diff --git a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch index 63a3deb..17ecec6 100644 --- a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch +++ b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch @@ -1,7 +1,7 @@ From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 3 Mar 2016 18:53:31 +0100 -Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks +Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks Add two new APIs, krb5_set_kdc_send_hook() and krb5_set_kdc_recv_hook(), which can be used to inspect and override diff --git a/Add-OS-prng-intended-for-use-with-getrandom.patch b/Add-OS-prng-intended-for-use-with-getrandom.patch new file mode 100644 index 0000000..964eca6 --- /dev/null +++ b/Add-OS-prng-intended-for-use-with-getrandom.patch 
@@ -0,0 +1,100 @@ +From 5d38da6d4eb29bf87e98a5cb4577b870dbf405ed Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 14 Sep 2016 16:12:57 -0400 +Subject: [PATCH] Add OS prng intended for use with getrandom() + +Add the prng_os.c module, using the name previously occupied by what +is now prng_device.c. Unlike prng_device.c, this PRNG module +maintains no file descriptor and just uses k5_os_random(), which is +most efficient on platforms which have a getrandom() system call. + +[ghudson@mit.edu: expanded on commit message] + +ticket: 8499 +(cherry picked from commit 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa) +--- + src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + create mode 100644 src/lib/crypto/krb/prng_os.c + +diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c +new file mode 100644 +index 0000000..8ea13e7 +--- /dev/null ++++ b/src/lib/crypto/krb/prng_os.c +@@ -0,0 +1,72 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* lib/crypto/krb/prng_os.c - OS PRNG implementation */ ++/* ++ * Copyright (C) 2016 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/* ++ * This file implements a PRNG module which relies on the system's PRNG. An ++ * OS packager can select this module given sufficient confidence in the ++ * operating system's native PRNG quality. ++ */ ++ ++#include "crypto_int.h" ++ ++int ++k5_prng_init(void) ++{ ++ return 0; ++} ++ ++void ++k5_prng_cleanup(void) ++{ ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, ++ const krb5_data *indata) ++{ ++ return 0; ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_c_random_make_octets(krb5_context context, krb5_data *outdata) ++{ ++ krb5_boolean res; ++ ++ res = k5_get_os_entropy((uint8_t *)outdata->data, outdata->length, 0); ++ return res ? 0 : KRB5_CRYPTO_INTERNAL; ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_c_random_os_entropy(krb5_context context, int strong, int *success) ++{ ++ return 0; ++} +-- +2.9.3 + diff --git a/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch b/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch new file mode 100644 index 0000000..d694f3c --- /dev/null +++ b/Add-getrandom-to-k5_get_os_entropy-using-syscall.patch 
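Review bot: `krb5_c_random_os_entropy()` in the new prng_os.c returns 0 without ever writing `*success`, so a caller that passes a non-NULL `success` reads an indeterminate int; the Fortuna implementation added earlier in this series always stores a status before returning. Since this module has no pool to contribute to, the stub should report the no-op explicitly, `if (success != NULL) *success = 0;` before `return 0;`. The identical stub is added to prng_os.c by the prng_os.c hunk of Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch below (the file that the rename patch later turns into prng_device.c), and needs the same fix. A short header comment on the stub saying that OS entropy is consumed directly by `krb5_c_random_make_octets()` and there is nothing to seed would also help the next reader.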
@@ -0,0 +1,62 @@ +From 3a8bf57bd3008b2f5338bbd8ba1db5e9e2622c92 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 14 Sep 2016 16:10:34 -0400 +Subject: [PATCH] Add getrandom to k5_get_os_entropy() using syscall + +ticket: 8499 +(cherry picked from commit a9a48392c088b53d8dd86b8008b4059ab78a3679) +--- + src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c +index 9ad24c1..22948a4 100644 +--- a/src/lib/crypto/krb/prng.c ++++ b/src/lib/crypto/krb/prng.c +@@ -58,6 +58,9 @@ k5_get_os_entropy(unsigned char *buf, size_t len, int strong) + #ifdef HAVE_SYS_STAT_H + #include + #endif ++#ifdef __linux__ ++#include ++#endif /* __linux__ */ + + /* Open device, ensure that it is not a regular file, and read entropy. Return + * true on success, false on failure. */ +@@ -96,6 +99,33 @@ krb5_boolean + k5_get_os_entropy(unsigned char *buf, size_t len, int strong) + { + const char *device; ++#if defined(__linux__) && defined(SYS_getrandom) ++ int r; ++ ++ while (len > 0) { ++ /* ++ * Pull from the /dev/urandom pool, but it to have been seeded. This ++ * ensures strong randomness while only blocking during first system ++ * boot. ++ * ++ * glibc does not currently provide a binding for getrandom: ++ * https://sourceware.org/bugzilla/show_bug.cgi?id=17252 ++ */ ++ errno = 0; ++ r = syscall(SYS_getrandom, buf, len, 0); ++ if (r <= 0) { ++ if (errno == EINTR) ++ continue; ++ ++ /* ENOSYS or other unrecoverable failure */ ++ break; ++ } ++ len -= r; ++ buf += r; ++ } ++ if (len == 0) ++ return TRUE; ++#endif /* defined(__linux__) && defined(SYS_getrandom) */ + + device = strong ? "/dev/random" : "/dev/urandom"; + return read_entropy_from_device(device, buf, len); +-- +2.9.3 + diff --git a/Add-krb5_db_register_keytab.patch b/Add-krb5_db_register_keytab.patch index fd77167..e6dd30f 100644 --- a/Add-krb5_db_register_keytab.patch +++ b/Add-krb5_db_register_keytab.patch 
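Review bot: On the `SYS_getrandom` path the `strong` parameter is never consulted — the syscall is always issued with flags 0 (the urandom pool) and the function returns TRUE before reaching the `/dev/random` selection, so `strong` only changes behavior when getrandom is unavailable. That looks intentional given the comment about blocking only until the pool is seeded, but it belongs at the top of the block, e.g. `/* With getrandom(), strong is ignored: once it returns, the pool has been seeded, which is all "strong" requires. */`. The existing comment has a dropped word: `Pull from the /dev/urandom pool, but it to have been seeded` should read `but require it to have been seeded`. `r` would also be more faithfully declared `long`, since `syscall()` returns `long` and `len` is a `size_t`; with `int` the `len -= r` arithmetic relies on the kernel's per-call cap rather than on the type. The `#include` lines in this rendering have lost their `<...>` header names, so the added Linux-only include cannot be checked here.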
@@ -1,7 +1,7 @@ -From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001 +From 4514bc6f0b32471d1a9081ee3677d41eb373d3ff Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 7 Sep 2016 18:33:43 +0200 -Subject: [PATCH 19/19] Add krb5_db_register_keytab() +Subject: [PATCH] Add krb5_db_register_keytab() Add a public libkdb5 function to register the KDB keytab type. This functionality is needed for out-of-tree KDC servers such as the Samba diff --git a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch index 7237327..a47f81a 100644 --- a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch +++ b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch @@ -1,7 +1,7 @@ -From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001 +From db601cd51030a1e48f38078dd706e95db069ead7 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 7 Mar 2016 17:59:07 +0100 -Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks +Subject: [PATCH] Add tests for send and receive sendto_kdc hooks [ghudson@mit.edu: style changes] @@ -10,13 +10,13 @@ ticket: 8386 Conflicts: src/tests/Makefile.in [rharwood@redhat.com: fix cherry-pick merge conflicts] -[rharwood@redhat.com: locally remove gitignore] +[rharwood@redhat.com: delete .gitignore] --- src/tests/Makefile.in | 12 ++- src/tests/deps | 10 ++ src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++ src/tests/t_hooks.py | 9 ++ - 5 files changed, 281 insertions(+), 4 deletions(-) + 4 files changed, 280 insertions(+), 4 deletions(-) create mode 100644 src/tests/hooks.c create mode 100755 src/tests/t_hooks.py diff --git a/Change-KDC-error-for-encrypted-timestamp-preauth.patch b/Change-KDC-error-for-encrypted-timestamp-preauth.patch index a66d004..c14c736 100644 --- a/Change-KDC-error-for-encrypted-timestamp-preauth.patch +++ b/Change-KDC-error-for-encrypted-timestamp-preauth.patch 
@@ -1,7 +1,7 @@ -From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001 +From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 8 Aug 2016 18:03:55 +0200 -Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth +Subject: [PATCH] Change KDC error for encrypted timestamp preauth When encrypted timestamp pre-authentication fails, respond with error code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for diff --git a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch index 9810acd..7b9b4ae 100644 --- a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch +++ b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch @@ -1,7 +1,7 @@ From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:58:44 -0400 -Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640 +Subject: [PATCH] Create KDC and kadmind log files with mode 0640 In krb5_klog_init(), use open() and fdopen() to open log files so that we can specify a mode. Specify a mode which doesn't include the diff --git a/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch b/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch new file mode 100644 index 0000000..3467adf --- /dev/null +++ b/Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch 
@@ -0,0 +1,187 @@ +From dd0c141bfc858caa8470271205220a968db7ab51 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 12 Sep 2016 12:25:05 -0400 +Subject: [PATCH] Don't feed OS RNG output into the OS RNG + +krb5_c_random_os_entropy() now must be provided by PRNG modules. + +ticket: 8499 +(cherry picked from commit 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f) +--- + src/lib/crypto/krb/crypto_int.h | 3 +- + src/lib/crypto/krb/prng.c | 60 +++++---------------------------------- + src/lib/crypto/krb/prng_fortuna.c | 26 ++++++++++++++++- + src/lib/crypto/krb/prng_os.c | 6 ++++ + 4 files changed, 40 insertions(+), 55 deletions(-) + +diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h +index c054144..a205e3f 100644 +--- a/src/lib/crypto/krb/crypto_int.h ++++ b/src/lib/crypto/krb/crypto_int.h +@@ -508,6 +508,7 @@ void krb5int_crypto_impl_cleanup(void); + * PRNG modules must implement the following APIs from krb5.h: + * krb5_c_random_add_entropy + * krb5_c_random_make_octets ++ * krb5_c_random_os_entropy + * + * PRNG modules should implement these functions. They are called from the + * crypto library init and cleanup functions, and can be used to setup and tear +@@ -517,7 +518,7 @@ int k5_prng_init(void); + void k5_prng_cleanup(void); + + /* Used by PRNG modules to gather OS entropy. Returns true on success. 
*/ +-krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len); ++krb5_boolean k5_get_os_entropy(unsigned char *buf, size_t len, int strong); + + /*** Inline helper functions ***/ + +diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c +index e478b19..9ad24c1 100644 +--- a/src/lib/crypto/krb/prng.c ++++ b/src/lib/crypto/krb/prng.c +@@ -36,11 +36,13 @@ krb5_c_random_seed(krb5_context context, krb5_data *data) + #if defined(_WIN32) + + krb5_boolean +-k5_get_os_entropy(unsigned char *buf, size_t len) ++k5_get_os_entropy(unsigned char *buf, size_t len, int strong) + { + krb5_boolean result; + HCRYPTPROV provider; + ++ /* CryptGenRandom is always considered strong. */ ++ + if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT)) + return FALSE; +@@ -49,22 +51,6 @@ k5_get_os_entropy(unsigned char *buf, size_t len) + return result; + } + +-krb5_error_code KRB5_CALLCONV +-krb5_c_random_os_entropy(krb5_context context, int strong, int *success) +-{ +- int oursuccess = 0; +- char buf[1024]; +- krb5_data data = make_data(buf, sizeof(buf)); +- +- if (k5_get_os_entropy(buf, sizeof(buf)) && +- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, +- &data) == 0) +- oursuccess = 1; +- if (success != NULL) +- *success = oursuccess; +- return 0; +-} +- + #else /* not Windows */ + #ifdef HAVE_UNISTD_H + #include +@@ -107,44 +93,12 @@ cleanup: + } + + krb5_boolean +-k5_get_os_entropy(unsigned char *buf, size_t len) ++k5_get_os_entropy(unsigned char *buf, size_t len, int strong) + { +- return read_entropy_from_device("/dev/urandom", buf, len); +-} ++ const char *device; + +-/* Read entropy from device and contribute it to the PRNG. Returns true on +- * success. 
*/ +-static krb5_boolean +-add_entropy_from_device(krb5_context context, const char *device) +-{ +- krb5_data data; +- unsigned char buf[64]; +- +- if (!read_entropy_from_device(device, buf, sizeof(buf))) +- return FALSE; +- data = make_data(buf, sizeof(buf)); +- return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, +- &data) == 0); +-} +- +-krb5_error_code KRB5_CALLCONV +-krb5_c_random_os_entropy(krb5_context context, int strong, int *success) +-{ +- int unused; +- int *oursuccess = (success != NULL) ? success : &unused; +- +- *oursuccess = 0; +- /* If we are getting strong data then try that first. We are +- guaranteed to cause a reseed of some kind if strong is true and +- we have both /dev/random and /dev/urandom. We want the strong +- data included in the reseed so we get it first.*/ +- if (strong) { +- if (add_entropy_from_device(context, "/dev/random")) +- *oursuccess = 1; +- } +- if (add_entropy_from_device(context, "/dev/urandom")) +- *oursuccess = 1; +- return 0; ++ device = strong ? 
"/dev/random" : "/dev/urandom"; ++ return read_entropy_from_device(device, buf, len); + } + + #endif /* not Windows */ +diff --git a/src/lib/crypto/krb/prng_fortuna.c b/src/lib/crypto/krb/prng_fortuna.c +index e70ffa3..017a119 100644 +--- a/src/lib/crypto/krb/prng_fortuna.c ++++ b/src/lib/crypto/krb/prng_fortuna.c +@@ -366,7 +366,7 @@ k5_prng_init(void) + #else + last_pid = getpid(); + #endif +- if (k5_get_os_entropy(osbuf, sizeof(osbuf))) { ++ if (k5_get_os_entropy(osbuf, sizeof(osbuf), 0)) { + generator_reseed(&main_state, osbuf, sizeof(osbuf)); + have_entropy = TRUE; + } +@@ -443,4 +443,28 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata) + return 0; + } + ++krb5_error_code KRB5_CALLCONV ++krb5_c_random_os_entropy(krb5_context context, int strong, int *success) ++{ ++ krb5_error_code ret; ++ krb5_data data; ++ uint8_t buf[64]; ++ int status = 0; ++ ++ if (!k5_get_os_entropy(buf, sizeof(buf), strong)) ++ goto done; ++ ++ data = make_data(buf, sizeof(buf)); ++ ret = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data); ++ if (ret) ++ goto done; ++ ++ status = 1; ++ ++done: ++ if (success != NULL) ++ *success = status; ++ return 0; ++} ++ + #endif /* not TEST */ +diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_os.c +index 730ed2e..ecfe351 100644 +--- a/src/lib/crypto/krb/prng_os.c ++++ b/src/lib/crypto/krb/prng_os.c +@@ -91,3 +91,9 @@ krb5_c_random_make_octets(krb5_context context, krb5_data *outdata) + } + return 0; + } ++ ++krb5_error_code KRB5_CALLCONV ++krb5_c_random_os_entropy(krb5_context context, int strong, int *success) ++{ ++ return 0; ++} +-- +2.9.3 + diff --git a/Fix-impersonate_name-to-work-with-interposers.patch b/Fix-impersonate_name-to-work-with-interposers.patch index 84e9e00..5baebb0 100644 --- a/Fix-impersonate_name-to-work-with-interposers.patch +++ b/Fix-impersonate_name-to-work-with-interposers.patch @@ -1,7 +1,7 @@ From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Fri, 13 Nov 2015 14:54:11 -0500 -Subject: [PATCH 12/19] Fix impersonate_name to work with interposers +Subject: [PATCH] Fix impersonate_name to work with interposers This follows the same modifications applied to gss_acquire_cred_with_password() when interposer plugins were diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch index 23b0536..b6c17e8 100644 --- a/Improve-bad-password-inference-in-kinit.patch +++ b/Improve-bad-password-inference-in-kinit.patch @@ -1,7 +1,7 @@ -From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001 +From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 25 Jul 2016 13:28:43 -0400 -Subject: [PATCH 17/19] Improve bad password inference in kinit +Subject: [PATCH] Improve bad password inference in kinit kinit currently outputs "Password incorrect" if it sees a bad-integrity error code, which results if the KDC reply couldn't be diff --git a/Rename-prng_os.c-to-prng_device.c.patch b/Rename-prng_os.c-to-prng_device.c.patch new file mode 100644 index 0000000..327ee07 --- /dev/null +++ b/Rename-prng_os.c-to-prng_device.c.patch 
@@ -0,0 +1,29 @@ +From 8ca87ac2ab358d9fa6756636a6c5280858a72e3b Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 14 Sep 2016 12:53:10 -0400 +Subject: [PATCH] Rename prng_os.c to prng_device.c + +ticket: 8499 +(cherry picked from commit 5e54525fbe40d56f44368e216c92938403cad96d) +--- + src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + rename src/lib/crypto/krb/{prng_os.c => prng_device.c} (97%) + +diff --git a/src/lib/crypto/krb/prng_os.c b/src/lib/crypto/krb/prng_device.c +similarity index 97% +rename from src/lib/crypto/krb/prng_os.c +rename to src/lib/crypto/krb/prng_device.c +index ecfe351..bef5b37 100644 +--- a/src/lib/crypto/krb/prng_os.c ++++ b/src/lib/crypto/krb/prng_device.c +@@ -1,5 +1,5 @@ + /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/krb/prng_os.c - OS-native PRNG implementation */ ++/* lib/crypto/krb/prng_device.c - OS device-based PRNG implementation */ + /* + * Copyright (C) 2011 by the Massachusetts Institute of Technology. + * All rights reserved. +-- +2.9.3 + diff --git a/Set-prompt-type-for-OTP-preauth-prompt.patch b/Set-prompt-type-for-OTP-preauth-prompt.patch index 343df6b..391dc80 100644 --- a/Set-prompt-type-for-OTP-preauth-prompt.patch +++ b/Set-prompt-type-for-OTP-preauth-prompt.patch @@ -1,7 +1,7 @@ -From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001 +From 59ffbc2016ae2e164a0da7bacc5449bd9898337c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 25 Jul 2016 13:23:31 -0400 -Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt +Subject: [PATCH] Set prompt type for OTP preauth prompt Add k5_set_prompt_type() calls around the prompter invocation in preauth_otp.c, and add the comment we conventionally put before diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index d2ab8b0..d86d224 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,7 +1,7 @@ 
From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 -Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch +Subject: [PATCH] krb5-1.11-kpasswdtest.patch --- src/kadmin/testing/proto/krb5.conf.proto | 1 + diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 454b731..d9c49c1 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,7 +1,7 @@ From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 -Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch +Subject: [PATCH] krb5-1.11-run_user_0.patch A hack: if we're looking at creating a ccache directory directly below the /run/user/0 directory, and /run/user/0 doesn't exist, try to create diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index 61417f1..2031529 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,7 +1,7 @@ From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:00 -0400 -Subject: [PATCH 07/19] krb5-1.12-api.patch +Subject: [PATCH] krb5-1.12-api.patch Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from diff --git a/krb5-1.12-buildconf.patch b/krb5-1.12-buildconf.patch index efe9106..da7bd84 100644 --- a/krb5-1.12-buildconf.patch +++ b/krb5-1.12-buildconf.patch @@ -1,7 +1,7 @@ From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 -Subject: [PATCH 05/19] krb5-1.12-buildconf.patch +Subject: [PATCH] krb5-1.12-buildconf.patch Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 61f654a..40ca7ae 100644 
--- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -1,7 +1,7 @@ From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:32:09 -0400 -Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch +Subject: [PATCH] krb5-1.12-ksu-path.patch Set the default PATH to the one set by login. --- diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index 4ca1c75..43b8306 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -1,7 +1,7 @@ From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:33:53 -0400 -Subject: [PATCH 04/19] krb5-1.12-ktany.patch +Subject: [PATCH] krb5-1.12-ktany.patch Adds an "ANY" keytab type which is a list of other keytab locations to search when searching for a specific entry. When iterated through, it only presents diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index 39d296d..1c26f81 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch @@ -1,7 +1,7 @@ From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 -Subject: [PATCH 01/19] krb5-1.12.1-pam.patch +Subject: [PATCH] krb5-1.12.1-pam.patch Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index bb35ffe..4c0b699 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,7 +1,7 @@ From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:44 -0400 -Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch +Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from original version filed as RT#5891. 
diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.13-selinux-label.patch index feb034f..c770524 100644 --- a/krb5-1.13-selinux-label.patch +++ b/krb5-1.13-selinux-label.patch @@ -1,7 +1,7 @@ From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 -Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch +Subject: [PATCH] krb5-1.13-selinux-label.patch SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index 589e18d..d7a705d 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,7 +1,7 @@ From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 -Subject: [PATCH 06/19] krb5-1.3.1-dns.patch +Subject: [PATCH] krb5-1.3.1-dns.patch We want to be able to use --with-netlib and --enable-dns at the same time. --- diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index c9c1109..496915e 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,7 +1,7 @@ From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 -Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch +Subject: [PATCH] krb5-1.9-debuginfo.patch We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that diff --git a/krb5.spec b/krb5.spec index fb6d0c1..5f6b7cd 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.4 -Release: 1%{?dist} +Release: 2%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -64,6 +64,10 @@ Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch Patch17: Improve-bad-password-inference-in-kinit.patch Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch Patch19: Add-krb5_db_register_keytab.patch +Patch20: Don-t-feed-OS-RNG-output-into-the-OS-RNG.patch +Patch21: Rename-prng_os.c-to-prng_device.c.patch +Patch22: Add-getrandom-to-k5_get_os_entropy-using-syscall.patch +Patch23: Add-OS-prng-intended-for-use-with-getrandom.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -265,6 +269,10 @@ ln NOTICE LICENSE %patch17 -p1 -b .Improve-bad-password-inference-in-kinit %patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth %patch19 -p1 -b .Add-krb5_db_register_keytab +%patch20 -p1 -b .Don-t-feed-OS-RNG-output-into-the-OS-RNG +%patch21 -p1 -b .Rename-prng_os.c-to-prng_device.c +%patch22 -p1 -b .Add-getrandom-to-k5_get_os_entropy-using-syscall +%patch23 -p1 -b .Add-OS-prng-intended-for-use-with-getrandom # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -341,7 +349,8 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --with-tls-impl=openssl \ --with-system-verto \ --with-pam \ - --with-selinux + --with-selinux \ + --with-prng-alg=os # Now build it. make popd @@ -734,6 +743,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Sep 22 2016 Robbie Harwood - 1.14.4-2 +- Backport getrandom() support +- Remove patch numbering + * Mon Sep 19 2016 Robbie Harwood - 1.14.4-1 - New upstream release - Update names and numbers to match external git
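Review bot: The added `--with-prng-alg=os` configure switch changes which PRNG module is built into the crypto library (the new prng_os.c, which passes kernel output straight through, instead of Fortuna), but the changelog entry only records `Backport getrandom() support`. A second line such as `- Switch the crypto library to the OS PRNG (--with-prng-alg=os)` would make the behavior change visible to anyone bisecting RNG issues later. The Patch20–Patch23 order matches the order the cherry-pick trailers in the patch files suggest for the upstream commits, as far as can be seen here.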