From 869a682f2decfaccfd0d53f7c292babf5081ba01ee826c839cd458734c921c2d Mon Sep 17 00:00:00 2001 From: Christian Kornacker Date: Tue, 21 Jan 2014 15:06:23 +0000 Subject: [PATCH] - update to version 1.12.1 * Make KDC log service principal names more consistently during some error conditions, instead of "" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches - upstream obsoletes: krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-pic-aes-ni.patch krb5-master-no-malloc0.patch krb5-master-ignore-empty-unnecessary-final-token.patch OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=117 --- krb5-1.12-copy_context.patch | 306 ------------------ krb5-1.12-enable-NX.patch | 57 ---- krb5-1.12-pic-aes-ni.patch | 70 ---- krb5-1.12.1.tar.gz | 3 + krb5-1.12.tar.gz | 3 - krb5-master-gss_oid_leak.patch | 28 -- ...ignore-empty-unnecessary-final-token.patch | 37 --- krb5-master-keyring-kdcsync.patch | 108 +++++++ krb5-master-keytab_close.patch | 39 --- krb5-master-no-malloc0.patch | 39 --- krb5-master-spnego_error_messages.patch | 44 --- krb5-mini.changes | 21 ++ krb5-mini.spec | 20 +- krb5.changes | 21 ++ krb5.spec | 20 +- 15 files changed, 159 insertions(+), 657 deletions(-) delete mode 100644 krb5-1.12-copy_context.patch delete mode 100644 krb5-1.12-enable-NX.patch delete mode 100644 krb5-1.12-pic-aes-ni.patch create mode 100644 krb5-1.12.1.tar.gz delete mode 100644 krb5-1.12.tar.gz delete mode 100644 krb5-master-gss_oid_leak.patch delete mode 100644 krb5-master-ignore-empty-unnecessary-final-token.patch create mode 100644 krb5-master-keyring-kdcsync.patch delete mode 100644 krb5-master-keytab_close.patch delete mode 100644 krb5-master-no-malloc0.patch delete mode 100644 krb5-master-spnego_error_messages.patch diff --git a/krb5-1.12-copy_context.patch b/krb5-1.12-copy_context.patch deleted file mode 100644 index b1f7d6c..0000000 --- a/krb5-1.12-copy_context.patch +++ /dev/null @@ -1,306 +0,0 @@ -Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial) -profile_in_memory fields, and drop the hunk that touched .gitignore. - -commit c452644d91d57d8b05ef396a029e34d0c7a48920 -Author: Greg Hudson -Date: Wed Dec 18 15:03:03 2013 -0500 - - Fix krb5_copy_context - - krb5_copy_context has been broken since 1.8 (it broke in r22456) - because k5_copy_etypes crashes on null enctype lists. Subsequent - additions to the context structure were not reflected in - krb5_copy_context, creating double-free bugs. Make k5_copy_etypes - handle null input and account for all new fields in krb5_copy_context. - Reported by Arran Cudbard-Bell. - - ticket: 7807 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c -index 0bc92f8..4237023 100644 ---- a/src/lib/krb5/krb/copy_ctx.c -+++ b/src/lib/krb5/krb/copy_ctx.c -@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) - nctx->ser_ctx_count = 0; - nctx->ser_ctx = NULL; - nctx->prompt_types = NULL; -+ nctx->preauth_context = NULL; -+ nctx->ccselect_handles = NULL; -+ nctx->localauth_handles = NULL; -+ nctx->hostrealm_handles = NULL; -+ nctx->kdblog_context = NULL; -+ nctx->trace_callback = NULL; -+ nctx->trace_callback_data = NULL; -+ nctx->plugin_base_dir = NULL; - nctx->os_context.default_ccname = NULL; - -+#ifdef KRB5_DNS_LOOKUP -+ nctx->profile_in_memory = 0; -+#endif /* KRB5_DNS_LOOKUP */ -+ - memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); - nctx->vtbl = NULL; - nctx->locate_fptrs = NULL; - - memset(&nctx->err, 0, sizeof(nctx->err)); -+ memset(&nctx->plugins, 0, sizeof(nctx->plugins)); - - ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes); - if (ret) -@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) - ret = krb5_get_profile(ctx, &nctx->profile); - if (ret) - goto errout; -+ nctx->plugin_base_dir = strdup(ctx->plugin_base_dir); -+ if (nctx->plugin_base_dir == NULL) { -+ ret = ENOMEM; -+ goto errout; -+ } - - errout: - if (ret) { -diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c -index 9efe2e0..71f664f 100644 ---- a/src/lib/krb5/krb/etype_list.c -+++ b/src/lib/krb5/krb/etype_list.c -@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list) - krb5_enctype *list; - - *new_list = NULL; -+ if (old_list == NULL) -+ return 0; - count = k5_count_etypes(old_list); - list = malloc(sizeof(krb5_enctype) * (count + 1)); - if (list == NULL) - -commit b78c3c8c5025aec870d20472f80d4a652062f921 -Author: Greg Hudson -Date: Wed Dec 18 13:08:25 2013 -0500 - - Add a test program for krb5_copy_context - - This test program isn't completely proof against the kind of mistakes - we've made with krb5_copy_context in the past, but it at least - exercises krb5_copy_context and can detect some kinds of bugs. - - ticket: 7807 - -diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in -index 7d1682d..3b58219 100644 ---- a/src/lib/krb5/krb/Makefile.in -+++ b/src/lib/krb5/krb/Makefile.in -@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \ - $(srcdir)/t_expire_warn.c \ - $(srcdir)/t_authdata.c \ - $(srcdir)/t_cc_config.c \ -+ $(srcdir)/t_copy_context.c \ - $(srcdir)/t_in_ccache.c \ - $(srcdir)/t_response_items.c \ - $(srcdir)/t_vfy_increds.c -@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS) - t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS) - -+t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS) -+ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS) -+ - t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS) - - TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ -- t_in_ccache t_cc_config \ -+ t_in_ccache t_cc_config t_copy_context \ - t_princ t_etypes t_vfy_increds t_response_items - - check-unix:: $(TEST_PROGS) -@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS) - $(RUN_SETUP) $(VALGRIND) ./t_princ - $(RUN_SETUP) $(VALGRIND) ./t_etypes - $(RUN_SETUP) $(VALGRIND) ./t_response_items -+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ -+ $(RUN_SETUP) $(VALGRIND) ./t_copy_context - - check-pytests:: t_expire_warn t_vfy_increds - $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) -@@ -491,6 +497,7 @@ clean:: - $(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \ - $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \ - $(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \ -+ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \ - $(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \ - $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \ - $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ -diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c -new file mode 100644 -index 0000000..522fa0c ---- /dev/null -+++ b/src/lib/krb5/krb/t_copy_context.c -@@ -0,0 +1,166 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */ -+/* -+ * Copyright (C) 2013 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include -+ -+static void -+trace(krb5_context ctx, const krb5_trace_info *info, void *data) -+{ -+} -+ -+static void -+check(int cond) -+{ -+ if (!cond) -+ abort(); -+} -+ -+static void -+compare_string(const char *str1, const char *str2) -+{ -+ check((str1 == NULL) == (str2 == NULL)); -+ if (str1 != NULL) -+ check(strcmp(str1, str2) == 0); -+} -+ -+static void -+compare_etypes(krb5_enctype *list1, krb5_enctype *list2) -+{ -+ check((list1 == NULL) == (list2 == NULL)); -+ if (list1 == NULL) -+ return; -+ while (*list1 != ENCTYPE_NULL && *list1 == *list2) -+ list1++, list2++; -+ check(*list1 == *list2); -+} -+ -+/* Check that the context c is a valid copy of the reference context r. */ -+static void -+check_context(krb5_context c, krb5_context r) -+{ -+ int i; -+ -+ /* Check fields which should have been propagated from r. */ -+ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes); -+ compare_etypes(c->tgs_etypes, r->tgs_etypes); -+ check(c->os_context.time_offset == r->os_context.time_offset); -+ check(c->os_context.usec_offset == r->os_context.usec_offset); -+ check(c->os_context.os_flags == r->os_context.os_flags); -+ compare_string(c->os_context.default_ccname, r->os_context.default_ccname); -+ check(c->clockskew == r->clockskew); -+ check(c->kdc_req_sumtype == r->kdc_req_sumtype); -+ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); -+ check(c->default_safe_sumtype == r->default_safe_sumtype); -+ check(c->kdc_default_options == r->kdc_default_options); -+ check(c->library_options == r->library_options); -+ check(c->profile_secure == r->profile_secure); -+ check(c->fcc_default_format == r->fcc_default_format); -+ check(c->udp_pref_limit == r->udp_pref_limit); -+ check(c->use_conf_ktypes == r->use_conf_ktypes); -+ check(c->allow_weak_crypto == r->allow_weak_crypto); -+ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname); -+ check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname); -+ compare_string(c->plugin_base_dir, r->plugin_base_dir); -+ -+ /* Check fields which don't propagate. */ -+ check(c->dal_handle == NULL); -+ check(c->ser_ctx_count == 0); -+ check(c->ser_ctx == NULL); -+ check(c->prompt_types == NULL); -+ check(c->libkrb5_plugins.files == NULL); -+ check(c->preauth_context == NULL); -+ check(c->ccselect_handles == NULL); -+ check(c->localauth_handles == NULL); -+ check(c->hostrealm_handles == NULL); -+ check(c->err.code == 0); -+ check(c->err.msg == NULL); -+ check(c->kdblog_context == NULL); -+ check(c->trace_callback == NULL); -+ check(c->trace_callback_data == NULL); -+ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) { -+ check(c->plugins[i].modules == NULL); -+ check(!c->plugins[i].configured); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ krb5_context ctx, ctx2; -+ krb5_plugin_initvt_fn *mods; -+ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 }; -+ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }; -+ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD }; -+ -+ /* Copy a default context and verify the result. */ -+ check(krb5_init_context(&ctx) == 0); -+ check(krb5_copy_context(ctx, &ctx2) == 0); -+ check_context(ctx2, ctx); -+ krb5_free_context(ctx2); -+ -+ /* Set non-default values for all of the propagated fields in ctx. */ -+ ctx->allow_weak_crypto = TRUE; -+ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0); -+ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0); -+ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0); -+ check(krb5_cc_set_default_name(ctx, "defccname") == 0); -+ check(krb5_set_default_realm(ctx, "defrealm") == 0); -+ ctx->clockskew = 18; -+ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; -+ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; -+ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; -+ ctx->kdc_default_options = KDC_OPT_FORWARDABLE; -+ ctx->library_options = 0; -+ ctx->profile_secure = TRUE; -+ ctx->udp_pref_limit = 2345; -+ ctx->use_conf_ktypes = TRUE; -+ ctx->ignore_acceptor_hostname = TRUE; -+ ctx->dns_canonicalize_hostname = FALSE; -+ free(ctx->plugin_base_dir); -+ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL); -+ -+ /* Also set some of the non-propagated fields. */ -+ ctx->prompt_types = ptypes; -+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0); -+ k5_plugin_free_modules(ctx, mods); -+ krb5_set_error_message(ctx, ENOMEM, "nooooooooo"); -+ krb5_set_trace_callback(ctx, trace, ctx); -+ -+ /* Copy the intentionally messy context and verify the result. */ -+ check(krb5_copy_context(ctx, &ctx2) == 0); -+ check_context(ctx2, ctx); -+ krb5_free_context(ctx2); -+ -+ krb5_free_context(ctx); -+ return 0; -+} diff --git a/krb5-1.12-enable-NX.patch b/krb5-1.12-enable-NX.patch deleted file mode 100644 index 63c8bb6..0000000 --- a/krb5-1.12-enable-NX.patch +++ /dev/null @@ -1,57 +0,0 @@ -commit c64e39c69a9a7ee32c00b0cf7918f6274a565544 -Author: Greg Hudson -Date: Fri Jan 3 13:50:48 2014 -0500 - - Mark AESNI files as not needing executable stacks - - Some Linux systems now come with facilities to mark the stack as - non-executable, making it more difficult to exploit buffer overrun - bugs. For this to work, object files built from assembly need a - section added to note whether they require an executable stack. - - Patch from Dhiru Kholia with comments added. More information at: - https://bugzilla.redhat.com/show_bug.cgi?id=1045699 - https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart - - ticket: 7813 - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s -index 1c091c1..d03c859 100644 ---- a/src/lib/crypto/builtin/aes/iaesx64.s -+++ b/src/lib/crypto/builtin/aes/iaesx64.s -@@ -834,3 +834,14 @@ lp256encsingle_CBC: - movdqu [r9],xmm1 - add rsp,16*16+8 - ret -+ -+; Mark this file as not needing an executable stack. -+%ifidn __OUTPUT_FORMAT__,elf -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif -+%ifidn __OUTPUT_FORMAT__,elf32 -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif -+%ifidn __OUTPUT_FORMAT__,elf64 -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif -diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s -index b667acd..1aa12e6 100644 ---- a/src/lib/crypto/builtin/aes/iaesx86.s -+++ b/src/lib/crypto/builtin/aes/iaesx86.s -@@ -871,3 +871,14 @@ lp256encsingle_CBC: - movdqu [ecx],xmm1 ; store last iv for chaining - - ret -+ -+; Mark this file as not needing an executable stack. -+%ifidn __OUTPUT_FORMAT__,elf -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif -+%ifidn __OUTPUT_FORMAT__,elf32 -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif -+%ifidn __OUTPUT_FORMAT__,elf64 -+section .note.GNU-stack noalloc noexec nowrite progbits -+%endif diff --git a/krb5-1.12-pic-aes-ni.patch b/krb5-1.12-pic-aes-ni.patch deleted file mode 100644 index 070da6c..0000000 --- a/krb5-1.12-pic-aes-ni.patch +++ /dev/null @@ -1,70 +0,0 @@ ---- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s -+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s -@@ -256,6 +256,7 @@ DD 0 - section .text - - -+extern _GLOBAL_OFFSET_TABLE_ - - align 16 - key_expansion256: -@@ -318,12 +319,18 @@ _iEncExpandKey128: - - mov ecx,[esp-4+8] ;input - mov edx,[esp-4+12] ;ctx -+ push ebx - - movdqu xmm1, [ecx] ; loading the key - - movdqu [edx], xmm1 - -- movdqa xmm5, [shuffle_mask] -+ call .get_GOT -+.get_GOT: -+ pop ebx -+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc -+ -+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] - - add edx,16 - -@@ -348,6 +355,8 @@ _iEncExpandKey128: - aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10 - call key_expansion128 - -+ pop ebx -+ - ret - - -@@ -412,6 +421,7 @@ global _iEncExpandKey256 - _iEncExpandKey256: - mov ecx, [esp-4+8] ;input - mov edx, [esp-4+12] ;expanded key -+ push ebx - - - movdqu xmm1, [ecx] ; loading the key -@@ -421,7 +431,12 @@ _iEncExpandKey256: - - add edx,32 - -- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion -+ call .get_GOT -+.get_GOT: -+ pop ebx -+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc -+ -+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion - - aeskeygenassist xmm2, xmm3, 0x1 ; - call key_expansion256 -@@ -452,6 +467,8 @@ _iEncExpandKey256: - movdqu [edx], xmm1 - - -+ pop ebx -+ - ret - - diff --git a/krb5-1.12.1.tar.gz b/krb5-1.12.1.tar.gz new file mode 100644 index 0000000..f24d5ad --- /dev/null +++ b/krb5-1.12.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345 +size 11938756 diff --git a/krb5-1.12.tar.gz b/krb5-1.12.tar.gz deleted file mode 100644 index 3ae2072..0000000 --- a/krb5-1.12.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a -size 11925134 diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch deleted file mode 100644 index 1002738..0000000 --- a/krb5-master-gss_oid_leak.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a -Author: Simo Sorce -Date: Fri Dec 13 12:00:41 2013 -0500 - - Fix memory leak in SPNEGO initiator - - If we eliminate a mechanism from the initiator list because - gss_init_sec_context fails, free the memory for that mech OID before - removing it from the list. - - [ghudson@mit.edu: clarified commit message] - - ticket: 7803 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 818a1b4..06cfab0 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status, - * can do this with recursion. If all mechanisms produce errors, the - * caller should get the error from the first mech in the list. - */ -+ gssalloc_free(sc->mech_set->elements->elements); - memmove(sc->mech_set->elements, sc->mech_set->elements + 1, - --sc->mech_set->count * sizeof(*sc->mech_set->elements)); - if (sc->mech_set->count == 0) diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch deleted file mode 100644 index 6659251..0000000 --- a/krb5-master-ignore-empty-unnecessary-final-token.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 37af638b742dbd642eb70092e4f7781c3f69d86d -Author: Greg Hudson -Date: Tue Dec 10 12:04:18 2013 -0500 - - Fix SPNEGO one-hop interop against old IIS - - IIS 6.0 and similar return a zero length reponse buffer in the last - SPNEGO packet when context initiation is performed without mutual - authentication. In this case the underlying Kerberos mechanism has - already completed successfully on the first invocation, and SPNEGO - does not expect a mech response token in the answer. If we get an - empty mech response token when the mech is complete during - negotiation, ignore it. - - [ghudson@mit.edu: small code style and commit message changes] - - ticket: 7797 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 3937662..d82934b 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, - map_errcode(minor_status); - ret = GSS_S_DEFECTIVE_TOKEN; - } -+ } else if ((*responseToken)->length == 0 && sc->mech_complete) { -+ /* Handle old IIS servers returning empty token instead of -+ * null tokens in the non-mutual auth case. */ -+ *negState = ACCEPT_COMPLETE; -+ *tokflag = NO_TOKEN_SEND; -+ ret = GSS_S_COMPLETE; - } else if (sc->mech_complete) { - /* Reject spurious mech token. */ - ret = GSS_S_DEFECTIVE_TOKEN; diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch new file mode 100644 index 0000000..b095814 --- /dev/null +++ b/krb5-master-keyring-kdcsync.patch @@ -0,0 +1,108 @@ +commit e99c688913a7761c6adea9488ea9355f43539883 +Author: Greg Hudson +Date: Thu Jan 16 17:48:54 2014 -0500 + + Get time offsets for all keyring ccaches + + Move the time offset lookup from krb5_krcc_resolve to make_cache, so + that we fetch time offsets for caches created by + krb5_krcc_ptcursor_next. + + ticket: 7820 + target_version: 1.12.2 + tags: pullup + +diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c +index a0c8035..27bad9d 100644 +--- a/src/lib/krb5/ccache/cc_keyring.c ++++ b/src/lib/krb5/ccache/cc_keyring.c +@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) + + /* Create a cache handle for a cache ID. */ + static krb5_error_code +-make_cache(key_serial_t collection_id, key_serial_t cache_id, +- const char *anchor_name, const char *collection_name, +- const char *subsidiary_name, krb5_ccache *cache_out) ++make_cache(krb5_context context, key_serial_t collection_id, ++ key_serial_t cache_id, const char *anchor_name, ++ const char *collection_name, const char *subsidiary_name, ++ krb5_ccache *cache_out) + { + krb5_error_code ret; ++ krb5_os_context os_ctx = &context->os_context; + krb5_ccache ccache = NULL; + krb5_krcc_data *d; + key_serial_t pkey = 0; +@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, + ccache->data = d; + ccache->magic = KV5M_CCACHE; + *cache_out = ccache; ++ ++ /* Lookup time offsets if necessary. */ ++ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && ++ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { ++ if (krb5_krcc_get_time_offsets(context, ccache, ++ &os_ctx->time_offset, ++ &os_ctx->usec_offset) == 0) { ++ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; ++ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; ++ } ++ } ++ + return 0; + } + +@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, + static krb5_error_code KRB5_CALLCONV + krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) + { +- krb5_os_context os_ctx = &context->os_context; + krb5_error_code ret; + key_serial_t collection_id, cache_id; + char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL; +@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) + if (cache_id < 0) + cache_id = 0; + +- ret = make_cache(collection_id, cache_id, anchor_name, collection_name, +- subsidiary_name, id); ++ ret = make_cache(context, collection_id, cache_id, anchor_name, ++ collection_name, subsidiary_name, id); + if (ret) + goto cleanup; + +- /* Lookup time offsets if necessary. */ +- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && +- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { +- if (krb5_krcc_get_time_offsets(context, *id, +- &os_ctx->time_offset, +- &os_ctx->usec_offset) == 0) { +- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; +- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; +- } +- } +- + cleanup: + free(anchor_name); + free(collection_name); +@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, + cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING, + first_name, 0); + if (cache_id != -1) { +- return make_cache(data->collection_id, cache_id, data->anchor_name, +- data->collection_name, first_name, cache_out); ++ return make_cache(context, data->collection_id, cache_id, ++ data->anchor_name, data->collection_name, ++ first_name, cache_out); + } + } + +@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, + + /* We found a valid key */ + data->next_key++; +- ret = make_cache(data->collection_id, key, data->anchor_name, ++ ret = make_cache(context, data->collection_id, key, data->anchor_name, + data->collection_name, subsidiary_name, cache_out); + free(description); + return ret; diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch deleted file mode 100644 index e04a58b..0000000 --- a/krb5-master-keytab_close.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit decccbcb5075f8fbc28a535a9b337afc84a15dee -Author: Greg Hudson -Date: Mon Dec 16 15:37:56 2013 -0500 - - Fix GSS krb5 acceptor acquire_cred error handling - - When acquiring acceptor creds with a specified name, if we fail to - open a replay cache, we leak the keytab handle. If there is no - specified name and we discover that there is no content in the keytab, - we leak the keytab handle and return the wrong major code. Memory - leak reported by Andrea Campi. - - ticket: 7805 - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index 0efcad4..9547207 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context, - code = krb5_get_server_rcache(context, &cred->name->princ->data[0], - &cred->rcache); - if (code) { -+ krb5_kt_close(context, kt); - *minor_status = code; - return GSS_S_FAILURE; - } -@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context, - /* Make sure we have a keytab with keys in it. */ - code = krb5_kt_have_content(context, kt); - if (code) { -+ krb5_kt_close(context, kt); - *minor_status = code; -- return GSS_S_FAILURE; -+ return GSS_S_CRED_UNAVAIL; - } - } - diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch deleted file mode 100644 index c502ab3..0000000 --- a/krb5-master-no-malloc0.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 13fd26e1863c79f616653f6a10a58c01f65fceff -Author: Greg Hudson -Date: Fri Dec 6 18:56:56 2013 -0500 - - Avoid malloc(0) in SPNEGO get_input_token - - If we read a zero-length token in spnego_mech.c's get_input_token(), - set the value pointer to NULL instead of calling malloc(0). - - ticket: 7794 (new) - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 24c3440..3937662 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) - return (NULL); - - input_token->length = len; -- input_token->value = gssalloc_malloc(input_token->length); -+ if (input_token->length > 0) { -+ input_token->value = gssalloc_malloc(input_token->length); -+ if (input_token->value == NULL) { -+ free(input_token); -+ return (NULL); -+ } - -- if (input_token->value == NULL) { -- free(input_token); -- return (NULL); -+ memcpy(input_token->value, *buff_in, input_token->length); -+ } else { -+ input_token->value = NULL; - } -- -- (void) memcpy(input_token->value, *buff_in, input_token->length); - *buff_in += input_token->length; - return (input_token); - } diff --git a/krb5-master-spnego_error_messages.patch b/krb5-master-spnego_error_messages.patch deleted file mode 100644 index efe4678..0000000 --- a/krb5-master-spnego_error_messages.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 4faca53e3a8ee213d43da8998f6889e7bfd36248 -Author: Greg Hudson -Date: Wed Dec 18 16:03:16 2013 -0500 - - Test SPNEGO error message in t_s4u.py - - Now that #7045 is fixed, we can check for the correct error message - from t_s4u2proxy_krb5 with --spnego. - - ticket: 7045 - -diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py -index 67dc810..e4aa259 100644 ---- a/src/tests/gssapi/t_s4u.py -+++ b/src/tests/gssapi/t_s4u.py -@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or - 'NOT_ALLOWED_TO_DELEGATE' not in output): - fail('krb5 -> s4u2proxy') - --# Again with SPNEGO. Bug #7045 prevents us from checking the error --# message, but we can at least exercise the code. -+# Again with SPNEGO. - output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, - '-', pservice1, pservice2], - expected_code=1) --if ('auth1: ' + realm.user_princ not in output): -+if ('auth1: ' + realm.user_princ not in output or -+ 'NOT_ALLOWED_TO_DELEGATE' not in output): - fail('krb5 -> s4u2proxy (SPNEGO)') - - # Try krb5 -> S4U2Proxy without forwardable user creds. This should -@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') - - # Again with SPNEGO. This uses SPNEGO for the initial authentication, --# but still uses krb5 for S4U2Proxy (the delegated cred is returned as -+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as - # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred --# directly rather than saving and reacquiring it) so bug #7045 does --# not apply and we can verify the error message. -+# directly rather than saving and reacquiring it. - output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) - if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') diff --git a/krb5-mini.changes b/krb5-mini.changes index e5a76ab..f58b3e4 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com + +- update to version 1.12.1 + * Make KDC log service principal names more consistently during + some error conditions, instead of "" + * Fix several bugs related to building AES-NI support on less + common configurations + * Fix several bugs related to keyring credential caches +- upstream obsoletes: + krb5-1.12-copy_context.patch + krb5-1.12-enable-NX.patch + krb5-1.12-pic-aes-ni.patch + krb5-master-no-malloc0.patch + krb5-master-ignore-empty-unnecessary-final-token.patch + krb5-master-gss_oid_leak.patch + krb5-master-keytab_close.patch + krb5-master-spnego_error_messages.patch +- Fix Get time offsets for all keyring ccaches + krb5-master-keyring-kdcsync.patch (RT#7820) + ------------------------------------------------------------------- Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 7f4eee6..ff96b5f 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.12 +%define srcRoot krb5-1.12.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.12 +Version: 1.12.1 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch -Patch15: krb5-1.12-copy_context.patch -Patch16: krb5-1.12-enable-NX.patch -Patch17: krb5-1.12-pic-aes-ni.patch -Patch18: krb5-master-no-malloc0.patch -Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch -Patch20: krb5-master-gss_oid_leak.patch -Patch21: krb5-master-keytab_close.patch -Patch22: krb5-master-spnego_error_messages.patch +Patch15: krb5-master-keyring-kdcsync.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -206,13 +199,6 @@ Include Files for Development %patch13 -p0 %patch14 -p1 %patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 %build # needs to be re-generated diff --git a/krb5.changes b/krb5.changes index c214316..641ed61 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com + +- update to version 1.12.1 + * Make KDC log service principal names more consistently during + some error conditions, instead of "" + * Fix several bugs related to building AES-NI support on less + common configurations + * Fix several bugs related to keyring credential caches +- upstream obsoletes: + krb5-1.12-copy_context.patch + krb5-1.12-enable-NX.patch + krb5-1.12-pic-aes-ni.patch + krb5-master-no-malloc0.patch + krb5-master-ignore-empty-unnecessary-final-token.patch + krb5-master-gss_oid_leak.patch + krb5-master-keytab_close.patch + krb5-master-spnego_error_messages.patch +- Fix Get time offsets for all keyring ccaches + krb5-master-keyring-kdcsync.patch (RT#7820) + ------------------------------------------------------------------- Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com diff --git a/krb5.spec b/krb5.spec index 9005874..9f0dad7 100644 --- a/krb5.spec +++ b/krb5.spec @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.12 +%define srcRoot krb5-1.12.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.12 +Version: 1.12.1 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch -Patch15: krb5-1.12-copy_context.patch -Patch16: krb5-1.12-enable-NX.patch -Patch17: krb5-1.12-pic-aes-ni.patch -Patch18: krb5-master-no-malloc0.patch -Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch -Patch20: krb5-master-gss_oid_leak.patch -Patch21: krb5-master-keytab_close.patch -Patch22: krb5-master-spnego_error_messages.patch +Patch15: krb5-master-keyring-kdcsync.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -206,13 +199,6 @@ Include Files for Development %patch13 -p0 %patch14 -p1 %patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 %build # needs to be re-generated