From 10b96098f3977b182c61a7d6297e9c071da48b4f57cb542c5cd41234f34bb8bd Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 10 Dec 2013 09:48:22 +0000 Subject: [PATCH 1/4] Accepting request 210105 from home:neilbrown:branches:network Reduce build dependencies for krb5-mini This requires a change to e2fsprogs which will include the creation of e2fsprogs-mini, so it shouldn't be accepted before that other change is accepted - Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel - Small fix to pre_checkin.sh so krb5-mini.spec is correct. - Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel - Small fix to pre_checkin.sh so krb5-mini.spec is correct. OBS-URL: https://build.opensuse.org/request/show/210105 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=112 --- krb5-mini.changes | 10 +++++++++- krb5-mini.spec | 8 ++++++-- krb5.changes | 8 ++++++++ krb5.spec | 8 ++++++-- pre_checkin.sh | 1 + 5 files changed, 30 insertions(+), 5 deletions(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index 804b407..e63fbaa 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,5 +1,13 @@ ------------------------------------------------------------------- -Fri Nov 15 13:35:09 UTC 2013 - ckornacker@suse.com +Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com + +- Reduce build dependencies for krb5-mini by removing + doxygen and changing libcom_err-devel to + libcom_err-mini-devel +- Small fix to pre_checkin.sh so krb5-mini.spec is correct. + +------------------------------------------------------------------- +Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com - update to version 1.11.4 - Fix a KDC null pointer dereference [CVE-2013-1417] that could diff --git a/krb5-mini.spec b/krb5-mini.spec index 5d24e1d..16c4129 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec 
@@ -25,10 +25,13 @@ Name: krb5-mini
 Url: http://web.mit.edu/kerberos/www/
 BuildRequires: autoconf
 BuildRequires: bison
-BuildRequires: doxygen
 BuildRequires: keyutils
 BuildRequires: keyutils-devel
-BuildRequires: libcom_err-devel
+%if 0%{?suse_version} >= 1310
+BuildRequires: libcom_err-mini-devel
+%else
+BuildRequires: libcom_err-mini-devel
+%endif
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
 Version: 1.11.4
@@ -37,6 +40,7 @@ Summary: MIT Kerberos5 Implementation--Libraries
 License: MIT
 Group: Productivity/Networking/Security
 %if ! 0%{?build_mini}
+BuildRequires: doxygen
 BuildRequires: libopenssl-devel
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
diff --git a/krb5.changes b/krb5.changes
index aa5dc90..e63fbaa 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
+
+- Reduce build dependencies for krb5-mini by removing
+ doxygen and changing libcom_err-devel to
+ libcom_err-mini-devel
+- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
+
 -------------------------------------------------------------------
 Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com
 
diff --git a/krb5.spec b/krb5.spec
index 8c366d6..9104f01 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -25,10 +25,13 @@ Name: krb5
 Url: http://web.mit.edu/kerberos/www/
 BuildRequires: autoconf
 BuildRequires: bison
-BuildRequires: doxygen
 BuildRequires: keyutils
 BuildRequires: keyutils-devel
-BuildRequires: libcom_err-devel
+%if 0%{?suse_version} >= 1310
+BuildRequires: libcom_err-mini-devel
+%else
+BuildRequires: libcom_err-mini-devel
+%endif
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
 Version: 1.11.4
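Review bot: In both the krb5-mini.spec and the krb5.spec hunk `@@ -25,10 +25,13 @@`, the `%if 0%{?suse_version} >= 1310` branch and its `%else` branch both say `BuildRequires: libcom_err-mini-devel`, so the conditional is dead and the full (non-mini) build also takes the mini devel package, which does not match the changelog's "for krb5-mini" wording; since the condition keys on suse_version rather than `%{?build_mini}`, it is worth confirming which was intended. PATCH 2/4 later corrects only the `%else` branch of krb5-mini.spec, but pre_checkin.sh regenerates krb5-mini.spec from krb5.spec, so that hand edit is lost on the next checkin unless krb5.spec is fixed as well. The `%else` line in krb5.spec should read `BuildRequires: libcom_err-devel`.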
@@ -37,6 +40,7 @@ Summary: MIT Kerberos5 Implementation--Libraries License: MIT Group: Productivity/Networking/Security %if ! 0%{?build_mini} +BuildRequires: doxygen BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel diff --git a/pre_checkin.sh b/pre_checkin.sh index 611f38f..441ce6d 100644 --- a/pre_checkin.sh +++ b/pre_checkin.sh @@ -1,5 +1,6 @@ #!/bin/sh sed -e 's/Name:.*/Name: krb5-mini/g;' \ + -e 's/spec file for package.*/&-mini/' \ -e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec cp krb5.changes krb5-mini.changes From 9e3edabdc02787b865c4d9549796c72b39ef034d3149e14f3d16527016e2a265 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 10 Dec 2013 16:50:56 +0000 Subject: [PATCH 2/4] OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=113 --- krb5-mini.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krb5-mini.spec b/krb5-mini.spec index 16c4129..29795f7 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel %if 0%{?suse_version} >= 1310 BuildRequires: libcom_err-mini-devel %else -BuildRequires: libcom_err-mini-devel +BuildRequires: libcom_err-devel %endif BuildRequires: libselinux-devel BuildRequires: ncurses-devel From 03254981cb5581726fe8b50f515e2ffd51455ce98a5e4cc5f9982970db0ab045 Mon Sep 17 00:00:00 2001 
From: Michael Calmer Date: Wed, 15 Jan 2014 14:14:20 +0000 Subject: [PATCH 3/4] Accepting request 213903 from home:ckornacker:branches:network - update to version 1.12 * Add GSSAPI extensions for constructing MIC tokens using IOV lists * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * The AES-based encryption types will use AES-NI instructions when possible for improved performance. - revert dependency on libcom_err-mini-devel since it's not yet available - update and rebase patches OBS-URL: https://build.opensuse.org/request/show/213903 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=114 --- krb5-1.11.4.tar.bz2 | 3 - krb5-1.12-api.patch | 27 ++ ...ildconf.patch => krb5-1.12-buildconf.patch | 24 +- krb5-1.12-copy_context.patch | 306 ++++++++++++++ krb5-1.12-enable-NX.patch | 57 +++ krb5-1.12-ksu-path.patch | 12 + krb5-1.11-pam.patch => krb5-1.12-pam.patch | 64 ++- krb5-1.12-pic-aes-ni.patch | 70 ++++ ...bel.patch => krb5-1.12-selinux-label.patch | 392 ++++++++---------- krb5-1.12.tar.gz | 3 + krb5-1.8-api.patch | 31 -- krb5-1.9-debuginfo.patch | 2 +- krb5-1.9-kprop-mktemp.patch | 4 +- krb5-1.9-ksu-path.patch | 13 - krb5-kvno-230379.patch | 8 +- krb5-master-gss_oid_leak.patch | 28 ++ ...ignore-empty-unnecessary-final-token.patch | 37 ++ krb5-master-keytab_close.patch | 39 ++ krb5-master-no-malloc0.patch | 39 ++ krb5-master-spnego_error_messages.patch | 44 ++ krb5-mini.changes | 13 + krb5-mini.spec | 71 +++- krb5.changes | 13 + krb5.spec | 73 +++- 24 files changed, 1014 insertions(+), 359 deletions(-) delete mode 100644 krb5-1.11.4.tar.bz2 create mode 100644 krb5-1.12-api.patch rename krb5-1.10-buildconf.patch => krb5-1.12-buildconf.patch (77%) create mode 100644 krb5-1.12-copy_context.patch create mode 100644 krb5-1.12-enable-NX.patch create mode 100644 krb5-1.12-ksu-path.patch rename krb5-1.11-pam.patch => krb5-1.12-pam.patch (93%) create mode 100644 krb5-1.12-pic-aes-ni.patch rename 
krb5-1.11-selinux-label.patch => krb5-1.12-selinux-label.patch (71%) create mode 100644 krb5-1.12.tar.gz delete mode 100644 krb5-1.8-api.patch delete mode 100644 krb5-1.9-ksu-path.patch create mode 100644 krb5-master-gss_oid_leak.patch create mode 100644 krb5-master-ignore-empty-unnecessary-final-token.patch create mode 100644 krb5-master-keytab_close.patch create mode 100644 krb5-master-no-malloc0.patch create mode 100644 krb5-master-spnego_error_messages.patch diff --git a/krb5-1.11.4.tar.bz2 b/krb5-1.11.4.tar.bz2 deleted file mode 100644 index 71f919c..0000000 --- a/krb5-1.11.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1d9ef56b9280c5af103e24310a2bc79fca8de40fd4ebc1edae3d21e59c6afda3 -size 9449691 diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch new file mode 100644 index 0000000..d059432 --- /dev/null +++ b/krb5-1.12-api.patch @@ -0,0 +1,27 @@ +Reference docs don't define what happens if you call krb5_realm_compare() with +malformed krb5_principal structures. Define a behavior which keeps it from +crashing if applications don't check ahead of time. + +--- krb5/src/lib/krb5/krb/princ_comp.c ++++ krb5/src/lib/krb5/krb/princ_comp.c +@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context + const krb5_data *realm1 = &princ1->realm; + const krb5_data *realm2 = &princ2->realm; + ++ if (princ1 == NULL || princ2 == NULL) ++ return FALSE; ++ if (realm1 == NULL || realm2 == NULL) ++ return FALSE; + if (realm1->length != realm2->length) + return FALSE; + if (realm1->length == 0) +@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex + krb5_principal upn2 = NULL; + krb5_boolean ret = FALSE; + ++ if (princ1 == NULL || princ2 == NULL) ++ return FALSE; ++ + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { + /* Treat UPNs as if they were real principals */ + if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { 
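Review bot: In the realm_compare_flags hunk of the new krb5-1.12-api.patch, the added `princ1 == NULL || princ2 == NULL` guard runs after `realm1` and `realm2` have already been initialised from `&princ1->realm` and `&princ2->realm`, so the function does pointer arithmetic on a NULL principal before the guard (undefined behaviour in C, and a compiler may drop the later check on that basis), and the added `realm1 == NULL || realm2 == NULL` test can never be true because both hold addresses of struct members. Declare the two pointers without initialisers, check the principals first, then assign: `const krb5_data *realm1, *realm2;` / `if (princ1 == NULL || princ2 == NULL) return FALSE;` / `realm1 = &princ1->realm; realm2 = &princ2->realm;`, and drop the realm NULL test. The enclosing function begins outside the hunk, so the surrounding declarations need a look before editing.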
diff --git a/krb5-1.10-buildconf.patch b/krb5-1.12-buildconf.patch similarity index 77% rename from krb5-1.10-buildconf.patch rename to krb5-1.12-buildconf.patch index b62e1cf..01b6b2f 100644 --- a/krb5-1.10-buildconf.patch +++ b/krb5-1.12-buildconf.patch @@ -4,10 +4,8 @@ the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. -Index: krb5-1.11/src/config/shlib.conf -=================================================================== ---- krb5-1.11.orig/src/config/shlib.conf -+++ krb5-1.11/src/config/shlib.conf +--- krb5/src/config/shlib.conf ++++ krb5/src/config/shlib.conf @@ -419,7 +419,7 @@ mips-*-netbsd*) SHLIBEXT=.so # Linux ld doesn't default to stuffing the SONAME field... @@ -17,7 +15,7 @@ Index: krb5-1.11/src/config/shlib.conf # LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' SHLIB_EXPORT_FILE_DEP=binutils.versions -@@ -430,7 +430,8 @@ mips-*-netbsd*) +@@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' @@ -27,11 +25,9 @@ Index: krb5-1.11/src/config/shlib.conf CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -Index: krb5-1.11/src/krb5-config.in -=================================================================== ---- krb5-1.11.orig/src/krb5-config.in -+++ krb5-1.11/src/krb5-config.in -@@ -221,6 +221,13 @@ if test -n "$do_libs"; then +--- krb5/src/build-tools/krb5-config.in ++++ krb5/src/build-tools/krb5-config.in +@@ -189,6 +189,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` 
@@ -45,11 +41,9 @@ Index: krb5-1.11/src/krb5-config.in if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -Index: krb5-1.11/src/config/pre.in -=================================================================== ---- krb5-1.11.orig/src/config/pre.in -+++ krb5-1.11/src/config/pre.in -@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST +--- krb5/src/config/pre.in ++++ krb5/src/config/pre.in +@@ -188,7 +188,7 @@ INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ diff --git a/krb5-1.12-copy_context.patch b/krb5-1.12-copy_context.patch new file mode 100644 index 0000000..b1f7d6c --- /dev/null +++ b/krb5-1.12-copy_context.patch 
@@ -0,0 +1,306 @@ +Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial) +profile_in_memory fields, and drop the hunk that touched .gitignore. + +commit c452644d91d57d8b05ef396a029e34d0c7a48920 +Author: Greg Hudson +Date: Wed Dec 18 15:03:03 2013 -0500 + + Fix krb5_copy_context + + krb5_copy_context has been broken since 1.8 (it broke in r22456) + because k5_copy_etypes crashes on null enctype lists. Subsequent + additions to the context structure were not reflected in + krb5_copy_context, creating double-free bugs. Make k5_copy_etypes + handle null input and account for all new fields in krb5_copy_context. + Reported by Arran Cudbard-Bell. + + ticket: 7807 (new) + target_version: 1.12.1 + tags: pullup + +diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c +index 0bc92f8..4237023 100644 +--- a/src/lib/krb5/krb/copy_ctx.c ++++ b/src/lib/krb5/krb/copy_ctx.c +@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) + nctx->ser_ctx_count = 0; + nctx->ser_ctx = NULL; + nctx->prompt_types = NULL; ++ nctx->preauth_context = NULL; ++ nctx->ccselect_handles = NULL; ++ nctx->localauth_handles = NULL; ++ nctx->hostrealm_handles = NULL; ++ nctx->kdblog_context = NULL; ++ nctx->trace_callback = NULL; ++ nctx->trace_callback_data = NULL; ++ nctx->plugin_base_dir = NULL; + nctx->os_context.default_ccname = NULL; + ++#ifdef KRB5_DNS_LOOKUP ++ nctx->profile_in_memory = 0; ++#endif /* KRB5_DNS_LOOKUP */ ++ + memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); + nctx->vtbl = NULL; + nctx->locate_fptrs = NULL; + + memset(&nctx->err, 0, sizeof(nctx->err)); ++ memset(&nctx->plugins, 0, sizeof(nctx->plugins)); + + ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes); + if (ret) +@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) + ret = krb5_get_profile(ctx, &nctx->profile); + if (ret) + goto errout; ++ nctx->plugin_base_dir = strdup(ctx->plugin_base_dir); ++ if 
(nctx->plugin_base_dir == NULL) { ++ ret = ENOMEM; ++ goto errout; ++ } + + errout: + if (ret) { +diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c +index 9efe2e0..71f664f 100644 +--- a/src/lib/krb5/krb/etype_list.c ++++ b/src/lib/krb5/krb/etype_list.c +@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list) + krb5_enctype *list; + + *new_list = NULL; ++ if (old_list == NULL) ++ return 0; + count = k5_count_etypes(old_list); + list = malloc(sizeof(krb5_enctype) * (count + 1)); + if (list == NULL) + +commit b78c3c8c5025aec870d20472f80d4a652062f921 +Author: Greg Hudson +Date: Wed Dec 18 13:08:25 2013 -0500 + + Add a test program for krb5_copy_context + + This test program isn't completely proof against the kind of mistakes + we've made with krb5_copy_context in the past, but it at least + exercises krb5_copy_context and can detect some kinds of bugs. + + ticket: 7807 + +diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in +index 7d1682d..3b58219 100644 +--- a/src/lib/krb5/krb/Makefile.in ++++ b/src/lib/krb5/krb/Makefile.in +@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \ + $(srcdir)/t_expire_warn.c \ + $(srcdir)/t_authdata.c \ + $(srcdir)/t_cc_config.c \ ++ $(srcdir)/t_copy_context.c \ + $(srcdir)/t_in_ccache.c \ + $(srcdir)/t_response_items.c \ + $(srcdir)/t_vfy_increds.c +@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS) + t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS) + ++t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS) ++ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS) ++ + t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS) + + TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ +- t_in_ccache t_cc_config \ ++ t_in_ccache t_cc_config t_copy_context \ + t_princ t_etypes t_vfy_increds 
t_response_items + + check-unix:: $(TEST_PROGS) +@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS) + $(RUN_SETUP) $(VALGRIND) ./t_princ + $(RUN_SETUP) $(VALGRIND) ./t_etypes + $(RUN_SETUP) $(VALGRIND) ./t_response_items ++ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ ++ $(RUN_SETUP) $(VALGRIND) ./t_copy_context + + check-pytests:: t_expire_warn t_vfy_increds + $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) +@@ -491,6 +497,7 @@ clean:: + $(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \ + $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \ + $(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \ ++ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \ + $(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \ + $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \ + $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ +diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c +new file mode 100644 +index 0000000..522fa0c +--- /dev/null ++++ b/src/lib/krb5/krb/t_copy_context.c +@@ -0,0 +1,166 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */ ++/* ++ * Copyright (C) 2013 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include ++ ++static void ++trace(krb5_context ctx, const krb5_trace_info *info, void *data) ++{ ++} ++ ++static void ++check(int cond) ++{ ++ if (!cond) ++ abort(); ++} ++ ++static void ++compare_string(const char *str1, const char *str2) ++{ ++ check((str1 == NULL) == (str2 == NULL)); ++ if (str1 != NULL) ++ check(strcmp(str1, str2) == 0); ++} ++ ++static void ++compare_etypes(krb5_enctype *list1, krb5_enctype *list2) ++{ ++ check((list1 == NULL) == (list2 == NULL)); ++ if (list1 == NULL) ++ return; ++ while (*list1 != ENCTYPE_NULL && *list1 == *list2) ++ list1++, list2++; ++ check(*list1 == *list2); ++} ++ ++/* Check that the context c is a valid copy of the reference context r. */ ++static void ++check_context(krb5_context c, krb5_context r) ++{ ++ int i; ++ ++ /* Check fields which should have been propagated from r. 
*/ ++ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes); ++ compare_etypes(c->tgs_etypes, r->tgs_etypes); ++ check(c->os_context.time_offset == r->os_context.time_offset); ++ check(c->os_context.usec_offset == r->os_context.usec_offset); ++ check(c->os_context.os_flags == r->os_context.os_flags); ++ compare_string(c->os_context.default_ccname, r->os_context.default_ccname); ++ check(c->clockskew == r->clockskew); ++ check(c->kdc_req_sumtype == r->kdc_req_sumtype); ++ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); ++ check(c->default_safe_sumtype == r->default_safe_sumtype); ++ check(c->kdc_default_options == r->kdc_default_options); ++ check(c->library_options == r->library_options); ++ check(c->profile_secure == r->profile_secure); ++ check(c->fcc_default_format == r->fcc_default_format); ++ check(c->udp_pref_limit == r->udp_pref_limit); ++ check(c->use_conf_ktypes == r->use_conf_ktypes); ++ check(c->allow_weak_crypto == r->allow_weak_crypto); ++ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname); ++ check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname); ++ compare_string(c->plugin_base_dir, r->plugin_base_dir); ++ ++ /* Check fields which don't propagate. 
*/ ++ check(c->dal_handle == NULL); ++ check(c->ser_ctx_count == 0); ++ check(c->ser_ctx == NULL); ++ check(c->prompt_types == NULL); ++ check(c->libkrb5_plugins.files == NULL); ++ check(c->preauth_context == NULL); ++ check(c->ccselect_handles == NULL); ++ check(c->localauth_handles == NULL); ++ check(c->hostrealm_handles == NULL); ++ check(c->err.code == 0); ++ check(c->err.msg == NULL); ++ check(c->kdblog_context == NULL); ++ check(c->trace_callback == NULL); ++ check(c->trace_callback_data == NULL); ++ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) { ++ check(c->plugins[i].modules == NULL); ++ check(!c->plugins[i].configured); ++ } ++} ++ ++int ++main(int argc, char **argv) ++{ ++ krb5_context ctx, ctx2; ++ krb5_plugin_initvt_fn *mods; ++ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 }; ++ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }; ++ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD }; ++ ++ /* Copy a default context and verify the result. */ ++ check(krb5_init_context(&ctx) == 0); ++ check(krb5_copy_context(ctx, &ctx2) == 0); ++ check_context(ctx2, ctx); ++ krb5_free_context(ctx2); ++ ++ /* Set non-default values for all of the propagated fields in ctx. 
*/ ++ ctx->allow_weak_crypto = TRUE; ++ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0); ++ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0); ++ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0); ++ check(krb5_cc_set_default_name(ctx, "defccname") == 0); ++ check(krb5_set_default_realm(ctx, "defrealm") == 0); ++ ctx->clockskew = 18; ++ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; ++ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; ++ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; ++ ctx->kdc_default_options = KDC_OPT_FORWARDABLE; ++ ctx->library_options = 0; ++ ctx->profile_secure = TRUE; ++ ctx->udp_pref_limit = 2345; ++ ctx->use_conf_ktypes = TRUE; ++ ctx->ignore_acceptor_hostname = TRUE; ++ ctx->dns_canonicalize_hostname = FALSE; ++ free(ctx->plugin_base_dir); ++ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL); ++ ++ /* Also set some of the non-propagated fields. */ ++ ctx->prompt_types = ptypes; ++ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0); ++ k5_plugin_free_modules(ctx, mods); ++ krb5_set_error_message(ctx, ENOMEM, "nooooooooo"); ++ krb5_set_trace_callback(ctx, trace, ctx); ++ ++ /* Copy the intentionally messy context and verify the result. */ ++ check(krb5_copy_context(ctx, &ctx2) == 0); ++ check_context(ctx2, ctx); ++ krb5_free_context(ctx2); ++ ++ krb5_free_context(ctx); ++ return 0; ++} diff --git a/krb5-1.12-enable-NX.patch b/krb5-1.12-enable-NX.patch new file mode 100644 index 0000000..63c8bb6 --- /dev/null +++ b/krb5-1.12-enable-NX.patch 
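Review bot: In the Makefile.in `clean::` hunk of krb5-1.12-copy_context.patch the added line reads `$(OUTPRE)t_copy_context(EXEEXT)`, missing the `$` before `(EXEEXT)`, so make sees a literal `t_copy_context(EXEEXT)` path and the test binary is never cleaned; it should be `$(OUTPRE)t_copy_context$(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \`. Separately, the `#include` line at the top of the new t_copy_context.c carries no header name in this rendering; that is presumably an extraction artefact (the test reaches into context internals such as `c->plugins[i]`, which need the library's private header), but the patch file itself should be confirmed intact before it is applied. The krb5.spec hunk that registers these patches is outside this chunk.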
@@ -0,0 +1,57 @@ +commit c64e39c69a9a7ee32c00b0cf7918f6274a565544 +Author: Greg Hudson +Date: Fri Jan 3 13:50:48 2014 -0500 + + Mark AESNI files as not needing executable stacks + + Some Linux systems now come with facilities to mark the stack as + non-executable, making it more difficult to exploit buffer overrun + bugs. For this to work, object files built from assembly need a + section added to note whether they require an executable stack. + + Patch from Dhiru Kholia with comments added. More information at: + https://bugzilla.redhat.com/show_bug.cgi?id=1045699 + https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart + + ticket: 7813 + target_version: 1.12.1 + tags: pullup + +diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s +index 1c091c1..d03c859 100644 +--- a/src/lib/crypto/builtin/aes/iaesx64.s ++++ b/src/lib/crypto/builtin/aes/iaesx64.s +@@ -834,3 +834,14 @@ lp256encsingle_CBC: + movdqu [r9],xmm1 + add rsp,16*16+8 + ret ++ ++; Mark this file as not needing an executable stack. ++%ifidn __OUTPUT_FORMAT__,elf ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif ++%ifidn __OUTPUT_FORMAT__,elf32 ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif ++%ifidn __OUTPUT_FORMAT__,elf64 ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif +diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s +index b667acd..1aa12e6 100644 +--- a/src/lib/crypto/builtin/aes/iaesx86.s ++++ b/src/lib/crypto/builtin/aes/iaesx86.s +@@ -871,3 +871,14 @@ lp256encsingle_CBC: + movdqu [ecx],xmm1 ; store last iv for chaining + + ret ++ ++; Mark this file as not needing an executable stack. 
++%ifidn __OUTPUT_FORMAT__,elf ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif ++%ifidn __OUTPUT_FORMAT__,elf32 ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif ++%ifidn __OUTPUT_FORMAT__,elf64 ++section .note.GNU-stack noalloc noexec nowrite progbits ++%endif diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch new file mode 100644 index 0000000..74f3a5f --- /dev/null +++ b/krb5-1.12-ksu-path.patch @@ -0,0 +1,12 @@ +Set the default PATH to the one set by login. + +--- krb5/src/clients/ksu/Makefile.in ++++ krb5/src/clients/ksu/Makefile.in +@@ -1,6 +1,6 @@ + mydir=clients$(S)ksu + BUILDTOP=$(REL)..$(S).. +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ + PAM_LIBS=@PAM_LIBS@ diff --git a/krb5-1.11-pam.patch b/krb5-1.12-pam.patch similarity index 93% rename from krb5-1.11-pam.patch rename to krb5-1.12-pam.patch index adf3824..7fb6cae 100644 --- a/krb5-1.11-pam.patch +++ b/krb5-1.12-pam.patch @@ -11,11 +11,10 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. -Index: krb5-1.11.1/src/aclocal.m4 -=================================================================== ---- krb5-1.11.1.orig/src/aclocal.m4 -+++ krb5-1.11.1/src/aclocal.m4 -@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4 +--- krb5/src/aclocal.m4 2014-01-13 17:12:47.509022000 +0100 ++++ krb5/src/aclocal.m4 2014-01-13 17:13:24.552689000 +0100 +@@ -1668,3 +1668,70 @@ ])) ])dnl dnl 
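Review bot: The `.note.GNU-stack` sections added by krb5-1.12-enable-NX.patch cover only iaesx64.s and iaesx86.s, and the linker marks a whole shared object as needing an executable stack if any single input object lacks the note, so the build should verify the outcome rather than assume it: `readelf -lW [built-library-path] | grep GNU_STACK` should show `RW` rather than `RWE` for the crypto library (rpmlint's executable-stack check reports the same condition). The three `%ifidn` blocks for `elf`, `elf32` and `elf64` are redundant with one another but harmless.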
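Review bot: krb5-1.12-ksu-path.patch now lists `/usr/local/sbin /usr/local/bin` ahead of `/sbin /bin /usr/sbin /usr/bin` in CMD_PATH; ksu is a setuid-root program and resolves the command it runs as the target user against this list, so both the order and the ownership of every listed directory matter, and the header line "Set the default PATH to the one set by login" should be checked against the distribution's actual login PATH rather than taken as given. Note also that the Makefile.in hunk of krb5-1.12-pam.patch later in this commit still carries the old `-DCMD_PATH='"/bin /local/bin"'` line as its leading context, so if the spec applies ksu-path before pam the pam hunk only applies with fuzz; applying pam first, or rebasing that context line, avoids it (the `%patch` order is outside this chunk).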
@@ -86,10 +85,9 @@ Index: krb5-1.11.1/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -Index: krb5-1.11.1/src/clients/ksu/main.c -=================================================================== ---- krb5-1.11.1.orig/src/clients/ksu/main.c -+++ krb5-1.11.1/src/clients/ksu/main.c +diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c +--- krb5/src/clients/ksu/main.c 2014-01-13 17:12:44.864970000 +0100 ++++ krb5/src/clients/ksu/main.c 2014-01-13 17:13:24.563692000 +0100 @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ @@ -109,7 +107,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c /* globals */ char * prog_name; int auth_debug =0; -@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; +@@ -40,6 +45,7 @@ char k5users_path[MAXPATHLEN]; char * gb_err = NULL; int quiet = 0; @@ -117,7 +115,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c /***********/ #define _DEF_CSH "/bin/csh" -@@ -584,6 +590,25 @@ main (argc, argv) +@@ -584,6 +590,25 @@ prog_name,target_user,client_name, source_user,ontty()); @@ -143,7 +141,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -648,6 +673,26 @@ main (argc, argv) +@@ -648,6 +673,26 @@ sweep_up(ksu_context, cc_target); exit(1); } @@ -170,7 +168,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c } if( some_rest_copy){ -@@ -717,6 +762,32 @@ main (argc, argv) +@@ -717,6 +762,32 @@ exit(1); } @@ -203,7 +201,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -789,7 +860,7 @@ main (argc, argv) +@@ -789,7 +860,7 @@ fprintf(stderr, "program to be execed %s\n",params[0]); } 
@@ -212,7 +210,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -819,16 +890,35 @@ main (argc, argv) +@@ -819,16 +890,35 @@ if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -249,12 +247,11 @@ Index: krb5-1.11.1/src/clients/ksu/main.c exit (1); } } -Index: krb5-1.11.1/src/clients/ksu/Makefile.in -=================================================================== ---- krb5-1.11.1.orig/src/clients/ksu/Makefile.in -+++ krb5-1.11.1/src/clients/ksu/Makefile.in -@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) - PROG_RPATH=$(KRB5_LIBDIR) +diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in +--- krb5/src/clients/ksu/Makefile.in 2014-01-13 17:12:44.868981000 +0100 ++++ krb5/src/clients/ksu/Makefile.in 2014-01-13 17:13:24.580690000 +0100 +@@ -3,12 +3,14 @@ + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' KSU_LIBS=@KSU_LIBS@ +PAM_LIBS=@PAM_LIBS@ @@ -268,7 +265,7 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in $(srcdir)/heuristic.c \ $(srcdir)/xmalloc.c \ $(srcdir)/setenv.c -@@ -21,13 +23,17 @@ OBJS = \ +@@ -17,13 +19,17 @@ ccache.o \ authorization.o \ main.o \ @@ -287,10 +284,9 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in clean:: $(RM) ksu -Index: krb5-1.11.1/src/clients/ksu/pam.c -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/clients/ksu/pam.c +diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c +--- krb5/src/clients/ksu/pam.c 1970-01-01 01:00:00.000000000 +0100 ++++ krb5/src/clients/ksu/pam.c 2014-01-13 17:13:24.589692000 +0100 @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c 
@@ -681,10 +677,9 @@ Index: krb5-1.11.1/src/clients/ksu/pam.c + return ret; +} +#endif -Index: krb5-1.11.1/src/clients/ksu/pam.h -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/clients/ksu/pam.h +diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h +--- krb5/src/clients/ksu/pam.h 1970-01-01 01:00:00.000000000 +0100 ++++ krb5/src/clients/ksu/pam.h 2014-01-13 17:13:24.595690000 +0100 @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h @@ -743,11 +738,10 @@ Index: krb5-1.11.1/src/clients/ksu/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -Index: krb5-1.11.1/src/configure.in -=================================================================== ---- krb5-1.11.1.orig/src/configure.in -+++ krb5-1.11.1/src/configure.in -@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION]) +diff -Naur krb5/src/configure.in krb5/src/configure.in +--- krb5/src/configure.in 2014-01-13 17:12:48.401059000 +0100 ++++ krb5/src/configure.in 2014-01-13 17:13:24.603693000 +0100 +@@ -1281,6 +1281,8 @@ AC_PATH_PROG(GROFF, groff) diff --git a/krb5-1.12-pic-aes-ni.patch b/krb5-1.12-pic-aes-ni.patch new file mode 100644 index 0000000..070da6c --- /dev/null +++ b/krb5-1.12-pic-aes-ni.patch 
@@ -0,0 +1,70 @@ +--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s ++++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s +@@ -256,6 +256,7 @@ DD 0 + section .text + + ++extern _GLOBAL_OFFSET_TABLE_ + + align 16 + key_expansion256: +@@ -318,12 +319,18 @@ _iEncExpandKey128: + + mov ecx,[esp-4+8] ;input + mov edx,[esp-4+12] ;ctx ++ push ebx + + movdqu xmm1, [ecx] ; loading the key + + movdqu [edx], xmm1 + +- movdqa xmm5, [shuffle_mask] ++ call .get_GOT ++.get_GOT: ++ pop ebx ++ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc ++ ++ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] + + add edx,16 + +@@ -348,6 +355,8 @@ _iEncExpandKey128: + aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10 + call key_expansion128 + ++ pop ebx ++ + ret + + +@@ -412,6 +421,7 @@ global _iEncExpandKey256 + _iEncExpandKey256: + mov ecx, [esp-4+8] ;input + mov edx, [esp-4+12] ;expanded key ++ push ebx + + + movdqu xmm1, [ecx] ; loading the key +@@ -421,7 +431,12 @@ _iEncExpandKey256: + + add edx,32 + +- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion ++ call .get_GOT ++.get_GOT: ++ pop ebx ++ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc ++ ++ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion + + aeskeygenassist xmm2, xmm3, 0x1 ; + call key_expansion256 +@@ -452,6 +467,8 @@ _iEncExpandKey256: + movdqu [edx], xmm1 + + ++ pop ebx ++ + ret + + diff --git a/krb5-1.11-selinux-label.patch b/krb5-1.12-selinux-label.patch similarity index 71% rename from krb5-1.11-selinux-label.patch rename to krb5-1.12-selinux-label.patch index 6af6440..298e01b 100644 --- a/krb5-1.11-selinux-label.patch +++ b/krb5-1.12-selinux-label.patch 
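Review bot: The file headers of krb5-1.12-pic-aes-ni.patch use the `krb5-1.12/src/...` prefix while every other patch rebased in this commit uses `krb5/src/...`; both strip to the same path at `-p1`, but the `%patch` lines that apply them are outside this chunk, so confirm they agree. The change makes only the two key-expansion routines GOT-relative; if any other routine in iaesx86.s still loads `shuffle_mask` or similar data by absolute address, the 32-bit object would still require text relocations, which is easy to confirm on the built library with `readelf -d [built-library-path] | grep TEXTREL` (no output is the goal). This patch and krb5-1.12-enable-NX.patch both modify iaesx86.s in non-overlapping regions, so their relative order should not matter.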
@@ -31,11 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -Index: krb5-1.11.1/src/aclocal.m4 -=================================================================== ---- krb5-1.11.1.orig/src/aclocal.m4 -+++ krb5-1.11.1/src/aclocal.m4 -@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag) +--- krb5/src/aclocal.m4 ++++ krb5/src/aclocal.m4 +@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -43,7 +41,7 @@ Index: krb5-1.11.1/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS) +@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -95,19 +93,17 @@ Index: krb5-1.11.1/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -Index: krb5-1.11.1/src/config/pre.in -=================================================================== ---- krb5-1.11.1.orig/src/config/pre.in -+++ krb5-1.11.1/src/config/pre.in -@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR - LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ - LDARGS = @LDARGS@ +--- krb5/src/config/pre.in ++++ krb5/src/config/pre.in +@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ + KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include + LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ +SELINUX_LIBS=@SELINUX_LIBS@ INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ 
@@ -116,11 +112,9 @@ Index: krb5-1.11.1/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! -Index: krb5-1.11.1/src/configure.in -=================================================================== ---- krb5-1.11.1.orig/src/configure.in -+++ krb5-1.11.1/src/configure.in -@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff) +--- krb5/src/configure.in ++++ krb5/src/configure.in +@@ -1053,6 +1053,8 @@ fi KRB5_WITH_PAM @@ -129,22 +123,18 @@ Index: krb5-1.11.1/src/configure.in # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -Index: krb5-1.11.1/src/include/k5-int.h -=================================================================== ---- krb5-1.11.1.orig/src/include/k5-int.h -+++ krb5-1.11.1/src/include/k5-int.h +--- krb5/src/include/k5-int.h ++++ krb5/src/include/k5-int.h @@ -133,6 +133,7 @@ typedef unsigned char u_char; typedef UINT64_TYPE krb5_ui_8; typedef INT64_TYPE krb5_int64; +#include "k5-label.h" - #define DEFAULT_PWD_STRING1 "Enter password" - #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -Index: krb5-1.11.1/src/include/k5-label.h -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/include/k5-label.h + #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ + #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ +--- krb5/src/include/k5-label.h ++++ krb5/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H @@ -178,10 +168,8 @@ Index: krb5-1.11.1/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -Index: krb5-1.11.1/src/include/krb5/krb5.hin -=================================================================== ---- krb5-1.11.1.orig/src/include/krb5/krb5.hin -+++ krb5-1.11.1/src/include/krb5/krb5.hin +--- krb5/src/include/krb5/krb5.hin ++++ krb5/src/include/krb5/krb5.hin 
@@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -195,10 +183,8 @@ Index: krb5-1.11.1/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -Index: krb5-1.11.1/src/kadmin/dbutil/dump.c -=================================================================== ---- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c -+++ krb5-1.11.1/src/kadmin/dbutil/dump.c +--- krb5/src/kadmin/dbutil/dump.c ++++ krb5/src/kadmin/dbutil/dump.c @@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname { int fd = -1; @@ -221,7 +207,7 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c if (fd == -1) goto error; -@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char +@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char return 0; } @@ -230,11 +216,9 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c if (*fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); exit_status++; -Index: krb5-1.11.1/src/krb5-config.in -=================================================================== ---- krb5-1.11.1.orig/src/krb5-config.in -+++ krb5-1.11.1/src/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' +--- krb5/src/build-tools/krb5-config.in ++++ krb5/src/build-tools/krb5-config.in +@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' DEFCKTNAME='@DEFCKTNAME@' @@ -242,7 +226,7 @@ Index: krb5-1.11.1/src/krb5-config.in LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -258,7 +259,7 @@ if test -n "$do_libs"; then +@@ -218,7 +219,7 @@ fi # If we ever support a flag to generate output suitable for static 
@@ -251,11 +235,9 @@ Index: krb5-1.11.1/src/krb5-config.in # here. echo $lib_flags -Index: krb5-1.11.1/src/lib/kadm5/logger.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/kadm5/logger.c -+++ krb5-1.11.1/src/lib/kadm5/logger.c -@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch +--- krb5/src/lib/kadm5/logger.c ++++ krb5/src/lib/kadm5/logger.c +@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch * Check for append/overwrite, then open the file. */ if (cp[4] == ':' || cp[4] == '=') { @@ -264,7 +246,7 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[i].lfu_filep = f; -@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -273,11 +255,9 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context +--- krb5/src/lib/krb5/keytab/kt_file.c ++++ krb5/src/lib/krb5/keytab/kt_file.c +@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); errno = 0; 
@@ -286,20 +266,18 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c (mode == KRB5_LOCKMODE_EXCLUSIVE) ? fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { -@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context +@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context /* try making it first time around */ - krb5_create_secure_file(context, KTFILENAME(id)); + k5_create_secure_file(context, KTFILENAME(id)); errno = 0; - KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); if (!KTFILEP(id)) goto report_errno; writevno = 1; -Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c -@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +--- krb5/src/plugins/kdb/db2/adb_openclose.c ++++ krb5/src/plugins/kdb/db2/adb_openclose.c +@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char * POSIX systems */ lockp->lockinfo.filename = strdup(lockfilename); @@ -308,10 +286,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c /* * maybe someone took away write permission so we could only * get shared locks? -Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c +--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include "k5-platform.h" /* mkstemp? */ 
@@ -320,7 +296,7 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, goto einval; } @@ -329,11 +305,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c goto err; } else { -Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 +--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif @@ -350,24 +324,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in -+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in -@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) - - KRB5_RUN_ENV= @KRB5_RUN_ENV@ - --DB_LIB = -ldb -+DB_LIB = -ldb $(SUPPORT_DEPLIB) -+ - DB_DEPLIB = ../libdb$(DEPLIBEXT) - - all:: -Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -179,7 +179,7 @@ done: /* set password in the file */ 
@@ -401,11 +359,9 @@ Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); -Index: krb5-1.11.1/src/slave/kpropd.c -=================================================================== ---- krb5-1.11.1.orig/src/slave/kpropd.c -+++ krb5-1.11.1/src/slave/kpropd.c -@@ -459,6 +459,9 @@ void doit(fd) +--- krb5/src/slave/kpropd.c ++++ krb5/src/slave/kpropd.c +@@ -437,6 +437,9 @@ void doit(fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN+1]; @@ -415,7 +371,7 @@ Index: krb5-1.11.1/src/slave/kpropd.c signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -516,9 +519,15 @@ void doit(fd) +@@ -515,9 +518,15 @@ void doit(fd) free(name); exit(1); } @@ -431,10 +387,8 @@ Index: krb5-1.11.1/src/slave/kpropd.c retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); if (retval) { -Index: krb5-1.11.1/src/util/profile/prof_file.c -=================================================================== ---- krb5-1.11.1.orig/src/util/profile/prof_file.c -+++ krb5-1.11.1/src/util/profile/prof_file.c +--- krb5/src/util/profile/prof_file.c ++++ krb5/src/util/profile/prof_file.c @@ -30,6 +30,7 @@ #endif @@ -443,7 +397,7 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_ +@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ errno = 0; 
@@ -452,11 +406,9 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c if (!f) { retval = errno; if (retval == 0) -Index: krb5-1.11.1/src/util/support/Makefile.in -=================================================================== ---- krb5-1.11.1.orig/src/util/support/Makefile.in -+++ krb5-1.11.1/src/util/support/Makefile.in -@@ -64,6 +64,7 @@ IPC_SYMS= \ +--- krb5/src/util/support/Makefile.in ++++ krb5/src/util/support/Makefile.in +@@ -54,6 +54,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -464,22 +416,20 @@ Index: krb5-1.11.1/src/util/support/Makefile.in init-addrinfo.o \ plugins.o \ errors.o \ -@@ -135,7 +136,7 @@ SRCS=\ +@@ -108,7 +109,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. -SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) +SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - SHLIB_DIRS= - SHLIB_RDIRS=$(KRB5_LIBDIR) -Index: krb5-1.11.1/src/util/support/selinux.c -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/util/support/selinux.c -@@ -0,0 +1,405 @@ + DEPLIBS= + +--- krb5/src/util/support/selinux.c ++++ krb5/src/util/support/selinux.c +@@ -0,0 +1,381 @@ +/* -+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved. ++ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: 
@@ -735,15 +685,12 @@ Index: krb5-1.11.1/src/util/support/selinux.c + struct stat st; + void *retval; + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ if (stat(pathname, &st) != 0) { -+ st.st_mode = S_IRUSR | S_IWUSR; -+ } -+ retval = push_fscreatecon(pathname, st.st_mode); -+ return retval ? retval : (void *) -1; -+ } else { -+ return NULL; ++ k5_mutex_lock(&labeled_mutex); ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; + } ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; +} + +void @@ -768,17 +715,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c + } + + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ ctx = push_fscreatecon(path, 0); -+ fp = fopen(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ } else { -+ fp = fopen(path, mode); -+ } -+ ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ fp = fopen(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; + return fp; +} + @@ -790,16 +733,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c + security_context_t ctx; + + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ ctx = push_fscreatecon(path, 0); -+ fd = creat(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ } else { -+ fd = creat(path, mode); -+ } ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ fd = creat(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; + return fd; +} + 
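Review bot: The first function in this hunk returns with `labeled_mutex` still held — `k5_mutex_lock(&labeled_mutex);` has no matching unlock before `return retval ? retval : (void *) -1;`, unlike the fopen/creat wrappers below it, which unlock before returning — and nothing documents that the caller must hand the result to `krb5int_pop_fscreatecon()` to release it. A comment above the lock such as `/* Returns with labeled_mutex held; the caller must pass the result to krb5int_pop_fscreatecon(), which restores the previous fscreatecon and unlocks. (void *) -1 means "locked, nothing to restore". */` would make that contract and the sentinel explicit. The rebase also drops the `if (k5_mutex_lock(...) == 0)` fallback paths, presumably because k5_mutex_lock no longer returns a status in 1.12; if it can still fail in this build, the unlabeled fallback has silently disappeared. The enclosing function starts outside this hunk.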
@@ -811,16 +751,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c + security_context_t ctx; + + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ ctx = push_fscreatecon(path, mode); -+ ret = mknod(path, mode, dev); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ } else { -+ ret = mknod(path, mode, dev); -+ } ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, mode); ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; + return ret; +} + @@ -832,16 +769,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c + security_context_t ctx; + + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ ctx = push_fscreatecon(path, S_IFDIR); -+ ret = mkdir(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ } else { -+ ret = mkdir(path, mode); -+ } ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; + return ret; +} + 
@@ -859,35 +793,25 @@ Index: krb5-1.11.1/src/util/support/selinux.c + } + + k5_once(&labeled_once, label_mutex_init); -+ if (k5_mutex_lock(&labeled_mutex) == 0) { -+ ctx = push_fscreatecon(path, 0); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); + -+ va_start(ap, flags); -+ mode = va_arg(ap, mode_t); -+ fd = open(path, flags, mode); -+ va_end(ap); ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); + -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ } else { -+ va_start(ap, flags); -+ mode = va_arg(ap, mode_t); -+ fd = open(path, flags, mode); -+ errno_save = errno; -+ va_end(ap); -+ errno = errno_save; -+ } ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; + return fd; +} + +#endif -Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c -+++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c -@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context +--- krb5/src/lib/krb5/rcache/rc_dfl.c ++++ krb5/src/lib/krb5/rcache/rc_dfl.c +@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context krb5_error_code retval = 0; krb5_rcache tmp; krb5_deltat lifespan = t->lifespan; /* save original lifespan */ @@ -897,7 +821,7 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c if (! t->recovering) { name = t->name; -@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context +@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context retval = krb5_rc_resolve(context, tmp, 0); if (retval) goto cleanup; 
@@ -915,10 +839,8 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c if (retval) goto cleanup; for (q = t->a; q; q = q->na) { -Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c -+++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c +--- krb5/src/lib/krb5/ccache/cc_dir.c ++++ krb5/src/lib/krb5/ccache/cc_dir.c @@ -185,10 +185,19 @@ write_primary_file(const char *primary_p char *newpath = NULL; FILE *fp = NULL; @@ -939,10 +861,34 @@ Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c if (fd < 0) goto cleanup; #ifdef HAVE_CHMOD -Index: krb5-1.11.1/src/lib/krb5/os/trace.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/krb5/os/trace.c -+++ krb5-1.11.1/src/lib/krb5/os/trace.c +@@ -223,10 +232,23 @@ + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + krb5_set_error_message(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not " + "exist"), dirname); +--- krb5/src/lib/krb5/os/trace.c ++++ krb5/src/lib/krb5/os/trace.c @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con fd = malloc(sizeof(*fd)); if (fd == NULL) 
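Review bot: verify_dir in cc_dir.c re-implements the label/mkdir/unlabel sequence inline under `#ifdef USE_SELINUX`, even though this same patch adds an mkdir wrapper in util/support/selinux.c that does `push_fscreatecon(path, S_IFDIR); mkdir(path, mode); pop_fscreatecon(ctx);` under the same lock; if k5-label.h exposes that wrapper the way it exposes WRITABLEFOPEN/THREEPARAMOPEN for the other call sites, `status = mkdir(dirname, S_IRWXU);` through the wrapper would remove the three ifdef blocks here. The two paths also differ in the mode passed to the label lookup: `krb5int_push_fscreatecon_for(dirname)` stats the path, and in this ENOENT branch that stat fails too (barring a race), so it falls back to `S_IRUSR | S_IWUSR`, which carries no S_IFDIR type bits, whereas the wrapper labels with `S_IFDIR`; depending on how push_fscreatecon uses the mode, the new directory may be labelled by a lookup not restricted to directory rules. verify_dir's remaining checks on `st` lie outside this hunk.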
@@ -952,11 +898,9 @@ Index: krb5-1.11.1/src/lib/krb5/os/trace.c if (*fd == -1) { free(fd); return errno; -Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c -+++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c -@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5 +--- krb5/src/plugins/kdb/db2/kdb_db2.c ++++ krb5/src/plugins/kdb/db2/kdb_db2.c +@@ -683,8 +683,8 @@ if (retval) return retval; @@ -967,11 +911,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c if (dbc->db_lf_file < 0) { retval = errno; goto cleanup; -Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -=================================================================== ---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 +--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ #include #include @@ -979,7 +921,7 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c #include "db-int.h" #include "recno.h" -@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, +@@ -68,7 +69,8 @@ int rfd = -1, sverrno; /* Open the user's file -- if this fails, we're done. */ @@ -989,11 +931,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c return (NULL); if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -Index: krb5-1.11.1/src/kdc/main.c -=================================================================== ---- krb5-1.11.1.orig/src/kdc/main.c -+++ krb5-1.11.1/src/kdc/main.c -@@ -902,7 +902,7 @@ write_pid_file(const char *path) +--- krb5/src/kdc/main.c ++++ krb5/src/kdc/main.c +@@ -905,7 +905,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; 
@@ -1002,24 +942,20 @@ Index: krb5-1.11.1/src/kdc/main.c if (file == NULL) return errno; pid = (unsigned long) getpid(); -Index: krb5-1.11.1/src/lib/kdb/kdb_log.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c -+++ krb5-1.11.1/src/lib/kdb/kdb_log.c -@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha - return (errno); - } +--- krb5/src/lib/kdb/kdb_log.c ++++ krb5/src/lib/kdb/kdb_log.c +@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha + if (caller == FKPROPLOG) + return errno; - ulogfd = open(logname, O_RDWR | O_CREAT, 0600); + ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) { - return (errno); - } -Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in -=================================================================== ---- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in -+++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in -@@ -66,6 +66,7 @@ HEADERS= \ + if (ulogfd == -1) + return errno; + +--- krb5/src/util/gss-kernel-lib/Makefile.in ++++ krb5/src/util/gss-kernel-lib/Makefile.in +@@ -60,6 +60,7 @@ HEADERS= \ gssapi_err_generic.h \ k5-int.h \ k5-int-pkinit.h \ @@ -1027,7 +963,7 @@ Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in k5-thread.h \ k5-platform.h \ k5-buf.h \ -@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ +@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ diff --git a/krb5-1.12.tar.gz b/krb5-1.12.tar.gz new file mode 100644 index 0000000..3ae2072 --- /dev/null +++ b/krb5-1.12.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a +size 11925134 diff --git a/krb5-1.8-api.patch b/krb5-1.8-api.patch deleted file mode 100644 index 986049a..0000000 
--- a/krb5-1.8-api.patch +++ /dev/null @@ -1,31 +0,0 @@ -Reference docs don't define what happens if you call krb5_realm_compare() with -malformed krb5_principal structures. Define a behavior which keeps it from -crashing if applications don't check ahead of time. - -Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c -=================================================================== ---- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c -+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c -@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context - const krb5_data *realm1 = krb5_princ_realm(context, princ1); - const krb5_data *realm2 = krb5_princ_realm(context, princ2); - -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ -+ if ((realm1 == NULL) || (realm2 == NULL)) -+ return FALSE; -+ - if (realm1->length != realm2->length) - return FALSE; - -@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex - krb5_principal upn2 = NULL; - krb5_boolean ret = FALSE; - -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ - if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { - /* Treat UPNs as if they were real principals */ - if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 0bf795e..74eef39 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -6,7 +6,7 @@ Index: src/kadmin/cli/Makefile.in =================================================================== --- src/kadmin/cli/Makefile.in.orig +++ src/kadmin/cli/Makefile.in -@@ -40,3 +40,8 @@ clean-unix:: +@@ -43,3 +43,8 @@ clean-unix:: # CC_LINK is not meant for compilation and this use may break in the future. datetest: getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c diff --git a/krb5-1.9-kprop-mktemp.patch b/krb5-1.9-kprop-mktemp.patch index 70996ce..e84683a 100644 --- a/krb5-1.9-kprop-mktemp.patch +++ b/krb5-1.9-kprop-mktemp.patch 
@@ -4,7 +4,7 @@ Index: krb5-1.11/src/slave/kprop.c =================================================================== --- krb5-1.11.orig/src/slave/kprop.c +++ krb5-1.11/src/slave/kprop.c -@@ -187,9 +187,8 @@ void PRS(argc, argv) +@@ -202,9 +202,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { @@ -15,7 +15,7 @@ Index: krb5-1.11/src/slave/kprop.c krb5_keytab keytab = NULL; /* -@@ -230,11 +229,8 @@ void get_tickets(context) +@@ -229,11 +228,8 @@ void get_tickets(context) #endif /* diff --git a/krb5-1.9-ksu-path.patch b/krb5-1.9-ksu-path.patch deleted file mode 100644 index f19a154..0000000 --- a/krb5-1.9-ksu-path.patch +++ /dev/null @@ -1,13 +0,0 @@ -Set the default PATH to the one set by login. - -diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in ---- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 -+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' - DEFS= - - PROG_LIBPATH=-L$(TOPLIBD) diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch index e4fed5f..d3dbceb 100644 --- a/krb5-kvno-230379.patch +++ b/krb5-kvno-230379.patch @@ -12,7 +12,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c =================================================================== --- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c +++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c -@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv) +@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv) char *princ = NULL; char *enctype = NULL; krb5_kvno kvno = 0; 
@@ -21,7 +21,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c for (i = 1; i < argc; i++) { if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { -@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv) +@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv) } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { kvno = (krb5_kvno) atoi(argv[++i]); @@ -29,7 +29,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c continue; } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { -@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv) +@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv) } } @@ -42,7 +42,7 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c =================================================================== --- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c +++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte +@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte higher than that. Short-term workaround: only compare the low 8 bits. */ diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch new file mode 100644 index 0000000..1002738 --- /dev/null +++ b/krb5-master-gss_oid_leak.patch 
@@ -0,0 +1,28 @@ +commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a +Author: Simo Sorce +Date: Fri Dec 13 12:00:41 2013 -0500 + + Fix memory leak in SPNEGO initiator + + If we eliminate a mechanism from the initiator list because + gss_init_sec_context fails, free the memory for that mech OID before + removing it from the list. + + [ghudson@mit.edu: clarified commit message] + + ticket: 7803 (new) + target_version: 1.12.1 + tags: pullup + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 818a1b4..06cfab0 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status, + * can do this with recursion. If all mechanisms produce errors, the + * caller should get the error from the first mech in the list. + */ ++ gssalloc_free(sc->mech_set->elements->elements); + memmove(sc->mech_set->elements, sc->mech_set->elements + 1, + --sc->mech_set->count * sizeof(*sc->mech_set->elements)); + if (sc->mech_set->count == 0) diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch new file mode 100644 index 0000000..6659251 --- /dev/null +++ b/krb5-master-ignore-empty-unnecessary-final-token.patch 
@@ -0,0 +1,37 @@ +commit 37af638b742dbd642eb70092e4f7781c3f69d86d +Author: Greg Hudson +Date: Tue Dec 10 12:04:18 2013 -0500 + + Fix SPNEGO one-hop interop against old IIS + + IIS 6.0 and similar return a zero length reponse buffer in the last + SPNEGO packet when context initiation is performed without mutual + authentication. In this case the underlying Kerberos mechanism has + already completed successfully on the first invocation, and SPNEGO + does not expect a mech response token in the answer. If we get an + empty mech response token when the mech is complete during + negotiation, ignore it. + + [ghudson@mit.edu: small code style and commit message changes] + + ticket: 7797 (new) + target_version: 1.12.1 + tags: pullup + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 3937662..d82934b 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, + map_errcode(minor_status); + ret = GSS_S_DEFECTIVE_TOKEN; + } ++ } else if ((*responseToken)->length == 0 && sc->mech_complete) { ++ /* Handle old IIS servers returning empty token instead of ++ * null tokens in the non-mutual auth case. */ ++ *negState = ACCEPT_COMPLETE; ++ *tokflag = NO_TOKEN_SEND; ++ ret = GSS_S_COMPLETE; + } else if (sc->mech_complete) { + /* Reject spurious mech token. */ + ret = GSS_S_DEFECTIVE_TOKEN; diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch new file mode 100644 index 0000000..e04a58b --- /dev/null +++ b/krb5-master-keytab_close.patch 
@@ -0,0 +1,39 @@ +commit decccbcb5075f8fbc28a535a9b337afc84a15dee +Author: Greg Hudson +Date: Mon Dec 16 15:37:56 2013 -0500 + + Fix GSS krb5 acceptor acquire_cred error handling + + When acquiring acceptor creds with a specified name, if we fail to + open a replay cache, we leak the keytab handle. If there is no + specified name and we discover that there is no content in the keytab, + we leak the keytab handle and return the wrong major code. Memory + leak reported by Andrea Campi. + + ticket: 7805 + target_version: 1.12.1 + tags: pullup + +diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c +index 0efcad4..9547207 100644 +--- a/src/lib/gssapi/krb5/acquire_cred.c ++++ b/src/lib/gssapi/krb5/acquire_cred.c +@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context, + code = krb5_get_server_rcache(context, &cred->name->princ->data[0], + &cred->rcache); + if (code) { ++ krb5_kt_close(context, kt); + *minor_status = code; + return GSS_S_FAILURE; + } +@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context, + /* Make sure we have a keytab with keys in it. */ + code = krb5_kt_have_content(context, kt); + if (code) { ++ krb5_kt_close(context, kt); + *minor_status = code; +- return GSS_S_FAILURE; ++ return GSS_S_CRED_UNAVAIL; + } + } + diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch new file mode 100644 index 0000000..c502ab3 --- /dev/null +++ b/krb5-master-no-malloc0.patch 
@@ -0,0 +1,39 @@ +commit 13fd26e1863c79f616653f6a10a58c01f65fceff +Author: Greg Hudson +Date: Fri Dec 6 18:56:56 2013 -0500 + + Avoid malloc(0) in SPNEGO get_input_token + + If we read a zero-length token in spnego_mech.c's get_input_token(), + set the value pointer to NULL instead of calling malloc(0). + + ticket: 7794 (new) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 24c3440..3937662 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) + return (NULL); + + input_token->length = len; +- input_token->value = gssalloc_malloc(input_token->length); ++ if (input_token->length > 0) { ++ input_token->value = gssalloc_malloc(input_token->length); ++ if (input_token->value == NULL) { ++ free(input_token); ++ return (NULL); ++ } + +- if (input_token->value == NULL) { +- free(input_token); +- return (NULL); ++ memcpy(input_token->value, *buff_in, input_token->length); ++ } else { ++ input_token->value = NULL; + } +- +- (void) memcpy(input_token->value, *buff_in, input_token->length); + *buff_in += input_token->length; + return (input_token); + } diff --git a/krb5-master-spnego_error_messages.patch b/krb5-master-spnego_error_messages.patch new file mode 100644 index 0000000..efe4678 --- /dev/null +++ b/krb5-master-spnego_error_messages.patch 
@@ -0,0 +1,44 @@ +commit 4faca53e3a8ee213d43da8998f6889e7bfd36248 +Author: Greg Hudson +Date: Wed Dec 18 16:03:16 2013 -0500 + + Test SPNEGO error message in t_s4u.py + + Now that #7045 is fixed, we can check for the correct error message + from t_s4u2proxy_krb5 with --spnego. + + ticket: 7045 + +diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py +index 67dc810..e4aa259 100644 +--- a/src/tests/gssapi/t_s4u.py ++++ b/src/tests/gssapi/t_s4u.py +@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or + 'NOT_ALLOWED_TO_DELEGATE' not in output): + fail('krb5 -> s4u2proxy') + +-# Again with SPNEGO. Bug #7045 prevents us from checking the error +-# message, but we can at least exercise the code. ++# Again with SPNEGO. + output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, + '-', pservice1, pservice2], + expected_code=1) +-if ('auth1: ' + realm.user_princ not in output): ++if ('auth1: ' + realm.user_princ not in output or ++ 'NOT_ALLOWED_TO_DELEGATE' not in output): + fail('krb5 -> s4u2proxy (SPNEGO)') + + # Try krb5 -> S4U2Proxy without forwardable user creds. This should +@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: + fail('s4u2self') + + # Again with SPNEGO. This uses SPNEGO for the initial authentication, +-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as ++# but still uses krb5 for S4U2Proxy--the delegated cred is returned as + # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred +-# directly rather than saving and reacquiring it) so bug #7045 does +-# not apply and we can verify the error message. ++# directly rather than saving and reacquiring it. + output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) + if 'NOT_ALLOWED_TO_DELEGATE' not in output: + fail('s4u2self') diff --git a/krb5-mini.changes b/krb5-mini.changes index e63fbaa..633df96 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses + RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions + when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + ------------------------------------------------------------------- Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 29795f7..7f4eee6 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.11.4 +%define srcRoot krb5-1.12 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,14 +27,10 @@ BuildRequires: autoconf BuildRequires: bison BuildRequires: keyutils BuildRequires: keyutils-devel -%if 0%{?suse_version} >= 1310 -BuildRequires: libcom_err-mini-devel -%else BuildRequires: libcom_err-devel -%endif BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11.4 +Version: 1.12 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT 
@@ -62,25 +58,34 @@ Conflicts: krb5-client Conflicts: krb5-server Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit +Conflicts: krb5-plugin-preauth-otp %endif -Source: krb5-%{version}.tar.bz2 +Source: krb5-%{version}.tar.gz Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.11-pam.patch +Patch1: krb5-1.12-pam.patch Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch +Patch3: krb5-1.12-buildconf.patch Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.10-kpasswd_tcp.patch Patch6: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch +Patch8: krb5-1.12-api.patch Patch9: krb5-1.9-kprop-mktemp.patch Patch10: krb5-1.10-ksu-access.patch -Patch11: krb5-1.9-ksu-path.patch -Patch12: krb5-1.11-selinux-label.patch +Patch11: krb5-1.12-ksu-path.patch +Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch +Patch15: krb5-1.12-copy_context.patch +Patch16: krb5-1.12-enable-NX.patch +Patch17: krb5-1.12-pic-aes-ni.patch +Patch18: krb5-master-no-malloc0.patch +Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch +Patch20: krb5-master-gss_oid_leak.patch +Patch21: krb5-master-keytab_close.patch +Patch22: krb5-master-spnego_error_messages.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
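Review bot: The new `Source: krb5-%{version}.tar.gz` line changes the archive format, but nothing in the spec checks the tarball's integrity before `%prep` unpacks it, and the `Source3`/`Source4` slots are unused. MIT publishes detached signatures for its releases, so `Source3: krb5-%{version}.tar.gz.asc` together with a maintainer keyring would let the build verify the download where the tooling supports that. The eight new `Patch15`–`Patch22` lines reference upstream commits only inside the patch files themselves; a one-line comment per `krb5-master-*.patch` naming the upstream ticket recorded in its header (7794, 7797, 7805, 7045) would make the backports auditable from the spec alone. The same hunk appears unchanged in krb5.spec and needs the same treatment.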
@@ -138,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package plugin-preauth-otp +Summary: MIT Kerberos5 Implementation--OTP preauth Plugin +Group: Productivity/Networking/Security + +%description plugin-preauth-otp +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a OTP plugin. + %package doc Summary: MIT Kerberos5 Implementation--Documentation Group: Documentation/Other @@ -191,6 +205,14 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 %build # needs to be re-generated @@ -319,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples +%if %{build_mini} +# manually remove otp plugin for krb5-mini since configure +# doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so +%endif %find_lang mit-krb5 @@ -429,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libkrad.so +%{_libdir}/pkgconfig/gssrpc.pc +%{_libdir}/pkgconfig/kadm-client.pc +%{_libdir}/pkgconfig/kadm-server.pc +%{_libdir}/pkgconfig/kdb.pc +%{_libdir}/pkgconfig/krb5-gssapi.pc +%{_libdir}/pkgconfig/krb5.pc +%{_libdir}/pkgconfig/mit-krb5-gssapi.pc +%{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr 
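Review bot: The new `%description plugin-preauth-otp` ends with `This package includes a OTP plugin.`, which should read `an OTP plugin`, and it says nothing about what the plugin does. Since this commit's changelog describes it as a FAST OTP preauthentication module that validates token values over RADIUS, a sentence such as `This package includes an OTP preauthentication plugin that validates one-time-password tokens against a RADIUS server.` would tell administrators what they are enabling. The identical text is added to krb5.spec.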
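Review bot: `%patch18` and `%patch19` both modify src/lib/gssapi/spnego/spnego_mech.c and the second was generated on top of the first (the no-malloc0 patch's `index 24c3440..3937662` produces the blob that the ignore-empty-token patch's `index 3937662..d82934b` starts from), so their order in `%prep` is load-bearing but undocumented. A comment above the block, `# Patch19 applies on top of Patch18 (both touch spnego_mech.c); keep the order`, would stop a later reshuffle from breaking the rebase. krb5.spec carries the same block.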
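Review bot: The guard `%if %{build_mini}` expands to the bare value of the define, which works while `%define build_mini` is present at the top of the spec but becomes an rpm parse error the moment the define is missing; `%if 0%{?build_mini}` is the defensive spelling. `%{buildroot}/%{_libdir}` also yields a doubled slash because `%{_libdir}` is absolute; `rm -f %{buildroot}%{_libdir}/krb5/plugins/preauth/otp.so` is the usual form. The context line directly above the new block, `rm -f /usr/share/man/man1/tmac.doc*`, has no `%{buildroot}` prefix and so runs against the build host's filesystem rather than the staging tree; it predates this change but is worth fixing while the block is being edited. krb5.spec has the same hunk.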
@@ -480,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -551,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %files server %defattr(-,root,root) @@ -662,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so +%files plugin-preauth-otp +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/otp.so + %files doc %defattr(-,root,root) %doc html doc/CHANGES doc/README diff --git a/krb5.changes b/krb5.changes index e63fbaa..e8ab2d8 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses + RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions + when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + ------------------------------------------------------------------- Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com diff --git a/krb5.spec b/krb5.spec index 9104f01..9005874 100644 --- a/krb5.spec +++ b/krb5.spec 
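Review bot: `%files plugin-preauth-otp` lists `%{_libdir}/krb5/plugins/preauth/otp.so`, the very file the mini build deletes in `%install`, so this section and the matching `%package` can only work for krb5-mini if a conditional on `build_mini` excludes them. The hunk does not show such a conditional; the `Conflicts: krb5-plugin-preauth-otp` added earlier suggests it exists, but a comment on this section, `# not produced by krb5-mini; otp.so is removed in %install`, would make the coupling between the two places explicit. The same section is added to krb5.spec.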
@@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.11.4 +%define srcRoot krb5-1.12 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,14 +27,10 @@ BuildRequires: autoconf BuildRequires: bison BuildRequires: keyutils BuildRequires: keyutils-devel -%if 0%{?suse_version} >= 1310 -BuildRequires: libcom_err-mini-devel -%else -BuildRequires: libcom_err-mini-devel -%endif +BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11.4 +Version: 1.12 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT 
@@ -62,25 +58,34 @@ Conflicts: krb5-client Conflicts: krb5-server Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit +Conflicts: krb5-plugin-preauth-otp %endif -Source: krb5-%{version}.tar.bz2 +Source: krb5-%{version}.tar.gz Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.11-pam.patch +Patch1: krb5-1.12-pam.patch Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch +Patch3: krb5-1.12-buildconf.patch Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.10-kpasswd_tcp.patch Patch6: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch +Patch8: krb5-1.12-api.patch Patch9: krb5-1.9-kprop-mktemp.patch Patch10: krb5-1.10-ksu-access.patch -Patch11: krb5-1.9-ksu-path.patch -Patch12: krb5-1.11-selinux-label.patch +Patch11: krb5-1.12-ksu-path.patch +Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch +Patch15: krb5-1.12-copy_context.patch +Patch16: krb5-1.12-enable-NX.patch +Patch17: krb5-1.12-pic-aes-ni.patch +Patch18: krb5-master-no-malloc0.patch +Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch +Patch20: krb5-master-gss_oid_leak.patch +Patch21: krb5-master-keytab_close.patch +Patch22: krb5-master-spnego_error_messages.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -138,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package plugin-preauth-otp +Summary: MIT Kerberos5 Implementation--OTP preauth Plugin +Group: Productivity/Networking/Security + +%description plugin-preauth-otp +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a OTP plugin. + %package doc Summary: MIT Kerberos5 Implementation--Documentation Group: Documentation/Other @@ -191,6 +205,14 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 %build # needs to be re-generated @@ -319,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples +%if %{build_mini} +# manually remove otp plugin for krb5-mini since configure +# doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so +%endif %find_lang mit-krb5 @@ -429,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libkrad.so +%{_libdir}/pkgconfig/gssrpc.pc +%{_libdir}/pkgconfig/kadm-client.pc +%{_libdir}/pkgconfig/kadm-server.pc +%{_libdir}/pkgconfig/kdb.pc +%{_libdir}/pkgconfig/krb5-gssapi.pc +%{_libdir}/pkgconfig/krb5.pc +%{_libdir}/pkgconfig/mit-krb5-gssapi.pc +%{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr 
@@ -480,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -551,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %files server %defattr(-,root,root) @@ -662,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so +%files plugin-preauth-otp +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/otp.so + %files doc %defattr(-,root,root) %doc html doc/CHANGES doc/README From 673bd84f012fc78f00b1e651fbe4e93b37afed2f086dddd697a080f506c2f12d Mon Sep 17 00:00:00 2001 From: Christian Kornacker Date: Thu, 16 Jan 2014 13:19:42 +0000 Subject: [PATCH 4/4] extended changelog for Factory OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=115 --- krb5-mini.changes | 24 ++++++++++++++++++++++++ krb5.changes | 24 ++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/krb5-mini.changes b/krb5-mini.changes index 633df96..e5a76ab 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -10,6 +10,30 @@ Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
 - revert dependency on libcom_err-mini-devel since it's not yet
 available
 - update and rebase patches
+ * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
+ * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
+ * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
+ * krb5-1.8-api.patch -> krb5-1.12-api.patch
+ * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
+ * krb5-1.9-debuginfo.patch
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-kvno-230379.patch
+- added upstream patches
+ - Fix krb5_copy_context
+ * krb5-1.12-copy_context.patch
+ - Mark AESNI files as not needing executable stacks
+ * krb5-1.12-enable-NX.patch
+ * krb5-1.12-pic-aes-ni.patch
+ - Fix memory leak in SPNEGO initiator
+ * krb5-master-gss_oid_leak.patch
+ - Fix SPNEGO one-hop interop against old IIS
+ * krb5-master-ignore-empty-unnecessary-final-token.patch
+ - Fix GSS krb5 acceptor acquire_cred error handling
+ * krb5-master-keytab_close.patch
+ - Avoid malloc(0) in SPNEGO get_input_token
+ * krb5-master-no-malloc0.patch
+ - Test SPNEGO error message in t_s4u.py
+ * krb5-master-spnego_error_messages.patch
 
 -------------------------------------------------------------------
 Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
diff --git a/krb5.changes b/krb5.changes
index e8ab2d8..c214316 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -10,6 +10,30 @@ Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
 - revert dependency on libcom_err-mini-devel since it's not yet
 available
 - update and rebase patches
+ * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
+ * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
+ * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
+ * krb5-1.8-api.patch -> krb5-1.12-api.patch
+ * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
+ * krb5-1.9-debuginfo.patch
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-kvno-230379.patch
+- added upstream patches
+ - Fix krb5_copy_context
+ * krb5-1.12-copy_context.patch
+ - Mark AESNI files as not needing executable stacks
+ * krb5-1.12-enable-NX.patch
+ * krb5-1.12-pic-aes-ni.patch
+ - Fix memory leak in SPNEGO initiator
+ * krb5-master-gss_oid_leak.patch
+ - Fix SPNEGO one-hop interop against old IIS
+ * krb5-master-ignore-empty-unnecessary-final-token.patch
+ - Fix GSS krb5 acceptor acquire_cred error handling
+ * krb5-master-keytab_close.patch
+ - Avoid malloc(0) in SPNEGO get_input_token
+ * krb5-master-no-malloc0.patch
+ - Test SPNEGO error message in t_s4u.py
+ * krb5-master-spnego_error_messages.patch
 
 -------------------------------------------------------------------
 Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com