Diffstat (limited to 'app-crypt/mit-krb5/files')
4 files changed, 0 insertions, 441 deletions
diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
deleted file mode 100644
index 114cfe688e73..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
+++ /dev/null
@@ -1,297 +0,0 @@ -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 2420f2c2be..a59a65e8f6 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; -+ if (mask & KADM5_TL_DATA) { -+ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; -+ tl_data_tail = tl_data_tail->tl_data_next) { -+ if (tl_data_tail->tl_data_type < 256) -+ return KADM5_BAD_TL_TYPE; -+ } -+ } - - /* - * Check to see if the principal exists -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index 535a1f309e..8b8420faa9 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); - #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) - #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) - --#define KDB_TL_USER_INFO 0x7ffe -+#define KDB_TL_USER_INFO 0xff - - #define KDB_TL_PRINCTYPE 0x01 - #define KDB_TL_PRINCCOUNT 0x02 -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 88a1704950..b7c9212cb2 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, - return ret; - } - -+static krb5_error_code -+check_dn_in_container(krb5_context context, const char *dn, -+ char *const *subtrees, unsigned int ntrees) -+{ -+ unsigned int i; -+ size_t dnlen = strlen(dn), stlen; -+ -+ for (i = 0; i < ntrees; i++) { -+ if (subtrees[i] == NULL || *subtrees[i] == '\0') -+ return 0; -+ stlen = strlen(subtrees[i]); -+ if (dnlen >= stlen && -+ strcasecmp(dn + dnlen - stlen, subtrees[i]) 
== 0 && -+ (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) -+ return 0; -+ } -+ -+ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); -+ return EINVAL; -+} -+ -+static krb5_error_code -+check_dn_exists(krb5_context context, -+ krb5_ldap_server_handle *ldap_server_handle, -+ const char *dn, krb5_boolean nonkrb_only) -+{ -+ krb5_error_code st = 0, tempst; -+ krb5_ldap_context *ldap_context = context->dal_handle->db_context; -+ LDAP *ld = ldap_server_handle->ldap_handle; -+ LDAPMessage *result = NULL, *ent; -+ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; -+ char **values; -+ -+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); -+ if (st != LDAP_SUCCESS) -+ return set_ldap_error(context, st, OP_SEARCH); -+ -+ ent = ldap_first_entry(ld, result); -+ CHECK_NULL(ent); -+ -+ values = ldap_get_values(ld, ent, "krbticketpolicyreference"); -+ if (values != NULL) -+ ldap_value_free(values); -+ -+ values = ldap_get_values(ld, ent, "krbprincipalname"); -+ if (values != NULL) { -+ ldap_value_free(values); -+ if (nonkrb_only) { -+ st = EINVAL; -+ k5_setmsg(context, st, _("ldap object is already kerberized")); -+ goto cleanup; -+ } -+ } -+ -+cleanup: -+ ldap_msgfree(result); -+ return st; -+} -+ -+static krb5_error_code -+validate_xargs(krb5_context context, -+ krb5_ldap_server_handle *ldap_server_handle, -+ const xargs_t *xargs, const char *standalone_dn, -+ char *const *subtrees, unsigned int ntrees) -+{ -+ krb5_error_code st; -+ -+ if (xargs->dn != NULL) { -+ /* The supplied dn must be within a realm container. */ -+ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); -+ if (st) -+ return st; -+ /* The supplied dn must exist without Kerberos attributes. */ -+ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); -+ if (st) -+ return st; -+ } -+ -+ if (xargs->linkdn != NULL) { -+ /* The supplied linkdn must be within a realm container. 
*/ -+ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); -+ if (st) -+ return st; -+ /* The supplied linkdn must exist. */ -+ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, -+ FALSE); -+ if (st) -+ return st; -+ } -+ -+ if (xargs->containerdn != NULL && standalone_dn != NULL) { -+ /* standalone_dn (likely composed using containerdn) must be within a -+ * container. */ -+ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); -+ if (st) -+ return st; -+ } -+ -+ return 0; -+} -+ - krb5_error_code - krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - char **db_args) -@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - LDAPMessage *result=NULL, *ent=NULL; - char **subtreelist = NULL; - char *user=NULL, *subtree=NULL, *principal_dn=NULL; -- char **values=NULL, *strval[10]={NULL}, errbuf[1024]; -+ char *strval[10]={NULL}, errbuf[1024]; - char *filtuser=NULL; - struct berval **bersecretkey=NULL; - LDAPMod **mods=NULL; - krb5_boolean create_standalone=FALSE; -- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; -+ krb5_boolean establish_links=FALSE; - char *standalone_principal_dn=NULL; - krb5_tl_data *tl_data=NULL; - krb5_key_data **keys=NULL; -@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - * any of the subtrees - */ - if (xargs.dn_from_kbd == TRUE) { -- /* make sure the DN falls in the subtree */ -- int dnlen=0, subtreelen=0; -- char *dn=NULL; -- krb5_boolean outofsubtree=TRUE; -- -- if (xargs.dn != NULL) { -- dn = xargs.dn; -- } else if (xargs.linkdn != NULL) { -- dn = xargs.linkdn; -- } else if (standalone_principal_dn != NULL) { -- /* -- * Even though the standalone_principal_dn is constructed -- * within this function, there is the containerdn input -- * from the user that can become part of the it. 
-- */ -- dn = standalone_principal_dn; -- } -- - /* Get the current subtree list if we haven't already done so. */ - if (subtreelist == NULL) { - st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees); -@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - goto cleanup; - } - -- for (tre=0; tre<ntrees; ++tre) { -- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { -- outofsubtree = FALSE; -- break; -- } else { -- dnlen = strlen (dn); -- subtreelen = strlen(subtreelist[tre]); -- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { -- outofsubtree = FALSE; -- break; -- } -- } -- } -- -- if (outofsubtree == TRUE) { -- st = EINVAL; -- k5_setmsg(context, st, _("DN is out of the realm subtree")); -+ st = validate_xargs(context, ldap_server_handle, &xargs, -+ standalone_principal_dn, subtreelist, ntrees); -+ if (st) - goto cleanup; -- } -- -- /* -- * dn value will be set either by dn, linkdn or the standalone_principal_dn -- * In the first 2 cases, the dn should be existing and in the last case we -- * are supposed to create the ldap object. so the below should not be -- * executed for the last case. -- */ -- -- if (standalone_principal_dn == NULL) { -- /* -- * If the ldap object is missing, this results in an error. -- */ -- -- /* -- * Search for krbprincipalname attribute here. -- * This is to find if a kerberos identity is already present -- * on the ldap object, in which case adding a kerberos identity -- * on the ldap object should result in an error. 
-- */ -- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; -- -- ldap_msgfree(result); -- result = NULL; -- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); -- if (st == LDAP_SUCCESS) { -- ent = ldap_first_entry(ld, result); -- if (ent != NULL) { -- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { -- ldap_value_free(values); -- } -- -- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { -- krb_identity_exists = TRUE; -- ldap_value_free(values); -- } -- } -- } else { -- st = set_ldap_error(context, st, OP_SEARCH); -- goto cleanup; -- } -- } -- } -- -- /* -- * If xargs.dn is set then the request is to add a -- * kerberos principal on a ldap object, but if -- * there is one already on the ldap object this -- * should result in an error. -- */ -- -- if (xargs.dn != NULL && krb_identity_exists == TRUE) { -- st = EINVAL; -- snprintf(errbuf, sizeof(errbuf), -- _("ldap object is already kerberized")); -- k5_setmsg(context, st, "%s", errbuf); -- goto cleanup; - } - - if (xargs.linkdn != NULL) { -diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py -index 217f2cdc3b..6e563b1032 100755 ---- a/src/tests/t_kdb.py -+++ b/src/tests/t_kdb.py -@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]): - # in the test LDAP server. - realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], - expected_code=1, expected_msg='DN is out of the realm subtree') -+# Check that the DN container check is a hierarchy test, not a simple -+# suffix match (CVE-2018-5730). We expect this operation to fail -+# either way (because "xcn" isn't a valid DN tag) but the container -+# check should happen before the DN is parsed. 
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
- realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
-@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
- 'princ3'])
- realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
- expected_code=1, expected_msg='containerdn option not supported')
-+# Verify that containerdn is checked when linkdn is also supplied
-+# (CVE-2018-5730).
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
-+ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
-+ expected_msg='DN is out of the realm subtree')
-
- # Create and modify a ticket policy.
- kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
deleted file mode 100644
index 7a655fb9a1d8..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001 -From: Stefan Strogin <stefan.strogin@gmail.com> -Date: Thu, 25 Apr 2019 03:48:10 +0300 -Subject: [PATCH] Fix build for LibreSSL 2.9.x - -asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods -are not defined. Define them. - -Upstream-Status: Pending -[Needs to be amended if -https://github.com/libressl-portable/openbsd/pull/109 is accepted] -Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com> ---- - .../preauth/pkinit/pkinit_crypto_openssl.c | 13 ++++++++---- - .../preauth/pkinit/pkinit_crypto_openssl.h | 20 ++++++++++++++++++- - 2 files changed, 28 insertions(+), 5 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 2064eb7bd..81d5d3cf2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err); - (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - --/* 1.1 standardizes constructor and destructor names, renaming -- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ -+/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names, -+ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ - -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL - #define EVP_MD_CTX_new EVP_MD_CTX_create - #define EVP_MD_CTX_free EVP_MD_CTX_destroy - #define ASN1_STRING_get0_data ASN1_STRING_data -+#endif - - /* 1.1 makes many handle types opaque and adds accessors. Add compatibility - * versions of the new accessors we use for pre-1.1. 
*/ -@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err); - #define OBJ_get0_data(o) ((o)->data) - #define OBJ_length(o) ((o)->length) - -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL - #define DH_set0_pqg compat_dh_set0_pqg - static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) - { -@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub, - if (priv != NULL) - *priv = dh->priv_key; - } -+#endif /* LIBRESSL_VERSION_NUMBER */ - - /* Return true if the cert c includes a key usage which doesn't include u. - * Define using direct member access for pre-1.1. */ -@@ -3040,7 +3044,8 @@ cleanup: - return retval; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \ -+ LIBRESSL_VERSION_NUMBER >= 0x2090000fL - - /* - * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -index 7411348fa..ac91408c4 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -@@ -46,7 +46,25 @@ - #include <openssl/asn1.h> - #include <openssl/pem.h> - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \ -+ LIBRESSL_VERSION_NUMBER >= 0x2090000fL -+ -+#ifndef static_ASN1_SEQUENCE_END_name -+#define static_ASN1_ITEM_start(itname) \ -+ static const ASN1_ITEM itname##_it = { -+#define static_ASN1_SEQUENCE_END_name(stname, tname) \ -+ ;\ -+ static_ASN1_ITEM_start(tname) \ -+ ASN1_ITYPE_SEQUENCE,\ -+ V_ASN1_SEQUENCE,\ -+ tname##_seq_tt,\ -+ sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ -+ NULL,\ -+ sizeof(stname),\ -+ #stname \ -+ ASN1_ITEM_end(tname) -+#endif /* !defined(static_ASN1_SEQUENCE_END_name) */ -+ - #include <openssl/asn1t.h> - #else - #include 
<openssl/asn1_mac.h>
---
-2.21.0
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch
deleted file mode 100644
index 8490e629a377..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Bug #448778
---- a/src/build-tools/krb5-config.in 2012-12-18 02:47:04.000000000 +0000
-+++ b/src/build-tools/krb5-config.in 2012-12-28 07:13:16.582693363 +0000
-@@ -217,7 +217,7 @@
- -e 's#\$(PROG_RPATH)#'$libdir'#' \
- -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
- -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-+ -e 's#\$(LDFLAGS)##' \
- -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- -e 's#\$(CFLAGS)##'`
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
deleted file mode 100644
index 5c979cfd1ef7..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
+++ /dev/null
@@ -1,31 +0,0 @@ ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err); - (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - - /* 1.1 standardizes constructor and destructor names, renaming - * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ -@@ -3059,7 +3059,7 @@ cleanup: - return retval; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - - /* - * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -@@ -46,7 +46,7 @@ - #include <openssl/asn1.h> - #include <openssl/pem.h> - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - #include <openssl/asn1t.h> - #else - #include <openssl/asn1_mac.h> |