Accepting request 124061 from network
- update to version 1.10.2 - fix gcc47 issues - update to version 1.10.2 obsolete patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] OBS-URL: https://build.opensuse.org/request/show/124061 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=79
commit
caa81fa0d8
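--- /dev/null
+++ b/krb5-1.10-buildconf.patch
@@ -0,0 +1,60 @@
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them. Prune out
+the -L/usr/lib* and PIE flags where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+Index: krb5-1.10.2/src/config/shlib.conf
+===================================================================
+--- krb5-1.10.2.orig/src/config/shlib.conf
++++ krb5-1.10.2/src/config/shlib.conf
+@@ -419,7 +419,7 @@ mips-*-netbsd*)
+SHLIBEXT=.so
+# Linux ld doesn't default to stuffing the SONAME field...
+# Use objdump -x to examine the fields of the library
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
+#
+LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+SHLIB_EXPORT_FILE_DEP=binutils.versions
+@@ -430,7 +430,8 @@ mips-*-netbsd*)
+SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+PROFFLAGS=-pg
+PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
+CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
+Index: krb5-1.10.2/src/krb5-config.in
+===================================================================
+--- krb5-1.10.2.orig/src/krb5-config.in
++++ krb5-1.10.2/src/krb5-config.in
+@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
+-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+-e 's#\$(CFLAGS)##'`
+
++ if test `dirname $libdir` = /usr ; then
++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++ fi
++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+if test $library = 'kdb'; then
+lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+library=krb5
+Index: krb5-1.10.2/src/config/pre.in
+===================================================================
+--- krb5-1.10.2.orig/src/config/pre.in
++++ krb5-1.10.2/src/config/pre.in
+@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
+INSTALL_SCRIPT=@INSTALL_PROGRAM@
+INSTALL_DATA=@INSTALL_DATA@
+INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+## This is needed because autoconf will sometimes define @exec_prefix@ to be
+## ${prefix}.
+prefix=@prefix@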
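Review bot: The hardening flags in the shlib.conf hunk are added only to CC_LINK_SHARED; CXX_LINK_SHARED two lines below still links C++ programs without them, so any C++ executable in the tree ends up without PIE and full RELRO although the patch header says all binaries in the package get them. Mirror the change there: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. Linking with `-pie` also presumes every object was compiled with `-fPIE`; the krb5-config hunk stripping `-fPIE` suggests that flag arrives through CFLAGS from outside this patch, which is worth stating in the header next to the existing FIXME. In the pre.in hunk, dropping `-o root` from INSTALL_SETUID means a non-root `make install` leaves a mode 4755 file owned by the installing user; presumably the package's file attributes restore root ownership at packaging time, but that dependency should be written down in the header as well.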
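--- /dev/null
+++ b/krb5-1.10-gcc47.patch
@@ -0,0 +1,12 @@
+This file also triggers the maybe-uninitialized warning/error. RT#7080
+
+--- src/lib/krb5/krb/x-deltat.y
++++ src/lib/krb5/krb/x-deltat.y
+@@ -44,6 +44,7 @@
+#ifdef __GNUC__
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wuninitialized"
++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
+#endif
+
+#include <ctype.h>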
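Review bot: The new pragma is guarded only by `__GNUC__`, but `-Wmaybe-uninitialized` was introduced in GCC 4.7, so older GCC releases that reach this line report an unknown option for the `#pragma GCC diagnostic` under -Wpragmas instead of silently accepting it; the patch header says the file was added for gcc47 issues, so a version guard keeps it from regressing earlier compilers: `#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)` around the pragma, closed with `#endif`. Since the `push` above has its matching `pop` outside the hunk, the suppression presumably covers the generated parser only; the one-line header should say which bison-generated variable triggers the warning so a future reader can tell it is a false positive rather than a real uninitialized read in the deltat parser. The patch also uses bare `src/...` paths without an Index line, unlike krb5-1.10-buildconf.patch, which means a different strip level when applied.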
@ -1,14 +1,14 @@
|
||||
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
|
||||
to wait for UDP to fail, so this might not be ideal. RT #5868.
|
||||
|
||||
Index: src/lib/krb5/os/changepw.c
|
||||
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/changepw.c.orig
|
||||
+++ src/lib/krb5/os/changepw.c
|
||||
@@ -282,10 +282,22 @@ change_set_password(krb5_context context
|
||||
NULL
|
||||
))) {
|
||||
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
|
||||
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
|
||||
&callback_info, &chpw_rep, ss2sa(&remote_addr),
|
||||
&addrlen, NULL, NULL, NULL);
|
||||
if (code) {
|
||||
- /*
|
||||
- * Here we may want to switch to TCP on some errors.
|
||||
- * right?
|
||||
@ -16,14 +16,14 @@ Index: src/lib/krb5/os/changepw.c
|
||||
+ /* if we're not using a stream socket, and it's an error which
|
||||
+ * might reasonably be specific to a datagram "connection", try
|
||||
+ * again with a stream socket */
|
||||
+ if (!useTcp) {
|
||||
+ if (!use_tcp) {
|
||||
+ switch (code) {
|
||||
+ case KRB5_KDC_UNREACH:
|
||||
+ case KRB5_REALM_CANT_RESOLVE:
|
||||
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
|
||||
+ /* should we do this for more result codes than these? */
|
||||
+ krb5int_free_addrlist (&al);
|
||||
+ useTcp = 1;
|
||||
+ k5_free_serverlist (&sl);
|
||||
+ use_tcp = 1;
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
@ -31,11 +31,11 @@ The selabel APIs for looking up the context should be thread-safe (per
|
||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||
which we used earlier, is some improvement.
|
||||
|
||||
Index: krb5-1.9.1/src/aclocal.m4
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.9.1/src/aclocal.m4
|
||||
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
dnl
|
||||
KRB5_AC_PRAGMA_WEAK_REF
|
||||
WITH_LDAP
|
||||
@ -43,7 +43,7 @@ Index: krb5-1.9.1/src/aclocal.m4
|
||||
KRB5_LIB_PARAMS
|
||||
KRB5_AC_INITFINI
|
||||
KRB5_AC_ENABLE_THREADS
|
||||
@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir)
|
||||
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
|
||||
AC_SUBST(manlibexecdir)
|
||||
AC_CONFIG_FILES($1)
|
||||
])
|
||||
@ -95,11 +95,11 @@ Index: krb5-1.9.1/src/aclocal.m4
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(SELINUX_LIBS)
|
||||
+])dnl
|
||||
Index: krb5-1.9.1/src/config/pre.in
|
||||
Index: krb5-1.10.2/src/config/pre.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/config/pre.in
|
||||
+++ krb5-1.9.1/src/config/pre.in
|
||||
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||
--- krb5-1.10.2.orig/src/config/pre.in
|
||||
+++ krb5-1.10.2/src/config/pre.in
|
||||
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
||||
LDARGS = @LDARGS@
|
||||
LIBS = @LIBS@
|
||||
@ -107,7 +107,7 @@ Index: krb5-1.9.1/src/config/pre.in
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
# HESIOD_LIBS is -lhesiod...
|
||||
HESIOD_LIBS = @HESIOD_LIBS@
|
||||
|
||||
@ -116,11 +116,11 @@ Index: krb5-1.9.1/src/config/pre.in
|
||||
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on Mac OS X!
|
||||
Index: krb5-1.9.1/src/configure.in
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/configure.in
|
||||
+++ krb5-1.9.1/src/configure.in
|
||||
@@ -1127,6 +1127,8 @@ fi
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
|
||||
|
||||
KRB5_WITH_PAM
|
||||
|
||||
@ -129,10 +129,10 @@ Index: krb5-1.9.1/src/configure.in
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
|
||||
V5_AC_OUTPUT_MANPAGE([
|
||||
Index: krb5-1.9.1/src/include/k5-int.h
|
||||
Index: krb5-1.10.2/src/include/k5-int.h
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/include/k5-int.h
|
||||
+++ krb5-1.9.1/src/include/k5-int.h
|
||||
--- krb5-1.10.2.orig/src/include/k5-int.h
|
||||
+++ krb5-1.10.2/src/include/k5-int.h
|
||||
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
|
||||
typedef UINT64_TYPE krb5_ui_8;
|
||||
typedef INT64_TYPE krb5_int64;
|
||||
@ -141,10 +141,10 @@ Index: krb5-1.9.1/src/include/k5-int.h
|
||||
|
||||
#define DEFAULT_PWD_STRING1 "Enter password"
|
||||
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
||||
Index: krb5-1.9.1/src/include/k5-label.h
|
||||
Index: krb5-1.10.2/src/include/k5-label.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.9.1/src/include/k5-label.h
|
||||
+++ krb5-1.10.2/src/include/k5-label.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+#ifndef _KRB5_LABEL_H
|
||||
+#define _KRB5_LABEL_H
|
||||
@ -178,11 +178,11 @@ Index: krb5-1.9.1/src/include/k5-label.h
|
||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
+#endif
|
||||
+#endif
|
||||
Index: krb5-1.9.1/src/include/krb5/krb5.hin
|
||||
Index: krb5-1.10.2/src/include/krb5/krb5.hin
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/include/krb5/krb5.hin
|
||||
+++ krb5-1.9.1/src/include/krb5/krb5.hin
|
||||
@@ -87,6 +87,12 @@
|
||||
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
|
||||
+++ krb5-1.10.2/src/include/krb5/krb5.hin
|
||||
@@ -83,6 +83,12 @@
|
||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
#endif
|
||||
|
||||
@ -195,11 +195,20 @@ Index: krb5-1.9.1/src/include/krb5/krb5.hin
|
||||
#define KRB5_OLD_CRYPTO
|
||||
|
||||
#include <stdlib.h>
|
||||
Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
|
||||
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c
|
||||
+++ krb5-1.9.1/src/kadmin/dbutil/dump.c
|
||||
@@ -1257,7 +1257,7 @@ dump_db(argc, argv)
|
||||
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
|
||||
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
|
||||
exit_status++;
|
||||
return;
|
||||
}
|
||||
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
|
||||
file_ok);
|
||||
exit_status++;
|
||||
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
|
||||
* want to get into.
|
||||
*/
|
||||
unlink(ofile);
|
||||
@ -208,10 +217,10 @@ Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
|
||||
fprintf(stderr, ofopen_error,
|
||||
progname, ofile, error_message(errno));
|
||||
exit_status++;
|
||||
Index: krb5-1.9.1/src/krb5-config.in
|
||||
Index: krb5-1.10.2/src/krb5-config.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/krb5-config.in
|
||||
+++ krb5-1.9.1/src/krb5-config.in
|
||||
--- krb5-1.10.2.orig/src/krb5-config.in
|
||||
+++ krb5-1.10.2/src/krb5-config.in
|
||||
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
|
||||
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
|
||||
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
|
||||
@ -220,20 +229,20 @@ Index: krb5-1.9.1/src/krb5-config.in
|
||||
|
||||
LIBS='@LIBS@'
|
||||
GEN_LIB=@GEN_LIB@
|
||||
@@ -214,7 +215,7 @@ if test -n "$do_libs"; then
|
||||
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
|
||||
fi
|
||||
|
||||
if test $library = 'krb5'; then
|
||||
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
|
||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
fi
|
||||
# If we ever support a flag to generate output suitable for static
|
||||
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
|
||||
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
# here.
|
||||
|
||||
echo $lib_flags
|
||||
Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
||||
Index: krb5-1.10.2/src/lib/kadm5/logger.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/kadm5/logger.c
|
||||
+++ krb5-1.9.1/src/lib/kadm5/logger.c
|
||||
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
|
||||
+++ krb5-1.10.2/src/lib/kadm5/logger.c
|
||||
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
* Check for append/overwrite, then open the file.
|
||||
*/
|
||||
if (cp[4] == ':' || cp[4] == '=') {
|
||||
@ -242,7 +251,7 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[i].lfu_filep = f;
|
||||
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
* In case the old logfile did not get moved out of the
|
||||
* way, open for append to prevent squashing the old logs.
|
||||
*/
|
||||
@ -251,11 +260,11 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[lindex].lfu_filep = f;
|
||||
Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
||||
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c
|
||||
+++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
|
||||
KTCHECKLOCK(id);
|
||||
errno = 0;
|
||||
@ -264,7 +273,7 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
||||
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
|
||||
fopen_mode_rbplus : fopen_mode_rb);
|
||||
if (!KTFILEP(id)) {
|
||||
@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
/* try making it first time around */
|
||||
krb5_create_secure_file(context, KTFILENAME(id));
|
||||
errno = 0;
|
||||
@ -273,11 +282,11 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
|
||||
if (!KTFILEP(id))
|
||||
goto report_errno;
|
||||
writevno = 1;
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
* POSIX systems
|
||||
*/
|
||||
lockp->lockinfo.filename = strdup(lockfilename);
|
||||
@ -286,43 +295,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
/*
|
||||
* maybe someone took away write permission so we could only
|
||||
* get shared locks?
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context)
|
||||
* should be opened read/write so that write locking can work with
|
||||
* POSIX systems
|
||||
*/
|
||||
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
|
||||
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
|
||||
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
|
||||
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
|
||||
retval = errno;
|
||||
goto err_out;
|
||||
}
|
||||
@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db
|
||||
if (!okname)
|
||||
retval = ENOMEM;
|
||||
else {
|
||||
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||
if (fd < 0)
|
||||
retval = errno;
|
||||
else
|
||||
@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch
|
||||
retval = ENOMEM;
|
||||
goto errout;
|
||||
}
|
||||
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
|
||||
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
|
||||
if (db_ctx->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto errout;
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
||||
|
||||
#include "k5-platform.h" /* mkstemp? */
|
||||
@ -340,10 +316,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
goto err;
|
||||
|
||||
} else {
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
||||
#include <assert.h>
|
||||
#endif
|
||||
@ -361,31 +337,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
RETURN_ERROR(errno, error0);
|
||||
(void)fcntl(hashp->fp, F_SETFD, 1);
|
||||
}
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include "k5-int.h"
|
||||
#include "db-int.h"
|
||||
#include "recno.h"
|
||||
|
||||
@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo,
|
||||
int rfd, sverrno;
|
||||
|
||||
/* Open the user's file -- if this fails, we're done. */
|
||||
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
||||
+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
KRB5_RUN_ENV= @KRB5_RUN_ENV@
|
||||
@ -396,11 +351,11 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
DB_DEPLIB = ../libdb$(DEPLIBEXT)
|
||||
|
||||
all::
|
||||
Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
|
||||
/* Create a temporary file which contains all the entries except the
|
||||
entry for the given service dn */
|
||||
@ -409,7 +364,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "while deleting entry from file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
|
||||
|
||||
|
||||
@ -418,7 +373,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
umask(omask);
|
||||
if (tmpfd == -1) {
|
||||
com_err(me, errno, "while deleting entry from file\n");
|
||||
@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
|
||||
printf("File does not exist. Creating the file %s...\n", file_name);
|
||||
omask = umask(077);
|
||||
@ -427,7 +382,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
umask(omask);
|
||||
if (fd == -1) {
|
||||
com_err(me, errno, "Error creating file %s", file_name);
|
||||
@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
|
||||
/* TODO: file lock for the service password file */
|
||||
/* set password in the file */
|
||||
@ -436,7 +391,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "Failed to open file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -445,16 +400,16 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
umask(omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||
@@ -2019,7 +2019,7 @@ done:
|
||||
@@ -2016,7 +2016,7 @@ done:
|
||||
|
||||
/* set password in the file */
|
||||
old_mode = umask(0177);
|
||||
- pfile = fopen(file_name, "a+");
|
||||
+ pfile = WRITABLEFOPEN(file_name, "a+");
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "Failed to open file %s: %s", file_name,
|
||||
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
|
||||
strerror (errno));
|
||||
@@ -2069,7 +2069,7 @@ done:
|
||||
@@ -2068,7 +2068,7 @@ done:
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -462,12 +417,12 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+ newfile = WRITABLEFOPEN(tmp_file, "w");
|
||||
umask (omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||
Index: krb5-1.9.1/src/slave/kpropd.c
|
||||
com_err(me, errno, _("Error creating file %s"), tmp_file);
|
||||
Index: krb5-1.10.2/src/slave/kpropd.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/slave/kpropd.c
|
||||
+++ krb5-1.9.1/src/slave/kpropd.c
|
||||
@@ -338,7 +338,7 @@ retry:
|
||||
--- krb5-1.10.2.orig/src/slave/kpropd.c
|
||||
+++ krb5-1.10.2/src/slave/kpropd.c
|
||||
@@ -336,7 +336,7 @@ retry:
|
||||
if (!debug && iproprole != IPROP_SLAVE)
|
||||
daemon(1, 0);
|
||||
#ifdef PID_FILE
|
||||
@ -476,10 +431,36 @@ Index: krb5-1.9.1/src/slave/kpropd.c
|
||||
fprintf(pidfile, "%d\n", getpid());
|
||||
fclose(pidfile);
|
||||
} else
|
||||
Index: krb5-1.9.1/src/util/profile/prof_file.c
|
||||
@@ -437,6 +437,9 @@ void doit(fd)
|
||||
krb5_enctype etype;
|
||||
int database_fd;
|
||||
char host[INET6_ADDRSTRLEN+1];
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (kpropd_context->kdblog_context &&
|
||||
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
|
||||
@@ -515,9 +518,15 @@ void doit(fd)
|
||||
free(name);
|
||||
exit(1);
|
||||
}
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(file);
|
||||
+#endif
|
||||
omask = umask(077);
|
||||
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
|
||||
(void) umask(omask);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
retval = krb5_lock_file(kpropd_context, lock_fd,
|
||||
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
|
||||
if (retval) {
|
||||
Index: krb5-1.10.2/src/util/profile/prof_file.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/util/profile/prof_file.c
|
||||
+++ krb5-1.9.1/src/util/profile/prof_file.c
|
||||
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
|
||||
+++ krb5-1.10.2/src/util/profile/prof_file.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#endif
|
||||
|
||||
@ -488,7 +469,7 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
|
||||
|
||||
struct global_shared_profile_data {
|
||||
/* This is the head of the global list of shared trees */
|
||||
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
|
||||
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
|
||||
|
||||
errno = 0;
|
||||
|
||||
@ -497,11 +478,11 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c
|
||||
if (!f) {
|
||||
retval = errno;
|
||||
if (retval == 0)
|
||||
Index: krb5-1.9.1/src/util/support/Makefile.in
|
||||
Index: krb5-1.10.2/src/util/support/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/util/support/Makefile.in
|
||||
+++ krb5-1.9.1/src/util/support/Makefile.in
|
||||
@@ -54,6 +54,7 @@ IPC_SYMS= \
|
||||
--- krb5-1.10.2.orig/src/util/support/Makefile.in
|
||||
+++ krb5-1.10.2/src/util/support/Makefile.in
|
||||
@@ -64,6 +64,7 @@ IPC_SYMS= \
|
||||
|
||||
STLIBOBJS= \
|
||||
threads.o \
|
||||
@ -509,7 +490,7 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
|
||||
init-addrinfo.o \
|
||||
plugins.o \
|
||||
errors.o \
|
||||
@@ -108,7 +109,7 @@ SRCS=\
|
||||
@@ -127,7 +128,7 @@ SRCS=\
|
||||
|
||||
SHLIB_EXPDEPS =
|
||||
# Add -lm if dumping thread stats, for sqrt.
|
||||
@ -518,11 +499,11 @@ Index: krb5-1.9.1/src/util/support/Makefile.in
|
||||
SHLIB_DIRS=
|
||||
SHLIB_RDIRS=$(KRB5_LIBDIR)
|
||||
|
||||
Index: krb5-1.9.1/src/util/support/selinux.c
|
||||
Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.9.1/src/util/support/selinux.c
|
||||
@@ -0,0 +1,362 @@
|
||||
+++ krb5-1.10.2/src/util/support/selinux.c
|
||||
@@ -0,0 +1,372 @@
|
||||
+/*
|
||||
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
|
||||
+ *
|
||||
@ -746,16 +727,26 @@ Index: krb5-1.9.1/src/util/support/selinux.c
|
||||
+krb5int_push_fscreatecon_for(const char *pathname)
|
||||
+{
|
||||
+ struct stat st;
|
||||
+ if (stat(pathname, &st) != 0) {
|
||||
+ st.st_mode = S_IRUSR | S_IWUSR;
|
||||
+ void *retval;
|
||||
+ k5_once(&labeled_once, label_mutex_init);
|
||||
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
|
||||
+ if (stat(pathname, &st) != 0) {
|
||||
+ st.st_mode = S_IRUSR | S_IWUSR;
|
||||
+ }
|
||||
+ retval = push_fscreatecon(pathname, st.st_mode);
|
||||
+ return retval ? retval : (void *) -1;
|
||||
+ } else {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return push_fscreatecon(pathname, st.st_mode);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+krb5int_pop_fscreatecon(void *con)
|
||||
+{
|
||||
+ pop_fscreatecon(con);
|
||||
+ if (con != NULL) {
|
||||
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
|
||||
+ k5_mutex_unlock(&labeled_mutex);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+FILE *
|
||||
@ -885,11 +876,11 @@ Index: krb5-1.9.1/src/util/support/selinux.c
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
krb5_error_code retval = 0;
|
||||
krb5_rcache tmp;
|
||||
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
|
||||
@ -899,7 +890,7 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
|
||||
if (! t->recovering) {
|
||||
name = t->name;
|
||||
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
retval = krb5_rc_resolve(context, tmp, 0);
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
@ -917,3 +908,92 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
for (q = t->a; q; q = q->na) {
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
|
||||
- 0600);
|
||||
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
|
||||
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||
if (dbc->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include "k5-int.h"
|
||||
#include "db-int.h"
|
||||
#include "recno.h"
|
||||
|
||||
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
|
||||
int rfd = -1, sverrno;
|
||||
|
||||
/* Open the user's file -- if this fails, we're done. */
|
||||
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
||||
+ if (fname != NULL &&
|
||||
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
Index: krb5-1.10.2/src/kdc/main.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/kdc/main.c
|
||||
+++ krb5-1.10.2/src/kdc/main.c
|
||||
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
|
||||
FILE *file;
|
||||
unsigned long pid;
|
||||
|
||||
- file = fopen(path, "w");
|
||||
+ file = WRITABLEFOPEN(path, "w");
|
||||
if (file == NULL)
|
||||
return errno;
|
||||
pid = (unsigned long) getpid();
|
||||
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
|
||||
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
|
||||
return (errno);
|
||||
}
|
||||
|
||||
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
|
||||
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
|
||||
return (errno);
|
||||
}
|
||||
|
||||
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
|
||||
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||
@@ -66,6 +66,7 @@ HEADERS= \
|
||||
gssapi_err_generic.h \
|
||||
k5-int.h \
|
||||
k5-int-pkinit.h \
|
||||
+ k5-label.h \
|
||||
k5-thread.h \
|
||||
k5-platform.h \
|
||||
k5-buf.h \
|
||||
@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
|
||||
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
|
||||
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
|
||||
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
|
||||
-k5-int.h: $(INCLUDE)/k5-int.h
|
||||
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
|
||||
$(CP) $(INCLUDE)/k5-int.h $@
|
||||
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
|
||||
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
|
||||
+k5-label.h: $(INCLUDE)/k5-label.h
|
||||
+ $(CP) $(INCLUDE)/k5-label.h $@
|
||||
k5-thread.h: $(INCLUDE)/k5-thread.h
|
||||
$(CP) $(INCLUDE)/k5-thread.h $@
|
||||
k5-platform.h: $(INCLUDE)/k5-platform.h
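Review bot: The new THREEPARAMOPEN/WRITABLEFOPEN calls in kdb_db2.c, kdc/main.c and kdb_log.c arrive without a visible include, while rec_open.c needed an explicit `#include "k5-int.h"` to see them; presumably those three files already include k5-int.h (which the Makefile.in change suggests now pulls in k5-label.h), but that is worth confirming rather than assuming, since an undefined macro is only caught at compile time on each affected tree. Separately, in src/util/gss-kernel-lib/Makefile.in the copy rule `k5-int.h: $(INCLUDE)/k5-int.h k5-label.h` lists k5-label.h as a timestamp prerequisite although the recipe only copies k5-int.h; an order-only prerequisite, `k5-int.h: $(INCLUDE)/k5-int.h | k5-label.h`, states the "must exist first" intent without re-copying k5-int.h whenever k5-label.h changes. The kdb_log.c change from `O_RDWR+O_CREAT` to `O_RDWR | O_CREAT` is a welcome correction of the flag arithmetic.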
|
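--- /dev/null
+++ b/krb5-1.10.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
+size 9457236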
@ -1,8 +1,8 @@
|
||||
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
===================================================================
|
||||
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
|
||||
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
|
||||
status_string->value = NULL;
|
||||
|
||||
if (! g_make_string_buffer(((status_value == 0)?no_error:
|
||||
|
@ -1,11 +0,0 @@
|
||||
Index: trunk/doc/Makefile
|
||||
===================================================================
|
||||
--- doc/Makefile
|
||||
+++ doc/Makefile
|
||||
@@ -1,5 +1,5 @@
|
||||
SRCDIR=../src
|
||||
-DVI=texi2dvi4a2ps # texi2dvi
|
||||
+DVI=texi2dvi # texi2dvi
|
||||
DVIPS=dvips -o "$@"
|
||||
PSPDF=ps2pdf
|
||||
INFO=makeinfo
|
@ -1,18 +1,16 @@
|
||||
Don't double-log (actually, don't process /etc/krb5.conf twice) just
|
||||
because we built with --sysconfdir=/etc. RT#3277
|
||||
|
||||
Index: krb5-1.9.1/src/include/Makefile.in
|
||||
Index: krb5-1.10.2/src/include/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/include/Makefile.in
|
||||
+++ krb5-1.9.1/src/include/Makefile.in
|
||||
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
||||
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
|
||||
--- krb5-1.10.2.orig/src/include/Makefile.in
|
||||
+++ krb5-1.10.2/src/include/Makefile.in
|
||||
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
||||
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
||||
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
||||
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
|
||||
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
||||
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
||||
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
|
||||
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
||||
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
||||
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
||||
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
|
||||
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
|
||||
|
||||
OSCONFSRC = $(srcdir)/osconf.hin
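Review bot: The two added sed expressions only work because they run after `-e 's+@SYSCONFDIR+$(SYSCONFDIR)+'` in the same sed invocation and, presumably, because the default profile path in osconf.hin ends with `:/etc/krb5.conf"` — neither is stated in the Makefile, so a later reordering of PROCESS_REPLACE would silently reintroduce the double read. Since PROCESS_REPLACE is one backslash-continued assignment the explanation cannot go inline; a comment above the assignment (outside this hunk) would do: `# After @SYSCONFDIR expansion, collapse "/etc/krb5.conf:/etc/krb5.conf" so a --sysconfdir=/etc build does not process krb5.conf twice (RT#3277).` The patterns are also pinned to the literal /etc/krb5.conf, which is intended here but means the rewrite is a no-op for any other sysconfdir, and that is worth saying in the same comment.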
|
||||
|
||||
|
@ -1,21 +0,0 @@
|
||||
Omit extra libraries because their interfaces aren't exposed to applications
|
||||
by libkrb5, unless do_deps is set to 1, which indicates that the caller
|
||||
wants the whole list.
|
||||
|
||||
Index: krb5-1.9.1/src/krb5-config.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/krb5-config.in
|
||||
+++ krb5-1.9.1/src/krb5-config.in
|
||||
@@ -221,7 +221,11 @@ if test -n "$do_libs"; then
|
||||
fi
|
||||
|
||||
if test $library = 'krb5'; then
|
||||
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
+ if test 0$do_deps -eq 1 ; then
|
||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
+ else
|
||||
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
|
||||
+ fi
|
||||
fi
|
||||
|
||||
echo $lib_flags
|
@ -2,10 +2,11 @@ Reference docs don't define what happens if you call krb5_realm_compare() with
|
||||
malformed krb5_principal structures. Define a behavior which keeps it from
|
||||
crashing if applications don't check ahead of time.
|
||||
|
||||
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
|
||||
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
|
||||
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
|
||||
Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
|
||||
@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
|
||||
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
|
||||
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
|
||||
|
||||
@ -18,7 +19,7 @@ diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/pr
|
||||
if (realm1->length != realm2->length)
|
||||
return FALSE;
|
||||
|
||||
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||
@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||
krb5_principal upn2 = NULL;
|
||||
krb5_boolean ret = FALSE;
|
||||
|
||||
|
@ -1,6 +1,7 @@
|
||||
appl/sample/sserver/sserver.M
|
||||
config-files/kdc.conf.M
|
||||
config-files/krb5.conf.M
|
||||
gen-manpages/kerberos.M
|
||||
kadmin/cli/kadmin.M
|
||||
slave/kpropd.M
|
||||
slave/kprop.M
|
||||
|
@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
|
||||
Originally RT#5939, though it's changed since then to perform the account
|
||||
and session management before dropping privileges.
|
||||
|
||||
Index: krb5-1.9.1/src/aclocal.m4
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.9.1/src/aclocal.m4
|
||||
@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
]))
|
||||
])dnl
|
||||
dnl
|
||||
@ -86,10 +86,10 @@ Index: krb5-1.9.1/src/aclocal.m4
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
Index: krb5-1.10.2/src/clients/ksu/main.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.9.1/src/clients/ksu/main.c
|
||||
--- krb5-1.10.2.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.10.2/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
@ -117,7 +117,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
/***********/
|
||||
|
||||
#define _DEF_CSH "/bin/csh"
|
||||
@@ -586,6 +592,25 @@ main (argc, argv)
|
||||
@@ -584,6 +590,25 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
@ -142,8 +142,8 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
+
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, "while switching to target for authorization check");
|
||||
@@ -651,6 +676,26 @@ main (argc, argv)
|
||||
com_err(prog_name, errno, _("while switching to target for "
|
||||
@@ -648,6 +673,26 @@ main (argc, argv)
|
||||
sweep_up(ksu_context, cc_target);
|
||||
exit(1);
|
||||
}
|
||||
@ -170,7 +170,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
}
|
||||
|
||||
if( some_rest_copy){
|
||||
@@ -720,6 +765,32 @@ main (argc, argv)
|
||||
@@ -717,6 +762,32 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -203,18 +203,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
/* set permissions */
|
||||
if (setgid(target_pwd->pw_gid) < 0) {
|
||||
perror("ksu: setgid");
|
||||
@@ -792,7 +863,7 @@ main (argc, argv)
|
||||
@@ -789,7 +860,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
- if( keep_target_cache ) {
|
||||
+ if( keep_target_cache && !force_fork ) {
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s",
|
||||
params[0]);
|
||||
@@ -823,15 +894,34 @@ main (argc, argv)
|
||||
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||
sweep_up(ksu_context, cc_target);
|
||||
@@ -819,16 +890,35 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, "while calling waitpid");
|
||||
com_err(prog_name, errno, _("while calling waitpid"));
|
||||
}
|
||||
- sweep_up(ksu_context, cc_target);
|
||||
+ if( !keep_target_cache ) {
|
||||
@ -222,7 +222,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
+ }
|
||||
exit (statusp);
|
||||
case -1:
|
||||
com_err(prog_name, errno, "while trying to fork.");
|
||||
com_err(prog_name, errno, _("while trying to fork."));
|
||||
sweep_up(ksu_context, cc_target);
|
||||
exit (1);
|
||||
case 0:
|
||||
@ -241,17 +241,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c
|
||||
+ }
|
||||
+#endif
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s", params[0]);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"),
|
||||
params[0]);
|
||||
+ if( keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
Index: krb5-1.9.1/src/clients/ksu/Makefile.in
|
||||
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/clients/ksu/Makefile.in
|
||||
+++ krb5-1.9.1/src/clients/ksu/Makefile.in
|
||||
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
|
||||
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
|
||||
PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
@ -286,10 +287,10 @@ Index: krb5-1.9.1/src/clients/ksu/Makefile.in
|
||||
|
||||
clean::
|
||||
$(RM) ksu
|
||||
Index: krb5-1.9.1/src/clients/ksu/pam.c
|
||||
Index: krb5-1.10.2/src/clients/ksu/pam.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.9.1/src/clients/ksu/pam.c
|
||||
+++ krb5-1.10.2/src/clients/ksu/pam.c
|
||||
@@ -0,0 +1,389 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.c
|
||||
@ -680,10 +681,10 @@ Index: krb5-1.9.1/src/clients/ksu/pam.c
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
Index: krb5-1.9.1/src/clients/ksu/pam.h
|
||||
Index: krb5-1.10.2/src/clients/ksu/pam.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.9.1/src/clients/ksu/pam.h
|
||||
+++ krb5-1.10.2/src/clients/ksu/pam.h
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.h
|
||||
@ -742,13 +743,13 @@ Index: krb5-1.9.1/src/clients/ksu/pam.h
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
Index: krb5-1.9.1/src/configure.in
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/configure.in
|
||||
+++ krb5-1.9.1/src/configure.in
|
||||
@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
|
||||
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
|
||||
fi
|
||||
AC_SUBST(localedir)
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
+
|
||||
|
@ -1,75 +0,0 @@
|
||||
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
|
||||
index b473611..50c60b7 100644
|
||||
--- a/src/plugins/kdb/db2/lockout.c
|
||||
+++ b/src/plugins/kdb/db2/lockout.c
|
||||
@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (entry == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
if (!db_ctx->disable_lockout) {
|
||||
code = lookup_lockout_policy(context, entry, &max_fail,
|
||||
&failcnt_interval, &lockout_duration);
|
||||
@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
|
||||
return code;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Don't continue to modify the DB for an already locked account.
|
||||
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
|
||||
+ * this check is unneeded, but in rare cases, we can fail with an
|
||||
+ * integrity error or preauth failure before a policy check.)
|
||||
+ */
|
||||
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
||||
+ return 0;
|
||||
+
|
||||
/* Only mark the authentication as successful if the entry
|
||||
* required preauthentication, otherwise we have no idea. */
|
||||
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
index 552e39a..c2f44ab 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
|
||||
CHECK_LDAP_HANDLE(ldap_context);
|
||||
|
||||
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
|
||||
+ st = KRB5_KDB_NOENTRY;
|
||||
krb5_set_error_message (context, st, "Principal does not belong to realm");
|
||||
goto cleanup;
|
||||
}
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
||||
index a218dc7..fd164dd 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
|
||||
@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (entry == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
if (!ldap_context->disable_lockout) {
|
||||
code = lookup_lockout_policy(context, entry, &max_fail,
|
||||
&failcnt_interval,
|
||||
@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
|
||||
return code;
|
||||
}
|
||||
|
||||
- entry->mask = 0;
|
||||
+ /*
|
||||
+ * Don't continue to modify the DB for an already locked account.
|
||||
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
|
||||
+ * this check is unneeded, but in rare cases, we can fail with an
|
||||
+ * integrity error or preauth failure before a policy check.)
|
||||
+ */
|
||||
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
||||
+ return 0;
|
||||
|
||||
- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
|
||||
+ entry->mask = 0;
|
||||
|
||||
/* Only mark the authentication as successful if the entry
|
||||
* required preauthentication, otherwise we have no idea. */
|
@ -1,42 +0,0 @@
|
||||
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
|
||||
index f46cad3..102fbaa 100644
|
||||
--- a/src/kdc/Makefile.in
|
||||
+++ b/src/kdc/Makefile.in
|
||||
@@ -67,6 +67,7 @@ check-unix:: rtest
|
||||
|
||||
check-pytests::
|
||||
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
|
||||
|
||||
install::
|
||||
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
|
||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index c169c54..840a2ef 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -243,7 +243,8 @@ tgt_again:
|
||||
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
|
||||
errcode = find_alternate_tgs(request, &server);
|
||||
firstpass = 0;
|
||||
- goto tgt_again;
|
||||
+ if (errcode == 0)
|
||||
+ goto tgt_again;
|
||||
}
|
||||
}
|
||||
status = "UNKNOWN_SERVER";
|
||||
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
|
||||
new file mode 100644
|
||||
index 0000000..1760bcd
|
||||
--- /dev/null
|
||||
+++ b/src/kdc/t_emptytgt.py
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/usr/bin/python
|
||||
+from k5test import *
|
||||
+
|
||||
+realm = K5Realm(start_kadmind=False, create_host=False)
|
||||
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
|
||||
+if 'not found in Kerberos database' not in output:
|
||||
+ fail('TGT lookup for empty realm failed in unexpected way')
|
||||
+success('Empty tgt lookup.')
|
||||
|
||||
|
@ -1,38 +0,0 @@
|
||||
Build binaries in this package as RELRO PIEs and install shared libraries with
|
||||
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
|
||||
where they might leak out and affect apps which just want to link with the
|
||||
libraries. FIXME: needs to check and not just assume that the compiler supports
|
||||
using these flags.
|
||||
|
||||
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
|
||||
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
|
||||
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
|
||||
@@ -430,7 +430,8 @@
|
||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||
PROFFLAGS=-pg
|
||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
||||
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
||||
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
|
||||
+ INSTALL_SHLIB='${INSTALL} -m755'
|
||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
||||
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
|
||||
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
||||
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
||||
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
|
||||
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
|
||||
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
|
||||
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
||||
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
|
||||
+ -e 's#\$(CFLAGS)##'`
|
||||
|
||||
+ if test `dirname $libdir` = /usr ; then
|
||||
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
||||
+ fi
|
||||
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
|
||||
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
|
||||
+
|
||||
if test $library = 'kdb'; then
|
||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||
library=krb5
|
@ -1,61 +0,0 @@
|
||||
From RT#6917.
|
||||
|
||||
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
|
||||
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
|
||||
@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context,
|
||||
|
||||
/***** STATE_REFERRALS *****/
|
||||
|
||||
-/*
|
||||
- * Possibly retry a request in the fallback realm after a referral request
|
||||
- * failure in the local realm. Expects ctx->reply_code to be set to the error
|
||||
- * from a referral request.
|
||||
- */
|
||||
+/* Possibly try a non-referral request after a referral request failure.
|
||||
+ * Expects ctx->reply_code to be set to the error from a referral request. */
|
||||
static krb5_error_code
|
||||
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
|
||||
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
|
||||
{
|
||||
krb5_error_code code;
|
||||
char **hrealms;
|
||||
@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context,
|
||||
if (ctx->referral_count > 1)
|
||||
return ctx->reply_code;
|
||||
|
||||
- /* Only fall back if the original request used the referral realm. */
|
||||
+ /* If the request used a specified realm, make a non-referral request to
|
||||
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
|
||||
if (!krb5_is_referral_realm(&ctx->req_server->realm))
|
||||
- return ctx->reply_code;
|
||||
+ return begin_non_referral(context, ctx);
|
||||
|
||||
if (ctx->server->length < 2) {
|
||||
/* We need a type/host format principal to find a fallback realm. */
|
||||
@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context,
|
||||
if (code != 0)
|
||||
return code;
|
||||
|
||||
- /* Give up if the fallback realm isn't any different. */
|
||||
+ /* If the fallback realm isn't any different, use the existing TGT. */
|
||||
if (data_eq_string(ctx->server->realm, hrealms[0])) {
|
||||
krb5_free_host_realm(context, hrealms);
|
||||
- return ctx->reply_code;
|
||||
+ return begin_non_referral(context, ctx);
|
||||
}
|
||||
|
||||
/* Rewrite server->realm to be the fallback realm. */
|
||||
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb
|
||||
krb5_error_code code;
|
||||
const krb5_data *referral_realm;
|
||||
|
||||
- /* Possibly retry with the fallback realm on error. */
|
||||
+ /* Possibly try a non-referral fallback request on error. */
|
||||
if (ctx->reply_code != 0)
|
||||
- return try_fallback_realm(context, ctx);
|
||||
+ return try_fallback(context, ctx);
|
||||
|
||||
if (krb5_principal_compare(context, ctx->reply_creds->server,
|
||||
ctx->server)) {
|
@ -1,14 +0,0 @@
|
||||
Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c
|
||||
+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
|
||||
@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st
|
||||
|
||||
if ((mech_type != GSS_C_NULL_OID) &&
|
||||
!g_OID_equal(gss_mech_krb5, mech_type) &&
|
||||
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
|
||||
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
|
||||
+ !g_OID_equal(gss_mech_iakerb, mech_type)) {
|
||||
*minor_status = 0;
|
||||
return(GSS_S_BAD_MECH);
|
||||
}
|
@ -1,10 +1,10 @@
|
||||
Use an in-memory ccache to silence a compiler warning, for RT#6414.
|
||||
|
||||
Index: krb5-1.9.1/src/slave/kprop.c
|
||||
Index: krb5-1.10.2/src/slave/kprop.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/slave/kprop.c
|
||||
+++ krb5-1.9.1/src/slave/kprop.c
|
||||
@@ -188,9 +188,8 @@ void PRS(argc, argv)
|
||||
--- krb5-1.10.2.orig/src/slave/kprop.c
|
||||
+++ krb5-1.10.2/src/slave/kprop.c
|
||||
@@ -186,9 +186,8 @@ void PRS(argc, argv)
|
||||
void get_tickets(context)
|
||||
krb5_context context;
|
||||
{
|
||||
@ -27,4 +27,4 @@ Index: krb5-1.9.1/src/slave/kprop.c
|
||||
-
|
||||
retval = krb5_cc_resolve(context, buf, &ccache);
|
||||
if (retval) {
|
||||
com_err(progname, retval, "while opening credential cache %s",
|
||||
com_err(progname, retval, _("while opening credential cache %s"), buf);
|
||||
|
@ -3,11 +3,11 @@ values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
|
||||
Index: krb5-1.9.1/src/aclocal.m4
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.9.1/src/aclocal.m4
|
||||
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS)
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
@ -32,10 +32,32 @@ Index: krb5-1.9.1/src/aclocal.m4
|
||||
+AC_SUBST(manlibexecdir)
|
||||
+AC_CONFIG_FILES($1)
|
||||
+])
|
||||
Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M
|
||||
+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
|
||||
KRB5_WITH_PAM
|
||||
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ appl/sample/sserver/sserver.M
|
||||
+ config-files/kdc.conf.M
|
||||
+ config-files/krb5.conf.M
|
||||
+ gen-manpages/kerberos.M
|
||||
+ kadmin/cli/kadmin.M
|
||||
+ slave/kpropd.M
|
||||
+ slave/kprop.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
util util/support util/profile util/profile/testmod util/send-pr
|
||||
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
|
||||
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||
@@ -59,7 +59,7 @@ option allows for a different keytab tha
|
||||
using a line in
|
||||
/etc/inetd.conf that looks like this:
|
||||
@ -45,10 +67,10 @@ Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
|
||||
.PP
|
||||
Since \fBsample\fP is normally not a port defined in /etc/services, you will
|
||||
usually have to add a line to /etc/services which looks like this:
|
||||
Index: krb5-1.9.1/src/config-files/kdc.conf.M
|
||||
Index: krb5-1.10.2/src/config-files/kdc.conf.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/config-files/kdc.conf.M
|
||||
+++ krb5-1.9.1/src/config-files/kdc.conf.M
|
||||
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
|
||||
+++ krb5-1.10.2/src/config-files/kdc.conf.M
|
||||
@@ -92,14 +92,14 @@ This
|
||||
.B string
|
||||
specifies the location of the access control list (acl) file that
|
||||
@ -75,44 +97,36 @@ Index: krb5-1.9.1/src/config-files/kdc.conf.M
|
||||
|
||||
.SH SEE ALSO
|
||||
krb5.conf(5), krb5kdc(8)
|
||||
Index: krb5-1.9.1/src/config-files/krb5.conf.M
|
||||
Index: krb5-1.10.2/src/config-files/krb5.conf.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/config-files/krb5.conf.M
|
||||
+++ krb5-1.9.1/src/config-files/krb5.conf.M
|
||||
@@ -768,6 +768,6 @@ with another database such as Active Dir
|
||||
in for this interface.
|
||||
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
|
||||
+++ krb5-1.10.2/src/config-files/krb5.conf.M
|
||||
@@ -808,6 +808,6 @@ This module implements the encrypted cha
|
||||
This module implements the encrypted timestamp mechanism.
|
||||
|
||||
.SH FILES
|
||||
-/etc/krb5.conf
|
||||
+@mansysconfdir@/krb5.conf
|
||||
.SH SEE ALSO
|
||||
syslog(3)
|
||||
Index: krb5-1.9.1/src/configure.in
|
||||
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/configure.in
|
||||
+++ krb5-1.9.1/src/configure.in
|
||||
@@ -1128,6 +1128,16 @@ fi
|
||||
KRB5_WITH_PAM
|
||||
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ appl/sample/sserver/sserver.M
|
||||
+ config-files/kdc.conf.M
|
||||
+ config-files/krb5.conf.M
|
||||
+ kadmin/cli/kadmin.M
|
||||
+ slave/kpropd.M
|
||||
+ slave/kprop.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
util util/support util/profile util/send-pr
|
||||
Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
|
||||
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
|
||||
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
|
||||
Specifies the location of the KDC configuration file, which contains
|
||||
additional configuration directives for the Key Distribution Center
|
||||
daemon and associated programs. The default is
|
||||
-/usr/local/var/krb5kdc/kdc.conf.
|
||||
+@manlocalstatedir@/krb5kdc/kdc.conf.
|
||||
.TP
|
||||
.B KRB5RCACHETYPE
|
||||
Specifies the default type of replay cache to use for servers. Valid
|
||||
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M
|
||||
+++ krb5-1.9.1/src/kadmin/cli/kadmin.M
|
||||
@@ -880,9 +880,9 @@ option is specified, less verbose status
|
||||
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
|
||||
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||
@@ -924,9 +924,9 @@ option is specified, less verbose status
|
||||
.RS
|
||||
.TP
|
||||
EXAMPLE:
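Review bot: The rebased hunk for src/gen-manpages/kerberos.M substitutes `@manlocalstatedir@/krb5kdc/kdc.conf.` for the hard-coded kdc.conf path, but its own context line `default is /etc/krb5.conf.` shows the krb5.conf default just above still spelled literally, whereas krb5.conf.M in this same hunk already uses `@mansysconfdir@/krb5.conf`. For consistency the KRB5_CONFIG paragraph should get the same treatment, `default is @mansysconfdir@/krb5.conf.`, otherwise a non-/etc sysconfdir build documents two different locations in two manpages. That line sits outside the hunk shown, so it needs a second hunk in the kerberos.M part of the patch.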
|
||||
@ -124,19 +138,10 @@ Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
|
||||
kadmin:
|
||||
.RE
|
||||
.fi
|
||||
@@ -924,7 +924,7 @@ passwords.
|
||||
.SH HISTORY
|
||||
The
|
||||
.B kadmin
|
||||
-prorgam was originally written by Tom Yu at MIT, as an interface to the
|
||||
+program was originally written by Tom Yu at MIT, as an interface to the
|
||||
OpenVision Kerberos administration program.
|
||||
.SH SEE ALSO
|
||||
.IR kerberos (1),
|
||||
Index: krb5-1.9.1/src/slave/kpropd.M
|
||||
Index: krb5-1.10.2/src/slave/kpropd.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/slave/kpropd.M
|
||||
+++ krb5-1.9.1/src/slave/kpropd.M
|
||||
--- krb5-1.10.2.orig/src/slave/kpropd.M
|
||||
+++ krb5-1.10.2/src/slave/kpropd.M
|
||||
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
|
||||
This is done by adding a line to the inetd.conf file which looks like
|
||||
this:
|
||||
@ -179,10 +184,10 @@ Index: krb5-1.9.1/src/slave/kpropd.M
|
||||
Each entry is a line containing the principal of a host from which the
|
||||
local machine will allow Kerberos database propagation via kprop.
|
||||
.SH SEE ALSO
|
||||
Index: krb5-1.9.1/src/slave/kprop.M
|
||||
Index: krb5-1.10.2/src/slave/kprop.M
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/slave/kprop.M
|
||||
+++ krb5-1.9.1/src/slave/kprop.M
|
||||
--- krb5-1.10.2.orig/src/slave/kprop.M
|
||||
+++ krb5-1.10.2/src/slave/kprop.M
|
||||
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
|
||||
This is done by transmitting the dumped database file to the slave
|
||||
server over an encrypted, secure channel. The dump file must be created
|
||||
|
@ -1,13 +0,0 @@
|
||||
Upstream commit #24477.
|
||||
diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c
|
||||
--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400
|
||||
+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400
|
||||
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn
|
||||
btime = (unsigned int)(2<<(*cnt));
|
||||
if (btime > MAX_BACKOFF) {
|
||||
btime = MAX_BACKOFF;
|
||||
- *cnt--;
|
||||
+ (*cnt)--;
|
||||
}
|
||||
|
||||
return (btime);
|
@ -1,30 +0,0 @@
|
||||
From RT#6922. When we're converting a host/service pair into a principal
|
||||
name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try
|
||||
to avoid libc having doing a PTR lookup because we also specify
|
||||
AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
|
||||
|
||||
Index: src/lib/krb5/os/sn2princ.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/sn2princ.c.orig
|
||||
+++ src/lib/krb5/os/sn2princ.c
|
||||
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
|
||||
hostnames associated. */
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
- hints.ai_family = AF_INET;
|
||||
- hints.ai_flags = AI_CANONNAME;
|
||||
- try_getaddrinfo_again:
|
||||
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
||||
err = getaddrinfo(hostname, 0, &hints, &ai);
|
||||
if (err) {
|
||||
#ifdef DEBUG_REFERRALS
|
||||
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
|
||||
#endif
|
||||
- if (hints.ai_family == AF_INET) {
|
||||
- /* Just in case it's an IPv6-only name. */
|
||||
- hints.ai_family = 0;
|
||||
- goto try_getaddrinfo_again;
|
||||
- }
|
||||
return KRB5_ERR_BAD_HOSTNAME;
|
||||
}
|
||||
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
|
@ -1,122 +0,0 @@
|
||||
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
|
||||
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
|
||||
specify hints to getaddrinfo() to get the address of a server.
|
||||
|
||||
Index: src/plugins/locate/python/py-locate.c
|
||||
===================================================================
|
||||
--- src/plugins/locate/python/py-locate.c.orig
|
||||
+++ src/plugins/locate/python/py-locate.c
|
||||
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
|
||||
return -1;
|
||||
}
|
||||
aihints.ai_socktype = thissocktype;
|
||||
+ aihints.ai_flags = AI_ADDRCONFIG;
|
||||
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
|
||||
if (x != 0)
|
||||
continue;
|
||||
Index: src/appl/sample/sclient/sclient.c
|
||||
===================================================================
|
||||
--- src/appl/sample/sclient/sclient.c.orig
|
||||
+++ src/appl/sample/sclient/sclient.c
|
||||
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
|
||||
|
||||
memset(&aihints, 0, sizeof(aihints));
|
||||
aihints.ai_socktype = SOCK_STREAM;
|
||||
+ aihints.ai_flags = AI_ADDRCONFIG;
|
||||
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
|
||||
if (aierr) {
|
||||
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
|
||||
Index: src/kadmin/dbutil/kadm5_create.c
|
||||
===================================================================
|
||||
--- src/kadmin/dbutil/kadm5_create.c.orig
|
||||
+++ src/kadmin/dbutil/kadm5_create.c
|
||||
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
|
||||
goto clean_and_exit;
|
||||
}
|
||||
memset(&ai_hints, 0, sizeof(ai_hints));
|
||||
- ai_hints.ai_flags = AI_CANONNAME;
|
||||
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
||||
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
|
||||
if (gai_error) {
|
||||
ret = EINVAL;
|
||||
Index: src/lib/kadm5/alt_prof.c
|
||||
===================================================================
|
||||
--- src/lib/kadm5/alt_prof.c.orig
|
||||
+++ src/lib/kadm5/alt_prof.c
|
||||
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
|
||||
}
|
||||
|
||||
memset(&hint, 0, sizeof(hint));
|
||||
- hint.ai_flags = AI_CANONNAME;
|
||||
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
||||
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
|
||||
if (err != 0) {
|
||||
ret = KADM5_CANT_RESOLVE;
|
||||
Index: src/lib/kadm5/clnt/client_init.c
|
||||
===================================================================
|
||||
--- src/lib/kadm5/clnt/client_init.c.orig
|
||||
+++ src/lib/kadm5/clnt/client_init.c
|
||||
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
|
||||
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
|
||||
memset(&hint, 0, sizeof(hint));
|
||||
hint.ai_socktype = SOCK_STREAM;
|
||||
+ hint.ai_flags = AI_ADDRCONFIG;
|
||||
#ifdef AI_NUMERICSERV
|
||||
- hint.ai_flags = AI_NUMERICSERV;
|
||||
+ hint.ai_flags |= AI_NUMERICSERV;
|
||||
#endif
|
||||
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
|
||||
if (err != 0)
|
||||
Index: src/lib/krb5/os/hostaddr.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/hostaddr.c.orig
|
||||
+++ src/lib/krb5/os/hostaddr.c
|
||||
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
|
||||
return KRB5_ERR_BAD_HOSTNAME;
|
||||
|
||||
memset (&hints, 0, sizeof (hints));
|
||||
- hints.ai_flags = AI_NUMERICHOST;
|
||||
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
|
||||
/* We don't care what kind at this point, really, but without
|
||||
this, we can get back multiple sockaddrs per address, for
|
||||
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
|
||||
Index: src/lib/krb5/os/hst_realm.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/hst_realm.c.orig
|
||||
+++ src/lib/krb5/os/hst_realm.c
|
||||
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
|
||||
int err;
|
||||
|
||||
memset (&hints, 0, sizeof (hints));
|
||||
- hints.ai_flags = AI_CANONNAME;
|
||||
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
|
||||
err = getaddrinfo (name, 0, &hints, &ai);
|
||||
if (err)
|
||||
return krb5int_translate_gai_error (err);
|
||||
Index: src/slave/kprop.c
|
||||
===================================================================
|
||||
--- src/slave/kprop.c.orig
|
||||
+++ src/slave/kprop.c
|
||||
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
+ hints.ai_flags = AI_ADDRCONFIG;
|
||||
error = getaddrinfo(host, port, &hints, &answers);
|
||||
if (error != 0) {
|
||||
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
|
||||
Index: src/lib/krb5/os/locate_kdc.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/locate_kdc.c.orig
|
||||
+++ src/lib/krb5/os/locate_kdc.c
|
||||
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
|
||||
memset(&hint, 0, sizeof(hint));
|
||||
hint.ai_family = family;
|
||||
hint.ai_socktype = socktype;
|
||||
+ hint.ai_flags = AI_ADDRCONFIG;
|
||||
#ifdef AI_NUMERICSERV
|
||||
- hint.ai_flags = AI_NUMERICSERV;
|
||||
+ hint.ai_flags |= AI_NUMERICSERV;
|
||||
#endif
|
||||
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
|
||||
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
|
@ -1,624 +0,0 @@
|
||||
Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a
|
||||
struct select_state has an alternate layout when USE_POLL is defined,
|
||||
and if we detect <poll.h> at configure-time, have sendto_kdc.c define
|
||||
USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases,
|
||||
so that the previous behavior is preserved when <poll.h> is not found.
|
||||
RT#6905
|
||||
|
||||
Index: src/include/cm.h
|
||||
===================================================================
|
||||
--- src/include/cm.h.orig
|
||||
+++ src/include/cm.h
|
||||
@@ -25,11 +25,20 @@
|
||||
* or implied warranty.
|
||||
*/
|
||||
|
||||
-/* Since fd_set is large on some platforms (8K on AIX 5.2), this
|
||||
- probably shouldn't be allocated in automatic storage. */
|
||||
+/*
|
||||
+ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably
|
||||
+ * shouldn't be allocated in automatic storage. Define USE_POLL and
|
||||
+ * MAX_POLLFDS in the consumer of this header file to use poll state instead of
|
||||
+ * select state.
|
||||
+ */
|
||||
struct select_state {
|
||||
- int max, nfds;
|
||||
+#ifdef USE_POLL
|
||||
+ struct pollfd fds[MAX_POLLFDS];
|
||||
+#else
|
||||
+ int max;
|
||||
fd_set rfds, wfds, xfds;
|
||||
+#endif
|
||||
+ int nfds;
|
||||
struct timeval end_time; /* magic: tv_sec==0 => never time out */
|
||||
};
|
||||
|
||||
Index: src/configure.in
|
||||
===================================================================
|
||||
--- src/configure.in.orig
|
||||
+++ src/configure.in
|
||||
@@ -74,7 +74,7 @@ LIBUTIL=-lutil
|
||||
])
|
||||
AC_SUBST(LIBUTIL)
|
||||
# for kdc
|
||||
-AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h)
|
||||
+AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h)
|
||||
AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf)
|
||||
AC_CHECK_FUNCS(strlcpy)
|
||||
EXTRA_SUPPORT_SYMS=
|
||||
@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h,
|
||||
AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))])
|
||||
|
||||
KRB5_SIGTYPE
|
||||
-AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
|
||||
+AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
|
||||
AC_HEADER_STDARG
|
||||
KRB5_AC_INET6
|
||||
|
||||
Index: src/lib/krb5/os/cm.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ src/lib/krb5/os/cm.c
|
||||
@@ -0,0 +1,97 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* lib/krb5/os/cm.c - Connection manager functions */
|
||||
+/*
|
||||
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Export of this software from the United States of America may
|
||||
+ * require a specific license from the United States Government.
|
||||
+ * It is the responsibility of any person or organization contemplating
|
||||
+ * export to obtain such a license before exporting.
|
||||
+ *
|
||||
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
||||
+ * distribute this software and its documentation for any purpose and
|
||||
+ * without fee is hereby granted, provided that the above copyright
|
||||
+ * notice appear in all copies and that both that copyright notice and
|
||||
+ * this permission notice appear in supporting documentation, and that
|
||||
+ * the name of M.I.T. not be used in advertising or publicity pertaining
|
||||
+ * to distribution of the software without specific, written prior
|
||||
+ * permission. Furthermore if you modify this software you must label
|
||||
+ * your software as modified software and not distribute it in such a
|
||||
+ * fashion that it might be confused with the original M.I.T. software.
|
||||
+ * M.I.T. makes no representations about the suitability of
|
||||
+ * this software for any purpose. It is provided "as is" without express
|
||||
+ * or implied warranty.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This file include krb5int_cm_call_select, which is used by
|
||||
+ * lib/apputils/net-server.c and sometimes by sendto_kdc.c.
|
||||
+ */
|
||||
+
|
||||
+#include "k5-int.h"
|
||||
+#ifdef HAVE_SYS_SELECT_H
|
||||
+#include <sys/select.h>
|
||||
+#endif
|
||||
+#ifdef _WIN32
|
||||
+#include <sys/timeb.h>
|
||||
+#endif
|
||||
+#include "cm.h"
|
||||
+
|
||||
+int
|
||||
+k5_getcurtime(struct timeval *tvp)
|
||||
+{
|
||||
+#ifdef _WIN32
|
||||
+ struct _timeb tb;
|
||||
+ _ftime(&tb);
|
||||
+ tvp->tv_sec = tb.time;
|
||||
+ tvp->tv_usec = tb.millitm * 1000;
|
||||
+ /* Can _ftime fail? */
|
||||
+ return 0;
|
||||
+#else
|
||||
+ if (gettimeofday(tvp, 0))
|
||||
+ return errno;
|
||||
+ return 0;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Call select and return results.
|
||||
+ * Input: interesting file descriptors and absolute timeout
|
||||
+ * Output: select return value (-1 or num fds ready) and fd_sets
|
||||
+ * Return: 0 (for i/o available or timeout) or error code.
|
||||
+ */
|
||||
+krb5_error_code
|
||||
+krb5int_cm_call_select (const struct select_state *in,
|
||||
+ struct select_state *out, int *sret)
|
||||
+{
|
||||
+ struct timeval now, *timo;
|
||||
+ krb5_error_code e;
|
||||
+
|
||||
+ *out = *in;
|
||||
+ e = k5_getcurtime(&now);
|
||||
+ if (e)
|
||||
+ return e;
|
||||
+ if (out->end_time.tv_sec == 0)
|
||||
+ timo = 0;
|
||||
+ else {
|
||||
+ timo = &out->end_time;
|
||||
+ out->end_time.tv_sec -= now.tv_sec;
|
||||
+ out->end_time.tv_usec -= now.tv_usec;
|
||||
+ if (out->end_time.tv_usec < 0) {
|
||||
+ out->end_time.tv_usec += 1000000;
|
||||
+ out->end_time.tv_sec--;
|
||||
+ }
|
||||
+ if (out->end_time.tv_sec < 0) {
|
||||
+ *sret = 0;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
|
||||
+ e = SOCKET_ERRNO;
|
||||
+
|
||||
+ if (*sret < 0)
|
||||
+ return e;
|
||||
+ return 0;
|
||||
+}
|
||||
Index: src/lib/krb5/os/Makefile.in
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/Makefile.in.orig
|
||||
+++ src/lib/krb5/os/Makefile.in
|
||||
@@ -18,6 +18,7 @@ STLIBOBJS= \
|
||||
def_realm.o \
|
||||
ccdefname.o \
|
||||
changepw.o \
|
||||
+ cm.o \
|
||||
dnsglue.o \
|
||||
dnssrv.o \
|
||||
free_krbhs.o \
|
||||
@@ -62,6 +63,7 @@ OBJS= \
|
||||
$(OUTPRE)def_realm.$(OBJEXT) \
|
||||
$(OUTPRE)ccdefname.$(OBJEXT) \
|
||||
$(OUTPRE)changepw.$(OBJEXT) \
|
||||
+ $(OUTPRE)cm.$(OBJEXT) \
|
||||
$(OUTPRE)dnsglue.$(OBJEXT) \
|
||||
$(OUTPRE)dnssrv.$(OBJEXT) \
|
||||
$(OUTPRE)free_krbhs.$(OBJEXT) \
|
||||
@@ -106,6 +108,7 @@ SRCS= \
|
||||
$(srcdir)/def_realm.c \
|
||||
$(srcdir)/ccdefname.c \
|
||||
$(srcdir)/changepw.c \
|
||||
+ $(srcdir)/cm.c \
|
||||
$(srcdir)/dnsglue.c \
|
||||
$(srcdir)/dnssrv.c \
|
||||
$(srcdir)/free_krbhs.c \
|
||||
Index: src/lib/krb5/os/os-proto.h
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/os-proto.h.orig
|
||||
+++ src/lib/krb5/os/os-proto.h
|
||||
@@ -31,6 +31,10 @@
|
||||
#ifndef KRB5_LIBOS_INT_PROTO__
|
||||
#define KRB5_LIBOS_INT_PROTO__
|
||||
|
||||
+#ifdef HAVE_SYS_TIME_H
|
||||
+#include <sys/time.h>
|
||||
+#endif
|
||||
+
|
||||
struct addrlist;
|
||||
krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *,
|
||||
struct addrlist *, int, int, int);
|
||||
@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos
|
||||
/* The io vector is *not* const here, unlike writev()! */
|
||||
int krb5int_net_writev (krb5_context, int, sg_buf *, int);
|
||||
|
||||
+int k5_getcurtime(struct timeval *tvp);
|
||||
+
|
||||
#include "k5-thread.h"
|
||||
extern k5_mutex_t krb5int_us_time_mutex;
|
||||
|
||||
Index: src/lib/krb5/os/sendto_kdc.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/sendto_kdc.c.orig
|
||||
+++ src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -32,17 +32,16 @@
|
||||
#include "fake-addrinfo.h"
|
||||
#include "k5-int.h"
|
||||
|
||||
-#ifdef HAVE_SYS_TIME_H
|
||||
-#include <sys/time.h>
|
||||
-#else
|
||||
-#include <time.h>
|
||||
-#endif
|
||||
#include "os-proto.h"
|
||||
#ifdef _WIN32
|
||||
#include <sys/timeb.h>
|
||||
#endif
|
||||
|
||||
-#ifdef _AIX
|
||||
+#if defined(HAVE_POLL_H)
|
||||
+#include <poll.h>
|
||||
+#define USE_POLL
|
||||
+#define MAX_POLLFDS 1024
|
||||
+#elif defined(HAVE_SYS_SELECT_H)
|
||||
#include <sys/select.h>
|
||||
#endif
|
||||
|
||||
@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, .
|
||||
p = strerror(err);
|
||||
putstr(p);
|
||||
break;
|
||||
- case 'F':
|
||||
- /* %F => fd_set *, fd_set *, fd_set *, int */
|
||||
- rfds = va_arg(args, fd_set *);
|
||||
- wfds = va_arg(args, fd_set *);
|
||||
- xfds = va_arg(args, fd_set *);
|
||||
- maxfd = va_arg(args, int);
|
||||
-
|
||||
- for (i = 0; i < maxfd; i++) {
|
||||
- int r = FD_ISSET(i, rfds);
|
||||
- int w = wfds && FD_ISSET(i, wfds);
|
||||
- int x = xfds && FD_ISSET(i, xfds);
|
||||
- if (r || w || x) {
|
||||
- putf(" %d", i);
|
||||
- if (r)
|
||||
- putstr("r");
|
||||
- if (w)
|
||||
- putstr("w");
|
||||
- if (x)
|
||||
- putstr("x");
|
||||
- }
|
||||
- }
|
||||
- putstr(" ");
|
||||
- break;
|
||||
case 's':
|
||||
/* %s => char * */
|
||||
p = va_arg(args, const char *);
|
||||
@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c
|
||||
|
||||
#include "cm.h"
|
||||
|
||||
-static int
|
||||
-getcurtime (struct timeval *tvp)
|
||||
+/*
|
||||
+ * Currently only sendto_kdc.c knows how to use poll(); the other candidate
|
||||
+ * user, lib/apputils/net-server.c, is stuck using select() for the moment
|
||||
+ * since it is entangled with the RPC library. The following cm_* functions
|
||||
+ * are not fully generic, are O(n^2) in the poll case, and are limited to
|
||||
+ * handling 1024 connections (in order to maintain a constant-sized selstate).
|
||||
+ * More rearchitecting would be appropriate before extending this support to
|
||||
+ * the KDC and kadmind.
|
||||
+ */
|
||||
+
|
||||
+static void
|
||||
+cm_init_selstate(struct select_state *selstate)
|
||||
{
|
||||
-#ifdef _WIN32
|
||||
- struct _timeb tb;
|
||||
- _ftime(&tb);
|
||||
- tvp->tv_sec = tb.time;
|
||||
- tvp->tv_usec = tb.millitm * 1000;
|
||||
- /* Can _ftime fail? */
|
||||
- return 0;
|
||||
+ selstate->nfds = 0;
|
||||
+ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0;
|
||||
+#ifndef USE_POLL
|
||||
+ selstate->max = 0;
|
||||
+ selstate->nfds = 0;
|
||||
+ FD_ZERO(&selstate->rfds);
|
||||
+ FD_ZERO(&selstate->wfds);
|
||||
+ FD_ZERO(&selstate->xfds);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static krb5_boolean
|
||||
+cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags)
|
||||
+{
|
||||
+#ifdef USE_POLL
|
||||
+ if (selstate->nfds >= MAX_POLLFDS)
|
||||
+ return FALSE;
|
||||
+ selstate->fds[selstate->nfds].fd = fd;
|
||||
+ selstate->fds[selstate->nfds].events = 0;
|
||||
+ if (ssflags & SSF_READ)
|
||||
+ selstate->fds[selstate->nfds].events |= POLLIN;
|
||||
+ if (ssflags & SSF_WRITE)
|
||||
+ selstate->fds[selstate->nfds].events |= POLLOUT;
|
||||
+#else
|
||||
+#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
|
||||
+ if (fd >= FD_SETSIZE)
|
||||
+ return FALSE;
|
||||
+#endif
|
||||
+ if (ssflags & SSF_READ)
|
||||
+ FD_SET(fd, &selstate->rfds);
|
||||
+ if (ssflags & SSF_WRITE)
|
||||
+ FD_SET(fd, &selstate->wfds);
|
||||
+ if (ssflags & SSF_EXCEPTION)
|
||||
+ FD_SET(fd, &selstate->xfds);
|
||||
+ if (selstate->max <= fd)
|
||||
+ selstate->max = fd + 1;
|
||||
+#endif
|
||||
+ selstate->nfds++;
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+cm_remove_fd(struct select_state *selstate, int fd)
|
||||
+{
|
||||
+#ifdef USE_POLL
|
||||
+ int i;
|
||||
+
|
||||
+ /* Find the FD in the array and move the last entry to its place. */
|
||||
+ assert(selstate->nfds > 0);
|
||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
||||
+ assert(i < selstate->nfds);
|
||||
+ selstate->fds[i] = selstate->fds[selstate->nfds - 1];
|
||||
#else
|
||||
- if (gettimeofday(tvp, 0)) {
|
||||
- dperror("gettimeofday");
|
||||
- return errno;
|
||||
+ FD_CLR(fd, &selstate->rfds);
|
||||
+ FD_CLR(fd, &selstate->wfds);
|
||||
+ FD_CLR(fd, &selstate->xfds);
|
||||
+ if (selstate->max == 1 + fd) {
|
||||
+ while (selstate->max > 0
|
||||
+ && ! FD_ISSET(selstate->max-1, &selstate->rfds)
|
||||
+ && ! FD_ISSET(selstate->max-1, &selstate->wfds)
|
||||
+ && ! FD_ISSET(selstate->max-1, &selstate->xfds))
|
||||
+ selstate->max--;
|
||||
+ dprint("new max_fd + 1 is %d\n", selstate->max);
|
||||
}
|
||||
- return 0;
|
||||
#endif
|
||||
+ selstate->nfds--;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Call select and return results.
|
||||
- * Input: interesting file descriptors and absolute timeout
|
||||
- * Output: select return value (-1 or num fds ready) and fd_sets
|
||||
- * Return: 0 (for i/o available or timeout) or error code.
|
||||
- */
|
||||
-krb5_error_code
|
||||
-krb5int_cm_call_select (const struct select_state *in,
|
||||
- struct select_state *out, int *sret)
|
||||
+static void
|
||||
+cm_unset_write(struct select_state *selstate, int fd)
|
||||
{
|
||||
- struct timeval now, *timo;
|
||||
- krb5_error_code e;
|
||||
+#ifdef USE_POLL
|
||||
+ int i;
|
||||
|
||||
- *out = *in;
|
||||
- e = getcurtime(&now);
|
||||
- if (e)
|
||||
- return e;
|
||||
- if (out->end_time.tv_sec == 0)
|
||||
- timo = 0;
|
||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
||||
+ assert(i < selstate->nfds);
|
||||
+ selstate->fds[i].events &= ~POLLOUT;
|
||||
+#else
|
||||
+ FD_CLR(fd, &selstate->wfds);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+cm_select_or_poll(const struct select_state *in, struct select_state *out,
|
||||
+ int *sret)
|
||||
+{
|
||||
+#ifdef USE_POLL
|
||||
+ struct timeval now;
|
||||
+ int e, timeout;
|
||||
+
|
||||
+ if (in->end_time.tv_sec == 0)
|
||||
+ timeout = -1;
|
||||
else {
|
||||
- timo = &out->end_time;
|
||||
- out->end_time.tv_sec -= now.tv_sec;
|
||||
- out->end_time.tv_usec -= now.tv_usec;
|
||||
- if (out->end_time.tv_usec < 0) {
|
||||
- out->end_time.tv_usec += 1000000;
|
||||
- out->end_time.tv_sec--;
|
||||
- }
|
||||
- if (out->end_time.tv_sec < 0) {
|
||||
- *sret = 0;
|
||||
- return 0;
|
||||
- }
|
||||
+ e = k5_getcurtime(&now);
|
||||
+ if (e)
|
||||
+ return e;
|
||||
+ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 +
|
||||
+ (in->end_time.tv_usec - now.tv_usec) / 1000;
|
||||
}
|
||||
- dprint("selecting on max=%d sockets [%F] timeout %t\n",
|
||||
- out->max,
|
||||
- &out->rfds, &out->wfds, &out->xfds, out->max,
|
||||
- timo);
|
||||
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
|
||||
+ /* We don't need a separate copy of the selstate for poll, but use one
|
||||
+ * anyone for consistency with the select wrapper. */
|
||||
+ *out = *in;
|
||||
+ *sret = poll(out->fds, out->nfds, timeout);
|
||||
e = SOCKET_ERRNO;
|
||||
+ return (*sret < 0) ? e : 0;
|
||||
+#else
|
||||
+ /* Use the select wrapper from cm.c. */
|
||||
+ return krb5int_cm_call_select(in, out, sret);
|
||||
+#endif
|
||||
+}
|
||||
|
||||
- dprint("select returns %d", *sret);
|
||||
- if (*sret < 0)
|
||||
- dprint(", error = %E\n", e);
|
||||
- else if (*sret == 0)
|
||||
- dprint(" (timeout)\n");
|
||||
- else
|
||||
- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
|
||||
+static unsigned int
|
||||
+cm_get_ssflags(struct select_state *selstate, int fd)
|
||||
+{
|
||||
+ unsigned int ssflags = 0;
|
||||
+#ifdef USE_POLL
|
||||
+ int i;
|
||||
|
||||
- if (*sret < 0)
|
||||
- return e;
|
||||
- return 0;
|
||||
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
|
||||
+ assert(i < selstate->nfds);
|
||||
+ if (selstate->fds[i].revents & POLLIN)
|
||||
+ ssflags |= SSF_READ;
|
||||
+ if (selstate->fds[i].revents & POLLOUT)
|
||||
+ ssflags |= SSF_WRITE;
|
||||
+ if (selstate->fds[i].revents & POLLERR)
|
||||
+ ssflags |= SSF_EXCEPTION;
|
||||
+#else
|
||||
+ if (FD_ISSET(fd, &selstate->rfds))
|
||||
+ ssflags |= SSF_READ;
|
||||
+ if (FD_ISSET(fd, &selstate->wfds))
|
||||
+ ssflags |= SSF_WRITE;
|
||||
+ if (FD_ISSET(fd, &selstate->xfds))
|
||||
+ ssflags |= SSF_EXCEPTION;
|
||||
+#endif
|
||||
+ return ssflags;
|
||||
}
|
||||
|
||||
static int service_tcp_fd(krb5_context context, struct conn_state *conn,
|
||||
@@ -657,6 +712,7 @@ start_connection(krb5_context context, s
|
||||
krb5_data *callback_buffer)
|
||||
{
|
||||
int fd, e;
|
||||
+ unsigned int ssflags;
|
||||
struct addrinfo *ai = state->addr;
|
||||
|
||||
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
|
||||
@@ -667,14 +723,6 @@ start_connection(krb5_context context, s
|
||||
dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
|
||||
return -1; /* try other hosts */
|
||||
}
|
||||
-#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
|
||||
- if (fd >= FD_SETSIZE) {
|
||||
- closesocket(fd);
|
||||
- state->err = EMFILE;
|
||||
- dprint("socket: fd %d too high\n", fd);
|
||||
- return -1;
|
||||
- }
|
||||
-#endif
|
||||
set_cloexec_fd(fd);
|
||||
/* Make it non-blocking. */
|
||||
if (ai->ai_socktype == SOCK_STREAM) {
|
||||
@@ -778,16 +826,15 @@ start_connection(krb5_context context, s
|
||||
}
|
||||
}
|
||||
#endif
|
||||
- FD_SET(state->fd, &selstate->rfds);
|
||||
+ ssflags = SSF_READ | SSF_EXCEPTION;
|
||||
if (state->state == CONNECTING || state->state == WRITING)
|
||||
- FD_SET(state->fd, &selstate->wfds);
|
||||
- FD_SET(state->fd, &selstate->xfds);
|
||||
- if (selstate->max <= state->fd)
|
||||
- selstate->max = state->fd + 1;
|
||||
- selstate->nfds++;
|
||||
-
|
||||
- dprint("new select vectors: %F\n",
|
||||
- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
|
||||
+ ssflags |= SSF_WRITE;
|
||||
+ if (!cm_add_fd(selstate, state->fd, ssflags)) {
|
||||
+ (void) closesocket(state->fd);
|
||||
+ state->fd = INVALID_SOCKET;
|
||||
+ state->state = FAILED;
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -849,22 +896,11 @@ static void
|
||||
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
|
||||
{
|
||||
conn->state = FAILED;
|
||||
- shutdown(conn->fd, SHUTDOWN_BOTH);
|
||||
- FD_CLR(conn->fd, &selstate->rfds);
|
||||
- FD_CLR(conn->fd, &selstate->wfds);
|
||||
- FD_CLR(conn->fd, &selstate->xfds);
|
||||
conn->err = err;
|
||||
+ shutdown(conn->fd, SHUTDOWN_BOTH);
|
||||
+ cm_remove_fd(selstate, conn->fd);
|
||||
dprint("abandoning connection %d: %m\n", conn->fd, err);
|
||||
/* Fix up max fd for next select call. */
|
||||
- if (selstate->max == 1 + conn->fd) {
|
||||
- while (selstate->max > 0
|
||||
- && ! FD_ISSET(selstate->max-1, &selstate->rfds)
|
||||
- && ! FD_ISSET(selstate->max-1, &selstate->wfds)
|
||||
- && ! FD_ISSET(selstate->max-1, &selstate->xfds))
|
||||
- selstate->max--;
|
||||
- dprint("new max_fd + 1 is %d\n", selstate->max);
|
||||
- }
|
||||
- selstate->nfds--;
|
||||
}
|
||||
|
||||
/* Check socket for error. */
|
||||
@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str
|
||||
/* Done writing, switch to reading. */
|
||||
/* Don't call shutdown at this point because
|
||||
* some implementations cannot deal with half-closed connections.*/
|
||||
- FD_CLR(conn->fd, &selstate->wfds);
|
||||
+ cm_unset_write(selstate, conn->fd);
|
||||
/* Q: How do we detect failures to send the remaining data
|
||||
to the remote side, since we're in non-blocking mode?
|
||||
Will we always get errors on the reading side? */
|
||||
@@ -1100,7 +1136,8 @@ service_fds (krb5_context context,
|
||||
while (selstate->nfds > 0) {
|
||||
unsigned int i;
|
||||
|
||||
- e = krb5int_cm_call_select(selstate, seltemp, &selret);
|
||||
+ selret = 0;
|
||||
+ e = cm_select_or_poll(selstate, seltemp, &selret);
|
||||
if (e == EINTR)
|
||||
continue;
|
||||
if (e != 0)
|
||||
@@ -1113,18 +1150,12 @@ service_fds (krb5_context context,
|
||||
return 0;
|
||||
|
||||
/* Got something on a socket, process it. */
|
||||
- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
|
||||
+ for (i = 0; i < n_conns; i++) {
|
||||
int ssflags;
|
||||
|
||||
if (conns[i].fd == INVALID_SOCKET)
|
||||
continue;
|
||||
- ssflags = 0;
|
||||
- if (FD_ISSET(conns[i].fd, &seltemp->rfds))
|
||||
- ssflags |= SSF_READ, selret--;
|
||||
- if (FD_ISSET(conns[i].fd, &seltemp->wfds))
|
||||
- ssflags |= SSF_WRITE, selret--;
|
||||
- if (FD_ISSET(conns[i].fd, &seltemp->xfds))
|
||||
- ssflags |= SSF_EXCEPTION, selret--;
|
||||
+ ssflags = cm_get_ssflags(seltemp, conns[i].fd);
|
||||
if (!ssflags)
|
||||
continue;
|
||||
|
||||
@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co
|
||||
retval = ENOMEM;
|
||||
goto egress;
|
||||
}
|
||||
- sel_state->max = 0;
|
||||
- sel_state->nfds = 0;
|
||||
- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0;
|
||||
- FD_ZERO(&sel_state->rfds);
|
||||
- FD_ZERO(&sel_state->wfds);
|
||||
- FD_ZERO(&sel_state->xfds);
|
||||
+ cm_init_selstate(sel_state);
|
||||
|
||||
|
||||
/* Set up connections. */
|
||||
@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co
|
||||
(callback_info ? &callback_data[host] : NULL)))
|
||||
continue;
|
||||
|
||||
- retval = getcurtime(&now);
|
||||
+ retval = k5_getcurtime(&now);
|
||||
if (retval)
|
||||
goto egress;
|
||||
sel_state->end_time = now;
|
||||
@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co
|
||||
}
|
||||
if (e)
|
||||
break;
|
||||
- retval = getcurtime(&now);
|
||||
+ retval = k5_getcurtime(&now);
|
||||
if (retval)
|
||||
goto egress;
|
||||
/* Possible optimization: Find a way to integrate this select
|
@ -1,22 +0,0 @@
|
||||
RT#6951
|
||||
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
|
||||
static void
|
||||
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
|
||||
{
|
||||
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
|
||||
+ cm_remove_fd(selstate, conn->fd);
|
||||
+ closesocket(conn->fd);
|
||||
+ conn->fd = INVALID_SOCKET;
|
||||
conn->state = FAILED;
|
||||
conn->err = err;
|
||||
- shutdown(conn->fd, SHUTDOWN_BOTH);
|
||||
- cm_remove_fd(selstate, conn->fd);
|
||||
- dprint("abandoning connection %d: %m\n", conn->fd, err);
|
||||
- /* Fix up max fd for next select call. */
|
||||
}
|
||||
|
||||
/* Check socket for error. */
|
@ -1,18 +0,0 @@
|
||||
If we exit the transmit loop cleanly, don't overestimate the size of the
|
||||
connections array. This bug appears to have been removed upstream when
|
||||
this function was rewritten in trunk, and the select()-based implementation
|
||||
is still what's in 1.9, so this patch has nowhere to go.
|
||||
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
|
||||
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
|
||||
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
|
||||
call with the last one from the above loop, if the loop
|
||||
actually calls select. */
|
||||
sel_state->end_time.tv_sec += delay_this_pass;
|
||||
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
|
||||
+ i = host+1;
|
||||
+ if (i > n_conns)
|
||||
+ i = n_conns;
|
||||
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
|
||||
sel_state+1, msg_handler, msg_handler_data);
|
||||
if (e)
|
||||
break;
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc
|
||||
size 10126613
|
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de
|
||||
|
||||
- update to version 1.10.2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
|
||||
|
||||
|
@ -16,14 +16,13 @@
|
||||
#
|
||||
|
||||
|
||||
|
||||
Name: krb5-doc
|
||||
BuildRequires: ghostscript-library
|
||||
BuildRequires: latex2html
|
||||
BuildRequires: texlive
|
||||
Version: 1.9.1
|
||||
Version: 1.10.2
|
||||
Release: 0
|
||||
%define srcRoot krb5-1.9.1
|
||||
%define srcRoot krb5-1.10.2
|
||||
Summary: MIT Kerberos5 Implementation--Documentation
|
||||
License: MIT
|
||||
Group: Documentation/Other
|
||||
@ -31,7 +30,6 @@ Url: http://web.mit.edu/kerberos/www/
|
||||
Source: krb5-%{version}.tar.bz2
|
||||
Source3: %{name}-rpmlintrc
|
||||
Patch0: krb5-1.3.5-perlfix.dif
|
||||
Patch1: krb5-1.6.3-texi2dvi-fix.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildArch: noarch
|
||||
|
||||
@ -53,9 +51,15 @@ Authors:
|
||||
%prep
|
||||
%setup -n %{srcRoot}
|
||||
%patch0
|
||||
%patch1
|
||||
|
||||
%build
|
||||
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
|
||||
sed -i -e '1c\
|
||||
\\documentclass{article}\
|
||||
\\usepackage{fixunder}\
|
||||
\\usepackage{functions}\
|
||||
\\usepackage{fancyheadings}\
|
||||
\\usepackage{hyperref}' doc/implement/implement.tex
|
||||
|
||||
%install
|
||||
cd doc
|
||||
@ -64,13 +68,6 @@ make
|
||||
make implementor.ps
|
||||
make -C api
|
||||
make -C implement
|
||||
#make -C kadm5
|
||||
#cd api
|
||||
#latex2html -dir ../html/library -mkdir library.tex
|
||||
#latex2html -dir ../html/libdes -mkdir libdes.tex
|
||||
#cd ../implement
|
||||
#latex2html -dir ../html/implement -mkdir implement.tex
|
||||
#cd ..
|
||||
mv *.html html/
|
||||
cd ..
|
||||
find . -type f -name '*.ps' -exec gzip -9 {} \;
|
||||
@ -81,26 +78,6 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
rm -rf /usr/lib/mit/share
|
||||
rm -rf %{buildroot}/usr/lib/mit/share
|
||||
#rm -f doc/html/*/WARNINGS
|
||||
#rm -f doc/html/*/images.aux
|
||||
#rm -f doc/html/*/labels.pl
|
||||
#### check for duplicate files and replace them with a link
|
||||
#cd doc/html/library
|
||||
#if cmp --quiet library.html index.html ; then
|
||||
# rm -f index.html
|
||||
# ln -s library.html index.html
|
||||
#fi
|
||||
#cd ../libdes
|
||||
#if cmp --quiet libdes.html index.html ; then
|
||||
# rm -f index.html
|
||||
# ln -s libdes.html index.html
|
||||
#fi
|
||||
#cd ../implement
|
||||
#if cmp --quiet implement.html index.html ; then
|
||||
# rm -f index.html
|
||||
# ln -s implement.html index.html
|
||||
#fi
|
||||
#cd ../..
|
||||
|
||||
%clean
|
||||
rm -rf %{buildroot}
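Review bot: Two of the lines kept in this %install hunk operate on the build host's real filesystem rather than the staging tree: `rm -f /usr/share/man/man1/tmac.doc*` and `rm -rf /usr/lib/mit/share` carry no %{buildroot} prefix, unlike the `rm -rf %{buildroot}/usr/lib/mit/share` that directly follows them. Inside OBS this runs in a throwaway chroot/VM so it goes unnoticed, but a local rpmbuild would delete those paths from the developer's system, and the %{buildroot} variants already cover the intended cleanup. Since this commit is pruning dead commented-out lines here anyway, those two lines should be dropped as well. The %install section begins above the hunk, so I cannot see whether other non-%{buildroot} removals precede these.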
|
||||
|
@ -1,29 +0,0 @@
|
||||
Don't trip over referral entries. RT#6915
|
||||
|
||||
Index: krb5-1.9.1/src/clients/klist/klist.c
|
||||
===================================================================
|
||||
--- krb5-1.9.1.orig/src/clients/klist/klist.c
|
||||
+++ krb5-1.9.1/src/clients/klist/klist.c
|
||||
@@ -28,7 +28,7 @@
|
||||
* List out the contents of your credential cache or keytab.
|
||||
*/
|
||||
|
||||
-#include "autoconf.h"
|
||||
+#include "k5-int.h"
|
||||
#include <krb5.h>
|
||||
#include <com_err.h>
|
||||
#include <stdlib.h>
|
||||
@@ -390,10 +390,9 @@ void do_ccache(name)
|
||||
continue;
|
||||
if (status_only) {
|
||||
if (exit_status && creds.server->length == 2 &&
|
||||
- strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
|
||||
- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
|
||||
- strcmp((char *)creds.server->data[1].data,
|
||||
- princ->realm.data) == 0 &&
|
||||
+ data_eq(creds.server->realm, princ->realm) &&
|
||||
+ data_eq_string(creds.server->data[0], "krbtgt") &&
|
||||
+ data_eq(creds.server->data[1], princ->realm) &&
|
||||
creds.times.endtime > now)
|
||||
exit_status = 0;
|
||||
} else {
|
@ -1,7 +1,67 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 31 15:32:51 CET 2012 - meissner@suse.de
|
||||
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de
|
||||
|
||||
- fix License in krb5-mini
|
||||
- fix gcc47 issues
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
|
||||
|
||||
- update to version 1.10.2
|
||||
obsolte patches:
|
||||
* krb5-1.7-nodeplibs.patch
|
||||
* krb5-1.9.1-ai_addrconfig.patch
|
||||
* krb5-1.9.1-ai_addrconfig2.patch
|
||||
* krb5-1.9.1-sendto_poll.patch
|
||||
* krb5-1.9-canonicalize-fallback.patch
|
||||
* krb5-1.9-paren.patch
|
||||
* krb5-klist_s.patch
|
||||
* krb5-pkinit-cms2.patch
|
||||
* krb5-trunk-chpw-err.patch
|
||||
* krb5-trunk-gss_delete_sec.patch
|
||||
* krb5-trunk-kadmin-oldproto.patch
|
||||
* krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||
* krb5-1.9-gss_display_status-iakerb.patch
|
||||
* krb5-1.9.1-sendto_poll2.patch
|
||||
* krb5-1.9.1-sendto_poll3.patch
|
||||
* krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
|
||||
Controllers.
|
||||
- Update a workaround for a glibc bug that would cause DNS PTR queries
|
||||
to occur even when rdns = false.
|
||||
- Fix a kadmind denial of service issue (null pointer dereference),
|
||||
which could only be triggered by an administrator with the "create"
|
||||
privilege. [CVE-2012-1013]
|
||||
- Fix access controls for KDB string attributes [CVE-2012-1012]
|
||||
- Make the ASN.1 encoding of key version numbers interoperate with
|
||||
Windows Read-Only Domain Controllers
|
||||
- Avoid generating spurious password expiry warnings in cases where
|
||||
the KDC sends an account expiry time without a password expiry time
|
||||
- Make PKINIT work with FAST in the client library.
|
||||
- Add the DIR credential cache type, which can hold a collection of
|
||||
credential caches.
|
||||
- Enhance kinit, klist, and kdestroy to support credential cache
|
||||
collections if the cache type supports it.
|
||||
- Add the kswitch command, which changes the selected default cache
|
||||
within a collection.
|
||||
- Add heuristic support for choosing client credentials based on
|
||||
the service realm.
|
||||
- Add support for $HOME/.k5identity, which allows credential
|
||||
choice based on configured rules.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
|
||||
|
||||
- add autoconf macro to devel subpackage
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
|
||||
|
||||
- fix license in krb5-mini
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
|
||||
|
||||
- add autoconf as buildrequire to avoid implicit dependency
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 1
|
||||
%define srcRoot krb5-1.9.1
|
||||
%define srcRoot krb5-1.10.2
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.9.1
|
||||
Version: 1.10.2
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
|
||||
%endif
|
||||
#
|
||||
%endif
|
||||
Source: krb5-1.9.1.tar.bz2
|
||||
Source: krb5-%{version}.tar.bz2
|
||||
Source1: vendor-files.tar.bz2
|
||||
Source2: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source10: krb5-1.8-manpaths.txt
|
||||
Patch1: krb5-1.9-buildconf.patch
|
||||
Patch1: krb5-1.10-buildconf.patch
|
||||
Patch3: krb5-1.9-manpaths.dif
|
||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.6.3-kpasswd_tcp.patch
|
||||
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch10: krb5-1.7-doublelog.patch
|
||||
Patch11: krb5-1.7-nodeplibs.patch
|
||||
Patch12: krb5-1.8-api.patch
|
||||
Patch13: krb5-1.8-pam.patch
|
||||
Patch14: krb5-1.9.1-ai_addrconfig.patch
|
||||
Patch15: krb5-1.9.1-ai_addrconfig2.patch
|
||||
Patch16: krb5-1.9.1-sendto_poll.patch
|
||||
Patch17: krb5-1.9-canonicalize-fallback.patch
|
||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||
Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.9-paren.patch
|
||||
Patch21: krb5-1.9-selinux-label.patch
|
||||
Patch22: krb5-klist_s.patch
|
||||
Patch23: krb5-pkinit-cms2.patch
|
||||
Patch24: krb5-trunk-chpw-err.patch
|
||||
Patch25: krb5-trunk-gss_delete_sec.patch
|
||||
Patch26: krb5-trunk-kadmin-oldproto.patch
|
||||
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||
Patch31: krb5-1.9-gss_display_status-iakerb.patch
|
||||
Patch32: krb5-1.9.1-sendto_poll2.patch
|
||||
Patch33: krb5-1.9.1-sendto_poll3.patch
|
||||
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -119,8 +104,9 @@ Authors:
|
||||
%package server
|
||||
Summary: MIT Kerberos5 implementation - server
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: cron
|
||||
Requires: logrotate
|
||||
Requires: perl-Date-Calc
|
||||
Requires: logrotate cron
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
|
||||
%description server
|
||||
@ -182,8 +168,8 @@ Authors:
|
||||
Summary: MIT Kerberos5 - Include Files and Libraries
|
||||
Group: Development/Libraries/C and C++
|
||||
PreReq: %{name} = %{version}
|
||||
Requires: libcom_err-devel
|
||||
Requires: keyutils-devel
|
||||
Requires: libcom_err-devel
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: krb5-devel-64bit
|
||||
@ -216,28 +202,13 @@ Authors:
|
||||
%patch21 -p1
|
||||
%patch1 -p1
|
||||
%patch5 -p1
|
||||
%patch6
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch14
|
||||
%patch15
|
||||
%patch16
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24
|
||||
%patch25 -p1
|
||||
%patch26
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch20
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
@ -246,6 +217,8 @@ done
|
||||
popd
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
rm -f src/lib/krb5/krb/deltat.c
|
||||
cd src
|
||||
./util/reconf
|
||||
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
|
||||
@ -282,6 +255,9 @@ make DESTDIR=%{buildroot} install
|
||||
cd ..
|
||||
# Munge the krb5-config script to remove rpaths and CFLAGS.
|
||||
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
|
||||
# install autoconf macro
|
||||
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
||||
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
||||
# install sample config files
|
||||
# I'll probably do something about this later on
|
||||
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
|
||||
@ -389,6 +365,7 @@ rm -rf %{buildroot}
|
||||
%dir /usr/lib/mit
|
||||
%dir /usr/lib/mit/bin
|
||||
%dir /usr/lib/mit/sbin
|
||||
%dir %{_datadir}/aclocal
|
||||
%{_libdir}/libgssrpc.so
|
||||
%{_libdir}/libk5crypto.so
|
||||
%{_libdir}/libkadm5clnt_mit.so
|
||||
@ -398,11 +375,14 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
%{_libdir}/libverto.so
|
||||
%{_libdir}/libverto-k5ev.so
|
||||
%{_includedir}/*
|
||||
/usr/lib/mit/bin/krb5-config
|
||||
/usr/lib/mit/sbin/krb5-send-pr
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
%{_mandir}/man1/krb5-config.1*
|
||||
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||
%if %{build_mini}
|
||||
|
||||
%files
|
||||
@ -437,6 +417,8 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so.*
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
%{_libdir}/krb5/plugins/kdb/*
|
||||
%{_libdir}/krb5/plugins/preauth/*
|
||||
#/usr/lib/mit/sbin/*
|
||||
@ -459,6 +441,7 @@ rm -rf %{buildroot}
|
||||
/usr/lib/mit/bin/klist
|
||||
/usr/lib/mit/bin/kadmin
|
||||
/usr/lib/mit/bin/ktutil
|
||||
/usr/lib/mit/bin/kswitch
|
||||
%attr(0755,root,root) /usr/lib/mit/bin/ksu
|
||||
/usr/lib/mit/bin/uuclient
|
||||
/usr/lib/mit/bin/sclient
|
||||
@ -479,6 +462,7 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
%{_mandir}/man1/kswitch.1*
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man5/.k5login.5.gz
|
||||
%{_mandir}/man8/*
|
||||
@ -506,7 +490,8 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so.*
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
@ -567,6 +552,7 @@ rm -rf %{buildroot}
|
||||
/usr/lib/mit/bin/sclient
|
||||
/usr/lib/mit/bin/sim_client
|
||||
/usr/lib/mit/bin/uuclient
|
||||
/usr/lib/mit/bin/kswitch
|
||||
/usr/bin/kinit
|
||||
/usr/bin/klist
|
||||
%{_mandir}/man1/kvno.1*
|
||||
@ -578,8 +564,12 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
%{_mandir}/man1/kswitch.1*
|
||||
%{_mandir}/man5/krb5.conf.5*
|
||||
%{_mandir}/man5/.k5login.5*
|
||||
%{_mandir}/man5/.k5identity.5*
|
||||
%{_mandir}/man5/k5identity.5*
|
||||
%{_mandir}/man5/k5login.5*
|
||||
%{_mandir}/man1/ksu.1.gz
|
||||
%{_mandir}/man1/sclient.1.gz
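Review bot: The new `rm -f src/lib/krb5/krb/deltat.c` in %build forces that parser to be regenerated from deltat.y, which needs a yacc implementation at build time; none of the BuildRequires visible in this diff (keyutils-devel, libcom_err-devel, libselinux-devel, ncurses-devel) provides one, so unless bison or byacc is already listed further up in the spec the build will fail at that step instead of using the shipped file. Add `BuildRequires: bison` alongside the others, and replace the bare `# needs to be re-generated` with a comment that says why the generated file is discarded (presumably tied to the gcc47 fix this commit adds, but the hunk does not say). Also worth a look: `%patch20` for krb5-1.10-gcc47.patch is applied at the default -p0 while every other patch in the list uses -p1; that is fine if the patch has no a/ b/ prefix, but it is the kind of mismatch that only surfaces at build time.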
|
||||
|
||||
|
@ -1,290 +0,0 @@
|
||||
When verifying signed-data, use the OpenSSL CMS APIs if we're building with a
|
||||
version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for
|
||||
RT#6851.
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index bb8f036..6aedec4 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -41,6 +41,34 @@
|
||||
|
||||
#include "pkinit_crypto_openssl.h"
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||
+#include <openssl/cms.h>
|
||||
+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
|
||||
+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
|
||||
+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
|
||||
+#else
|
||||
+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */
|
||||
+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */
|
||||
+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
|
||||
+#define CMS_NOATTR PKCS7_NOATTR
|
||||
+#define CMS_ContentInfo PKCS7
|
||||
+#define CMS_SignerInfo PKCS7_SIGNER_INFO
|
||||
+#define d2i_CMS_ContentInfo d2i_PKCS7
|
||||
+#define CMS_get0_type(_p7) ((_p7)->type)
|
||||
+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))
|
||||
+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
|
||||
+#define CMS_get0_SignerInfos PKCS7_get_signer_info
|
||||
+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
|
||||
+#undef sk_CMS_SignerInfo_value
|
||||
+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
|
||||
+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
|
||||
+#define CMS_verify PKCS7_verify
|
||||
+#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
|
||||
+#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
|
||||
+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
|
||||
+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
|
||||
+#endif
|
||||
+
|
||||
static struct pkcs11_errstrings {
|
||||
short code;
|
||||
char *text;
|
||||
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context,
|
||||
int *is_signed)
|
||||
{
|
||||
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
- PKCS7 *p7 = NULL;
|
||||
+ CMS_ContentInfo *cms = NULL;
|
||||
BIO *out = NULL;
|
||||
- int flags = PKCS7_NOVERIFY;
|
||||
+ int flags = CMS_NO_SIGNER_CERT_VERIFY;
|
||||
unsigned int i = 0;
|
||||
unsigned int vflags = 0, size = 0;
|
||||
const unsigned char *p = signed_data;
|
||||
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
|
||||
- PKCS7_SIGNER_INFO *si = NULL;
|
||||
+ STACK_OF(CMS_SignerInfo) *si_sk = NULL;
|
||||
+ CMS_SignerInfo *si = NULL;
|
||||
X509 *x = NULL;
|
||||
X509_STORE *store = NULL;
|
||||
X509_STORE_CTX cert_ctx;
|
||||
+ STACK_OF(X509) *signerCerts = NULL;
|
||||
STACK_OF(X509) *intermediateCAs = NULL;
|
||||
+ STACK_OF(X509_CRL) *signerRevoked = NULL;
|
||||
STACK_OF(X509_CRL) *revoked = NULL;
|
||||
STACK_OF(X509) *verified_chain = NULL;
|
||||
ASN1_OBJECT *oid = NULL;
|
||||
+ const ASN1_OBJECT *type = NULL, *etype = NULL;
|
||||
+ ASN1_OCTET_STRING **octets;
|
||||
krb5_external_principal_identifier **krb5_verified_chain = NULL;
|
||||
krb5_data *authz = NULL;
|
||||
char buf[DN_BUF_LEN];
|
||||
@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context,
|
||||
if (oid == NULL)
|
||||
goto cleanup;
|
||||
|
||||
- /* decode received PKCS7 message */
|
||||
- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) {
|
||||
+ /* decode received CMS message */
|
||||
+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
|
||||
unsigned long err = ERR_peek_error();
|
||||
krb5_set_error_message(context, retval, "%s\n",
|
||||
ERR_error_string(err, NULL));
|
||||
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context,
|
||||
}
|
||||
|
||||
/* Handle the case in pkinit anonymous where we get unsigned data. */
|
||||
- if (is_signed && !OBJ_cmp(p7->type, oid)) {
|
||||
+ type = CMS_get0_type(cms);
|
||||
+ if (is_signed && !OBJ_cmp(type, oid)) {
|
||||
unsigned char *d;
|
||||
*is_signed = 0;
|
||||
- if (p7->d.other->type != V_ASN1_OCTET_STRING) {
|
||||
+ octets = CMS_get0_content(cms);
|
||||
+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
|
||||
retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
|
||||
"Invalid pkinit packet: octet string "
|
||||
"expected");
|
||||
goto cleanup;
|
||||
}
|
||||
- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
|
||||
+ *data_len = ASN1_STRING_length(*octets);
|
||||
d = malloc(*data_len);
|
||||
if (d == NULL) {
|
||||
retval = ENOMEM;
|
||||
goto cleanup;
|
||||
}
|
||||
- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string),
|
||||
+ memcpy(d, ASN1_STRING_data(*octets),
|
||||
*data_len);
|
||||
*data = d;
|
||||
goto out;
|
||||
} else {
|
||||
- /* Verify that the received message is PKCS7 SignedData message. */
|
||||
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
|
||||
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
|
||||
- OBJ_obj2nid(p7->type));
|
||||
+ /* Verify that the received message is CMS SignedData message. */
|
||||
+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) {
|
||||
+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n",
|
||||
+ OBJ_obj2nid(type));
|
||||
krb5_set_error_message(context, retval, "wrong oid\n");
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
- /* setup to verify X509 certificate used to sign PKCS7 message */
|
||||
+ /* setup to verify X509 certificate used to sign CMS message */
|
||||
if (!(store = X509_STORE_new()))
|
||||
goto cleanup;
|
||||
|
||||
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context,
|
||||
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
|
||||
X509_STORE_set_flags(store, vflags);
|
||||
|
||||
- /* get the signer's information from the PKCS7 message */
|
||||
- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL)
|
||||
+ /* get the signer's information from the CMS message */
|
||||
+ CMS_set1_signers_certs(cms, NULL, 0);
|
||||
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
|
||||
goto cleanup;
|
||||
- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL)
|
||||
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
|
||||
goto cleanup;
|
||||
- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL)
|
||||
+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
|
||||
+ if (x == NULL)
|
||||
goto cleanup;
|
||||
|
||||
/* create available CRL information (get local CRLs and include CRLs
|
||||
- * received in the PKCS7 message
|
||||
+ * received in the CMS message
|
||||
*/
|
||||
+ signerRevoked = CMS_get1_crls(cms);
|
||||
if (idctx->revoked == NULL)
|
||||
- revoked = p7->d.sign->crl;
|
||||
- else if (p7->d.sign->crl == NULL)
|
||||
+ revoked = signerRevoked;
|
||||
+ else if (signerRevoked == NULL)
|
||||
revoked = idctx->revoked;
|
||||
else {
|
||||
size = sk_X509_CRL_num(idctx->revoked);
|
||||
revoked = sk_X509_CRL_new_null();
|
||||
for (i = 0; i < size; i++)
|
||||
sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i));
|
||||
- size = sk_X509_CRL_num(p7->d.sign->crl);
|
||||
+ size = sk_X509_CRL_num(signerRevoked);
|
||||
for (i = 0; i < size; i++)
|
||||
- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i));
|
||||
+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i));
|
||||
}
|
||||
|
||||
/* create available intermediate CAs chains (get local intermediateCAs and
|
||||
- * include the CA chain received in the PKCS7 message
|
||||
+ * include the CA chain received in the CMS message
|
||||
*/
|
||||
+ signerCerts = CMS_get1_certs(cms);
|
||||
if (idctx->intermediateCAs == NULL)
|
||||
- intermediateCAs = p7->d.sign->cert;
|
||||
- else if (p7->d.sign->cert == NULL)
|
||||
+ intermediateCAs = signerCerts;
|
||||
+ else if (signerCerts == NULL)
|
||||
intermediateCAs = idctx->intermediateCAs;
|
||||
else {
|
||||
size = sk_X509_num(idctx->intermediateCAs);
|
||||
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
|
||||
sk_X509_push(intermediateCAs,
|
||||
sk_X509_value(idctx->intermediateCAs, i));
|
||||
}
|
||||
- size = sk_X509_num(p7->d.sign->cert);
|
||||
+ size = sk_X509_num(signerCerts);
|
||||
for (i = 0; i < size; i++) {
|
||||
- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
|
||||
+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
|
||||
krb5_set_error_message(context, retval, "%s\n",
|
||||
X509_verify_cert_error_string(j));
|
||||
#ifdef DEBUG_CERTCHAIN
|
||||
- size = sk_X509_num(p7->d.sign->cert);
|
||||
+ size = sk_X509_num(signerCerts);
|
||||
pkiDebug("received cert chain of size %d\n", size);
|
||||
for (j = 0; j < size; j++) {
|
||||
- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
|
||||
+ X509 *tmp_cert = sk_X509_value(signerCerts, j);
|
||||
X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
|
||||
pkiDebug("cert #%d: %s\n", j, buf);
|
||||
}
|
||||
@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
|
||||
|
||||
out = BIO_new(BIO_s_mem());
|
||||
if (cms_msg_type == CMS_SIGN_DRAFT9)
|
||||
- flags |= PKCS7_NOATTR;
|
||||
- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
|
||||
+ flags |= CMS_NOATTR;
|
||||
+ etype = CMS_get0_eContentType(cms);
|
||||
+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
|
||||
int valid_oid = 0;
|
||||
|
||||
- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
|
||||
+ if (!OBJ_cmp(etype, oid))
|
||||
valid_oid = 1;
|
||||
else if (cms_msg_type == CMS_SIGN_DRAFT9) {
|
||||
/*
|
||||
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context,
|
||||
client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
|
||||
server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
|
||||
rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
|
||||
- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
|
||||
- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
|
||||
- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
|
||||
+ if (!OBJ_cmp(etype, client_oid) ||
|
||||
+ !OBJ_cmp(etype, server_oid) ||
|
||||
+ !OBJ_cmp(etype, rsa_oid))
|
||||
valid_oid = 1;
|
||||
}
|
||||
|
||||
if (valid_oid)
|
||||
- pkiDebug("PKCS7 Verification successful\n");
|
||||
+ pkiDebug("CMS Verification successful\n");
|
||||
else {
|
||||
pkiDebug("wrong oid in eContentType\n");
|
||||
- print_buffer(p7->d.sign->contents->type->data,
|
||||
- (unsigned int)p7->d.sign->contents->type->length);
|
||||
+ print_buffer(etype->data,
|
||||
+ (unsigned int)etype->length);
|
||||
retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
krb5_set_error_message(context, retval, "wrong oid\n");
|
||||
goto cleanup;
|
||||
@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
|
||||
default:
|
||||
retval = KRB5KDC_ERR_INVALID_SIG;
|
||||
}
|
||||
- pkiDebug("PKCS7 Verification failure\n");
|
||||
+ pkiDebug("CMS Verification failure\n");
|
||||
krb5_set_error_message(context, retval, "%s\n",
|
||||
ERR_error_string(err, NULL));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- /* transfer the data from PKCS7 message into return buffer */
|
||||
+ /* transfer the data from CMS message into return buffer */
|
||||
for (size = 0;;) {
|
||||
int remain;
|
||||
retval = ENOMEM;
|
||||
@@ -1452,12 +1491,16 @@ cleanup:
|
||||
BIO_free(out);
|
||||
if (store != NULL)
|
||||
X509_STORE_free(store);
|
||||
- if (p7 != NULL) {
|
||||
- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
|
||||
+ if (cms != NULL) {
|
||||
+ if (signerCerts != NULL)
|
||||
+ pkinit_CMS_free1_certs(signerCerts);
|
||||
+ if (idctx->intermediateCAs != NULL && signerCerts)
|
||||
sk_X509_free(intermediateCAs);
|
||||
- if (idctx->revoked != NULL && p7->d.sign->crl)
|
||||
+ if (signerRevoked != NULL)
|
||||
+ pkinit_CMS_free1_crls(signerRevoked);
|
||||
+ if (idctx->revoked != NULL && signerRevoked)
|
||||
sk_X509_CRL_free(revoked);
|
||||
- PKCS7_free(p7);
|
||||
+ CMS_ContentInfo_free(cms);
|
||||
}
|
||||
if (verified_chain != NULL)
|
||||
sk_X509_pop_free(verified_chain, X509_free);
|
@ -1,24 +0,0 @@
|
||||
Don't suppress the error code from an error message when the error message
|
||||
contains e-data. RT#6893
|
||||
Index: src/lib/krb5/krb/chpw.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/krb/chpw.c (revision 24838)
|
||||
+++ src/lib/krb5/krb/chpw.c (working copy)
|
||||
@@ -111,15 +111,11 @@
|
||||
if ((ret = krb5_rd_error(context, packet, &krberror)))
|
||||
return(ret);
|
||||
|
||||
- if (krberror->e_data.data == NULL)
|
||||
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
|
||||
- else
|
||||
- ret = KRB5KRB_AP_ERR_MODIFIED;
|
||||
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
|
||||
krb5_free_error(context, krberror);
|
||||
return(ret);
|
||||
- } else {
|
||||
- return(KRB5KRB_AP_ERR_MODIFIED);
|
||||
}
|
||||
+ return(KRB5KRB_AP_ERR_MODIFIED);
|
||||
}
|
||||
|
||||
|
@ -1,27 +0,0 @@
|
||||
Author: ghudson
|
||||
Date: Mon May 9 17:28:07 2011 +0000
|
||||
|
||||
ticket: 6908
|
||||
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
|
||||
target_version: 1.9.2
|
||||
tags: pullup
|
||||
|
||||
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
|
||||
union context to krb5_gss_delete_sec_context(), causing a crash as the
|
||||
krb5 routine attempts to interpret a union context structure as a krb5
|
||||
GSS context. Call the mechglue gss_delete_sec_context instead.
|
||||
|
||||
|
||||
svn://anonsvn.mit.edu:/krb5/trunk@24917
|
||||
|
||||
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
|
||||
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
|
||||
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
|
||||
/* Clean up the context state (it is an error for
|
||||
* someone to attempt to use this context again)
|
||||
*/
|
||||
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
|
||||
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
|
||||
*context_handle = GSS_C_NO_CONTEXT;
|
||||
|
||||
generic_gss_release_buffer_set(&minor, &data_set);
|
@ -1,39 +0,0 @@
|
||||
------------------------------------------------------------------------
|
||||
r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
|
||||
|
||||
ticket: 6920
|
||||
subject: Fix old-style GSSRPC authentication
|
||||
target_version: 1.9.2
|
||||
tags: pullup
|
||||
|
||||
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
|
||||
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
|
||||
authentication fail because it uses the wrong channel bindings. Fix
|
||||
this problem by making clnttcp_create() get the remote address from
|
||||
the socket using getpeername() if the caller doesn't provide it and
|
||||
it's an IPv4 address.
|
||||
------------------------------------------------------------------------
|
||||
Index: src/lib/rpc/clnt_tcp.c
|
||||
===================================================================
|
||||
--- src/lib/rpc/clnt_tcp.c (revision 24966)
|
||||
+++ src/lib/rpc/clnt_tcp.c (revision 24967)
|
||||
@@ -187,9 +187,16 @@
|
||||
ct->ct_sock = *sockp;
|
||||
ct->ct_wait.tv_usec = 0;
|
||||
ct->ct_waitset = FALSE;
|
||||
- if (raddr == NULL)
|
||||
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
|
||||
- else
|
||||
+ if (raddr == NULL) {
|
||||
+ /* Get the remote address from the socket, if it's IPv4. */
|
||||
+ struct sockaddr_in sin;
|
||||
+ socklen_t len = sizeof(sin);
|
||||
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
|
||||
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
|
||||
+ ct->ct_addr = sin;
|
||||
+ else
|
||||
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
|
||||
+ } else
|
||||
ct->ct_addr = *raddr;
|
||||
|
||||
/*
|
50
krb5.changes
50
krb5.changes
@ -1,3 +1,53 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de
|
||||
|
||||
- fix gcc47 issues
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
|
||||
|
||||
- update to version 1.10.2
|
||||
obsolte patches:
|
||||
* krb5-1.7-nodeplibs.patch
|
||||
* krb5-1.9.1-ai_addrconfig.patch
|
||||
* krb5-1.9.1-ai_addrconfig2.patch
|
||||
* krb5-1.9.1-sendto_poll.patch
|
||||
* krb5-1.9-canonicalize-fallback.patch
|
||||
* krb5-1.9-paren.patch
|
||||
* krb5-klist_s.patch
|
||||
* krb5-pkinit-cms2.patch
|
||||
* krb5-trunk-chpw-err.patch
|
||||
* krb5-trunk-gss_delete_sec.patch
|
||||
* krb5-trunk-kadmin-oldproto.patch
|
||||
* krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||
* krb5-1.9-gss_display_status-iakerb.patch
|
||||
* krb5-1.9.1-sendto_poll2.patch
|
||||
* krb5-1.9.1-sendto_poll3.patch
|
||||
* krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
|
||||
Controllers.
|
||||
- Update a workaround for a glibc bug that would cause DNS PTR queries
|
||||
to occur even when rdns = false.
|
||||
- Fix a kadmind denial of service issue (null pointer dereference),
|
||||
which could only be triggered by an administrator with the "create"
|
||||
privilege. [CVE-2012-1013]
|
||||
- Fix access controls for KDB string attributes [CVE-2012-1012]
|
||||
- Make the ASN.1 encoding of key version numbers interoperate with
|
||||
Windows Read-Only Domain Controllers
|
||||
- Avoid generating spurious password expiry warnings in cases where
|
||||
the KDC sends an account expiry time without a password expiry time
|
||||
- Make PKINIT work with FAST in the client library.
|
||||
- Add the DIR credential cache type, which can hold a collection of
|
||||
credential caches.
|
||||
- Enhance kinit, klist, and kdestroy to support credential cache
|
||||
collections if the cache type supports it.
|
||||
- Add the kswitch command, which changes the selected default cache
|
||||
within a collection.
|
||||
- Add heuristic support for choosing client credentials based on
|
||||
the service realm.
|
||||
- Add support for $HOME/.k5identity, which allows credential
|
||||
choice based on configured rules.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
|
||||
|
||||
|
69
krb5.spec
69
krb5.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 0
|
||||
%define srcRoot krb5-1.9.1
|
||||
%define srcRoot krb5-1.10.2
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.9.1
|
||||
Version: 1.10.2
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
|
||||
%endif
|
||||
#
|
||||
%endif
|
||||
Source: krb5-1.9.1.tar.bz2
|
||||
Source: krb5-%{version}.tar.bz2
|
||||
Source1: vendor-files.tar.bz2
|
||||
Source2: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source10: krb5-1.8-manpaths.txt
|
||||
Patch1: krb5-1.9-buildconf.patch
|
||||
Patch1: krb5-1.10-buildconf.patch
|
||||
Patch3: krb5-1.9-manpaths.dif
|
||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.6.3-kpasswd_tcp.patch
|
||||
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch10: krb5-1.7-doublelog.patch
|
||||
Patch11: krb5-1.7-nodeplibs.patch
|
||||
Patch12: krb5-1.8-api.patch
|
||||
Patch13: krb5-1.8-pam.patch
|
||||
Patch14: krb5-1.9.1-ai_addrconfig.patch
|
||||
Patch15: krb5-1.9.1-ai_addrconfig2.patch
|
||||
Patch16: krb5-1.9.1-sendto_poll.patch
|
||||
Patch17: krb5-1.9-canonicalize-fallback.patch
|
||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||
Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.9-paren.patch
|
||||
Patch21: krb5-1.9-selinux-label.patch
|
||||
Patch22: krb5-klist_s.patch
|
||||
Patch23: krb5-pkinit-cms2.patch
|
||||
Patch24: krb5-trunk-chpw-err.patch
|
||||
Patch25: krb5-trunk-gss_delete_sec.patch
|
||||
Patch26: krb5-trunk-kadmin-oldproto.patch
|
||||
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
|
||||
Patch31: krb5-1.9-gss_display_status-iakerb.patch
|
||||
Patch32: krb5-1.9.1-sendto_poll2.patch
|
||||
Patch33: krb5-1.9.1-sendto_poll3.patch
|
||||
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -119,8 +104,9 @@ Authors:
|
||||
%package server
|
||||
Summary: MIT Kerberos5 implementation - server
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: cron
|
||||
Requires: logrotate
|
||||
Requires: perl-Date-Calc
|
||||
Requires: logrotate cron
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
|
||||
%description server
|
||||
@ -182,8 +168,8 @@ Authors:
|
||||
Summary: MIT Kerberos5 - Include Files and Libraries
|
||||
Group: Development/Libraries/C and C++
|
||||
PreReq: %{name} = %{version}
|
||||
Requires: libcom_err-devel
|
||||
Requires: keyutils-devel
|
||||
Requires: libcom_err-devel
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: krb5-devel-64bit
|
||||
@ -216,28 +202,13 @@ Authors:
|
||||
%patch21 -p1
|
||||
%patch1 -p1
|
||||
%patch5 -p1
|
||||
%patch6
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch14
|
||||
%patch15
|
||||
%patch16
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24
|
||||
%patch25 -p1
|
||||
%patch26
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch20
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
@ -246,6 +217,8 @@ done
|
||||
popd
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
rm -f src/lib/krb5/krb/deltat.c
|
||||
cd src
|
||||
./util/reconf
|
||||
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
|
||||
@ -402,6 +375,8 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
%{_libdir}/libverto.so
|
||||
%{_libdir}/libverto-k5ev.so
|
||||
%{_includedir}/*
|
||||
/usr/lib/mit/bin/krb5-config
|
||||
/usr/lib/mit/sbin/krb5-send-pr
|
||||
@ -442,6 +417,8 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so.*
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
%{_libdir}/krb5/plugins/kdb/*
|
||||
%{_libdir}/krb5/plugins/preauth/*
|
||||
#/usr/lib/mit/sbin/*
|
||||
@ -464,6 +441,7 @@ rm -rf %{buildroot}
|
||||
/usr/lib/mit/bin/klist
|
||||
/usr/lib/mit/bin/kadmin
|
||||
/usr/lib/mit/bin/ktutil
|
||||
/usr/lib/mit/bin/kswitch
|
||||
%attr(0755,root,root) /usr/lib/mit/bin/ksu
|
||||
/usr/lib/mit/bin/uuclient
|
||||
/usr/lib/mit/bin/sclient
|
||||
@ -484,6 +462,7 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
%{_mandir}/man1/kswitch.1*
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man5/.k5login.5.gz
|
||||
%{_mandir}/man8/*
|
||||
@ -511,7 +490,8 @@ rm -rf %{buildroot}
|
||||
%{_libdir}/libkdb5.so.*
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
@ -572,6 +552,7 @@ rm -rf %{buildroot}
|
||||
/usr/lib/mit/bin/sclient
|
||||
/usr/lib/mit/bin/sim_client
|
||||
/usr/lib/mit/bin/uuclient
|
||||
/usr/lib/mit/bin/kswitch
|
||||
/usr/bin/kinit
|
||||
/usr/bin/klist
|
||||
%{_mandir}/man1/kvno.1*
|
||||
@ -583,8 +564,12 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
%{_mandir}/man1/kswitch.1*
|
||||
%{_mandir}/man5/krb5.conf.5*
|
||||
%{_mandir}/man5/.k5login.5*
|
||||
%{_mandir}/man5/.k5identity.5*
|
||||
%{_mandir}/man5/k5identity.5*
|
||||
%{_mandir}/man5/k5login.5*
|
||||
%{_mandir}/man1/ksu.1.gz
|
||||
%{_mandir}/man1/sclient.1.gz
|
||||
|
||||
|
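Review bot: The `Patch20` slot is recycled for an unrelated patch — the dropped `Patch20: krb5-1.9-paren.patch` and the new `Patch20: krb5-1.10-gcc47.patch` share a number, with the %prep line changing from `%patch20 -p1` to `%patch20` — which makes it hard to audit later which fix was applied at a given revision; prefer the next unused number and a one-line comment above it naming what the patch fixes, e.g. `# fix build failures with gcc 4.7`. `Patch21` likewise changes from `krb5-1.9-selinux-label.patch` to `krb5-1.10-selinux-label.patch` under the same number, though that looks like a rebase of the same change. `Patch3` and `Patch13` stay declared but are not applied anywhere in the visible %prep hunk; if they are applied above the hunk that is fine, otherwise they are dead declarations worth removing. Separately, `Source: krb5-%{version}.tar.bz2` has no upstream detached signature or keyring listed beside it, so nothing in the spec lets the provenance of the tarball be checked; if the .tar.bz2 is repacked from the signed upstream release, a comment stating how it was produced and verified, or carrying the upstream signature and a keyring as additional sources, would close that gap.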