From c26930347500ab656d3f033274eb5a3b066eab7a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 27 2022 20:21:07 +0000 Subject: import krb5-1.18.2-21.el8 --- diff --git a/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch b/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch new file mode 100644 index 0000000..8358d7e --- /dev/null +++ b/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch @@ -0,0 +1,365 @@ +From 5d541f1f0b468b1c976acf8ec2359bd0c8c73be7 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 19 Jan 2022 19:46:08 +0100 +Subject: [PATCH] Make kprop work for dump files larger than 4GB + +If the dump file size does not fit in 32 bits, encode four zero bytes +(forcing an error for unmodified kpropd) followed by the size in the +next 64 bits. + +Add a functional test case, but only run it when an environment +variable is set, as processing a 4GB dump file is too +resource-intensive for make check. + +[ghudson@mit.edu: edited comments and commit message; eliminated use +of defined constant in some cases; added test case] + +ticket: 9053 (new) +--- + src/kprop/kprop.c | 37 +++++++++++++++++++++---------------- + src/kprop/kprop.h | 12 ++++++++++++ + src/kprop/kprop_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + src/kprop/kpropd.c | 33 +++++++++++++++++++++------------ + src/tests/t_kprop.py | 34 ++++++++++++++++++++++++++++++++++ + 5 files changed, 130 insertions(+), 28 deletions(-) + +diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c +index 0b53aae7e..5adb4d31f 100644 +--- a/src/kprop/kprop.c ++++ b/src/kprop/kprop.c +@@ -25,6 +25,7 @@ + */ + + #include "k5-int.h" ++#include + #include + #include + #include +@@ -71,11 +72,11 @@ static void open_connection(krb5_context context, char *host, int *fd_out); + static void kerberos_authenticate(krb5_context context, + krb5_auth_context *auth_context, int fd, + krb5_principal me, krb5_creds **new_creds); +-static int open_database(krb5_context context, char *data_fn, int *size); ++static int open_database(krb5_context context, char *data_fn, off_t *size); + static void close_database(krb5_context context, int fd); + static void xmit_database(krb5_context context, + krb5_auth_context auth_context, krb5_creds *my_creds, +- int fd, int database_fd, int in_database_size); ++ int fd, int database_fd, off_t in_database_size); + static void send_error(krb5_context context, krb5_creds *my_creds, int fd, + char *err_text, krb5_error_code err_code); + static void update_last_prop_file(char *hostname, char *file_name); +@@ -90,7 +91,8 @@ static void usage() + int + main(int argc, char **argv) + { +- int fd, database_fd, database_size; ++ int fd, database_fd; ++ off_t database_size; + krb5_error_code retval; + krb5_context context; + krb5_creds *my_creds; +@@ -339,7 +341,7 @@ kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context, + * in the size of the database file. + */ + static int +-open_database(krb5_context context, char *data_fn, int *size) ++open_database(krb5_context context, char *data_fn, off_t *size) + { + struct stat stbuf, stbuf_ok; + char *data_ok_fn; +@@ -413,19 +415,18 @@ close_database(krb5_context context, int fd) + static void + xmit_database(krb5_context context, krb5_auth_context auth_context, + krb5_creds *my_creds, int fd, int database_fd, +- int in_database_size) ++ off_t in_database_size) + { + krb5_int32 n; + krb5_data inbuf, outbuf; +- char buf[KPROP_BUFSIZ]; ++ char buf[KPROP_BUFSIZ], dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ]; + krb5_error_code retval; + krb5_error *error; +- krb5_ui_4 database_size = in_database_size, send_size, sent_size; ++ uint64_t database_size = in_database_size, send_size, sent_size; + + /* Send over the size. */ +- send_size = htonl(database_size); +- inbuf.data = (char *)&send_size; +- inbuf.length = sizeof(send_size); /* must be 4, really */ ++ inbuf = make_data(dbsize_buf, sizeof(dbsize_buf)); ++ encode_database_size(database_size, &inbuf); + /* KPROP_CKSUMTYPE */ + retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { +@@ -460,7 +461,7 @@ xmit_database(krb5_context context, krb5_auth_context auth_context, + retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { + snprintf(buf, sizeof(buf), +- "while encoding database block starting at %d", ++ "while encoding database block starting at %"PRIu64, + sent_size); + com_err(progname, retval, "%s", buf); + send_error(context, my_creds, fd, buf, retval); +@@ -471,14 +472,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context, + if (retval) { + krb5_free_data_contents(context, &outbuf); + com_err(progname, retval, +- _("while sending database block starting at %d"), ++ _("while sending database block starting at %"PRIu64), + sent_size); + exit(1); + } + krb5_free_data_contents(context, &outbuf); + sent_size += n; + if (debug) +- printf("%d bytes sent.\n", sent_size); ++ printf("%"PRIu64" bytes sent.\n", sent_size); + } + if (sent_size != database_size) { + com_err(progname, 0, _("Premature EOF found for database file!")); +@@ -533,10 +534,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context, + exit(1); + } + +- memcpy(&send_size, outbuf.data, sizeof(send_size)); +- send_size = ntohl(send_size); ++ retval = decode_database_size(&outbuf, &send_size); ++ if (retval) { ++ com_err(progname, retval, _("malformed sent database size message")); ++ exit(1); ++ } + if (send_size != database_size) { +- com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"), ++ com_err(progname, 0, _("Kpropd sent database size %"PRIu64 ++ ", expecting %"PRIu64), + send_size, database_size); + exit(1); + } +diff --git a/src/kprop/kprop.h b/src/kprop/kprop.h +index 75331cc8a..3a319b535 100644 +--- a/src/kprop/kprop.h ++++ b/src/kprop/kprop.h +@@ -32,6 +32,7 @@ + #define KPROP_PROT_VERSION "kprop5_01" + + #define KPROP_BUFSIZ 32768 ++#define KPROP_DBSIZE_MAX_BUFSIZ 12 /* max length of an encoded DB size */ + + /* pathnames are in osconf.h, included via k5-int.h */ + +@@ -41,3 +42,14 @@ int sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa, + krb5_error_code + sn2princ_realm(krb5_context context, const char *hostname, const char *sname, + const char *realm, krb5_principal *princ_out); ++ ++/* ++ * Encode size in four bytes (for backward compatibility) if it fits; otherwise ++ * use the larger encoding. buf must be allocated with at least ++ * KPROP_DBSIZE_MAX_BUFSIZ bytes. ++ */ ++void encode_database_size(uint64_t size, krb5_data *buf); ++ ++/* Decode a database size. Return KRB5KRB_ERR_GENERIC if buf has an invalid ++ * length or did not encode a 32-bit size compactly. */ ++krb5_error_code decode_database_size(const krb5_data *buf, uint64_t *size_out); +diff --git a/src/kprop/kprop_util.c b/src/kprop/kprop_util.c +index c32d174b9..9d6b25389 100644 +--- a/src/kprop/kprop_util.c ++++ b/src/kprop/kprop_util.c +@@ -96,3 +96,45 @@ sn2princ_realm(krb5_context context, const char *hostname, const char *sname, + (*princ_out)->type = KRB5_NT_SRV_HST; + return ret; + } ++ ++void ++encode_database_size(uint64_t size, krb5_data *buf) ++{ ++ assert(buf->length >= 12); ++ if (size > 0 && size <= UINT32_MAX) { ++ /* Encode in 32 bits for backward compatibility. */ ++ store_32_be(size, buf->data); ++ buf->length = 4; ++ } else { ++ /* Set the first 32 bits to 0 and encode in the following 64 bits. */ ++ store_32_be(0, buf->data); ++ store_64_be(size, buf->data + 4); ++ buf->length = 12; ++ } ++} ++ ++krb5_error_code ++decode_database_size(const krb5_data *buf, uint64_t *size_out) ++{ ++ uint64_t size; ++ ++ if (buf->length == 12) { ++ /* A 12-byte buffer must have the first four bytes zeroed. */ ++ if (load_32_be(buf->data) != 0) ++ return KRB5KRB_ERR_GENERIC; ++ ++ /* The size is stored in the next 64 bits. Values from 1..2^32-1 must ++ * be encoded in four bytes. */ ++ size = load_64_be(buf->data + 4); ++ if (size > 0 && size <= UINT32_MAX) ++ return KRB5KRB_ERR_GENERIC; ++ } else if (buf->length == 4) { ++ size = load_32_be(buf->data); ++ } else { ++ /* Invalid buffer size. */ ++ return KRB5KRB_ERR_GENERIC; ++ } ++ ++ *size_out = size; ++ return 0; ++} +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index 356e3e0e6..a83a86866 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -55,6 +55,7 @@ + #include "com_err.h" + #include "fake-addrinfo.h" + ++#include + #include + #include + #include +@@ -1354,9 +1355,10 @@ static void + recv_database(krb5_context context, int fd, int database_fd, + krb5_data *confmsg) + { +- krb5_ui_4 database_size, received_size; ++ uint64_t database_size, received_size; + int n; + char buf[1024]; ++ char dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ]; + krb5_data inbuf, outbuf; + krb5_error_code retval; + +@@ -1378,10 +1380,17 @@ recv_database(krb5_context context, int fd, int database_fd, + _("while decoding database size from client")); + exit(1); + } +- memcpy(&database_size, outbuf.data, sizeof(database_size)); ++ ++ retval = decode_database_size(&outbuf, &database_size); ++ if (retval) { ++ send_error(context, fd, retval, "malformed database size message"); ++ com_err(progname, retval, ++ _("malformed database size message from client")); ++ exit(1); ++ } ++ + krb5_free_data_contents(context, &inbuf); + krb5_free_data_contents(context, &outbuf); +- database_size = ntohl(database_size); + + /* Initialize the initial vector. */ + retval = krb5_auth_con_initivector(context, auth_context); +@@ -1401,7 +1410,7 @@ recv_database(krb5_context context, int fd, int database_fd, + retval = krb5_read_message(context, &fd, &inbuf); + if (retval) { + snprintf(buf, sizeof(buf), +- "while reading database block starting at offset %d", ++ "while reading database block starting at offset %"PRIu64, + received_size); + com_err(progname, retval, "%s", buf); + send_error(context, fd, retval, buf); +@@ -1412,8 +1421,8 @@ recv_database(krb5_context context, int fd, int database_fd, + retval = krb5_rd_priv(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { + snprintf(buf, sizeof(buf), +- "while decoding database block starting at offset %d", +- received_size); ++ "while decoding database block starting at offset %" ++ PRIu64, received_size); + com_err(progname, retval, "%s", buf); + send_error(context, fd, retval, buf); + krb5_free_data_contents(context, &inbuf); +@@ -1424,13 +1433,13 @@ recv_database(krb5_context context, int fd, int database_fd, + krb5_free_data_contents(context, &outbuf); + if (n < 0) { + snprintf(buf, sizeof(buf), +- "while writing database block starting at offset %d", ++ "while writing database block starting at offset %"PRIu64, + received_size); + send_error(context, fd, errno, buf); + } else if ((unsigned int)n != outbuf.length) { + snprintf(buf, sizeof(buf), + "incomplete write while writing database block starting " +- "at \noffset %d (%d written, %d expected)", ++ "at \noffset %"PRIu64" (%d written, %d expected)", + received_size, n, outbuf.length); + send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); + } +@@ -1440,7 +1449,8 @@ recv_database(krb5_context context, int fd, int database_fd, + /* OK, we've seen the entire file. Did we get too many bytes? */ + if (received_size > database_size) { + snprintf(buf, sizeof(buf), +- "Received %d bytes, expected %d bytes for database file", ++ "Received %"PRIu64" bytes, expected %"PRIu64 ++ " bytes for database file", + received_size, database_size); + send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); + } +@@ -1450,9 +1460,8 @@ recv_database(krb5_context context, int fd, int database_fd, + + /* Create message acknowledging number of bytes received, but + * don't send it until kdb5_util returns successfully. */ +- database_size = htonl(database_size); +- inbuf.data = (char *)&database_size; +- inbuf.length = sizeof(database_size); ++ inbuf = make_data(dbsize_buf, sizeof(dbsize_buf)); ++ encode_database_size(database_size, &inbuf); + retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL); + if (retval) { + com_err(progname, retval, "while encoding # of receieved bytes"); +diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py +index c33e4fea2..f8ffd653a 100755 +--- a/src/tests/t_kprop.py ++++ b/src/tests/t_kprop.py +@@ -87,5 +87,39 @@ realm.run([kdb5_util, 'dump', dumpfile]) + realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) + check_output(kpropd) + realm.run([kadminl, 'listprincs'], replica3, expected_msg='wakawaka') ++stop_daemon(kpropd) ++ ++# This test is too resource-intensive to be included in "make check" ++# by default, but it can be enabled in the environment to test the ++# propagation of databases large enough to require a 12-byte encoding ++# of the database size. ++if 'KPROP_LARGE_DB_TEST' in os.environ: ++ output('Generating >4GB dumpfile\n') ++ with open(dumpfile, 'w') as f: ++ f.write('kdb5_util load_dump version 6\n') ++ f.write('princ\t38\t15\t3\t1\t0\tK/M@KRBTEST.COM\t64\t86400\t0\t0\t0' ++ '\t0\t0\t0\t8\t2\t0100\t9\t8\t0100010000000000\t2\t28' ++ '\tb93e105164625f6372656174696f6e404b5242544553542e434f4d00' ++ '\t1\t1\t18\t62\t2000408c027c250e8cc3b81476414f2214d57c1ce' ++ '38891e29792e87258247c73547df4d5756266931dd6686b62270e6568' ++ '95a31ec66bfe913b4f15226227\t-1;\n') ++ for i in range(1, 20000000): ++ f.write('princ\t38\t21\t1\t1\t0\tp%08d@KRBTEST.COM' % i) ++ f.write('\t0\t86400\t0\t0\t0\t0\t0\t0\t2\t27' ++ '\td73e1051757365722f61646d696e404b5242544553542e434f4d00' ++ '\t1\t1\t17\t46' ++ '\t10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c49' ++ '5605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf\t-1;\n') ++ assert os.path.getsize(dumpfile) > 4 * 1024 * 1024 * 1024 ++ with open(dumpfile + '.dump_ok', 'w') as f: ++ f.write('\0') ++ conf_large = {'dbmodules': {'db': {'database_name': '$testdir/db.large'}}, ++ 'realms': {'$realm': {'iprop_resync_timeout': '3600'}}} ++ large = realm.special_env('large', True, kdc_conf=conf_large) ++ kpropd = realm.start_kpropd(large, ['-d']) ++ realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) ++ check_output(kpropd) ++ realm.run([kadminl, 'getprinc', 'p19999999'], env=large, ++ expected_msg='Principal: p19999999') + + success('kprop tests') +-- +2.35.1 + diff --git a/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch new file mode 100644 index 0000000..382559f --- /dev/null +++ b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch @@ -0,0 +1,91 @@ +From 6b4cdaac48e6b736b66ccc21f4eed7c6fc4c2e4a Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 4 Mar 2022 00:45:00 -0500 +Subject: [PATCH] Try harder to avoid password change replay errors + +Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed +change_set_password() to prefer TCP. However, because UDP_LAST falls +back to UDP after one second, we can still get a replay error due to a +dropped packet, before the TCP layer has a chance to retry. + +Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after +TCP fails completely without reaching a server. In sendto_kdc.c, +implement an ONLY_UDP transport strategy to allow the UDP fallback. + +ticket: 9037 +--- + src/lib/krb5/os/changepw.c | 9 ++++++++- + src/lib/krb5/os/os-proto.h | 1 + + src/lib/krb5/os/sendto_kdc.c | 12 ++++++++---- + 3 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c +index 9f968da7f..c59232586 100644 +--- a/src/lib/krb5/os/changepw.c ++++ b/src/lib/krb5/os/changepw.c +@@ -255,9 +255,16 @@ change_set_password(krb5_context context, + callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup; + krb5_free_data_contents(callback_ctx.context, &chpw_rep); + ++ /* UDP retransmits may be seen as replays. Only try UDP after other ++ * transports fail completely. */ + code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, +- &sl, UDP_LAST, &callback_info, &chpw_rep, ++ &sl, NO_UDP, &callback_info, &chpw_rep, + ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); ++ if (code == KRB5_KDC_UNREACH) { ++ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, ++ &sl, ONLY_UDP, &callback_info, &chpw_rep, ++ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); ++ } + if (code) + goto cleanup; + +diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h +index a16a34b74..ad3839131 100644 +--- a/src/lib/krb5/os/os-proto.h ++++ b/src/lib/krb5/os/os-proto.h +@@ -49,6 +49,7 @@ typedef enum { + UDP_FIRST = 0, + UDP_LAST, + NO_UDP, ++ ONLY_UDP + } k5_transport_strategy; + + /* A single server hostname or address. */ +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 82523c561..d76e24ccf 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -799,11 +799,14 @@ resolve_server(krb5_context context, const krb5_data *realm, + int err, result; + char portbuf[PORT_LENGTH]; + +- /* Skip UDP entries if we don't want UDP. */ ++ /* Skip entries excluded by the strategy. */ + if (strategy == NO_UDP && entry->transport == UDP) + return 0; ++ if (strategy == ONLY_UDP && entry->transport != UDP && ++ entry->transport != TCP_OR_UDP) ++ return 0; + +- transport = (strategy == UDP_FIRST) ? UDP : TCP; ++ transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP; + if (entry->hostname == NULL) { + /* Added by a module, so transport is either TCP or UDP. */ + ai.ai_socktype = socktype_for_transport(entry->transport); +@@ -847,8 +850,9 @@ resolve_server(krb5_context context, const krb5_data *realm, + } + + /* For TCP_OR_UDP entries, add each address again with the non-preferred +- * transport, unless we are avoiding UDP. Flag these as deferred. */ +- if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) { ++ * transport, if there is one. Flag these as deferred. */ ++ if (retval == 0 && entry->transport == TCP_OR_UDP && ++ (strategy == UDP_FIRST || strategy == UDP_LAST)) { + transport = (strategy == UDP_FIRST) ? TCP : UDP; + for (a = addrs; a != 0 && retval == 0; a = a->ai_next) { + a->ai_socktype = socktype_for_transport(transport); +-- +2.35.1 + diff --git a/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch new file mode 100644 index 0000000..9d0939f --- /dev/null +++ b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch @@ -0,0 +1,124 @@ +From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Fri, 11 Mar 2022 12:04:14 +0100 +Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest + +Various organizations including NIST have been strongly recommending to +stop using SHA-1 for digital signatures for some years already. CMS +digest is used to generate such signatures, hence it should be upgraded +to use SHA-256. +--- + .../preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++--------- + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index dbb054378..32291e3ac 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context, + /* will not fill-out EVP_PKEY because it's on the smartcard */ + + /* Set digest algs */ +- p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1); ++ p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256); + + if (p7si->digest_alg->parameter != NULL) + ASN1_TYPE_free(p7si->digest_alg->parameter); +@@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context, + /* Set sig algs */ + if (p7si->digest_enc_alg->parameter != NULL) + ASN1_TYPE_free(p7si->digest_enc_alg->parameter); +- p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption); ++ p7si->digest_enc_alg->algorithm = ++ OBJ_nid2obj(NID_sha256WithRSAEncryption); + if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new())) + goto cleanup; + p7si->digest_enc_alg->parameter->type = V_ASN1_NULL; + + /* add signed attributes */ +- /* compute sha1 digest over the EncapsulatedContentInfo */ ++ /* compute sha256 digest over the EncapsulatedContentInfo */ + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) + goto cleanup; +- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); ++ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL); + EVP_DigestUpdate(ctx, data, data_len); + md_tmp = EVP_MD_CTX_md(ctx); + EVP_DigestFinal_ex(ctx, md_data, &md_len); +@@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context, + goto cleanup2; + + #ifndef WITHOUT_PKCS11 +- /* Some tokens can only do RSAEncryption without sha1 hash */ +- /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash +- * function and the hash value into an ASN.1 value of type DigestInfo +- * DigestInfo::=SEQUENCE { +- * digestAlgorithm AlgorithmIdentifier, +- * digest OCTET STRING } ++ /* ++ * Some tokens can only do RSAEncryption without a hash. To compute ++ * sha256WithRSAEncryption, encode the algorithm ID for the hash ++ * function and the hash value into an ASN.1 value of type DigestInfo: ++ * DigestInfo ::= SEQUENCE { ++ * digestAlgorithm AlgorithmIdentifier, ++ * digest OCTET STRING ++ * } + */ + if (id_cryptoctx->pkcs11_method == 1 && + id_cryptoctx->mech == CKM_RSA_PKCS) { +@@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context, + alg = X509_ALGOR_new(); + if (alg == NULL) + goto cleanup2; +- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL); ++ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL); + alg_len = i2d_X509_ALGOR(alg, NULL); + + digest = ASN1_OCTET_STRING_new(); +@@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context, + #endif + { + pkiDebug("mech = %s\n", +- id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS"); ++ id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS"); + retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen, + &sig, &sig_len); + } +@@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len, + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) + return ENOMEM; +- EVP_SignInit(ctx, EVP_sha1()); ++ EVP_SignInit(ctx, EVP_sha256()); + EVP_SignUpdate(ctx, data, data_len); + *sig_len = EVP_PKEY_size(pkey); + if ((*sig = malloc(*sig_len)) == NULL) +@@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context, + + #ifndef PKINIT_USE_MECH_LIST + /* +- * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but +- * many cards seems to be confused about whether they are capable of +- * this or not. The safe thing seems to be to ignore the mechanism list, +- * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves. ++ * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but ++ * historically many cards seem to be confused about whether they are ++ * capable of mechanisms or not. The safe thing seems to be to ignore the ++ * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest ++ * ourselves. + */ + + id_cryptoctx->mech = CKM_RSA_PKCS; +@@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context, + if (mechp[i] == CKM_RSA_PKCS) { + /* This seems backwards... */ + id_cryptoctx->mech = +- (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS; ++ (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS; + } + } + free(mechp); +-- +2.35.1 + diff --git a/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch b/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch new file mode 100644 index 0000000..7028373 --- /dev/null +++ b/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch @@ -0,0 +1,156 @@ +From 10b32480395a01798b21818e884a593930b400d1 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 27 Apr 2022 15:29:08 +0200 +Subject: [PATCH] Fix dejagnu unit tests directory name for RPC lib + +This commit renames RPC library's unit tests directory to match the +newly enforced naming convention of dejagnu. + +Resolves: rhbz#2070879 + +Signed-off-by: Julien Rische +--- + src/configure.ac | 2 +- + src/lib/rpc/Makefile.in | 2 +- + src/lib/rpc/{unit-test => testsuite}/Makefile.in | 10 +++++----- + src/lib/rpc/{unit-test => testsuite}/client.c | 0 + src/lib/rpc/{unit-test => testsuite}/config/unix.exp | 0 + src/lib/rpc/{unit-test => testsuite}/deps | 0 + src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp | 0 + .../rpc/{unit-test => testsuite}/rpc_test.0/expire.exp | 0 + .../{unit-test => testsuite}/rpc_test.0/fullrun.exp | 0 + .../rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp | 0 + src/lib/rpc/{unit-test => testsuite}/rpc_test.h | 0 + src/lib/rpc/{unit-test => testsuite}/rpc_test.x | 0 + src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c | 0 + src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c | 0 + src/lib/rpc/{unit-test => testsuite}/server.c | 0 + 15 files changed, 7 insertions(+), 7 deletions(-) + rename src/lib/rpc/{unit-test => testsuite}/Makefile.in (93%) + rename src/lib/rpc/{unit-test => testsuite}/client.c (100%) + rename src/lib/rpc/{unit-test => testsuite}/config/unix.exp (100%) + rename src/lib/rpc/{unit-test => testsuite}/deps (100%) + rename src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/expire.exp (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/fullrun.exp (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test.h (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test.x (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c (100%) + rename src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c (100%) + rename src/lib/rpc/{unit-test => testsuite}/server.c (100%) + +diff --git a/src/configure.ac b/src/configure.ac +index 37e36b76d..2a48aa83d 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1497,7 +1497,7 @@ V5_AC_OUTPUT_MAKEFILE(. + lib/gssapi lib/gssapi/generic lib/gssapi/krb5 lib/gssapi/spnego + lib/gssapi/mechglue + +- lib/rpc lib/rpc/unit-test ++ lib/rpc lib/rpc/testsuite + + lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite + lib/krad +diff --git a/src/lib/rpc/Makefile.in b/src/lib/rpc/Makefile.in +index 6b5f1e70a..78c7a1326 100644 +--- a/src/lib/rpc/Makefile.in ++++ b/src/lib/rpc/Makefile.in +@@ -2,7 +2,7 @@ mydir=lib$(S)rpc + BUILDTOP=$(REL)..$(S).. + DEFINES = -DGSSAPI_KRB5 -DDEBUG_GSSAPI=0 -DGSSRPC__IMPL + +-SUBDIRS=unit-test ++SUBDIRS=testsuite + + ##DOSBUILDTOP = ..\.. + ##DOSLIBNAME=libgssrpc.lib +diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/testsuite/Makefile.in +similarity index 93% +rename from src/lib/rpc/unit-test/Makefile.in +rename to src/lib/rpc/testsuite/Makefile.in +index 0b6e5203d..0fab26c10 100644 +--- a/src/lib/rpc/unit-test/Makefile.in ++++ b/src/lib/rpc/testsuite/Makefile.in +@@ -1,4 +1,4 @@ +-mydir=lib$(S)rpc$(S)unit-test ++mydir=lib$(S)rpc$(S)testsuite + BUILDTOP=$(REL)..$(S)..$(S).. + + OBJS= client.o rpc_test_clnt.o rpc_test_svc.o server.o +@@ -34,19 +34,19 @@ runenv.exp: Makefile + # rm -f rpc_test.h rpc_test_clnt.c rpc_test_svc.c + # + +-check unit-test: unit-test-@DO_TEST@ ++check testsuite: testsuite-@DO_TEST@ + +-unit-test-: ++testsuite-: + @echo "+++" + @echo "+++ WARNING: lib/rpc unit tests not run." + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" + @echo 'Skipped rpc tests: runtest or Perl not found' >> $(SKIPTESTS) + +-unit-test-ok: unit-test-body ++testsuite-ok: testsuite-body + + PASS=@PASS@ +-unit-test-body: runenv.sh runenv.exp ++testsuite-body: runenv.sh runenv.exp + $(RM) krb5cc_rpc_test_* + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) + RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \ +diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/testsuite/client.c +similarity index 100% +rename from src/lib/rpc/unit-test/client.c +rename to src/lib/rpc/testsuite/client.c +diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/testsuite/config/unix.exp +similarity index 100% +rename from src/lib/rpc/unit-test/config/unix.exp +rename to src/lib/rpc/testsuite/config/unix.exp +diff --git a/src/lib/rpc/unit-test/deps b/src/lib/rpc/testsuite/deps +similarity index 100% +rename from src/lib/rpc/unit-test/deps +rename to src/lib/rpc/testsuite/deps +diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/testsuite/lib/helpers.exp +similarity index 100% +rename from src/lib/rpc/unit-test/lib/helpers.exp +rename to src/lib/rpc/testsuite/lib/helpers.exp +diff --git a/src/lib/rpc/unit-test/rpc_test.0/expire.exp b/src/lib/rpc/testsuite/rpc_test.0/expire.exp +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test.0/expire.exp +rename to src/lib/rpc/testsuite/rpc_test.0/expire.exp +diff --git a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp b/src/lib/rpc/testsuite/rpc_test.0/fullrun.exp +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test.0/fullrun.exp +rename to src/lib/rpc/testsuite/rpc_test.0/fullrun.exp +diff --git a/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp b/src/lib/rpc/testsuite/rpc_test.0/gsserr.exp +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test.0/gsserr.exp +rename to src/lib/rpc/testsuite/rpc_test.0/gsserr.exp +diff --git a/src/lib/rpc/unit-test/rpc_test.h b/src/lib/rpc/testsuite/rpc_test.h +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test.h +rename to src/lib/rpc/testsuite/rpc_test.h +diff --git a/src/lib/rpc/unit-test/rpc_test.x b/src/lib/rpc/testsuite/rpc_test.x +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test.x +rename to src/lib/rpc/testsuite/rpc_test.x +diff --git a/src/lib/rpc/unit-test/rpc_test_clnt.c b/src/lib/rpc/testsuite/rpc_test_clnt.c +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test_clnt.c +rename to src/lib/rpc/testsuite/rpc_test_clnt.c +diff --git a/src/lib/rpc/unit-test/rpc_test_svc.c b/src/lib/rpc/testsuite/rpc_test_svc.c +similarity index 100% +rename from src/lib/rpc/unit-test/rpc_test_svc.c +rename to src/lib/rpc/testsuite/rpc_test_svc.c +diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/testsuite/server.c +similarity index 100% +rename from src/lib/rpc/unit-test/server.c +rename to src/lib/rpc/testsuite/server.c +-- +2.35.1 + diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch new file mode 100644 index 0000000..3b8ccec --- /dev/null +++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch @@ -0,0 +1,342 @@ +From cc1cd235a6a8c066531a17d5773f601455bedb52 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 31 Mar 2022 18:24:39 +0200 +Subject: [PATCH] Use newly enforced dejagnu path naming convention + +Since version 1.6.3, dejagnu started to enforce a naming convention that +was already in place, but not mandatory: dejagnu test directories have +to be named "testsuite". If they don't implicit relative sub-paths +resolution (e.g. "lib", "config") is not forking. + +This commit renames kadm5 library's unit tests directory to match this +requirement. + +Resolves: rhbz#2070879 + +Signed-off-by: Julien Rische +--- + src/configure.ac | 2 +- + src/lib/kadm5/Makefile.in | 2 +- + .../{unit-test => testsuite}/Makefile.in | 28 +++++++++---------- + .../api.2/crte-policy.exp | 0 + .../api.2/get-policy.exp | 0 + .../api.2/mod-policy.exp | 0 + .../api.current/chpass-principal-v2.exp | 0 + .../api.current/chpass-principal.exp | 0 + .../api.current/crte-policy.exp | 0 + .../api.current/crte-principal.exp | 0 + .../api.current/destroy.exp | 0 + .../api.current/dlte-policy.exp | 0 + .../api.current/dlte-principal.exp | 0 + .../api.current/get-policy.exp | 0 + .../api.current/get-principal-v2.exp | 0 + .../api.current/get-principal.exp | 0 + .../api.current/init-v2.exp | 0 + .../api.current/init.exp | 0 + .../api.current/mod-policy.exp | 0 + .../api.current/mod-principal-v2.exp | 0 + .../api.current/mod-principal.exp | 0 + .../api.current/randkey-principal-v2.exp | 0 + .../api.current/randkey-principal.exp | 0 + .../{unit-test => testsuite}/config/unix.exp | 0 + src/lib/kadm5/{unit-test => testsuite}/deps | 0 + .../{unit-test => testsuite}/destroy-test.c | 0 + .../diff-files/destroy-1 | 0 + .../diff-files/no-diffs | 0 + .../{unit-test => testsuite}/handle-test.c | 0 + .../{unit-test => testsuite}/init-test.c | 0 + .../{unit-test => testsuite}/iter-test.c | 0 + .../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +- + .../{unit-test => testsuite}/lock-test.c | 0 + .../{unit-test => testsuite}/randkey-test.c | 0 + .../{unit-test => testsuite}/setkey-test.c | 0 + .../kadm5/{unit-test => testsuite}/site.exp | 0 + 36 files changed, 17 insertions(+), 17 deletions(-) + rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%) + rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%) + rename src/lib/kadm5/{unit-test => testsuite}/deps (100%) + rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%) + rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%) + rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%) + rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%) + rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%) + +diff --git a/src/configure.ac b/src/configure.ac +index 29be532cb..37e36b76d 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1499,7 +1499,7 @@ V5_AC_OUTPUT_MAKEFILE(. + + lib/rpc lib/rpc/unit-test + +- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test ++ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite + lib/krad + lib/apputils + +diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in +index c4eaad38d..76fc4b548 100644 +--- a/src/lib/kadm5/Makefile.in ++++ b/src/lib/kadm5/Makefile.in +@@ -1,6 +1,6 @@ + mydir=lib$(S)kadm5 + BUILDTOP=$(REL)..$(S).. +-SUBDIRS = clnt srv unit-test ++SUBDIRS = clnt srv testsuite + + ##DOSBUILDTOP = ..\.. + +diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in +similarity index 86% +rename from src/lib/kadm5/unit-test/Makefile.in +rename to src/lib/kadm5/testsuite/Makefile.in +index 68fa097ff..5a55b786b 100644 +--- a/src/lib/kadm5/unit-test/Makefile.in ++++ b/src/lib/kadm5/testsuite/Makefile.in +@@ -1,4 +1,4 @@ +-mydir=lib$(S)kadm5$(S)unit-test ++mydir=lib$(S)kadm5$(S)testsuite + BUILDTOP=$(REL)..$(S)..$(S).. + KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) + +@@ -61,7 +61,7 @@ runenv.exp: Makefile + eval echo "set env\($$i\) \$$$$i"; done > runenv.exp + + # +-# The unit-test targets ++# The testsuite targets + # + + check: check-@DO_TEST@ +@@ -72,13 +72,13 @@ check-: + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" + +-check-ok unit-test: unit-test-client unit-test-server ++check-ok testsuite: testsuite-client testsuite-server + +-unit-test-client: unit-test-client-setup unit-test-client-body \ +- unit-test-client-cleanup ++testsuite-client: testsuite-client-setup testsuite-client-body \ ++ testsuite-client-cleanup + +-unit-test-server: unit-test-server-setup unit-test-server-body \ +- unit-test-server-cleanup ++testsuite-server: testsuite-server-setup testsuite-server-body \ ++ testsuite-server-cleanup + + test-randkey: randkey-test + $(ENV_SETUP) $(VALGRIND) ./randkey-test +@@ -98,19 +98,19 @@ test-destroy: destroy-test + test-setkey-client: client-setkey-test + $(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin + +-unit-test-client-setup: runenv.sh ++testsuite-client-setup: runenv.sh + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) + +-unit-test-client-cleanup: ++testsuite-client-cleanup: + $(ENV_SETUP) $(STOP_SERVERS) + +-unit-test-server-setup: runenv.sh ++testsuite-server-setup: runenv.sh + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL) + +-unit-test-server-cleanup: ++testsuite-server-cleanup: + $(ENV_SETUP) $(STOP_SERVERS_LOCAL) + +-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \ ++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \ + test-setkey-client runenv.exp + $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \ + KINIT=$(BUILDTOP)/clients/kinit/kinit \ +@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \ + -mv api.log capi.log + -mv api.sum capi.sum + +-unit-test-server-body: site.exp test-handle-server lock-test ++testsuite-server-body: site.exp test-handle-server lock-test + $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \ + LOCKTEST=./lock-test \ + KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \ +@@ -140,4 +140,4 @@ clean: + $(RM) lock-test lock-test.o + $(RM) server-iter-test iter-test.o + $(RM) server-setkey-test client-setkey-test setkey-test.o +- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp ++ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp +diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp +rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/get-policy.exp +rename to src/lib/kadm5/testsuite/api.2/get-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp +rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp +rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp +rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp +rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/destroy.exp +rename to src/lib/kadm5/testsuite/api.current/destroy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp +rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp +rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-policy.exp +rename to src/lib/kadm5/testsuite/api.current/get-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/get-principal.exp +rename to src/lib/kadm5/testsuite/api.current/get-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/init-v2.exp +rename to src/lib/kadm5/testsuite/api.current/init-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/init.exp +rename to src/lib/kadm5/testsuite/api.current/init.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp +rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp +rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp +diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp +rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp +diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp +rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp +diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/config/unix.exp +rename to src/lib/kadm5/testsuite/config/unix.exp +diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps +similarity index 100% +rename from src/lib/kadm5/unit-test/deps +rename to src/lib/kadm5/testsuite/deps +diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/destroy-test.c +rename to src/lib/kadm5/testsuite/destroy-test.c +diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1 +similarity index 100% +rename from src/lib/kadm5/unit-test/diff-files/destroy-1 +rename to src/lib/kadm5/testsuite/diff-files/destroy-1 +diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs +similarity index 100% +rename from src/lib/kadm5/unit-test/diff-files/no-diffs +rename to src/lib/kadm5/testsuite/diff-files/no-diffs +diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/handle-test.c +rename to src/lib/kadm5/testsuite/handle-test.c +diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/init-test.c +rename to src/lib/kadm5/testsuite/init-test.c +diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/iter-test.c +rename to src/lib/kadm5/testsuite/iter-test.c +diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t +similarity index 99% +rename from src/lib/kadm5/unit-test/lib/lib.t +rename to src/lib/kadm5/testsuite/lib/lib.t +index 3444775cf..327946849 100644 +--- a/src/lib/kadm5/unit-test/lib/lib.t ++++ b/src/lib/kadm5/testsuite/lib/lib.t +@@ -226,7 +226,7 @@ proc end_dump_compare {name} { + global RPC + + if { ! $RPC } { +-# set file $TOP/admin/lib/unit-test/diff-files/$name ++# set file $TOP/admin/lib/testsuite/diff-files/$name + # exec $env(SIMPLE_DUMP) > /tmp/dump.after + # exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file + } +diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/lock-test.c +rename to src/lib/kadm5/testsuite/lock-test.c +diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/randkey-test.c +rename to src/lib/kadm5/testsuite/randkey-test.c +diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c +similarity index 100% +rename from src/lib/kadm5/unit-test/setkey-test.c +rename to src/lib/kadm5/testsuite/setkey-test.c +diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp +similarity index 100% +rename from src/lib/kadm5/unit-test/site.exp +rename to src/lib/kadm5/testsuite/site.exp +-- +2.35.1 + diff --git a/SOURCES/krb5-krad-larger-attrs.patch b/SOURCES/krb5-krad-larger-attrs.patch new file mode 100644 index 0000000..8437921 --- /dev/null +++ b/SOURCES/krb5-krad-larger-attrs.patch @@ -0,0 +1,69 @@ +From b2b7729d71e7ab2cde9c73b40b8e972c82a875a2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 8 Nov 2021 17:48:50 +0100 +Subject: [PATCH] Support larger RADIUS attributes in libkrad + +In kr_attrset_decode(), explicitly treat the length byte as unsigned. +Otherwise attributes longer than 125 characters will be rejected with +EBADMSG. + +Add a 253-character-long NAS-Identifier attribute to the tests to make +sure that attributes with the maximal number of characters are working +as expected. + +[ghudson@mit.edu: used uint8_t cast per current practices; edited +commit message] + +ticket: 9036 (new) +--- + src/lib/krad/attrset.c | 2 +- + src/lib/krad/t_packet.c | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c +index d89982a13..6ec031e32 100644 +--- a/src/lib/krad/attrset.c ++++ b/src/lib/krad/attrset.c +@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret, + + for (i = 0; i + 2 < in->length; ) { + type = in->data[i++]; +- tmp = make_data(&in->data[i + 1], in->data[i] - 2); ++ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2); + i += tmp.length + 1; + + retval = (in->length < i) ? EBADMSG : 0; +diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c +index 0a92e9cc2..c22489144 100644 +--- a/src/lib/krad/t_packet.c ++++ b/src/lib/krad/t_packet.c +@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username, + krb5_error_code retval; + const krb5_data *data; + int i = 0; ++ krb5_data nas_id; ++ ++ nas_id = string2data("12345678901234567890123456789012345678901234567890" ++ "12345678901234567890123456789012345678901234567890" ++ "12345678901234567890123456789012345678901234567890" ++ "12345678901234567890123456789012345678901234567890" ++ "12345678901234567890123456789012345678901234567890" ++ "123"); + + retval = krad_attrset_new(ctx, &set); + if (retval != 0) +@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username, + if (retval != 0) + goto out; + ++ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"), ++ &nas_id); ++ if (retval != 0) ++ goto out; ++ + retval = krad_packet_new_request(ctx, "foo", + krad_code_name2num("Access-Request"), + set, iterator, &i, &tmp); +-- +2.35.3 + diff --git a/SOURCES/krb5-krad-remote.patch b/SOURCES/krb5-krad-remote.patch new file mode 100644 index 0000000..d9c4d9e --- /dev/null +++ b/SOURCES/krb5-krad-remote.patch @@ -0,0 +1,171 @@ +From da677b071dadda3700d12d037f5896b166d3546d Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 9 Nov 2021 13:00:43 -0500 +Subject: [PATCH] Avoid use after free during libkrad cleanup + +libkrad client requests contain a list of references to remotes, with +no back-references or reference counts. To prevent accesses to +dangling references during cleanup, cancel all requests on all remotes +before freeing any remotes. + +Remove the code for aging out unused servers. This code was fairly +safe as all requests referencing a remote should have completed or +timed out during an hour of disuse, but in the current design we have +no way to guarantee or check that. The set of addresses we send +RADIUS requests to will generally be small, so aging out servers is +unnecessary. + +ticket: 9035 (new) +--- + src/lib/krad/client.c | 42 ++++++++++++++--------------------------- + src/lib/krad/internal.h | 4 ++++ + src/lib/krad/remote.c | 11 ++++++++--- + 3 files changed, 26 insertions(+), 31 deletions(-) + +diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c +index 6365dd1c6..810940afc 100644 +--- a/src/lib/krad/client.c ++++ b/src/lib/krad/client.c +@@ -64,7 +64,6 @@ struct request_st { + + struct server_st { + krad_remote *serv; +- time_t last; + K5_LIST_ENTRY(server_st) list; + }; + +@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret, + krad_remote **out) + { + krb5_error_code retval; +- time_t currtime; + server *srv; + +- if (time(&currtime) == (time_t)-1) +- return errno; +- + K5_LIST_FOREACH(srv, &rc->servers, list) { + if (kr_remote_equals(srv->serv, ai, secret)) { +- srv->last = currtime; + *out = srv->serv; + return 0; + } +@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret, + srv = calloc(1, sizeof(server)); + if (srv == NULL) + return ENOMEM; +- srv->last = currtime; + + retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv); + if (retval != 0) { +@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs, + return 0; + } + +-/* Close remotes that haven't been used in a while. */ +-static void +-age(struct server_head *head, time_t currtime) +-{ +- server *srv, *tmp; +- +- K5_LIST_FOREACH_SAFE(srv, head, list, tmp) { +- if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) { +- K5_LIST_REMOVE(srv, list); +- kr_remote_free(srv->serv); +- free(srv); +- } +- } +-} +- + /* Handle a response from a server (or related errors). */ + static void + on_response(krb5_error_code retval, const krad_packet *reqp, + const krad_packet *rspp, void *data) + { + request *req = data; +- time_t currtime; + size_t i; + + /* Do nothing if we are already completed. */ +@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp, + for (i = 0; req->remotes[i].remote != NULL; i++) + kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet); + +- /* Age out servers that haven't been used in a while. */ +- if (time(&currtime) != (time_t)-1) +- age(&req->rc->servers, currtime); +- + request_free(req); + } + +@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out) + void + krad_client_free(krad_client *rc) + { ++ server *srv; ++ + if (rc == NULL) + return; + +- age(&rc->servers, -1); ++ /* Cancel all requests before freeing any remotes, since each request's ++ * callback data may contain references to multiple remotes. */ ++ K5_LIST_FOREACH(srv, &rc->servers, list) ++ kr_remote_cancel_all(srv->serv); ++ ++ while (!K5_LIST_EMPTY(&rc->servers)) { ++ srv = K5_LIST_FIRST(&rc->servers); ++ K5_LIST_REMOVE(srv, list); ++ kr_remote_free(srv->serv); ++ free(srv); ++ } ++ + free(rc); + } + +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index 312dc8258..b086598fb 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, + void + kr_remote_cancel(krad_remote *rr, const krad_packet *pkt); + ++/* Cancel all requests awaiting responses. */ ++void ++kr_remote_cancel_all(krad_remote *rr); ++ + /* Determine if this remote object refers to the remote resource identified + * by the addrinfo struct and the secret. */ + krb5_boolean +diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c +index 0f90443ce..b5dd8cd19 100644 +--- a/src/lib/krad/remote.c ++++ b/src/lib/krad/remote.c +@@ -421,15 +421,20 @@ error: + return retval; + } + ++void ++kr_remote_cancel_all(krad_remote *rr) ++{ ++ while (!K5_TAILQ_EMPTY(&rr->list)) ++ request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL); ++} ++ + void + kr_remote_free(krad_remote *rr) + { + if (rr == NULL) + return; + +- while (!K5_TAILQ_EMPTY(&rr->list)) +- request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL); +- ++ kr_remote_cancel_all(rr); + free(rr->secret); + if (rr->info != NULL) + free(rr->info->ai_addr); +-- +2.35.3 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 5e13c23..8c2049b 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 14%{?dist} +Release: 21%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -86,6 +86,13 @@ Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch Patch141: Fix-KCM-retrieval-support-for-sssd.patch Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch Patch143: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch +Patch144: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch +Patch145: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch +Patch146: Make-kprop-work-for-dump-files-larger-than-4GB.patch +Patch147: Try-harder-to-avoid-password-change-replay-errors.patch +Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch +Patch149: krb5-krad-larger-attrs.patch +Patch150: krb5-krad-remote.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -291,7 +298,7 @@ popd # builds going on the same host don't step on each other. cfg="src/kadmin/testing/proto/kdc.conf.proto \ src/kadmin/testing/proto/krb5.conf.proto \ - src/lib/kadm5/unit-test/api.current/init-v2.exp \ + src/lib/kadm5/testsuite/api.current/init-v2.exp \ src/util/k5test.py" LONG_BIT=`getconf LONG_BIT` PORT=`expr 61000 + $LONG_BIT - 48` @@ -696,6 +703,23 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Jul 01 2022 Julien Rische - 1.18.2-21 +- Backport fix of memory use after free during libkrad cleanup +- Backport support for larger RADIUS attributes in libkrad +- Resolves: rhbz#2103125 + +* Wed Apr 27 2022 Julien Rische - 1.18.2-19 +- Try harder to avoid password change replay errors +- Resolves: #2077563 + +* Wed Apr 13 2022 Julien Rische - 1.18.2-18 +- Fix kprop for propagating dump files larger than 4GB +- Resolves: #2026462 + +* Mon Mar 21 2022 Julien Rische - 1.18.2-15 +- Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest +- Resolves: #2066316 + * Wed Aug 25 2021 Robbie Harwood - 1.18.2-14 - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) - Resolves: #1997601