- rebuild properly when pthread_mutexattr_setrobust_np() is defined but notkrb5-1_4_3-3

declared, such as with recent glibc when _GNU_SOURCE isn't being used
author: Nalin Dahyabhai <nalin@fedoraproject.org> 2006-01-20 00:28:41 +0000
committer: Nalin Dahyabhai <nalin@fedoraproject.org> 2006-01-20 00:28:41 +0000
commit: 5bf2d7bd12579781f6e471f26d00c492a1552e55 (patch)
tree: cc3bba45fbc6e02b00af0a5bef45f35f262334fb
parent: a6fb2997f19dcf84250a41dc4bcfe7c08523e289 (diff)
download: krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.tar.gz
krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.tar.xz
krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.zip
2 files changed, 378 insertions, 2 deletions
diff --git a/krb5-1.4.3-kdc_max_dgram_size.patch b/krb5-1.4.3-kdc_max_dgram_size.patch
new file mode 100644
index 0000000..fdcb76a
--- /dev/null
+++ b/krb5-1.4.3-kdc_max_dgram_size.patch
@@ -0,0 +1,367 @@
+Implement a "max_dgram_size" parameter for realms, which will control when/if
+the server will respond with KRB_ERR_RESPONSE_TOO_BIG errors to requests from
+its clients.
+
+Because the reads settings by using libkadm5's krb5_read_realm_params function,
+its returned structure type needs to be expanded to hold this information,
+which breaks the ABI.
+
+When processing AS or TGS requests, the server needs to keep track of whether
+or not the client is issuing a request over a connected socket so that it
+won't issue RESPONSE_TOO_BIG errors to connected clients.
+
+The lookaside cache also needs to take note of the distinction so that it
+doesn't replay error messages to clients who've switched from using a
+connectionless socket to a connected socket and are sending the same request.
+
+--- krb5-1.4.3/doc/definitions.texinfo	2006-01-05 15:12:12.000000000 -0500
++++ krb5-1.4.3/doc/definitions.texinfo	2006-01-05 15:12:50.000000000 -0500
+@@ -97,6 +97,8 @@
+ @set DefaultKDCRCache krb5kdc_rcache
+ @comment KDCRCACHE
+ @set DefaultRCTmpDirs /var/tmp, /usr/tmp, /var/usr/tmp, and /tmp
++@comment MAX_DGRAM_SIZE
++@set DefaultMaxDgramSize 4096
+ 
+ @ignore
+ the following defaults should be consistent with the numbers set in
+--- krb5-1.4.3/doc/admin.texinfo	2006-01-05 15:13:04.000000000 -0500
++++ krb5-1.4.3/doc/admin.texinfo	2006-01-05 15:14:22.000000000 -0500
+@@ -1264,6 +1264,14 @@
+ valid ticket may be renewed in this realm.  The default value is
+ @value{DefaultMaxRenewableLife}.
+ 
++@itemx max_dgram_size
++(Numeric value.)  Specifies the maximum allowed size for responses to
++client requests which are received over unconnected sockets (usually,
++UDP, as opposed to TCP).  If the response to a request would be larger
++than the specified size, a KRB_ERR_RESPONSE_TOO_BIG error is sent in
++its stead.  The default value is
++@value{DefaultMaxDgramSize}.
++
+ @itemx supported_enctypes
+ List of key:salt strings.  Specifies the default key/salt combinations of
+ principals for this realm.  Any principals created through @code{kadmin}
+--- krb5-1.4.3/src/lib/kadm5/srv/Makefile.in	2004-06-16 21:56:34.000000000 -0400
++++ krb5-1.4.3/src/lib/kadm5/srv/Makefile.in	2006-01-05 15:08:23.000000000 -0500
+@@ -9,8 +9,8 @@
+ ##DOSLIBNAME = libkadm5srv.lib
+ 
+ LIBBASE=kadm5srv
+-LIBMAJOR=5
+-LIBMINOR=1
++LIBMAJOR=6
++LIBMINOR=0
+ STOBJLISTS=../OBJS.ST OBJS.ST
+ 
+ SHLIB_EXPDEPS=\
+--- krb5-1.4.3/src/lib/kadm5/clnt/Makefile.in	2004-06-16 16:18:10.000000000 -0400
++++ krb5-1.4.3/src/lib/kadm5/clnt/Makefile.in	2006-01-05 15:08:23.000000000 -0500
+@@ -5,8 +5,8 @@
+ LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5
+ 
+ LIBBASE=kadm5clnt
+-LIBMAJOR=5
+-LIBMINOR=1
++LIBMAJOR=6
++LIBMINOR=0
+ STOBJLISTS=../OBJS.ST OBJS.ST
+ SHLIB_EXPDEPS=\
+ 	$(TOPLIBD)/libgssrpc$(SHLIBEXT) \
+--- krb5-1.4.3/src/lib/kadm5/alt_prof.c	2004-06-24 16:08:30.000000000 -0400
++++ krb5-1.4.3/src/lib/kadm5/alt_prof.c	2006-01-05 15:08:23.000000000 -0500
+@@ -936,6 +936,13 @@
+ 	krb5_xfree(svalue);
+     }
+ 
++    /* Get the value for the maximum datagram response size */
++    hierarchy[2] = "max_dgram_size";
++    if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
++	rparams->realm_max_dgram_size = ivalue;
++	rparams->realm_max_dgram_size_valid = 1;
++    }
++	    
+     hierarchy[2] = "reject_bad_transit";
+     if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+ 	rparams->realm_reject_bad_transit = bvalue;
+--- krb5-1.4.3/src/kdc/extern.h	2003-06-03 00:32:41.000000000 -0400
++++ krb5-1.4.3/src/kdc/extern.h	2006-01-05 15:08:23.000000000 -0500
+@@ -64,6 +64,7 @@
+     krb5_deltat		realm_maxlife;	/* Maximum ticket life for realm    */
+     krb5_deltat		realm_maxrlife;	/* Maximum renewable life for realm */
+     krb5_boolean	realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
++    int			realm_max_dgram_size; /* Maximum datagram response size */
+ } kdc_realm_t;
+ 
+ extern kdc_realm_t	**kdc_realmlist;
+@@ -87,6 +88,7 @@
+ #define	dbm_db_name			kdc_active_realm->realm_dbname
+ #define	primary_port			kdc_active_realm->realm_pport
+ #define reject_bad_transit		kdc_active_realm->realm_reject_bad_transit
++#define max_dgram_size			kdc_active_realm->realm_max_dgram_size
+ 
+ /* various externs for KDC */
+ extern krb5_data 	empty_string;	/* an empty string */
+--- krb5-1.4.3/src/lib/kadm5/admin.h	2005-03-22 18:53:59.000000000 -0500
++++ krb5-1.4.3/src/lib/kadm5/admin.h	2006-01-05 15:08:23.000000000 -0500
+@@ -263,6 +263,7 @@
+     krb5_deltat		realm_max_rlife;
+     krb5_timestamp	realm_expiration;
+     krb5_flags		realm_flags;
++    int			realm_max_dgram_size;
+     krb5_key_salt_tuple	*realm_keysalts;
+     unsigned int	realm_reject_bad_transit:1;
+     unsigned int	realm_kadmind_port_valid:1;
+@@ -272,6 +273,7 @@
+     unsigned int	realm_expiration_valid:1;
+     unsigned int	realm_flags_valid:1;
+     unsigned int	realm_reject_bad_transit_valid:1;
++    unsigned int	realm_max_dgram_size_valid:1;
+     krb5_int32		realm_num_keysalts;
+ } krb5_realm_params;
+ 
+--- krb5-1.4.3/src/kdc/do_as_req.c	2005-07-12 16:59:52.000000000 -0400
++++ krb5-1.4.3/src/kdc/do_as_req.c	2006-01-05 15:08:23.000000000 -0500
+@@ -52,7 +52,7 @@
+ /*ARGSUSED*/
+ krb5_error_code
+ process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from,
+-	       krb5_data **response)
++	       krb5_boolean connected, krb5_data **response)
+ {
+     krb5_db_entry client, server;
+     krb5_kdc_rep reply;
+@@ -403,6 +403,13 @@
+ 	status = "ENCODE_KDC_REP";
+ 	goto errout;
+     }
++
++    if (!connected && ((*response)->length > max_dgram_size)) {
++	errcode = KRB5KRB_ERR_RESPONSE_TOO_BIG;
++	krb5_free_data(kdc_context, *response);
++	*response = NULL;
++	goto errout;
++    }
+     
+     /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
+        can use them in raw form if needed.  But, we don't... */
+--- krb5-1.4.3/src/kdc/dispatch.c	2002-09-10 23:59:27.000000000 -0400
++++ krb5-1.4.3/src/kdc/dispatch.c	2006-01-05 15:08:23.000000000 -0500
+@@ -39,7 +39,8 @@
+ static krb5_int32 last_usec = 0, last_os_random = 0;
+ 
+ krb5_error_code
+-dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
++dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_boolean connected,
++	 krb5_data **response)
+ {
+ 
+     krb5_error_code retval;
+@@ -50,7 +51,7 @@
+ 
+ #ifndef NOCACHE
+     /* try the replay lookaside buffer */
+-    if (kdc_check_lookaside(pkt, from, response)) {
++    if (kdc_check_lookaside(pkt, from, connected, response)) {
+ 	/* a hit! */
+ 	const char *name = 0;
+ 	char buf[46];
+@@ -87,7 +88,7 @@
+     /* try TGS_REQ first; they are more common! */
+ 
+     if (krb5_is_tgs_req(pkt)) {
+-	retval = process_tgs_req(pkt, from, response);
++	retval = process_tgs_req(pkt, from, connected, response);
+     } else if (krb5_is_as_req(pkt)) {
+ 	if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
+ 	    /*
+@@ -95,7 +96,7 @@
+ 	     * pointer.
+ 	     */
+ 	    if (!(retval = setup_server_realm(as_req->server))) {
+-		retval = process_as_req(as_req, from, response);
++		retval = process_as_req(as_req, from, connected, response);
+ 	    }
+ 	    krb5_free_kdc_req(kdc_context, as_req);
+ 	}
+@@ -109,7 +110,7 @@
+ #ifndef NOCACHE
+     /* put the response into the lookaside buffer */
+     if (!retval)
+-	kdc_insert_lookaside(pkt, from, *response);
++	kdc_insert_lookaside(pkt, from, connected, *response);
+ #endif
+ 
+     return retval;
+--- krb5-1.4.3/src/kdc/network.c	2005-07-12 16:59:52.000000000 -0400
++++ krb5-1.4.3/src/kdc/network.c	2006-01-05 15:08:23.000000000 -0500
+@@ -744,7 +744,7 @@
+     faddr.address = &addr;
+     init_addr(&faddr, ss2sa(&saddr));
+     /* this address is in net order */
+-    if ((retval = dispatch(&request, &faddr, &response))) {
++    if ((retval = dispatch(&request, &faddr, FALSE, &response))) {
+ 	com_err(prog, retval, "while dispatching (udp)");
+ 	return;
+     }
+@@ -982,7 +982,7 @@
+ 	    /* have a complete message, and exactly one message */
+ 	    request.length = conn->u.tcp.msglen;
+ 	    request.data = conn->u.tcp.buffer + 4;
+-	    err = dispatch(&request, &conn->u.tcp.faddr,
++	    err = dispatch(&request, &conn->u.tcp.faddr, TRUE,
+ 			   &conn->u.tcp.response);
+ 	    if (err) {
+ 		com_err(prog, err, "while dispatching (tcp)");
+--- krb5-1.4.3/src/kdc/kdc_util.h	2004-09-23 22:19:42.000000000 -0400
++++ krb5-1.4.3/src/kdc/kdc_util.h	2006-01-05 15:08:23.000000000 -0500
+@@ -107,15 +107,18 @@
+ /* do_as_req.c */
+ krb5_error_code process_as_req (krb5_kdc_req *,
+ 					  const krb5_fulladdr *,
++					  krb5_boolean,
+ 					  krb5_data ** );
+ 
+ /* do_tgs_req.c */
+ krb5_error_code process_tgs_req (krb5_data *,
+ 					   const krb5_fulladdr *,
++					   krb5_boolean,
+ 					   krb5_data ** );
+ /* dispatch.c */
+ krb5_error_code dispatch (krb5_data *,
+ 				    const krb5_fulladdr *,
++				    krb5_boolean,
+ 				    krb5_data **);
+ 
+ /* main.c */
+@@ -155,9 +158,9 @@
+     
+ /* replay.c */
+ krb5_boolean kdc_check_lookaside (krb5_data *, const krb5_fulladdr *,
+-					    krb5_data **);
+-void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *,
+-				     krb5_data *);
++			   krb5_boolean, krb5_data **);
++void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *, krb5_boolean,
++			   krb5_data *);
+ void kdc_free_lookaside(krb5_context);
+ 
+ /* which way to convert key? */
+--- krb5-1.4.3/src/kdc/replay.c	2003-01-12 08:07:49.000000000 -0500
++++ krb5-1.4.3/src/kdc/replay.c	2006-01-05 15:08:23.000000000 -0500
+@@ -42,6 +42,7 @@
+     krb5_data *req_packet;
+     krb5_data *reply_packet;
+     krb5_address *addr;		/* XXX should these not be pointers? */
++    krb5_boolean connected;
+ } krb5_kdc_replay_ent;
+ 
+ static krb5_kdc_replay_ent root_ptr = {0};
+@@ -62,6 +63,7 @@
+ 		    !memcmp((ptr)->addr->contents,			\
+ 			    from->address->contents,			\
+ 			    from->address->length)&&			\
++		    (ptr->connected == connected) &&		\
+ 		    ((ptr)->db_age == db_age))
+ /* XXX
+    Todo:  quench the size of the queue...
+@@ -72,7 +74,7 @@
+ 
+ krb5_boolean
+ kdc_check_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+-		    krb5_data **outpkt)
++		    krb5_boolean connected, krb5_data **outpkt)
+ {
+     krb5_int32 timenow;
+     register krb5_kdc_replay_ent *eptr, *last, *hold;
+@@ -126,7 +128,7 @@
+ 
+ void
+ kdc_insert_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+-		     krb5_data *outpkt)
++		     krb5_boolean connected, krb5_data *outpkt)
+ {
+     register krb5_kdc_replay_ent *eptr;    
+     krb5_int32 timenow;
+@@ -142,6 +144,7 @@
+ 	return;
+     eptr->timein = timenow;
+     eptr->db_age = db_age;
++    eptr->connected = connected;
+     /*
+      * This is going to hurt a lot malloc()-wise due to the need to
+      * allocate memory for the krb5_data and krb5_address elements.
+--- krb5-1.4.3/src/kdc/main.c	2004-02-24 16:07:22.000000000 -0500
++++ krb5-1.4.3/src/kdc/main.c	2006-01-05 15:08:23.000000000 -0500
+@@ -231,6 +231,10 @@
+     rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
+ 	rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
+ 
++    /* Handle maximum datagram response size */
++    rdp->realm_max_dgram_size = (rparams && rparams->realm_max_dgram_size_valid) ?
++	rparams->realm_max_dgram_size : MAX_DGRAM_SIZE;
++
+     if (rparams)
+ 	krb5_free_realm_params(rdp->realm_context, rparams);
+ 
+--- krb5-1.4.3/src/kdc/do_tgs_req.c	2005-07-12 16:59:52.000000000 -0400
++++ krb5-1.4.3/src/kdc/do_tgs_req.c	2006-01-05 15:08:23.000000000 -0500
+@@ -56,7 +56,7 @@
+ /*ARGSUSED*/
+ krb5_error_code
+ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
+-		krb5_data **response)
++		krb5_boolean connected, krb5_data **response)
+ {
+     krb5_keyblock * subkey;
+     krb5_kdc_req *request = 0;
+@@ -630,7 +630,13 @@
+     if (errcode) {
+ 	status = "ENCODE_KDC_REP";
+     } else {
+-	status = "ISSUE";
++	if (!connected && ((*response)->length > max_dgram_size)) {
++	    errcode = KRB5KRB_ERR_RESPONSE_TOO_BIG;
++	    krb5_free_data(kdc_context, *response);
++	    *response = NULL;
++	} else {
++	    status = "ISSUE";
++	}
+     }
+ 
+     memset(ticket_reply.enc_part.ciphertext.data, 0,
+--- krb5-1.4.3/src/config-files/kdc.conf.M	2006-01-05 15:06:30.000000000 -0500
++++ krb5-1.4.3/src/config-files/kdc.conf.M	2006-01-05 15:08:23.000000000 -0500
+@@ -208,6 +208,14 @@
+ .B key type string
+ represents the master key's key type.
+ 
++.IP max_dgram_size
++This
++.B size
++specifes the maximum size for a response which the KDC will provide
++to clients which use datagrams to communicate with it.  Clients whose
++requests require larger responses will instead receive RESPONSE_TOO_BIG
++errors.
++
+ .IP max_life
+ This
+ .B delta time string
+--- krb5-1.4.3/src/include/krb5/adm.h	2002-09-18 16:45:36.000000000 -0400
++++ krb5-1.4.3/src/include/krb5/adm.h	2006-01-05 15:08:23.000000000 -0500
+@@ -208,6 +208,7 @@
+     krb5_deltat		realm_max_rlife;
+     krb5_timestamp	realm_expiration;
+     krb5_flags		realm_flags;
++    krb5_int32		realm_max_dgram_size;
+     krb5_key_salt_tuple	*realm_keysalts;
+     unsigned int	realm_reject_bad_transit:1;
+     unsigned int	realm_kadmind_port_valid:1;
+@@ -217,6 +218,7 @@
+     unsigned int	realm_expiration_valid:1;
+     unsigned int	realm_flags_valid:1;
+     unsigned int	realm_reject_bad_transit_valid:1;
++    unsigned int	realm_max_dgram_size_valid:1;
+     krb5_int32		realm_num_keysalts;
+ } krb5_realm_params;
+ #endif	/* KRB5_ADM_H__ */
diff --git a/krb5.spec b/krb5.spec
index 894d55e..10774ed 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,9 +10,9 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.4.3
-Release: 2
+Release: 3
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.2-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 Source2: kpropd.init
@@ -71,6 +71,8 @@ Patch36: krb5-1.3.3-rcp-markus.patch
 Patch39: krb5-1.4.1-api.patch
 Patch40: krb5-1.4.1-telnet-environ.patch
 Patch41: krb5-1.2.7-login-lpass.patch
+Patch42: krb5-1.4.3-pthread_np.patch
+Patch43: krb5-1.4.3-kdc_max_dgram_size.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -135,6 +137,10 @@ network uses Kerberos, this package should be installed on every
 workstation.
 
 %changelog
+* Thu Jan 19 2006 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-3
+- rebuild properly when pthread_mutexattr_setrobust_np() is defined but not
+  declared, such as with recent glibc when _GNU_SOURCE isn't being used
+
 * Thu Jan 19 2006 Matthias Clasen <mclasen@redhat.com> 1.4.3-2
 - Use full paths in krb5.sh to avoid path lookups
 
@@ -892,6 +898,9 @@ workstation.
 %patch39 -p1 -b .api
 %patch40 -p1 -b .telnet-environ
 %patch41 -p1 -b .login-lpass
+%patch42 -p1 -b .pthread_np
+# Don't apply this until we hear back from upstream.
+#%patch43 -p1 -b .kdc_max_dgram_size
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps
author	Nalin Dahyabhai <nalin@fedoraproject.org>	2006-01-20 00:28:41 +0000
committer	Nalin Dahyabhai <nalin@fedoraproject.org>	2006-01-20 00:28:41 +0000
commit	5bf2d7bd12579781f6e471f26d00c492a1552e55 (patch)
tree	cc3bba45fbc6e02b00af0a5bef45f35f262334fb
parent	a6fb2997f19dcf84250a41dc4bcfe7c08523e289 (diff)
download	krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.tar.gz krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.tar.xz krb5-5bf2d7bd12579781f6e471f26d00c492a1552e55.zip