diff --git a/krb5-1.12-buildconf.patch b/krb5-1.12-buildconf.patch index 01b6b2f..62a7081 100644 --- a/krb5-1.12-buildconf.patch +++ b/krb5-1.12-buildconf.patch @@ -4,18 +4,18 @@ the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. ---- krb5/src/config/shlib.conf -+++ krb5/src/config/shlib.conf -@@ -419,7 +419,7 @@ mips-*-netbsd*) - SHLIBEXT=.so +--- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100 ++++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100 +@@ -423,7 +423,7 @@ # Linux ld doesn't default to stuffing the SONAME field... # Use objdump -x to examine the fields of the library -- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro' - # - LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' - SHLIB_EXPORT_FILE_DEP=binutils.versions -@@ -430,7 +430,8 @@ + # UNDEF_CHECK is suppressed by --enable-asan +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' + UNDEF_CHECK='-Wl,--no-undefined' + # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' +@@ -435,7 +435,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' diff --git a/krb5-1.12-pam.patch b/krb5-1.12-pam.patch index f1ceab6..8562128 100644 --- a/krb5-1.12-pam.patch +++ b/krb5-1.12-pam.patch 
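Review bot: The refreshed LDCOMBINE line adds only `-Wl,-z,relro`, which yields partial RELRO: without `-Wl,-z,now` the GOT stays writable until lazy binding completes, so the GOT-overwrite hardening that RELRO is normally added for is not actually obtained for the krb5 shared libraries. If full RELRO is the intent, change the appended flag to `-Wl,-z,relro -Wl,-z,now` (equivalently `-Wl,-z,relro,-z,now`); if partial RELRO is deliberate, say so in the patch header so the next rebase does not "fix" it. The header's own FIXME about not probing whether the toolchain accepts these flags still applies after this rebase. This is a hunk of a patch file; the shlib.conf context around LDCOMBINE continues outside it.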
@@ -245,9 +245,9 @@ and session management before dropping privileges. exit (1); } } ---- krb5-1.13.orig/src/clients/ksu/Makefile.in -+++ krb5-1.13/src/clients/ksu/Makefile.in -@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. +--- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100 ++++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100 +@@ -3,12 +3,14 @@ DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' KSU_LIBS=@KSU_LIBS@ @@ -262,7 +262,7 @@ and session management before dropping privileges. $(srcdir)/heuristic.c \ $(srcdir)/xmalloc.c \ $(srcdir)/setenv.c -@@ -17,13 +19,17 @@ OBJS = \ +@@ -17,13 +19,17 @@ ccache.o \ authorization.o \ main.o \ @@ -270,7 +270,7 @@ and session management before dropping privileges. heuristic.o \ xmalloc.o @SETENVOBJ@ - all:: ksu + all: ksu ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) @@ -279,7 +279,7 @@ and session management before dropping privileges. +pam.o: pam.c + $(CC) $(ALL_CFLAGS) -c $< - clean:: + clean: $(RM) ksu --- /dev/null +++ krb5-1.13/src/clients/ksu/pam.c diff --git a/krb5-1.12-selinux-label.patch b/krb5-1.12-selinux-label.patch index e9fa6ff..d6913fc 100644 --- a/krb5-1.12-selinux-label.patch +++ b/krb5-1.12-selinux-label.patch 
@@ -235,18 +235,18 @@ which we used earlier, is some improvement. # here. echo $lib_flags ---- krb5-1.13.orig/src/lib/kadm5/logger.c -+++ krb5-1.13/src/lib/kadm5/logger.c -@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch - * Check for append/overwrite, then open the file. +--- krb5-1.15.orig/src/lib/kadm5/logger.c 2016-12-01 23:31:24.000000000 +0100 ++++ krb5-1.15/src/lib/kadm5/logger.c 2016-12-03 21:08:16.107101435 +0100 +@@ -414,7 +414,7 @@ */ - if (cp[4] == ':' || cp[4] == '=') { -- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); -+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[i].lfu_filep = f; -@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) + append = (cp[4] == ':') ? O_APPEND : 0; + if (append || cp[4] == '=') { +- fd = open(&cp[5], O_CREAT | O_WRONLY | append, ++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, + S_IRUSR | S_IWUSR | S_IRGRP); + if (fd != -1) + f = fdopen(fd, append ? "a" : "w"); +@@ -918,7 +918,7 @@ * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ 
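Review bot: The rebased logger.c hunk now wraps the kadmin log-file creation as `THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, S_IRUSR | S_IWUSR | S_IRGRP)`, but the macro's definition is outside this hunk (presumably in k5-label.h, which the rest of this patch adds), so it should be confirmed that it passes the third (mode) argument through to open() unchanged rather than substituting a default: that explicit 0640 mode is what stops a freshly created admin log from coming out world-readable under a permissive umask. The old 1.13 version of this patch went through `WRITABLEFOPEN`, which took no mode, so this is the first revision where the labeling wrapper has to preserve a caller-supplied mode. The enclosing krb5_klog_init body starts and ends outside the hunk.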
@@ -255,32 +255,31 @@ which we used earlier, is some improvement. if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; ---- krb5-1.13.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.13/src/lib/krb5/keytab/kt_file.c -@@ -1024,7 +1024,7 @@ krb5_ktfileint_open(krb5_context context +--- krb5-1.15.orig/src/lib/krb5/keytab/kt_file.c 2016-12-01 23:31:25.000000000 +0100 ++++ krb5-1.15/src/lib/krb5/keytab/kt_file.c 2016-12-03 17:33:05.520679326 +0100 +@@ -1022,14 +1022,14 @@ KTCHECKLOCK(id); errno = 0; - KTFILEP(id) = fopen(KTFILENAME(id), + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), - (mode == KRB5_LOCKMODE_EXCLUSIVE) ? - fopen_mode_rbplus : fopen_mode_rb); + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb"); if (!KTFILEP(id)) { -@@ -1032,7 +1032,7 @@ krb5_ktfileint_open(krb5_context context + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { /* try making it first time around */ k5_create_secure_file(context, KTFILENAME(id)); errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); +- KTFILEP(id) = fopen(KTFILENAME(id), "rb+"); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+"); if (!KTFILEP(id)) goto report_errno; writevno = 1; ---- krb5-1.13.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.13/src/plugins/kdb/db2/adb_openclose.c -@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +--- krb5-1.15.orig/src/plugins/kdb/db2/adb_openclose.c 2016-12-01 23:31:25.000000000 +0100 ++++ krb5-1.15/src/plugins/kdb/db2/adb_openclose.c 2016-12-03 17:34:40.565150626 +0100 +@@ -152,7 +152,7 @@ + * needs be open read/write so that write locking can work with * POSIX systems */ - lockp->lockinfo.filename = strdup(lockfilename); - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { + if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { /* 
@@ -914,30 +913,6 @@ which we used earlier, is some improvement. if (file == NULL) return errno; pid = (unsigned long) getpid(); ---- krb5-1.13.orig/src/util/gss-kernel-lib/Makefile.in -+++ krb5-1.13/src/util/gss-kernel-lib/Makefile.in -@@ -61,6 +61,7 @@ HEADERS= \ - gssapi_err_generic.h \ - k5-int.h \ - k5-int-pkinit.h \ -+ k5-label.h \ - k5-thread.h \ - k5-platform.h \ - k5-buf.h \ -@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ - $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ - gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ --k5-int.h: $(INCLUDE)/k5-int.h -+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h - $(CP) $(INCLUDE)/k5-int.h $@ - k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h - $(CP) $(INCLUDE)/k5-int-pkinit.h $@ -+k5-label.h: $(INCLUDE)/k5-label.h -+ $(CP) $(INCLUDE)/k5-label.h $@ - k5-thread.h: $(INCLUDE)/k5-thread.h - $(CP) $(INCLUDE)/k5-thread.h $@ - k5-platform.h: $(INCLUDE)/k5-platform.h --- krb5-1.13.orig/src/lib/kdb/kdb_log.c +++ krb5-1.13/src/lib/kdb/kdb_log.c @@ -464,7 +464,7 @@ ulog_map(krb5_context context, const cha diff --git a/krb5-1.14.3.tar.gz b/krb5-1.14.3.tar.gz deleted file mode 100644 index 6d8962e..0000000 --- a/krb5-1.14.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cd4620d520cf0df0dd8791309912df2bb20fcba76790b9fba4e25c1da08ff2c9 -size 12279888 diff --git a/krb5-1.14.3.tar.gz.asc b/krb5-1.14.3.tar.gz.asc deleted file mode 100644 index 389755e..0000000 --- a/krb5-1.14.3.tar.gz.asc +++ /dev/null 
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJXj/41AAoJEKMvF/0AVcMFKWkMAIpdTej1sku6sIm39+NjaTDr
-1tPTdRFtX5zb7hFlv4PelZzMWNtylbKmD1WgriTcJ9AGvKY5IexbYrHreEbvHr3s
-hlcnXxhKy4TXWqRyEHQ20K0n2fJYLwJBSVKFM9joCOmfuj2BWPqhh1UxHnNlTsjQ
-k9q1T9iDY2hEiHlIrvLRjiTEZBr/ldr1fzkuAflyDg/7FydjLgl9Jm1HPU08Hofz
-dLh+ozy6hsNTbteTBsngm51iFKSETr5Ugxxba7nXZ7KVaruCawjixDzfQRXgEuh2
-dHAJd6vVOixGcDOxDOSVTy/LaMqERC5K/qc0X2ubjwbPZn798919+szJ90jZwA2j
-19aqxGkOxfHi3LUponAXZ1kgPUbN2x7FIe1byowwnXnAX7i4DJ3HgxWkn5dWnRX3
-ntFsQb5D0YFul5PApXYLpjACQt0gu+WNAwOYDQxSISRkMU5L2yXw7E32qSMdR7j7
-AWZzE8XXuhl8LN/UPxj7+1zOftCOv7xcKtQJgL6Quw==
-=QiOC
------END PGP SIGNATURE-----
diff --git a/krb5-1.15.tar.gz b/krb5-1.15.tar.gz
new file mode 100644
index 0000000..5f5ae43
--- /dev/null
+++ b/krb5-1.15.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd34752774c808ab4f6f864f935c49945f5a56b62240b1ad4ab1af7b4ded127c
+size 9327157
diff --git a/krb5-1.15.tar.gz.asc b/krb5-1.15.tar.gz.asc
new file mode 100644
index 0000000..c34ccef
--- /dev/null
+++ b/krb5-1.15.tar.gz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJYQKmiAAoJEKMvF/0AVcMFfisL/j4xfA/HF0ElUB9X6nSboR8P
+60BSDZZe38gCQyONHn1CiZA5nY7xUy45oXmtffED32NZRIq/8R0CHkSoTd+wCtev
+EEGAACK0cbFMA8YDvlF5R1Hdt2Vgghr+BYGg8TbuhiZadp4I8VZ13WePR5gToaV0
++35lOwgqRYV+Jxijp8N92KuZyZnH88tGbAh9gvPLxps2L7xA+MWwU2R71rraTIVj
+b+saDBldKubh5Hamf+3Qle+lsvJuC7ErUifnjth+tpOonIlgeiLHs6+VwyHlOiv4
+i+Uf0diN/gzWZd62Y+Fl42JDevTXyschWp+HxKLkbQXley04gS0nujRLpvaDkNlR
+L+4Yy873q0yS6o4x7Pmcm3nb/nJQxQyvBJMy8MjLE3pEdynFZK9o0KGBkLtNIYVt
+VwlqHrTGEsOtXYQKdhq9bGvpJa4jwrR2MIDaKvR5i1zc2xtZcWkvhlKJ67FGuRRD
+eSbZR00NXP2wETo7Bu8BsJR5t9/1j+4US9vA15CUQg==
+=iCzw
+-----END PGP SIGNATURE-----
diff --git a/krb5-1.7-doublelog.patch b/krb5-1.7-doublelog.patch
deleted file mode 100644
index 15a3cb6..0000000
--- a/krb5-1.7-doublelog.patch
+++ /dev/null
@@ -1,18 +0,0 @@ -Don't double-log (actually, don't process /etc/krb5.conf twice) just -because we built with --sysconfdir=/etc. RT#3277 - ---- - src/include/Makefile.in | 2 ++ - 1 file changed, 2 insertions(+) - ---- krb5-1.13.orig/src/include/Makefile.in -+++ krb5-1.13/src/include/Makefile.in -@@ -70,6 +70,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( - -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ - -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \ - -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ -+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ -+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \ - -e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \ - -e 's+@SYSCONFCONF+$(SYSCONFCONF)+' - diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 74eef39..8709137 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -2,11 +2,9 @@ We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that could mess up people working in the tree on other things. -Index: src/kadmin/cli/Makefile.in -=================================================================== ---- src/kadmin/cli/Makefile.in.orig -+++ src/kadmin/cli/Makefile.in -@@ -43,3 +43,8 @@ clean-unix:: +--- krb5-1.15.orig/src/kadmin/cli/Makefile.in ++++ krb5-1.15/src/kadmin/cli/Makefile.in +@@ -37,3 +37,8 @@ # CC_LINK is not meant for compilation and this use may break in the future. datetest: getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c 
@@ -15,16 +13,14 @@ Index: src/kadmin/cli/Makefile.in + $(RM) y.tab.c $@ + $(YACC.y) $< + $(CP) y.tab.c $@ -Index: src/plugins/kdb/ldap/ldap_util/Makefile.in -=================================================================== ---- src/plugins/kdb/ldap/ldap_util/Makefile.in.orig -+++ src/plugins/kdb/ldap/ldap_util/Makefile.in -@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR +--- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in ++++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -20,7 +20,7 @@ getdate.c: $(GETDATE) $(RM) getdate.c y.tab.c $(YACC) $(GETDATE) - $(MV) y.tab.c getdate.c + $(CP) y.tab.c getdate.c - install:: + install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) diff --git a/krb5-fix_interposer.patch b/krb5-fix_interposer.patch deleted file mode 100644 index fb01883..0000000 --- a/krb5-fix_interposer.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -From a6b7ccabf383f1f667c5d2b549909dfd59df12f6 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 13 Nov 2015 14:54:11 -0500 -Subject: [PATCH] Fix impersonate_name to work with interposers - -This follows the same modifications applied to -gss_acquire_cred_with_password() when interposer plugins were -introduced. - -[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in -spnego_gss_acquire_cred_impersonate_name() since it is released in the -cleanup handler] - -ticket: 8280 (new) - -diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -index 0dd4f87..9eab25e 100644 ---- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - gss_cred_id_t cred = NULL; - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; -+ gss_OID_set target_mechs = GSS_C_NO_OID_SET; -+ gss_OID selected_mech = GSS_C_NO_OID; - - status = val_add_cred_impersonate_name_args(minor_status, - input_cred_handle, -@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - if (status != GSS_S_COMPLETE) - return (status); - -- mech = gssint_get_mechanism(desired_mech); -+ status = gssint_select_mech_type(minor_status, desired_mech, -+ &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return status; -+ -+ mech = gssint_get_mechanism(selected_mech); - if (!mech) - return GSS_S_BAD_MECH; - else if (!mech->gss_acquire_cred_impersonate_name) -@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - internal_name = GSS_C_NO_NAME; - } else { - union_cred = (gss_union_cred_t)input_cred_handle; -- if (gssint_get_mechanism_cred(union_cred, desired_mech) != -+ if (gssint_get_mechanism_cred(union_cred, selected_mech) != - GSS_C_NO_CREDENTIAL) - return (GSS_S_DUPLICATE_ELEMENT); - } - - mech_impersonator_cred = - 
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, -- desired_mech); -+ selected_mech); - if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) - return (GSS_S_NO_CRED); - - /* may need to create a mechanism specific name */ - union_name = (gss_union_name_t)desired_name; - if (union_name->mech_type && -- g_OID_equal(union_name->mech_type, -- &mech->mech_type)) -+ g_OID_equal(union_name->mech_type, selected_mech)) - internal_name = union_name->mech_name; - else { - if (gssint_import_internal_name(minor_status, -- &mech->mech_type, union_name, -- &allocated_name) != GSS_S_COMPLETE) -+ selected_mech, union_name, -+ &allocated_name) != GSS_S_COMPLETE) - return (GSS_S_BAD_NAME); - internal_name = allocated_name; - } -@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - else - time_req = 0; - -+ status = gss_create_empty_oid_set(minor_status, &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ -+ status = gss_add_oid_set_member(minor_status, -+ gssint_get_public_oid(selected_mech), -+ &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ - status = mech->gss_acquire_cred_impersonate_name(minor_status, - mech_impersonator_cred, - internal_name, - time_req, -- GSS_C_NULL_OID_SET, -+ target_mechs, - cred_usage, - &cred, - NULL, -@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - - new_cred_array[union_cred->count] = cred; - if ((new_mechs_array[union_cred->count].elements = -- malloc(mech->mech_type.length)) == NULL) -+ malloc(selected_mech->length)) == NULL) - goto errout; - -- g_OID_copy(&new_mechs_array[union_cred->count], -- &mech->mech_type); -+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); - - if (actual_mechs != NULL) { -- gss_OID_set_desc oids; -- -- oids.count = union_cred->count + 1; -- oids.elements = new_mechs_array; -- -- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); -+ status = gssint_make_public_oid_set(minor_status, 
new_mechs_array, -+ union_cred->count + 1, -+ actual_mechs); - if (GSS_ERROR(status)) { - free(new_mechs_array[union_cred->count].elements); - goto errout; -@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - /* We're done with the internal name. Free it if we allocated it. */ - - if (allocated_name) -- (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, - &allocated_name); - -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); -+ - return (GSS_S_COMPLETE); - - errout: -@@ -503,8 +517,10 @@ errout: - - if (allocated_name) - (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -- &allocated_name); -+ selected_mech, &allocated_name); -+ -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); - - if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) - free(union_cred); -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 5f1ca33..bb754d9 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec) - { -- OM_uint32 status; -+ OM_uint32 status, tmpmin; - gss_OID_set amechs = GSS_C_NULL_OID_SET; - spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; -- gss_cred_id_t imp_mcred, out_mcred; -+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; - - dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); - -@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - - imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; - imp_mcred = imp_spcred ? 
imp_spcred->mcred : GSS_C_NO_CREDENTIAL; -- if (desired_mechs == GSS_C_NO_OID_SET) { -- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -- NULL, &amechs); -- if (status != GSS_S_COMPLETE) -- return status; -- -- desired_mechs = amechs; -- } -+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -+ NULL, &amechs); -+ if (status != GSS_S_COMPLETE) -+ return status; - - status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, - desired_name, time_req, -- desired_mechs, cred_usage, -+ amechs, cred_usage, - &out_mcred, actual_mechs, - time_rec); -- -- if (amechs != GSS_C_NULL_OID_SET) -- (void) gss_release_oid_set(minor_status, &amechs); -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; - - status = create_spnego_cred(minor_status, out_mcred, &out_spcred); -- if (status != GSS_S_COMPLETE) { -- gss_release_cred(minor_status, &out_mcred); -- return (status); -- } -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; -+ -+ out_mcred = GSS_C_NO_CREDENTIAL; - *output_cred_handle = (gss_cred_id_t)out_spcred; - -+cleanup: -+ (void) gss_release_oid_set(&tmpmin, &amechs); -+ (void) gss_release_cred(&tmpmin, &out_mcred); -+ - dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); - return (status); - } --- -2.7.4 - diff --git a/krb5-mini.changes b/krb5-mini.changes index 8a561d2..acb7910 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
+
+- Upgrade to 1.15
+- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
+- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
+ file is not available in upstream source anymore
+- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
+- doc/CHANGES not available in 1.15 source anymore
+
+- Upgrade from 1.14.4 to 1.15 - major changes:
+ Administrator experience:
+ * Add support to kadmin for remote extraction of current keys without
+ changing them (requires a special kadmin permission that is excluded
+ from the wildcard permission), with the exception of highly
+ protected keys.
+ * Add a lockdown_keys principal attribute to prevent retrieval of the
+ principal's keys (old or new) via the kadmin protocol. In newly
+ created databases, this attribute is set on the krbtgt and kadmin
+ principals.
+ * Restore recursive dump capability for DB2 back end, so sites can
+ more easily recover from database corruption resulting from power
+ failure events.
+ * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+ in addition to SRV records. URI records can convey TCP and UDP
+ servers and master KDC status in a single DNS lookup, and can also
+ point to HTTPS proxy servers.
+ * Add support for password history to the LDAP back end.
+ * Add support for principal renaming to the LDAP back end.
+ * Use the getrandom system call on supported Linux kernels to avoid
+ blocking problems when getting entropy from the operating system.
+ * In the PKINIT client, use the correct DigestInfo encoding for PKCS
+ #1 signatures, so that some especially strict smart cards will work.
+ Code quality:
+ * Clean up numerous compilation warnings.
+ * Remove various infrequently built modules, including some preauth
+ modules that were not built by default.
+ Developer experience:
+ * Add support for building with OpenSSL 1.1.
+ * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+ authenticators in the replay cache. This helps sites that must
+ build with FIPS 140 conformant libraries that lack MD5.
+ Protocol evolution:
+ * Add support for the AES-SHA2 enctypes, which allows sites to conform
+ to Suite B crypto requirements.
+
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+ * Fix some rare btree data corruption bugs
+ * Fix numerous minor memory leaks
+ * Improve portability (Linux-ppc64el, FreeBSD)
+ * Improve some error messages
+ * Improve documentation
+
 -------------------------------------------------------------------
 Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
diff --git a/krb5-mini.spec b/krb5-mini.spec
index d7b86da..b3bda88 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -16,7 +16,7 @@
 #
-%define srcRoot krb5-1.14.3
+%define srcRoot krb5-1.15
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir %{_defaultdocdir}/krb5
@@ -29,7 +29,7 @@ BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
-Version: 1.14.3
+Version: 1.15
 Release: 0
 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
 License: MIT
@@ -59,12 +59,10 @@ Patch2: krb5-1.9-manpaths.dif
 Patch3: krb5-1.12-buildconf.patch
 Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6: krb5-1.6.3-ktutil-manpage.dif
-Patch7: krb5-1.7-doublelog.patch
 Patch8: krb5-1.12-api.patch
 Patch11: krb5-1.12-ksu-path.patch
 Patch12: krb5-1.12-selinux-label.patch
 Patch13: krb5-1.9-debuginfo.patch
-Patch15: krb5-fix_interposer.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %fillup_prereq
@@ -104,18 +102,16 @@ Include Files for Development
 %patch3 -p1
 %patch4 -p1
 %patch6 -p1
-%patch7 -p1
 %patch8 -p1
 %patch11 -p1
 %patch12 -p1
-%patch13 -p0
-%patch15 -p1
+%patch13 -p1
 %build
 # needs to be re-generated
 rm -f src/lib/krb5/krb/deltat.c
 cd src
-./util/reconf
+autoreconf -fi
 DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 ./configure \
 CC="%{__cc}" \
diff --git a/krb5.changes b/krb5.changes
index c5734e5..adb9e3c 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
+
+- Upgrade to 1.15
+- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
+- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
+ file is not available in upstream source anymore
+- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
+
+- Upgrade from 1.14.4 to 1.15 - major changes:
+ Administrator experience:
+ * Add support to kadmin for remote extraction of current keys without
+ changing them (requires a special kadmin permission that is excluded
+ from the wildcard permission), with the exception of highly
+ protected keys.
+ * Add a lockdown_keys principal attribute to prevent retrieval of the
+ principal's keys (old or new) via the kadmin protocol. In newly
+ created databases, this attribute is set on the krbtgt and kadmin
+ principals.
+ * Restore recursive dump capability for DB2 back end, so sites can
+ more easily recover from database corruption resulting from power
+ failure events.
+ * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+ in addition to SRV records. URI records can convey TCP and UDP
+ servers and master KDC status in a single DNS lookup, and can also
+ point to HTTPS proxy servers.
+ * Add support for password history to the LDAP back end.
+ * Add support for principal renaming to the LDAP back end.
+ * Use the getrandom system call on supported Linux kernels to avoid
+ blocking problems when getting entropy from the operating system.
+ * In the PKINIT client, use the correct DigestInfo encoding for PKCS
+ #1 signatures, so that some especially strict smart cards will work.
+ Code quality:
+ * Clean up numerous compilation warnings.
+ * Remove various infrequently built modules, including some preauth
+ modules that were not built by default.
+ Developer experience:
+ * Add support for building with OpenSSL 1.1.
+ * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+ authenticators in the replay cache. This helps sites that must
+ build with FIPS 140 conformant libraries that lack MD5.
+ Protocol evolution:
+ * Add support for the AES-SHA2 enctypes, which allows sites to conform
+ to Suite B crypto requirements.
+
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+ * Fix some rare btree data corruption bugs
+ * Fix numerous minor memory leaks
+ * Improve portability (Linux-ppc64el, FreeBSD)
+ * Improve some error messages
+ * Improve documentation
+
 -------------------------------------------------------------------
 Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de
diff --git a/krb5.spec b/krb5.spec
index 8aab904..9ebfd64 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -25,7 +25,7 @@ BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
-Version: 1.14.3
+Version: 1.15
 Release: 0
 Summary: MIT Kerberos5 Implementation--Libraries
 License: MIT
@@ -59,12 +59,10 @@ Patch2: krb5-1.9-manpaths.dif
 Patch3: krb5-1.12-buildconf.patch
 Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6: krb5-1.6.3-ktutil-manpage.dif
-Patch7: krb5-1.7-doublelog.patch
 Patch8: krb5-1.12-api.patch
 Patch11: krb5-1.12-ksu-path.patch
 Patch12: krb5-1.12-selinux-label.patch
 Patch13: krb5-1.9-debuginfo.patch
-Patch15: krb5-fix_interposer.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %fillup_prereq
@@ -175,18 +173,16 @@ Include Files for Development
 %patch3 -p1
 %patch4 -p1
 %patch6 -p1
-%patch7 -p1
 %patch8 -p1
 %patch11 -p1
 %patch12 -p1
-%patch13 -p0
-%patch15 -p1
+%patch13 -p1
 %build
 # needs to be re-generated
 rm -f src/lib/krb5/krb/deltat.c
 cd src
-./util/reconf
+autoreconf -fi
 DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 ./configure \
 CC="%{__cc}" \
@@ -531,6 +527,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %files doc
 %defattr(-,root,root)
-%doc html doc/CHANGES doc/README
+%doc html doc/README
 %changelog