[Pkg-sssd-devel] sssd: Changes to 'debian-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Wed May 23 12:30:04 UTC 2012
debian/changelog | 11 +
debian/patches/fix-upstream-1297.diff | 254 ++++++++++++++++++++++++++++++++++
debian/patches/fix-upstream-1298.diff | 51 ++++++
debian/patches/fix-upstream-1330.diff | 40 +++++
debian/patches/fix-upstream-1343.diff | 52 ++++++
debian/patches/series | 5
6 files changed, 412 insertions(+), 1 deletion(-)
New commits:
commit d0932afea38137adb158bbebb6d1ee73a4c72f98
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed May 23 15:27:53 2012 +0300
add patches/fix-upstream-1343.diff
* patches/fix-upstream-1343.diff
- LDAP nested groups: Do not process callback with _post deep in the nested
structure (LP: #981125)
diff --git a/debian/changelog b/debian/changelog
index cd4a267..9b0c12d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -54,6 +54,9 @@ sssd (1.8.3-1) UNRELEASED; urgency=low
Limit krb5_get_init_creds_keytab() to etypes in keytab
- patches/fix-upstream-1330.diff
KRB5: Avoid NULL-dereference with empty keytab
+ * patches/fix-upstream-1343.diff
+ - LDAP nested groups: Do not process callback with _post deep in the nested
+ structure (LP: #981125)
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 04 Apr 2012 11:40:40 +0300
diff --git a/debian/patches/fix-upstream-1343.diff b/debian/patches/fix-upstream-1343.diff
new file mode 100644
index 0000000..4fb589e
--- /dev/null
+++ b/debian/patches/fix-upstream-1343.diff
@@ -0,0 +1,52 @@
+commit 6efb62b8b94405cfd0afecbf2d04985b6f44419b
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue May 22 17:41:52 2012 +0200
+
+ LDAP nested groups: Do not process callback with _post deep in the nested structure
+
+ https://fedorahosted.org/sssd/ticket/1343
+
+diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
+index 84eb7cb..b587f66 100644
+--- a/src/providers/ldap/sdap_async_groups.c
++++ b/src/providers/ldap/sdap_async_groups.c
+@@ -2498,14 +2498,13 @@ static errno_t sdap_nested_group_lookup_user(struct tevent_req *req,
+ ret = sdap_nested_group_process_step(req);
+ }
+
+- if (ret == EOK) {
+- /* EOK means it's complete */
+- tevent_req_done(req);
+- tevent_req_post(req, state->ev);
+- } else if (ret != EAGAIN) {
++ if (ret != EOK && ret != EAGAIN) {
++ DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
+ return ret;
++ } else if (ret == EOK) {
++ DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
++ tevent_req_done(req);
+ }
+-
+ return EOK;
+ }
+ /*
+@@ -2583,14 +2582,13 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
+ ret = sdap_nested_group_process_step(req);
+ }
+
+- if (ret == EOK) {
+- /* EOK means it's complete */
+- tevent_req_done(req);
+- tevent_req_post(req, state->ev);
+- } else if (ret != EAGAIN) {
++ if (ret != EOK && ret != EAGAIN) {
++ DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
+ return ret;
++ } else if (ret == EOK) {
++ DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
++ tevent_req_done(req);
+ }
+-
+ return EOK;
+ }
+
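Review bot: The new failure branch in both rewritten tails logs only `Nested group processing failed` and drops the error value, so the trace records that the walk stopped but not why; `DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed [%d]: %s\n", ret, strerror(ret)));` would make the message self-contained for incident triage. Both enclosing functions, sdap_nested_group_lookup_user and sdap_nested_group_lookup_group, start before their hunks, so whether the caller turns the non-EOK/non-EAGAIN return into tevent_req_error cannot be checked here. Dropping tevent_req_post is the stated purpose of the commit and is not re-raised.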
diff --git a/debian/patches/series b/debian/patches/series
index 9b2e472..a8f55b1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
fix-upstream-1297.diff
fix-upstream-1298.diff
fix-upstream-1330.diff
+fix-upstream-1343.diff
commit 07ca4a2b6ca22ebf8581fcd2952bd1f3a3e425bb
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed May 23 13:14:53 2012 +0300
backport upstream commits to fix LP: 985031
diff --git a/debian/changelog b/debian/changelog
index 257b025..cd4a267 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -46,6 +46,14 @@ sssd (1.8.3-1) UNRELEASED; urgency=low
kernel keyring manipulation.
* sssd.logrotate: Rotate logs weekly, keep four previous rotations.
(Closes: #672984)
+ * Pull patches from the stable branch to fix an issue that results in broken
+ credential cache (LP: #985031)
+ - patches/fix-upstream-1298.diff
+ If canon'ing principals, write ccache with updated default principal
+ - patches/fix-upstream-1297.diff
+ Limit krb5_get_init_creds_keytab() to etypes in keytab
+ - patches/fix-upstream-1330.diff
+ KRB5: Avoid NULL-dereference with empty keytab
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 04 Apr 2012 11:40:40 +0300
diff --git a/debian/patches/fix-upstream-1297.diff b/debian/patches/fix-upstream-1297.diff
new file mode 100644
index 0000000..46a3b12
--- /dev/null
+++ b/debian/patches/fix-upstream-1297.diff
@@ -0,0 +1,254 @@
+commit fbd3a264e5ab80f8aa8918732cd5360389b42a90
+Author: Stef Walter <stefw at gnome.org>
+Date: Tue Apr 10 22:20:53 2012 +0200
+
+ Limit krb5_get_init_creds_keytab() to etypes in keytab
+
+ * Load the enctypes for the keys in the keytab and pass
+ them to krb5_get_init_creds_keytab().
+ * This fixes the problem where the server offers a enctype
+ that krb5 supports, but we don't have a key for in the keytab.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=811375
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 209643a..9a84684 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -610,6 +610,14 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
+ krb5_error_code kerr = 0;
+ krb5_creds creds;
+ krb5_get_init_creds_opt options;
++ krb5_enctype *etype_list;
++ krb5_error_code krberr;
++ TALLOC_CTX *tmp_ctx;
++ int n_etype_list;
++
++ tmp_ctx = talloc_new(NULL);
++ if (tmp_ctx == NULL)
++ return ENOMEM;
+
+ memset(&creds, 0, sizeof(creds));
+ memset(&options, 0, sizeof(options));
+@@ -619,6 +627,18 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
+ krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ krb5_set_canonicalize(&options);
+
++ krberr = sss_krb5_read_etypes_for_keytab(tmp_ctx, ctx, keytab, princ,
++ &etype_list, &n_etype_list);
++ if (krberr) {
++ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to load etypes from keytab: %s\n",
++ sss_krb5_get_error_message(ctx, krberr)));
++ } else if (n_etype_list > 0) {
++ krb5_get_init_creds_opt_set_etype_list(&options, etype_list,
++ n_etype_list);
++ DEBUG(SSSDBG_FUNC_DATA, ("Loaded %d enctypes from keytab\n",
++ n_etype_list));
++ }
++
+ kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
+ &options);
+ if (kerr != 0) {
+@@ -635,6 +655,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
+
+ done:
+ krb5_free_cred_contents(ctx, &creds);
++ talloc_free(tmp_ctx);
+
+ return kerr;
+
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index e66406c..0679dbf 100644
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -155,6 +155,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ krb5_get_init_creds_opt options;
+ krb5_error_code krberr;
+ krb5_timestamp kdc_time_offset;
++ krb5_enctype *etype_list;
++ int n_etype_list;
+ int canonicalize = 0;
+ int kdc_time_offset_usec;
+ int ret;
+@@ -270,6 +272,19 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+
++ krberr = sss_krb5_read_etypes_for_keytab(memctx, context, keytab, kprinc,
++ &etype_list, &n_etype_list);
++ if (krberr) {
++ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to load etypes from keytab: %s\n",
++ sss_krb5_get_error_message(context,
++ krberr)));
++ } else if (n_etype_list > 0) {
++ krb5_get_init_creds_opt_set_etype_list(&options, etype_list,
++ n_etype_list);
++ DEBUG(SSSDBG_FUNC_DATA, ("Loaded %d enctypes from keytab for %s\n",
++ n_etype_list, full_princ));
++ }
++
+ krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
+ keytab, 0, NULL, &options);
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index a38a0c1..a59afb2 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -981,3 +981,140 @@ sss_krb5_free_keytab_entry_contents(krb5_context context,
+ return krb5_kt_free_entry(context, entry);
+ }
+ #endif
++
++static int
++is_preferred_etype (krb5_enctype etype)
++{
++ static const krb5_enctype preferred[] = {
++ ENCTYPE_DES3_CBC_SHA1,
++ ENCTYPE_ARCFOUR_HMAC,
++ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
++ ENCTYPE_CAMELLIA128_CTS_CMAC,
++#endif
++#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
++ ENCTYPE_CAMELLIA256_CTS_CMAC,
++#endif
++ 0
++ };
++ int i;
++
++ for (i = 0; preferred[i] != 0; i++) {
++ if (preferred[i] == etype) {
++ return 1;
++ }
++ }
++
++ return 0;
++}
++
++static int
++compare_etypes (const void *one,
++ const void *two)
++{
++ const krb5_enctype *e1 = one;
++ const krb5_enctype *e2 = two;
++ int p1, p2;
++
++ p1 = is_preferred_etype(*e1);
++ p2 = is_preferred_etype(*e2);
++
++ if (p1 == p2) {
++ return (int)*e2 - (int)*e1;
++ }
++
++ /* Sort preferred etypes first */
++ return p2 - p1;
++}
++
++krb5_error_code
++sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
++ krb5_context context,
++ krb5_keytab keytab,
++ krb5_principal princ,
++ krb5_enctype **etype_list,
++ int *n_etype_list)
++{
++ krb5_kt_cursor cursor;
++ krb5_keytab_entry entry;
++ krb5_enctype *etypes = NULL;
++ krb5_kvno max_kvno = 0;
++ int allocated = 0;
++ TALLOC_CTX *tmp_ctx;
++ int count = 0;
++ int ret;
++
++ tmp_ctx = talloc_new(NULL);
++ if (!tmp_ctx) return ENOMEM;
++
++ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
++ if (ret != 0) {
++ talloc_free(tmp_ctx);
++ return ret;
++ }
++
++ for (;;) {
++ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
++ if (ret != 0) {
++ break;
++ }
++
++ if (!krb5_c_valid_enctype(entry.key.enctype) ||
++ !krb5_principal_compare(context, entry.principal, princ)) {
++ continue;
++ }
++
++ /* Make sure our list is for the highest kvno found for client. */
++ if (entry.vno > max_kvno) {
++ count = 0;
++ max_kvno = entry.vno;
++ } else if (entry.vno != max_kvno) {
++ continue;
++ }
++
++ /*
++ * Reallocate and add enctype. When reallocating always reserve
++ * one for extra logic below.
++ */
++ if (count + 1 >= allocated) {
++ allocated += 16;
++ etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, allocated);
++ if (etypes == NULL) {
++ ret = ENOMEM;
++ break;
++ }
++ }
++ etypes[count] = entry.key.enctype;
++ count++;
++
++ /* All DES key types work with des-cbc-crc, which is more likely to be
++ * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */
++ if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 ||
++ entry.key.enctype == ENCTYPE_DES_CBC_MD4) {
++ etypes[count] = ENCTYPE_DES_CBC_CRC;
++ count++;
++ }
++ }
++
++ krb5_kt_end_seq_get(context, keytab, &cursor);
++
++ if (ret == KRB5_KT_END) {
++ ret = 0;
++ }
++
++ if (ret == 0) {
++ /* Sort the preferred enctypes first */
++ qsort(etypes, count, sizeof(*etypes), compare_etypes);
++ etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
++ if (etypes == NULL) {
++ ret = ENOMEM;
++ } else {
++ *etype_list = talloc_steal(mem_ctx, etypes);
++ *n_etype_list = count;
++ }
++ }
++
++ talloc_free(tmp_ctx);
++ return ret;
++}
+diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
+index 50c4b69..349dbaa 100644
+--- a/src/util/sss_krb5.h
++++ b/src/util/sss_krb5.h
+@@ -132,4 +132,12 @@ typedef krb5_ticket_times sss_krb5_ticket_times;
+ typedef krb5_times sss_krb5_ticket_times;
+ #endif
+
++krb5_error_code
++sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
++ krb5_context context,
++ krb5_keytab keytab,
++ krb5_principal princ,
++ krb5_enctype **etype_list,
++ int *n_etype_list);
++
+ #endif /* __SSS_KRB5_H__ */
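Review bot: The second preprocessor guard in is_preferred_etype tests `ENCTYPE_CAMELLIA128_CTS_CMAC` but wraps `ENCTYPE_CAMELLIA256_CTS_CMAC`, so with a libkrb5 that defines only the 128-bit constant the build fails and with one that defines only the 256-bit constant that type is silently left out of the preferred set; it should read `#ifdef ENCTYPE_CAMELLIA256_CTS_CMAC`. Within the preferred set compare_etypes orders by raw enctype number descending, which puts ENCTYPE_ARCFOUR_HMAC (23) ahead of AES256/AES128 (18/17) in the list handed to the KDC; if that order is meant as a preference, ranking by position in `preferred[]` would be more defensible than the numeric value. In get_and_save_tgt_with_keytab, tmp_ctx is allocated with a NULL parent and freed only at `done:`, while the body of the `if (kerr != 0)` after krb5_get_init_creds_keytab lies outside the hunk; if that branch returns directly rather than jumping to `done`, tmp_ctx leaks on every failed keytab authentication. Both callers treat a read failure as non-fatal and fall back to the library's default etype list, which is the right choice for a backport.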
diff --git a/debian/patches/fix-upstream-1298.diff b/debian/patches/fix-upstream-1298.diff
new file mode 100644
index 0000000..dbb59fa
--- /dev/null
+++ b/debian/patches/fix-upstream-1298.diff
@@ -0,0 +1,51 @@
+commit 4d1a261202d828efc84e3a84d16c30548f29f76d
+Author: Stef Walter <stefw at gnome.org>
+Date: Wed Apr 11 12:12:57 2012 +0200
+
+ If canon'ing principals, write ccache with updated default principal
+
+ * When calling krb5_get_init_creds_keytab() with
+ krb5_get_init_creds_opt_set_canonicalize() the credential
+ principal can get updated.
+ * Create the cache file with the correct default credential.
+ * LDAP GSSAPI SASL would fail due to the mismatched credentials
+ before this patch.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=811518
+
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -626,7 +626,8 @@
+ return kerr;
+ }
+
+- kerr = create_ccache_file(ctx, princ, ccname, &creds);
++ /* Use the updated principal in the creds in case canonicalized */
++ kerr = create_ccache_file(ctx, creds.client, ccname, &creds);
+ if (kerr != 0) {
+ KRB5_DEBUG(1, kerr);
+ goto done;
+@@ -683,7 +684,10 @@
+ }
+ }
+
+- kerr = create_ccache_file(kr->ctx, kr->princ, kr->ccname, kr->creds);
++ /* Use the updated principal in the creds in case canonicalized */
++ kerr = create_ccache_file(kr->ctx,
++ kr->creds ? kr->creds->client : kr->princ,
++ kr->ccname, kr->creds);
+ if (kerr != 0) {
+ KRB5_DEBUG(1, kerr);
+ goto done;
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -285,7 +285,8 @@
+ goto done;
+ }
+
+- krberr = krb5_cc_initialize(context, ccache, kprinc);
++ /* Use updated principal if changed due to canonicalization. */
++ krberr = krb5_cc_initialize(context, ccache, my_creds.client);
+ if (krberr) {
+ DEBUG(2, ("Failed to init ccache: %s\n",
+ sss_krb5_get_error_message(context, krberr)));
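Review bot: The switch to `creds.client` / `my_creds.client` is silent, so when the KDC canonicalizes the client name the ccache ends up with a default principal that differs from the one configured, and nothing in the log explains the mismatch; a trace-level line at each site, e.g. `DEBUG(SSSDBG_TRACE_FUNC, ("Initializing ccache with principal from creds (may be canonicalized)\n"));`, would help when diagnosing GSSAPI bind failures. In krb5_child the guard `kr->creds ? kr->creds->client : kr->princ` assumes a non-NULL kr->creds always carries a client principal; the code that fills kr->creds is outside the hunk, so that assumption cannot be verified here. All three enclosing functions start before their hunks.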
diff --git a/debian/patches/fix-upstream-1330.diff b/debian/patches/fix-upstream-1330.diff
new file mode 100644
index 0000000..e6251c0
--- /dev/null
+++ b/debian/patches/fix-upstream-1330.diff
@@ -0,0 +1,40 @@
+commit 6da9b3bcbee97fbfdb02c652ddcd0ab048224997
+Author: Stephen Gallagher <sgallagh at redhat.com>
+Date: Mon May 21 20:36:44 2012 -0400
+
+ KRB5: Avoid NULL-dereference with empty keytab
+
+ https://fedorahosted.org/sssd/ticket/1330
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index a59afb2..c944bf0 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -1104,14 +1104,20 @@ sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
+ }
+
+ if (ret == 0) {
+- /* Sort the preferred enctypes first */
+- qsort(etypes, count, sizeof(*etypes), compare_etypes);
+- etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
+- if (etypes == NULL) {
+- ret = ENOMEM;
++ if (etypes) {
++ /* Sort the preferred enctypes first */
++ qsort(etypes, count, sizeof(*etypes), compare_etypes);
++ etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
++ if (etypes == NULL) {
++ ret = ENOMEM;
++ } else {
++ *etype_list = talloc_steal(mem_ctx, etypes);
++ *n_etype_list = count;
++ }
+ } else {
+- *etype_list = talloc_steal(mem_ctx, etypes);
+- *n_etype_list = count;
++ /* The key table was empty. There are no enctypes to match */
++ *etype_list = NULL;
++ *n_etype_list = 0;
+ }
+ }
+
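Review bot: The comment on the new else branch, `The key table was empty`, is narrower than the condition it documents: etypes also stays NULL when the keytab has entries but none matches `princ` or passes krb5_c_valid_enctype, so the fallback also fires for a missing principal. Suggest `/* No usable key for this principal in the keytab; leave the list empty so callers skip krb5_get_init_creds_opt_set_etype_list */`. Testing `count == 0` rather than `etypes` would state the intent directly, since count is what the loop tracks; that loop lies above the hunk and the enclosing function sss_krb5_read_etypes_for_keytab starts before it.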
diff --git a/debian/patches/series b/debian/patches/series
index a82d1b4..9b2e472 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
-#placeholder
+fix-upstream-1297.diff
+fix-upstream-1298.diff
+fix-upstream-1330.diff