- update to version 1.12.1
* Make KDC log service principal names more consistently during some error conditions, instead of "<unknown server>" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches - upstream obsoletes: krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-pic-aes-ni.patch krb5-master-no-malloc0.patch krb5-master-ignore-empty-unnecessary-final-token.patch OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=117
parent
673bd84f01
commit
869a682f2d
@ -1,306 +0,0 @@
|
||||
Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial)
|
||||
profile_in_memory fields, and drop the hunk that touched .gitignore.
|
||||
|
||||
commit c452644d91d57d8b05ef396a029e34d0c7a48920
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed Dec 18 15:03:03 2013 -0500
|
||||
|
||||
Fix krb5_copy_context
|
||||
|
||||
krb5_copy_context has been broken since 1.8 (it broke in r22456)
|
||||
because k5_copy_etypes crashes on null enctype lists. Subsequent
|
||||
additions to the context structure were not reflected in
|
||||
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
|
||||
handle null input and account for all new fields in krb5_copy_context.
|
||||
Reported by Arran Cudbard-Bell.
|
||||
|
||||
ticket: 7807 (new)
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
|
||||
index 0bc92f8..4237023 100644
|
||||
--- a/src/lib/krb5/krb/copy_ctx.c
|
||||
+++ b/src/lib/krb5/krb/copy_ctx.c
|
||||
@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
|
||||
nctx->ser_ctx_count = 0;
|
||||
nctx->ser_ctx = NULL;
|
||||
nctx->prompt_types = NULL;
|
||||
+ nctx->preauth_context = NULL;
|
||||
+ nctx->ccselect_handles = NULL;
|
||||
+ nctx->localauth_handles = NULL;
|
||||
+ nctx->hostrealm_handles = NULL;
|
||||
+ nctx->kdblog_context = NULL;
|
||||
+ nctx->trace_callback = NULL;
|
||||
+ nctx->trace_callback_data = NULL;
|
||||
+ nctx->plugin_base_dir = NULL;
|
||||
nctx->os_context.default_ccname = NULL;
|
||||
|
||||
+#ifdef KRB5_DNS_LOOKUP
|
||||
+ nctx->profile_in_memory = 0;
|
||||
+#endif /* KRB5_DNS_LOOKUP */
|
||||
+
|
||||
memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
|
||||
nctx->vtbl = NULL;
|
||||
nctx->locate_fptrs = NULL;
|
||||
|
||||
memset(&nctx->err, 0, sizeof(nctx->err));
|
||||
+ memset(&nctx->plugins, 0, sizeof(nctx->plugins));
|
||||
|
||||
ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
|
||||
if (ret)
|
||||
@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
|
||||
ret = krb5_get_profile(ctx, &nctx->profile);
|
||||
if (ret)
|
||||
goto errout;
|
||||
+ nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
|
||||
+ if (nctx->plugin_base_dir == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto errout;
|
||||
+ }
|
||||
|
||||
errout:
|
||||
if (ret) {
|
||||
diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
|
||||
index 9efe2e0..71f664f 100644
|
||||
--- a/src/lib/krb5/krb/etype_list.c
|
||||
+++ b/src/lib/krb5/krb/etype_list.c
|
||||
@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
|
||||
krb5_enctype *list;
|
||||
|
||||
*new_list = NULL;
|
||||
+ if (old_list == NULL)
|
||||
+ return 0;
|
||||
count = k5_count_etypes(old_list);
|
||||
list = malloc(sizeof(krb5_enctype) * (count + 1));
|
||||
if (list == NULL)
|
||||
|
||||
commit b78c3c8c5025aec870d20472f80d4a652062f921
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed Dec 18 13:08:25 2013 -0500
|
||||
|
||||
Add a test program for krb5_copy_context
|
||||
|
||||
This test program isn't completely proof against the kind of mistakes
|
||||
we've made with krb5_copy_context in the past, but it at least
|
||||
exercises krb5_copy_context and can detect some kinds of bugs.
|
||||
|
||||
ticket: 7807
|
||||
|
||||
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
|
||||
index 7d1682d..3b58219 100644
|
||||
--- a/src/lib/krb5/krb/Makefile.in
|
||||
+++ b/src/lib/krb5/krb/Makefile.in
|
||||
@@ -349,6 +349,7 @@ SRCS= $(srcdir)/addr_comp.c \
|
||||
$(srcdir)/t_expire_warn.c \
|
||||
$(srcdir)/t_authdata.c \
|
||||
$(srcdir)/t_cc_config.c \
|
||||
+ $(srcdir)/t_copy_context.c \
|
||||
$(srcdir)/t_in_ccache.c \
|
||||
$(srcdir)/t_response_items.c \
|
||||
$(srcdir)/t_vfy_increds.c
|
||||
@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS)
|
||||
t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS)
|
||||
$(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS)
|
||||
|
||||
+t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS)
|
||||
+ $(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS)
|
||||
+
|
||||
t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
|
||||
$(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS)
|
||||
|
||||
TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
|
||||
- t_in_ccache t_cc_config \
|
||||
+ t_in_ccache t_cc_config t_copy_context \
|
||||
t_princ t_etypes t_vfy_increds t_response_items
|
||||
|
||||
check-unix:: $(TEST_PROGS)
|
||||
@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS)
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_princ
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_etypes
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_response_items
|
||||
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
|
||||
+ $(RUN_SETUP) $(VALGRIND) ./t_copy_context
|
||||
|
||||
check-pytests:: t_expire_warn t_vfy_increds
|
||||
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
|
||||
@@ -491,6 +497,7 @@ clean::
|
||||
$(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT) \
|
||||
$(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) \
|
||||
$(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT) \
|
||||
+ $(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \
|
||||
$(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT) \
|
||||
$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
|
||||
$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
|
||||
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
|
||||
new file mode 100644
|
||||
index 0000000..522fa0c
|
||||
--- /dev/null
|
||||
+++ b/src/lib/krb5/krb/t_copy_context.c
|
||||
@@ -0,0 +1,166 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */
|
||||
+/*
|
||||
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in
|
||||
+ * the documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include <k5-int.h>
|
||||
+
|
||||
+static void
|
||||
+trace(krb5_context ctx, const krb5_trace_info *info, void *data)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+check(int cond)
|
||||
+{
|
||||
+ if (!cond)
|
||||
+ abort();
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+compare_string(const char *str1, const char *str2)
|
||||
+{
|
||||
+ check((str1 == NULL) == (str2 == NULL));
|
||||
+ if (str1 != NULL)
|
||||
+ check(strcmp(str1, str2) == 0);
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+compare_etypes(krb5_enctype *list1, krb5_enctype *list2)
|
||||
+{
|
||||
+ check((list1 == NULL) == (list2 == NULL));
|
||||
+ if (list1 == NULL)
|
||||
+ return;
|
||||
+ while (*list1 != ENCTYPE_NULL && *list1 == *list2)
|
||||
+ list1++, list2++;
|
||||
+ check(*list1 == *list2);
|
||||
+}
|
||||
+
|
||||
+/* Check that the context c is a valid copy of the reference context r. */
|
||||
+static void
|
||||
+check_context(krb5_context c, krb5_context r)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ /* Check fields which should have been propagated from r. */
|
||||
+ compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes);
|
||||
+ compare_etypes(c->tgs_etypes, r->tgs_etypes);
|
||||
+ check(c->os_context.time_offset == r->os_context.time_offset);
|
||||
+ check(c->os_context.usec_offset == r->os_context.usec_offset);
|
||||
+ check(c->os_context.os_flags == r->os_context.os_flags);
|
||||
+ compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
|
||||
+ check(c->clockskew == r->clockskew);
|
||||
+ check(c->kdc_req_sumtype == r->kdc_req_sumtype);
|
||||
+ check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
|
||||
+ check(c->default_safe_sumtype == r->default_safe_sumtype);
|
||||
+ check(c->kdc_default_options == r->kdc_default_options);
|
||||
+ check(c->library_options == r->library_options);
|
||||
+ check(c->profile_secure == r->profile_secure);
|
||||
+ check(c->fcc_default_format == r->fcc_default_format);
|
||||
+ check(c->udp_pref_limit == r->udp_pref_limit);
|
||||
+ check(c->use_conf_ktypes == r->use_conf_ktypes);
|
||||
+ check(c->allow_weak_crypto == r->allow_weak_crypto);
|
||||
+ check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname);
|
||||
+ check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname);
|
||||
+ compare_string(c->plugin_base_dir, r->plugin_base_dir);
|
||||
+
|
||||
+ /* Check fields which don't propagate. */
|
||||
+ check(c->dal_handle == NULL);
|
||||
+ check(c->ser_ctx_count == 0);
|
||||
+ check(c->ser_ctx == NULL);
|
||||
+ check(c->prompt_types == NULL);
|
||||
+ check(c->libkrb5_plugins.files == NULL);
|
||||
+ check(c->preauth_context == NULL);
|
||||
+ check(c->ccselect_handles == NULL);
|
||||
+ check(c->localauth_handles == NULL);
|
||||
+ check(c->hostrealm_handles == NULL);
|
||||
+ check(c->err.code == 0);
|
||||
+ check(c->err.msg == NULL);
|
||||
+ check(c->kdblog_context == NULL);
|
||||
+ check(c->trace_callback == NULL);
|
||||
+ check(c->trace_callback_data == NULL);
|
||||
+ for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) {
|
||||
+ check(c->plugins[i].modules == NULL);
|
||||
+ check(!c->plugins[i].configured);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ krb5_context ctx, ctx2;
|
||||
+ krb5_plugin_initvt_fn *mods;
|
||||
+ const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
|
||||
+ const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
||||
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
|
||||
+ krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
|
||||
+
|
||||
+ /* Copy a default context and verify the result. */
|
||||
+ check(krb5_init_context(&ctx) == 0);
|
||||
+ check(krb5_copy_context(ctx, &ctx2) == 0);
|
||||
+ check_context(ctx2, ctx);
|
||||
+ krb5_free_context(ctx2);
|
||||
+
|
||||
+ /* Set non-default values for all of the propagated fields in ctx. */
|
||||
+ ctx->allow_weak_crypto = TRUE;
|
||||
+ check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0);
|
||||
+ check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0);
|
||||
+ check(krb5_set_debugging_time(ctx, 1234, 5678) == 0);
|
||||
+ check(krb5_cc_set_default_name(ctx, "defccname") == 0);
|
||||
+ check(krb5_set_default_realm(ctx, "defrealm") == 0);
|
||||
+ ctx->clockskew = 18;
|
||||
+ ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
|
||||
+ ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
|
||||
+ ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
|
||||
+ ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
|
||||
+ ctx->library_options = 0;
|
||||
+ ctx->profile_secure = TRUE;
|
||||
+ ctx->udp_pref_limit = 2345;
|
||||
+ ctx->use_conf_ktypes = TRUE;
|
||||
+ ctx->ignore_acceptor_hostname = TRUE;
|
||||
+ ctx->dns_canonicalize_hostname = FALSE;
|
||||
+ free(ctx->plugin_base_dir);
|
||||
+ check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
|
||||
+
|
||||
+ /* Also set some of the non-propagated fields. */
|
||||
+ ctx->prompt_types = ptypes;
|
||||
+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
|
||||
+ k5_plugin_free_modules(ctx, mods);
|
||||
+ krb5_set_error_message(ctx, ENOMEM, "nooooooooo");
|
||||
+ krb5_set_trace_callback(ctx, trace, ctx);
|
||||
+
|
||||
+ /* Copy the intentionally messy context and verify the result. */
|
||||
+ check(krb5_copy_context(ctx, &ctx2) == 0);
|
||||
+ check_context(ctx2, ctx);
|
||||
+ krb5_free_context(ctx2);
|
||||
+
|
||||
+ krb5_free_context(ctx);
|
||||
+ return 0;
|
||||
+}
|
@ -1,57 +0,0 @@
|
||||
commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri Jan 3 13:50:48 2014 -0500
|
||||
|
||||
Mark AESNI files as not needing executable stacks
|
||||
|
||||
Some Linux systems now come with facilities to mark the stack as
|
||||
non-executable, making it more difficult to exploit buffer overrun
|
||||
bugs. For this to work, object files built from assembly need a
|
||||
section added to note whether they require an executable stack.
|
||||
|
||||
Patch from Dhiru Kholia with comments added. More information at:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1045699
|
||||
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
|
||||
|
||||
ticket: 7813
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
|
||||
index 1c091c1..d03c859 100644
|
||||
--- a/src/lib/crypto/builtin/aes/iaesx64.s
|
||||
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
|
||||
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
|
||||
movdqu [r9],xmm1
|
||||
add rsp,16*16+8
|
||||
ret
|
||||
+
|
||||
+; Mark this file as not needing an executable stack.
|
||||
+%ifidn __OUTPUT_FORMAT__,elf
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
||||
+%ifidn __OUTPUT_FORMAT__,elf32
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
||||
+%ifidn __OUTPUT_FORMAT__,elf64
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
||||
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
|
||||
index b667acd..1aa12e6 100644
|
||||
--- a/src/lib/crypto/builtin/aes/iaesx86.s
|
||||
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
|
||||
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
|
||||
movdqu [ecx],xmm1 ; store last iv for chaining
|
||||
|
||||
ret
|
||||
+
|
||||
+; Mark this file as not needing an executable stack.
|
||||
+%ifidn __OUTPUT_FORMAT__,elf
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
||||
+%ifidn __OUTPUT_FORMAT__,elf32
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
||||
+%ifidn __OUTPUT_FORMAT__,elf64
|
||||
+section .note.GNU-stack noalloc noexec nowrite progbits
|
||||
+%endif
|
@ -1,70 +0,0 @@
|
||||
--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
|
||||
+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
|
||||
@@ -256,6 +256,7 @@ DD 0
|
||||
section .text
|
||||
|
||||
|
||||
+extern _GLOBAL_OFFSET_TABLE_
|
||||
|
||||
align 16
|
||||
key_expansion256:
|
||||
@@ -318,12 +319,18 @@ _iEncExpandKey128:
|
||||
|
||||
mov ecx,[esp-4+8] ;input
|
||||
mov edx,[esp-4+12] ;ctx
|
||||
+ push ebx
|
||||
|
||||
movdqu xmm1, [ecx] ; loading the key
|
||||
|
||||
movdqu [edx], xmm1
|
||||
|
||||
- movdqa xmm5, [shuffle_mask]
|
||||
+ call .get_GOT
|
||||
+.get_GOT:
|
||||
+ pop ebx
|
||||
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
|
||||
+
|
||||
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
|
||||
|
||||
add edx,16
|
||||
|
||||
@@ -348,6 +355,8 @@ _iEncExpandKey128:
|
||||
aeskeygenassist xmm2, xmm1, 0x36 ; Generating round key 10
|
||||
call key_expansion128
|
||||
|
||||
+ pop ebx
|
||||
+
|
||||
ret
|
||||
|
||||
|
||||
@@ -412,6 +421,7 @@ global _iEncExpandKey256
|
||||
_iEncExpandKey256:
|
||||
mov ecx, [esp-4+8] ;input
|
||||
mov edx, [esp-4+12] ;expanded key
|
||||
+ push ebx
|
||||
|
||||
|
||||
movdqu xmm1, [ecx] ; loading the key
|
||||
@@ -421,7 +431,12 @@ _iEncExpandKey256:
|
||||
|
||||
add edx,32
|
||||
|
||||
- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion
|
||||
+ call .get_GOT
|
||||
+.get_GOT:
|
||||
+ pop ebx
|
||||
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
|
||||
+
|
||||
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
|
||||
|
||||
aeskeygenassist xmm2, xmm3, 0x1 ;
|
||||
call key_expansion256
|
||||
@@ -452,6 +467,8 @@ _iEncExpandKey256:
|
||||
movdqu [edx], xmm1
|
||||
|
||||
|
||||
+ pop ebx
|
||||
+
|
||||
ret
|
||||
|
||||
|
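--- a/krb5-1.12.1.tar.gz
+++ b/krb5-1.12.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345
+size 11938756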
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a
|
||||
size 11925134
|
@ -1,28 +0,0 @@
|
||||
commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
|
||||
Author: Simo Sorce <simo@redhat.com>
|
||||
Date: Fri Dec 13 12:00:41 2013 -0500
|
||||
|
||||
Fix memory leak in SPNEGO initiator
|
||||
|
||||
If we eliminate a mechanism from the initiator list because
|
||||
gss_init_sec_context fails, free the memory for that mech OID before
|
||||
removing it from the list.
|
||||
|
||||
[ghudson@mit.edu: clarified commit message]
|
||||
|
||||
ticket: 7803 (new)
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 818a1b4..06cfab0 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
|
||||
* can do this with recursion. If all mechanisms produce errors, the
|
||||
* caller should get the error from the first mech in the list.
|
||||
*/
|
||||
+ gssalloc_free(sc->mech_set->elements->elements);
|
||||
memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
|
||||
--sc->mech_set->count * sizeof(*sc->mech_set->elements));
|
||||
if (sc->mech_set->count == 0)
|
@ -1,37 +0,0 @@
|
||||
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue Dec 10 12:04:18 2013 -0500
|
||||
|
||||
Fix SPNEGO one-hop interop against old IIS
|
||||
|
||||
IIS 6.0 and similar return a zero length reponse buffer in the last
|
||||
SPNEGO packet when context initiation is performed without mutual
|
||||
authentication. In this case the underlying Kerberos mechanism has
|
||||
already completed successfully on the first invocation, and SPNEGO
|
||||
does not expect a mech response token in the answer. If we get an
|
||||
empty mech response token when the mech is complete during
|
||||
negotiation, ignore it.
|
||||
|
||||
[ghudson@mit.edu: small code style and commit message changes]
|
||||
|
||||
ticket: 7797 (new)
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 3937662..d82934b 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
||||
map_errcode(minor_status);
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
}
|
||||
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
|
||||
+ /* Handle old IIS servers returning empty token instead of
|
||||
+ * null tokens in the non-mutual auth case. */
|
||||
+ *negState = ACCEPT_COMPLETE;
|
||||
+ *tokflag = NO_TOKEN_SEND;
|
||||
+ ret = GSS_S_COMPLETE;
|
||||
} else if (sc->mech_complete) {
|
||||
/* Reject spurious mech token. */
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
108
krb5-master-keyring-kdcsync.patch
Normal file
@ -0,0 +1,108 @@
|
||||
commit e99c688913a7761c6adea9488ea9355f43539883
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu Jan 16 17:48:54 2014 -0500
|
||||
|
||||
Get time offsets for all keyring ccaches
|
||||
|
||||
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
|
||||
that we fetch time offsets for caches created by
|
||||
krb5_krcc_ptcursor_next.
|
||||
|
||||
ticket: 7820
|
||||
target_version: 1.12.2
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
|
||||
index a0c8035..27bad9d 100644
|
||||
--- a/src/lib/krb5/ccache/cc_keyring.c
|
||||
+++ b/src/lib/krb5/ccache/cc_keyring.c
|
||||
@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
|
||||
|
||||
/* Create a cache handle for a cache ID. */
|
||||
static krb5_error_code
|
||||
-make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
||||
- const char *anchor_name, const char *collection_name,
|
||||
- const char *subsidiary_name, krb5_ccache *cache_out)
|
||||
+make_cache(krb5_context context, key_serial_t collection_id,
|
||||
+ key_serial_t cache_id, const char *anchor_name,
|
||||
+ const char *collection_name, const char *subsidiary_name,
|
||||
+ krb5_ccache *cache_out)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
+ krb5_os_context os_ctx = &context->os_context;
|
||||
krb5_ccache ccache = NULL;
|
||||
krb5_krcc_data *d;
|
||||
key_serial_t pkey = 0;
|
||||
@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
||||
ccache->data = d;
|
||||
ccache->magic = KV5M_CCACHE;
|
||||
*cache_out = ccache;
|
||||
+
|
||||
+ /* Lookup time offsets if necessary. */
|
||||
+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
|
||||
+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
|
||||
+ if (krb5_krcc_get_time_offsets(context, ccache,
|
||||
+ &os_ctx->time_offset,
|
||||
+ &os_ctx->usec_offset) == 0) {
|
||||
+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
|
||||
+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
|
||||
{
|
||||
- krb5_os_context os_ctx = &context->os_context;
|
||||
krb5_error_code ret;
|
||||
key_serial_t collection_id, cache_id;
|
||||
char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
|
||||
@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
|
||||
if (cache_id < 0)
|
||||
cache_id = 0;
|
||||
|
||||
- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
|
||||
- subsidiary_name, id);
|
||||
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
|
||||
+ collection_name, subsidiary_name, id);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
- /* Lookup time offsets if necessary. */
|
||||
- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
|
||||
- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
|
||||
- if (krb5_krcc_get_time_offsets(context, *id,
|
||||
- &os_ctx->time_offset,
|
||||
- &os_ctx->usec_offset) == 0) {
|
||||
- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
|
||||
- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
cleanup:
|
||||
free(anchor_name);
|
||||
free(collection_name);
|
||||
@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
|
||||
cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
|
||||
first_name, 0);
|
||||
if (cache_id != -1) {
|
||||
- return make_cache(data->collection_id, cache_id, data->anchor_name,
|
||||
- data->collection_name, first_name, cache_out);
|
||||
+ return make_cache(context, data->collection_id, cache_id,
|
||||
+ data->anchor_name, data->collection_name,
|
||||
+ first_name, cache_out);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
|
||||
|
||||
/* We found a valid key */
|
||||
data->next_key++;
|
||||
- ret = make_cache(data->collection_id, key, data->anchor_name,
|
||||
+ ret = make_cache(context, data->collection_id, key, data->anchor_name,
|
||||
data->collection_name, subsidiary_name, cache_out);
|
||||
free(description);
|
||||
return ret;
|
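Review bot: The comment above `make_cache` still reads `/* Create a cache handle for a cache ID. */`, but with this patch the function also writes `time_offset`, `usec_offset` and `os_flags` in the caller's `context->os_context`, and nothing at the definition says so. Because the lookup is guarded by `!(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)`, a collection walk through `krb5_krcc_ptcursor_next` appears to keep the offsets of whichever cache is built first and skip the rest; since those offsets presumably feed later time checks, that is worth stating. I would extend the comment to `/* Create a cache handle for a cache ID. If KRB5_LIBOPT_SYNC_KDCTIME is set and context has no valid time offset yet, load the offsets stored with this cache into context; a failed lookup is ignored. */`. The body of `make_cache` is only partly visible in these hunks.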
@ -1,39 +0,0 @@
|
||||
commit decccbcb5075f8fbc28a535a9b337afc84a15dee
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon Dec 16 15:37:56 2013 -0500
|
||||
|
||||
Fix GSS krb5 acceptor acquire_cred error handling
|
||||
|
||||
When acquiring acceptor creds with a specified name, if we fail to
|
||||
open a replay cache, we leak the keytab handle. If there is no
|
||||
specified name and we discover that there is no content in the keytab,
|
||||
we leak the keytab handle and return the wrong major code. Memory
|
||||
leak reported by Andrea Campi.
|
||||
|
||||
ticket: 7805
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
index 0efcad4..9547207 100644
|
||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
|
||||
code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
|
||||
&cred->rcache);
|
||||
if (code) {
|
||||
+ krb5_kt_close(context, kt);
|
||||
*minor_status = code;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
|
||||
/* Make sure we have a keytab with keys in it. */
|
||||
code = krb5_kt_have_content(context, kt);
|
||||
if (code) {
|
||||
+ krb5_kt_close(context, kt);
|
||||
*minor_status = code;
|
||||
- return GSS_S_FAILURE;
|
||||
+ return GSS_S_CRED_UNAVAIL;
|
||||
}
|
||||
}
|
||||
|
@ -1,39 +0,0 @@
|
||||
commit 13fd26e1863c79f616653f6a10a58c01f65fceff
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri Dec 6 18:56:56 2013 -0500
|
||||
|
||||
Avoid malloc(0) in SPNEGO get_input_token
|
||||
|
||||
If we read a zero-length token in spnego_mech.c's get_input_token(),
|
||||
set the value pointer to NULL instead of calling malloc(0).
|
||||
|
||||
ticket: 7794 (new)
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 24c3440..3937662 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
|
||||
return (NULL);
|
||||
|
||||
input_token->length = len;
|
||||
- input_token->value = gssalloc_malloc(input_token->length);
|
||||
+ if (input_token->length > 0) {
|
||||
+ input_token->value = gssalloc_malloc(input_token->length);
|
||||
+ if (input_token->value == NULL) {
|
||||
+ free(input_token);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
|
||||
- if (input_token->value == NULL) {
|
||||
- free(input_token);
|
||||
- return (NULL);
|
||||
+ memcpy(input_token->value, *buff_in, input_token->length);
|
||||
+ } else {
|
||||
+ input_token->value = NULL;
|
||||
}
|
||||
-
|
||||
- (void) memcpy(input_token->value, *buff_in, input_token->length);
|
||||
*buff_in += input_token->length;
|
||||
return (input_token);
|
||||
}
|
@ -1,44 +0,0 @@
|
||||
commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed Dec 18 16:03:16 2013 -0500
|
||||
|
||||
Test SPNEGO error message in t_s4u.py
|
||||
|
||||
Now that #7045 is fixed, we can check for the correct error message
|
||||
from t_s4u2proxy_krb5 with --spnego.
|
||||
|
||||
ticket: 7045
|
||||
|
||||
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
|
||||
index 67dc810..e4aa259 100644
|
||||
--- a/src/tests/gssapi/t_s4u.py
|
||||
+++ b/src/tests/gssapi/t_s4u.py
|
||||
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
|
||||
'NOT_ALLOWED_TO_DELEGATE' not in output):
|
||||
fail('krb5 -> s4u2proxy')
|
||||
|
||||
-# Again with SPNEGO. Bug #7045 prevents us from checking the error
|
||||
-# message, but we can at least exercise the code.
|
||||
+# Again with SPNEGO.
|
||||
output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
|
||||
'-', pservice1, pservice2],
|
||||
expected_code=1)
|
||||
-if ('auth1: ' + realm.user_princ not in output):
|
||||
+if ('auth1: ' + realm.user_princ not in output or
|
||||
+ 'NOT_ALLOWED_TO_DELEGATE' not in output):
|
||||
fail('krb5 -> s4u2proxy (SPNEGO)')
|
||||
|
||||
# Try krb5 -> S4U2Proxy without forwardable user creds. This should
|
||||
@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
|
||||
fail('s4u2self')
|
||||
|
||||
# Again with SPNEGO. This uses SPNEGO for the initial authentication,
|
||||
-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
|
||||
+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
|
||||
# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
|
||||
-# directly rather than saving and reacquiring it) so bug #7045 does
|
||||
-# not apply and we can verify the error message.
|
||||
+# directly rather than saving and reacquiring it.
|
||||
output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
|
||||
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
|
||||
fail('s4u2self')
|
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
|
||||
|
||||
- update to version 1.12.1
|
||||
* Make KDC log service principal names more consistently during
|
||||
some error conditions, instead of "<unknown server>"
|
||||
* Fix several bugs related to building AES-NI support on less
|
||||
common configurations
|
||||
* Fix several bugs related to keyring credential caches
|
||||
- upstream obsoletes:
|
||||
krb5-1.12-copy_context.patch
|
||||
krb5-1.12-enable-NX.patch
|
||||
krb5-1.12-pic-aes-ni.patch
|
||||
krb5-master-no-malloc0.patch
|
||||
krb5-master-ignore-empty-unnecessary-final-token.patch
|
||||
krb5-master-gss_oid_leak.patch
|
||||
krb5-master-keytab_close.patch
|
||||
krb5-master-spnego_error_messages.patch
|
||||
- Fix Get time offsets for all keyring ccaches
|
||||
krb5-master-keyring-kdcsync.patch (RT#7820)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 1
|
||||
%define srcRoot krb5-1.12
|
||||
%define srcRoot krb5-1.12.1
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.12
|
||||
Version: 1.12.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch
|
||||
Patch12: krb5-1.12-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Patch14: krb5-kvno-230379.patch
|
||||
Patch15: krb5-1.12-copy_context.patch
|
||||
Patch16: krb5-1.12-enable-NX.patch
|
||||
Patch17: krb5-1.12-pic-aes-ni.patch
|
||||
Patch18: krb5-master-no-malloc0.patch
|
||||
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
|
||||
Patch20: krb5-master-gss_oid_leak.patch
|
||||
Patch21: krb5-master-keytab_close.patch
|
||||
Patch22: krb5-master-spnego_error_messages.patch
|
||||
Patch15: krb5-master-keyring-kdcsync.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -206,13 +199,6 @@ Include Files for Development
|
||||
%patch13 -p0
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
|
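Review bot: The new `Patch15: krb5-master-keyring-kdcsync.patch` line in the `@ -78,14 +78,7 @@` hunk reuses the number shown there for krb5-1.12-copy_context.patch, so the `%patch15 -p1` kept in the `@ -206,13 +199,6 @@` hunk now applies a different file with nothing in the spec saying so. I would add a comment above the Patch15 line recording the origin given in the changelog, for example `# PATCH-FIX-UPSTREAM krb5-master-keyring-kdcsync.patch RT#7820 -- get time offsets for all keyring ccaches`, so the next version bump knows when it can be dropped. One of the removed entries is krb5-1.12-enable-NX.patch, which by its name looks like a hardening patch. It is worth confirming on the built 1.12.1 libraries that the stack is still marked non-executable, rather than relying only on the changelog's "upstream obsoletes" entry. The same lines appear in the krb5.spec section further down the page.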
21
krb5.changes
21
krb5.changes
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
|
||||
|
||||
- update to version 1.12.1
|
||||
* Make KDC log service principal names more consistently during
|
||||
some error conditions, instead of "<unknown server>"
|
||||
* Fix several bugs related to building AES-NI support on less
|
||||
common configurations
|
||||
* Fix several bugs related to keyring credential caches
|
||||
- upstream obsoletes:
|
||||
krb5-1.12-copy_context.patch
|
||||
krb5-1.12-enable-NX.patch
|
||||
krb5-1.12-pic-aes-ni.patch
|
||||
krb5-master-no-malloc0.patch
|
||||
krb5-master-ignore-empty-unnecessary-final-token.patch
|
||||
krb5-master-gss_oid_leak.patch
|
||||
krb5-master-keytab_close.patch
|
||||
krb5-master-spnego_error_messages.patch
|
||||
- Fix Get time offsets for all keyring ccaches
|
||||
krb5-master-keyring-kdcsync.patch (RT#7820)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
|
||||
|
||||
|
20
krb5.spec
20
krb5.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 0
|
||||
%define srcRoot krb5-1.12
|
||||
%define srcRoot krb5-1.12.1
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.12
|
||||
Version: 1.12.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -78,14 +78,7 @@ Patch11: krb5-1.12-ksu-path.patch
|
||||
Patch12: krb5-1.12-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Patch14: krb5-kvno-230379.patch
|
||||
Patch15: krb5-1.12-copy_context.patch
|
||||
Patch16: krb5-1.12-enable-NX.patch
|
||||
Patch17: krb5-1.12-pic-aes-ni.patch
|
||||
Patch18: krb5-master-no-malloc0.patch
|
||||
Patch19: krb5-master-ignore-empty-unnecessary-final-token.patch
|
||||
Patch20: krb5-master-gss_oid_leak.patch
|
||||
Patch21: krb5-master-keytab_close.patch
|
||||
Patch22: krb5-master-spnego_error_messages.patch
|
||||
Patch15: krb5-master-keyring-kdcsync.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -206,13 +199,6 @@ Include Files for Development
|
||||
%patch13 -p0
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
|