author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-06 18:53:03 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-06 18:53:03 -0500 |
commit | 75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0 (patch) | |
tree | ae916fbed200d9dc5394a02b80aaaf56e0a74baf | |
parent | 05c4140d32a4ab98a1551bcbee7c59c0df868575 (diff) | |
download | krb5-75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0.tar.gz krb5-75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0.tar.xz krb5-75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0.zip |
Try to remove execmod from 32-bit AES-NI k5cryptokrb5-1.12-9.fc21
- make a guess at making the 32-bit AES-NI implementation sufficiently
position-independent to not require execmod permissions for libk5crypto
(more of #1045699)
-rw-r--r-- | krb5-1.12-pic-aes-ni.patch | 38 | ||||
-rw-r--r-- | krb5.spec | 9 |
2 files changed, 45 insertions, 2 deletions
diff --git a/krb5-1.12-pic-aes-ni.patch b/krb5-1.12-pic-aes-ni.patch
new file mode 100644
index 0000000..61c6c82
--- /dev/null
+++ b/krb5-1.12-pic-aes-ni.patch
@@ -0,0 +1,38 @@
+--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
++++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -256,6 +256,7 @@ DD 0
+ section .text
+
+
++extern _GLOBAL_OFFSET_TABLE_
+
+ align 16
+ key_expansion256:
+@@ -318,7 +319,12 @@ _iEncExpandKey128:
+
+ movdqu [edx], xmm1
+
+- movdqa xmm5, [shuffle_mask]
++ call .get_GOT
++.get_GOT:
++ pop ebx
++ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
+
+ add edx,16
+
+@@ -421,7 +430,12 @@ _iEncExpandKey256:
+
+ add edx,32
+
+- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion
++ call .get_GOT
++.get_GOT:
++ pop ebx
++ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
+
+ aeskeygenassist xmm2, xmm3, 0x1 ;
+ call key_expansion256
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12 -Release: 8%{?dist} +Release: 9%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar Source0: krb5-%{version}.tar.gz
@@ -97,6 +97,7 @@ Patch138: krb5-master-keytab_close.patch Patch139: krb5-1.12-copy_context.patch Patch140: krb5-master-spnego_error_messages.patch Patch141: krb5-1.12-enable-NX.patch +Patch142: krb5-1.12-pic-aes-ni.patch License: MIT URL: http://web.mit.edu/kerberos/www/
@@ -322,6 +323,7 @@ ln -s NOTICE LICENSE %patch139 -p1 -b .copy_context %patch140 -p1 -b .spnego_error_messages %patch141 -p1 -b .enable-NX +%patch142 -p1 -b .pic-aes-ni # Apply when the hard-wired or configured default location is # DIR:/run/user/%%{uid}/krb5cc.
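Review bot: In the `_iEncExpandKey128` hunk of krb5-1.12-pic-aes-ni.patch, `pop ebx` overwrites a register that the i386 calling convention treats as callee-saved, and nothing in the hunk saves or restores it; the `_iEncExpandKey256` hunk repeats the same sequence. Both function bodies start and end outside the hunks, so a save may exist elsewhere, but if it does not, the C caller's ebx (its own GOT pointer in PIC code) comes back corrupted. Either bracket the sequence with `push ebx` before `call .get_GOT` and a restoring `pop ebx` after the `movdqa` (adjusting any later esp-relative argument loads), or use a caller-saved register that is dead at this point. Since the commit message calls this a guess, it would also help to confirm the outcome at build time, for example by checking the 32-bit libk5crypto for a remaining `TEXTREL` dynamic entry with `readelf -d`, because any other absolute data reference left in iaesx86.s would still require execmod.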
@@ -976,9 +978,12 @@ exit 0 %{_sbindir}/uuserver %changelog -* Mon Jan 6 2014 Nalin Dahyabhai <nalin@redhat.com> +* Mon Jan 6 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-9 - grab a more-commented version of the most recent patch from upstream master +- make a guess at making the 32-bit AES-NI implementation sufficiently + position-independent to not require execmod permissions for libk5crypto + (more of #1045699) * Thu Jan 2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8 - add patch from Dhiru Kholia for the AES-NI implementations to allow |