- update to version 1.10.2
obsolte patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] - Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers - Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=65
This commit is contained in:
parent
7d8fd8176d
commit
84f939323f
60
krb5-1.10-buildconf.patch
Normal file
60
krb5-1.10-buildconf.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
||||||
|
and install shared libraries with the execute bit set on them. Prune out
|
||||||
|
the -L/usr/lib* and PIE flags where they might leak out and affect
|
||||||
|
apps which just want to link with the libraries. FIXME: needs to check and
|
||||||
|
not just assume that the compiler supports using these flags.
|
||||||
|
|
||||||
|
Index: krb5-1.10.2/src/config/shlib.conf
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/config/shlib.conf
|
||||||
|
+++ krb5-1.10.2/src/config/shlib.conf
|
||||||
|
@@ -419,7 +419,7 @@ mips-*-netbsd*)
|
||||||
|
SHLIBEXT=.so
|
||||||
|
# Linux ld doesn't default to stuffing the SONAME field...
|
||||||
|
# Use objdump -x to examine the fields of the library
|
||||||
|
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
|
||||||
|
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
|
||||||
|
#
|
||||||
|
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
|
||||||
|
SHLIB_EXPORT_FILE_DEP=binutils.versions
|
||||||
|
@@ -430,7 +430,8 @@ mips-*-netbsd*)
|
||||||
|
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||||
|
PROFFLAGS=-pg
|
||||||
|
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
||||||
|
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
||||||
|
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
||||||
|
+ INSTALL_SHLIB='${INSTALL} -m755'
|
||||||
|
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||||
|
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||||
|
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
||||||
|
Index: krb5-1.10.2/src/krb5-config.in
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/krb5-config.in
|
||||||
|
+++ krb5-1.10.2/src/krb5-config.in
|
||||||
|
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
|
||||||
|
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
||||||
|
-e 's#\$(CFLAGS)##'`
|
||||||
|
|
||||||
|
+ if test `dirname $libdir` = /usr ; then
|
||||||
|
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
||||||
|
+ fi
|
||||||
|
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
|
||||||
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
|
||||||
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
|
||||||
|
+
|
||||||
|
if test $library = 'kdb'; then
|
||||||
|
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||||
|
library=krb5
|
||||||
|
Index: krb5-1.10.2/src/config/pre.in
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/config/pre.in
|
||||||
|
+++ krb5-1.10.2/src/config/pre.in
|
||||||
|
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
|
||||||
|
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
||||||
|
INSTALL_DATA=@INSTALL_DATA@
|
||||||
|
INSTALL_SHLIB=@INSTALL_SHLIB@
|
||||||
|
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
|
||||||
|
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
|
||||||
|
## This is needed because autoconf will sometimes define @exec_prefix@ to be
|
||||||
|
## ${prefix}.
|
||||||
|
prefix=@prefix@
|
12
krb5-1.10-gcc47.patch
Normal file
12
krb5-1.10-gcc47.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
This file also triggers the maybe-uninitialized warning/error. RT#7080
|
||||||
|
|
||||||
|
--- src/lib/krb5/krb/x-deltat.y
|
||||||
|
+++ src/lib/krb5/krb/x-deltat.y
|
||||||
|
@@ -44,6 +44,7 @@
|
||||||
|
#ifdef __GNUC__
|
||||||
|
#pragma GCC diagnostic push
|
||||||
|
#pragma GCC diagnostic ignored "-Wuninitialized"
|
||||||
|
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <ctype.h>
|
@ -1,14 +1,14 @@
|
|||||||
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
|
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
|
||||||
to wait for UDP to fail, so this might not be ideal. RT #5868.
|
to wait for UDP to fail, so this might not be ideal. RT #5868.
|
||||||
|
|
||||||
Index: src/lib/krb5/os/changepw.c
|
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- src/lib/krb5/os/changepw.c.orig
|
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
|
||||||
+++ src/lib/krb5/os/changepw.c
|
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
|
||||||
@@ -282,10 +282,22 @@ change_set_password(krb5_context context
|
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
|
||||||
NULL
|
&callback_info, &chpw_rep, ss2sa(&remote_addr),
|
||||||
))) {
|
&addrlen, NULL, NULL, NULL);
|
||||||
|
if (code) {
|
||||||
- /*
|
- /*
|
||||||
- * Here we may want to switch to TCP on some errors.
|
- * Here we may want to switch to TCP on some errors.
|
||||||
- * right?
|
- * right?
|
||||||
@ -16,14 +16,14 @@ Index: src/lib/krb5/os/changepw.c
|
|||||||
+ /* if we're not using a stream socket, and it's an error which
|
+ /* if we're not using a stream socket, and it's an error which
|
||||||
+ * might reasonably be specific to a datagram "connection", try
|
+ * might reasonably be specific to a datagram "connection", try
|
||||||
+ * again with a stream socket */
|
+ * again with a stream socket */
|
||||||
+ if (!useTcp) {
|
+ if (!use_tcp) {
|
||||||
+ switch (code) {
|
+ switch (code) {
|
||||||
+ case KRB5_KDC_UNREACH:
|
+ case KRB5_KDC_UNREACH:
|
||||||
+ case KRB5_REALM_CANT_RESOLVE:
|
+ case KRB5_REALM_CANT_RESOLVE:
|
||||||
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
|
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
|
||||||
+ /* should we do this for more result codes than these? */
|
+ /* should we do this for more result codes than these? */
|
||||||
+ krb5int_free_addrlist (&al);
|
+ k5_free_serverlist (&sl);
|
||||||
+ useTcp = 1;
|
+ use_tcp = 1;
|
||||||
+ continue;
|
+ continue;
|
||||||
+ default:
|
+ default:
|
||||||
+ break;
|
+ break;
|
@ -31,11 +31,11 @@ The selabel APIs for looking up the context should be thread-safe (per
|
|||||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||||
which we used earlier, is some improvement.
|
which we used earlier, is some improvement.
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/aclocal.m4
|
Index: krb5-1.10.2/src/aclocal.m4
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||||
+++ krb5-1.9.1/src/aclocal.m4
|
+++ krb5-1.10.2/src/aclocal.m4
|
||||||
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||||
dnl
|
dnl
|
||||||
KRB5_AC_PRAGMA_WEAK_REF
|
KRB5_AC_PRAGMA_WEAK_REF
|
||||||
WITH_LDAP
|
WITH_LDAP
|
||||||
@ -43,7 +43,7 @@ Index: krb5-1.9.1/src/aclocal.m4
|
|||||||
KRB5_LIB_PARAMS
|
KRB5_LIB_PARAMS
|
||||||
KRB5_AC_INITFINI
|
KRB5_AC_INITFINI
|
||||||
KRB5_AC_ENABLE_THREADS
|
KRB5_AC_ENABLE_THREADS
|
||||||
@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir)
|
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
|
||||||
AC_SUBST(manlibexecdir)
|
AC_SUBST(manlibexecdir)
|
||||||
AC_CONFIG_FILES($1)
|
AC_CONFIG_FILES($1)
|
||||||
])
|
])
|
||||||
@ -95,11 +95,11 @@ Index: krb5-1.9.1/src/aclocal.m4
|
|||||||
+LIBS="$old_LIBS"
|
+LIBS="$old_LIBS"
|
||||||
+AC_SUBST(SELINUX_LIBS)
|
+AC_SUBST(SELINUX_LIBS)
|
||||||
+])dnl
|
+])dnl
|
||||||
Index: krb5-1.9.1/src/config/pre.in
|
Index: krb5-1.10.2/src/config/pre.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/config/pre.in
|
--- krb5-1.10.2.orig/src/config/pre.in
|
||||||
+++ krb5-1.9.1/src/config/pre.in
|
+++ krb5-1.10.2/src/config/pre.in
|
||||||
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||||
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
||||||
LDARGS = @LDARGS@
|
LDARGS = @LDARGS@
|
||||||
LIBS = @LIBS@
|
LIBS = @LIBS@
|
||||||
@ -107,7 +107,7 @@ Index: krb5-1.9.1/src/config/pre.in
|
|||||||
|
|
||||||
INSTALL=@INSTALL@
|
INSTALL=@INSTALL@
|
||||||
INSTALL_STRIP=
|
INSTALL_STRIP=
|
||||||
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||||
# HESIOD_LIBS is -lhesiod...
|
# HESIOD_LIBS is -lhesiod...
|
||||||
HESIOD_LIBS = @HESIOD_LIBS@
|
HESIOD_LIBS = @HESIOD_LIBS@
|
||||||
|
|
||||||
@ -116,11 +116,11 @@ Index: krb5-1.9.1/src/config/pre.in
|
|||||||
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
||||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||||
# needs fixing if ever used on Mac OS X!
|
# needs fixing if ever used on Mac OS X!
|
||||||
Index: krb5-1.9.1/src/configure.in
|
Index: krb5-1.10.2/src/configure.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/configure.in
|
--- krb5-1.10.2.orig/src/configure.in
|
||||||
+++ krb5-1.9.1/src/configure.in
|
+++ krb5-1.10.2/src/configure.in
|
||||||
@@ -1127,6 +1127,8 @@ fi
|
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
|
||||||
|
|
||||||
KRB5_WITH_PAM
|
KRB5_WITH_PAM
|
||||||
|
|
||||||
@ -129,10 +129,10 @@ Index: krb5-1.9.1/src/configure.in
|
|||||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||||
|
|
||||||
V5_AC_OUTPUT_MANPAGE([
|
V5_AC_OUTPUT_MANPAGE([
|
||||||
Index: krb5-1.9.1/src/include/k5-int.h
|
Index: krb5-1.10.2/src/include/k5-int.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/include/k5-int.h
|
--- krb5-1.10.2.orig/src/include/k5-int.h
|
||||||
+++ krb5-1.9.1/src/include/k5-int.h
|
+++ krb5-1.10.2/src/include/k5-int.h
|
||||||
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
|
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
|
||||||
typedef UINT64_TYPE krb5_ui_8;
|
typedef UINT64_TYPE krb5_ui_8;
|
||||||
typedef INT64_TYPE krb5_int64;
|
typedef INT64_TYPE krb5_int64;
|
||||||
@ -141,10 +141,10 @@ Index: krb5-1.9.1/src/include/k5-int.h
|
|||||||
|
|
||||||
#define DEFAULT_PWD_STRING1 "Enter password"
|
#define DEFAULT_PWD_STRING1 "Enter password"
|
||||||
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
||||||
Index: krb5-1.9.1/src/include/k5-label.h
|
Index: krb5-1.10.2/src/include/k5-label.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ krb5-1.9.1/src/include/k5-label.h
|
+++ krb5-1.10.2/src/include/k5-label.h
|
||||||
@@ -0,0 +1,32 @@
|
@@ -0,0 +1,32 @@
|
||||||
+#ifndef _KRB5_LABEL_H
|
+#ifndef _KRB5_LABEL_H
|
||||||
+#define _KRB5_LABEL_H
|
+#define _KRB5_LABEL_H
|
||||||
@ -178,11 +178,11 @@ Index: krb5-1.9.1/src/include/k5-label.h
|
|||||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
Index: krb5-1.9.1/src/include/krb5/krb5.hin
|
Index: krb5-1.10.2/src/include/krb5/krb5.hin
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/include/krb5/krb5.hin
|
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
|
||||||
+++ krb5-1.9.1/src/include/krb5/krb5.hin
|
+++ krb5-1.10.2/src/include/krb5/krb5.hin
|
||||||
@@ -87,6 +87,12 @@
|
@@ -83,6 +83,12 @@
|
||||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -195,11 +195,20 @@ Index: krb5-1.9.1/src/include/krb5/krb5.hin
|
|||||||
#define KRB5_OLD_CRYPTO
|
#define KRB5_OLD_CRYPTO
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
|
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c
|
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
|
||||||
+++ krb5-1.9.1/src/kadmin/dbutil/dump.c
|
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||||
@@ -1257,7 +1257,7 @@ dump_db(argc, argv)
|
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
|
||||||
|
exit_status++;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||||
|
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||||
|
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
|
||||||
|
file_ok);
|
||||||
|
exit_status++;
|
||||||
|
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
|
||||||
* want to get into.
|
* want to get into.
|
||||||
*/
|
*/
|
||||||
unlink(ofile);
|
unlink(ofile);
|
||||||
@ -208,10 +217,10 @@ Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
|
|||||||
fprintf(stderr, ofopen_error,
|
fprintf(stderr, ofopen_error,
|
||||||
progname, ofile, error_message(errno));
|
progname, ofile, error_message(errno));
|
||||||
exit_status++;
|
exit_status++;
|
||||||
Index: krb5-1.9.1/src/krb5-config.in
|
Index: krb5-1.10.2/src/krb5-config.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/krb5-config.in
|
--- krb5-1.10.2.orig/src/krb5-config.in
|
||||||
+++ krb5-1.9.1/src/krb5-config.in
|
+++ krb5-1.10.2/src/krb5-config.in
|
||||||
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
|
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
|
||||||
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
|
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
|
||||||
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
|
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
|
||||||
@ -220,20 +229,20 @@ Index: krb5-1.9.1/src/krb5-config.in
|
|||||||
|
|
||||||
LIBS='@LIBS@'
|
LIBS='@LIBS@'
|
||||||
GEN_LIB=@GEN_LIB@
|
GEN_LIB=@GEN_LIB@
|
||||||
@@ -214,7 +215,7 @@ if test -n "$do_libs"; then
|
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test $library = 'krb5'; then
|
# If we ever support a flag to generate output suitable for static
|
||||||
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
|
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
|
||||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||||
fi
|
# here.
|
||||||
|
|
||||||
echo $lib_flags
|
echo $lib_flags
|
||||||
Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
Index: krb5-1.10.2/src/lib/kadm5/logger.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/lib/kadm5/logger.c
|
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
|
||||||
+++ krb5-1.9.1/src/lib/kadm5/logger.c
|
+++ krb5-1.10.2/src/lib/kadm5/logger.c
|
||||||
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||||
* Check for append/overwrite, then open the file.
|
* Check for append/overwrite, then open the file.
|
||||||
*/
|
*/
|
||||||
if (cp[4] == ':' || cp[4] == '=') {
|
if (cp[4] == ':' || cp[4] == '=') {
|
||||||
@ -242,7 +251,7 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
|||||||
if (f) {
|
if (f) {
|
||||||
set_cloexec_file(f);
|
set_cloexec_file(f);
|
||||||
log_control.log_entries[i].lfu_filep = f;
|
log_control.log_entries[i].lfu_filep = f;
|
||||||
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||||
* In case the old logfile did not get moved out of the
|
* In case the old logfile did not get moved out of the
|
||||||
* way, open for append to prevent squashing the old logs.
|
* way, open for append to prevent squashing the old logs.
|
||||||
*/
|
*/
|
||||||
@ -251,11 +260,11 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
|||||||
if (f) {
|
if (f) {
|
||||||
set_cloexec_file(f);
|
set_cloexec_file(f);
|
||||||
log_control.log_entries[lindex].lfu_filep = f;
|
log_control.log_entries[lindex].lfu_filep = f;
|
||||||
Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c
|
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
|
||||||
+++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||||
@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context
|
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
|
||||||
|
|
||||||
KTCHECKLOCK(id);
|
KTCHECKLOCK(id);
|
||||||
errno = 0;
|
errno = 0;
|
||||||
@ -264,7 +273,7 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
|||||||
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
|
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
|
||||||
fopen_mode_rbplus : fopen_mode_rb);
|
fopen_mode_rbplus : fopen_mode_rb);
|
||||||
if (!KTFILEP(id)) {
|
if (!KTFILEP(id)) {
|
||||||
@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context
|
@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
|
||||||
/* try making it first time around */
|
/* try making it first time around */
|
||||||
krb5_create_secure_file(context, KTFILENAME(id));
|
krb5_create_secure_file(context, KTFILENAME(id));
|
||||||
errno = 0;
|
errno = 0;
|
||||||
@ -273,11 +282,11 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
|||||||
if (!KTFILEP(id))
|
if (!KTFILEP(id))
|
||||||
goto report_errno;
|
goto report_errno;
|
||||||
writevno = 1;
|
writevno = 1;
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||||
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||||
* POSIX systems
|
* POSIX systems
|
||||||
*/
|
*/
|
||||||
lockp->lockinfo.filename = strdup(lockfilename);
|
lockp->lockinfo.filename = strdup(lockfilename);
|
||||||
@ -286,43 +295,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
|||||||
/*
|
/*
|
||||||
* maybe someone took away write permission so we could only
|
* maybe someone took away write permission so we could only
|
||||||
* get shared locks?
|
* get shared locks?
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
|
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
|
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context)
|
|
||||||
* should be opened read/write so that write locking can work with
|
|
||||||
* POSIX systems
|
|
||||||
*/
|
|
||||||
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
|
|
||||||
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
|
|
||||||
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
|
|
||||||
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
|
|
||||||
retval = errno;
|
|
||||||
goto err_out;
|
|
||||||
}
|
|
||||||
@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db
|
|
||||||
if (!okname)
|
|
||||||
retval = ENOMEM;
|
|
||||||
else {
|
|
||||||
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
|
|
||||||
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
|
|
||||||
if (fd < 0)
|
|
||||||
retval = errno;
|
|
||||||
else
|
|
||||||
@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch
|
|
||||||
retval = ENOMEM;
|
|
||||||
goto errout;
|
|
||||||
}
|
|
||||||
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
|
|
||||||
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
|
|
||||||
if (db_ctx->db_lf_file < 0) {
|
|
||||||
retval = errno;
|
|
||||||
goto errout;
|
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
|
||||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
||||||
|
|
||||||
#include "k5-platform.h" /* mkstemp? */
|
#include "k5-platform.h" /* mkstemp? */
|
||||||
@ -340,10 +316,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
|||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#endif
|
#endif
|
||||||
@ -361,31 +337,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
|||||||
RETURN_ERROR(errno, error0);
|
RETURN_ERROR(errno, error0);
|
||||||
(void)fcntl(hashp->fp, F_SETFD, 1);
|
(void)fcntl(hashp->fp, F_SETFD, 1);
|
||||||
}
|
}
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
|
|
||||||
+#include "k5-int.h"
|
|
||||||
#include "db-int.h"
|
|
||||||
#include "recno.h"
|
|
||||||
|
|
||||||
@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo,
|
|
||||||
int rfd, sverrno;
|
|
||||||
|
|
||||||
/* Open the user's file -- if this fails, we're done. */
|
|
||||||
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
|
||||||
+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
|
||||||
return (NULL);
|
|
||||||
|
|
||||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
|
||||||
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
||||||
|
|
||||||
KRB5_RUN_ENV= @KRB5_RUN_ENV@
|
KRB5_RUN_ENV= @KRB5_RUN_ENV@
|
||||||
@ -396,11 +351,11 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
|||||||
DB_DEPLIB = ../libdb$(DEPLIBEXT)
|
DB_DEPLIB = ../libdb$(DEPLIBEXT)
|
||||||
|
|
||||||
all::
|
all::
|
||||||
Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||||
+++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||||
@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch
|
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
|
||||||
|
|
||||||
/* Create a temporary file which contains all the entries except the
|
/* Create a temporary file which contains all the entries except the
|
||||||
entry for the given service dn */
|
entry for the given service dn */
|
||||||
@ -409,7 +364,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
if (pfile == NULL) {
|
if (pfile == NULL) {
|
||||||
com_err(me, errno, "while deleting entry from file %s", file_name);
|
com_err(me, errno, "while deleting entry from file %s", file_name);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch
|
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
|
||||||
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
|
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
|
||||||
|
|
||||||
|
|
||||||
@ -418,7 +373,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
umask(omask);
|
umask(omask);
|
||||||
if (tmpfd == -1) {
|
if (tmpfd == -1) {
|
||||||
com_err(me, errno, "while deleting entry from file\n");
|
com_err(me, errno, "while deleting entry from file\n");
|
||||||
@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc,
|
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||||
|
|
||||||
printf("File does not exist. Creating the file %s...\n", file_name);
|
printf("File does not exist. Creating the file %s...\n", file_name);
|
||||||
omask = umask(077);
|
omask = umask(077);
|
||||||
@ -427,7 +382,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
umask(omask);
|
umask(omask);
|
||||||
if (fd == -1) {
|
if (fd == -1) {
|
||||||
com_err(me, errno, "Error creating file %s", file_name);
|
com_err(me, errno, "Error creating file %s", file_name);
|
||||||
@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc,
|
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||||
|
|
||||||
/* TODO: file lock for the service password file */
|
/* TODO: file lock for the service password file */
|
||||||
/* set password in the file */
|
/* set password in the file */
|
||||||
@ -436,7 +391,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
if (pfile == NULL) {
|
if (pfile == NULL) {
|
||||||
com_err(me, errno, "Failed to open file %s", file_name);
|
com_err(me, errno, "Failed to open file %s", file_name);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc,
|
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||||
}
|
}
|
||||||
|
|
||||||
omask = umask(077);
|
omask = umask(077);
|
||||||
@ -445,16 +400,16 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
umask(omask);
|
umask(omask);
|
||||||
if (newfile == NULL) {
|
if (newfile == NULL) {
|
||||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||||
@@ -2019,7 +2019,7 @@ done:
|
@@ -2016,7 +2016,7 @@ done:
|
||||||
|
|
||||||
/* set password in the file */
|
/* set password in the file */
|
||||||
old_mode = umask(0177);
|
old_mode = umask(0177);
|
||||||
- pfile = fopen(file_name, "a+");
|
- pfile = fopen(file_name, "a+");
|
||||||
+ pfile = WRITABLEFOPEN(file_name, "a+");
|
+ pfile = WRITABLEFOPEN(file_name, "a+");
|
||||||
if (pfile == NULL) {
|
if (pfile == NULL) {
|
||||||
com_err(me, errno, "Failed to open file %s: %s", file_name,
|
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
|
||||||
strerror (errno));
|
strerror (errno));
|
||||||
@@ -2069,7 +2069,7 @@ done:
|
@@ -2068,7 +2068,7 @@ done:
|
||||||
}
|
}
|
||||||
|
|
||||||
omask = umask(077);
|
omask = umask(077);
|
||||||
@ -462,12 +417,12 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
|||||||
+ newfile = WRITABLEFOPEN(tmp_file, "w");
|
+ newfile = WRITABLEFOPEN(tmp_file, "w");
|
||||||
umask (omask);
|
umask (omask);
|
||||||
if (newfile == NULL) {
|
if (newfile == NULL) {
|
||||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
com_err(me, errno, _("Error creating file %s"), tmp_file);
|
||||||
Index: krb5-1.9.1/src/slave/kpropd.c
|
Index: krb5-1.10.2/src/slave/kpropd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/slave/kpropd.c
|
--- krb5-1.10.2.orig/src/slave/kpropd.c
|
||||||
+++ krb5-1.9.1/src/slave/kpropd.c
|
+++ krb5-1.10.2/src/slave/kpropd.c
|
||||||
@@ -338,7 +338,7 @@ retry:
|
@@ -336,7 +336,7 @@ retry:
|
||||||
if (!debug && iproprole != IPROP_SLAVE)
|
if (!debug && iproprole != IPROP_SLAVE)
|
||||||
daemon(1, 0);
|
daemon(1, 0);
|
||||||
#ifdef PID_FILE
|
#ifdef PID_FILE
|
||||||
@ -476,10 +431,36 @@ Index: krb5-1.9.1/src/slave/kpropd.c
|
|||||||
fprintf(pidfile, "%d\n", getpid());
|
fprintf(pidfile, "%d\n", getpid());
|
||||||
fclose(pidfile);
|
fclose(pidfile);
|
||||||
} else
|
} else
|
||||||
Index: krb5-1.9.1/src/util/profile/prof_file.c
|
@@ -437,6 +437,9 @@ void doit(fd)
|
||||||
|
krb5_enctype etype;
|
||||||
|
int database_fd;
|
||||||
|
char host[INET6_ADDRSTRLEN+1];
|
||||||
|
+#ifdef USE_SELINUX
|
||||||
|
+ void *selabel;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
if (kpropd_context->kdblog_context &&
|
||||||
|
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
|
||||||
|
@@ -515,9 +518,15 @@ void doit(fd)
|
||||||
|
free(name);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
+#ifdef USE_SELINUX
|
||||||
|
+ selabel = krb5int_push_fscreatecon_for(file);
|
||||||
|
+#endif
|
||||||
|
omask = umask(077);
|
||||||
|
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
|
||||||
|
(void) umask(omask);
|
||||||
|
+#ifdef USE_SELINUX
|
||||||
|
+ krb5int_pop_fscreatecon(selabel);
|
||||||
|
+#endif
|
||||||
|
retval = krb5_lock_file(kpropd_context, lock_fd,
|
||||||
|
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
|
||||||
|
if (retval) {
|
||||||
|
Index: krb5-1.10.2/src/util/profile/prof_file.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/util/profile/prof_file.c
|
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
|
||||||
+++ krb5-1.9.1/src/util/profile/prof_file.c
|
+++ krb5-1.10.2/src/util/profile/prof_file.c
|
||||||
@@ -30,6 +30,7 @@
|
@@ -30,6 +30,7 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -488,7 +469,7 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
|
|||||||
|
|
||||||
struct global_shared_profile_data {
|
struct global_shared_profile_data {
|
||||||
/* This is the head of the global list of shared trees */
|
/* This is the head of the global list of shared trees */
|
||||||
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
|
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
|
||||||
|
|
||||||
errno = 0;
|
errno = 0;
|
||||||
|
|
||||||
@ -497,11 +478,11 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
|
|||||||
if (!f) {
|
if (!f) {
|
||||||
retval = errno;
|
retval = errno;
|
||||||
if (retval == 0)
|
if (retval == 0)
|
||||||
Index: krb5-1.9.1/src/util/support/Makefile.in
|
Index: krb5-1.10.2/src/util/support/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/util/support/Makefile.in
|
--- krb5-1.10.2.orig/src/util/support/Makefile.in
|
||||||
+++ krb5-1.9.1/src/util/support/Makefile.in
|
+++ krb5-1.10.2/src/util/support/Makefile.in
|
||||||
@@ -54,6 +54,7 @@ IPC_SYMS= \
|
@@ -64,6 +64,7 @@ IPC_SYMS= \
|
||||||
|
|
||||||
STLIBOBJS= \
|
STLIBOBJS= \
|
||||||
threads.o \
|
threads.o \
|
||||||
@ -509,7 +490,7 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
|
|||||||
init-addrinfo.o \
|
init-addrinfo.o \
|
||||||
plugins.o \
|
plugins.o \
|
||||||
errors.o \
|
errors.o \
|
||||||
@@ -108,7 +109,7 @@ SRCS=\
|
@@ -127,7 +128,7 @@ SRCS=\
|
||||||
|
|
||||||
SHLIB_EXPDEPS =
|
SHLIB_EXPDEPS =
|
||||||
# Add -lm if dumping thread stats, for sqrt.
|
# Add -lm if dumping thread stats, for sqrt.
|
||||||
@ -518,11 +499,11 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
|
|||||||
SHLIB_DIRS=
|
SHLIB_DIRS=
|
||||||
SHLIB_RDIRS=$(KRB5_LIBDIR)
|
SHLIB_RDIRS=$(KRB5_LIBDIR)
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/util/support/selinux.c
|
Index: krb5-1.10.2/src/util/support/selinux.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ krb5-1.9.1/src/util/support/selinux.c
|
+++ krb5-1.10.2/src/util/support/selinux.c
|
||||||
@@ -0,0 +1,362 @@
|
@@ -0,0 +1,372 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
|
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -746,16 +727,26 @@ Index: krb5-1.9.1/src/util/support/selinux.c
|
|||||||
+krb5int_push_fscreatecon_for(const char *pathname)
|
+krb5int_push_fscreatecon_for(const char *pathname)
|
||||||
+{
|
+{
|
||||||
+ struct stat st;
|
+ struct stat st;
|
||||||
|
+ void *retval;
|
||||||
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
|
||||||
+ if (stat(pathname, &st) != 0) {
|
+ if (stat(pathname, &st) != 0) {
|
||||||
+ st.st_mode = S_IRUSR | S_IWUSR;
|
+ st.st_mode = S_IRUSR | S_IWUSR;
|
||||||
+ }
|
+ }
|
||||||
+ return push_fscreatecon(pathname, st.st_mode);
|
+ retval = push_fscreatecon(pathname, st.st_mode);
|
||||||
|
+ return retval ? retval : (void *) -1;
|
||||||
|
+ } else {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+krb5int_pop_fscreatecon(void *con)
|
+krb5int_pop_fscreatecon(void *con)
|
||||||
+{
|
+{
|
||||||
+ pop_fscreatecon(con);
|
+ if (con != NULL) {
|
||||||
|
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
|
||||||
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+FILE *
|
+FILE *
|
||||||
@ -885,11 +876,11 @@ Index: krb5-1.9.1/src/util/support/selinux.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c
|
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||||
+++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||||
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||||
krb5_error_code retval = 0;
|
krb5_error_code retval = 0;
|
||||||
krb5_rcache tmp;
|
krb5_rcache tmp;
|
||||||
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
|
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
|
||||||
@ -899,7 +890,7 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
|||||||
|
|
||||||
if (! t->recovering) {
|
if (! t->recovering) {
|
||||||
name = t->name;
|
name = t->name;
|
||||||
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||||
retval = krb5_rc_resolve(context, tmp, 0);
|
retval = krb5_rc_resolve(context, tmp, 0);
|
||||||
if (retval)
|
if (retval)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@ -917,3 +908,92 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
|||||||
if (retval)
|
if (retval)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
for (q = t->a; q; q = q->na) {
|
for (q = t->a; q; q = q->na) {
|
||||||
|
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||||
|
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||||
|
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
|
||||||
|
if (retval)
|
||||||
|
return retval;
|
||||||
|
|
||||||
|
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
|
||||||
|
- 0600);
|
||||||
|
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
|
||||||
|
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||||
|
if (dbc->db_lf_file < 0) {
|
||||||
|
retval = errno;
|
||||||
|
goto cleanup;
|
||||||
|
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||||
|
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||||
|
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
+#include "k5-int.h"
|
||||||
|
#include "db-int.h"
|
||||||
|
#include "recno.h"
|
||||||
|
|
||||||
|
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
|
||||||
|
int rfd = -1, sverrno;
|
||||||
|
|
||||||
|
/* Open the user's file -- if this fails, we're done. */
|
||||||
|
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
||||||
|
+ if (fname != NULL &&
|
||||||
|
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
||||||
|
return (NULL);
|
||||||
|
|
||||||
|
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||||
|
Index: krb5-1.10.2/src/kdc/main.c
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/kdc/main.c
|
||||||
|
+++ krb5-1.10.2/src/kdc/main.c
|
||||||
|
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
|
||||||
|
FILE *file;
|
||||||
|
unsigned long pid;
|
||||||
|
|
||||||
|
- file = fopen(path, "w");
|
||||||
|
+ file = WRITABLEFOPEN(path, "w");
|
||||||
|
if (file == NULL)
|
||||||
|
return errno;
|
||||||
|
pid = (unsigned long) getpid();
|
||||||
|
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
|
||||||
|
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||||
|
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
|
||||||
|
return (errno);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
|
||||||
|
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
|
||||||
|
return (errno);
|
||||||
|
}
|
||||||
|
|
||||||
|
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
|
||||||
|
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||||
|
@@ -66,6 +66,7 @@ HEADERS= \
|
||||||
|
gssapi_err_generic.h \
|
||||||
|
k5-int.h \
|
||||||
|
k5-int-pkinit.h \
|
||||||
|
+ k5-label.h \
|
||||||
|
k5-thread.h \
|
||||||
|
k5-platform.h \
|
||||||
|
k5-buf.h \
|
||||||
|
@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
|
||||||
|
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
|
||||||
|
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
|
||||||
|
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
|
||||||
|
-k5-int.h: $(INCLUDE)/k5-int.h
|
||||||
|
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
|
||||||
|
$(CP) $(INCLUDE)/k5-int.h $@
|
||||||
|
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
|
||||||
|
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
|
||||||
|
+k5-label.h: $(INCLUDE)/k5-label.h
|
||||||
|
+ $(CP) $(INCLUDE)/k5-label.h $@
|
||||||
|
k5-thread.h: $(INCLUDE)/k5-thread.h
|
||||||
|
$(CP) $(INCLUDE)/k5-thread.h $@
|
||||||
|
k5-platform.h: $(INCLUDE)/k5-platform.h
|
3
krb5-1.10.2.tar.bz2
Normal file
3
krb5-1.10.2.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
|
||||||
|
size 9457236
|
@ -1,8 +1,8 @@
|
|||||||
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
|
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
|
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
|
||||||
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
|
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||||
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
|
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
|
||||||
status_string->value = NULL;
|
status_string->value = NULL;
|
||||||
|
|
||||||
if (! g_make_string_buffer(((status_value == 0)?no_error:
|
if (! g_make_string_buffer(((status_value == 0)?no_error:
|
||||||
|
@ -1,18 +1,16 @@
|
|||||||
Don't double-log (actually, don't process /etc/krb5.conf twice) just
|
Don't double-log (actually, don't process /etc/krb5.conf twice) just
|
||||||
because we built with --sysconfdir=/etc. RT#3277
|
because we built with --sysconfdir=/etc. RT#3277
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/include/Makefile.in
|
Index: krb5-1.10.2/src/include/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/include/Makefile.in
|
--- krb5-1.10.2.orig/src/include/Makefile.in
|
||||||
+++ krb5-1.9.1/src/include/Makefile.in
|
+++ krb5-1.10.2/src/include/Makefile.in
|
||||||
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
||||||
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
|
|
||||||
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
||||||
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
||||||
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
|
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
||||||
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
|
||||||
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
||||||
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
|
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
|
||||||
|
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
|
||||||
|
|
||||||
OSCONFSRC = $(srcdir)/osconf.hin
|
OSCONFSRC = $(srcdir)/osconf.hin
|
||||||
|
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
Omit extra libraries because their interfaces aren't exposed to applications
|
|
||||||
by libkrb5, unless do_deps is set to 1, which indicates that the caller
|
|
||||||
wants the whole list.
|
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/krb5-config.in
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/krb5-config.in
|
|
||||||
+++ krb5-1.9.1/src/krb5-config.in
|
|
||||||
@@ -221,7 +221,11 @@ if test -n "$do_libs"; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
if test $library = 'krb5'; then
|
|
||||||
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
|
||||||
+ if test 0$do_deps -eq 1 ; then
|
|
||||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
|
||||||
+ else
|
|
||||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
|
|
||||||
+ fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo $lib_flags
|
|
@ -2,10 +2,11 @@ Reference docs don't define what happens if you call krb5_realm_compare() with
|
|||||||
malformed krb5_principal structures. Define a behavior which keeps it from
|
malformed krb5_principal structures. Define a behavior which keeps it from
|
||||||
crashing if applications don't check ahead of time.
|
crashing if applications don't check ahead of time.
|
||||||
|
|
||||||
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
|
Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
|
||||||
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
|
===================================================================
|
||||||
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
|
--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
|
||||||
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
|
+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
|
||||||
|
@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
|
||||||
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
|
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
|
||||||
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
|
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
|
||||||
|
|
||||||
@ -18,7 +19,7 @@ diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/pr
|
|||||||
if (realm1->length != realm2->length)
|
if (realm1->length != realm2->length)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
|
@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||||
krb5_principal upn2 = NULL;
|
krb5_principal upn2 = NULL;
|
||||||
krb5_boolean ret = FALSE;
|
krb5_boolean ret = FALSE;
|
||||||
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
appl/sample/sserver/sserver.M
|
appl/sample/sserver/sserver.M
|
||||||
config-files/kdc.conf.M
|
config-files/kdc.conf.M
|
||||||
config-files/krb5.conf.M
|
config-files/krb5.conf.M
|
||||||
|
gen-manpages/kerberos.M
|
||||||
kadmin/cli/kadmin.M
|
kadmin/cli/kadmin.M
|
||||||
slave/kpropd.M
|
slave/kpropd.M
|
||||||
slave/kprop.M
|
slave/kprop.M
|
||||||
|
@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
|
|||||||
Originally RT#5939, though it's changed since then to perform the account
|
Originally RT#5939, though it's changed since then to perform the account
|
||||||
and session management before dropping privileges.
|
and session management before dropping privileges.
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/aclocal.m4
|
Index: krb5-1.10.2/src/aclocal.m4
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||||
+++ krb5-1.9.1/src/aclocal.m4
|
+++ krb5-1.10.2/src/aclocal.m4
|
||||||
@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||||
]))
|
]))
|
||||||
])dnl
|
])dnl
|
||||||
dnl
|
dnl
|
||||||
@ -86,10 +86,10 @@ Index: krb5-1.9.1/src/aclocal.m4
|
|||||||
+AC_SUBST(PAM_MAN)
|
+AC_SUBST(PAM_MAN)
|
||||||
+AC_SUBST(NON_PAM_MAN)
|
+AC_SUBST(NON_PAM_MAN)
|
||||||
+])dnl
|
+])dnl
|
||||||
Index: krb5-1.9.1/src/clients/ksu/main.c
|
Index: krb5-1.10.2/src/clients/ksu/main.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/clients/ksu/main.c
|
--- krb5-1.10.2.orig/src/clients/ksu/main.c
|
||||||
+++ krb5-1.9.1/src/clients/ksu/main.c
|
+++ krb5-1.10.2/src/clients/ksu/main.c
|
||||||
@@ -26,6 +26,7 @@
|
@@ -26,6 +26,7 @@
|
||||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||||
*/
|
*/
|
||||||
@ -117,7 +117,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
/***********/
|
/***********/
|
||||||
|
|
||||||
#define _DEF_CSH "/bin/csh"
|
#define _DEF_CSH "/bin/csh"
|
||||||
@@ -586,6 +592,25 @@ main (argc, argv)
|
@@ -584,6 +590,25 @@ main (argc, argv)
|
||||||
prog_name,target_user,client_name,
|
prog_name,target_user,client_name,
|
||||||
source_user,ontty());
|
source_user,ontty());
|
||||||
|
|
||||||
@ -142,8 +142,8 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
+
|
+
|
||||||
/* Run authorization as target.*/
|
/* Run authorization as target.*/
|
||||||
if (krb5_seteuid(target_uid)) {
|
if (krb5_seteuid(target_uid)) {
|
||||||
com_err(prog_name, errno, "while switching to target for authorization check");
|
com_err(prog_name, errno, _("while switching to target for "
|
||||||
@@ -651,6 +676,26 @@ main (argc, argv)
|
@@ -648,6 +673,26 @@ main (argc, argv)
|
||||||
sweep_up(ksu_context, cc_target);
|
sweep_up(ksu_context, cc_target);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
@ -170,7 +170,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
if( some_rest_copy){
|
if( some_rest_copy){
|
||||||
@@ -720,6 +765,32 @@ main (argc, argv)
|
@@ -717,6 +762,32 @@ main (argc, argv)
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -203,18 +203,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
/* set permissions */
|
/* set permissions */
|
||||||
if (setgid(target_pwd->pw_gid) < 0) {
|
if (setgid(target_pwd->pw_gid) < 0) {
|
||||||
perror("ksu: setgid");
|
perror("ksu: setgid");
|
||||||
@@ -792,7 +863,7 @@ main (argc, argv)
|
@@ -789,7 +860,7 @@ main (argc, argv)
|
||||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
- if( keep_target_cache ) {
|
- if( keep_target_cache ) {
|
||||||
+ if( keep_target_cache && !force_fork ) {
|
+ if( keep_target_cache && !force_fork ) {
|
||||||
execv(params[0], params);
|
execv(params[0], params);
|
||||||
com_err(prog_name, errno, "while trying to execv %s",
|
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||||
params[0]);
|
sweep_up(ksu_context, cc_target);
|
||||||
@@ -823,15 +894,34 @@ main (argc, argv)
|
@@ -819,16 +890,35 @@ main (argc, argv)
|
||||||
if (ret_pid == -1) {
|
if (ret_pid == -1) {
|
||||||
com_err(prog_name, errno, "while calling waitpid");
|
com_err(prog_name, errno, _("while calling waitpid"));
|
||||||
}
|
}
|
||||||
- sweep_up(ksu_context, cc_target);
|
- sweep_up(ksu_context, cc_target);
|
||||||
+ if( !keep_target_cache ) {
|
+ if( !keep_target_cache ) {
|
||||||
@ -222,7 +222,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
+ }
|
+ }
|
||||||
exit (statusp);
|
exit (statusp);
|
||||||
case -1:
|
case -1:
|
||||||
com_err(prog_name, errno, "while trying to fork.");
|
com_err(prog_name, errno, _("while trying to fork."));
|
||||||
sweep_up(ksu_context, cc_target);
|
sweep_up(ksu_context, cc_target);
|
||||||
exit (1);
|
exit (1);
|
||||||
case 0:
|
case 0:
|
||||||
@ -241,17 +241,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
|||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
execv(params[0], params);
|
execv(params[0], params);
|
||||||
com_err(prog_name, errno, "while trying to execv %s", params[0]);
|
com_err(prog_name, errno, _("while trying to execv %s"),
|
||||||
|
params[0]);
|
||||||
+ if( keep_target_cache ) {
|
+ if( keep_target_cache ) {
|
||||||
+ sweep_up(ksu_context, cc_target);
|
+ sweep_up(ksu_context, cc_target);
|
||||||
+ }
|
+ }
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Index: krb5-1.9.1/src/clients/ksu/Makefile.in
|
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/clients/ksu/Makefile.in
|
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
|
||||||
+++ krb5-1.9.1/src/clients/ksu/Makefile.in
|
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||||
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
|
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
|
||||||
PROG_RPATH=$(KRB5_LIBDIR)
|
PROG_RPATH=$(KRB5_LIBDIR)
|
||||||
|
|
||||||
@ -286,10 +287,10 @@ Index: krb5-1.9.1/src/clients/ksu/Makefile.in
|
|||||||
|
|
||||||
clean::
|
clean::
|
||||||
$(RM) ksu
|
$(RM) ksu
|
||||||
Index: krb5-1.9.1/src/clients/ksu/pam.c
|
Index: krb5-1.10.2/src/clients/ksu/pam.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ krb5-1.9.1/src/clients/ksu/pam.c
|
+++ krb5-1.10.2/src/clients/ksu/pam.c
|
||||||
@@ -0,0 +1,389 @@
|
@@ -0,0 +1,389 @@
|
||||||
+/*
|
+/*
|
||||||
+ * src/clients/ksu/pam.c
|
+ * src/clients/ksu/pam.c
|
||||||
@ -680,10 +681,10 @@ Index: krb5-1.9.1/src/clients/ksu/pam.c
|
|||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+#endif
|
+#endif
|
||||||
Index: krb5-1.9.1/src/clients/ksu/pam.h
|
Index: krb5-1.10.2/src/clients/ksu/pam.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ krb5-1.9.1/src/clients/ksu/pam.h
|
+++ krb5-1.10.2/src/clients/ksu/pam.h
|
||||||
@@ -0,0 +1,57 @@
|
@@ -0,0 +1,57 @@
|
||||||
+/*
|
+/*
|
||||||
+ * src/clients/ksu/pam.h
|
+ * src/clients/ksu/pam.h
|
||||||
@ -742,13 +743,13 @@ Index: krb5-1.9.1/src/clients/ksu/pam.h
|
|||||||
+int appl_pam_cred_init(void);
|
+int appl_pam_cred_init(void);
|
||||||
+void appl_pam_cleanup(void);
|
+void appl_pam_cleanup(void);
|
||||||
+#endif
|
+#endif
|
||||||
Index: krb5-1.9.1/src/configure.in
|
Index: krb5-1.10.2/src/configure.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/configure.in
|
--- krb5-1.10.2.orig/src/configure.in
|
||||||
+++ krb5-1.9.1/src/configure.in
|
+++ krb5-1.10.2/src/configure.in
|
||||||
@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
|
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
|
||||||
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
|
|
||||||
fi
|
fi
|
||||||
|
AC_SUBST(localedir)
|
||||||
|
|
||||||
+KRB5_WITH_PAM
|
+KRB5_WITH_PAM
|
||||||
+
|
+
|
||||||
|
@ -1,75 +0,0 @@
|
|||||||
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
|
|
||||||
index b473611..50c60b7 100644
|
|
||||||
--- a/src/plugins/kdb/db2/lockout.c
|
|
||||||
+++ b/src/plugins/kdb/db2/lockout.c
|
|
||||||
@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (entry == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
if (!db_ctx->disable_lockout) {
|
|
||||||
code = lookup_lockout_policy(context, entry, &max_fail,
|
|
||||||
&failcnt_interval, &lockout_duration);
|
|
||||||
@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
|
|
||||||
return code;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Don't continue to modify the DB for an already locked account.
|
|
||||||
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
|
|
||||||
+ * this check is unneeded, but in rare cases, we can fail with an
|
|
||||||
+ * integrity error or preauth failure before a policy check.)
|
|
||||||
+ */
|
|
||||||
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
/* Only mark the authentication as successful if the entry
|
|
||||||
* required preauthentication, otherwise we have no idea. */
|
|
||||||
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
|
|
||||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
index 552e39a..c2f44ab 100644
|
|
||||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
|
|
||||||
CHECK_LDAP_HANDLE(ldap_context);
|
|
||||||
|
|
||||||
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
|
|
||||||
+ st = KRB5_KDB_NOENTRY;
|
|
||||||
krb5_set_error_message (context, st, "Principal does not belong to realm");
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
|
||||||
index a218dc7..fd164dd 100644
|
|
||||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
|
||||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
|
||||||
@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (entry == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
if (!ldap_context->disable_lockout) {
|
|
||||||
code = lookup_lockout_policy(context, entry, &max_fail,
|
|
||||||
&failcnt_interval,
|
|
||||||
@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
|
|
||||||
return code;
|
|
||||||
}
|
|
||||||
|
|
||||||
- entry->mask = 0;
|
|
||||||
+ /*
|
|
||||||
+ * Don't continue to modify the DB for an already locked account.
|
|
||||||
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
|
|
||||||
+ * this check is unneeded, but in rare cases, we can fail with an
|
|
||||||
+ * integrity error or preauth failure before a policy check.)
|
|
||||||
+ */
|
|
||||||
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
|
|
||||||
+ entry->mask = 0;
|
|
||||||
|
|
||||||
/* Only mark the authentication as successful if the entry
|
|
||||||
* required preauthentication, otherwise we have no idea. */
|
|
@ -1,42 +0,0 @@
|
|||||||
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
|
|
||||||
index f46cad3..102fbaa 100644
|
|
||||||
--- a/src/kdc/Makefile.in
|
|
||||||
+++ b/src/kdc/Makefile.in
|
|
||||||
@@ -67,6 +67,7 @@ check-unix:: rtest
|
|
||||||
|
|
||||||
check-pytests::
|
|
||||||
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
|
|
||||||
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
|
|
||||||
|
|
||||||
install::
|
|
||||||
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
|
|
||||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
||||||
index c169c54..840a2ef 100644
|
|
||||||
--- a/src/kdc/do_tgs_req.c
|
|
||||||
+++ b/src/kdc/do_tgs_req.c
|
|
||||||
@@ -243,7 +243,8 @@ tgt_again:
|
|
||||||
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
|
|
||||||
errcode = find_alternate_tgs(request, &server);
|
|
||||||
firstpass = 0;
|
|
||||||
- goto tgt_again;
|
|
||||||
+ if (errcode == 0)
|
|
||||||
+ goto tgt_again;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
status = "UNKNOWN_SERVER";
|
|
||||||
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..1760bcd
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/kdc/t_emptytgt.py
|
|
||||||
@@ -0,0 +1,8 @@
|
|
||||||
+#!/usr/bin/python
|
|
||||||
+from k5test import *
|
|
||||||
+
|
|
||||||
+realm = K5Realm(start_kadmind=False, create_host=False)
|
|
||||||
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
|
|
||||||
+if 'not found in Kerberos database' not in output:
|
|
||||||
+ fail('TGT lookup for empty realm failed in unexpected way')
|
|
||||||
+success('Empty tgt lookup.')
|
|
||||||
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
Build binaries in this package as RELRO PIEs and install shared libraries with
|
|
||||||
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
|
|
||||||
where they might leak out and affect apps which just want to link with the
|
|
||||||
libraries. FIXME: needs to check and not just assume that the compiler supports
|
|
||||||
using these flags.
|
|
||||||
|
|
||||||
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
|
|
||||||
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
|
|
||||||
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
|
|
||||||
@@ -430,7 +430,8 @@
|
|
||||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
|
||||||
PROFFLAGS=-pg
|
|
||||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
|
||||||
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
|
||||||
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
|
|
||||||
+ INSTALL_SHLIB='${INSTALL} -m755'
|
|
||||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
|
||||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
|
||||||
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
|
||||||
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
|
|
||||||
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
|
||||||
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
|
||||||
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
|
|
||||||
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
|
|
||||||
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
|
|
||||||
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
|
||||||
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
|
|
||||||
+ -e 's#\$(CFLAGS)##'`
|
|
||||||
|
|
||||||
+ if test `dirname $libdir` = /usr ; then
|
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
|
||||||
+ fi
|
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
|
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
|
|
||||||
+
|
|
||||||
if test $library = 'kdb'; then
|
|
||||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
|
||||||
library=krb5
|
|
@ -1,61 +0,0 @@
|
|||||||
From RT#6917.
|
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
|
|
||||||
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
|
|
||||||
@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context,
|
|
||||||
|
|
||||||
/***** STATE_REFERRALS *****/
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * Possibly retry a request in the fallback realm after a referral request
|
|
||||||
- * failure in the local realm. Expects ctx->reply_code to be set to the error
|
|
||||||
- * from a referral request.
|
|
||||||
- */
|
|
||||||
+/* Possibly try a non-referral request after a referral request failure.
|
|
||||||
+ * Expects ctx->reply_code to be set to the error from a referral request. */
|
|
||||||
static krb5_error_code
|
|
||||||
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
|
|
||||||
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
|
|
||||||
{
|
|
||||||
krb5_error_code code;
|
|
||||||
char **hrealms;
|
|
||||||
@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context,
|
|
||||||
if (ctx->referral_count > 1)
|
|
||||||
return ctx->reply_code;
|
|
||||||
|
|
||||||
- /* Only fall back if the original request used the referral realm. */
|
|
||||||
+ /* If the request used a specified realm, make a non-referral request to
|
|
||||||
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
|
|
||||||
if (!krb5_is_referral_realm(&ctx->req_server->realm))
|
|
||||||
- return ctx->reply_code;
|
|
||||||
+ return begin_non_referral(context, ctx);
|
|
||||||
|
|
||||||
if (ctx->server->length < 2) {
|
|
||||||
/* We need a type/host format principal to find a fallback realm. */
|
|
||||||
@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context,
|
|
||||||
if (code != 0)
|
|
||||||
return code;
|
|
||||||
|
|
||||||
- /* Give up if the fallback realm isn't any different. */
|
|
||||||
+ /* If the fallback realm isn't any different, use the existing TGT. */
|
|
||||||
if (data_eq_string(ctx->server->realm, hrealms[0])) {
|
|
||||||
krb5_free_host_realm(context, hrealms);
|
|
||||||
- return ctx->reply_code;
|
|
||||||
+ return begin_non_referral(context, ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Rewrite server->realm to be the fallback realm. */
|
|
||||||
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb
|
|
||||||
krb5_error_code code;
|
|
||||||
const krb5_data *referral_realm;
|
|
||||||
|
|
||||||
- /* Possibly retry with the fallback realm on error. */
|
|
||||||
+ /* Possibly try a non-referral fallback request on error. */
|
|
||||||
if (ctx->reply_code != 0)
|
|
||||||
- return try_fallback_realm(context, ctx);
|
|
||||||
+ return try_fallback(context, ctx);
|
|
||||||
|
|
||||||
if (krb5_principal_compare(context, ctx->reply_creds->server,
|
|
||||||
ctx->server)) {
|
|
@ -1,14 +0,0 @@
|
|||||||
Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c
|
|
||||||
+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
|
|
||||||
@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st
|
|
||||||
|
|
||||||
if ((mech_type != GSS_C_NULL_OID) &&
|
|
||||||
!g_OID_equal(gss_mech_krb5, mech_type) &&
|
|
||||||
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
|
|
||||||
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
|
|
||||||
+ !g_OID_equal(gss_mech_iakerb, mech_type)) {
|
|
||||||
*minor_status = 0;
|
|
||||||
return(GSS_S_BAD_MECH);
|
|
||||||
}
|
|
@ -1,10 +1,10 @@
|
|||||||
Use an in-memory ccache to silence a compiler warning, for RT#6414.
|
Use an in-memory ccache to silence a compiler warning, for RT#6414.
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/slave/kprop.c
|
Index: krb5-1.10.2/src/slave/kprop.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/slave/kprop.c
|
--- krb5-1.10.2.orig/src/slave/kprop.c
|
||||||
+++ krb5-1.9.1/src/slave/kprop.c
|
+++ krb5-1.10.2/src/slave/kprop.c
|
||||||
@@ -188,9 +188,8 @@ void PRS(argc, argv)
|
@@ -186,9 +186,8 @@ void PRS(argc, argv)
|
||||||
void get_tickets(context)
|
void get_tickets(context)
|
||||||
krb5_context context;
|
krb5_context context;
|
||||||
{
|
{
|
||||||
@ -27,4 +27,4 @@ Index: krb5-1.9.1/src/slave/kprop.c
|
|||||||
-
|
-
|
||||||
retval = krb5_cc_resolve(context, buf, &ccache);
|
retval = krb5_cc_resolve(context, buf, &ccache);
|
||||||
if (retval) {
|
if (retval) {
|
||||||
com_err(progname, retval, "while opening credential cache %s",
|
com_err(progname, retval, _("while opening credential cache %s"), buf);
|
||||||
|
@ -3,11 +3,11 @@ values can be dropped in by config.status. After applying this patch,
|
|||||||
these files should be renamed to their ".in" counterparts, and then the
|
these files should be renamed to their ".in" counterparts, and then the
|
||||||
configure scripts should be rebuilt. Originally RT#6525
|
configure scripts should be rebuilt. Originally RT#6525
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/aclocal.m4
|
Index: krb5-1.10.2/src/aclocal.m4
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||||
+++ krb5-1.9.1/src/aclocal.m4
|
+++ krb5-1.10.2/src/aclocal.m4
|
||||||
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS)
|
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
|
||||||
AC_SUBST(PAM_MAN)
|
AC_SUBST(PAM_MAN)
|
||||||
AC_SUBST(NON_PAM_MAN)
|
AC_SUBST(NON_PAM_MAN)
|
||||||
])dnl
|
])dnl
|
||||||
@ -32,10 +32,32 @@ Index: krb5-1.9.1/src/aclocal.m4
|
|||||||
+AC_SUBST(manlibexecdir)
|
+AC_SUBST(manlibexecdir)
|
||||||
+AC_CONFIG_FILES($1)
|
+AC_CONFIG_FILES($1)
|
||||||
+])
|
+])
|
||||||
Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
Index: krb5-1.10.2/src/configure.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M
|
--- krb5-1.10.2.orig/src/configure.in
|
||||||
+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
+++ krb5-1.10.2/src/configure.in
|
||||||
|
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
|
||||||
|
KRB5_WITH_PAM
|
||||||
|
|
||||||
|
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||||
|
+
|
||||||
|
+V5_AC_OUTPUT_MANPAGE([
|
||||||
|
+ appl/sample/sserver/sserver.M
|
||||||
|
+ config-files/kdc.conf.M
|
||||||
|
+ config-files/krb5.conf.M
|
||||||
|
+ gen-manpages/kerberos.M
|
||||||
|
+ kadmin/cli/kadmin.M
|
||||||
|
+ slave/kpropd.M
|
||||||
|
+ slave/kprop.M
|
||||||
|
+])
|
||||||
|
+
|
||||||
|
V5_AC_OUTPUT_MAKEFILE(.
|
||||||
|
|
||||||
|
util util/support util/profile util/profile/testmod util/send-pr
|
||||||
|
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||||
|
===================================================================
|
||||||
|
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
|
||||||
|
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||||
@@ -59,7 +59,7 @@ option allows for a different keytab tha
|
@@ -59,7 +59,7 @@ option allows for a different keytab tha
|
||||||
using a line in
|
using a line in
|
||||||
/etc/inetd.conf that looks like this:
|
/etc/inetd.conf that looks like this:
|
||||||
@ -45,10 +67,10 @@ Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
|||||||
.PP
|
.PP
|
||||||
Since \fBsample\fP is normally not a port defined in /etc/services, you will
|
Since \fBsample\fP is normally not a port defined in /etc/services, you will
|
||||||
usually have to add a line to /etc/services which looks like this:
|
usually have to add a line to /etc/services which looks like this:
|
||||||
Index: krb5-1.9.1/src/config-files/kdc.conf.M
|
Index: krb5-1.10.2/src/config-files/kdc.conf.M
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/config-files/kdc.conf.M
|
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
|
||||||
+++ krb5-1.9.1/src/config-files/kdc.conf.M
|
+++ krb5-1.10.2/src/config-files/kdc.conf.M
|
||||||
@@ -92,14 +92,14 @@ This
|
@@ -92,14 +92,14 @@ This
|
||||||
.B string
|
.B string
|
||||||
specifies the location of the access control list (acl) file that
|
specifies the location of the access control list (acl) file that
|
||||||
@ -75,44 +97,36 @@ Index: krb5-1.9.1/src/config-files/kdc.conf.M
|
|||||||
|
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
krb5.conf(5), krb5kdc(8)
|
krb5.conf(5), krb5kdc(8)
|
||||||
Index: krb5-1.9.1/src/config-files/krb5.conf.M
|
Index: krb5-1.10.2/src/config-files/krb5.conf.M
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/config-files/krb5.conf.M
|
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
|
||||||
+++ krb5-1.9.1/src/config-files/krb5.conf.M
|
+++ krb5-1.10.2/src/config-files/krb5.conf.M
|
||||||
@@ -768,6 +768,6 @@ with another database such as Active Dir
|
@@ -808,6 +808,6 @@ This module implements the encrypted cha
|
||||||
in for this interface.
|
This module implements the encrypted timestamp mechanism.
|
||||||
|
|
||||||
.SH FILES
|
.SH FILES
|
||||||
-/etc/krb5.conf
|
-/etc/krb5.conf
|
||||||
+@mansysconfdir@/krb5.conf
|
+@mansysconfdir@/krb5.conf
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
syslog(3)
|
syslog(3)
|
||||||
Index: krb5-1.9.1/src/configure.in
|
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/configure.in
|
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
|
||||||
+++ krb5-1.9.1/src/configure.in
|
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||||
@@ -1128,6 +1128,16 @@ fi
|
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
|
||||||
KRB5_WITH_PAM
|
Specifies the location of the KDC configuration file, which contains
|
||||||
|
additional configuration directives for the Key Distribution Center
|
||||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
daemon and associated programs. The default is
|
||||||
+
|
-/usr/local/var/krb5kdc/kdc.conf.
|
||||||
+V5_AC_OUTPUT_MANPAGE([
|
+@manlocalstatedir@/krb5kdc/kdc.conf.
|
||||||
+ appl/sample/sserver/sserver.M
|
.TP
|
||||||
+ config-files/kdc.conf.M
|
.B KRB5RCACHETYPE
|
||||||
+ config-files/krb5.conf.M
|
Specifies the default type of replay cache to use for servers. Valid
|
||||||
+ kadmin/cli/kadmin.M
|
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||||
+ slave/kpropd.M
|
|
||||||
+ slave/kprop.M
|
|
||||||
+])
|
|
||||||
+
|
|
||||||
V5_AC_OUTPUT_MAKEFILE(.
|
|
||||||
|
|
||||||
util util/support util/profile util/send-pr
|
|
||||||
Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M
|
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
|
||||||
+++ krb5-1.9.1/src/kadmin/cli/kadmin.M
|
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||||
@@ -880,9 +880,9 @@ option is specified, less verbose status
|
@@ -924,9 +924,9 @@ option is specified, less verbose status
|
||||||
.RS
|
.RS
|
||||||
.TP
|
.TP
|
||||||
EXAMPLE:
|
EXAMPLE:
|
||||||
@ -124,19 +138,10 @@ Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
|
|||||||
kadmin:
|
kadmin:
|
||||||
.RE
|
.RE
|
||||||
.fi
|
.fi
|
||||||
@@ -924,7 +924,7 @@ passwords.
|
Index: krb5-1.10.2/src/slave/kpropd.M
|
||||||
.SH HISTORY
|
|
||||||
The
|
|
||||||
.B kadmin
|
|
||||||
-prorgam was originally written by Tom Yu at MIT, as an interface to the
|
|
||||||
+program was originally written by Tom Yu at MIT, as an interface to the
|
|
||||||
OpenVision Kerberos administration program.
|
|
||||||
.SH SEE ALSO
|
|
||||||
.IR kerberos (1),
|
|
||||||
Index: krb5-1.9.1/src/slave/kpropd.M
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/slave/kpropd.M
|
--- krb5-1.10.2.orig/src/slave/kpropd.M
|
||||||
+++ krb5-1.9.1/src/slave/kpropd.M
|
+++ krb5-1.10.2/src/slave/kpropd.M
|
||||||
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
|
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
|
||||||
This is done by adding a line to the inetd.conf file which looks like
|
This is done by adding a line to the inetd.conf file which looks like
|
||||||
this:
|
this:
|
||||||
@ -179,10 +184,10 @@ Index: krb5-1.9.1/src/slave/kpropd.M
|
|||||||
Each entry is a line containing the principal of a host from which the
|
Each entry is a line containing the principal of a host from which the
|
||||||
local machine will allow Kerberos database propagation via kprop.
|
local machine will allow Kerberos database propagation via kprop.
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
Index: krb5-1.9.1/src/slave/kprop.M
|
Index: krb5-1.10.2/src/slave/kprop.M
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.9.1.orig/src/slave/kprop.M
|
--- krb5-1.10.2.orig/src/slave/kprop.M
|
||||||
+++ krb5-1.9.1/src/slave/kprop.M
|
+++ krb5-1.10.2/src/slave/kprop.M
|
||||||
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
|
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
|
||||||
This is done by transmitting the dumped database file to the slave
|
This is done by transmitting the dumped database file to the slave
|
||||||
server over an encrypted, secure channel. The dump file must be created
|
server over an encrypted, secure channel. The dump file must be created
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
Upstream commit #24477.
|
|
||||||
diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c
|
|
||||||
--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400
|
|
||||||
+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400
|
|
||||||
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn
|
|
||||||
btime = (unsigned int)(2<<(*cnt));
|
|
||||||
if (btime > MAX_BACKOFF) {
|
|
||||||
btime = MAX_BACKOFF;
|
|
||||||
- *cnt--;
|
|
||||||
+ (*cnt)--;
|
|
||||||
}
|
|
||||||
|
|
||||||
return (btime);
|
|
@ -1,30 +0,0 @@
|
|||||||
From RT#6922. When we're converting a host/service pair into a principal
|
|
||||||
name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try
|
|
||||||
to avoid libc having doing a PTR lookup because we also specify
|
|
||||||
AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
|
|
||||||
|
|
||||||
Index: src/lib/krb5/os/sn2princ.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/sn2princ.c.orig
|
|
||||||
+++ src/lib/krb5/os/sn2princ.c
|
|
||||||
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
|
|
||||||
hostnames associated. */
|
|
||||||
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
- hints.ai_family = AF_INET;
|
|
||||||
- hints.ai_flags = AI_CANONNAME;
|
|
||||||
- try_getaddrinfo_again:
|
|
||||||
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
|
||||||
err = getaddrinfo(hostname, 0, &hints, &ai);
|
|
||||||
if (err) {
|
|
||||||
#ifdef DEBUG_REFERRALS
|
|
||||||
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
|
|
||||||
#endif
|
|
||||||
- if (hints.ai_family == AF_INET) {
|
|
||||||
- /* Just in case it's an IPv6-only name. */
|
|
||||||
- hints.ai_family = 0;
|
|
||||||
- goto try_getaddrinfo_again;
|
|
||||||
- }
|
|
||||||
return KRB5_ERR_BAD_HOSTNAME;
|
|
||||||
}
|
|
||||||
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
|
|
@ -1,122 +0,0 @@
|
|||||||
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
|
|
||||||
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
|
|
||||||
specify hints to getaddrinfo() to get the address of a server.
|
|
||||||
|
|
||||||
Index: src/plugins/locate/python/py-locate.c
|
|
||||||
===================================================================
|
|
||||||
--- src/plugins/locate/python/py-locate.c.orig
|
|
||||||
+++ src/plugins/locate/python/py-locate.c
|
|
||||||
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
aihints.ai_socktype = thissocktype;
|
|
||||||
+ aihints.ai_flags = AI_ADDRCONFIG;
|
|
||||||
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
|
|
||||||
if (x != 0)
|
|
||||||
continue;
|
|
||||||
Index: src/appl/sample/sclient/sclient.c
|
|
||||||
===================================================================
|
|
||||||
--- src/appl/sample/sclient/sclient.c.orig
|
|
||||||
+++ src/appl/sample/sclient/sclient.c
|
|
||||||
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
|
|
||||||
|
|
||||||
memset(&aihints, 0, sizeof(aihints));
|
|
||||||
aihints.ai_socktype = SOCK_STREAM;
|
|
||||||
+ aihints.ai_flags = AI_ADDRCONFIG;
|
|
||||||
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
|
|
||||||
if (aierr) {
|
|
||||||
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
|
|
||||||
Index: src/kadmin/dbutil/kadm5_create.c
|
|
||||||
===================================================================
|
|
||||||
--- src/kadmin/dbutil/kadm5_create.c.orig
|
|
||||||
+++ src/kadmin/dbutil/kadm5_create.c
|
|
||||||
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
|
|
||||||
goto clean_and_exit;
|
|
||||||
}
|
|
||||||
memset(&ai_hints, 0, sizeof(ai_hints));
|
|
||||||
- ai_hints.ai_flags = AI_CANONNAME;
|
|
||||||
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
|
||||||
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
|
|
||||||
if (gai_error) {
|
|
||||||
ret = EINVAL;
|
|
||||||
Index: src/lib/kadm5/alt_prof.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/kadm5/alt_prof.c.orig
|
|
||||||
+++ src/lib/kadm5/alt_prof.c
|
|
||||||
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
|
|
||||||
}
|
|
||||||
|
|
||||||
memset(&hint, 0, sizeof(hint));
|
|
||||||
- hint.ai_flags = AI_CANONNAME;
|
|
||||||
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
|
||||||
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
|
|
||||||
if (err != 0) {
|
|
||||||
ret = KADM5_CANT_RESOLVE;
|
|
||||||
Index: src/lib/kadm5/clnt/client_init.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/kadm5/clnt/client_init.c.orig
|
|
||||||
+++ src/lib/kadm5/clnt/client_init.c
|
|
||||||
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
|
|
||||||
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
|
|
||||||
memset(&hint, 0, sizeof(hint));
|
|
||||||
hint.ai_socktype = SOCK_STREAM;
|
|
||||||
+ hint.ai_flags = AI_ADDRCONFIG;
|
|
||||||
#ifdef AI_NUMERICSERV
|
|
||||||
- hint.ai_flags = AI_NUMERICSERV;
|
|
||||||
+ hint.ai_flags |= AI_NUMERICSERV;
|
|
||||||
#endif
|
|
||||||
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
|
|
||||||
if (err != 0)
|
|
||||||
Index: src/lib/krb5/os/hostaddr.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/hostaddr.c.orig
|
|
||||||
+++ src/lib/krb5/os/hostaddr.c
|
|
||||||
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
|
|
||||||
return KRB5_ERR_BAD_HOSTNAME;
|
|
||||||
|
|
||||||
memset (&hints, 0, sizeof (hints));
|
|
||||||
- hints.ai_flags = AI_NUMERICHOST;
|
|
||||||
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
|
|
||||||
/* We don't care what kind at this point, really, but without
|
|
||||||
this, we can get back multiple sockaddrs per address, for
|
|
||||||
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
|
|
||||||
Index: src/lib/krb5/os/hst_realm.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/hst_realm.c.orig
|
|
||||||
+++ src/lib/krb5/os/hst_realm.c
|
|
||||||
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
|
|
||||||
int err;
|
|
||||||
|
|
||||||
memset (&hints, 0, sizeof (hints));
|
|
||||||
- hints.ai_flags = AI_CANONNAME;
|
|
||||||
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
|
||||||
err = getaddrinfo (name, 0, &hints, &ai);
|
|
||||||
if (err)
|
|
||||||
return krb5int_translate_gai_error (err);
|
|
||||||
Index: src/slave/kprop.c
|
|
||||||
===================================================================
|
|
||||||
--- src/slave/kprop.c.orig
|
|
||||||
+++ src/slave/kprop.c
|
|
||||||
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
hints.ai_family = PF_UNSPEC;
|
|
||||||
hints.ai_socktype = SOCK_STREAM;
|
|
||||||
+ hints.ai_flags = AI_ADDRCONFIG;
|
|
||||||
error = getaddrinfo(host, port, &hints, &answers);
|
|
||||||
if (error != 0) {
|
|
||||||
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
|
|
||||||
Index: src/lib/krb5/os/locate_kdc.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/locate_kdc.c.orig
|
|
||||||
+++ src/lib/krb5/os/locate_kdc.c
|
|
||||||
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
|
|
||||||
memset(&hint, 0, sizeof(hint));
|
|
||||||
hint.ai_family = family;
|
|
||||||
hint.ai_socktype = socktype;
|
|
||||||
+ hint.ai_flags = AI_ADDRCONFIG;
|
|
||||||
#ifdef AI_NUMERICSERV
|
|
||||||
- hint.ai_flags = AI_NUMERICSERV;
|
|
||||||
+ hint.ai_flags |= AI_NUMERICSERV;
|
|
||||||
#endif
|
|
||||||
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
|
|
||||||
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
|
|
@ -1,624 +0,0 @@
|
|||||||
Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a
|
|
||||||
struct select_state has an alternate layout when USE_POLL is defined,
|
|
||||||
and if we detect <poll.h> at configure-time, have sendto_kdc.c define
|
|
||||||
USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases,
|
|
||||||
so that the previous behavior is preserved when <poll.h> is not found.
|
|
||||||
RT#6905
|
|
||||||
|
|
||||||
Index: src/include/cm.h
|
|
||||||
===================================================================
|
|
||||||
--- src/include/cm.h.orig
|
|
||||||
+++ src/include/cm.h
|
|
||||||
@@ -25,11 +25,20 @@
|
|
||||||
* or implied warranty.
|
|
||||||
*/
|
|
||||||
|
|
||||||
-/* Since fd_set is large on some platforms (8K on AIX 5.2), this
|
|
||||||
- probably shouldn't be allocated in automatic storage. */
|
|
||||||
+/*
|
|
||||||
+ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably
|
|
||||||
+ * shouldn't be allocated in automatic storage. Define USE_POLL and
|
|
||||||
+ * MAX_POLLFDS in the consumer of this header file to use poll state instead of
|
|
||||||
+ * select state.
|
|
||||||
+ */
|
|
||||||
struct select_state {
|
|
||||||
- int max, nfds;
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ struct pollfd fds[MAX_POLLFDS];
|
|
||||||
+#else
|
|
||||||
+ int max;
|
|
||||||
fd_set rfds, wfds, xfds;
|
|
||||||
+#endif
|
|
||||||
+ int nfds;
|
|
||||||
struct timeval end_time; /* magic: tv_sec==0 => never time out */
|
|
||||||
};
|
|
||||||
|
|
||||||
Index: src/configure.in
|
|
||||||
===================================================================
|
|
||||||
--- src/configure.in.orig
|
|
||||||
+++ src/configure.in
|
|
||||||
@@ -74,7 +74,7 @@ LIBUTIL=-lutil
|
|
||||||
])
|
|
||||||
AC_SUBST(LIBUTIL)
|
|
||||||
# for kdc
|
|
||||||
-AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h)
|
|
||||||
+AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h)
|
|
||||||
AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf)
|
|
||||||
AC_CHECK_FUNCS(strlcpy)
|
|
||||||
EXTRA_SUPPORT_SYMS=
|
|
||||||
@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h,
|
|
||||||
AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))])
|
|
||||||
|
|
||||||
KRB5_SIGTYPE
|
|
||||||
-AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
|
|
||||||
+AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
|
|
||||||
AC_HEADER_STDARG
|
|
||||||
KRB5_AC_INET6
|
|
||||||
|
|
||||||
Index: src/lib/krb5/os/cm.c
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ src/lib/krb5/os/cm.c
|
|
||||||
@@ -0,0 +1,97 @@
|
|
||||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
||||||
+/* lib/krb5/os/cm.c - Connection manager functions */
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
|
|
||||||
+ * All rights reserved.
|
|
||||||
+ *
|
|
||||||
+ * Export of this software from the United States of America may
|
|
||||||
+ * require a specific license from the United States Government.
|
|
||||||
+ * It is the responsibility of any person or organization contemplating
|
|
||||||
+ * export to obtain such a license before exporting.
|
|
||||||
+ *
|
|
||||||
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
||||||
+ * distribute this software and its documentation for any purpose and
|
|
||||||
+ * without fee is hereby granted, provided that the above copyright
|
|
||||||
+ * notice appear in all copies and that both that copyright notice and
|
|
||||||
+ * this permission notice appear in supporting documentation, and that
|
|
||||||
+ * the name of M.I.T. not be used in advertising or publicity pertaining
|
|
||||||
+ * to distribution of the software without specific, written prior
|
|
||||||
+ * permission. Furthermore if you modify this software you must label
|
|
||||||
+ * your software as modified software and not distribute it in such a
|
|
||||||
+ * fashion that it might be confused with the original M.I.T. software.
|
|
||||||
+ * M.I.T. makes no representations about the suitability of
|
|
||||||
+ * this software for any purpose. It is provided "as is" without express
|
|
||||||
+ * or implied warranty.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * This file include krb5int_cm_call_select, which is used by
|
|
||||||
+ * lib/apputils/net-server.c and sometimes by sendto_kdc.c.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "k5-int.h"
|
|
||||||
+#ifdef HAVE_SYS_SELECT_H
|
|
||||||
+#include <sys/select.h>
|
|
||||||
+#endif
|
|
||||||
+#ifdef _WIN32
|
|
||||||
+#include <sys/timeb.h>
|
|
||||||
+#endif
|
|
||||||
+#include "cm.h"
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+k5_getcurtime(struct timeval *tvp)
|
|
||||||
+{
|
|
||||||
+#ifdef _WIN32
|
|
||||||
+ struct _timeb tb;
|
|
||||||
+ _ftime(&tb);
|
|
||||||
+ tvp->tv_sec = tb.time;
|
|
||||||
+ tvp->tv_usec = tb.millitm * 1000;
|
|
||||||
+ /* Can _ftime fail? */
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
+ if (gettimeofday(tvp, 0))
|
|
||||||
+ return errno;
|
|
||||||
+ return 0;
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Call select and return results.
|
|
||||||
+ * Input: interesting file descriptors and absolute timeout
|
|
||||||
+ * Output: select return value (-1 or num fds ready) and fd_sets
|
|
||||||
+ * Return: 0 (for i/o available or timeout) or error code.
|
|
||||||
+ */
|
|
||||||
+krb5_error_code
|
|
||||||
+krb5int_cm_call_select (const struct select_state *in,
|
|
||||||
+ struct select_state *out, int *sret)
|
|
||||||
+{
|
|
||||||
+ struct timeval now, *timo;
|
|
||||||
+ krb5_error_code e;
|
|
||||||
+
|
|
||||||
+ *out = *in;
|
|
||||||
+ e = k5_getcurtime(&now);
|
|
||||||
+ if (e)
|
|
||||||
+ return e;
|
|
||||||
+ if (out->end_time.tv_sec == 0)
|
|
||||||
+ timo = 0;
|
|
||||||
+ else {
|
|
||||||
+ timo = &out->end_time;
|
|
||||||
+ out->end_time.tv_sec -= now.tv_sec;
|
|
||||||
+ out->end_time.tv_usec -= now.tv_usec;
|
|
||||||
+ if (out->end_time.tv_usec < 0) {
|
|
||||||
+ out->end_time.tv_usec += 1000000;
|
|
||||||
+ out->end_time.tv_sec--;
|
|
||||||
+ }
|
|
||||||
+ if (out->end_time.tv_sec < 0) {
|
|
||||||
+ *sret = 0;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
|
|
||||||
+ e = SOCKET_ERRNO;
|
|
||||||
+
|
|
||||||
+ if (*sret < 0)
|
|
||||||
+ return e;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
Index: src/lib/krb5/os/Makefile.in
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/Makefile.in.orig
|
|
||||||
+++ src/lib/krb5/os/Makefile.in
|
|
||||||
@@ -18,6 +18,7 @@ STLIBOBJS= \
|
|
||||||
def_realm.o \
|
|
||||||
ccdefname.o \
|
|
||||||
changepw.o \
|
|
||||||
+ cm.o \
|
|
||||||
dnsglue.o \
|
|
||||||
dnssrv.o \
|
|
||||||
free_krbhs.o \
|
|
||||||
@@ -62,6 +63,7 @@ OBJS= \
|
|
||||||
$(OUTPRE)def_realm.$(OBJEXT) \
|
|
||||||
$(OUTPRE)ccdefname.$(OBJEXT) \
|
|
||||||
$(OUTPRE)changepw.$(OBJEXT) \
|
|
||||||
+ $(OUTPRE)cm.$(OBJEXT) \
|
|
||||||
$(OUTPRE)dnsglue.$(OBJEXT) \
|
|
||||||
$(OUTPRE)dnssrv.$(OBJEXT) \
|
|
||||||
$(OUTPRE)free_krbhs.$(OBJEXT) \
|
|
||||||
@@ -106,6 +108,7 @@ SRCS= \
|
|
||||||
$(srcdir)/def_realm.c \
|
|
||||||
$(srcdir)/ccdefname.c \
|
|
||||||
$(srcdir)/changepw.c \
|
|
||||||
+ $(srcdir)/cm.c \
|
|
||||||
$(srcdir)/dnsglue.c \
|
|
||||||
$(srcdir)/dnssrv.c \
|
|
||||||
$(srcdir)/free_krbhs.c \
|
|
||||||
Index: src/lib/krb5/os/os-proto.h
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/os-proto.h.orig
|
|
||||||
+++ src/lib/krb5/os/os-proto.h
|
|
||||||
@@ -31,6 +31,10 @@
|
|
||||||
#ifndef KRB5_LIBOS_INT_PROTO__
|
|
||||||
#define KRB5_LIBOS_INT_PROTO__
|
|
||||||
|
|
||||||
+#ifdef HAVE_SYS_TIME_H
|
|
||||||
+#include <sys/time.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct addrlist;
|
|
||||||
krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *,
|
|
||||||
struct addrlist *, int, int, int);
|
|
||||||
@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos
|
|
||||||
/* The io vector is *not* const here, unlike writev()! */
|
|
||||||
int krb5int_net_writev (krb5_context, int, sg_buf *, int);
|
|
||||||
|
|
||||||
+int k5_getcurtime(struct timeval *tvp);
|
|
||||||
+
|
|
||||||
#include "k5-thread.h"
|
|
||||||
extern k5_mutex_t krb5int_us_time_mutex;
|
|
||||||
|
|
||||||
Index: src/lib/krb5/os/sendto_kdc.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/os/sendto_kdc.c.orig
|
|
||||||
+++ src/lib/krb5/os/sendto_kdc.c
|
|
||||||
@@ -32,17 +32,16 @@
|
|
||||||
#include "fake-addrinfo.h"
|
|
||||||
#include "k5-int.h"
|
|
||||||
|
|
||||||
-#ifdef HAVE_SYS_TIME_H
|
|
||||||
-#include <sys/time.h>
|
|
||||||
-#else
|
|
||||||
-#include <time.h>
|
|
||||||
-#endif
|
|
||||||
#include "os-proto.h"
|
|
||||||
#ifdef _WIN32
|
|
||||||
#include <sys/timeb.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef _AIX
|
|
||||||
+#if defined(HAVE_POLL_H)
|
|
||||||
+#include <poll.h>
|
|
||||||
+#define USE_POLL
|
|
||||||
+#define MAX_POLLFDS 1024
|
|
||||||
+#elif defined(HAVE_SYS_SELECT_H)
|
|
||||||
#include <sys/select.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, .
|
|
||||||
p = strerror(err);
|
|
||||||
putstr(p);
|
|
||||||
break;
|
|
||||||
- case 'F':
|
|
||||||
- /* %F => fd_set *, fd_set *, fd_set *, int */
|
|
||||||
- rfds = va_arg(args, fd_set *);
|
|
||||||
- wfds = va_arg(args, fd_set *);
|
|
||||||
- xfds = va_arg(args, fd_set *);
|
|
||||||
- maxfd = va_arg(args, int);
|
|
||||||
-
|
|
||||||
- for (i = 0; i < maxfd; i++) {
|
|
||||||
- int r = FD_ISSET(i, rfds);
|
|
||||||
- int w = wfds && FD_ISSET(i, wfds);
|
|
||||||
- int x = xfds && FD_ISSET(i, xfds);
|
|
||||||
- if (r || w || x) {
|
|
||||||
- putf(" %d", i);
|
|
||||||
- if (r)
|
|
||||||
- putstr("r");
|
|
||||||
- if (w)
|
|
||||||
- putstr("w");
|
|
||||||
- if (x)
|
|
||||||
- putstr("x");
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- putstr(" ");
|
|
||||||
- break;
|
|
||||||
case 's':
|
|
||||||
/* %s => char * */
|
|
||||||
p = va_arg(args, const char *);
|
|
||||||
@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c
|
|
||||||
|
|
||||||
#include "cm.h"
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-getcurtime (struct timeval *tvp)
|
|
||||||
+/*
|
|
||||||
+ * Currently only sendto_kdc.c knows how to use poll(); the other candidate
|
|
||||||
+ * user, lib/apputils/net-server.c, is stuck using select() for the moment
|
|
||||||
+ * since it is entangled with the RPC library. The following cm_* functions
|
|
||||||
+ * are not fully generic, are O(n^2) in the poll case, and are limited to
|
|
||||||
+ * handling 1024 connections (in order to maintain a constant-sized selstate).
|
|
||||||
+ * More rearchitecting would be appropriate before extending this support to
|
|
||||||
+ * the KDC and kadmind.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+cm_init_selstate(struct select_state *selstate)
|
|
||||||
{
|
|
||||||
-#ifdef _WIN32
|
|
||||||
- struct _timeb tb;
|
|
||||||
- _ftime(&tb);
|
|
||||||
- tvp->tv_sec = tb.time;
|
|
||||||
- tvp->tv_usec = tb.millitm * 1000;
|
|
||||||
- /* Can _ftime fail? */
|
|
||||||
- return 0;
|
|
||||||
+ selstate->nfds = 0;
|
|
||||||
+ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0;
|
|
||||||
+#ifndef USE_POLL
|
|
||||||
+ selstate->max = 0;
|
|
||||||
+ selstate->nfds = 0;
|
|
||||||
+ FD_ZERO(&selstate->rfds);
|
|
||||||
+ FD_ZERO(&selstate->wfds);
|
|
||||||
+ FD_ZERO(&selstate->xfds);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static krb5_boolean
|
|
||||||
+cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags)
|
|
||||||
+{
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ if (selstate->nfds >= MAX_POLLFDS)
|
|
||||||
+ return FALSE;
|
|
||||||
+ selstate->fds[selstate->nfds].fd = fd;
|
|
||||||
+ selstate->fds[selstate->nfds].events = 0;
|
|
||||||
+ if (ssflags & SSF_READ)
|
|
||||||
+ selstate->fds[selstate->nfds].events |= POLLIN;
|
|
||||||
+ if (ssflags & SSF_WRITE)
|
|
||||||
+ selstate->fds[selstate->nfds].events |= POLLOUT;
|
|
||||||
+#else
|
|
||||||
+#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
|
|
||||||
+ if (fd >= FD_SETSIZE)
|
|
||||||
+ return FALSE;
|
|
||||||
+#endif
|
|
||||||
+ if (ssflags & SSF_READ)
|
|
||||||
+ FD_SET(fd, &selstate->rfds);
|
|
||||||
+ if (ssflags & SSF_WRITE)
|
|
||||||
+ FD_SET(fd, &selstate->wfds);
|
|
||||||
+ if (ssflags & SSF_EXCEPTION)
|
|
||||||
+ FD_SET(fd, &selstate->xfds);
|
|
||||||
+ if (selstate->max <= fd)
|
|
||||||
+ selstate->max = fd + 1;
|
|
||||||
+#endif
|
|
||||||
+ selstate->nfds++;
|
|
||||||
+ return TRUE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+cm_remove_fd(struct select_state *selstate, int fd)
|
|
||||||
+{
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ /* Find the FD in the array and move the last entry to its place. */
|
|
||||||
+ assert(selstate->nfds > 0);
|
|
||||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
|
||||||
+ assert(i < selstate->nfds);
|
|
||||||
+ selstate->fds[i] = selstate->fds[selstate->nfds - 1];
|
|
||||||
#else
|
|
||||||
- if (gettimeofday(tvp, 0)) {
|
|
||||||
- dperror("gettimeofday");
|
|
||||||
- return errno;
|
|
||||||
+ FD_CLR(fd, &selstate->rfds);
|
|
||||||
+ FD_CLR(fd, &selstate->wfds);
|
|
||||||
+ FD_CLR(fd, &selstate->xfds);
|
|
||||||
+ if (selstate->max == 1 + fd) {
|
|
||||||
+ while (selstate->max > 0
|
|
||||||
+ && ! FD_ISSET(selstate->max-1, &selstate->rfds)
|
|
||||||
+ && ! FD_ISSET(selstate->max-1, &selstate->wfds)
|
|
||||||
+ && ! FD_ISSET(selstate->max-1, &selstate->xfds))
|
|
||||||
+ selstate->max--;
|
|
||||||
+ dprint("new max_fd + 1 is %d\n", selstate->max);
|
|
||||||
}
|
|
||||||
- return 0;
|
|
||||||
#endif
|
|
||||||
+ selstate->nfds--;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * Call select and return results.
|
|
||||||
- * Input: interesting file descriptors and absolute timeout
|
|
||||||
- * Output: select return value (-1 or num fds ready) and fd_sets
|
|
||||||
- * Return: 0 (for i/o available or timeout) or error code.
|
|
||||||
- */
|
|
||||||
-krb5_error_code
|
|
||||||
-krb5int_cm_call_select (const struct select_state *in,
|
|
||||||
- struct select_state *out, int *sret)
|
|
||||||
+static void
|
|
||||||
+cm_unset_write(struct select_state *selstate, int fd)
|
|
||||||
{
|
|
||||||
- struct timeval now, *timo;
|
|
||||||
- krb5_error_code e;
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ int i;
|
|
||||||
|
|
||||||
- *out = *in;
|
|
||||||
- e = getcurtime(&now);
|
|
||||||
- if (e)
|
|
||||||
- return e;
|
|
||||||
- if (out->end_time.tv_sec == 0)
|
|
||||||
- timo = 0;
|
|
||||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
|
||||||
+ assert(i < selstate->nfds);
|
|
||||||
+ selstate->fds[i].events &= ~POLLOUT;
|
|
||||||
+#else
|
|
||||||
+ FD_CLR(fd, &selstate->wfds);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static krb5_error_code
|
|
||||||
+cm_select_or_poll(const struct select_state *in, struct select_state *out,
|
|
||||||
+ int *sret)
|
|
||||||
+{
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ struct timeval now;
|
|
||||||
+ int e, timeout;
|
|
||||||
+
|
|
||||||
+ if (in->end_time.tv_sec == 0)
|
|
||||||
+ timeout = -1;
|
|
||||||
else {
|
|
||||||
- timo = &out->end_time;
|
|
||||||
- out->end_time.tv_sec -= now.tv_sec;
|
|
||||||
- out->end_time.tv_usec -= now.tv_usec;
|
|
||||||
- if (out->end_time.tv_usec < 0) {
|
|
||||||
- out->end_time.tv_usec += 1000000;
|
|
||||||
- out->end_time.tv_sec--;
|
|
||||||
- }
|
|
||||||
- if (out->end_time.tv_sec < 0) {
|
|
||||||
- *sret = 0;
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
+ e = k5_getcurtime(&now);
|
|
||||||
+ if (e)
|
|
||||||
+ return e;
|
|
||||||
+ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 +
|
|
||||||
+ (in->end_time.tv_usec - now.tv_usec) / 1000;
|
|
||||||
}
|
|
||||||
- dprint("selecting on max=%d sockets [%F] timeout %t\n",
|
|
||||||
- out->max,
|
|
||||||
- &out->rfds, &out->wfds, &out->xfds, out->max,
|
|
||||||
- timo);
|
|
||||||
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
|
|
||||||
+ /* We don't need a separate copy of the selstate for poll, but use one
|
|
||||||
+ * anyone for consistency with the select wrapper. */
|
|
||||||
+ *out = *in;
|
|
||||||
+ *sret = poll(out->fds, out->nfds, timeout);
|
|
||||||
e = SOCKET_ERRNO;
|
|
||||||
+ return (*sret < 0) ? e : 0;
|
|
||||||
+#else
|
|
||||||
+ /* Use the select wrapper from cm.c. */
|
|
||||||
+ return krb5int_cm_call_select(in, out, sret);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
|
|
||||||
- dprint("select returns %d", *sret);
|
|
||||||
- if (*sret < 0)
|
|
||||||
- dprint(", error = %E\n", e);
|
|
||||||
- else if (*sret == 0)
|
|
||||||
- dprint(" (timeout)\n");
|
|
||||||
- else
|
|
||||||
- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
|
|
||||||
+static unsigned int
|
|
||||||
+cm_get_ssflags(struct select_state *selstate, int fd)
|
|
||||||
+{
|
|
||||||
+ unsigned int ssflags = 0;
|
|
||||||
+#ifdef USE_POLL
|
|
||||||
+ int i;
|
|
||||||
|
|
||||||
- if (*sret < 0)
|
|
||||||
- return e;
|
|
||||||
- return 0;
|
|
||||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
|
||||||
+ assert(i < selstate->nfds);
|
|
||||||
+ if (selstate->fds[i].revents & POLLIN)
|
|
||||||
+ ssflags |= SSF_READ;
|
|
||||||
+ if (selstate->fds[i].revents & POLLOUT)
|
|
||||||
+ ssflags |= SSF_WRITE;
|
|
||||||
+ if (selstate->fds[i].revents & POLLERR)
|
|
||||||
+ ssflags |= SSF_EXCEPTION;
|
|
||||||
+#else
|
|
||||||
+ if (FD_ISSET(fd, &selstate->rfds))
|
|
||||||
+ ssflags |= SSF_READ;
|
|
||||||
+ if (FD_ISSET(fd, &selstate->wfds))
|
|
||||||
+ ssflags |= SSF_WRITE;
|
|
||||||
+ if (FD_ISSET(fd, &selstate->xfds))
|
|
||||||
+ ssflags |= SSF_EXCEPTION;
|
|
||||||
+#endif
|
|
||||||
+ return ssflags;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int service_tcp_fd(krb5_context context, struct conn_state *conn,
|
|
||||||
@@ -657,6 +712,7 @@ start_connection(krb5_context context, s
|
|
||||||
krb5_data *callback_buffer)
|
|
||||||
{
|
|
||||||
int fd, e;
|
|
||||||
+ unsigned int ssflags;
|
|
||||||
struct addrinfo *ai = state->addr;
|
|
||||||
|
|
||||||
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
|
|
||||||
@@ -667,14 +723,6 @@ start_connection(krb5_context context, s
|
|
||||||
dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
|
|
||||||
return -1; /* try other hosts */
|
|
||||||
}
|
|
||||||
-#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
|
|
||||||
- if (fd >= FD_SETSIZE) {
|
|
||||||
- closesocket(fd);
|
|
||||||
- state->err = EMFILE;
|
|
||||||
- dprint("socket: fd %d too high\n", fd);
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
set_cloexec_fd(fd);
|
|
||||||
/* Make it non-blocking. */
|
|
||||||
if (ai->ai_socktype == SOCK_STREAM) {
|
|
||||||
@@ -778,16 +826,15 @@ start_connection(krb5_context context, s
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
- FD_SET(state->fd, &selstate->rfds);
|
|
||||||
+ ssflags = SSF_READ | SSF_EXCEPTION;
|
|
||||||
if (state->state == CONNECTING || state->state == WRITING)
|
|
||||||
- FD_SET(state->fd, &selstate->wfds);
|
|
||||||
- FD_SET(state->fd, &selstate->xfds);
|
|
||||||
- if (selstate->max <= state->fd)
|
|
||||||
- selstate->max = state->fd + 1;
|
|
||||||
- selstate->nfds++;
|
|
||||||
-
|
|
||||||
- dprint("new select vectors: %F\n",
|
|
||||||
- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
|
|
||||||
+ ssflags |= SSF_WRITE;
|
|
||||||
+ if (!cm_add_fd(selstate, state->fd, ssflags)) {
|
|
||||||
+ (void) closesocket(state->fd);
|
|
||||||
+ state->fd = INVALID_SOCKET;
|
|
||||||
+ state->state = FAILED;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -849,22 +896,11 @@ static void
|
|
||||||
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
|
|
||||||
{
|
|
||||||
conn->state = FAILED;
|
|
||||||
- shutdown(conn->fd, SHUTDOWN_BOTH);
|
|
||||||
- FD_CLR(conn->fd, &selstate->rfds);
|
|
||||||
- FD_CLR(conn->fd, &selstate->wfds);
|
|
||||||
- FD_CLR(conn->fd, &selstate->xfds);
|
|
||||||
conn->err = err;
|
|
||||||
+ shutdown(conn->fd, SHUTDOWN_BOTH);
|
|
||||||
+ cm_remove_fd(selstate, conn->fd);
|
|
||||||
dprint("abandoning connection %d: %m\n", conn->fd, err);
|
|
||||||
/* Fix up max fd for next select call. */
|
|
||||||
- if (selstate->max == 1 + conn->fd) {
|
|
||||||
- while (selstate->max > 0
|
|
||||||
- && ! FD_ISSET(selstate->max-1, &selstate->rfds)
|
|
||||||
- && ! FD_ISSET(selstate->max-1, &selstate->wfds)
|
|
||||||
- && ! FD_ISSET(selstate->max-1, &selstate->xfds))
|
|
||||||
- selstate->max--;
|
|
||||||
- dprint("new max_fd + 1 is %d\n", selstate->max);
|
|
||||||
- }
|
|
||||||
- selstate->nfds--;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check socket for error. */
|
|
||||||
@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str
|
|
||||||
/* Done writing, switch to reading. */
|
|
||||||
/* Don't call shutdown at this point because
|
|
||||||
* some implementations cannot deal with half-closed connections.*/
|
|
||||||
- FD_CLR(conn->fd, &selstate->wfds);
|
|
||||||
+ cm_unset_write(selstate, conn->fd);
|
|
||||||
/* Q: How do we detect failures to send the remaining data
|
|
||||||
to the remote side, since we're in non-blocking mode?
|
|
||||||
Will we always get errors on the reading side? */
|
|
||||||
@@ -1100,7 +1136,8 @@ service_fds (krb5_context context,
|
|
||||||
while (selstate->nfds > 0) {
|
|
||||||
unsigned int i;
|
|
||||||
|
|
||||||
- e = krb5int_cm_call_select(selstate, seltemp, &selret);
|
|
||||||
+ selret = 0;
|
|
||||||
+ e = cm_select_or_poll(selstate, seltemp, &selret);
|
|
||||||
if (e == EINTR)
|
|
||||||
continue;
|
|
||||||
if (e != 0)
|
|
||||||
@@ -1113,18 +1150,12 @@ service_fds (krb5_context context,
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* Got something on a socket, process it. */
|
|
||||||
- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
|
|
||||||
+ for (i = 0; i < n_conns; i++) {
|
|
||||||
int ssflags;
|
|
||||||
|
|
||||||
if (conns[i].fd == INVALID_SOCKET)
|
|
||||||
continue;
|
|
||||||
- ssflags = 0;
|
|
||||||
- if (FD_ISSET(conns[i].fd, &seltemp->rfds))
|
|
||||||
- ssflags |= SSF_READ, selret--;
|
|
||||||
- if (FD_ISSET(conns[i].fd, &seltemp->wfds))
|
|
||||||
- ssflags |= SSF_WRITE, selret--;
|
|
||||||
- if (FD_ISSET(conns[i].fd, &seltemp->xfds))
|
|
||||||
- ssflags |= SSF_EXCEPTION, selret--;
|
|
||||||
+ ssflags = cm_get_ssflags(seltemp, conns[i].fd);
|
|
||||||
if (!ssflags)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co
|
|
||||||
retval = ENOMEM;
|
|
||||||
goto egress;
|
|
||||||
}
|
|
||||||
- sel_state->max = 0;
|
|
||||||
- sel_state->nfds = 0;
|
|
||||||
- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0;
|
|
||||||
- FD_ZERO(&sel_state->rfds);
|
|
||||||
- FD_ZERO(&sel_state->wfds);
|
|
||||||
- FD_ZERO(&sel_state->xfds);
|
|
||||||
+ cm_init_selstate(sel_state);
|
|
||||||
|
|
||||||
|
|
||||||
/* Set up connections. */
|
|
||||||
@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co
|
|
||||||
(callback_info ? &callback_data[host] : NULL)))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
- retval = getcurtime(&now);
|
|
||||||
+ retval = k5_getcurtime(&now);
|
|
||||||
if (retval)
|
|
||||||
goto egress;
|
|
||||||
sel_state->end_time = now;
|
|
||||||
@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co
|
|
||||||
}
|
|
||||||
if (e)
|
|
||||||
break;
|
|
||||||
- retval = getcurtime(&now);
|
|
||||||
+ retval = k5_getcurtime(&now);
|
|
||||||
if (retval)
|
|
||||||
goto egress;
|
|
||||||
/* Possible optimization: Find a way to integrate this select
|
|
@ -1,22 +0,0 @@
|
|||||||
RT#6951
|
|
||||||
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
|
|
||||||
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
|
|
||||||
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
|
|
||||||
static void
|
|
||||||
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
|
|
||||||
{
|
|
||||||
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
|
|
||||||
+ cm_remove_fd(selstate, conn->fd);
|
|
||||||
+ closesocket(conn->fd);
|
|
||||||
+ conn->fd = INVALID_SOCKET;
|
|
||||||
conn->state = FAILED;
|
|
||||||
conn->err = err;
|
|
||||||
- shutdown(conn->fd, SHUTDOWN_BOTH);
|
|
||||||
- cm_remove_fd(selstate, conn->fd);
|
|
||||||
- dprint("abandoning connection %d: %m\n", conn->fd, err);
|
|
||||||
- /* Fix up max fd for next select call. */
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check socket for error. */
|
|
@ -1,18 +0,0 @@
|
|||||||
If we exit the transmit loop cleanly, don't overestimate the size of the
|
|
||||||
connections array. This bug appears to have been removed upstream when
|
|
||||||
this function was rewritten in trunk, and the select()-based implementation
|
|
||||||
is still what's in 1.9, so this patch has nowhere to go.
|
|
||||||
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
|
|
||||||
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
|
|
||||||
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
|
|
||||||
call with the last one from the above loop, if the loop
|
|
||||||
actually calls select. */
|
|
||||||
sel_state->end_time.tv_sec += delay_this_pass;
|
|
||||||
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
|
|
||||||
+ i = host+1;
|
|
||||||
+ if (i > n_conns)
|
|
||||||
+ i = n_conns;
|
|
||||||
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
|
|
||||||
sel_state+1, msg_handler, msg_handler_data);
|
|
||||||
if (e)
|
|
||||||
break;
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc
|
|
||||||
size 10126613
|
|
@ -16,14 +16,13 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Name: krb5-doc
|
Name: krb5-doc
|
||||||
BuildRequires: ghostscript-library
|
BuildRequires: ghostscript-library
|
||||||
BuildRequires: latex2html
|
BuildRequires: latex2html
|
||||||
BuildRequires: texlive
|
BuildRequires: texlive
|
||||||
Version: 1.9.1
|
Version: 1.10.2
|
||||||
Release: 0
|
Release: 0
|
||||||
%define srcRoot krb5-1.9.1
|
%define srcRoot krb5-1.10.2
|
||||||
Summary: MIT Kerberos5 Implementation--Documentation
|
Summary: MIT Kerberos5 Implementation--Documentation
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Documentation/Other
|
Group: Documentation/Other
|
||||||
|
@ -1,29 +0,0 @@
|
|||||||
Don't trip over referral entries. RT#6915
|
|
||||||
|
|
||||||
Index: krb5-1.9.1/src/clients/klist/klist.c
|
|
||||||
===================================================================
|
|
||||||
--- krb5-1.9.1.orig/src/clients/klist/klist.c
|
|
||||||
+++ krb5-1.9.1/src/clients/klist/klist.c
|
|
||||||
@@ -28,7 +28,7 @@
|
|
||||||
* List out the contents of your credential cache or keytab.
|
|
||||||
*/
|
|
||||||
|
|
||||||
-#include "autoconf.h"
|
|
||||||
+#include "k5-int.h"
|
|
||||||
#include <krb5.h>
|
|
||||||
#include <com_err.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
@@ -390,10 +390,9 @@ void do_ccache(name)
|
|
||||||
continue;
|
|
||||||
if (status_only) {
|
|
||||||
if (exit_status && creds.server->length == 2 &&
|
|
||||||
- strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
|
|
||||||
- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
|
|
||||||
- strcmp((char *)creds.server->data[1].data,
|
|
||||||
- princ->realm.data) == 0 &&
|
|
||||||
+ data_eq(creds.server->realm, princ->realm) &&
|
|
||||||
+ data_eq_string(creds.server->data[0], "krbtgt") &&
|
|
||||||
+ data_eq(creds.server->data[1], princ->realm) &&
|
|
||||||
creds.times.endtime > now)
|
|
||||||
exit_status = 0;
|
|
||||||
} else {
|
|
@ -1,7 +1,62 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jan 31 15:32:51 CET 2012 - meissner@suse.de
|
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
|
||||||
|
|
||||||
- fix License in krb5-mini
|
- update to version 1.10.2
|
||||||
|
obsolte patches:
|
||||||
|
* krb5-1.7-nodeplibs.patch
|
||||||
|
* krb5-1.9.1-ai_addrconfig.patch
|
||||||
|
* krb5-1.9.1-ai_addrconfig2.patch
|
||||||
|
* krb5-1.9.1-sendto_poll.patch
|
||||||
|
* krb5-1.9-canonicalize-fallback.patch
|
||||||
|
* krb5-1.9-paren.patch
|
||||||
|
* krb5-klist_s.patch
|
||||||
|
* krb5-pkinit-cms2.patch
|
||||||
|
* krb5-trunk-chpw-err.patch
|
||||||
|
* krb5-trunk-gss_delete_sec.patch
|
||||||
|
* krb5-trunk-kadmin-oldproto.patch
|
||||||
|
* krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||||
|
* krb5-1.9-gss_display_status-iakerb.patch
|
||||||
|
* krb5-1.9.1-sendto_poll2.patch
|
||||||
|
* krb5-1.9.1-sendto_poll3.patch
|
||||||
|
* krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||||
|
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
|
||||||
|
Controllers.
|
||||||
|
- Update a workaround for a glibc bug that would cause DNS PTR queries
|
||||||
|
to occur even when rdns = false.
|
||||||
|
- Fix a kadmind denial of service issue (null pointer dereference),
|
||||||
|
which could only be triggered by an administrator with the "create"
|
||||||
|
privilege. [CVE-2012-1013]
|
||||||
|
- Fix access controls for KDB string attributes [CVE-2012-1012]
|
||||||
|
- Make the ASN.1 encoding of key version numbers interoperate with
|
||||||
|
Windows Read-Only Domain Controllers
|
||||||
|
- Avoid generating spurious password expiry warnings in cases where
|
||||||
|
the KDC sends an account expiry time without a password expiry time
|
||||||
|
- Make PKINIT work with FAST in the client library.
|
||||||
|
- Add the DIR credential cache type, which can hold a collection of
|
||||||
|
credential caches.
|
||||||
|
- Enhance kinit, klist, and kdestroy to support credential cache
|
||||||
|
collections if the cache type supports it.
|
||||||
|
- Add the kswitch command, which changes the selected default cache
|
||||||
|
within a collection.
|
||||||
|
- Add heuristic support for choosing client credentials based on
|
||||||
|
the service realm.
|
||||||
|
- Add support for $HOME/.k5identity, which allows credential
|
||||||
|
choice based on configured rules.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
|
||||||
|
|
||||||
|
- add autoconf macro to devel subpackage
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
|
||||||
|
|
||||||
|
- fix license in krb5-mini
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
|
||||||
|
|
||||||
|
- add autoconf as buildrequire to avoid implicit dependency
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
|
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 1
|
%define build_mini 1
|
||||||
%define srcRoot krb5-1.9.1
|
%define srcRoot krb5-1.10.2
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.9.1
|
Version: 1.10.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
|
|||||||
%endif
|
%endif
|
||||||
#
|
#
|
||||||
%endif
|
%endif
|
||||||
Source: krb5-1.9.1.tar.bz2
|
Source: krb5-%{version}.tar.bz2
|
||||||
Source1: vendor-files.tar.bz2
|
Source1: vendor-files.tar.bz2
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
Source5: krb5-rpmlintrc
|
Source5: krb5-rpmlintrc
|
||||||
Source10: krb5-1.8-manpaths.txt
|
Source10: krb5-1.8-manpaths.txt
|
||||||
Patch1: krb5-1.9-buildconf.patch
|
Patch1: krb5-1.10-buildconf.patch
|
||||||
Patch3: krb5-1.9-manpaths.dif
|
Patch3: krb5-1.9-manpaths.dif
|
||||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||||
Patch6: krb5-1.6.3-kpasswd_tcp.patch
|
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||||
Patch10: krb5-1.7-doublelog.patch
|
Patch10: krb5-1.7-doublelog.patch
|
||||||
Patch11: krb5-1.7-nodeplibs.patch
|
|
||||||
Patch12: krb5-1.8-api.patch
|
Patch12: krb5-1.8-api.patch
|
||||||
Patch13: krb5-1.8-pam.patch
|
Patch13: krb5-1.8-pam.patch
|
||||||
Patch14: krb5-1.9.1-ai_addrconfig.patch
|
|
||||||
Patch15: krb5-1.9.1-ai_addrconfig2.patch
|
|
||||||
Patch16: krb5-1.9.1-sendto_poll.patch
|
|
||||||
Patch17: krb5-1.9-canonicalize-fallback.patch
|
|
||||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||||
Patch19: krb5-1.9-ksu-path.patch
|
Patch19: krb5-1.9-ksu-path.patch
|
||||||
Patch20: krb5-1.9-paren.patch
|
Patch20: krb5-1.10-gcc47.patch
|
||||||
Patch21: krb5-1.9-selinux-label.patch
|
Patch21: krb5-1.10-selinux-label.patch
|
||||||
Patch22: krb5-klist_s.patch
|
|
||||||
Patch23: krb5-pkinit-cms2.patch
|
|
||||||
Patch24: krb5-trunk-chpw-err.patch
|
|
||||||
Patch25: krb5-trunk-gss_delete_sec.patch
|
|
||||||
Patch26: krb5-trunk-kadmin-oldproto.patch
|
|
||||||
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
|
|
||||||
Patch31: krb5-1.9-gss_display_status-iakerb.patch
|
|
||||||
Patch32: krb5-1.9.1-sendto_poll2.patch
|
|
||||||
Patch33: krb5-1.9.1-sendto_poll3.patch
|
|
||||||
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %insserv_prereq %fillup_prereq
|
PreReq: %insserv_prereq %fillup_prereq
|
||||||
@ -119,8 +104,9 @@ Authors:
|
|||||||
%package server
|
%package server
|
||||||
Summary: MIT Kerberos5 implementation - server
|
Summary: MIT Kerberos5 implementation - server
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
|
Requires: cron
|
||||||
|
Requires: logrotate
|
||||||
Requires: perl-Date-Calc
|
Requires: perl-Date-Calc
|
||||||
Requires: logrotate cron
|
|
||||||
PreReq: %insserv_prereq %fillup_prereq
|
PreReq: %insserv_prereq %fillup_prereq
|
||||||
|
|
||||||
%description server
|
%description server
|
||||||
@ -182,8 +168,8 @@ Authors:
|
|||||||
Summary: MIT Kerberos5 - Include Files and Libraries
|
Summary: MIT Kerberos5 - Include Files and Libraries
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
PreReq: %{name} = %{version}
|
PreReq: %{name} = %{version}
|
||||||
Requires: libcom_err-devel
|
|
||||||
Requires: keyutils-devel
|
Requires: keyutils-devel
|
||||||
|
Requires: libcom_err-devel
|
||||||
# bug437293
|
# bug437293
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
Obsoletes: krb5-devel-64bit
|
Obsoletes: krb5-devel-64bit
|
||||||
@ -216,28 +202,13 @@ Authors:
|
|||||||
%patch21 -p1
|
%patch21 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch14
|
|
||||||
%patch15
|
|
||||||
%patch16
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
%patch18 -p1
|
||||||
%patch19 -p1
|
%patch19 -p1
|
||||||
%patch20 -p1
|
%patch20
|
||||||
%patch22 -p1
|
|
||||||
%patch23 -p1
|
|
||||||
%patch24
|
|
||||||
%patch25 -p1
|
|
||||||
%patch26
|
|
||||||
%patch30 -p1
|
|
||||||
%patch31 -p1
|
|
||||||
%patch32 -p1
|
|
||||||
%patch33 -p1
|
|
||||||
%patch34 -p1
|
|
||||||
# Rename the man pages so that they'll get generated correctly.
|
# Rename the man pages so that they'll get generated correctly.
|
||||||
pushd src
|
pushd src
|
||||||
cat %{SOURCE10} | while read manpage ; do
|
cat %{SOURCE10} | while read manpage ; do
|
||||||
@ -282,6 +253,9 @@ make DESTDIR=%{buildroot} install
|
|||||||
cd ..
|
cd ..
|
||||||
# Munge the krb5-config script to remove rpaths and CFLAGS.
|
# Munge the krb5-config script to remove rpaths and CFLAGS.
|
||||||
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
|
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
|
||||||
|
# install autoconf macro
|
||||||
|
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
||||||
|
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
||||||
# install sample config files
|
# install sample config files
|
||||||
# I'll probably do something about this later on
|
# I'll probably do something about this later on
|
||||||
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
|
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
|
||||||
@ -389,6 +363,7 @@ rm -rf %{buildroot}
|
|||||||
%dir /usr/lib/mit
|
%dir /usr/lib/mit
|
||||||
%dir /usr/lib/mit/bin
|
%dir /usr/lib/mit/bin
|
||||||
%dir /usr/lib/mit/sbin
|
%dir /usr/lib/mit/sbin
|
||||||
|
%dir %{_datadir}/aclocal
|
||||||
%{_libdir}/libgssrpc.so
|
%{_libdir}/libgssrpc.so
|
||||||
%{_libdir}/libk5crypto.so
|
%{_libdir}/libk5crypto.so
|
||||||
%{_libdir}/libkadm5clnt_mit.so
|
%{_libdir}/libkadm5clnt_mit.so
|
||||||
@ -403,6 +378,7 @@ rm -rf %{buildroot}
|
|||||||
/usr/lib/mit/sbin/krb5-send-pr
|
/usr/lib/mit/sbin/krb5-send-pr
|
||||||
%{_mandir}/man1/krb5-send-pr.1*
|
%{_mandir}/man1/krb5-send-pr.1*
|
||||||
%{_mandir}/man1/krb5-config.1*
|
%{_mandir}/man1/krb5-config.1*
|
||||||
|
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||||
%if %{build_mini}
|
%if %{build_mini}
|
||||||
|
|
||||||
%files
|
%files
|
||||||
|
@ -1,290 +0,0 @@
|
|||||||
When verifying signed-data, use the OpenSSL CMS APIs if we're building with a
|
|
||||||
version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for
|
|
||||||
RT#6851.
|
|
||||||
|
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
index bb8f036..6aedec4 100644
|
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
||||||
@@ -41,6 +41,34 @@
|
|
||||||
|
|
||||||
#include "pkinit_crypto_openssl.h"
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
|
||||||
+#include <openssl/cms.h>
|
|
||||||
+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
|
|
||||||
+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
|
|
||||||
+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
|
|
||||||
+#else
|
|
||||||
+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */
|
|
||||||
+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */
|
|
||||||
+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
|
|
||||||
+#define CMS_NOATTR PKCS7_NOATTR
|
|
||||||
+#define CMS_ContentInfo PKCS7
|
|
||||||
+#define CMS_SignerInfo PKCS7_SIGNER_INFO
|
|
||||||
+#define d2i_CMS_ContentInfo d2i_PKCS7
|
|
||||||
+#define CMS_get0_type(_p7) ((_p7)->type)
|
|
||||||
+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))
|
|
||||||
+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
|
|
||||||
+#define CMS_get0_SignerInfos PKCS7_get_signer_info
|
|
||||||
+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
|
|
||||||
+#undef sk_CMS_SignerInfo_value
|
|
||||||
+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
|
|
||||||
+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
|
|
||||||
+#define CMS_verify PKCS7_verify
|
|
||||||
+#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
|
|
||||||
+#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
|
|
||||||
+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
|
|
||||||
+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static struct pkcs11_errstrings {
|
|
||||||
short code;
|
|
||||||
char *text;
|
|
||||||
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
int *is_signed)
|
|
||||||
{
|
|
||||||
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
|
||||||
- PKCS7 *p7 = NULL;
|
|
||||||
+ CMS_ContentInfo *cms = NULL;
|
|
||||||
BIO *out = NULL;
|
|
||||||
- int flags = PKCS7_NOVERIFY;
|
|
||||||
+ int flags = CMS_NO_SIGNER_CERT_VERIFY;
|
|
||||||
unsigned int i = 0;
|
|
||||||
unsigned int vflags = 0, size = 0;
|
|
||||||
const unsigned char *p = signed_data;
|
|
||||||
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
|
|
||||||
- PKCS7_SIGNER_INFO *si = NULL;
|
|
||||||
+ STACK_OF(CMS_SignerInfo) *si_sk = NULL;
|
|
||||||
+ CMS_SignerInfo *si = NULL;
|
|
||||||
X509 *x = NULL;
|
|
||||||
X509_STORE *store = NULL;
|
|
||||||
X509_STORE_CTX cert_ctx;
|
|
||||||
+ STACK_OF(X509) *signerCerts = NULL;
|
|
||||||
STACK_OF(X509) *intermediateCAs = NULL;
|
|
||||||
+ STACK_OF(X509_CRL) *signerRevoked = NULL;
|
|
||||||
STACK_OF(X509_CRL) *revoked = NULL;
|
|
||||||
STACK_OF(X509) *verified_chain = NULL;
|
|
||||||
ASN1_OBJECT *oid = NULL;
|
|
||||||
+ const ASN1_OBJECT *type = NULL, *etype = NULL;
|
|
||||||
+ ASN1_OCTET_STRING **octets;
|
|
||||||
krb5_external_principal_identifier **krb5_verified_chain = NULL;
|
|
||||||
krb5_data *authz = NULL;
|
|
||||||
char buf[DN_BUF_LEN];
|
|
||||||
@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
if (oid == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- /* decode received PKCS7 message */
|
|
||||||
- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) {
|
|
||||||
+ /* decode received CMS message */
|
|
||||||
+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
|
|
||||||
unsigned long err = ERR_peek_error();
|
|
||||||
krb5_set_error_message(context, retval, "%s\n",
|
|
||||||
ERR_error_string(err, NULL));
|
|
||||||
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Handle the case in pkinit anonymous where we get unsigned data. */
|
|
||||||
- if (is_signed && !OBJ_cmp(p7->type, oid)) {
|
|
||||||
+ type = CMS_get0_type(cms);
|
|
||||||
+ if (is_signed && !OBJ_cmp(type, oid)) {
|
|
||||||
unsigned char *d;
|
|
||||||
*is_signed = 0;
|
|
||||||
- if (p7->d.other->type != V_ASN1_OCTET_STRING) {
|
|
||||||
+ octets = CMS_get0_content(cms);
|
|
||||||
+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
|
|
||||||
retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
|
||||||
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
|
|
||||||
"Invalid pkinit packet: octet string "
|
|
||||||
"expected");
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
|
|
||||||
+ *data_len = ASN1_STRING_length(*octets);
|
|
||||||
d = malloc(*data_len);
|
|
||||||
if (d == NULL) {
|
|
||||||
retval = ENOMEM;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string),
|
|
||||||
+ memcpy(d, ASN1_STRING_data(*octets),
|
|
||||||
*data_len);
|
|
||||||
*data = d;
|
|
||||||
goto out;
|
|
||||||
} else {
|
|
||||||
- /* Verify that the received message is PKCS7 SignedData message. */
|
|
||||||
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
|
|
||||||
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
|
|
||||||
- OBJ_obj2nid(p7->type));
|
|
||||||
+ /* Verify that the received message is CMS SignedData message. */
|
|
||||||
+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) {
|
|
||||||
+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n",
|
|
||||||
+ OBJ_obj2nid(type));
|
|
||||||
krb5_set_error_message(context, retval, "wrong oid\n");
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* setup to verify X509 certificate used to sign PKCS7 message */
|
|
||||||
+ /* setup to verify X509 certificate used to sign CMS message */
|
|
||||||
if (!(store = X509_STORE_new()))
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
|
|
||||||
X509_STORE_set_flags(store, vflags);
|
|
||||||
|
|
||||||
- /* get the signer's information from the PKCS7 message */
|
|
||||||
- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL)
|
|
||||||
+ /* get the signer's information from the CMS message */
|
|
||||||
+ CMS_set1_signers_certs(cms, NULL, 0);
|
|
||||||
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL)
|
|
||||||
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL)
|
|
||||||
+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
|
|
||||||
+ if (x == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
/* create available CRL information (get local CRLs and include CRLs
|
|
||||||
- * received in the PKCS7 message
|
|
||||||
+ * received in the CMS message
|
|
||||||
*/
|
|
||||||
+ signerRevoked = CMS_get1_crls(cms);
|
|
||||||
if (idctx->revoked == NULL)
|
|
||||||
- revoked = p7->d.sign->crl;
|
|
||||||
- else if (p7->d.sign->crl == NULL)
|
|
||||||
+ revoked = signerRevoked;
|
|
||||||
+ else if (signerRevoked == NULL)
|
|
||||||
revoked = idctx->revoked;
|
|
||||||
else {
|
|
||||||
size = sk_X509_CRL_num(idctx->revoked);
|
|
||||||
revoked = sk_X509_CRL_new_null();
|
|
||||||
for (i = 0; i < size; i++)
|
|
||||||
sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i));
|
|
||||||
- size = sk_X509_CRL_num(p7->d.sign->crl);
|
|
||||||
+ size = sk_X509_CRL_num(signerRevoked);
|
|
||||||
for (i = 0; i < size; i++)
|
|
||||||
- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i));
|
|
||||||
+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* create available intermediate CAs chains (get local intermediateCAs and
|
|
||||||
- * include the CA chain received in the PKCS7 message
|
|
||||||
+ * include the CA chain received in the CMS message
|
|
||||||
*/
|
|
||||||
+ signerCerts = CMS_get1_certs(cms);
|
|
||||||
if (idctx->intermediateCAs == NULL)
|
|
||||||
- intermediateCAs = p7->d.sign->cert;
|
|
||||||
- else if (p7->d.sign->cert == NULL)
|
|
||||||
+ intermediateCAs = signerCerts;
|
|
||||||
+ else if (signerCerts == NULL)
|
|
||||||
intermediateCAs = idctx->intermediateCAs;
|
|
||||||
else {
|
|
||||||
size = sk_X509_num(idctx->intermediateCAs);
|
|
||||||
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
sk_X509_push(intermediateCAs,
|
|
||||||
sk_X509_value(idctx->intermediateCAs, i));
|
|
||||||
}
|
|
||||||
- size = sk_X509_num(p7->d.sign->cert);
|
|
||||||
+ size = sk_X509_num(signerCerts);
|
|
||||||
for (i = 0; i < size; i++) {
|
|
||||||
- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
|
|
||||||
+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
krb5_set_error_message(context, retval, "%s\n",
|
|
||||||
X509_verify_cert_error_string(j));
|
|
||||||
#ifdef DEBUG_CERTCHAIN
|
|
||||||
- size = sk_X509_num(p7->d.sign->cert);
|
|
||||||
+ size = sk_X509_num(signerCerts);
|
|
||||||
pkiDebug("received cert chain of size %d\n", size);
|
|
||||||
for (j = 0; j < size; j++) {
|
|
||||||
- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
|
|
||||||
+ X509 *tmp_cert = sk_X509_value(signerCerts, j);
|
|
||||||
X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
|
|
||||||
pkiDebug("cert #%d: %s\n", j, buf);
|
|
||||||
}
|
|
||||||
@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
|
|
||||||
out = BIO_new(BIO_s_mem());
|
|
||||||
if (cms_msg_type == CMS_SIGN_DRAFT9)
|
|
||||||
- flags |= PKCS7_NOATTR;
|
|
||||||
- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
|
|
||||||
+ flags |= CMS_NOATTR;
|
|
||||||
+ etype = CMS_get0_eContentType(cms);
|
|
||||||
+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
|
|
||||||
int valid_oid = 0;
|
|
||||||
|
|
||||||
- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
|
|
||||||
+ if (!OBJ_cmp(etype, oid))
|
|
||||||
valid_oid = 1;
|
|
||||||
else if (cms_msg_type == CMS_SIGN_DRAFT9) {
|
|
||||||
/*
|
|
||||||
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
|
|
||||||
server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
|
|
||||||
rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
|
|
||||||
- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
|
|
||||||
- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
|
|
||||||
- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
|
|
||||||
+ if (!OBJ_cmp(etype, client_oid) ||
|
|
||||||
+ !OBJ_cmp(etype, server_oid) ||
|
|
||||||
+ !OBJ_cmp(etype, rsa_oid))
|
|
||||||
valid_oid = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (valid_oid)
|
|
||||||
- pkiDebug("PKCS7 Verification successful\n");
|
|
||||||
+ pkiDebug("CMS Verification successful\n");
|
|
||||||
else {
|
|
||||||
pkiDebug("wrong oid in eContentType\n");
|
|
||||||
- print_buffer(p7->d.sign->contents->type->data,
|
|
||||||
- (unsigned int)p7->d.sign->contents->type->length);
|
|
||||||
+ print_buffer(etype->data,
|
|
||||||
+ (unsigned int)etype->length);
|
|
||||||
retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
|
||||||
krb5_set_error_message(context, retval, "wrong oid\n");
|
|
||||||
goto cleanup;
|
|
||||||
@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
|
|
||||||
default:
|
|
||||||
retval = KRB5KDC_ERR_INVALID_SIG;
|
|
||||||
}
|
|
||||||
- pkiDebug("PKCS7 Verification failure\n");
|
|
||||||
+ pkiDebug("CMS Verification failure\n");
|
|
||||||
krb5_set_error_message(context, retval, "%s\n",
|
|
||||||
ERR_error_string(err, NULL));
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* transfer the data from PKCS7 message into return buffer */
|
|
||||||
+ /* transfer the data from CMS message into return buffer */
|
|
||||||
for (size = 0;;) {
|
|
||||||
int remain;
|
|
||||||
retval = ENOMEM;
|
|
||||||
@@ -1452,12 +1491,16 @@ cleanup:
|
|
||||||
BIO_free(out);
|
|
||||||
if (store != NULL)
|
|
||||||
X509_STORE_free(store);
|
|
||||||
- if (p7 != NULL) {
|
|
||||||
- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
|
|
||||||
+ if (cms != NULL) {
|
|
||||||
+ if (signerCerts != NULL)
|
|
||||||
+ pkinit_CMS_free1_certs(signerCerts);
|
|
||||||
+ if (idctx->intermediateCAs != NULL && signerCerts)
|
|
||||||
sk_X509_free(intermediateCAs);
|
|
||||||
- if (idctx->revoked != NULL && p7->d.sign->crl)
|
|
||||||
+ if (signerRevoked != NULL)
|
|
||||||
+ pkinit_CMS_free1_crls(signerRevoked);
|
|
||||||
+ if (idctx->revoked != NULL && signerRevoked)
|
|
||||||
sk_X509_CRL_free(revoked);
|
|
||||||
- PKCS7_free(p7);
|
|
||||||
+ CMS_ContentInfo_free(cms);
|
|
||||||
}
|
|
||||||
if (verified_chain != NULL)
|
|
||||||
sk_X509_pop_free(verified_chain, X509_free);
|
|
@ -1,24 +0,0 @@
|
|||||||
Don't suppress the error code from an error message when the error message
|
|
||||||
contains e-data. RT#6893
|
|
||||||
Index: src/lib/krb5/krb/chpw.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/krb5/krb/chpw.c (revision 24838)
|
|
||||||
+++ src/lib/krb5/krb/chpw.c (working copy)
|
|
||||||
@@ -111,15 +111,11 @@
|
|
||||||
if ((ret = krb5_rd_error(context, packet, &krberror)))
|
|
||||||
return(ret);
|
|
||||||
|
|
||||||
- if (krberror->e_data.data == NULL)
|
|
||||||
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
|
|
||||||
- else
|
|
||||||
- ret = KRB5KRB_AP_ERR_MODIFIED;
|
|
||||||
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
|
|
||||||
krb5_free_error(context, krberror);
|
|
||||||
return(ret);
|
|
||||||
- } else {
|
|
||||||
- return(KRB5KRB_AP_ERR_MODIFIED);
|
|
||||||
}
|
|
||||||
+ return(KRB5KRB_AP_ERR_MODIFIED);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
Author: ghudson
|
|
||||||
Date: Mon May 9 17:28:07 2011 +0000
|
|
||||||
|
|
||||||
ticket: 6908
|
|
||||||
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
|
|
||||||
target_version: 1.9.2
|
|
||||||
tags: pullup
|
|
||||||
|
|
||||||
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
|
|
||||||
union context to krb5_gss_delete_sec_context(), causing a crash as the
|
|
||||||
krb5 routine attempts to interpret a union context structure as a krb5
|
|
||||||
GSS context. Call the mechglue gss_delete_sec_context instead.
|
|
||||||
|
|
||||||
|
|
||||||
svn://anonsvn.mit.edu:/krb5/trunk@24917
|
|
||||||
|
|
||||||
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
|
|
||||||
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
|
|
||||||
/* Clean up the context state (it is an error for
|
|
||||||
* someone to attempt to use this context again)
|
|
||||||
*/
|
|
||||||
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
|
|
||||||
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
|
|
||||||
*context_handle = GSS_C_NO_CONTEXT;
|
|
||||||
|
|
||||||
generic_gss_release_buffer_set(&minor, &data_set);
|
|
@ -1,39 +0,0 @@
|
|||||||
------------------------------------------------------------------------
|
|
||||||
r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
|
|
||||||
|
|
||||||
ticket: 6920
|
|
||||||
subject: Fix old-style GSSRPC authentication
|
|
||||||
target_version: 1.9.2
|
|
||||||
tags: pullup
|
|
||||||
|
|
||||||
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
|
|
||||||
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
|
|
||||||
authentication fail because it uses the wrong channel bindings. Fix
|
|
||||||
this problem by making clnttcp_create() get the remote address from
|
|
||||||
the socket using getpeername() if the caller doesn't provide it and
|
|
||||||
it's an IPv4 address.
|
|
||||||
------------------------------------------------------------------------
|
|
||||||
Index: src/lib/rpc/clnt_tcp.c
|
|
||||||
===================================================================
|
|
||||||
--- src/lib/rpc/clnt_tcp.c (revision 24966)
|
|
||||||
+++ src/lib/rpc/clnt_tcp.c (revision 24967)
|
|
||||||
@@ -187,9 +187,16 @@
|
|
||||||
ct->ct_sock = *sockp;
|
|
||||||
ct->ct_wait.tv_usec = 0;
|
|
||||||
ct->ct_waitset = FALSE;
|
|
||||||
- if (raddr == NULL)
|
|
||||||
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
|
|
||||||
- else
|
|
||||||
+ if (raddr == NULL) {
|
|
||||||
+ /* Get the remote address from the socket, if it's IPv4. */
|
|
||||||
+ struct sockaddr_in sin;
|
|
||||||
+ socklen_t len = sizeof(sin);
|
|
||||||
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
|
|
||||||
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
|
|
||||||
+ ct->ct_addr = sin;
|
|
||||||
+ else
|
|
||||||
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
|
|
||||||
+ } else
|
|
||||||
ct->ct_addr = *raddr;
|
|
||||||
|
|
||||||
/*
|
|
45
krb5.changes
45
krb5.changes
@ -1,3 +1,48 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
|
||||||
|
|
||||||
|
- update to version 1.10.2
|
||||||
|
obsolte patches:
|
||||||
|
* krb5-1.7-nodeplibs.patch
|
||||||
|
* krb5-1.9.1-ai_addrconfig.patch
|
||||||
|
* krb5-1.9.1-ai_addrconfig2.patch
|
||||||
|
* krb5-1.9.1-sendto_poll.patch
|
||||||
|
* krb5-1.9-canonicalize-fallback.patch
|
||||||
|
* krb5-1.9-paren.patch
|
||||||
|
* krb5-klist_s.patch
|
||||||
|
* krb5-pkinit-cms2.patch
|
||||||
|
* krb5-trunk-chpw-err.patch
|
||||||
|
* krb5-trunk-gss_delete_sec.patch
|
||||||
|
* krb5-trunk-kadmin-oldproto.patch
|
||||||
|
* krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||||
|
* krb5-1.9-gss_display_status-iakerb.patch
|
||||||
|
* krb5-1.9.1-sendto_poll2.patch
|
||||||
|
* krb5-1.9.1-sendto_poll3.patch
|
||||||
|
* krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||||
|
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
|
||||||
|
Controllers.
|
||||||
|
- Update a workaround for a glibc bug that would cause DNS PTR queries
|
||||||
|
to occur even when rdns = false.
|
||||||
|
- Fix a kadmind denial of service issue (null pointer dereference),
|
||||||
|
which could only be triggered by an administrator with the "create"
|
||||||
|
privilege. [CVE-2012-1013]
|
||||||
|
- Fix access controls for KDB string attributes [CVE-2012-1012]
|
||||||
|
- Make the ASN.1 encoding of key version numbers interoperate with
|
||||||
|
Windows Read-Only Domain Controllers
|
||||||
|
- Avoid generating spurious password expiry warnings in cases where
|
||||||
|
the KDC sends an account expiry time without a password expiry time
|
||||||
|
- Make PKINIT work with FAST in the client library.
|
||||||
|
- Add the DIR credential cache type, which can hold a collection of
|
||||||
|
credential caches.
|
||||||
|
- Enhance kinit, klist, and kdestroy to support credential cache
|
||||||
|
collections if the cache type supports it.
|
||||||
|
- Add the kswitch command, which changes the selected default cache
|
||||||
|
within a collection.
|
||||||
|
- Add heuristic support for choosing client credentials based on
|
||||||
|
the service realm.
|
||||||
|
- Add support for $HOME/.k5identity, which allows credential
|
||||||
|
choice based on configured rules.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
|
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
|
||||||
|
|
||||||
|
53
krb5.spec
53
krb5.spec
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 0
|
%define build_mini 0
|
||||||
%define srcRoot krb5-1.9.1
|
%define srcRoot krb5-1.10.2
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.9.1
|
Version: 1.10.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
|
|||||||
%endif
|
%endif
|
||||||
#
|
#
|
||||||
%endif
|
%endif
|
||||||
Source: krb5-1.9.1.tar.bz2
|
Source: krb5-%{version}.tar.bz2
|
||||||
Source1: vendor-files.tar.bz2
|
Source1: vendor-files.tar.bz2
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
Source5: krb5-rpmlintrc
|
Source5: krb5-rpmlintrc
|
||||||
Source10: krb5-1.8-manpaths.txt
|
Source10: krb5-1.8-manpaths.txt
|
||||||
Patch1: krb5-1.9-buildconf.patch
|
Patch1: krb5-1.10-buildconf.patch
|
||||||
Patch3: krb5-1.9-manpaths.dif
|
Patch3: krb5-1.9-manpaths.dif
|
||||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||||
Patch6: krb5-1.6.3-kpasswd_tcp.patch
|
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||||
Patch10: krb5-1.7-doublelog.patch
|
Patch10: krb5-1.7-doublelog.patch
|
||||||
Patch11: krb5-1.7-nodeplibs.patch
|
|
||||||
Patch12: krb5-1.8-api.patch
|
Patch12: krb5-1.8-api.patch
|
||||||
Patch13: krb5-1.8-pam.patch
|
Patch13: krb5-1.8-pam.patch
|
||||||
Patch14: krb5-1.9.1-ai_addrconfig.patch
|
|
||||||
Patch15: krb5-1.9.1-ai_addrconfig2.patch
|
|
||||||
Patch16: krb5-1.9.1-sendto_poll.patch
|
|
||||||
Patch17: krb5-1.9-canonicalize-fallback.patch
|
|
||||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||||
Patch19: krb5-1.9-ksu-path.patch
|
Patch19: krb5-1.9-ksu-path.patch
|
||||||
Patch20: krb5-1.9-paren.patch
|
Patch20: krb5-1.10-gcc47.patch
|
||||||
Patch21: krb5-1.9-selinux-label.patch
|
Patch21: krb5-1.10-selinux-label.patch
|
||||||
Patch22: krb5-klist_s.patch
|
|
||||||
Patch23: krb5-pkinit-cms2.patch
|
|
||||||
Patch24: krb5-trunk-chpw-err.patch
|
|
||||||
Patch25: krb5-trunk-gss_delete_sec.patch
|
|
||||||
Patch26: krb5-trunk-kadmin-oldproto.patch
|
|
||||||
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
|
|
||||||
Patch31: krb5-1.9-gss_display_status-iakerb.patch
|
|
||||||
Patch32: krb5-1.9.1-sendto_poll2.patch
|
|
||||||
Patch33: krb5-1.9.1-sendto_poll3.patch
|
|
||||||
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %insserv_prereq %fillup_prereq
|
PreReq: %insserv_prereq %fillup_prereq
|
||||||
@ -119,8 +104,9 @@ Authors:
|
|||||||
%package server
|
%package server
|
||||||
Summary: MIT Kerberos5 implementation - server
|
Summary: MIT Kerberos5 implementation - server
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
|
Requires: cron
|
||||||
|
Requires: logrotate
|
||||||
Requires: perl-Date-Calc
|
Requires: perl-Date-Calc
|
||||||
Requires: logrotate cron
|
|
||||||
PreReq: %insserv_prereq %fillup_prereq
|
PreReq: %insserv_prereq %fillup_prereq
|
||||||
|
|
||||||
%description server
|
%description server
|
||||||
@ -182,8 +168,8 @@ Authors:
|
|||||||
Summary: MIT Kerberos5 - Include Files and Libraries
|
Summary: MIT Kerberos5 - Include Files and Libraries
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
PreReq: %{name} = %{version}
|
PreReq: %{name} = %{version}
|
||||||
Requires: libcom_err-devel
|
|
||||||
Requires: keyutils-devel
|
Requires: keyutils-devel
|
||||||
|
Requires: libcom_err-devel
|
||||||
# bug437293
|
# bug437293
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
Obsoletes: krb5-devel-64bit
|
Obsoletes: krb5-devel-64bit
|
||||||
@ -216,28 +202,13 @@ Authors:
|
|||||||
%patch21 -p1
|
%patch21 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch14
|
|
||||||
%patch15
|
|
||||||
%patch16
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
%patch18 -p1
|
||||||
%patch19 -p1
|
%patch19 -p1
|
||||||
%patch20 -p1
|
%patch20
|
||||||
%patch22 -p1
|
|
||||||
%patch23 -p1
|
|
||||||
%patch24
|
|
||||||
%patch25 -p1
|
|
||||||
%patch26
|
|
||||||
%patch30 -p1
|
|
||||||
%patch31 -p1
|
|
||||||
%patch32 -p1
|
|
||||||
%patch33 -p1
|
|
||||||
%patch34 -p1
|
|
||||||
# Rename the man pages so that they'll get generated correctly.
|
# Rename the man pages so that they'll get generated correctly.
|
||||||
pushd src
|
pushd src
|
||||||
cat %{SOURCE10} | while read manpage ; do
|
cat %{SOURCE10} | while read manpage ; do
|
||||||
|
Loading…
Reference in New Issue
Block a user