From f29ff7186e1bc6902997e779103474351b2290ba Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Jan 09 2023 12:28:16 +0000
Subject: [PATCH 1/2] Make tests compatible with sssd_krb5_locator_plugin.so
---
diff --git a/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
new file mode 100644
index 0000000..5840faa
--- /dev/null
+++ b/0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
@@ -0,0 +1,41 @@
+From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 7 Dec 2022 13:22:42 +0100
+Subject: [PATCH] [downstream] Make tests compatible with
+ sssd_krb5_locator_plugin.so
+
+The sssd_krb5_locator_plugin.so plugin provided by sssd-client conflicts
+with the upstream test t_discover_uri.py. The test has to be modified in
+order to avoid false positive.
+---
+ src/lib/krb5/os/t_discover_uri.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/os/t_discover_uri.py b/src/lib/krb5/os/t_discover_uri.py
+index 87bac17929..26bc95a8dc 100644
+--- a/src/lib/krb5/os/t_discover_uri.py
++++ b/src/lib/krb5/os/t_discover_uri.py
+@@ -1,3 +1,4 @@
++from os.path import exists
+ from k5test import *
+
+ entries = ('URI _kerberos.TEST krb5srv::kkdcp:https://kdc1 1 1\n',
+@@ -37,8 +38,14 @@ realm.env['RESOLV_WRAPPER_HOSTS'] = hosts_filename
+ out = realm.run(['./t_locate_kdc', 'TEST'], env=realm.env)
+ l = out.splitlines()
+
++if (exists('/usr/lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')
++ or exists('/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')):
++ line_range = range(6, 14)
++else:
++ line_range = range(4, 12)
++
+ j = 0
+-for i in range(4, 12):
++for i in line_range:
+ if l[i].strip() != expected[j]:
+ fail('URI answers do not match')
+ j += 1
+--
+2.38.1
+
diff --git a/krb5.spec b/krb5.spec
index b197f0b..44696f6 100644
--- a/krb5.spec
+++ b/krb5.spec
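Review bot: In the t_discover_uri.py hunk carried by the added 0013 patch, the window of output lines to compare is chosen by probing two hard-coded paths with `exists()`, so the test keys on a file being installed rather than on what `t_locate_kdc` actually printed; a plugin installed under another libdir, or installed but not loaded, selects the wrong window and the test fails for an unrelated reason. The loop still indexes `l[i]` with no length check, so short output ends in an IndexError rather than the intended message; `if len(l) < line_range.stop: fail('URI answers do not match')` before the loop would keep the failure readable. The four or six lines ahead of the window are never asserted, so whatever a system locator plugin prints there is accepted unverified; locating the start by the first line equal to `expected[0]` would remove the path probe altogether. A comment above the `if` saying why the offset moves by two when the plugin is present would also help the next reader.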
@@ -10,7 +10,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 3 +%global baserelease 4 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -71,6 +71,7 @@ Patch9: 0009-Simplify-plugin-loading-code.patch Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch Patch12: 0012-Add-and-use-ts_interval-helper.patch +Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -254,9 +255,6 @@ Requires: /etc/crypto-policies/back-ends/krb5.config Requires: /usr/share/dict/words #Requires: openldap-servers, openldap-clients -# sssd_krb5_locator_plugin.so conflicts with t_discover_uri.py -Conflicts: sssd-client - %description tests FOR TESTING PURPOSE ONLY Test sources for krb5 build, with pre-defined compilation parameters @@ -710,6 +708,9 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog +* Tue Dec 20 2022 Julien Rische - 1.20.1-4 +- Make tests compatible with sssd_krb5_locator_plugin.so + * Tue Dec 06 2022 Julien Rische - 1.20.1-3 - Enable TMT integration with Fedora CI diff --git a/plans/tests.fmf b/plans/tests.fmf index 9d368f3..970ae2e 100644 --- a/plans/tests.fmf +++ b/plans/tests.fmf @@ -1,9 +1,5 @@ summary: Tests discover: how: fmf -prepare: -- how: shell - script: - - dnf remove -y sssd-client execute: how: tmt From f0b4f85e9e3715cf90d634cd4cd21452fda2620a Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Jan 09 2023 12:28:16 +0000 Subject: [PATCH 2/2] Include missing OpenSSL FIPS header Signed-off-by: Julien Rische --- diff --git a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch new file mode 100644 index 0000000..24ba48a --- /dev/null +++ b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch 
@@ -0,0 +1,120 @@
+From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 5 Jan 2023 20:06:47 +0100
+Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
+
+The inclusion of openssl/fips.h, which provides the declaration of
+FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this
+header file has to be included explicitly in krb5 code.
+---
+ src/lib/crypto/krb/prng.c | 4 +++-
+ src/lib/crypto/openssl/enc_provider/camellia.c | 1 +
+ src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++
+ src/lib/crypto/openssl/hmac.c | 1 +
+ src/lib/krad/internal.h | 4 ++++
+ src/plugins/preauth/spake/spake_client.c | 4 ++++
+ src/plugins/preauth/spake/spake_kdc.c | 4 ++++
+ 7 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
+index 9e80a03d21..ae37c77518 100644
+--- a/src/lib/crypto/krb/prng.c
++++ b/src/lib/crypto/krb/prng.c
+@@ -28,7 +28,9 @@
+
+ #include
+
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#else
+ #include
+ #endif
+
+diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
+index d9f327add6..3dd3b0624f 100644
+--- a/src/lib/crypto/openssl/enc_provider/camellia.c
++++ b/src/lib/crypto/openssl/enc_provider/camellia.c
+@@ -32,6 +32,7 @@
+ #include
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include
++#include
+ #else
+ #include
+ #endif
+diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
+index ce63cb5f1b..6a83f10d27 100644
+--- a/src/lib/crypto/openssl/enc_provider/rc4.c
++++ b/src/lib/crypto/openssl/enc_provider/rc4.c
+@@ -38,6 +38,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ /*
+ * The loopback field is a pointer to the structure. If the application copies
+ * the state (not a valid operation, but one which happens to works with some
+diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
+index f21e268f7f..25a419d73a 100644
+--- a/src/lib/crypto/openssl/hmac.c
++++ b/src/lib/crypto/openssl/hmac.c
+@@ -59,6 +59,7 @@
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include
+ #include
++#include
+ #else
+ #include
+ #endif
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index e123763954..a17b6f39b1 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -41,6 +41,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ #ifndef UCHAR_MAX
+ #define UCHAR_MAX 255
+ #endif
+diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
+index a3ce22b70f..13c699071f 100644
+--- a/src/plugins/preauth/spake/spake_client.c
++++ b/src/plugins/preauth/spake/spake_client.c
+@@ -40,6 +40,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ typedef struct reqstate_st {
+ krb5_pa_spake *msg; /* set in prep_questions, used in process */
+ krb5_keyblock *initial_key;
+diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
+index 232e78bc05..3394f8a58e 100644
+--- a/src/plugins/preauth/spake/spake_kdc.c
++++ b/src/plugins/preauth/spake/spake_kdc.c
+@@ -43,6 +43,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ /*
+ * The SPAKE kdcpreauth module uses a secure cookie containing the following
+ * concatenated fields (all integer fields are big-endian):
+--
+2.38.1
+
diff --git a/krb5.spec b/krb5.spec
index 44696f6..3593e7d 100644
--- a/krb5.spec
+++ b/krb5.spec
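Review bot: The added 0014 patch pastes the same `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` include guard into rc4.c, krad/internal.h, spake_client.c and spake_kdc.c, and folds the include into existing guards in prng.c, camellia.c and hmac.c, with no comment at any site saying why it is there. A one-line comment such as `/* FIPS_mode() is declared in openssl/fips.h, which openssl/crypto.h no longer includes */` at each guard, or one shared internal header carrying the guard, would stop a later caller of FIPS_mode() from missing it. Depending on the compiler, a call without the declaration may produce only an implicit-declaration warning, so building with `-Werror=implicit-function-declaration` would turn a missed include into a build failure. The include targets are not visible on this page and each hunk shows only the include region of its file, so which files actually call FIPS_mode() cannot be confirmed from here.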
@@ -72,6 +72,7 @@ Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch Patch12: 0012-Add-and-use-ts_interval-helper.patch Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -708,7 +709,8 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog -* Tue Dec 20 2022 Julien Rische - 1.20.1-4 +* Thu Jan 05 2023 Julien Rische - 1.20.1-4 +- Include missing OpenSSL FIPS header - Make tests compatible with sssd_krb5_locator_plugin.so * Tue Dec 06 2022 Julien Rische - 1.20.1-3