SHA256
1
0
forked from pool/krb5

Accepting request 79468 from network

- update to version 1.9.1

- add patches from Fedora and upstream 
- fix init scripts (bnc#689006)

- update to version 1.9.1
  * obsolete patches:
    MITKRB5-SA-2010-007-1.8.dif
    krb5-1.8-MITKRB5-SA-2010-006.dif
    krb5-1.8-MITKRB5-SA-2011-001.dif
    krb5-1.8-MITKRB5-SA-2011-002.dif
    krb5-1.8-MITKRB5-SA-2011-003.dif
    krb5-1.8-MITKRB5-SA-2011-004.dif
    krb5-1.4.3-enospc.dif
  * replace krb5-1.6.1-compile_pie.dif

- add patches from Fedora and upstream 
- fix init scripts (bnc#689006)

- update to version 1.9.1
  * obsolete patches:
    MITKRB5-SA-2010-007-1.8.dif
    krb5-1.8-MITKRB5-SA-2010-006.dif
    krb5-1.8-MITKRB5-SA-2011-001.dif
    krb5-1.8-MITKRB5-SA-2011-002.dif
    krb5-1.8-MITKRB5-SA-2011-003.dif
    krb5-1.8-MITKRB5-SA-2011-004.dif
    krb5-1.4.3-enospc.dif
  * replace krb5-1.6.1-compile_pie.dif

OBS-URL: https://build.opensuse.org/request/show/79468
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=69
This commit is contained in:
Sascha Peilicke 2011-08-22 13:22:15 +00:00 committed by Git OBS Bridge
commit fbdae2856b
43 changed files with 3323 additions and 725 deletions

View File

@ -1,204 +0,0 @@
Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455)
+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy)
@@ -691,8 +691,7 @@
krb5_reply_key_pack *key_pack = NULL;
krb5_reply_key_pack_draft9 *key_pack9 = NULL;
krb5_data *encoded_key_pack = NULL;
- unsigned int num_types;
- krb5_cksumtype *cksum_types = NULL;
+ krb5_cksumtype cksum_type;
pkinit_kdc_context plgctx;
pkinit_kdc_req_context reqctx;
@@ -882,14 +881,25 @@
retval = ENOMEM;
goto cleanup;
}
- /* retrieve checksums for a given enctype of the reply key */
- retval = krb5_c_keyed_checksum_types(context,
- encrypting_key->enctype, &num_types, &cksum_types);
- if (retval)
- goto cleanup;
- /* pick the first of acceptable enctypes for the checksum */
- retval = krb5_c_make_checksum(context, cksum_types[0],
+ switch (encrypting_key->enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ cksum_type = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ cksum_type = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ retval = krb5int_c_mandatory_cksumtype(context,
+ encrypting_key->enctype,
+ &cksum_type);
+ if (retval)
+ goto cleanup;
+ break;
+ }
+
+ retval = krb5_c_make_checksum(context, cksum_type,
encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
req_pkt, &key_pack->asChecksum);
if (retval) {
@@ -1033,7 +1043,6 @@
krb5_free_data(context, encoded_key_pack);
free(dh_pubkey);
free(server_key);
- free(cksum_types);
switch ((int)padata->pa_type) {
case KRB5_PADATA_PK_AS_REQ:
Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy)
@@ -101,7 +101,7 @@
{ CKSUMTYPE_MD5_HMAC_ARCFOUR,
"md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
- NULL, &krb5int_hash_md5,
+ &krb5int_enc_arcfour, &krb5int_hash_md5,
krb5int_hmacmd5_checksum, NULL,
16, 16, 0 },
};
Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy)
@@ -35,6 +35,13 @@
{
if (ctp->flags & CKSUM_UNKEYED)
return FALSE;
+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be
+ * conservative with RC4. */
+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
+ return FALSE;
return (!ctp->enc || ktp->enc == ctp->enc);
}
Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy)
@@ -91,6 +91,8 @@
blocksize = enc->block_size;
keybytes = enc->keybytes;
+ if (blocksize == 1)
+ return KRB5_BAD_ENCTYPE;
if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
return KRB5_CRYPTO_INTERNAL;
Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455)
+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy)
@@ -119,10 +119,22 @@
if (code != 0)
return code;
- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
- cksumtype);
- if (code != 0)
- return code;
+ switch (subkey->keyblock.enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ *cksumtype = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ *cksumtype = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ code = (*kaccess.mandatory_cksumtype)(context,
+ subkey->keyblock.enctype,
+ cksumtype);
+ if (code != 0)
+ return code;
+ break;
+ }
switch (subkey->keyblock.enctype) {
case ENCTYPE_DES_CBC_MD5:
Index: krb5-1.8/src/lib/krb5/krb/pac.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy)
@@ -582,6 +582,8 @@
checksum.checksum_type = load_32_le(p);
checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
pac_data.length = pac->data.length;
pac_data.data = malloc(pac->data.length);
Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy)
@@ -1578,7 +1578,9 @@
cksum = sc2->sam_cksum;
- while (*cksum) {
+ for (; *cksum; cksum++) {
+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
+ continue;
/* Check this cksum */
retval = krb5_c_verify_checksum(context, as_key,
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
@@ -1592,7 +1594,6 @@
}
if (valid_cksum)
break;
- cksum++;
}
if (!valid_cksum) {
Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy)
@@ -215,10 +215,28 @@
for (i = 0; i < nsumtypes; i++)
if (auth_context->safe_cksumtype == sumtypes[i])
break;
- if (i == nsumtypes)
- i = 0;
- sumtype = sumtypes[i];
krb5_free_cksumtypes (context, sumtypes);
+ if (i < nsumtypes)
+ sumtype = auth_context->safe_cksumtype;
+ else {
+ switch (enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ sumtype = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ sumtype = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
+ &sumtype);
+ if (retval) {
+ CLEANUP_DONE();
+ goto error;
+ }
+ break;
+ }
+ }
}
if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
plocal_fulladdr, premote_fulladdr,

View File

@ -1,24 +0,0 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c
===================================================================
--- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c
+++ krb5-1.8-alpha1/src/clients/kinit/kinit.c
@@ -712,8 +712,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ?
my_creds.client : k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
+ if ((code == KRB5_CC_IO) && (errno != 0)) {
+ com_err(progname, code, "when initializing cache %s: %s",
+ opts->k5_cache_name?opts->k5_cache_name:"",
+ strerror(errno));
+ } else {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ }
goto cleanup;
}

View File

@ -1,27 +0,0 @@
Index: src/krb5-config.in
===================================================================
--- src/krb5-config.in.orig
+++ src/krb5-config.in
@@ -188,6 +188,8 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: src/config/shlib.conf
===================================================================
--- src/config/shlib.conf.orig
+++ src/config/shlib.conf
@@ -419,7 +419,8 @@ mips-*-netbsd*)
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'

View File

@ -1,54 +0,0 @@
Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c
===================================================================
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c
===================================================================
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c
===================================================================
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c
===================================================================
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c
@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {

View File

@ -5,7 +5,7 @@ Index: src/lib/krb5/os/changepw.c
=================================================================== ===================================================================
--- src/lib/krb5/os/changepw.c.orig --- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c +++ src/lib/krb5/os/changepw.c
@@ -280,10 +280,22 @@ change_set_password(krb5_context context @@ -282,10 +282,22 @@ change_set_password(krb5_context context
NULL NULL
))) { ))) {

View File

@ -1,28 +0,0 @@
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -206,6 +206,7 @@ void get_tickets(context)
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
/*
* Figure out what tickets we'll be using to send stuff
@@ -231,7 +232,15 @@ void get_tickets(context)
/*
* Initialize cache file which we're going to be using
*/
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(tkstring);
+ if (ret == -1) {
+ com_err(progname, errno, "while initialize cache file");
+ exit(1);
+ } else close(ret);
+#else
(void) mktemp(tkstring);
+#endif
snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);

18
krb5-1.7-doublelog.patch Normal file
View File

@ -0,0 +1,18 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: krb5-1.9.1/src/include/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/include/Makefile.in
+++ krb5-1.9.1/src/include/Makefile.in
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
OSCONFSRC = $(srcdir)/osconf.hin

View File

@ -1,30 +0,0 @@
appl/sample/sclient/sclient.M
appl/sample/sserver/sserver.M
clients/kcpytkt/kcpytkt.M
clients/kdeltkt/kdeltkt.M
clients/kdestroy/kdestroy.M
clients/kinit/kinit.M
clients/klist/klist.M
clients/kpasswd/kpasswd.M
clients/ksu/ksu.M
clients/kvno/kvno.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/k5login.M
gen-manpages/kerberos.M
kadmin/cli/k5srvutil.M
kadmin/cli/kadmin.local.M
kadmin/cli/kadmin.M
kadmin/dbutil/kdb5_util.M
kadmin/ktutil/ktutil.M
kadmin/server/kadmind.M
kdc/krb5kdc.M
krb5-config.M
plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
slave/kpropd.M
slave/kprop.M
tests/create/kdb5_mkdums.M
util/et/com_err.3
util/et/compile_et.1
util/profile/profile.5
util/send-pr/send-pr.1

21
krb5-1.7-nodeplibs.patch Normal file
View File

@ -0,0 +1,21 @@
Omit extra libraries because their interfaces aren't exposed to applications
by libkrb5, unless do_deps is set to 1, which indicates that the caller
wants the whole list.
Index: krb5-1.9.1/src/krb5-config.in
===================================================================
--- krb5-1.9.1.orig/src/krb5-config.in
+++ krb5-1.9.1/src/krb5-config.in
@@ -221,7 +221,11 @@ if test -n "$do_libs"; then
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ if test 0$do_deps -eq 1 ; then
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ else
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
+ fi
fi
echo $lib_flags

View File

@ -1,33 +0,0 @@
Index: krb5-1.8.1/src/kdc/kdc_authdata.c
===================================================================
--- krb5-1.8.1.orig/src/kdc/kdc_authdata.c
+++ krb5-1.8.1/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
krb5_boolean copy,
krb5_boolean ignore_kdc_issued)
{
- size_t i, nadata = 0;
+ size_t i, j, nadata = 0;
krb5_authdata **authdata = *out_authdata;
if (in_authdata == NULL || in_authdata[0] == NULL)
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
in_authdata = tmp;
}
- for (i = 0; in_authdata[i] != NULL; i++) {
+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
if (ignore_kdc_issued &&
is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
free(in_authdata[i]->contents);
free(in_authdata[i]);
} else
- authdata[nadata + i] = in_authdata[i];
+ authdata[nadata + j++] = in_authdata[i];
}
- authdata[nadata + i] = NULL;
+ authdata[nadata + j] = NULL;
free(in_authdata);

View File

@ -1,20 +0,0 @@
Index: krb5-1.8.1/src/slave/kpropd.c
===================================================================
--- krb5-1.8.1.orig/src/slave/kpropd.c
+++ krb5-1.8.1/src/slave/kpropd.c
@@ -404,11 +404,12 @@ retry:
}
close(s);
- if (iproprole == IPROP_SLAVE)
+ if (iproprole == IPROP_SLAVE) {
close(finet);
- if ((ret = WEXITSTATUS(status)) != 0)
- return (ret);
+ if ((ret = WEXITSTATUS(status)) != 0)
+ return (ret);
+ }
}
if (iproprole == IPROP_SLAVE)
break;

View File

@ -1,112 +0,0 @@
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context con
unsigned int flags, krb5_db_entry *entries,
int *nentries, krb5_boolean *more)
{
- char *user=NULL, *filter=NULL, **subtree=NULL;
+ char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
- char **values=NULL, *cname=NULL;
+ char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context con
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
+ filtuser = ldap_filter_correct(user);
+ if (filtuser == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+
+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
- snprintf(filter, princlen, FILTER"%s))", user);
+ snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
@@ -231,6 +237,9 @@ cleanup:
if (user)
free(user);
+ if (filtuser)
+ free(filtuser);
+
if (cname)
free(cname);
Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_contex
#define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
- do { \
- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
- if (ldap_server_handle) \
- ld = ldap_server_handle->ldap_handle; \
- } \
- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+ tempst = 0; \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+ if (ldap_server_handle) \
+ ld = ldap_server_handle->ldap_handle; \
+ if (tempst == 0) \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
+ NULL, NULL, &timelimit, \
+ LDAP_NO_LIMIT, &result); \
+ } \
\
if (status_check != IGNORE_STATUS) { \
if (tempst != 0) { \
Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context
* portion, then the first portion of the principal name SHOULD be
* "krbtgt". All this check is done in the immediate block.
*/
- if (searchfor->length == 2)
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
- (strncasecmp(searchfor->data[1].data, defrealm,
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+ if (searchfor->length == 2) {
+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
+ data_eq_string(searchfor->data[1], defrealm))
return 0;
+ }
/* first check the length, if they are not equal, then they are not same */
if (strlen(defrealm) != searchfor->realm.length)

View File

@ -1,13 +0,0 @@
Index: krb5-1.8.1/src/kdc/do_as_req.c
===================================================================
--- krb5-1.8.1.orig/src/kdc/do_as_req.c
+++ krb5-1.8.1/src/kdc/do_as_req.c
@@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_sta
pad->contents = td[size]->data;
pad->length = td[size]->length;
pa[size] = pad;
+ td[size]->data = NULL;
+ td[size]->length = 0;
}
krb5_free_typed_data(kdc_context, td);
}

View File

@ -1,35 +0,0 @@
diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
index c8ce4f1..bb911ff 100644
--- a/src/kadmin/server/network.c
+++ b/src/kadmin/server/network.c
@@ -1384,6 +1384,10 @@ cleanup:
if (local_kaddrs != NULL)
krb5_free_addresses(server_handle->context, local_kaddrs);
+ if ((*response)->data == NULL) {
+ free(*response);
+ *response = NULL;
+ }
krb5_kt_close(server_handle->context, kt);
return ret;
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index c1b2217..992b55f 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
- if (plen != req->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ if (plen != req->length) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+ goto chpwfail;
+ }
/* verify version number */

30
krb5-1.8-api.patch Normal file
View File

@ -0,0 +1,30 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {

6
krb5-1.8-manpaths.txt Normal file
View File

@ -0,0 +1,6 @@
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M

757
krb5-1.8-pam.patch Normal file
View File

@ -0,0 +1,757 @@
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
Index: krb5-1.9.1/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
+dnl appropriate.
+dnl
+AC_DEFUN(KRB5_WITH_PAM,[
+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
+ withpam="$withval",withpam=auto)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
+ PAM_LIBS=
+
+ AC_CHECK_HEADERS(security/pam_appl.h)
+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_pam_start
+ AC_CHECK_FUNCS(putenv pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ unset ac_cv_func_pam_start
+ AC_CHECK_LIB(dl,dlopen)
+ AC_CHECK_FUNCS(pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ AC_CHECK_LIB(pam,pam_start)
+ unset ac_cv_func_pam_start
+ unset ac_cv_func_pam_getenvlist
+ AC_CHECK_FUNCS(pam_start pam_getenvlist)
+ if test "x$ac_cv_func_pam_start" = xyes ; then
+ PAM_LIBS="$LIBS"
+ else
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate libpam.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate libpam.])
+ fi
+ fi
+ fi
+ fi
+ if test "$withpam" != no ; then
+ AC_MSG_NOTICE([building with PAM support])
+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
+ else
+ PAM_MAN=".\\\" "
+ NON_PAM_MAN=
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(PAM_LIBS)
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
Index: krb5-1.9.1/src/clients/ksu/main.c
===================================================================
--- krb5-1.9.1.orig/src/clients/ksu/main.c
+++ krb5-1.9.1/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -33,6 +34,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "pam.h"
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
+int force_fork = 0;
/***********/
#define _DEF_CSH "/bin/csh"
@@ -586,6 +592,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
@@ -651,6 +676,26 @@ main (argc, argv)
sweep_up(ksu_context, cc_target);
exit(1);
}
+#ifdef USE_PAM
+ } else {
+ /* we always do PAM account management, even for root */
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
}
if( some_rest_copy){
@@ -720,6 +765,32 @@ main (argc, argv)
exit(1);
}
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -792,7 +863,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -823,15 +894,34 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
Index: krb5-1.9.1/src/clients/ksu/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/clients/ksu/Makefile.in
+++ krb5-1.9.1/src/clients/ksu/Makefile.in
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
Index: krb5-1.9.1/src/clients/ksu/pam.c
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "k5-int.h"
+#include "pam.h"
+
+#ifndef MAXPWSIZE
+#define MAXPWSIZE 128
+#endif
+
+static int appl_pam_started;
+static pid_t appl_pam_starter = -1;
+static int appl_pam_session_opened;
+static int appl_pam_creds_initialized;
+static int appl_pam_pwchange_required;
+static pam_handle_t *appl_pamh;
+static struct pam_conv appl_pam_conv;
+static char *appl_pam_user;
+struct appl_pam_non_interactive_args {
+ const char *user;
+ const char *password;
+};
+
+int
+appl_pam_enabled(krb5_context context, const char *section)
+{
+ int enabled = 1;
+ if ((context != NULL) && (context->profile != NULL)) {
+ if (profile_get_boolean(context->profile,
+ section,
+ USE_PAM_CONFIGURATION_KEYWORD,
+ NULL,
+ enabled, &enabled) != 0) {
+ enabled = 1;
+ }
+ }
+ return enabled;
+}
+
+void
+appl_pam_cleanup(void)
+{
+ if (getpid() != appl_pam_starter) {
+ return;
+ }
+#ifdef DEBUG
+ printf("Called to clean up PAM.\n");
+#endif
+ if (appl_pam_creds_initialized) {
+#ifdef DEBUG
+ printf("Deleting PAM credentials.\n");
+#endif
+ pam_setcred(appl_pamh, PAM_DELETE_CRED);
+ appl_pam_creds_initialized = 0;
+ }
+ if (appl_pam_session_opened) {
+#ifdef DEBUG
+ printf("Closing PAM session.\n");
+#endif
+ pam_close_session(appl_pamh, 0);
+ appl_pam_session_opened = 0;
+ }
+ appl_pam_pwchange_required = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Shutting down PAM.\n");
+#endif
+ pam_end(appl_pamh, 0);
+ appl_pam_started = 0;
+ appl_pam_starter = -1;
+ free(appl_pam_user);
+ appl_pam_user = NULL;
+ }
+}
+static int
+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
+ struct pam_response **presp, void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ char *pwstring, pwbuf[MAXPWSIZE];
+ unsigned int pwsize;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &(msg[0][i]); /* XXX */
+ message = msg[i]; /* XXX */
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ printf("[%s]\n", message->msg ? message->msg : "");
+ fflush(stdout);
+ resp[i].resp = NULL;
+ resp[i].resp_retcode = PAM_SUCCESS;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ if (fgets(pwbuf, sizeof(pwbuf),
+ stdin) != NULL) {
+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
+ pwstring = pwbuf;
+ }
+ } else {
+ pwstring = getpass(message->msg ?
+ message->msg :
+ "");
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_non_interactive_converse(int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **presp,
+ void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ unsigned int pwsize;
+ struct appl_pam_non_interactive_args *args;
+ const char *pwstring;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ args = appdata_ptr;
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &((*msg)[i]);
+ message = msg[i];
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ /* assume "user" */
+ pwstring = args->user;
+ } else {
+ /* assume "password" */
+ pwstring = args->password;
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ static int exit_handler_registered;
+ static struct appl_pam_non_interactive_args args;
+ int ret = 0;
+ if (appl_pam_started &&
+ (strcmp(login_username, appl_pam_user) != 0)) {
+ appl_pam_cleanup();
+ appl_pam_user = NULL;
+ }
+ if (!appl_pam_started) {
+#ifdef DEBUG
+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
+ service, login_username);
+#endif
+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
+ appl_pam_conv.conv = interactive ?
+ &appl_pam_interactive_converse :
+ &appl_pam_non_interactive_converse;
+ memset(&args, 0, sizeof(args));
+ args.user = strdup(login_username);
+ args.password = non_interactive_password ?
+ strdup(non_interactive_password) :
+ NULL;
+ appl_pam_conv.appdata_ptr = &args;
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
+ if (hostname != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
+#endif
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
+ }
+ if (ruser != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
+#endif
+ pam_set_item(appl_pamh, PAM_RUSER, ruser);
+ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
+#endif
+ pam_set_item(appl_pamh, PAM_TTY, tty);
+ }
+ if (!exit_handler_registered &&
+ (atexit(appl_pam_cleanup) != 0)) {
+ pam_end(appl_pamh, 0);
+ appl_pamh = NULL;
+ ret = -1;
+ } else {
+ appl_pam_started = 1;
+ appl_pam_starter = getpid();
+ appl_pam_user = strdup(login_username);
+ exit_handler_registered = 1;
+ }
+ }
+ }
+ return ret;
+}
+int
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, hostname, ruser, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
+#endif
+ ret = pam_acct_mgmt(appl_pamh, 0);
+ switch (ret) {
+ case PAM_IGNORE:
+ ret = 0;
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ appl_pam_pwchange_required = 1;
+ ret = 0;
+ break;
+ default:
+ break;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_requires_chauthtok(void)
+{
+ return appl_pam_pwchange_required;
+}
+int
+appl_pam_session_open(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Opening PAM session.\n");
+#endif
+ ret = pam_open_session(appl_pamh, 0);
+ if (ret == 0) {
+ appl_pam_session_opened = 1;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_setenv(void)
+{
+ int ret = 0;
+#ifdef HAVE_PAM_GETENVLIST
+#ifdef HAVE_PUTENV
+ int i;
+ char **list;
+ if (appl_pam_started) {
+ list = pam_getenvlist(appl_pamh);
+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
+#ifdef DEBUG
+ printf("Setting \"%s\" in environment.\n", list[i]);
+#endif
+ putenv(list[i]);
+ }
+ }
+#endif
+#endif
+ return ret;
+}
+int
+appl_pam_cred_init(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Initializing PAM credentials.\n");
+#endif
+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
+ if (ret == 0) {
+ appl_pam_creds_initialized = 1;
+ }
+ }
+ return ret;
+}
+#endif
Index: krb5-1.9.1/src/clients/ksu/pam.h
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include <krb5.h>
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+
+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
+
+#ifdef USE_PAM
+int appl_pam_enabled(krb5_context context, const char *section);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_session_open(void);
+int appl_pam_setenv(void);
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
Index: krb5-1.9.1/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
fi
+KRB5_WITH_PAM
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MAKEFILE(.

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:93fa3b1f604a35a6a00fc32a65764b25ba218dd921ed00d79cbffa0d7cd64e3f
size 9968381

38
krb5-1.9-buildconf.patch Normal file
View File

@ -0,0 +1,38 @@
Build binaries in this package as RELRO PIEs and install shared libraries with
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
where they might leak out and affect apps which just want to link with the
libraries. FIXME: needs to check and not just assume that the compiler supports
using these flags.
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+ -e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5

View File

@ -0,0 +1,61 @@
From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context,
/***** STATE_REFERRALS *****/
-/*
- * Possibly retry a request in the fallback realm after a referral request
- * failure in the local realm. Expects ctx->reply_code to be set to the error
- * from a referral request.
- */
+/* Possibly try a non-referral request after a referral request failure.
+ * Expects ctx->reply_code to be set to the error from a referral request. */
static krb5_error_code
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
char **hrealms;
@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context,
if (ctx->referral_count > 1)
return ctx->reply_code;
- /* Only fall back if the original request used the referral realm. */
+ /* If the request used a specified realm, make a non-referral request to
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
if (!krb5_is_referral_realm(&ctx->req_server->realm))
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context,
if (code != 0)
return code;
- /* Give up if the fallback realm isn't any different. */
+ /* If the fallback realm isn't any different, use the existing TGT. */
if (data_eq_string(ctx->server->realm, hrealms[0])) {
krb5_free_host_realm(context, hrealms);
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
}
/* Rewrite server->realm to be the fallback realm. */
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb
krb5_error_code code;
const krb5_data *referral_realm;
- /* Possibly retry with the fallback realm on error. */
+ /* Possibly try a non-referral fallback request on error. */
if (ctx->reply_code != 0)
- return try_fallback_realm(context, ctx);
+ return try_fallback(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {

View File

@ -0,0 +1,30 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.9.1/src/slave/kprop.c
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.c
+++ krb5-1.9.1/src/slave/kprop.c
@@ -188,9 +188,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",

13
krb5-1.9-ksu-path.patch Normal file
View File

@ -0,0 +1,13 @@
Set the default PATH to the one set by login.
diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in
--- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)

View File

@ -1,9 +1,41 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.9.1/src/aclocal.m4
Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M
=================================================================== ===================================================================
--- krb5-1.8.3.orig/src/appl/sample/sserver/sserver.M --- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.8.3/src/appl/sample/sserver/sserver.M +++ krb5-1.9.1/src/aclocal.m4
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha @@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in using a line in
/etc/inetd.conf that looks like this: /etc/inetd.conf that looks like this:
@ -13,10 +45,10 @@ Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M
.PP .PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this: usually have to add a line to /etc/services which looks like this:
Index: krb5-1.8.3/src/config-files/kdc.conf.M Index: krb5-1.9.1/src/config-files/kdc.conf.M
=================================================================== ===================================================================
--- krb5-1.8.3.orig/src/config-files/kdc.conf.M --- krb5-1.9.1.orig/src/config-files/kdc.conf.M
+++ krb5-1.8.3/src/config-files/kdc.conf.M +++ krb5-1.9.1/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This @@ -92,14 +92,14 @@ This
.B string .B string
specifies the location of the access control list (acl) file that specifies the location of the access control list (acl) file that
@ -43,74 +75,44 @@ Index: krb5-1.8.3/src/config-files/kdc.conf.M
.SH SEE ALSO .SH SEE ALSO
krb5.conf(5), krb5kdc(8) krb5.conf(5), krb5kdc(8)
Index: krb5-1.8.3/src/configure.in Index: krb5-1.9.1/src/config-files/krb5.conf.M
=================================================================== ===================================================================
--- krb5-1.8.3.orig/src/configure.in --- krb5-1.9.1.orig/src/config-files/krb5.conf.M
+++ krb5-1.8.3/src/configure.in +++ krb5-1.9.1/src/config-files/krb5.conf.M
@@ -1057,6 +1057,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " @@ -768,6 +768,6 @@ with another database such as Active Dir
fi in for this interface.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.9.1/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1128,6 +1128,16 @@ fi
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+ +
+mansysconfdir=$sysconfdir +V5_AC_OUTPUT_MANPAGE([
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_OUTPUT([
+ appl/sample/sclient/sclient.M
+ appl/sample/sserver/sserver.M + appl/sample/sserver/sserver.M
+ clients/kcpytkt/kcpytkt.M
+ clients/kdeltkt/kdeltkt.M
+ clients/kdestroy/kdestroy.M
+ clients/kinit/kinit.M
+ clients/klist/klist.M
+ clients/kpasswd/kpasswd.M
+ clients/ksu/ksu.M
+ clients/kvno/kvno.M
+ config-files/kdc.conf.M + config-files/kdc.conf.M
+ config-files/krb5.conf.M + config-files/krb5.conf.M
+ gen-manpages/k5login.M
+ gen-manpages/kerberos.M
+ kadmin/cli/k5srvutil.M
+ kadmin/cli/kadmin.local.M
+ kadmin/cli/kadmin.M + kadmin/cli/kadmin.M
+ kadmin/dbutil/kdb5_util.M
+ kadmin/ktutil/ktutil.M
+ kadmin/server/kadmind.M
+ kdc/krb5kdc.M
+ krb5-config.M
+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+ slave/kpropd.M + slave/kpropd.M
+ slave/kprop.M + slave/kprop.M
+ tests/create/kdb5_mkdums.M
+ util/et/com_err.3
+ util/et/compile_et.1
+ util/profile/profile.5
+ util/send-pr/send-pr.1
+]) +])
+ +
V5_AC_OUTPUT_MAKEFILE(. V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr util util/support util/profile util/send-pr
Index: krb5-1.8.3/src/kadmin/cli/kadmin.M Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
=================================================================== ===================================================================
--- krb5-1.8.3.orig/src/kadmin/cli/kadmin.M --- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.8.3/src/kadmin/cli/kadmin.M +++ krb5-1.9.1/src/kadmin/cli/kadmin.M
@@ -869,9 +869,9 @@ option is specified, less verbose status @@ -880,9 +880,9 @@ option is specified, less verbose status
.RS .RS
.TP .TP
EXAMPLE: EXAMPLE:
@ -122,7 +124,7 @@ Index: krb5-1.8.3/src/kadmin/cli/kadmin.M
kadmin: kadmin:
.RE .RE
.fi .fi
@@ -913,7 +913,7 @@ passwords. @@ -924,7 +924,7 @@ passwords.
.SH HISTORY .SH HISTORY
The The
.B kadmin .B kadmin
@ -131,32 +133,10 @@ Index: krb5-1.8.3/src/kadmin/cli/kadmin.M
OpenVision Kerberos administration program. OpenVision Kerberos administration program.
.SH SEE ALSO .SH SEE ALSO
.IR kerberos (1), .IR kerberos (1),
Index: krb5-1.8.3/src/slave/kprop.M Index: krb5-1.9.1/src/slave/kpropd.M
=================================================================== ===================================================================
--- krb5-1.8.3.orig/src/slave/kprop.M --- krb5-1.9.1.orig/src/slave/kpropd.M
+++ krb5-1.8.3/src/slave/kprop.M +++ krb5-1.9.1/src/slave/kpropd.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: krb5-1.8.3/src/slave/kpropd.M
===================================================================
--- krb5-1.8.3.orig/src/slave/kpropd.M
+++ krb5-1.8.3/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like This is done by adding a line to the inetd.conf file which looks like
this: this:
@ -199,3 +179,25 @@ Index: krb5-1.8.3/src/slave/kpropd.M
Each entry is a line containing the principal of a host from which the Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop. local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO .SH SEE ALSO
Index: krb5-1.9.1/src/slave/kprop.M
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.M
+++ krb5-1.9.1/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the

13
krb5-1.9-paren.patch Normal file
View File

@ -0,0 +1,13 @@
Upstream commit #24477.
diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c
--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400
+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn
btime = (unsigned int)(2<<(*cnt));
if (btime > MAX_BACKOFF) {
btime = MAX_BACKOFF;
- *cnt--;
+ (*cnt)--;
}
return (btime);

View File

@ -0,0 +1,919 @@
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need to be given a
label which differs from that of /etc/issue or /etc/resolv.conf. The
the kdb stash file needs a different label than the database for which
it's holding a master key, even though both typically live in the same
directory.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
the right label, as we attempt to do here. We lean on THREEPARAMOPEN
and define a similar macro named WRITABLEFOPEN with which we replace
several uses of fopen().
The file creation context that we're manipulating here is a process-wide
attribute. While for the most part, applications which need to label
files when they're created have tended to be single-threaded, there's
not much we can do to avoid interfering with an application that
manipulates the creation context directly. Right now we're mediating
access using a library-local mutex, but that can only work for consumers
that are part of this package -- an unsuspecting application will still
stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Index: krb5-1.9.1/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_NOTICE([building with SELinux labeling support])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.9.1/src/config/pre.in
===================================================================
--- krb5-1.9.1.orig/src/config/pre.in
+++ krb5-1.9.1/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
Index: krb5-1.9.1/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1127,6 +1127,8 @@ fi
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MANPAGE([
Index: krb5-1.9.1/src/include/k5-int.h
===================================================================
--- krb5-1.9.1.orig/src/include/k5-int.h
+++ krb5-1.9.1/src/include/k5-int.h
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
+#include "k5-label.h"
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
Index: krb5-1.9.1/src/include/k5-label.h
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+#ifdef WRITABLEFOPEN
+#undef WRITABLEFOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
+void *krb5int_push_fscreatecon_for(const char *pathname);
+void krb5int_pop_fscreatecon(void *previous);
+#else
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.9.1/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.9.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.9.1/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#if KRB5_PRIVATE
+#ifndef WRITABLEFOPEN
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#endif
+#endif
+
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.9.1/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.9.1/src/kadmin/dbutil/dump.c
@@ -1257,7 +1257,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
Index: krb5-1.9.1/src/krb5-config.in
===================================================================
--- krb5-1.9.1.orig/src/krb5-config.in
+++ krb5-1.9.1/src/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -214,7 +215,7 @@ if test -n "$do_libs"; then
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
fi
echo $lib_flags
Index: krb5-1.9.1/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.9.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.9.1/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c
@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c
@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context)
* should be opened read/write so that write locking can work with
* POSIX systems
*/
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
retval = errno;
goto err_out;
}
@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db
if (!okname)
retval = ENOMEM;
else {
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
if (fd < 0)
retval = errno;
else
@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch
retval = ENOMEM;
goto errout;
}
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
if (db_ctx->db_lf_file < 0) {
retval = errno;
goto errout;
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
+#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
+#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
new_table = 1;
}
if (file) {
- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo,
int rfd, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
-DB_LIB = -ldb
+DB_LIB = -ldb $(SUPPORT_DEPLIB)
+
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc,
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc,
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc,
}
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2019,7 +2019,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
strerror (errno));
@@ -2069,7 +2069,7 @@ done:
}
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
Index: krb5-1.9.1/src/slave/kpropd.c
===================================================================
--- krb5-1.9.1.orig/src/slave/kpropd.c
+++ krb5-1.9.1/src/slave/kpropd.c
@@ -338,7 +338,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
Index: krb5-1.9.1/src/util/profile/prof_file.c
===================================================================
--- krb5-1.9.1.orig/src/util/profile/prof_file.c
+++ krb5-1.9.1/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.9.1/src/util/support/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/util/support/Makefile.in
+++ krb5-1.9.1/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
Index: krb5-1.9.1/src/util/support/selinux.c
===================================================================
--- /dev/null
+++ krb5-1.9.1/src/util/support/selinux.c
@@ -0,0 +1,362 @@
+/*
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
+
+#include "../../include/autoconf.h"
+
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-thread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
+#endif
+
+/* #define DEBUG 1 */
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+
+/* Make sure we finish initializing that mutex before attempting to use it. */
+k5_once_t labeled_once = K5_ONCE_INIT;
+static void
+label_mutex_init(void)
+{
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+#ifdef HAVE_SELINUX_LABEL_H
+ struct selabel_handle *ctx;
+#endif
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+ genpath = NULL;
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ selabel_close(ctx);
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+ if (configuredsc == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ currentsc = NULL;
+ getcon(&currentsc);
+ if (currentsc != NULL) {
+ derived = context_new(configuredsc);
+ if (derived != NULL) {
+ current = context_new(currentsc);
+ if (current != NULL) {
+ currentuser = context_user_get(current);
+ if (currentuser != NULL) {
+ if (context_user_set(derived,
+ currentuser) == 0) {
+ derivedsc = context_str(derived);
+ if (derivedsc != NULL) {
+ freecon(configuredsc);
+ configuredsc = strdup(derivedsc);
+ }
+ }
+ }
+ context_free(current);
+ }
+ context_free(derived);
+ }
+ freecon(currentsc);
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+ if (setfscreatecon(configuredsc) != 0) {
+ freecon(configuredsc);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ }
+ }
+#endif
+ setfscreatecon(previous);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+}
+
+void *
+krb5int_push_fscreatecon_for(const char *pathname)
+{
+ struct stat st;
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ return push_fscreatecon(pathname, st.st_mode);
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
+ pop_fscreatecon(con);
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
+ FILE *fp;
+ int errno_save;
+ security_context_t ctx;
+
+ if (strcmp(mode, "r") == 0) {
+ return fopen(path, mode);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fp = fopen(path, mode);
+ }
+
+ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fd = creat(path, mode);
+ }
+ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mknod(path, mode, dev);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mkdir(path, mode);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+ mode_t mode;
+ va_list ap;
+
+ if ((flags & O_CREAT) == 0) {
+ return open(path, flags);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ va_end(ap);
+
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ errno_save = errno;
+ va_end(ap);
+ errno = errno_save;
+ }
+ return fd;
+}
+
+#endif
Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {

View File

@ -0,0 +1,30 @@
From RT#6922. When we're converting a host/service pair into a principal
name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try
to avoid libc having doing a PTR lookup because we also specify
AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c
===================================================================
--- src/lib/krb5/os/sn2princ.c.orig
+++ src/lib/krb5/os/sn2princ.c
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);

View File

@ -0,0 +1,122 @@
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
specify hints to getaddrinfo() to get the address of a server.
Index: src/plugins/locate/python/py-locate.c
===================================================================
--- src/plugins/locate/python/py-locate.c.orig
+++ src/plugins/locate/python/py-locate.c
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
return -1;
}
aihints.ai_socktype = thissocktype;
+ aihints.ai_flags = AI_ADDRCONFIG;
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
if (x != 0)
continue;
Index: src/appl/sample/sclient/sclient.c
===================================================================
--- src/appl/sample/sclient/sclient.c.orig
+++ src/appl/sample/sclient/sclient.c
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
+ aihints.ai_flags = AI_ADDRCONFIG;
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
if (aierr) {
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
Index: src/kadmin/dbutil/kadm5_create.c
===================================================================
--- src/kadmin/dbutil/kadm5_create.c.orig
+++ src/kadmin/dbutil/kadm5_create.c
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
goto clean_and_exit;
}
memset(&ai_hints, 0, sizeof(ai_hints));
- ai_hints.ai_flags = AI_CANONNAME;
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
if (gai_error) {
ret = EINVAL;
Index: src/lib/kadm5/alt_prof.c
===================================================================
--- src/lib/kadm5/alt_prof.c.orig
+++ src/lib/kadm5/alt_prof.c
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
}
memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
if (err != 0) {
ret = KADM5_CANT_RESOLVE;
Index: src/lib/kadm5/clnt/client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c.orig
+++ src/lib/kadm5/clnt/client_init.c
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
memset(&hint, 0, sizeof(hint));
hint.ai_socktype = SOCK_STREAM;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
if (err != 0)
Index: src/lib/krb5/os/hostaddr.c
===================================================================
--- src/lib/krb5/os/hostaddr.c.orig
+++ src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: src/lib/krb5/os/hst_realm.c
===================================================================
--- src/lib/krb5/os/hst_realm.c.orig
+++ src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_ADDRCONFIG;
error = getaddrinfo(host, port, &hints, &answers);
if (error != 0) {
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
Index: src/lib/krb5/os/locate_kdc.c
===================================================================
--- src/lib/krb5/os/locate_kdc.c.orig
+++ src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))

View File

@ -0,0 +1,624 @@
Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a
struct select_state has an alternate layout when USE_POLL is defined,
and if we detect <poll.h> at configure-time, have sendto_kdc.c define
USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases,
so that the previous behavior is preserved when <poll.h> is not found.
RT#6905
Index: src/include/cm.h
===================================================================
--- src/include/cm.h.orig
+++ src/include/cm.h
@@ -25,11 +25,20 @@
* or implied warranty.
*/
-/* Since fd_set is large on some platforms (8K on AIX 5.2), this
- probably shouldn't be allocated in automatic storage. */
+/*
+ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably
+ * shouldn't be allocated in automatic storage. Define USE_POLL and
+ * MAX_POLLFDS in the consumer of this header file to use poll state instead of
+ * select state.
+ */
struct select_state {
- int max, nfds;
+#ifdef USE_POLL
+ struct pollfd fds[MAX_POLLFDS];
+#else
+ int max;
fd_set rfds, wfds, xfds;
+#endif
+ int nfds;
struct timeval end_time; /* magic: tv_sec==0 => never time out */
};
Index: src/configure.in
===================================================================
--- src/configure.in.orig
+++ src/configure.in
@@ -74,7 +74,7 @@ LIBUTIL=-lutil
])
AC_SUBST(LIBUTIL)
# for kdc
-AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h)
+AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h)
AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf)
AC_CHECK_FUNCS(strlcpy)
EXTRA_SUPPORT_SYMS=
@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h,
AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))])
KRB5_SIGTYPE
-AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
+AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h)
AC_HEADER_STDARG
KRB5_AC_INET6
Index: src/lib/krb5/os/cm.c
===================================================================
--- /dev/null
+++ src/lib/krb5/os/cm.c
@@ -0,0 +1,97 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/os/cm.c - Connection manager functions */
+/*
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * This file include krb5int_cm_call_select, which is used by
+ * lib/apputils/net-server.c and sometimes by sendto_kdc.c.
+ */
+
+#include "k5-int.h"
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef _WIN32
+#include <sys/timeb.h>
+#endif
+#include "cm.h"
+
+int
+k5_getcurtime(struct timeval *tvp)
+{
+#ifdef _WIN32
+ struct _timeb tb;
+ _ftime(&tb);
+ tvp->tv_sec = tb.time;
+ tvp->tv_usec = tb.millitm * 1000;
+ /* Can _ftime fail? */
+ return 0;
+#else
+ if (gettimeofday(tvp, 0))
+ return errno;
+ return 0;
+#endif
+}
+
+/*
+ * Call select and return results.
+ * Input: interesting file descriptors and absolute timeout
+ * Output: select return value (-1 or num fds ready) and fd_sets
+ * Return: 0 (for i/o available or timeout) or error code.
+ */
+krb5_error_code
+krb5int_cm_call_select (const struct select_state *in,
+ struct select_state *out, int *sret)
+{
+ struct timeval now, *timo;
+ krb5_error_code e;
+
+ *out = *in;
+ e = k5_getcurtime(&now);
+ if (e)
+ return e;
+ if (out->end_time.tv_sec == 0)
+ timo = 0;
+ else {
+ timo = &out->end_time;
+ out->end_time.tv_sec -= now.tv_sec;
+ out->end_time.tv_usec -= now.tv_usec;
+ if (out->end_time.tv_usec < 0) {
+ out->end_time.tv_usec += 1000000;
+ out->end_time.tv_sec--;
+ }
+ if (out->end_time.tv_sec < 0) {
+ *sret = 0;
+ return 0;
+ }
+ }
+
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
+ e = SOCKET_ERRNO;
+
+ if (*sret < 0)
+ return e;
+ return 0;
+}
Index: src/lib/krb5/os/Makefile.in
===================================================================
--- src/lib/krb5/os/Makefile.in.orig
+++ src/lib/krb5/os/Makefile.in
@@ -18,6 +18,7 @@ STLIBOBJS= \
def_realm.o \
ccdefname.o \
changepw.o \
+ cm.o \
dnsglue.o \
dnssrv.o \
free_krbhs.o \
@@ -62,6 +63,7 @@ OBJS= \
$(OUTPRE)def_realm.$(OBJEXT) \
$(OUTPRE)ccdefname.$(OBJEXT) \
$(OUTPRE)changepw.$(OBJEXT) \
+ $(OUTPRE)cm.$(OBJEXT) \
$(OUTPRE)dnsglue.$(OBJEXT) \
$(OUTPRE)dnssrv.$(OBJEXT) \
$(OUTPRE)free_krbhs.$(OBJEXT) \
@@ -106,6 +108,7 @@ SRCS= \
$(srcdir)/def_realm.c \
$(srcdir)/ccdefname.c \
$(srcdir)/changepw.c \
+ $(srcdir)/cm.c \
$(srcdir)/dnsglue.c \
$(srcdir)/dnssrv.c \
$(srcdir)/free_krbhs.c \
Index: src/lib/krb5/os/os-proto.h
===================================================================
--- src/lib/krb5/os/os-proto.h.orig
+++ src/lib/krb5/os/os-proto.h
@@ -31,6 +31,10 @@
#ifndef KRB5_LIBOS_INT_PROTO__
#define KRB5_LIBOS_INT_PROTO__
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
struct addrlist;
krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *,
struct addrlist *, int, int, int);
@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos
/* The io vector is *not* const here, unlike writev()! */
int krb5int_net_writev (krb5_context, int, sg_buf *, int);
+int k5_getcurtime(struct timeval *tvp);
+
#include "k5-thread.h"
extern k5_mutex_t krb5int_us_time_mutex;
Index: src/lib/krb5/os/sendto_kdc.c
===================================================================
--- src/lib/krb5/os/sendto_kdc.c.orig
+++ src/lib/krb5/os/sendto_kdc.c
@@ -32,17 +32,16 @@
#include "fake-addrinfo.h"
#include "k5-int.h"
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#else
-#include <time.h>
-#endif
#include "os-proto.h"
#ifdef _WIN32
#include <sys/timeb.h>
#endif
-#ifdef _AIX
+#if defined(HAVE_POLL_H)
+#include <poll.h>
+#define USE_POLL
+#define MAX_POLLFDS 1024
+#elif defined(HAVE_SYS_SELECT_H)
#include <sys/select.h>
#endif
@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, .
p = strerror(err);
putstr(p);
break;
- case 'F':
- /* %F => fd_set *, fd_set *, fd_set *, int */
- rfds = va_arg(args, fd_set *);
- wfds = va_arg(args, fd_set *);
- xfds = va_arg(args, fd_set *);
- maxfd = va_arg(args, int);
-
- for (i = 0; i < maxfd; i++) {
- int r = FD_ISSET(i, rfds);
- int w = wfds && FD_ISSET(i, wfds);
- int x = xfds && FD_ISSET(i, xfds);
- if (r || w || x) {
- putf(" %d", i);
- if (r)
- putstr("r");
- if (w)
- putstr("w");
- if (x)
- putstr("x");
- }
- }
- putstr(" ");
- break;
case 's':
/* %s => char * */
p = va_arg(args, const char *);
@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c
#include "cm.h"
-static int
-getcurtime (struct timeval *tvp)
+/*
+ * Currently only sendto_kdc.c knows how to use poll(); the other candidate
+ * user, lib/apputils/net-server.c, is stuck using select() for the moment
+ * since it is entangled with the RPC library. The following cm_* functions
+ * are not fully generic, are O(n^2) in the poll case, and are limited to
+ * handling 1024 connections (in order to maintain a constant-sized selstate).
+ * More rearchitecting would be appropriate before extending this support to
+ * the KDC and kadmind.
+ */
+
+static void
+cm_init_selstate(struct select_state *selstate)
{
-#ifdef _WIN32
- struct _timeb tb;
- _ftime(&tb);
- tvp->tv_sec = tb.time;
- tvp->tv_usec = tb.millitm * 1000;
- /* Can _ftime fail? */
- return 0;
+ selstate->nfds = 0;
+ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0;
+#ifndef USE_POLL
+ selstate->max = 0;
+ selstate->nfds = 0;
+ FD_ZERO(&selstate->rfds);
+ FD_ZERO(&selstate->wfds);
+ FD_ZERO(&selstate->xfds);
+#endif
+}
+
+static krb5_boolean
+cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags)
+{
+#ifdef USE_POLL
+ if (selstate->nfds >= MAX_POLLFDS)
+ return FALSE;
+ selstate->fds[selstate->nfds].fd = fd;
+ selstate->fds[selstate->nfds].events = 0;
+ if (ssflags & SSF_READ)
+ selstate->fds[selstate->nfds].events |= POLLIN;
+ if (ssflags & SSF_WRITE)
+ selstate->fds[selstate->nfds].events |= POLLOUT;
+#else
+#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
+ if (fd >= FD_SETSIZE)
+ return FALSE;
+#endif
+ if (ssflags & SSF_READ)
+ FD_SET(fd, &selstate->rfds);
+ if (ssflags & SSF_WRITE)
+ FD_SET(fd, &selstate->wfds);
+ if (ssflags & SSF_EXCEPTION)
+ FD_SET(fd, &selstate->xfds);
+ if (selstate->max <= fd)
+ selstate->max = fd + 1;
+#endif
+ selstate->nfds++;
+ return TRUE;
+}
+
+static void
+cm_remove_fd(struct select_state *selstate, int fd)
+{
+#ifdef USE_POLL
+ int i;
+
+ /* Find the FD in the array and move the last entry to its place. */
+ assert(selstate->nfds > 0);
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ selstate->fds[i] = selstate->fds[selstate->nfds - 1];
#else
- if (gettimeofday(tvp, 0)) {
- dperror("gettimeofday");
- return errno;
+ FD_CLR(fd, &selstate->rfds);
+ FD_CLR(fd, &selstate->wfds);
+ FD_CLR(fd, &selstate->xfds);
+ if (selstate->max == 1 + fd) {
+ while (selstate->max > 0
+ && ! FD_ISSET(selstate->max-1, &selstate->rfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->wfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->xfds))
+ selstate->max--;
+ dprint("new max_fd + 1 is %d\n", selstate->max);
}
- return 0;
#endif
+ selstate->nfds--;
}
-/*
- * Call select and return results.
- * Input: interesting file descriptors and absolute timeout
- * Output: select return value (-1 or num fds ready) and fd_sets
- * Return: 0 (for i/o available or timeout) or error code.
- */
-krb5_error_code
-krb5int_cm_call_select (const struct select_state *in,
- struct select_state *out, int *sret)
+static void
+cm_unset_write(struct select_state *selstate, int fd)
{
- struct timeval now, *timo;
- krb5_error_code e;
+#ifdef USE_POLL
+ int i;
- *out = *in;
- e = getcurtime(&now);
- if (e)
- return e;
- if (out->end_time.tv_sec == 0)
- timo = 0;
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ selstate->fds[i].events &= ~POLLOUT;
+#else
+ FD_CLR(fd, &selstate->wfds);
+#endif
+}
+
+static krb5_error_code
+cm_select_or_poll(const struct select_state *in, struct select_state *out,
+ int *sret)
+{
+#ifdef USE_POLL
+ struct timeval now;
+ int e, timeout;
+
+ if (in->end_time.tv_sec == 0)
+ timeout = -1;
else {
- timo = &out->end_time;
- out->end_time.tv_sec -= now.tv_sec;
- out->end_time.tv_usec -= now.tv_usec;
- if (out->end_time.tv_usec < 0) {
- out->end_time.tv_usec += 1000000;
- out->end_time.tv_sec--;
- }
- if (out->end_time.tv_sec < 0) {
- *sret = 0;
- return 0;
- }
+ e = k5_getcurtime(&now);
+ if (e)
+ return e;
+ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 +
+ (in->end_time.tv_usec - now.tv_usec) / 1000;
}
- dprint("selecting on max=%d sockets [%F] timeout %t\n",
- out->max,
- &out->rfds, &out->wfds, &out->xfds, out->max,
- timo);
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
+ /* We don't need a separate copy of the selstate for poll, but use one
+ * anyone for consistency with the select wrapper. */
+ *out = *in;
+ *sret = poll(out->fds, out->nfds, timeout);
e = SOCKET_ERRNO;
+ return (*sret < 0) ? e : 0;
+#else
+ /* Use the select wrapper from cm.c. */
+ return krb5int_cm_call_select(in, out, sret);
+#endif
+}
- dprint("select returns %d", *sret);
- if (*sret < 0)
- dprint(", error = %E\n", e);
- else if (*sret == 0)
- dprint(" (timeout)\n");
- else
- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
+static unsigned int
+cm_get_ssflags(struct select_state *selstate, int fd)
+{
+ unsigned int ssflags = 0;
+#ifdef USE_POLL
+ int i;
- if (*sret < 0)
- return e;
- return 0;
+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++);
+ assert(i < selstate->nfds);
+ if (selstate->fds[i].revents & POLLIN)
+ ssflags |= SSF_READ;
+ if (selstate->fds[i].revents & POLLOUT)
+ ssflags |= SSF_WRITE;
+ if (selstate->fds[i].revents & POLLERR)
+ ssflags |= SSF_EXCEPTION;
+#else
+ if (FD_ISSET(fd, &selstate->rfds))
+ ssflags |= SSF_READ;
+ if (FD_ISSET(fd, &selstate->wfds))
+ ssflags |= SSF_WRITE;
+ if (FD_ISSET(fd, &selstate->xfds))
+ ssflags |= SSF_EXCEPTION;
+#endif
+ return ssflags;
}
static int service_tcp_fd(krb5_context context, struct conn_state *conn,
@@ -657,6 +712,7 @@ start_connection(krb5_context context, s
krb5_data *callback_buffer)
{
int fd, e;
+ unsigned int ssflags;
struct addrinfo *ai = state->addr;
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
@@ -667,14 +723,6 @@ start_connection(krb5_context context, s
dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
return -1; /* try other hosts */
}
-#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
- if (fd >= FD_SETSIZE) {
- closesocket(fd);
- state->err = EMFILE;
- dprint("socket: fd %d too high\n", fd);
- return -1;
- }
-#endif
set_cloexec_fd(fd);
/* Make it non-blocking. */
if (ai->ai_socktype == SOCK_STREAM) {
@@ -778,16 +826,15 @@ start_connection(krb5_context context, s
}
}
#endif
- FD_SET(state->fd, &selstate->rfds);
+ ssflags = SSF_READ | SSF_EXCEPTION;
if (state->state == CONNECTING || state->state == WRITING)
- FD_SET(state->fd, &selstate->wfds);
- FD_SET(state->fd, &selstate->xfds);
- if (selstate->max <= state->fd)
- selstate->max = state->fd + 1;
- selstate->nfds++;
-
- dprint("new select vectors: %F\n",
- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
+ ssflags |= SSF_WRITE;
+ if (!cm_add_fd(selstate, state->fd, ssflags)) {
+ (void) closesocket(state->fd);
+ state->fd = INVALID_SOCKET;
+ state->state = FAILED;
+ return -1;
+ }
return 0;
}
@@ -849,22 +896,11 @@ static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
conn->state = FAILED;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- FD_CLR(conn->fd, &selstate->rfds);
- FD_CLR(conn->fd, &selstate->wfds);
- FD_CLR(conn->fd, &selstate->xfds);
conn->err = err;
+ shutdown(conn->fd, SHUTDOWN_BOTH);
+ cm_remove_fd(selstate, conn->fd);
dprint("abandoning connection %d: %m\n", conn->fd, err);
/* Fix up max fd for next select call. */
- if (selstate->max == 1 + conn->fd) {
- while (selstate->max > 0
- && ! FD_ISSET(selstate->max-1, &selstate->rfds)
- && ! FD_ISSET(selstate->max-1, &selstate->wfds)
- && ! FD_ISSET(selstate->max-1, &selstate->xfds))
- selstate->max--;
- dprint("new max_fd + 1 is %d\n", selstate->max);
- }
- selstate->nfds--;
}
/* Check socket for error. */
@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str
/* Done writing, switch to reading. */
/* Don't call shutdown at this point because
* some implementations cannot deal with half-closed connections.*/
- FD_CLR(conn->fd, &selstate->wfds);
+ cm_unset_write(selstate, conn->fd);
/* Q: How do we detect failures to send the remaining data
to the remote side, since we're in non-blocking mode?
Will we always get errors on the reading side? */
@@ -1100,7 +1136,8 @@ service_fds (krb5_context context,
while (selstate->nfds > 0) {
unsigned int i;
- e = krb5int_cm_call_select(selstate, seltemp, &selret);
+ selret = 0;
+ e = cm_select_or_poll(selstate, seltemp, &selret);
if (e == EINTR)
continue;
if (e != 0)
@@ -1113,18 +1150,12 @@ service_fds (krb5_context context,
return 0;
/* Got something on a socket, process it. */
- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
+ for (i = 0; i < n_conns; i++) {
int ssflags;
if (conns[i].fd == INVALID_SOCKET)
continue;
- ssflags = 0;
- if (FD_ISSET(conns[i].fd, &seltemp->rfds))
- ssflags |= SSF_READ, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->wfds))
- ssflags |= SSF_WRITE, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->xfds))
- ssflags |= SSF_EXCEPTION, selret--;
+ ssflags = cm_get_ssflags(seltemp, conns[i].fd);
if (!ssflags)
continue;
@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co
retval = ENOMEM;
goto egress;
}
- sel_state->max = 0;
- sel_state->nfds = 0;
- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0;
- FD_ZERO(&sel_state->rfds);
- FD_ZERO(&sel_state->wfds);
- FD_ZERO(&sel_state->xfds);
+ cm_init_selstate(sel_state);
/* Set up connections. */
@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co
(callback_info ? &callback_data[host] : NULL)))
continue;
- retval = getcurtime(&now);
+ retval = k5_getcurtime(&now);
if (retval)
goto egress;
sel_state->end_time = now;
@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co
}
if (e)
break;
- retval = getcurtime(&now);
+ retval = k5_getcurtime(&now);
if (retval)
goto egress;
/* Possible optimization: Find a way to integrate this select

3
krb5-1.9.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc
size 10126613

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
- update to version 1.9.1
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de

View File

@ -20,15 +20,15 @@
Name: krb5-doc Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive BuildRequires: ghostscript-library latex2html texlive
Version: 1.8.3 Version: 1.9.1
Release: 6 Release: 6
%define srcRoot krb5-1.8.3 %define srcRoot krb5-1.9.1
Summary: MIT Kerberos5 Implementation--Documentation Summary: MIT Kerberos5 Implementation--Documentation
License: MIT License (or similar) License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/ Url: http://web.mit.edu/kerberos/www/
Group: Documentation/Other Group: Documentation/Other
Source: krb5-1.8.3.tar.bz2 Source: krb5-%{version}.tar.bz2
Source3: %{name}-%{version}-rpmlintrc Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build

29
krb5-klist_s.patch Normal file
View File

@ -0,0 +1,29 @@
Don't trip over referral entries. RT#6915
Index: krb5-1.9.1/src/clients/klist/klist.c
===================================================================
--- krb5-1.9.1.orig/src/clients/klist/klist.c
+++ krb5-1.9.1/src/clients/klist/klist.c
@@ -28,7 +28,7 @@
* List out the contents of your credential cache or keytab.
*/
-#include "autoconf.h"
+#include "k5-int.h"
#include <krb5.h>
#include <com_err.h>
#include <stdlib.h>
@@ -390,10 +390,9 @@ void do_ccache(name)
continue;
if (status_only) {
if (exit_status && creds.server->length == 2 &&
- strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
- strcmp((char *)creds.server->data[1].data,
- princ->realm.data) == 0 &&
+ data_eq(creds.server->realm, princ->realm) &&
+ data_eq_string(creds.server->data[0], "krbtgt") &&
+ data_eq(creds.server->data[1], princ->realm) &&
creds.times.endtime > now)
exit_status = 0;
} else {

View File

@ -1,4 +1,23 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)
-------------------------------------------------------------------
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
- update to version 1.9.1
* obsolete patches:
MITKRB5-SA-2010-007-1.8.dif
krb5-1.8-MITKRB5-SA-2010-006.dif
krb5-1.8-MITKRB5-SA-2011-001.dif
krb5-1.8-MITKRB5-SA-2011-002.dif
krb5-1.8-MITKRB5-SA-2011-003.dif
krb5-1.8-MITKRB5-SA-2011-004.dif
krb5-1.4.3-enospc.dif
* replace krb5-1.6.1-compile_pie.dif
-------------------------------------------------------------------
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
- fix kadmind invalid pointer free() - fix kadmind invalid pointer free()

View File

@ -1,5 +1,5 @@
# #
# spec file for package krb5-mini # spec file for package krb5
# #
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
@ -18,7 +18,7 @@
# norootforbuild # norootforbuild
%define build_mini 1 %define build_mini 1
%define srcRoot krb5-1.8.3 %define srcRoot krb5-1.9.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5 %define krb5docdir %{_defaultdocdir}/krb5
@ -27,10 +27,12 @@ License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/ Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel BuildRequires: keyutils keyutils-devel
Version: 1.8.3 BuildRequires: libselinux-devel
Release: 6 Version: 1.9.1
Release: 19
%if ! 0%{?build_mini} %if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel BuildRequires: libopenssl-devel openldap2-devel
BuildRequires: pam-devel
# bug437293 # bug437293
%ifarch ppc64 %ifarch ppc64
Obsoletes: krb5-64bit Obsoletes: krb5-64bit
@ -42,25 +44,33 @@ Group: Productivity/Networking/Security
Summary: MIT Kerberos5 Implementation--Libraries Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
%endif %endif
Source: krb5-1.8.3.tar.bz2 Source: krb5-1.9.1.tar.bz2
Source1: vendor-files.tar.bz2 Source1: vendor-files.tar.bz2
Source2: baselibs.conf Source2: baselibs.conf
Source5: krb5-%{version}-rpmlintrc Source5: krb5-rpmlintrc
Source10: krb5-1.7-manpaths.txt Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.6.1-compile_pie.dif Patch1: krb5-1.9-buildconf.patch
Patch2: krb5-1.6.3-kprop-use-mkstemp.dif Patch3: krb5-1.9-manpaths.dif
Patch3: krb5-1.7-manpaths.dif
Patch4: krb5-1.4.3-enospc.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-kpasswd_tcp.patch Patch6: krb5-1.6.3-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.6.3-fix-ipv6-query.dif Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif Patch11: krb5-1.7-nodeplibs.patch
Patch13: MITKRB5-SA-2010-007-1.8.dif Patch12: krb5-1.8-api.patch
Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif Patch13: krb5-1.8-pam.patch
Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif Patch14: krb5-1.9.1-ai_addrconfig.patch
Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif Patch15: krb5-1.9.1-ai_addrconfig2.patch
Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif Patch16: krb5-1.9.1-sendto_poll.patch
Patch17: krb5-1.9-canonicalize-fallback.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.9-paren.patch
Patch21: krb5-1.9-selinux-label.patch
Patch22: krb5-klist_s.patch
Patch23: krb5-pkinit-cms2.patch
Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -200,20 +210,28 @@ Authors:
%prep %prep
%setup -q -n %{srcRoot} %setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot}
%patch1 %patch13 -p1
%patch2
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch21 -p1
%patch1 -p1
%patch5 -p1 %patch5 -p1
%patch6 %patch6
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch10 -p1
%patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1 %patch14
%patch14 -p1 %patch15
%patch15 -p0 %patch16
%patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24
%patch25 -p1
%patch26
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do
@ -242,6 +260,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--disable-rpath \ --disable-rpath \
%if ! %{build_mini} %if ! %{build_mini}
--with-ldap \ --with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else %else
--disable-pkinit \ --disable-pkinit \
%endif %endif

290
krb5-pkinit-cms2.patch Normal file
View File

@ -0,0 +1,290 @@
When verifying signed-data, use the OpenSSL CMS APIs if we're building with a
version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for
RT#6851.
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index bb8f036..6aedec4 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -41,6 +41,34 @@
#include "pkinit_crypto_openssl.h"
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#include <openssl/cms.h>
+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
+#else
+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */
+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */
+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
+#define CMS_NOATTR PKCS7_NOATTR
+#define CMS_ContentInfo PKCS7
+#define CMS_SignerInfo PKCS7_SIGNER_INFO
+#define d2i_CMS_ContentInfo d2i_PKCS7
+#define CMS_get0_type(_p7) ((_p7)->type)
+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))
+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
+#define CMS_get0_SignerInfos PKCS7_get_signer_info
+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
+#undef sk_CMS_SignerInfo_value
+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
+#define CMS_verify PKCS7_verify
+#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
+#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+#endif
+
static struct pkcs11_errstrings {
short code;
char *text;
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context,
int *is_signed)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
- PKCS7 *p7 = NULL;
+ CMS_ContentInfo *cms = NULL;
BIO *out = NULL;
- int flags = PKCS7_NOVERIFY;
+ int flags = CMS_NO_SIGNER_CERT_VERIFY;
unsigned int i = 0;
unsigned int vflags = 0, size = 0;
const unsigned char *p = signed_data;
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
- PKCS7_SIGNER_INFO *si = NULL;
+ STACK_OF(CMS_SignerInfo) *si_sk = NULL;
+ CMS_SignerInfo *si = NULL;
X509 *x = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX cert_ctx;
+ STACK_OF(X509) *signerCerts = NULL;
STACK_OF(X509) *intermediateCAs = NULL;
+ STACK_OF(X509_CRL) *signerRevoked = NULL;
STACK_OF(X509_CRL) *revoked = NULL;
STACK_OF(X509) *verified_chain = NULL;
ASN1_OBJECT *oid = NULL;
+ const ASN1_OBJECT *type = NULL, *etype = NULL;
+ ASN1_OCTET_STRING **octets;
krb5_external_principal_identifier **krb5_verified_chain = NULL;
krb5_data *authz = NULL;
char buf[DN_BUF_LEN];
@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context,
if (oid == NULL)
goto cleanup;
- /* decode received PKCS7 message */
- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) {
+ /* decode received CMS message */
+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
unsigned long err = ERR_peek_error();
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context,
}
/* Handle the case in pkinit anonymous where we get unsigned data. */
- if (is_signed && !OBJ_cmp(p7->type, oid)) {
+ type = CMS_get0_type(cms);
+ if (is_signed && !OBJ_cmp(type, oid)) {
unsigned char *d;
*is_signed = 0;
- if (p7->d.other->type != V_ASN1_OCTET_STRING) {
+ octets = CMS_get0_content(cms);
+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"Invalid pkinit packet: octet string "
"expected");
goto cleanup;
}
- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
+ *data_len = ASN1_STRING_length(*octets);
d = malloc(*data_len);
if (d == NULL) {
retval = ENOMEM;
goto cleanup;
}
- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string),
+ memcpy(d, ASN1_STRING_data(*octets),
*data_len);
*data = d;
goto out;
} else {
- /* Verify that the received message is PKCS7 SignedData message. */
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
- OBJ_obj2nid(p7->type));
+ /* Verify that the received message is CMS SignedData message. */
+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) {
+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n",
+ OBJ_obj2nid(type));
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
}
}
- /* setup to verify X509 certificate used to sign PKCS7 message */
+ /* setup to verify X509 certificate used to sign CMS message */
if (!(store = X509_STORE_new()))
goto cleanup;
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the PKCS7 message */
- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL)
+ /* get the signer's information from the CMS message */
+ CMS_set1_signers_certs(cms, NULL, 0);
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
goto cleanup;
- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL)
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
goto cleanup;
- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL)
+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
+ if (x == NULL)
goto cleanup;
/* create available CRL information (get local CRLs and include CRLs
- * received in the PKCS7 message
+ * received in the CMS message
*/
+ signerRevoked = CMS_get1_crls(cms);
if (idctx->revoked == NULL)
- revoked = p7->d.sign->crl;
- else if (p7->d.sign->crl == NULL)
+ revoked = signerRevoked;
+ else if (signerRevoked == NULL)
revoked = idctx->revoked;
else {
size = sk_X509_CRL_num(idctx->revoked);
revoked = sk_X509_CRL_new_null();
for (i = 0; i < size; i++)
sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i));
- size = sk_X509_CRL_num(p7->d.sign->crl);
+ size = sk_X509_CRL_num(signerRevoked);
for (i = 0; i < size; i++)
- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i));
+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i));
}
/* create available intermediate CAs chains (get local intermediateCAs and
- * include the CA chain received in the PKCS7 message
+ * include the CA chain received in the CMS message
*/
+ signerCerts = CMS_get1_certs(cms);
if (idctx->intermediateCAs == NULL)
- intermediateCAs = p7->d.sign->cert;
- else if (p7->d.sign->cert == NULL)
+ intermediateCAs = signerCerts;
+ else if (signerCerts == NULL)
intermediateCAs = idctx->intermediateCAs;
else {
size = sk_X509_num(idctx->intermediateCAs);
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
sk_X509_push(intermediateCAs,
sk_X509_value(idctx->intermediateCAs, i));
}
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
for (i = 0; i < size; i++) {
- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
}
}
@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
krb5_set_error_message(context, retval, "%s\n",
X509_verify_cert_error_string(j));
#ifdef DEBUG_CERTCHAIN
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
pkiDebug("received cert chain of size %d\n", size);
for (j = 0; j < size; j++) {
- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
+ X509 *tmp_cert = sk_X509_value(signerCerts, j);
X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
pkiDebug("cert #%d: %s\n", j, buf);
}
@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
out = BIO_new(BIO_s_mem());
if (cms_msg_type == CMS_SIGN_DRAFT9)
- flags |= PKCS7_NOATTR;
- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
+ flags |= CMS_NOATTR;
+ etype = CMS_get0_eContentType(cms);
+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
int valid_oid = 0;
- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
+ if (!OBJ_cmp(etype, oid))
valid_oid = 1;
else if (cms_msg_type == CMS_SIGN_DRAFT9) {
/*
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context,
client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
+ if (!OBJ_cmp(etype, client_oid) ||
+ !OBJ_cmp(etype, server_oid) ||
+ !OBJ_cmp(etype, rsa_oid))
valid_oid = 1;
}
if (valid_oid)
- pkiDebug("PKCS7 Verification successful\n");
+ pkiDebug("CMS Verification successful\n");
else {
pkiDebug("wrong oid in eContentType\n");
- print_buffer(p7->d.sign->contents->type->data,
- (unsigned int)p7->d.sign->contents->type->length);
+ print_buffer(etype->data,
+ (unsigned int)etype->length);
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
default:
retval = KRB5KDC_ERR_INVALID_SIG;
}
- pkiDebug("PKCS7 Verification failure\n");
+ pkiDebug("CMS Verification failure\n");
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
goto cleanup;
}
- /* transfer the data from PKCS7 message into return buffer */
+ /* transfer the data from CMS message into return buffer */
for (size = 0;;) {
int remain;
retval = ENOMEM;
@@ -1452,12 +1491,16 @@ cleanup:
BIO_free(out);
if (store != NULL)
X509_STORE_free(store);
- if (p7 != NULL) {
- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
+ if (cms != NULL) {
+ if (signerCerts != NULL)
+ pkinit_CMS_free1_certs(signerCerts);
+ if (idctx->intermediateCAs != NULL && signerCerts)
sk_X509_free(intermediateCAs);
- if (idctx->revoked != NULL && p7->d.sign->crl)
+ if (signerRevoked != NULL)
+ pkinit_CMS_free1_crls(signerRevoked);
+ if (idctx->revoked != NULL && signerRevoked)
sk_X509_CRL_free(revoked);
- PKCS7_free(p7);
+ CMS_ContentInfo_free(cms);
}
if (verified_chain != NULL)
sk_X509_pop_free(verified_chain, X509_free);

24
krb5-trunk-chpw-err.patch Normal file
View File

@ -0,0 +1,24 @@
Don't suppress the error code from an error message when the error message
contains e-data. RT#6893
Index: src/lib/krb5/krb/chpw.c
===================================================================
--- src/lib/krb5/krb/chpw.c (revision 24838)
+++ src/lib/krb5/krb/chpw.c (working copy)
@@ -111,15 +111,11 @@
if ((ret = krb5_rd_error(context, packet, &krberror)))
return(ret);
- if (krberror->e_data.data == NULL)
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- else
- ret = KRB5KRB_AP_ERR_MODIFIED;
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
krb5_free_error(context, krberror);
return(ret);
- } else {
- return(KRB5KRB_AP_ERR_MODIFIED);
}
+ return(KRB5KRB_AP_ERR_MODIFIED);
}

View File

@ -0,0 +1,27 @@
Author: ghudson
Date: Mon May 9 17:28:07 2011 +0000
ticket: 6908
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
target_version: 1.9.2
tags: pullup
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
svn://anonsvn.mit.edu:/krb5/trunk@24917
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
/* Clean up the context state (it is an error for
* someone to attempt to use this context again)
*/
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
*context_handle = GSS_C_NO_CONTEXT;
generic_gss_release_buffer_set(&minor, &data_set);

View File

@ -0,0 +1,39 @@
------------------------------------------------------------------------
r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
ticket: 6920
subject: Fix old-style GSSRPC authentication
target_version: 1.9.2
tags: pullup
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings. Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.
------------------------------------------------------------------------
Index: src/lib/rpc/clnt_tcp.c
===================================================================
--- src/lib/rpc/clnt_tcp.c (revision 24966)
+++ src/lib/rpc/clnt_tcp.c (revision 24967)
@@ -187,9 +187,16 @@
ct->ct_sock = *sockp;
ct->ct_wait.tv_usec = 0;
ct->ct_waitset = FALSE;
- if (raddr == NULL)
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
- else
+ if (raddr == NULL) {
+ /* Get the remote address from the socket, if it's IPv4. */
+ struct sockaddr_in sin;
+ socklen_t len = sizeof(sin);
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
+ ct->ct_addr = sin;
+ else
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+ } else
ct->ct_addr = *raddr;
/*

View File

@ -1,4 +1,23 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)
-------------------------------------------------------------------
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
- update to version 1.9.1
* obsolete patches:
MITKRB5-SA-2010-007-1.8.dif
krb5-1.8-MITKRB5-SA-2010-006.dif
krb5-1.8-MITKRB5-SA-2011-001.dif
krb5-1.8-MITKRB5-SA-2011-002.dif
krb5-1.8-MITKRB5-SA-2011-003.dif
krb5-1.8-MITKRB5-SA-2011-004.dif
krb5-1.4.3-enospc.dif
* replace krb5-1.6.1-compile_pie.dif
-------------------------------------------------------------------
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
- fix kadmind invalid pointer free() - fix kadmind invalid pointer free()

View File

@ -18,7 +18,7 @@
# norootforbuild # norootforbuild
%define build_mini 0 %define build_mini 0
%define srcRoot krb5-1.8.3 %define srcRoot krb5-1.9.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5 %define krb5docdir %{_defaultdocdir}/krb5
@ -27,10 +27,12 @@ License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/ Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel BuildRequires: keyutils keyutils-devel
Version: 1.8.3 BuildRequires: libselinux-devel
Version: 1.9.1
Release: 19 Release: 19
%if ! 0%{?build_mini} %if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel BuildRequires: libopenssl-devel openldap2-devel
BuildRequires: pam-devel
# bug437293 # bug437293
%ifarch ppc64 %ifarch ppc64
Obsoletes: krb5-64bit Obsoletes: krb5-64bit
@ -42,25 +44,33 @@ Group: Productivity/Networking/Security
Summary: MIT Kerberos5 Implementation--Libraries Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
%endif %endif
Source: krb5-1.8.3.tar.bz2 Source: krb5-1.9.1.tar.bz2
Source1: vendor-files.tar.bz2 Source1: vendor-files.tar.bz2
Source2: baselibs.conf Source2: baselibs.conf
Source5: krb5-%{version}-rpmlintrc Source5: krb5-rpmlintrc
Source10: krb5-1.7-manpaths.txt Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.6.1-compile_pie.dif Patch1: krb5-1.9-buildconf.patch
Patch2: krb5-1.6.3-kprop-use-mkstemp.dif Patch3: krb5-1.9-manpaths.dif
Patch3: krb5-1.7-manpaths.dif
Patch4: krb5-1.4.3-enospc.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-kpasswd_tcp.patch Patch6: krb5-1.6.3-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.6.3-fix-ipv6-query.dif Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif Patch11: krb5-1.7-nodeplibs.patch
Patch13: MITKRB5-SA-2010-007-1.8.dif Patch12: krb5-1.8-api.patch
Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif Patch13: krb5-1.8-pam.patch
Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif Patch14: krb5-1.9.1-ai_addrconfig.patch
Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif Patch15: krb5-1.9.1-ai_addrconfig2.patch
Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif Patch16: krb5-1.9.1-sendto_poll.patch
Patch17: krb5-1.9-canonicalize-fallback.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.9-paren.patch
Patch21: krb5-1.9-selinux-label.patch
Patch22: krb5-klist_s.patch
Patch23: krb5-pkinit-cms2.patch
Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -200,20 +210,28 @@ Authors:
%prep %prep
%setup -q -n %{srcRoot} %setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot}
%patch1 %patch13 -p1
%patch2
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch21 -p1
%patch1 -p1
%patch5 -p1 %patch5 -p1
%patch6 %patch6
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch10 -p1
%patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1 %patch14
%patch14 -p1 %patch15
%patch15 -p0 %patch16
%patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24
%patch25 -p1
%patch26
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do
@ -242,6 +260,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--disable-rpath \ --disable-rpath \
%if ! %{build_mini} %if ! %{build_mini}
--with-ldap \ --with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else %else
--disable-pkinit \ --disable-pkinit \
%endif %endif

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:7d61e2ba73a57830342b6bb32c7c0ee3c0bd84cf2ae865c86d7f28dd0edc62c5 oid sha256:f3ddbe33faa51dc418985ce06509394c23144a7eb3ddaae495f70a28203ad31a
size 182064 size 182094