SHA256
1
0
forked from pool/krb5

- update to version 1.12.1

* Make KDC log service principal names more consistently during
    some error conditions, instead of "<unknown server>"
  * Fix several bugs related to building AES-NI support on less
    common configurations
  * Fix several bugs related to keyring credential caches
- upstream obsoletes:
  krb5-1.12-copy_context.patch
  krb5-1.12-enable-NX.patch
  krb5-1.12-pic-aes-ni.patch
  krb5-master-no-malloc0.patch
  krb5-master-ignore-empty-unnecessary-final-token.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=117
This commit is contained in:
Christian Kornacker 2014-01-21 15:06:23 +00:00 committed by Git OBS Bridge
parent 673bd84f01
commit 869a682f2d
15 changed files with 159 additions and 657 deletions

View File

@ -1,306 +0,0 @@
Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial)
profile_in_memory fields, and drop the hunk that touched .gitignore.
commit c452644d91d57d8b05ef396a029e34d0c7a48920
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 15:03:03 2013 -0500
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
ticket: 7807 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
index 0bc92f8..4237023 100644
--- a/src/lib/krb5/krb/copy_ctx.c
+++ b/src/lib/krb5/krb/copy_ctx.c
@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
nctx->ser_ctx_count = 0;
nctx->ser_ctx = NULL;
nctx->prompt_types = NULL;
+ nctx->preauth_context = NULL;
+ nctx->ccselect_handles = NULL;
+ nctx->localauth_handles = NULL;
+ nctx->hostrealm_handles = NULL;
+ nctx->kdblog_context = NULL;
+ nctx->trace_callback = NULL;
+ nctx->trace_callback_data = NULL;
+ nctx->plugin_base_dir = NULL;
nctx->os_context.default_ccname = NULL;
+#ifdef KRB5_DNS_LOOKUP
+ nctx->profile_in_memory = 0;
+#endif /* KRB5_DNS_LOOKUP */
+
memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
nctx->vtbl = NULL;
nctx->locate_fptrs = NULL;
memset(&nctx->err, 0, sizeof(nctx->err));
+ memset(&nctx->plugins, 0, sizeof(nctx->plugins));
ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
if (ret)
@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
ret = krb5_get_profile(ctx, &nctx->profile);
if (ret)
goto errout;
+ nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
+ if (nctx->plugin_base_dir == NULL) {
+ ret = ENOMEM;
+ goto errout;
+ }
errout:
if (ret) {
diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
index 9efe2e0..71f664f 100644
--- a/src/lib/krb5/krb/etype_list.c
+++ b/src/lib/krb5/krb/etype_list.c
@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
krb5_enctype *list;
*new_list = NULL;
+ if (old_list == NULL)
+ return 0;
count = k5_count_etypes(old_list);
list = malloc(sizeof(krb5_enctype) * (count + 1));
if (list == NULL)
commit b78c3c8c5025aec870d20472f80d4a652062f921
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 13:08:25 2013 -0500
Add a test program for krb5_copy_context
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
ticket: 7807
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 7d1682d..3b58219 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/t_expire_warn.c \
$(srcdir)/t_authdata.c \
$(srcdir)/t_cc_config.c \
+ $(srcdir)/t_copy_context.c \
$(srcdir)/t_in_ccache.c \
$(srcdir)/t_response_items.c \
$(srcdir)/t_vfy_increds.c
@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS)
t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS)
+t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS)
+
t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS)
TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
- t_in_ccache t_cc_config \
+ t_in_ccache t_cc_config t_copy_context \
t_princ t_etypes t_vfy_increds t_response_items
check-unix:: $(TEST_PROGS)
@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS)
$(RUN_SETUP) $(VALGRIND) ./t_princ
$(RUN_SETUP) $(VALGRIND) ./t_etypes
$(RUN_SETUP) $(VALGRIND) ./t_response_items
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_copy_context
check-pytests:: t_expire_warn t_vfy_increds
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
@@ -491,6 +497,7 @@ clean::
$(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \
$(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \
$(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \
+ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \
$(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \
$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
new file mode 100644
index 0000000..522fa0c
--- /dev/null
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -0,0 +1,166 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <k5-int.h>
+
+static void
+trace(krb5_context ctx, const krb5_trace_info *info, void *data)
+{
+}
+
+static void
+check(int cond)
+{
+ if (!cond)
+ abort();
+}
+
+static void
+compare_string(const char *str1, const char *str2)
+{
+ check((str1 == NULL) == (str2 == NULL));
+ if (str1 != NULL)
+ check(strcmp(str1, str2) == 0);
+}
+
+static void
+compare_etypes(krb5_enctype *list1, krb5_enctype *list2)
+{
+ check((list1 == NULL) == (list2 == NULL));
+ if (list1 == NULL)
+ return;
+ while (*list1 != ENCTYPE_NULL && *list1 == *list2)
+ list1++, list2++;
+ check(*list1 == *list2);
+}
+
+/* Check that the context c is a valid copy of the reference context r. */
+static void
+check_context(krb5_context c, krb5_context r)
+{
+ int i;
+
+ /* Check fields which should have been propagated from r. */
+ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes);
+ compare_etypes(c->tgs_etypes, r->tgs_etypes);
+ check(c->os_context.time_offset == r->os_context.time_offset);
+ check(c->os_context.usec_offset == r->os_context.usec_offset);
+ check(c->os_context.os_flags == r->os_context.os_flags);
+ compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
+ check(c->clockskew == r->clockskew);
+ check(c->kdc_req_sumtype == r->kdc_req_sumtype);
+ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
+ check(c->default_safe_sumtype == r->default_safe_sumtype);
+ check(c->kdc_default_options == r->kdc_default_options);
+ check(c->library_options == r->library_options);
+ check(c->profile_secure == r->profile_secure);
+ check(c->fcc_default_format == r->fcc_default_format);
+ check(c->udp_pref_limit == r->udp_pref_limit);
+ check(c->use_conf_ktypes == r->use_conf_ktypes);
+ check(c->allow_weak_crypto == r->allow_weak_crypto);
+ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname);
+ check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname);
+ compare_string(c->plugin_base_dir, r->plugin_base_dir);
+
+ /* Check fields which don't propagate. */
+ check(c->dal_handle == NULL);
+ check(c->ser_ctx_count == 0);
+ check(c->ser_ctx == NULL);
+ check(c->prompt_types == NULL);
+ check(c->libkrb5_plugins.files == NULL);
+ check(c->preauth_context == NULL);
+ check(c->ccselect_handles == NULL);
+ check(c->localauth_handles == NULL);
+ check(c->hostrealm_handles == NULL);
+ check(c->err.code == 0);
+ check(c->err.msg == NULL);
+ check(c->kdblog_context == NULL);
+ check(c->trace_callback == NULL);
+ check(c->trace_callback_data == NULL);
+ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) {
+ check(c->plugins[i].modules == NULL);
+ check(!c->plugins[i].configured);
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ krb5_context ctx, ctx2;
+ krb5_plugin_initvt_fn *mods;
+ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
+ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
+ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
+
+ /* Copy a default context and verify the result. */
+ check(krb5_init_context(&ctx) == 0);
+ check(krb5_copy_context(ctx, &ctx2) == 0);
+ check_context(ctx2, ctx);
+ krb5_free_context(ctx2);
+
+ /* Set non-default values for all of the propagated fields in ctx. */
+ ctx->allow_weak_crypto = TRUE;
+ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0);
+ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0);
+ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0);
+ check(krb5_cc_set_default_name(ctx, "defccname") == 0);
+ check(krb5_set_default_realm(ctx, "defrealm") == 0);
+ ctx->clockskew = 18;
+ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
+ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
+ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
+ ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
+ ctx->library_options = 0;
+ ctx->profile_secure = TRUE;
+ ctx->udp_pref_limit = 2345;
+ ctx->use_conf_ktypes = TRUE;
+ ctx->ignore_acceptor_hostname = TRUE;
+ ctx->dns_canonicalize_hostname = FALSE;
+ free(ctx->plugin_base_dir);
+ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
+
+ /* Also set some of the non-propagated fields. */
+ ctx->prompt_types = ptypes;
+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
+ k5_plugin_free_modules(ctx, mods);
+ krb5_set_error_message(ctx, ENOMEM, "nooooooooo");
+ krb5_set_trace_callback(ctx, trace, ctx);
+
+ /* Copy the intentionally messy context and verify the result. */
+ check(krb5_copy_context(ctx, &ctx2) == 0);
+ check_context(ctx2, ctx);
+ krb5_free_context(ctx2);
+
+ krb5_free_context(ctx);
+ return 0;
+}

View File

@ -1,57 +0,0 @@
commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Jan 3 13:50:48 2014 -0500
Mark AESNI files as not needing executable stacks
Some Linux systems now come with facilities to mark the stack as
non-executable, making it more difficult to exploit buffer overrun
bugs. For this to work, object files built from assembly need a
section added to note whether they require an executable stack.
Patch from Dhiru Kholia with comments added. More information at:
https://bugzilla.redhat.com/show_bug.cgi?id=1045699
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
ticket: 7813
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
index 1c091c1..d03c859 100644
--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
movdqu [r9],xmm1
add rsp,16*16+8
ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
index b667acd..1aa12e6 100644
--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
movdqu [ecx],xmm1 ; store last iv for chaining
ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif

View File

@ -1,70 +0,0 @@
--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
@@ -256,6 +256,7 @@ DD 0
section .text
+extern _GLOBAL_OFFSET_TABLE_
align 16
key_expansion256:
@@ -318,12 +319,18 @@ _iEncExpandKey128:
mov ecx,[esp-4+8] ;input
mov edx,[esp-4+12] ;ctx
+ push ebx
movdqu xmm1, [ecx] ; loading the key
movdqu [edx], xmm1
- movdqa xmm5, [shuffle_mask]
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
add edx,16
@@ -348,6 +355,8 @@ _iEncExpandKey128:
aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10
call key_expansion128
+ pop ebx
+
ret
@@ -412,6 +421,7 @@ global _iEncExpandKey256
_iEncExpandKey256:
mov ecx, [esp-4+8] ;input
mov edx, [esp-4+12] ;expanded key
+ push ebx
movdqu xmm1, [ecx] ; loading the key
@@ -421,7 +431,12 @@ _iEncExpandKey256:
add edx,32
- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
aeskeygenassist xmm2, xmm3, 0x1 ;
call key_expansion256
@@ -452,6 +467,8 @@ _iEncExpandKey256:
movdqu [edx], xmm1
+ pop ebx
+
ret

3
krb5-1.12.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345
size 11938756

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a
size 11925134

View File

@ -1,28 +0,0 @@
commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
Author: Simo Sorce <simo@redhat.com>
Date: Fri Dec 13 12:00:41 2013 -0500
Fix memory leak in SPNEGO initiator
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
[ghudson@mit.edu: clarified commit message]
ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 818a1b4..06cfab0 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
* can do this with recursion. If all mechanisms produce errors, the
* caller should get the error from the first mech in the list.
*/
+ gssalloc_free(sc->mech_set->elements->elements);
memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
--sc->mech_set->count * sizeof(*sc->mech_set->elements));
if (sc->mech_set->count == 0)

View File

@ -1,37 +0,0 @@
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
map_errcode(minor_status);
ret = GSS_S_DEFECTIVE_TOKEN;
}
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
} else if (sc->mech_complete) {
/* Reject spurious mech token. */
ret = GSS_S_DEFECTIVE_TOKEN;

View File

@ -0,0 +1,108 @@
commit e99c688913a7761c6adea9488ea9355f43539883
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jan 16 17:48:54 2014 -0500
Get time offsets for all keyring ccaches
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.
ticket: 7820
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index a0c8035..27bad9d 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
/* Create a cache handle for a cache ID. */
static krb5_error_code
-make_cache(key_serial_t collection_id, key_serial_t cache_id,
- const char *anchor_name, const char *collection_name,
- const char *subsidiary_name, krb5_ccache *cache_out)
+make_cache(krb5_context context, key_serial_t collection_id,
+ key_serial_t cache_id, const char *anchor_name,
+ const char *collection_name, const char *subsidiary_name,
+ krb5_ccache *cache_out)
{
krb5_error_code ret;
+ krb5_os_context os_ctx = &context->os_context;
krb5_ccache ccache = NULL;
krb5_krcc_data *d;
key_serial_t pkey = 0;
@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
ccache->data = d;
ccache->magic = KV5M_CCACHE;
*cache_out = ccache;
+
+ /* Lookup time offsets if necessary. */
+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+ if (krb5_krcc_get_time_offsets(context, ccache,
+ &os_ctx->time_offset,
+ &os_ctx->usec_offset) == 0) {
+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+ }
+ }
+
return 0;
}
@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
static krb5_error_code KRB5_CALLCONV
krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
{
- krb5_os_context os_ctx = &context->os_context;
krb5_error_code ret;
key_serial_t collection_id, cache_id;
char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
if (cache_id < 0)
cache_id = 0;
- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
- subsidiary_name, id);
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
+ collection_name, subsidiary_name, id);
if (ret)
goto cleanup;
- /* Lookup time offsets if necessary. */
- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
- if (krb5_krcc_get_time_offsets(context, *id,
- &os_ctx->time_offset,
- &os_ctx->usec_offset) == 0) {
- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
- }
- }
-
cleanup:
free(anchor_name);
free(collection_name);
@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
first_name, 0);
if (cache_id != -1) {
- return make_cache(data->collection_id, cache_id, data->anchor_name,
- data->collection_name, first_name, cache_out);
+ return make_cache(context, data->collection_id, cache_id,
+ data->anchor_name, data->collection_name,
+ first_name, cache_out);
}
}
@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
/* We found a valid key */
data->next_key++;
- ret = make_cache(data->collection_id, key, data->anchor_name,
+ ret = make_cache(context, data->collection_id, key, data->anchor_name,
data->collection_name, subsidiary_name, cache_out);
free(description);
return ret;

View File

@ -1,39 +0,0 @@
commit decccbcb5075f8fbc28a535a9b337afc84a15dee
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Dec 16 15:37:56 2013 -0500
Fix GSS krb5 acceptor acquire_cred error handling
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
ticket: 7805
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 0efcad4..9547207 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
&cred->rcache);
if (code) {
+ krb5_kt_close(context, kt);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
/* Make sure we have a keytab with keys in it. */
code = krb5_kt_have_content(context, kt);
if (code) {
+ krb5_kt_close(context, kt);
*minor_status = code;
- return GSS_S_FAILURE;
+ return GSS_S_CRED_UNAVAIL;
}
}

View File

@ -1,39 +0,0 @@
commit 13fd26e1863c79f616653f6a10a58c01f65fceff
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Dec 6 18:56:56 2013 -0500
Avoid malloc(0) in SPNEGO get_input_token
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
ticket: 7794 (new)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 24c3440..3937662 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
return (NULL);
input_token->length = len;
- input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->length > 0) {
+ input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->value == NULL) {
+ free(input_token);
+ return (NULL);
+ }
- if (input_token->value == NULL) {
- free(input_token);
- return (NULL);
+ memcpy(input_token->value, *buff_in, input_token->length);
+ } else {
+ input_token->value = NULL;
}
-
- (void) memcpy(input_token->value, *buff_in, input_token->length);
*buff_in += input_token->length;
return (input_token);
}

View File

@ -1,44 +0,0 @@
commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Dec 18 16:03:16 2013 -0500
Test SPNEGO error message in t_s4u.py
Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.
ticket: 7045
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 67dc810..e4aa259 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy')
-# Again with SPNEGO. Bug #7045 prevents us from checking the error
-# message, but we can at least exercise the code.
+# Again with SPNEGO.
output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
'-', pservice1, pservice2],
expected_code=1)
-if ('auth1: ' + realm.user_princ not in output):
+if ('auth1: ' + realm.user_princ not in output or
+ 'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy (SPNEGO)')
# Try krb5 -> S4U2Proxy without forwardable user creds. This should
@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
# Again with SPNEGO. This uses SPNEGO for the initial authentication,
-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
-# directly rather than saving and reacquiring it) so bug #7045 does
-# not apply and we can verify the error message.
+# directly rather than saving and reacquiring it.
output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')

View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
- update to version 1.12.1
* Make KDC log service principal names more consistently during
some error conditions, instead of "<unknown server>"
* Fix several bugs related to building AES-NI support on less
common configurations
* Fix several bugs related to keyring credential caches
- upstream obsoletes:
krb5-1.12-copy_context.patch
krb5-1.12-enable-NX.patch
krb5-1.12-pic-aes-ni.patch
krb5-master-no-malloc0.patch
krb5-master-ignore-empty-unnecessary-final-token.patch
krb5-master-gss_oid_leak.patch
krb5-master-keytab_close.patch
krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches
krb5-master-keyring-kdcsync.patch (RT#7820)
-------------------------------------------------------------------
Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com

View File

@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.12
%define srcRoot krb5-1.12.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12
Version: 1.12.1
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-1.12-copy_context.patch
Patch16: krb5-1.12-enable-NX.patch
Patch17: krb5-1.12-pic-aes-ni.patch
Patch18: krb5-master-no-malloc0.patch
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
Patch20: krb5-master-gss_oid_leak.patch
Patch21: krb5-master-keytab_close.patch
Patch22: krb5-master-spnego_error_messages.patch
Patch15: krb5-master-keyring-kdcsync.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -206,13 +199,6 @@ Include Files for Development
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%build
# needs to be re-generated

View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
- update to version 1.12.1
* Make KDC log service principal names more consistently during
some error conditions, instead of "<unknown server>"
* Fix several bugs related to building AES-NI support on less
common configurations
* Fix several bugs related to keyring credential caches
- upstream obsoletes:
krb5-1.12-copy_context.patch
krb5-1.12-enable-NX.patch
krb5-1.12-pic-aes-ni.patch
krb5-master-no-malloc0.patch
krb5-master-ignore-empty-unnecessary-final-token.patch
krb5-master-gss_oid_leak.patch
krb5-master-keytab_close.patch
krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches
krb5-master-keyring-kdcsync.patch (RT#7820)
-------------------------------------------------------------------
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com

View File

@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.12
%define srcRoot krb5-1.12.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12
Version: 1.12.1
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-1.12-copy_context.patch
Patch16: krb5-1.12-enable-NX.patch
Patch17: krb5-1.12-pic-aes-ni.patch
Patch18: krb5-master-no-malloc0.patch
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
Patch20: krb5-master-gss_oid_leak.patch
Patch21: krb5-master-keytab_close.patch
Patch22: krb5-master-spnego_error_messages.patch
Patch15: krb5-master-keyring-kdcsync.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -206,13 +199,6 @@ Include Files for Development
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%build
# needs to be re-generated