rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

Accepting request 353069 from network

Browse Source 
- Add two patches from Fedora, fixing two crashes:
  * krb5-fix_interposer.patch
  * krb5-mechglue_inqure_attrs.patch

- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
  tabular dump formats (tab-separated or CSV) for the KDC database.
  Unlike the normal dump format, each output table has a fixed number
  of fields.  Some tables include human-readable forms of data that
  are opaque in ordinary dump files.  This format is also suitable for
  importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
  command line following any global options, where the command
  arguments are split by the shell--for example, "kadmin getprinc
  principalname".  Commands issued this way do not prompt for
  confirmation or display warning messages, and exit with non-zero
  status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
  default_principal_flags kdc.conf variable, and vice versa.  Also
  accept flag specifiers in the form that kadmin prints, as well as
  hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
  value of supported_enctypes, which determines the default key and
  salt types for new password-derived keys.  By default, keys will
  only created only for AES128 and AES256.  This mitigates some types

OBS-URL: https://build.opensuse.org/request/show/353069
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=114
This commit is contained in:
Dominique Leuenberger 2016-01-13 21:43:58 +00:00 committed by Git OBS Bridge
commit 7d356ebc8e
12 changed files with 596 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
krb5-1.13.3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
size 12133347

14
krb5-1.13.3.tar.gz.asc
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr
4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr
yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ
ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8
cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB
LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4
AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S
zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm
VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA==
=UvFL
-----END PGP SIGNATURE-----

3
krb5-1.14.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9
size 12255176

14
krb5-1.14.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L
rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX
IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm
Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN
GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP
cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF
X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl
6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02
P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA==
=xlir
-----END PGP SIGNATURE-----

222
krb5-fix_interposer.patch Normal file
View File

@ -0,0 +1,222 @@
From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
ticket: 8280 (new)
---
src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
2 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
gss_cred_id_t cred = NULL;
gss_OID new_mechs_array = NULL;
gss_cred_id_t * new_cred_array = NULL;
+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
+ gss_OID selected_mech = GSS_C_NO_OID;
status = val_add_cred_impersonate_name_args(minor_status,
input_cred_handle,
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
return (status);
- mech = gssint_get_mechanism(desired_mech);
+ status = gssint_select_mech_type(minor_status, desired_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {
union_cred = (gss_union_cred_t)input_cred_handle;
- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
GSS_C_NO_CREDENTIAL)
return (GSS_S_DUPLICATE_ELEMENT);
}
mech_impersonator_cred =
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
- desired_mech);
+ selected_mech);
if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_NO_CRED);
/* may need to create a mechanism specific name */
union_name = (gss_union_name_t)desired_name;
if (union_name->mech_type &&
- g_OID_equal(union_name->mech_type,
- &mech->mech_type))
+ g_OID_equal(union_name->mech_type, selected_mech))
internal_name = union_name->mech_name;
else {
if (gssint_import_internal_name(minor_status,
- &mech->mech_type, union_name,
- &allocated_name) != GSS_S_COMPLETE)
+ selected_mech, union_name,
+ &allocated_name) != GSS_S_COMPLETE)
return (GSS_S_BAD_NAME);
internal_name = allocated_name;
}
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
else
time_req = 0;
+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
+ status = gss_add_oid_set_member(minor_status,
+ gssint_get_public_oid(selected_mech),
+ &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
status = mech->gss_acquire_cred_impersonate_name(minor_status,
mech_impersonator_cred,
internal_name,
time_req,
- GSS_C_NULL_OID_SET,
+ target_mechs,
cred_usage,
&cred,
NULL,
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
new_cred_array[union_cred->count] = cred;
if ((new_mechs_array[union_cred->count].elements =
- malloc(mech->mech_type.length)) == NULL)
+ malloc(selected_mech->length)) == NULL)
goto errout;
- g_OID_copy(&new_mechs_array[union_cred->count],
- &mech->mech_type);
+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
if (actual_mechs != NULL) {
- gss_OID_set_desc oids;
-
- oids.count = union_cred->count + 1;
- oids.elements = new_mechs_array;
-
- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
+ union_cred->count + 1,
+ actual_mechs);
if (GSS_ERROR(status)) {
free(new_mechs_array[union_cred->count].elements);
goto errout;
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
/* We're done with the internal name. Free it if we allocated it. */
if (allocated_name)
- (void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
&allocated_name);
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+
return (GSS_S_COMPLETE);
errout:
@@ -503,8 +517,10 @@ errout:
if (allocated_name)
(void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
- &allocated_name);
+ selected_mech, &allocated_name);
+
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index e6703eb..28fb9b1 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- OM_uint32 status;
+ OM_uint32 status, tmpmin;
gss_OID_set amechs = GSS_C_NULL_OID_SET;
spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
- gss_cred_id_t imp_mcred, out_mcred;
+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
- if (desired_mechs == GSS_C_NO_OID_SET) {
- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
- NULL, &amechs);
- if (status != GSS_S_COMPLETE)
- return status;
-
- desired_mechs = amechs;
- }
+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+ NULL, &amechs);
+ if (status != GSS_S_COMPLETE)
+ return status;
status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
desired_name, time_req,
- desired_mechs, cred_usage,
+ amechs, cred_usage,
&out_mcred, actual_mechs,
time_rec);
-
- if (amechs != GSS_C_NULL_OID_SET)
- (void) gss_release_oid_set(minor_status, &amechs);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
- if (status != GSS_S_COMPLETE) {
- gss_release_cred(minor_status, &out_mcred);
- return (status);
- }
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ out_mcred = GSS_C_NO_CREDENTIAL;
*output_cred_handle = (gss_cred_id_t)out_spcred;
+cleanup:
+ (void) gss_release_oid_set(&tmpmin, &amechs);
+ (void) gss_release_cred(&tmpmin, &out_mcred);
+
dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
return (status);
}
--
2.6.2

53
krb5-kvno-230379.patch
View File

@ -1,53 +0,0 @@
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
have a new key with the right version stored later in the keytab file.
Currently, we're setting up to overlook that possibility.
Note that this only affects the path taken when krb5_rd_rep() is passed a
server principal name, as without a server principal name it already tries
all of the keys it finds in the keytab, regardless of version numbers.
Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
+++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv)
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
- int use_pass = 0, use_key = 0, i;
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv)
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
+ use_kvno++;
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv)
}
}
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
"-k kvno -e enctype\n"), argv[0]);
return;
Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte
higher than that. Short-term workaround: only compare
the low 8 bits. */
- if (new_entry.vno == (kvno & 0xff)) {
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;

56
krb5-mechglue_inqure_attrs.patch Normal file
View File

@ -0,0 +1,56 @@
From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
This includes proper mechanism selection in gss_inquire_attrs_for_mech()
itself as well as passing the correct mech down from gss_accept_sec_context()
through allow_mech_by_default().
Also-authored-by: Simo Sorce <simo@redhat.com>
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..4a86024 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
status = GSS_S_NO_CRED;
goto error_out;
}
- } else if (!allow_mech_by_default(selected_mech)) {
+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
status = GSS_S_NO_CRED;
goto error_out;
}
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
index e9299f4..4bd44b5 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
{
OM_uint32 status, tmpMinor;
gss_mechanism mech;
+ gss_OID selected_mech;
if (minor == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
if (known_mech_attrs != NULL)
*known_mech_attrs = GSS_C_NO_OID_SET;
- mech = gssint_get_mechanism((gss_OID)mech_oid);
+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return (status);
+
+ mech = gssint_get_mechanism(selected_mech);
if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
status = mech->gss_inquire_attrs_for_mech(minor,
mech_oid,
--
2.6.4

148
krb5-mini.changes
View File

@ -1,7 +1,131 @@
-------------------------------------------------------------------
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
- Add two patches from Fedora, fixing two crashes:
* krb5-fix_interposer.patch
* krb5-mechglue_inqure_attrs.patch
-------------------------------------------------------------------
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
Code quality:
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.
Performance:
* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
User experience:
* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.
-------------------------------------------------------------------
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
- Udapte to 1.13.3
- Update to 1.13.3
- removed patches for security fixes now in upstream source:
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
Major changes in 1.13.3 (2015-12-04)
====================================
@ -19,10 +143,28 @@ krb5-1.14 release series or later.
krb5-1.10 or earlier.
-------------------------------------------------------------------
Mon Jun 1 07:38:15 UTC 2015 - hguo@suse.com
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
to fix a memory corruption regression introduced by resolution of
CVE-2015-2698. bsc#954204
-------------------------------------------------------------------
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
- Make kadmin.local man page available without having to install krb5-client. bsc#948011
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
to fix build_principal memory bug [CVE-2015-2697] bsc#952190
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
-------------------------------------------------------------------
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com
- Let server depend on libev (module of libverto). This was the
embedded implementation before the seperation of libverto from krb.
preferred implementation before the seperation of libverto from krb.
-------------------------------------------------------------------
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org

18
krb5-mini.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.13.3
%define srcRoot krb5-1.14
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.13.3
Version: 1.14
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -82,7 +82,10 @@ Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
Patch14: krbdev.mit.edu-8301.patch
Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -201,6 +204,8 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%build
# needs to be re-generated
@ -247,6 +252,9 @@ cp -a html_subst ../../html
cd ..
%endif
# Copy kadmin manual page into kadmin.local's due to the split between client and server package
cp man/kadmin.man man/kadmin.local.8
%install
# Where per-user keytabs live by default.
@ -349,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%endif
# manually remove test plugin since configure doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%find_lang mit-krb5

121
krb5.changes
View File

@ -1,7 +1,126 @@
-------------------------------------------------------------------
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
- Add two patches from Fedora, fixing two crashes:
* krb5-fix_interposer.patch
* krb5-mechglue_inqure_attrs.patch
-------------------------------------------------------------------
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
Code quality:
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.
Performance:
* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
User experience:
* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.
-------------------------------------------------------------------
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
- Udapte to 1.13.3
- Update to 1.13.3
- removed patches for security fixes now in upstream source:
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch

15
krb5.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.13.3
%define srcRoot krb5-1.14
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.13.3
Version: 1.14
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -82,7 +82,10 @@ Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
Patch14: krbdev.mit.edu-8301.patch
Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -201,6 +204,8 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%build
# needs to be re-generated
@ -352,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%endif
# manually remove test plugin since configure doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%find_lang mit-krb5

11
krbdev.mit.edu-8301.patch Normal file
View File

@ -0,0 +1,11 @@
--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-11-20 21:28:42.000000000 +0100
+++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-12-09 20:17:00.465765527 +0100
@@ -684,7 +684,7 @@
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
- k5_prependmsg(context, ost, st, _("'%s' not found"),
+ k5_wrapmsg(context, ost, st, _("'%s' not found"),
xargs.containerdn);
}
goto cleanup;