| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-31 17:58:42 -0500 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-31 17:58:42 -0500 |
| commit | ed01558c873673cee913fac6b3017de22980bbd3 (patch) | |
| tree | 3e01a964e1a108a9a810e028bb1a9ec5f817f70e | |
| parent | 7d8b27bfbb2f5b67599752496f925f6061f1094f (diff) | |
- rebuild because I tagged the previous build wrong
krb5-1.11.5-2.fc20
Also delete some patches which we're not applying any more.
| -rw-r--r-- | krb5-1.11.3-client-loop.patch | 34 | ||||
| -rw-r--r-- | krb5-1.11.3-copy_context.patch | 302 | ||||
| -rw-r--r-- | krb5-1.11.3-spnego_error_messages.patch | 175 | ||||
| -rw-r--r-- | krb5-master-gss_oid_leak.patch | 28 | ||||
| -rw-r--r-- | krb5-master-ignore-empty-unnecessary-final-token.patch | 37 | ||||
| -rw-r--r-- | krb5-master-keytab_close.patch | 39 | ||||
| -rw-r--r-- | krb5.spec | 5 |
7 files changed, 4 insertions, 616 deletions
diff --git a/krb5-1.11.3-client-loop.patch b/krb5-1.11.3-client-loop.patch deleted file mode 100644 index f9b7c13..0000000 --- a/krb5-1.11.3-client-loop.patch +++ /dev/null @@ -1,34 +0,0 @@ -Tweaked for 1.11.3. - -commit 53e5c850e05f011e9e7f25c2032aec51d8b352a9 -Author: Viktor Dukhovni <viktor@twosigma.com> -Date: Tue Jun 25 12:27:42 2013 -0400 - - Fix spin loop reading from KDC TCP socket - - In the k5_sendto code for reading from a TCP socket, detect - end-of-stream when reading the length. Otherwise we can get stuck in - an infinite loop of poll() and read(). - - [ghudson@mit.edu: commit message] - - ticket: 7508 - target_version: 1.11.4 - tags: pullup - -diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c -index 3e4ec7e..3c31d9f 100644 ---- a/src/lib/krb5/os/sendto_kdc.c -+++ b/src/lib/krb5/os/sendto_kdc.c -@@ -853,9 +853,9 @@ service_tcp_fd(krb5_context context, struct conn_state *conn, - nread = SOCKET_READ(conn->fd, - conn->x.in.bufsizebytes + conn->x.in.bufsizebytes_read, - 4 - conn->x.in.bufsizebytes_read); -- if (nread < 0) { -+ if (nread <= 0) { -+ e = nread ? SOCKET_ERRNO : ECONNRESET; - TRACE_SENDTO_KDC_TCP_ERROR_RECV_LEN(context, conn, e); -- e = SOCKET_ERRNO; - goto kill_conn; - } - conn->x.in.bufsizebytes_read += nread; diff --git a/krb5-1.11.3-copy_context.patch b/krb5-1.11.3-copy_context.patch deleted file mode 100644 index fbd35c4..0000000 --- a/krb5-1.11.3-copy_context.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -Adjusted for 1.11.3, which still had vtbl, locate_fptrs, and (vestigial) -profile_in_memory fields, but didn't have localauth_handles, -hostrealm_handles, or dns_canonicalize_hostname, and drop the hunk that -touched .gitignore. - -commit c452644d91d57d8b05ef396a029e34d0c7a48920 -Author: Greg Hudson <ghudson@mit.edu> -Date: Wed Dec 18 15:03:03 2013 -0500 - - Fix krb5_copy_context - - krb5_copy_context has been broken since 1.8 (it broke in r22456) - because k5_copy_etypes crashes on null enctype lists. Subsequent - additions to the context structure were not reflected in - krb5_copy_context, creating double-free bugs. Make k5_copy_etypes - handle null input and account for all new fields in krb5_copy_context. - Reported by Arran Cudbard-Bell. - - ticket: 7807 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c -index 0bc92f8..4237023 100644 ---- a/src/lib/krb5/krb/copy_ctx.c -+++ b/src/lib/krb5/krb/copy_ctx.c -@@ -77,13 +77,24 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) - nctx->ser_ctx_count = 0; - nctx->ser_ctx = NULL; - nctx->prompt_types = NULL; -+ nctx->preauth_context = NULL; -+ nctx->ccselect_handles = NULL; -+ nctx->kdblog_context = NULL; -+ nctx->trace_callback = NULL; -+ nctx->trace_callback_data = NULL; -+ nctx->plugin_base_dir = NULL; - nctx->os_context.default_ccname = NULL; - -+#ifdef KRB5_DNS_LOOKUP -+ nctx->profile_in_memory = 0; -+#endif /* KRB5_DNS_LOOKUP */ -+ - memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); - nctx->vtbl = NULL; - nctx->locate_fptrs = NULL; - - memset(&nctx->err, 0, sizeof(nctx->err)); -+ memset(&nctx->plugins, 0, sizeof(nctx->plugins)); - - ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes); - if (ret) -@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) - ret = krb5_get_profile(ctx, &nctx->profile); - if (ret) - goto errout; -+ nctx->plugin_base_dir = 
strdup(ctx->plugin_base_dir); -+ if (nctx->plugin_base_dir == NULL) { -+ ret = ENOMEM; -+ goto errout; -+ } - - errout: - if (ret) { -diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c -index 9efe2e0..71f664f 100644 ---- a/src/lib/krb5/krb/etype_list.c -+++ b/src/lib/krb5/krb/etype_list.c -@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list) - krb5_enctype *list; - - *new_list = NULL; -+ if (old_list == NULL) -+ return 0; - count = k5_count_etypes(old_list); - list = malloc(sizeof(krb5_enctype) * (count + 1)); - if (list == NULL) - -commit b78c3c8c5025aec870d20472f80d4a652062f921 -Author: Greg Hudson <ghudson@mit.edu> -Date: Wed Dec 18 13:08:25 2013 -0500 - - Add a test program for krb5_copy_context - - This test program isn't completely proof against the kind of mistakes - we've made with krb5_copy_context in the past, but it at least - exercises krb5_copy_context and can detect some kinds of bugs. - - ticket: 7807 - -diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in -index 7d1682d..3b58219 100644 ---- a/src/lib/krb5/krb/Makefile.in -+++ b/src/lib/krb5/krb/Makefile.in -@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \ - $(srcdir)/t_expire_warn.c \ - $(srcdir)/t_authdata.c \ - $(srcdir)/t_cc_config.c \ -+ $(srcdir)/t_copy_context.c \ - $(srcdir)/t_in_ccache.c \ - $(srcdir)/t_response_items.c \ - $(srcdir)/t_vfy_increds.c -@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS) - t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS) - -+t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS) -+ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS) -+ - t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS) - - TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ -- t_in_ccache t_cc_config \ -+ t_in_ccache t_cc_config 
t_copy_context \ - t_princ t_etypes t_vfy_increds t_response_items - - check-unix:: $(TEST_PROGS) -@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS) - $(RUN_SETUP) $(VALGRIND) ./t_princ - $(RUN_SETUP) $(VALGRIND) ./t_etypes - $(RUN_SETUP) $(VALGRIND) ./t_response_items -+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ -+ $(RUN_SETUP) $(VALGRIND) ./t_copy_context - - check-pytests:: t_expire_warn t_vfy_increds - $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) -@@ -491,6 +497,7 @@ clean:: - $(OUTPRE)t_pac$(EXEEXT) $(OUTPRE)t_pac.$(OBJEXT) \ - $(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \ - $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \ -+ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \ - $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ - $(OUTPRE)t_response_items$(EXEEXT) $(OUTPRE)t_response_items.$(OBJEXT) - -diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c -new file mode 100644 -index 0000000..522fa0c ---- /dev/null -+++ b/src/lib/krb5/krb/t_copy_context.c -@@ -0,0 +1,162 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */ -+/* -+ * Copyright (C) 2013 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. 
-+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include <k5-int.h> -+ -+static void -+trace(krb5_context ctx, const krb5_trace_info *info, void *data) -+{ -+} -+ -+static void -+check(int cond) -+{ -+ if (!cond) -+ abort(); -+} -+ -+static void -+compare_string(const char *str1, const char *str2) -+{ -+ check((str1 == NULL) == (str2 == NULL)); -+ if (str1 != NULL) -+ check(strcmp(str1, str2) == 0); -+} -+ -+static void -+compare_etypes(krb5_enctype *list1, krb5_enctype *list2) -+{ -+ check((list1 == NULL) == (list2 == NULL)); -+ if (list1 == NULL) -+ return; -+ while (*list1 != ENCTYPE_NULL && *list1 == *list2) -+ list1++, list2++; -+ check(*list1 == *list2); -+} -+ -+/* Check that the context c is a valid copy of the reference context r. */ -+static void -+check_context(krb5_context c, krb5_context r) -+{ -+ int i; -+ -+ /* Check fields which should have been propagated from r. 
*/ -+ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes); -+ compare_etypes(c->tgs_etypes, r->tgs_etypes); -+ check(c->os_context.time_offset == r->os_context.time_offset); -+ check(c->os_context.usec_offset == r->os_context.usec_offset); -+ check(c->os_context.os_flags == r->os_context.os_flags); -+ compare_string(c->os_context.default_ccname, r->os_context.default_ccname); -+ check(c->clockskew == r->clockskew); -+ check(c->kdc_req_sumtype == r->kdc_req_sumtype); -+ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); -+ check(c->default_safe_sumtype == r->default_safe_sumtype); -+ check(c->kdc_default_options == r->kdc_default_options); -+ check(c->library_options == r->library_options); -+ check(c->profile_secure == r->profile_secure); -+ check(c->fcc_default_format == r->fcc_default_format); -+ check(c->udp_pref_limit == r->udp_pref_limit); -+ check(c->use_conf_ktypes == r->use_conf_ktypes); -+ check(c->allow_weak_crypto == r->allow_weak_crypto); -+ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname); -+ compare_string(c->plugin_base_dir, r->plugin_base_dir); -+ -+ /* Check fields which don't propagate. 
*/ -+ check(c->dal_handle == NULL); -+ check(c->ser_ctx_count == 0); -+ check(c->ser_ctx == NULL); -+ check(c->prompt_types == NULL); -+ check(c->libkrb5_plugins.files == NULL); -+ check(c->preauth_context == NULL); -+ check(c->ccselect_handles == NULL); -+ check(c->err.code == 0); -+ check(c->err.msg == NULL); -+ check(c->kdblog_context == NULL); -+ check(c->trace_callback == NULL); -+ check(c->trace_callback_data == NULL); -+ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) { -+ check(c->plugins[i].modules == NULL); -+ check(!c->plugins[i].configured); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ krb5_context ctx, ctx2; -+ krb5_plugin_initvt_fn *mods; -+ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 }; -+ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }; -+ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD }; -+ -+ /* Copy a default context and verify the result. */ -+ check(krb5_init_context(&ctx) == 0); -+ check(krb5_copy_context(ctx, &ctx2) == 0); -+ check_context(ctx2, ctx); -+ krb5_free_context(ctx2); -+ -+ /* Set non-default values for all of the propagated fields in ctx. 
*/ -+ ctx->allow_weak_crypto = TRUE; -+ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0); -+ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0); -+ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0); -+ check(krb5_cc_set_default_name(ctx, "defccname") == 0); -+ check(krb5_set_default_realm(ctx, "defrealm") == 0); -+ ctx->clockskew = 18; -+ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; -+ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; -+ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; -+ ctx->kdc_default_options = KDC_OPT_FORWARDABLE; -+ ctx->library_options = 0; -+ ctx->profile_secure = TRUE; -+ ctx->udp_pref_limit = 2345; -+ ctx->use_conf_ktypes = TRUE; -+ ctx->ignore_acceptor_hostname = TRUE; -+ free(ctx->plugin_base_dir); -+ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL); -+ -+ /* Also set some of the non-propagated fields. */ -+ ctx->prompt_types = ptypes; -+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0); -+ k5_plugin_free_modules(ctx, mods); -+ krb5_set_error_message(ctx, ENOMEM, "nooooooooo"); -+ krb5_set_trace_callback(ctx, trace, ctx); -+ -+ /* Copy the intentionally messy context and verify the result. */ -+ check(krb5_copy_context(ctx, &ctx2) == 0); -+ check_context(ctx2, ctx); -+ krb5_free_context(ctx2); -+ -+ krb5_free_context(ctx); -+ return 0; -+} diff --git a/krb5-1.11.3-spnego_error_messages.patch b/krb5-1.11.3-spnego_error_messages.patch deleted file mode 100644 index 0a14bd3..0000000 --- a/krb5-1.11.3-spnego_error_messages.patch +++ /dev/null 
@@ -1,175 +0,0 @@ -Test tweaked for 1.11.3. - -commit d160bc733a3dbeb6d84f4e175234ff18738d9f66 -Author: Simo Sorce <simo@redhat.com> -Date: Tue Dec 17 16:15:14 2013 -0500 - - Let SPNEGO display mechanism errors - - To avoid potential recursion we use a thread local variable that tells - us whether the ancestor was called via spnego_gss_display_name(). If - we detect recursion, we assume that we returned a com_err code like - ENOMEM and call error_message(); in the worst case that will result in - an "Unknown error" message. - - [ghudson@mit.edu: Edited comments and commit message; removed an - unneeded line of code.] - - ticket: 7045 - target_version: 1.12.1 - tags: pullup - -diff --git a/src/include/k5-thread.h b/src/include/k5-thread.h -index 1b7fa69..ab46ec3 100644 ---- a/src/include/k5-thread.h -+++ b/src/include/k5-thread.h -@@ -406,6 +406,7 @@ typedef enum { - K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, - K5_KEY_GSS_KRB5_CCACHE_NAME, - K5_KEY_GSS_KRB5_ERROR_MESSAGE, -+ K5_KEY_GSS_SPNEGO_STATUS, - #if defined(__MACH__) && defined(__APPLE__) - K5_KEY_IPC_CONNECTION_INFO, - #endif -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 06cfab0..7e4bf90 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -85,8 +85,8 @@ extern int gssint_put_der_length(unsigned int, unsigned char **, unsigned int); - - - /* private routines for spnego_mechanism */ --static spnego_token_t make_spnego_token(char *); --static gss_buffer_desc make_err_msg(char *); -+static spnego_token_t make_spnego_token(const char *); -+static gss_buffer_desc make_err_msg(const char *); - static int g_token_size(gss_OID_const, unsigned int); - static int g_make_token_header(gss_OID_const, unsigned int, - unsigned char **, unsigned int); -@@ -316,6 +316,12 @@ int gss_krb5int_lib_init(void); - - int gss_spnegoint_lib_init(void) - { -+ int err; -+ -+ err = k5_key_register(K5_KEY_GSS_SPNEGO_STATUS, NULL); -+ if (err) -+ return 
err; -+ - #ifdef _GSS_STATIC_LINK - return gss_spnegomechglue_init(); - #else -@@ -1791,7 +1797,6 @@ cleanup: - } - #endif /* LEAN_CLIENT */ - -- - /*ARGSUSED*/ - OM_uint32 KRB5_CALLCONV - spnego_gss_display_status( -@@ -1802,6 +1807,9 @@ spnego_gss_display_status( - OM_uint32 *message_context, - gss_buffer_t status_string) - { -+ OM_uint32 maj = GSS_S_COMPLETE; -+ int ret; -+ - dsyslog("Entering display_status\n"); - - *message_context = 0; -@@ -1832,13 +1840,31 @@ spnego_gss_display_status( - "return a valid token")); - break; - default: -- status_string->length = 0; -- status_string->value = ""; -+ /* Not one of our minor codes; might be from a mech. Call back -+ * to gss_display_status, but first check for recursion. */ -+ if (k5_getspecific(K5_KEY_GSS_SPNEGO_STATUS) != NULL) { -+ /* Perhaps we returned a com_err code like ENOMEM. */ -+ const char *err = error_message(status_value); -+ *status_string = make_err_msg(err); -+ break; -+ } -+ /* Set a non-null pointer value; doesn't matter which one. */ -+ ret = k5_setspecific(K5_KEY_GSS_SPNEGO_STATUS, &ret); -+ if (ret != 0) { -+ *minor_status = ret; -+ maj = GSS_S_FAILURE; -+ break; -+ } -+ maj = gss_display_status(minor_status, status_value, -+ status_type, mech_type, -+ message_context, status_string); -+ /* This is unlikely to fail; not much we can do if it does. */ -+ (void)k5_setspecific(K5_KEY_GSS_SPNEGO_STATUS, NULL); - break; - } - - dsyslog("Leaving display_status\n"); -- return (GSS_S_COMPLETE); -+ return maj; - } - - -@@ -3550,13 +3576,13 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received, - * these routines will be changes to return the error string. 
- */ - static spnego_token_t --make_spnego_token(char *name) -+make_spnego_token(const char *name) - { - return (spnego_token_t)strdup(name); - } - - static gss_buffer_desc --make_err_msg(char *name) -+make_err_msg(const char *name) - { - gss_buffer_desc buffer; - -commit 4faca53e3a8ee213d43da8998f6889e7bfd36248 -Author: Greg Hudson <ghudson@mit.edu> -Date: Wed Dec 18 16:03:16 2013 -0500 - - Test SPNEGO error message in t_s4u.py - - Now that #7045 is fixed, we can check for the correct error message - from t_s4u2proxy_krb5 with --spnego. - - ticket: 7045 - -diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py -index 67dc810..e4aa259 100644 ---- a/src/tests/gssapi/t_s4u.py -+++ b/src/tests/gssapi/t_s4u.py -@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or - 'NOT_ALLOWED_TO_DELEGATE' not in output): - fail('krb5 -> s4u2proxy') - --# Again with SPNEGO. Bug #7045 prevents us from checking the error --# message, but we can at least exercise the code. -+# Again with SPNEGO. - output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache, - storagecache, '-', pservice1, pservice2], - expected_code=1) --if ('auth1: ' + realm.user_princ not in output): -+if ('auth1: ' + realm.user_princ not in output or -+ 'NOT_ALLOWED_TO_DELEGATE' not in output): - fail('krb5 -> s4u2proxy (SPNEGO)') - - # Try krb5 -> S4U2Proxy without forwardable user creds. This should -@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') - - # Again with SPNEGO. This uses SPNEGO for the initial authentication, --# but still uses krb5 for S4U2Proxy (the delegated cred is returned as -+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as - # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred --# directly rather than saving and reacquiring it) so bug #7045 does --# not apply and we can verify the error message. -+# directly rather than saving and reacquiring it. 
- output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2], - expected_code=1) - if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch deleted file mode 100644 index 9613823..0000000 --- a/krb5-master-gss_oid_leak.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a -Author: Simo Sorce <simo@redhat.com> -Date: Fri Dec 13 12:00:41 2013 -0500 - - Fix memory leak in SPNEGO initiator - - If we eliminate a mechanism from the initiator list because - gss_init_sec_context fails, free the memory for that mech OID before - removing it from the list. - - [ghudson@mit.edu: clarified commit message] - - ticket: 7803 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 818a1b4..06cfab0 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status, - * can do this with recursion. If all mechanisms produce errors, the - * caller should get the error from the first mech in the list. - */ -+ gssalloc_free(sc->mech_set->elements->elements); - memmove(sc->mech_set->elements, sc->mech_set->elements + 1, - --sc->mech_set->count * sizeof(*sc->mech_set->elements)); - if (sc->mech_set->count == 0) diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch deleted file mode 100644 index 3ebb888..0000000 --- a/krb5-master-ignore-empty-unnecessary-final-token.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -commit 37af638b742dbd642eb70092e4f7781c3f69d86d -Author: Greg Hudson <ghudson@mit.edu> -Date: Tue Dec 10 12:04:18 2013 -0500 - - Fix SPNEGO one-hop interop against old IIS - - IIS 6.0 and similar return a zero length reponse buffer in the last - SPNEGO packet when context initiation is performed without mutual - authentication. In this case the underlying Kerberos mechanism has - already completed successfully on the first invocation, and SPNEGO - does not expect a mech response token in the answer. If we get an - empty mech response token when the mech is complete during - negotiation, ignore it. - - [ghudson@mit.edu: small code style and commit message changes] - - ticket: 7797 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 3937662..d82934b 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, - map_errcode(minor_status); - ret = GSS_S_DEFECTIVE_TOKEN; - } -+ } else if ((*responseToken)->length == 0 && sc->mech_complete) { -+ /* Handle old IIS servers returning empty token instead of -+ * null tokens in the non-mutual auth case. */ -+ *negState = ACCEPT_COMPLETE; -+ *tokflag = NO_TOKEN_SEND; -+ ret = GSS_S_COMPLETE; - } else if (sc->mech_complete) { - /* Reject spurious mech token. */ - ret = GSS_S_DEFECTIVE_TOKEN; diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch deleted file mode 100644 index d020ae6..0000000 --- a/krb5-master-keytab_close.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -commit decccbcb5075f8fbc28a535a9b337afc84a15dee -Author: Greg Hudson <ghudson@mit.edu> -Date: Mon Dec 16 15:37:56 2013 -0500 - - Fix GSS krb5 acceptor acquire_cred error handling - - When acquiring acceptor creds with a specified name, if we fail to - open a replay cache, we leak the keytab handle. If there is no - specified name and we discover that there is no content in the keytab, - we leak the keytab handle and return the wrong major code. Memory - leak reported by Andrea Campi. - - ticket: 7805 - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index 0efcad4..9547207 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context, - code = krb5_get_server_rcache(context, &cred->name->princ->data[0], - &cred->rcache); - if (code) { -+ krb5_kt_close(context, kt); - *minor_status = code; - return GSS_S_FAILURE; - } -@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context, - /* Make sure we have a keytab with keys in it. */ - code = krb5_kt_have_content(context, kt); - if (code) { -+ krb5_kt_close(context, kt); - *minor_status = code; -- return GSS_S_FAILURE; -+ return GSS_S_CRED_UNAVAIL; - } - } - @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.5 -Release: 1%{?dist} +Release: 2%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar Source0: krb5-%{version}.tar.gz @@ -1048,6 +1048,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.5-2 +- rebuild because I tagged the previous package wrong + * Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.5-1 - update to 1.11.5 - remove patch for RT#7650, obsoleted in 1.11.4 |
