SHA256
1
0
forked from pool/krb5

- update to version 1.10.2

obsolte patches:
  * krb5-1.7-nodeplibs.patch
  * krb5-1.9.1-ai_addrconfig.patch
  * krb5-1.9.1-ai_addrconfig2.patch
  * krb5-1.9.1-sendto_poll.patch
  * krb5-1.9-canonicalize-fallback.patch
  * krb5-1.9-paren.patch
  * krb5-klist_s.patch
  * krb5-pkinit-cms2.patch
  * krb5-trunk-chpw-err.patch
  * krb5-trunk-gss_delete_sec.patch
  * krb5-trunk-kadmin-oldproto.patch
  * krb5-1.9-MITKRB5-SA-2011-006.dif
  * krb5-1.9-gss_display_status-iakerb.patch
  * krb5-1.9.1-sendto_poll2.patch
  * krb5-1.9.1-sendto_poll3.patch
  * krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
  Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege.  [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=65
This commit is contained in:
Michael Calmer 2012-06-06 14:55:51 +00:00 committed by Git OBS Bridge
parent 7d8fd8176d
commit 84f939323f
35 changed files with 564 additions and 1849 deletions

60
krb5-1.10-buildconf.patch Normal file
View File

@ -0,0 +1,60 @@
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Index: krb5-1.10.2/src/config/shlib.conf
===================================================================
--- krb5-1.10.2.orig/src/config/shlib.conf
+++ krb5-1.10.2/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
Index: krb5-1.10.2/src/krb5-config.in
===================================================================
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: krb5-1.10.2/src/config/pre.in
===================================================================
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@

12
krb5-1.10-gcc47.patch Normal file
View File

@ -0,0 +1,12 @@
This file also triggers the maybe-uninitialized warning/error. RT#7080
--- src/lib/krb5/krb/x-deltat.y
+++ src/lib/krb5/krb/x-deltat.y
@@ -44,6 +44,7 @@
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wuninitialized"
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
#endif
#include <ctype.h>

View File

@ -1,14 +1,14 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: src/lib/krb5/os/changepw.c
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -282,10 +282,22 @@ change_set_password(krb5_context context
NULL
))) {
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
@ -16,14 +16,14 @@ Index: src/lib/krb5/os/changepw.c
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;

View File

@ -31,11 +31,11 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Index: krb5-1.9.1/src/aclocal.m4
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@ -43,7 +43,7 @@ Index: krb5-1.9.1/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir)
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
@ -95,11 +95,11 @@ Index: krb5-1.9.1/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.9.1/src/config/pre.in
Index: krb5-1.10.2/src/config/pre.in
===================================================================
--- krb5-1.9.1.orig/src/config/pre.in
+++ krb5-1.9.1/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
@ -107,7 +107,7 @@ Index: krb5-1.9.1/src/config/pre.in
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -116,11 +116,11 @@ Index: krb5-1.9.1/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
Index: krb5-1.9.1/src/configure.in
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1127,6 +1127,8 @@ fi
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
@ -129,10 +129,10 @@ Index: krb5-1.9.1/src/configure.in
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MANPAGE([
Index: krb5-1.9.1/src/include/k5-int.h
Index: krb5-1.10.2/src/include/k5-int.h
===================================================================
--- krb5-1.9.1.orig/src/include/k5-int.h
+++ krb5-1.9.1/src/include/k5-int.h
--- krb5-1.10.2.orig/src/include/k5-int.h
+++ krb5-1.10.2/src/include/k5-int.h
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
@ -141,10 +141,10 @@ Index: krb5-1.9.1/src/include/k5-int.h
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
Index: krb5-1.9.1/src/include/k5-label.h
Index: krb5-1.10.2/src/include/k5-label.h
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/include/k5-label.h
+++ krb5-1.10.2/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -178,11 +178,11 @@ Index: krb5-1.9.1/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.9.1/src/include/krb5/krb5.hin
Index: krb5-1.10.2/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.9.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.9.1/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
+++ krb5-1.10.2/src/include/krb5/krb5.hin
@@ -83,6 +83,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -195,11 +195,20 @@ Index: krb5-1.9.1/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.9.1/src/kadmin/dbutil/dump.c
@@ -1257,7 +1257,7 @@ dump_db(argc, argv)
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
exit_status++;
return;
}
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
file_ok);
exit_status++;
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
@ -208,10 +217,10 @@ Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
Index: krb5-1.9.1/src/krb5-config.in
Index: krb5-1.10.2/src/krb5-config.in
===================================================================
--- krb5-1.9.1.orig/src/krb5-config.in
+++ krb5-1.9.1/src/krb5-config.in
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
@ -220,20 +229,20 @@ Index: krb5-1.9.1/src/krb5-config.in
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -214,7 +215,7 @@ if test -n "$do_libs"; then
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
Index: krb5-1.9.1/src/lib/kadm5/logger.c
Index: krb5-1.10.2/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.9.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.9.1/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
+++ krb5-1.10.2/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
@ -242,7 +251,7 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@ -251,11 +260,11 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
@ -264,7 +273,7 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context
@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
@ -273,11 +282,11 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
@ -286,43 +295,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context)
* should be opened read/write so that write locking can work with
* POSIX systems
*/
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
retval = errno;
goto err_out;
}
@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db
if (!okname)
retval = ENOMEM;
else {
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
if (fd < 0)
retval = errno;
else
@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch
retval = ENOMEM;
goto errout;
}
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
if (db_ctx->db_lf_file < 0) {
retval = errno;
goto errout;
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
@ -340,10 +316,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
goto err;
} else {
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
@ -361,31 +337,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo,
int rfd, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
@ -396,11 +351,11 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
@ -409,7 +364,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
@ -418,7 +373,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc,
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
@ -427,7 +382,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc,
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
/* TODO: file lock for the service password file */
/* set password in the file */
@ -436,7 +391,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc,
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
}
omask = umask(077);
@ -445,16 +400,16 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2019,7 +2019,7 @@ done:
@@ -2016,7 +2016,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -2069,7 +2069,7 @@ done:
@@ -2068,7 +2068,7 @@ done:
}
omask = umask(077);
@ -462,12 +417,12 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
Index: krb5-1.9.1/src/slave/kpropd.c
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.10.2/src/slave/kpropd.c
===================================================================
--- krb5-1.9.1.orig/src/slave/kpropd.c
+++ krb5-1.9.1/src/slave/kpropd.c
@@ -338,7 +338,7 @@ retry:
--- krb5-1.10.2.orig/src/slave/kpropd.c
+++ krb5-1.10.2/src/slave/kpropd.c
@@ -336,7 +336,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
@ -476,10 +431,36 @@ Index: krb5-1.9.1/src/slave/kpropd.c
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
Index: krb5-1.9.1/src/util/profile/prof_file.c
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (kpropd_context->kdblog_context &&
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
(void) umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
Index: krb5-1.10.2/src/util/profile/prof_file.c
===================================================================
--- krb5-1.9.1.orig/src/util/profile/prof_file.c
+++ krb5-1.9.1/src/util/profile/prof_file.c
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
+++ krb5-1.10.2/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
@ -488,7 +469,7 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
@ -497,11 +478,11 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.9.1/src/util/support/Makefile.in
Index: krb5-1.10.2/src/util/support/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/util/support/Makefile.in
+++ krb5-1.9.1/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
--- krb5-1.10.2.orig/src/util/support/Makefile.in
+++ krb5-1.10.2/src/util/support/Makefile.in
@@ -64,6 +64,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -509,7 +490,7 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
init-addrinfo.o \
plugins.o \
errors.o \
@@ -108,7 +109,7 @@ SRCS=\
@@ -127,7 +128,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -518,11 +499,11 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
Index: krb5-1.9.1/src/util/support/selinux.c
Index: krb5-1.10.2/src/util/support/selinux.c
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/util/support/selinux.c
@@ -0,0 +1,362 @@
+++ krb5-1.10.2/src/util/support/selinux.c
@@ -0,0 +1,372 @@
+/*
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
+ *
@ -746,16 +727,26 @@ Index: krb5-1.9.1/src/util/support/selinux.c
+krb5int_push_fscreatecon_for(const char *pathname)
+{
+ struct stat st;
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ void *retval;
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+ } else {
+ return NULL;
+ }
+ return push_fscreatecon(pathname, st.st_mode);
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
+ pop_fscreatecon(con);
+ if (con != NULL) {
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
+ k5_mutex_unlock(&labeled_mutex);
+ }
+}
+
+FILE *
@ -885,11 +876,11 @@ Index: krb5-1.9.1/src/util/support/selinux.c
+}
+
+#endif
Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
@ -899,7 +890,7 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
@ -917,3 +908,92 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.10.2/src/kdc/main.c
===================================================================
--- krb5-1.10.2.orig/src/kdc/main.c
+++ krb5-1.10.2/src/kdc/main.c
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
return (errno);
}
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
return (errno);
}
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
@@ -66,6 +66,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h

3
krb5-1.10.2.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
size 9457236

View File

@ -1,8 +1,8 @@
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:

View File

@ -1,18 +1,16 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: krb5-1.9.1/src/include/Makefile.in
Index: krb5-1.10.2/src/include/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/include/Makefile.in
+++ krb5-1.9.1/src/include/Makefile.in
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
--- krb5-1.10.2.orig/src/include/Makefile.in
+++ krb5-1.10.2/src/include/Makefile.in
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
OSCONFSRC = $(srcdir)/osconf.hin

View File

@ -1,21 +0,0 @@
Omit extra libraries because their interfaces aren't exposed to applications
by libkrb5, unless do_deps is set to 1, which indicates that the caller
wants the whole list.
Index: krb5-1.9.1/src/krb5-config.in
===================================================================
--- krb5-1.9.1.orig/src/krb5-config.in
+++ krb5-1.9.1/src/krb5-config.in
@@ -221,7 +221,11 @@ if test -n "$do_libs"; then
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ if test 0$do_deps -eq 1 ; then
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ else
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
+ fi
fi
echo $lib_flags

View File

@ -2,10 +2,11 @@ Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
@ -18,7 +19,7 @@ diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/pr
if (realm1->length != realm2->length)
return FALSE;
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;

View File

@ -1,6 +1,7 @@
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/kerberos.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M

View File

@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
Index: krb5-1.9.1/src/aclocal.m4
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@ -86,10 +86,10 @@ Index: krb5-1.9.1/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
Index: krb5-1.9.1/src/clients/ksu/main.c
Index: krb5-1.10.2/src/clients/ksu/main.c
===================================================================
--- krb5-1.9.1.orig/src/clients/ksu/main.c
+++ krb5-1.9.1/src/clients/ksu/main.c
--- krb5-1.10.2.orig/src/clients/ksu/main.c
+++ krb5-1.10.2/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -117,7 +117,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
/***********/
#define _DEF_CSH "/bin/csh"
@@ -586,6 +592,25 @@ main (argc, argv)
@@ -584,6 +590,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -142,8 +142,8 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
+
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
@@ -651,6 +676,26 @@ main (argc, argv)
com_err(prog_name, errno, _("while switching to target for "
@@ -648,6 +673,26 @@ main (argc, argv)
sweep_up(ksu_context, cc_target);
exit(1);
}
@ -170,7 +170,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
}
if( some_rest_copy){
@@ -720,6 +765,32 @@ main (argc, argv)
@@ -717,6 +762,32 @@ main (argc, argv)
exit(1);
}
@ -203,18 +203,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -792,7 +863,7 @@ main (argc, argv)
@@ -789,7 +860,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -823,15 +894,34 @@ main (argc, argv)
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -819,16 +890,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
com_err(prog_name, errno, _("while calling waitpid"));
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
@ -222,7 +222,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
com_err(prog_name, errno, _("while trying to fork."));
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
@ -241,17 +241,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
com_err(prog_name, errno, _("while trying to execv %s"),
params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
Index: krb5-1.9.1/src/clients/ksu/Makefile.in
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/clients/ksu/Makefile.in
+++ krb5-1.9.1/src/clients/ksu/Makefile.in
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
@ -286,10 +287,10 @@ Index: krb5-1.9.1/src/clients/ksu/Makefile.in
clean::
$(RM) ksu
Index: krb5-1.9.1/src/clients/ksu/pam.c
Index: krb5-1.10.2/src/clients/ksu/pam.c
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/clients/ksu/pam.c
+++ krb5-1.10.2/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -680,10 +681,10 @@ Index: krb5-1.9.1/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
Index: krb5-1.9.1/src/clients/ksu/pam.h
Index: krb5-1.10.2/src/clients/ksu/pam.h
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/clients/ksu/pam.h
+++ krb5-1.10.2/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -742,13 +743,13 @@ Index: krb5-1.9.1/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
Index: krb5-1.9.1/src/configure.in
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
fi
AC_SUBST(localedir)
+KRB5_WITH_PAM
+

View File

@ -1,75 +0,0 @@
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
index b473611..50c60b7 100644
--- a/src/plugins/kdb/db2/lockout.c
+++ b/src/plugins/kdb/db2/lockout.c
@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
return 0;
}
+ if (entry == NULL)
+ return 0;
+
if (!db_ctx->disable_lockout) {
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval, &lockout_duration);
@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
return code;
}
+ /*
+ * Don't continue to modify the DB for an already locked account.
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+ * this check is unneeded, but in rare cases, we can fail with an
+ * integrity error or preauth failure before a policy check.)
+ */
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+ return 0;
+
/* Only mark the authentication as successful if the entry
* required preauthentication, otherwise we have no idea. */
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 552e39a..c2f44ab 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
+ st = KRB5_KDB_NOENTRY;
krb5_set_error_message (context, st, "Principal does not belong to realm");
goto cleanup;
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
index a218dc7..fd164dd 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
return 0;
}
+ if (entry == NULL)
+ return 0;
+
if (!ldap_context->disable_lockout) {
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval,
@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
return code;
}
- entry->mask = 0;
+ /*
+ * Don't continue to modify the DB for an already locked account.
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+ * this check is unneeded, but in rare cases, we can fail with an
+ * integrity error or preauth failure before a policy check.)
+ */
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+ return 0;
- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
+ entry->mask = 0;
/* Only mark the authentication as successful if the entry
* required preauthentication, otherwise we have no idea. */

View File

@ -1,42 +0,0 @@
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
--- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')

View File

@ -1,38 +0,0 @@
Build binaries in this package as RELRO PIEs and install shared libraries with
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
where they might leak out and affect apps which just want to link with the
libraries. FIXME: needs to check and not just assume that the compiler supports
using these flags.
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+ -e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5

View File

@ -1,61 +0,0 @@
From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context,
/***** STATE_REFERRALS *****/
-/*
- * Possibly retry a request in the fallback realm after a referral request
- * failure in the local realm. Expects ctx->reply_code to be set to the error
- * from a referral request.
- */
+/* Possibly try a non-referral request after a referral request failure.
+ * Expects ctx->reply_code to be set to the error from a referral request. */
static krb5_error_code
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
char **hrealms;
@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context,
if (ctx->referral_count > 1)
return ctx->reply_code;
- /* Only fall back if the original request used the referral realm. */
+ /* If the request used a specified realm, make a non-referral request to
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
if (!krb5_is_referral_realm(&ctx->req_server->realm))
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context,
if (code != 0)
return code;
- /* Give up if the fallback realm isn't any different. */
+ /* If the fallback realm isn't any different, use the existing TGT. */
if (data_eq_string(ctx->server->realm, hrealms[0])) {
krb5_free_host_realm(context, hrealms);
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
}
/* Rewrite server->realm to be the fallback realm. */
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb
krb5_error_code code;
const krb5_data *referral_realm;
- /* Possibly retry with the fallback realm on error. */
+ /* Possibly try a non-referral fallback request on error. */
if (ctx->reply_code != 0)
- return try_fallback_realm(context, ctx);
+ return try_fallback(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {

View File

@ -1,14 +0,0 @@
Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
===================================================================
--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c
+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st
if ((mech_type != GSS_C_NULL_OID) &&
!g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
+ !g_OID_equal(gss_mech_iakerb, mech_type)) {
*minor_status = 0;
return(GSS_S_BAD_MECH);
}

View File

@ -1,10 +1,10 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.9.1/src/slave/kprop.c
Index: krb5-1.10.2/src/slave/kprop.c
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.c
+++ krb5-1.9.1/src/slave/kprop.c
@@ -188,9 +188,8 @@ void PRS(argc, argv)
--- krb5-1.10.2.orig/src/slave/kprop.c
+++ krb5-1.10.2/src/slave/kprop.c
@@ -186,9 +186,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
@ -27,4 +27,4 @@ Index: krb5-1.9.1/src/slave/kprop.c
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",
com_err(progname, retval, _("while opening credential cache %s"), buf);

View File

@ -3,11 +3,11 @@ values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.9.1/src/aclocal.m4
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS)
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -32,10 +32,32 @@ Index: krb5-1.9.1/src/aclocal.m4
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/kerberos.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/profile/testmod util/send-pr
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
@ -45,10 +67,10 @@ Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.9.1/src/config-files/kdc.conf.M
Index: krb5-1.10.2/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.9.1.orig/src/config-files/kdc.conf.M
+++ krb5-1.9.1/src/config-files/kdc.conf.M
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
+++ krb5-1.10.2/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This
.B string
specifies the location of the access control list (acl) file that
@ -75,44 +97,36 @@ Index: krb5-1.9.1/src/config-files/kdc.conf.M
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.9.1/src/config-files/krb5.conf.M
Index: krb5-1.10.2/src/config-files/krb5.conf.M
===================================================================
--- krb5-1.9.1.orig/src/config-files/krb5.conf.M
+++ krb5-1.9.1/src/config-files/krb5.conf.M
@@ -768,6 +768,6 @@ with another database such as Active Dir
in for this interface.
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
+++ krb5-1.10.2/src/config-files/krb5.conf.M
@@ -808,6 +808,6 @@ This module implements the encrypted cha
This module implements the encrypted timestamp mechanism.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.9.1/src/configure.in
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1128,6 +1128,16 @@ fi
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
+@manlocalstatedir@/krb5kdc/kdc.conf.
.TP
.B KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.9.1/src/kadmin/cli/kadmin.M
@@ -880,9 +880,9 @@ option is specified, less verbose status
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
@@ -924,9 +924,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
@ -124,19 +138,10 @@ Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
kadmin:
.RE
.fi
@@ -924,7 +924,7 @@ passwords.
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: krb5-1.9.1/src/slave/kpropd.M
Index: krb5-1.10.2/src/slave/kpropd.M
===================================================================
--- krb5-1.9.1.orig/src/slave/kpropd.M
+++ krb5-1.9.1/src/slave/kpropd.M
--- krb5-1.10.2.orig/src/slave/kpropd.M
+++ krb5-1.10.2/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
@ -179,10 +184,10 @@ Index: krb5-1.9.1/src/slave/kpropd.M
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
Index: krb5-1.9.1/src/slave/kprop.M
Index: krb5-1.10.2/src/slave/kprop.M
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.M
+++ krb5-1.9.1/src/slave/kprop.M
--- krb5-1.10.2.orig/src/slave/kprop.M
+++ krb5-1.10.2/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created

View File

@ -1,13 +0,0 @@
Upstream commit #24477.
diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c
--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400
+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn
btime = (unsigned int)(2<<(*cnt));
if (btime > MAX_BACKOFF) {
btime = MAX_BACKOFF;
- *cnt--;
+ (*cnt)--;
}
return (btime);

View File

@ -1,30 +0,0 @@
From RT#6922. When we're converting a host/service pair into a principal
name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try
to avoid libc having doing a PTR lookup because we also specify
AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c
===================================================================
--- src/lib/krb5/os/sn2princ.c.orig
+++ src/lib/krb5/os/sn2princ.c
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);

View File

@ -1,122 +0,0 @@
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
specify hints to getaddrinfo() to get the address of a server.
Index: src/plugins/locate/python/py-locate.c
===================================================================
--- src/plugins/locate/python/py-locate.c.orig
+++ src/plugins/locate/python/py-locate.c
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
return -1;
}
aihints.ai_socktype = thissocktype;
+ aihints.ai_flags = AI_ADDRCONFIG;
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
if (x != 0)
continue;
Index: src/appl/sample/sclient/sclient.c
===================================================================
--- src/appl/sample/sclient/sclient.c.orig
+++ src/appl/sample/sclient/sclient.c
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
+ aihints.ai_flags = AI_ADDRCONFIG;
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
if (aierr) {
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
Index: src/kadmin/dbutil/kadm5_create.c
===================================================================
--- src/kadmin/dbutil/kadm5_create.c.orig
+++ src/kadmin/dbutil/kadm5_create.c
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
goto clean_and_exit;
}
memset(&ai_hints, 0, sizeof(ai_hints));
- ai_hints.ai_flags = AI_CANONNAME;
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
if (gai_error) {
ret = EINVAL;
Index: src/lib/kadm5/alt_prof.c
===================================================================
--- src/lib/kadm5/alt_prof.c.orig
+++ src/lib/kadm5/alt_prof.c
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
}
memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
if (err != 0) {
ret = KADM5_CANT_RESOLVE;
Index: src/lib/kadm5/clnt/client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c.orig
+++ src/lib/kadm5/clnt/client_init.c
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
memset(&hint, 0, sizeof(hint));
hint.ai_socktype = SOCK_STREAM;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
if (err != 0)
Index: src/lib/krb5/os/hostaddr.c
===================================================================
--- src/lib/krb5/os/hostaddr.c.orig
+++ src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: src/lib/krb5/os/hst_realm.c
===================================================================
--- src/lib/krb5/os/hst_realm.c.orig
+++ src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_ADDRCONFIG;
error = getaddrinfo(host, port, &hints, &answers);
if (error != 0) {
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
Index: src/lib/krb5/os/locate_kdc.c
===================================================================
--- src/lib/krb5/os/locate_kdc.c.orig
+++ src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))

View File

@ -1,624 +0,0 @@
Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a
struct select_state has an alternate layout when USE_POLL is defined,
and if we detect <poll.h> at configure-time, have sendto_kdc.c define
USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases,
so that the previous behavior is preserved when <poll.h> is not found.
RT#6905
Index: src/include/cm.h
===================================================================
--- src/include/cm.h.orig
+++ src/include/cm.h
@@ -25,11 +25,20 @@
* or implied warranty.
*/
-/* Since fd_set is large on some platforms (8K on AIX 5.2), this
- probably shouldn't be allocated in automatic storage. */
+/*
+ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably
+ * shouldn't be allocated in automatic storage. Define USE_POLL and
+ * MAX_POLLFDS in the consumer of this header file to use poll state instead of
+ * select state.
+ */
struct select_state {
- int max, nfds;
+#ifdef USE_POLL
+ struct pollfd fds[MAX_POLLFDS];
+#else
+ int max;
fd_set rfds, wfds, xfds;
+#endif
+ int nfds;
struct timeval end_time; /* magic: tv_sec==0 => never time out */
};
Index: src/configure.in
===================================================================
--- src/configure.in.orig
+++ src/configure.in
@@ -74,7 +74,7 @@ LIBUTIL=-lutil
])
AC_SUBST(LIBUTIL)
# for kdc
-AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h)
+AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h)
AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf)
AC_CHECK_FUNCS(strlcpy)
EXTRA_SUPPORT_SYMS=
@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h,
AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))])
KRB5_SIGTYPE
-AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
+AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
AC_HEADER_STDARG
KRB5_AC_INET6
Index: src/lib/krb5/os/cm.c
===================================================================
--- /dev/null
+++ src/lib/krb5/os/cm.c
@@ -0,0 +1,97 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/os/cm.c - Connection manager functions */
+/*
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * This file include krb5int_cm_call_select, which is used by
+ * lib/apputils/net-server.c and sometimes by sendto_kdc.c.
+ */
+
+#include "k5-int.h"
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef _WIN32
+#include <sys/timeb.h>
+#endif
+#include "cm.h"
+
+int
+k5_getcurtime(struct timeval *tvp)
+{
+#ifdef _WIN32
+ struct _timeb tb;
+ _ftime(&tb);
+ tvp->tv_sec = tb.time;
+ tvp->tv_usec = tb.millitm * 1000;
+ /* Can _ftime fail? */
+ return 0;
+#else
+ if (gettimeofday(tvp, 0))
+ return errno;
+ return 0;
+#endif
+}
+
+/*
+ * Call select and return results.
+ * Input: interesting file descriptors and absolute timeout
+ * Output: select return value (-1 or num fds ready) and fd_sets
+ * Return: 0 (for i/o available or timeout) or error code.
+ */
+krb5_error_code
+krb5int_cm_call_select (const struct select_state *in,
+ struct select_state *out, int *sret)
+{
+ struct timeval now, *timo;
+ krb5_error_code e;
+
+ *out = *in;
+ e = k5_getcurtime(&now);
+ if (e)
+ return e;
+ if (out->end_time.tv_sec == 0)
+ timo = 0;
+ else {
+ timo = &out->end_time;
+ out->end_time.tv_sec -= now.tv_sec;
+ out->end_time.tv_usec -= now.tv_usec;
+ if (out->end_time.tv_usec < 0) {
+ out->end_time.tv_usec += 1000000;
+ out->end_time.tv_sec--;
+ }
+ if (out->end_time.tv_sec < 0) {
+ *sret = 0;
+ return 0;
+ }
+ }
+
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
+ e = SOCKET_ERRNO;
+
+ if (*sret < 0)
+ return e;
+ return 0;
+}
Index: src/lib/krb5/os/Makefile.in
===================================================================
--- src/lib/krb5/os/Makefile.in.orig
+++ src/lib/krb5/os/Makefile.in
@@ -18,6 +18,7 @@ STLIBOBJS= \
def_realm.o \
ccdefname.o \
changepw.o \
+ cm.o \
dnsglue.o \
dnssrv.o \
free_krbhs.o \
@@ -62,6 +63,7 @@ OBJS= \
$(OUTPRE)def_realm.$(OBJEXT) \
$(OUTPRE)ccdefname.$(OBJEXT) \
$(OUTPRE)changepw.$(OBJEXT) \
+ $(OUTPRE)cm.$(OBJEXT) \
$(OUTPRE)dnsglue.$(OBJEXT) \
$(OUTPRE)dnssrv.$(OBJEXT) \
$(OUTPRE)free_krbhs.$(OBJEXT) \
@@ -106,6 +108,7 @@ SRCS= \
$(srcdir)/def_realm.c \
$(srcdir)/ccdefname.c \
$(srcdir)/changepw.c \
+ $(srcdir)/cm.c \
$(srcdir)/dnsglue.c \
$(srcdir)/dnssrv.c \
$(srcdir)/free_krbhs.c \
Index: src/lib/krb5/os/os-proto.h
===================================================================
--- src/lib/krb5/os/os-proto.h.orig
+++ src/lib/krb5/os/os-proto.h
@@ -31,6 +31,10 @@
#ifndef KRB5_LIBOS_INT_PROTO__
#define KRB5_LIBOS_INT_PROTO__
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
struct addrlist;
krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *,
struct addrlist *, int, int, int);
@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos
/* The io vector is *not* const here, unlike writev()! */
int krb5int_net_writev (krb5_context, int, sg_buf *, int);
+int k5_getcurtime(struct timeval *tvp);
+
#include "k5-thread.h"
extern k5_mutex_t krb5int_us_time_mutex;
Index: src/lib/krb5/os/sendto_kdc.c
===================================================================
--- src/lib/krb5/os/sendto_kdc.c.orig
+++ src/lib/krb5/os/sendto_kdc.c
@@ -32,17 +32,16 @@
#include "fake-addrinfo.h"
#include "k5-int.h"
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#else
-#include <time.h>
-#endif
#include "os-proto.h"
#ifdef _WIN32
#include <sys/timeb.h>
#endif
-#ifdef _AIX
+#if defined(HAVE_POLL_H)
+#include <poll.h>
+#define USE_POLL
+#define MAX_POLLFDS 1024
+#elif defined(HAVE_SYS_SELECT_H)
#include <sys/select.h>
#endif
@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, .
p = strerror(err);
putstr(p);
break;
- case 'F':
- /* %F => fd_set *, fd_set *, fd_set *, int */
- rfds = va_arg(args, fd_set *);
- wfds = va_arg(args, fd_set *);
- xfds = va_arg(args, fd_set *);
- maxfd = va_arg(args, int);
-
- for (i = 0; i < maxfd; i++) {
- int r = FD_ISSET(i, rfds);
- int w = wfds && FD_ISSET(i, wfds);
- int x = xfds && FD_ISSET(i, xfds);
- if (r || w || x) {
- putf(" %d", i);
- if (r)
- putstr("r");
- if (w)
- putstr("w");
- if (x)
- putstr("x");
- }
- }
- putstr(" ");
- break;
case 's':
/* %s => char * */
p = va_arg(args, const char *);
@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c
#include "cm.h"
-static int
-getcurtime (struct timeval *tvp)
+/*
+ * Currently only sendto_kdc.c knows how to use poll(); the other candidate
+ * user, lib/apputils/net-server.c, is stuck using select() for the moment
+ * since it is entangled with the RPC library. The following cm_* functions
+ * are not fully generic, are O(n^2) in the poll case, and are limited to
+ * handling 1024 connections (in order to maintain a constant-sized selstate).
+ * More rearchitecting would be appropriate before extending this support to
+ * the KDC and kadmind.
+ */
+
+static void
+cm_init_selstate(struct select_state *selstate)
{
-#ifdef _WIN32
- struct _timeb tb;
- _ftime(&tb);
- tvp->tv_sec = tb.time;
- tvp->tv_usec = tb.millitm * 1000;
- /* Can _ftime fail? */
- return 0;
+ selstate->nfds = 0;
+ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0;
+#ifndef USE_POLL
+ selstate->max = 0;
+ selstate->nfds = 0;
+ FD_ZERO(&selstate->rfds);
+ FD_ZERO(&selstate->wfds);
+ FD_ZERO(&selstate->xfds);
+#endif
+}
+
+static krb5_boolean
+cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags)
+{
+#ifdef USE_POLL
+ if (selstate->nfds >= MAX_POLLFDS)
+ return FALSE;
+ selstate->fds[selstate->nfds].fd = fd;
+ selstate->fds[selstate->nfds].events = 0;
+ if (ssflags & SSF_READ)
+ selstate->fds[selstate->nfds].events |= POLLIN;
+ if (ssflags & SSF_WRITE)
+ selstate->fds[selstate->nfds].events |= POLLOUT;
+#else
+#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
+ if (fd >= FD_SETSIZE)
+ return FALSE;
+#endif
+ if (ssflags & SSF_READ)
+ FD_SET(fd, &selstate->rfds);
+ if (ssflags & SSF_WRITE)
+ FD_SET(fd, &selstate->wfds);
+ if (ssflags & SSF_EXCEPTION)
+ FD_SET(fd, &selstate->xfds);
+ if (selstate->max <= fd)
+ selstate->max = fd + 1;
+#endif
+ selstate->nfds++;
+ return TRUE;
+}
+
+static void
+cm_remove_fd(struct select_state *selstate, int fd)
+{
+#ifdef USE_POLL
+ int i;
+
+ /* Find the FD in the array and move the last entry to its place. */
+ assert(selstate->nfds > 0);
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ selstate->fds[i] = selstate->fds[selstate->nfds - 1];
#else
- if (gettimeofday(tvp, 0)) {
- dperror("gettimeofday");
- return errno;
+ FD_CLR(fd, &selstate->rfds);
+ FD_CLR(fd, &selstate->wfds);
+ FD_CLR(fd, &selstate->xfds);
+ if (selstate->max == 1 + fd) {
+ while (selstate->max > 0
+ && ! FD_ISSET(selstate->max-1, &selstate->rfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->wfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->xfds))
+ selstate->max--;
+ dprint("new max_fd + 1 is %d\n", selstate->max);
}
- return 0;
#endif
+ selstate->nfds--;
}
-/*
- * Call select and return results.
- * Input: interesting file descriptors and absolute timeout
- * Output: select return value (-1 or num fds ready) and fd_sets
- * Return: 0 (for i/o available or timeout) or error code.
- */
-krb5_error_code
-krb5int_cm_call_select (const struct select_state *in,
- struct select_state *out, int *sret)
+static void
+cm_unset_write(struct select_state *selstate, int fd)
{
- struct timeval now, *timo;
- krb5_error_code e;
+#ifdef USE_POLL
+ int i;
- *out = *in;
- e = getcurtime(&now);
- if (e)
- return e;
- if (out->end_time.tv_sec == 0)
- timo = 0;
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ selstate->fds[i].events &= ~POLLOUT;
+#else
+ FD_CLR(fd, &selstate->wfds);
+#endif
+}
+
+static krb5_error_code
+cm_select_or_poll(const struct select_state *in, struct select_state *out,
+ int *sret)
+{
+#ifdef USE_POLL
+ struct timeval now;
+ int e, timeout;
+
+ if (in->end_time.tv_sec == 0)
+ timeout = -1;
else {
- timo = &out->end_time;
- out->end_time.tv_sec -= now.tv_sec;
- out->end_time.tv_usec -= now.tv_usec;
- if (out->end_time.tv_usec < 0) {
- out->end_time.tv_usec += 1000000;
- out->end_time.tv_sec--;
- }
- if (out->end_time.tv_sec < 0) {
- *sret = 0;
- return 0;
- }
+ e = k5_getcurtime(&now);
+ if (e)
+ return e;
+ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 +
+ (in->end_time.tv_usec - now.tv_usec) / 1000;
}
- dprint("selecting on max=%d sockets [%F] timeout %t\n",
- out->max,
- &out->rfds, &out->wfds, &out->xfds, out->max,
- timo);
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
+ /* We don't need a separate copy of the selstate for poll, but use one
+ * anyone for consistency with the select wrapper. */
+ *out = *in;
+ *sret = poll(out->fds, out->nfds, timeout);
e = SOCKET_ERRNO;
+ return (*sret < 0) ? e : 0;
+#else
+ /* Use the select wrapper from cm.c. */
+ return krb5int_cm_call_select(in, out, sret);
+#endif
+}
- dprint("select returns %d", *sret);
- if (*sret < 0)
- dprint(", error = %E\n", e);
- else if (*sret == 0)
- dprint(" (timeout)\n");
- else
- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
+static unsigned int
+cm_get_ssflags(struct select_state *selstate, int fd)
+{
+ unsigned int ssflags = 0;
+#ifdef USE_POLL
+ int i;
- if (*sret < 0)
- return e;
- return 0;
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ if (selstate->fds[i].revents & POLLIN)
+ ssflags |= SSF_READ;
+ if (selstate->fds[i].revents & POLLOUT)
+ ssflags |= SSF_WRITE;
+ if (selstate->fds[i].revents & POLLERR)
+ ssflags |= SSF_EXCEPTION;
+#else
+ if (FD_ISSET(fd, &selstate->rfds))
+ ssflags |= SSF_READ;
+ if (FD_ISSET(fd, &selstate->wfds))
+ ssflags |= SSF_WRITE;
+ if (FD_ISSET(fd, &selstate->xfds))
+ ssflags |= SSF_EXCEPTION;
+#endif
+ return ssflags;
}
static int service_tcp_fd(krb5_context context, struct conn_state *conn,
@@ -657,6 +712,7 @@ start_connection(krb5_context context, s
krb5_data *callback_buffer)
{
int fd, e;
+ unsigned int ssflags;
struct addrinfo *ai = state->addr;
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
@@ -667,14 +723,6 @@ start_connection(krb5_context context, s
dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
return -1; /* try other hosts */
}
-#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
- if (fd >= FD_SETSIZE) {
- closesocket(fd);
- state->err = EMFILE;
- dprint("socket: fd %d too high\n", fd);
- return -1;
- }
-#endif
set_cloexec_fd(fd);
/* Make it non-blocking. */
if (ai->ai_socktype == SOCK_STREAM) {
@@ -778,16 +826,15 @@ start_connection(krb5_context context, s
}
}
#endif
- FD_SET(state->fd, &selstate->rfds);
+ ssflags = SSF_READ | SSF_EXCEPTION;
if (state->state == CONNECTING || state->state == WRITING)
- FD_SET(state->fd, &selstate->wfds);
- FD_SET(state->fd, &selstate->xfds);
- if (selstate->max <= state->fd)
- selstate->max = state->fd + 1;
- selstate->nfds++;
-
- dprint("new select vectors: %F\n",
- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
+ ssflags |= SSF_WRITE;
+ if (!cm_add_fd(selstate, state->fd, ssflags)) {
+ (void) closesocket(state->fd);
+ state->fd = INVALID_SOCKET;
+ state->state = FAILED;
+ return -1;
+ }
return 0;
}
@@ -849,22 +896,11 @@ static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
conn->state = FAILED;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- FD_CLR(conn->fd, &selstate->rfds);
- FD_CLR(conn->fd, &selstate->wfds);
- FD_CLR(conn->fd, &selstate->xfds);
conn->err = err;
+ shutdown(conn->fd, SHUTDOWN_BOTH);
+ cm_remove_fd(selstate, conn->fd);
dprint("abandoning connection %d: %m\n", conn->fd, err);
/* Fix up max fd for next select call. */
- if (selstate->max == 1 + conn->fd) {
- while (selstate->max > 0
- && ! FD_ISSET(selstate->max-1, &selstate->rfds)
- && ! FD_ISSET(selstate->max-1, &selstate->wfds)
- && ! FD_ISSET(selstate->max-1, &selstate->xfds))
- selstate->max--;
- dprint("new max_fd + 1 is %d\n", selstate->max);
- }
- selstate->nfds--;
}
/* Check socket for error. */
@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str
/* Done writing, switch to reading. */
/* Don't call shutdown at this point because
* some implementations cannot deal with half-closed connections.*/
- FD_CLR(conn->fd, &selstate->wfds);
+ cm_unset_write(selstate, conn->fd);
/* Q: How do we detect failures to send the remaining data
to the remote side, since we're in non-blocking mode?
Will we always get errors on the reading side? */
@@ -1100,7 +1136,8 @@ service_fds (krb5_context context,
while (selstate->nfds > 0) {
unsigned int i;
- e = krb5int_cm_call_select(selstate, seltemp, &selret);
+ selret = 0;
+ e = cm_select_or_poll(selstate, seltemp, &selret);
if (e == EINTR)
continue;
if (e != 0)
@@ -1113,18 +1150,12 @@ service_fds (krb5_context context,
return 0;
/* Got something on a socket, process it. */
- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
+ for (i = 0; i < n_conns; i++) {
int ssflags;
if (conns[i].fd == INVALID_SOCKET)
continue;
- ssflags = 0;
- if (FD_ISSET(conns[i].fd, &seltemp->rfds))
- ssflags |= SSF_READ, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->wfds))
- ssflags |= SSF_WRITE, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->xfds))
- ssflags |= SSF_EXCEPTION, selret--;
+ ssflags = cm_get_ssflags(seltemp, conns[i].fd);
if (!ssflags)
continue;
@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co
retval = ENOMEM;
goto egress;
}
- sel_state->max = 0;
- sel_state->nfds = 0;
- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0;
- FD_ZERO(&sel_state->rfds);
- FD_ZERO(&sel_state->wfds);
- FD_ZERO(&sel_state->xfds);
+ cm_init_selstate(sel_state);
/* Set up connections. */
@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co
(callback_info ? &callback_data[host] : NULL)))
continue;
- retval = getcurtime(&now);
+ retval = k5_getcurtime(&now);
if (retval)
goto egress;
sel_state->end_time = now;
@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co
}
if (e)
break;
- retval = getcurtime(&now);
+ retval = k5_getcurtime(&now);
if (retval)
goto egress;
/* Possible optimization: Find a way to integrate this select

View File

@ -1,22 +0,0 @@
RT#6951
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
+ cm_remove_fd(selstate, conn->fd);
+ closesocket(conn->fd);
+ conn->fd = INVALID_SOCKET;
conn->state = FAILED;
conn->err = err;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- cm_remove_fd(selstate, conn->fd);
- dprint("abandoning connection %d: %m\n", conn->fd, err);
- /* Fix up max fd for next select call. */
}
/* Check socket for error. */

View File

@ -1,18 +0,0 @@
If we exit the transmit loop cleanly, don't overestimate the size of the
connections array. This bug appears to have been removed upstream when
this function was rewritten in trunk, and the select()-based implementation
is still what's in 1.9, so this patch has nowhere to go.
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
call with the last one from the above loop, if the loop
actually calls select. */
sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ i = host+1;
+ if (i > n_conns)
+ i = n_conns;
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
sel_state+1, msg_handler, msg_handler_data);
if (e)
break;

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc
size 10126613

View File

@ -16,14 +16,13 @@
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: latex2html
BuildRequires: texlive
Version: 1.9.1
Version: 1.10.2
Release: 0
%define srcRoot krb5-1.9.1
%define srcRoot krb5-1.10.2
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other

View File

@ -1,29 +0,0 @@
Don't trip over referral entries. RT#6915
Index: krb5-1.9.1/src/clients/klist/klist.c
===================================================================
--- krb5-1.9.1.orig/src/clients/klist/klist.c
+++ krb5-1.9.1/src/clients/klist/klist.c
@@ -28,7 +28,7 @@
* List out the contents of your credential cache or keytab.
*/
-#include "autoconf.h"
+#include "k5-int.h"
#include <krb5.h>
#include <com_err.h>
#include <stdlib.h>
@@ -390,10 +390,9 @@ void do_ccache(name)
continue;
if (status_only) {
if (exit_status && creds.server->length == 2 &&
- strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
- strcmp((char *)creds.server->data[1].data,
- princ->realm.data) == 0 &&
+ data_eq(creds.server->realm, princ->realm) &&
+ data_eq_string(creds.server->data[0], "krbtgt") &&
+ data_eq(creds.server->data[1], princ->realm) &&
creds.times.endtime > now)
exit_status = 0;
} else {

View File

@ -1,7 +1,62 @@
-------------------------------------------------------------------
Tue Jan 31 15:32:51 CET 2012 - meissner@suse.de
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
- fix License in krb5-mini
- update to version 1.10.2
obsolte patches:
* krb5-1.7-nodeplibs.patch
* krb5-1.9.1-ai_addrconfig.patch
* krb5-1.9.1-ai_addrconfig2.patch
* krb5-1.9.1-sendto_poll.patch
* krb5-1.9-canonicalize-fallback.patch
* krb5-1.9-paren.patch
* krb5-klist_s.patch
* krb5-pkinit-cms2.patch
* krb5-trunk-chpw-err.patch
* krb5-trunk-gss_delete_sec.patch
* krb5-trunk-kadmin-oldproto.patch
* krb5-1.9-MITKRB5-SA-2011-006.dif
* krb5-1.9-gss_display_status-iakerb.patch
* krb5-1.9.1-sendto_poll2.patch
* krb5-1.9.1-sendto_poll3.patch
* krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the "create"
privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
within a collection.
- Add heuristic support for choosing client credentials based on
the service realm.
- Add support for $HOME/.k5identity, which allows credential
choice based on configured rules.
-------------------------------------------------------------------
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
- add autoconf macro to devel subpackage
-------------------------------------------------------------------
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
- fix license in krb5-mini
-------------------------------------------------------------------
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
- add autoconf as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com

View File

@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.9.1
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.9.1
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
%endif
#
%endif
Source: krb5-1.9.1.tar.bz2
Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.9-buildconf.patch
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-kpasswd_tcp.patch
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch11: krb5-1.7-nodeplibs.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch14: krb5-1.9.1-ai_addrconfig.patch
Patch15: krb5-1.9.1-ai_addrconfig2.patch
Patch16: krb5-1.9.1-sendto_poll.patch
Patch17: krb5-1.9-canonicalize-fallback.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.9-paren.patch
Patch21: krb5-1.9-selinux-label.patch
Patch22: krb5-klist_s.patch
Patch23: krb5-pkinit-cms2.patch
Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
Patch31: krb5-1.9-gss_display_status-iakerb.patch
Patch32: krb5-1.9.1-sendto_poll2.patch
Patch33: krb5-1.9.1-sendto_poll3.patch
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -119,8 +104,9 @@ Authors:
%package server
Summary: MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: cron
Requires: logrotate
Requires: perl-Date-Calc
Requires: logrotate cron
PreReq: %insserv_prereq %fillup_prereq
%description server
@ -182,8 +168,8 @@ Authors:
Summary: MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: libcom_err-devel
Requires: keyutils-devel
Requires: libcom_err-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
@ -209,35 +195,20 @@ Authors:
Tom Yu <tlyu@mit.edu>
%prep
%setup -q -n %{srcRoot}
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch13 -p1
%patch3 -p1
%patch21 -p1
%patch1 -p1
%patch5 -p1
%patch6
%patch6 -p1
%patch7 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch14
%patch15
%patch16
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24
%patch25 -p1
%patch26
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch20
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
@ -282,6 +253,9 @@ make DESTDIR=%{buildroot} install
cd ..
# Munge the krb5-config script to remove rpaths and CFLAGS.
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
@ -389,6 +363,7 @@ rm -rf %{buildroot}
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
@ -403,6 +378,7 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/krb5-send-pr
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
%files

View File

@ -1,290 +0,0 @@
When verifying signed-data, use the OpenSSL CMS APIs if we're building with a
version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for
RT#6851.
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index bb8f036..6aedec4 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -41,6 +41,34 @@
#include "pkinit_crypto_openssl.h"
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#include <openssl/cms.h>
+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
+#else
+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */
+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */
+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
+#define CMS_NOATTR PKCS7_NOATTR
+#define CMS_ContentInfo PKCS7
+#define CMS_SignerInfo PKCS7_SIGNER_INFO
+#define d2i_CMS_ContentInfo d2i_PKCS7
+#define CMS_get0_type(_p7) ((_p7)->type)
+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))
+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
+#define CMS_get0_SignerInfos PKCS7_get_signer_info
+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
+#undef sk_CMS_SignerInfo_value
+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
+#define CMS_verify PKCS7_verify
+#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
+#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+#endif
+
static struct pkcs11_errstrings {
short code;
char *text;
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context,
int *is_signed)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
- PKCS7 *p7 = NULL;
+ CMS_ContentInfo *cms = NULL;
BIO *out = NULL;
- int flags = PKCS7_NOVERIFY;
+ int flags = CMS_NO_SIGNER_CERT_VERIFY;
unsigned int i = 0;
unsigned int vflags = 0, size = 0;
const unsigned char *p = signed_data;
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
- PKCS7_SIGNER_INFO *si = NULL;
+ STACK_OF(CMS_SignerInfo) *si_sk = NULL;
+ CMS_SignerInfo *si = NULL;
X509 *x = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX cert_ctx;
+ STACK_OF(X509) *signerCerts = NULL;
STACK_OF(X509) *intermediateCAs = NULL;
+ STACK_OF(X509_CRL) *signerRevoked = NULL;
STACK_OF(X509_CRL) *revoked = NULL;
STACK_OF(X509) *verified_chain = NULL;
ASN1_OBJECT *oid = NULL;
+ const ASN1_OBJECT *type = NULL, *etype = NULL;
+ ASN1_OCTET_STRING **octets;
krb5_external_principal_identifier **krb5_verified_chain = NULL;
krb5_data *authz = NULL;
char buf[DN_BUF_LEN];
@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context,
if (oid == NULL)
goto cleanup;
- /* decode received PKCS7 message */
- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) {
+ /* decode received CMS message */
+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
unsigned long err = ERR_peek_error();
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context,
}
/* Handle the case in pkinit anonymous where we get unsigned data. */
- if (is_signed && !OBJ_cmp(p7->type, oid)) {
+ type = CMS_get0_type(cms);
+ if (is_signed && !OBJ_cmp(type, oid)) {
unsigned char *d;
*is_signed = 0;
- if (p7->d.other->type != V_ASN1_OCTET_STRING) {
+ octets = CMS_get0_content(cms);
+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"Invalid pkinit packet: octet string "
"expected");
goto cleanup;
}
- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
+ *data_len = ASN1_STRING_length(*octets);
d = malloc(*data_len);
if (d == NULL) {
retval = ENOMEM;
goto cleanup;
}
- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string),
+ memcpy(d, ASN1_STRING_data(*octets),
*data_len);
*data = d;
goto out;
} else {
- /* Verify that the received message is PKCS7 SignedData message. */
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
- OBJ_obj2nid(p7->type));
+ /* Verify that the received message is CMS SignedData message. */
+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) {
+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n",
+ OBJ_obj2nid(type));
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
}
}
- /* setup to verify X509 certificate used to sign PKCS7 message */
+ /* setup to verify X509 certificate used to sign CMS message */
if (!(store = X509_STORE_new()))
goto cleanup;
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the PKCS7 message */
- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL)
+ /* get the signer's information from the CMS message */
+ CMS_set1_signers_certs(cms, NULL, 0);
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
goto cleanup;
- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL)
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
goto cleanup;
- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL)
+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
+ if (x == NULL)
goto cleanup;
/* create available CRL information (get local CRLs and include CRLs
- * received in the PKCS7 message
+ * received in the CMS message
*/
+ signerRevoked = CMS_get1_crls(cms);
if (idctx->revoked == NULL)
- revoked = p7->d.sign->crl;
- else if (p7->d.sign->crl == NULL)
+ revoked = signerRevoked;
+ else if (signerRevoked == NULL)
revoked = idctx->revoked;
else {
size = sk_X509_CRL_num(idctx->revoked);
revoked = sk_X509_CRL_new_null();
for (i = 0; i < size; i++)
sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i));
- size = sk_X509_CRL_num(p7->d.sign->crl);
+ size = sk_X509_CRL_num(signerRevoked);
for (i = 0; i < size; i++)
- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i));
+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i));
}
/* create available intermediate CAs chains (get local intermediateCAs and
- * include the CA chain received in the PKCS7 message
+ * include the CA chain received in the CMS message
*/
+ signerCerts = CMS_get1_certs(cms);
if (idctx->intermediateCAs == NULL)
- intermediateCAs = p7->d.sign->cert;
- else if (p7->d.sign->cert == NULL)
+ intermediateCAs = signerCerts;
+ else if (signerCerts == NULL)
intermediateCAs = idctx->intermediateCAs;
else {
size = sk_X509_num(idctx->intermediateCAs);
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
sk_X509_push(intermediateCAs,
sk_X509_value(idctx->intermediateCAs, i));
}
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
for (i = 0; i < size; i++) {
- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
}
}
@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
krb5_set_error_message(context, retval, "%s\n",
X509_verify_cert_error_string(j));
#ifdef DEBUG_CERTCHAIN
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
pkiDebug("received cert chain of size %d\n", size);
for (j = 0; j < size; j++) {
- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
+ X509 *tmp_cert = sk_X509_value(signerCerts, j);
X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
pkiDebug("cert #%d: %s\n", j, buf);
}
@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
out = BIO_new(BIO_s_mem());
if (cms_msg_type == CMS_SIGN_DRAFT9)
- flags |= PKCS7_NOATTR;
- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
+ flags |= CMS_NOATTR;
+ etype = CMS_get0_eContentType(cms);
+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
int valid_oid = 0;
- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
+ if (!OBJ_cmp(etype, oid))
valid_oid = 1;
else if (cms_msg_type == CMS_SIGN_DRAFT9) {
/*
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context,
client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
+ if (!OBJ_cmp(etype, client_oid) ||
+ !OBJ_cmp(etype, server_oid) ||
+ !OBJ_cmp(etype, rsa_oid))
valid_oid = 1;
}
if (valid_oid)
- pkiDebug("PKCS7 Verification successful\n");
+ pkiDebug("CMS Verification successful\n");
else {
pkiDebug("wrong oid in eContentType\n");
- print_buffer(p7->d.sign->contents->type->data,
- (unsigned int)p7->d.sign->contents->type->length);
+ print_buffer(etype->data,
+ (unsigned int)etype->length);
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
default:
retval = KRB5KDC_ERR_INVALID_SIG;
}
- pkiDebug("PKCS7 Verification failure\n");
+ pkiDebug("CMS Verification failure\n");
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
goto cleanup;
}
- /* transfer the data from PKCS7 message into return buffer */
+ /* transfer the data from CMS message into return buffer */
for (size = 0;;) {
int remain;
retval = ENOMEM;
@@ -1452,12 +1491,16 @@ cleanup:
BIO_free(out);
if (store != NULL)
X509_STORE_free(store);
- if (p7 != NULL) {
- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
+ if (cms != NULL) {
+ if (signerCerts != NULL)
+ pkinit_CMS_free1_certs(signerCerts);
+ if (idctx->intermediateCAs != NULL && signerCerts)
sk_X509_free(intermediateCAs);
- if (idctx->revoked != NULL && p7->d.sign->crl)
+ if (signerRevoked != NULL)
+ pkinit_CMS_free1_crls(signerRevoked);
+ if (idctx->revoked != NULL && signerRevoked)
sk_X509_CRL_free(revoked);
- PKCS7_free(p7);
+ CMS_ContentInfo_free(cms);
}
if (verified_chain != NULL)
sk_X509_pop_free(verified_chain, X509_free);

View File

@ -1,24 +0,0 @@
Don't suppress the error code from an error message when the error message
contains e-data. RT#6893
Index: src/lib/krb5/krb/chpw.c
===================================================================
--- src/lib/krb5/krb/chpw.c (revision 24838)
+++ src/lib/krb5/krb/chpw.c (working copy)
@@ -111,15 +111,11 @@
if ((ret = krb5_rd_error(context, packet, &krberror)))
return(ret);
- if (krberror->e_data.data == NULL)
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- else
- ret = KRB5KRB_AP_ERR_MODIFIED;
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
krb5_free_error(context, krberror);
return(ret);
- } else {
- return(KRB5KRB_AP_ERR_MODIFIED);
}
+ return(KRB5KRB_AP_ERR_MODIFIED);
}

View File

@ -1,27 +0,0 @@
Author: ghudson
Date: Mon May 9 17:28:07 2011 +0000
ticket: 6908
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
target_version: 1.9.2
tags: pullup
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
svn://anonsvn.mit.edu:/krb5/trunk@24917
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
/* Clean up the context state (it is an error for
* someone to attempt to use this context again)
*/
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
*context_handle = GSS_C_NO_CONTEXT;
generic_gss_release_buffer_set(&minor, &data_set);

View File

@ -1,39 +0,0 @@
------------------------------------------------------------------------
r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
ticket: 6920
subject: Fix old-style GSSRPC authentication
target_version: 1.9.2
tags: pullup
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings. Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.
------------------------------------------------------------------------
Index: src/lib/rpc/clnt_tcp.c
===================================================================
--- src/lib/rpc/clnt_tcp.c (revision 24966)
+++ src/lib/rpc/clnt_tcp.c (revision 24967)
@@ -187,9 +187,16 @@
ct->ct_sock = *sockp;
ct->ct_wait.tv_usec = 0;
ct->ct_waitset = FALSE;
- if (raddr == NULL)
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
- else
+ if (raddr == NULL) {
+ /* Get the remote address from the socket, if it's IPv4. */
+ struct sockaddr_in sin;
+ socklen_t len = sizeof(sin);
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
+ ct->ct_addr = sin;
+ else
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+ } else
ct->ct_addr = *raddr;
/*

View File

@ -1,3 +1,48 @@
-------------------------------------------------------------------
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
- update to version 1.10.2
obsolte patches:
* krb5-1.7-nodeplibs.patch
* krb5-1.9.1-ai_addrconfig.patch
* krb5-1.9.1-ai_addrconfig2.patch
* krb5-1.9.1-sendto_poll.patch
* krb5-1.9-canonicalize-fallback.patch
* krb5-1.9-paren.patch
* krb5-klist_s.patch
* krb5-pkinit-cms2.patch
* krb5-trunk-chpw-err.patch
* krb5-trunk-gss_delete_sec.patch
* krb5-trunk-kadmin-oldproto.patch
* krb5-1.9-MITKRB5-SA-2011-006.dif
* krb5-1.9-gss_display_status-iakerb.patch
* krb5-1.9.1-sendto_poll2.patch
* krb5-1.9.1-sendto_poll3.patch
* krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the "create"
privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
within a collection.
- Add heuristic support for choosing client credentials based on
the service realm.
- Add support for $HOME/.k5identity, which allows credential
choice based on configured rules.
-------------------------------------------------------------------
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de

View File

@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.9.1
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.9.1
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
%endif
#
%endif
Source: krb5-1.9.1.tar.bz2
Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.9-buildconf.patch
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-kpasswd_tcp.patch
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch11: krb5-1.7-nodeplibs.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch14: krb5-1.9.1-ai_addrconfig.patch
Patch15: krb5-1.9.1-ai_addrconfig2.patch
Patch16: krb5-1.9.1-sendto_poll.patch
Patch17: krb5-1.9-canonicalize-fallback.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.9-paren.patch
Patch21: krb5-1.9-selinux-label.patch
Patch22: krb5-klist_s.patch
Patch23: krb5-pkinit-cms2.patch
Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
Patch31: krb5-1.9-gss_display_status-iakerb.patch
Patch32: krb5-1.9.1-sendto_poll2.patch
Patch33: krb5-1.9.1-sendto_poll3.patch
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -119,8 +104,9 @@ Authors:
%package server
Summary: MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: cron
Requires: logrotate
Requires: perl-Date-Calc
Requires: logrotate cron
PreReq: %insserv_prereq %fillup_prereq
%description server
@ -182,8 +168,8 @@ Authors:
Summary: MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: libcom_err-devel
Requires: keyutils-devel
Requires: libcom_err-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
@ -209,35 +195,20 @@ Authors:
Tom Yu <tlyu@mit.edu>
%prep
%setup -q -n %{srcRoot}
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch13 -p1
%patch3 -p1
%patch21 -p1
%patch1 -p1
%patch5 -p1
%patch6
%patch6 -p1
%patch7 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch14
%patch15
%patch16
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24
%patch25 -p1
%patch26
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch20
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do