Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2014-01-17 16:40:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5" Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-11-28 07:27:34.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-01-23 15:46:48.000000000 +0100 
@@ -2 +2,46 @@ -Fri Nov 15 13:35:09 UTC 2013 - [email protected] +Mon Jan 13 15:40:18 UTC 2014 - [email protected] + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses + RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions + when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch + * krb5-1.11-pam.patch -> krb5-1.12-pam.patch + * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch + * krb5-1.8-api.patch -> krb5-1.12-api.patch + * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch + * krb5-1.9-debuginfo.patch + * krb5-1.9-kprop-mktemp.patch + * krb5-kvno-230379.patch +- added upstream patches + - Fix krb5_copy_context + * krb5-1.12-copy_context.patch + - Mark AESNI files as not needing executable stacks + * krb5-1.12-enable-NX.patch + * krb5-1.12-pic-aes-ni.patch + - Fix memory leak in SPNEGO initiator + * krb5-master-gss_oid_leak.patch + - Fix SPNEGO one-hop interop against old IIS + * krb5-master-ignore-empty-unnecessary-final-token.patch + - Fix GSS krb5 acceptor acquire_cred error handling + * krb5-master-keytab_close.patch + - Avoid malloc(0) in SPNEGO get_input_token + * krb5-master-no-malloc0.patch + - Test SPNEGO error message in t_s4u.py + * krb5-master-spnego_error_messages.patch + +------------------------------------------------------------------- +Tue Dec 10 02:43:32 UTC 2013 - [email protected] + +- Reduce build dependencies for krb5-mini by removing + doxygen and changing libcom_err-devel to + libcom_err-mini-devel +- Small fix to pre_checkin.sh so krb5-mini.spec is correct. 
+ +------------------------------------------------------------------- +Fri Nov 15 13:33:53 UTC 2013 - [email protected] --- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2013-11-28 07:27:34.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-01-23 15:46:48.000000000 +0100 
@@ -1,0 +2,45 @@ +Mon Jan 13 15:37:16 UTC 2014 - [email protected] + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses + RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions + when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch + * krb5-1.11-pam.patch -> krb5-1.12-pam.patch + * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch + * krb5-1.8-api.patch -> krb5-1.12-api.patch + * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch + * krb5-1.9-debuginfo.patch + * krb5-1.9-kprop-mktemp.patch + * krb5-kvno-230379.patch +- added upstream patches + - Fix krb5_copy_context + * krb5-1.12-copy_context.patch + - Mark AESNI files as not needing executable stacks + * krb5-1.12-enable-NX.patch + * krb5-1.12-pic-aes-ni.patch + - Fix memory leak in SPNEGO initiator + * krb5-master-gss_oid_leak.patch + - Fix SPNEGO one-hop interop against old IIS + * krb5-master-ignore-empty-unnecessary-final-token.patch + - Fix GSS krb5 acceptor acquire_cred error handling + * krb5-master-keytab_close.patch + - Avoid malloc(0) in SPNEGO get_input_token + * krb5-master-no-malloc0.patch + - Test SPNEGO error message in t_s4u.py + * krb5-master-spnego_error_messages.patch + +------------------------------------------------------------------- +Tue Dec 10 02:43:32 UTC 2013 - [email protected] + +- Reduce build dependencies for krb5-mini by removing + doxygen and changing libcom_err-devel to + libcom_err-mini-devel +- Small fix to pre_checkin.sh so krb5-mini.spec is correct. 
+ +------------------------------------------------------------------- Old: ---- krb5-1.10-buildconf.patch krb5-1.11-pam.patch krb5-1.11-selinux-label.patch krb5-1.11.4.tar.bz2 krb5-1.8-api.patch krb5-1.9-ksu-path.patch New: ---- krb5-1.12-api.patch krb5-1.12-buildconf.patch krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-ksu-path.patch krb5-1.12-pam.patch krb5-1.12-pic-aes-ni.patch krb5-1.12-selinux-label.patch krb5-1.12.tar.gz krb5-master-gss_oid_leak.patch krb5-master-ignore-empty-unnecessary-final-token.patch krb5-master-keytab_close.patch krb5-master-no-malloc0.patch krb5-master-spnego_error_messages.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.11.4 +%define srcRoot krb5-1.12 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 
@@ -25,18 +25,18 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison -BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11.4 +Version: 1.12 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT Group: Productivity/Networking/Security %if ! 0%{?build_mini} +BuildRequires: doxygen BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel @@ -58,25 +58,34 @@ Conflicts: krb5-server Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit +Conflicts: krb5-plugin-preauth-otp %endif -Source: krb5-%{version}.tar.bz2 +Source: krb5-%{version}.tar.gz Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.11-pam.patch +Patch1: krb5-1.12-pam.patch Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch +Patch3: krb5-1.12-buildconf.patch Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.10-kpasswd_tcp.patch Patch6: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch +Patch8: krb5-1.12-api.patch Patch9: krb5-1.9-kprop-mktemp.patch Patch10: krb5-1.10-ksu-access.patch -Patch11: krb5-1.9-ksu-path.patch -Patch12: krb5-1.11-selinux-label.patch +Patch11: krb5-1.12-ksu-path.patch +Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch +Patch15: krb5-1.12-copy_context.patch +Patch16: krb5-1.12-enable-NX.patch +Patch17: krb5-1.12-pic-aes-ni.patch +Patch18: krb5-master-no-malloc0.patch +Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch +Patch20: krb5-master-gss_oid_leak.patch +Patch21: krb5-master-keytab_close.patch +Patch22: krb5-master-spnego_error_messages.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
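Review bot: `Source: krb5-%{version}.tar.gz` changes both the upstream version and the archive format, but nothing in the spec lets the tarball be verified; MIT signs its release tarballs, so adding the detached signature as a further Source (constructed example: `Source3: krb5-%{version}.tar.gz.asc`, Source3 and Source4 being unused in the visible list) together with the upstream keyring would let it be checked at source-validation time. Patch15–Patch22 are backports from upstream master; recording the upstream commit id in each patch header, as krb5-1.12-copy_context.patch already does, makes them easy to retire at the next version bump. The identical hunk in krb5.spec (`@@ -58,25 +58,34 @@`, further down the page) has the same points.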
@@ -134,6 +143,15 @@ which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package plugin-preauth-otp +Summary: MIT Kerberos5 Implementation--OTP preauth Plugin +Group: Productivity/Networking/Security + +%description plugin-preauth-otp +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a OTP plugin. + %package doc Summary: MIT Kerberos5 Implementation--Documentation Group: Documentation/Other @@ -187,6 +205,14 @@ %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 %build # needs to be re-generated @@ -315,6 +341,11 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples +%if %{build_mini} +# manually remove otp plugin for krb5-mini since configure +# doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so +%endif %find_lang mit-krb5 @@ -425,6 +456,15 @@ %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libkrad.so +%{_libdir}/pkgconfig/gssrpc.pc +%{_libdir}/pkgconfig/kadm-client.pc +%{_libdir}/pkgconfig/kadm-server.pc +%{_libdir}/pkgconfig/kdb.pc +%{_libdir}/pkgconfig/krb5-gssapi.pc +%{_libdir}/pkgconfig/krb5.pc +%{_libdir}/pkgconfig/mit-krb5-gssapi.pc +%{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr @@ -476,6 +516,7 @@ %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local 
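Review bot: The `%if %{build_mini}` guard around the otp.so removal in the `@@ -315,6 +341,11 @@` hunk uses the bare macro, whereas every other test in this spec is written `%if ! 0%{?build_mini}`; the bare form makes the spec fail to parse if the define is ever dropped, so `%if 0%{?build_mini}` keeps it consistent and robust. The same hunk is repeated in krb5.spec further down, where it has the same issue. Minor wording in the new %description: `This package includes a OTP plugin.` should read `an OTP plugin`.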
@@ -547,6 +588,7 @@ %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %files server %defattr(-,root,root) @@ -658,6 +700,13 @@ %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so +%files plugin-preauth-otp +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/otp.so + %files doc %defattr(-,root,root) %doc html doc/CHANGES doc/README ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.11.4 +%define srcRoot krb5-1.12 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -25,18 +25,18 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison -BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11.4 +Version: 1.12 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT Group: Productivity/Networking/Security %if ! 0%{?build_mini} +BuildRequires: doxygen BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel 
@@ -58,25 +58,34 @@ Conflicts: krb5-server Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit +Conflicts: krb5-plugin-preauth-otp %endif -Source: krb5-%{version}.tar.bz2 +Source: krb5-%{version}.tar.gz Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.11-pam.patch +Patch1: krb5-1.12-pam.patch Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch +Patch3: krb5-1.12-buildconf.patch Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.10-kpasswd_tcp.patch Patch6: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch +Patch8: krb5-1.12-api.patch Patch9: krb5-1.9-kprop-mktemp.patch Patch10: krb5-1.10-ksu-access.patch -Patch11: krb5-1.9-ksu-path.patch -Patch12: krb5-1.11-selinux-label.patch +Patch11: krb5-1.12-ksu-path.patch +Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch +Patch15: krb5-1.12-copy_context.patch +Patch16: krb5-1.12-enable-NX.patch +Patch17: krb5-1.12-pic-aes-ni.patch +Patch18: krb5-master-no-malloc0.patch +Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch +Patch20: krb5-master-gss_oid_leak.patch +Patch21: krb5-master-keytab_close.patch +Patch22: krb5-master-spnego_error_messages.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -134,6 +143,15 @@ which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package plugin-preauth-otp +Summary: MIT Kerberos5 Implementation--OTP preauth Plugin +Group: Productivity/Networking/Security + +%description plugin-preauth-otp +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a OTP plugin. + %package doc Summary: MIT Kerberos5 Implementation--Documentation Group: Documentation/Other @@ -187,6 +205,14 @@ %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 %build # needs to be re-generated @@ -315,6 +341,11 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples +%if %{build_mini} +# manually remove otp plugin for krb5-mini since configure +# doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so +%endif %find_lang mit-krb5 @@ -425,6 +456,15 @@ %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libkrad.so +%{_libdir}/pkgconfig/gssrpc.pc +%{_libdir}/pkgconfig/kadm-client.pc +%{_libdir}/pkgconfig/kadm-server.pc +%{_libdir}/pkgconfig/kdb.pc +%{_libdir}/pkgconfig/krb5-gssapi.pc +%{_libdir}/pkgconfig/krb5.pc +%{_libdir}/pkgconfig/mit-krb5-gssapi.pc +%{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr @@ -476,6 +516,7 @@ %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local 
@@ -547,6 +588,7 @@ %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libkrad.so.* %files server %defattr(-,root,root) @@ -658,6 +700,13 @@ %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so +%files plugin-preauth-otp +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/otp.so + %files doc %defattr(-,root,root) %doc html doc/CHANGES doc/README ++++++ krb5-1.8-api.patch -> krb5-1.12-api.patch ++++++ --- /work/SRC/openSUSE:Factory/krb5/krb5-1.8-api.patch 2012-06-10 21:52:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.12-api.patch 2014-01-23 15:46:48.000000000 +0100 
@@ -2,30 +2,26 @@ malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. -Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c -=================================================================== ---- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c -+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c -@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context - const krb5_data *realm1 = krb5_princ_realm(context, princ1); - const krb5_data *realm2 = krb5_princ_realm(context, princ2); +--- krb5/src/lib/krb5/krb/princ_comp.c ++++ krb5/src/lib/krb5/krb/princ_comp.c +@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context + const krb5_data *realm1 = &princ1->realm; + const krb5_data *realm2 = &princ2->realm; -+ if ((princ1 == NULL) || (princ2 == NULL)) ++ if (princ1 == NULL || princ2 == NULL) + return FALSE; -+ -+ if ((realm1 == NULL) || (realm2 == NULL)) ++ if (realm1 == NULL || realm2 == NULL) + return FALSE; -+ if (realm1->length != realm2->length) return FALSE; - -@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex + if (realm1->length == 0) +@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; -+ if ((princ1 == NULL) || (princ2 == NULL)) ++ if (princ1 == NULL || princ2 == NULL) + return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ - if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { ++++++ krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch ++++++ --- /work/SRC/openSUSE:Factory/krb5/krb5-1.10-buildconf.patch 2013-04-05 09:26:18.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.12-buildconf.patch 2014-01-23 15:46:48.000000000 +0100 
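Review bot: In the rebased princ_comp.c hunk the NULL test `if (princ1 == NULL || princ2 == NULL)` is placed after the context lines `const krb5_data *realm1 = &princ1->realm;` / `realm2 = &princ2->realm;`, so both principals are already dereferenced (undefined behaviour on a null pointer) before the guard runs, and the following `if (realm1 == NULL || realm2 == NULL)` can never be true because the address of a struct member is never NULL. The previous version of the patch had the same ordering with the krb5_princ_realm macro, but the rebase is the right moment to fix it: declare `const krb5_data *realm1, *realm2;`, put the princ1/princ2 NULL test first, then assign `realm1 = &princ1->realm; realm2 = &princ2->realm;` and drop the dead realm test. realm_compare_flags begins outside the hunk; the krb5_principal_compare_flags hunk below it is fine since its check precedes any use of the pointers.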
@@ -4,10 +4,8 @@ apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. -Index: krb5-1.11/src/config/shlib.conf -=================================================================== ---- krb5-1.11.orig/src/config/shlib.conf -+++ krb5-1.11/src/config/shlib.conf +--- krb5/src/config/shlib.conf ++++ krb5/src/config/shlib.conf @@ -419,7 +419,7 @@ mips-*-netbsd*) SHLIBEXT=.so # Linux ld doesn't default to stuffing the SONAME field... @@ -17,7 +15,7 @@ # LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' SHLIB_EXPORT_FILE_DEP=binutils.versions -@@ -430,7 +430,8 @@ mips-*-netbsd*) +@@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' @@ -27,11 +25,9 @@ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -Index: krb5-1.11/src/krb5-config.in -=================================================================== ---- krb5-1.11.orig/src/krb5-config.in -+++ krb5-1.11/src/krb5-config.in -@@ -221,6 +221,13 @@ if test -n "$do_libs"; then +--- krb5/src/build-tools/krb5-config.in ++++ krb5/src/build-tools/krb5-config.in +@@ -189,6 +189,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` 
@@ -45,11 +41,9 @@ if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -Index: krb5-1.11/src/config/pre.in -=================================================================== ---- krb5-1.11.orig/src/config/pre.in -+++ krb5-1.11/src/config/pre.in -@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST +--- krb5/src/config/pre.in ++++ krb5/src/config/pre.in +@@ -188,7 +188,7 @@ INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ ++++++ krb5-1.12-copy_context.patch ++++++ Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial) profile_in_memory fields, and drop the hunk that touched .gitignore. commit c452644d91d57d8b05ef396a029e34d0c7a48920 Author: Greg Hudson <[email protected]> Date: Wed Dec 18 15:03:03 2013 -0500 Fix krb5_copy_context krb5_copy_context has been broken since 1.8 (it broke in r22456) because k5_copy_etypes crashes on null enctype lists. Subsequent additions to the context structure were not reflected in krb5_copy_context, creating double-free bugs. Make k5_copy_etypes handle null input and account for all new fields in krb5_copy_context. Reported by Arran Cudbard-Bell. ticket: 7807 (new) target_version: 1.12.1 tags: pullup diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c index 0bc92f8..4237023 100644 --- a/src/lib/krb5/krb/copy_ctx.c +++ b/src/lib/krb5/krb/copy_ctx.c 
@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) nctx->ser_ctx_count = 0; nctx->ser_ctx = NULL; nctx->prompt_types = NULL; + nctx->preauth_context = NULL; + nctx->ccselect_handles = NULL; + nctx->localauth_handles = NULL; + nctx->hostrealm_handles = NULL; + nctx->kdblog_context = NULL; + nctx->trace_callback = NULL; + nctx->trace_callback_data = NULL; + nctx->plugin_base_dir = NULL; nctx->os_context.default_ccname = NULL; +#ifdef KRB5_DNS_LOOKUP + nctx->profile_in_memory = 0; +#endif /* KRB5_DNS_LOOKUP */ + memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); nctx->vtbl = NULL; nctx->locate_fptrs = NULL; memset(&nctx->err, 0, sizeof(nctx->err)); + memset(&nctx->plugins, 0, sizeof(nctx->plugins)); ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes); if (ret) @@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) ret = krb5_get_profile(ctx, &nctx->profile); if (ret) goto errout; + nctx->plugin_base_dir = strdup(ctx->plugin_base_dir); + if (nctx->plugin_base_dir == NULL) { + ret = ENOMEM; + goto errout; + } errout: if (ret) { diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c index 9efe2e0..71f664f 100644 --- a/src/lib/krb5/krb/etype_list.c +++ b/src/lib/krb5/krb/etype_list.c @@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list) krb5_enctype *list; *new_list = NULL; + if (old_list == NULL) + return 0; count = k5_count_etypes(old_list); list = malloc(sizeof(krb5_enctype) * (count + 1)); if (list == NULL) commit b78c3c8c5025aec870d20472f80d4a652062f921 Author: Greg Hudson <[email protected]> Date: Wed Dec 18 13:08:25 2013 -0500 Add a test program for krb5_copy_context This test program isn't completely proof against the kind of mistakes we've made with krb5_copy_context in the past, but it at least exercises krb5_copy_context and can detect some kinds of bugs. ticket: 7807 
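Review bot: `nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);` in the `@@ -101,6 +109,11 @@` hunk passes the source field straight to strdup, which is undefined for NULL. It is probably always set by krb5_init_context (the accompanying test program frees and re-strdups it rather than testing for NULL), but that cannot be confirmed from here; since the first hunk already nulls `nctx->plugin_base_dir` up front so the errout path is safe, wrapping the strdup and its ENOMEM check in `if (ctx->plugin_base_dir != NULL) { ... }` makes the copy total at no cost. krb5_copy_context starts and ends outside these hunks.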
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 7d1682d..3b58219 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/t_expire_warn.c \ $(srcdir)/t_authdata.c \ $(srcdir)/t_cc_config.c \ + $(srcdir)/t_copy_context.c \ $(srcdir)/t_in_ccache.c \ $(srcdir)/t_response_items.c \ $(srcdir)/t_vfy_increds.c @@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS) t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS) +t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS) + t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS) TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ - t_in_ccache t_cc_config \ + t_in_ccache t_cc_config t_copy_context \ t_princ t_etypes t_vfy_increds t_response_items check-unix:: $(TEST_PROGS) @@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS) $(RUN_SETUP) $(VALGRIND) ./t_princ $(RUN_SETUP) $(VALGRIND) ./t_etypes $(RUN_SETUP) $(VALGRIND) ./t_response_items + KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ + $(RUN_SETUP) $(VALGRIND) ./t_copy_context check-pytests:: t_expire_warn t_vfy_increds $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) @@ -491,6 +497,7 @@ clean:: $(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \ $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \ $(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \ + $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \ $(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \ $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \ $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ 
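Review bot: The clean:: hunk adds `$(OUTPRE)t_copy_context(EXEEXT)` with the `$` missing before `(EXEEXT)`, unlike every neighbouring entry. If these lines are the argument list of the rm command, the unquoted parenthesis is a shell syntax error and `make clean` fails in this directory; if they feed a variable instead, the built `t_copy_context` binary is simply never removed. Change the line to `$(OUTPRE)t_copy_context$(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \`; as the patch is a backport, the correction belongs upstream too.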
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c new file mode 100644 index 0000000..522fa0c --- /dev/null +++ b/src/lib/krb5/krb/t_copy_context.c 
@@ -0,0 +1,166 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include <k5-int.h> + +static void +trace(krb5_context ctx, const krb5_trace_info *info, void *data) +{ +} + +static void +check(int cond) +{ + if (!cond) + abort(); +} + +static void +compare_string(const char *str1, const char *str2) +{ + check((str1 == NULL) == (str2 == NULL)); + if (str1 != NULL) + check(strcmp(str1, str2) == 0); +} + +static void +compare_etypes(krb5_enctype *list1, krb5_enctype *list2) +{ + check((list1 == NULL) == (list2 == NULL)); + if (list1 == NULL) + return; + while (*list1 != ENCTYPE_NULL && *list1 == *list2) + list1++, list2++; + check(*list1 == *list2); +} + +/* Check that the context c is a valid copy of the reference context r. */ +static void +check_context(krb5_context c, krb5_context r) +{ + int i; + + /* Check fields which should have been propagated from r. */ + compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes); + compare_etypes(c->tgs_etypes, r->tgs_etypes); + check(c->os_context.time_offset == r->os_context.time_offset); + check(c->os_context.usec_offset == r->os_context.usec_offset); + check(c->os_context.os_flags == r->os_context.os_flags); + compare_string(c->os_context.default_ccname, r->os_context.default_ccname); + check(c->clockskew == r->clockskew); + check(c->kdc_req_sumtype == r->kdc_req_sumtype); + check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); + check(c->default_safe_sumtype == r->default_safe_sumtype); + check(c->kdc_default_options == r->kdc_default_options); + check(c->library_options == r->library_options); + check(c->profile_secure == r->profile_secure); + check(c->fcc_default_format == r->fcc_default_format); + check(c->udp_pref_limit == r->udp_pref_limit); + check(c->use_conf_ktypes == r->use_conf_ktypes); + check(c->allow_weak_crypto == r->allow_weak_crypto); + check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname); + check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname); + compare_string(c->plugin_base_dir, r->plugin_base_dir); + + /* Check fields which 
don't propagate. */ + check(c->dal_handle == NULL); + check(c->ser_ctx_count == 0); + check(c->ser_ctx == NULL); + check(c->prompt_types == NULL); + check(c->libkrb5_plugins.files == NULL); + check(c->preauth_context == NULL); + check(c->ccselect_handles == NULL); + check(c->localauth_handles == NULL); + check(c->hostrealm_handles == NULL); + check(c->err.code == 0); + check(c->err.msg == NULL); + check(c->kdblog_context == NULL); + check(c->trace_callback == NULL); + check(c->trace_callback_data == NULL); + for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) { + check(c->plugins[i].modules == NULL); + check(!c->plugins[i].configured); + } +} + +int +main(int argc, char **argv) +{ + krb5_context ctx, ctx2; + krb5_plugin_initvt_fn *mods; + const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 }; + const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }; + krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD }; + + /* Copy a default context and verify the result. */ + check(krb5_init_context(&ctx) == 0); + check(krb5_copy_context(ctx, &ctx2) == 0); + check_context(ctx2, ctx); + krb5_free_context(ctx2); + + /* Set non-default values for all of the propagated fields in ctx. 
*/ + ctx->allow_weak_crypto = TRUE; + check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0); + check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0); + check(krb5_set_debugging_time(ctx, 1234, 5678) == 0); + check(krb5_cc_set_default_name(ctx, "defccname") == 0); + check(krb5_set_default_realm(ctx, "defrealm") == 0); + ctx->clockskew = 18; + ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; + ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; + ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; + ctx->kdc_default_options = KDC_OPT_FORWARDABLE; + ctx->library_options = 0; + ctx->profile_secure = TRUE; + ctx->udp_pref_limit = 2345; + ctx->use_conf_ktypes = TRUE; + ctx->ignore_acceptor_hostname = TRUE; + ctx->dns_canonicalize_hostname = FALSE; + free(ctx->plugin_base_dir); + check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL); + + /* Also set some of the non-propagated fields. */ + ctx->prompt_types = ptypes; + check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0); + k5_plugin_free_modules(ctx, mods); + krb5_set_error_message(ctx, ENOMEM, "nooooooooo"); + krb5_set_trace_callback(ctx, trace, ctx); + + /* Copy the intentionally messy context and verify the result. */ + check(krb5_copy_context(ctx, &ctx2) == 0); + check_context(ctx2, ctx); + krb5_free_context(ctx2); + + krb5_free_context(ctx); + return 0; +} ++++++ krb5-1.12-enable-NX.patch ++++++ commit c64e39c69a9a7ee32c00b0cf7918f6274a565544 Author: Greg Hudson <[email protected]> Date: Fri Jan 3 13:50:48 2014 -0500 Mark AESNI files as not needing executable stacks Some Linux systems now come with facilities to mark the stack as non-executable, making it more difficult to exploit buffer overrun bugs. For this to work, object files built from assembly need a section added to note whether they require an executable stack. Patch from Dhiru Kholia with comments added. 
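Review bot: Under the comment `Set non-default values for all of the propagated fields in ctx` the program assigns `ctx->library_options = 0;`, which looks like it may well be the default value (cannot be confirmed from here); if it is, the `library_options` comparison in check_context never exercises the copy, and a non-zero option bit should be used instead. The header comment names the file `t_copy_context.C` with a capital C while the path is `t_copy_context.c`.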
More information at: https://bugzilla.redhat.com/show_bug.cgi?id=1045699 https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart ticket: 7813 target_version: 1.12.1 tags: pullup diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s index 1c091c1..d03c859 100644 --- a/src/lib/crypto/builtin/aes/iaesx64.s +++ b/src/lib/crypto/builtin/aes/iaesx64.s @@ -834,3 +834,14 @@ lp256encsingle_CBC: movdqu [r9],xmm1 add rsp,16*16+8 ret + +; Mark this file as not needing an executable stack. +%ifidn __OUTPUT_FORMAT__,elf +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf32 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf64 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s index b667acd..1aa12e6 100644 --- a/src/lib/crypto/builtin/aes/iaesx86.s +++ b/src/lib/crypto/builtin/aes/iaesx86.s @@ -871,3 +871,14 @@ lp256encsingle_CBC: movdqu [ecx],xmm1 ; store last iv for chaining ret + +; Mark this file as not needing an executable stack. +%ifidn __OUTPUT_FORMAT__,elf +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf32 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf64 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif ++++++ krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch ++++++ --- /work/SRC/openSUSE:Factory/krb5/krb5-1.9-ksu-path.patch 2011-09-23 02:07:14.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.12-ksu-path.patch 2014-01-23 15:46:48.000000000 +0100 
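Review bot: The `.note.GNU-stack` section added to iaesx64.s (and identically to iaesx86.s) is the right marker, but it only takes effect if every object linked into the shared library carries it, and nothing in the package checks the outcome. A cheap verification after the build, for instance `readelf -lW` on the installed crypto library (libk5crypto) filtered for `GNU_STACK`, confirming the flags column shows `RW` and not `RWE`, would catch a regression if another assembly source is added later. Style: the three `%ifidn __OUTPUT_FORMAT__` blocks are mutually exclusive and emit the same section line, so a single `%ifidn ... %elifidn ... %elifidn ... %endif` chain around one `section` directive would be easier to read.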
@@ -1,13 +1,12 @@ Set the default PATH to the one set by login. -diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in ---- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 -+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 +--- krb5/src/clients/ksu/Makefile.in ++++ krb5/src/clients/ksu/Makefile.in @@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' - DEFS= ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - PROG_LIBPATH=-L$(TOPLIBD) + KSU_LIBS=@KSU_LIBS@ + PAM_LIBS=@PAM_LIBS@ ++++++ krb5-1.11-pam.patch -> krb5-1.12-pam.patch ++++++ --- /work/SRC/openSUSE:Factory/krb5/krb5-1.11-pam.patch 2013-04-05 09:26:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.12-pam.patch 2014-01-23 15:46:48.000000000 +0100 @@ -11,11 +11,10 @@ Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. -Index: krb5-1.11.1/src/aclocal.m4 -=================================================================== ---- krb5-1.11.1.orig/src/aclocal.m4 -+++ krb5-1.11.1/src/aclocal.m4 -@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4 +--- krb5/src/aclocal.m4 2014-01-13 17:12:47.509022000 +0100 ++++ krb5/src/aclocal.m4 2014-01-13 17:13:24.552689000 +0100 +@@ -1668,3 +1668,70 @@ ])) ])dnl dnl 
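Review bot: The rebased `CMD_PATH` value quietly changes the search order: the line removed from the old patch had `/sbin /usr/sbin /bin /usr/bin`, the added one has `/sbin /bin /usr/sbin /usr/bin`, while the header still only says "Set the default PATH to the one set by login" and the changelog calls this a rebase. Because ksu runs privileged and `CMD_PATH` decides which directory wins when the same command name exists in more than one of them, the reorder should either be reverted or recorded as intentional in the patch header, e.g. `Order matches the login(1) default PATH on openSUSE; /bin is searched before /usr/sbin.` — if that is indeed the reason. Note also that the new hunk carries `PAM_LIBS=@PAM_LIBS@` as context, a line that only exists after krb5-1.12-pam.patch has been applied (its Makefile.in hunk adds it), so this patch now applies cleanly only after that one; the %patch order in the spec is not visible in this diff, so that is worth confirming.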
@@ -86,10 +85,9 @@ +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -Index: krb5-1.11.1/src/clients/ksu/main.c -=================================================================== ---- krb5-1.11.1.orig/src/clients/ksu/main.c -+++ krb5-1.11.1/src/clients/ksu/main.c +diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c +--- krb5/src/clients/ksu/main.c 2014-01-13 17:12:44.864970000 +0100 ++++ krb5/src/clients/ksu/main.c 2014-01-13 17:13:24.563692000 +0100 @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, [email protected] */ @@ -109,7 +107,7 @@ /* globals */ char * prog_name; int auth_debug =0; -@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; +@@ -40,6 +45,7 @@ char k5users_path[MAXPATHLEN]; char * gb_err = NULL; int quiet = 0; @@ -117,7 +115,7 @@ /***********/ #define _DEF_CSH "/bin/csh" -@@ -584,6 +590,25 @@ main (argc, argv) +@@ -584,6 +590,25 @@ prog_name,target_user,client_name, source_user,ontty()); @@ -143,7 +141,7 @@ /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -648,6 +673,26 @@ main (argc, argv) +@@ -648,6 +673,26 @@ sweep_up(ksu_context, cc_target); exit(1); } @@ -170,7 +168,7 @@ } if( some_rest_copy){ -@@ -717,6 +762,32 @@ main (argc, argv) +@@ -717,6 +762,32 @@ exit(1); } @@ -203,7 +201,7 @@ /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -789,7 +860,7 @@ main (argc, argv) +@@ -789,7 +860,7 @@ fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -212,7 +210,7 @@ execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -819,16 +890,35 @@ main (argc, argv) +@@ -819,16 +890,35 @@ if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } 
@@ -249,12 +247,11 @@ exit (1); } } -Index: krb5-1.11.1/src/clients/ksu/Makefile.in -=================================================================== ---- krb5-1.11.1.orig/src/clients/ksu/Makefile.in -+++ krb5-1.11.1/src/clients/ksu/Makefile.in -@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) - PROG_RPATH=$(KRB5_LIBDIR) +diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in +--- krb5/src/clients/ksu/Makefile.in 2014-01-13 17:12:44.868981000 +0100 ++++ krb5/src/clients/ksu/Makefile.in 2014-01-13 17:13:24.580690000 +0100 +@@ -3,12 +3,14 @@ + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' KSU_LIBS=@KSU_LIBS@ +PAM_LIBS=@PAM_LIBS@ @@ -268,7 +265,7 @@ $(srcdir)/heuristic.c \ $(srcdir)/xmalloc.c \ $(srcdir)/setenv.c -@@ -21,13 +23,17 @@ OBJS = \ +@@ -17,13 +19,17 @@ ccache.o \ authorization.o \ main.o \ @@ -287,10 +284,9 @@ clean:: $(RM) ksu -Index: krb5-1.11.1/src/clients/ksu/pam.c -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/clients/ksu/pam.c +diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c +--- krb5/src/clients/ksu/pam.c 1970-01-01 01:00:00.000000000 +0100 ++++ krb5/src/clients/ksu/pam.c 2014-01-13 17:13:24.589692000 +0100 @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -681,10 +677,9 @@ + return ret; +} +#endif -Index: krb5-1.11.1/src/clients/ksu/pam.h -=================================================================== ---- /dev/null -+++ krb5-1.11.1/src/clients/ksu/pam.h +diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h +--- krb5/src/clients/ksu/pam.h 1970-01-01 01:00:00.000000000 +0100 ++++ krb5/src/clients/ksu/pam.h 2014-01-13 17:13:24.595690000 +0100 @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h 
@@ -743,11 +738,10 @@ +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -Index: krb5-1.11.1/src/configure.in -=================================================================== ---- krb5-1.11.1.orig/src/configure.in -+++ krb5-1.11.1/src/configure.in -@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION]) +diff -Naur krb5/src/configure.in krb5/src/configure.in +--- krb5/src/configure.in 2014-01-13 17:12:48.401059000 +0100 ++++ krb5/src/configure.in 2014-01-13 17:13:24.603693000 +0100 +@@ -1281,6 +1281,8 @@ AC_PATH_PROG(GROFF, groff) ++++++ krb5-1.12-pic-aes-ni.patch ++++++ --- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s +++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s @@ -256,6 +256,7 @@ DD 0 section .text +extern _GLOBAL_OFFSET_TABLE_ align 16 key_expansion256: @@ -318,12 +319,18 @@ _iEncExpandKey128: mov ecx,[esp-4+8] ;input mov edx,[esp-4+12] ;ctx + push ebx movdqu xmm1, [ecx] ; loading the key movdqu [edx], xmm1 - movdqa xmm5, [shuffle_mask] + call .get_GOT +.get_GOT: + pop ebx + add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc + + movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] add edx,16 @@ -348,6 +355,8 @@ _iEncExpandKey128: aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10 call key_expansion128 + pop ebx + ret @@ -412,6 +421,7 @@ global _iEncExpandKey256 _iEncExpandKey256: mov ecx, [esp-4+8] ;input mov edx, [esp-4+12] ;expanded key + push ebx movdqu xmm1, [ecx] ; loading the key @@ -421,7 +431,12 @@ _iEncExpandKey256: add edx,32 - movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion + call .get_GOT +.get_GOT: + pop ebx + add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc + + movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion aeskeygenassist xmm2, xmm3, 0x1 ; call key_expansion256 
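Review bot: The four-line GOT-fetch sequence (`call .get_GOT` / `.get_GOT:` / `pop ebx` / `add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc`) is pasted verbatim into both `_iEncExpandKey128` and `_iEncExpandKey256`; a NASM macro with a `%%`-local label keeps the two copies identical and reduces each site to one line. The ebx save/restore is consistent as written — the argument loads via `[esp-4+8]`/`[esp-4+12]` happen before `push ebx`, so the stack offsets are unaffected — but a comment such as `; ebx is callee-saved and is used as the GOT base below` would record why the push/pop pair was added. What this patch does not show is whether `shuffle_mask` was the only absolutely-addressed data reference in the file; checking the built shared object for a `TEXTREL` dynamic tag (`readelf -d <built .so>`) would confirm the x86 AES-NI code is now fully position-independent. The same remarks apply to the `@@ -421,7 +431,12 @@` hunk and to the matching `pop ebx` additions in the `@@ -348,6 +355,8 @@` and `@@ -452,6 +467,8 @@` hunks.
```nasm
extern _GLOBAL_OFFSET_TABLE_

; Load the address of the GOT into ebx.  Callers must have pushed ebx
; (callee-saved) before using this macro and pop it before returning.
%macro LOAD_GOT_EBX 0
        call %%get_GOT
%%get_GOT:
        pop ebx
        add ebx,_GLOBAL_OFFSET_TABLE_+$$-%%get_GOT wrt ..gotpc
%endmacro

; … unchanged: key_expansion256 and the other routines …

_iEncExpandKey128:
        ; … unchanged: argument loads, push ebx, key load …
        LOAD_GOT_EBX
        movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
```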
@@ -452,6 +467,8 @@ _iEncExpandKey256: movdqu [edx], xmm1 + pop ebx + ret ++++++ krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch ++++++ ++++ 703 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/krb5/krb5-1.11-selinux-label.patch ++++ and /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.12-selinux-label.patch ++++++ krb5-1.9-debuginfo.patch ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 @@ -6,7 +6,7 @@ =================================================================== --- src/kadmin/cli/Makefile.in.orig +++ src/kadmin/cli/Makefile.in -@@ -40,3 +40,8 @@ clean-unix:: +@@ -43,3 +43,8 @@ clean-unix:: # CC_LINK is not meant for compilation and this use may break in the future. datetest: getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c ++++++ krb5-1.9-kprop-mktemp.patch ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 @@ -4,7 +4,7 @@ =================================================================== --- krb5-1.11.orig/src/slave/kprop.c +++ krb5-1.11/src/slave/kprop.c -@@ -187,9 +187,8 @@ void PRS(argc, argv) +@@ -202,9 +202,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { @@ -15,7 +15,7 @@ krb5_keytab keytab = NULL; /* -@@ -230,11 +229,8 @@ void get_tickets(context) +@@ -229,11 +228,8 @@ void get_tickets(context) #endif /* ++++++ krb5-kvno-230379.patch ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 
@@ -12,7 +12,7 @@ =================================================================== --- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c +++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c -@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv) +@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv) char *princ = NULL; char *enctype = NULL; krb5_kvno kvno = 0; @@ -21,7 +21,7 @@ for (i = 1; i < argc; i++) { if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { -@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv) +@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv) } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { kvno = (krb5_kvno) atoi(argv[++i]); @@ -29,7 +29,7 @@ continue; } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { -@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv) +@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv) } } @@ -42,7 +42,7 @@ =================================================================== --- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c +++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte +@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte higher than that. Short-term workaround: only compare the low 8 bits. */ ++++++ krb5-master-gss_oid_leak.patch ++++++ commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a Author: Simo Sorce <[email protected]> Date: Fri Dec 13 12:00:41 2013 -0500 Fix memory leak in SPNEGO initiator If we eliminate a mechanism from the initiator list because gss_init_sec_context fails, free the memory for that mech OID before removing it from the list. [[email protected]: clarified commit message] ticket: 7803 (new) target_version: 1.12.1 tags: pullup diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 818a1b4..06cfab0 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c 
@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status, * can do this with recursion. If all mechanisms produce errors, the * caller should get the error from the first mech in the list. */ + gssalloc_free(sc->mech_set->elements->elements); memmove(sc->mech_set->elements, sc->mech_set->elements + 1, --sc->mech_set->count * sizeof(*sc->mech_set->elements)); if (sc->mech_set->count == 0) ++++++ krb5-master-ignore-empty-unnecessary-final-token.patch ++++++ commit 37af638b742dbd642eb70092e4f7781c3f69d86d Author: Greg Hudson <[email protected]> Date: Tue Dec 10 12:04:18 2013 -0500 Fix SPNEGO one-hop interop against old IIS IIS 6.0 and similar return a zero length reponse buffer in the last SPNEGO packet when context initiation is performed without mutual authentication. In this case the underlying Kerberos mechanism has already completed successfully on the first invocation, and SPNEGO does not expect a mech response token in the answer. If we get an empty mech response token when the mech is complete during negotiation, ignore it. [[email protected]: small code style and commit message changes] ticket: 7797 (new) target_version: 1.12.1 tags: pullup diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 3937662..d82934b 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c 
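Review bot: The added `gssalloc_free(sc->mech_set->elements->elements)` is only the right pairing if the OID buffers stored in `mech_set` were obtained from the gssalloc allocator; if they come through a generic OID copy routine that uses plain malloc, the free is mismatched, which matters on builds where gssalloc is not a thin wrapper over malloc — worth a comment naming where the buffer was allocated. After the `memmove`, the slot at the old last index still holds a copy of the pointer that now lives one position earlier, so anything that ever walks the full allocation rather than `count` would see a duplicate; clearing it after the decrement, `sc->mech_set->elements[sc->mech_set->count].elements = NULL; sc->mech_set->elements[sc->mech_set->count].length = 0;`, makes the vacated slot inert. init_ctx_call_init starts and ends outside the hunk.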
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, map_errcode(minor_status); ret = GSS_S_DEFECTIVE_TOKEN; } + } else if ((*responseToken)->length == 0 && sc->mech_complete) { + /* Handle old IIS servers returning empty token instead of + * null tokens in the non-mutual auth case. */ + *negState = ACCEPT_COMPLETE; + *tokflag = NO_TOKEN_SEND; + ret = GSS_S_COMPLETE; } else if (sc->mech_complete) { /* Reject spurious mech token. */ ret = GSS_S_DEFECTIVE_TOKEN; ++++++ krb5-master-keytab_close.patch ++++++ commit decccbcb5075f8fbc28a535a9b337afc84a15dee Author: Greg Hudson <[email protected]> Date: Mon Dec 16 15:37:56 2013 -0500 Fix GSS krb5 acceptor acquire_cred error handling When acquiring acceptor creds with a specified name, if we fail to open a replay cache, we leak the keytab handle. If there is no specified name and we discover that there is no content in the keytab, we leak the keytab handle and return the wrong major code. Memory leak reported by Andrea Campi. ticket: 7805 target_version: 1.12.1 tags: pullup diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 0efcad4..9547207 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context, code = krb5_get_server_rcache(context, &cred->name->princ->data[0], &cred->rcache); if (code) { + krb5_kt_close(context, kt); *minor_status = code; return GSS_S_FAILURE; } 
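Review bot: Within the hunk the new branch completes negotiation from `(*responseToken)->length == 0 && sc->mech_complete` alone, setting `*negState = ACCEPT_COMPLETE` and `*tokflag = NO_TOKEN_SEND` without reference to whatever state the acceptor reported; if an earlier check outside the hunk does not already gate on that, an acceptor sending an empty token with a non-complete state would also be treated as done. If that is the intent (the commit only describes the IIS accept-complete case), the comment should say so, e.g. `/* The mech already completed on our side, so the peer's state is not consulted here. */`; otherwise the acceptor's state belongs in the condition. The `length == 0` test also presupposes that get_input_token returns a zero-length token rather than possibly failing on `malloc(0)`; this hunk's `index 3937662..d82934b` is the post-image of krb5-master-no-malloc0.patch, so that patch must be applied first. init_ctx_nego continues on both sides of the hunk.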
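Review bot: Both error paths now call `krb5_kt_close(context, kt)` by hand before returning (here and in the `@@ -232,8 +233,9 @@` hunk), so every future early return in acquire_accept_cred has to remember the handle again; a single cleanup label that closes `kt` unless it has been handed to the credential on the success path — presumably what happens later in the function — would keep the leak from coming back. The second hunk additionally changes the major status for a keytab without keys from `GSS_S_FAILURE` to `GSS_S_CRED_UNAVAIL`, which callers may branch on differently; the commit message explains it, but a comment at the return, `/* No keys at all: report missing credentials, not a generic failure. */`, would keep the reason next to the code. acquire_accept_cred starts and ends outside both hunks.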
@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context, /* Make sure we have a keytab with keys in it. */ code = krb5_kt_have_content(context, kt); if (code) { + krb5_kt_close(context, kt); *minor_status = code; - return GSS_S_FAILURE; + return GSS_S_CRED_UNAVAIL; } } ++++++ krb5-master-no-malloc0.patch ++++++ commit 13fd26e1863c79f616653f6a10a58c01f65fceff Author: Greg Hudson <[email protected]> Date: Fri Dec 6 18:56:56 2013 -0500 Avoid malloc(0) in SPNEGO get_input_token If we read a zero-length token in spnego_mech.c's get_input_token(), set the value pointer to NULL instead of calling malloc(0). ticket: 7794 (new) diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 24c3440..3937662 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) return (NULL); input_token->length = len; - input_token->value = gssalloc_malloc(input_token->length); + if (input_token->length > 0) { + input_token->value = gssalloc_malloc(input_token->length); + if (input_token->value == NULL) { + free(input_token); + return (NULL); + } - if (input_token->value == NULL) { - free(input_token); - return (NULL); + memcpy(input_token->value, *buff_in, input_token->length); + } else { + input_token->value = NULL; } - - (void) memcpy(input_token->value, *buff_in, input_token->length); *buff_in += input_token->length; return (input_token); } ++++++ krb5-master-spnego_error_messages.patch ++++++ commit 4faca53e3a8ee213d43da8998f6889e7bfd36248 Author: Greg Hudson <[email protected]> Date: Wed Dec 18 16:03:16 2013 -0500 Test SPNEGO error message in t_s4u.py Now that #7045 is fixed, we can check for the correct error message from t_s4u2proxy_krb5 with --spnego. ticket: 7045 diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index 67dc810..e4aa259 100644 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py 
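Review bot: After this change a zero-length token is returned with `value == NULL` and `length == 0`, which looks identical to "no buffer" to any caller that tests `value` for NULL rather than `length`; a comment on the new `else` branch, such as `/* Empty token: no buffer is allocated, so callers must test length, not value. */`, makes that contract explicit. Behaviour also shifts on allocators where `malloc(0)` returns NULL: the old code treated that as an allocation failure and rejected the token, whereas the new code accepts it — which krb5-master-ignore-empty-unnecessary-final-token.patch (whose `index` line starts from this hunk's post-image 3937662) relies on. The check that `len` fits within `buff_length` is outside the hunk, so I cannot confirm from here that the `memcpy` is still bounded; get_input_token begins before the hunk.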
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy') -# Again with SPNEGO. Bug #7045 prevents us from checking the error -# message, but we can at least exercise the code. +# Again with SPNEGO. output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, '-', pservice1, pservice2], expected_code=1) -if ('auth1: ' + realm.user_princ not in output): +if ('auth1: ' + realm.user_princ not in output or + 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy (SPNEGO)') # Try krb5 -> S4U2Proxy without forwardable user creds. This should @@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') # Again with SPNEGO. This uses SPNEGO for the initial authentication, -# but still uses krb5 for S4U2Proxy (the delegated cred is returned as +# but still uses krb5 for S4U2Proxy--the delegated cred is returned as # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred -# directly rather than saving and reacquiring it) so bug #7045 does -# not apply and we can verify the error message. +# directly rather than saving and reacquiring it. output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') ++++++ pre_checkin.sh ++++++ --- /var/tmp/diff_new_pack.FHnbV6/_old 2014-01-23 15:46:49.000000000 +0100 +++ /var/tmp/diff_new_pack.FHnbV6/_new 2014-01-23 15:46:49.000000000 +0100 @@ -1,5 +1,6 @@ #!/bin/sh sed -e 's/Name:.*/Name: krb5-mini/g;' \ + -e 's/spec file for package.*/&-mini/' \ -e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec cp krb5.changes krb5-mini.changes -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
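Review bot: The new expression `s/spec file for package.*/&-mini/` appends `-mini` to everything after the phrase, so it yields `krb5-mini` only while the header line ends right after the package name; anchoring on the name instead, `-e 's/spec file for package krb5/&-mini/' \`, keeps the rewrite correct if that line ever gains a suffix. The script also runs without `set -e`, so a failing `sed` may leave an empty or stale krb5-mini.spec and the following `cp` still runs; a `set -e` line after the shebang would make the pre-checkin step fail loudly instead.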
