diff --git a/0000-add-ldflags-to-shared-libs.patch b/0000-add-ldflags-to-shared-libs.patch
deleted file mode 100644
index 58900dc5e07707a7c63fc3e7f88e52eb2e88e3e3..0000000000000000000000000000000000000000
--- a/0000-add-ldflags-to-shared-libs.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- krb5-1.20.1/src/config/shlib.conf.orig 2023-03-09 17:40:09.401258956 +0800
-+++ krb5-1.20.1/src/config/shlib.conf 2023-03-09 17:40:32.985258956 +0800
-@@ -424,7 +424,7 @@
- # Linux ld doesn't default to stuffing the SONAME field...
- # Use objdump -x to examine the fields of the library
- # UNDEF_CHECK is suppressed by --enable-asan
-- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
-+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) $(LDFLAGS)'
- UNDEF_CHECK='-Wl,--no-undefined'
- # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
diff --git a/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch b/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cc457ae43082ab8132e465075440b53ba7940054
--- /dev/null
+++ b/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch 
@@ -0,0 +1,309 @@ +From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 16 Aug 2023 10:00:30 +0200 +Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes" + +This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463. +--- + doc/admin/conf_files/krb5_conf.rst | 12 ------------ + doc/admin/enctypes.rst | 23 +++------------------- + src/include/k5-int.h | 4 ---- + src/kdc/kdc_util.c | 10 ---------- + src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++------------------- + src/lib/krb5/krb/init_ctx.c | 10 ---------- + src/tests/gssapi/t_enctypes.py | 3 +-- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++------------------------- + src/util/k5test.py | 4 ++-- + 10 files changed, 20 insertions(+), 107 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index ecdf917501..f22d5db11b 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + +-**allow_des3** +- Permit the KDC to issue tickets with des3-cbc-sha1 session keys. +- In future releases, this flag will allow des3-cbc-sha1 to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- +-**allow_rc4** +- Permit the KDC to issue tickets with arcfour-hmac session keys. +- In future releases, this flag will allow arcfour-hmac to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) 
+- + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index dce19ad43e..694922c0d9 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,15 +48,12 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. Starting in krb5-1.21, all services are assumed to support +-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session +-keys will not be issued by default. ++enctypes. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal, overriding the service's +-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. +-See :ref:`set_string` in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal. See :ref:`set_string` ++in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -90,20 +87,6 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + +-**allow_des3** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- des3-cbc-sha1 session keys. In a future release, this flag will +- control whether des3-cbc-sha1 is permitted in similar fashion to +- weak enctypes. +- +-**allow_rc4** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- arcfour-hmac session keys. 
In a future release, this flag will +- control whether arcfour-hmac is permitted in similar fashion to +- weak enctypes. +- + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 2f7791b775..1d1c8293f4 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,8 +180,6 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" +-#define KRB5_CONF_ALLOW_DES3 "allow_des3" +-#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1240,8 +1238,6 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; +- krb5_boolean allow_des3; +- krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index e54cc751f9..75e04b73db 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; + +- /* +- * Prevent these deprecated enctypes from being used as session keys +- * unless they are explicitly allowed. In the future they will be more +- * comprehensively disabled and eventually removed. 
+- */ +- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3) +- continue; +- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4) +- continue; +- + if (dbentry_supports_enctype(context, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ea089f0fcc..1b420a3ac2 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if a deprecated enctype was used for +- * either the reply key or the session key. */ ++/* Display a warning via the prompter if des3-cbc-sha1 was used for either the ++ * reply key or the session key. */ + static void +-warn_deprecated(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_des3(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- krb5_enctype etype; +- char encbuf[128], banner[256]; ++ const char *banner; + +- if (ctx->prompter == NULL) +- return; +- +- if (krb5int_c_deprecated_enctype(as_key_enctype)) +- etype = as_key_enctype; +- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) +- etype = ctx->cred.keyblock.enctype; +- else ++ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && ++ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) + return; +- +- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ if (ctx->prompter == NULL) + return; +- snprintf(banner, sizeof(banner), +- _("Warning: encryption type %s used for authentication is " +- "deprecated and will be disabled"), encbuf); + ++ banner = _("Warning: encryption type des3-cbc-sha1 used for " ++ "authentication is weak and will be disabled"); + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1857,7 +1848,7 @@ 
init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_deprecated(context, ctx, encrypting_key.enctype); ++ warn_des3(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index a6c2bbeb54..87b486c53f 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_des3 = tmp; +- +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_rc4 = tmp; +- + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index f5f11842e2..7494d7fcdb 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. 
+ supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', +- 'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index 38cf96ca8f..c982508d8b 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'allow_weak_crypto': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 5a213617b5..9024aee838 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,8 +25,6 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} +-conf5 = {'libdefaults': {'allow_rc4': 'true'}} +-conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Skip RC4 (as the KDC does not allow it for session keys by +-# default) and negotiate aes128-cts session key, with only an aes256 +-# long-term service key. 
++# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -71,24 +67,4 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + +-# 5: allow_rc4 permits negotiation of rc4-hmac session key. +-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. +-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) +-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 7: default config negotiates aes256-sha1 session key for RC4-only service. +-realm = K5Realm(create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) +-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') +-realm.stop() +- + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 8e5f5ba8e9..2a86c5cdfc 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1340,14 +1340,14 @@ _passes = [ + + # Exercise the DES3 enctype. 
+ ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), +-- +2.41.0 + diff --git a/0001-downstream-ksu-pam-integration.patch b/0002-downstream-ksu-pam-integration.patch similarity index 99% rename from 0001-downstream-ksu-pam-integration.patch rename to 0002-downstream-ksu-pam-integration.patch index 2b737c05b185f0e94da16eb57e6808f1e2d1b45f..08bfeabec7dc3fa3e6876a48d2fdfd5790ad6d1b 100644 --- a/0001-downstream-ksu-pam-integration.patch +++ b/0002-downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001 +From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -30,7 +30,7 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 9920476f91..bf9da35bbc 100644 +index 3d66a876b3..ce3c5a9bac 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then @@ -760,10 +760,10 @@ index 0000000000..0ab76569cb +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index f03028b5fd..aa970b0447 100644 +index 77be7a2025..587221936e 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) 
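Review bot: The src/kdc/kdc_util.c part of the new 0001 patch (the `select_session_keytype` lines spanning this hunk) removes the `continue` guards for ENCTYPE_DES3_CBC_SHA1 and ENCTYPE_ARCFOUR_HMAC together with the `allow_des3`/`allow_rc4` context fields and their init_ctx.c reads, so the KDC goes back to issuing arcfour-hmac session keys by default whenever the service's long-term keys or `session_enctypes` include it, which is exactly what the rewritten test 3b in t_sesskeynego.py now expects (`DEPRECATED:arcfour-hmac`). The src/lib/krb5/krb/get_in_tkt.c part also narrows `warn_deprecated` back to `warn_des3`, so an arcfour-hmac reply or session key is used with no prompter warning at all, and once the later 0005-downstream-Remove-3des-support.patch in this same commit removes des3 that warning can never fire. None of this is stated in the patch header, which says only `This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.`, whereas the sibling downstream patches carry a `Last-updated:` line and a rationale. I would add the same here, e.g. `Last-updated: 1.21.1-final` followed by one sentence on why the upstream default is reverted and a pointer to `permitted_enctypes` (the knob the enctypes.rst hunk leaves in place) as the way for administrators to keep RC4 session keys disabled.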
@@ -773,5 +773,5 @@ index f03028b5fd..aa970b0447 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.38.1 +2.41.0 diff --git a/0002-downstream-SELinux-integration.patch b/0003-downstream-SELinux-integration.patch similarity index 97% rename from 0002-downstream-SELinux-integration.patch rename to 0003-downstream-SELinux-integration.patch index 4271d6652d9cdbc04fb52a1f63057b20492c5d3d..cac0604fbc83485eaa893d753b8cd8f9781025fb 100644 --- a/0002-downstream-SELinux-integration.patch +++ b/0003-downstream-SELinux-integration.patch @@ -1,4 +1,4 @@ -From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001 +From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1 create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index bf9da35bbc..01283f482e 100644 +index ce3c5a9bac..3331970930 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -133,10 +133,10 @@ index bf9da35bbc..01283f482e 100644 +AC_SUBST(SELINUX_LIBS) +])dnl diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index dead0dddce..fef3e054fc 100755 +index 8e6eb86601..7677f37359 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' +@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' DEFCKTNAME='@DEFCKTNAME@' @@ -144,7 +144,7 @@ index dead0dddce..fef3e054fc 100755 LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -254,7 +255,7 @@ if test -n "$do_libs"; then +@@ -253,7 +254,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static @@ -175,10 +175,10 @@ index a0c60c70b3..7eaa2f351c 100644 GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! 
diff --git a/src/configure.ac b/src/configure.ac -index aa970b0447..40545f2bfc 100644 +index 587221936e..69be9030f8 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -188,7 +188,7 @@ index aa970b0447..40545f2bfc 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 44dc1eeb3f..c3aecba7d4 100644 +index 1d1c8293f4..768110e5ef 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -238,7 +238,7 @@ index 0000000000..dfaaa847cb +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c0194c3c94..7e1dea2cbf 100644 +index 9c76780181..dd6430ece8 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -290,10 +290,10 @@ index a89b5144f6..4d6cc0bdf9 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 38b9299066..085afc9220 100644 +index bfdfef5c48..b43fe9a082 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -848,7 +848,7 @@ write_pid_file(const char *path) +@@ -844,7 +844,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -303,7 +303,7 @@ index 38b9299066..085afc9220 100644 return errno; pid = (unsigned long) getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index f2341d720f..ffdac9f397 100644 +index aa3c81ea30..cb9785aaeb 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c @@ -488,6 +488,9 @@ doit(int fd) @@ -333,10 +333,10 @@ index f2341d720f..ffdac9f397 100644 KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2a..9aec3c05e8 100644 +index e14da53790..b879a4049b 100644 --- a/src/lib/kadm5/logger.c 
+++ b/src/lib/kadm5/logger.c -@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do +@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -345,7 +345,7 @@ index c6885edf2a..9aec3c05e8 100644 S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -439,10 +439,10 @@ index e510211fc5..f3ea28c8ec 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 3369fc4ba6..95f82cda03 100644 +index 4cbbbb270a..c4058ddc96 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -452,7 +452,7 @@ index 3369fc4ba6..95f82cda03 100644 free(fd); return errno; diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b0..2b9d01921d 100644 +index 9a506e9d44..f92ab47143 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -1034,5 +1034,5 @@ index 0000000000..807d039da3 + +#endif /* USE_SELINUX */ -- -2.38.1 +2.41.0 
diff --git a/0003-downstream-fix-debuginfo-with-y.tab.c.patch b/0004-downstream-fix-debuginfo-with-y.tab.c.patch similarity index 95% rename from 0003-downstream-fix-debuginfo-with-y.tab.c.patch rename to 0004-downstream-fix-debuginfo-with-y.tab.c.patch index 3c58cc1ff90858f5b2959304033006b50d4eb0b3..9368aa6e8ccaa4f7caacb51c4fb7ca042ef05684 100644 --- a/0003-downstream-fix-debuginfo-with-y.tab.c.patch +++ b/0004-downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001 +From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c @@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.38.1 +2.41.0 diff --git a/0004-downstream-Remove-3des-support.patch b/0005-downstream-Remove-3des-support.patch similarity index 98% rename from 0004-downstream-Remove-3des-support.patch rename to 0005-downstream-Remove-3des-support.patch index 4ec3a0ff32138222d89205acab1a5ba332d44d1c..6c8ce3bd239fbd3f77d2f69ab9e74f80fdf5f151 100644 --- a/0004-downstream-Remove-3des-support.patch +++ b/0005-downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001 +From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -8,7 +8,7 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. -Last-updated: 1.20-final +Last-updated: 1.21.1-final [antorres@redhat.com: remove diffs for: - src/kdamin/testing/proto/kdc.conf.proto - src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp 
@@ -32,7 +32,7 @@ Last-updated: 1.20-final src/include/krb5/krb5.hin | 10 +- src/kdc/kdc_util.c | 4 - src/lib/crypto/Makefile.in | 8 +- - src/lib/crypto/builtin/Makefile.in | 6 +- + src/lib/crypto/builtin/Makefile.in | 4 +- src/lib/crypto/builtin/des/ISSUES | 13 - src/lib/crypto/builtin/des/Makefile.in | 82 ---- src/lib/crypto/builtin/des/d3_aead.c | 137 ------ @@ -74,7 +74,7 @@ Last-updated: 1.20-final src/lib/crypto/krb/prf_des.c | 47 --- src/lib/crypto/krb/random_to_key.c | 28 -- src/lib/crypto/libk5crypto.exports | 1 - - src/lib/crypto/openssl/Makefile.in | 8 +- + src/lib/crypto/openssl/Makefile.in | 4 +- src/lib/crypto/openssl/des/Makefile.in | 20 - src/lib/crypto/openssl/des/deps | 14 - src/lib/crypto/openssl/des/des_keys.c | 39 -- @@ -103,13 +103,13 @@ Last-updated: 1.20-final src/tests/gssapi/t_pcontok.c | 16 +- src/tests/gssapi/t_prf.c | 7 - src/tests/t_authdata.py | 2 +- - src/tests/t_etype_info.py | 18 +- + src/tests/t_etype_info.py | 21 +- src/tests/t_keyrollover.py | 8 +- src/tests/t_mkey.py | 35 -- src/tests/t_salt.py | 5 +- src/util/k5test.py | 7 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 89 files changed, 151 insertions(+), 4713 deletions(-) + 89 files changed, 149 insertions(+), 4712 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -247,7 +247,7 @@ index ade5e1f87a..e4dc54f7e5 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index a0d4f26701..5f34dea5e8 100644 +index 45fe160d7f..b4b1f3bd93 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -259,10 +259,10 @@ index a0d4f26701..5f34dea5e8 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index fa0eb80f1f..12168fa695 100644 +index cd76f5999f..1e1cfce80c 100644 --- a/doc/conf.py 
+++ b/doc/conf.py -@@ -278,7 +278,7 @@ else: +@@ -281,7 +281,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` @@ -272,7 +272,7 @@ index fa0eb80f1f..12168fa695 100644 .. |copy| unicode:: U+000A9 ''' diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index ca2d6ef117..100c64a1c1 100644 +index 10effcf175..cad0855724 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -307,10 +307,10 @@ index 8f14e9bf2c..ba3bb18eec 100644 ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) diff --git a/src/configure.ac b/src/configure.ac -index 40545f2bfc..8dc864718d 100644 +index 69be9030f8..2561e917a2 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(. +@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(. lib lib/kdb lib/crypto lib/crypto/krb lib/crypto/crypto_tests @@ -326,7 +326,7 @@ index 40545f2bfc..8dc864718d 100644 lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 7e1dea2cbf..fb9f2a366c 100644 +index dd6430ece8..350bcf86f2 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -362,10 +362,10 @@ index 7e1dea2cbf..fb9f2a366c 100644 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 9f2a67d189..b7a9aa4992 100644 +index 75e04b73db..fe4e48209a 100644 --- a/src/kdc/kdc_util.c 
+++ b/src/kdc/kdc_util.c -@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; @@ -374,7 +374,7 @@ index 9f2a67d189..b7a9aa4992 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1704,8 +1702,6 @@ krb5_boolean +@@ -1647,8 +1645,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -414,7 +414,7 @@ index 10e8c74cf8..25c4f40cc3 100644 all-unix: all-liblinks install-unix: install-libs diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in -index daf19da195..c9e967c807 100644 +index 243bb17ba3..30bfcd30c0 100644 --- a/src/lib/crypto/builtin/Makefile.in +++ b/src/lib/crypto/builtin/Makefile.in @@ -1,6 +1,6 @@ @@ -429,15 +429,6 @@ index daf19da195..c9e967c807 100644 $(srcdir)/kdf.c \ $(srcdir)/pbkdf2.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ -@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ - camellia/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ @@ -4862,7 +4853,7 @@ index 052f4d4b51..d8ffa63304 100644 krb5int_camellia_encrypt krb5int_cmac_checksum diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in -index 08de047d0a..88f7fd0a09 100644 +index cf11f6847b..8e4cdb8bbf 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -1,6 +1,6 @@ 
@@ -4873,32 +4864,15 @@ index 08de047d0a..88f7fd0a09 100644 LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) STLIBOBJS=\ -@@ -24,14 +24,14 @@ SRCS=\ +@@ -24,7 +24,7 @@ SRCS=\ $(srcdir)/pbkdf2.c \ $(srcdir)/sha256.c --STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ -+STOBJLISTS= md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ - aes/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ +SUBDIROBJLISTS= md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ enc_provider/OBJS.ST \ hash_provider/OBJS.ST \ -@@ -42,7 +42,7 @@ includes: depend - - depend: $(SRCS) - --clean-unix:: clean-libobjs -+clean-unix:: clean-libobjsn - - @lib_frag@ - @libobj_frag@ diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in deleted file mode 100644 index a6cece1dd1..0000000000 @@ -5244,10 +5218,10 @@ index 41e845eae0..5a43c3d9eb 100644 } diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index d4e90793f9..1bc807172b 100644 +index b35e11bfb6..d7c2ad321e 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle, +@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle, } switch (negotiated_etype) { @@ -5256,7 +5230,7 @@ index d4e90793f9..1bc807172b 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index a4446530fc..88d41130a7 100644 +index 7364607198..5aeb69aebc 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -125,14 +125,14 @@ enum sgn_alg { @@ -5286,10 +5260,10 @@ index a4446530fc..88d41130a7 100644 }; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c -index d1cdce486f..7f7146a0a2 100644 +index 99275be53a..0e5d10b115 100644 
--- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c -@@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context, +@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ @@ -5315,7 +5289,7 @@ index d1cdce486f..7f7146a0a2 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); if (code) { -@@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context, +@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context, gssalloc_free(t); return(code); } @@ -5327,22 +5301,22 @@ index d1cdce486f..7f7146a0a2 100644 - */ - if (md5cksum.length != cksum_size) - abort (); -- memcpy (ptr+14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy (ptr+14, md5cksum.contents, cksum_size); +- memcpy(checksum, md5cksum.contents, cksum_size); - break; - } + -+ memcpy (ptr+14, md5cksum.contents, cksum_size); ++ memcpy(checksum, md5cksum.contents, cksum_size); krb5_free_checksum_contents(context, &md5cksum); diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c -index 9bb2ee1099..9147bb2c78 100644 +index 7bf7609a48..d5e12cb436 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c -@@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context, +@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context, /* pad the plaintext, encrypt if needed, and stick it in the token */ /* initialize the checksum */ 
@@ -5366,20 +5340,20 @@ index 9bb2ee1099..9147bb2c78 100644 code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen); if (code != 0) -@@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context, +@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context, if (code != 0) goto cleanup; - switch (ctx->signalg) { - case SGN_ALG_HMAC_SHA1_DES3_KD: - assert(md5cksum.length == ctx->cksum_size); -- memcpy(ptr + 14, md5cksum.contents, md5cksum.length); +- memcpy(checksum, md5cksum.contents, md5cksum.length); - break; - case SGN_ALG_HMAC_MD5: -- memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); +- memcpy(checksum, md5cksum.contents, ctx->cksum_size); - break; - } -+ memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size); ++ memcpy(checksum, md5cksum.contents, ctx->cksum_size); /* create the seq_num */ code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF, @@ -5769,10 +5743,10 @@ index e3d2846315..586661bb7e 100644 #define CKK_CAST3 (0x17) #define CKK_CAST128 (0x18) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 94a1b22fb1..65f6210727 100644 +index e22798f668..9fa315d7a0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -376,11 +376,11 @@ krb5_error_code server_process_dh +@@ -370,11 +370,11 @@ krb5_error_code server_process_dh * krb5_algorithm_identifier */ krb5_error_code create_krb5_supportedCMSTypes @@ -6019,10 +5993,10 @@ index f71774cdc9..d1857c433f 100644 "3BB3AE288C12B3B9D06B208A4151B3B6", "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 97e2474bf8..47ea9e4b47 100644 +index bde1c36844..8fcd30db51 100644 --- a/src/tests/t_authdata.py 
+++ b/src/tests/t_authdata.py -@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted']) +@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted']) # preferred krbtgt enctype changes. mark('#8139 regression test') realm.kinit(realm.user_princ, password('user'), ['-f']) @@ -6032,18 +6006,21 @@ index 97e2474bf8..47ea9e4b47 100644 realm.run(['./forward']) realm.run([kvno, realm.host_princ]) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index c982508d8b..96e90a69d2 100644 +index c982508d8b..a6f538b66d 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py -@@ -1,6 +1,6 @@ +@@ -1,8 +1,7 @@ from k5test import * -supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, +- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} +supported_enctypes = 'aes128-cts rc4-hmac' - conf = {'libdefaults': {'allow_weak_crypto': 'true'}, - 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} ++conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) -@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines): + + realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth', +@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines): # With no newer enctypes in the request, PA-ETYPE-INFO2, # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one # key for the most preferred matching enctype. @@ -6056,7 +6033,7 @@ index c982508d8b..96e90a69d2 100644 'asrep pw_salt KRBTEST.COMuser']) # With a newer enctype in the request (even if it is not the most -@@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts', +@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts', # In preauth-required errors, PA-PW-SALT does not appear, but the same # etype-info2 values are expected. 
@@ -6069,7 +6046,7 @@ index c982508d8b..96e90a69d2 100644 test_etinfo('preauthuser', 'rc4 aes256-cts', ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) -@@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', +@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', # (to allow for preauth mechs which don't depend on long-term keys). # An AS-REP cannot be generated without preauth as there is no reply # key. @@ -6081,7 +6058,7 @@ index c982508d8b..96e90a69d2 100644 # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED # error if the client does optimistic preauth. diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 2c825a6922..f29e0d5500 100755 +index e9840dfae8..583c2fa27e 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg) @@ -6182,10 +6159,10 @@ index 65084bbf35..55ca897459 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. diff --git a/src/util/k5test.py b/src/util/k5test.py -index 619f1995f8..771f82e3cc 100644 +index 2a86c5cdfc..d823653aa0 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py -@@ -1344,13 +1344,6 @@ _passes = [ +@@ -1338,13 +1338,6 @@ _passes = [ # No special settings; exercises AES256. ('default', None, None, None), @@ -6224,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644 The AES Advanced Encryption Standard family, like 3DES, is a symmetric block cipher and was designed -- -2.38.1 +2.41.0 diff --git a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch similarity index 99% rename from 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch rename to 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index ecf661d4d1de8ff796c72b0231f2e8bccfdee977..d59a5bfb3c0e1338373f64b6900b8e6ac255e03e 100644 
--- a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@@ -1,4 +1,4 @@
-From 239cd24624b801d4fc4bb4686bef8526e7675d77 Mon Sep 17 00:00:00 2001
+From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@@ -41,7 +41,7 @@ Last-updated: krb5-1.20
  15 files changed, 155 insertions(+), 33 deletions(-)
 
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index d5d6e06ebb..2a4962069f 100644
+index f22d5db11b..a33711d918 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
 @@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
@@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
 vt->name = "spake";
 vt->pa_type_list = pa_types;
 -- 
-2.38.1
+2.41.0
 
diff --git a/0007-Add-configure-variable-for-default-PKCS-11-module.patch b/0007-Add-configure-variable-for-default-PKCS-11-module.patch
deleted file mode 100644
index 144513381954f7ffd220e1f89fd2b39a96aa9312..0000000000000000000000000000000000000000
--- a/0007-Add-configure-variable-for-default-PKCS-11-module.patch
+++ /dev/null
@@ -1,201 +0,0 @@ -From 842b4c3b5695e2518e6f1a1545db78865c04b59c Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Fri, 22 Apr 2022 14:12:37 +0200 -Subject: [PATCH] Add configure variable for default PKCS#11 module - -[ghudson@mit.edu: added documentation of configure variable and doc -substitution; shortened commit message] - -ticket: 9058 (new) ---- - doc/admin/conf_files/krb5_conf.rst | 2 +- - doc/build/options2configure.rst | 3 +++ - doc/conf.py | 3 +++ - doc/mitK5defaults.rst | 25 +++++++++++++------------ - src/configure.ac | 8 ++++++++ - src/doc/Makefile.in | 2 ++ - src/man/Makefile.in | 4 +++- - src/man/krb5.conf.man | 2 +- - src/plugins/preauth/pkinit/pkinit.h | 1 - - 9 files changed, 34 insertions(+), 16 deletions(-) - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 2a4962069f..a33711d918 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -1017,7 +1017,7 @@ information for PKINIT is as follows: - All keyword/values are optional. *modname* specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the *modname*. If no -- module-name is specified, the default is ``opensc-pkcs11.so``. -+ module-name is specified, the default is |pkcs11_modname|. - ``slotid=`` and/or ``token=`` may be specified to force the use of - a particular smard card reader or token if there is more than one - available. ``certid=`` and/or ``certlabel=`` may be specified to -diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst -index 9e355dc2c5..e879b18bd2 100644 ---- a/doc/build/options2configure.rst -+++ b/doc/build/options2configure.rst -@@ -137,6 +137,9 @@ Environment variables - This option allows one to specify libraries to be passed to the - linker (e.g., ``-l``) - -+**PKCS11_MODNAME=**\ *library* -+ Override the built-in default PKCS11 library name. -+ - **SS_LIB=**\ *libs*... 
- If ``-lss`` is not the correct way to link in your installed ss - library, for example if additional support libraries are needed, -diff --git a/doc/conf.py b/doc/conf.py -index 12168fa695..0ab5ff9606 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -242,6 +242,7 @@ if 'mansubs' in tags: - ccache = '``@CCNAME@``' - keytab = '``@KTNAME@``' - ckeytab = '``@CKTNAME@``' -+ pkcs11_modname = '``@PKCS11MOD@``' - elif 'pathsubs' in tags: - # Read configured paths from a file produced by the build system. - exec(open("paths.py").read()) -@@ -255,6 +256,7 @@ else: - ccache = ':ref:`DEFCCNAME `' - keytab = ':ref:`DEFKTNAME `' - ckeytab = ':ref:`DEFCKTNAME `' -+ pkcs11_modname = ':ref:`PKCS11_MODNAME `' - - rst_epilog = '\n' - -@@ -275,6 +277,7 @@ else: - rst_epilog += '.. |ccache| replace:: %s\n' % ccache - rst_epilog += '.. |keytab| replace:: %s\n' % keytab - rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab -+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname - rst_epilog += ''' - .. |krb5conf| replace:: ``/etc/krb5.conf`` - .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` -diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst -index 74e69f4ad0..aea7af3dbb 100644 ---- a/doc/mitK5defaults.rst -+++ b/doc/mitK5defaults.rst -@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an - operating system, the paths are generally chosen to match the - operating system's filesystem layout. 
- --========================== ============= =========================== =========================== --Description Symbolic name Custom build path Typical OS path --========================== ============= =========================== =========================== --User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` --Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` --Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` --Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` --Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` --Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` --Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` --Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` --========================== ============= =========================== =========================== -+========================== ============== =========================== =========================== -+Description Symbolic name Custom build path Typical OS path -+========================== ============== =========================== =========================== -+User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` -+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` -+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` -+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` -+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` -+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` -+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` -+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` -+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` -+========================== ============== =========================== =========================== - - The default client keytab name (DEFCKTNAME) typically defaults to 
- ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom -diff --git a/src/configure.ac b/src/configure.ac -index 8dc864718d..9774cb71ae 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name]) - AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"], - [Define to default client keytab name]) - -+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name]) -+if test "${PKCS11_MODNAME+set}" != set; then -+ PKCS11_MODNAME=opensc-pkcs11.so -+fi -+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME]) -+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"], -+ [Default PKCS11 module name]) -+ - AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config]) - AC_CONFIG_FILES([build-tools/kadm-server.pc - build-tools/kadm-client.pc -diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index 379bc36511..a1b0cff0a4 100644 ---- a/src/doc/Makefile.in -+++ b/src/doc/Makefile.in -@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - RST_SOURCES= _static \ - _templates \ -@@ -118,6 +119,7 @@ paths.py: - echo 'ccache = "``$(DEFCCNAME)``"' >> $@ - echo 'keytab = "``$(DEFKTNAME)``"' >> $@ - echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@ -+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@ - - # Dummy rule that man/Makefile can invoke - version.py: $(docsrc)/version.py -diff --git a/src/man/Makefile.in b/src/man/Makefile.in -index 00b1b2de06..85cae0914e 100644 ---- a/src/man/Makefile.in -+++ b/src/man/Makefile.in -@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ - DEFCKTNAME=@DEFCKTNAME@ -+PKCS11_MODNAME=@PKCS11_MODNAME@ - - MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ - kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ -@@ -47,7 +48,8 @@ $(docsrc)/version.py: 
$(top_srcdir)/patchlevel.h - -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ - -e 's|@CCNAME@|$(DEFCCNAME)|g' \ - -e 's|@KTNAME@|$(DEFKTNAME)|g' \ -- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@ -+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \ -+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@ - - all: $(MANSUBS) - -diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man -index 51acb38815..fd2c6f2bc4 100644 ---- a/src/man/krb5.conf.man -+++ b/src/man/krb5.conf.man -@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key. - All keyword/values are optional. \fImodname\fP specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the \fImodname\fP\&. If no --module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. -+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&. - \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of - a particular smard card reader or token if there is more than one - available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to -diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h -index 8135535e2c..66f92d8f03 100644 ---- a/src/plugins/preauth/pkinit/pkinit.h -+++ b/src/plugins/preauth/pkinit/pkinit.h -@@ -42,7 +42,6 @@ - #ifndef WITHOUT_PKCS11 - #include "pkcs11.h" - --#define PKCS11_MODNAME "opensc-pkcs11.so" - #define PK_SIGLEN_GUESS 1000 - #define PK_NOSLOT 999999 - #endif --- -2.38.1 - diff --git a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch b/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch similarity index 96% rename from 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch rename to 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch index b8e542945a26f919fab4b2cc84c3aed13bf1f52e..2602e7a1071a11ecba918ad1dd7635b9f16fbd4d 100644 --- a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch 
+++ b/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
@@ -1,8 +1,7 @@
-From 5587c755b6ca82bde093523e2d17b255158cd90e Mon Sep 17 00:00:00 2001
+From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001
 From: Julien Rische
 Date: Thu, 5 May 2022 17:15:12 +0200
-Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
- with FIPS
+Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
 
 libkrad allows to establish connections only to UNIX socket in FIPS
 mode, because MD5 digest is not considered safe enough to be used for
@@ -78,5 +77,5 @@ index 929f1cef67..063f17a613 100644
 retval = ESOCKTNOSUPPORT;
 goto error;
 -- 
-2.38.1
+2.41.0
 
diff --git a/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch b/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch
deleted file mode 100644
index 3755c15c3699b289cf273c9cc305f76e6fabaffc..0000000000000000000000000000000000000000
--- a/0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch
+++ /dev/null
@@ -1,159 +0,0 @@ -From 3fb8c4c68274d2ff4addb44b7b95b4698c2c4f34 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 1 Jun 2022 18:02:04 +0200 -Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT - -The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know -the algorithms it supports for verification of the CMS data signature. -(The MIT krb5 KDC currently ignores this list, but other -implementations use it.) - -Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption. - -[ghudson@mit.edu: simplified code and used appropriate helpers; edited -commit message] - -ticket: 9066 (new) ---- - src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++- - src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++ - .../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++--------- - 3 files changed, 60 insertions(+), 26 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c -index 652897fa14..1da482e0b4 100644 ---- a/src/plugins/preauth/pkinit/pkinit_constants.c -+++ b/src/plugins/preauth/pkinit/pkinit_constants.c -@@ -32,9 +32,14 @@ - - #include "pkinit.h" - --/* statically declare OID constants for all three algorithms */ --static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01}; -+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */ -+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */ - static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 }; -+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6) -+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */ - static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 
0x03, 0x06, 0x03 }; - - const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid }; -@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = { - NULL - }; - -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 11 */ -+static char sha256WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b -+}; -+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) -+ * rsadsi(113549) pkcs(1) 1 13 */ -+static char sha512WithRSAEncr_oid[9] = { -+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d -+}; -+ -+const krb5_data sha256WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid -+}; -+const krb5_data sha512WithRSAEncr_id = { -+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid -+}; -+ -+krb5_data const * const supported_cms_algs[] = { -+ &sha512WithRSAEncr_id, -+ &sha256WithRSAEncr_id, -+ NULL -+}; -+ - /* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as - * DomainParameters (RFC 3279 section 2.3.3). */ - static const uint8_t o1024[] = { -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 65f6210727..64300da856 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096; - */ - extern krb5_data const * const supported_kdf_alg_ids[]; - -+/* CMS signature algorithms supported by this implementation, in order of -+ * decreasing preference. 
*/ -+extern krb5_data const * const supported_cms_algs[]; -+ - krb5_error_code - crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, - uint8_t **der_out, size_t *der_len); -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index d500455dec..1c2aa02827 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, -- krb5_algorithm_identifier ***oids) -+ krb5_algorithm_identifier ***algs_out) - { -+ krb5_error_code ret; -+ krb5_algorithm_identifier **algs = NULL; -+ size_t i, count; - -- krb5_error_code retval = ENOMEM; -- krb5_algorithm_identifier **loids = NULL; -- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; -+ *algs_out = NULL; - -- *oids = NULL; -- loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); -- if (loids == NULL) -- goto cleanup; -- loids[1] = NULL; -- loids[0] = malloc(sizeof(krb5_algorithm_identifier)); -- if (loids[0] == NULL) { -- free(loids); -- goto cleanup; -- } -- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); -- if (retval) { -- free(loids[0]); -- free(loids); -+ /* Count supported OIDs and allocate list (including null terminator). */ -+ for (count = 0; supported_cms_algs[count] != NULL; count++); -+ algs = k5calloc(count + 1, sizeof(*algs), &ret); -+ if (algs == NULL) - goto cleanup; -+ -+ /* Add an algorithm identifier for each OID, with no parameters. 
*/ -+ for (i = 0; i < count; i++) { -+ algs[i] = k5alloc(sizeof(*algs[i]), &ret); -+ if (algs[i] == NULL) -+ goto cleanup; -+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i], -+ &algs[i]->algorithm); -+ if (ret) -+ goto cleanup; -+ algs[i]->parameters = empty_data(); - } -- loids[0]->parameters.length = 0; -- loids[0]->parameters.data = NULL; - -- *oids = loids; -- retval = 0; --cleanup: -+ *algs_out = algs; -+ algs = NULL; - -- return retval; -+cleanup: -+ free_krb5_algorithm_identifiers(&algs); -+ return ret; - } - - krb5_error_code --- -2.38.1 - diff --git a/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch similarity index 94% rename from 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch rename to 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch index 5840faa8d82de0f0fe0460cfc515b3c68ce85c0b..844890e3c139b5371db026e5e786ca62ef37052a 100644 --- a/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +++ b/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch @@ -1,4 +1,4 @@ -From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001 +From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 7 Dec 2022 13:22:42 +0100 Subject: [PATCH] [downstream] Make tests compatible with @@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644 fail('URI answers do not match') j += 1 -- -2.38.1 +2.41.0 diff --git a/0009-Simplify-plugin-loading-code.patch b/0009-Simplify-plugin-loading-code.patch deleted file mode 100644 index 42802e56c82c61d51a84a9ea6b4cf1eb6d050509..0000000000000000000000000000000000000000 --- a/0009-Simplify-plugin-loading-code.patch +++ /dev/null 
@@ -1,622 +0,0 @@ -From ffb47e4120d68aef015453350a3a50a9bab1ec58 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 23 Jun 2022 16:41:40 -0400 -Subject: [PATCH] Simplify plugin loading code - -Remove the USE_CFBUNDLE code, which was only used by KfM. Handle -platform conditionals according to current practice. Use -k5_dir_filenames() instead of opendir() and remove the Windows -implementation of opendir(). ---- - src/util/support/plugins.c | 507 +++++++++++-------------------------- - 1 file changed, 150 insertions(+), 357 deletions(-) - -diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c -index c6a9a21d57..0850565687 100644 ---- a/src/util/support/plugins.c -+++ b/src/util/support/plugins.c -@@ -29,16 +29,6 @@ - #if USE_DLOPEN - #include - #endif --#include --#ifdef HAVE_SYS_STAT_H --#include --#endif --#ifdef HAVE_SYS_PARAM_H --#include --#endif --#ifdef HAVE_UNISTD_H --#include --#endif - - #if USE_DLOPEN - #ifdef RTLD_GROUP -@@ -68,16 +58,6 @@ - #endif - #endif - --#if USE_DLOPEN && USE_CFBUNDLE --#include -- --/* Currently CoreFoundation only exists on the Mac so we just use -- * pthreads directly to avoid creating empty function calls on other -- * platforms. If a thread initializer ever gets created in the common -- * plugin code, move this there */ --static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER; --#endif -- - #include - static void Tprintf (const char *fmt, ...) - { -@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...) 
- } - - struct plugin_file_handle { --#if USE_DLOPEN -+#if defined(USE_DLOPEN) - void *dlhandle; --#endif --#ifdef _WIN32 -- HMODULE hinstPlugin; --#endif --#if !defined (USE_DLOPEN) && !defined (_WIN32) -+#elif defined(_WIN32) -+ HMODULE module; -+#else - char dummy; - #endif - }; - --#ifdef _WIN32 --struct dirent { -- long d_ino; /* inode (always 1 in WIN32) */ -- off_t d_off; /* offset to this dirent */ -- unsigned short d_reclen; /* length of d_name */ -- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */ --}; -- --typedef struct { -- intptr_t handle; /* _findfirst/_findnext handle */ -- short offset; /* offset into directory */ -- short finished; /* 1 if there are not more files */ -- struct _finddata_t fileinfo;/* from _findfirst/_findnext */ -- char *dir; /* the dir we are reading */ -- struct dirent dent; /* the dirent to return */ --} DIR; -+#if defined(USE_DLOPEN) - --DIR * opendir(const char *dir) -+static long -+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) - { -- DIR *dp; -- char *filespec; -- intptr_t handle; -- int index; -- -- filespec = malloc(strlen(dir) + 2 + 1); -- strcpy(filespec, dir); -- index = strlen(filespec) - 1; -- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\')) -- filespec[index] = '\0'; -- strcat(filespec, "/*"); -- -- dp = (DIR *)malloc(sizeof(DIR)); -- dp->offset = 0; -- dp->finished = 0; -- dp->dir = strdup(dir); -- -- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) { -- if (errno == ENOENT) -- dp->finished = 1; -- else { -- free(filespec); -- free(dp->dir); -- free(dp); -- return NULL; -- } -+ const char *e; -+ -+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS); -+ if (h->dlhandle == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlopen(%s): %s\n", filename, e); -+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"), -+ filename, e); -+ return ENOENT; - } -- -- dp->handle = handle; -- 
free(filespec); -- -- return dp; -+ return 0; - } -+#define open_plugin open_plugin_dlfcn - --struct dirent * readdir(DIR *dp) -+static long -+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- if (!dp || dp->finished) return NULL; -- -- if (dp->offset != 0) { -- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) { -- dp->finished = 1; -- return NULL; -- } -+ const char *e; -+ -+ if (h->dlhandle == NULL) -+ return ENOENT; -+ *sym_out = dlsym(h->dlhandle, csymname); -+ if (*sym_out == NULL) { -+ e = dlerror(); -+ if (e == NULL) -+ e = _("unknown failure"); -+ Tprintf("dlsym(%s): %s\n", csymname, e); -+ k5_set_error(ep, ENOENT, "%s", e); -+ return ENOENT; - } -- dp->offset++; -- -- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME); -- dp->dent.d_ino = 1; -- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name); -- dp->dent.d_off = dp->offset; -- -- return &(dp->dent); --} -- --int closedir(DIR *dp) --{ -- if (!dp) return 0; -- _findclose(dp->handle); -- free(dp->dir); -- free(dp); -- - return 0; - } --#endif -+#define get_sym get_sym_dlfcn - --long KRB5_CALLCONV --krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep) -+static void -+close_plugin_dlfcn(struct plugin_file_handle *h) - { -- long err = 0; -- struct plugin_file_handle *htmp = NULL; -- int got_plugin = 0; --#if defined(USE_CFBUNDLE) || defined(_WIN32) -- struct stat statbuf; -- -- if (!err) { -- if (stat (filepath, &statbuf) < 0) { -- err = errno; -- Tprintf ("stat(%s): %s\n", filepath, strerror (err)); -- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"), -- filepath, strerror(err)); -- } -- } --#endif -- -- if (!err) { -- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */ -- if (htmp == NULL) { err = ENOMEM; } -- } -- --#if USE_DLOPEN -- if (!err --#if USE_CFBUNDLE -- && ((statbuf.st_mode & S_IFMT) == S_IFREG -- || (statbuf.st_mode & S_IFMT) == S_IFDIR) --#endif /* 
USE_CFBUNDLE */ -- ) { -- void *handle = NULL; -- --#if USE_CFBUNDLE -- char executablepath[MAXPATHLEN]; -- -- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) { -- int lock_err = 0; -- CFStringRef pluginString = NULL; -- CFURLRef pluginURL = NULL; -- CFBundleRef pluginBundle = NULL; -- CFURLRef executableURL = NULL; -- -- /* Lock around CoreFoundation calls since objects are refcounted -- * and the refcounts are not thread-safe. Using pthreads directly -- * because this code is Mac-specific */ -- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex); -- if (lock_err) { err = lock_err; } -- -- if (!err) { -- pluginString = CFStringCreateWithCString (kCFAllocatorDefault, -- filepath, -- kCFStringEncodingASCII); -- if (pluginString == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault, -- pluginString, -- kCFURLPOSIXPathStyle, -- true); -- if (pluginURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL); -- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */ -- } -- -- if (!err) { -- executableURL = CFBundleCopyExecutableURL (pluginBundle); -- if (executableURL == NULL) { err = ENOMEM; } -- } -- -- if (!err) { -- if (!CFURLGetFileSystemRepresentation (executableURL, -- true, /* absolute */ -- (UInt8 *)executablepath, -- sizeof (executablepath))) { -- err = ENOMEM; -- } -- } -- -- if (!err) { -- /* override the path the caller passed in */ -- filepath = executablepath; -- } -- -- if (executableURL != NULL) { CFRelease (executableURL); } -- if (pluginBundle != NULL) { CFRelease (pluginBundle); } -- if (pluginURL != NULL) { CFRelease (pluginURL); } -- if (pluginString != NULL) { CFRelease (pluginString); } -- -- /* unlock after CFRelease calls since they modify refcounts */ -- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); } -- } --#endif /* USE_CFBUNDLE */ -- -- if (!err) { -- handle = dlopen(filepath, 
PLUGIN_DLOPEN_FLAGS); -- if (handle == NULL) { -- const char *e = dlerror(); -- if (e == NULL) -- e = _("unknown failure"); -- Tprintf ("dlopen(%s): %s\n", filepath, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"), -- filepath, e); -- } -- } -+ if (h->dlhandle != NULL) -+ dlclose(h->dlhandle); -+} -+#define close_plugin close_plugin_dlfcn - -- if (!err) { -- got_plugin = 1; -- htmp->dlhandle = handle; -- handle = NULL; -- } -+#elif defined(_WIN32) - -- if (handle != NULL) { dlclose (handle); } -+static long -+open_plugin_win32(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ h->module = LoadLibrary(filename); -+ if (h == NULL) { -+ Tprintf("Unable to load dll: %s\n", filename); -+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename); -+ return ENOENT; - } --#endif /* USE_DLOPEN */ -- --#ifdef _WIN32 -- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) { -- HMODULE handle = NULL; -+ return 0; -+} -+#define open_plugin open_plugin_win32 - -- handle = LoadLibrary(filepath); -- if (handle == NULL) { -- Tprintf ("Unable to load dll: %s\n", filepath); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath); -- } -+static long -+get_sym_win32(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) -+{ -+ LPVOID lpMsgBuf; -+ DWORD dw; - -- if (!err) { -- got_plugin = 1; -- htmp->hinstPlugin = handle; -- handle = NULL; -+ if (h->module == NULL) -+ return ENOENT; -+ *sym_out = GetProcAddress(h->module, csymname); -+ if (*sym_out == NULL) { -+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError()); -+ dw = GetLastError(); -+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -+ FORMAT_MESSAGE_FROM_SYSTEM, -+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -+ (LPTSTR)&lpMsgBuf, 0, NULL)) { -+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"), -+ (char *)lpMsgBuf); -+ LocalFree(lpMsgBuf); - } -- -- 
if (handle != NULL) -- FreeLibrary(handle); -- } --#endif -- -- if (!err && !got_plugin) { -- err = ENOENT; /* no plugin or no way to load plugins */ -- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err)); -+ return ENOENT; - } -+ return 0; -+} -+#define get_sym get_sym_win32 - -- if (!err) { -- *h = htmp; -- htmp = NULL; /* h takes ownership */ -- } -+static void -+close_plugin_win32(struct plugin_file_handle *h) -+{ -+ if (h->module != NULL) -+ FreeLibrary(h->module); -+} -+#define close_plugin close_plugin_win32 - -- free(htmp); -+#else - -- return err; -+static long -+open_plugin_dummy(struct plugin_file_handle *h, const char *filename, -+ struct errinfo *ep) -+{ -+ k5_set_error(ep, ENOENT, _("plugin loading unavailable")); -+ return ENOENT; - } -+#define open_plugin open_plugin_dummy - - static long --krb5int_get_plugin_sym (struct plugin_file_handle *h, -- const char *csymname, int isfunc, void **ptr, -- struct errinfo *ep) -+get_sym_dummy(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- long err = 0; -- void *sym = NULL; -+ return ENOENT; -+} -+#define get_sym get_sym_dummy -+ -+static void -+close_plugin_dummy(struct plugin_file_handle *h) -+{ -+} -+#define close_plugin close_plugin_dummy - --#if USE_DLOPEN -- if (!err && !sym && (h->dlhandle != NULL)) { -- /* XXX Do we need to add a leading "_" to the symbol name on any -- modern platforms? 
*/ -- sym = dlsym (h->dlhandle, csymname); -- if (sym == NULL) { -- const char *e = dlerror (); /* XXX copy and save away */ -- if (e == NULL) -- e = "unknown failure"; -- Tprintf ("dlsym(%s): %s\n", csymname, e); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- } -- } - #endif - --#ifdef _WIN32 -- LPVOID lpMsgBuf; -- DWORD dw; -+long KRB5_CALLCONV -+krb5int_open_plugin(const char *filename, -+ struct plugin_file_handle **handle_out, struct errinfo *ep) -+{ -+ long ret; -+ struct plugin_file_handle *h; - -- if (!err && !sym && (h->hinstPlugin != NULL)) { -- sym = GetProcAddress(h->hinstPlugin, csymname); -- if (sym == NULL) { -- const char *e = "unable to get dll symbol"; /* XXX copy and save away */ -- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError()); -- err = ENOENT; /* XXX */ -- k5_set_error(ep, err, "%s", e); -- -- dw = GetLastError(); -- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | -- FORMAT_MESSAGE_FROM_SYSTEM, -- NULL, -- dw, -- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), -- (LPTSTR) &lpMsgBuf, -- 0, NULL )) { -- -- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf); -- LocalFree(lpMsgBuf); -- } -- } -- } --#endif -+ *handle_out = NULL; - -- if (!err && (sym == NULL)) { -- err = ENOENT; /* unimplemented */ -- } -+ h = calloc(1, sizeof(*h)); -+ if (h == NULL) -+ return ENOMEM; - -- if (!err) { -- *ptr = sym; -+ ret = open_plugin(h, filename, ep); -+ if (ret) { -+ free(h); -+ return ret; - } - -- return err; -+ *handle_out = h; -+ return 0; - } - - long KRB5_CALLCONV --krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname, -- void **ptr, struct errinfo *ep) -+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname, -+ void **sym_out, struct errinfo *ep) - { -- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep); -+ return get_sym(h, csymname, sym_out, ep); - } - - long KRB5_CALLCONV --krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname, -- 
void (**ptr)(), struct errinfo *ep) -+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname, -+ void (**sym_out)(), struct errinfo *ep) - { - void *dptr = NULL; -- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep); -- if (!err) { -- /* Cast function pointers to avoid code duplication */ -- *ptr = (void (*)()) dptr; -- } -- return err; -+ long ret = get_sym(h, csymname, &dptr, ep); -+ -+ if (!ret) -+ *sym_out = (void (*)())dptr; -+ return ret; - } - - void KRB5_CALLCONV - krb5int_close_plugin (struct plugin_file_handle *h) - { --#if USE_DLOPEN -- if (h->dlhandle != NULL) { dlclose(h->dlhandle); } --#endif --#ifdef _WIN32 -- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); } --#endif -- free (h); -+ close_plugin(h); -+ free(h); - } - --/* autoconf docs suggest using this preference order */ --#if HAVE_DIRENT_H || USE_DIRENT_H --#include --#define NAMELEN(D) strlen((D)->d_name) --#else --#ifndef _WIN32 --#define dirent direct --#define NAMELEN(D) ((D)->d->namlen) --#else --#define NAMELEN(D) strlen((D)->d_name) --#endif --#if HAVE_SYS_NDIR_H --# include --#elif HAVE_SYS_DIR_H --# include --#elif HAVE_NDIR_H --# include --#endif --#endif -- - static long - krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray) - { -@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames, - if (handle != NULL) { krb5int_close_plugin (handle); } - } - } else { -- /* load all plugins in each directory */ -- DIR *dir = opendir (dirnames[i]); -+ char **fnames = NULL; -+ int j; - -- while (dir != NULL && !err) { -- struct dirent *d = NULL; -+ err = k5_dir_filenames(dirnames[i], &fnames); -+ for (j = 0; !err && fnames[j] != NULL; j++) { - char *filepath = NULL; - struct plugin_file_handle *handle = NULL; - -- d = readdir (dir); -- if (d == NULL) { break; } -- -- if ((strcmp (d->d_name, ".") == 0) || -- (strcmp (d->d_name, "..") == 0)) { -+ if (strcmp(fnames[j], ".") == 0 || -+ strcmp(fnames[j], "..") == 0) - 
continue; -- } - -- if (!err) { -- int len = NAMELEN (d); -- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) { -- filepath = NULL; -- err = ENOMEM; -- } -+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) { -+ filepath = NULL; -+ err = ENOMEM; - } - -- if (!err) { -- if (krb5int_open_plugin (filepath, &handle, ep) == 0) { -- err = krb5int_plugin_file_handle_array_add (&h, &count, handle); -- if (!err) { handle = NULL; } /* h takes ownership */ -- } -+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) { -+ err = krb5int_plugin_file_handle_array_add(&h, &count, -+ handle); -+ if (!err) -+ handle = NULL; /* h takes ownership */ - } - - free(filepath); -- if (handle != NULL) { krb5int_close_plugin (handle); } -+ if (handle != NULL) -+ krb5int_close_plugin(handle); - } - -- if (dir != NULL) { closedir (dir); } -+ k5_free_filenames(fnames); - } - } - --- -2.38.1 - diff --git a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch similarity index 98% rename from 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch rename to 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch index 24ba48a9e0270841442b14a262a6588a8306e2a3..ea123f7ddd69340fcde847d14ed379075892754e 100644 --- a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch +++ b/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch @@ -1,4 +1,4 @@ -From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001 +From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 Jan 2023 20:06:47 +0100 Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header @@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644 * The SPAKE kdcpreauth module uses a secure cookie containing the following * concatenated fields (all integer fields are big-endian): -- -2.38.1 +2.41.0 
diff --git a/0015-downstream-Do-not-set-root-as-ksu-file-owner.patch b/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch similarity index 93% rename from 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch rename to 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch index 5c53868c4c1fe2962f1046ca1bcc70ed74fcb9ce..46e759e87cb4f3d2aeaf88c8b6d991add12696dc 100644 --- a/0015-downstream-Do-not-set-root-as-ksu-file-owner.patch +++ b/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch @@ -1,4 +1,4 @@ -From 59d3ecdab7210e87ec475f4ae0d64888d5416b29 Mon Sep 17 00:00:00 2001 +From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Mon, 9 Jan 2023 22:39:52 +0100 Subject: [PATCH] [downstream] Do not set root as ksu file owner @@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644 ## ${prefix}. prefix=@prefix@ -- -2.38.1 +2.41.0 diff --git a/0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch b/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch similarity index 98% rename from 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch rename to 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch index 227650e83b18cf4370974de979dcf3f493dc3e08..2d34be0da377b7b0990dda16c06dc27776159e34 100644 --- a/0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +++ b/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From d8f67df42efd68142aa904040f9e8cc0f9138c10 Mon Sep 17 00:00:00 2001 +From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 19 Jan 2023 19:22:27 +0100 Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode @@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644 ret = KRB5_CRYPTO_INTERNAL; goto done; -- -2.39.1 +2.41.0 
diff --git a/0012-Add-and-use-ts_interval-helper.patch b/0012-Add-and-use-ts_interval-helper.patch
deleted file mode 100644
index 5f9647e966bd2a4a1b63c229e068791e8755a4f3..0000000000000000000000000000000000000000
--- a/0012-Add-and-use-ts_interval-helper.patch
+++ /dev/null
@@ -1,239 +0,0 @@ -From 07ec260c65ec036d44362868df0f796a53495f27 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 19 Sep 2022 15:18:50 -0400 -Subject: [PATCH] Add and use ts_interval() helper - -ts_delta() returns a signed result, which cannot hold an interval -larger than 2^31-1 seconds. Intervals like this have been seen when -admins set password expiration dates more than 68 years in the future. - -Add a second helper ts_interval() which returns a signed result, and -has the arguments reversed so that the start time is first. Use it in -warn_pw_expiry() to handle the password expiration case, in the GSS -krb5 mech where we return an unsigned context or credential lifetime -to the caller, and in the KEYRING ccache type where we compute an -unsigned keyring timeout. - -ticket: 9071 (new) ---- - src/include/k5-int.h | 9 +++++++++ - src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++---- - src/lib/gssapi/krb5/acquire_cred.c | 3 +-- - src/lib/gssapi/krb5/context_time.c | 2 +- - src/lib/gssapi/krb5/init_sec_context.c | 4 ++-- - src/lib/gssapi/krb5/inq_context.c | 2 +- - src/lib/gssapi/krb5/inq_cred.c | 2 +- - src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- - src/lib/krb5/ccache/cc_keyring.c | 4 ++-- - src/lib/krb5/krb/get_in_tkt.c | 15 +++++++-------- - 10 files changed, 31 insertions(+), 22 deletions(-) - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index c3aecba7d4..768110e5ef 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b) - return (krb5_deltat)((uint32_t)a - (uint32_t)b); - } - -+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */ -+static inline uint32_t -+ts_interval(krb5_timestamp start, krb5_timestamp end) -+{ -+ if ((uint32_t)start > (uint32_t)end) -+ return 0; -+ return (uint32_t)end - (uint32_t)start; -+} -+ - /* Increment a timestamp by a signed 32-bit interval, without relying on - * undefined behavior. 
*/ - static inline krb5_timestamp -diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 1bc807172b..7de2c9fd77 100644 ---- a/src/lib/gssapi/krb5/accept_sec_context.c -+++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle, - *mech_type = ctx->mech_used; - - if (time_rec) { -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + -- ctx->k5_context->clockskew; -+ *time_rec = ts_interval(now - ctx->k5_context->clockskew, -+ ctx->krb_times.endtime); - } - - /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential -@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket. */ -- if (time_rec) -- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew; -+ if (time_rec) { -+ *time_rec = ts_interval(now - context->clockskew, -+ ctx->krb_times.endtime); -+ } - - if (ret_flags) - *ret_flags = ctx->gss_flags; -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index e226a02692..006eba114d 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - GSS_C_NO_NAME); - if (GSS_ERROR(ret)) - goto error_out; -- *time_rec = ts_after(cred->expire, now) ? 
-- ts_delta(cred->expire, now) : 0; -+ *time_rec = ts_interval(now, cred->expire); - k5_mutex_unlock(&cred->lock); - } - } -diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c -index 1fdb5a16f2..5469d8154c 100644 ---- a/src/lib/gssapi/krb5/context_time.c -+++ b/src/lib/gssapi/krb5/context_time.c -@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) - return(GSS_S_FAILURE); - } - -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += ctx->k5_context->clockskew; - if (lifetime <= 0) { -diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index ea87cf6432..f0f094ccb7 100644 ---- a/src/lib/gssapi/krb5/init_sec_context.c -+++ b/src/lib/gssapi/krb5/init_sec_context.c -@@ -664,7 +664,7 @@ kg_new_connection( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto cleanup; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - /* set the other returns */ -@@ -878,7 +878,7 @@ mutual_auth( - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; -- *time_rec = ts_delta(ctx->krb_times.endtime, now); -+ *time_rec = ts_interval(now, ctx->krb_times.endtime); - } - - if (ret_flags) -diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c -index cac024da1f..51c484fdfe 100644 ---- a/src/lib/gssapi/krb5/inq_context.c -+++ b/src/lib/gssapi/krb5/inq_context.c -@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, - - /* Add the maximum allowable clock skew as a grace period for context - * expiration, just as we do for the ticket during authentication. 
*/ -- lifetime = ts_delta(ctx->krb_times.endtime, now); -+ lifetime = ts_interval(now, ctx->krb_times.endtime); - if (!ctx->initiate) - lifetime += context->clockskew; - if (lifetime < 0) -diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c -index bb63b726c8..0e675959a3 100644 ---- a/src/lib/gssapi/krb5/inq_cred.c -+++ b/src/lib/gssapi/krb5/inq_cred.c -@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - } - - if (cred->expire != 0) { -- lifetime = ts_delta(cred->expire, now); -+ lifetime = ts_interval(now, cred->expire); - if (lifetime < 0) - lifetime = 0; - } -diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c -index 7dcfe4e1eb..fa7f980af7 100644 ---- a/src/lib/gssapi/krb5/s4u_gss_glue.c -+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c -@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, - if (code != 0) - goto cleanup; - -- *time_rec = ts_delta(cred->expire, now); -+ *time_rec = ts_interval(now, cred->expire); - } - - major_status = GSS_S_COMPLETE; -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index ebef37d607..1dadeef64f 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id) - - /* Setting the timeout to zero would reset the timeout, so we set it to one - * second instead if creds are already expired. */ -- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1; -+ timeout = ts_after(endtime, now) ? 
ts_interval(now, endtime) : 1; - (void)keyctl_set_timeout(data->cache_id, timeout); - } - -@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) - - if (ts_after(creds->times.endtime, now)) { - (void)keyctl_set_timeout(cred_key, -- ts_delta(creds->times.endtime, now)); -+ ts_interval(now, creds->times.endtime)); - } - - update_keyring_expiration(context, id); -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 8b5ab595e9..1b420a3ac2 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - void *expire_data; - krb5_timestamp pw_exp, acct_exp, now; - krb5_boolean is_last_req; -- krb5_deltat delta; -+ uint32_t interval; - char ts[256], banner[1024]; - - if (as_reply == NULL || as_reply->enc_part2 == NULL) -@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - ret = krb5_timeofday(context, &now); - if (ret != 0) - return; -- if (!is_last_req && -- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60)) -+ interval = ts_interval(now, pw_exp); -+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60)) - return; - - if (!prompter) -@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - if (ret != 0) - return; - -- delta = ts_delta(pw_exp, now); -- if (delta < 3600) { -+ if (interval < 3600) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in less than one hour " - "on %s"), ts); -- } else if (delta < 86400 * 2) { -+ } else if (interval < 86400 * 2) { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d hour%s on %s"), -- delta / 3600, delta < 7200 ? "" : "s", ts); -+ interval / 3600, interval < 7200 ? 
"" : "s", ts); - } else { - snprintf(banner, sizeof(banner), - _("Warning: Your password will expire in %d days on %s"), -- delta / 86400, ts); -+ interval / 86400, ts); - } - - /* PROMPTER_INVOCATION */ --- -2.38.1 - diff --git a/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch b/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch new file mode 100644 index 0000000000000000000000000000000000000000..00d2d0b0561f6a3efa0dd04c9840ad5ed3359879 --- /dev/null +++ b/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch 
@@ -0,0 +1,279 @@ +From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 15 Mar 2023 15:56:34 +0100 +Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional + +MS-PAC states that "The ticket signature SHOULD be included in tickets +that are not encrypted to the krbtgt account". However, the +implementation of krb5_kdc_verify_ticket() will require the ticket +signature to be present in case the target of the request is a service +principal. + +In gradual upgrade environments, it results in S4U2Proxy requests +against a 1.20 KDC using a service ticket generated by an older version +KDC to fail. + +This commit adds a krb5_kdc_verify_ticket_ext() function with an extra +switch parameter to tolerate the absence of ticket signature in this +scenario. If the ticket signature is present, it has to be valid, +regardless of this parameter. + +This parameter is set based on the "optional_pac_tkt_chksum" string +attribute of the TGT KDB entry. +--- + doc/admin/admin_commands/kadmin_local.rst | 6 ++++ + doc/appdev/refs/api/index.rst | 1 + + src/include/kdb.h | 1 + + src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++ + src/kdc/kdc_util.c | 32 ++++++++++++++---- + src/lib/krb5/krb/pac.c | 31 +++++++++++++++--- + src/lib/krb5/libkrb5.exports | 1 + + src/man/kadmin.man | 6 ++++ + 8 files changed, 108 insertions(+), 10 deletions(-) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 2435b3c361..58ac79549f 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -658,6 +658,12 @@ KDC: + Directory realm when using aes-sha2 keys on the local krbtgt + entry. + ++**optional_pac_tkt_chksum** ++ Boolean value defining the behavior of the KDC in case an expected ++ ticket checksum signed with one of this principal keys is not ++ present in the PAC. 
This is typically the case for TGS or ++ cross-realm TGS principals when processing S4U2Proxy requests. ++ + This command requires the **modify** privilege. + + Alias: **setstr** +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index d12be47c3c..9b95ebd0f9 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -225,6 +225,7 @@ Rarely used public interfaces + krb5_is_referral_realm.rst + krb5_kdc_sign_ticket.rst + krb5_kdc_verify_ticket.rst ++ krb5_kdc_verify_ticket_ext.rst + krb5_kt_add_entry.rst + krb5_kt_end_seq_get.rst + krb5_kt_get_entry.rst +diff --git a/src/include/kdb.h b/src/include/kdb.h +index 745b24f351..6075349e5e 100644 +--- a/src/include/kdb.h ++++ b/src/include/kdb.h +@@ -136,6 +136,7 @@ + #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" + #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" + #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" ++#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum" + + #if !defined(_WIN32) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 350bcf86f2..17e1b52266 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out); + ++/** ++ * Verify a PAC, possibly including ticket signature ++ * ++ * @param [in] context Library context ++ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC ++ * @param [in] server_princ Canonicalized name of ticket server ++ * @param [in] server Key to validate server checksum (or NULL) ++ * @param [in] privsvr Key to validate KDC checksum (or NULL) ++ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum ++ * @param [out] pac_out Verified PAC (NULL if no PAC included) ++ * ++ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a ++ * 
optional_tkt_chksum parameter allowing to tolerate the absence of the PAC ++ * ticket signature. ++ * ++ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is ++ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and ++ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt ++ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If ++ * an invalid PAC signature is found, return an error matching the Windows KDC ++ * protocol code for that condition as closely as possible. ++ * ++ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return ++ * successfully. ++ * ++ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a ++ * specific value is expected, the caller can make a separate call to ++ * krb5_pac_verify_ext() with a principal but no keys. ++ * ++ * @retval 0 Success; otherwise - Kerberos error codes ++ */ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out); ++ + /** @deprecated Use krb5_kdc_sign_ticket() instead. 
*/ + krb5_error_code KRB5_CALLCONV + krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index fe4e48209a..93415ba862 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -560,16 +560,36 @@ cleanup: + static krb5_error_code + try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_db_entry *server, krb5_keyblock *server_key, +- const krb5_keyblock *tgt_key, krb5_pac *pac_out) ++ krb5_db_entry *tgt, const krb5_keyblock *tgt_key, ++ krb5_pac *pac_out) + { + krb5_error_code ret; ++ krb5_boolean optional_tkt_chksum; ++ char *str = NULL; + krb5_keyblock *privsvr_key; + + ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key); + if (ret) + return ret; +- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key, +- privsvr_key, pac_out); ++ ++ /* Check if the absence of ticket signature is tolerated for this realm */ ++ ret = krb5_dbe_get_string(context, tgt, ++ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str); ++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not ++ * available here. 
++ */ ++ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0 ++ || strncasecmp(str, "t", 1) == 0 ++ || strncasecmp(str, "yes", 3) == 0 ++ || strncasecmp(str, "y", 1) == 0 ++ || strncasecmp(str, "1", 1) == 0 ++ || strncasecmp(str, "on", 2) == 0); ++ ++ krb5_dbe_free_string(context, str); ++ ++ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ, ++ server_key, privsvr_key, ++ optional_tkt_chksum, pac_out); + krb5_free_keyblock(context, privsvr_key); + return ret; + } +@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + server_key, NULL, pac_out); + } + +- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key, ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key, + pac_out); + if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE) + return ret; +@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL); + if (ret) + return ret; +- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key, +- pac_out); ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, ++ &old_key, pac_out); + krb5_free_keyblock_contents(context, &old_key); + if (!ret) + return 0; +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 5d1fdf1ba0..0c0e2ada68 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_const_principal server_princ, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out) ++{ ++ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server, ++ privsvr, FALSE, pac_out); ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ 
const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out) + { + krb5_error_code ret; + krb5_pac pac = NULL; +@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL; + uint8_t z = 0; + krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; +- krb5_boolean is_service_tkt; ++ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE; + size_t i, j; + + *pac_out = NULL; +@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + + ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr, + KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (!optional_tkt_chksum) ++ goto cleanup; ++ else if (ret != ENOENT) ++ goto cleanup; ++ /* Otherwise ticket signature is absent but optional. Proceed... */ ++ } else { ++ has_tkt_chksum = TRUE; ++ } + } ++ /* Else, we make the assumption the ticket signature is absent in case this ++ * is not a service ticket. ++ */ + +- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); ++ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr); + if (ret) + goto cleanup; + +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index 4c50e935a2..d4b0455c8c 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -463,6 +463,7 @@ krb5_is_thread_safe + krb5_kdc_rep_decrypt_proc + krb5_kdc_sign_ticket + krb5_kdc_verify_ticket ++krb5_kdc_verify_ticket_ext + krb5_kt_add_entry + krb5_kt_client_default + krb5_kt_close +diff --git a/src/man/kadmin.man b/src/man/kadmin.man +index 461207021b..e8d78309cb 100644 +--- a/src/man/kadmin.man ++++ b/src/man/kadmin.man +@@ -724,6 +724,12 @@ encryption type. 
It may be necessary to set this value to + "aes256\-sha1" on the cross\-realm krbtgt entry for an Active + Directory realm when using aes\-sha2 keys on the local krbtgt + entry. ++.TP ++\fBoptional_pac_tkt_chksum\fP ++Boolean value defining the behavior of the KDC in case an expected ticket ++checksum signed with one of this principal keys is not present in the PAC. This ++is typically the case for TGS or cross-realm TGS principals when processing ++S4U2Proxy requests. + .UNINDENT + .sp + This command requires the \fBmodify\fP privilege. +-- +2.41.0 + diff --git a/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba2c6af70d849a7288eb4b626cc288065b357b7b --- /dev/null +++ b/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch 
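Review bot: The optional_pac_tkt_chksum parsing in try_verify_pac (kdc_util.c hunk) uses strncasecmp bounded by the literal's length, so it is a prefix match: any value starting with "t", "y", "1" or "on" enables the relaxation, and the "true"/"yes" tests are subsumed by the "t"/"y" ones. Because a true value drops the ticket-signature requirement for every service ticket verified against this TGT entry, an unintended spelling should fail closed; the accepted spellings are the ones the TODO's _krb5_conf_boolean takes, but that routine compares whole strings, so an exact comparison as below is the safer stand-in. A non-zero return from krb5_dbe_get_string other than a missing attribute is also folded into FALSE here, which is a fail-closed default but deserves a one-line comment saying so. Separately, the krb5.hin docstring has `@paran [in] optional_tkt_chksum`, which Doxygen will not recognise; it should read `@param`.
```c
    /* Exact-match the accepted spellings; a prefix match would let an
     * unintended value switch off the ticket-signature requirement. */
    optional_tkt_chksum = !ret && str != NULL &&
        (strcasecmp(str, "true") == 0 || strcasecmp(str, "t") == 0 ||
         strcasecmp(str, "yes") == 0 || strcasecmp(str, "y") == 0 ||
         strcmp(str, "1") == 0 || strcasecmp(str, "on") == 0);
    /* … unchanged: krb5_dbe_free_string, krb5_kdc_verify_ticket_ext call … */
```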
@@ -0,0 +1,47 @@
+From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Tue, 23 May 2023 12:19:54 +0200
+Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
+ available in FIPS mode
+
+We recommend using the SHA1 crypto-module in order to allow the
+verification of SHA-1 signature for CMS messages. However, this module
+does not work in FIPS mode, because the SHA-1 algorithm is absent from
+the OpenSSL FIPS provider.
+
+This commit enables the signature verification process to fetch the
+algorithm from a non-FIPS OpenSSL provider.
+
+Support for SHA-1 CMS signature is still required, especially in order
+to interoperate with Active Directory. At least it is until elliptic
+curve cryptography is implemented for PKINIT in MIT krb5.
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index f41328763e..263ef7845e 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
+ if (oid == NULL)
+ goto cleanup;
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
++ * allowing SHA-1 signature verification using the SHA1 crypto-module
++ */
++ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
++ if (!cms)
++ goto cleanup;
++#endif
++
+ /* decode received CMS message */
+- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
++ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
+ retval = oerr(context, 0, _("Failed to decode CMS message"));
+ goto cleanup;
+ }
+--
+2.41.0
+
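Review bot: The "-fips" property query given to CMS_ContentInfo_new_ex lifts the fips=yes default for every algorithm fetched through this CMS object — the signature algorithm and content digests as well as SHA-1 — so in FIPS mode the whole of cms_signeddata_verify may run on non-validated implementations, and the comment above the call should state that scope, e.g. `/* "-fips" relaxes the fips=yes default property for all fetches made through this CMS object, not only SHA-1; needed so SHA-1-signed CMS (e.g. from Active Directory) verifies in FIPS mode. */`. Since d2i_CMS_ContentInfo now decodes into a pre-allocated object, the cleanup path should be re-checked against OpenSSL's behaviour on a failed decode of a caller-supplied object (it may free that object and reset the pointer); the `cms` declaration and the cleanup label lie outside this hunk, so that cannot be confirmed from here. The rest of cms_signeddata_verify is also outside the hunk.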
diff --git a/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch b/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
new file mode 100644
index 0000000000000000000000000000000000000000..717eb43c136a62d220d9372127dd70d5a5c0163b
--- /dev/null
+++ b/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
@@ -0,0 +1,218 @@ +From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 30 May 2023 01:21:48 -0400 +Subject: [PATCH] Enable PKINIT if at least one group is available + +OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman +group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL +does not know about MODP group 2 (1024-bit), which is considered as a +custom group. As a consequence, the PKINIT kdcpreauth module fails to +load in FIPS mode. + +Allow initialization of PKINIT plugin if at least one of the MODP +well-known group parameters successfully decodes. + +[ghudson@mit.edu: minor commit message and code edits] + +ticket: 9096 (new) +(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a) +--- + src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- + src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +- + .../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++-------- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + src/plugins/preauth/pkinit/pkinit_trace.h | 3 + + 5 files changed, 51 insertions(+), 35 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 725d5bc438..ea9ba454df 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context, + if (retval) + goto errout; + +- retval = pkinit_init_plg_crypto(&ctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 9fa315d7a0..8bdbea8e95 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data { + /* + * Functions to initialize and cleanup crypto contexts + */ +-krb5_error_code 
pkinit_init_plg_crypto(pkinit_plg_crypto_context *); ++krb5_error_code pkinit_init_plg_crypto(krb5_context, ++ pkinit_plg_crypto_context *); + void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); + + krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 263ef7845e..d646073d55 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -47,7 +47,8 @@ + static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context ); + static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ); + +-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context ); ++static krb5_error_code pkinit_init_dh_params(krb5_context, ++ pkinit_plg_crypto_context); + static void pkinit_fini_dh_params(pkinit_plg_crypto_context ); + + static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx); +@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx, + } + + krb5_error_code +-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) ++pkinit_init_plg_crypto(krb5_context context, ++ pkinit_plg_crypto_context *cryptoctx) + { + krb5_error_code retval = ENOMEM; + pkinit_plg_crypto_context ctx = NULL; +@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) + if (retval) + goto out; + +- retval = pkinit_init_dh_params(ctx); ++ retval = pkinit_init_dh_params(context, ctx); + if (retval) + goto out; + +@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) + ASN1_OBJECT_free(ctx->id_kp_serverAuth); + } + +-static krb5_error_code +-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx) ++static int ++try_import_group(krb5_context context, const krb5_data *params, ++ const char *name, EVP_PKEY **pkey_out) + { +- krb5_error_code retval = ENOMEM; +- +- plgctx->dh_1024 
= decode_dh_params(&oakley_1024); +- if (plgctx->dh_1024 == NULL) +- goto cleanup; +- +- plgctx->dh_2048 = decode_dh_params(&oakley_2048); +- if (plgctx->dh_2048 == NULL) +- goto cleanup; ++ *pkey_out = decode_dh_params(params); ++ if (*pkey_out == NULL) ++ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name); ++ return (*pkey_out != NULL) ? 1 : 0; ++} + +- plgctx->dh_4096 = decode_dh_params(&oakley_4096); +- if (plgctx->dh_4096 == NULL) +- goto cleanup; ++static krb5_error_code ++pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx) ++{ ++ int n = 0; + +- retval = 0; ++ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)", ++ &plgctx->dh_1024); ++ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)", ++ &plgctx->dh_2048); ++ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)", ++ &plgctx->dh_4096); + +-cleanup: +- if (retval) ++ if (n == 0) { + pkinit_fini_dh_params(plgctx); ++ k5_setmsg(context, ENOMEM, ++ _("PKINIT cannot initialize any key exchange groups")); ++ return ENOMEM; ++ } + +- return retval; ++ return 0; + } + + static void +@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context, + + if (cryptoctx->received_params != NULL) + params = cryptoctx->received_params; +- else if (dh_size == 1024) ++ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024) + params = plg_cryptoctx->dh_1024; +- else if (dh_size == 2048) ++ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048) + params = plg_cryptoctx->dh_2048; +- else if (dh_size == 4096) ++ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096) + params = plg_cryptoctx->dh_4096; + else + goto cleanup; +@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context, + krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; + krb5_algorithm_identifier *alglist[4]; + +- if (opts->dh_min_bits > 4096) { +- ret = KRB5KRB_ERR_GENERIC; +- goto cleanup; +- } +- + i = 0; +- if (opts->dh_min_bits <= 2048) ++ if 
(plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048) + alglist[i++] = &alg_2048; +- alglist[i++] = &alg_4096; +- if (opts->dh_min_bits <= 1024) ++ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096) ++ alglist[i++] = &alg_4096; ++ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024) + alglist[i++] = &alg_1024; + alglist[i] = NULL; + ++ if (i == 0) { ++ ret = KRB5KRB_ERR_GENERIC; ++ k5_setmsg(context, ret, ++ _("OpenSSL has no supported key exchange groups for " ++ "pkinit_dh_min_bits=%d"), opts->dh_min_bits); ++ goto cleanup; ++ } ++ + ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist); + if (ret) + goto cleanup; +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 1b3bf6d4d0..768a4e559f 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname, + goto errout; + plgctx->realmname_len = strlen(plgctx->realmname); + +- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 259e95c6c2..5ee39c085c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -90,6 +90,9 @@ + #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \ + TRACE(c, "PKINIT client trying again with KDC-provided parameters") + ++#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \ ++ TRACE(c, "PKINIT key exchange group {str} unsupported", name) ++ + #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ + TRACE(c, "PKINIT OpenSSL error: {str}", msg) + +-- +2.41.0 + 
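Review bot: pkinit_init_dh_params now returns ENOMEM when none of the three MODP groups decodes, which callers and logs will read as an allocation failure even though the k5_setmsg text explains the real cause, and pkinit_init_plg_crypto propagates that code unchanged. Either return KRB5KRB_ERR_GENERIC, as pkinit_create_td_dh_parameters does in the same patch for its own "no usable group" condition, or keep ENOMEM with a comment above the return such as `/* No well-known group decoded (e.g. all rejected in FIPS mode); ENOMEM kept for compatibility with the previous failure code. */`. In try_import_group, `return (*pkey_out != NULL) ? 1 : 0;` can simply be `return *pkey_out != NULL;`. The client_create_dh and pkinit_create_td_dh_parameters hunks show only part of those functions.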
diff --git a/0015-Replace-ssl.wrap_socket-for-tests.patch b/0015-Replace-ssl.wrap_socket-for-tests.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d5eb3f4c3561c0a3692b71f31821591d4b911dac
--- /dev/null
+++ b/0015-Replace-ssl.wrap_socket-for-tests.patch
@@ -0,0 +1,64 @@ +From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 19 Jul 2023 13:43:17 +0200 +Subject: [PATCH] Replace ssl.wrap_socket() for tests + +The ssl.wrap_socket() function was deprecated in Python 3.7 and is +removed in Python 3.12. The ssl.SSLContext.wrap_socket() method +replaces it. + +Bump the required Python version for tests to 3.4 for +ssl.create_default_context(). + +[ghudson@mit.edu: changed minimum Python version] + +(cherry picked from commit 0ceab6c363e65fb21d3312a663f2b9b569ecc415) +--- + src/configure.ac | 9 ++++----- + src/util/wsgiref-kdcproxy.py | 4 +++- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/configure.ac b/src/configure.ac +index 2561e917a2..487f393146 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1157,10 +1157,9 @@ AC_SUBST(PKINIT) + # for lib/apputils + AC_REPLACE_FUNCS(daemon) + +-# For Python tests. Python version 3.2.4 is required as prior +-# versions do not accept string input to subprocess.Popen.communicate +-# when universal_newlines is set. +-PYTHON_MINVERSION=3.2.4 ++# For Python tests. Python version 3.4 is required for ++# ssl.create_default_context(). 
++PYTHON_MINVERSION=3.4 + AC_SUBST(PYTHON_MINVERSION) + AC_CHECK_PROG(PYTHON,python3,python3) + if test x"$PYTHON" = x; then +@@ -1168,7 +1167,7 @@ if test x"$PYTHON" = x; then + fi + HAVE_PYTHON=no + if test x"$PYTHON" != x; then +- wantver="(sys.hexversion >= 0x30204F0)" ++ wantver="(sys.hexversion >= 0x30400F0)" + if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then + HAVE_PYTHON=yes + fi +diff --git a/src/util/wsgiref-kdcproxy.py b/src/util/wsgiref-kdcproxy.py +index 58759696b6..d1d10d733c 100755 +--- a/src/util/wsgiref-kdcproxy.py ++++ b/src/util/wsgiref-kdcproxy.py +@@ -14,6 +14,8 @@ else: + pem = '*' + + server = make_server('localhost', port, kdcproxy.Application()) +-server.socket = ssl.wrap_socket(server.socket, certfile=pem, server_side=True) ++sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH) ++sslctx.load_cert_chain(certfile=pem) ++server.socket = sslctx.wrap_socket(server.socket, server_side=True) + os.write(sys.stdout.fileno(), b'proxy server ready\n') + server.serve_forever() +-- +2.41.0 + diff --git a/0017-Add-PAC-full-checksums.patch b/0017-Add-PAC-full-checksums.patch deleted file mode 100644 index f0a20f6429e00e51a61a7a6db0b52cbce9b1f967..0000000000000000000000000000000000000000 --- a/0017-Add-PAC-full-checksums.patch +++ /dev/null 
@@ -1,672 +0,0 @@ -From 5801da1ddc3b0984ad6997bb7a692eac85ff7dd3 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 22 Dec 2022 03:05:23 -0500 -Subject: [PATCH] Add PAC full checksums - -A paper by Tom Tervoort noted that computing the PAC privsvr checksum -over only the server checksum is vulnerable to collision attacks -(CVE-2022-37967). In response, Microsoft has added a second KDC -checksum over the full contents of the PAC. Generate and verify full -KDC checksums in PACs for service tickets. Update the t_pac.c ticket -test case to use a ticket issued by a recent version of Active -Directory (provided by Stefan Metzmacher). - -ticket: 9084 (new) ---- - doc/appdev/refs/macros/index.rst | 1 + - src/include/krb5/krb5.hin | 1 + - src/lib/krb5/krb/pac.c | 92 +++++++++-------- - src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++----------- - src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++------------- - src/tests/t_authdata.py | 4 +- - 6 files changed, 240 insertions(+), 175 deletions(-) - -diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 5f34dea5e8..3eeee25593 100644 ---- a/doc/appdev/refs/macros/index.rst -+++ b/doc/appdev/refs/macros/index.rst -@@ -247,6 +247,7 @@ Public - KRB5_PAC_SERVER_CHECKSUM.rst - KRB5_PAC_TICKET_CHECKSUM.rst - KRB5_PAC_UPN_DNS_INFO.rst -+ KRB5_PAC_FULL_CHECKSUM.rst - KRB5_PADATA_AFS3_SALT.rst - KRB5_PADATA_AP_REQ.rst - KRB5_PADATA_AS_CHECKSUM.rst -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index fb9f2a366c..2ba4010514 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context, - #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ - #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ - #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ -+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */ - - struct krb5_pac_data; - /** PAC data structure to convey 
authorization information */ -diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c -index f6c4373de0..954482e0c7 100644 ---- a/src/lib/krb5/krb/pac.c -+++ b/src/lib/krb5/krb/pac.c -@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type, - size_t i; - - assert(type == KRB5_PAC_SERVER_CHECKSUM || -- type == KRB5_PAC_PRIVSVR_CHECKSUM); -+ type == KRB5_PAC_PRIVSVR_CHECKSUM || -+ type == KRB5_PAC_FULL_CHECKSUM); - assert(data->length >= pac->data.length); - - for (i = 0; i < pac->pac->cBuffers; i++) { -@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type, - } - - static krb5_error_code --verify_server_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *server) -+verify_pac_checksums(krb5_context context, const krb5_pac pac, -+ krb5_boolean expect_full_checksum, -+ const krb5_keyblock *server, const krb5_keyblock *privsvr) - { - krb5_error_code ret; -- krb5_data copy; /* PAC with zeroed checksums */ -+ krb5_data copy, server_checksum; - -+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */ - ret = krb5int_copy_data_contents(context, &pac->data, ©); - if (ret) - return ret; -- -- /* Zero out both checksum buffers */ - ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©); - if (ret) - goto cleanup; -@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac, - if (ret) - goto cleanup; - -- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (server != NULL) { -+ /* Verify the server checksum over the PAC copy. 
*/ -+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ } - --cleanup: -- free(copy.data); -- return ret; --} -+ if (privsvr != NULL && expect_full_checksum) { -+ /* Zero the full checksum buffer in the copy and verify the full -+ * checksum over the copy with all three checksums zeroed. */ -+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©); -+ if (ret) -+ goto cleanup; -+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©); -+ if (ret) -+ goto cleanup; -+ } - --static krb5_error_code --verify_kdc_checksum(krb5_context context, const krb5_pac pac, -- const krb5_keyblock *privsvr) --{ -- krb5_error_code ret; -- krb5_data server_checksum; -+ if (privsvr != NULL) { -+ /* Verify the privsvr checksum over the server checksum. */ -+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ &server_checksum); -+ if (ret) -+ return ret; -+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -+ return KRB5_BAD_MSIZE; -+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; - -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_checksum); -- if (ret) -- return ret; -- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) -- return KRB5_BAD_MSIZE; -- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; -- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; -+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+ if (ret) -+ goto cleanup; -+ } -+ -+ pac->verified = TRUE; - -- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr, -- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum); -+cleanup: -+ free(copy.data); -+ return ret; - } - - /* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals -@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context 
context, const krb5_enc_tkt_part *enc_tkt, - krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL; - uint8_t z = 0; - krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; -+ krb5_boolean is_service_tkt; - size_t i, j; - - *pac_out = NULL; -@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - if (ret) - goto cleanup; - -- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (privsvr != NULL && is_service_tkt) { - /* To check the PAC ticket signatures, re-encode the ticket with the - * PAC contents replaced by a single zero. */ - orig = ifrel[j]; -@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL, -- server, privsvr, FALSE); -+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); -+ if (ret) -+ goto cleanup; - - *pac_out = pac; - pac = NULL; -@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context, - { - krb5_error_code ret; - -- if (server != NULL) { -- ret = verify_server_checksum(context, pac, server); -- if (ret != 0) -- return ret; -- } -- -- if (privsvr != NULL) { -- ret = verify_kdc_checksum(context, pac, privsvr); -+ if (server != NULL || privsvr != NULL) { -+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr); - if (ret != 0) - return ret; - } -@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context, - return ret; - } - -- pac->verified = TRUE; -- - return 0; - } - -diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c -index 0f9581abbb..8ea61ac17b 100644 ---- a/src/lib/krb5/krb/pac_sign.c -+++ b/src/lib/krb5/krb/pac_sign.c -@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) - return 0; - } - --krb5_error_code KRB5_CALLCONV 
--krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_data *data) -+/* Find the buffer of type buftype in pac and write within it a checksum of -+ * type cksumtype over data. Set *cksum_out to the checksum. */ -+static krb5_error_code -+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype, -+ const krb5_keyblock *key, krb5_cksumtype cksumtype, -+ const krb5_data *data, krb5_data *cksum_out) - { -- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key, -- privsvr_key, FALSE, data); -+ krb5_error_code ret; -+ krb5_data buf; -+ krb5_crypto_iov iov[2]; -+ -+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf); -+ if (ret) -+ return ret; -+ -+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH); -+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH, -+ buf.length - PAC_SIGNATURE_DATA_LENGTH); -+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[0].data = *data; -+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -+ iov[1].data = *cksum_out; -+ return krb5_c_make_checksum_iov(context, cksumtype, key, -+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2); - } - --krb5_error_code KRB5_CALLCONV --krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -- krb5_const_principal principal, -- const krb5_keyblock *server_key, -- const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -- krb5_data *data) -+static krb5_error_code -+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_boolean is_service_tkt, krb5_data *data) - { - krb5_error_code ret; -- krb5_data server_cksum, privsvr_cksum; -+ krb5_data full_cksum, server_cksum, privsvr_cksum; - krb5_cksumtype server_cksumtype, privsvr_cksumtype; -- krb5_crypto_iov iov[2]; - - data->length = 0; - 
data->data = NULL; -@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - if (principal != NULL) { - ret = k5_insert_client_info(context, pac, authtime, principal, - with_realm); -- if (ret != 0) -+ if (ret) - return ret; - } - -- /* Create zeroed buffers for both checksums */ -+ /* Create zeroed buffers for all checksums. */ - ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, - server_key, &server_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -- - ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, - privsvr_key, &privsvr_cksumtype); -- if (ret != 0) -+ if (ret) - return ret; -+ if (is_service_tkt) { -+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, &privsvr_cksumtype); -+ if (ret) -+ return ret; -+ } - -- /* Now, encode the PAC header so that the checksums will include it */ -+ /* Encode the PAC header so that the checksums will include it. */ - ret = k5_pac_encode_header(context, pac); -- if (ret != 0) -- return ret; -- -- /* Generate the server checksum over the entire PAC */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM, -- &server_cksum); -- if (ret != 0) -+ if (ret) - return ret; - -- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data = pac->data; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -+ if (is_service_tkt) { -+ /* Generate a full KDC checksum over the whole PAC. 
*/ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, -+ &pac->data, &full_cksum); -+ if (ret) -+ return ret; -+ } - -- ret = krb5_c_make_checksum_iov(context, server_cksumtype, -- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ /* Generate the server checksum over the whole PAC, including the full KDC -+ * checksum if we added one. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, -+ server_key, server_cksumtype, &pac->data, -+ &server_cksum); -+ if (ret) - return ret; - -- /* Generate the privsvr checksum over the server checksum buffer */ -- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ /* Generate the privsvr checksum over the server checksum buffer. */ -+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, -+ privsvr_key, privsvr_cksumtype, &server_cksum, - &privsvr_cksum); -- if (ret != 0) -- return ret; -- -- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH); -- -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM; -- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH; -- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH; -- -- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype, -- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, -- iov, sizeof(iov)/sizeof(iov[0])); -- if (ret != 0) -+ if (ret) - return ret; - - data->data = k5memdup(pac->data.data, pac->data.length, &ret); -@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - return 0; - } - -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, const krb5_keyblock *server_key, -+ const 
krb5_keyblock *privsvr_key, krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, -+ privsvr_key, FALSE, FALSE, data); -+} -+ -+krb5_error_code KRB5_CALLCONV -+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, -+ krb5_const_principal principal, -+ const krb5_keyblock *server_key, -+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm, -+ krb5_data *data) -+{ -+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key, -+ with_realm, FALSE, data); -+} -+ - /* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be - * encoded with a dummy PAC authdata element containing a single zero byte. */ - static krb5_error_code -@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - krb5_error_code ret; - krb5_data *der_enc_tkt = NULL, pac_data = empty_data(); - krb5_authdata **list, *pac_ad; -+ krb5_boolean is_service_tkt; - size_t count; - - /* Reallocate space for another authdata element in enc_tkt. 
*/ -@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - memmove(list + 1, list, (count + 1) * sizeof(*list)); - list[0] = pac_ad; - -- if (k5_pac_should_have_ticket_signature(server_princ)) { -+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ); -+ if (is_service_tkt) { - ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt); - if (ret) - goto cleanup; -@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, - goto cleanup; - } - -- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime, -- client_princ, server, privsvr, with_realm, -- &pac_data); -+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server, -+ privsvr, with_realm, is_service_tkt, &pac_data); - if (ret) - goto cleanup; - -diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c -index 173bde7bab..81f1642ab0 100644 ---- a/src/lib/krb5/krb/t_pac.c -+++ b/src/lib/krb5/krb/t_pac.c -@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata, - - static const krb5_keyblock ticket_sig_krbtgt_key = { - 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84" -- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7") -+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E" -+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F") - }; - - static const krb5_keyblock ticket_sig_server_key = { -- 0, ENCTYPE_ARCFOUR_HMAC, -- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e") -+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1" -+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE") - }; - -+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing -+ * a PAC with a full checksum. 
*/ - static const krb5_data ticket_data = { -- .length = 972, .data = -- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B" -- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02" -- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82" -- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C" -- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77" -- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08" -- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F" -- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1" -- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65" -- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC" -- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7" -- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4" -- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5" -- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6" -- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06" -- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02" -- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49" -- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD" -- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE" -- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26" -- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D" -- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29" -- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD" -- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52" -- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28" -- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20" -- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28" -- 
"\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39" -- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB" -- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A" -- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E" -- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86" -- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C" -- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A" -- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF" -- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B" -- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87" -- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E" -- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2" -- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6" -- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC" -- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE" -- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9" -- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77" -- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA" -- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7" -- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB" -- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22" -- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F" -- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39" -- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1" -- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D" -- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3" -- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3" -- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A" -- 
"\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D" -- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB" -- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20" -- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5" -- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B" -- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1" -+ .length = 1307, .data = -+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B" -+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A" -+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66" -+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30" -+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82" -+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB" -+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69" -+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5" -+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99" -+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC" -+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9" -+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68" -+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14" -+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA" -+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8" -+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83" -+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E" -+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED" -+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96" -+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32" -+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED" -+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B" -+ 
"\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA" -+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F" -+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98" -+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05" -+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E" -+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8" -+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7" -+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96" -+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC" -+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11" -+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94" -+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89" -+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7" -+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE" -+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D" -+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29" -+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4" -+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8" -+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55" -+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54" -+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F" -+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1" -+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B" -+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2" -+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22" -+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1" -+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B" -+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE" -+ 
"\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A" -+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4" -+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B" -+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1" -+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1" -+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95" -+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8" -+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6" -+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56" -+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30" -+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38" -+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15" -+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08" -+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA" -+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65" -+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40" -+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29" -+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E" -+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26" -+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C" -+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01" -+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85" -+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10" -+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70" -+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44" -+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA" -+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24" -+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B" -+ 
"\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B" -+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A" -+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09" -+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6" - }; - - static void -@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context) - { - krb5_error_code ret; - krb5_ticket *ticket; -- krb5_principal sprinc; -+ krb5_principal cprinc, sprinc; - krb5_authdata **authdata1, **authdata2; - krb5_pac pac, pac2, pac3; - uint32_t *list; -@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context) - if (ret) - err(context, ret, "while decrypting ticket"); - -- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc); -+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc); -+ if (ret) -+ err(context, ret, "krb5_parse_name"); -+ -+ ret = krb5_parse_name(context, -+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE", -+ &sprinc); - if (ret) - err(context, ret, "krb5_parse_name"); - -@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context) - - /* In this test, the server is also the client. 
*/ - ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime, -- ticket->server, NULL, NULL); -+ cprinc, NULL, NULL); - if (ret) - err(context, ret, "while verifying PAC client info"); - -@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context) - ticket->enc_part2->authorization_data = NULL; - - ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc, -- sprinc, &ticket_sig_server_key, -+ cprinc, &ticket_sig_server_key, - &ticket_sig_krbtgt_key, FALSE); - if (ret) - err(context, ret, "while signing ticket"); -@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context) - krb5_pac_free(context, pac); - krb5_pac_free(context, pac2); - krb5_pac_free(context, pac3); -+ krb5_free_principal(context, cprinc); - krb5_free_principal(context, sprinc); - krb5_free_ticket(context, ticket); - } -diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 47ea9e4b47..e934799268 100644 ---- a/src/tests/t_authdata.py -+++ b/src/tests/t_authdata.py -@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf) - # container. - mark('baseline authdata') - out = realm.run(['./adata', realm.host_princ]) --if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out: -+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out: - fail('expected authdata not seen for basic request') - - # Requested authdata is copied into the ticket, with KDC-only types -@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2']) - if '+97: [indcl]' not in out or '[inds1]' in out: - fail('correct auth-indicator not seen for S4U2Proxy req') - # Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included. --if '?128: [1, 6, 7, 10, 11, 16]' not in out: -+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out: - fail('PAC with delegation info not seen for S4U2Proxy req') - - # Get another S4U2Proxy ticket including request-authdata. --- -2.39.1 - 
diff --git a/README.md b/README.md deleted file mode 100644 index 7342728d557c602f51c6d278bba9f3dd9faaf356..0000000000000000000000000000000000000000 --- a/README.md +++ /dev/null @@ -1,11 +0,0 @@ -Anolis OS -======================================= -# 代码仓库说明 -## 分支说明 ->进行代码开发工作时,请注意选择当前版本对应的分支 -* aX分支为对应大版本的主分支,如a8分支对应当前最新版本 -* aX.Y分支为对应小版本的维护分支,如a8.2分支对应8.2版本 -## 开发流程 -1. 首先fork目标分支到自己的namespace -2. 在自己的fork分支上做出修改 -3. 向对应的仓库中提交merge request,源分支为fork分支 diff --git a/krb5-1.20.2.tar.gz b/krb5-1.21.1.tar.gz similarity index 52% rename from krb5-1.20.2.tar.gz rename to krb5-1.21.1.tar.gz index 10cac7806cf91f735e92e9f50ed4a9b2b5505b63..8620787b8e42879a3544b642bd83bab38448b117 100644 Binary files a/krb5-1.20.2.tar.gz and b/krb5-1.21.1.tar.gz differ diff --git a/krb5-1.21.1.tar.gz.asc b/krb5-1.21.1.tar.gz.asc new file mode 100644 index 0000000000000000000000000000000000000000..e137e353eea77b9e97651379454c62c75fd40a68 --- /dev/null +++ b/krb5-1.21.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D +ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g +qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8 +M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN +H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv +s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3 +OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6 +RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV +piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J ++i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX +tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ +7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE= +=AIvQ +-----END PGP SIGNATURE----- diff --git a/krb5-tests b/krb5-tests index cbbb302f7c463ca37e16cd77332619f265bd40d2..beaeb2bd552b3e5c5bdf322e61cba8baa6c5d44e 100644 --- a/krb5-tests +++ b/krb5-tests 
@@ -5,10 +5,13 @@ export RPM_PACKAGE_NAME={{ name }} export RPM_PACKAGE_VERSION={{ version }} export RPM_PACKAGE_RELEASE={{ release }} export RPM_ARCH={{ arch }} +export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)" testdir="$(mktemp -d)" trap "rm -rf ${testdir}" EXIT +build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")" + cp -rp /usr/share/{{ name }}-tests "${testdir}/" -make -C "${testdir}/{{ name }}-tests" $(rpm --eval '%{_smp_mflags}') +make -C "${testdir}/{{ name }}-tests" $build_flags keyctl session - make -C "${testdir}/{{ name }}-tests" check diff --git a/krb5.spec b/krb5.spec index 03fefa4f8153e4f3cf0579e570967ca64a86777d..162d8f727d3c8accc0f0176de98330cdbffd9f74 100644 --- a/krb5.spec +++ b/krb5.spec 
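Review bot: `build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"` pushes the macro's expansion through `eval`, presumably because `%{_smp_mflags}` can itself contain a `$(…)` substitution on some rpm versions; since the script now exports `RPM_BUILD_NCPUS` on the line just above, the same result without a double shell expansion of macro output is `make -C "${testdir}/{{ name }}-tests" -j"$RPM_BUILD_NCPUS"`, and the `build_flags` line can go. If the eval is kept deliberately, a comment such as `# eval: _smp_mflags may expand to -j$(getconf …) and needs a second pass` would explain it to the next reader. `$build_flags` is also left unquoted on the make line, which is presumably intentional (word-splitting several flags); a short comment saying so would prevent a later quoting "fix" from breaking the build.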
@@ -8,16 +8,37 @@ %global configure_default_ccache_name 1 %global configured_default_ccache_name KEYRING:persistent:%%{uid} +# This should be e.g. beta1 or %%nil +%global pre_release %nil + +%global krb5_release %{anolis_release} +%if "x%{?pre_release}" != "x" +%global krb5_release 0.%{anolis_release}.%{pre_release} +%global krb5_pre_release -%{pre_release} +%endif + +%global krb5_version_major 1 +%global krb5_version_minor 21 +# For a release without a patch number set to %%nil +%global krb5_version_patch 1 + +%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor} +%global krb5_version %{krb5_version_major_minor} +%if "x%{?krb5_version_patch}" != "x" +%global krb5_version %{krb5_version_major_minor}.%{krb5_version_patch} +%endif + # Should be in form 5.0, 6.1, etc. %global kdbversion 9.0 Summary: The Kerberos network authentication system Name: krb5 -Version: 1.20.2 -Release: %{anolis_release}%{?dist} +Version: %{krb5_version} +Release: %{krb5_release}%{?dist} # rharwood has trust path to signing key and verifies on check-in -Source0: https://web.mit.edu/kerberos/dist/krb5/1.20/krb5-%{version}.tar.gz +Source0: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc Source2: kprop.service Source3: kadmin.service 
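Review bot: Source1 adds the detached signature krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc, but nothing in this spec verifies it: %prep (in a later hunk) runs only `%autosetup -p1 -n %{name}-%{version}`, and there is no `BuildRequires: gnupg2` or `%{gpgverify}` call, so the .asc is carried in the SRPM without ever being checked at build time and the only verification remains the human one described in the comment above Source0. If build-time verification is the intent, ship the upstream signing key as another Source and open %prep with `%{gpgverify} --keyring=%{SOURCE<keyring-number>} --signature=%{SOURCE1} --data=%{SOURCE0}`; otherwise a comment on Source1 such as `# shipped for reference only; not verified at build time` avoids giving the impression that it is. Either way, the choice should be visible in the spec rather than implied by the file's presence.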
@@ -34,22 +55,21 @@ Source13: kadmind.logrotate Source14: krb5-krb5kdc.conf Source15: %{name}-tests -Patch0: 0000-add-ldflags-to-shared-libs.patch -Patch1: 0001-downstream-ksu-pam-integration.patch -Patch2: 0002-downstream-SELinux-integration.patch -Patch3: 0003-downstream-fix-debuginfo-with-y.tab.c.patch -Patch4: 0004-downstream-Remove-3des-support.patch -Patch5: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch6: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch -Patch7: 0007-Add-configure-variable-for-default-PKCS-11-module.patch -Patch8: 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch -Patch9: 0009-Simplify-plugin-loading-code.patch -Patch12: 0012-Add-and-use-ts_interval-helper.patch -Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch -Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch -Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch -Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch -Patch17: 0017-Add-PAC-full-checksums.patch +Patch0001: 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch +Patch0002: 0002-downstream-ksu-pam-integration.patch +Patch0003: 0003-downstream-SELinux-integration.patch +Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch +Patch0005: 0005-downstream-Remove-3des-support.patch +Patch0006: 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch0007: 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +Patch0008: 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +Patch0009: 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch +Patch0010: 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch +Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch +Patch0014: 
0014-Enable-PKINIT-if-at-least-one-group-is-available.patch +Patch0015: 0015-Replace-ssl.wrap_socket-for-tests.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -62,11 +82,15 @@ BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8 BuildRequires: libselinux-devel BuildRequires: pam-devel BuildRequires: systemd-units +BuildRequires: tcl-devel BuildRequires: libverto-devel BuildRequires: openldap-devel BuildRequires: lmdb-devel BuildRequires: perl-interpreter +# For autosetup +BuildRequires: git + # Need KDFs. This is the "real" version BuildRequires: openssl-devel >= 1:3.0.0 @@ -98,7 +122,7 @@ to install this package. %package libs Summary: The non-admin shared libraries used by Kerberos 5 -Requires: openssl-libs >= %{installed_version_of openssl-libs} +Requires: openssl-libs >= 1:3.0.0 Requires: coreutils, gawk, sed Requires: keyutils-libs >= 1.5.8 Requires: /etc/crypto-policies/back-ends/krb5.config @@ -125,8 +149,8 @@ Requires(preun): systemd-units Requires(postun): systemd-units # we drop files in its directory, but we don't want to own that directory Requires: logrotate -# we specify /usr/share/dict/words as the default dict_file in kdc.conf -Requires: /usr/share/dict/words +# we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf +Requires: words # for run-time, and for parts of the test suite BuildRequires: libverto-module-base Requires: libverto-module-base @@ -201,7 +225,7 @@ Requires: lmdb-devel Requires: openldap-devel Requires: pam-devel Requires: system-rpm-config -Requires: openssl-devel >= %{installed_version_of openssl-devel} +Requires: openssl-devel >= 1:3.0.0 # Test dependencies Requires: dejagnu @@ -218,7 +242,7 @@ Requires: python3-kdcproxy Requires: python3-pyrad Requires: resolv_wrapper Requires: /etc/crypto-policies/back-ends/krb5.config -Requires: /usr/share/dict/words +Requires: words #Requires: openldap-servers, openldap-clients %description tests 
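Review bot: The patch list drops 0000-add-ldflags-to-shared-libs.patch without any replacement, and nothing else in this spec passes the distro LDFLAGS to the shared-library link; unless krb5 1.21.1 itself appends $(LDFLAGS) to LDCOMBINE in shlib.conf, libkrb5 and the other .so files will now be linked without the hardening flags (RELRO, BIND_NOW and similar) that LDFLAGS normally carries, which is worth confirming on the built libraries before merging. The same hunk removes 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch and 0017-Add-PAC-full-checksums.patch, presumably because they landed upstream, and adds 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch, which by its title widens the session-key enctypes the KDC will issue again; the changelog hunk at the end records none of this beyond `update to 1.21.1`. A one-line comment per dropped or added patch (for example `# upstream in 1.21` or `# downstream compat: keep issuing des3/rc4 session keys`) would make the security posture of this rebase auditable from the spec alone.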
@@ -227,6 +251,7 @@ Test sources for krb5 build, with pre-defined compilation parameters %prep %autosetup -p1 -n %{name}-%{version} +#%%autosetup -S git_am -n %{name}-%{version}%{?dashpre} ln NOTICE LICENSE # Generate an FDS-compatible LDIF file. @@ -269,6 +294,8 @@ sed -i -e \ %build +# Go ahead and supply tcl info, because configure doesn't know how to find it. +source %{_libdir}/tclConfig.sh pushd src # This should be safe to remove once we have autoconf >= 2.70 @@ -291,14 +318,17 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --without-krb5-config \ --with-system-et \ --with-system-ss \ + --with-tcl \ --enable-dns-for-realm \ --with-ldap \ + --with-dirsrv-account-locking \ --enable-pkinit \ --with-crypto-impl=openssl \ --with-tls-impl=openssl \ --with-system-verto \ --with-pam \ --with-selinux \ + --with-prng-alg=os \ --with-lmdb \ || (cat config.log; exit 1) @@ -331,6 +361,8 @@ sphinx-build -a -b html -t pathsubs doc build-html rm -fr build-html/_sources %install +[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT" + # Sample KDC config files (bundled kdc.conf and kadm5.acl). mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc install -pm 600 %{SOURCE6} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/ @@ -446,8 +478,8 @@ rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so" # Generate tests launching script sed -e 's/{{ name }}/%{name}/' \ - -e 's/{{ version }}/%{version}/' \ - -e 's/{{ release }}/%{release}/' \ + -e 's/{{ version }}/%{krb5_version}/' \ + -e 's/{{ release }}/%{krb5_release}/' \ -e 's/{{ arch }}/%{_arch}/' \ -i %{SOURCE15} mkdir -p $RPM_BUILD_ROOT%{_libexecdir} @@ -481,6 +513,9 @@ rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/kadmin/kdbkeys/do-test.pl" %find_lang %{gettext_domain} +%ldconfig_scriptlets libs + +%ldconfig_scriptlets server-ldap %post server %systemd_post krb5kdc.service kadmin.service kprop.service 
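Review bot: The new commented line `#%%autosetup -S git_am -n %{name}-%{version}%{?dashpre}` references `%{?dashpre}`, which this spec never defines — the macro introduced for that purpose in the header hunk is `krb5_pre_release` — so enabling the line later would silently unpack into the wrong directory. The live `%autosetup -p1 -n %{name}-%{version}` has the same gap: Source0 is now named krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz, so for any non-%nil pre_release the `-n` directory will not match what the tarball extracts to (assuming upstream names the top-level directory after the tarball, as the Source0 naming suggests). Suggest `%autosetup -p1 -n %{name}-%{krb5_version}%{?krb5_pre_release}` and dropping the stale comment; the `BuildRequires: git` added "For autosetup" in the `@@ -62,11 +82,15 @@` hunk is only needed if the git_am variant is actually used, so it should either be removed or the comment should say which line it serves.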
@@ -496,6 +531,8 @@ exit 0 %systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service exit 0 +%ldconfig_scriptlets -n libkadm5 + %files workstation %doc src/config-files/services.append %doc src/config-files/krb5.conf @@ -597,27 +634,29 @@ exit 0 %{_libdir}/krb5/plugins/kdb/kldap.so %{_libdir}/libkdb_ldap.so %{_libdir}/libkdb_ldap.so.* -%{abidir}/libkdb_ldap.dump -%{abidir}/kldap.dump -%{_mandir}/man8/kdb5_ldap_util.8* +%{_mandir}/man8/kdb5_ldap_util.8.* %{_sbindir}/kdb5_ldap_util %{abidir}/kdb5_ldap_util-option.list +%{abidir}/kldap.dump +%{abidir}/libkdb_ldap.dump %files libs -f %{gettext_domain}.lang +%{!?_licensedir:%global license %%doc} %license LICENSE %dir %{abidir} +%docdir %{_mandir} # These are hard-coded, not-dependent-on-the-configure-script paths. %dir /etc/gss %dir /etc/gss/mech.d %dir /etc/krb5.conf.d %config(noreplace) /etc/krb5.conf %config(noreplace,missingok) /etc/krb5.conf.d/crypto-policies -%{_mandir}/man5/.k5identity.5* -%{_mandir}/man5/.k5login.5* -%{_mandir}/man5/k5identity.5* -%{_mandir}/man5/k5login.5* -%{_mandir}/man5/krb5.conf.5* -%{_mandir}/man7/kerberos.7* +/%{_mandir}/man5/.k5identity.5* +/%{_mandir}/man5/.k5login.5* +/%{_mandir}/man5/k5identity.5* +/%{_mandir}/man5/k5login.5* +/%{_mandir}/man5/krb5.conf.5* +/%{_mandir}/man7/kerberos.7* %{_libdir}/libgssapi_krb5.so.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* @@ -685,6 +724,9 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog +* Wed Feb 21 2024 mgb01105731 - 1.21.1-1 +- update to 1.21.1 + * Thu Aug 10 2023 Funda Wang - 1.20.2-1 - New version 1.20.2
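Review bot: In the `@@ -597,27 +634,29 @@` hunk the six man-page entries rewritten as `/%{_mandir}/man5/...` gain a leading slash that `%{_mandir}` already supplies, yielding `//usr/share/man/...`; rpm tolerates the doubled slash as far as I know, but the same hunk keeps `%{_mandir}/man8/kdb5_ldap_util.8.*` without it, so two styles now coexist in one %files list. Keep the macro-only form, e.g. `%{_mandir}/man5/krb5.conf.5*`, for all six entries. The added `%{!?_licensedir:%global license %%doc}` and `%docdir %{_mandir}` lines are compatibility shims for older rpm; a one-line comment naming the target they exist for (e.g. `# rpm < 4.11 has no %%license; treat as %%doc`) would tell the next maintainer when they can be dropped.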