
-
- ret = validate(key, ivec, data, num_data, &empty);
- if (ret != 0 || empty)
- return ret;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-
-- ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-+ ret = EVP_DecryptInit_ex(ctx, EVP_des_cbc(), NULL,
- key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (!ret)
-+ if (!ret) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-
- k5_iov_cursor_init(&cursor, data, num_data, DES_BLOCK_SIZE, FALSE);
- while (k5_iov_cursor_get(&cursor, iblock)) {
-- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen,
-- iblock, DES_BLOCK_SIZE);
-+ ret = EVP_DecryptUpdate(ctx, oblock, &olen, iblock, DES_BLOCK_SIZE);
- if (!ret)
- break;
- k5_iov_cursor_put(&cursor, oblock);
-@@ -156,7 +162,7 @@ k5_des_decrypt(krb5_key key, const krb5_
- if (ivec != NULL)
- memcpy(ivec->data, iblock, DES_BLOCK_SIZE);
-
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, sizeof(iblock));
- zap(oblock, sizeof(oblock));
-diff -up krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des3.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des3.c
---- krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des3.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/enc_provider/des3.c 2016-09-29 23:29:55.701877642 +0200
-@@ -81,27 +81,30 @@ k5_des3_encrypt(krb5_key key, const krb5
- int ret, olen = DES3_BLOCK_SIZE;
- unsigned char iblock[DES3_BLOCK_SIZE], oblock[DES3_BLOCK_SIZE];
- struct iov_cursor cursor;
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- krb5_boolean empty;
-
- ret = validate(key, ivec, data, num_data, &empty);
- if (ret != 0 || empty)
- return ret;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-
-- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-+ ret = EVP_EncryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL,
- key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (!ret)
-+ if (!ret) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-
- k5_iov_cursor_init(&cursor, data, num_data, DES3_BLOCK_SIZE, FALSE);
- while (k5_iov_cursor_get(&cursor, iblock)) {
-- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen,
-- (unsigned char *)iblock, DES3_BLOCK_SIZE);
-+ ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, DES3_BLOCK_SIZE);
- if (!ret)
- break;
- k5_iov_cursor_put(&cursor, oblock);
-@@ -110,7 +113,7 @@ k5_des3_encrypt(krb5_key key, const krb5
- if (ivec != NULL)
- memcpy(ivec->data, oblock, DES3_BLOCK_SIZE);
-
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, sizeof(iblock));
- zap(oblock, sizeof(oblock));
-@@ -127,26 +130,30 @@ k5_des3_decrypt(krb5_key key, const krb5
- int ret, olen = DES3_BLOCK_SIZE;
- unsigned char iblock[DES3_BLOCK_SIZE], oblock[DES3_BLOCK_SIZE];
- struct iov_cursor cursor;
-- EVP_CIPHER_CTX ciph_ctx;
-+ EVP_CIPHER_CTX *ctx;
- krb5_boolean empty;
-
- ret = validate(key, ivec, data, num_data, &empty);
- if (ret != 0 || empty)
- return ret;
-
-- EVP_CIPHER_CTX_init(&ciph_ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-
-- ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-+ ret = EVP_DecryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL,
- key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
-- if (!ret)
-+ if (!ret) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-
-- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-+ EVP_CIPHER_CTX_set_padding(ctx,0);
-
- k5_iov_cursor_init(&cursor, data, num_data, DES3_BLOCK_SIZE, FALSE);
- while (k5_iov_cursor_get(&cursor, iblock)) {
-- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen,
-+ ret = EVP_DecryptUpdate(ctx, oblock, &olen,
- (unsigned char *)iblock, DES3_BLOCK_SIZE);
- if (!ret)
- break;
-@@ -156,7 +163,7 @@ k5_des3_decrypt(krb5_key key, const krb5
- if (ivec != NULL)
- memcpy(ivec->data, iblock, DES3_BLOCK_SIZE);
-
-- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- zap(iblock, sizeof(iblock));
- zap(oblock, sizeof(oblock));
-diff -up krb5-1.14.4/src/lib/crypto/openssl/enc_provider/rc4.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/enc_provider/rc4.c
---- krb5-1.14.4/src/lib/crypto/openssl/enc_provider/rc4.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/enc_provider/rc4.c 2016-09-29 23:29:55.702877648 +0200
-@@ -36,15 +36,14 @@
- #include <openssl/evp.h>
-
- /*
-- * The loopback field is NULL if ctx is uninitialized (no encrypt or decrypt
-- * operation has taken place), or a pointer to the structure address if ctx is
-- * initialized. If the application copies the state (not a valid operation,
-- * but one which happens to works with some other enc providers), we can detect
-- * it via the loopback field and return a sane error code.
-+ * The loopback field is a pointer to the structure. If the application copies
-+ * the state (not a valid operation, but one which happens to works with some
-+ * other enc providers), we can detect it via the loopback field and return a
-+ * sane error code.
- */
- struct arcfour_state {
- struct arcfour_state *loopback;
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- };
-
- #define RC4_KEY_SIZE 16
-@@ -64,26 +63,30 @@ k5_arcfour_docrypt(krb5_key key,const kr
- size_t i;
- int ret = 1, tmp_len = 0;
- krb5_crypto_iov *iov = NULL;
-- EVP_CIPHER_CTX ciph_ctx, *ctx;
-+ EVP_CIPHER_CTX *ctx = NULL;
- struct arcfour_state *arcstate;
-- krb5_boolean do_init = TRUE;
-
- arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL;
- if (arcstate != NULL) {
-- ctx = &arcstate->ctx;
-- if (arcstate->loopback == arcstate)
-- do_init = FALSE;
-- else if (arcstate->loopback != NULL)
-+ ctx = arcstate->ctx;
-+ if (arcstate->loopback != arcstate)
- return KRB5_CRYPTO_INTERNAL;
-- } else {
-- ctx = &ciph_ctx;
- }
-- if (do_init) {
-- EVP_CIPHER_CTX_init(ctx);
-+
-+ if (ctx == NULL) {
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
- ret = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, key->keyblock.contents,
- NULL);
-- if (!ret)
-+ if (!ret) {
-+ EVP_CIPHER_CTX_free(ctx);
- return KRB5_CRYPTO_INTERNAL;
-+ }
-+
-+ if (arcstate != NULL)
-+ arcstate->ctx = ctx;
- }
-
- for (i = 0; i < num_data; i++) {
-@@ -98,10 +101,8 @@ k5_arcfour_docrypt(krb5_key key,const kr
- }
- }
-
-- if (arcstate) /* Context is saved; mark as initialized. */
-- arcstate->loopback = arcstate;
-- else /* Context is not saved; clean it up now. */
-- EVP_CIPHER_CTX_cleanup(ctx);
-+ if (arcstate == NULL)
-+ EVP_CIPHER_CTX_free(ctx);
-
- if (!ret)
- return KRB5_CRYPTO_INTERNAL;
-@@ -114,9 +115,7 @@ k5_arcfour_free_state(krb5_data *state)
- {
- struct arcfour_state *arcstate = (struct arcfour_state *) state->data;
-
-- /* Clean up the OpenSSL context if it was initialized. */
-- if (arcstate && arcstate->loopback == arcstate)
-- EVP_CIPHER_CTX_cleanup(&arcstate->ctx);
-+ EVP_CIPHER_CTX_free(arcstate->ctx);
- free(arcstate);
- }
-
-@@ -130,7 +129,8 @@ k5_arcfour_init_state(const krb5_keybloc
- arcstate = calloc(1, sizeof(*arcstate));
- if (arcstate == NULL)
- return ENOMEM;
-- arcstate->loopback = NULL;
-+ arcstate->loopback = arcstate;
-+ arcstate->ctx = NULL;
- new_state->data = (char *) arcstate;
- new_state->length = sizeof(*arcstate);
- return 0;
-diff -up krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md4.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md4.c
---- krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md4.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md4.c 2016-09-29 23:29:55.702877648 +0200
-@@ -32,21 +32,24 @@
- static krb5_error_code
- k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
- {
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- unsigned int i;
-
- if (output->length != MD4_DIGEST_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
-- EVP_MD_CTX_init(&ctx);
-- EVP_DigestInit_ex(&ctx, EVP_md4(), NULL);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
- for (i = 0; i < num_data; i++) {
- const krb5_data *d = &data[i].data;
- if (SIGN_IOV(&data[i]))
-- EVP_DigestUpdate(&ctx, (unsigned char *)d->data, d->length);
-+ EVP_DigestUpdate(ctx, (uint8_t *)d->data, d->length);
- }
-- EVP_DigestFinal_ex(&ctx, (unsigned char *)output->data, NULL);
-- EVP_MD_CTX_cleanup(&ctx);
-+ EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL);
-+ EVP_MD_CTX_free(ctx);
- return 0;
- }
-
-diff -up krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md5.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md5.c
---- krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md5.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_md5.c 2016-09-29 23:29:55.702877648 +0200
-@@ -32,21 +32,24 @@
- static krb5_error_code
- k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
- {
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- unsigned int i;
-
- if (output->length != MD5_DIGEST_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
-- EVP_MD_CTX_init(&ctx);
-- EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
- for (i = 0; i < num_data; i++) {
- const krb5_data *d = &data[i].data;
- if (SIGN_IOV(&data[i]))
-- EVP_DigestUpdate(&ctx, (unsigned char *)d->data, d->length);
-+ EVP_DigestUpdate(ctx, (uint8_t *)d->data, d->length);
- }
-- EVP_DigestFinal_ex(&ctx, (unsigned char *)output->data, NULL);
-- EVP_MD_CTX_cleanup(&ctx);
-+ EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL);
-+ EVP_MD_CTX_free(ctx);
- return 0;
- }
-
-diff -up krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_sha1.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_sha1.c
---- krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_sha1.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/hash_provider/hash_sha1.c 2016-09-29 23:29:55.702877648 +0200
-@@ -33,21 +33,24 @@
- static krb5_error_code
- k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
- {
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- unsigned int i;
-
- if (output->length != SHA_DIGEST_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
-- EVP_MD_CTX_init(&ctx);
-- EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
- for (i = 0; i < num_data; i++) {
- const krb5_data *d = &data[i].data;
- if (SIGN_IOV(&data[i]))
-- EVP_DigestUpdate(&ctx, (unsigned char *)d->data, d->length);
-+ EVP_DigestUpdate(ctx, (uint8_t *)d->data, d->length);
- }
-- EVP_DigestFinal_ex(&ctx, (unsigned char *)output->data, NULL);
-- EVP_MD_CTX_cleanup(&ctx);
-+ EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL);
-+ EVP_MD_CTX_free(ctx);
- return 0;
- }
-
-diff -up krb5-1.14.4/src/lib/crypto/openssl/hmac.c.openssl11 krb5-1.14.4/src/lib/crypto/openssl/hmac.c
---- krb5-1.14.4/src/lib/crypto/openssl/hmac.c.openssl11 2016-09-13 21:59:44.000000000 +0200
-+++ krb5-1.14.4/src/lib/crypto/openssl/hmac.c 2016-09-29 23:29:55.702877648 +0200
-@@ -55,6 +55,33 @@
- #include <openssl/hmac.h>
- #include <openssl/evp.h>
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+/* OpenSSL 1.1 makes HMAC_CTX opaque, while 1.0 does not have pointer
-+ * constructors or destructors. */
-+
-+#define HMAC_CTX_new compat_hmac_ctx_new
-+static HMAC_CTX *
-+compat_hmac_ctx_new()
-+{
-+ HMAC_CTX *ctx;
-+
-+ ctx = calloc(1, sizeof(*ctx));
-+ if (ctx != NULL)
-+ HMAC_CTX_init(ctx);
-+ return ctx;
-+}
-+
-+#define HMAC_CTX_free compat_hmac_ctx_free
-+static void
-+compat_hmac_ctx_free(HMAC_CTX *ctx)
-+{
-+ HMAC_CTX_cleanup(ctx);
-+ free(ctx);
-+}
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
- /*
- * the HMAC transform looks like:
- *
-@@ -88,7 +115,7 @@ krb5int_hmac_keyblock(const struct krb5_
- {
- unsigned int i = 0, md_len = 0;
- unsigned char md[EVP_MAX_MD_SIZE];
-- HMAC_CTX c;
-+ HMAC_CTX *ctx;
- size_t hashsize, blocksize;
-
- hashsize = hash->hashsize;
-@@ -102,20 +129,23 @@ krb5int_hmac_keyblock(const struct krb5_
- if (!map_digest(hash))
- return(KRB5_CRYPTO_INTERNAL); // unsupported alg
-
-- HMAC_CTX_init(&c);
-- HMAC_Init(&c, keyblock->contents, keyblock->length, map_digest(hash));
-+ ctx = HMAC_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+
-+ HMAC_Init(ctx, keyblock->contents, keyblock->length, map_digest(hash));
- for (i = 0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
- if (SIGN_IOV(iov))
-- HMAC_Update(&c, (unsigned char*) iov->data.data, iov->data.length);
-+ HMAC_Update(ctx, (uint8_t *)iov->data.data, iov->data.length);
- }
-- HMAC_Final(&c,(unsigned char *)md, &md_len);
-+ HMAC_Final(ctx, md, &md_len);
- if ( md_len <= output->length) {
- output->length = md_len;
- memcpy(output->data, md, output->length);
- }
-- HMAC_CTX_cleanup(&c);
-+ HMAC_CTX_free(ctx);
- return 0;
-
-
-diff -up krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.openssl11 krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
---- krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.openssl11 2016-09-13 21:59:45.000000000 +0200
-+++ krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2016-09-30 00:46:51.987555455 +0200
-@@ -49,9 +49,8 @@ static krb5_error_code pkinit_init_pkcs1
- static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx);
-
- static krb5_error_code pkinit_encode_dh_params
--(BIGNUM *, BIGNUM *, BIGNUM *, unsigned char **, unsigned int *);
--static DH *pkinit_decode_dh_params
--(DH **, unsigned char **, unsigned int );
-+(const BIGNUM *, const BIGNUM *, const BIGNUM *, uint8_t **, unsigned int *);
-+static DH *decode_dh_params(const uint8_t *, unsigned int );
- static int pkinit_check_dh_params(DH *dh1, DH *dh2);
-
- static krb5_error_code pkinit_sign_data
-@@ -65,12 +64,12 @@ static krb5_error_code create_signature
-
- static krb5_error_code pkinit_decode_data
- (krb5_context context, pkinit_identity_crypto_context cryptoctx,
-- unsigned char *data, unsigned int data_len,
-- unsigned char **decoded, unsigned int *decoded_len);
-+ const uint8_t *data, unsigned int data_len, uint8_t **decoded,
-+ unsigned int *decoded_len);
-
- static krb5_error_code decode_data
--(unsigned char **, unsigned int *, unsigned char *, unsigned int,
-- EVP_PKEY *pkey, X509 *cert);
-+(uint8_t **, unsigned int *, const uint8_t *, unsigned int, EVP_PKEY *pkey,
-+ X509 *cert);
-
- #ifdef DEBUG_DH
- static void print_dh(DH *, char *);
-@@ -78,8 +77,7 @@ static void print_pubkey(BIGNUM *, char
- #endif
-
- static int prepare_enc_data
--(unsigned char *indata, int indata_len, unsigned char **outdata,
-- int *outdata_len);
-+(const uint8_t *indata, int indata_len, uint8_t **outdata, int *outdata_len);
-
- static int openssl_callback (int, X509_STORE_CTX *);
- static int openssl_callback_ignore_crls (int, X509_STORE_CTX *);
-@@ -125,8 +123,8 @@ static krb5_error_code pkinit_sign_data_
- unsigned char **sig, unsigned int *sig_len);
- static krb5_error_code pkinit_decode_data_pkcs11
- (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
-- unsigned char *data, unsigned int data_len,
-- unsigned char **decoded_data, unsigned int *decoded_data_len);
-+ const uint8_t *data, unsigned int data_len, uint8_t **decoded_data,
-+ unsigned int *decoded_data_len);
- #endif /* WITHOUT_PKCS11 */
-
- static krb5_error_code pkinit_sign_data_fs
-@@ -135,8 +133,8 @@ static krb5_error_code pkinit_sign_data_
- unsigned char **sig, unsigned int *sig_len);
- static krb5_error_code pkinit_decode_data_fs
- (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
-- unsigned char *data, unsigned int data_len,
-- unsigned char **decoded_data, unsigned int *decoded_data_len);
-+ const uint8_t *data, unsigned int data_len, uint8_t **decoded_data,
-+ unsigned int *decoded_data_len);
-
- static krb5_error_code
- create_krb5_invalidCertificates(krb5_context context,
-@@ -193,6 +191,66 @@ pkinit_pkcs11_code_to_text(int err);
- (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+/* 1.1 standardizes constructor and destructor names, renaming
-+ * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
-+
-+#define EVP_MD_CTX_new EVP_MD_CTX_create
-+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-+#define ASN1_STRING_get0_data ASN1_STRING_data
-+
-+/* 1.1 makes many handle types opaque and adds accessors. Add compatibility
-+ * versions of the new accessors we use for pre-1.1. */
-+
-+#define OBJ_get0_data(o) ((o)->data)
-+#define OBJ_length(o) ((o)->length)
-+
-+#define DH_set0_pqg compat_dh_set0_pqg
-+static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* The real function frees the old values and does argument checking, but
-+ * our code doesn't need that. */
-+ dh->p = p;
-+ dh->q = q;
-+ dh->g = g;
-+ return 1;
-+}
-+
-+#define DH_get0_pqg compat_dh_get0_pqg
-+static void compat_dh_get0_pqg(const DH *dh, const BIGNUM **p,
-+ const BIGNUM **q, const BIGNUM **g)
-+{
-+ if (p != NULL)
-+ *p = dh->p;
-+ if (q != NULL)
-+ *q = dh->q;
-+ if (g != NULL)
-+ *g = dh->g;
-+}
-+
-+#define DH_get0_key compat_dh_get0_key
-+static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
-+ const BIGNUM **priv)
-+{
-+ if (pub != NULL)
-+ *pub = dh->pub_key;
-+ if (priv != NULL)
-+ *priv = dh->priv_key;
-+}
-+
-+/* Return true if the cert c includes a key usage which doesn't include u.
-+ * Define using direct member access for pre-1.1. */
-+#define ku_reject(c, u) \
-+ (((c)->ex_flags & EXFLAG_KUSAGE) && !((c)->ex_kusage & (u)))
-+
-+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
-+
-+/* Return true if the cert x includes a key usage which doesn't include u. */
-+#define ku_reject(c, u) (!(X509_get_key_usage(c) & (u)))
-+
-+#endif
-+
- static struct pkcs11_errstrings {
- short code;
- char *text;
-@@ -286,7 +344,7 @@ static struct pkcs11_errstrings {
- };
-
- /* DH parameters */
--unsigned char pkinit_1024_dhprime[128] = {
-+static uint8_t oakley_1024[128] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
-@@ -305,7 +363,7 @@ unsigned char pkinit_1024_dhprime[128] =
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
- };
-
--unsigned char pkinit_2048_dhprime[2048/8] = {
-+static uint8_t oakley_2048[2048/8] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
-@@ -340,7 +398,7 @@ unsigned char pkinit_2048_dhprime[2048/8
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
- };
-
--unsigned char pkinit_4096_dhprime[4096/8] = {
-+static uint8_t oakley_4096[4096/8] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
-@@ -802,43 +860,56 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypt
- ASN1_OBJECT_free(ctx->id_kp_serverAuth);
- }
-
-+/* Construct an OpenSSL DH object for an Oakley group. */
-+static DH *
-+make_oakley_dh(uint8_t *prime, size_t len)
-+{
-+ DH *dh = NULL;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
-+
-+ p = BN_bin2bn(prime, len, NULL);
-+ if (p == NULL)
-+ goto cleanup;
-+ q = BN_new();
-+ if (q == NULL)
-+ goto cleanup;
-+ if (!BN_rshift1(q, p))
-+ goto cleanup;
-+ g = BN_new();
-+ if (g == NULL)
-+ goto cleanup;
-+ if (!BN_set_word(g, DH_GENERATOR_2))
-+ goto cleanup;
-+
-+ dh = DH_new();
-+ if (dh == NULL)
-+ goto cleanup;
-+ DH_set0_pqg(dh, p, q, g);
-+ p = g = q = NULL;
-+
-+cleanup:
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ return dh;
-+}
-+
- static krb5_error_code
- pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)
- {
- krb5_error_code retval = ENOMEM;
-
-- plgctx->dh_1024 = DH_new();
-+ plgctx->dh_1024 = make_oakley_dh(oakley_1024, sizeof(oakley_1024));
- if (plgctx->dh_1024 == NULL)
- goto cleanup;
-- plgctx->dh_1024->p = BN_bin2bn(pkinit_1024_dhprime,
-- sizeof(pkinit_1024_dhprime), NULL);
-- if ((plgctx->dh_1024->g = BN_new()) == NULL ||
-- (plgctx->dh_1024->q = BN_new()) == NULL)
-- goto cleanup;
-- BN_set_word(plgctx->dh_1024->g, DH_GENERATOR_2);
-- BN_rshift1(plgctx->dh_1024->q, plgctx->dh_1024->p);
-
-- plgctx->dh_2048 = DH_new();
-+ plgctx->dh_2048 = make_oakley_dh(oakley_2048, sizeof(oakley_2048));
- if (plgctx->dh_2048 == NULL)
- goto cleanup;
-- plgctx->dh_2048->p = BN_bin2bn(pkinit_2048_dhprime,
-- sizeof(pkinit_2048_dhprime), NULL);
-- if ((plgctx->dh_2048->g = BN_new()) == NULL ||
-- (plgctx->dh_2048->q = BN_new()) == NULL)
-- goto cleanup;
-- BN_set_word(plgctx->dh_2048->g, DH_GENERATOR_2);
-- BN_rshift1(plgctx->dh_2048->q, plgctx->dh_2048->p);
-
-- plgctx->dh_4096 = DH_new();
-+ plgctx->dh_4096 = make_oakley_dh(oakley_4096, sizeof(oakley_4096));
- if (plgctx->dh_4096 == NULL)
- goto cleanup;
-- plgctx->dh_4096->p = BN_bin2bn(pkinit_4096_dhprime,
-- sizeof(pkinit_4096_dhprime), NULL);
-- if ((plgctx->dh_4096->g = BN_new()) == NULL ||
-- (plgctx->dh_4096->q = BN_new()) == NULL)
-- goto cleanup;
-- BN_set_word(plgctx->dh_4096->g, DH_GENERATOR_2);
-- BN_rshift1(plgctx->dh_4096->q, plgctx->dh_4096->p);
-
- retval = 0;
-
-@@ -1072,7 +1143,7 @@ cms_signeddata_create(krb5_context conte
- unsigned char *p;
- STACK_OF(X509) * cert_stack = NULL;
- ASN1_OCTET_STRING *digest_attr = NULL;
-- EVP_MD_CTX ctx, ctx2;
-+ EVP_MD_CTX *ctx;
- const EVP_MD *md_tmp = NULL;
- unsigned char md_data[EVP_MAX_MD_SIZE], md_data2[EVP_MAX_MD_SIZE];
- unsigned char *digestInfo_buf = NULL, *abuf = NULL;
-@@ -1115,7 +1186,7 @@ cms_signeddata_create(krb5_context conte
- } else {
- /* create a cert chain */
- X509_STORE *certstore = NULL;
-- X509_STORE_CTX certctx;
-+ X509_STORE_CTX *certctx;
- STACK_OF(X509) *certstack = NULL;
- char buf[DN_BUF_LEN];
- unsigned int i = 0, size = 0;
-@@ -1123,16 +1194,19 @@ cms_signeddata_create(krb5_context conte
- if ((certstore = X509_STORE_new()) == NULL)
- goto cleanup;
- pkiDebug("building certificate chain\n");
-- X509_STORE_set_verify_cb_func(certstore, openssl_callback);
-- X509_STORE_CTX_init(&certctx, certstore, cert,
-+ X509_STORE_set_verify_cb(certstore, openssl_callback);
-+ certctx = X509_STORE_CTX_new();
-+ if (certctx == NULL)
-+ goto cleanup;
-+ X509_STORE_CTX_init(certctx, certstore, cert,
- id_cryptoctx->intermediateCAs);
-- X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
-- if (!X509_verify_cert(&certctx)) {
-- retval = oerr_cert(context, 0, &certctx,
-+ X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs);
-+ if (!X509_verify_cert(certctx)) {
-+ retval = oerr_cert(context, 0, certctx,
- _("Failed to verify own certificate"));
- goto cleanup;
- }
-- certstack = X509_STORE_CTX_get1_chain(&certctx);
-+ certstack = X509_STORE_CTX_get1_chain(certctx);
- size = sk_X509_num(certstack);
- pkiDebug("size of certificate chain = %d\n", size);
- for(i = 0; i < size - 1; i++) {
-@@ -1141,7 +1215,7 @@ cms_signeddata_create(krb5_context conte
- pkiDebug("cert #%d: %s\n", i, buf);
- sk_X509_push(cert_stack, X509_dup(x));
- }
-- X509_STORE_CTX_cleanup(&certctx);
-+ X509_STORE_CTX_free(certctx);
- X509_STORE_free(certstore);
- sk_X509_pop_free(certstack, X509_free);
- }
-@@ -1157,9 +1231,9 @@ cms_signeddata_create(krb5_context conte
- goto cleanup;
- /* because ASN1_INTEGER_set is used to set a 'long' we will do
- * things the ugly way. */
-- M_ASN1_INTEGER_free(p7si->issuer_and_serial->serial);
-+ ASN1_INTEGER_free(p7si->issuer_and_serial->serial);
- if (!(p7si->issuer_and_serial->serial =
-- M_ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
-+ ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
- goto cleanup;
-
- /* will not fill-out EVP_PKEY because it's on the smartcard */
-@@ -1188,11 +1262,14 @@ cms_signeddata_create(krb5_context conte
- } else {
- /* add signed attributes */
- /* compute sha1 digest over the EncapsulatedContentInfo */
-- EVP_MD_CTX_init(&ctx);
-- EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
-- EVP_DigestUpdate(&ctx, data, data_len);
-- md_tmp = EVP_MD_CTX_md(&ctx);
-- EVP_DigestFinal_ex(&ctx, md_data, &md_len);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ goto cleanup;
-+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
-+ EVP_DigestUpdate(ctx, data, data_len);
-+ md_tmp = EVP_MD_CTX_md(ctx);
-+ EVP_DigestFinal_ex(ctx, md_data, &md_len);
-+ EVP_MD_CTX_free(ctx);
-
- /* create a message digest attr */
- digest_attr = ASN1_OCTET_STRING_new();
-@@ -1227,14 +1304,17 @@ cms_signeddata_create(krb5_context conte
- if (id_cryptoctx->pkcs11_method == 1 &&
- id_cryptoctx->mech == CKM_RSA_PKCS) {
- pkiDebug("mech = CKM_RSA_PKCS\n");
-- EVP_MD_CTX_init(&ctx2);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ goto cleanup;
- /* if this is not draft9 request, include digest signed attribute */
- if (cms_msg_type != CMS_SIGN_DRAFT9)
-- EVP_DigestInit_ex(&ctx2, md_tmp, NULL);
-+ EVP_DigestInit_ex(ctx, md_tmp, NULL);
- else
-- EVP_DigestInit_ex(&ctx2, EVP_sha1(), NULL);
-- EVP_DigestUpdate(&ctx2, abuf, alen);
-- EVP_DigestFinal_ex(&ctx2, md_data2, &md_len2);
-+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
-+ EVP_DigestUpdate(ctx, abuf, alen);
-+ EVP_DigestFinal_ex(ctx, md_data2, &md_len2);
-+ EVP_MD_CTX_free(ctx);
-
- alg = X509_ALGOR_new();
- if (alg == NULL)
-@@ -1339,11 +1419,9 @@ cms_signeddata_create(krb5_context conte
- cleanup2:
- if (p7si) {
- if (cms_msg_type != CMS_SIGN_DRAFT9)
-- EVP_MD_CTX_cleanup(&ctx);
- #ifndef WITHOUT_PKCS11
- if (id_cryptoctx->pkcs11_method == 1 &&
- id_cryptoctx->mech == CKM_RSA_PKCS) {
-- EVP_MD_CTX_cleanup(&ctx2);
- free(digest_buf);
- free(digestInfo_buf);
- free(alg_buf);
-@@ -1396,7 +1474,7 @@ cms_signeddata_verify(krb5_context conte
- CMS_SignerInfo *si = NULL;
- X509 *x = NULL;
- X509_STORE *store = NULL;
-- X509_STORE_CTX cert_ctx;
-+ X509_STORE_CTX *cert_ctx;
- STACK_OF(X509) *signerCerts = NULL;
- STACK_OF(X509) *intermediateCAs = NULL;
- STACK_OF(X509_CRL) *signerRevoked = NULL;
-@@ -1450,8 +1528,7 @@ cms_signeddata_verify(krb5_context conte
- retval = ENOMEM;
- goto cleanup;
- }
-- memcpy(d, ASN1_STRING_data(*octets),
-- *data_len);
-+ memcpy(d, ASN1_STRING_get0_data(*octets), *data_len);
- *data = d;
- goto out;
- } else {
-@@ -1471,9 +1548,9 @@ cms_signeddata_verify(krb5_context conte
- /* check if we are inforcing CRL checking */
- vflags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
- if (require_crl_checking)
-- X509_STORE_set_verify_cb_func(store, openssl_callback);
-+ X509_STORE_set_verify_cb(store, openssl_callback);
- else
-- X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
-+ X509_STORE_set_verify_cb(store, openssl_callback_ignore_crls);
- X509_STORE_set_flags(store, vflags);
-
- /*
-@@ -1544,14 +1621,17 @@ cms_signeddata_verify(krb5_context conte
- /* initialize x509 context with the received certificate and
- * trusted and intermediate CA chains and CRLs
- */
-- if (!X509_STORE_CTX_init(&cert_ctx, store, x, intermediateCAs))
-+ cert_ctx = X509_STORE_CTX_new();
-+ if (cert_ctx == NULL)
-+ goto cleanup;
-+ if (!X509_STORE_CTX_init(cert_ctx, store, x, intermediateCAs))
- goto cleanup;
-
-- X509_STORE_CTX_set0_crls(&cert_ctx, revoked);
-+ X509_STORE_CTX_set0_crls(cert_ctx, revoked);
-
- /* add trusted CAs certificates for cert verification */
- if (idctx->trustedCAs != NULL)
-- X509_STORE_CTX_trusted_stack(&cert_ctx, idctx->trustedCAs);
-+ X509_STORE_CTX_trusted_stack(cert_ctx, idctx->trustedCAs);
- else {
- pkiDebug("unable to find any trusted CAs\n");
- goto cleanup;
-@@ -1586,11 +1666,13 @@ cms_signeddata_verify(krb5_context conte
- }
- #endif
-
-- i = X509_verify_cert(&cert_ctx);
-+ i = X509_verify_cert(cert_ctx);
- if (i <= 0) {
-- int j = X509_STORE_CTX_get_error(&cert_ctx);
-+ int j = X509_STORE_CTX_get_error(cert_ctx);
-+ X509 *cert;
-
-- reqctx->received_cert = X509_dup(cert_ctx.current_cert);
-+ cert = X509_STORE_CTX_get_current_cert(cert_ctx);
-+ reqctx->received_cert = X509_dup(cert);
- switch(j) {
- case X509_V_ERR_CERT_REVOKED:
- retval = KRB5KDC_ERR_REVOKED_CERTIFICATE;
-@@ -1605,7 +1687,7 @@ cms_signeddata_verify(krb5_context conte
- default:
- retval = KRB5KDC_ERR_INVALID_CERTIFICATE;
- }
-- (void)oerr_cert(context, retval, &cert_ctx,
-+ (void)oerr_cert(context, retval, cert_ctx,
- _("Failed to verify received certificate"));
- if (reqctx->received_cert == NULL)
- strlcpy(buf, "(none)", sizeof(buf));
-@@ -1626,9 +1708,9 @@ cms_signeddata_verify(krb5_context conte
- } else {
- /* retrieve verified certificate chain */
- if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9)
-- verified_chain = X509_STORE_CTX_get1_chain(&cert_ctx);
-+ verified_chain = X509_STORE_CTX_get1_chain(cert_ctx);
- }
-- X509_STORE_CTX_cleanup(&cert_ctx);
-+ X509_STORE_CTX_free(cert_ctx);
- if (i <= 0)
- goto cleanup;
- out = BIO_new(BIO_s_mem());
-@@ -1670,8 +1752,7 @@ cms_signeddata_verify(krb5_context conte
- pkiDebug("CMS Verification successful\n");
- else {
- pkiDebug("wrong oid in eContentType\n");
-- print_buffer(etype->data,
-- (unsigned int)etype->length);
-+ print_buffer(OBJ_get0_data(etype), OBJ_length(etype));
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, retval, "wrong oid\n");
- goto cleanup;
-@@ -2442,6 +2523,7 @@ pkinit_alg_agility_kdf(krb5_context cont
- krb5_data *other_info = NULL;
- krb5_data *supp_pub_info = NULL;
- krb5_algorithm_identifier alg_id;
-+ EVP_MD_CTX *ctx = NULL;
- const EVP_MD *(*EVP_func)(void);
-
- /* initialize random_data here to make clean-up safe */
-@@ -2512,23 +2594,26 @@ pkinit_alg_agility_kdf(krb5_context cont
- * - Increment counter (modulo 2^32)
- */
- for (counter = 1; counter <= reps; counter++) {
-- EVP_MD_CTX c;
- uint s = 0;
- uint32_t be_counter = htonl(counter);
-
-- EVP_MD_CTX_init(&c);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL) {
-+ retval = KRB5_CRYPTO_INTERNAL;
-+ goto cleanup;
-+ }
-
- /* - Compute Hashi = H(counter || Z || OtherInfo). */
-- if (0 == EVP_DigestInit(&c, EVP_func())) {
-+ if (!EVP_DigestInit(ctx, EVP_func())) {
- krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
- "Call to OpenSSL EVP_DigestInit() returned an error.");
- retval = KRB5_CRYPTO_INTERNAL;
- goto cleanup;
- }
-
-- if ((0 == EVP_DigestUpdate(&c, &be_counter, 4)) ||
-- (0 == EVP_DigestUpdate(&c, secret->data, secret->length)) ||
-- (0 == EVP_DigestUpdate(&c, other_info->data, other_info->length))) {
-+ if (!EVP_DigestUpdate(ctx, &be_counter, 4) ||
-+ !EVP_DigestUpdate(ctx, secret->data, secret->length) ||
-+ !EVP_DigestUpdate(ctx, other_info->data, other_info->length)) {
- krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
- "Call to OpenSSL EVP_DigestUpdate() returned an error.");
- retval = KRB5_CRYPTO_INTERNAL;
-@@ -2536,7 +2621,7 @@ pkinit_alg_agility_kdf(krb5_context cont
- }
-
- /* 4. Set key = Hash1 || Hash2 || ... so that length of key is K bytes. */
-- if (0 == EVP_DigestFinal(&c, (unsigned char *)(random_data.data + offset), &s)) {
-+ if (!EVP_DigestFinal(ctx, (uint8_t *)random_data.data + offset, &s)) {
- krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
- "Call to OpenSSL EVP_DigestUpdate() returned an error.");
- retval = KRB5_CRYPTO_INTERNAL;
-@@ -2545,13 +2630,16 @@ pkinit_alg_agility_kdf(krb5_context cont
- offset += s;
- assert(s == hash_len);
-
-- EVP_MD_CTX_cleanup(&c);
-+ EVP_MD_CTX_free(ctx);
-+ ctx = NULL;
- }
-
- retval = krb5_c_random_to_key(context, enctype, &random_data,
- key_block);
-
- cleanup:
-+ EVP_MD_CTX_free(ctx);
-+
- /* If this has been an error, free the allocated key_block, if any */
- if (retval) {
- krb5_free_keyblock_contents(context, key_block);
-@@ -2597,38 +2685,22 @@ client_create_dh(krb5_context context,
- unsigned char *buf = NULL;
- int dh_err = 0;
- ASN1_INTEGER *pub_key = NULL;
-+ const BIGNUM *pubkey_bn, *p, *q, *g;
-
- if (cryptoctx->dh == NULL) {
-- if ((cryptoctx->dh = DH_new()) == NULL)
-- goto cleanup;
-- if ((cryptoctx->dh->g = BN_new()) == NULL ||
-- (cryptoctx->dh->q = BN_new()) == NULL)
-- goto cleanup;
--
-- switch(dh_size) {
-- case 1024:
-- pkiDebug("client uses 1024 DH keys\n");
-- cryptoctx->dh->p = get_rfc2409_prime_1024(NULL);
-- break;
-- case 2048:
-- pkiDebug("client uses 2048 DH keys\n");
-- cryptoctx->dh->p = BN_bin2bn(pkinit_2048_dhprime,
-- sizeof(pkinit_2048_dhprime), NULL);
-- break;
-- case 4096:
-- pkiDebug("client uses 4096 DH keys\n");
-- cryptoctx->dh->p = BN_bin2bn(pkinit_4096_dhprime,
-- sizeof(pkinit_4096_dhprime), NULL);
-- break;
-- default:
-+ if (dh_size == 1024)
-+ cryptoctx->dh = make_oakley_dh(oakley_1024, sizeof(oakley_1024));
-+ else if (dh_size == 2048)
-+ cryptoctx->dh = make_oakley_dh(oakley_2048, sizeof(oakley_2048));
-+ else if (dh_size == 4096)
-+ cryptoctx->dh = make_oakley_dh(oakley_4096, sizeof(oakley_4096));
-+ if (cryptoctx->dh == NULL)
- goto cleanup;
-- }
--
-- BN_set_word((cryptoctx->dh->g), DH_GENERATOR_2);
-- BN_rshift1(cryptoctx->dh->q, cryptoctx->dh->p);
- }
-
- DH_generate_key(cryptoctx->dh);
-+ DH_get0_key(cryptoctx->dh, &pubkey_bn, NULL);
-+
- DH_check(cryptoctx->dh, &dh_err);
- if (dh_err != 0) {
- pkiDebug("Warning: dh_check failed with %d\n", dh_err);
-@@ -2646,7 +2718,7 @@ client_create_dh(krb5_context context,
- print_pubkey(cryptoctx->dh->pub_key, "client's pub_key=");
- #endif
-
-- DH_check_pub_key(cryptoctx->dh, cryptoctx->dh->pub_key, &dh_err);
-+ DH_check_pub_key(cryptoctx->dh, pubkey_bn, &dh_err);
- if (dh_err != 0) {
- pkiDebug("dh_check_pub_key failed with %d\n", dh_err);
- goto cleanup;
-@@ -2656,8 +2728,8 @@ client_create_dh(krb5_context context,
- /* aglo: usually we could just call i2d_DHparams to encode DH params
- * however, PKINIT requires RFC3279 encoding and openssl does pkcs#3.
- */
-- retval = pkinit_encode_dh_params(cryptoctx->dh->p, cryptoctx->dh->g,
-- cryptoctx->dh->q, dh_params, dh_params_len);
-+ DH_get0_pqg(cryptoctx->dh, &p, &q, &g);
-+ retval = pkinit_encode_dh_params(p, g, q, dh_params, dh_params_len);
- if (retval)
- goto cleanup;
-
-@@ -2667,8 +2739,11 @@ client_create_dh(krb5_context context,
- * subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo
- * data element
- */
-- if ((pub_key = BN_to_ASN1_INTEGER(cryptoctx->dh->pub_key, NULL)) == NULL)
-+ pub_key = BN_to_ASN1_INTEGER(pubkey_bn, NULL);
-+ if (pub_key == NULL) {
-+ retval = ENOMEM;
- goto cleanup;
-+ }
- *dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL);
- if ((buf = *dh_pubkey = malloc(*dh_pubkey_len)) == NULL) {
- retval = ENOMEM;
-@@ -2786,20 +2861,19 @@ server_check_dh(krb5_context context,
- int minbits)
- {
- DH *dh = NULL;
-- unsigned char *tmp = NULL;
-+ const BIGNUM *p;
- int dh_prime_bits;
- krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
-
-- tmp = (unsigned char *)dh_params->data;
-- dh = DH_new();
-- dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length);
-+ dh = decode_dh_params((uint8_t *)dh_params->data, dh_params->length);
- if (dh == NULL) {
- pkiDebug("failed to decode dhparams\n");
- goto cleanup;
- }
-
- /* KDC SHOULD check to see if the key parameters satisfy its policy */
-- dh_prime_bits = BN_num_bits(dh->p);
-+ DH_get0_pqg(dh, &p, NULL, NULL);
-+ dh_prime_bits = BN_num_bits(p);
- if (minbits && dh_prime_bits < minbits) {
- pkiDebug("client sent dh params with %d bits, we require %d\n",
- dh_prime_bits, minbits);
-@@ -2818,6 +2892,30 @@ cleanup:
- return retval;
- }
-
-+/* Duplicate a DH handle (parameters only, not public or private key). */
-+static DH *
-+dup_dh_params(const DH *src)
-+{
-+ const BIGNUM *oldp, *oldq, *oldg;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
-+ DH *dh;
-+
-+ DH_get0_pqg(src, &oldp, &oldq, &oldg);
-+ p = BN_dup(oldp);
-+ q = BN_dup(oldq);
-+ g = BN_dup(oldg);
-+ dh = DH_new();
-+ if (p == NULL || q == NULL || g == NULL || dh == NULL) {
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ DH_free(dh);
-+ return NULL;
-+ }
-+ DH_set0_pqg(dh, p, q, g);
-+ return dh;
-+}
-+
- /* kdc's dh function */
- krb5_error_code
- server_process_dh(krb5_context context,
-@@ -2835,43 +2933,42 @@ server_process_dh(krb5_context context,
- DH *dh = NULL, *dh_server = NULL;
- unsigned char *p = NULL;
- ASN1_INTEGER *pub_key = NULL;
-+ BIGNUM *client_pubkey = NULL;
-+ const BIGNUM *server_pubkey;
-
- *dh_pubkey = *server_key = NULL;
- *dh_pubkey_len = *server_key_len = 0;
-
- /* get client's received DH parameters that we saved in server_check_dh */
- dh = cryptoctx->dh;
--
-- dh_server = DH_new();
-+ dh_server = dup_dh_params(dh);
- if (dh_server == NULL)
- goto cleanup;
-- dh_server->p = BN_dup(dh->p);
-- dh_server->g = BN_dup(dh->g);
-- dh_server->q = BN_dup(dh->q);
-
- /* decode client's public key */
- p = data;
- pub_key = d2i_ASN1_INTEGER(NULL, (const unsigned char **)&p, (int)data_len);
- if (pub_key == NULL)
- goto cleanup;
-- dh->pub_key = ASN1_INTEGER_to_BN(pub_key, NULL);
-- if (dh->pub_key == NULL)
-+ client_pubkey = ASN1_INTEGER_to_BN(pub_key, NULL);
-+ if (client_pubkey == NULL)
- goto cleanup;
- ASN1_INTEGER_free(pub_key);
-
- if (!DH_generate_key(dh_server))
- goto cleanup;
-+ DH_get0_key(dh_server, &server_pubkey, NULL);
-
- /* generate DH session key */
- *server_key_len = DH_size(dh_server);
- if ((*server_key = malloc(*server_key_len)) == NULL)
- goto cleanup;
-- compute_dh(*server_key, *server_key_len, dh->pub_key, dh_server);
-+ compute_dh(*server_key, *server_key_len, client_pubkey, dh_server);
-
- #ifdef DEBUG_DH
- print_dh(dh_server, "client&server's DH params\n");
-- print_pubkey(dh->pub_key, "client's pub_key=");
-- print_pubkey(dh_server->pub_key, "server's pub_key=");
-+ print_pubkey(client_pubkey, "client's pub_key=");
-+ print_pubkey(server_pubkey, "server's pub_key=");
- pkiDebug("server computed key=");
- print_buffer(*server_key, *server_key_len);
- #endif
-@@ -2883,7 +2980,8 @@ server_process_dh(krb5_context context,
- * subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo
- * data element
- */
-- if ((pub_key = BN_to_ASN1_INTEGER(dh_server->pub_key, NULL)) == NULL)
-+ pub_key = BN_to_ASN1_INTEGER(server_pubkey, NULL);
-+ if (pub_key == NULL)
- goto cleanup;
- *dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL);
- if ((p = *dh_pubkey = malloc(*dh_pubkey_len)) == NULL)
-@@ -2899,8 +2997,8 @@ server_process_dh(krb5_context context,
- return retval;
-
- cleanup:
-- if (dh_server != NULL)
-- DH_free(dh_server);
-+ BN_free(client_pubkey);
-+ DH_free(dh_server);
- free(*dh_pubkey);
- free(*server_key);
-
-@@ -2911,15 +3009,14 @@ int
- pkinit_openssl_init()
- {
- /* Initialize OpenSSL. */
-- CRYPTO_malloc_init();
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
- return 0;
- }
-
- static krb5_error_code
--pkinit_encode_dh_params(BIGNUM *p, BIGNUM *g, BIGNUM *q,
-- unsigned char **buf, unsigned int *buf_len)
-+pkinit_encode_dh_params(const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
-+ uint8_t **buf, unsigned int *buf_len)
- {
- krb5_error_code retval = ENOMEM;
- int bufsize = 0, r = 0;
-@@ -2963,8 +3060,78 @@ cleanup:
- return retval;
- }
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+
-+/*
-+ * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would
-+ * like to just call d2i_DHxparams(), but Microsoft's implementation may omit
-+ * the q value in violation of the RFC. Instead we must copy the internal
-+ * structures and sequence declarations from dh_asn1.c, modified to make the q
-+ * field optional.
-+ */
-+
-+typedef struct {
-+ ASN1_BIT_STRING *seed;
-+ BIGNUM *counter;
-+} int_dhvparams;
-+
-+typedef struct {
-+ BIGNUM *p;
-+ BIGNUM *q;
-+ BIGNUM *g;
-+ BIGNUM *j;
-+ int_dhvparams *vparams;
-+} int_dhx942_dh;
-+
-+ASN1_SEQUENCE(DHvparams) = {
-+ ASN1_SIMPLE(int_dhvparams, seed, ASN1_BIT_STRING),
-+ ASN1_SIMPLE(int_dhvparams, counter, BIGNUM)
-+} static_ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams)
-+
-+ASN1_SEQUENCE(DHxparams) = {
-+ ASN1_SIMPLE(int_dhx942_dh, p, BIGNUM),
-+ ASN1_SIMPLE(int_dhx942_dh, g, BIGNUM),
-+ ASN1_OPT(int_dhx942_dh, q, BIGNUM),
-+ ASN1_OPT(int_dhx942_dh, j, BIGNUM),
-+ ASN1_OPT(int_dhx942_dh, vparams, DHvparams),
-+} static_ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams)
-+
-+static DH *
-+decode_dh_params(const uint8_t *p, unsigned int len)
-+{
-+ int_dhx942_dh *params;
-+ DH *dh;
-+
-+ dh = DH_new();
-+ if (dh == NULL)
-+ return NULL;
-+
-+ params = (int_dhx942_dh *)ASN1_item_d2i(NULL, &p, len,
-+ ASN1_ITEM_rptr(DHxparams));
-+ if (params == NULL) {
-+ DH_free(dh);
-+ return NULL;
-+ }
-+
-+ /* Steal the p, q, and g values from dhparams for dh. Ignore j and
-+ * vparams. */
-+ DH_set0_pqg(dh, params->p, params->q, params->g);
-+ params->p = params->q = params->g = NULL;
-+ ASN1_item_free((ASN1_VALUE *)params, ASN1_ITEM_rptr(DHxparams));
-+ return dh;
-+}
-+
-+#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
-+/*
-+ * Do the same decoding (except without decoding j and vparams or checking the
-+ * sequence length) using the pre-OpenSSL-1.1 asn1_mac.h. Define an internal
-+ * function in the form demanded by the macros, then wrap it for caller
-+ * convenience.
-+ */
-+
- static DH *
--pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
-+decode_dh_params_int(DH ** a, uint8_t **pp, unsigned int len)
- {
- ASN1_INTEGER ai, *aip = NULL;
- long length = (long) len;
-@@ -2980,8 +3147,8 @@ pkinit_decode_dh_params(DH ** a, unsigne
- if (aip == NULL)
- return NULL;
- else {
-- (*a)->p = ASN1_INTEGER_to_BN(aip, NULL);
-- if ((*a)->p == NULL)
-+ ret->p = ASN1_INTEGER_to_BN(aip, NULL);
-+ if (ret->p == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
-@@ -2993,8 +3160,8 @@ pkinit_decode_dh_params(DH ** a, unsigne
- if (aip == NULL)
- return NULL;
- else {
-- (*a)->g = ASN1_INTEGER_to_BN(aip, NULL);
-- if ((*a)->g == NULL)
-+ ret->g = ASN1_INTEGER_to_BN(aip, NULL);
-+ if (ret->g == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
-@@ -3005,10 +3172,10 @@ pkinit_decode_dh_params(DH ** a, unsigne
- }
- M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
- if (aip == NULL || ai.data == NULL)
-- (*a)->q = NULL;
-+ ret->q = NULL;
- else {
-- (*a)->q = ASN1_INTEGER_to_BN(aip, NULL);
-- if ((*a)->q == NULL)
-+ ret->q = ASN1_INTEGER_to_BN(aip, NULL);
-+ if (ret->q == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
-@@ -3022,6 +3189,16 @@ pkinit_decode_dh_params(DH ** a, unsigne
-
- }
-
-+static DH *
-+decode_dh_params(const uint8_t *p, unsigned int len)
-+{
-+ uint8_t *ptr = (uint8_t *)p;
-+
-+ return decode_dh_params_int(NULL, &ptr, len);
-+}
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
- static krb5_error_code
- pkinit_create_sequence_of_principal_identifiers(
- krb5_context context,
-@@ -3139,27 +3316,25 @@ pkinit_create_td_dh_parameters(krb5_cont
- krb5_pa_data **pa_data = NULL;
- krb5_data *encoded_algId = NULL;
- krb5_algorithm_identifier **algId = NULL;
-+ const BIGNUM *p, *q, *g;
-
- if (opts->dh_min_bits > 4096)
- goto cleanup;
-
- if (opts->dh_min_bits <= 1024) {
-- retval = pkinit_encode_dh_params(plg_cryptoctx->dh_1024->p,
-- plg_cryptoctx->dh_1024->g, plg_cryptoctx->dh_1024->q,
-- &buf1, &buf1_len);
-+ DH_get0_pqg(plg_cryptoctx->dh_1024, &p, &q, &g);
-+ retval = pkinit_encode_dh_params(p, g, q, &buf1, &buf1_len);
- if (retval)
- goto cleanup;
- }
- if (opts->dh_min_bits <= 2048) {
-- retval = pkinit_encode_dh_params(plg_cryptoctx->dh_2048->p,
-- plg_cryptoctx->dh_2048->g, plg_cryptoctx->dh_2048->q,
-- &buf2, &buf2_len);
-+ DH_get0_pqg(plg_cryptoctx->dh_2048, &p, &q, &g);
-+ retval = pkinit_encode_dh_params(p, g, q, &buf2, &buf2_len);
- if (retval)
- goto cleanup;
- }
-- retval = pkinit_encode_dh_params(plg_cryptoctx->dh_4096->p,
-- plg_cryptoctx->dh_4096->g, plg_cryptoctx->dh_4096->q,
-- &buf3, &buf3_len);
-+ DH_get0_pqg(plg_cryptoctx->dh_4096, &p, &q, &g);
-+ retval = pkinit_encode_dh_params(p, g, q, &buf3, &buf3_len);
- if (retval)
- goto cleanup;
-
-@@ -3320,16 +3495,19 @@ pkinit_check_kdc_pkid(krb5_context conte
- static int
- pkinit_check_dh_params(DH *dh1, DH *dh2)
- {
-+ const BIGNUM *p1, *p2, *g1, *g2;
-
-- if (BN_cmp(dh1->p, dh2->p) != 0) {
-+ DH_get0_pqg(dh1, &p1, NULL, &g1);
-+ DH_get0_pqg(dh2, &p2, NULL, &g2);
-+ if (BN_cmp(p1, p2) != 0) {
- pkiDebug("p is not well-known group dhparameter\n");
- return -1;
- }
-- if (BN_cmp(dh1->g, dh2->g) != 0) {
-+ if (BN_cmp(g1, g2) != 0) {
- pkiDebug("bad g dhparameter\n");
- return -1;
- }
-- pkiDebug("good %d dhparams\n", BN_num_bits(dh1->p));
-+ pkiDebug("good %d dhparams\n", BN_num_bits(p1));
- return 0;
- }
-
-@@ -3348,17 +3526,19 @@ pkinit_process_td_dh_params(krb5_context
-
- while (algId[i] != NULL) {
- DH *dh = NULL;
-- unsigned char *tmp = NULL;
-+ const BIGNUM *p;
- int dh_prime_bits = 0;
-
- if (algId[i]->algorithm.length != dh_oid.length ||
- memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length))
- goto cleanup;
-
-- tmp = (unsigned char *)algId[i]->parameters.data;
-- dh = DH_new();
-- dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length);
-- dh_prime_bits = BN_num_bits(dh->p);
-+ dh = decode_dh_params((uint8_t *)algId[i]->parameters.data,
-+ algId[i]->parameters.length);
-+ if (dh == NULL)
-+ goto cleanup;
-+ DH_get0_pqg(dh, &p, NULL, NULL);
-+ dh_prime_bits = BN_num_bits(p);
- pkiDebug("client sent %d DH bits server prefers %d DH bits\n",
- *new_dh_size, dh_prime_bits);
- ok = check_dh_wellknown(cryptoctx, dh, dh_prime_bits);
-@@ -3416,15 +3596,9 @@ openssl_callback(int ok, X509_STORE_CTX
- static int
- openssl_callback_ignore_crls(int ok, X509_STORE_CTX * ctx)
- {
-- if (!ok) {
-- switch (ctx->error) {
-- case X509_V_ERR_UNABLE_TO_GET_CRL:
-- return 1;
-- default:
-- return 0;
-- }
-- }
-- return ok;
-+ if (ok)
-+ return ok;
-+ return X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL;
- }
-
- static ASN1_OBJECT *
-@@ -3480,43 +3654,33 @@ wrap_signeddata(unsigned char *data, uns
- }
-
- static int
--prepare_enc_data(unsigned char *indata,
-- int indata_len,
-- unsigned char **outdata,
-+prepare_enc_data(const uint8_t *indata, int indata_len, uint8_t **outdata,
- int *outdata_len)
- {
-- int retval = -1;
-- ASN1_const_CTX c;
-- long length = indata_len;
-- int Ttag, Tclass;
-- long Tlen;
--
-- c.pp = (const unsigned char **)&indata;
-- c.q = *(const unsigned char **)&indata;
-- c.error = ERR_R_NESTED_ASN1_ERROR;
-- c.p= *(const unsigned char **)&indata;
-- c.max = (length == 0)?0:(c.p+length);
--
-- asn1_GetSequence(&c,&length);
--
-- ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen);
-- c.p += Tlen;
-- ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen);
-+ int tag, class;
-+ long tlen, slen;
-+ const uint8_t *p = indata, *oldp;
-
-- asn1_const_Finish(&c);
-+ if (ASN1_get_object(&p, &slen, &tag, &class, indata_len) & 0x80)
-+ return EINVAL;
-+ if (tag != V_ASN1_SEQUENCE)
-+ return EINVAL;
-
-- *outdata = malloc((size_t)Tlen);
-- if (*outdata == NULL) {
-- retval = ENOMEM;
-- goto cleanup;
-- }
-- memcpy(*outdata, c.p, (size_t)Tlen);
-- *outdata_len = Tlen;
-+ oldp = p;
-+ if (ASN1_get_object(&p, &tlen, &tag, &class, slen) & 0x80)
-+ return EINVAL;
-+ p += tlen;
-+ slen -= (p - oldp);
-
-- retval = 0;
--cleanup:
-+ if (ASN1_get_object(&p, &tlen, &tag, &class, slen) & 0x80)
-+ return EINVAL;
-
-- return retval;
-+ *outdata = malloc(tlen);
-+ if (*outdata == NULL)
-+ return ENOMEM;
-+ memcpy(*outdata, p, tlen);
-+ *outdata_len = tlen;
-+ return 0;
- }
-
- #ifndef WITHOUT_PKCS11
-@@ -3813,10 +3977,8 @@ pkinit_find_private_key(pkinit_identity_
- static krb5_error_code
- pkinit_decode_data_fs(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
-- unsigned char *data,
-- unsigned int data_len,
-- unsigned char **decoded_data,
-- unsigned int *decoded_data_len)
-+ const uint8_t *data, unsigned int data_len,
-+ uint8_t **decoded_data, unsigned int *decoded_data_len)
- {
- if (decode_data(decoded_data, decoded_data_len, data, data_len,
- id_cryptoctx->my_key, sk_X509_value(id_cryptoctx->my_certs,
-@@ -3856,15 +4018,14 @@ pkinit_C_Decrypt(pkinit_identity_crypto_
- static krb5_error_code
- pkinit_decode_data_pkcs11(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
-- unsigned char *data,
-- unsigned int data_len,
-- unsigned char **decoded_data,
-+ const uint8_t *data, unsigned int data_len,
-+ uint8_t **decoded_data,
- unsigned int *decoded_data_len)
- {
- CK_OBJECT_HANDLE obj;
- CK_ULONG len;
- CK_MECHANISM mech;
-- unsigned char *cp;
-+ uint8_t *cp;
- int r;
-
- if (pkinit_open_session(context, id_cryptoctx)) {
-@@ -3891,8 +4052,9 @@ pkinit_decode_data_pkcs11(krb5_context c
- pkiDebug("session %p edata %p edata_len %d data %p datalen @%p %d\n",
- (void *) id_cryptoctx->session, (void *) data, (int) data_len,
- (void *) cp, (void *) &len, (int) len);
-- if ((r = pkinit_C_Decrypt(id_cryptoctx, data, (CK_ULONG) data_len,
-- cp, &len)) != CKR_OK) {
-+ r = pkinit_C_Decrypt(id_cryptoctx, (CK_BYTE_PTR) data, (CK_ULONG) data_len,
-+ cp, &len);
-+ if (r != CKR_OK) {
- pkiDebug("C_Decrypt: %s\n", pkinit_pkcs11_code_to_text(r));
- if (r == CKR_BUFFER_TOO_SMALL)
- pkiDebug("decrypt %d needs %d\n", (int) data_len, (int) len);
-@@ -3909,10 +4071,8 @@ pkinit_decode_data_pkcs11(krb5_context c
- krb5_error_code
- pkinit_decode_data(krb5_context context,
- pkinit_identity_crypto_context id_cryptoctx,
-- unsigned char *data,
-- unsigned int data_len,
-- unsigned char **decoded_data,
-- unsigned int *decoded_data_len)
-+ const uint8_t *data, unsigned int data_len,
-+ uint8_t **decoded_data, unsigned int *decoded_data_len)
- {
- krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
-
-@@ -4030,9 +4190,9 @@ pkinit_sign_data(krb5_context context,
-
-
- static krb5_error_code
--decode_data(unsigned char **out_data, unsigned int *out_data_len,
-- unsigned char *data, unsigned int data_len,
-- EVP_PKEY *pkey, X509 *cert)
-+decode_data(uint8_t **out_data, unsigned int *out_data_len,
-+ const uint8_t *data, unsigned int data_len, EVP_PKEY *pkey,
-+ X509 *cert)
- {
- krb5_error_code retval = ENOMEM;
- unsigned char *buf = NULL;
-@@ -4072,22 +4232,25 @@ create_signature(unsigned char **sig, un
- unsigned char *data, unsigned int data_len, EVP_PKEY *pkey)
- {
- krb5_error_code retval = ENOMEM;
-- EVP_MD_CTX md_ctx;
-+ EVP_MD_CTX *ctx;
-
- if (pkey == NULL)
- return retval;
-
-- EVP_VerifyInit(&md_ctx, EVP_sha1());
-- EVP_SignUpdate(&md_ctx, data, data_len);
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
-+ return ENOMEM;
-+ EVP_SignInit(ctx, EVP_sha1());
-+ EVP_SignUpdate(ctx, data, data_len);
- *sig_len = EVP_PKEY_size(pkey);
- if ((*sig = malloc(*sig_len)) == NULL)
- goto cleanup;
-- EVP_SignFinal(&md_ctx, *sig, sig_len, pkey);
-+ EVP_SignFinal(ctx, *sig, sig_len, pkey);
-
- retval = 0;
-
- cleanup:
-- EVP_MD_CTX_cleanup(&md_ctx);
-+ EVP_MD_CTX_free(ctx);
-
- return retval;
- }
-@@ -5526,8 +5689,8 @@ create_identifiers_from_stack(STACK_OF(X
- if (is == NULL)
- goto oom;
- X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
-- M_ASN1_INTEGER_free(is->serial);
-- is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
-+ ASN1_INTEGER_free(is->serial);
-+ is->serial = ASN1_INTEGER_dup(X509_get_serialNumber(x));
- if (is->serial == NULL)
- goto oom;
- len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
-@@ -5679,8 +5842,8 @@ create_issuerAndSerial(krb5_context cont
-
- is = PKCS7_ISSUER_AND_SERIAL_new();
- X509_NAME_set(&is->issuer, X509_get_issuer_name(cert));
-- M_ASN1_INTEGER_free(is->serial);
-- is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
-+ ASN1_INTEGER_free(is->serial);
-+ is->serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
- len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = *out = malloc((size_t) len)) == NULL)
- goto cleanup;
-@@ -5855,10 +6018,10 @@ pkcs7_dataDecode(krb5_context context,
- int tmp_ret = 0;
- ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- tmp_ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
-- cert->cert_info->issuer);
-+ X509_get_issuer_name(cert));
- if (!tmp_ret) {
-- tmp_ret = M_ASN1_INTEGER_cmp(cert->cert_info->serialNumber,
-- ri->issuer_and_serial->serial);
-+ tmp_ret = ASN1_INTEGER_cmp(X509_get_serialNumber(cert),
-+ ri->issuer_and_serial->serial);
- if (!tmp_ret)
- break;
- }
-@@ -5878,8 +6041,8 @@ pkcs7_dataDecode(krb5_context context,
- for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
- ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- jj = pkinit_decode_data(context, id_cryptoctx,
-- M_ASN1_STRING_data(ri->enc_key),
-- (unsigned int) M_ASN1_STRING_length(ri->enc_key),
-+ ASN1_STRING_get0_data(ri->enc_key),
-+ ASN1_STRING_length(ri->enc_key),
- &tmp, &tmp_len);
- if (jj) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB);
-@@ -5896,14 +6059,13 @@ pkcs7_dataDecode(krb5_context context,
- }
-
- if (ri == NULL) {
-- PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
- goto cleanup;
- }
- }
- else {
- jj = pkinit_decode_data(context, id_cryptoctx,
-- M_ASN1_STRING_data(ri->enc_key),
-- (unsigned int) M_ASN1_STRING_length(ri->enc_key),
-+ ASN1_STRING_get0_data(ri->enc_key),
-+ ASN1_STRING_length(ri->enc_key),
- &tmp, &tmp_len);
- if (jj || tmp_len <= 0) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB);
-@@ -5925,8 +6087,6 @@ pkcs7_dataDecode(krb5_context context,
- * determined by the size of the decrypted RSA key.
- */
- if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, (int)jj)) {
-- PKCS7err(PKCS7_F_PKCS7_DATADECODE,
-- PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
- goto cleanup;
- }
- }
-diff -up krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h.openssl11 krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
---- krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h.openssl11 2016-09-13 21:59:45.000000000 +0200
-+++ krb5-1.14.4/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h 2016-09-29 23:30:52.341207376 +0200
-@@ -42,11 +42,16 @@
- #include <openssl/x509v3.h>
- #include <openssl/err.h>
- #include <openssl/evp.h>
--#include <openssl/asn1_mac.h>
- #include <openssl/sha.h>
- #include <openssl/asn1.h>
- #include <openssl/pem.h>
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#include <openssl/asn1t.h>
-+#else
-+#include <openssl/asn1_mac.h>
-+#endif
-+
- #define DN_BUF_LEN 256
- #define MAX_CREDS_ALLOWED 20
-
-@@ -129,8 +134,4 @@ struct _pkinit_cert_iter_data {
- unsigned int index;
- };
-
--/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
--#define ku_reject(x, usage) \
-- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
--
- #endif /* _PKINIT_CRYPTO_OPENSSL_H */
-diff -up krb5-1.14.4/src/plugins/tls/k5tls/openssl.c.openssl11 krb5-1.14.4/src/plugins/tls/k5tls/openssl.c
---- krb5-1.14.4/src/plugins/tls/k5tls/openssl.c.openssl11 2016-09-13 21:59:45.000000000 +0200
-+++ krb5-1.14.4/src/plugins/tls/k5tls/openssl.c 2016-09-29 23:30:43.882158131 +0200
-@@ -181,13 +181,13 @@ check_cert_address(X509 *x, const char *
- struct in6_addr sin6;
-
- /* Parse the IP address into an octet string. */
-- ip = M_ASN1_OCTET_STRING_new();
-+ ip = ASN1_OCTET_STRING_new();
- if (ip == NULL)
- return FALSE;
- if (inet_pton(AF_INET, text, &sin)) {
-- M_ASN1_OCTET_STRING_set(ip, &sin, sizeof(sin));
-+ ASN1_OCTET_STRING_set(ip, (unsigned char *)&sin, sizeof(sin));
- } else if (inet_pton(AF_INET6, text, &sin6)) {
-- M_ASN1_OCTET_STRING_set(ip, &sin6, sizeof(sin6));
-+ ASN1_OCTET_STRING_set(ip, (unsigned char *)&sin6, sizeof(sin6));
- } else {
- ASN1_OCTET_STRING_free(ip);
- return FALSE;
-@@ -317,7 +317,7 @@ verify_callback(int preverify_ok, X509_S
- if (err != X509_V_OK) {
- bio = BIO_new(BIO_s_mem());
- if (bio != NULL) {
-- X509_NAME_print_ex(bio, x->cert_info->subject, 0, 0);
-+ X509_NAME_print_ex(bio, X509_get_subject_name(x), 0, 0);
- count = BIO_get_mem_data(bio, &cert);
- errstr = X509_verify_cert_error_string(err);
- TRACE_TLS_CERT_ERROR(context, depth, count, cert, err, errstr);
diff --git a/krb5-1.12-buildconf.patch b/krb5-1.15-beta1-buildconf.patch
index da7bd84..441459e 100644
--- a/krb5-1.12-buildconf.patch
+++ b/krb5-1.15-beta1-buildconf.patch
@@ -1,7 +1,7 @@
-From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
+From e7cea9ceea5a97248384a3bb0cc2bb2d58cce326 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
-Subject: [PATCH] krb5-1.12-buildconf.patch
+Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
@@ -33,10 +33,10 @@ index c17cb5e..1891dea 100755
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
diff --git a/src/config/pre.in b/src/config/pre.in
-index 63271e7..c100fef 100644
+index fcea229..d961b56 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
-@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
@@ -46,19 +46,19 @@ index 63271e7..c100fef 100644
## ${prefix}.
prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
-index 55f16be..f4a762c 100644
+index 3e4af6c..2b20c3f 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
-@@ -422,7 +422,7 @@ mips-*-netbsd*)
- SHLIBEXT=.so
+@@ -423,7 +423,7 @@ mips-*-netbsd*)
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
-- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
-+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
- #
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
- SHLIB_EXPORT_FILE_DEP=binutils.versions
-@@ -433,7 +433,8 @@ mips-*-netbsd*)
+ # UNDEF_CHECK is suppressed by --enable-asan
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
+ UNDEF_CHECK='-Wl,--no-undefined'
+ # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
+@@ -435,7 +435,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.15-beta1-selinux-label.patch
index c770524..0fafbfb 100644
--- a/krb5-1.13-selinux-label.patch
+++ b/krb5-1.15-beta1-selinux-label.patch
@@ -1,7 +1,7 @@
-From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
+From 7fea764528d0d1b0b2c8bf17d116f3da622f9cb6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
-Subject: [PATCH] krb5-1.13-selinux-label.patch
+Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@@ -58,16 +58,15 @@ which we used earlier, is some improvement.
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/slave/kpropd.c | 9 +
- src/util/gss-kernel-lib/Makefile.in | 5 +-
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
- src/util/support/selinux.c | 381 +++++++++++++++++++++
- 26 files changed, 566 insertions(+), 22 deletions(-)
+ src/util/support/selinux.c | 406 +++++++++++++++++++++
+ 25 files changed, 587 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index ce045ab..311f099 100644
+index 5fc7f3e..5b02b40 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
@@ -78,13 +77,13 @@ index ce045ab..311f099 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
-@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)
+@@ -1740,3 +1741,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
-+dnl
++dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
@@ -152,10 +151,10 @@ index f6184da..c17cb5e 100755
echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in
-index b0d9015..63271e7 100644
+index e062632..fcea229 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
-@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
+@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
@@ -163,7 +162,7 @@ index b0d9015..63271e7 100644
INSTALL=@INSTALL@
INSTALL_STRIP=
-@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
+@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@@ -173,10 +172,10 @@ index b0d9015..63271e7 100644
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
diff --git a/src/configure.in b/src/configure.in
-index 8846ca0..9ec8d84 100644
+index 79c0fe2..d085a4b 100644
--- a/src/configure.in
+++ b/src/configure.in
-@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)
+@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@@ -186,10 +185,10 @@ index 8846ca0..9ec8d84 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 41c3d1b..6b7b2e3 100644
+index 3cc32c3..afefe28 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
-@@ -129,6 +129,7 @@ typedef unsigned char u_char;
+@@ -128,6 +128,7 @@ typedef unsigned char u_char;
#include "k5-platform.h"
@@ -236,7 +235,7 @@ index 0000000..dfaaa84
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index e2c08ae..c93a0f2 100644
+index 64b0d0f..0c9347b 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@@ -253,7 +252,7 @@ index e2c08ae..c93a0f2 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index 253bf3f..9c8c3dc 100644
+index f7889bd..cad53cf 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@@ -288,10 +287,10 @@ index 253bf3f..9c8c3dc 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
diff --git a/src/kdc/main.c b/src/kdc/main.c
-index 82dfc0e..936f46b 100644
+index 6767ef0..70cb256 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
-@@ -847,7 +847,7 @@ write_pid_file(const char *path)
+@@ -873,7 +873,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@@ -301,19 +300,19 @@ index 82dfc0e..936f46b 100644
return errno;
pid = (unsigned long) getpid();
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index 19c4355..64f9641 100644
+index ce79fab..c53a574 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
-@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
- * Check for append/overwrite, then open the file.
+@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
*/
- if (cp[4] == ':' || cp[4] == '=') {
-- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
-+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
- if (f) {
- set_cloexec_file(f);
- log_control.log_entries[i].lfu_filep = f;
-@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
+ append = (cp[4] == ':') ? O_APPEND : 0;
+ if (append || cp[4] == '=') {
+- fd = open(&cp[5], O_CREAT | O_WRONLY | append,
++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
+ S_IRUSR | S_IWUSR | S_IRGRP);
+ if (fd != -1)
+ f = fdopen(fd, append ? "a" : "w");
+@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@@ -323,7 +322,7 @@ index 19c4355..64f9641 100644
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
-index 99cda59..523b99a 100644
+index 766d300..6466417 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
@@ -386,24 +385,23 @@ index bba64e5..73f0fe6 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index e105a51..ff1fc54 100644
+index 6a42f26..674d88b 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
-@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
+@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
- (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
- fopen_mode_rbplus : fopen_mode_rb);
+ (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
if (!KTFILEP(id)) {
-@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
+ if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
/* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id));
errno = 0;
-- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
-+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
+- KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
@@ -421,7 +419,7 @@ index 83c8d4d..a192461 100644
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
-index 2fb6aa0..c453189 100644
+index c4d2c74..c0f12ed 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
@@ -466,7 +464,7 @@ index 7db30a3..2b9d019 100644
* maybe someone took away write permission so we could only
* get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
-index e97b841..5d1cd61 100644
+index 4c4036e..d90bdea 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@@ -502,7 +500,7 @@ index 2977b17..d5809a5 100644
} else {
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
-index 2a5b4f8..7239d03 100644
+index 76f5d47..1fa8b83 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
@@ -545,10 +543,10 @@ index d8b26e7..b0daa7c 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-index 64d0f91..5d5c0a6 100644
+index 022156a..3d6994c 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -178,7 +178,7 @@ done:
+@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@@ -557,7 +555,7 @@ index 64d0f91..5d5c0a6 100644
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
-@@ -219,6 +219,9 @@ done:
+@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@@ -567,7 +565,7 @@ index 64d0f91..5d5c0a6 100644
mode_t omask;
-@@ -230,7 +233,13 @@ done:
+@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@@ -582,7 +580,7 @@ index 64d0f91..5d5c0a6 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
-index 1383156..a950924 100644
+index 056c31a..b78c3d9 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -464,6 +464,9 @@ doit(int fd)
@@ -611,32 +609,6 @@ index 1383156..a950924 100644
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
-diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
-index f70f3c6..7a2f9cc 100644
---- a/src/util/gss-kernel-lib/Makefile.in
-+++ b/src/util/gss-kernel-lib/Makefile.in
-@@ -61,6 +61,7 @@ HEADERS= \
- gssapi_err_generic.h \
- k5-int.h \
- k5-int-pkinit.h \
-+ k5-label.h \
- k5-thread.h \
- k5-platform.h \
- k5-buf.h \
-@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
- $(CP) $(GSS_GENERIC)/gssapi_generic.h $@
- gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
- $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
--k5-int.h: $(INCLUDE)/k5-int.h
-+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
- $(CP) $(INCLUDE)/k5-int.h $@
- k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
- $(CP) $(INCLUDE)/k5-int-pkinit.h $@
-+k5-label.h: $(INCLUDE)/k5-label.h
-+ $(CP) $(INCLUDE)/k5-label.h $@
- k5-thread.h: $(INCLUDE)/k5-thread.h
- $(CP) $(INCLUDE)/k5-thread.h $@
- k5-platform.h: $(INCLUDE)/k5-platform.h
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 907c119..0f5462a 100644
--- a/src/util/profile/prof_file.c
@@ -659,10 +631,10 @@ index 907c119..0f5462a 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-index 5181762..f77acd4 100644
+index 6239e41..17bcd2a 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
-@@ -59,6 +59,7 @@ IPC_SYMS= \
+@@ -69,6 +69,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@@ -670,7 +642,7 @@ index 5181762..f77acd4 100644
init-addrinfo.o \
plugins.o \
errors.o \
-@@ -131,7 +132,7 @@ SRCS=\
+@@ -148,7 +149,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@@ -681,12 +653,12 @@ index 5181762..f77acd4 100644
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644
-index 0000000..ffba6a9
+index 0000000..2302634
--- /dev/null
+++ b/src/util/support/selinux.c
-@@ -0,0 +1,381 @@
+@@ -0,0 +1,406 @@
+/*
-+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
@@ -713,7 +685,7 @@ index 0000000..ffba6a9
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
-+ *
++ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
@@ -724,8 +696,10 @@ index 0000000..ffba6a9
+
+#include <k5-label.h>
+#include <k5-platform.h>
++
+#include <sys/types.h>
+#include <sys/stat.h>
++
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
@@ -735,13 +709,26 @@ index 0000000..ffba6a9
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
++
+#include <selinux/selinux.h>
+#include <selinux/context.h>
-+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
-+#endif
+
+/* #define DEBUG 1 */
++static void
++debug_log(const char *fmt, ...)
++{
++#ifdef DEBUG
++ va_list ap;
++ va_start(ap, str);
++ if (isatty(fileno(stderr))) {
++ vfprintf(stderr, fmt, ap);
++ }
++ va_end(ap);
++#endif
++
++ return;
++}
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
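Review bot: `va_start(ap, str)` in the new debug_log() names a parameter that does not exist; the last named parameter is `fmt`, so selinux.c stops compiling as soon as the commented-out `#define DEBUG 1` is enabled. The line should read `va_start(ap, fmt);`. The hunk also drops the `HAVE_SELINUX_LABEL_H` guard around `<selinux/label.h>`, so the header is now required unconditionally. If that is intended, the configure-time check (not visible in this hunk) should presumably fail early when the header is missing rather than leaving it to a compile error here.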
@@ -751,10 +738,9 @@ index 0000000..ffba6a9
+static void
+label_mutex_init(void)
+{
-+ k5_mutex_finish_init(&labeled_mutex);
++ k5_mutex_finish_init(&labeled_mutex);
+}
+
-+#ifdef HAVE_SELINUX_LABEL_H
+static struct selabel_handle *selabel_ctx;
+static time_t selabel_last_changed;
+
@@ -763,309 +749,320 @@ index 0000000..ffba6a9
+static void
+cleanup_fscreatecon(void)
+{
-+ if (selabel_ctx != NULL) {
-+ selabel_close(selabel_ctx);
-+ selabel_ctx = NULL;
-+ }
++ if (selabel_ctx != NULL) {
++ selabel_close(selabel_ctx);
++ selabel_ctx = NULL;
++ }
+}
-+#endif
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
-+ security_context_t previous, configuredsc, currentsc, derivedsc;
-+ context_t current, derived;
-+ const char *fullpath, *currentuser;
-+
-+ previous = NULL;
-+ if (is_selinux_enabled()) {
-+ if (getfscreatecon(&previous) == 0) {
-+ char *genpath;
-+ genpath = NULL;
-+ if (pathname[0] != '/') {
-+ char *wd;
-+ size_t len;
-+ len = 0;
-+ wd = getcwd(NULL, len);
-+ if (wd == NULL) {
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ len = strlen(wd) + 1 + strlen(pathname) + 1;
-+ genpath = malloc(len);
-+ if (genpath == NULL) {
-+ free(wd);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ sprintf(genpath, "%s/%s", wd, pathname);
-+ free(wd);
-+ fullpath = genpath;
-+ } else {
-+ fullpath = pathname;
-+ }
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Looking up context for "
-+ "\"%s\"(%05o).\n", fullpath, mode);
-+ }
-+#endif
-+ configuredsc = NULL;
-+#ifdef HAVE_SELINUX_LABEL_H
-+ if ((selabel_ctx != NULL) ||
-+ (selabel_last_changed == 0)) {
-+ const char *cpath;
-+ struct stat st;
-+ int i = -1;
-+ cpath = selinux_file_context_path();
-+ if ((cpath == NULL) ||
-+ ((i = stat(cpath, &st)) != 0) ||
-+ (st.st_mtime != selabel_last_changed)) {
-+ if (selabel_ctx != NULL) {
-+ selabel_close(selabel_ctx);
-+ selabel_ctx = NULL;
-+ }
-+ selabel_last_changed = i ?
-+ time(NULL) :
-+ st.st_mtime;
-+ }
-+ }
-+ if (selabel_ctx == NULL) {
-+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
-+ NULL, 0);
-+ }
-+ if (selabel_ctx != NULL) {
-+ if (selabel_lookup(selabel_ctx, &configuredsc,
-+ fullpath, mode) != 0) {
-+ free(genpath);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ }
-+#else
-+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
-+ free(genpath);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+#endif
-+ free(genpath);
-+ if (configuredsc == NULL) {
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ currentsc = NULL;
-+ getcon(&currentsc);
-+ if (currentsc != NULL) {
-+ derived = context_new(configuredsc);
-+ if (derived != NULL) {
-+ current = context_new(currentsc);
-+ if (current != NULL) {
-+ currentuser = context_user_get(current);
-+ if (currentuser != NULL) {
-+ if (context_user_set(derived,
-+ currentuser) == 0) {
-+ derivedsc = context_str(derived);
-+ if (derivedsc != NULL) {
-+ freecon(configuredsc);
-+ configuredsc = strdup(derivedsc);
-+ }
-+ }
-+ }
-+ context_free(current);
-+ }
-+ context_free(derived);
-+ }
-+ freecon(currentsc);
-+ }
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Setting file creation context "
-+ "to \"%s\".\n", configuredsc);
-+ }
-+#endif
-+ if (setfscreatecon(configuredsc) != 0) {
-+ freecon(configuredsc);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ freecon(configuredsc);
-+#ifdef DEBUG
-+ } else {
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Unable to determine "
-+ "current context.\n");
-+ }
-+#endif
-+ }
-+ }
-+ return previous;
++ security_context_t previous, configuredsc, currentsc, derivedsc;
++ context_t current, derived;
++ const char *fullpath, *currentuser;
++ char *genpath;
++
++ previous = configuredsc = currentsc = derivedsc = NULL;
++ current = derived = NULL;
++ genpath = NULL;
++
++ fullpath = pathname;
++
++ if (!is_selinux_enabled()) {
++ goto fail;
++ }
++
++ if (getfscreatecon(&previous) != 0) {
++ goto fail;
++ }
++
++ /* Canonicalize pathname */
++ if (pathname[0] != '/') {
++ char *wd;
++ size_t len;
++ len = 0;
++
++ wd = getcwd(NULL, len);
++ if (wd == NULL) {
++ goto fail;
++ }
++
++ len = strlen(wd) + 1 + strlen(pathname) + 1;
++ genpath = malloc(len);
++ if (genpath == NULL) {
++ free(wd);
++ goto fail;
++ }
++
++ sprintf(genpath, "%s/%s", wd, pathname);
++ free(wd);
++ fullpath = genpath;
++ }
++
++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
++
++ /* Check whether context file has changed under us */
++ if (selabel_ctx != NULL || selabel_last_changed == 0) {
++ const char *cpath;
++ struct stat st;
++ int i = -1;
++
++ cpath = selinux_file_context_path();
++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
++ st.st_mtime != selabel_last_changed) {
++ cleanup_fscreatecon();
++
++ selabel_last_changed = i ? time(NULL) : st.st_mtime;
++ }
++ }
++
++ if (selabel_ctx == NULL) {
++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ }
++
++ if (selabel_ctx != NULL &&
++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
++ goto fail;
++ }
++
++ if (genpath != NULL) {
++ free(genpath);
++ genpath = NULL;
++ }
++
++ if (configuredsc == NULL) {
++ goto fail;
++ }
++
++ getcon(&currentsc);
++
++ /* AAAAAAAA */
++ if (currentsc != NULL) {
++ derived = context_new(configuredsc);
++
++ if (derived != NULL) {
++ current = context_new(currentsc);
++
++ if (current != NULL) {
++ currentuser = context_user_get(current);
++
++ if (currentuser != NULL) {
++ if (context_user_set(derived,
++ currentuser) == 0) {
++ derivedsc = context_str(derived);
++
++ if (derivedsc != NULL) {
++ freecon(configuredsc);
++ configuredsc = strdup(derivedsc);
++ }
++ }
++ }
++
++ context_free(current);
++ }
++
++ context_free(derived);
++ }
++
++ freecon(currentsc);
++ }
++
++ debug_log("Setting file creation context to \"%s\".\n", configuredsc);
++ if (setfscreatecon(configuredsc) != 0) {
++ debug_log("Unable to determine current context.\n");
++ goto fail;
++ }
++
++ freecon(configuredsc);
++ return previous;
++
++fail:
++ if (previous != NULL) {
++ freecon(previous);
++ }
++ if (genpath != NULL) {
++ free(genpath);
++ }
++ if (configuredsc != NULL) {
++ freecon(configuredsc);
++ }
++
++ cleanup_fscreatecon();
++ return NULL;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
-+ if (is_selinux_enabled()) {
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ if (previous != NULL) {
-+ fprintf(stderr, "Resetting file creation "
-+ "context to \"%s\".\n", previous);
-+ } else {
-+ fprintf(stderr, "Resetting file creation "
-+ "context to default.\n");
-+ }
-+ }
-+#endif
-+ setfscreatecon(previous);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ }
++ if (!is_selinux_enabled()) {
++ return;
++ }
++
++ if (previous != NULL) {
++ debug_log("Resetting file creation context to \"%s\".\n", previous);
++ } else {
++ debug_log("Resetting file creation context to default.\n");
++ }
++
++ /* NULL resets to default */
++ setfscreatecon(previous);
++
++ if (previous != NULL) {
++ freecon(previous);
++ }
++
++ /* Need to clean this up here otherwise it leaks */
++ cleanup_fscreatecon();
+}
+
+void *
+krb5int_push_fscreatecon_for(const char *pathname)
+{
-+ struct stat st;
-+ void *retval;
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ if (stat(pathname, &st) != 0) {
-+ st.st_mode = S_IRUSR | S_IWUSR;
-+ }
-+ retval = push_fscreatecon(pathname, st.st_mode);
-+ return retval ? retval : (void *) -1;
++ struct stat st;
++ void *retval;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++
++ if (stat(pathname, &st) != 0) {
++ st.st_mode = S_IRUSR | S_IWUSR;
++ }
++
++ retval = push_fscreatecon(pathname, st.st_mode);
++ return retval ? retval : (void *) -1;
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
-+ if (con != NULL) {
-+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
-+ k5_mutex_unlock(&labeled_mutex);
-+ }
++ if (con != NULL) {
++ pop_fscreatecon((con == (void *) -1) ? NULL : con);
++ k5_mutex_unlock(&labeled_mutex);
++ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
-+ FILE *fp;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ if ((strcmp(mode, "r") == 0) ||
-+ (strcmp(mode, "rb") == 0)) {
-+ return fopen(path, mode);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+ fp = fopen(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ errno = errno_save;
-+ return fp;
++ FILE *fp;
++ int errno_save;
++ security_context_t ctx;
++
++ if ((strcmp(mode, "r") == 0) ||
++ (strcmp(mode, "rb") == 0)) {
++ return fopen(path, mode);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fp = fopen(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+ fd = creat(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ errno = errno_save;
-+ return fd;
++ int fd;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fd = creat(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, mode);
-+ ret = mknod(path, mode, dev);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ errno = errno_save;
-+ return ret;
++ int ret;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, mode);
++
++ ret = mknod(path, mode, dev);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, S_IFDIR);
-+ ret = mkdir(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ errno = errno_save;
-+ return ret;
++ int ret;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, S_IFDIR);
++
++ ret = mkdir(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+ mode_t mode;
-+ va_list ap;
-+
-+ if ((flags & O_CREAT) == 0) {
-+ return open(path, flags);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ va_start(ap, flags);
-+ mode = va_arg(ap, mode_t);
-+ fd = open(path, flags, mode);
-+ va_end(ap);
-+
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ errno = errno_save;
-+ return fd;
++ int fd;
++ int errno_save;
++ security_context_t ctx;
++ mode_t mode;
++ va_list ap;
++
++ if ((flags & O_CREAT) == 0) {
++ return open(path, flags);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ va_start(ap, flags);
++ mode = va_arg(ap, mode_t);
++ fd = open(path, flags, mode);
++ va_end(ap);
++
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
+}
+
-+#endif
++#endif /* USE_SELINUX */
--
2.9.3
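Review bot: In push_fscreatecon(), `freecon(configuredsc); configuredsc = strdup(derivedsc);` leaves `configuredsc` NULL when strdup() fails, and the following `setfscreatecon(configuredsc)` then resets the creation context to the default instead of failing (pop_fscreatecon's own comment notes "NULL resets to default"). A keytab, log or database file could therefore be created with the wrong label under memory pressure and with no error reported. Duplicating first and swapping only on success keeps the policy-derived label: `tmp = strdup(derivedsc); if (tmp != NULL) { freecon(configuredsc); configuredsc = tmp; }`. Separately, pop_fscreatecon() now calls cleanup_fscreatecon() on every call, so the selabel handle appears to be reopened for each labeled open and the mtime-based reload check at the top of push_fscreatecon() rarely has a cached handle to validate. The `debug_log("Unable to determine current context.\n")` message also now sits on the setfscreatecon() failure path, where it no longer describes what failed.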
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch
index d7a705d..6a3f3a5 100644
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@@ -1,4 +1,4 @@
-From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
+From e84b0d40e31cdb98a9a87bd1c4925802d963a479 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
@@ -9,7 +9,7 @@ We want to be able to use --with-netlib and --enable-dns at the same time.
1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 311f099..ed343c5 100644
+index 5b02b40..d49b7c1 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch
index 496915e..45290df 100644
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@@ -1,4 +1,4 @@
-From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
+From e2f0b0317c6a251c202500f409976dda3a6a82e7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
@@ -12,7 +12,7 @@ could mess up people working in the tree on other things.
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
-index 789c597..7e7a148 100644
+index adfea6e..d1327e4 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
@@ -25,7 +25,7 @@ index 789c597..7e7a148 100644
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
-index b9ea339..060f500 100644
+index 8669c24..a22f23c 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
@@ -35,7 +35,7 @@ index b9ea339..060f500 100644
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
- install::
+ install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.9.3
diff --git a/krb5.spec b/krb5.spec
index 8048a50..5429dd2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -8,12 +8,12 @@
%global configure_default_ccache_name 1
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
-%global prerelease %{nil}
+%global prerelease -beta1
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.14.4
-Release: 6%{?dist}
+Version: 1.15
+Release: 1%{?dist}.beta1.0
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -46,30 +46,16 @@ Source39: krb5-krb5kdc.conf
Source100: noport.c
Patch1: krb5-1.12.1-pam.patch
-Patch2: krb5-1.13-selinux-label.patch
+Patch2: krb5-1.15-beta1-selinux-label.patch
Patch3: krb5-1.12-ksu-path.patch
Patch4: krb5-1.12-ktany.patch
-Patch5: krb5-1.12-buildconf.patch
+Patch5: krb5-1.15-beta1-buildconf.patch
Patch6: krb5-1.3.1-dns.patch
Patch7: krb5-1.12-api.patch
Patch8: krb5-1.13-dirsrv-accountlock.patch
Patch9: krb5-1.9-debuginfo.patch
Patch10: krb5-1.11-run_user_0.patch
Patch11: krb5-1.11-kpasswdtest.patch
-Patch12: Fix-impersonate_name-to-work-with-interposers.patch
-Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
-Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
-Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
-Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
-Patch17: Improve-bad-password-inference-in-kinit.patch
-Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
-Patch19: Add-krb5_db_register_keytab.patch
-Patch20: Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch
-Patch21: Rename-prng_os.c-to-prng_device.c.patch
-Patch22: Add-getrandom-to-k5_get_os_entropy-using-syscall.patch
-Patch23: Add-OS-prng-intended-for-use-with-getrandom.patch
-Patch24: Properly-handle-EOF-condition-on-libkrad-sockets.patch
-Patch25: krb5-1.14.4-openssl11.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -256,7 +242,7 @@ interface is not considered stable.
ln NOTICE LICENSE
# Take the execute bit off of documentation.
-chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
+chmod -x doc/ccapi/*.html
# Generate an FDS-compatible LDIF file.
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -271,7 +257,7 @@ touch -r $inldif 60kerberos.ldif
# Rebuild the configure scripts.
pushd src
-./util/reconf --verbose
+autoreconf -fiv
popd
# Mess with some of the default ports that we use for testing, so that multiple
@@ -684,7 +670,6 @@ exit 0
%files devel
%defattr(-,root,root,-)
%docdir %{_mandir}
-%doc doc/krb5-protocol
%doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
%{_includedir}/*
@@ -724,6 +709,11 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1
+- New upstream release
+- Update selinux with RHEL hygene
+- Resolves: #1314096
+
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6
- rebuild with OpenSSL 1.1.0, added backported upstream patch
diff --git a/sources b/sources
index 98973aa..0437f58 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz
-1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc
-c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar
+fa2af49908afa204ab177fb997d8c17f krb5-1.15-beta1-pdfs.tar
+aeac2080eb2cb88d02ae1722e2681021 krb5-1.15-beta1.tar.gz
+dc8b927e0f6597767e222114540a6f3d krb5-1.15-beta1.tar.gz.asc
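Review bot: The three new `sources` entries are 32 hex digits long, which is the length of an MD5 digest, so the krb5-1.15-beta1 tarball fetched from the lookaside cache is pinned only by a hash for which collisions are practical. The detached signature `krb5-1.15-beta1.tar.gz.asc` is listed beside it, but none of the krb5.spec hunks in this commit shows it being checked. If %prep does not already verify the tarball against the upstream release key, adding that check would make the integrity guarantee independent of the digest. Where the packaging tooling accepts it, the entries could also be recorded with a stronger digest, e.g. `SHA512 (krb5-1.15-beta1.tar.gz) = <sha512-of-tarball>` (placeholder, to be computed from the verified tarball).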