From 14f028579db3f19c38efec9e683e4837ddb860b7 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood
Date: Mon, 19 Sep 2016 23:49:29 +0000
Subject: New upstream release and integrate with external git
---
 .gitignore | 3 +
 Add-KDC-pre-send-and-post-receive-KDC-hooks.patch | 314 +++++++++++
 Add-krb5_db_register_keytab.patch | 69 +++
 ...sts-for-send-and-receive-sendto_kdc-hooks.patch | 367 +++++++++++++
 ...KDC-error-for-encrypted-timestamp-preauth.patch | 68 +++
 ...-KDC-and-kadmind-log-files-with-mode-0640.patch | 65 +++
 ...impersonate_name-to-work-with-interposers.patch | 222 ++++++++
 Improve-bad-password-inference-in-kinit.patch | 82 +++
 Set-prompt-type-for-OTP-preauth-prompt.patch | 49 ++
 krb5-1.11-kpasswdtest.patch | 20 +-
 krb5-1.11-run_user_0.patch | 19 +-
 krb5-1.12-api.patch | 21 +-
 krb5-1.12-buildconf.patch | 73 ++-
 krb5-1.12-ksu-path.patch | 17 +-
 krb5-1.12-ktany.patch | 86 +--
 krb5-1.12.1-pam.patch | 144 ++--
 krb5-1.13-dirsrv-accountlock.patch | 41 +-
 krb5-1.13-selinux-label.patch | 584 ++++++++++++---------
 krb5-1.14.1-log_file_permissions.patch | 63 ---
 krb5-1.14.4-SNI-HTTP-Host.patch | 108 ----
 krb5-1.14.4-ofd-lock-workaround.patch | 73 ---
 krb5-1.14.4-responder-non-preauth.patch | 86 ---
 krb5-1.14.4-samba-client-mutual-flag.patch | 37 --
 krb5-1.15-improve-bad-password-inference.patch | 82 ---
 krb5-1.15-kdc-error-encrypted-timestamp.patch | 68 ---
 krb5-1.15-kdc_hooks_test.patch | 367 -------------
 krb5-1.15-kdc_send_receive_hooks.patch | 314 -----------
 krb5-1.15-krb5_db_register_keytab.patch | 69 ---
 krb5-1.15-otp-preauth-prompt-type.patch | 49 --
 krb5-1.3.1-dns.patch | 21 +-
 krb5-1.6.3-kdc_listen_all.patch | 247 --------
 krb5-1.9-debuginfo.patch | 28 +-
 krb5-acquire_cred_interposer.patch | 222 --------
 krb5-disable_ofd_locks.patch | 18 -
 krb5-kdcdir2.patch | 17 -
 krb5-pkinit-debug.patch | 99 ----
 krb5.spec | 108 ++--
 sources | 6 +-
 38 files changed, 1939 insertions(+), 2387 deletions(-)
 create mode 100644 Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
 create mode 100644 Add-krb5_db_register_keytab.patch
 create mode 100644 Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
 create mode 100644 Change-KDC-error-for-encrypted-timestamp-preauth.patch
 create mode 100644 Create-KDC-and-kadmind-log-files-with-mode-0640.patch
 create mode 100644 Fix-impersonate_name-to-work-with-interposers.patch
 create mode 100644 Improve-bad-password-inference-in-kinit.patch
 create mode 100644 Set-prompt-type-for-OTP-preauth-prompt.patch
 delete mode 100644 krb5-1.14.1-log_file_permissions.patch
 delete mode 100644 krb5-1.14.4-SNI-HTTP-Host.patch
 delete mode 100644 krb5-1.14.4-ofd-lock-workaround.patch
 delete mode 100644 krb5-1.14.4-responder-non-preauth.patch
 delete mode 100644 krb5-1.14.4-samba-client-mutual-flag.patch
 delete mode 100644 krb5-1.15-improve-bad-password-inference.patch
 delete mode 100644 krb5-1.15-kdc-error-encrypted-timestamp.patch
 delete mode 100644 krb5-1.15-kdc_hooks_test.patch
 delete mode 100644 krb5-1.15-kdc_send_receive_hooks.patch
 delete mode 100644 krb5-1.15-krb5_db_register_keytab.patch
 delete mode 100644 krb5-1.15-otp-preauth-prompt-type.patch
 delete mode 100644 krb5-1.6.3-kdc_listen_all.patch
 delete mode 100644 krb5-acquire_cred_interposer.patch
 delete mode 100644 krb5-disable_ofd_locks.patch
 delete mode 100644 krb5-kdcdir2.patch
 delete mode 100644 krb5-pkinit-debug.patch
diff --git a/.gitignore b/.gitignore
index fb86978..c75f856 100644
--- a/.gitignore
+++ b/.gitignore
@@ -136,3 +136,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.14.3.tar.gz
 /krb5-1.14.3.tar.gz.asc
 /krb5-1.14.3-pdfs.tar
+/krb5-1.14.4.tar.gz
+/krb5-1.14.4.tar.gz.asc
+/krb5-1.14.4-pdfs.tar
diff --git a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
new file mode 100644
index 0000000..63a3deb
--- /dev/null
+++ b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
@@ -0,0 +1,314 @@ +From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 3 Mar 2016 18:53:31 +0100 +Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks + +Add two new APIs, krb5_set_kdc_send_hook() and +krb5_set_kdc_recv_hook(), which can be used to inspect and override +messages sent to KDCs. + +[ghudson@mit.edu: style and documentation changes] + +ticket: 8386 (new) +--- + doc/appdev/refs/api/index.rst | 2 + + doc/appdev/refs/types/index.rst | 2 + + src/include/k5-int.h | 6 +++ + src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/libkrb5.exports | 2 + + src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++- + src/lib/krb5_32.def | 4 ++ + 7 files changed, 174 insertions(+), 2 deletions(-) + +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index 8df351d..e97cbca 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -268,6 +268,8 @@ Rarely used public interfaces + krb5_server_decrypt_ticket_keytab.rst + krb5_set_default_tgs_enctypes.rst + krb5_set_error_message.rst ++ krb5_set_kdc_recv_hook.rst ++ krb5_set_kdc_send_hook.rst + krb5_set_real_time.rst + krb5_string_to_cksumtype.rst + krb5_string_to_deltat.rst +diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst +index 51c4093..dc414cf 100644 +--- a/doc/appdev/refs/types/index.rst ++++ b/doc/appdev/refs/types/index.rst +@@ -57,6 +57,8 @@ Public + krb5_pa_svr_referral_data.rst + krb5_pa_data.rst + krb5_pointer.rst ++ krb5_post_recv_fn.rst ++ krb5_pre_send_fn.rst + krb5_preauthtype.rst + krb5_principal.rst + krb5_principal_data.rst +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 6b7b2e3..045abfc 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -1238,6 +1238,12 @@ struct _krb5_context { + krb5_trace_callback trace_callback; + void *trace_callback_data; + ++ krb5_pre_send_fn kdc_send_hook; ++ void 
*kdc_send_hook_data; ++ ++ krb5_post_recv_fn kdc_recv_hook; ++ void *kdc_recv_hook_data; ++ + struct plugin_interface plugins[PLUGIN_NUM_INTERFACES]; + char *plugin_base_dir; + }; +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index c93a0f2..2b0d59e 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, + krb5_error_code KRB5_CALLCONV + krb5_set_trace_filename(krb5_context context, const char *filename); + ++ ++/** ++ * Hook function for inspecting or modifying messages sent to KDCs. ++ * ++ * If the hook function returns an error code, the KDC communication will be ++ * aborted and the error code will be returned to the library operation which ++ * initiated the communication. ++ * ++ * If the hook function sets @a reply_out, @a message will not be sent to the ++ * KDC, and the given reply will used instead. ++ * ++ * If the hook function sets @a new_message_out, the given message will be sent ++ * to the KDC in place of @a message. ++ * ++ * If the hook function returns successfully without setting either output, ++ * @a message will be sent to the KDC normally. ++ * ++ * The hook function should use krb5_copy_data() to construct the value for ++ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly ++ * by the library. 
++ * ++ * @param [in] context Library context ++ * @param [in] data Callback data ++ * @param [in] realm The realm the message will be sent to ++ * @param [in] message The original message to be sent to the KDC ++ * @param [out] new_message_out Optional replacement message to be sent ++ * @param [out] reply_out Optional synthetic reply ++ * ++ * @retval 0 Success ++ * @return A Kerberos error code ++ */ ++typedef krb5_error_code ++(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, ++ const krb5_data *realm, ++ const krb5_data *message, ++ krb5_data **new_message_out, ++ krb5_data **new_reply_out); ++ ++/** ++ * Hook function for inspecting or overriding KDC replies. ++ * ++ * If @a code is zero, @a reply contains the reply received from the KDC. The ++ * hook function may return an error code to simulate an error, may synthesize ++ * a different reply by setting @a new_reply_out, or may simply return ++ * successfully to do nothing. ++ * ++ * If @a code is non-zero, KDC communication failed and @a reply should be ++ * ignored. The hook function may return @a code or a different error code, or ++ * may synthesize a reply by setting @a new_reply_out and return successfully. ++ * ++ * The hook function should use krb5_copy_data() to construct the value for ++ * @a new_reply_out, to ensure that it can be freed correctly by the library. 
++ * ++ * @param [in] context Library context ++ * @param [in] data Callback data ++ * @param [in] code Status of KDC communication ++ * @param [in] realm The realm the reply was received from ++ * @param [in] message The message sent to the realm's KDC ++ * @param [in] reply The reply received from the KDC ++ * @param [out] new_reply_out Optional replacement reply ++ * ++ * @retval 0 Success ++ * @return A Kerberos error code ++ */ ++typedef krb5_error_code ++(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, ++ krb5_error_code code, ++ const krb5_data *realm, ++ const krb5_data *message, ++ const krb5_data *reply, ++ krb5_data **new_reply_out); ++ ++/** ++ * Set a KDC pre-send hook function. ++ * ++ * @a send_hook will be called before messages are sent to KDCs by library ++ * functions such as krb5_get_credentials(). The hook function may inspect, ++ * override, or synthesize its own reply to the message. ++ * ++ * @param [in] context Library context ++ * @param [in] send_hook Hook function (or NULL to disable the hook) ++ * @param [in] data Callback data to be passed to @a send_hook ++ */ ++void KRB5_CALLCONV ++krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, ++ void *data); ++ ++/** ++ * Set a KDC post-receive hook function. ++ * ++ * @a recv_hook will be called after a reply is received from a KDC during a ++ * call to a library function such as krb5_get_credentials(). The hook ++ * function may inspect or override the reply. This hook will not be executed ++ * if the pre-send hook returns a synthetic reply. ++ * ++ * @param [in] context The library context. 
++ * @param [in] recv_hook Hook function (or NULL to disable the hook) ++ * @param [in] data Callback data to be passed to @a recv_hook ++ */ ++void KRB5_CALLCONV ++krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, ++ void *data); ++ ++ + #if TARGET_OS_MAC + # pragma pack(pop) + #endif +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index c623409..ea6982d 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -581,6 +581,8 @@ krb5_set_password + krb5_set_password_using_ccache + krb5_set_principal_realm + krb5_set_real_time ++krb5_set_kdc_send_hook ++krb5_set_kdc_recv_hook + krb5_set_time_offsets + krb5_set_trace_callback + krb5_set_trace_filename +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 6231de2..be00b8f 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context, + return 1; + } + ++void ++krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, ++ void *data) ++{ ++ context->kdc_send_hook = send_hook; ++ context->kdc_send_hook_data = data; ++} ++ ++void ++krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, ++ void *data) ++{ ++ context->kdc_recv_hook = recv_hook; ++ context->kdc_recv_hook_data = data; ++} ++ + /* + * send the formatted request 'message' to a KDC for realm 'realm' and + * return the response (if any) in 'reply'. 
+@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context, + + krb5_error_code + krb5_sendto_kdc(krb5_context context, const krb5_data *message, +- const krb5_data *realm, krb5_data *reply, int *use_master, ++ const krb5_data *realm, krb5_data *reply_out, int *use_master, + int no_udp) + { + krb5_error_code retval, err; + struct serverlist servers; + int server_used; + k5_transport_strategy strategy; ++ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL; ++ ++ *reply_out = empty_data(); + + /* + * find KDC location(s) for realm +@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + if (retval) + return retval; + ++ if (context->kdc_send_hook != NULL) { ++ retval = context->kdc_send_hook(context, context->kdc_send_hook_data, ++ realm, message, &hook_message, ++ &hook_reply); ++ if (retval) ++ goto cleanup; ++ ++ if (hook_reply != NULL) { ++ *reply_out = *hook_reply; ++ free(hook_reply); ++ goto cleanup; ++ } ++ ++ if (hook_message != NULL) ++ message = hook_message; ++ } ++ + err = 0; + retval = k5_sendto(context, message, realm, &servers, strategy, NULL, +- reply, NULL, NULL, &server_used, ++ &reply, NULL, NULL, &server_used, + check_for_svc_unavailable, &err); + if (retval == KRB5_KDC_UNREACH) { + if (err == KDC_ERR_SVC_UNAVAILABLE) { +@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + realm->length, realm->data); + } + } ++ ++ if (context->kdc_recv_hook != NULL) { ++ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data, ++ retval, realm, message, &reply, ++ &hook_reply); ++ } + if (retval) + goto cleanup; + ++ if (hook_reply != NULL) { ++ *reply_out = *hook_reply; ++ free(hook_reply); ++ } else { ++ *reply_out = reply; ++ reply = empty_data(); ++ } ++ + /* Set use_master to 1 if we ended up talking to a master when we didn't + * explicitly request to. 
*/ + if (*use_master == 0) { +@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, + } + + cleanup: ++ krb5_free_data(context, hook_message); ++ krb5_free_data_contents(context, &reply); + k5_free_serverlist(&servers); + return retval; + } +diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def +index 3734e9b..8d58ea1 100644 +--- a/src/lib/krb5_32.def ++++ b/src/lib/krb5_32.def +@@ -463,3 +463,7 @@ EXPORTS + krb5_vwrap_error_message @430 + krb5_c_prfplus @431 + krb5_c_derive_prfplus @432 ++ ++; new in 1.15 ++ krb5_set_kdc_send_hook @433 ++ krb5_set_kdc_recv_hook @434 +-- +2.9.3 + diff --git a/Add-krb5_db_register_keytab.patch b/Add-krb5_db_register_keytab.patch new file mode 100644 index 0000000..fd77167 --- /dev/null +++ b/Add-krb5_db_register_keytab.patch 
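Review bot: In the new krb5_sendto_kdc body, a recv hook that sets new_reply_out and also returns an error leaks the synthetic reply: the `if (retval) goto cleanup;` placed right after the kdc_recv_hook call skips the block that takes ownership of hook_reply, and the cleanup label frees only hook_message and reply. The header text presents the two outcomes as alternatives, but the library should not depend on every hook honouring that; releasing it on that path, `if (retval) { krb5_free_data(context, hook_reply); goto cleanup; }`, closes the gap, and krb5_free_data is already relied on in cleanup to tolerate a NULL hook_message. The send-hook path is fine because a synthetic reply there is consumed before its goto, and hook_message is freed in cleanup either way. krb5_sendto_kdc's signature is in the hunk but the function runs past the first inner sendto_kdc.c hunk; the other hunks in this patch touch only headers, export lists and docs.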
@@ -0,0 +1,69 @@ +From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 7 Sep 2016 18:33:43 +0200 +Subject: [PATCH 19/19] Add krb5_db_register_keytab() + +Add a public libkdb5 function to register the KDB keytab type. This +functionality is needed for out-of-tree KDC servers such as the Samba +kpasswd service. + +[ghudson@mit.edu: edited comments, whitespace, commit message] + +ticket: 8494 (new) +(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7) +--- + src/include/kdb.h | 7 +++++++ + src/lib/kdb/keytab.c | 6 ++++++ + src/lib/kdb/libkdb5.exports | 1 + + 3 files changed, 14 insertions(+) + +diff --git a/src/include/kdb.h b/src/include/kdb.h +index 9d3bf9d..048327c 100644 +--- a/src/include/kdb.h ++++ b/src/include/kdb.h +@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count); + void + krb5_dbe_free_string(krb5_context, char *); + ++/* ++ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name. ++ * For this type to work, the context used for keytab operations must have an ++ * associated database handle (via krb5_db_open()). 
++ */ ++krb5_error_code krb5_db_register_keytab(krb5_context context); ++ + #define KRB5_KDB_DEF_FLAGS 0 + + #define KDB_MAX_DB_NAME 128 +diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c +index b85b67d..c6aa100 100644 +--- a/src/lib/kdb/keytab.c ++++ b/src/lib/kdb/keytab.c +@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data { + } krb5_ktkdb_data; + + krb5_error_code ++krb5_db_register_keytab(krb5_context context) ++{ ++ return krb5_kt_register(context, &krb5_kt_kdb_ops); ++} ++ ++krb5_error_code + krb5_ktkdb_resolve(context, name, id) + krb5_context context; + const char * name; +diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports +index cb4c3df..e5d1045 100644 +--- a/src/lib/kdb/libkdb5.exports ++++ b/src/lib/kdb/libkdb5.exports +@@ -85,6 +85,7 @@ krb5_db_delete_policy + krb5_db_free_policy + krb5_def_store_mkey_list + krb5_db_promote ++krb5_db_register_keytab + ulog_add_update + ulog_init_header + ulog_map +-- +2.9.3 + diff --git a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch new file mode 100644 index 0000000..7237327 --- /dev/null +++ b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch 
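Review bot: The new prototype in kdb.h, `krb5_error_code krb5_db_register_keytab(krb5_context context);`, puts the return type on the same line as the name, whereas the neighbouring declaration `krb5_dbe_free_string` in that header and the new definition in keytab.c put it on its own line; splitting it as `krb5_error_code` / `krb5_db_register_keytab(krb5_context context);` keeps the header consistent. The block comment could also state that the return value is whatever krb5_kt_register() reports, since the wrapper adds no handling of its own.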
@@ -0,0 +1,367 @@ +From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 7 Mar 2016 17:59:07 +0100 +Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks + +[ghudson@mit.edu: style changes] + +ticket: 8386 + +Conflicts: + src/tests/Makefile.in +[rharwood@redhat.com: fix cherry-pick merge conflicts] +[rharwood@redhat.com: locally remove gitignore] +--- + src/tests/Makefile.in | 12 ++- + src/tests/deps | 10 ++ + src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/tests/t_hooks.py | 9 ++ + 5 files changed, 281 insertions(+), 4 deletions(-) + create mode 100644 src/tests/hooks.c + create mode 100755 src/tests/t_hooks.py + +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index b24e197..0fc0ea9 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -6,9 +6,9 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ + RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ + LC_ALL=C $(VALGRIND) + +-OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o kdbtest.o plugorder.o \ ++OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o kdbtest.o plugorder.o \ + t_init_creds.o t_localauth.o rdreq.o responder.o s2p.o s4u2proxy.o +-EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c kdbtest.c plugorder.c \ ++EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c kdbtest.c plugorder.c \ + t_init_creds.c t_localauth.c rdreq.o responder.c s2p.c s4u2proxy.c + + TEST_DB = ./testdb +@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS) + hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) + ++hooks: hooks.o $(KRB5_BASE_DEPLIBS) ++ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS) ++ + hrealm: hrealm.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS) + +@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf + $(RUN_DB_TEST) 
../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f + $(RM) $(TEST_DB)* stash_file + +-check-pytests:: adata etinfo gcred hist hrealm kdbtest plugorder rdreq ++check-pytests:: adata etinfo gcred hist hooks hrealm kdbtest plugorder rdreq + check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter + $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS) +@@ -159,7 +163,7 @@ check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter + $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) + + clean:: +- $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p ++ $(RM) gcred hist hooks hrealm kdbtest plugorder rdreq responder s2p + $(RM) adata etinfo gcred hist hrealm kdbtest plugorder rdreq responder + $(RM) s2p s4u2proxy t_init_creds t_localauth krb5.conf kdc.conf + $(RM) -rf kdc_realm/sandbox ldap +diff --git a/src/tests/deps b/src/tests/deps +index de33c55..3634dc4 100644 +--- a/src/tests/deps ++++ b/src/tests/deps +@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + hist.c ++$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ ++ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ ++ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ ++ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ ++ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ 
++ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ ++ $(top_srcdir)/include/socket-utils.h hooks.c + $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +diff --git a/src/tests/hooks.c b/src/tests/hooks.c +new file mode 100644 +index 0000000..fabdb89 +--- /dev/null ++++ b/src/tests/hooks.c +@@ -0,0 +1,253 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* tests/hooks.c - test harness for KDC send and recv hooks */ ++/* ++ * Copyright (C) 2016 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "k5-int.h" ++ ++static krb5_context ctx; ++ ++static void ++check_code(krb5_error_code code, const char *file, int line) ++{ ++ const char *errmsg; ++ ++ if (code) { ++ errmsg = krb5_get_error_message(ctx, code); ++ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg, ++ (int)code); ++ krb5_free_error_message(ctx, errmsg); ++ exit(1); ++ } ++} ++ ++#define check(code) check_code((code), __FILE__, __LINE__) ++ ++/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */ ++static krb5_error_code ++test_send_as_req(krb5_context context, void *data, const krb5_data *realm, ++ const krb5_data *message, krb5_data **new_message_out, ++ krb5_data **reply_out) ++{ ++ krb5_kdc_req *as_req; ++ int cmp; ++ ++ assert(krb5_is_as_req(message)); ++ check(decode_krb5_as_req(message, &as_req)); ++ ++ assert(as_req->msg_type == KRB5_AS_REQ); ++ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE); ++ assert(as_req->client->realm.length == realm->length); ++ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length); ++ assert(cmp == 0); ++ ++ /* Remove the canonicalize flag and create a new message. */ ++ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE; ++ check(encode_krb5_as_req(as_req, new_message_out)); ++ ++ krb5_free_kdc_req(context, as_req); ++ return 0; ++} ++ ++/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. 
*/ ++static krb5_error_code ++test_recv_as_rep(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ krb5_kdc_rep *as_rep; ++ ++ assert(code == 0); ++ assert(krb5_is_as_rep(reply)); ++ check(decode_krb5_as_rep(reply, &as_rep)); ++ ++ assert(as_rep->msg_type == KRB5_AS_REP); ++ assert(as_rep->ticket->enc_part.kvno == 1); ++ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype)); ++ ++ krb5_free_kdc_rep(context, as_rep); ++ return 0; ++} ++ ++/* Create a fake error reply. */ ++static krb5_error_code ++test_send_error(krb5_context context, void *data, const krb5_data *realm, ++ const krb5_data *message, krb5_data **new_message_out, ++ krb5_data **reply_out) ++{ ++ krb5_error_code ret; ++ krb5_error err; ++ krb5_principal client, server; ++ char *realm_str, *princ_str; ++ int r; ++ ++ realm_str = k5memdup0(realm->data, realm->length, &ret); ++ check(ret); ++ ++ r = asprintf(&princ_str, "invalid@%s", realm_str); ++ assert(r > 0); ++ check(krb5_parse_name(ctx, princ_str, &client)); ++ free(princ_str); ++ ++ r = asprintf(&princ_str, "krbtgt@%s", realm_str); ++ assert(r > 0); ++ check(krb5_parse_name(ctx, princ_str, &server)); ++ free(princ_str); ++ free(realm_str); ++ ++ err.magic = KV5M_ERROR; ++ err.ctime = 1971196337; ++ err.cusec = 0; ++ err.susec = 97008; ++ err.stime = 1458219390; ++ err.error = 6; ++ err.client = client; ++ err.server = server; ++ err.text = string2data("CLIENT_NOT_FOUND"); ++ err.e_data = empty_data(); ++ check(encode_krb5_error(&err, reply_out)); ++ ++ krb5_free_principal(ctx, client); ++ krb5_free_principal(ctx, server); ++ return 0; ++} ++ ++static krb5_error_code ++test_recv_error(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ /* The send hook created a reply, so this hook should not be executed. 
*/ ++ abort(); ++} ++ ++/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */ ++static krb5_error_code ++test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ krb5_kdc_rep *as_rep; ++ ++ assert(code == 0); ++ assert(krb5_is_as_rep(reply)); ++ check(decode_krb5_as_rep(reply, &as_rep)); ++ ++ as_rep->msg_type = KRB5_TGS_REP; ++ check(encode_krb5_as_rep(as_rep, new_reply)); ++ ++ krb5_free_kdc_rep(context, as_rep); ++ return 0; ++} ++ ++/* Return an error given by the callback data argument. */ ++static krb5_error_code ++test_send_return_value(krb5_context context, void *data, ++ const krb5_data *realm, const krb5_data *message, ++ krb5_data **new_message_out, krb5_data **reply_out) ++{ ++ assert(data != NULL); ++ return *(krb5_error_code *)data; ++} ++ ++/* Return an error given by the callback argument. */ ++static krb5_error_code ++test_recv_return_value(krb5_context context, void *data, krb5_error_code code, ++ const krb5_data *realm, const krb5_data *message, ++ const krb5_data *reply, krb5_data **new_reply) ++{ ++ assert(data != NULL); ++ return *(krb5_error_code *)data; ++} ++ ++int ++main(int argc, char *argv[]) ++{ ++ const char *principal, *password; ++ krb5_principal client; ++ krb5_get_init_creds_opt *opts; ++ krb5_creds creds; ++ krb5_error_code ret, test_return_code; ++ ++ if (argc != 3) { ++ fprintf(stderr, "Usage: %s princname password\n", argv[0]); ++ exit(1); ++ } ++ principal = argv[1]; ++ password = argv[2]; ++ ++ check(krb5_init_context(&ctx)); ++ check(krb5_parse_name(ctx, principal, &client)); ++ ++ /* Use a send hook to modify an outgoing AS-REQ. The library will detect ++ * the modification in the reply. 
*/ ++ check(krb5_get_init_creds_opt_alloc(ctx, &opts)); ++ krb5_get_init_creds_opt_set_canonicalize(opts, 1); ++ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, opts); ++ assert(ret == KRB5_KDCREP_MODIFIED); ++ krb5_get_init_creds_opt_free(ctx, opts); ++ ++ /* Use a send hook to synthesize a KRB-ERROR reply. */ ++ krb5_set_kdc_send_hook(ctx, test_send_error, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN); ++ ++ /* Use a recv hook to modify a KDC reply. */ ++ krb5_set_kdc_send_hook(ctx, NULL, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE); ++ ++ /* Verify that the user data pointer works in the send hook. */ ++ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED; ++ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code); ++ krb5_set_kdc_recv_hook(ctx, NULL, NULL); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED); ++ ++ /* Verify that the user data pointer works in the recv hook. 
*/ ++ test_return_code = KRB5KDC_ERR_NULL_KEY; ++ krb5_set_kdc_send_hook(ctx, NULL, NULL); ++ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code); ++ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, NULL); ++ assert(ret == KRB5KDC_ERR_NULL_KEY); ++ ++ krb5_free_principal(ctx, client); ++ krb5_free_context(ctx); ++ return 0; ++} +diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py +new file mode 100755 +index 0000000..58dff3a +--- /dev/null ++++ b/src/tests/t_hooks.py +@@ -0,0 +1,9 @@ ++#!/usr/bin/python ++from k5test import * ++ ++# Test that KDC send and recv hooks work correctly. ++realm = K5Realm(create_host=False, get_creds=False) ++realm.run(['./hooks', realm.user_princ, password('user')]) ++realm.stop() ++ ++success('send and recv hook tests') +-- +2.9.3 + diff --git a/Change-KDC-error-for-encrypted-timestamp-preauth.patch b/Change-KDC-error-for-encrypted-timestamp-preauth.patch new file mode 100644 index 0000000..a66d004 --- /dev/null +++ b/Change-KDC-error-for-encrypted-timestamp-preauth.patch 
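Review bot: `err.error = 6;` in test_send_error is a bare protocol error code; main() later asserts that the library surfaces this fake reply as `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN`, so writing `err.error = KDC_ERR_C_PRINCIPAL_UNKNOWN;` makes the link between the synthesized KRB-ERROR and the expected result visible. The fixed ctime, stime and susec values are fine for a synthetic reply, but a one-line comment saying they are arbitrary would spare the next reader from wondering whether the library validates them. All hunks in this patch add test files and build glue, so the point applies only to hooks.c.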
@@ -0,0 +1,68 @@ +From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 8 Aug 2016 18:03:55 +0200 +Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth + +When encrypted timestamp pre-authentication fails, respond with error +code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for +consistency with other Kerberos implementations. + +[ghudson@mit.edu: clarified commit message and comment] + +ticket: 8471 (new) +(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af) +--- + src/kdc/kdc_preauth_encts.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c +index 65f7c36..e80dc12 100644 +--- a/src/kdc/kdc_preauth_encts.c ++++ b/src/kdc/kdc_preauth_encts.c +@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_key_data * client_key; + krb5_int32 start; + krb5_timestamp timenow; +- krb5_error_code decrypt_err = 0; + + scratch.data = (char *)pa->contents; + scratch.length = pa->length; +@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + goto cleanup; + + start = 0; +- decrypt_err = 0; + while (1) { + if ((retval = krb5_dbe_search_enctype(context, rock->client, + &start, enc_data->enctype, +@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_free_keyblock_contents(context, &key); + if (retval == 0) + break; +- else +- decrypt_err = retval; + } + + if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) +@@ -119,14 +115,10 @@ cleanup: + krb5_free_data_contents(context, &enc_ts_data); + if (pa_enc) + free(pa_enc); +- /* +- * If we get NO_MATCHING_KEY and decryption previously failed, and +- * we failed to find any other keys of the correct enctype after +- * that failed decryption, it probably means that the password was +- * 
incorrect. +- */ +- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) +- retval = decrypt_err; ++ /* If we get NO_MATCHING_KEY, it probably means that the password was ++ * incorrect. */ ++ if (retval == KRB5_KDB_NO_MATCHING_KEY) ++ retval = KRB5KDC_ERR_PREAUTH_FAILED; + + (*respond)(arg, retval, NULL, NULL, NULL); + } +-- +2.9.3 + diff --git a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch new file mode 100644 index 0000000..9810acd --- /dev/null +++ b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch 
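Review bot: The new mapping in `cleanup` turns every `KRB5_KDB_NO_MATCHING_KEY` into `KRB5KDC_ERR_PREAUTH_FAILED`, which now covers two distinct situations: the timestamp failed to decrypt under every key of the requested enctype, and the principal has no key of that enctype at all (the removed `decrypt_err` check distinguished them). Returning one code for both is defensible, since the reply then reveals nothing about which enctypes the principal has keys for, but the comment should say so instead of asserting the password was "probably" wrong; suggested wording: `/* NO_MATCHING_KEY means either that no key of the requested enctype decrypted the timestamp or that none exists; report PREAUTH_FAILED for both, matching other implementations. */`. Anyone correlating this error with lockout counters or audit logs should be aware the distinction is gone; any KDC-side log line for this path is outside the hunk. `enc_ts_verify` begins before the hunk.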
@@ -0,0 +1,65 @@ +From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:58:44 -0400 +Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640 + +In krb5_klog_init(), use open() and fdopen() to open log files so that +we can specify a mode. Specify a mode which doesn't include the +group-write, other-read, or other-write bits even if the process umask +allows them. + +[ghudson@mit.edu: wrote commit message, de-indented post-open setup +code] +[rharwood@redhat.com: backport not clean due to SELinux patching] + +ticket: 8344 (new) +--- + src/lib/kadm5/logger.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index 64f9641..0517efe 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do + const char *logging_profent[3]; + const char *logging_defent[3]; + char **logging_specs; +- int i, ngood; ++ int i, ngood, fd, append; + char *cp, *cp2; + char savec = '\0'; + int error; +@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do + /* + * Check for append/overwrite, then open the file. + */ +- if (cp[4] == ':' || cp[4] == '=') { +- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); +- if (f) { +- set_cloexec_file(f); +- log_control.log_entries[i].lfu_filep = f; +- log_control.log_entries[i].log_type = K_LOG_FILE; +- log_control.log_entries[i].lfu_fname = &cp[5]; +- } else { ++ append = (cp[4] == ':') ? O_APPEND : 0; ++ if (append || cp[4] == '=') { ++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, ++ S_IRUSR | S_IWUSR | S_IRGRP); ++ if (fd != -1) ++ f = fdopen(fd, append ? 
"a" : "w"); ++ if (fd == -1 || f == NULL) { + fprintf(stderr,"Couldn't open log file %s: %s\n", + &cp[5], error_message(errno)); + continue; + } ++ set_cloexec_file(f); ++ log_control.log_entries[i].lfu_filep = f; ++ log_control.log_entries[i].log_type = K_LOG_FILE; ++ log_control.log_entries[i].lfu_fname = &cp[5]; + } + } + #ifdef HAVE_SYSLOG +-- +2.9.3 + diff --git a/Fix-impersonate_name-to-work-with-interposers.patch b/Fix-impersonate_name-to-work-with-interposers.patch new file mode 100644 index 0000000..84e9e00 --- /dev/null +++ b/Fix-impersonate_name-to-work-with-interposers.patch 
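Review bot: The overwrite case (`cp[4] == '='`) no longer truncates the log file: `THREEPARAMOPEN` is called with `O_CREAT | O_WRONLY | append` where `append` is 0, and `fdopen(fd, "w")` does not truncate the way the removed `WRITABLEFOPEN(..., "w")` did, so new records are written over the head of an existing file and any longer stale tail survives — a problem for a log that may later be read during incident review. Pass the truncation flag explicitly, e.g. `fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC),` / `S_IRUSR | S_IWUSR | S_IRGRP);`. The error branch also leaks `fd` when `open()` succeeded but `fdopen()` failed; add `if (fd != -1) close(fd);` before the `continue;`. Note that the 0640 mode applies only when the file is created; a pre-existing log file keeps whatever mode it already has. `krb5_klog_init` begins before the hunk.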
@@ -0,0 +1,222 @@ +From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 13 Nov 2015 14:54:11 -0500 +Subject: [PATCH 12/19] Fix impersonate_name to work with interposers + +This follows the same modifications applied to +gss_acquire_cred_with_password() when interposer plugins were +introduced. + +[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in +spnego_gss_acquire_cred_impersonate_name() since it is released in the +cleanup handler] + +ticket: 8280 (new) +--- + src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- + src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- + 2 files changed, 54 insertions(+), 39 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +index 0dd4f87..9eab25e 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + gss_cred_id_t cred = NULL; + gss_OID new_mechs_array = NULL; + gss_cred_id_t * new_cred_array = NULL; ++ gss_OID_set target_mechs = GSS_C_NO_OID_SET; ++ gss_OID selected_mech = GSS_C_NO_OID; + + status = val_add_cred_impersonate_name_args(minor_status, + input_cred_handle, +@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + if (status != GSS_S_COMPLETE) + return (status); + +- mech = gssint_get_mechanism(desired_mech); ++ status = gssint_select_mech_type(minor_status, desired_mech, ++ &selected_mech); ++ if (status != GSS_S_COMPLETE) ++ return status; ++ ++ mech = gssint_get_mechanism(selected_mech); + if (!mech) + return GSS_S_BAD_MECH; + else if (!mech->gss_acquire_cred_impersonate_name) +@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + internal_name = GSS_C_NO_NAME; + } else { + union_cred = (gss_union_cred_t)input_cred_handle; +- if 
(gssint_get_mechanism_cred(union_cred, desired_mech) != ++ if (gssint_get_mechanism_cred(union_cred, selected_mech) != + GSS_C_NO_CREDENTIAL) + return (GSS_S_DUPLICATE_ELEMENT); + } + + mech_impersonator_cred = + gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, +- desired_mech); ++ selected_mech); + if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) + return (GSS_S_NO_CRED); + + /* may need to create a mechanism specific name */ + union_name = (gss_union_name_t)desired_name; + if (union_name->mech_type && +- g_OID_equal(union_name->mech_type, +- &mech->mech_type)) ++ g_OID_equal(union_name->mech_type, selected_mech)) + internal_name = union_name->mech_name; + else { + if (gssint_import_internal_name(minor_status, +- &mech->mech_type, union_name, +- &allocated_name) != GSS_S_COMPLETE) ++ selected_mech, union_name, ++ &allocated_name) != GSS_S_COMPLETE) + return (GSS_S_BAD_NAME); + internal_name = allocated_name; + } +@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + else + time_req = 0; + ++ status = gss_create_empty_oid_set(minor_status, &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ ++ status = gss_add_oid_set_member(minor_status, ++ gssint_get_public_oid(selected_mech), ++ &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ + status = mech->gss_acquire_cred_impersonate_name(minor_status, + mech_impersonator_cred, + internal_name, + time_req, +- GSS_C_NULL_OID_SET, ++ target_mechs, + cred_usage, + &cred, + NULL, +@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + + new_cred_array[union_cred->count] = cred; + if ((new_mechs_array[union_cred->count].elements = +- malloc(mech->mech_type.length)) == NULL) ++ malloc(selected_mech->length)) == NULL) + goto errout; + +- g_OID_copy(&new_mechs_array[union_cred->count], +- &mech->mech_type); ++ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); + + if (actual_mechs != NULL) { +- gss_OID_set_desc 
oids; +- +- oids.count = union_cred->count + 1; +- oids.elements = new_mechs_array; +- +- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); ++ status = gssint_make_public_oid_set(minor_status, new_mechs_array, ++ union_cred->count + 1, ++ actual_mechs); + if (GSS_ERROR(status)) { + free(new_mechs_array[union_cred->count].elements); + goto errout; +@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + /* We're done with the internal name. Free it if we allocated it. */ + + if (allocated_name) +- (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, ++ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, + &allocated_name); + ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); ++ + return (GSS_S_COMPLETE); + + errout: +@@ -503,8 +517,10 @@ errout: + + if (allocated_name) + (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, +- &allocated_name); ++ selected_mech, &allocated_name); ++ ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); + + if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) + free(union_cred); +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 07435d8..99e374f 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) + { +- OM_uint32 status; ++ OM_uint32 status, tmpmin; + gss_OID_set amechs = GSS_C_NULL_OID_SET; + spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; +- gss_cred_id_t imp_mcred, out_mcred; ++ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; + + dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); + +@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + + imp_spcred = 
(spnego_gss_cred_id_t)impersonator_cred_handle; + imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; +- if (desired_mechs == GSS_C_NO_OID_SET) { +- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, +- NULL, &amechs); +- if (status != GSS_S_COMPLETE) +- return status; +- +- desired_mechs = amechs; +- } ++ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, ++ NULL, &amechs); ++ if (status != GSS_S_COMPLETE) ++ return status; + + status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, + desired_name, time_req, +- desired_mechs, cred_usage, ++ amechs, cred_usage, + &out_mcred, actual_mechs, + time_rec); +- +- if (amechs != GSS_C_NULL_OID_SET) +- (void) gss_release_oid_set(minor_status, &amechs); ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; + + status = create_spnego_cred(minor_status, out_mcred, &out_spcred); +- if (status != GSS_S_COMPLETE) { +- gss_release_cred(minor_status, &out_mcred); +- return (status); +- } ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; ++ ++ out_mcred = GSS_C_NO_CREDENTIAL; + *output_cred_handle = (gss_cred_id_t)out_spcred; + ++cleanup: ++ (void) gss_release_oid_set(&tmpmin, &amechs); ++ (void) gss_release_cred(&tmpmin, &out_mcred); ++ + dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); + return (status); + } +-- +2.9.3 + diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch new file mode 100644 index 0000000..23b0536 --- /dev/null +++ b/Improve-bad-password-inference-in-kinit.patch 
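Review bot: In `spnego_gss_acquire_cred_impersonate_name` the `desired_mechs` parameter is now never read — the rewritten body always inquires the impersonator credential and passes `amechs` to `gss_acquire_cred_impersonate_name` — yet the signature still accepts it and nothing in the hunk records that it is intentionally ignored. Add a comment where the removed `if (desired_mechs == GSS_C_NO_OID_SET)` block stood, e.g. `/* desired_mechs is ignored: the impersonated cred is acquired for the mechanisms the impersonator cred already holds, as the commit message says was done for gss_acquire_cred_with_password(). */`, so a caller that tries to restrict mechanisms is not surprised. The cleanup path itself looks right: `out_mcred` is reset to `GSS_C_NO_CREDENTIAL` once ownership moves into `out_spcred`, so the unconditional `gss_release_cred` in `cleanup` cannot release it twice, and the early `return status` after a failed `gss_inquire_cred` happens before `amechs` is allocated.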
@@ -0,0 +1,82 @@ +From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 25 Jul 2016 13:28:43 -0400 +Subject: [PATCH 17/19] Improve bad password inference in kinit + +kinit currently outputs "Password incorrect" if it sees a +bad-integrity error code, which results if the KDC reply couldn't be +decrypted, or when encrypted timestamp preauth fails against an MIT +krb5 1.14 or earlier KDC. Expand this check to include general +preauth failures reported by the KDC, but only if a password was +prompted for. + +ticket: 8465 (new) +(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595) +--- + src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c +index eba36b9..990fd11 100644 +--- a/src/clients/kinit/kinit.c ++++ b/src/clients/kinit/kinit.c +@@ -700,9 +700,18 @@ kinit_prompter( + krb5_prompt prompts[] + ) + { +- krb5_error_code rc = +- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); +- return rc; ++ krb5_boolean *pwprompt = data; ++ krb5_prompt_type *ptypes; ++ int i; ++ ++ /* Make a note if we receive a password prompt. 
*/ ++ ptypes = krb5_get_prompt_types(ctx); ++ for (i = 0; i < num_prompts; i++) { ++ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD) ++ *pwprompt = TRUE; ++ } ++ ++ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); + } + + static int +@@ -715,6 +724,7 @@ k5_kinit(opts, k5) + krb5_creds my_creds; + krb5_error_code code = 0; + krb5_get_init_creds_opt *options = NULL; ++ krb5_boolean pwprompt = FALSE; + int i; + + memset(&my_creds, 0, sizeof(my_creds)); +@@ -819,7 +829,7 @@ k5_kinit(opts, k5) + switch (opts->action) { + case INIT_PW: + code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, +- 0, kinit_prompter, 0, ++ 0, kinit_prompter, &pwprompt, + opts->starttime, + opts->service_name, + options); +@@ -856,11 +866,15 @@ k5_kinit(opts, k5) + break; + } + +- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) ++ /* If reply decryption failed, or if pre-authentication failed and we ++ * were prompted for a password, assume the password was wrong. */ ++ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY || ++ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) { + fprintf(stderr, _("%s: Password incorrect while %s\n"), progname, + doing); +- else ++ } else { + com_err(progname, code, _("while %s"), doing); ++ } + goto cleanup; + } + +-- +2.9.3 + diff --git a/Set-prompt-type-for-OTP-preauth-prompt.patch b/Set-prompt-type-for-OTP-preauth-prompt.patch new file mode 100644 index 0000000..343df6b --- /dev/null +++ b/Set-prompt-type-for-OTP-preauth-prompt.patch 
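Review bot: `kinit_prompter` now writes through `data` unconditionally (`*pwprompt = TRUE`) whenever a password prompt appears, and the only call site this patch changes is the `INIT_PW` one, which now passes `&pwprompt`; if any other path still hands the prompter a null data pointer (the old code passed `0` here), a password prompt there would dereference NULL. A one-line guard keeps the function safe for every caller: `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`. The `ptypes != NULL` test can also be hoisted above the loop since `ptypes` does not change inside it. The new inference in `k5_kinit` (`pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED`) reports any KDC-side preauth failure as a wrong password once a password was typed, which is the intended heuristic, but the comment above it could note that other preauth mechanisms returning that code will produce the same message.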
@@ -0,0 +1,49 @@ +From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 25 Jul 2016 13:23:31 -0400 +Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt + +Add k5_set_prompt_type() calls around the prompter invocation in +preauth_otp.c, and add the comment we conventionally put before +prompter invocations. + +ticket: 8464 (new) +(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89) +--- + src/lib/krb5/krb/preauth_otp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c +index 37f98b2..48fcbb5 100644 +--- a/src/lib/krb5/krb/preauth_otp.c ++++ b/src/lib/krb5/krb/preauth_otp.c +@@ -31,6 +31,7 @@ + #include "k5-int.h" + #include "k5-json.h" + #include "int-proto.h" ++#include "os-proto.h" + + #include + #include +@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data, + krb5_prompt prompt; + krb5_data prompt_reply; + krb5_error_code retval; ++ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + + if (prompttxt == NULL || out == NULL) + return EINVAL; +@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data, + prompt.prompt = (char *)prompttxt; + prompt.hidden = 1; + ++ /* PROMPTER_INVOCATION */ ++ k5_set_prompt_types(context, &prompt_type); + retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt); ++ k5_set_prompt_types(context, NULL); + if (retval != 0) + return retval; + +-- +2.9.3 + diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index f07b225..d2ab8b0 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch 
@@ -1,6 +1,17 @@ ---- krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto -+++ krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto -@@ -7,6 +7,7 @@ +From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:52:01 -0400 +Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch + +--- + src/kadmin/testing/proto/krb5.conf.proto | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto +index e9702bb..482fda6 100644 +--- a/src/kadmin/testing/proto/krb5.conf.proto ++++ b/src/kadmin/testing/proto/krb5.conf.proto +@@ -8,6 +8,7 @@ __REALM__ = { kdc = __KDCHOST__:1750 admin_server = __KDCHOST__:1751 @@ -8,3 +19,6 @@ database_module = foobar_db2_module_blah } +-- +2.9.3 + diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 6be760a..454b731 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,9 +1,19 @@ +From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:49:57 -0400 +Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch + A hack: if we're looking at creating a ccache directory directly below the /run/user/0 directory, and /run/user/0 doesn't exist, try to create it, too. +--- + src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) ---- krb5/src/lib/krb5/ccache/cc_dir.c -+++ krb5/src/lib/krb5/ccache/cc_dir.c +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index 73f0fe6..4850c0d 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c @@ -61,6 +61,8 @@ #include @@ -13,7 +23,7 @@ it, too. extern const krb5_cc_ops krb5_dcc_ops; extern const krb5_cc_ops krb5_fcc_ops; -@@ -239,6 +241,18 @@ +@@ -237,6 +239,18 @@ verify_dir(krb5_context context, const char *dirname) if (stat(dirname, &st) < 0) { if (errno == ENOENT) { 
@@ -32,3 +42,6 @@ it, too. #ifdef USE_SELINUX selabel = krb5int_push_fscreatecon_for(dirname); #endif +-- +2.9.3 + diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index f5432a3..61417f1 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,10 +1,20 @@ +From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:47:00 -0400 +Subject: [PATCH 07/19] krb5-1.12-api.patch + Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. +--- + src/lib/krb5/krb/princ_comp.c | 7 +++++++ + 1 file changed, 7 insertions(+) ---- krb5/src/lib/krb5/krb/princ_comp.c -+++ krb5/src/lib/krb5/krb/princ_comp.c -@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context +diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c +index a693610..0ed7883 100644 +--- a/src/lib/krb5/krb/princ_comp.c ++++ b/src/lib/krb5/krb/princ_comp.c +@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context, const krb5_data *realm1 = &princ1->realm; const krb5_data *realm2 = &princ2->realm; @@ -15,7 +25,7 @@ crashing if applications don't check ahead of time. if (realm1->length != realm2->length) return FALSE; if (realm1->length == 0) -@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex +@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context, krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; @@ -25,3 +35,6 @@ crashing if applications don't check ahead of time. if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { +-- +2.9.3 + diff --git a/krb5-1.12-buildconf.patch b/krb5-1.12-buildconf.patch index 11b816f..efe9106 100644 --- a/krb5-1.12-buildconf.patch +++ b/krb5-1.12-buildconf.patch 
@@ -1,33 +1,24 @@ +From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:45:26 -0400 +Subject: [PATCH 05/19] krb5-1.12-buildconf.patch + Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. +--- + src/build-tools/krb5-config.in | 7 +++++++ + src/config/pre.in | 2 +- + src/config/shlib.conf | 5 +++-- + 3 files changed, 11 insertions(+), 3 deletions(-) ---- krb5/src/config/shlib.conf -+++ krb5/src/config/shlib.conf -@@ -419,7 +419,7 @@ mips-*-netbsd*) - SHLIBEXT=.so - # Linux ld doesn't default to stuffing the SONAME field... - # Use objdump -x to examine the fields of the library -- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel' - # - LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' - SHLIB_EXPORT_FILE_DEP=binutils.versions -@@ -430,7 +430,8 @@ - SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' - PROFFLAGS=-pg - PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' - CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' ---- krb5/src/build-tools/krb5-config.in -+++ 
krb5/src/build-tools/krb5-config.in -@@ -189,6 +189,13 @@ if test -n "$do_libs"; then +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index c17cb5e..1891dea 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -226,6 +226,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` @@ -41,9 +32,11 @@ not just assume that the compiler supports using these flags. if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -188,7 +188,7 @@ +diff --git a/src/config/pre.in b/src/config/pre.in +index 63271e7..c100fef 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ 
@@ -52,3 +45,29 @@ not just assume that the compiler supports using these flags. ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ +diff --git a/src/config/shlib.conf b/src/config/shlib.conf +index 55f16be..f4a762c 100644 +--- a/src/config/shlib.conf ++++ b/src/config/shlib.conf +@@ -422,7 +422,7 @@ mips-*-netbsd*) + SHLIBEXT=.so + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel' + # + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' + SHLIB_EXPORT_FILE_DEP=binutils.versions +@@ -433,7 +433,8 @@ mips-*-netbsd*) + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +-- +2.9.3 + diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 65552c9..61f654a 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch 
@@ -1,7 +1,17 @@ +From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:32:09 -0400 +Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch + Set the default PATH to the one set by login. +--- + src/clients/ksu/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) ---- krb5/src/clients/ksu/Makefile.in -+++ krb5/src/clients/ksu/Makefile.in +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index ad2406a..1379c4a 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in @@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. @@ -10,3 +20,6 @@ Set the default PATH to the one set by login. KSU_LIBS=@KSU_LIBS@ PAM_LIBS=@PAM_LIBS@ +-- +2.9.3 + diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index 88f1a7e..4ca1c75 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch 
@@ -1,10 +1,51 @@ +From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:33:53 -0400 +Subject: [PATCH 04/19] krb5-1.12-ktany.patch + Adds an "ANY" keytab type which is a list of other keytab locations to search when searching for a specific entry. When iterated through, it only presents the contents of the first keytab. +--- + src/lib/krb5/keytab/Makefile.in | 3 + + src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/keytab/ktbase.c | 7 +- + 3 files changed, 301 insertions(+), 1 deletion(-) + create mode 100644 src/lib/krb5/keytab/kt_any.c -diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c ---- /dev/null 2009-06-04 10:34:55.169007373 -0400 -+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400 +diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in +index 28485d5..c17ab82 100644 +--- a/src/lib/krb5/keytab/Makefile.in ++++ b/src/lib/krb5/keytab/Makefile.in +@@ -12,6 +12,7 @@ STLIBOBJS= \ + ktfr_entry.o \ + ktremove.o \ + ktfns.o \ ++ kt_any.o \ + kt_file.o \ + kt_memory.o \ + kt_srvtab.o \ +@@ -24,6 +25,7 @@ OBJS= \ + $(OUTPRE)ktfr_entry.$(OBJEXT) \ + $(OUTPRE)ktremove.$(OBJEXT) \ + $(OUTPRE)ktfns.$(OBJEXT) \ ++ $(OUTPRE)kt_any.$(OBJEXT) \ + $(OUTPRE)kt_file.$(OBJEXT) \ + $(OUTPRE)kt_memory.$(OBJEXT) \ + $(OUTPRE)kt_srvtab.$(OBJEXT) \ +@@ -36,6 +38,7 @@ SRCS= \ + $(srcdir)/ktfr_entry.c \ + $(srcdir)/ktremove.c \ + $(srcdir)/ktfns.c \ ++ $(srcdir)/kt_any.c \ + $(srcdir)/kt_file.c \ + $(srcdir)/kt_memory.c \ + $(srcdir)/kt_srvtab.c \ +diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c +new file mode 100644 +index 0000000..1b9b776 +--- /dev/null ++++ b/src/lib/krb5/keytab/kt_any.c @@ -0,0 +1,292 @@ +/* + * lib/krb5/keytab/kt_any.c 
@@ -298,10 +339,11 @@ diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c + free(data->choices); + free(data); +} -diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c ---- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400 -@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops; +diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c +index 0d39b29..6534d7c 100644 +--- a/src/lib/krb5/keytab/ktbase.c ++++ b/src/lib/krb5/keytab/ktbase.c +@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops; extern const krb5_kt_ops krb5_ktf_writable_ops; extern const krb5_kt_ops krb5_kts_ops; extern const krb5_kt_ops krb5_mkt_ops; @@ -322,30 +364,6 @@ diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktba }; const static struct krb5_kt_typelist krb5_kt_typelist_memory = { &krb5_mkt_ops, -diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in ---- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400 -@@ -19,6 +19,7 @@ STLIBOBJS= \ - ktfr_entry.o \ - ktremove.o \ - ktfns.o \ -+ kt_any.o \ - kt_file.o \ - kt_memory.o \ - kt_srvtab.o \ -@@ -31,6 +32,7 @@ OBJS= \ - $(OUTPRE)ktfr_entry.$(OBJEXT) \ - $(OUTPRE)ktremove.$(OBJEXT) \ - $(OUTPRE)ktfns.$(OBJEXT) \ -+ $(OUTPRE)kt_any.$(OBJEXT) \ - $(OUTPRE)kt_file.$(OBJEXT) \ - $(OUTPRE)kt_memory.$(OBJEXT) \ - $(OUTPRE)kt_srvtab.$(OBJEXT) \ -@@ -43,6 +45,7 @@ SRCS= \ - $(srcdir)/ktfr_entry.c \ - $(srcdir)/ktremove.c \ - $(srcdir)/ktfns.c \ -+ $(srcdir)/kt_any.c \ - $(srcdir)/kt_file.c \ - $(srcdir)/kt_memory.c \ - $(srcdir)/kt_srvtab.c \ +-- +2.9.3 + diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index 5a8e65e..39d296d 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch 
@@ -1,3 +1,8 @@ +From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:29:58 -0400 +Subject: [PATCH 01/19] krb5-1.12.1-pam.patch + Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default service name is "ksu", because on Fedora at least the configuration used @@ -11,11 +16,22 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges, and to apply on top of changes we're proposing for how it handles cache collections. +--- + src/aclocal.m4 | 67 ++++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 88 +++++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 +++++++ + src/configure.in | 2 + + 6 files changed, 608 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h -diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4 ---- krb5/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 -+++ krb5/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500 -@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index dbb7db2..ce045ab 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ ])) ])dnl dnl 
@@ -86,9 +102,48 @@ diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c ---- krb5/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500 -+++ krb5/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500 +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index c705fda..ad2406a 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all:: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean:: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 2f8d8e1..1b2ca83 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ @@ -116,7 +171,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -586,6 +592,23 @@ main (argc, argv) +@@ -514,6 +520,23 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); 
@@ -140,7 +195,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -651,6 +676,24 @@ +@@ -574,6 +597,24 @@ main (argc, argv) exit(1); } @@ -165,7 +220,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c } if( some_rest_copy){ -@@ -720,6 +745,30 @@ +@@ -631,6 +672,30 @@ main (argc, argv) exit(1); } @@ -196,7 +251,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -792,7 +817,7 @@ main (argc, argv) +@@ -728,7 +793,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -205,7 +260,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -823,16 +875,35 @@ main (argc, argv) +@@ -758,16 +823,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } 
@@ -242,46 +297,11 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c exit (1); } } -diff -up krb5/src/clients/ksu/Makefile.in.pam krb5/src/clients/ksu/Makefile.in ---- krb5/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500 -+++ krb5/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500 -@@ -7,12 +7,14 @@ - DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' - - KSU_LIBS=@KSU_LIBS@ -+PAM_LIBS=@PAM_LIBS@ - - SRCS = \ - $(srcdir)/krb_auth_su.c \ - $(srcdir)/ccache.c \ - $(srcdir)/authorization.c \ - $(srcdir)/main.c \ -+ $(srcdir)/pam.c \ - $(srcdir)/heuristic.c \ - $(srcdir)/xmalloc.c \ - $(srcdir)/setenv.c -@@ -21,13 +23,17 @@ OBJS = \ - ccache.o \ - authorization.o \ - main.o \ -+ pam.o \ - heuristic.o \ - xmalloc.o @SETENVOBJ@ - - all:: ksu - - ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) -+ -+pam.o: pam.c -+ $(CC) $(ALL_CFLAGS) -c $< - - clean:: - $(RM) ksu -diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c ---- krb5/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500 -+++ krb5/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500 +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 0000000..cbfe487 +--- /dev/null ++++ b/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -672,9 +692,11 @@ diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c + return ret; +} +#endif -diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h ---- krb5/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500 -+++ krb5/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500 +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 0000000..0ab7656 +--- /dev/null ++++ b/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h 
@@ -733,10 +755,11 @@ diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -diff -up krb5/src/configure.in.pam krb5/src/configure.in ---- krb5/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500 -+++ krb5/src/configure.in 2010-03-05 10:48:08.000000000 -0500 -@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a " +diff --git a/src/configure.in b/src/configure.in +index b2a8675..8846ca0 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -745,3 +768,6 @@ diff -up krb5/src/configure.in.pam krb5/src/configure.in # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' +-- +2.9.3 + diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index 0a6661c..bb35ffe 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch 
@@ -1,10 +1,21 @@ +From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:47:44 -0400 +Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch + Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from original version filed as RT#5891. +--- + src/aclocal.m4 | 9 +++++++++ + src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++ + 3 files changed, 29 insertions(+) -diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 ---- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500 -+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500 -@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index ed343c5..f67eef7 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then AC_MSG_NOTICE(enabling OpenLDAP database backend module support) OPENLDAP_PLUGIN=yes fi 
@@ -20,10 +31,11 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 ])dnl dnl dnl If libkeyutils exists (on Linux) include it and use keyring ccache -diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500 -@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +index aca8f31..0a0968c 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); if (ret) goto cleanup; 
@@ -47,11 +59,11 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); if (ret) - goto cleanup; -diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500 -@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +index 6a06f55..1f87e21 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname", "krbLastFailedAuth", "krbLoginFailedCount", "krbLastSuccessfulAuth", @@ -61,3 +73,6 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou "krbLastPwdChange", "krbLastAdminUnlock", "krbExtraData", +-- +2.9.3 + diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.13-selinux-label.patch index 1cd86c0..feb034f 100644 --- a/krb5-1.13-selinux-label.patch +++ b/krb5-1.13-selinux-label.patch @@ -1,3 +1,8 @@ +From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch + SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. 
@@ -30,10 +35,42 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.in | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/lib/krb5/rcache/rc_dfl.c | 13 + + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/slave/kpropd.c | 9 + + src/util/gss-kernel-lib/Makefile.in | 5 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 381 +++++++++++++++++++++ + 26 files changed, 566 insertions(+), 22 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c ---- krb5/src/aclocal.m4 -+++ krb5/src/aclocal.m4 -@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index ce045ab..311f099 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -41,7 +78,7 @@ which we used earlier, is some improvement. KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) +@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl 
@@ -93,9 +130,32 @@ which we used earlier, is some improvement. +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f6184da..c17cb5e 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -255,7 +256,7 @@ if test -n "$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index b0d9015..63271e7 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -174,6 +174,7 @@ LD = $(PURE) @LD@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ @@ -103,7 +163,7 @@ which we used earlier, is some improvement. INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ @@ -112,9 +172,11 @@ which we used earlier, is some improvement. KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! ---- krb5/src/configure.in -+++ krb5/src/configure.in -@@ -1053,6 +1053,8 @@ fi +diff --git a/src/configure.in b/src/configure.in +index 8846ca0..9ec8d84 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM 
@@ -123,8 +185,10 @@ which we used earlier, is some improvement. # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' ---- krb5/src/include/k5-int.h -+++ krb5/src/include/k5-int.h +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 41c3d1b..6b7b2e3 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h @@ -129,6 +129,7 @@ typedef unsigned char u_char; @@ -133,8 +197,11 @@ which we used earlier, is some improvement. #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ ---- krb5/src/include/k5-label.h -+++ krb5/src/include/k5-label.h +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 0000000..dfaaa84 +--- /dev/null ++++ b/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H @@ -168,8 +235,10 @@ which we used earlier, is some improvement. +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif ---- krb5/src/include/krb5/krb5.hin -+++ krb5/src/include/krb5/krb5.hin +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index e2c08ae..c93a0f2 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -183,9 +252,11 @@ which we used earlier, is some improvement. #define KRB5_OLD_CRYPTO #include ---- krb5/src/kadmin/dbutil/dump.c -+++ krb5/src/kadmin/dbutil/dump.c -@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index 253bf3f..9c8c3dc 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) { int fd = -1; FILE *f; 
@@ -207,7 +278,7 @@ which we used earlier, is some improvement. if (fd == -1) goto error; -@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char +@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd) return 0; } @@ -216,28 +287,24 @@ which we used earlier, is some improvement. if (*fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); exit_status++; ---- krb5/src/build-tools/krb5-config.in -+++ krb5/src/build-tools/krb5-config.in -@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' - DEFCCNAME='@DEFCCNAME@' - DEFKTNAME='@DEFKTNAME@' - DEFCKTNAME='@DEFCKTNAME@' -+SELINUX_LIBS='@SELINUX_LIBS@' - - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -218,7 +219,7 @@ - fi - - # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 82dfc0e..936f46b 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -847,7 +847,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; - echo $lib_flags ---- krb5/src/lib/kadm5/logger.c -+++ krb5/src/lib/kadm5/logger.c -@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index 19c4355..64f9641 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do * Check for append/overwrite, then open the file. */ if (cp[4] == ':' || cp[4] == '=') { 
@@ -246,7 +313,7 @@ which we used earlier, is some improvement. if (f) { set_cloexec_file(f); log_control.log_entries[i].lfu_filep = f; -@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ 
@@ -255,9 +322,74 @@ which we used earlier, is some improvement. if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; ---- krb5/src/lib/krb5/keytab/kt_file.c -+++ krb5/src/lib/krb5/keytab/kt_file.c -@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 99cda59..523b99a 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + int ulogfd = -1; + + if (stat(logname, &st) == -1) { +- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (ulogfd == -1) + return errno; + +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index bba64e5..73f0fe6 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, 
+ _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index e105a51..ff1fc54 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -266,7 +398,7 @@ which we used earlier, is some improvement. (mode == KRB5_LOCKMODE_EXCLUSIVE) ? fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { -@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context +@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) /* try making it first time around */ k5_create_secure_file(context, KTFILENAME(id)); errno = 0; 
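Review bot: In the cc_dir.c part of this hunk, `write_primary_file` and `verify_dir` call `krb5int_pop_fscreatecon(selabel)` unconditionally, while the rc_dfl.c change in the following hunk (`@@ -275,20 +407,84 @@`) guards the same call with `if (selabel != NULL)`. Whether `krb5int_push_fscreatecon_for` can return NULL and whether pop tolerates it is decided in src/util/support/selinux.c, whose body is not part of this diff, so one of the two call sites is presumably either over- or under-defensive. I would settle on one convention, state it where the helpers are declared, e.g. `/* krb5int_pop_fscreatecon() accepts NULL; push may return NULL when labeling is unavailable or fails. */`, and make the three call sites match. Both enclosing functions start and end outside the hunk.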
@@ -275,20 +407,84 @@ which we used earlier, is some improvement. if (!KTFILEP(id)) goto report_errno; writevno = 1; ---- krb5/src/plugins/kdb/db2/adb_openclose.c -+++ krb5/src/plugins/kdb/db2/adb_openclose.c -@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 83c8d4d..a192461 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c +index 2fb6aa0..c453189 100644 +--- a/src/lib/krb5/rcache/rc_dfl.c ++++ b/src/lib/krb5/rcache/rc_dfl.c +@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! 
t->recovering) { + name = t->name; +@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a3..2b9d019 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + * needs be open read/write so that write locking can work with * POSIX systems */ - lockp->lockinfo.filename = strdup(lockfilename); - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { + if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { /* * maybe someone took away write permission so we could only * get shared locks? ---- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. 
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index e97b841..5d1cd61 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17..d5809a5 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; #include #include @@ -296,7 +492,7 @@ which we used earlier, is some improvement. #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) goto einval; } @@ -305,9 +501,11 @@ which we used earlier, is some improvement. goto err; } else { ---- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 2a5b4f8..7239d03 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; #include #endif @@ -315,7 +513,7 @@ which we used earlier, is some improvement. #include "db-int.h" #include "hash.h" #include "page.h" -@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info +@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) new_table = 1; } if (file) { 
@@ -324,9 +522,33 @@ which we used earlier, is some improvement. RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } ---- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -179,7 +179,7 @@ done: +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e7..b0daa7c 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index 64d0f91..5d5c0a6 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -178,7 +178,7 @@ done: /* set password in the file */ old_mode = umask(0177); @@ -335,7 +557,7 @@ which we used earlier, is some improvement. if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -220,6 +220,9 @@ done: +@@ -219,6 +219,9 @@ done: * Delete the existing entry and add the new entry */ FILE *newfile; @@ -345,7 +567,7 @@ which we used earlier, is some improvement. mode_t omask; -@@ -231,7 +234,13 @@ done: +@@ -230,7 +233,13 @@ done: } omask = umask(077); 
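Review bot: rec_open.c in this hunk gains `#include "k5-int.h"` solely so that `__rec_open` can call `THREEPARAMOPEN`, which pulls the whole private krb5 header into the vendored libdb2 sources. The new `src/include/k5-label.h` earlier in this patch also defines the fallback `#define THREEPARAMOPEN(x,y,z) open(x,y,z)`, so `#include "k5-label.h"` is likely the narrower dependency here and for the includes the neighbouring bt_open.c/hash.c hunks add, assuming that header is self-contained (only part of it is visible). Since `__rec_open` is where the caller-supplied `mode` becomes the created file's permissions, a short comment above the call such as `/* THREEPARAMOPEN also applies the SELinux file-creation label when built with USE_SELINUX. */` would help the next reader of this code. `__rec_open` starts and ends outside the hunk.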
@@ -359,9 +581,11 @@ which we used earlier, is some improvement. umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); ---- krb5/src/slave/kpropd.c -+++ krb5/src/slave/kpropd.c -@@ -437,6 +437,9 @@ void doit(fd) +diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c +index 1383156..a950924 100644 +--- a/src/slave/kpropd.c ++++ b/src/slave/kpropd.c +@@ -464,6 +464,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -371,7 +595,7 @@ which we used earlier, is some improvement. signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -515,9 +518,15 @@ void doit(fd) +@@ -520,9 +523,15 @@ doit(int fd) free(name); exit(1); } 
@@ -387,9 +611,37 @@ which we used earlier, is some improvement. retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { ---- krb5/src/util/profile/prof_file.c -+++ krb5/src/util/profile/prof_file.c -@@ -30,6 +30,7 @@ +diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in +index f70f3c6..7a2f9cc 100644 +--- a/src/util/gss-kernel-lib/Makefile.in ++++ b/src/util/gss-kernel-lib/Makefile.in +@@ -61,6 +61,7 @@ HEADERS= \ + gssapi_err_generic.h \ + k5-int.h \ + k5-int-pkinit.h \ ++ k5-label.h \ + k5-thread.h \ + k5-platform.h \ + k5-buf.h \ +@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h + $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ + gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h + $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ +-k5-int.h: $(INCLUDE)/k5-int.h ++k5-int.h: $(INCLUDE)/k5-int.h k5-label.h + $(CP) $(INCLUDE)/k5-int.h $@ + k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h + $(CP) $(INCLUDE)/k5-int-pkinit.h $@ ++k5-label.h: $(INCLUDE)/k5-label.h ++ $(CP) $(INCLUDE)/k5-label.h $@ + k5-thread.h: $(INCLUDE)/k5-thread.h + $(CP) $(INCLUDE)/k5-thread.h $@ + k5-platform.h: $(INCLUDE)/k5-platform.h +diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index 907c119..0f5462a 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -33,6 +33,7 @@ #endif #include "k5-platform.h" @@ -397,7 +649,7 @@ which we used earlier, is some improvement. struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ +@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, errno = 0; 
@@ -406,9 +658,11 @@ which we used earlier, is some improvement. if (!f) { retval = errno; if (retval == 0) ---- krb5/src/util/support/Makefile.in -+++ krb5/src/util/support/Makefile.in -@@ -54,6 +54,7 @@ IPC_SYMS= \ +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 5181762..f77acd4 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -59,6 +59,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -416,7 +670,7 @@ which we used earlier, is some improvement. init-addrinfo.o \ plugins.o \ errors.o \ -@@ -108,7 +109,7 @@ SRCS=\ +@@ -131,7 +132,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -425,8 +679,11 @@ which we used earlier, is some improvement. DEPLIBS= ---- krb5/src/util/support/selinux.c -+++ krb5/src/util/support/selinux.c +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 0000000..ffba6a9 +--- /dev/null ++++ b/src/util/support/selinux.c @@ -0,0 +1,381 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. 
@@ -809,171 +1066,6 @@ which we used earlier, is some improvement. +} + +#endif ---- krb5/src/lib/krb5/rcache/rc_dfl.c -+++ krb5/src/lib/krb5/rcache/rc_dfl.c -@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { ---- krb5/src/lib/krb5/ccache/cc_dir.c -+++ krb5/src/lib/krb5/ccache/cc_dir.c -@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p - char *newpath = NULL; - FILE *fp = NULL; - int fd = -1, status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) - return ENOMEM; -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(primary_path); -+#endif - fd = mkstemp(newpath); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd < 0) - goto cleanup; - #ifdef HAVE_CHMOD -@@ -223,10 +232,23 @@ - verify_dir(krb5_context context, const char *dirname) - { - struct stat st; -+ int status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (stat(dirname, &st) < 0) { -- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) -- return 0; -+ if (errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(dirname); -+#endif -+ status = mkdir(dirname, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ if (status == 0) -+ return 0; -+ } - 
k5_setmsg(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not exist"), - dirname); ---- krb5/src/lib/krb5/os/trace.c -+++ krb5/src/lib/krb5/os/trace.c -@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con - fd = malloc(sizeof(*fd)); - if (fd == NULL) - return ENOMEM; -- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); -+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (*fd == -1) { - free(fd); - return errno; ---- krb5/src/plugins/kdb/db2/kdb_db2.c -+++ krb5/src/plugins/kdb/db2/kdb_db2.c -@@ -683,8 +683,8 @@ - if (retval) - return retval; - -- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, -- 0600); -+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, -+ O_CREAT | O_RDWR | O_TRUNC, 0600); - if (dbc->db_lf_file < 0) { - retval = errno; - goto cleanup; ---- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,8 @@ - int rfd = -1, sverrno; - - /* Open the user's file -- if this fails, we're done. 
*/ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && -+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { ---- krb5/src/kdc/main.c -+++ krb5/src/kdc/main.c -@@ -905,7 +905,7 @@ write_pid_file(const char *path) - FILE *file; - unsigned long pid; - -- file = fopen(path, "w"); -+ file = WRITABLEFOPEN(path, "w"); - if (file == NULL) - return errno; - pid = (unsigned long) getpid(); ---- krb5/src/lib/kdb/kdb_log.c -+++ krb5/src/lib/kdb/kdb_log.c -@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha - int ulogfd = -1; - - if (stat(logname, &st) == -1) { -- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); -+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; - ---- krb5/src/util/gss-kernel-lib/Makefile.in -+++ krb5/src/util/gss-kernel-lib/Makefile.in -@@ -60,6 +60,7 @@ HEADERS= \ - gssapi_err_generic.h \ - k5-int.h \ - k5-int-pkinit.h \ -+ k5-label.h \ - k5-thread.h \ - k5-platform.h \ - k5-buf.h \ -@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ - $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ - gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ --k5-int.h: $(INCLUDE)/k5-int.h -+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h - $(CP) $(INCLUDE)/k5-int.h $@ - k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h - $(CP) $(INCLUDE)/k5-int-pkinit.h $@ -+k5-label.h: $(INCLUDE)/k5-label.h -+ $(CP) $(INCLUDE)/k5-label.h $@ - k5-thread.h: $(INCLUDE)/k5-thread.h - $(CP) $(INCLUDE)/k5-thread.h $@ - k5-platform.h: $(INCLUDE)/k5-platform.h +-- +2.9.3 + diff --git a/krb5-1.14.1-log_file_permissions.patch b/krb5-1.14.1-log_file_permissions.patch deleted file mode 100644 index 0fb965c..0000000 --- a/krb5-1.14.1-log_file_permissions.patch +++ /dev/null 
@@ -1,63 +0,0 @@
-From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Thu, 17 Dec 2015 13:31:39 -0500
-Subject: [PATCH] Create KDC and kadmind log files with mode 0640
-
-In krb5_klog_init(), use open() and fdopen() to open log files so that
-we can specify a mode. Specify a mode which doesn't include the
-group-write, other-read, or other-write bits even if the process umask
-allows them.
-
-[ghudson@mit.edu: wrote commit message, de-indented post-open setup
-code]
-[rharwood@redhat.com: backport not clean due to SELinux patching]
-
-ticket: 8344 (new)
----
- src/lib/kadm5/logger.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index 19c4355..f4a9387 100644
-
---- a/src/lib/kadm5/logger.c 2016-01-21 18:52:52.529544902 +0000
-+++ b/src/lib/kadm5/logger.c 2016-01-21 18:57:22.923972419 +0000
-@@ -354,7 +354,7 @@
- const char *logging_profent[3];
- const char *logging_defent[3];
- char **logging_specs;
-- int i, ngood;
-+ int i, ngood, fd, append;
- char *cp, *cp2;
- char savec = '\0';
- int error;
-@@ -422,18 +422,21 @@
- /*
- * Check for append/overwrite, then open the file.
- */
-- if (cp[4] == ':' || cp[4] == '=') {
-- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
-- if (f) {
-- set_cloexec_file(f);
-- log_control.log_entries[i].lfu_filep = f;
-- log_control.log_entries[i].log_type = K_LOG_FILE;
-- log_control.log_entries[i].lfu_fname = &cp[5];
-- } else {
-+ append = (cp[4] == ':') ? O_APPEND : 0;
-+ if (append || cp[4] == '=') {
-+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
-+ S_IRUSR | S_IWUSR | S_IRGRP);
-+ if (fd != -1)
-+ f = fdopen(fd, append ? 
"a" : "w");
-+ if (fd == -1 || f == NULL) {
- fprintf(stderr,"Couldn't open log file %s: %s\n",
- &cp[5], error_message(errno));
- continue;
- }
-+ set_cloexec_file(f);
-+ log_control.log_entries[i].lfu_filep = f;
-+ log_control.log_entries[i].log_type = K_LOG_FILE;
-+ log_control.log_entries[i].lfu_fname = &cp[5];
- }
- }
- #ifdef HAVE_SYSLOG
diff --git a/krb5-1.14.4-SNI-HTTP-Host.patch b/krb5-1.14.4-SNI-HTTP-Host.patch
deleted file mode 100644
index a34faad..0000000
--- a/krb5-1.14.4-SNI-HTTP-Host.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 8 Aug 2016 12:38:17 +0200
-Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
-
-Some web servers require a Host HTTP header for TLS connections with
-SNI (server name indicator). It is also required for virtual hosts.
-
-ticket: 8472 (new)
-target_version: 1.14-next
-tags: pullup
----
- src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index c85fdba..a2b7359 100644
---- a/src/lib/krb5/os/sendto_kdc.c
-+++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -78,6 +78,7 @@
- #define MAX_PASS 3
- #define DEFAULT_UDP_PREF_LIMIT 1465
- #define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
-+#define PORT_LENGTH 6 /* decimal repr of UINT16_MAX */
- 
- /* Select state flags. */
- #define SSF_READ 0x01
-@@ -138,6 +139,7 @@ struct conn_state {
- struct {
- const char *uri_path;
- const char *servername;
-+ char port[PORT_LENGTH];
- char *https_request;
- k5_tls_handle tls;
- } http;
-@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
- k5_buf_init_dynamic(&buf);
- uri_path = (state->http.uri_path != NULL) ? 
state->http.uri_path : "";
- k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
-+ k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
-+ state->http.port);
- k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
- k5_buf_add(&buf, "Pragma: no-cache\r\n");
- k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
-@@ -673,7 +677,7 @@ static krb5_error_code
- add_connection(struct conn_state **conns, k5_transport transport,
- krb5_boolean defer, struct addrinfo *ai, size_t server_index,
- const krb5_data *realm, const char *hostname,
-- const char *uri_path, char **udpbufp)
-+ const char *port, const char *uri_path, char **udpbufp)
- {
- struct conn_state *state, **tailptr;
- 
-@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
- state->service_write = service_tcp_write;
- state->service_read = service_tcp_read;
- } else if (transport == HTTPS) {
-+ assert(hostname != NULL && port != NULL);
- state->service_connect = service_tcp_connect;
- state->service_write = service_https_write;
- state->service_read = service_https_read;
- state->http.uri_path = uri_path;
- state->http.servername = hostname;
-+ strlcpy(state->http.port, port, PORT_LENGTH);
- } else {
- state->service_connect = NULL;
- state->service_write = NULL;
-@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
- struct addrinfo *addrs, *a, hint, ai;
- krb5_boolean defer;
- int err, result;
-- char portbuf[64];
-+ char portbuf[PORT_LENGTH];
- 
- /* Skip UDP entries if we don't want UDP. */
- if (strategy == NO_UDP && entry->transport == UDP)
-@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
- ai.ai_addr = (struct sockaddr *)&entry->addr;
- defer = (entry->transport != transport);
- return add_connection(conns, entry->transport, defer, &ai, ind, realm,
-- NULL, entry->uri_path, udpbufp);
-+ NULL, NULL, entry->uri_path, udpbufp);
- }
- 
- /* If the entry has a specified transport, use it. 
*/
-@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
- retval = 0;
- for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
- retval = add_connection(conns, transport, FALSE, a, ind, realm,
-- entry->hostname, entry->uri_path, udpbufp);
-+ entry->hostname, portbuf, entry->uri_path,
-+ udpbufp);
- }
- 
- /* For TCP_OR_UDP entries, add each address again with the non-preferred
-@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
- for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
- a->ai_socktype = socktype_for_transport(transport);
- retval = add_connection(conns, transport, TRUE, a, ind, realm,
-- entry->hostname, entry->uri_path, udpbufp);
-+ entry->hostname, portbuf,
-+ entry->uri_path, udpbufp);
- }
- }
- freeaddrinfo(addrs);
--- 
-2.8.1
-
diff --git a/krb5-1.14.4-ofd-lock-workaround.patch b/krb5-1.14.4-ofd-lock-workaround.patch
deleted file mode 100644
index 3786afd..0000000
--- a/krb5-1.14.4-ofd-lock-workaround.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 65110210b75d38908cdd84cb202cf013ccf6ed0e Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Sun, 14 Aug 2016 12:08:16 -0400
-Subject: [PATCH] Work around glibc OFD lock bug on 32-bit Linux
-
-A bug in Gnu libc causes OFD locking to fail unpredictably on 32-bit
-Linux, typically leading to deadlocks. Work around this bug by using
-the fcntl64 system call and struct flock64.
-
-See also: https://sourceware.org/bugzilla/show_bug.cgi?id=20251
-
-ticket: 8474
-target_version: 1.14-next
-tags: pullup
----
- src/lib/krb5/os/lock_file.c | 26 ++++++++++++++++++++++++--
- 1 file changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
-index a2f247c..2360c96 100644
---- a/src/lib/krb5/os/lock_file.c
-+++ b/src/lib/krb5/os/lock_file.c
-@@ -43,7 +43,29 @@
- 
- #if defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK)
- #define POSIX_FILE_LOCKS
-+
-+/*
-+ * Gnu libc bug 20251, currently unfixed, breaks OFD lock support on
-+ * 32-bit platforms. Work around this bug by explicitly using the
-+ * fcntl64 system call and struct flock64.
-+ */
-+#if defined(__linux__) && __WORDSIZE == 32
-+#include
-#ifdef SYS_fcntl64
-+#define USE_FCNTL64
- #endif
-+#endif
-+#ifdef USE_FCNTL64
-+/* Use the fcntl64 system call and struct flock64. (Gnu libc does not
-+ * define a fcntl64() function, so we must use syscall().) */
-+#define fcntl(fd, cmd, arg) syscall(SYS_fcntl64, fd, cmd, arg)
-+typedef struct flock64 fcntl_lock_st;
-+#else
-+/* Use regular fcntl() and struct flock. */
-+typedef struct flock fcntl_lock_st;
-+#endif
-+
-+#endif /* defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK) */
- 
- #ifdef HAVE_FLOCK
- #ifndef sysvimp
-@@ -66,7 +88,7 @@
- * older kernel than we were built with. 
- */
- static int
--ofdlock(int fd, int cmd, struct flock *lock_arg)
-+ofdlock(int fd, int cmd, fcntl_lock_st *lock_arg)
- {
- #ifdef F_OFD_SETLKW
- int st, ofdcmd;
-@@ -89,7 +111,7 @@ krb5_lock_file(krb5_context context, int fd, int mode)
- krb5_error_code retval = 0;
- #ifdef POSIX_FILE_LOCKS
- int lock_cmd = F_SETLKW;
-- struct flock lock_arg = { 0 };
-+ fcntl_lock_st lock_arg = { 0 };
- #endif
- 
- switch (mode & ~KRB5_LOCKMODE_DONTBLOCK) {
--- 
-2.8.1
-
diff --git a/krb5-1.14.4-responder-non-preauth.patch b/krb5-1.14.4-responder-non-preauth.patch
deleted file mode 100644
index fc22104..0000000
--- a/krb5-1.14.4-responder-non-preauth.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Fri, 5 Aug 2016 12:28:03 -0400
-Subject: [PATCH] Use responder for non-preauth AS requests
-
-If no AS reply key is computed during pre-authentication (typically
-because no pre-authentication was required by the KDC), ask for the
-password using the responder before calling gak_fct for the key, and
-supply any resulting responder items to gak_fct.
-
-ticket: 8454
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
- src/tests/t_general.py | 5 +++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index b78e19a..659be66 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
- krb5_keyblock encrypting_key;
- krb5_boolean fast_avail;
- krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
-+ krb5_responder_fn responder;
-+ void *responder_data;
- 
- encrypting_key.length = 0;
- encrypting_key.contents = NULL;
-@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
- code = -1;
- 
- if (code != 0) {
-+ /* If a responder was provided and we are using a password, ask for the
-+ * password using the responder before falling back to the prompter. */
-+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
-+ if (responder != NULL && !ctx->as_key.length) {
-+ /* Indicate a need for the AS key by calling the gak_fct with a
-+ * NULL as_key. */
-+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
-+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
-+ ctx->rctx.items);
-+ if (code != 0)
-+ goto cleanup;
-+
-+ /* If that produced a responder question, invoke the responder. 
*/
-+ if (!k5_response_items_empty(ctx->rctx.items)) {
-+ code = (*responder)(context, responder_data, &ctx->rctx);
-+ if (code != 0)
-+ goto cleanup;
-+ }
-+ }
-+
- /* if we haven't get gotten a key, get it now */
- TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
- code = (*ctx->gak_fct)(context, ctx->request->client,
- ctx->reply->enc_part.enctype,
- ctx->prompter, ctx->prompter_data,
- &ctx->salt, &ctx->s2kparams,
-- &ctx->as_key, ctx->gak_data, NULL);
-+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
- if (code != 0)
- goto cleanup;
- TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index c3629e6..13dd99b 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -34,6 +34,11 @@ realm.stop()
- 
- realm = K5Realm(create_host=False)
- 
-+# Regression test for #8454 (responder callback isn't used when
-+# preauth is not required).
-+realm.run(['./responder', '-r', 'password=%s' % password('user'),
-+ realm.user_princ])
-+
- # Test that WRONG_REALM responses aren't treated as referrals unless
- # they contain a crealm field pointing to a different realm.
- # (Regression test for #8060.)
--- 
-2.9.3
-
diff --git a/krb5-1.14.4-samba-client-mutual-flag.patch b/krb5-1.14.4-samba-client-mutual-flag.patch
deleted file mode 100644
index e628af6..0000000
--- a/krb5-1.14.4-samba-client-mutual-flag.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Thu, 25 Aug 2016 10:41:33 +0200
-Subject: [PATCH] Guess Samba client mutual flag using ap_options
-
-To work correctly with older Samba clients, we should guess the mutual
-flag based on the ap_options from the AP-REQ and not set it
-unconditionally. Found by the Samba torture testsuite.
-
-[ghudson@mit.edu: edited comments and commit message]
-
-ticket: 8486 (new)
-target_version: 1.14-next
-tags: pullup
----
- src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
-index b7fffeb..580d08c 100644
---- a/src/lib/gssapi/krb5/accept_sec_context.c
-+++ b/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
- goto fail;
- }
- 
-- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-+ /* Use ap_options from the request to guess the mutual flag. */
-+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
-+ gss_flags |= GSS_C_MUTUAL_FLAG;
- } else {
- /* gss krb5 v1 */
- 
--- 
-2.9.3
-
diff --git a/krb5-1.15-improve-bad-password-inference.patch b/krb5-1.15-improve-bad-password-inference.patch
deleted file mode 100644
index 8e1424a..0000000
--- a/krb5-1.15-improve-bad-password-inference.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Mon, 25 Jul 2016 13:28:43 -0400
-Subject: [PATCH 2/3] Improve bad password inference in kinit
-
-kinit currently outputs "Password incorrect" if it sees a
-bad-integrity error code, which results if the KDC reply couldn't be
-decrypted, or when encrypted timestamp preauth fails against an MIT
-krb5 1.14 or earlier KDC. Expand this check to include general
-preauth failures reported by the KDC, but only if a password was
-prompted for.
-
-ticket: 8465 (new)
-(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
----
- src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
-index eba36b9..990fd11 100644
---- a/src/clients/kinit/kinit.c
-+++ b/src/clients/kinit/kinit.c
-@@ -700,9 +700,18 @@ kinit_prompter(
- krb5_prompt prompts[]
- )
- {
-- krb5_error_code rc =
-- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
-- return rc;
-+ krb5_boolean *pwprompt = data;
-+ krb5_prompt_type *ptypes;
-+ int i;
-+
-+ /* Make a note if we receive a password prompt. 
*/
-+ ptypes = krb5_get_prompt_types(ctx);
-+ for (i = 0; i < num_prompts; i++) {
-+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
-+ *pwprompt = TRUE;
-+ }
-+
-+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- }
- 
- static int
-@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
- krb5_creds my_creds;
- krb5_error_code code = 0;
- krb5_get_init_creds_opt *options = NULL;
-+ krb5_boolean pwprompt = FALSE;
- int i;
- 
- memset(&my_creds, 0, sizeof(my_creds));
-@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
- switch (opts->action) {
- case INIT_PW:
- code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
-- 0, kinit_prompter, 0,
-+ 0, kinit_prompter, &pwprompt,
- opts->starttime,
- opts->service_name,
- options);
-@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
- break;
- }
- 
-- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
-+ /* If reply decryption failed, or if pre-authentication failed and we
-+ * were prompted for a password, assume the password was wrong. */
-+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
-+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
- fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
- doing);
-- else
-+ } else {
- com_err(progname, code, _("while %s"), doing);
-+ }
- goto cleanup;
- }
- 
--- 
-2.9.3
-
diff --git a/krb5-1.15-kdc-error-encrypted-timestamp.patch b/krb5-1.15-kdc-error-encrypted-timestamp.patch
deleted file mode 100644
index cbf9309..0000000
--- a/krb5-1.15-kdc-error-encrypted-timestamp.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 8 Aug 2016 18:03:55 +0200
-Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
-
-When encrypted timestamp pre-authentication fails, respond with error
-code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
-consistency with other Kerberos implementations.
-
-[ghudson@mit.edu: clarified commit message and comment]
-
-ticket: 8471 (new)
-(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
----
- src/kdc/kdc_preauth_encts.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
-index 65f7c36..e80dc12 100644
---- a/src/kdc/kdc_preauth_encts.c
-+++ b/src/kdc/kdc_preauth_encts.c
-@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_key_data * client_key;
- krb5_int32 start;
- krb5_timestamp timenow;
-- krb5_error_code decrypt_err = 0;
- 
- scratch.data = (char *)pa->contents;
- scratch.length = pa->length;
-@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- goto cleanup;
- 
- start = 0;
-- decrypt_err = 0;
- while (1) {
- if ((retval = krb5_dbe_search_enctype(context, rock->client,
- &start, enc_data->enctype,
-@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_free_keyblock_contents(context, &key);
- if (retval == 0)
- break;
-- else
-- decrypt_err = retval;
- }
- 
- if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
-@@ -119,14 +115,10 @@ cleanup:
- krb5_free_data_contents(context, &enc_ts_data);
- if (pa_enc)
- free(pa_enc);
-- /*
-- * If we get NO_MATCHING_KEY and decryption previously failed, and
-- * we failed to find any other keys of the correct enctype after
-- * that failed decryption, it probably means that the password was
-- * 
incorrect.
-- */
-+ /* If we get NO_MATCHING_KEY, it probably means that the password was
-+ * incorrect. */
-+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
-+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
- 
- (*respond)(arg, retval, NULL, NULL, NULL);
- }
--- 
-2.9.3
-
diff --git a/krb5-1.15-kdc_hooks_test.patch b/krb5-1.15-kdc_hooks_test.patch
deleted file mode 100644
index 97385db..0000000
--- a/krb5-1.15-kdc_hooks_test.patch
+++ /dev/null
@@ -1,367 +0,0 @@
-From e60e5e0a8e8e98edae8c678e5c300b30368006fb Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 7 Mar 2016 17:59:07 +0100
-Subject: [PATCH 2/2] Add tests for send and receive sendto_kdc hooks
-
-[ghudson@mit.edu: style changes]
-
-ticket: 8386
-
-Conflicts:
- src/tests/Makefile.in
-[rharwood@redhat.com: fix cherry-pick merge conflicts]
-[rharwood@redhat.com: remove references to .gitignore]
----
- src/tests/Makefile.in | 12 ++-
- src/tests/deps | 10 ++
- src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
- src/tests/t_hooks.py | 9 ++
- 5 files changed, 281 insertions(+), 4 deletions(-)
- create mode 100644 src/tests/hooks.c
- create mode 100755 src/tests/t_hooks.py
-
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index b24e197..0fc0ea9 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -6,9 +6,9 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
- LC_ALL=C $(VALGRIND)
- 
--OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o kdbtest.o plugorder.o \
-+OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o kdbtest.o plugorder.o \
- t_init_creds.o t_localauth.o rdreq.o responder.o s2p.o s4u2proxy.o
--EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c kdbtest.c plugorder.c \
-+EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c kdbtest.c plugorder.c \
- t_init_creds.c t_localauth.c rdreq.o responder.c s2p.c s4u2proxy.c
- 
- TEST_DB = ./testdb
-@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS)
- hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
- 
-+hooks: hooks.o $(KRB5_BASE_DEPLIBS)
-+ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS)
-+
- hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
- 
-@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf
- $(RUN_DB_TEST) 
../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
- $(RM) $(TEST_DB)* stash_file
- 
--check-pytests:: adata etinfo gcred hist hrealm kdbtest plugorder rdreq
-+check-pytests:: adata etinfo gcred hist hooks hrealm kdbtest plugorder rdreq
- check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
- $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
-@@ -159,7 +163,7 @@ check-pytests:: responder s2p s4u2proxy t_init_creds t_localauth unlockiter
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
- 
- clean::
-- $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p
-+ $(RM) gcred hist hooks hrealm kdbtest plugorder rdreq responder s2p
- $(RM) adata etinfo gcred hist hrealm kdbtest plugorder rdreq responder
- $(RM) s2p s4u2proxy t_init_creds t_localauth krb5.conf kdc.conf
- $(RM) -rf kdc_realm/sandbox ldap
-diff --git a/src/tests/deps b/src/tests/deps
-index de33c55..3634dc4 100644
---- a/src/tests/deps
-+++ b/src/tests/deps
-@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- hist.c
-+$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ 
-+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-+ $(top_srcdir)/include/socket-utils.h hooks.c
- $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-diff --git a/src/tests/hooks.c b/src/tests/hooks.c
-new file mode 100644
-index 0000000..fabdb89
---- /dev/null
-+++ b/src/tests/hooks.c
-@@ -0,0 +1,253 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* tests/hooks.c - test harness for KDC send and recv hooks */
-+/*
-+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+
-+static krb5_context ctx;
-+
-+static void
-+check_code(krb5_error_code code, const char *file, int line)
-+{
-+ const char *errmsg;
-+
-+ if (code) {
-+ errmsg = krb5_get_error_message(ctx, code);
-+ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg,
-+ (int)code);
-+ krb5_free_error_message(ctx, errmsg);
-+ exit(1);
-+ }
-+}
-+
-+#define check(code) check_code((code), __FILE__, __LINE__)
-+
-+/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */
-+static krb5_error_code
-+test_send_as_req(krb5_context context, void *data, const krb5_data *realm,
-+ const krb5_data *message, krb5_data **new_message_out,
-+ krb5_data **reply_out)
-+{
-+ krb5_kdc_req *as_req;
-+ int cmp;
-+
-+ assert(krb5_is_as_req(message));
-+ check(decode_krb5_as_req(message, &as_req));
-+
-+ assert(as_req->msg_type == KRB5_AS_REQ);
-+ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE);
-+ assert(as_req->client->realm.length == realm->length);
-+ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length);
-+ assert(cmp == 0);
-+
-+ /* Remove the canonicalize flag and create a new message. */
-+ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE;
-+ check(encode_krb5_as_req(as_req, new_message_out));
-+
-+ krb5_free_kdc_req(context, as_req);
-+ return 0;
-+}
-+
-+/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. 
*/
-+static krb5_error_code
-+test_recv_as_rep(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ krb5_kdc_rep *as_rep;
-+
-+ assert(code == 0);
-+ assert(krb5_is_as_rep(reply));
-+ check(decode_krb5_as_rep(reply, &as_rep));
-+
-+ assert(as_rep->msg_type == KRB5_AS_REP);
-+ assert(as_rep->ticket->enc_part.kvno == 1);
-+ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype));
-+
-+ krb5_free_kdc_rep(context, as_rep);
-+ return 0;
-+}
-+
-+/* Create a fake error reply. */
-+static krb5_error_code
-+test_send_error(krb5_context context, void *data, const krb5_data *realm,
-+ const krb5_data *message, krb5_data **new_message_out,
-+ krb5_data **reply_out)
-+{
-+ krb5_error_code ret;
-+ krb5_error err;
-+ krb5_principal client, server;
-+ char *realm_str, *princ_str;
-+ int r;
-+
-+ realm_str = k5memdup0(realm->data, realm->length, &ret);
-+ check(ret);
-+
-+ r = asprintf(&princ_str, "invalid@%s", realm_str);
-+ assert(r > 0);
-+ check(krb5_parse_name(ctx, princ_str, &client));
-+ free(princ_str);
-+
-+ r = asprintf(&princ_str, "krbtgt@%s", realm_str);
-+ assert(r > 0);
-+ check(krb5_parse_name(ctx, princ_str, &server));
-+ free(princ_str);
-+ free(realm_str);
-+
-+ err.magic = KV5M_ERROR;
-+ err.ctime = 1971196337;
-+ err.cusec = 0;
-+ err.susec = 97008;
-+ err.stime = 1458219390;
-+ err.error = 6;
-+ err.client = client;
-+ err.server = server;
-+ err.text = string2data("CLIENT_NOT_FOUND");
-+ err.e_data = empty_data();
-+ check(encode_krb5_error(&err, reply_out));
-+
-+ krb5_free_principal(ctx, client);
-+ krb5_free_principal(ctx, server);
-+ return 0;
-+}
-+
-+static krb5_error_code
-+test_recv_error(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ /* The send hook created a reply, so this hook should not be executed. 
*/
-+ abort();
-+}
-+
-+/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */
-+static krb5_error_code
-+test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ krb5_kdc_rep *as_rep;
-+
-+ assert(code == 0);
-+ assert(krb5_is_as_rep(reply));
-+ check(decode_krb5_as_rep(reply, &as_rep));
-+
-+ as_rep->msg_type = KRB5_TGS_REP;
-+ check(encode_krb5_as_rep(as_rep, new_reply));
-+
-+ krb5_free_kdc_rep(context, as_rep);
-+ return 0;
-+}
-+
-+/* Return an error given by the callback data argument. */
-+static krb5_error_code
-+test_send_return_value(krb5_context context, void *data,
-+ const krb5_data *realm, const krb5_data *message,
-+ krb5_data **new_message_out, krb5_data **reply_out)
-+{
-+ assert(data != NULL);
-+ return *(krb5_error_code *)data;
-+}
-+
-+/* Return an error given by the callback argument. */
-+static krb5_error_code
-+test_recv_return_value(krb5_context context, void *data, krb5_error_code code,
-+ const krb5_data *realm, const krb5_data *message,
-+ const krb5_data *reply, krb5_data **new_reply)
-+{
-+ assert(data != NULL);
-+ return *(krb5_error_code *)data;
-+}
-+
-+int
-+main(int argc, char *argv[])
-+{
-+ const char *principal, *password;
-+ krb5_principal client;
-+ krb5_get_init_creds_opt *opts;
-+ krb5_creds creds;
-+ krb5_error_code ret, test_return_code;
-+
-+ if (argc != 3) {
-+ fprintf(stderr, "Usage: %s princname password\n", argv[0]);
-+ exit(1);
-+ }
-+ principal = argv[1];
-+ password = argv[2];
-+
-+ check(krb5_init_context(&ctx));
-+ check(krb5_parse_name(ctx, principal, &client));
-+
-+ /* Use a send hook to modify an outgoing AS-REQ. The library will detect
-+ * the modification in the reply. 
*/
-+ check(krb5_get_init_creds_opt_alloc(ctx, &opts));
-+ krb5_get_init_creds_opt_set_canonicalize(opts, 1);
-+ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, opts);
-+ assert(ret == KRB5_KDCREP_MODIFIED);
-+ krb5_get_init_creds_opt_free(ctx, opts);
-+
-+ /* Use a send hook to synthesize a KRB-ERROR reply. */
-+ krb5_set_kdc_send_hook(ctx, test_send_error, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
-+
-+ /* Use a recv hook to modify a KDC reply. */
-+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE);
-+
-+ /* Verify that the user data pointer works in the send hook. */
-+ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED;
-+ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code);
-+ krb5_set_kdc_recv_hook(ctx, NULL, NULL);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED);
-+
-+ /* Verify that the user data pointer works in the recv hook. 
*/
-+ test_return_code = KRB5KDC_ERR_NULL_KEY;
-+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
-+ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code);
-+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-+ NULL, 0, NULL, NULL);
-+ assert(ret == KRB5KDC_ERR_NULL_KEY);
-+
-+ krb5_free_principal(ctx, client);
-+ krb5_free_context(ctx);
-+ return 0;
-+}
-diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py
-new file mode 100755
-index 0000000..58dff3a
---- /dev/null
-+++ b/src/tests/t_hooks.py
-@@ -0,0 +1,9 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+# Test that KDC send and recv hooks work correctly.
-+realm = K5Realm(create_host=False, get_creds=False)
-+realm.run(['./hooks', realm.user_princ, password('user')])
-+realm.stop()
-+
-+success('send and recv hook tests')
--- 
-2.8.0.rc3
-
diff --git a/krb5-1.15-kdc_send_receive_hooks.patch b/krb5-1.15-kdc_send_receive_hooks.patch
deleted file mode 100644
index d5addf2..0000000
--- a/krb5-1.15-kdc_send_receive_hooks.patch
+++ /dev/null
@@ -1,314 +0,0 @@ -From 700f0921e891c5986e31e8394a9e7287a7c16524 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 3 Mar 2016 18:53:31 +0100 -Subject: [PATCH 1/2] Add KDC pre-send and post-receive KDC hooks - -Add two new APIs, krb5_set_kdc_send_hook() and -krb5_set_kdc_recv_hook(), which can be used to inspect and override -messages sent to KDCs. - -[ghudson@mit.edu: style and documentation changes] - -ticket: 8386 (new) ---- - doc/appdev/refs/api/index.rst | 2 + - doc/appdev/refs/types/index.rst | 2 + - src/include/k5-int.h | 6 +++ - src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++ - src/lib/krb5/libkrb5.exports | 2 + - src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++- - src/lib/krb5_32.def | 4 ++ - 7 files changed, 174 insertions(+), 2 deletions(-) - -diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst -index 8df351d..e97cbca 100644 ---- a/doc/appdev/refs/api/index.rst -+++ b/doc/appdev/refs/api/index.rst -@@ -268,6 +268,8 @@ Rarely used public interfaces - krb5_server_decrypt_ticket_keytab.rst - krb5_set_default_tgs_enctypes.rst - krb5_set_error_message.rst -+ krb5_set_kdc_recv_hook.rst -+ krb5_set_kdc_send_hook.rst - krb5_set_real_time.rst - krb5_string_to_cksumtype.rst - krb5_string_to_deltat.rst -diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst -index 51c4093..dc414cf 100644 ---- a/doc/appdev/refs/types/index.rst -+++ b/doc/appdev/refs/types/index.rst -@@ -57,6 +57,8 @@ Public - krb5_pa_svr_referral_data.rst - krb5_pa_data.rst - krb5_pointer.rst -+ krb5_post_recv_fn.rst -+ krb5_pre_send_fn.rst - krb5_preauthtype.rst - krb5_principal.rst - krb5_principal_data.rst -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 41c3d1b..a4266d9 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1237,6 +1237,12 @@ struct _krb5_context { - krb5_trace_callback trace_callback; - void *trace_callback_data; - -+ krb5_pre_send_fn kdc_send_hook; -+ void 
*kdc_send_hook_data; -+ -+ krb5_post_recv_fn kdc_recv_hook; -+ void *kdc_recv_hook_data; -+ - struct plugin_interface plugins[PLUGIN_NUM_INTERFACES]; - char *plugin_base_dir; - }; -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 851cea3..59baf70 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -8288,6 +8288,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, - krb5_error_code KRB5_CALLCONV - krb5_set_trace_filename(krb5_context context, const char *filename); - -+ -+/** -+ * Hook function for inspecting or modifying messages sent to KDCs. -+ * -+ * If the hook function returns an error code, the KDC communication will be -+ * aborted and the error code will be returned to the library operation which -+ * initiated the communication. -+ * -+ * If the hook function sets @a reply_out, @a message will not be sent to the -+ * KDC, and the given reply will used instead. -+ * -+ * If the hook function sets @a new_message_out, the given message will be sent -+ * to the KDC in place of @a message. -+ * -+ * If the hook function returns successfully without setting either output, -+ * @a message will be sent to the KDC normally. -+ * -+ * The hook function should use krb5_copy_data() to construct the value for -+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly -+ * by the library. 
-+ * -+ * @param [in] context Library context -+ * @param [in] data Callback data -+ * @param [in] realm The realm the message will be sent to -+ * @param [in] message The original message to be sent to the KDC -+ * @param [out] new_message_out Optional replacement message to be sent -+ * @param [out] reply_out Optional synthetic reply -+ * -+ * @retval 0 Success -+ * @return A Kerberos error code -+ */ -+typedef krb5_error_code -+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, -+ const krb5_data *realm, -+ const krb5_data *message, -+ krb5_data **new_message_out, -+ krb5_data **new_reply_out); -+ -+/** -+ * Hook function for inspecting or overriding KDC replies. -+ * -+ * If @a code is zero, @a reply contains the reply received from the KDC. The -+ * hook function may return an error code to simulate an error, may synthesize -+ * a different reply by setting @a new_reply_out, or may simply return -+ * successfully to do nothing. -+ * -+ * If @a code is non-zero, KDC communication failed and @a reply should be -+ * ignored. The hook function may return @a code or a different error code, or -+ * may synthesize a reply by setting @a new_reply_out and return successfully. -+ * -+ * The hook function should use krb5_copy_data() to construct the value for -+ * @a new_reply_out, to ensure that it can be freed correctly by the library. 
-+ * -+ * @param [in] context Library context -+ * @param [in] data Callback data -+ * @param [in] code Status of KDC communication -+ * @param [in] realm The realm the reply was received from -+ * @param [in] message The message sent to the realm's KDC -+ * @param [in] reply The reply received from the KDC -+ * @param [out] new_reply_out Optional replacement reply -+ * -+ * @retval 0 Success -+ * @return A Kerberos error code -+ */ -+typedef krb5_error_code -+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, -+ krb5_error_code code, -+ const krb5_data *realm, -+ const krb5_data *message, -+ const krb5_data *reply, -+ krb5_data **new_reply_out); -+ -+/** -+ * Set a KDC pre-send hook function. -+ * -+ * @a send_hook will be called before messages are sent to KDCs by library -+ * functions such as krb5_get_credentials(). The hook function may inspect, -+ * override, or synthesize its own reply to the message. -+ * -+ * @param [in] context Library context -+ * @param [in] send_hook Hook function (or NULL to disable the hook) -+ * @param [in] data Callback data to be passed to @a send_hook -+ */ -+void KRB5_CALLCONV -+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, -+ void *data); -+ -+/** -+ * Set a KDC post-receive hook function. -+ * -+ * @a recv_hook will be called after a reply is received from a KDC during a -+ * call to a library function such as krb5_get_credentials(). The hook -+ * function may inspect or override the reply. This hook will not be executed -+ * if the pre-send hook returns a synthetic reply. -+ * -+ * @param [in] context The library context. 
-+ * @param [in] recv_hook Hook function (or NULL to disable the hook) -+ * @param [in] data Callback data to be passed to @a recv_hook -+ */ -+void KRB5_CALLCONV -+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, -+ void *data); -+ -+ - #if TARGET_OS_MAC - # pragma pack(pop) - #endif -diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports -index c623409..ea6982d 100644 ---- a/src/lib/krb5/libkrb5.exports -+++ b/src/lib/krb5/libkrb5.exports -@@ -581,6 +581,8 @@ krb5_set_password - krb5_set_password_using_ccache - krb5_set_principal_realm - krb5_set_real_time -+krb5_set_kdc_send_hook -+krb5_set_kdc_recv_hook - krb5_set_time_offsets - krb5_set_trace_callback - krb5_set_trace_filename -diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c -index 3b3b438..a2bc591 100644 ---- a/src/lib/krb5/os/sendto_kdc.c -+++ b/src/lib/krb5/os/sendto_kdc.c -@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context, - return 1; - } - -+void -+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, -+ void *data) -+{ -+ context->kdc_send_hook = send_hook; -+ context->kdc_send_hook_data = data; -+} -+ -+void -+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, -+ void *data) -+{ -+ context->kdc_recv_hook = recv_hook; -+ context->kdc_recv_hook_data = data; -+} -+ - /* - * send the formatted request 'message' to a KDC for realm 'realm' and - * return the response (if any) in 'reply'. 
-@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context, - - krb5_error_code - krb5_sendto_kdc(krb5_context context, const krb5_data *message, -- const krb5_data *realm, krb5_data *reply, int *use_master, -+ const krb5_data *realm, krb5_data *reply_out, int *use_master, - int no_udp) - { - krb5_error_code retval, err; - struct serverlist servers; - int server_used; - k5_transport_strategy strategy; -+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL; -+ -+ *reply_out = empty_data(); - - /* - * find KDC location(s) for realm -@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, - if (retval) - return retval; - -+ if (context->kdc_send_hook != NULL) { -+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data, -+ realm, message, &hook_message, -+ &hook_reply); -+ if (retval) -+ goto cleanup; -+ -+ if (hook_reply != NULL) { -+ *reply_out = *hook_reply; -+ free(hook_reply); -+ goto cleanup; -+ } -+ -+ if (hook_message != NULL) -+ message = hook_message; -+ } -+ - err = 0; - retval = k5_sendto(context, message, realm, &servers, strategy, NULL, -- reply, NULL, NULL, &server_used, -+ &reply, NULL, NULL, &server_used, - check_for_svc_unavailable, &err); - if (retval == KRB5_KDC_UNREACH) { - if (err == KDC_ERR_SVC_UNAVAILABLE) { -@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, - realm->length, realm->data); - } - } -+ -+ if (context->kdc_recv_hook != NULL) { -+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data, -+ retval, realm, message, &reply, -+ &hook_reply); -+ } - if (retval) - goto cleanup; - -+ if (hook_reply != NULL) { -+ *reply_out = *hook_reply; -+ free(hook_reply); -+ } else { -+ *reply_out = reply; -+ reply = empty_data(); -+ } -+ - /* Set use_master to 1 if we ended up talking to a master when we didn't - * explicitly request to. 
*/
- if (*use_master == 0) {
-@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- }
- 
- cleanup:
-+ krb5_free_data(context, hook_message);
-+ krb5_free_data_contents(context, &reply);
- k5_free_serverlist(&servers);
- return retval;
- }
-diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
-index 3734e9b..8d58ea1 100644
---- a/src/lib/krb5_32.def
-+++ b/src/lib/krb5_32.def
-@@ -463,3 +463,7 @@ EXPORTS
- krb5_vwrap_error_message @430
- krb5_c_prfplus @431
- krb5_c_derive_prfplus @432
-+
-+; new in 1.15
-+ krb5_set_kdc_send_hook @433
-+ krb5_set_kdc_recv_hook @434
---
-2.8.0.rc3
-
diff --git a/krb5-1.15-krb5_db_register_keytab.patch b/krb5-1.15-krb5_db_register_keytab.patch
deleted file mode 100644
index bf35520..0000000
--- a/krb5-1.15-krb5_db_register_keytab.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From c9136272512a6158d77e74035d52869443403a10 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 7 Sep 2016 18:33:43 +0200
-Subject: [PATCH] Add krb5_db_register_keytab()
-
-Add a public libkdb5 function to register the KDB keytab type. This
-functionality is needed for out-of-tree KDC servers such as the Samba
-kpasswd service.
-
-[ghudson@mit.edu: edited comments, whitespace, commit message]
-
-ticket: 8494 (new)
-(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7)
----
- src/include/kdb.h | 7 +++++++
- src/lib/kdb/keytab.c | 6 ++++++
- src/lib/kdb/libkdb5.exports | 1 +
- 3 files changed, 14 insertions(+)
-
-diff --git a/src/include/kdb.h b/src/include/kdb.h
-index 9d3bf9d..048327c 100644
---- a/src/include/kdb.h
-+++ b/src/include/kdb.h
-@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
- void
- krb5_dbe_free_string(krb5_context, char *);
- 
-+/*
-+ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
-+ * For this type to work, the context used for keytab operations must have an
-+ * associated database handle (via krb5_db_open()). 
-+ */
-+krb5_error_code krb5_db_register_keytab(krb5_context context);
-+
- #define KRB5_KDB_DEF_FLAGS 0
- 
- #define KDB_MAX_DB_NAME 128
-diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
-index b85b67d..c6aa100 100644
---- a/src/lib/kdb/keytab.c
-+++ b/src/lib/kdb/keytab.c
-@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data {
- } krb5_ktkdb_data;
- 
- krb5_error_code
-+krb5_db_register_keytab(krb5_context context)
-+{
-+ return krb5_kt_register(context, &krb5_kt_kdb_ops);
-+}
-+
-+krb5_error_code
- krb5_ktkdb_resolve(context, name, id)
- krb5_context context;
- const char * name;
-diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
-index cb4c3df..e5d1045 100644
---- a/src/lib/kdb/libkdb5.exports
-+++ b/src/lib/kdb/libkdb5.exports
-@@ -85,6 +85,7 @@ krb5_db_delete_policy
- krb5_db_free_policy
- krb5_def_store_mkey_list
- krb5_db_promote
-+krb5_db_register_keytab
- ulog_add_update
- ulog_init_header
- ulog_map
---
-2.9.3
-
diff --git a/krb5-1.15-otp-preauth-prompt-type.patch b/krb5-1.15-otp-preauth-prompt-type.patch
deleted file mode 100644
index 2c3d975..0000000
--- a/krb5-1.15-otp-preauth-prompt-type.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Mon, 25 Jul 2016 13:23:31 -0400
-Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
-
-Add k5_set_prompt_type() calls around the prompter invocation in
-preauth_otp.c, and add the comment we conventionally put before
-prompter invocations.
-
-ticket: 8464 (new)
-(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
----
- src/lib/krb5/krb/preauth_otp.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
-index 3de528b..01c48b4 100644
---- a/src/lib/krb5/krb/preauth_otp.c
-+++ b/src/lib/krb5/krb/preauth_otp.c
-@@ -31,6 +31,7 @@
- #include "k5-int.h"
- #include "k5-json.h"
- #include "int-proto.h"
-+#include "os-proto.h"
- 
- #include
- #include
-@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
- krb5_prompt prompt;
- krb5_data prompt_reply;
- krb5_error_code retval;
-+ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
- 
- if (prompttxt == NULL || out == NULL)
- return EINVAL;
-@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
- prompt.prompt = (char *)prompttxt;
- prompt.hidden = 1;
- 
-+ /* PROMPTER_INVOCATION */
-+ k5_set_prompt_types(context, &prompt_type);
- retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
-+ k5_set_prompt_types(context, NULL);
- if (retval != 0)
- return retval;
- 
---
-2.9.3
-
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch
index 5d27689..589e18d 100644
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@@ -1,8 +1,18 @@
+From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 23 Aug 2016 16:46:21 -0400
+Subject: [PATCH 06/19] krb5-1.3.1-dns.patch
+
 We want to be able to use --with-netlib and --enable-dns at the same time.
-RT#2022
---- krb5-1.3.1/src/aclocal.m4 2003-11-24 11:17:30.000000000 -0500
-+++ krb5-1.3.1/src/aclocal.m4 2003-11-24 11:18:45.000000000 -0500
-@@ -647,6 +647,7 @@
+---
+ src/aclocal.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index 311f099..ed343c5 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
 LIBS="$LIBS $withval"
 AC_MSG_RESULT("netlib will use \'$withval\'")
 fi
@@ -10,3 +20,6 @@ RT#2022
 ],dnl
 [AC_LIBRARY_NET]
 )])dnl
+--
+2.9.3
+
diff --git a/krb5-1.6.3-kdc_listen_all.patch b/krb5-1.6.3-kdc_listen_all.patch
deleted file mode 100644
index 946199e..0000000
--- a/krb5-1.6.3-kdc_listen_all.patch
+++ /dev/null
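Review bot: The `RT#2022` line is dropped from the description of krb5-1.3.1-dns.patch while the git-format header is added, so the rewritten patch no longer records the upstream ticket that motivated the --with-netlib/--enable-dns change. Keep the reference in the new body, as a line after the rationale sentence, `RT#2022`, or fold it into the Subject line, so the history stays traceable once the old file text is gone. The remaining changes in the hunk are the rebased inner hunk header (`@@ -647,6 +647,7 @@` to `@@ -701,6 +701,7 @@`) and format-patch metadata, which look fine.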
@@ -1,247 +0,0 @@ -Provide an option to make the KDC also listen on loopback interfaces for -datagram requests. Adds an internal symbol to libkrb5 which the KDC -needs if listening on loopback is enabled. - -The default might be better changed from FALSE to TRUE so that the -default matches what we do with stream sockets. - -FIXME: doesn't add documentation anywhere. - -diff -up src/include/foreachaddr.h src/include/foreachaddr.h ---- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400 -+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400 -@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo - ; - - #define foreach_localaddr krb5int_foreach_localaddr -+ -+extern int -+krb5int_foreach_localaddr_ext (/*@null@*/ void *data, -+ int (*pass1fn) (/*@null@*/ void *, -+ struct sockaddr *) /*@*/, -+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, -+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, -+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *, -+ struct sockaddr *) /*@*/) -+#if defined(DEBUG) || defined(TEST) -+ /*@modifies fileSystem@*/ -+#endif -+ ; -+ -+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext -diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h ---- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400 -+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400 -@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k - krb5_error_code setup_server_realm (krb5_principal); - - /* network.c */ -+void process_listen_loopback (krb5_boolean); - krb5_error_code listen_and_process (const char *); - krb5_error_code setup_network (const char *); - krb5_error_code closedown_network (const char *); -diff -up src/kdc/main.c src/kdc/main.c ---- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400 -+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400 -@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext, - krb5_enctype menctype = ENCTYPE_UNKNOWN; - kdc_realm_t *rdatap; - krb5_boolean manual = 
FALSE; -+ krb5_boolean listen_loopback = FALSE; - char *default_udp_ports = 0; - char *default_tcp_ports = 0; - krb5_pointer aprof; -@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext, - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode)) - v4mode = 0; - #endif -+ hierarchy[1] = "kdc_listen_loopback"; -+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback)) -+ listen_loopback = FALSE; - /* aprof_init can return 0 with aprof == NULL */ - if (aprof) - krb5_aprof_finish(aprof); -@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext, - free(v4mode); - #endif - -+ process_listen_loopback(listen_loopback); -+ - /* - * Check to see if we processed any realms. - */ -diff -up src/kdc/network.c src/kdc/network.c ---- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400 -+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400 -@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p - #include "cm.h" - - static struct select_state sstate; -+static krb5_boolean listen_loopback; - - static krb5_error_code add_udp_port(int port) - { -@@ -604,6 +605,12 @@ scan_for_newlines: - } - #endif - -+void -+process_listen_loopback(krb5_boolean listen_loop) -+{ -+ listen_loopback = listen_loop; -+} -+ - /* XXX */ - extern int krb5int_debug_sendto_kdc; - extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t); -@@ -662,7 +669,9 @@ setup_network(const char *prog) - so we might need only one UDP socket; fall back to binding - sockets on each address only if IPV6_PKTINFO isn't - supported. */ -- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { -+ if (listen_loopback ? 
-+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) : -+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { - return setup_data.retval; - } - setup_tcp_listener_ports(&setup_data); -diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c ---- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400 -+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400 -@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons - } - #endif - -+static krb5_boolean -+skip_loopback (struct sockaddr *addr, int flags) -+{ -+#ifdef IFF_LOOPBACK -+ if (flags & IFF_LOOPBACK) { -+ return TRUE; -+ } -+#endif -+ return FALSE; -+} -+ - #ifndef HAVE_IFADDRS_H - /*@-usereleased@*/ /* lclint doesn't understand realloc */ - static /*@null@*/ void * -@@ -413,14 +424,27 @@ get_linux_ipv6_addrs () - indication, it should do it via some field pointed to by the DATA - argument. */ - --#ifdef HAVE_IFADDRS_H -- - int - foreach_localaddr (/*@null@*/ void *data, - int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, - /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, - /*@null@*/ int (*pass2fn) (/*@null@*/ void *, - struct sockaddr *) /*@*/) -+{ -+ return foreach_localaddr_ext(data, pass1fn, -+ &skip_loopback, betweenfn, -+ pass2fn); -+} -+ -+#ifdef HAVE_IFADDRS_H -+ -+int -+foreach_localaddr_ext (/*@null@*/ void *data, -+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, -+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, -+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, -+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *, -+ struct sockaddr *) /*@*/) - #if defined(DEBUG) || defined(TEST) - /*@modifies fileSystem@*/ - #endif -@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data - #endif - if ((ifp->ifa_flags & IFF_UP) == 0) - continue; -- if (ifp->ifa_flags & IFF_LOOPBACK) { -+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) { - /* Pretend it's not up, so the second pass will skip - 
it. */ - ifp->ifa_flags &= ~IFF_UP; -@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data - for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) { - if ((ifp2->ifa_flags & IFF_UP) == 0) - continue; -- if (ifp2->ifa_flags & IFF_LOOPBACK) -+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags)) - continue; - if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) { - match = 1; -@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data - #elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */ - - int --foreach_localaddr (/*@null@*/ void *data, -- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, -- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, -- /*@null@*/ int (*pass2fn) (/*@null@*/ void *, -- struct sockaddr *) /*@*/) -+foreach_localaddr_ext (/*@null@*/ void *data, -+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, -+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, -+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, -+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *, -+ struct sockaddr *) /*@*/) - #if defined(DEBUG) || defined(TEST) - /*@modifies fileSystem@*/ - #endif -@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data - } - /*@=moduncon@*/ - --#ifdef IFF_LOOPBACK -- /* None of the current callers want loopback addresses. */ -- if (lifreq.lifr_flags & IFF_LOOPBACK) { -- Tprintf ((" loopback\n")); -+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags)) -+ if (skipfn && (skipfn == &skip_loopback)) -+ Tprintf ((" loopback\n")); - goto skip; - } --#endif -+ - /* Ignore interfaces that are down. */ - if ((lifreq.lifr_flags & IFF_UP) == 0) { - Tprintf ((" down\n")); -@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data - } - /*@=moduncon@*/ - --#ifdef IFF_LOOPBACK - /* None of the current callers want loopback addresses. 
*/ -- if (lifreq.iflr_flags & IFF_LOOPBACK) { -- Tprintf ((" loopback\n")); -+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags)) -+ if (skipfn && (skipfn == &skip_loopback)) -+ Tprintf ((" loopback\n")); - goto skip; - } --#endif - /* Ignore interfaces that are down. */ - if ((lifreq.iflr_flags & IFF_UP) == 0) { - Tprintf ((" down\n")); -@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data - } - /*@=moduncon@*/ - --#ifdef IFF_LOOPBACK -- /* None of the current callers want loopback addresses. */ -- if (ifreq.ifr_flags & IFF_LOOPBACK) { -- Tprintf ((" loopback\n")); -+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags)) -+ if (skipfn && (skipfn == &skip_loopback)) -+ Tprintf ((" loopback\n")); - goto skip; - } --#endif -+ - /* Ignore interfaces that are down. */ - if ((ifreq.ifr_flags & IFF_UP) == 0) { - Tprintf ((" down\n")); diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index ae81f7c..c9c1109 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch 
@@ -1,10 +1,21 @@ +From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:49:25 -0400 +Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch + We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that could mess up people working in the tree on other things. +--- + src/kadmin/cli/Makefile.in | 5 +++++ + src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) ---- src/kadmin/cli/Makefile.in -+++ src/kadmin/cli/Makefile.in -@@ -43,3 +43,8 @@ clean-unix:: +diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in +index 789c597..7e7a148 100644 +--- a/src/kadmin/cli/Makefile.in ++++ b/src/kadmin/cli/Makefile.in +@@ -37,3 +37,8 @@ clean-unix:: # CC_LINK is not meant for compilation and this use may break in the future. datetest: getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c @@ -13,9 +24,11 @@ could mess up people working in the tree on other things. + $(RM) y.tab.c $@ + $(YACC.y) $< + $(CP) y.tab.c $@ ---- src/plugins/kdb/ldap/ldap_util/Makefile.in -+++ src/plugins/kdb/ldap/ldap_util/Makefile.in -@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR +diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in +index b9ea339..060f500 100644 +--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in ++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) getdate.c: $(GETDATE) $(RM) getdate.c y.tab.c $(YACC) $(GETDATE) @@ -24,3 +37,6 @@ could mess up people working in the tree on other things. install:: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) +-- +2.9.3 + diff --git a/krb5-acquire_cred_interposer.patch b/krb5-acquire_cred_interposer.patch deleted file mode 100644 index fa1c532..0000000 
--- a/krb5-acquire_cred_interposer.patch +++ /dev/null 
@@ -1,222 +0,0 @@ -From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 13 Nov 2015 14:54:11 -0500 -Subject: [PATCH] Fix impersonate_name to work with interposers - -This follows the same modifications applied to -gss_acquire_cred_with_password() when interposer plugins were -introduced. - -[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in -spnego_gss_acquire_cred_impersonate_name() since it is released in the -cleanup handler] - -ticket: 8280 (new) ---- - src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- - src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- - 2 files changed, 54 insertions(+), 39 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -index 0dd4f87..9eab25e 100644 ---- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - gss_cred_id_t cred = NULL; - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; -+ gss_OID_set target_mechs = GSS_C_NO_OID_SET; -+ gss_OID selected_mech = GSS_C_NO_OID; - - status = val_add_cred_impersonate_name_args(minor_status, - input_cred_handle, -@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - if (status != GSS_S_COMPLETE) - return (status); - -- mech = gssint_get_mechanism(desired_mech); -+ status = gssint_select_mech_type(minor_status, desired_mech, -+ &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return status; -+ -+ mech = gssint_get_mechanism(selected_mech); - if (!mech) - return GSS_S_BAD_MECH; - else if (!mech->gss_acquire_cred_impersonate_name) -@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - internal_name = GSS_C_NO_NAME; - } else { - union_cred = (gss_union_cred_t)input_cred_handle; -- if 
(gssint_get_mechanism_cred(union_cred, desired_mech) != -+ if (gssint_get_mechanism_cred(union_cred, selected_mech) != - GSS_C_NO_CREDENTIAL) - return (GSS_S_DUPLICATE_ELEMENT); - } - - mech_impersonator_cred = - gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, -- desired_mech); -+ selected_mech); - if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) - return (GSS_S_NO_CRED); - - /* may need to create a mechanism specific name */ - union_name = (gss_union_name_t)desired_name; - if (union_name->mech_type && -- g_OID_equal(union_name->mech_type, -- &mech->mech_type)) -+ g_OID_equal(union_name->mech_type, selected_mech)) - internal_name = union_name->mech_name; - else { - if (gssint_import_internal_name(minor_status, -- &mech->mech_type, union_name, -- &allocated_name) != GSS_S_COMPLETE) -+ selected_mech, union_name, -+ &allocated_name) != GSS_S_COMPLETE) - return (GSS_S_BAD_NAME); - internal_name = allocated_name; - } -@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - else - time_req = 0; - -+ status = gss_create_empty_oid_set(minor_status, &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ -+ status = gss_add_oid_set_member(minor_status, -+ gssint_get_public_oid(selected_mech), -+ &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ - status = mech->gss_acquire_cred_impersonate_name(minor_status, - mech_impersonator_cred, - internal_name, - time_req, -- GSS_C_NULL_OID_SET, -+ target_mechs, - cred_usage, - &cred, - NULL, -@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - - new_cred_array[union_cred->count] = cred; - if ((new_mechs_array[union_cred->count].elements = -- malloc(mech->mech_type.length)) == NULL) -+ malloc(selected_mech->length)) == NULL) - goto errout; - -- g_OID_copy(&new_mechs_array[union_cred->count], -- &mech->mech_type); -+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); - - if (actual_mechs != NULL) { -- gss_OID_set_desc 
oids; -- -- oids.count = union_cred->count + 1; -- oids.elements = new_mechs_array; -- -- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); -+ status = gssint_make_public_oid_set(minor_status, new_mechs_array, -+ union_cred->count + 1, -+ actual_mechs); - if (GSS_ERROR(status)) { - free(new_mechs_array[union_cred->count].elements); - goto errout; -@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - /* We're done with the internal name. Free it if we allocated it. */ - - if (allocated_name) -- (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, - &allocated_name); - -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); -+ - return (GSS_S_COMPLETE); - - errout: -@@ -503,8 +517,10 @@ errout: - - if (allocated_name) - (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -- &allocated_name); -+ selected_mech, &allocated_name); -+ -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); - - if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) - free(union_cred); -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index e6703eb..28fb9b1 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec) - { -- OM_uint32 status; -+ OM_uint32 status, tmpmin; - gss_OID_set amechs = GSS_C_NULL_OID_SET; - spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; -- gss_cred_id_t imp_mcred, out_mcred; -+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; - - dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); - -@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - - imp_spcred = 
(spnego_gss_cred_id_t)impersonator_cred_handle; - imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; -- if (desired_mechs == GSS_C_NO_OID_SET) { -- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -- NULL, &amechs); -- if (status != GSS_S_COMPLETE) -- return status; -- -- desired_mechs = amechs; -- } -+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -+ NULL, &amechs); -+ if (status != GSS_S_COMPLETE) -+ return status; - - status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, - desired_name, time_req, -- desired_mechs, cred_usage, -+ amechs, cred_usage, - &out_mcred, actual_mechs, - time_rec); -- -- if (amechs != GSS_C_NULL_OID_SET) -- (void) gss_release_oid_set(minor_status, &amechs); -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; - - status = create_spnego_cred(minor_status, out_mcred, &out_spcred); -- if (status != GSS_S_COMPLETE) { -- gss_release_cred(minor_status, &out_mcred); -- return (status); -- } -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; -+ -+ out_mcred = GSS_C_NO_CREDENTIAL; - *output_cred_handle = (gss_cred_id_t)out_spcred; - -+cleanup: -+ (void) gss_release_oid_set(&tmpmin, &amechs); -+ (void) gss_release_cred(&tmpmin, &out_mcred); -+ - dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); - return (status); - } --- -2.6.2 - diff --git a/krb5-disable_ofd_locks.patch b/krb5-disable_ofd_locks.patch deleted file mode 100644 index 5535cfd..0000000 --- a/krb5-disable_ofd_locks.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -On x86 rawhide, usage of OFD locks causes deadlock in the test suite. -TEMPORARILY revert their usage until I can investigate the deeper issue with -their usage here. - -diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c -index a2f247c..f7f5bb4 100644 ---- a/src/lib/krb5/os/lock_file.c -+++ b/src/lib/krb5/os/lock_file.c -@@ -68,7 +68,8 @@ - static int - ofdlock(int fd, int cmd, struct flock *lock_arg) - { --#ifdef F_OFD_SETLKW -+#if 0 -+/* #ifdef F_OFD_SETLKW */ - int st, ofdcmd; - - assert(cmd == F_SETLKW || cmd == F_SETLK); diff --git a/krb5-kdcdir2.patch b/krb5-kdcdir2.patch deleted file mode 100644 index 57aefe4..0000000 --- a/krb5-kdcdir2.patch +++ /dev/null @@ -1,17 +0,0 @@ -Remove an extra "/krb5kdc" from any paths under KDC_DIR, which already -includes that component. ---- krb5/src/include/osconf.hin -+++ krb5/src/include/osconf.hin -@@ -63,10 +63,10 @@ - #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5." - #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl" - /* Used by old admin server */ --#define DEFAULT_ADMIN_ACL KDC_DIR "/krb5kdc/kadm_old.acl" -+#define DEFAULT_ADMIN_ACL KDC_DIR "/kadm_old.acl" - - /* Location of KDC profile */ --#define DEFAULT_KDC_PROFILE KDC_DIR "/krb5kdc/kdc.conf" -+#define DEFAULT_KDC_PROFILE KDC_DIR "/kdc.conf" - #define KDC_PROFILE_ENV "KRB5_KDC_PROFILE" - - #if TARGET_OS_MAC diff --git a/krb5-pkinit-debug.patch b/krb5-pkinit-debug.patch deleted file mode 100644 index 201c45d..0000000 --- a/krb5-pkinit-debug.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -This is a cheap, non-very-portable way to make debugging a run-time option. - -diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h -index 6598482..85e1c0d 100644 ---- a/src/plugins/preauth/pkinit/pkinit.h -+++ b/src/plugins/preauth/pkinit/pkinit.h -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include "pkinit_accessor.h" - -@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */ - #define pkiDebug printf - #else - /* Still evaluates for side effects. */ --static inline void pkiDebug (const char *fmt, ...) { } -+/* static inline void pkiDebug (const char *fmt, ...) { } */ -+#define pkiDebug if (pkinit_debug_is_enabled()) printf - /* This is better if the compiler doesn't inline variadic functions - well, but gcc will warn about "left-hand operand of comma - expression has no effect". Still evaluates for side effects. */ - /* #define pkiDebug (void) */ - #endif -+extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc); -+extern int pkinit_debug_is_enabled(void); - - /* Solaris compiler doesn't grok __FUNCTION__ - * hack for now. Fix all the uses eventually. 
*/ -diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c -index 6888c1b..bb39fce 100644 ---- a/src/plugins/preauth/pkinit/pkinit_clnt.c -+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c -@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context, - pkinit_req_context reqctx = (pkinit_req_context)request_context; - krb5_keyblock *armor_key = NULL; - -+ pkinit_debug_init(context, &(request->server->realm), 0); -+ - pkiDebug("pkinit_client_process %p %p %p %p\n", - context, plgctx, reqctx, request); - -diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c -index a6d7762..2b59fd0 100644 ---- a/src/plugins/preauth/pkinit/pkinit_lib.c -+++ b/src/plugins/preauth/pkinit/pkinit_lib.c -@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename) - - fclose(f); - } -+ -+/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass -+ in a context structure, which is where this flag would be better placed. 
*/ -+static __thread int pkinit_debug_enabled = 0; -+ -+void -+pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc) -+{ -+ pkinit_debug_enabled = -1; -+ if (kdc) { -+ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug", -+ -1, &pkinit_debug_enabled); -+ } -+ if (pkinit_debug_enabled == -1) { -+ pkinit_libdefault_boolean(context, realm, "pkinit_debug", -+ 0, &pkinit_debug_enabled); -+ } -+ printf("pkinit_debug: %d\n", pkinit_debug_enabled); -+} -+ -+int -+pkinit_debug_is_enabled(void) -+{ -+ return (pkinit_debug_enabled == 1); -+} -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 5a7a5ad..d7a0a44 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context, - pkinit_kdc_context plgctx = NULL; - krb5_keyblock *armor_key = NULL; - -+ pkinit_debug_init(context, &(request->server->realm), 1); -+ - pkiDebug("pkinit_server_get_edata: entered!\n"); - - /* Remove (along with armor_key) when FAST PKINIT is settled. */ -@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context, - int is_signed = 1; - krb5_keyblock *armor_key; - -+ pkinit_debug_init(context, &(request->server->realm), 1); -+ - pkiDebug("pkinit_verify_padata: entered!\n"); - if (data == NULL || data->length <= 0 || data->contents == NULL) - return 0; diff --git a/krb5.spec b/krb5.spec index bceb489..fb6d0c1 100644 --- a/krb5.spec +++ b/krb5.spec @@ -12,8 +12,8 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.14.3 -Release: 9%{?dist} +Version: 1.14.4 +Release: 1%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with 
@@ -45,33 +45,25 @@ Source39: krb5-krb5kdc.conf # Carry this locally until it's available in a packaged form. Source100: noport.c -Patch6: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-ktany.patch -Patch16: krb5-1.12-buildconf.patch -Patch23: krb5-1.3.1-dns.patch -Patch39: krb5-1.12-api.patch -Patch60: krb5-1.12.1-pam.patch -Patch63: krb5-1.13-selinux-label.patch -Patch71: krb5-1.13-dirsrv-accountlock.patch -Patch86: krb5-1.9-debuginfo.patch -Patch129: krb5-1.11-run_user_0.patch -Patch134: krb5-1.11-kpasswdtest.patch -Patch148: krb5-1.14.4-ofd-lock-workaround.patch -Patch150: krb5-acquire_cred_interposer.patch -Patch153: krb5-1.14.1-log_file_permissions.patch - -Patch164: krb5-1.15-kdc_send_receive_hooks.patch -Patch165: krb5-1.15-kdc_hooks_test.patch - -Patch166: krb5-1.14.4-SNI-HTTP-Host.patch - -Patch167: krb5-1.15-otp-preauth-prompt-type.patch -Patch168: krb5-1.15-improve-bad-password-inference.patch -Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch -Patch170: krb5-1.14.4-samba-client-mutual-flag.patch - -Patch171: krb5-1.14.4-responder-non-preauth.patch -Patch172: krb5-1.15-krb5_db_register_keytab.patch +Patch1: krb5-1.12.1-pam.patch +Patch2: krb5-1.13-selinux-label.patch +Patch3: krb5-1.12-ksu-path.patch +Patch4: krb5-1.12-ktany.patch +Patch5: krb5-1.12-buildconf.patch +Patch6: krb5-1.3.1-dns.patch +Patch7: krb5-1.12-api.patch +Patch8: krb5-1.13-dirsrv-accountlock.patch +Patch9: krb5-1.9-debuginfo.patch +Patch10: krb5-1.11-run_user_0.patch +Patch11: krb5-1.11-kpasswdtest.patch +Patch12: Fix-impersonate_name-to-work-with-interposers.patch +Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch +Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch +Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch +Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch +Patch17: Improve-bad-password-inference-in-kinit.patch +Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch +Patch19: Add-krb5_db_register_keytab.patch License: MIT 
URL: http://web.mit.edu/kerberos/www/ 
@@ -254,41 +246,25 @@ interface is not considered stable. %setup -q -n %{name}-%{version}%{prerelease} -a 3 ln NOTICE LICENSE -%patch60 -p1 -b .pam - -%patch63 -p1 -b .selinux-label - -%patch6 -p1 -b .ksu-path -%patch12 -p1 -b .ktany -%patch16 -p1 -b .buildconf %{?_rawbuild} -%patch23 -p1 -b .dns %{?_rawbuild} -%patch39 -p1 -b .api -%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} -%patch86 -p0 -b .debuginfo - -# Apply when the hard-wired or configured default location is -# DIR:/run/user/%%{uid}/krb5cc. -%patch129 -p1 -b .run_user_0 - -%patch134 -p1 -b .kpasswdtest - -%patch148 -p1 -b .ofd-lock-workaround - -%patch150 -p1 -b .fix_interposer -%patch153 -p1 -b .log_file_permissions - -%patch164 -p1 -b .kdc_send_receive_hooks -%patch165 -p1 -b .kdc_hooks_test - -%patch166 -p1 -b .SNI-HTTP-Host - -%patch167 -p1 -b .otp-preauth-prompt-type -%patch168 -p1 -b .improve-bad-password-inference -%patch169 -p1 -b .kdc-error-encrypted-timestamp -%patch170 -p1 -b .samba-client-mutual-flag - -%patch171 -p1 -b .responder-non-preauth -%patch172 -p1 -b .krb5_db_register_keytab +%patch1 -p1 -b .krb5-1.12.1-pam +%patch2 -p1 -b .krb5-1.13-selinux-label +%patch3 -p1 -b .krb5-1.12-ksu-path +%patch4 -p1 -b .krb5-1.12-ktany +%patch5 -p1 -b .krb5-1.12-buildconf +%patch6 -p1 -b .krb5-1.3.1-dns +%patch7 -p1 -b .krb5-1.12-api +%patch8 -p1 -b .krb5-1.13-dirsrv-accountlock +%patch9 -p1 -b .krb5-1.9-debuginfo +%patch10 -p1 -b .krb5-1.11-run_user_0 +%patch11 -p1 -b .krb5-1.11-kpasswdtest +%patch12 -p1 -b .Fix-impersonate_name-to-work-with-interposers +%patch13 -p1 -b .Create-KDC-and-kadmind-log-files-with-mode-0640 +%patch14 -p1 -b .Add-KDC-pre-send-and-post-receive-KDC-hooks +%patch15 -p1 -b .Add-tests-for-send-and-receive-sendto_kdc-hooks +%patch16 -p1 -b .Set-prompt-type-for-OTP-preauth-prompt +%patch17 -p1 -b .Improve-bad-password-inference-in-kinit +%patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth +%patch19 -p1 -b .Add-krb5_db_register_keytab # Take the execute bit off of 
documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -758,6 +734,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Sep 19 2016 Robbie Harwood - 1.14.4-1 +- New upstream release +- Update names and numbers to match external git + * Mon Sep 19 2016 Robbie Harwood - 1.14.3-9 - Add krb5_db_register_keytab - Resolves: #1376812 diff --git a/sources b/sources index ed8a704..98973aa 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -f76e4f8a3c95bb59980dd5ef4b48aea9 krb5-1.14.3.tar.gz -438c48157c7b7daf6f133ffe6369342e krb5-1.14.3.tar.gz.asc -c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.3-pdfs.tar +ba90f5701fc2dda76133c1f34ba4ee80 krb5-1.14.4.tar.gz +1d91e165f25519bbb60b4715bcabda0f krb5-1.14.4.tar.gz.asc +c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar -- cgit
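Review bot: The `%{?_rawbuild}` suffix carried by the removed `%patch16`, `%patch23` and `%patch71` lines is missing from the new `%patch5`, `%patch6` and `%patch8` lines, so a build with `_rawbuild` defined would presumably no longer apply buildconf, dns and dirsrv-accountlock; if that is unintended, restore it, e.g. `%patch5 -p1 -b .krb5-1.12-buildconf %{?_rawbuild}`. The debuginfo patch also changes strip level from `-p0` to `-p1` (`%patch9 -p1 -b .krb5-1.9-debuginfo`), which only works if krb5-1.9-debuginfo.patch was regenerated with a/ b/ path prefixes, so that is worth confirming. The comment explaining when the run_user_0 patch applies (`# Apply when the hard-wired or configured default location is DIR:/run/user/%%{uid}/krb5cc.`) was dropped with the renumbering; keep it above `%patch10`. The %changelog entry on this line says only "New upstream release"; naming the patches dropped as upstreamed (ofd-lock-workaround, SNI-HTTP-Host, responder-non-preauth, samba-client-mutual-flag) would make the change auditable.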
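Review bot: The new `c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.4-pdfs.tar` entry carries exactly the digest of the removed `krb5-1.14.3-pdfs.tar` entry, while the two tarball entries above it received new digests. Either the PDF tarball was renamed without being regenerated or its digest was not updated; confirm that the object in the lookaside cache under the new name actually has this digest, otherwise the build would presumably fail the sources check or pull stale documentation.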