Stephan Kulow 2014-01-17 15:40:41 +00:00 committed by Git OBS Bridge
commit 79d8b3686a
25 changed files with 1081 additions and 353 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1d9ef56b9280c5af103e24310a2bc79fca8de40fd4ebc1edae3d21e59c6afda3
size 9449691

27
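--- /dev/null
+++ b/krb5-1.12-api.patch
@@ -0,0 +1,27 @@
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures. Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+--- krb5/src/lib/krb5/krb/princ_comp.c
++++ krb5/src/lib/krb5/krb/princ_comp.c
+@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
+const krb5_data *realm1 = &princ1->realm;
+const krb5_data *realm2 = &princ2->realm;
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++ if (realm1 == NULL || realm2 == NULL)
++ return FALSE;
+if (realm1->length != realm2->length)
+return FALSE;
+if (realm1->length == 0)
+@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
+krb5_principal upn2 = NULL;
+krb5_boolean ret = FALSE;
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++
+if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+/* Treat UPNs as if they were real principals */
+if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {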
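Review bot: In the realm_compare_flags hunk the new NULL tests run after `&princ1->realm` and `&princ2->realm` have already been evaluated in the initializers, so the guard arrives too late. Forming a member address from a null pointer is undefined behaviour, which may let an optimizing compiler assume the principals are non-null and drop the added test, and the `realm1 == NULL || realm2 == NULL` check can only fire if `realm` sits at offset 0 of the structure (its layout is not visible here). Declare the two pointers without initializers, test the principals first with `if (princ1 == NULL || princ2 == NULL) return FALSE;`, and only then assign `realm1 = &princ1->realm; realm2 = &princ2->realm;`. The function's signature and tail are outside the hunk, and the patch still does not cover a realm whose `data` is NULL while `length` is non-zero.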


@ -4,10 +4,8 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Index: krb5-1.11/src/config/shlib.conf
===================================================================
--- krb5-1.11.orig/src/config/shlib.conf
+++ krb5-1.11/src/config/shlib.conf
--- krb5/src/config/shlib.conf
+++ krb5/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
@ -17,7 +15,7 @@ Index: krb5-1.11/src/config/shlib.conf
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@ mips-*-netbsd*)
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
@ -27,11 +25,9 @@ Index: krb5-1.11/src/config/shlib.conf
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
Index: krb5-1.11/src/krb5-config.in
===================================================================
--- krb5-1.11.orig/src/krb5-config.in
+++ krb5-1.11/src/krb5-config.in
@@ -221,6 +221,13 @@ if test -n "$do_libs"; then
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@ -45,11 +41,9 @@ Index: krb5-1.11/src/krb5-config.in
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: krb5-1.11/src/config/pre.in
===================================================================
--- krb5-1.11.orig/src/config/pre.in
+++ krb5-1.11/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -188,7 +188,7 @@
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@


@ -0,0 +1,306 @@
Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial)
profile_in_memory fields, and drop the hunk that touched .gitignore.
commit c452644d91d57d8b05ef396a029e34d0c7a48920
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 15:03:03 2013 -0500
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
ticket: 7807 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
index 0bc92f8..4237023 100644
--- a/src/lib/krb5/krb/copy_ctx.c
+++ b/src/lib/krb5/krb/copy_ctx.c
@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
nctx->ser_ctx_count = 0;
nctx->ser_ctx = NULL;
nctx->prompt_types = NULL;
+ nctx->preauth_context = NULL;
+ nctx->ccselect_handles = NULL;
+ nctx->localauth_handles = NULL;
+ nctx->hostrealm_handles = NULL;
+ nctx->kdblog_context = NULL;
+ nctx->trace_callback = NULL;
+ nctx->trace_callback_data = NULL;
+ nctx->plugin_base_dir = NULL;
nctx->os_context.default_ccname = NULL;
+#ifdef KRB5_DNS_LOOKUP
+ nctx->profile_in_memory = 0;
+#endif /* KRB5_DNS_LOOKUP */
+
memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
nctx->vtbl = NULL;
nctx->locate_fptrs = NULL;
memset(&nctx->err, 0, sizeof(nctx->err));
+ memset(&nctx->plugins, 0, sizeof(nctx->plugins));
ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
if (ret)
@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
ret = krb5_get_profile(ctx, &nctx->profile);
if (ret)
goto errout;
+ nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
+ if (nctx->plugin_base_dir == NULL) {
+ ret = ENOMEM;
+ goto errout;
+ }
errout:
if (ret) {
diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
index 9efe2e0..71f664f 100644
--- a/src/lib/krb5/krb/etype_list.c
+++ b/src/lib/krb5/krb/etype_list.c
@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
krb5_enctype *list;
*new_list = NULL;
+ if (old_list == NULL)
+ return 0;
count = k5_count_etypes(old_list);
list = malloc(sizeof(krb5_enctype) * (count + 1));
if (list == NULL)
commit b78c3c8c5025aec870d20472f80d4a652062f921
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 13:08:25 2013 -0500
Add a test program for krb5_copy_context
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
ticket: 7807
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 7d1682d..3b58219 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/t_expire_warn.c \
$(srcdir)/t_authdata.c \
$(srcdir)/t_cc_config.c \
+ $(srcdir)/t_copy_context.c \
$(srcdir)/t_in_ccache.c \
$(srcdir)/t_response_items.c \
$(srcdir)/t_vfy_increds.c
@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS)
t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS)
+t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS)
+
t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS)
TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
- t_in_ccache t_cc_config \
+ t_in_ccache t_cc_config t_copy_context \
t_princ t_etypes t_vfy_increds t_response_items
check-unix:: $(TEST_PROGS)
@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS)
$(RUN_SETUP) $(VALGRIND) ./t_princ
$(RUN_SETUP) $(VALGRIND) ./t_etypes
$(RUN_SETUP) $(VALGRIND) ./t_response_items
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_copy_context
check-pytests:: t_expire_warn t_vfy_increds
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
@@ -491,6 +497,7 @@ clean::
$(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \
$(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \
$(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \
+ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \
$(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \
$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
new file mode 100644
index 0000000..522fa0c
--- /dev/null
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -0,0 +1,166 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <k5-int.h>
+
+static void
+trace(krb5_context ctx, const krb5_trace_info *info, void *data)
+{
+}
+
+static void
+check(int cond)
+{
+ if (!cond)
+ abort();
+}
+
+static void
+compare_string(const char *str1, const char *str2)
+{
+ check((str1 == NULL) == (str2 == NULL));
+ if (str1 != NULL)
+ check(strcmp(str1, str2) == 0);
+}
+
+static void
+compare_etypes(krb5_enctype *list1, krb5_enctype *list2)
+{
+ check((list1 == NULL) == (list2 == NULL));
+ if (list1 == NULL)
+ return;
+ while (*list1 != ENCTYPE_NULL && *list1 == *list2)
+ list1++, list2++;
+ check(*list1 == *list2);
+}
+
+/* Check that the context c is a valid copy of the reference context r. */
+static void
+check_context(krb5_context c, krb5_context r)
+{
+ int i;
+
+ /* Check fields which should have been propagated from r. */
+ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes);
+ compare_etypes(c->tgs_etypes, r->tgs_etypes);
+ check(c->os_context.time_offset == r->os_context.time_offset);
+ check(c->os_context.usec_offset == r->os_context.usec_offset);
+ check(c->os_context.os_flags == r->os_context.os_flags);
+ compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
+ check(c->clockskew == r->clockskew);
+ check(c->kdc_req_sumtype == r->kdc_req_sumtype);
+ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
+ check(c->default_safe_sumtype == r->default_safe_sumtype);
+ check(c->kdc_default_options == r->kdc_default_options);
+ check(c->library_options == r->library_options);
+ check(c->profile_secure == r->profile_secure);
+ check(c->fcc_default_format == r->fcc_default_format);
+ check(c->udp_pref_limit == r->udp_pref_limit);
+ check(c->use_conf_ktypes == r->use_conf_ktypes);
+ check(c->allow_weak_crypto == r->allow_weak_crypto);
+ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname);
+ check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname);
+ compare_string(c->plugin_base_dir, r->plugin_base_dir);
+
+ /* Check fields which don't propagate. */
+ check(c->dal_handle == NULL);
+ check(c->ser_ctx_count == 0);
+ check(c->ser_ctx == NULL);
+ check(c->prompt_types == NULL);
+ check(c->libkrb5_plugins.files == NULL);
+ check(c->preauth_context == NULL);
+ check(c->ccselect_handles == NULL);
+ check(c->localauth_handles == NULL);
+ check(c->hostrealm_handles == NULL);
+ check(c->err.code == 0);
+ check(c->err.msg == NULL);
+ check(c->kdblog_context == NULL);
+ check(c->trace_callback == NULL);
+ check(c->trace_callback_data == NULL);
+ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) {
+ check(c->plugins[i].modules == NULL);
+ check(!c->plugins[i].configured);
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ krb5_context ctx, ctx2;
+ krb5_plugin_initvt_fn *mods;
+ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
+ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
+ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
+
+ /* Copy a default context and verify the result. */
+ check(krb5_init_context(&ctx) == 0);
+ check(krb5_copy_context(ctx, &ctx2) == 0);
+ check_context(ctx2, ctx);
+ krb5_free_context(ctx2);
+
+ /* Set non-default values for all of the propagated fields in ctx. */
+ ctx->allow_weak_crypto = TRUE;
+ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0);
+ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0);
+ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0);
+ check(krb5_cc_set_default_name(ctx, "defccname") == 0);
+ check(krb5_set_default_realm(ctx, "defrealm") == 0);
+ ctx->clockskew = 18;
+ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
+ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
+ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
+ ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
+ ctx->library_options = 0;
+ ctx->profile_secure = TRUE;
+ ctx->udp_pref_limit = 2345;
+ ctx->use_conf_ktypes = TRUE;
+ ctx->ignore_acceptor_hostname = TRUE;
+ ctx->dns_canonicalize_hostname = FALSE;
+ free(ctx->plugin_base_dir);
+ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
+
+ /* Also set some of the non-propagated fields. */
+ ctx->prompt_types = ptypes;
+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
+ k5_plugin_free_modules(ctx, mods);
+ krb5_set_error_message(ctx, ENOMEM, "nooooooooo");
+ krb5_set_trace_callback(ctx, trace, ctx);
+
+ /* Copy the intentionally messy context and verify the result. */
+ check(krb5_copy_context(ctx, &ctx2) == 0);
+ check_context(ctx2, ctx);
+ krb5_free_context(ctx2);
+
+ krb5_free_context(ctx);
+ return 0;
+}
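Review bot: In the second copy_ctx.c hunk, `strdup(ctx->plugin_base_dir)` reads the source field without a null test, while the same commit teaches k5_copy_etypes to tolerate a null list and the new test's compare_string() explicitly allows NULL on both sides. If a context can ever carry a NULL plugin_base_dir (not visible here), the copy crashes instead of failing cleanly; wrapping the strdup in `if (ctx->plugin_base_dir != NULL)` or adding a comment that states the non-null invariant would close the gap. Separately, the Makefile.in clean rule has `$(OUTPRE)t_copy_context(EXEEXT)` where the neighbouring lines use `$(EXEEXT)`, so a literal `(EXEEXT)` reaches the shell instead of the binary's name; it should read `$(OUTPRE)t_copy_context$(EXEEXT)`. krb5_copy_context's body begins and ends outside both of its hunks.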

57
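--- /dev/null
+++ b/krb5-1.12-enable-NX.patch
@@ -0,0 +1,57 @@
+commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Fri Jan 3 13:50:48 2014 -0500
+Mark AESNI files as not needing executable stacks
+Some Linux systems now come with facilities to mark the stack as
+non-executable, making it more difficult to exploit buffer overrun
+bugs. For this to work, object files built from assembly need a
+section added to note whether they require an executable stack.
+Patch from Dhiru Kholia with comments added. More information at:
+https://bugzilla.redhat.com/show_bug.cgi?id=1045699
+https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
+ticket: 7813
+target_version: 1.12.1
+tags: pullup
+diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
+index 1c091c1..d03c859 100644
+--- a/src/lib/crypto/builtin/aes/iaesx64.s
++++ b/src/lib/crypto/builtin/aes/iaesx64.s
+@@ -834,3 +834,14 @@ lp256encsingle_CBC:
+movdqu [r9],xmm1
+add rsp,16*16+8
+ret
++
++; Mark this file as not needing an executable stack.
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
+diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
+index b667acd..1aa12e6 100644
+--- a/src/lib/crypto/builtin/aes/iaesx86.s
++++ b/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -871,3 +871,14 @@ lp256encsingle_CBC:
+movdqu [ecx],xmm1 ; store last iv for chaining
+ret
++
++; Mark this file as not needing an executable stack.
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif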
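Review bot: The stack note is emitted only when `__OUTPUT_FORMAT__` is `elf`, `elf32` or `elf64`, in both iaesx64.s and iaesx86.s, so an object assembled with any other ELF output format (NASM also has `elfx32`) gets no `.note.GNU-stack` section. The linker then typically marks the whole linked library as needing an executable stack, and nothing in the build reports it. The package build should therefore verify the result, for example by checking that the GNU_STACK program header of the linked crypto library shows `RW` rather than `RWE` in `readelf -lW` output. The three identical `%ifidn` blocks would also read better with the comment extended to say which output formats are covered and why the others are left out.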

12
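--- /dev/null
+++ b/krb5-1.12-ksu-path.patch
@@ -0,0 +1,12 @@
+Set the default PATH to the one set by login.
+--- krb5/src/clients/ksu/Makefile.in
++++ krb5/src/clients/ksu/Makefile.in
+@@ -1,6 +1,6 @@
+mydir=clients$(S)ksu
+BUILDTOP=$(REL)..$(S)..
+-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
+KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@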
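Review bot: The new CMD_PATH value puts `/usr/local/sbin` and `/usr/local/bin` ahead of the system directories, and the patch header says only that it matches the PATH set by login. How ksu consumes CMD_PATH is outside this hunk; if it is the list searched to resolve command names run for the target user, every directory on it becomes part of the trust base of a program that is normally installed setuid, and `/usr/local` is often writable by a local admin group rather than by root alone. I would either list the system directories first or extend the patch description with a line such as `Every directory in CMD_PATH must be root-owned and not group- or world-writable.` so packagers know what to audit.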


@ -11,11 +11,10 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
Index: krb5-1.11.1/src/aclocal.m4
===================================================================
--- krb5-1.11.1.orig/src/aclocal.m4
+++ krb5-1.11.1/src/aclocal.m4
@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4
--- krb5/src/aclocal.m4 2014-01-13 17:12:47.509022000 +0100
+++ krb5/src/aclocal.m4 2014-01-13 17:13:24.552689000 +0100
@@ -1668,3 +1668,70 @@
]))
])dnl
dnl
@ -86,10 +85,9 @@ Index: krb5-1.11.1/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
Index: krb5-1.11.1/src/clients/ksu/main.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/main.c
+++ krb5-1.11.1/src/clients/ksu/main.c
diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
--- krb5/src/clients/ksu/main.c 2014-01-13 17:12:44.864970000 +0100
+++ krb5/src/clients/ksu/main.c 2014-01-13 17:13:24.563692000 +0100
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -109,7 +107,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
/* globals */
char * prog_name;
int auth_debug =0;
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
@@ -40,6 +45,7 @@
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
@ -117,7 +115,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
/***********/
#define _DEF_CSH "/bin/csh"
@@ -584,6 +590,25 @@ main (argc, argv)
@@ -584,6 +590,25 @@
prog_name,target_user,client_name,
source_user,ontty());
@ -143,7 +141,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -648,6 +673,26 @@ main (argc, argv)
@@ -648,6 +673,26 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
@ -170,7 +168,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
}
if( some_rest_copy){
@@ -717,6 +762,32 @@ main (argc, argv)
@@ -717,6 +762,32 @@
exit(1);
}
@ -203,7 +201,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -789,7 +860,7 @@ main (argc, argv)
@@ -789,7 +860,7 @@
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -212,7 +210,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -819,16 +890,35 @@ main (argc, argv)
@@ -819,16 +890,35 @@
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -249,12 +247,11 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
exit (1);
}
}
Index: krb5-1.11.1/src/clients/ksu/Makefile.in
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/Makefile.in
+++ krb5-1.11.1/src/clients/ksu/Makefile.in
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in
--- krb5/src/clients/ksu/Makefile.in 2014-01-13 17:12:44.868981000 +0100
+++ krb5/src/clients/ksu/Makefile.in 2014-01-13 17:13:24.580690000 +0100
@@ -3,12 +3,14 @@
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
@ -268,7 +265,7 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
@@ -17,13 +19,17 @@
ccache.o \
authorization.o \
main.o \
@ -287,10 +284,9 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in
clean::
$(RM) ksu
Index: krb5-1.11.1/src/clients/ksu/pam.c
===================================================================
--- /dev/null
+++ krb5-1.11.1/src/clients/ksu/pam.c
diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c
--- krb5/src/clients/ksu/pam.c 1970-01-01 01:00:00.000000000 +0100
+++ krb5/src/clients/ksu/pam.c 2014-01-13 17:13:24.589692000 +0100
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -681,10 +677,9 @@ Index: krb5-1.11.1/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
Index: krb5-1.11.1/src/clients/ksu/pam.h
===================================================================
--- /dev/null
+++ krb5-1.11.1/src/clients/ksu/pam.h
diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h
--- krb5/src/clients/ksu/pam.h 1970-01-01 01:00:00.000000000 +0100
+++ krb5/src/clients/ksu/pam.h 2014-01-13 17:13:24.595690000 +0100
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -743,11 +738,10 @@ Index: krb5-1.11.1/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
Index: krb5-1.11.1/src/configure.in
===================================================================
--- krb5-1.11.1.orig/src/configure.in
+++ krb5-1.11.1/src/configure.in
@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION])
diff -Naur krb5/src/configure.in krb5/src/configure.in
--- krb5/src/configure.in 2014-01-13 17:12:48.401059000 +0100
+++ krb5/src/configure.in 2014-01-13 17:13:24.603693000 +0100
@@ -1281,6 +1281,8 @@
AC_PATH_PROG(GROFF, groff)


@ -0,0 +1,70 @@
--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
@@ -256,6 +256,7 @@ DD 0
section .text
+extern _GLOBAL_OFFSET_TABLE_
align 16
key_expansion256:
@@ -318,12 +319,18 @@ _iEncExpandKey128:
mov ecx,[esp-4+8] ;input
mov edx,[esp-4+12] ;ctx
+ push ebx
movdqu xmm1, [ecx] ; loading the key
movdqu [edx], xmm1
- movdqa xmm5, [shuffle_mask]
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
add edx,16
@@ -348,6 +355,8 @@ _iEncExpandKey128:
aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10
call key_expansion128
+ pop ebx
+
ret
@@ -412,6 +421,7 @@ global _iEncExpandKey256
_iEncExpandKey256:
mov ecx, [esp-4+8] ;input
mov edx, [esp-4+12] ;expanded key
+ push ebx
movdqu xmm1, [ecx] ; loading the key
@@ -421,7 +431,12 @@ _iEncExpandKey256:
add edx,32
- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
aeskeygenassist xmm2, xmm3, 0x1 ;
call key_expansion256
@@ -452,6 +467,8 @@ _iEncExpandKey256:
movdqu [edx], xmm1
+ pop ebx
+
ret
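Review bot: This patch file has no description, unlike the others in the commit, so nothing records that the `call .get_GOT` / `pop ebx` sequence is there to address `shuffle_mask` position-independently, presumably to keep text relocations out of the shared library. A two-line header saying so, and naming the check that proves it (no `TEXTREL` entry in `readelf -d` output for the built library), would let the next rebase confirm that the patch is still needed and complete. Only `_iEncExpandKey128` and `_iEncExpandKey256` are converted in the visible hunks; whether other routines in the file still use absolute data references cannot be told from here. Both functions continue outside their hunks, so the pairing of `push ebx` with a `pop ebx` on every return path should be confirmed against the full file.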


@ -31,11 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Index: krb5-1.11.1/src/aclocal.m4
===================================================================
--- krb5-1.11.1.orig/src/aclocal.m4
+++ krb5-1.11.1/src/aclocal.m4
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
--- krb5/src/aclocal.m4
+++ krb5/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@ -43,7 +41,7 @@ Index: krb5-1.11.1/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS)
@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -95,19 +93,17 @@ Index: krb5-1.11.1/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.11.1/src/config/pre.in
===================================================================
--- krb5-1.11.1.orig/src/config/pre.in
+++ krb5-1.11.1/src/config/pre.in
@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -116,11 +112,9 @@ Index: krb5-1.11.1/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
Index: krb5-1.11.1/src/configure.in
===================================================================
--- krb5-1.11.1.orig/src/configure.in
+++ krb5-1.11.1/src/configure.in
@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff)
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1053,6 +1053,8 @@ fi
KRB5_WITH_PAM
@ -129,22 +123,18 @@ Index: krb5-1.11.1/src/configure.in
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
Index: krb5-1.11.1/src/include/k5-int.h
===================================================================
--- krb5-1.11.1.orig/src/include/k5-int.h
+++ krb5-1.11.1/src/include/k5-int.h
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
+#include "k5-label.h"
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
Index: krb5-1.11.1/src/include/k5-label.h
===================================================================
--- /dev/null
+++ krb5-1.11.1/src/include/k5-label.h
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
--- krb5/src/include/k5-label.h
+++ krb5/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -178,10 +168,8 @@ Index: krb5-1.11.1/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.11.1/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.11.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.11.1/src/include/krb5/krb5.hin
--- krb5/src/include/krb5/krb5.hin
+++ krb5/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -195,10 +183,8 @@ Index: krb5-1.11.1/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.11.1/src/kadmin/dbutil/dump.c
--- krb5/src/kadmin/dbutil/dump.c
+++ krb5/src/kadmin/dbutil/dump.c
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
{
int fd = -1;
@ -221,7 +207,7 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
if (fd == -1)
goto error;
@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char
@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
return 0;
}
@ -230,11 +216,9 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
Index: krb5-1.11.1/src/krb5-config.in
===================================================================
--- krb5-1.11.1.orig/src/krb5-config.in
+++ krb5-1.11.1/src/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
@ -242,7 +226,7 @@ Index: krb5-1.11.1/src/krb5-config.in
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -258,7 +259,7 @@ if test -n "$do_libs"; then
@@ -218,7 +219,7 @@
fi
# If we ever support a flag to generate output suitable for static
@ -251,11 +235,9 @@ Index: krb5-1.11.1/src/krb5-config.in
# here.
echo $lib_flags
Index: krb5-1.11.1/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.11.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.11.1/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
--- krb5/src/lib/kadm5/logger.c
+++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
@ -264,7 +246,7 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@ -273,11 +255,9 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
--- krb5/src/lib/krb5/keytab/kt_file.c
+++ krb5/src/lib/krb5/keytab/kt_file.c
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
@ -286,20 +266,18 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
k5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
--- krb5/src/plugins/kdb/db2/adb_openclose.c
+++ krb5/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
@ -308,10 +286,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
@ -329,10 +305,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
goto err;
} else {
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
@ -350,24 +324,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
-DB_LIB = -ldb
+DB_LIB = -ldb $(SUPPORT_DEPLIB)
+
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -179,7 +179,7 @@ done:
/* set password in the file */
@ -401,11 +359,9 @@ Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.11.1/src/slave/kpropd.c
===================================================================
--- krb5-1.11.1.orig/src/slave/kpropd.c
+++ krb5-1.11.1/src/slave/kpropd.c
@@ -459,6 +459,9 @@ void doit(fd)
--- krb5/src/slave/kpropd.c
+++ krb5/src/slave/kpropd.c
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
@ -415,7 +371,7 @@ Index: krb5-1.11.1/src/slave/kpropd.c
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -516,9 +519,15 @@ void doit(fd)
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
@ -431,10 +387,8 @@ Index: krb5-1.11.1/src/slave/kpropd.c
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
Index: krb5-1.11.1/src/util/profile/prof_file.c
===================================================================
--- krb5-1.11.1.orig/src/util/profile/prof_file.c
+++ krb5-1.11.1/src/util/profile/prof_file.c
--- krb5/src/util/profile/prof_file.c
+++ krb5/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
@ -443,7 +397,7 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
@ -452,11 +406,9 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.11.1/src/util/support/Makefile.in
===================================================================
--- krb5-1.11.1.orig/src/util/support/Makefile.in
+++ krb5-1.11.1/src/util/support/Makefile.in
@@ -64,6 +64,7 @@ IPC_SYMS= \
--- krb5/src/util/support/Makefile.in
+++ krb5/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -464,22 +416,20 @@ Index: krb5-1.11.1/src/util/support/Makefile.in
init-addrinfo.o \
plugins.o \
errors.o \
@@ -135,7 +136,7 @@ SRCS=\
@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
Index: krb5-1.11.1/src/util/support/selinux.c
===================================================================
--- /dev/null
+++ krb5-1.11.1/src/util/support/selinux.c
@@ -0,0 +1,405 @@
DEPLIBS=
--- krb5/src/util/support/selinux.c
+++ krb5/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved.
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
@ -735,15 +685,12 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ struct stat st;
+ void *retval;
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+ } else {
+ return NULL;
+ }
+}
+
+void
@ -768,17 +715,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fp = fopen(path, mode);
+ }
+
+ return fp;
+}
+
@ -790,16 +733,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fd = creat(path, mode);
+ }
+ return fd;
+}
+
@ -811,16 +751,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mknod(path, mode, dev);
+ }
+ return ret;
+}
+
@ -832,16 +769,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mkdir(path, mode);
+ }
+ return ret;
+}
+
@ -859,7 +793,7 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
@ -871,23 +805,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ errno_save = errno;
+ va_end(ap);
+ errno = errno_save;
+ }
+ return fd;
+}
+
+#endif
Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
--- krb5/src/lib/krb5/rcache/rc_dfl.c
+++ krb5/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
@ -897,7 +821,7 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
if (! t->recovering) {
name = t->name;
@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
@ -915,10 +839,8 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c
+++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
--- krb5/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
@ -939,10 +861,34 @@ Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
Index: krb5-1.11.1/src/lib/krb5/os/trace.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/os/trace.c
+++ krb5-1.11.1/src/lib/krb5/os/trace.c
@@ -223,10 +232,23 @@
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
krb5_set_error_message(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not "
"exist"), dirname);
--- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
@ -952,11 +898,9 @@ Index: krb5-1.11.1/src/lib/krb5/os/trace.c
if (*fd == -1) {
free(fd);
return errno;
Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5
--- krb5/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
if (retval)
return retval;
@ -967,11 +911,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
@ -979,7 +921,7 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
@@ -68,7 +69,8 @@
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
@ -989,11 +931,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.11.1/src/kdc/main.c
===================================================================
--- krb5-1.11.1.orig/src/kdc/main.c
+++ krb5-1.11.1/src/kdc/main.c
@@ -902,7 +902,7 @@ write_pid_file(const char *path)
--- krb5/src/kdc/main.c
+++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -1002,24 +942,20 @@ Index: krb5-1.11.1/src/kdc/main.c
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.11.1/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.11.1/src/lib/kdb/kdb_log.c
@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha
return (errno);
}
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
if (caller == FKPROPLOG)
return errno;
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1) {
return (errno);
}
Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
===================================================================
--- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
@@ -66,6 +66,7 @@ HEADERS= \
if (ulogfd == -1)
return errno;
--- krb5/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
@ -1027,7 +963,7 @@ Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@

3
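--- /dev/null
+++ b/krb5-1.12.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a
+size 11925134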


@ -1,31 +0,0 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {


@ -6,7 +6,7 @@ Index: src/kadmin/cli/Makefile.in
===================================================================
--- src/kadmin/cli/Makefile.in.orig
+++ src/kadmin/cli/Makefile.in
@@ -40,3 +40,8 @@ clean-unix::
@@ -43,3 +43,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c


@ -4,7 +4,7 @@ Index: krb5-1.11/src/slave/kprop.c
===================================================================
--- krb5-1.11.orig/src/slave/kprop.c
+++ krb5-1.11/src/slave/kprop.c
@@ -187,9 +187,8 @@ void PRS(argc, argv)
@@ -202,9 +202,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
@ -15,7 +15,7 @@ Index: krb5-1.11/src/slave/kprop.c
krb5_keytab keytab = NULL;
/*
@@ -230,11 +229,8 @@ void get_tickets(context)
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*


@ -1,13 +0,0 @@
Set the default PATH to the one set by login.
diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in
--- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)


@ -12,7 +12,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
+++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv)
@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv)
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
@ -21,7 +21,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv)
@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv)
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
@ -29,7 +29,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv)
@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv)
}
}
@ -42,7 +42,7 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte
@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte
higher than that. Short-term workaround: only compare
the low 8 bits. */


@ -0,0 +1,28 @@
commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
Author: Simo Sorce <simo@redhat.com>
Date: Fri Dec 13 12:00:41 2013 -0500
Fix memory leak in SPNEGO initiator
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
[ghudson@mit.edu: clarified commit message]
ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 818a1b4..06cfab0 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
* can do this with recursion. If all mechanisms produce errors, the
* caller should get the error from the first mech in the list.
*/
+ gssalloc_free(sc->mech_set->elements->elements);
memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
--sc->mech_set->count * sizeof(*sc->mech_set->elements));
if (sc->mech_set->count == 0)
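Review bot: When the mech being dropped is the last one in the set, `--sc->mech_set->count` makes the `memmove` length zero, so slot 0 keeps the pointer that the added `gssalloc_free()` has just released. Nothing in the hunk reads it again once the count is zero, but whatever later releases `sc->mech_set` then has to rely on the count rather than on the array contents. Adding `sc->mech_set->elements->elements = NULL;` directly after the free would make that safe by construction. The rest of init_ctx_call_init lies outside the hunk, so how the set is released afterwards could not be checked here.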


@ -0,0 +1,37 @@
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
map_errcode(minor_status);
ret = GSS_S_DEFECTIVE_TOKEN;
}
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
} else if (sc->mech_complete) {
/* Reject spurious mech token. */
ret = GSS_S_DEFECTIVE_TOKEN;
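Review bot: The added `else if` reads `(*responseToken)->length`, which is only safe if the condition that opens this chain has already taken the case where `*responseToken` is null; that condition sits above the hunk and should be confirmed there. The branch also widens what init_ctx_nego accepts from the peer, so its comment would be clearer if it said that the empty token is tolerated only because `sc->mech_complete` is already set. A test that feeds a zero-length token while `mech_complete` is unset would pin that the relaxation stays this narrow.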


@ -0,0 +1,39 @@
commit decccbcb5075f8fbc28a535a9b337afc84a15dee
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Dec 16 15:37:56 2013 -0500
Fix GSS krb5 acceptor acquire_cred error handling
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
ticket: 7805
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 0efcad4..9547207 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
&cred->rcache);
if (code) {
+ krb5_kt_close(context, kt);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
/* Make sure we have a keytab with keys in it. */
code = krb5_kt_have_content(context, kt);
if (code) {
+ krb5_kt_close(context, kt);
*minor_status = code;
- return GSS_S_FAILURE;
+ return GSS_S_CRED_UNAVAIL;
}
}
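Review bot: Every failure exit in acquire_accept_cred now has to carry its own `krb5_kt_close(context, kt)`, which is the pattern that let these two leaks in; a shared exit label that closes `kt` and returns the major status would keep the next early return from repeating it. The second hunk also changes the major status from `GSS_S_FAILURE` to `GSS_S_CRED_UNAVAIL` without a comment at the return; something like `/* No keys in the keytab: credentials are unavailable, not a generic failure. */` would record the reason next to the code. The function starts and ends outside the hunk, so its other exits could not be checked.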


@ -0,0 +1,39 @@
commit 13fd26e1863c79f616653f6a10a58c01f65fceff
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Dec 6 18:56:56 2013 -0500
Avoid malloc(0) in SPNEGO get_input_token
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
ticket: 7794 (new)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 24c3440..3937662 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
return (NULL);
input_token->length = len;
- input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->length > 0) {
+ input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->value == NULL) {
+ free(input_token);
+ return (NULL);
+ }
- if (input_token->value == NULL) {
- free(input_token);
- return (NULL);
+ memcpy(input_token->value, *buff_in, input_token->length);
+ } else {
+ input_token->value = NULL;
}
-
- (void) memcpy(input_token->value, *buff_in, input_token->length);
*buff_in += input_token->length;
return (input_token);
}
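Review bot: Callers of get_input_token can now receive a token whose `value` is NULL with `length` 0, where the old code returned either a non-null buffer or no token at all depending on what the allocator did with a zero size, and nothing on the function documents the new contract. A comment on the `else` branch such as `/* Zero-length token: value stays NULL; callers must test length before touching value. */` would make it explicit. The `memcpy` still copies `len` bytes from `*buff_in`; the check that `len` fits within `buff_length` is above the hunk and should be confirmed there.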


@ -0,0 +1,44 @@
commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 16:03:16 2013 -0500
Test SPNEGO error message in t_s4u.py
Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.
ticket: 7045
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 67dc810..e4aa259 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy')
-# Again with SPNEGO. Bug #7045 prevents us from checking the error
-# message, but we can at least exercise the code.
+# Again with SPNEGO.
output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
'-', pservice1, pservice2],
expected_code=1)
-if ('auth1: ' + realm.user_princ not in output):
+if ('auth1: ' + realm.user_princ not in output or
+ 'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy (SPNEGO)')
# Try krb5 -> S4U2Proxy without forwardable user creds. This should
@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
# Again with SPNEGO. This uses SPNEGO for the initial authentication,
-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
-# directly rather than saving and reacquiring it) so bug #7045 does
-# not apply and we can verify the error message.
+# directly rather than saving and reacquiring it.
output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')


@ -1,5 +1,50 @@
-------------------------------------------------------------------
Fri Nov 15 13:35:09 UTC 2013 - ckornacker@suse.com
Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
- update to version 1.12
* Add GSSAPI extensions for constructing MIC tokens using IOV lists
* Add a FAST OTP preauthentication module for the KDC which uses
RADIUS to validate OTP token values.
* The AES-based encryption types will use AES-NI instructions
when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
available
- update and rebase patches
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
* krb5-1.8-api.patch -> krb5-1.12-api.patch
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
* krb5-1.9-debuginfo.patch
* krb5-1.9-kprop-mktemp.patch
* krb5-kvno-230379.patch
- added upstream patches
- Fix krb5_copy_context
* krb5-1.12-copy_context.patch
- Mark AESNI files as not needing executable stacks
* krb5-1.12-enable-NX.patch
* krb5-1.12-pic-aes-ni.patch
- Fix memory leak in SPNEGO initiator
* krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
* krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
* krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
* krb5-master-no-malloc0.patch
- Test SPNEGO error message in t_s4u.py
* krb5-master-spnego_error_messages.patch
-------------------------------------------------------------------
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
- Reduce build dependencies for krb5-mini by removing
doxygen and changing libcom_err-devel to
libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
-------------------------------------------------------------------
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com
- update to version 1.11.4
- Fix a KDC null pointer dereference [CVE-2013-1417] that could


@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.11.4
%define srcRoot krb5-1.12
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,18 +25,18 @@ Name: krb5-mini
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.11.4
Version: 1.12
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
@ -58,25 +58,34 @@ Conflicts: krb5-client
Conflicts: krb5-server
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
%endif
Source: krb5-%{version}.tar.bz2
Source: krb5-%{version}.tar.gz
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.11-pam.patch
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch8: krb5-1.12-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.11-selinux-label.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-1.12-copy_context.patch
Patch16: krb5-1.12-enable-NX.patch
Patch17: krb5-1.12-pic-aes-ni.patch
Patch18: krb5-master-no-malloc0.patch
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
Patch20: krb5-master-gss_oid_leak.patch
Patch21: krb5-master-keytab_close.patch
Patch22: krb5-master-spnego_error_messages.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -134,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package plugin-preauth-otp
Summary: MIT Kerberos5 Implementation--OTP preauth Plugin
Group: Productivity/Networking/Security
%description plugin-preauth-otp
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a OTP plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
@ -187,6 +205,14 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%build
# needs to be re-generated
@ -315,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
%if %{build_mini}
# manually remove otp plugin for krb5-mini since configure
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%endif
%find_lang mit-krb5
@ -425,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libkrad.so
%{_libdir}/pkgconfig/gssrpc.pc
%{_libdir}/pkgconfig/kadm-client.pc
%{_libdir}/pkgconfig/kadm-server.pc
%{_libdir}/pkgconfig/kdb.pc
%{_libdir}/pkgconfig/krb5-gssapi.pc
%{_libdir}/pkgconfig/krb5.pc
%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
%{_libdir}/pkgconfig/mit-krb5.pc
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
@ -476,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -547,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%files server
%defattr(-,root,root)
@ -658,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files plugin-preauth-otp
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
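Review bot: The new `%if %{build_mini}` guard around the `otp.so` removal is written differently from the `%if ! 0%{?build_mini}` test used for the BuildRequires block, and unlike that form it fails to parse if the macro is ever undefined; `%if 0%{?build_mini}` would match. Separately, the switch of `Source:` to `krb5-%{version}.tar.gz` comes with no detached signature or keyring among the Source lines shown, so the build trusts whatever tarball is checked in. Listing the upstream signature as a further Source and verifying it in `%prep` would close that gap.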


@ -1,3 +1,48 @@
-------------------------------------------------------------------
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
- update to version 1.12
* Add GSSAPI extensions for constructing MIC tokens using IOV lists
* Add a FAST OTP preauthentication module for the KDC which uses
RADIUS to validate OTP token values.
* The AES-based encryption types will use AES-NI instructions
when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
available
- update and rebase patches
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
* krb5-1.8-api.patch -> krb5-1.12-api.patch
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
* krb5-1.9-debuginfo.patch
* krb5-1.9-kprop-mktemp.patch
* krb5-kvno-230379.patch
- added upstream patches
- Fix krb5_copy_context
* krb5-1.12-copy_context.patch
- Mark AESNI files as not needing executable stacks
* krb5-1.12-enable-NX.patch
* krb5-1.12-pic-aes-ni.patch
- Fix memory leak in SPNEGO initiator
* krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
* krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
* krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
* krb5-master-no-malloc0.patch
- Test SPNEGO error message in t_s4u.py
* krb5-master-spnego_error_messages.patch
-------------------------------------------------------------------
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
- Reduce build dependencies for krb5-mini by removing
doxygen and changing libcom_err-devel to
libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
-------------------------------------------------------------------
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com


@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.11.4
%define srcRoot krb5-1.12
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,18 +25,18 @@ Name: krb5
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.11.4
Version: 1.12
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
@ -58,25 +58,34 @@ Conflicts: krb5-client
Conflicts: krb5-server
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
%endif
Source: krb5-%{version}.tar.bz2
Source: krb5-%{version}.tar.gz
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.11-pam.patch
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch8: krb5-1.12-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.11-selinux-label.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-1.12-copy_context.patch
Patch16: krb5-1.12-enable-NX.patch
Patch17: krb5-1.12-pic-aes-ni.patch
Patch18: krb5-master-no-malloc0.patch
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
Patch20: krb5-master-gss_oid_leak.patch
Patch21: krb5-master-keytab_close.patch
Patch22: krb5-master-spnego_error_messages.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -134,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package plugin-preauth-otp
Summary: MIT Kerberos5 Implementation--OTP preauth Plugin
Group: Productivity/Networking/Security
%description plugin-preauth-otp
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a OTP plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
@ -187,6 +205,14 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%build
# needs to be re-generated
@ -315,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
%if %{build_mini}
# manually remove otp plugin for krb5-mini since configure
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%endif
%find_lang mit-krb5
@ -425,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libkrad.so
%{_libdir}/pkgconfig/gssrpc.pc
%{_libdir}/pkgconfig/kadm-client.pc
%{_libdir}/pkgconfig/kadm-server.pc
%{_libdir}/pkgconfig/kdb.pc
%{_libdir}/pkgconfig/krb5-gssapi.pc
%{_libdir}/pkgconfig/krb5.pc
%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
%{_libdir}/pkgconfig/mit-krb5.pc
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
@ -476,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -547,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%files server
%defattr(-,root,root)
@ -658,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files plugin-preauth-otp
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
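Review bot: The new `Source: krb5-%{version}.tar.gz` line in the `@ -58,25 +58,34 @` hunk replaces the upstream tarball, but nothing in the spec lets the build verify it. The visible source list runs from `Source` to `Source1: vendor-files.tar.bz2`, `Source2: baselibs.conf` and `Source5: krb5-rpmlintrc`, with no detached signature or keyring entry. For a Kerberos implementation I would ship upstream's detached signature and signing keyring next to the tarball, for example `Source3: krb5-%{version}.tar.gz.asc` and `Source4: krb5.keyring` (file names constructed here, to be matched to what upstream actually publishes), so the archive is checked on every version bump. Separately, the added OTP removal in the `@ -315,6 +341,11 @` hunk tests `%if %{build_mini}` while the BuildRequires hunk uses `%if ! 0%{?build_mini}`; writing `%if 0%{?build_mini}` would keep the two guards consistent and safe if the macro is ever undefined.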


@ -1,5 +1,6 @@
#!/bin/sh
sed -e 's/Name:.*/Name: krb5-mini/g;' \
-e 's/spec file for package.*/&-mini/' \
-e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
cp krb5.changes krb5-mini.changes