Accepting request 443689 from home:stroeder:branches:network

Update to upstream release 1.15.
Successfully tested KDC with LDAP backend with one kinit on Tumbleweed x86_64 (but without selinux).
Please carefully review the updated C code patches!

OBS-URL: https://build.opensuse.org/request/show/443689
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=177
This commit is contained in:
Michael Ströder 2016-12-05 17:34:31 +00:00 committed by Git OBS Bridge
parent e30e1bbad9
commit 6fe08c82e5
14 changed files with 175 additions and 343 deletions

View File

@ -4,18 +4,18 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags. not just assume that the compiler supports using these flags.
--- krb5/src/config/shlib.conf --- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100
+++ krb5/src/config/shlib.conf +++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100
@@ -419,7 +419,7 @@ mips-*-netbsd*) @@ -423,7 +423,7 @@
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field... # Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library # Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' # UNDEF_CHECK is suppressed by --enable-asan
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro' - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
# + LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' UNDEF_CHECK='-Wl,--no-undefined'
SHLIB_EXPORT_FILE_DEP=binutils.versions # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
@@ -430,7 +430,8 @@ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'

View File

@ -245,9 +245,9 @@ and session management before dropping privileges.
exit (1); exit (1);
} }
} }
--- krb5-1.13.orig/src/clients/ksu/Makefile.in --- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.13/src/clients/ksu/Makefile.in +++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. @@ -3,12 +3,14 @@
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@ KSU_LIBS=@KSU_LIBS@
@ -262,7 +262,7 @@ and session management before dropping privileges.
$(srcdir)/heuristic.c \ $(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \ $(srcdir)/xmalloc.c \
$(srcdir)/setenv.c $(srcdir)/setenv.c
@@ -17,13 +19,17 @@ OBJS = \ @@ -17,13 +19,17 @@
ccache.o \ ccache.o \
authorization.o \ authorization.o \
main.o \ main.o \
@ -270,7 +270,7 @@ and session management before dropping privileges.
heuristic.o \ heuristic.o \
xmalloc.o @SETENVOBJ@ xmalloc.o @SETENVOBJ@
all:: ksu all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) - $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
@ -279,7 +279,7 @@ and session management before dropping privileges.
+pam.o: pam.c +pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $< + $(CC) $(ALL_CFLAGS) -c $<
clean:: clean:
$(RM) ksu $(RM) ksu
--- /dev/null --- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.c +++ krb5-1.13/src/clients/ksu/pam.c

View File

@ -235,18 +235,18 @@ which we used earlier, is some improvement.
# here. # here.
echo $lib_flags echo $lib_flags
--- krb5-1.13.orig/src/lib/kadm5/logger.c --- krb5-1.15.orig/src/lib/kadm5/logger.c 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.13/src/lib/kadm5/logger.c +++ krb5-1.15/src/lib/kadm5/logger.c 2016-12-03 21:08:16.107101435 +0100
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch @@ -414,7 +414,7 @@
* Check for append/overwrite, then open the file.
*/ */
if (cp[4] == ':' || cp[4] == '=') { append = (cp[4] == ':') ? O_APPEND : 0;
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); if (append || cp[4] == '=') {
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); - fd = open(&cp[5], O_CREAT | O_WRONLY | append,
if (f) { + fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
set_cloexec_file(f); S_IRUSR | S_IWUSR | S_IRGRP);
log_control.log_entries[i].lfu_filep = f; if (fd != -1)
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) f = fdopen(fd, append ? "a" : "w");
@@ -918,7 +918,7 @@
* In case the old logfile did not get moved out of the * In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs. * way, open for append to prevent squashing the old logs.
*/ */
@ -255,32 +255,31 @@ which we used earlier, is some improvement.
if (f) { if (f) {
set_cloexec_file(f); set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f; log_control.log_entries[lindex].lfu_filep = f;
--- krb5-1.13.orig/src/lib/krb5/keytab/kt_file.c --- krb5-1.15.orig/src/lib/krb5/keytab/kt_file.c 2016-12-01 23:31:25.000000000 +0100
+++ krb5-1.13/src/lib/krb5/keytab/kt_file.c +++ krb5-1.15/src/lib/krb5/keytab/kt_file.c 2016-12-03 17:33:05.520679326 +0100
@@ -1024,7 +1024,7 @@ krb5_ktfileint_open(krb5_context context @@ -1022,14 +1022,14 @@
KTCHECKLOCK(id); KTCHECKLOCK(id);
errno = 0; errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), - KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ? (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) { if (!KTFILEP(id)) {
@@ -1032,7 +1032,7 @@ krb5_ktfileint_open(krb5_context context if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
/* try making it first time around */ /* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id)); k5_create_secure_file(context, KTFILENAME(id));
errno = 0; errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); - KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
if (!KTFILEP(id)) if (!KTFILEP(id))
goto report_errno; goto report_errno;
writevno = 1; writevno = 1;
--- krb5-1.13.orig/src/plugins/kdb/db2/adb_openclose.c --- krb5-1.15.orig/src/plugins/kdb/db2/adb_openclose.c 2016-12-01 23:31:25.000000000 +0100
+++ krb5-1.13/src/plugins/kdb/db2/adb_openclose.c +++ krb5-1.15/src/plugins/kdb/db2/adb_openclose.c 2016-12-03 17:34:40.565150626 +0100
@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char @@ -152,7 +152,7 @@
* needs be open read/write so that write locking can work with
* POSIX systems * POSIX systems
*/ */
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/* /*
@ -914,30 +913,6 @@ which we used earlier, is some improvement.
if (file == NULL) if (file == NULL)
return errno; return errno;
pid = (unsigned long) getpid(); pid = (unsigned long) getpid();
--- krb5-1.13.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.13/src/util/gss-kernel-lib/Makefile.in
@@ -61,6 +61,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h
--- krb5-1.13.orig/src/lib/kdb/kdb_log.c --- krb5-1.13.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.13/src/lib/kdb/kdb_log.c +++ krb5-1.13/src/lib/kdb/kdb_log.c
@@ -464,7 +464,7 @@ ulog_map(krb5_context context, const cha @@ -464,7 +464,7 @@ ulog_map(krb5_context context, const cha

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd4620d520cf0df0dd8791309912df2bb20fcba76790b9fba4e25c1da08ff2c9
size 12279888

View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJXj/41AAoJEKMvF/0AVcMFKWkMAIpdTej1sku6sIm39+NjaTDr
1tPTdRFtX5zb7hFlv4PelZzMWNtylbKmD1WgriTcJ9AGvKY5IexbYrHreEbvHr3s
hlcnXxhKy4TXWqRyEHQ20K0n2fJYLwJBSVKFM9joCOmfuj2BWPqhh1UxHnNlTsjQ
k9q1T9iDY2hEiHlIrvLRjiTEZBr/ldr1fzkuAflyDg/7FydjLgl9Jm1HPU08Hofz
dLh+ozy6hsNTbteTBsngm51iFKSETr5Ugxxba7nXZ7KVaruCawjixDzfQRXgEuh2
dHAJd6vVOixGcDOxDOSVTy/LaMqERC5K/qc0X2ubjwbPZn798919+szJ90jZwA2j
19aqxGkOxfHi3LUponAXZ1kgPUbN2x7FIe1byowwnXnAX7i4DJ3HgxWkn5dWnRX3
ntFsQb5D0YFul5PApXYLpjACQt0gu+WNAwOYDQxSISRkMU5L2yXw7E32qSMdR7j7
AWZzE8XXuhl8LN/UPxj7+1zOftCOv7xcKtQJgL6Quw==
=QiOC
-----END PGP SIGNATURE-----

3
krb5-1.15.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fd34752774c808ab4f6f864f935c49945f5a56b62240b1ad4ab1af7b4ded127c
size 9327157

14
krb5-1.15.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJYQKmiAAoJEKMvF/0AVcMFfisL/j4xfA/HF0ElUB9X6nSboR8P
60BSDZZe38gCQyONHn1CiZA5nY7xUy45oXmtffED32NZRIq/8R0CHkSoTd+wCtev
EEGAACK0cbFMA8YDvlF5R1Hdt2Vgghr+BYGg8TbuhiZadp4I8VZ13WePR5gToaV0
+35lOwgqRYV+Jxijp8N92KuZyZnH88tGbAh9gvPLxps2L7xA+MWwU2R71rraTIVj
b+saDBldKubh5Hamf+3Qle+lsvJuC7ErUifnjth+tpOonIlgeiLHs6+VwyHlOiv4
i+Uf0diN/gzWZd62Y+Fl42JDevTXyschWp+HxKLkbQXley04gS0nujRLpvaDkNlR
L+4Yy873q0yS6o4x7Pmcm3nb/nJQxQyvBJMy8MjLE3pEdynFZK9o0KGBkLtNIYVt
VwlqHrTGEsOtXYQKdhq9bGvpJa4jwrR2MIDaKvR5i1zc2xtZcWkvhlKJ67FGuRRD
eSbZR00NXP2wETo7Bu8BsJR5t9/1j+4US9vA15CUQg==
=iCzw
-----END PGP SIGNATURE-----

View File

@ -1,18 +0,0 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
---
src/include/Makefile.in | 2 ++
1 file changed, 2 insertions(+)
--- krb5-1.13.orig/src/include/Makefile.in
+++ krb5-1.13/src/include/Makefile.in
@@ -70,6 +70,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \
-e 's+@SYSCONFCONF+$(SYSCONFCONF)+'

View File

@ -2,11 +2,9 @@ We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things. could mess up people working in the tree on other things.
Index: src/kadmin/cli/Makefile.in --- krb5-1.15.orig/src/kadmin/cli/Makefile.in
=================================================================== +++ krb5-1.15/src/kadmin/cli/Makefile.in
--- src/kadmin/cli/Makefile.in.orig @@ -37,3 +37,8 @@
+++ src/kadmin/cli/Makefile.in
@@ -43,3 +43,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future. # CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
@ -15,16 +13,14 @@ Index: src/kadmin/cli/Makefile.in
+ $(RM) y.tab.c $@ + $(RM) y.tab.c $@
+ $(YACC.y) $< + $(YACC.y) $<
+ $(CP) y.tab.c $@ + $(CP) y.tab.c $@
Index: src/plugins/kdb/ldap/ldap_util/Makefile.in --- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in
=================================================================== +++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in
--- src/plugins/kdb/ldap/ldap_util/Makefile.in.orig @@ -20,7 +20,7 @@
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
getdate.c: $(GETDATE) getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c $(RM) getdate.c y.tab.c
$(YACC) $(GETDATE) $(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c - $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c + $(CP) y.tab.c getdate.c
install:: install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)

View File

@ -1,218 +0,0 @@
From a6b7ccabf383f1f667c5d2b549909dfd59df12f6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
ticket: 8280 (new)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
gss_cred_id_t cred = NULL;
gss_OID new_mechs_array = NULL;
gss_cred_id_t * new_cred_array = NULL;
+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
+ gss_OID selected_mech = GSS_C_NO_OID;
status = val_add_cred_impersonate_name_args(minor_status,
input_cred_handle,
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
return (status);
- mech = gssint_get_mechanism(desired_mech);
+ status = gssint_select_mech_type(minor_status, desired_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred_impersonate_name)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {
union_cred = (gss_union_cred_t)input_cred_handle;
- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
GSS_C_NO_CREDENTIAL)
return (GSS_S_DUPLICATE_ELEMENT);
}
mech_impersonator_cred =
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
- desired_mech);
+ selected_mech);
if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_NO_CRED);
/* may need to create a mechanism specific name */
union_name = (gss_union_name_t)desired_name;
if (union_name->mech_type &&
- g_OID_equal(union_name->mech_type,
- &mech->mech_type))
+ g_OID_equal(union_name->mech_type, selected_mech))
internal_name = union_name->mech_name;
else {
if (gssint_import_internal_name(minor_status,
- &mech->mech_type, union_name,
- &allocated_name) != GSS_S_COMPLETE)
+ selected_mech, union_name,
+ &allocated_name) != GSS_S_COMPLETE)
return (GSS_S_BAD_NAME);
internal_name = allocated_name;
}
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
else
time_req = 0;
+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
+ status = gss_add_oid_set_member(minor_status,
+ gssint_get_public_oid(selected_mech),
+ &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
status = mech->gss_acquire_cred_impersonate_name(minor_status,
mech_impersonator_cred,
internal_name,
time_req,
- GSS_C_NULL_OID_SET,
+ target_mechs,
cred_usage,
&cred,
NULL,
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
new_cred_array[union_cred->count] = cred;
if ((new_mechs_array[union_cred->count].elements =
- malloc(mech->mech_type.length)) == NULL)
+ malloc(selected_mech->length)) == NULL)
goto errout;
- g_OID_copy(&new_mechs_array[union_cred->count],
- &mech->mech_type);
+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
if (actual_mechs != NULL) {
- gss_OID_set_desc oids;
-
- oids.count = union_cred->count + 1;
- oids.elements = new_mechs_array;
-
- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
+ union_cred->count + 1,
+ actual_mechs);
if (GSS_ERROR(status)) {
free(new_mechs_array[union_cred->count].elements);
goto errout;
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
/* We're done with the internal name. Free it if we allocated it. */
if (allocated_name)
- (void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
&allocated_name);
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+
return (GSS_S_COMPLETE);
errout:
@@ -503,8 +517,10 @@ errout:
if (allocated_name)
(void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
- &allocated_name);
+ selected_mech, &allocated_name);
+
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 5f1ca33..bb754d9 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- OM_uint32 status;
+ OM_uint32 status, tmpmin;
gss_OID_set amechs = GSS_C_NULL_OID_SET;
spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
- gss_cred_id_t imp_mcred, out_mcred;
+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
- if (desired_mechs == GSS_C_NO_OID_SET) {
- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
- NULL, &amechs);
- if (status != GSS_S_COMPLETE)
- return status;
-
- desired_mechs = amechs;
- }
+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+ NULL, &amechs);
+ if (status != GSS_S_COMPLETE)
+ return status;
status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
desired_name, time_req,
- desired_mechs, cred_usage,
+ amechs, cred_usage,
&out_mcred, actual_mechs,
time_rec);
-
- if (amechs != GSS_C_NULL_OID_SET)
- (void) gss_release_oid_set(minor_status, &amechs);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
- if (status != GSS_S_COMPLETE) {
- gss_release_cred(minor_status, &out_mcred);
- return (status);
- }
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ out_mcred = GSS_C_NO_CREDENTIAL;
*output_cred_handle = (gss_cred_id_t)out_spcred;
+cleanup:
+ (void) gss_release_oid_set(&tmpmin, &amechs);
+ (void) gss_release_cred(&tmpmin, &out_mcred);
+
dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
return (status);
}
--
2.7.4

View File

@ -1,3 +1,56 @@
-------------------------------------------------------------------
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
- Upgrade to 1.15
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
file is not available in upstream source anymore
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
- doc/CHANGES not available in 1.15 source anymore
- Upgrade from 1.14.4 to 1.15 - major changes:
Administrator experience:
* Add support to kadmin for remote extraction of current keys without
changing them (requires a special kadmin permission that is excluded
from the wildcard permission), with the exception of highly
protected keys.
* Add a lockdown_keys principal attribute to prevent retrieval of the
principal's keys (old or new) via the kadmin protocol. In newly
created databases, this attribute is set on the krbtgt and kadmin
principals.
* Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
failure events.
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
in addition to SRV records. URI records can convey TCP and UDP
servers and master KDC status in a single DNS lookup, and can also
point to HTTPS proxy servers.
* Add support for password history to the LDAP back end.
* Add support for principal renaming to the LDAP back end.
* Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.
* In the PKINIT client, use the correct DigestInfo encoding for PKCS
#1 signatures, so that some especially strict smart cards will work.
Code quality:
* Clean up numerous compilation warnings.
* Remove various infrequently built modules, including some preauth
modules that were not built by default.
Developer experience:
* Add support for building with OpenSSL 1.1.
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
Protocol evolution:
* Add support for the AES-SHA2 enctypes, which allows sites to conform
to Suite B crypto requirements.
- Upgrade from 1.14.3 to 1.14.4 - major changes:
* Fix some rare btree data corruption bugs
* Fix numerous minor memory leaks
* Improve portability (Linux-ppc64el, FreeBSD)
* Improve some error messages
* Improve documentation
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com

View File

@ -16,7 +16,7 @@
# #
%define srcRoot krb5-1.14.3 %define srcRoot krb5-1.15
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5 %define krb5docdir %{_defaultdocdir}/krb5
@ -29,7 +29,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
Version: 1.14.3 Version: 1.15
Release: 0 Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT License: MIT
@ -59,12 +59,10 @@ Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.12-api.patch Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch Patch13: krb5-1.9-debuginfo.patch
Patch15: krb5-fix_interposer.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq PreReq: %fillup_prereq
@ -104,18 +102,16 @@ Include Files for Development
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1 %patch8 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p0 %patch13 -p1
%patch15 -p1
%build %build
# needs to be re-generated # needs to be re-generated
rm -f src/lib/krb5/krb/deltat.c rm -f src/lib/krb5/krb/deltat.c
cd src cd src
./util/reconf autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \ ./configure \
CC="%{__cc}" \ CC="%{__cc}" \

View File

@ -1,3 +1,55 @@
-------------------------------------------------------------------
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
- Upgrade to 1.15
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
file is not available in upstream source anymore
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
- Upgrade from 1.14.4 to 1.15 - major changes:
Administrator experience:
* Add support to kadmin for remote extraction of current keys without
changing them (requires a special kadmin permission that is excluded
from the wildcard permission), with the exception of highly
protected keys.
* Add a lockdown_keys principal attribute to prevent retrieval of the
principal's keys (old or new) via the kadmin protocol. In newly
created databases, this attribute is set on the krbtgt and kadmin
principals.
* Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
failure events.
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
in addition to SRV records. URI records can convey TCP and UDP
servers and master KDC status in a single DNS lookup, and can also
point to HTTPS proxy servers.
* Add support for password history to the LDAP back end.
* Add support for principal renaming to the LDAP back end.
* Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.
* In the PKINIT client, use the correct DigestInfo encoding for PKCS
#1 signatures, so that some especially strict smart cards will work.
Code quality:
* Clean up numerous compilation warnings.
* Remove various infrequently built modules, including some preauth
modules that were not built by default.
Developer experience:
* Add support for building with OpenSSL 1.1.
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
Protocol evolution:
* Add support for the AES-SHA2 enctypes, which allows sites to conform
to Suite B crypto requirements.
- Upgrade from 1.14.3 to 1.14.4 - major changes:
* Fix some rare btree data corruption bugs
* Fix numerous minor memory leaks
* Improve portability (Linux-ppc64el, FreeBSD)
* Improve some error messages
* Improve documentation
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de

View File

@ -25,7 +25,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
Version: 1.14.3 Version: 1.15
Release: 0 Release: 0
Summary: MIT Kerberos5 Implementation--Libraries Summary: MIT Kerberos5 Implementation--Libraries
License: MIT License: MIT
@ -59,12 +59,10 @@ Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.12-api.patch Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch Patch13: krb5-1.9-debuginfo.patch
Patch15: krb5-fix_interposer.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq PreReq: %fillup_prereq
@ -175,18 +173,16 @@ Include Files for Development
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1 %patch8 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p0 %patch13 -p1
%patch15 -p1
%build %build
# needs to be re-generated # needs to be re-generated
rm -f src/lib/krb5/krb/deltat.c rm -f src/lib/krb5/krb/deltat.c
cd src cd src
./util/reconf autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \ ./configure \
CC="%{__cc}" \ CC="%{__cc}" \
@ -531,6 +527,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%files doc %files doc
%defattr(-,root,root) %defattr(-,root,root)
%doc html doc/CHANGES doc/README %doc html doc/README
%changelog %changelog