authorNalin Dahyabhai <nalin@dahyabhai.net>2012-06-13 18:15:22 -0400
committerNalin Dahyabhai <nalin@dahyabhai.net>2012-06-13 18:15:22 -0400
commit1c3aace857b9a734c24a13b452c4f8d4146a214b (patch)
tree5fd8ac1525184c178d641d8551b26185b1f79d46
parent1d265fd9dd678ec9e136d8d59c0765300500b7db (diff)
parent16a5c7affc451cfc44f7381022e40ed799eb0187 (diff)
downloadkrb5-1c3aace857b9a734c24a13b452c4f8d4146a214b.tar.gz
krb5-1c3aace857b9a734c24a13b452c4f8d4146a214b.tar.xz
krb5-1c3aace857b9a734c24a13b452c4f8d4146a214b.zip
Merge remote-tracking branch 'origin/master' into f17
Conflicts: krb5.spec
-rw-r--r--.gitignore6
-rw-r--r--krb5-1.10-crashfix.patch39
-rw-r--r--krb5-1.10-lookaside.patch101
-rw-r--r--krb5-1.10-string-rpc-acl-fix.patch61
-rw-r--r--krb5-1.10.2-keytab-etype.patch332
-rw-r--r--krb5-1.10.2-manpaths.patch (renamed from krb5-1.10-manpaths.patch)2
-rw-r--r--krb5-1.10.2-pam.patch (renamed from krb5-1.10-pam.patch)6
-rw-r--r--krb5-1.10.2-selinux-label.patch (renamed from krb5-1.10-selinux-label.patch)6
-rw-r--r--krb5.spec81
-rw-r--r--sources6
10 files changed, 403 insertions, 237 deletions
diff --git a/.gitignore b/.gitignore
index b8a7c11..0043cb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,3 +66,9 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.10.tar.gz
/krb5-1.10.tar.gz.asc
/krb5-1.10-pdf.tar.xz
+/krb5-1.10.1.tar.gz
+/krb5-1.10.1.tar.gz.asc
+/krb5-1.10.1-pdf.tar.xz
+/krb5-1.10.2.tar.gz
+/krb5-1.10.2.tar.gz.asc
+/krb5-1.10.2-pdf.tar.xz
diff --git a/krb5-1.10-crashfix.patch b/krb5-1.10-crashfix.patch
deleted file mode 100644
index 3f4a86b..0000000
--- a/krb5-1.10-crashfix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-RT #7081
-
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 5e69653..4651b72 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -102,6 +102,7 @@ struct as_req_state {
- loop_respond_fn respond;
- void *arg;
-
-+ krb5_principal_data client_princ;
- krb5_enc_tkt_part enc_tkt_reply;
- krb5_enc_kdc_rep_part reply_encpart;
- krb5_ticket ticket_reply;
-@@ -458,7 +459,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
- krb5_error_code errcode;
- krb5_timestamp rtime;
- unsigned int s_flags = 0;
-- krb5_principal_data client_princ;
- krb5_data encoded_req_body;
- krb5_enctype useenctype;
- struct as_req_state *state;
-@@ -680,13 +680,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
-
- state->enc_tkt_reply.session = &state->session_key;
- if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
-- client_princ = *(state->client->princ);
-+ state->client_princ = *(state->client->princ);
- } else {
-- client_princ = *(state->request->client);
-+ state->client_princ = *(state->request->client);
- /* The realm is always canonicalized */
-- client_princ.realm = state->client->princ->realm;
-+ state->client_princ.realm = state->client->princ->realm;
- }
-- state->enc_tkt_reply.client = &client_princ;
-+ state->enc_tkt_reply.client = &state->client_princ;
- state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
- state->enc_tkt_reply.transited.tr_contents = empty_string;
diff --git a/krb5-1.10-lookaside.patch b/krb5-1.10-lookaside.patch
deleted file mode 100644
index 1afdd82..0000000
--- a/krb5-1.10-lookaside.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 4b9eb1f3dc538f7b29e50b6852983f5b4ddc7536 Mon Sep 17 00:00:00 2001
-From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
-Date: Thu, 26 Jan 2012 21:56:16 +0000
-Subject: [PATCH 1/3] ticket: 7082 subject: Various lookaside cache fixes
- target_version: 1.10 tags: pullup
-
-Don't touch the lookaside cache if we're responding with a lookaside
-cache entry. Also, leave the null entry behind if we're deliberately
-dropping a request (a rare case) so that we don't have to process it
-again. Fixes several lookaside problems in 1.10:
-
-* When dropping a request because it was already being processed, we
- were erroneously removing the null entry, causing us to process the
- request again upon a second retransmit.
-
-* When responding to a finished request with a lookaside entry, we
- were removing and re-adding the entry to the cache, resetting its
- time and performing unnecessary work.
-
-* We were not caching responses we couldn't deliver because they were
- too big for UDP, causing us to re-process the request when it came
- in again via TCP instead of simply delivering the cached response.
-
-git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25660 dc483132-0cff-0310-8789-dd5450dbe970
----
- src/kdc/dispatch.c | 40 ++++++++++++++++++++++------------------
- 1 files changed, 22 insertions(+), 18 deletions(-)
-
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index b4c02f3..efe7098 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -44,20 +44,11 @@ struct dispatch_state {
- };
-
- static void
--finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
-+finish_dispatch(struct dispatch_state *state, krb5_error_code code,
-+ krb5_data *response)
- {
-- struct dispatch_state *state = arg;
-- loop_respond_fn oldrespond;
-- void *oldarg;
--
-- assert(state);
-- oldrespond = state->respond;
-- oldarg = state->arg;
--
--#ifndef NOCACHE
-- /* Remove our NULL cache entry to indicate request completion. */
-- kdc_remove_lookaside(kdc_context, state->request);
--#endif
-+ loop_respond_fn oldrespond = state->respond;
-+ void *oldarg = state->arg;
-
- if (state->is_tcp == 0 && response &&
- response->length > max_dgram_reply_size) {
-@@ -70,14 +61,27 @@ finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
- error_message(code));
- }
-
-+ free(state);
-+ (*oldrespond)(oldarg, code, response);
-+}
-+
-+static void
-+finish_dispatch_cache(void *arg, krb5_error_code code, krb5_data *response)
-+{
-+ struct dispatch_state *state = arg;
-+
- #ifndef NOCACHE
-- /* put the response into the lookaside buffer */
-- else if (!code && response)
-+ /* Remove the null cache entry unless we actually want to discard this
-+ * request. */
-+ if (code != KRB5KDC_ERR_DISCARD)
-+ kdc_remove_lookaside(kdc_context, state->request);
-+
-+ /* Put the response into the lookaside buffer (if we produced one). */
-+ if (code == 0 && response != NULL)
- kdc_insert_lookaside(state->request, response);
- #endif
-
-- free(state);
-- (*oldrespond)(oldarg, code, response);
-+ finish_dispatch(state, code, response);
- }
-
- void
-@@ -167,7 +171,7 @@ dispatch(void *cb, struct sockaddr *local_saddr,
- * process_as_req frees the request if it is called
- */
- if (!(retval = setup_server_realm(as_req->server))) {
-- process_as_req(as_req, pkt, from, vctx, finish_dispatch,
-+ process_as_req(as_req, pkt, from, vctx, finish_dispatch_cache,
- state);
- return;
- }
---
-1.7.7.5
-
diff --git a/krb5-1.10-string-rpc-acl-fix.patch b/krb5-1.10-string-rpc-acl-fix.patch
deleted file mode 100644
index bd82356..0000000
--- a/krb5-1.10-string-rpc-acl-fix.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 725b97bfba7067907a5fc534c21349c0d28bf6b8 Mon Sep 17 00:00:00 2001
-From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
-Date: Tue, 21 Feb 2012 19:14:47 +0000
-Subject: [PATCH] ticket: 7093 subject: Access controls for string RPCs
- [CVE-2012-1012] target_version: 1.10.1 tags: pullup
-
-In the kadmin protocol, make the access controls for
-get_strings/set_string mirror those of get_principal/modify_principal.
-Previously, anyone with global list privileges could get or modify
-string attributes on any principal. The impact of this depends on how
-generous the kadmind acl is with list permission and whether string
-attributes are used in a deployment (nothing in the core code uses
-them yet).
-
-CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
-
-git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
----
- src/kadmin/server/server_stubs.c | 19 +++++++++++--------
- 1 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
-index 8dbe756..0de627f 100644
---- a/src/kadmin/server/server_stubs.c
-+++ b/src/kadmin/server/server_stubs.c
-@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
- goto exit_func;
- }
-
-- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-- rqst2name(rqstp),
-- ACL_LIST, NULL, NULL)) {
-- ret.code = KADM5_AUTH_LIST;
-+ if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
-+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-+ rqst2name(rqstp),
-+ ACL_INQUIRE,
-+ arg->princ,
-+ NULL))) {
-+ ret.code = KADM5_AUTH_GET;
- log_unauth("kadm5_get_strings", prime_arg,
- &client_name, &service_name, rqstp);
- } else {
-@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
- goto exit_func;
- }
-
-- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-- rqst2name(rqstp),
-- ACL_LIST, NULL, NULL)) {
-- ret.code = KADM5_AUTH_LIST;
-+ if (CHANGEPW_SERVICE(rqstp)
-+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-+ arg->princ, NULL)) {
-+ ret.code = KADM5_AUTH_MODIFY;
- log_unauth("kadm5_mod_strings", prime_arg,
- &client_name, &service_name, rqstp);
- } else {
---
-1.7.7.6
-
diff --git a/krb5-1.10.2-keytab-etype.patch b/krb5-1.10.2-keytab-etype.patch
new file mode 100644
index 0000000..4750a5c
--- /dev/null
+++ b/krb5-1.10.2-keytab-etype.patch
@@ -0,0 +1,332 @@
+(Had to drop the changes to src/tests/t_keytab.py, which didn't exist in 1.10.)
+
+commit d1da158f47ea604bed4d5db5e98a976a9e54ccd0
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Apr 19 17:55:10 2012 +0000
+
+ Unify krb5_get_init_creds_keytab code paths
+
+ Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that
+ processing added to the former will be used by the latter. This is
+ slightly awkward because of the way we do the use_master fallback, in
+ that we have to duplicate some of krb5int_get_init_creds.
+
+ Based on a patch from Stef Walter.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25817 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/krb5/krb/deps b/src/lib/krb5/krb/deps
+index fe2d54c..8c4db77 100644
+--- a/src/lib/krb5/krb/deps
++++ b/src/lib/krb5/krb/deps
+@@ -473,7 +473,8 @@ gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): \
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+- $(top_srcdir)/include/socket-utils.h gic_keytab.c init_creds_ctx.h
++ $(top_srcdir)/include/socket-utils.h gic_keytab.c init_creds_ctx.h \
++ int-proto.h
+ gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index aaabc4e..681b648 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -542,10 +542,9 @@ krb5_init_creds_free(krb5_context context,
+ free(ctx);
+ }
+
+-static krb5_error_code
+-init_creds_get(krb5_context context,
+- krb5_init_creds_context ctx,
+- int *use_master)
++krb5_error_code
++k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
++ int *use_master)
+ {
+ krb5_error_code code;
+ krb5_data request;
+@@ -599,7 +598,7 @@ krb5_init_creds_get(krb5_context context,
+ {
+ int use_master = 0;
+
+- return init_creds_get(context, ctx, &use_master);
++ return k5_init_creds_get(context, ctx, &use_master);
+ }
+
+ krb5_error_code KRB5_CALLCONV
+@@ -1664,7 +1663,7 @@ krb5int_get_init_creds(krb5_context context,
+ goto cleanup;
+ }
+
+- code = init_creds_get(context, ctx, use_master);
++ code = k5_init_creds_get(context, ctx, use_master);
+ if (code != 0)
+ goto cleanup;
+
+diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
+index 88de6a8..e59177f 100644
+--- a/src/lib/krb5/krb/gic_keytab.c
++++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -26,6 +26,7 @@
+ #ifndef LEAN_CLIENT
+
+ #include "k5-int.h"
++#include "int-proto.h"
+ #include "init_creds_ctx.h"
+
+ static krb5_error_code
+@@ -87,6 +88,44 @@ krb5_init_creds_set_keytab(krb5_context context,
+ return 0;
+ }
+
++static krb5_error_code
++get_init_creds_keytab(krb5_context context, krb5_creds *creds,
++ krb5_principal client, krb5_keytab keytab,
++ krb5_deltat start_time, char *in_tkt_service,
++ krb5_get_init_creds_opt *options, int *use_master)
++{
++ krb5_error_code ret;
++ krb5_init_creds_context ctx = NULL;
++
++ ret = krb5_init_creds_init(context, client, NULL, NULL, start_time,
++ options, &ctx);
++ if (ret != 0)
++ goto cleanup;
++
++ if (in_tkt_service) {
++ ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
++ if (ret != 0)
++ goto cleanup;
++ }
++
++ ret = krb5_init_creds_set_keytab(context, ctx, keytab);
++ if (ret != 0)
++ goto cleanup;
++
++ ret = k5_init_creds_get(context, ctx, use_master);
++ if (ret != 0)
++ goto cleanup;
++
++ ret = krb5_init_creds_get_creds(context, ctx, creds);
++ if (ret != 0)
++ goto cleanup;
++
++cleanup:
++ krb5_init_creds_free(context, ctx);
++
++ return ret;
++}
++
+ krb5_error_code KRB5_CALLCONV
+ krb5_get_init_creds_keytab(krb5_context context,
+ krb5_creds *creds,
+@@ -111,10 +150,8 @@ krb5_get_init_creds_keytab(krb5_context context,
+
+ /* first try: get the requested tkt from any kdc */
+
+- ret = krb5int_get_init_creds(context, creds, client, NULL, NULL,
+- start_time, in_tkt_service, options,
+- get_as_key_keytab, (void *) keytab,
+- &use_master,NULL);
++ ret = get_init_creds_keytab(context, creds, client, keytab, start_time,
++ in_tkt_service, options, &use_master);
+
+ /* check for success */
+
+@@ -132,10 +169,9 @@ krb5_get_init_creds_keytab(krb5_context context,
+ if (!use_master) {
+ use_master = 1;
+
+- ret2 = krb5int_get_init_creds(context, creds, client, NULL, NULL,
+- start_time, in_tkt_service, options,
+- get_as_key_keytab, (void *) keytab,
+- &use_master, NULL);
++ ret2 = get_init_creds_keytab(context, creds, client, keytab,
++ start_time, in_tkt_service, options,
++ &use_master);
+
+ if (ret2 == 0) {
+ ret = 0;
+diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
+index 6b16095..899579f 100644
+--- a/src/lib/krb5/krb/int-proto.h
++++ b/src/lib/krb5/krb/int-proto.h
+@@ -196,4 +196,8 @@ krb5int_mk_setpw_req(krb5_context context, krb5_auth_context auth_context,
+ void
+ k5_ccselect_free_context(krb5_context context);
+
++krb5_error_code
++k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
++ int *use_master);
++
+ #endif /* KRB5_INT_FUNC_PROTO__ */
+
+commit 8230c4b7b7323cdef2a6c877deb710a15380f40f
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Apr 19 17:55:14 2012 +0000
+
+ Use etypes from keytab in krb5_gic_keytab
+
+ When getting initial credentials with a keytab, filter the list of
+ request enctypes based on the keys in the keytab.
+
+ Based on a patch from Stef Walter.
+
+ ticket: 2131
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
+index 3749cf9..36eb23b 100644
+--- a/src/include/k5-trace.h
++++ b/src/include/k5-trace.h
+@@ -187,6 +187,10 @@
+ #define TRACE_INIT_CREDS_GAK(c, salt, s2kparams) \
+ TRACE(c, (c, "Getting AS key, salt \"{data}\", params \"{data}\"", \
+ salt, s2kparams))
++#define TRACE_INIT_CREDS_KEYTAB_LOOKUP(c, etypes) \
++ TRACE(c, (c, "Looked up etypes in keytab: {etypes}", etypes))
++#define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code) \
++ TRACE(c, (c, "Couldn't lookup etypes in keytab: {kerr}", code))
+ #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \
+ TRACE(c, (c, "Decrypt with preauth AS key failed: {kerr}", code))
+ #define TRACE_INIT_CREDS_RESTART_FAST(c) \
+diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
+index e59177f..3554b25 100644
+--- a/src/lib/krb5/krb/gic_keytab.c
++++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -77,14 +77,132 @@ get_as_key_keytab(krb5_context context,
+ return(ret);
+ }
+
++/* Return the list of etypes available for client in keytab. */
++static krb5_error_code
++lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
++ krb5_principal client, krb5_enctype **etypes_out)
++{
++ krb5_kt_cursor cursor;
++ krb5_keytab_entry entry;
++ krb5_enctype *p, *etypes = NULL;
++ krb5_kvno max_kvno = 0;
++ krb5_error_code ret;
++ size_t count = 0;
++
++ *etypes_out = NULL;
++
++ if (keytab->ops->start_seq_get == NULL)
++ return EINVAL;
++ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
++ if (ret != 0)
++ return ret;
++
++ for (;;) {
++ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
++ if (ret == KRB5_KT_END)
++ break;
++ if (ret)
++ goto cleanup;
++
++ if (!krb5_c_valid_enctype(entry.key.enctype))
++ continue;
++ if (!krb5_principal_compare(context, entry.principal, client))
++ continue;
++ /* Make sure our list is for the highest kvno found for client. */
++ if (entry.vno > max_kvno) {
++ free(etypes);
++ etypes = NULL;
++ count = 0;
++ max_kvno = entry.vno;
++ } else if (entry.vno != max_kvno)
++ continue;
++
++ /* Leave room for the terminator and possibly a second entry. */
++ p = realloc(etypes, (count + 3) * sizeof(*etypes));
++ if (p == NULL) {
++ ret = ENOMEM;
++ goto cleanup;
++ }
++ etypes = p;
++ etypes[count++] = entry.key.enctype;
++ /* All DES key types work with des-cbc-crc, which is more likely to be
++ * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */
++ if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 ||
++ entry.key.enctype == ENCTYPE_DES_CBC_MD4)
++ etypes[count++] = ENCTYPE_DES_CBC_CRC;
++ etypes[count] = 0;
++ }
++
++ ret = 0;
++ *etypes_out = etypes;
++ etypes = NULL;
++cleanup:
++ krb5_kt_end_seq_get(context, keytab, &cursor);
++ free(etypes);
++ return ret;
++}
++
++/* Return true if search_for is in etype_list. */
++static krb5_boolean
++check_etypes_have(krb5_enctype *etype_list, krb5_enctype search_for)
++{
++ int i;
++
++ if (!etype_list)
++ return FALSE;
++
++ for (i = 0; etype_list[i] != 0; i++) {
++ if (etype_list[i] == search_for)
++ return TRUE;
++ }
++
++ return FALSE;
++}
++
+ krb5_error_code KRB5_CALLCONV
+ krb5_init_creds_set_keytab(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_keytab keytab)
+ {
++ krb5_enctype *etype_list;
++ krb5_error_code ret;
++ int i, j;
++ char *name;
++
+ ctx->gak_fct = get_as_key_keytab;
+ ctx->gak_data = keytab;
+
++ ret = lookup_etypes_for_keytab(context, keytab, ctx->request->client,
++ &etype_list);
++ if (ret) {
++ TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(context, ret);
++ return 0;
++ }
++
++ TRACE_INIT_CREDS_KEYTAB_LOOKUP(context, etype_list);
++
++ /* Filter the ktypes list based on what's in the keytab */
++ for (i = 0, j = 0; i < ctx->request->nktypes; i++) {
++ if (check_etypes_have(etype_list, ctx->request->ktype[i])) {
++ ctx->request->ktype[j] = ctx->request->ktype[i];
++ j++;
++ }
++ }
++ ctx->request->nktypes = j;
++ free(etype_list);
++
++ /* Error out now if there's no overlap. */
++ if (ctx->request->nktypes == 0) {
++ ret = krb5_unparse_name(context, ctx->request->client, &name);
++ if (ret == 0) {
++ krb5_set_error_message(context, KRB5_KT_NOTFOUND,
++ _("Keytab contains no suitable keys for "
++ "%s"), name);
++ }
++ krb5_free_unparsed_name(context, name);
++ return KRB5_KT_NOTFOUND;
++ }
++
+ return 0;
+ }
+
diff --git a/krb5-1.10-manpaths.patch b/krb5-1.10.2-manpaths.patch
index 39dc620..2ef0a83 100644
--- a/krb5-1.10-manpaths.patch
+++ b/krb5-1.10.2-manpaths.patch
@@ -33,7 +33,7 @@ configure scripts should be rebuilt. Originally RT#6525
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1054,6 +1054,17 @@ fi
- KRB5_WITH_PAM
+ AC_SUBST(localedir)
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
diff --git a/krb5-1.10-pam.patch b/krb5-1.10.2-pam.patch
index 365af4a..4d7c054 100644
--- a/krb5-1.10-pam.patch
+++ b/krb5-1.10.2-pam.patch
@@ -747,6 +747,6 @@ diff -up krb5-1.8/src/configure.in.pam krb5-1.8/src/configure.in
+KRB5_WITH_PAM
+
- AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
- V5_AC_OUTPUT_MAKEFILE(.
-
+ # Make localedir work in autoconf 2.5x.
+ if test "${localedir+set}" != set; then
+ localedir='$(datadir)/locale'
diff --git a/krb5-1.10-selinux-label.patch b/krb5-1.10.2-selinux-label.patch
index 7ff50a5..448aaec 100644
--- a/krb5-1.10-selinux-label.patch
+++ b/krb5-1.10.2-selinux-label.patch
@@ -120,9 +120,9 @@ which we used earlier, is some improvement.
+KRB5_WITH_SELINUX
+
- AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
-
- V5_AC_OUTPUT_MANPAGE([
+ # Make localedir work in autoconf 2.5x.
+ if test "${localedir+set}" != set; then
+ localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
diff --git a/krb5.spec b/krb5.spec
index e2e94d6..3da0936 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,14 +10,19 @@
%global WITH_NSS 0
%global WITH_SYSVERTO 0
%endif
+%if 0%{?fedora} >= 17 || 0%{?rhel} > 6
+%global no_separate_usr 1
+%else
+%global no_separate_usr 0
+%endif
%global gettext_domain mit-krb5
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.10
-Release: 7%{?dist}
+Version: 1.10.2
+Release: 2%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc
Source2: kprop.service
@@ -51,9 +56,9 @@ Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch39: krb5-1.8-api.patch
Patch56: krb5-1.10-doublelog.patch
Patch59: krb5-1.10-kpasswd_tcp.patch
-Patch60: krb5-1.10-pam.patch
-Patch61: krb5-1.10-manpaths.patch
-Patch63: krb5-1.10-selinux-label.patch
+Patch60: krb5-1.10.2-pam.patch
+Patch61: krb5-1.10.2-manpaths.patch
+Patch63: krb5-1.10.2-selinux-label.patch
Patch71: krb5-1.9-dirsrv-accountlock.patch
Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch
@@ -61,11 +66,8 @@ Patch100: krb5-trunk-7046.patch
Patch101: krb5-trunk-7047.patch
Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
-Patch104: krb5-1.10-crashfix.patch
Patch105: krb5-kvno-230379.patch
-Patch106: krb5-1.10-lookaside.patch
-Patch107: krb5-1.10-string-rpc-acl-fix.patch
-Patch108: krb5-kadmind-null-password.patch
+Patch106: krb5-1.10.2-keytab-etype.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -83,6 +85,10 @@ BuildRequires: pam-devel
BuildRequires: systemd-units
# For the test framework.
BuildRequires: perl, dejagnu, tcl-devel
+BuildRequires: net-tools
+%if 0%{?fedora} >= 13 || 0%{?rhel} > 6
+BuildRequires: hostname
+%endif
%if %{WITH_LDAP}
BuildRequires: openldap-devel
@@ -142,6 +148,8 @@ Requires: logrotate
Requires(preun): /sbin/install-info
# mktemp is used by krb5-send-pr
Requires: coreutils
+# we specify /usr/share/dict/words as the default dict_file in kdc.conf
+Requires: /usr/share/dict/words
# portreserve is used by init scripts for kadmind, kpropd, and krb5kdc
Requires: portreserve
%if %{WITH_SYSVERTO}
@@ -235,11 +243,8 @@ ln -s NOTICE LICENSE
%patch101 -p1 -b .7047
%patch102 -p1 -b .7048
%patch103 -p0 -b .gcc47
-%patch104 -p1 -b .crashfix
%patch105 -p1 -b .kvno
-%patch106 -p1 -b .7082
-%patch107 -p1 -b .7093
-%patch108 -p1 -b .kadmind-null-password
+%patch106 -p1 -b .keytab-etype
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -268,10 +273,6 @@ popd
sh %{SOURCE24} check << EOF
doc/api library krb5
doc/implement implement
-doc/kadm5 adb-unit-test
-doc/kadm5 api-unit-test
-doc/kadm5 api-funcspec
-doc/kadm5 api-server-design
EOF
# Generate an FDS-compatible LDIF file.
@@ -438,6 +439,7 @@ make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/e
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
+%if %{no_separate_usr}
# Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks.
touch $RPM_BUILD_ROOT/rootfile
rellibdir=..
@@ -452,6 +454,7 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do
ln -fs ${rellibdir}/%{_lib}/${library}.so.*.* ${library}.so
popd
done
+%endif
# A sanity checker for upgrades.
install -m 755 kdb_check_weak $RPM_BUILD_ROOT/%{_libdir}/krb5/
@@ -541,7 +544,7 @@ exit 0
%files workstation
%defattr(-,root,root,-)
-%doc doc/user*.ps.gz src/config-files/services.append
+%doc doc/user*.ps.gz doc/user*.pdf src/config-files/services.append
%doc doc/{kdestroy,kinit,klist,kpasswd,ksu}.html
%doc doc/krb5-user.html
%attr(0755,root,root) %doc src/config-files/convert-config-files
@@ -595,6 +598,8 @@ exit 0
%config(noreplace) /etc/logrotate.d/krb5kdc
%config(noreplace) /etc/logrotate.d/kadmind
+%doc doc/admin*.pdf
+%doc doc/install*.pdf
%doc doc/admin*.ps.gz
%doc doc/install*.ps.gz
%doc doc/krb5-admin.html
@@ -711,10 +716,7 @@ exit 0
%files devel
%defattr(-,root,root,-)
%docdir %{_mandir}
-%doc doc/api/*.pdf
%doc doc/ccapi
-%doc doc/implement/*.pdf
-%doc doc/kadm5/*.pdf
%doc doc/kadmin
%doc doc/kim
%doc doc/krb5-protocol
@@ -751,18 +753,45 @@ exit 0
%{_sbindir}/uuserver
%changelog
-* Fri Jun 1 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10-7
-- pull up the patch to correct a possible NULL pointer dereference in
- kadmind (CVE-2012-1013, #827598)
+* Tue Jun 5 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-2
+- back out this labeling change (dwalsh):
+ - when building the new label for a file we're about to create, also mix
+ in the current range, in addition to the current user
+
+* Fri Jun 1 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-1
+- update to 1.10.2
+ - when building the new label for a file we're about to create, also mix
+ in the current range, in addition to the current user
+ - also package the PDF format admin, user, and install guides
+ - drop some PDFs that no longer get built right
+- add a backport of Stef's patch to set the client's list of supported
+ enctypes to match the types of keys that we have when we are using a
+ keytab to try to get initial credentials, so that a KDC won't send us
+ an AS reply that we can't encrypt (RT#2131, #748528)
+- don't shuffle around any shared libraries on releases with no-separate-/usr,
+ since /usr/lib is the same place as /lib
+- add explicit buildrequires: on 'hostname', for the tests, on systems where
+ it's in its own package, and require net-tools, which used to provide the
+ command, everywhere
* Mon May 7 2012 Nalin Dahyabhai <nalin@redhat.com>
- skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part
of #819115)
-* Mon Mar 20 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10-6
+* Tue May 1 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.1-3
+- have -server require /usr/share/dict/words, which we set as the default
+ dict_file in kdc.conf (#817089)
+
+* Tue Mar 20 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.1-2
- change back dns_lookup_kdc to the default setting (Stef Walter, #805318)
- comment out example.com examples in default krb5.conf (Stef Walter, #805320)
+* Fri Mar 9 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.1-1
+- update to 1.10.1
+ - drop the KDC crash fix
+ - drop the KDC lookaside cache fix
+ - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
+
* Wed Mar 7 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10-5
- when removing -workstation, remove our files from the info index while
the file is still there, in %%preun, rather than %%postun, and use the
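Review bot: The changelog no longer records what happened to the kadmind NULL-dereference fix: this merge drops Patch108 (krb5-kadmind-null-password.patch) from both the Patch list and %prep, and at the same time removes the f17 1.10-7 entry that documented pulling it up (CVE-2012-1013, #827598), so nothing in the spec says why that fix went away. Presumably it is carried by the 1.10.2 tarball, but that is not stated anywhere on the new side. Add a line to the 1.10.2-1 entry such as `- drop the kadmind NULL pointer dereference fix (CVE-2012-1013), now included upstream` and keep the 1.10-7 entry rather than deleting it, matching how the 1.10.1-1 entry lists the other dropped patches. The remainder of the changelog continues outside this hunk.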
diff --git a/sources b/sources
index 926961b..5533fc2 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-ff442dfc34c58ad6f601cc8aec6b84e2 krb5-1.10.tar.gz
-24dab4f2d8506eb64e364dc1527ba03c krb5-1.10.tar.gz.asc
-54ac50d94320c754b3a9553159c6351f krb5-1.10-pdf.tar.xz
+73c89ed430f92df7d10c49167eec889b krb5-1.10.2.tar.gz
+53994fb4ccbeaf6d017d657942093502 krb5-1.10.2.tar.gz.asc
+ddebe423b4d60fe957ab7c22dbc8a7ea krb5-1.10.2-pdf.tar.xz