diff --git a/MITKRB5-SA-2010-007-1.8.dif b/MITKRB5-SA-2010-007-1.8.dif deleted file mode 100644 index 401bb6b..0000000 --- a/MITKRB5-SA-2010-007-1.8.dif +++ /dev/null 
@@ -1,204 +0,0 @@ -Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c -=================================================================== ---- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) -+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) -@@ -691,8 +691,7 @@ - krb5_reply_key_pack *key_pack = NULL; - krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_data *encoded_key_pack = NULL; -- unsigned int num_types; -- krb5_cksumtype *cksum_types = NULL; -+ krb5_cksumtype cksum_type; - - pkinit_kdc_context plgctx; - pkinit_kdc_req_context reqctx; -@@ -882,14 +881,25 @@ - retval = ENOMEM; - goto cleanup; - } -- /* retrieve checksums for a given enctype of the reply key */ -- retval = krb5_c_keyed_checksum_types(context, -- encrypting_key->enctype, &num_types, &cksum_types); -- if (retval) -- goto cleanup; - -- /* pick the first of acceptable enctypes for the checksum */ -- retval = krb5_c_make_checksum(context, cksum_types[0], -+ switch (encrypting_key->enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ cksum_type = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ cksum_type = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, -+ encrypting_key->enctype, -+ &cksum_type); -+ if (retval) -+ goto cleanup; -+ break; -+ } -+ -+ retval = krb5_c_make_checksum(context, cksum_type, - encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_pkt, &key_pack->asChecksum); - if (retval) { -@@ -1033,7 +1043,6 @@ - krb5_free_data(context, encoded_key_pack); - free(dh_pubkey); - free(server_key); -- free(cksum_types); - - switch ((int)padata->pa_type) { - case KRB5_PADATA_PK_AS_REQ: -Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy) -@@ -101,7 +101,7 @@ - - { 
CKSUMTYPE_MD5_HMAC_ARCFOUR, - "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC", -- NULL, &krb5int_hash_md5, -+ &krb5int_enc_arcfour, &krb5int_hash_md5, - krb5int_hmacmd5_checksum, NULL, - 16, 16, 0 }, - }; -Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy) -@@ -35,6 +35,13 @@ - { - if (ctp->flags & CKSUM_UNKEYED) - return FALSE; -+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be -+ * conservative with RC4. */ -+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC || -+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) && -+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR && -+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR) -+ return FALSE; - return (!ctp->enc || ktp->enc == ctp->enc); - } - -Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy) -@@ -91,6 +91,8 @@ - blocksize = enc->block_size; - keybytes = enc->keybytes; - -+ if (blocksize == 1) -+ return KRB5_BAD_ENCTYPE; - if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) - return KRB5_CRYPTO_INTERNAL; - -Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c -=================================================================== ---- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455) -+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy) -@@ -119,10 +119,22 @@ - if (code != 0) - return code; - -- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype, -- cksumtype); -- if (code != 0) -- return code; -+ switch (subkey->keyblock.enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ *cksumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ 
*cksumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ code = (*kaccess.mandatory_cksumtype)(context, -+ subkey->keyblock.enctype, -+ cksumtype); -+ if (code != 0) -+ return code; -+ break; -+ } - - switch (subkey->keyblock.enctype) { - case ENCTYPE_DES_CBC_MD5: -Index: krb5-1.8/src/lib/krb5/krb/pac.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy) -@@ -582,6 +582,8 @@ - checksum.checksum_type = load_32_le(p); - checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; - checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; -+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) -+ return KRB5KRB_AP_ERR_INAPP_CKSUM; - - pac_data.length = pac->data.length; - pac_data.data = malloc(pac->data.length); -Index: krb5-1.8/src/lib/krb5/krb/preauth2.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy) -@@ -1578,7 +1578,9 @@ - - cksum = sc2->sam_cksum; - -- while (*cksum) { -+ for (; *cksum; cksum++) { -+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) -+ continue; - /* Check this cksum */ - retval = krb5_c_verify_checksum(context, as_key, - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, -@@ -1592,7 +1594,6 @@ - } - if (valid_cksum) - break; -- cksum++; - } - - if (!valid_cksum) { -Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy) -@@ -215,10 +215,28 @@ - for (i = 0; i < nsumtypes; i++) - if (auth_context->safe_cksumtype == sumtypes[i]) - break; -- if (i == nsumtypes) -- i = 0; -- sumtype = sumtypes[i]; - krb5_free_cksumtypes (context, sumtypes); -+ if (i < nsumtypes) -+ sumtype = auth_context->safe_cksumtype; -+ else { -+ switch 
(enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ sumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ sumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, enctype, -+ &sumtype); -+ if (retval) { -+ CLEANUP_DONE(); -+ goto error; -+ } -+ break; -+ } -+ } - } - if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, - plocal_fulladdr, premote_fulladdr, - - diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif deleted file mode 100644 index 0a0d9ce..0000000 --- a/krb5-1.4.3-enospc.dif +++ /dev/null @@ -1,24 +0,0 @@ -If the error message is going to be ambiguous, try to give the user some clue -by returning the last error reported by the OS. - -Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c -=================================================================== ---- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c -+++ krb5-1.8-alpha1/src/clients/kinit/kinit.c -@@ -712,8 +712,14 @@ k5_kinit(opts, k5) - code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ? - my_creds.client : k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } - diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif deleted file mode 100644 index 08e14fc..0000000 --- a/krb5-1.6.1-compile_pie.dif +++ /dev/null 
@@ -1,27 +0,0 @@ -Index: src/krb5-config.in -=================================================================== ---- src/krb5-config.in.orig -+++ src/krb5-config.in -@@ -188,6 +188,8 @@ if test -n "$do_libs"; then - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` - -+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` -+ - if test $library = 'kdb'; then - lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" - library=krb5 -Index: src/config/shlib.conf -=================================================================== ---- src/config/shlib.conf.orig -+++ src/config/shlib.conf -@@ -419,7 +419,8 @@ mips-*-netbsd*) - PROFFLAGS=-pg - RPATH_FLAG='-Wl,-rpath -Wl,' - PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' - CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif deleted file mode 100644 index 4ba81b8..0000000 --- a/krb5-1.6.3-fix-ipv6-query.dif +++ /dev/null 
@@ -1,54 +0,0 @@ -Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c -=================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c -@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; - - memset (&hints, 0, sizeof (hints)); -- hints.ai_flags = AI_NUMERICHOST; -+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; - /* We don't care what kind at this point, really, but without - this, we can get back multiple sockaddrs per address, for - SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c -=================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c -@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz - int err; - - memset (&hints, 0, sizeof (hints)); -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; - err = getaddrinfo (name, 0, &hints, &ai); - if (err) - return krb5int_translate_gai_error (err); -Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c -=================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c -@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis - memset(&hint, 0, sizeof(hint)); - hint.ai_family = family; - hint.ai_socktype = socktype; -+ hint.ai_flags = AI_ADDRCONFIG; - #ifdef AI_NUMERICSERV -- hint.ai_flags = AI_NUMERICSERV; -+ hint.ai_flags |= AI_NUMERICSERV; - #endif - result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); - if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) -Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c -=================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c -+++ 
krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c -@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; - try_getaddrinfo_again: - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 1a74d6d..4b10fc7 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -5,7 +5,7 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -280,10 +280,22 @@ change_set_password(krb5_context context +@@ -282,10 +282,22 @@ change_set_password(krb5_context context NULL ))) { diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif deleted file mode 100644 index 9ea2577..0000000 --- a/krb5-1.6.3-kprop-use-mkstemp.dif +++ /dev/null @@ -1,28 +0,0 @@ -Index: src/slave/kprop.c -=================================================================== ---- src/slave/kprop.c.orig -+++ src/slave/kprop.c -@@ -206,6 +206,7 @@ void get_tickets(context) - krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; -+ int ret = 0; - - /* - * Figure out what tickets we'll be using to send stuff -@@ -231,7 +232,15 @@ void get_tickets(context) - /* - * Initialize cache file which we're going to be using - */ -+#ifdef HAVE_MKSTEMP -+ ret = mkstemp(tkstring); -+ if (ret == -1) { -+ com_err(progname, errno, "while initialize cache file"); -+ exit(1); -+ } else close(ret); -+#else - (void) mktemp(tkstring); -+#endif - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - - retval = krb5_cc_resolve(context, buf, &ccache); diff --git a/krb5-1.7-doublelog.patch b/krb5-1.7-doublelog.patch new file mode 100644 index 0000000..10e4777 --- /dev/null +++ b/krb5-1.7-doublelog.patch 
@@ -0,0 +1,18 @@ +Don't double-log (actually, don't process /etc/krb5.conf twice) just +because we built with --sysconfdir=/etc. RT#3277 + +Index: krb5-1.9.1/src/include/Makefile.in +=================================================================== +--- krb5-1.9.1.orig/src/include/Makefile.in ++++ krb5-1.9.1/src/include/Makefile.in +@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( + -e "s+@MODULEDIR+$(MODULE_DIR)+" \ + -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ + -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ +- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' ++ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ ++ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ ++ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' + + OSCONFSRC = $(srcdir)/osconf.hin + diff --git a/krb5-1.7-manpaths.txt b/krb5-1.7-manpaths.txt deleted file mode 100644 index d6df93e..0000000 --- a/krb5-1.7-manpaths.txt +++ /dev/null @@ -1,30 +0,0 @@ -appl/sample/sclient/sclient.M -appl/sample/sserver/sserver.M -clients/kcpytkt/kcpytkt.M -clients/kdeltkt/kdeltkt.M -clients/kdestroy/kdestroy.M -clients/kinit/kinit.M -clients/klist/klist.M -clients/kpasswd/kpasswd.M -clients/ksu/ksu.M -clients/kvno/kvno.M -config-files/kdc.conf.M -config-files/krb5.conf.M -gen-manpages/k5login.M -gen-manpages/kerberos.M -kadmin/cli/k5srvutil.M -kadmin/cli/kadmin.local.M -kadmin/cli/kadmin.M -kadmin/dbutil/kdb5_util.M -kadmin/ktutil/ktutil.M -kadmin/server/kadmind.M -kdc/krb5kdc.M -krb5-config.M -plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M -slave/kpropd.M -slave/kprop.M -tests/create/kdb5_mkdums.M -util/et/com_err.3 -util/et/compile_et.1 -util/profile/profile.5 -util/send-pr/send-pr.1 diff --git a/krb5-1.7-nodeplibs.patch b/krb5-1.7-nodeplibs.patch new file mode 100644 index 0000000..6ce80be --- /dev/null +++ b/krb5-1.7-nodeplibs.patch 
@@ -0,0 +1,21 @@ +Omit extra libraries because their interfaces aren't exposed to applications +by libkrb5, unless do_deps is set to 1, which indicates that the caller +wants the whole list. + +Index: krb5-1.9.1/src/krb5-config.in +=================================================================== +--- krb5-1.9.1.orig/src/krb5-config.in ++++ krb5-1.9.1/src/krb5-config.in +@@ -221,7 +221,11 @@ if test -n "$do_libs"; then + fi + + if test $library = 'krb5'; then +- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" ++ if test 0$do_deps -eq 1 ; then ++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" ++ else ++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" ++ fi + fi + + echo $lib_flags diff --git a/krb5-1.8-MITKRB5-SA-2010-006.dif b/krb5-1.8-MITKRB5-SA-2010-006.dif deleted file mode 100644 index 3f5f5bb..0000000 --- a/krb5-1.8-MITKRB5-SA-2010-006.dif +++ /dev/null @@ -1,33 +0,0 @@ -Index: krb5-1.8.1/src/kdc/kdc_authdata.c -=================================================================== ---- krb5-1.8.1.orig/src/kdc/kdc_authdata.c -+++ krb5-1.8.1/src/kdc/kdc_authdata.c -@@ -495,7 +495,7 @@ merge_authdata (krb5_context context, - krb5_boolean copy, - krb5_boolean ignore_kdc_issued) - { -- size_t i, nadata = 0; -+ size_t i, j, nadata = 0; - krb5_authdata **authdata = *out_authdata; - - if (in_authdata == NULL || in_authdata[0] == NULL) -@@ -529,16 +529,16 @@ merge_authdata (krb5_context context, - in_authdata = tmp; - } - -- for (i = 0; in_authdata[i] != NULL; i++) { -+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) { - if (ignore_kdc_issued && - is_kdc_issued_authdatum(context, in_authdata[i], 0)) { - free(in_authdata[i]->contents); - free(in_authdata[i]); - } else -- authdata[nadata + i] = in_authdata[i]; -+ authdata[nadata + j++] = in_authdata[i]; - } - -- authdata[nadata + i] = NULL; -+ authdata[nadata + j] = NULL; - - free(in_authdata); - 
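Review bot: The new branch in krb5-config.in keys on `$do_deps`, but nothing in this hunk sets that variable, so unless the script's option parser (outside the hunk) already defines a `--deps` switch the full dependency list becomes unreachable and the `0$do_deps` prefix only masks the unset case. If the switch exists elsewhere, a one-line comment above the test would save the next reader the search: `# do_deps is set by --deps; default (unset) yields the minimal link line`. If it does not, the parser needs a `--deps) do_deps=1 ;;` case alongside the existing `--libs` handling for the header's description to hold.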
diff --git a/krb5-1.8-MITKRB5-SA-2011-001.dif b/krb5-1.8-MITKRB5-SA-2011-001.dif deleted file mode 100644 index 813dbc0..0000000 --- a/krb5-1.8-MITKRB5-SA-2011-001.dif +++ /dev/null @@ -1,20 +0,0 @@ -Index: krb5-1.8.1/src/slave/kpropd.c -=================================================================== ---- krb5-1.8.1.orig/src/slave/kpropd.c -+++ krb5-1.8.1/src/slave/kpropd.c -@@ -404,11 +404,12 @@ retry: - } - - close(s); -- if (iproprole == IPROP_SLAVE) -+ if (iproprole == IPROP_SLAVE) { - close(finet); - -- if ((ret = WEXITSTATUS(status)) != 0) -- return (ret); -+ if ((ret = WEXITSTATUS(status)) != 0) -+ return (ret); -+ } - } - if (iproprole == IPROP_SLAVE) - break; diff --git a/krb5-1.8-MITKRB5-SA-2011-002.dif b/krb5-1.8-MITKRB5-SA-2011-002.dif deleted file mode 100644 index 2f1c4f0..0000000 --- a/krb5-1.8-MITKRB5-SA-2011-002.dif +++ /dev/null 
@@ -1,112 +0,0 @@ -Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -=================================================================== ---- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.orig -+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context con - unsigned int flags, krb5_db_entry *entries, - int *nentries, krb5_boolean *more) - { -- char *user=NULL, *filter=NULL, **subtree=NULL; -+ char *user=NULL, *filter=NULL, *filtuser=NULL; - unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; -- char **values=NULL, *cname=NULL; -+ char **values=NULL, **subtree=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; - krb5_ldap_context *ldap_context=NULL; -@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context con - if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - -- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ -+ filtuser = ldap_filter_correct(user); -+ if (filtuser == NULL) { -+ st = ENOMEM; -+ goto cleanup; -+ } -+ -+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } -- snprintf(filter, princlen, FILTER"%s))", user); -+ snprintf(filter, princlen, FILTER"%s))", filtuser); - - if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; -@@ -231,6 +237,9 @@ cleanup: - if (user) - free(user); - -+ if (filtuser) -+ free(filtuser); -+ - if (cname) - free(cname); - -Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -=================================================================== ---- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h.orig -+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_contex - #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) - - 
#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ -- do { \ -- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -- if (ldap_server_handle) \ -- ld = ldap_server_handle->ldap_handle; \ -- } \ -- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ -+ tempst = 0; \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ -+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -+ if (ldap_server_handle) \ -+ ld = ldap_server_handle->ldap_handle; \ -+ if (tempst == 0) \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ -+ NULL, NULL, &timelimit, \ -+ LDAP_NO_LIMIT, &result); \ -+ } \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ -Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -=================================================================== ---- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c.orig -+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap - { - krb5_ldap_server_handle *handle = *ldap_server_handle; - -+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); - if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); -Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -=================================================================== ---- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.orig -+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -446,12 +446,11 @@ 
is_principal_in_realm(krb5_ldap_context - * portion, then the first portion of the principal name SHOULD be - * "krbtgt". All this check is done in the immediate block. - */ -- if (searchfor->length == 2) -- if ((strncasecmp(searchfor->data[0].data, "krbtgt", -- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && -- (strncasecmp(searchfor->data[1].data, defrealm, -- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) -+ if (searchfor->length == 2) { -+ if (data_eq_string(searchfor->data[0], "krbtgt") && -+ data_eq_string(searchfor->data[1], defrealm)) - return 0; -+ } - - /* first check the length, if they are not equal, then they are not same */ - if (strlen(defrealm) != searchfor->realm.length) diff --git a/krb5-1.8-MITKRB5-SA-2011-003.dif b/krb5-1.8-MITKRB5-SA-2011-003.dif deleted file mode 100644 index 9fe77e2..0000000 --- a/krb5-1.8-MITKRB5-SA-2011-003.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: krb5-1.8.1/src/kdc/do_as_req.c -=================================================================== ---- krb5-1.8.1.orig/src/kdc/do_as_req.c -+++ krb5-1.8.1/src/kdc/do_as_req.c -@@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_sta - pad->contents = td[size]->data; - pad->length = td[size]->length; - pa[size] = pad; -+ td[size]->data = NULL; -+ td[size]->length = 0; - } - krb5_free_typed_data(kdc_context, td); - } diff --git a/krb5-1.8-MITKRB5-SA-2011-004.dif b/krb5-1.8-MITKRB5-SA-2011-004.dif deleted file mode 100644 index 2b03e85..0000000 --- a/krb5-1.8-MITKRB5-SA-2011-004.dif +++ /dev/null 
@@ -1,35 +0,0 @@ -diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c -index c8ce4f1..bb911ff 100644 ---- a/src/kadmin/server/network.c -+++ b/src/kadmin/server/network.c -@@ -1384,6 +1384,10 @@ cleanup: - if (local_kaddrs != NULL) - krb5_free_addresses(server_handle->context, local_kaddrs); - -+ if ((*response)->data == NULL) { -+ free(*response); -+ *response = NULL; -+ } - krb5_kt_close(server_handle->context, kt); - - return ret; -diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c -index c1b2217..992b55f 100644 ---- a/src/kadmin/server/schpw.c -+++ b/src/kadmin/server/schpw.c -@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab, - plen = (*ptr++ & 0xff); - plen = (plen<<8) | (*ptr++ & 0xff); - -- if (plen != req->length) -- return(KRB5KRB_AP_ERR_MODIFIED); -+ if (plen != req->length) { -+ ret = KRB5KRB_AP_ERR_MODIFIED; -+ numresult = KRB5_KPASSWD_MALFORMED; -+ strlcpy(strresult, "Request length was inconsistent", -+ sizeof(strresult)); -+ goto chpwfail; -+ } - - /* verify version number */ - diff --git a/krb5-1.8-api.patch b/krb5-1.8-api.patch new file mode 100644 index 0000000..9bbec30 --- /dev/null +++ b/krb5-1.8-api.patch 
@@ -0,0 +1,30 @@ +Reference docs don't define what happens if you call krb5_realm_compare() with +malformed krb5_principal structures. Define a behavior which keeps it from +crashing if applications don't check ahead of time. + +diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c +--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 +@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context + const krb5_data *realm1 = krb5_princ_realm(context, princ1); + const krb5_data *realm2 = krb5_princ_realm(context, princ2); + ++ if ((princ1 == NULL) || (princ2 == NULL)) ++ return FALSE; ++ ++ if ((realm1 == NULL) || (realm2 == NULL)) ++ return FALSE; ++ + if (realm1->length != realm2->length) + return FALSE; + +@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex + krb5_principal upn2 = NULL; + krb5_boolean ret = FALSE; + ++ if ((princ1 == NULL) || (princ2 == NULL)) ++ return FALSE; ++ + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { + /* Treat UPNs as if they were real principals */ + if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { diff --git a/krb5-1.8-manpaths.txt b/krb5-1.8-manpaths.txt new file mode 100644 index 0000000..99cbbf0 --- /dev/null +++ b/krb5-1.8-manpaths.txt @@ -0,0 +1,6 @@ +appl/sample/sserver/sserver.M +config-files/kdc.conf.M +config-files/krb5.conf.M +kadmin/cli/kadmin.M +slave/kpropd.M +slave/kprop.M diff --git a/krb5-1.8-pam.patch b/krb5-1.8-pam.patch new file mode 100644 index 0000000..a09fd9e --- /dev/null +++ b/krb5-1.8-pam.patch 
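Review bot: In `realm_compare_flags` the added NULL test for `princ1`/`princ2` runs after the two initializers `const krb5_data *realm1 = krb5_princ_realm(context, princ1);` have already gone through the principal, so if `krb5_princ_realm` expands to a member access (in krb5.h it is `&(princ)->realm`) a NULL argument is dereferenced before the guard, and the compiler may treat the guard as unreachable and drop it. Declaring `realm1`/`realm2` without initializers and assigning them only after the NULL check preserves the no-crash contract the patch header promises; the follow-on `realm1 == NULL` test then also checks something real instead of an address-of-member that cannot be NULL. The function's signature and opening lines lie outside the hunk. The `krb5_principal_compare_flags` part of the hunk places its check before any use and needs no change.
```c
    const krb5_data *realm1, *realm2;

    if ((princ1 == NULL) || (princ2 == NULL))
        return FALSE;

    realm1 = krb5_princ_realm(context, princ1);
    realm2 = krb5_princ_realm(context, princ2);

    if ((realm1 == NULL) || (realm2 == NULL))
        return FALSE;
    /* … unchanged: realm length and contents comparison … */
```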
@@ -0,0 +1,757 @@ +Modify ksu so that it performs account and session management on behalf of +the target user account, mimicking the action of regular su. The default +service name is "ksu", because on Fedora at least the configuration used +is determined by whether or not a login shell is being opened, and so +this may need to vary, too. At run-time, ksu's behavior can be reset to +the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] +section of /etc/krb5.conf. + +When enabled, ksu gains a dependency on libpam. + +Originally RT#5939, though it's changed since then to perform the account +and session management before dropping privileges. + +Index: krb5-1.9.1/src/aclocal.m4 +=================================================================== +--- krb5-1.9.1.orig/src/aclocal.m4 ++++ krb5-1.9.1/src/aclocal.m4 +@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ + ])) + ])dnl + dnl ++dnl ++dnl Use PAM instead of local crypt() compare for checking local passwords, ++dnl and perform PAM account, session management, and password-changing where ++dnl appropriate. 
++dnl ++AC_DEFUN(KRB5_WITH_PAM,[ ++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], ++ withpam="$withval",withpam=auto) ++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], ++ withksupamservice="$withval",withksupamservice=ksu) ++old_LIBS="$LIBS" ++if test "$withpam" != no ; then ++ AC_MSG_RESULT([checking for PAM...]) ++ PAM_LIBS= ++ ++ AC_CHECK_HEADERS(security/pam_appl.h) ++ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_pam_start ++ AC_CHECK_FUNCS(putenv pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ unset ac_cv_func_pam_start ++ AC_CHECK_LIB(dl,dlopen) ++ AC_CHECK_FUNCS(pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ AC_CHECK_LIB(pam,pam_start) ++ unset ac_cv_func_pam_start ++ unset ac_cv_func_pam_getenvlist ++ AC_CHECK_FUNCS(pam_start pam_getenvlist) ++ if test "x$ac_cv_func_pam_start" = xyes ; then ++ PAM_LIBS="$LIBS" ++ else ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate libpam.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate libpam.]) ++ fi ++ fi ++ fi ++ fi ++ if test "$withpam" != no ; then ++ AC_MSG_NOTICE([building with PAM support]) ++ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) ++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", ++ [Define to the name of the PAM service name to be used by ksu.]) ++ PAM_LIBS="$LIBS" ++ NON_PAM_MAN=".\\\" " ++ PAM_MAN= ++ else ++ PAM_MAN=".\\\" " ++ NON_PAM_MAN= ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(PAM_LIBS) ++AC_SUBST(PAM_MAN) ++AC_SUBST(NON_PAM_MAN) ++])dnl +Index: krb5-1.9.1/src/clients/ksu/main.c +=================================================================== +--- krb5-1.9.1.orig/src/clients/ksu/main.c ++++ 
krb5-1.9.1/src/clients/ksu/main.c +@@ -26,6 +26,7 @@ + * KSU was writen by: Ari Medvinsky, ari@isi.edu + */ + ++#include "autoconf.h" + #include "ksu.h" + #include "adm_proto.h" + #include +@@ -33,6 +34,10 @@ + #include + #include + ++#ifdef USE_PAM ++#include "pam.h" ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define _DEF_CSH "/bin/csh" +@@ -586,6 +592,25 @@ main (argc, argv) + prog_name,target_user,client_name, + source_user,ontty()); + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif ++ + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, "while switching to target for authorization check"); +@@ -651,6 +676,26 @@ main (argc, argv) + sweep_up(ksu_context, cc_target); + exit(1); + } ++#ifdef USE_PAM ++ } else { ++ /* we always do PAM account management, even for root */ ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif + } + + if( some_rest_copy){ +@@ -720,6 +765,32 
@@ main (argc, argv) + exit(1); + } + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_session_open() != 0) { ++ fprintf(stderr, "Error opening session for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Opened PAM session.\n"); ++ } ++#endif ++ if (appl_pam_cred_init()) { ++ fprintf(stderr, "Error initializing credentials for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Initialized PAM credentials.\n"); ++ } ++#endif ++ } ++#endif ++ + /* set permissions */ + if (setgid(target_pwd->pw_gid) < 0) { + perror("ksu: setgid"); +@@ -792,7 +863,7 @@ main (argc, argv) + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { ++ if( keep_target_cache && !force_fork ) { + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", + params[0]); +@@ -823,15 +894,34 @@ main (argc, argv) + if (ret_pid == -1) { + com_err(prog_name, errno, "while calling waitpid"); + } +- sweep_up(ksu_context, cc_target); ++ if( !keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (statusp); + case -1: + com_err(prog_name, errno, "while trying to fork."); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_setenv() != 0) { ++ fprintf(stderr, "Error setting up environment for %s.\n", ++ target_user); ++ exit (1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Set up PAM environment.\n"); ++ } ++#endif ++ } ++#endif + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", params[0]); ++ if( keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (1); + } + } +Index: krb5-1.9.1/src/clients/ksu/Makefile.in +=================================================================== +--- 
krb5-1.9.1.orig/src/clients/ksu/Makefile.in ++++ krb5-1.9.1/src/clients/ksu/Makefile.in +@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) + PROG_RPATH=$(KRB5_LIBDIR) + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -21,13 +23,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all:: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean:: + $(RM) ksu +Index: krb5-1.9.1/src/clients/ksu/pam.c +=================================================================== +--- /dev/null ++++ krb5-1.9.1/src/clients/ksu/pam.c +@@ -0,0 +1,389 @@ ++/* ++ * src/clients/ksu/pam.c ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. ++ */ ++ ++#include "autoconf.h" ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#include "k5-int.h" ++#include "pam.h" ++ ++#ifndef MAXPWSIZE ++#define MAXPWSIZE 128 ++#endif ++ ++static int appl_pam_started; ++static pid_t appl_pam_starter = -1; ++static int appl_pam_session_opened; ++static int appl_pam_creds_initialized; ++static int appl_pam_pwchange_required; ++static pam_handle_t *appl_pamh; ++static struct pam_conv appl_pam_conv; ++static char *appl_pam_user; ++struct appl_pam_non_interactive_args { ++ const char *user; ++ const char *password; ++}; ++ ++int ++appl_pam_enabled(krb5_context context, const char *section) ++{ ++ int enabled = 1; ++ if ((context != NULL) && (context->profile != NULL)) { ++ if (profile_get_boolean(context->profile, ++ section, ++ USE_PAM_CONFIGURATION_KEYWORD, ++ NULL, ++ enabled, &enabled) != 0) { ++ enabled = 1; ++ } ++ } ++ return enabled; ++} ++ ++void ++appl_pam_cleanup(void) ++{ ++ if (getpid() != appl_pam_starter) { ++ return; ++ } ++#ifdef DEBUG ++ printf("Called to clean up PAM.\n"); ++#endif ++ if (appl_pam_creds_initialized) { ++#ifdef DEBUG ++ 
printf("Deleting PAM credentials.\n"); ++#endif ++ pam_setcred(appl_pamh, PAM_DELETE_CRED); ++ appl_pam_creds_initialized = 0; ++ } ++ if (appl_pam_session_opened) { ++#ifdef DEBUG ++ printf("Closing PAM session.\n"); ++#endif ++ pam_close_session(appl_pamh, 0); ++ appl_pam_session_opened = 0; ++ } ++ appl_pam_pwchange_required = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Shutting down PAM.\n"); ++#endif ++ pam_end(appl_pamh, 0); ++ appl_pam_started = 0; ++ appl_pam_starter = -1; ++ free(appl_pam_user); ++ appl_pam_user = NULL; ++ } ++} ++static int ++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, ++ struct pam_response **presp, void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ char *pwstring, pwbuf[MAXPWSIZE]; ++ unsigned int pwsize; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &(msg[0][i]); /* XXX */ ++ message = msg[i]; /* XXX */ ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ printf("[%s]\n", message->msg ? message->msg : ""); ++ fflush(stdout); ++ resp[i].resp = NULL; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ if (fgets(pwbuf, sizeof(pwbuf), ++ stdin) != NULL) { ++ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; ++ pwstring = pwbuf; ++ } ++ } else { ++ pwstring = getpass(message->msg ? 
++ message->msg : ++ ""); ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int ++appl_pam_non_interactive_converse(int num_msg, ++ const struct pam_message **msg, ++ struct pam_response **presp, ++ void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ unsigned int pwsize; ++ struct appl_pam_non_interactive_args *args; ++ const char *pwstring; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ args = appdata_ptr; ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &((*msg)[i]); ++ message = msg[i]; ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ /* assume "user" */ ++ pwstring = args->user; ++ } else { ++ /* assume "password" */ ++ pwstring = args->password; ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int 
++appl_pam_start(const char *service, int interactive,
++ const char *login_username,
++ const char *non_interactive_password,
++ const char *hostname,
++ const char *ruser,
++ const char *tty)
++{
++ static int exit_handler_registered;
++ static struct appl_pam_non_interactive_args args;
++ int ret = 0;
++ if (appl_pam_started &&
++ (strcmp(login_username, appl_pam_user) != 0)) {
++ appl_pam_cleanup();
++ appl_pam_user = NULL;
++ }
++ if (!appl_pam_started) {
++#ifdef DEBUG
++ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
++ service, login_username);
++#endif
++ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
++ appl_pam_conv.conv = interactive ?
++ &appl_pam_interactive_converse :
++ &appl_pam_non_interactive_converse;
++ memset(&args, 0, sizeof(args));
++ args.user = strdup(login_username);
++ args.password = non_interactive_password ?
++ strdup(non_interactive_password) :
++ NULL;
++ appl_pam_conv.appdata_ptr = &args;
++ ret = pam_start(service, login_username,
++ &appl_pam_conv, &appl_pamh);
++ if (ret == 0) {
++ if (hostname != NULL) {
++#ifdef DEBUG
++ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
++#endif
++ pam_set_item(appl_pamh, PAM_RHOST, hostname);
++ }
++ if (ruser != NULL) {
++#ifdef DEBUG
++ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
++#endif
++ pam_set_item(appl_pamh, PAM_RUSER, ruser);
++ }
++ if (tty != NULL) {
++#ifdef DEBUG
++ printf("Setting PAM_TTY to \"%s\".\n", tty);
++#endif
++ pam_set_item(appl_pamh, PAM_TTY, tty);
++ }
++ if (!exit_handler_registered &&
++ (atexit(appl_pam_cleanup) != 0)) {
++ pam_end(appl_pamh, 0);
++ appl_pamh = NULL;
++ ret = -1;
++ } else {
++ appl_pam_started = 1;
++ appl_pam_starter = getpid();
++ appl_pam_user = strdup(login_username);
++ exit_handler_registered = 1;
++ }
++ }
++ }
++ return ret;
++}
++int
++appl_pam_acct_mgmt(const char *service, int interactive,
++ const char *login_username,
++ const char *non_interactive_password,
++ const char *hostname,
++ const char *ruser,
++ const char *tty)
++{
++ int ret;
++ appl_pam_pwchange_required = 0;
++ ret = appl_pam_start(service, interactive, login_username,
++ non_interactive_password, hostname, ruser, tty);
++ if (ret == 0) {
++#ifdef DEBUG
++ printf("Calling pam_acct_mgmt().\n");
++#endif
++ ret = pam_acct_mgmt(appl_pamh, 0);
++ switch (ret) {
++ case PAM_IGNORE:
++ ret = 0;
++ break;
++ case PAM_NEW_AUTHTOK_REQD:
++ appl_pam_pwchange_required = 1;
++ ret = 0;
++ break;
++ default:
++ break;
++ }
++ }
++ return ret;
++}
++int
++appl_pam_requires_chauthtok(void)
++{
++ return appl_pam_pwchange_required;
++}
++int
++appl_pam_session_open(void)
++{
++ int ret = 0;
++ if (appl_pam_started) {
++#ifdef DEBUG
++ printf("Opening PAM session.\n");
++#endif
++ ret = pam_open_session(appl_pamh, 0);
++ if (ret == 0) {
++ appl_pam_session_opened = 1;
++ }
++ }
++ return ret;
++}
++int
++appl_pam_setenv(void)
++{
++ int ret = 0;
++#ifdef HAVE_PAM_GETENVLIST
++#ifdef HAVE_PUTENV
++ int i;
++ char **list;
++ if (appl_pam_started) {
++ list = pam_getenvlist(appl_pamh);
++ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
++#ifdef DEBUG
++ printf("Setting \"%s\" in environment.\n", list[i]);
++#endif
++ putenv(list[i]);
++ }
++ }
++#endif
++#endif
++ return ret;
++}
++int
++appl_pam_cred_init(void)
++{
++ int ret = 0;
++ if (appl_pam_started) {
++#ifdef DEBUG
++ printf("Initializing PAM credentials.\n");
++#endif
++ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
++ if (ret == 0) {
++ appl_pam_creds_initialized = 1;
++ }
++ }
++ return ret;
++}
++#endif
+Index: krb5-1.9.1/src/clients/ksu/pam.h
+===================================================================
+--- /dev/null
++++ krb5-1.9.1/src/clients/ksu/pam.h
+@@ -0,0 +1,57 @@
++/*
++ * src/clients/ksu/pam.h
++ *
++ * Copyright 2007,2009,2010 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. 
++ */ ++ ++#include ++#ifdef HAVE_SECURITY_PAM_APPL_H ++#include ++#endif ++ ++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" ++ ++#ifdef USE_PAM ++int appl_pam_enabled(krb5_context context, const char *section); ++int appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *local_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty); ++int appl_pam_requires_chauthtok(void); ++int appl_pam_session_open(void); ++int appl_pam_setenv(void); ++int appl_pam_cred_init(void); ++void appl_pam_cleanup(void); ++#endif +Index: krb5-1.9.1/src/configure.in +=================================================================== +--- krb5-1.9.1.orig/src/configure.in ++++ krb5-1.9.1/src/configure.in +@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a " + AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0]) + fi + ++KRB5_WITH_PAM ++ + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + V5_AC_OUTPUT_MAKEFILE(. + diff --git a/krb5-1.8.3.tar.bz2 b/krb5-1.8.3.tar.bz2 deleted file mode 100644 index 1bad97c..0000000 --- a/krb5-1.8.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:93fa3b1f604a35a6a00fc32a65764b25ba218dd921ed00d79cbffa0d7cd64e3f -size 9968381 diff --git a/krb5-1.9-buildconf.patch b/krb5-1.9-buildconf.patch new file mode 100644 index 0000000..e4593e3 --- /dev/null +++ b/krb5-1.9-buildconf.patch 
@@ -0,0 +1,38 @@ +Build binaries in this package as RELRO PIEs and install shared libraries with +the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS +where they might leak out and affect apps which just want to link with the +libraries. FIXME: needs to check and not just assume that the compiler supports +using these flags. + +diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf +--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 ++++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 +@@ -430,7 +430,8 @@ + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in +--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 ++++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +@@ -187,8 +187,14 @@ if test -n "$do_libs"; then + -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ + -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ + -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ +- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` ++ -e 's#\$(CFLAGS)##'` + ++ if test `dirname $libdir` = /usr ; then ++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` ++ fi ++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` ++ + if test $library = 'kdb'; then + lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" + library=krb5 
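Review bot: The `-pie -Wl,-z,relro,-z,now` flags added to CC_LINK_SHARED in shlib.conf are unconditional, which the patch header itself marks as a FIXME; a configure-time probe that sets them only when a test link succeeds would keep the hardening without breaking toolchains that reject them. The krb5-config.in edit interpolates `$libdir` into a `#`-delimited sed expression (`s#-L$libdir##`), so a libdir containing `#` or `&` would corrupt the substitution; escaping the value, or choosing a delimiter that cannot occur in a path, is worth a line. CC_LINK_STATIC is left without RELRO/now, so statically linked programs presumably do not get the hardening; if that is deliberate, the header should say so.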
diff --git a/krb5-1.9-canonicalize-fallback.patch b/krb5-1.9-canonicalize-fallback.patch new file mode 100644 index 0000000..d1f994c --- /dev/null +++ b/krb5-1.9-canonicalize-fallback.patch 
@@ -0,0 +1,61 @@ +From RT#6917. + +Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c ++++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c +@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, + + /***** STATE_REFERRALS *****/ + +-/* +- * Possibly retry a request in the fallback realm after a referral request +- * failure in the local realm. Expects ctx->reply_code to be set to the error +- * from a referral request. +- */ ++/* Possibly try a non-referral request after a referral request failure. ++ * Expects ctx->reply_code to be set to the error from a referral request. */ + static krb5_error_code +-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) ++try_fallback(krb5_context context, krb5_tkt_creds_context ctx) + { + krb5_error_code code; + char **hrealms; +@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, + if (ctx->referral_count > 1) + return ctx->reply_code; + +- /* Only fall back if the original request used the referral realm. */ ++ /* If the request used a specified realm, make a non-referral request to ++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ + if (!krb5_is_referral_realm(&ctx->req_server->realm)) +- return ctx->reply_code; ++ return begin_non_referral(context, ctx); + + if (ctx->server->length < 2) { + /* We need a type/host format principal to find a fallback realm. */ +@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, + if (code != 0) + return code; + +- /* Give up if the fallback realm isn't any different. */ ++ /* If the fallback realm isn't any different, use the existing TGT. */ + if (data_eq_string(ctx->server->realm, hrealms[0])) { + krb5_free_host_realm(context, hrealms); +- return ctx->reply_code; ++ return begin_non_referral(context, ctx); + } + + /* Rewrite server->realm to be the fallback realm. 
*/ +@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb + krb5_error_code code; + const krb5_data *referral_realm; + +- /* Possibly retry with the fallback realm on error. */ ++ /* Possibly try a non-referral fallback request on error. */ + if (ctx->reply_code != 0) +- return try_fallback_realm(context, ctx); ++ return try_fallback(context, ctx); + + if (krb5_principal_compare(context, ctx->reply_creds->server, + ctx->server)) { diff --git a/krb5-1.9-kprop-mktemp.patch b/krb5-1.9-kprop-mktemp.patch new file mode 100644 index 0000000..907f453 --- /dev/null +++ b/krb5-1.9-kprop-mktemp.patch @@ -0,0 +1,30 @@ +Use an in-memory ccache to silence a compiler warning, for RT#6414. + +Index: krb5-1.9.1/src/slave/kprop.c +=================================================================== +--- krb5-1.9.1.orig/src/slave/kprop.c ++++ krb5-1.9.1/src/slave/kprop.c +@@ -188,9 +188,8 @@ void PRS(argc, argv) + void get_tickets(context) + krb5_context context; + { +- char buf[BUFSIZ], *def_realm; ++ char buf[] = "MEMORY:_kproptkt", *def_realm; + krb5_error_code retval; +- static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; + + /* +@@ -229,11 +228,8 @@ void get_tickets(context) + #endif + + /* +- * Initialize cache file which we're going to be using ++ * Initialize an in-memory cache for temporary use + */ +- (void) mktemp(tkstring); +- snprintf(buf, sizeof(buf), "FILE:%s", tkstring); +- + retval = krb5_cc_resolve(context, buf, &ccache); + if (retval) { + com_err(progname, retval, "while opening credential cache %s", diff --git a/krb5-1.9-ksu-path.patch b/krb5-1.9-ksu-path.patch new file mode 100644 index 0000000..f19a154 --- /dev/null +++ b/krb5-1.9-ksu-path.patch 
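Review bot: The patch header is only `From RT#6917.`, while the other patch files in this set open with a one-line summary, and this one changes behavior: a referral-request failure against an explicitly named realm now retries as a non-referral request through `begin_non_referral` instead of returning the error. A header such as `Retry without KDC_OPT_CANONICALIZE when the named realm's KDC rejects the referral request (RT#6917).` would document that. The body of try_fallback continues past the end of the hunk.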
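Review bot: The header presents this as silencing a compiler warning, but the substantive effect is replacing a predictable-name temporary credential cache created with mktemp(3) under /tmp (`/tmp/kproptktXXXXXX`) with a per-process `MEMORY:` cache, which is presumably what the deprecated-mktemp warning was about; the header should state that, e.g. `Use an in-memory ccache instead of a mktemp()-named file under /tmp (RT#6414).` Whether the rest of get_tickets still destroys or unlinks the old cache path is outside the hunk and worth checking, since a MEMORY: cache needs no filesystem cleanup.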
@@ -0,0 +1,13 @@ +Set the default PATH to the one set by login. + +diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in +--- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 ++++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 +@@ -1,6 +1,6 @@ + mydir=clients$(S)ksu + BUILDTOP=$(REL)..$(S).. +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' + DEFS= + + PROG_LIBPATH=-L$(TOPLIBD) diff --git a/krb5-1.7-manpaths.dif b/krb5-1.9-manpaths.dif similarity index 75% rename from krb5-1.7-manpaths.dif rename to krb5-1.9-manpaths.dif index 804b3c2..71cc421 100644 --- a/krb5-1.7-manpaths.dif +++ b/krb5-1.9-manpaths.dif 
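Review bot: CMD_PATH appears to be the directory list ksu searches for the command it runs as the target user, and the new value places /usr/local/sbin and /usr/local/bin ahead of /sbin, /usr/sbin, /bin and /usr/bin; for a setuid program that ordering is a policy choice, since a same-named command earlier in the list shadows the system one. The one-line header should state that the order mirrors login's default PATH and that the ordering is intentional.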
@@ -1,9 +1,41 @@ +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 - -Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M +Index: krb5-1.9.1/src/aclocal.m4 =================================================================== ---- krb5-1.8.3.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.8.3/src/appl/sample/sserver/sserver.M +--- krb5-1.9.1.orig/src/aclocal.m4 ++++ krb5-1.9.1/src/aclocal.m4 +@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.9.1/src/appl/sample/sserver/sserver.M 
@@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -13,10 +45,10 @@ Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.8.3/src/config-files/kdc.conf.M +Index: krb5-1.9.1/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.8.3.orig/src/config-files/kdc.conf.M -+++ krb5-1.8.3/src/config-files/kdc.conf.M +--- krb5-1.9.1.orig/src/config-files/kdc.conf.M ++++ krb5-1.9.1/src/config-files/kdc.conf.M @@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that 
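Review bot: `AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[` leaves the macro name unquoted; autoconf convention is `AC_DEFUN([V5_AC_OUTPUT_MANPAGE], [` so m4 cannot expand the name if it is ever defined before this point. The four blocks that run `eval echo ... | sed -e "s,NONE,$prefix,g"` over sysconfdir, sbindir, localstatedir and libexecdir are identical modulo the variable, except that the sbindir and libexecdir ones also substitute `$exec_prefix` first; a small inner macro taking the variable name would make that difference visible instead of buried in repetition. The same unquoted-name style appears in the KRB5_WITH_SELINUX definition later in this commit.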
@@ -43,74 +75,44 @@ Index: krb5-1.8.3/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.8.3/src/configure.in +Index: krb5-1.9.1/src/config-files/krb5.conf.M =================================================================== ---- krb5-1.8.3.orig/src/configure.in -+++ krb5-1.8.3/src/configure.in -@@ -1057,6 +1057,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " - fi +--- krb5-1.9.1.orig/src/config-files/krb5.conf.M ++++ krb5-1.9.1/src/config-files/krb5.conf.M +@@ -768,6 +768,6 @@ with another database such as Active Dir + in for this interface. + + .SH FILES +-/etc/krb5.conf ++@mansysconfdir@/krb5.conf + .SH SEE ALSO + syslog(3) +Index: krb5-1.9.1/src/configure.in +=================================================================== +--- krb5-1.9.1.orig/src/configure.in ++++ krb5-1.9.1/src/configure.in +@@ -1128,6 +1128,16 @@ fi + KRB5_WITH_PAM AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_OUTPUT([ -+ appl/sample/sclient/sclient.M ++V5_AC_OUTPUT_MANPAGE([ + 
appl/sample/sserver/sserver.M -+ clients/kcpytkt/kcpytkt.M -+ clients/kdeltkt/kdeltkt.M -+ clients/kdestroy/kdestroy.M -+ clients/kinit/kinit.M -+ clients/klist/klist.M -+ clients/kpasswd/kpasswd.M -+ clients/ksu/ksu.M -+ clients/kvno/kvno.M + config-files/kdc.conf.M + config-files/krb5.conf.M -+ gen-manpages/k5login.M -+ gen-manpages/kerberos.M -+ kadmin/cli/k5srvutil.M -+ kadmin/cli/kadmin.local.M + kadmin/cli/kadmin.M -+ kadmin/dbutil/kdb5_util.M -+ kadmin/ktutil/ktutil.M -+ kadmin/server/kadmind.M -+ kdc/krb5kdc.M -+ krb5-config.M -+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M + slave/kpropd.M + slave/kprop.M -+ tests/create/kdb5_mkdums.M -+ util/et/com_err.3 -+ util/et/compile_et.1 -+ util/profile/profile.5 -+ util/send-pr/send-pr.1 +]) + V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.8.3/src/kadmin/cli/kadmin.M +Index: krb5-1.9.1/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.8.3.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.8.3/src/kadmin/cli/kadmin.M -@@ -869,9 +869,9 @@ option is specified, less verbose status +--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.9.1/src/kadmin/cli/kadmin.M +@@ -880,9 +880,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -122,7 +124,7 @@ Index: krb5-1.8.3/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -913,7 +913,7 @@ passwords. +@@ -924,7 +924,7 @@ passwords. .SH HISTORY The .B kadmin 
@@ -131,32 +133,10 @@ Index: krb5-1.8.3/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.8.3/src/slave/kprop.M +Index: krb5-1.9.1/src/slave/kpropd.M =================================================================== ---- krb5-1.8.3.orig/src/slave/kprop.M -+++ krb5-1.8.3/src/slave/kprop.M -@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). - .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the -Index: krb5-1.8.3/src/slave/kpropd.M -=================================================================== ---- krb5-1.8.3.orig/src/slave/kpropd.M -+++ krb5-1.8.3/src/slave/kpropd.M +--- krb5-1.9.1.orig/src/slave/kpropd.M ++++ krb5-1.9.1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: 
@@ -199,3 +179,25 @@ Index: krb5-1.8.3/src/slave/kpropd.M Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO +Index: krb5-1.9.1/src/slave/kprop.M +=================================================================== +--- krb5-1.9.1.orig/src/slave/kprop.M ++++ krb5-1.9.1/src/slave/kprop.M +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the diff --git a/krb5-1.9-paren.patch b/krb5-1.9-paren.patch new file mode 100644 index 0000000..c5afd7a --- /dev/null +++ b/krb5-1.9-paren.patch @@ -0,0 +1,13 @@ +Upstream commit #24477. +diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c +--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 ++++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 +@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn + btime = (unsigned int)(2<<(*cnt)); + if (btime > MAX_BACKOFF) { + btime = MAX_BACKOFF; +- *cnt--; ++ (*cnt)--; + } + + return (btime); diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch new file mode 100644 index 0000000..2ddb34b --- /dev/null +++ b/krb5-1.9-selinux-label.patch 
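Review bot: The header could say what the fix changes: `*cnt--` decremented the pointer and left the caller's counter untouched, so, assuming the caller increments `*cnt` on each retry (outside the hunk), `*cnt` kept growing and `2<<(*cnt)` on the line above would eventually shift by at least the width of int, which is undefined behavior; with `(*cnt)--` the counter stays clamped near log2(MAX_BACKOFF). Suggested header: `Fix operator precedence in backoff_from_master(): decrement the counter, not the pointer (upstream commit #24477).`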
@@ -0,0 +1,919 @@ +SELinux bases access to files on the domain of the requesting process, +the operation being performed, and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need to be given a +label which differs from that of /etc/issue or /etc/resolv.conf. The +the kdb stash file needs a different label than the database for which +it's holding a master key, even though both typically live in the same +directory. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we attempt to do here. We lean on THREEPARAMOPEN +and define a similar macro named WRITABLEFOPEN with which we replace +several uses of fopen(). + +The file creation context that we're manipulating here is a process-wide +attribute. While for the most part, applications which need to label +files when they're created have tended to be single-threaded, there's +not much we can do to avoid interfering with an application that +manipulates the creation context directly. Right now we're mediating +access using a library-local mutex, but that can only work for consumers +that are part of this package -- an unsuspecting application will still +stomp all over us. + +The selabel APIs for looking up the context should be thread-safe (per +Red Hat #273081), so switching to using them instead of matchpathcon(), +which we used earlier, is some improvement. 
+ +Index: krb5-1.9.1/src/aclocal.m4 +=================================================================== +--- krb5-1.9.1.orig/src/aclocal.m4 ++++ krb5-1.9.1/src/aclocal.m4 +@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir) + AC_SUBST(manlibexecdir) + AC_CONFIG_FILES($1) + ]) ++dnl ++dnl Use libselinux to set file contexts on newly-created files. ++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_NOTICE([building with SELinux labeling support]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen 
krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +Index: krb5-1.9.1/src/config/pre.in +=================================================================== +--- krb5-1.9.1.orig/src/config/pre.in ++++ krb5-1.9.1/src/config/pre.in +@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR + LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ + LDARGS = @LDARGS@ + LIBS = @LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on Mac OS X! +Index: krb5-1.9.1/src/configure.in +=================================================================== +--- krb5-1.9.1.orig/src/configure.in ++++ krb5-1.9.1/src/configure.in +@@ -1127,6 +1127,8 @@ fi + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + + V5_AC_OUTPUT_MANPAGE([ +Index: krb5-1.9.1/src/include/k5-int.h +=================================================================== +--- krb5-1.9.1.orig/src/include/k5-int.h ++++ krb5-1.9.1/src/include/k5-int.h +@@ -135,6 +135,7 @@ typedef unsigned char u_char; + typedef UINT64_TYPE krb5_ui_8; + typedef INT64_TYPE krb5_int64; + ++#include "k5-label.h" + + #define DEFAULT_PWD_STRING1 "Enter password" + #define DEFAULT_PWD_STRING2 "Re-enter password for verification" +Index: krb5-1.9.1/src/include/k5-label.h +=================================================================== +--- /dev/null ++++ krb5-1.9.1/src/include/k5-label.h +@@ -0,0 +1,32 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H ++ ++#ifdef THREEPARAMOPEN 
++#undef THREEPARAMOPEN ++#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif ++ ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif ++#endif +Index: krb5-1.9.1/src/include/krb5/krb5.hin +=================================================================== +--- krb5-1.9.1.orig/src/include/krb5/krb5.hin ++++ krb5-1.9.1/src/include/krb5/krb5.hin +@@ -87,6 +87,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO + + #include +Index: krb5-1.9.1/src/kadmin/dbutil/dump.c +=================================================================== +--- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c ++++ krb5-1.9.1/src/kadmin/dbutil/dump.c +@@ -1257,7 +1257,7 @@ dump_db(argc, argv) + * want to get into. 
+ */ + unlink(ofile); +- if (!(f = fopen(ofile, "w"))) { ++ if (!(f = WRITABLEFOPEN(ofile, "w"))) { + fprintf(stderr, ofopen_error, + progname, ofile, error_message(errno)); + exit_status++; +Index: krb5-1.9.1/src/krb5-config.in +=================================================================== +--- krb5-1.9.1.orig/src/krb5-config.in ++++ krb5-1.9.1/src/krb5-config.in +@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' + PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' + PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' + DL_LIB='@DL_LIB@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -214,7 +215,7 @@ if test -n "$do_libs"; then + fi + + if test $library = 'krb5'; then +- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" ++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + fi + + echo $lib_flags +Index: krb5-1.9.1/src/lib/kadm5/logger.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/kadm5/logger.c ++++ krb5-1.9.1/src/lib/kadm5/logger.c +@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { +- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); ++ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[i].lfu_filep = f; +@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. 
+ */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c +@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? + fopen_mode_rbplus : fopen_mode_rb); + if (!KTFILEP(id)) { +@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context + /* try making it first time around */ + krb5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c ++++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c +@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char + * POSIX systems + */ + lockp->lockinfo.filename = strdup(lockfilename); +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c ++++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c +@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context) + * should be opened read/write so that write locking can work with + * POSIX systems + */ +- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) { +- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { ++ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) { ++ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) { + retval = errno; + goto err_out; + } +@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db + if (!okname) + retval = ENOMEM; + else { +- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); + if (fd < 0) + retval = errno; + else +@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch + retval = ENOMEM; + goto errout; + } +- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); ++ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); + if (db_ctx->db_lf_file < 0) { + retval = errno; + goto errout; +Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. + + #include "k5-platform.h" /* mkstemp? 
*/ + ++#include "k5-int.h" + #include "db-int.h" + #include "btree.h" + +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 + #include + #endif + ++#include "k5-int.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info + new_table = 1; + } + if (file) { +- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo, + int rfd, sverrno; + + /* Open the user's file -- if this fails, we're done. 
*/ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in ++++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in +@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) + + KRB5_RUN_ENV= @KRB5_RUN_ENV@ + +-DB_LIB = -ldb ++DB_LIB = -ldb $(SUPPORT_DEPLIB) ++ + DB_DEPLIB = ../libdb$(DEPLIBEXT) + + all:: +Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +=================================================================== +--- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch + + /* Create a temporary file which contains all the entries except the + entry for the given service dn */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; +@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch + snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); + + +- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); ++ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); + umask(omask); + if (tmpfd == -1) { + com_err(me, errno, "while deleting entry from file\n"); +@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc, + + printf("File does not exist. 
Creating the file %s...\n", file_name); + omask = umask(077); +- fd = creat(file_name, S_IRUSR|S_IWUSR); ++ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); + umask(omask); + if (fd == -1) { + com_err(me, errno, "Error creating file %s", file_name); +@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc, + + /* TODO: file lock for the service password file */ + /* set password in the file */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "Failed to open file %s", file_name); + goto cleanup; +@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc, + } + + omask = umask(077); +- newfile = fopen(tmp_file, "w+"); ++ newfile = WRITABLEFOPEN(tmp_file, "w+"); + umask(omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); +@@ -2019,7 +2019,7 @@ done: + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, "a+"); + if (pfile == NULL) { + com_err(me, errno, "Failed to open file %s: %s", file_name, + strerror (errno)); +@@ -2069,7 +2069,7 @@ done: + } + + omask = umask(077); +- newfile = fopen(tmp_file, "w"); ++ newfile = WRITABLEFOPEN(tmp_file, "w"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); +Index: krb5-1.9.1/src/slave/kpropd.c +=================================================================== +--- krb5-1.9.1.orig/src/slave/kpropd.c ++++ krb5-1.9.1/src/slave/kpropd.c +@@ -338,7 +338,7 @@ retry: + if (!debug && iproprole != IPROP_SLAVE) + daemon(1, 0); + #ifdef PID_FILE +- if ((pidfile = fopen(PID_FILE, "w")) != NULL) { ++ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) { + fprintf(pidfile, "%d\n", getpid()); + fclose(pidfile); + } else +Index: krb5-1.9.1/src/util/profile/prof_file.c +=================================================================== +--- 
krb5-1.9.1.orig/src/util/profile/prof_file.c ++++ krb5-1.9.1/src/util/profile/prof_file.c +@@ -30,6 +30,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +Index: krb5-1.9.1/src/util/support/Makefile.in +=================================================================== +--- krb5-1.9.1.orig/src/util/support/Makefile.in ++++ krb5-1.9.1/src/util/support/Makefile.in +@@ -54,6 +54,7 @@ IPC_SYMS= \ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -108,7 +109,7 @@ SRCS=\ + + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + SHLIB_DIRS= + SHLIB_RDIRS=$(KRB5_LIBDIR) + +Index: krb5-1.9.1/src/util/support/selinux.c +=================================================================== +--- /dev/null ++++ krb5-1.9.1/src/util/support/selinux.c +@@ -0,0 +1,362 @@ ++/* ++ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. 
nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_SELINUX_LABEL_H ++#include ++#endif ++ ++/* #define DEBUG 1 */ ++ ++/* Mutex used to serialize use of the process-global file creation context. */ ++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; ++ ++/* Make sure we finish initializing that mutex before attempting to use it. 
*/ ++k5_once_t labeled_once = K5_ONCE_INIT; ++static void ++label_mutex_init(void) ++{ ++ k5_mutex_finish_init(&labeled_mutex); ++} ++ ++static security_context_t ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ security_context_t previous, configuredsc, currentsc, derivedsc; ++ context_t current, derived; ++ const char *fullpath, *currentuser; ++#ifdef HAVE_SELINUX_LABEL_H ++ struct selabel_handle *ctx; ++#endif ++ ++ previous = NULL; ++ if (is_selinux_enabled()) { ++ if (getfscreatecon(&previous) == 0) { ++ char *genpath; ++ genpath = NULL; ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } else { ++ fullpath = pathname; ++ } ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Looking up context for " ++ "\"%s\"(%05o).\n", fullpath, mode); ++ } ++#endif ++ configuredsc = NULL; ++#ifdef HAVE_SELINUX_LABEL_H ++ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ if (ctx != NULL) { ++ if (selabel_lookup(ctx, &configuredsc, ++ fullpath, mode) != 0) { ++ selabel_close(ctx); ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ selabel_close(ctx); ++ } ++#else ++ if (matchpathcon(fullpath, mode, &configuredsc) != 0) { ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++#endif ++ free(genpath); ++ if (configuredsc == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ currentsc = NULL; ++ getcon(¤tsc); ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ if (derived != NULL) { ++ current = 
context_new(currentsc); ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ context_free(current); ++ } ++ context_free(derived); ++ } ++ freecon(currentsc); ++ } ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Setting file creation context " ++ "to \"%s\".\n", configuredsc); ++ } ++#endif ++ if (setfscreatecon(configuredsc) != 0) { ++ freecon(configuredsc); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ freecon(configuredsc); ++#ifdef DEBUG ++ } else { ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Unable to determine " ++ "current context.\n"); ++ } ++#endif ++ } ++ } ++ return previous; ++} ++ ++static void ++pop_fscreatecon(security_context_t previous) ++{ ++ if (is_selinux_enabled()) { ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ if (previous != NULL) { ++ fprintf(stderr, "Resetting file creation " ++ "context to \"%s\".\n", previous); ++ } else { ++ fprintf(stderr, "Resetting file creation " ++ "context to default.\n"); ++ } ++ } ++#endif ++ setfscreatecon(previous); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ } ++} ++ ++void * ++krb5int_push_fscreatecon_for(const char *pathname) ++{ ++ struct stat st; ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ return push_fscreatecon(pathname, st.st_mode); ++} ++ ++void ++krb5int_pop_fscreatecon(void *con) ++{ ++ pop_fscreatecon(con); ++} ++ ++FILE * ++krb5int_labeled_fopen(const char *path, const char *mode) ++{ ++ FILE *fp; ++ int errno_save; ++ security_context_t ctx; ++ ++ if (strcmp(mode, "r") == 0) { ++ return fopen(path, mode); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ 
fp = fopen(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ fp = fopen(path, mode); ++ } ++ ++ return fp; ++} ++ ++int ++krb5int_labeled_creat(const char *path, mode_t mode) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ fd = creat(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ fd = creat(path, mode); ++ } ++ return fd; ++} ++ ++int ++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, mode); ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ ret = mknod(path, mode, dev); ++ } ++ return ret; ++} ++ ++int ++krb5int_labeled_mkdir(const char *path, mode_t mode) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ ret = mkdir(path, mode); ++ } ++ return ret; ++} ++ ++int ++krb5int_labeled_open(const char *path, int flags, ...) 
++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ mode_t mode; ++ va_list ap; ++ ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); ++ ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ errno_save = errno; ++ va_end(ap); ++ errno = errno_save; ++ } ++ return fd; ++} ++ ++#endif +Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c ++++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c +@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! t->recovering) { + name = t->name; +@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { diff --git a/krb5-1.9.1-ai_addrconfig.patch b/krb5-1.9.1-ai_addrconfig.patch new file mode 100644 index 0000000..202dde5 --- /dev/null +++ b/krb5-1.9.1-ai_addrconfig.patch 
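Review bot: In the rc_dfl.c section at the end of this hunk, the context pushed by `krb5int_push_fscreatecon_for(t->d.fn)` is popped only when the returned value is non-NULL, but push_fscreatecon() also returns NULL in the ordinary case where getfscreatecon() reports no prior context (previous == NULL) after it has already called setfscreatecon(configuredsc); the process-wide creation context then appears to stay set to the replay-cache label for every file the process creates afterwards. The krb5int_labeled_* wrappers in selinux.c pop unconditionally, so rc_dfl.c should do the same: `if (t->d.fn != NULL) krb5int_pop_fscreatecon(selabel);`. Relatedly, pop_fscreatecon() ignores the return of `setfscreatecon(previous)`, so a failure there also leaves the wrong label in place silently; the result should be checked or at least reported under DEBUG. In push_fscreatecon, a failing `strdup(derivedsc)` leaves configuredsc NULL after the preceding freecon(), and `setfscreatecon(NULL)` then clears the creation context rather than failing, so the derived-context branch should keep the original configuredsc when strdup fails instead of freeing it first. `labeled_mutex` and `labeled_once` have external linkage and should be `static`, since only the krb5int_* entry points are meant to be exported.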
@@ -0,0 +1,30 @@ +From RT#6922. When we're converting a host/service pair into a principal +name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try +to avoid libc having doing a PTR lookup because we also specify +AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea. + +Index: src/lib/krb5/os/sn2princ.c +=================================================================== +--- src/lib/krb5/os/sn2princ.c.orig ++++ src/lib/krb5/os/sn2princ.c +@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con + hostnames associated. */ + + memset(&hints, 0, sizeof(hints)); +- hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; +- try_getaddrinfo_again: ++ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { + #ifdef DEBUG_REFERRALS + printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname); + #endif +- if (hints.ai_family == AF_INET) { +- /* Just in case it's an IPv6-only name. */ +- hints.ai_family = 0; +- goto try_getaddrinfo_again; +- } + return KRB5_ERR_BAD_HOSTNAME; + } + remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname); diff --git a/krb5-1.9.1-ai_addrconfig2.patch b/krb5-1.9.1-ai_addrconfig2.patch new file mode 100644 index 0000000..53f9820 --- /dev/null +++ b/krb5-1.9.1-ai_addrconfig2.patch 
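Review bot: Adding AI_ADDRCONFIG to the sname_to_princ hints (and, in the krb5-1.9.1-ai_addrconfig2.patch hunk that follows, to hostaddr.c, sclient.c, kprop.c, py-locate.c, kadm5_create.c, alt_prof.c, hst_realm.c, client_init.c and locate_kdc.c) changes behavior on hosts that only have a loopback address configured: glibc's AI_ADDRCONFIG does not count loopback interfaces as configured addresses, so resolving `localhost` on such a host may now fail where it previously succeeded, which matters for single-host KDC setups and test runs. The hostaddr.c site is the most exposed because it combines `AI_NUMERICHOST | AI_ADDRCONFIG`, where the flag adds no resolver benefit (no DNS query is made for a numeric host) but may reject an explicitly given literal such as `::1` on an IPv4-only host; dropping it there, `hints.ai_flags = AI_NUMERICHOST;`, keeps the rest of the change intact. Since this is a deliberate trade-off, the patch description should at least record it as a known behavior change.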
@@ -0,0 +1,122 @@ +Most of RT#6923, except for the part that depends on the sendto_kdc rewrite +(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we +specify hints to getaddrinfo() to get the address of a server. + +Index: src/plugins/locate/python/py-locate.c +=================================================================== +--- src/plugins/locate/python/py-locate.c.orig ++++ src/plugins/locate/python/py-locate.c +@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t + return -1; + } + aihints.ai_socktype = thissocktype; ++ aihints.ai_flags = AI_ADDRCONFIG; + x = getaddrinfo (hoststr, portstr, &aihints, &airesult); + if (x != 0) + continue; +Index: src/appl/sample/sclient/sclient.c +=================================================================== +--- src/appl/sample/sclient/sclient.c.orig ++++ src/appl/sample/sclient/sclient.c +@@ -124,6 +124,7 @@ main(int argc, char *argv[]) + + memset(&aihints, 0, sizeof(aihints)); + aihints.ai_socktype = SOCK_STREAM; ++ aihints.ai_flags = AI_ADDRCONFIG; + aierr = getaddrinfo(argv[1], portstr, &aihints, &ap); + if (aierr) { + fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n", +Index: src/kadmin/dbutil/kadm5_create.c +=================================================================== +--- src/kadmin/dbutil/kadm5_create.c.orig ++++ src/kadmin/dbutil/kadm5_create.c +@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle + goto clean_and_exit; + } + memset(&ai_hints, 0, sizeof(ai_hints)); +- ai_hints.ai_flags = AI_CANONNAME; ++ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); + if (gai_error) { + ret = EINVAL; +Index: src/lib/kadm5/alt_prof.c +=================================================================== +--- src/lib/kadm5/alt_prof.c.orig ++++ src/lib/kadm5/alt_prof.c +@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex + } + + memset(&hint, 0, sizeof(hint)); +- hint.ai_flags = 
AI_CANONNAME; ++ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai); + if (err != 0) { + ret = KADM5_CANT_RESOLVE; +Index: src/lib/kadm5/clnt/client_init.c +=================================================================== +--- src/lib/kadm5/clnt/client_init.c.orig ++++ src/lib/kadm5/clnt/client_init.c +@@ -563,8 +563,9 @@ connect_to_server(const char *hostname, + (void) snprintf(portbuf, sizeof(portbuf), "%d", port); + memset(&hint, 0, sizeof(hint)); + hint.ai_socktype = SOCK_STREAM; ++ hint.ai_flags = AI_ADDRCONFIG; + #ifdef AI_NUMERICSERV +- hint.ai_flags = AI_NUMERICSERV; ++ hint.ai_flags |= AI_NUMERICSERV; + #endif + err = getaddrinfo(hostname, portbuf, &hint, &addrs); + if (err != 0) +Index: src/lib/krb5/os/hostaddr.c +=================================================================== +--- src/lib/krb5/os/hostaddr.c.orig ++++ src/lib/krb5/os/hostaddr.c +@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c + return KRB5_ERR_BAD_HOSTNAME; + + memset (&hints, 0, sizeof (hints)); +- hints.ai_flags = AI_NUMERICHOST; ++ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; + /* We don't care what kind at this point, really, but without + this, we can get back multiple sockaddrs per address, for + SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. 
I haven't checked if +Index: src/lib/krb5/os/hst_realm.c +=================================================================== +--- src/lib/krb5/os/hst_realm.c.orig ++++ src/lib/krb5/os/hst_realm.c +@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz + int err; + + memset (&hints, 0, sizeof (hints)); +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + err = getaddrinfo (name, 0, &hints, &ai); + if (err) + return krb5int_translate_gai_error (err); +Index: src/slave/kprop.c +=================================================================== +--- src/slave/kprop.c.orig ++++ src/slave/kprop.c +@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_ADDRCONFIG; + error = getaddrinfo(host, port, &hints, &answers); + if (error != 0) { + com_err(progname, 0, "%s: %s", host, gai_strerror(error)); +Index: src/lib/krb5/os/locate_kdc.c +=================================================================== +--- src/lib/krb5/os/locate_kdc.c.orig ++++ src/lib/krb5/os/locate_kdc.c +@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis + memset(&hint, 0, sizeof(hint)); + hint.ai_family = family; + hint.ai_socktype = socktype; ++ hint.ai_flags = AI_ADDRCONFIG; + #ifdef AI_NUMERICSERV +- hint.ai_flags = AI_NUMERICSERV; ++ hint.ai_flags |= AI_NUMERICSERV; + #endif + result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); + if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) diff --git a/krb5-1.9.1-sendto_poll.patch b/krb5-1.9.1-sendto_poll.patch new file mode 100644 index 0000000..b9923ee --- /dev/null +++ b/krb5-1.9.1-sendto_poll.patch 
@@ -0,0 +1,624 @@ +Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a +struct select_state has an alternate layout when USE_POLL is defined, +and if we detect at configure-time, have sendto_kdc.c define +USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases, +so that the previous behavior is preserved when is not found. +RT#6905 + +Index: src/include/cm.h +=================================================================== +--- src/include/cm.h.orig ++++ src/include/cm.h +@@ -25,11 +25,20 @@ + * or implied warranty. + */ + +-/* Since fd_set is large on some platforms (8K on AIX 5.2), this +- probably shouldn't be allocated in automatic storage. */ ++/* ++ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably ++ * shouldn't be allocated in automatic storage. Define USE_POLL and ++ * MAX_POLLFDS in the consumer of this header file to use poll state instead of ++ * select state. ++ */ + struct select_state { +- int max, nfds; ++#ifdef USE_POLL ++ struct pollfd fds[MAX_POLLFDS]; ++#else ++ int max; + fd_set rfds, wfds, xfds; ++#endif ++ int nfds; + struct timeval end_time; /* magic: tv_sec==0 => never time out */ + }; + +Index: src/configure.in +=================================================================== +--- src/configure.in.orig ++++ src/configure.in +@@ -74,7 +74,7 @@ LIBUTIL=-lutil + ]) + AC_SUBST(LIBUTIL) + # for kdc +-AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h) ++AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h) + AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf) + AC_CHECK_FUNCS(strlcpy) + EXTRA_SUPPORT_SYMS= +@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h, + AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))]) + + KRB5_SIGTYPE +-AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h 
errno.h) ++AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h) + AC_HEADER_STDARG + KRB5_AC_INET6 + +Index: src/lib/krb5/os/cm.c +=================================================================== +--- /dev/null ++++ src/lib/krb5/os/cm.c +@@ -0,0 +1,97 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* lib/krb5/os/cm.c - Connection manager functions */ ++/* ++ * Copyright (C) 2011 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Export of this software from the United States of America may ++ * require a specific license from the United States Government. ++ * It is the responsibility of any person or organization contemplating ++ * export to obtain such a license before exporting. ++ * ++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and ++ * distribute this software and its documentation for any purpose and ++ * without fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright notice and ++ * this permission notice appear in supporting documentation, and that ++ * the name of M.I.T. not be used in advertising or publicity pertaining ++ * to distribution of the software without specific, written prior ++ * permission. Furthermore if you modify this software you must label ++ * your software as modified software and not distribute it in such a ++ * fashion that it might be confused with the original M.I.T. software. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" without express ++ * or implied warranty. ++ */ ++ ++/* ++ * This file include krb5int_cm_call_select, which is used by ++ * lib/apputils/net-server.c and sometimes by sendto_kdc.c. 
++ */ ++ ++#include "k5-int.h" ++#ifdef HAVE_SYS_SELECT_H ++#include ++#endif ++#ifdef _WIN32 ++#include ++#endif ++#include "cm.h" ++ ++int ++k5_getcurtime(struct timeval *tvp) ++{ ++#ifdef _WIN32 ++ struct _timeb tb; ++ _ftime(&tb); ++ tvp->tv_sec = tb.time; ++ tvp->tv_usec = tb.millitm * 1000; ++ /* Can _ftime fail? */ ++ return 0; ++#else ++ if (gettimeofday(tvp, 0)) ++ return errno; ++ return 0; ++#endif ++} ++ ++/* ++ * Call select and return results. ++ * Input: interesting file descriptors and absolute timeout ++ * Output: select return value (-1 or num fds ready) and fd_sets ++ * Return: 0 (for i/o available or timeout) or error code. ++ */ ++krb5_error_code ++krb5int_cm_call_select (const struct select_state *in, ++ struct select_state *out, int *sret) ++{ ++ struct timeval now, *timo; ++ krb5_error_code e; ++ ++ *out = *in; ++ e = k5_getcurtime(&now); ++ if (e) ++ return e; ++ if (out->end_time.tv_sec == 0) ++ timo = 0; ++ else { ++ timo = &out->end_time; ++ out->end_time.tv_sec -= now.tv_sec; ++ out->end_time.tv_usec -= now.tv_usec; ++ if (out->end_time.tv_usec < 0) { ++ out->end_time.tv_usec += 1000000; ++ out->end_time.tv_sec--; ++ } ++ if (out->end_time.tv_sec < 0) { ++ *sret = 0; ++ return 0; ++ } ++ } ++ ++ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo); ++ e = SOCKET_ERRNO; ++ ++ if (*sret < 0) ++ return e; ++ return 0; ++} +Index: src/lib/krb5/os/Makefile.in +=================================================================== +--- src/lib/krb5/os/Makefile.in.orig ++++ src/lib/krb5/os/Makefile.in +@@ -18,6 +18,7 @@ STLIBOBJS= \ + def_realm.o \ + ccdefname.o \ + changepw.o \ ++ cm.o \ + dnsglue.o \ + dnssrv.o \ + free_krbhs.o \ +@@ -62,6 +63,7 @@ OBJS= \ + $(OUTPRE)def_realm.$(OBJEXT) \ + $(OUTPRE)ccdefname.$(OBJEXT) \ + $(OUTPRE)changepw.$(OBJEXT) \ ++ $(OUTPRE)cm.$(OBJEXT) \ + $(OUTPRE)dnsglue.$(OBJEXT) \ + $(OUTPRE)dnssrv.$(OBJEXT) \ + $(OUTPRE)free_krbhs.$(OBJEXT) \ +@@ -106,6 +108,7 @@ SRCS= \ + $(srcdir)/def_realm.c \ + 
$(srcdir)/ccdefname.c \ + $(srcdir)/changepw.c \ ++ $(srcdir)/cm.c \ + $(srcdir)/dnsglue.c \ + $(srcdir)/dnssrv.c \ + $(srcdir)/free_krbhs.c \ +Index: src/lib/krb5/os/os-proto.h +=================================================================== +--- src/lib/krb5/os/os-proto.h.orig ++++ src/lib/krb5/os/os-proto.h +@@ -31,6 +31,10 @@ + #ifndef KRB5_LIBOS_INT_PROTO__ + #define KRB5_LIBOS_INT_PROTO__ + ++#ifdef HAVE_SYS_TIME_H ++#include ++#endif ++ + struct addrlist; + krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *, + struct addrlist *, int, int, int); +@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos + /* The io vector is *not* const here, unlike writev()! */ + int krb5int_net_writev (krb5_context, int, sg_buf *, int); + ++int k5_getcurtime(struct timeval *tvp); ++ + #include "k5-thread.h" + extern k5_mutex_t krb5int_us_time_mutex; + +Index: src/lib/krb5/os/sendto_kdc.c +=================================================================== +--- src/lib/krb5/os/sendto_kdc.c.orig ++++ src/lib/krb5/os/sendto_kdc.c +@@ -32,17 +32,16 @@ + #include "fake-addrinfo.h" + #include "k5-int.h" + +-#ifdef HAVE_SYS_TIME_H +-#include +-#else +-#include +-#endif + #include "os-proto.h" + #ifdef _WIN32 + #include + #endif + +-#ifdef _AIX ++#if defined(HAVE_POLL_H) ++#include ++#define USE_POLL ++#define MAX_POLLFDS 1024 ++#elif defined(HAVE_SYS_SELECT_H) + #include + #endif + +@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, . 
+ p = strerror(err); + putstr(p); + break; +- case 'F': +- /* %F => fd_set *, fd_set *, fd_set *, int */ +- rfds = va_arg(args, fd_set *); +- wfds = va_arg(args, fd_set *); +- xfds = va_arg(args, fd_set *); +- maxfd = va_arg(args, int); +- +- for (i = 0; i < maxfd; i++) { +- int r = FD_ISSET(i, rfds); +- int w = wfds && FD_ISSET(i, wfds); +- int x = xfds && FD_ISSET(i, xfds); +- if (r || w || x) { +- putf(" %d", i); +- if (r) +- putstr("r"); +- if (w) +- putstr("w"); +- if (x) +- putstr("x"); +- } +- } +- putstr(" "); +- break; + case 's': + /* %s => char * */ + p = va_arg(args, const char *); +@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c + + #include "cm.h" + +-static int +-getcurtime (struct timeval *tvp) ++/* ++ * Currently only sendto_kdc.c knows how to use poll(); the other candidate ++ * user, lib/apputils/net-server.c, is stuck using select() for the moment ++ * since it is entangled with the RPC library. The following cm_* functions ++ * are not fully generic, are O(n^2) in the poll case, and are limited to ++ * handling 1024 connections (in order to maintain a constant-sized selstate). ++ * More rearchitecting would be appropriate before extending this support to ++ * the KDC and kadmind. ++ */ ++ ++static void ++cm_init_selstate(struct select_state *selstate) + { +-#ifdef _WIN32 +- struct _timeb tb; +- _ftime(&tb); +- tvp->tv_sec = tb.time; +- tvp->tv_usec = tb.millitm * 1000; +- /* Can _ftime fail? 
*/ +- return 0; ++ selstate->nfds = 0; ++ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0; ++#ifndef USE_POLL ++ selstate->max = 0; ++ selstate->nfds = 0; ++ FD_ZERO(&selstate->rfds); ++ FD_ZERO(&selstate->wfds); ++ FD_ZERO(&selstate->xfds); ++#endif ++} ++ ++static krb5_boolean ++cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags) ++{ ++#ifdef USE_POLL ++ if (selstate->nfds >= MAX_POLLFDS) ++ return FALSE; ++ selstate->fds[selstate->nfds].fd = fd; ++ selstate->fds[selstate->nfds].events = 0; ++ if (ssflags & SSF_READ) ++ selstate->fds[selstate->nfds].events |= POLLIN; ++ if (ssflags & SSF_WRITE) ++ selstate->fds[selstate->nfds].events |= POLLOUT; ++#else ++#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */ ++ if (fd >= FD_SETSIZE) ++ return FALSE; ++#endif ++ if (ssflags & SSF_READ) ++ FD_SET(fd, &selstate->rfds); ++ if (ssflags & SSF_WRITE) ++ FD_SET(fd, &selstate->wfds); ++ if (ssflags & SSF_EXCEPTION) ++ FD_SET(fd, &selstate->xfds); ++ if (selstate->max <= fd) ++ selstate->max = fd + 1; ++#endif ++ selstate->nfds++; ++ return TRUE; ++} ++ ++static void ++cm_remove_fd(struct select_state *selstate, int fd) ++{ ++#ifdef USE_POLL ++ int i; ++ ++ /* Find the FD in the array and move the last entry to its place. */ ++ assert(selstate->nfds > 0); ++ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); ++ assert(i < selstate->nfds); ++ selstate->fds[i] = selstate->fds[selstate->nfds - 1]; + #else +- if (gettimeofday(tvp, 0)) { +- dperror("gettimeofday"); +- return errno; ++ FD_CLR(fd, &selstate->rfds); ++ FD_CLR(fd, &selstate->wfds); ++ FD_CLR(fd, &selstate->xfds); ++ if (selstate->max == 1 + fd) { ++ while (selstate->max > 0 ++ && ! FD_ISSET(selstate->max-1, &selstate->rfds) ++ && ! FD_ISSET(selstate->max-1, &selstate->wfds) ++ && ! 
FD_ISSET(selstate->max-1, &selstate->xfds)) ++ selstate->max--; ++ dprint("new max_fd + 1 is %d\n", selstate->max); + } +- return 0; + #endif ++ selstate->nfds--; + } + +-/* +- * Call select and return results. +- * Input: interesting file descriptors and absolute timeout +- * Output: select return value (-1 or num fds ready) and fd_sets +- * Return: 0 (for i/o available or timeout) or error code. +- */ +-krb5_error_code +-krb5int_cm_call_select (const struct select_state *in, +- struct select_state *out, int *sret) ++static void ++cm_unset_write(struct select_state *selstate, int fd) + { +- struct timeval now, *timo; +- krb5_error_code e; ++#ifdef USE_POLL ++ int i; + +- *out = *in; +- e = getcurtime(&now); +- if (e) +- return e; +- if (out->end_time.tv_sec == 0) +- timo = 0; ++ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); ++ assert(i < selstate->nfds); ++ selstate->fds[i].events &= ~POLLOUT; ++#else ++ FD_CLR(fd, &selstate->wfds); ++#endif ++} ++ ++static krb5_error_code ++cm_select_or_poll(const struct select_state *in, struct select_state *out, ++ int *sret) ++{ ++#ifdef USE_POLL ++ struct timeval now; ++ int e, timeout; ++ ++ if (in->end_time.tv_sec == 0) ++ timeout = -1; + else { +- timo = &out->end_time; +- out->end_time.tv_sec -= now.tv_sec; +- out->end_time.tv_usec -= now.tv_usec; +- if (out->end_time.tv_usec < 0) { +- out->end_time.tv_usec += 1000000; +- out->end_time.tv_sec--; +- } +- if (out->end_time.tv_sec < 0) { +- *sret = 0; +- return 0; +- } ++ e = k5_getcurtime(&now); ++ if (e) ++ return e; ++ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 + ++ (in->end_time.tv_usec - now.tv_usec) / 1000; + } +- dprint("selecting on max=%d sockets [%F] timeout %t\n", +- out->max, +- &out->rfds, &out->wfds, &out->xfds, out->max, +- timo); +- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo); ++ /* We don't need a separate copy of the selstate for poll, but use one ++ * anyone for consistency with the select wrapper. 
*/ ++ *out = *in; ++ *sret = poll(out->fds, out->nfds, timeout); + e = SOCKET_ERRNO; ++ return (*sret < 0) ? e : 0; ++#else ++ /* Use the select wrapper from cm.c. */ ++ return krb5int_cm_call_select(in, out, sret); ++#endif ++} + +- dprint("select returns %d", *sret); +- if (*sret < 0) +- dprint(", error = %E\n", e); +- else if (*sret == 0) +- dprint(" (timeout)\n"); +- else +- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max); ++static unsigned int ++cm_get_ssflags(struct select_state *selstate, int fd) ++{ ++ unsigned int ssflags = 0; ++#ifdef USE_POLL ++ int i; + +- if (*sret < 0) +- return e; +- return 0; ++ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); ++ assert(i < selstate->nfds); ++ if (selstate->fds[i].revents & POLLIN) ++ ssflags |= SSF_READ; ++ if (selstate->fds[i].revents & POLLOUT) ++ ssflags |= SSF_WRITE; ++ if (selstate->fds[i].revents & POLLERR) ++ ssflags |= SSF_EXCEPTION; ++#else ++ if (FD_ISSET(fd, &selstate->rfds)) ++ ssflags |= SSF_READ; ++ if (FD_ISSET(fd, &selstate->wfds)) ++ ssflags |= SSF_WRITE; ++ if (FD_ISSET(fd, &selstate->xfds)) ++ ssflags |= SSF_EXCEPTION; ++#endif ++ return ssflags; + } + + static int service_tcp_fd(krb5_context context, struct conn_state *conn, +@@ -657,6 +712,7 @@ start_connection(krb5_context context, s + krb5_data *callback_buffer) + { + int fd, e; ++ unsigned int ssflags; + struct addrinfo *ai = state->addr; + + dprint("start_connection(@%p)\ngetting %s socket in family %d...", state, +@@ -667,14 +723,6 @@ start_connection(krb5_context context, s + dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); + return -1; /* try other hosts */ + } +-#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */ +- if (fd >= FD_SETSIZE) { +- closesocket(fd); +- state->err = EMFILE; +- dprint("socket: fd %d too high\n", fd); +- return -1; +- } +-#endif + set_cloexec_fd(fd); + /* Make it non-blocking. 
*/ + if (ai->ai_socktype == SOCK_STREAM) { +@@ -778,16 +826,15 @@ start_connection(krb5_context context, s + } + } + #endif +- FD_SET(state->fd, &selstate->rfds); ++ ssflags = SSF_READ | SSF_EXCEPTION; + if (state->state == CONNECTING || state->state == WRITING) +- FD_SET(state->fd, &selstate->wfds); +- FD_SET(state->fd, &selstate->xfds); +- if (selstate->max <= state->fd) +- selstate->max = state->fd + 1; +- selstate->nfds++; +- +- dprint("new select vectors: %F\n", +- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max); ++ ssflags |= SSF_WRITE; ++ if (!cm_add_fd(selstate, state->fd, ssflags)) { ++ (void) closesocket(state->fd); ++ state->fd = INVALID_SOCKET; ++ state->state = FAILED; ++ return -1; ++ } + + return 0; + } +@@ -849,22 +896,11 @@ static void + kill_conn(struct conn_state *conn, struct select_state *selstate, int err) + { + conn->state = FAILED; +- shutdown(conn->fd, SHUTDOWN_BOTH); +- FD_CLR(conn->fd, &selstate->rfds); +- FD_CLR(conn->fd, &selstate->wfds); +- FD_CLR(conn->fd, &selstate->xfds); + conn->err = err; ++ shutdown(conn->fd, SHUTDOWN_BOTH); ++ cm_remove_fd(selstate, conn->fd); + dprint("abandoning connection %d: %m\n", conn->fd, err); + /* Fix up max fd for next select call. */ +- if (selstate->max == 1 + conn->fd) { +- while (selstate->max > 0 +- && ! FD_ISSET(selstate->max-1, &selstate->rfds) +- && ! FD_ISSET(selstate->max-1, &selstate->wfds) +- && ! FD_ISSET(selstate->max-1, &selstate->xfds)) +- selstate->max--; +- dprint("new max_fd + 1 is %d\n", selstate->max); +- } +- selstate->nfds--; + } + + /* Check socket for error. */ +@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str + /* Done writing, switch to reading. 
*/ + /* Don't call shutdown at this point because + * some implementations cannot deal with half-closed connections.*/ +- FD_CLR(conn->fd, &selstate->wfds); ++ cm_unset_write(selstate, conn->fd); + /* Q: How do we detect failures to send the remaining data + to the remote side, since we're in non-blocking mode? + Will we always get errors on the reading side? */ +@@ -1100,7 +1136,8 @@ service_fds (krb5_context context, + while (selstate->nfds > 0) { + unsigned int i; + +- e = krb5int_cm_call_select(selstate, seltemp, &selret); ++ selret = 0; ++ e = cm_select_or_poll(selstate, seltemp, &selret); + if (e == EINTR) + continue; + if (e != 0) +@@ -1113,18 +1150,12 @@ service_fds (krb5_context context, + return 0; + + /* Got something on a socket, process it. */ +- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) { ++ for (i = 0; i < n_conns; i++) { + int ssflags; + + if (conns[i].fd == INVALID_SOCKET) + continue; +- ssflags = 0; +- if (FD_ISSET(conns[i].fd, &seltemp->rfds)) +- ssflags |= SSF_READ, selret--; +- if (FD_ISSET(conns[i].fd, &seltemp->wfds)) +- ssflags |= SSF_WRITE, selret--; +- if (FD_ISSET(conns[i].fd, &seltemp->xfds)) +- ssflags |= SSF_EXCEPTION, selret--; ++ ssflags = cm_get_ssflags(seltemp, conns[i].fd); + if (!ssflags) + continue; + +@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co + retval = ENOMEM; + goto egress; + } +- sel_state->max = 0; +- sel_state->nfds = 0; +- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0; +- FD_ZERO(&sel_state->rfds); +- FD_ZERO(&sel_state->wfds); +- FD_ZERO(&sel_state->xfds); ++ cm_init_selstate(sel_state); + + + /* Set up connections. */ +@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co + (callback_info ? 
&callback_data[host] : NULL))) + continue; + +- retval = getcurtime(&now); ++ retval = k5_getcurtime(&now); + if (retval) + goto egress; + sel_state->end_time = now; +@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co + } + if (e) + break; +- retval = getcurtime(&now); ++ retval = k5_getcurtime(&now); + if (retval) + goto egress; + /* Possible optimization: Find a way to integrate this select diff --git a/krb5-1.9.1.tar.bz2 b/krb5-1.9.1.tar.bz2 new file mode 100644 index 0000000..daa962e --- /dev/null +++ b/krb5-1.9.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc +size 10126613 diff --git a/krb5-doc-1.8.3-rpmlintrc b/krb5-doc-rpmlintrc similarity index 100% rename from krb5-doc-1.8.3-rpmlintrc rename to krb5-doc-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 042615c..9cc71db 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de + +- update to version 1.9.1 + ------------------------------------------------------------------- Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index b0b244d..3be88ad 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -20,15 +20,15 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8.3 +Version: 1.9.1 Release: 6 -%define srcRoot krb5-1.8.3 +%define srcRoot krb5-1.9.1 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.3.tar.bz2 -Source3: %{name}-%{version}-rpmlintrc +Source: krb5-%{version}.tar.bz2 +Source3: %{name}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build 
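Review bot: In the `USE_POLL` branch of `cm_select_or_poll`, a deadline that has already elapsed produces a negative `timeout`, and poll() treats a negative timeout as "wait indefinitely", whereas the select path this replaces (`krb5int_cm_call_select` in cm.c) returns `*sret = 0` for an elapsed deadline; clamp it with `if (timeout < 0) timeout = 0;` immediately after the millisecond computation so the timeout check in `service_fds` still fires. Without the clamp a server that stops responding after the deadline has passed can hold the client in poll() until some fd becomes ready, turning the configured per-request timeout into an unbounded wait. `cm_init_selstate` also assigns `selstate->nfds = 0` twice (once unconditionally and again under `#ifndef USE_POLL`); the second assignment can be dropped. The comment above the `*out = *in;` copy in `cm_select_or_poll` reads "use one anyone for consistency", presumably "anyway".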
diff --git a/krb5-klist_s.patch b/krb5-klist_s.patch new file mode 100644 index 0000000..628a495 --- /dev/null +++ b/krb5-klist_s.patch @@ -0,0 +1,29 @@ +Don't trip over referral entries. RT#6915 + +Index: krb5-1.9.1/src/clients/klist/klist.c +=================================================================== +--- krb5-1.9.1.orig/src/clients/klist/klist.c ++++ krb5-1.9.1/src/clients/klist/klist.c +@@ -28,7 +28,7 @@ + * List out the contents of your credential cache or keytab. + */ + +-#include "autoconf.h" ++#include "k5-int.h" + #include + #include + #include +@@ -390,10 +390,9 @@ void do_ccache(name) + continue; + if (status_only) { + if (exit_status && creds.server->length == 2 && +- strcmp(creds.server->realm.data, princ->realm.data) == 0 && +- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && +- strcmp((char *)creds.server->data[1].data, +- princ->realm.data) == 0 && ++ data_eq(creds.server->realm, princ->realm) && ++ data_eq_string(creds.server->data[0], "krbtgt") && ++ data_eq(creds.server->data[1], princ->realm) && + creds.times.endtime > now) + exit_status = 0; + } else { diff --git a/krb5-mini.changes b/krb5-mini.changes index 82252d7..b2d9a34 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
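Review bot: The switch from `autoconf.h` to `k5-int.h` pulls a library-private header into a client program solely to reach `data_eq`/`data_eq_string`, and the patch header ("Don't trip over referral entries") does not say why the `strcmp` comparisons in `do_ccache` had to go. A one-line comment above the new condition would save the next rebase, e.g. `/* Compare as krb5_data: cache entries (e.g. referrals) need not be NUL-terminated or non-empty, so strcmp() is unsafe here. */` — the referral detail is inferred from the header line and should be confirmed against the ticket before it is written down. If depending on the private header is undesirable for a client, the two length-plus-memcmp comparisons are small enough to inline locally.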
@@ -1,4 +1,23 @@ ------------------------------------------------------------------- +Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com + +- add patches from Fedora and upstream +- fix init scripts (bnc#689006) + +------------------------------------------------------------------- +Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com + +- update to version 1.9.1 + * obsolete patches: + MITKRB5-SA-2010-007-1.8.dif + krb5-1.8-MITKRB5-SA-2010-006.dif + krb5-1.8-MITKRB5-SA-2011-001.dif + krb5-1.8-MITKRB5-SA-2011-002.dif + krb5-1.8-MITKRB5-SA-2011-003.dif + krb5-1.8-MITKRB5-SA-2011-004.dif + krb5-1.4.3-enospc.dif + * replace krb5-1.6.1-compile_pie.dif +------------------------------------------------------------------- Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de - fix kadmind invalid pointer free() diff --git a/krb5-mini.spec b/krb5-mini.spec index 6784dc9..54f5ac2 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-mini +# spec file for package krb5 # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8.3 +%define srcRoot krb5-1.9.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,10 +27,12 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.3 -Release: 6 +BuildRequires: libselinux-devel +Version: 1.9.1 +Release: 19 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel +BuildRequires: pam-devel # bug437293 %ifarch ppc64 Obsoletes: krb5-64bit 
@@ -42,25 +44,33 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.3.tar.bz2 +Source: krb5-1.9.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf -Source5: krb5-%{version}-rpmlintrc -Source10: krb5-1.7-manpaths.txt -Patch1: krb5-1.6.1-compile_pie.dif -Patch2: krb5-1.6.3-kprop-use-mkstemp.dif -Patch3: krb5-1.7-manpaths.dif -Patch4: krb5-1.4.3-enospc.dif +Source5: krb5-rpmlintrc +Source10: krb5-1.8-manpaths.txt +Patch1: krb5-1.9-buildconf.patch +Patch3: krb5-1.9-manpaths.dif Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif Patch6: krb5-1.6.3-kpasswd_tcp.patch Patch7: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.6.3-fix-ipv6-query.dif -Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif -Patch13: MITKRB5-SA-2010-007-1.8.dif -Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif -Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif -Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif -Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif +Patch10: krb5-1.7-doublelog.patch +Patch11: krb5-1.7-nodeplibs.patch +Patch12: krb5-1.8-api.patch +Patch13: krb5-1.8-pam.patch +Patch14: krb5-1.9.1-ai_addrconfig.patch +Patch15: krb5-1.9.1-ai_addrconfig2.patch +Patch16: krb5-1.9.1-sendto_poll.patch +Patch17: krb5-1.9-canonicalize-fallback.patch +Patch18: krb5-1.9-kprop-mktemp.patch +Patch19: krb5-1.9-ksu-path.patch +Patch20: krb5-1.9-paren.patch +Patch21: krb5-1.9-selinux-label.patch +Patch22: krb5-klist_s.patch +Patch23: krb5-pkinit-cms2.patch +Patch24: krb5-trunk-chpw-err.patch +Patch25: krb5-trunk-gss_delete_sec.patch +Patch26: krb5-trunk-kadmin-oldproto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
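Review bot: `Source: krb5-1.9.1.tar.bz2` hard-codes the version in the same commit that switches krb5-doc.spec to `Source: krb5-%{version}.tar.bz2`; for consistency (and to make the next bump a single edit) this should be `Source: krb5-%{version}.tar.bz2`, and the `%define srcRoot krb5-1.9.1` in the earlier hunk of this file could likewise become `%define srcRoot krb5-%{version}`. The Patch list is otherwise a straightforward replacement of the 1.8-era security patches (dropped as the changes file notes) with 1.9.1-era ones, so the note applies only to the hard-coded strings.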
@@ -200,20 +210,28 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch1 -%patch2 +%patch13 -p1 %patch3 -p1 -%patch4 -p1 +%patch21 -p1 +%patch1 -p1 %patch5 -p1 %patch6 %patch7 -p1 -%patch8 -p1 +%patch10 -p1 +%patch11 -p1 %patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p0 -%patch16 -p1 +%patch14 +%patch15 +%patch16 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 +%patch25 -p1 +%patch26 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -242,6 +260,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --disable-rpath \ %if ! %{build_mini} --with-ldap \ + --with-pam \ + --enable-pkinit \ + --with-selinux \ %else --disable-pkinit \ %endif diff --git a/krb5-pkinit-cms2.patch b/krb5-pkinit-cms2.patch new file mode 100644 index 0000000..5f04da5 --- /dev/null +++ b/krb5-pkinit-cms2.patch 
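Review bot: The rewritten `%prep` applies patches out of numeric order (`%patch13 -p1`, `%patch3 -p1`, `%patch21 -p1`, `%patch1 -p1`, then the rest) without stating why; if the order is required because later patches touch hunks created by earlier ones (the pam, selinux-label and buildconf patches plausibly all edit the build configuration), a short comment such as `# patch13/patch21 must precede patch1: they modify the same build files` above the block would keep a future reorder from breaking the build. Also note that `%patch14`, `%patch15`, `%patch16` and `%patch24`/`%patch26` are applied without `-p1` while their neighbours use `-p1`; that is consistent with the `Index:`-style headers those patches carry, but a comment saying so would prevent someone "normalising" the strip level.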
@@ -0,0 +1,290 @@ +When verifying signed-data, use the OpenSSL CMS APIs if we're building with a +version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for +RT#6851. + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index bb8f036..6aedec4 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -41,6 +41,34 @@ + + #include "pkinit_crypto_openssl.h" + ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#include ++#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl)) ++#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509)) ++#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL) ++#else ++#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */ ++#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */ ++#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY ++#define CMS_NOATTR PKCS7_NOATTR ++#define CMS_ContentInfo PKCS7 ++#define CMS_SignerInfo PKCS7_SIGNER_INFO ++#define d2i_CMS_ContentInfo d2i_PKCS7 ++#define CMS_get0_type(_p7) ((_p7)->type) ++#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string)) ++#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint) ++#define CMS_get0_SignerInfos PKCS7_get_signer_info ++#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO ++#undef sk_CMS_SignerInfo_value ++#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value ++#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type) ++#define CMS_verify PKCS7_verify ++#define CMS_get1_crls(_p7) (_p7->d.sign->crl) ++#define CMS_get1_certs(_p7) (_p7->d.sign->cert) ++#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7) ++#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) ++#endif ++ + static struct pkcs11_errstrings { + short 
code; + char *text; +@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context, + int *is_signed) + { + krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; +- PKCS7 *p7 = NULL; ++ CMS_ContentInfo *cms = NULL; + BIO *out = NULL; +- int flags = PKCS7_NOVERIFY; ++ int flags = CMS_NO_SIGNER_CERT_VERIFY; + unsigned int i = 0; + unsigned int vflags = 0, size = 0; + const unsigned char *p = signed_data; +- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; +- PKCS7_SIGNER_INFO *si = NULL; ++ STACK_OF(CMS_SignerInfo) *si_sk = NULL; ++ CMS_SignerInfo *si = NULL; + X509 *x = NULL; + X509_STORE *store = NULL; + X509_STORE_CTX cert_ctx; ++ STACK_OF(X509) *signerCerts = NULL; + STACK_OF(X509) *intermediateCAs = NULL; ++ STACK_OF(X509_CRL) *signerRevoked = NULL; + STACK_OF(X509_CRL) *revoked = NULL; + STACK_OF(X509) *verified_chain = NULL; + ASN1_OBJECT *oid = NULL; ++ const ASN1_OBJECT *type = NULL, *etype = NULL; ++ ASN1_OCTET_STRING **octets; + krb5_external_principal_identifier **krb5_verified_chain = NULL; + krb5_data *authz = NULL; + char buf[DN_BUF_LEN]; +@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context, + if (oid == NULL) + goto cleanup; + +- /* decode received PKCS7 message */ +- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) { ++ /* decode received CMS message */ ++ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { + unsigned long err = ERR_peek_error(); + krb5_set_error_message(context, retval, "%s\n", + ERR_error_string(err, NULL)); +@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context, + } + + /* Handle the case in pkinit anonymous where we get unsigned data. 
*/ +- if (is_signed && !OBJ_cmp(p7->type, oid)) { ++ type = CMS_get0_type(cms); ++ if (is_signed && !OBJ_cmp(type, oid)) { + unsigned char *d; + *is_signed = 0; +- if (p7->d.other->type != V_ASN1_OCTET_STRING) { ++ octets = CMS_get0_content(cms); ++ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, + "Invalid pkinit packet: octet string " + "expected"); + goto cleanup; + } +- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string); ++ *data_len = ASN1_STRING_length(*octets); + d = malloc(*data_len); + if (d == NULL) { + retval = ENOMEM; + goto cleanup; + } +- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string), ++ memcpy(d, ASN1_STRING_data(*octets), + *data_len); + *data = d; + goto out; + } else { +- /* Verify that the received message is PKCS7 SignedData message. */ +- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) { +- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", +- OBJ_obj2nid(p7->type)); ++ /* Verify that the received message is CMS SignedData message. 
*/ ++ if (OBJ_obj2nid(type) != NID_pkcs7_signed) { ++ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n", ++ OBJ_obj2nid(type)); + krb5_set_error_message(context, retval, "wrong oid\n"); + goto cleanup; + } + } + +- /* setup to verify X509 certificate used to sign PKCS7 message */ ++ /* setup to verify X509 certificate used to sign CMS message */ + if (!(store = X509_STORE_new())) + goto cleanup; + +@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context, + X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls); + X509_STORE_set_flags(store, vflags); + +- /* get the signer's information from the PKCS7 message */ +- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL) ++ /* get the signer's information from the CMS message */ ++ CMS_set1_signers_certs(cms, NULL, 0); ++ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL) + goto cleanup; +- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL) ++ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL) + goto cleanup; +- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL) ++ pkinit_CMS_SignerInfo_get_cert(cms, si, &x); ++ if (x == NULL) + goto cleanup; + + /* create available CRL information (get local CRLs and include CRLs +- * received in the PKCS7 message ++ * received in the CMS message + */ ++ signerRevoked = CMS_get1_crls(cms); + if (idctx->revoked == NULL) +- revoked = p7->d.sign->crl; +- else if (p7->d.sign->crl == NULL) ++ revoked = signerRevoked; ++ else if (signerRevoked == NULL) + revoked = idctx->revoked; + else { + size = sk_X509_CRL_num(idctx->revoked); + revoked = sk_X509_CRL_new_null(); + for (i = 0; i < size; i++) + sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i)); +- size = sk_X509_CRL_num(p7->d.sign->crl); ++ size = sk_X509_CRL_num(signerRevoked); + for (i = 0; i < size; i++) +- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i)); ++ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i)); + } + + /* create available intermediate 
CAs chains (get local intermediateCAs and
+- * include the CA chain received in the PKCS7 message
++ * include the CA chain received in the CMS message
+ */
++ signerCerts = CMS_get1_certs(cms);
+ if (idctx->intermediateCAs == NULL)
+- intermediateCAs = p7->d.sign->cert;
+- else if (p7->d.sign->cert == NULL)
++ intermediateCAs = signerCerts;
++ else if (signerCerts == NULL)
+ intermediateCAs = idctx->intermediateCAs;
+ else {
+ size = sk_X509_num(idctx->intermediateCAs);
+@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
+ sk_X509_push(intermediateCAs,
+ sk_X509_value(idctx->intermediateCAs, i));
+ }
+- size = sk_X509_num(p7->d.sign->cert);
++ size = sk_X509_num(signerCerts);
+ for (i = 0; i < size; i++) {
+- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
++ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
+ }
+ }
+
+@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
+ krb5_set_error_message(context, retval, "%s\n",
+ X509_verify_cert_error_string(j));
+ #ifdef DEBUG_CERTCHAIN
+- size = sk_X509_num(p7->d.sign->cert);
++ size = sk_X509_num(signerCerts);
+ pkiDebug("received cert chain of size %d\n", size);
+ for (j = 0; j < size; j++) {
+- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
++ X509 *tmp_cert = sk_X509_value(signerCerts, j);
+ X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
+ pkiDebug("cert #%d: %s\n", j, buf);
+ }
+@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
+
+ out = BIO_new(BIO_s_mem());
+ if (cms_msg_type == CMS_SIGN_DRAFT9)
+- flags |= PKCS7_NOATTR;
+- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
++ flags |= CMS_NOATTR;
++ etype = CMS_get0_eContentType(cms);
++ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
+ int valid_oid = 0;
+
+- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
++ if (!OBJ_cmp(etype, oid))
+ valid_oid = 1;
+ else if (cms_msg_type == CMS_SIGN_DRAFT9) {
+ /*
+@@ -1364,18 +1403,18 @@
cms_signeddata_verify(krb5_context context,
+ client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
+ server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
+ rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
+- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
+- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
+- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
++ if (!OBJ_cmp(etype, client_oid) ||
++ !OBJ_cmp(etype, server_oid) ||
++ !OBJ_cmp(etype, rsa_oid))
+ valid_oid = 1;
+ }
+
+ if (valid_oid)
+- pkiDebug("PKCS7 Verification successful\n");
++ pkiDebug("CMS Verification successful\n");
+ else {
+ pkiDebug("wrong oid in eContentType\n");
+- print_buffer(p7->d.sign->contents->type->data,
+- (unsigned int)p7->d.sign->contents->type->length);
++ print_buffer(etype->data,
++ (unsigned int)etype->length);
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval, "wrong oid\n");
+ goto cleanup;
+@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
+ default:
+ retval = KRB5KDC_ERR_INVALID_SIG;
+ }
+- pkiDebug("PKCS7 Verification failure\n");
++ pkiDebug("CMS Verification failure\n");
+ krb5_set_error_message(context, retval, "%s\n",
+ ERR_error_string(err, NULL));
+ goto cleanup;
+ }
+
+- /* transfer the data from PKCS7 message into return buffer */
++ /* transfer the data from CMS message into return buffer */
+ for (size = 0;;) {
+ int remain;
+ retval = ENOMEM;
+@@ -1452,12 +1491,16 @@ cleanup:
+ BIO_free(out);
+ if (store != NULL)
+ X509_STORE_free(store);
+- if (p7 != NULL) {
+- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
++ if (cms != NULL) {
++ if (signerCerts != NULL)
++ pkinit_CMS_free1_certs(signerCerts);
++ if (idctx->intermediateCAs != NULL && signerCerts)
+ sk_X509_free(intermediateCAs);
+- if (idctx->revoked != NULL && p7->d.sign->crl)
++ if (signerRevoked != NULL)
++ pkinit_CMS_free1_crls(signerRevoked);
++ if (idctx->revoked != NULL && signerRevoked)
+
sk_X509_CRL_free(revoked);
+- PKCS7_free(p7);
++ CMS_ContentInfo_free(cms);
+ }
+ if (verified_chain != NULL)
+ sk_X509_pop_free(verified_chain, X509_free);
diff --git a/krb5-1.8.3-rpmlintrc b/krb5-rpmlintrc
similarity index 100%
rename from krb5-1.8.3-rpmlintrc
rename to krb5-rpmlintrc
diff --git a/krb5-trunk-chpw-err.patch b/krb5-trunk-chpw-err.patch
new file mode 100644
index 0000000..9deabe2
--- /dev/null
+++ b/krb5-trunk-chpw-err.patch
@@ -0,0 +1,24 @@
+Don't suppress the error code from an error message when the error message
+contains e-data. RT#6893
+Index: src/lib/krb5/krb/chpw.c
+===================================================================
+--- src/lib/krb5/krb/chpw.c (revision 24838)
++++ src/lib/krb5/krb/chpw.c (working copy)
+@@ -111,15 +111,11 @@
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+
+- if (krberror->e_data.data == NULL)
+- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+- else
+- ret = KRB5KRB_AP_ERR_MODIFIED;
++ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ krb5_free_error(context, krberror);
+ return(ret);
+- } else {
+- return(KRB5KRB_AP_ERR_MODIFIED);
+ }
++ return(KRB5KRB_AP_ERR_MODIFIED);
+ }
+
+
diff --git a/krb5-trunk-gss_delete_sec.patch b/krb5-trunk-gss_delete_sec.patch
new file mode 100644
index 0000000..efce4cf
--- /dev/null
+++ b/krb5-trunk-gss_delete_sec.patch
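Review bot: The new unconditional `ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;` maps a value taken straight from the network (it is decoded by `krb5_rd_error()` on the first context line) into the krb5 error table without any range check, so a malicious or buggy kpasswd server can pick any `error` it likes and steer the client's return value to an unrelated error number, or even to 0, which the caller would presumably treat as a successful password change; the removed `e_data` branch at least forced such replies to KRB5KRB_AP_ERR_MODIFIED. The declared type of `krberror->error` is not visible here, but nothing in the hunk bounds it, and a large value also makes the addition overflow a signed `krb5_error_code`. I would validate before mapping: `if (krberror->error > KRB_ERR_MAX) ret = KRB5KRB_AP_ERR_MODIFIED; else ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;`, with KRB_ERR_MAX the highest protocol error code krb5.h defines. The enclosing function begins outside the hunk, so I cannot see whether a caller already checks this.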
@@ -0,0 +1,27 @@
+Author: ghudson
+Date: Mon May 9 17:28:07 2011 +0000
+
+ ticket: 6908
+ subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
+ target_version: 1.9.2
+ tags: pullup
+
+ Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
+ union context to krb5_gss_delete_sec_context(), causing a crash as the
+ krb5 routine attempts to interpret a union context structure as a krb5
+ GSS context. Call the mechglue gss_delete_sec_context instead.
+
+
+ svn://anonsvn.mit.edu:/krb5/trunk@24917
+
+--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
++++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
+@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+ /* Clean up the context state (it is an error for
+ * someone to attempt to use this context again)
+ */
+- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
++ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ generic_gss_release_buffer_set(&minor, &data_set);
diff --git a/krb5-trunk-kadmin-oldproto.patch b/krb5-trunk-kadmin-oldproto.patch
new file mode 100644
index 0000000..0f613c9
--- /dev/null
+++ b/krb5-trunk-kadmin-oldproto.patch
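Review bot: The replacement call still passes the caller's `minor_status` into `gss_delete_sec_context()`, so whatever minor code the export itself left for the caller is overwritten by a cleanup step whose major status is then thrown away by the `(void)` cast — a failure in the delete is reported to nobody, yet its minor code is what the caller sees. The hunk already uses a scratch `minor` for `generic_gss_release_buffer_set(&minor, &data_set)` two lines below; I would treat the delete the same way: `(void)gss_delete_sec_context(&minor, context_handle, NULL);`. Switching to the mechglue routine is the right fix for the union-context crash and is unaffected by this. gss_krb5_export_lucid_sec_context() starts and ends outside the hunk, so whether `minor_status` holds anything meaningful at this point, and whether `minor` has the same OM_uint32 type, cannot be confirmed from here.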
@@ -0,0 +1,39 @@
+------------------------------------------------------------------------
+r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
+
+ticket: 6920
+subject: Fix old-style GSSRPC authentication
+target_version: 1.9.2
+tags: pullup
+
+r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
+the kadmin socket, even when it's IPv4. This made old-style GSSAPI
+authentication fail because it uses the wrong channel bindings. Fix
+this problem by making clnttcp_create() get the remote address from
+the socket using getpeername() if the caller doesn't provide it and
+it's an IPv4 address.
+------------------------------------------------------------------------
+Index: src/lib/rpc/clnt_tcp.c
+===================================================================
+--- src/lib/rpc/clnt_tcp.c (revision 24966)
++++ src/lib/rpc/clnt_tcp.c (revision 24967)
+@@ -187,9 +187,16 @@
+ ct->ct_sock = *sockp;
+ ct->ct_wait.tv_usec = 0;
+ ct->ct_waitset = FALSE;
+- if (raddr == NULL)
+- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+- else
++ if (raddr == NULL) {
++ /* Get the remote address from the socket, if it's IPv4. */
++ struct sockaddr_in sin;
++ socklen_t len = sizeof(sin);
++ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
++ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
++ ct->ct_addr = sin;
++ else
++ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ } else
+ ct->ct_addr = *raddr;
+
+ /*
diff --git a/krb5.changes b/krb5.changes
index 82252d7..b2d9a34 100644
--- a/krb5.changes
+++ b/krb5.changes
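Review bot: The `else` branch of the new block silently zeroes `ct->ct_addr` when `getpeername()` fails or the peer is not AF_INET, and according to the commit message that address is what the old-style GSSAPI authentication derives its channel bindings from — so on an IPv6 kadmin connection the authentication will still fail later with a bindings mismatch, and nothing here records why. That edge is worth stating where the decision is made; I would extend the added comment to `/* Get the remote address from the socket, if it's IPv4.  Otherwise leave ct_addr zeroed; old-style (channel-binding) GSSRPC auth will not succeed on such a connection. */`. The `len == sizeof(sin)` test is stricter than the `sin_family == AF_INET` check already needs, which is harmless but could confuse a reader into thinking a larger sockaddr is expected. clnttcp_create() begins and ends outside the hunk.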
@@ -1,4 +1,23 @@ ------------------------------------------------------------------- +Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com + +- add patches from Fedora and upstream +- fix init scripts (bnc#689006) + +------------------------------------------------------------------- +Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com + +- update to version 1.9.1 + * obsolete patches: + MITKRB5-SA-2010-007-1.8.dif + krb5-1.8-MITKRB5-SA-2010-006.dif + krb5-1.8-MITKRB5-SA-2011-001.dif + krb5-1.8-MITKRB5-SA-2011-002.dif + krb5-1.8-MITKRB5-SA-2011-003.dif + krb5-1.8-MITKRB5-SA-2011-004.dif + krb5-1.4.3-enospc.dif + * replace krb5-1.6.1-compile_pie.dif +------------------------------------------------------------------- Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de - fix kadmind invalid pointer free() diff --git a/krb5.spec b/krb5.spec index 83ddc38..af23bce 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8.3 +%define srcRoot krb5-1.9.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,10 +27,12 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.3 +BuildRequires: libselinux-devel +Version: 1.9.1 Release: 19 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel +BuildRequires: pam-devel # bug437293 %ifarch ppc64 Obsoletes: krb5-64bit 
@@ -42,25 +44,33 @@ Group: Productivity/Networking/Security
 Summary: MIT Kerberos5 Implementation--Libraries
 Group: Productivity/Networking/Security
 %endif
-Source: krb5-1.8.3.tar.bz2
+Source: krb5-1.9.1.tar.bz2
 Source1: vendor-files.tar.bz2
 Source2: baselibs.conf
-Source5: krb5-%{version}-rpmlintrc
-Source10: krb5-1.7-manpaths.txt
-Patch1: krb5-1.6.1-compile_pie.dif
-Patch2: krb5-1.6.3-kprop-use-mkstemp.dif
-Patch3: krb5-1.7-manpaths.dif
-Patch4: krb5-1.4.3-enospc.dif
+Source5: krb5-rpmlintrc
+Source10: krb5-1.8-manpaths.txt
+Patch1: krb5-1.9-buildconf.patch
+Patch3: krb5-1.9-manpaths.dif
 Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6: krb5-1.6.3-kpasswd_tcp.patch
 Patch7: krb5-1.6.3-ktutil-manpage.dif
-Patch8: krb5-1.6.3-fix-ipv6-query.dif
-Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif
-Patch13: MITKRB5-SA-2010-007-1.8.dif
-Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif
-Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif
-Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif
-Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif
+Patch10: krb5-1.7-doublelog.patch
+Patch11: krb5-1.7-nodeplibs.patch
+Patch12: krb5-1.8-api.patch
+Patch13: krb5-1.8-pam.patch
+Patch14: krb5-1.9.1-ai_addrconfig.patch
+Patch15: krb5-1.9.1-ai_addrconfig2.patch
+Patch16: krb5-1.9.1-sendto_poll.patch
+Patch17: krb5-1.9-canonicalize-fallback.patch
+Patch18: krb5-1.9-kprop-mktemp.patch
+Patch19: krb5-1.9-ksu-path.patch
+Patch20: krb5-1.9-paren.patch
+Patch21: krb5-1.9-selinux-label.patch
+Patch22: krb5-klist_s.patch
+Patch23: krb5-pkinit-cms2.patch
+Patch24: krb5-trunk-chpw-err.patch
+Patch25: krb5-trunk-gss_delete_sec.patch
+Patch26: krb5-trunk-kadmin-oldproto.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
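Review bot: Two distribution patches vanish from the list without being accounted for: `Patch2: krb5-1.6.3-kprop-use-mkstemp.dif` and `Patch8: krb5-1.6.3-fix-ipv6-query.dif`, while the krb5.changes entry in this same commit names only the SA-* patches, enospc and compile_pie as obsolete. The kprop one is presumably superseded by the Fedora `Patch18: krb5-1.9-kprop-mktemp.patch` added here, but nothing in the diff says whether the IPv6 query fix is contained in upstream 1.9.1 or has simply been dropped, and for a package whose security fixes are tracked by patch name that has to be recorded. I would add `krb5-1.6.3-kprop-use-mkstemp.dif (replaced by krb5-1.9-kprop-mktemp.patch)` and `krb5-1.6.3-fix-ipv6-query.dif (fixed upstream)` to the obsolete-patches list once the latter is confirmed against the 1.9.1 sources.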
@@ -200,20 +210,28 @@ Authors:
 %prep
 %setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
-%patch1
-%patch2
+%patch13 -p1
 %patch3 -p1
-%patch4 -p1
+%patch21 -p1
+%patch1 -p1
 %patch5 -p1
 %patch6
 %patch7 -p1
-%patch8 -p1
+%patch10 -p1
+%patch11 -p1
 %patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p0
-%patch16 -p1
+%patch14
+%patch15
+%patch16
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24
+%patch25 -p1
+%patch26
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
@@ -242,6 +260,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
 --disable-rpath \
 %if ! %{build_mini}
 --with-ldap \
+ --with-pam \
+ --enable-pkinit \
+ --with-selinux \
 %else
 --disable-pkinit \
 %endif
diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2
index db83bea..a1ab2df 100644
--- a/vendor-files.tar.bz2
+++ b/vendor-files.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7d61e2ba73a57830342b6bb32c7c0ee3c0bd84cf2ae865c86d7f28dd0edc62c5
-size 182064
+oid sha256:f3ddbe33faa51dc418985ce06509394c23144a7eb3ddaae495f70a28203ad31a
+size 182094
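Review bot: `--with-pam` and `--with-selinux` in the configure hunk are, as far as I can tell, not options of the stock krb5 1.9 configure script; they appear to come from `Patch13: krb5-1.8-pam.patch` and `Patch21: krb5-1.9-selinux-label.patch` applied in the %prep hunk above. Autoconf-generated configure scripts only warn about unrecognised `--with-*`/`--enable-*` options and carry on, so if either patch is dropped or fails to rebase, the build quietly produces a ksu/login without PAM and daemons without SELinux labelling — a hardening regression that a security package should fail loudly on rather than hide. I would make unknown options fatal by adding `--enable-option-checking=fatal \` next to `--disable-rpath \`, provided the shipped configure is generated by an autoconf recent enough (2.63 or later) to honour it. The configure invocation begins outside the hunk.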