krb5: Upgrade to 1.17
License-Update: Copyright year updated to 2019. Remove one backported patch. Fix below do_package issue: ERROR: krb5-1.17-r0 do_package: QA Issue: krb5: Files/directories were installed but not shipped in any package: /usr/lib/krb5/plugins/preauth/spake.so Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-80
@@ -1,80 +0,0 @@
|
||||
From 6fad7d45701234c8e81300d50dd5b8037d846d11 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Wed, 27 Feb 2019 23:59:59 -0800
|
||||
Subject: [PATCH] Ignore password attributes for S4U2Self requests
|
||||
|
||||
For consistency with Windows KDCs, allow protocol transition to work
|
||||
even if the password has expired or needs changing.
|
||||
|
||||
Also, when looking up an enterprise principal with an AS request,
|
||||
treat ERR_KEY_EXP as confirmation that the client is present in the
|
||||
realm.
|
||||
|
||||
[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
|
||||
commit message]
|
||||
|
||||
ticket: 8763 (new)
|
||||
tags: pullup
|
||||
target_version: 1.17
|
||||
|
||||
Upsteam-Status: Backport [https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086]
|
||||
CVE: CVE-2018-20217
|
||||
|
||||
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
|
||||
---
|
||||
src/kdc/kdc_util.c | 5 +++++
|
||||
src/lib/krb5/krb/s4u_creds.c | 2 +-
|
||||
src/tests/gssapi/t_s4u.py | 8 ++++++++
|
||||
3 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index 754570c..034c979 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
|
||||
|
||||
memset(&no_server, 0, sizeof(no_server));
|
||||
|
||||
+ /* Ignore password expiration and needchange attributes (as Windows
|
||||
+ * does), since S4U2Self is not password authentication. */
|
||||
+ princ->pw_expiration = 0;
|
||||
+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
|
||||
+
|
||||
code = validate_as_request(kdc_active_realm, request, *princ,
|
||||
no_server, kdc_time, status, &e_data);
|
||||
if (code) {
|
||||
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
|
||||
index 91c02aa..2037984 100644
|
||||
--- a/src/lib/krb5/krb/s4u_creds.c
|
||||
+++ b/src/lib/krb5/krb/s4u_creds.c
|
||||
@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
|
||||
code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
|
||||
opts, krb5_get_as_key_noop, &userid, &use_master,
|
||||
NULL);
|
||||
- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
|
||||
+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
|
||||
*canon_user = userid.user;
|
||||
userid.user = NULL;
|
||||
code = 0;
|
||||
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
|
||||
index 3da6544..ba0469e 100755
|
||||
--- a/src/tests/gssapi/t_s4u.py
|
||||
+++ b/src/tests/gssapi/t_s4u.py
|
||||
@@ -20,6 +20,14 @@ pservice2 = 'p:' + service2
|
||||
# Get forwardable creds for service1 in the default cache.
|
||||
realm.kinit(service1, None, ['-f', '-k'])
|
||||
|
||||
+# Try S4U2Self for user with a restricted password.
|
||||
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
|
||||
+realm.run(['./t_s4u', 'e:user', '-'])
|
||||
+realm.run([kadminl, 'modprinc', '-needchange',
|
||||
+ '-pwexpire', '1/1/2000', realm.user_princ])
|
||||
+realm.run(['./t_s4u', 'e:user', '-'])
|
||||
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
|
||||
+
|
||||
# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
|
||||
# at the S4U2Proxy step since the DB2 back end currently has no
|
||||
# support for allowing it.
|
||||
--
|
||||
2.17.1
|
||||
|
||||
+5
-4
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
|
||||
HOMEPAGE = "http://web.mit.edu/Kerberos/"
|
||||
SECTION = "console/network"
|
||||
LICENSE = "MIT"
|
||||
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=7f95bc3d8d0351aa481d56d5e9de20c3"
|
||||
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=aff541e7261f1926ac6a2a9a7bbab839"
|
||||
DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
|
||||
|
||||
inherit autotools-brokensep binconfig perlnative systemd update-rc.d
|
||||
@@ -30,10 +30,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
|
||||
file://etc/default/krb5-admin-server \
|
||||
file://krb5-kdc.service \
|
||||
file://krb5-admin-server.service \
|
||||
file://0001-Ignore-password-attributes-for-S4U2Self-requests.patch;striplevel=2 \
|
||||
"
|
||||
SRC_URI[md5sum] = "ffd52595e969fb700d37313606e4dc3d"
|
||||
SRC_URI[sha256sum] = "9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027"
|
||||
SRC_URI[md5sum] = "3b729d89eb441150e146780c4138481b"
|
||||
SRC_URI[sha256sum] = "5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5"
|
||||
|
||||
CVE_PRODUCT = "kerberos"
|
||||
|
||||
@@ -105,6 +104,7 @@ PACKAGES =+ "${PN}-admin-server \
|
||||
${PN}-kpropd \
|
||||
${PN}-otp \
|
||||
${PN}-pkinit \
|
||||
${PN}-spake \
|
||||
${PN}-user \
|
||||
libgssapi-krb5 \
|
||||
libgssrpc \
|
||||
@@ -151,6 +151,7 @@ FILES_${PN}-kdc-ldap = "${libdir}/krb5/libkdb_ldap${SOLIBS} \
|
||||
FILES_${PN}-kpropd = "${sbindir}/kpropd"
|
||||
FILES_${PN}-otp = "${libdir}/krb5/plugins/preauth/otp.so"
|
||||
FILES_${PN}-pkinit = "${libdir}/krb5/plugins/preauth/pkinit.so"
|
||||
FILES_${PN}-spake = "${libdir}/krb5/plugins/preauth/spake.so"
|
||||
FILES_${PN}-user = "${bindir}/k*"
|
||||
|
||||
FILES_libgssapi-krb5 = "${libdir}/libgssapi_krb5${SOLIBS}"
|
||||
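Review bot: The SRC_URI line for `0001-Ignore-password-attributes-for-S4U2Self-requests.patch` is dropped on the grounds that it is a "backported patch", but the deleted patch is tagged `CVE: CVE-2018-20217` and carries MIT's `tags: pullup` / `target_version: 1.17` trailers with a 27 Feb 2019 author date, which in krb5's convention marks a change queued for the 1.17 maintenance branch rather than one already in the 1.17 release tarball. Before removing it the commit should confirm that the 1.17 sources fetched here (sha256 `5a6e2284…`) actually contain upstream 5e6d179; if they do not, the upgrade silently regresses a CVE-tagged fix and cve-check loses the `CVE:` tag that was suppressing the report. If the fix is confirmed to be upstream, say so in the commit message (e.g. "drop 0001-…S4U2Self…patch, merged upstream in 1.17") so the next bump does not have to re-derive it. It would also be worth a one-line comment next to the new `${PN}-spake` package, e.g. `# spake.so preauth plugin was previously unpackaged (do_package QA error)`, since the recipe otherwise gives no hint why this plugin got its own package while the others already had one.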