packages/krb5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update version to 1.20.1

Browse Source 
Signed-off-by: zhouchenchen123 <zhouchenchen@huawei.com>
This commit is contained in:
zhouchenchen123 2023-02-01 16:31:18 +08:00
parent d8acb364d9
commit bdaa6c8306
10 changed files with 523 additions and 1351 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

568
FIPS-with-PRNG-and-RADIUS-and-MD4.patch
View File

@ -1,568 +0,0 @@
From 5978878bcee5ec39e4357f408470d39e9540d2bf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
NB: Use openssl's PRNG in FIPS mode and taint within krad.
A lot of the FIPS error conditions from OpenSSL are incredibly
mysterious (at best, things return NULL unexpectedly; at worst,
internal assertions are tripped; most of the time, you just get
ENOMEM). In order to cope with this, we need to have some level of
awareness of what we can and can't safely call.
This will slow down some calls slightly (FIPS_mode() takes multiple
locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about SPAKE though.
post6 restores MD4 (and therefore keygen-only RC4).
Last-updated: krb5-1.17
---
src/lib/crypto/krb/prng.c | 11 ++++-
.../crypto/openssl/enc_provider/camellia.c | 6 +++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
.../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
src/lib/crypto/openssl/hmac.c | 6 ++-
src/lib/krad/attr.c | 45 ++++++++++++++-----
src/lib/krad/attrset.c | 5 ++-
src/lib/krad/internal.h | 13 +++++-
src/lib/krad/packet.c | 22 ++++-----
src/lib/krad/remote.c | 10 ++++-
src/lib/krad/t_attr.c | 3 +-
src/lib/krad/t_attrset.c | 4 +-
src/plugins/preauth/spake/spake_client.c | 6 +++
src/plugins/preauth/spake/spake_kdc.c | 6 +++
14 files changed, 129 insertions(+), 33 deletions(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -26,6 +26,8 @@
#include "crypto_int.h"
+#include <openssl/rand.h>
+
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data)
{
@@ -99,9 +101,16 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
-#if defined(__linux__) && defined(SYS_getrandom)
int r;
+ /* A wild FIPS mode appeared! */
+ if (FIPS_mode()) {
+ /* The return codes on this API are not good */
+ r = RAND_bytes(buf, len);
+ return r == 1;
+ }
+
+#if defined(__linux__) && defined(SYS_getrandom)
while (len > 0) {
/*
* Pull from the /dev/urandom pool, but require it to have been seeded.
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
index 2da691329..f79679a0b 100644
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
struct iov_cursor cursor;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
if (output->length < CAMELLIA_BLOCK_SIZE)
return KRB5_BAD_MSIZE;
@@ -331,6 +334,9 @@ static krb5_error_code
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
krb5_data *state)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
state->length = 16;
state->data = (void *) malloc(16);
if (state->data == NULL)
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index a65d57b7a..6ccaca94a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (void *)state->data;
+ struct arcfour_state *arcstate;
+
+ if (FIPS_mode())
+ return;
+
+ arcstate = (void *) state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
/*
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 1e0fb8fc3..feb5eda99 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
if (ctx == NULL)
return ENOMEM;
+ if (type == EVP_md4()) {
+ /* See comment below in hash_md4(). */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+
ok = EVP_DigestInit_ex(ctx, type, NULL);
for (i = 0; i < num_data; i++) {
if (!SIGN_IOV(&data[i]))
@@ -64,12 +69,19 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
static krb5_error_code
hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ /*
+ * MD4 is needed in FIPS mode to perform key generation for RC4 keys used
+ * by IPA. These keys are only used along a (separately) secured channel
+ * for legacy reasons when performing trusts to Active Directory.
+ */
return hash_evp(EVP_md4(), data, num_data, output);
}
static krb5_error_code
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
return hash_evp(EVP_md5(), data, num_data, output);
}
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index 7dc59dcc0..769a50c00 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
return EVP_sha256();
else if (!strncmp(hash->hash_name, "SHA-384",7))
return EVP_sha384();
- else if (!strncmp(hash->hash_name, "MD5", 3))
+
+ if (FIPS_mode())
+ return NULL;
+
+ if (!strncmp(hash->hash_name, "MD5", 3))
return EVP_md5();
else if (!strncmp(hash->hash_name, "MD4", 3))
return EVP_md4();
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
index 9c13d9d75..275327e67 100644
--- a/src/lib/krad/attr.c
+++ b/src/lib/krad/attr.c
@@ -30,6 +30,7 @@
#include <k5-int.h>
#include "internal.h"
+#include <openssl/crypto.h>
#include <string.h>
/* RFC 2865 */
@@ -38,7 +39,8 @@
typedef krb5_error_code
(*attribute_transform_fn)(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
typedef struct {
const char *name;
@@ -51,12 +53,14 @@ typedef struct {
static krb5_error_code
user_password_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
static krb5_error_code
user_password_decode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *ignored);
static const attribute_record attributes[UCHAR_MAX] = {
{"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
@@ -128,7 +132,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
static krb5_error_code
user_password_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
const unsigned char *indx;
krb5_error_code retval;
@@ -154,8 +159,14 @@ user_password_encode(krb5_context ctx, const char *secret,
for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) {
memcpy(tmp.data + seclen, indx, BLOCKSIZE);
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
- &sum);
+ if (FIPS_mode()) {
+ /* Skip encryption here. Taint so that we won't pass it out of
+ * the machine by accident. */
+ *is_fips = TRUE;
+ sum.contents = calloc(1, BLOCKSIZE);
+ } else
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
+ &sum);
if (retval != 0) {
zap(tmp.data, tmp.length);
zap(outbuf, len);
@@ -180,7 +191,8 @@ user_password_encode(krb5_context ctx, const char *secret,
static krb5_error_code
user_password_decode(krb5_context ctx, const char *secret,
const unsigned char *auth, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
const unsigned char *indx;
krb5_error_code retval;
@@ -204,8 +216,14 @@ user_password_decode(krb5_context ctx, const char *secret,
for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) {
memcpy(tmp.data + seclen, indx, BLOCKSIZE);
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
- &tmp, &sum);
+ if (FIPS_mode()) {
+ /* Skip encryption here. Taint so that we won't pass it out of
+ * the machine by accident. */
+ *is_fips = TRUE;
+ sum.contents = calloc(1, BLOCKSIZE);
+ } else
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
+ &tmp, &sum);
if (retval != 0) {
zap(tmp.data, tmp.length);
zap(outbuf, in->length);
@@ -248,7 +266,7 @@ krb5_error_code
kr_attr_encode(krb5_context ctx, const char *secret,
const unsigned char *auth, krad_attr type,
const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE],
- size_t *outlen)
+ size_t *outlen, krb5_boolean *is_fips)
{
krb5_error_code retval;
@@ -265,7 +283,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
return 0;
}
- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen);
+ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen,
+ is_fips);
}
krb5_error_code
@@ -274,6 +293,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
{
krb5_error_code retval;
+ krb5_boolean ignored;
retval = kr_attr_valid(type, in);
if (retval != 0)
@@ -288,7 +308,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
return 0;
}
- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen);
+ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen,
+ &ignored);
}
krad_attr
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index 03c613716..d89982a13 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy)
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
const unsigned char *auth,
- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
+ krb5_boolean *is_fips)
{
unsigned char buffer[MAX_ATTRSIZE];
krb5_error_code retval;
@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
K5_TAILQ_FOREACH(a, &set->list, list) {
retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr,
- buffer, &attrlen);
+ buffer, &attrlen, is_fips);
if (retval != 0)
return retval;
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
index 996a89372..a53ce31ce 100644
--- a/src/lib/krad/internal.h
+++ b/src/lib/krad/internal.h
@@ -49,6 +49,13 @@
typedef struct krad_remote_st krad_remote;
+struct krad_packet_st {
+ char buffer[KRAD_PACKET_SIZE_MAX];
+ krad_attrset *attrset;
+ krb5_data pkt;
+ krb5_boolean is_fips;
+};
+
/* Validate constraints of an attribute. */
krb5_error_code
kr_attr_valid(krad_attr type, const krb5_data *data);
@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
krb5_error_code
kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
krad_attr type, const krb5_data *in,
- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
/* Decode an attribute. */
krb5_error_code
@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
krb5_error_code
kr_attrset_encode(const krad_attrset *set, const char *secret,
const unsigned char *auth,
- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen);
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
+ krb5_boolean *is_fips);
/* Decode attributes from a buffer. */
krb5_error_code
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index c597174b6..794ac84c4 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -32,6 +32,7 @@
#include <string.h>
#include <arpa/inet.h>
+#include <openssl/crypto.h>
typedef unsigned char uchar;
@@ -53,12 +54,6 @@ typedef unsigned char uchar;
#define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH))
#define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR))
-struct krad_packet_st {
- char buffer[KRAD_PACKET_SIZE_MAX];
- krad_attrset *attrset;
- krb5_data pkt;
-};
-
typedef struct {
uchar x[(UCHAR_MAX + 1) / 8];
} idmap;
@@ -187,8 +182,13 @@ auth_generate_response(krb5_context ctx, const char *secret,
memcpy(data.data + response->pkt.length, secret, strlen(secret));
/* Hash it. */
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
- &hash);
+ if (FIPS_mode()) {
+ /* This checksum does very little security-wise anyway, so don't
+ * taint. */
+ hash.contents = calloc(1, AUTH_FIELD_SIZE);
+ } else
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
+ &hash);
free(data.data);
if (retval != 0)
return retval;
@@ -276,7 +276,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt),
- &attrset_len);
+ &attrset_len, &pkt->is_fips);
if (retval != 0)
goto error;
@@ -314,7 +314,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt),
- &attrset_len);
+ &attrset_len, &pkt->is_fips);
if (retval != 0)
goto error;
@@ -451,6 +451,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
const krb5_data *
krad_packet_encode(const krad_packet *pkt)
{
+ if (pkt->is_fips)
+ return NULL;
return &pkt->pkt;
}
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index 437f7e91a..0f90443ce 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr)
request *r;
K5_TAILQ_FOREACH(r, &rr->list, list) {
- tmp = krad_packet_encode(r->request);
+ tmp = &r->request->pkt;
/* If the packet has already been sent, do nothing. */
if (r->sent == tmp->length)
@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr)
if (req != NULL) {
K5_TAILQ_FOREACH(r, &rr->list, list) {
if (r->request == req &&
- r->sent == krad_packet_encode(req)->length) {
+ r->sent == req->pkt.length) {
request_finish(r, 0, rsp);
break;
}
@@ -455,6 +455,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
(krad_packet_iter_cb)iterator, &r, &tmp);
if (retval != 0)
goto error;
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+ rr->info->ai_family != AF_UNIX) {
+ /* This would expose cleartext passwords, so abort. */
+ retval = ESOCKTNOSUPPORT;
+ goto error;
+ }
K5_TAILQ_FOREACH(r, &rr->list, list) {
if (r->request == tmp) {
diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
index eb2a780c8..4d285ad9d 100644
--- a/src/lib/krad/t_attr.c
+++ b/src/lib/krad/t_attr.c
@@ -50,6 +50,7 @@ main()
const char *tmp;
krb5_data in;
size_t len;
+ krb5_boolean is_fips = FALSE;
noerror(krb5_init_context(&ctx));
@@ -73,7 +74,7 @@ main()
in = string2data((char *)decoded);
retval = kr_attr_encode(ctx, secret, auth,
krad_attr_name2num("User-Password"),
- &in, outbuf, &len);
+ &in, outbuf, &len, &is_fips);
insist(retval == 0);
insist(len == sizeof(encoded));
insist(memcmp(outbuf, encoded, len) == 0);
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
index 7928335ca..0f9576253 100644
--- a/src/lib/krad/t_attrset.c
+++ b/src/lib/krad/t_attrset.c
@@ -49,6 +49,7 @@ main()
krb5_context ctx;
size_t len = 0, encode_len;
krb5_data tmp;
+ krb5_boolean is_fips = FALSE;
noerror(krb5_init_context(&ctx));
noerror(krad_attrset_new(ctx, &set));
@@ -62,7 +63,8 @@ main()
noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
/* Encode attrset. */
- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len));
+ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len,
+ &is_fips));
krad_attrset_free(set);
/* Manually encode User-Name. */
diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
index 00734a13b..a3ce22b70 100644
--- a/src/plugins/preauth/spake/spake_client.c
+++ b/src/plugins/preauth/spake/spake_client.c
@@ -38,6 +38,8 @@
#include "groups.h"
#include <krb5/clpreauth_plugin.h>
+#include <openssl/crypto.h>
+
typedef struct reqstate_st {
krb5_pa_spake *msg; /* set in prep_questions, used in process */
krb5_keyblock *initial_key;
@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;
+
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
vt = (krb5_clpreauth_vtable)vtable;
vt->name = "spake";
vt->pa_type_list = pa_types;
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
index 88c964ce1..c7df0392f 100644
--- a/src/plugins/preauth/spake/spake_kdc.c
+++ b/src/plugins/preauth/spake/spake_kdc.c
@@ -41,6 +41,8 @@
#include <krb5/kdcpreauth_plugin.h>
+#include <openssl/crypto.h>
+
/*
* The SPAKE kdcpreauth module uses a secure cookie containing the following
* concatenated fields (all integer fields are big-endian):
@@ -571,6 +573,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;
+
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
vt = (krb5_kdcpreauth_vtable)vtable;
vt->name = "spake";
vt->pa_type_list = pa_types;

1085
Remove-3des-support.patch
View File

File diff suppressed because it is too large Load Diff

100
SELinux-integration.patch
View File

@ -1,4 +1,4 @@
From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001 From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400 Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration Subject: [PATCH] [downstream] SELinux integration
@ -36,7 +36,9 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(), Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement. which we used earlier, is some improvement.
Last-updated: krb5-1.18-beta1 Last-updated: krb5-1.20.1
[jrische@redhat.com: Replace deprecated security_context_t by char *:
- src/util/support/selinux.c]
--- ---
src/aclocal.m4 | 48 +++ src/aclocal.m4 | 48 +++
src/build-tools/krb5-config.in | 3 +- src/build-tools/krb5-config.in | 3 +-
@ -61,13 +63,13 @@ Last-updated: krb5-1.18-beta1
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/util/profile/prof_file.c | 3 +- src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +- src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 406 ++++++++++++++++++ src/util/support/selinux.c | 405 ++++++++++++++++++
24 files changed, 573 insertions(+), 21 deletions(-) 24 files changed, 572 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index ca9fcf664..5afb96e58 100644 index bf9da35bbc..01283f482e 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
@ -78,7 +80,7 @@ index ca9fcf664..5afb96e58 100644
KRB5_LIB_PARAMS KRB5_LIB_PARAMS
KRB5_AC_INITFINI KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS KRB5_AC_ENABLE_THREADS
@@ -1745,4 +1746,51 @@ AC_SUBST(PAM_LIBS) @@ -1526,4 +1527,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN) AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN) AC_SUBST(NON_PAM_MAN)
])dnl ])dnl
@ -131,7 +133,7 @@ index ca9fcf664..5afb96e58 100644
+AC_SUBST(SELINUX_LIBS) +AC_SUBST(SELINUX_LIBS)
+])dnl +])dnl
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index dead0dddc..fef3e054f 100755 index dead0dddce..fef3e054fc 100755
--- a/src/build-tools/krb5-config.in --- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
@ -152,7 +154,7 @@ index dead0dddc..fef3e054f 100755
echo $lib_flags echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in diff --git a/src/config/pre.in b/src/config/pre.in
index 3752174c7..0d2068575 100644 index a0c60c70b3..7eaa2f351c 100644
--- a/src/config/pre.in --- a/src/config/pre.in
+++ b/src/config/pre.in +++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ @@ -177,6 +177,7 @@ LD = $(PURE) @LD@
@ -163,7 +165,7 @@ index 3752174c7..0d2068575 100644
INSTALL=@INSTALL@ INSTALL=@INSTALL@
INSTALL_STRIP= INSTALL_STRIP=
@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) @@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod... # HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@ HESIOD_LIBS = @HESIOD_LIBS@
@ -173,10 +175,10 @@ index 3752174c7..0d2068575 100644
GSS_LIBS = $(GSS_KRB5_LIB) GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS! # needs fixing if ever used on macOS!
diff --git a/src/configure.ac b/src/configure.ac diff --git a/src/configure.ac b/src/configure.ac
index 693f76a81..dd2cad3ee 100644 index aa970b0447..40545f2bfc 100644
--- a/src/configure.ac --- a/src/configure.ac
+++ b/src/configure.ac +++ b/src/configure.ac
@@ -1391,6 +1391,8 @@ AC_PATH_PROG(GROFF, groff) @@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM KRB5_WITH_PAM
@ -186,7 +188,7 @@ index 693f76a81..dd2cad3ee 100644
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index cf524252f..efb523689 100644 index 44dc1eeb3f..c3aecba7d4 100644
--- a/src/include/k5-int.h --- a/src/include/k5-int.h
+++ b/src/include/k5-int.h +++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -128,6 +128,7 @@ typedef unsigned char u_char;
@ -199,7 +201,7 @@ index cf524252f..efb523689 100644
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
diff --git a/src/include/k5-label.h b/src/include/k5-label.h diff --git a/src/include/k5-label.h b/src/include/k5-label.h
new file mode 100644 new file mode 100644
index 000000000..dfaaa847c index 0000000000..dfaaa847cb
--- /dev/null --- /dev/null
+++ b/src/include/k5-label.h +++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
@ -236,7 +238,7 @@ index 000000000..dfaaa847c
+#endif +#endif
+#endif +#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 045334a08..db80063eb 100644 index c0194c3c94..7e1dea2cbf 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@ @@ -87,6 +87,12 @@
@ -253,7 +255,7 @@ index 045334a08..db80063eb 100644
#include <stdlib.h> #include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a8b..cea7939f4 100644 index a89b5144f6..4d6cc0bdf9 100644
--- a/src/kadmin/dbutil/dump.c --- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -288,10 +290,10 @@ index 634ba4a8b..cea7939f4 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup; goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c diff --git a/src/kdc/main.c b/src/kdc/main.c
index 3be6dcb07..24d441e16 100644 index 38b9299066..085afc9220 100644
--- a/src/kdc/main.c --- a/src/kdc/main.c
+++ b/src/kdc/main.c +++ b/src/kdc/main.c
@@ -872,7 +872,7 @@ write_pid_file(const char *path) @@ -848,7 +848,7 @@ write_pid_file(const char *path)
FILE *file; FILE *file;
unsigned long pid; unsigned long pid;
@ -301,10 +303,10 @@ index 3be6dcb07..24d441e16 100644
return errno; return errno;
pid = (unsigned long) getpid(); pid = (unsigned long) getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 498ca599a..c6b8efc28 100644 index f2341d720f..ffdac9f397 100644
--- a/src/kprop/kpropd.c --- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c
@@ -487,6 +487,9 @@ doit(int fd) @@ -488,6 +488,9 @@ doit(int fd)
krb5_enctype etype; krb5_enctype etype;
int database_fd; int database_fd;
char host[INET6_ADDRSTRLEN + 1]; char host[INET6_ADDRSTRLEN + 1];
@ -314,7 +316,7 @@ index 498ca599a..c6b8efc28 100644
signal_wrapper(SIGALRM, alarm_handler); signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout); alarm(params.iprop_resync_timeout);
@@ -542,9 +545,15 @@ doit(int fd) @@ -543,9 +546,15 @@ doit(int fd)
free(name); free(name);
exit(1); exit(1);
} }
@ -331,7 +333,7 @@ index 498ca599a..c6b8efc28 100644
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) { if (retval) {
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index c6885edf2..9aec3c05e 100644 index c6885edf2a..9aec3c05e8 100644
--- a/src/lib/kadm5/logger.c --- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do @@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
@ -353,7 +355,7 @@ index c6885edf2..9aec3c05e 100644
set_cloexec_file(f); set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f; log_control.log_entries[lindex].lfu_filep = f;
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..e9b95fce5 100644 index 2659a25018..e9b95fce59 100644
--- a/src/lib/kdb/kdb_log.c --- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c
@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) @@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
@ -366,7 +368,7 @@ index 2659a2501..e9b95fce5 100644
retval = errno; retval = errno;
goto cleanup; goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index 7b100a0ec..5683a0433 100644 index 1da40b51d0..f3ab7340a6 100644
--- a/src/lib/krb5/ccache/cc_dir.c --- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c +++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) @@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
@ -416,7 +418,7 @@ index 7b100a0ec..5683a0433 100644
_("Credential cache directory %s does not exist"), _("Credential cache directory %s does not exist"),
dirname); dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e510211fc..f3ea28c8e 100644 index e510211fc5..f3ea28c8ec 100644
--- a/src/lib/krb5/keytab/kt_file.c --- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) @@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@ -437,10 +439,10 @@ index e510211fc..f3ea28c8e 100644
goto report_errno; goto report_errno;
writevno = 1; writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 7073459f0..e9b99f4ca 100644 index 3369fc4ba6..95f82cda03 100644
--- a/src/lib/krb5/os/trace.c --- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) @@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd)); fd = malloc(sizeof(*fd));
if (fd == NULL) if (fd == NULL)
return ENOMEM; return ENOMEM;
@ -450,7 +452,7 @@ index 7073459f0..e9b99f4ca 100644
free(fd); free(fd);
return errno; return errno;
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644 index 7db30a33b0..2b9d01921d 100644
--- a/src/plugins/kdb/db2/adb_openclose.c --- a/src/plugins/kdb/db2/adb_openclose.c
+++ b/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
@ -463,7 +465,7 @@ index 7db30a33b..2b9d01921 100644
* maybe someone took away write permission so we could only * maybe someone took away write permission so we could only
* get shared locks? * get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 1a476b586..b40bb2240 100644 index 2c163d91cc..9a344a603e 100644
--- a/src/plugins/kdb/db2/kdb_db2.c --- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@ -478,7 +480,7 @@ index 1a476b586..b40bb2240 100644
retval = errno; retval = errno;
goto cleanup; goto cleanup;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index 2977b17f3..d5809a5a9 100644 index 2977b17f3a..d5809a5a93 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c --- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
@ -499,7 +501,7 @@ index 2977b17f3..d5809a5a9 100644
} else { } else {
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..686a960c9 100644 index 862dbb1640..686a960c96 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c --- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
@ -520,7 +522,7 @@ index 862dbb164..686a960c9 100644
(void)fcntl(hashp->fp, F_SETFD, 1); (void)fcntl(hashp->fp, F_SETFD, 1);
} }
diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
index d8b26e701..b0daa7c02 100644 index d8b26e7011..b0daa7c021 100644
--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c --- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
@ -542,7 +544,7 @@ index d8b26e701..b0daa7c02 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index e87688d66..30f7c00ab 100644 index e87688d666..30f7c00ab5 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) @@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@ -579,7 +581,7 @@ index e87688d66..30f7c00ab 100644
if (newfile == NULL) { if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file); com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index aa951df05..79f9500f6 100644 index aa951df05f..79f9500f69 100644
--- a/src/util/profile/prof_file.c --- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@ @@ -33,6 +33,7 @@
@ -600,7 +602,7 @@ index aa951df05..79f9500f6 100644
retval = errno; retval = errno;
if (retval == 0) if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index 86d5a950a..1052d53a1 100644 index 86d5a950a6..1052d53a1e 100644
--- a/src/util/support/Makefile.in --- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in
@@ -74,6 +74,7 @@ IPC_SYMS= \ @@ -74,6 +74,7 @@ IPC_SYMS= \
@ -622,10 +624,10 @@ index 86d5a950a..1052d53a1 100644
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644 new file mode 100644
index 000000000..6d41f3244 index 0000000000..807d039da3
--- /dev/null --- /dev/null
+++ b/src/util/support/selinux.c +++ b/src/util/support/selinux.c
@@ -0,0 +1,406 @@ @@ -0,0 +1,405 @@
+/* +/*
+ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. + * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
+ * + *
@ -724,17 +726,16 @@ index 000000000..6d41f3244
+ } + }
+} +}
+ +
+static security_context_t +static char *
+push_fscreatecon(const char *pathname, mode_t mode) +push_fscreatecon(const char *pathname, mode_t mode)
+{ +{
+ security_context_t previous, configuredsc, currentsc, derivedsc; + char *previous, *configuredsc, *currentsc, *genpath;
+ const char *derivedsc, *fullpath, *currentuser;
+ context_t current, derived; + context_t current, derived;
+ const char *fullpath, *currentuser;
+ char *genpath;
+ +
+ previous = configuredsc = currentsc = derivedsc = NULL; + previous = configuredsc = currentsc = genpath = NULL;
+ derivedsc = NULL;
+ current = derived = NULL; + current = derived = NULL;
+ genpath = NULL;
+ +
+ fullpath = pathname; + fullpath = pathname;
+ +
@ -862,7 +863,7 @@ index 000000000..6d41f3244
+} +}
+ +
+static void +static void
+pop_fscreatecon(security_context_t previous) +pop_fscreatecon(char *previous)
+{ +{
+ if (!is_selinux_enabled()) { + if (!is_selinux_enabled()) {
+ return; + return;
@ -916,7 +917,7 @@ index 000000000..6d41f3244
+{ +{
+ FILE *fp; + FILE *fp;
+ int errno_save; + int errno_save;
+ security_context_t ctx; + char *ctx;
+ +
+ if ((strcmp(mode, "r") == 0) || + if ((strcmp(mode, "r") == 0) ||
+ (strcmp(mode, "rb") == 0)) { + (strcmp(mode, "rb") == 0)) {
@ -942,7 +943,7 @@ index 000000000..6d41f3244
+{ +{
+ int fd; + int fd;
+ int errno_save; + int errno_save;
+ security_context_t ctx; + char *ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
@ -963,7 +964,7 @@ index 000000000..6d41f3244
+{ +{
+ int ret; + int ret;
+ int errno_save; + int errno_save;
+ security_context_t ctx; + char *ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
@ -984,7 +985,7 @@ index 000000000..6d41f3244
+{ +{
+ int ret; + int ret;
+ int errno_save; + int errno_save;
+ security_context_t ctx; + char *ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + k5_mutex_lock(&labeled_mutex);
@ -1005,7 +1006,7 @@ index 000000000..6d41f3244
+{ +{
+ int fd; + int fd;
+ int errno_save; + int errno_save;
+ security_context_t ctx; + char *ctx;
+ mode_t mode; + mode_t mode;
+ va_list ap; + va_list ap;
+ +
@ -1032,3 +1033,6 @@ index 000000000..6d41f3244
+} +}
+ +
+#endif /* USE_SELINUX */ +#endif /* USE_SELINUX */
--
2.38.1

46
backport-CVE-2021-37750.patch
View File

@ -1,46 +0,0 @@
From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 3 Aug 2021 01:15:27 -0400
Subject: [PATCH] Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
---
src/kdc/do_tgs_req.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 582e497..32dc65f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -207,6 +207,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "FIND_FAST";
goto cleanup;
}
+ if (sprinc == NULL) {
+ status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto cleanup;
+ }
errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage, &local_tgt_key);
--
1.8.3.1

9
fix-debuginfo-with-y.tab.c.patch
View File

@ -1,4 +1,4 @@
From ed161c3f3cb642d025f0fee6d4af6f56bba711e9 Mon Sep 17 00:00:00 2001 From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400 Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
@ -14,7 +14,7 @@ Last-updated: krb5-1.9
2 files changed, 6 insertions(+), 1 deletion(-) 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index adfea6e2b..d1327e400 100644 index adfea6e2b5..d1327e400b 100644
--- a/src/kadmin/cli/Makefile.in --- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix:: @@ -37,3 +37,8 @@ clean-unix::
@ -27,7 +27,7 @@ index adfea6e2b..d1327e400 100644
+ $(YACC.y) $< + $(YACC.y) $<
+ $(CP) y.tab.c $@ + $(CP) y.tab.c $@
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
index 8669c2436..a22f23c02 100644 index 8669c2436c..a22f23c02c 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) @@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
@ -39,3 +39,6 @@ index 8669c2436..a22f23c02 100644
install: install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.38.1

16
krb5-1.19.2.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmD5qLoACgkQDLoIV1+D
ct9NEw//XhDJPE38UzvURT/RsuL3TQZoHGHtRA/seXcKkrX1wFLUjnOUK39RxzkS
5y0BGOBoByGlqMxcpBlQv3mdtOAkdbgUtb9sT90eUObsG3cqa/0ou3Nm2ta+UNb7
UC72UC9ZCXzUEl3be2/q/geHHE69e62t4YGcnwZ4koI3b/cZU6xL3N0ox9Gxdi37
+rUe7i5TZAKvKo+eKhLpC/k1F0HSvLzxcPyRlfpAYb607lvc4MYNvbOZZUk8aNEt
0OhoSak1mXSdYwt4HHTj2NY1q5d+wviGOYby/Q1Wv7qVZHLFvCCr7Lr7ba0bIWas
cYl13OgLq2uwA85k9/BzAxIgPVpMpt0aRaoTeiH2fKm8kNA9YfIagyRgX4vNfFWp
RKXpVu5SFNMgFVAHJu/QID8Lf8YV/PU4H7kdMyFy9gA66nTN4KvdeoRyrHgv2r1c
c5MhV9bJDDFalC1VLYTJ3iSZFy5Y95wrr59KI2OTQKgQxsylfGXW+OR1hWKua5Y5
nqF0b/TKiryrdah3aw2Ac78MggC+3RDHQ8yHG4tC0/nJzbf4WnP6lqUJhQIat+lE
g62Kh+fAUjuYw/8tuxVUFlMMa9cDHV7XGGYQS/JoUq/BaGWheNYrvPXxr4u0oSOa
kJyOUfZuJvgiDakbEAuVNm8Gr6lKDH/omn8dl9r/CHdyEANqvi0=
=QM0F
-----END PGP SIGNATURE-----

BIN
krb5-1.19.2.tar.gz → krb5-1.20.1.tar.gz
View File

Binary file not shown.

16
krb5-1.20.1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
=1WIq
-----END PGP SIGNATURE-----

13
krb5.spec
View File

@ -2,13 +2,13 @@
%global WITH_DIRSRV 1 %global WITH_DIRSRV 1
Name: krb5 Name: krb5
Version: 1.19.2 Version: 1.20.1
Release: 2 Release: 1
Summary: The Kerberos network authentication protocol Summary: The Kerberos network authentication protocol
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
Source0: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.20/%{name}-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz.asc Source1: https://web.mit.edu/kerberos/dist/krb5/1.20/%{name}-%{version}.tar.gz.asc
Source2: kprop.service Source2: kprop.service
Source3: kadmin.service Source3: kadmin.service
Source4: krb5kdc.service Source4: krb5kdc.service
@ -25,8 +25,6 @@ Patch2: Adjust-build-configuration.patch
Patch3: netlib-and-dns.patch Patch3: netlib-and-dns.patch
Patch4: fix-debuginfo-with-y.tab.c.patch Patch4: fix-debuginfo-with-y.tab.c.patch
Patch5: Remove-3des-support.patch Patch5: Remove-3des-support.patch
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch7: backport-CVE-2021-37750.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -318,6 +316,9 @@ make -C src check || :
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Wed Feb 1 2023 zhouchenchen123 <zhouchenchen@huawei.com> - 1.20.1-1
- update to 1.20.1
* Tue Mar 8 2022 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-2 * Tue Mar 8 2022 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-2
- Add ExecStartPost option to krb5kdc.service for solving error message when krb5kdc starting - Add ExecStartPost option to krb5kdc.service for solving error message when krb5kdc starting

21
ksu-pam-integration.patch
View File

@ -1,4 +1,4 @@
From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001 From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400 Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration Subject: [PATCH] [downstream] ksu pam integration
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/clients/ksu/pam.h create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 024d6370c..ca9fcf664 100644 index 9920476f91..bf9da35bbc 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -1677,3 +1677,72 @@ if test "$with_ldap" = yes; then @@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes OPENLDAP_PLUGIN=yes
fi fi
])dnl ])dnl
@ -107,7 +107,7 @@ index 024d6370c..ca9fcf664 100644
+])dnl +])dnl
+ +
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 8b4edce4d..9d58f29b5 100644 index 8b4edce4d8..9d58f29b5d 100644
--- a/src/clients/ksu/Makefile.in --- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
@ -145,7 +145,7 @@ index 8b4edce4d..9d58f29b5 100644
clean: clean:
$(RM) ksu $(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index af1286172..931f05404 100644 index af12861729..931f054041 100644
--- a/src/clients/ksu/main.c --- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
@ -303,7 +303,7 @@ index af1286172..931f05404 100644
} }
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
new file mode 100644 new file mode 100644
index 000000000..cbfe48704 index 0000000000..cbfe487047
--- /dev/null --- /dev/null
+++ b/src/clients/ksu/pam.c +++ b/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@ @@ -0,0 +1,389 @@
@ -698,7 +698,7 @@ index 000000000..cbfe48704
+#endif +#endif
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
new file mode 100644 new file mode 100644
index 000000000..0ab76569c index 0000000000..0ab76569cb
--- /dev/null --- /dev/null
+++ b/src/clients/ksu/pam.h +++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@ @@ -0,0 +1,57 @@
@ -760,10 +760,10 @@ index 000000000..0ab76569c
+void appl_pam_cleanup(void); +void appl_pam_cleanup(void);
+#endif +#endif
diff --git a/src/configure.ac b/src/configure.ac diff --git a/src/configure.ac b/src/configure.ac
index 4eb080784..693f76a81 100644 index f03028b5fd..aa970b0447 100644
--- a/src/configure.ac --- a/src/configure.ac
+++ b/src/configure.ac +++ b/src/configure.ac
@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) @@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff) AC_PATH_PROG(GROFF, groff)
@ -772,3 +772,6 @@ index 4eb080784..693f76a81 100644
# Make localedir work in autoconf 2.5x. # Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
--
2.38.1