From 7a79e440bef4f5e0efb57331ce008dbaaf3fdf3674c584155b749d126718805f Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Sat, 17 May 2008 00:39:26 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=33

---
 krb5-doc.spec                |  2 +-
 krb5-plugins.spec            |  6 ++++-
 krb5-trunk-kpasswd_tcp.patch | 35 ++++++++++++++++++++++++++
 krb5-trunk-seqnum.patch      | 49 ++++++++++++++++++++++++++++++++++++
 krb5.changes                 |  7 ++++++
 krb5.spec                    | 10 +++++++-
 6 files changed, 106 insertions(+), 3 deletions(-)
 create mode 100644 krb5-trunk-kpasswd_tcp.patch
 create mode 100644 krb5-trunk-seqnum.patch

diff --git a/krb5-doc.spec b/krb5-doc.spec
index 2383244..4c635b1 100644
--- a/krb5-doc.spec
+++ b/krb5-doc.spec
@@ -14,7 +14,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.6.3
-Release:        63
+Release:        77
 %define srcRoot krb5-1.6.3
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        X11/MIT
diff --git a/krb5-plugins.spec b/krb5-plugins.spec
index 087f29e..e4d8c9d 100644
--- a/krb5-plugins.spec
+++ b/krb5-plugins.spec
@@ -14,7 +14,7 @@
 
 Name:           krb5-plugins
 Version:        1.6.3
-Release:        7
+Release:        8
 BuildRequires:  bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.3
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@@ -55,6 +55,8 @@ Patch37:        krb5-1.6-fix-CVE-2007-5971.dif
 Patch38:        krb5-1.6-fix-CVE-2007-5972.dif
 Patch39:        krb5-1.6-MITKRB5-SA-2008-001.dif
 Patch40:        krb5-1.6-MITKRB5-SA-2008-002.dif
+Patch41:        krb5-trunk-kpasswd_tcp.patch
+Patch42:        krb5-trunk-seqnum.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -148,6 +150,8 @@ fi
 %patch38
 %patch39 -p1
 %patch40
+%patch41
+%patch42
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 # Rename the man pages so that they'll get generated correctly.
 pushd src
diff --git a/krb5-trunk-kpasswd_tcp.patch b/krb5-trunk-kpasswd_tcp.patch
new file mode 100644
index 0000000..47c6df8
--- /dev/null
+++ b/krb5-trunk-kpasswd_tcp.patch
@@ -0,0 +1,35 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have
+to wait for UDP to fail, so this might not be ideal.  RT #5868.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20199)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -251,11 +251,22 @@
+ 				   NULL,
+ 				   NULL
+ 		 ))) {
+-
+-	    /*
+-	     * Here we may want to switch to TCP on some errors.
+-	     * right?
+-	     */
++	    /* if we're not using a stream socket, and it's an error which
++	     * might reasonably be specific to a datagram "connection", try
++	     * again with a stream socket */
++	    if (!useTcp) {
++		switch (code) {
++		case KRB5_KDC_UNREACH:
++		case KRB5_REALM_CANT_RESOLVE:
++		case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++		/* should we do this for more result codes than these? */
++		    krb5int_free_addrlist (&al);
++		    useTcp = 1;
++		    continue;
++		default:
++		    break;
++		}
++	    }
+ 	    break;
+ 	}
+ 
diff --git a/krb5-trunk-seqnum.patch b/krb5-trunk-seqnum.patch
new file mode 100644
index 0000000..31a7121
--- /dev/null
+++ b/krb5-trunk-seqnum.patch
@@ -0,0 +1,49 @@
+Every KRB-PRIV message we generate to include as part of a password change
+request we create (after the first one) will include sequence numbers which
+look "wrong" to the recipient, because previously generating other KRB-PRIV
+messages will mess with the counters in the auth_context.  Because the
+current code attempts to reuse auth_context structures (and changing that
+would be more invasive), we'll just save the sequence number values as they
+are after we build the AP-REQ, and restore them before generating requests.
+RT#5867.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20195)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -34,6 +34,7 @@
+ #include "k5-int.h"
+ #include "os-proto.h"
+ #include "cm.h"
++#include "../krb/auth_con.h"
+ 
+ #include <stdio.h>
+ #include <errno.h>
+@@ -48,6 +49,7 @@
+     krb5_principal 	set_password_for;
+     char 		*newpw;
+     krb5_data 		ap_req;
++    krb5_ui_4		remote_seq_num, local_seq_num;
+ };
+ 
+ 
+@@ -159,6 +161,9 @@
+ 				       &local_kaddr, NULL))) 
+ 	goto cleanup;
+ 
++    ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
++    ctx->auth_context->local_seq_number = ctx->local_seq_num;
++
+     if (ctx->set_password_for)
+ 	code = krb5int_mk_setpw_req(ctx->context, 
+ 				    ctx->auth_context, 
+@@ -225,6 +230,9 @@
+ 				     &callback_ctx.ap_req)))
+ 	goto cleanup;
+ 
++    callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
++    callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
++
+     do {
+ 	if ((code = krb5_locate_kpasswd(callback_ctx.context,
+ 					krb5_princ_realm(callback_ctx.context,
diff --git a/krb5.changes b/krb5.changes
index 5d5aa62..f363db1 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 14 17:44:59 CEST 2008 - mc@suse.de
+
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+  (fix changing passwords in mixed ipv4/ipv6 enviroments) 
+
 -------------------------------------------------------------------
 Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
 
diff --git a/krb5.spec b/krb5.spec
index 71f0183..0279d5c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
 
 Name:           krb5
 Version:        1.6.3
-Release:        40
+Release:        47
 BuildRequires:  bison libcom_err-devel ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires:  keyutils keyutils-devel
@@ -59,6 +59,8 @@ Patch37:        krb5-1.6-fix-CVE-2007-5971.dif
 Patch38:        krb5-1.6-fix-CVE-2007-5972.dif
 Patch39:        krb5-1.6-MITKRB5-SA-2008-001.dif
 Patch40:        krb5-1.6-MITKRB5-SA-2008-002.dif
+Patch41:        krb5-trunk-kpasswd_tcp.patch
+Patch42:        krb5-trunk-seqnum.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils 
 
@@ -224,6 +226,8 @@ fi
 %patch38
 %patch39 -p1
 %patch40
+%patch41 
+%patch42
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 # Rename the man pages so that they'll get generated correctly.
 pushd src
@@ -542,6 +546,10 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 
 %changelog
+* Wed May 14 2008 mc@suse.de
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+  (fix changing passwords in mixed ipv4/ipv6 enviroments)
 * Thu Apr 10 2008 ro@suse.de
 - added baselibs.conf file to build xxbit packages
   for multilib support