author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-06-24 14:33:47 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-06-24 14:33:47 -0400 |
commit | 6d5c41d78a653926f6ac9b0aa0b00df2eb0d2dbd (patch) | |
tree | d96f433bdbb2ce600f19f3e1187a34e52d35dd11 | |
parent | 6ec2e67b2e7e1588604797d2814be92446caa68e (diff) | |
parent | da69bf39fa3bb69eb30cd716cf38b36c4e2f0b9b (diff) | |
download | krb5-6d5c41d78a653926f6ac9b0aa0b00df2eb0d2dbd.tar.gz krb5-6d5c41d78a653926f6ac9b0aa0b00df2eb0d2dbd.tar.xz krb5-6d5c41d78a653926f6ac9b0aa0b00df2eb0d2dbd.zip |
Merge remote-tracking branch 'origin/master' into f15/masterkrb5-1.9.1-5.fc15
Conflicts:
krb5-klist_s.patch
krb5.spec
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | 2011-001-patch.txt | 19 | ||||
-rw-r--r-- | 2011-002-patch.txt | 126 | ||||
-rw-r--r-- | krb5-1.9-buildconf.patch | 12 | ||||
-rw-r--r-- | krb5-1.9-canonicalize-fallback.patch | 59 | ||||
-rw-r--r-- | krb5-1.9-selinux-label.patch | 61 | ||||
-rw-r--r-- | krb5-1.9.1-ai_addrconfig.patch | 30 | ||||
-rw-r--r-- | krb5-1.9.1-ai_addrconfig2.patch | 120 | ||||
-rw-r--r-- | krb5-klist_s.patch | 29 | ||||
-rw-r--r-- | krb5-pkinit-debug.patch | 99 | ||||
-rw-r--r-- | krb5-trunk-chpw-err.patch | 24 | ||||
-rw-r--r-- | krb5-trunk-kadmin-oldproto.patch | 39 | ||||
-rw-r--r-- | krb5.spec | 98 | ||||
-rw-r--r-- | sources | 3 |
14 files changed, 543 insertions, 179 deletions
@@ -53,3 +53,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.9.tar.gz
 /krb5-1.9.tar.gz.asc
 /krb5-1.9-pdf.tar.bz2
+/krb5-1.9.1.tar.gz
+/krb5-1.9.1.tar.gz.asc
+/krb5-1.9.1-pdf.tar.bz2
diff --git a/2011-001-patch.txt b/2011-001-patch.txt
deleted file mode 100644
index 30ebf96..0000000
--- a/2011-001-patch.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
---- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
-+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
-@@ -404,11 +404,11 @@ retry:
- }
- 
- close(s);
-- if (iproprole == IPROP_SLAVE)
-+ if (iproprole == IPROP_SLAVE) {
- close(finet);
--
-- if ((ret = WEXITSTATUS(status)) != 0)
-- return (ret);
-+ if ((ret = WEXITSTATUS(status)) != 0)
-+ return (ret);
-+ }
- }
- if (iproprole == IPROP_SLAVE)
- break;
diff --git a/2011-002-patch.txt b/2011-002-patch.txt
deleted file mode 100644
index e4623e9..0000000
--- a/2011-002-patch.txt
+++ /dev/null
@@ -1,126 +0,0 @@ -diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c -index 63ff3b3..b4a90bb 100644 ---- a/src/kdc/dispatch.c -+++ b/src/kdc/dispatch.c -@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from, - kdc_insert_lookaside(pkt, *response); - #endif - -- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) { -+ if (is_tcp == 0 && *response != NULL && -+ (*response)->length > max_dgram_reply_size) { - too_big_for_udp: - krb5_free_data(kdc_context, *response); - retval = make_too_big_error(response); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index d677bb2..a356907 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er - #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) - - #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ -- do { \ -- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -- if (ldap_server_handle) \ -- ld = ldap_server_handle->ldap_handle; \ -- } \ -- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ -+ tempst = 0; \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ -+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -+ if (ldap_server_handle) \ -+ ld = ldap_server_handle->ldap_handle; \ -+ if (tempst == 0) \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ -+ NULL, NULL, &timelimit, \ -+ LDAP_NO_LIMIT, 
&result); \ -+ } \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -index 82b0333..84e80ee 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, - { - krb5_ldap_server_handle *handle = *ldap_server_handle; - -+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); - if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index 86fa4d1..0f49c86 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context, - * portion, then the first portion of the principal name SHOULD be - * "krbtgt". All this check is done in the immediate block. 
- */ -- if (searchfor->length == 2) -- if ((strncasecmp(searchfor->data[0].data, "krbtgt", -- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && -- (strncasecmp(searchfor->data[1].data, defrealm, -- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) -+ if (searchfor->length == 2) { -+ if (data_eq_string(searchfor->data[0], "krbtgt") && -+ data_eq_string(searchfor->data[1], defrealm)) - return 0; -+ } - - /* first check the length, if they are not equal, then they are not same */ - if (strlen(defrealm) != searchfor->realm.length) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 140db1a..552e39a 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -78,10 +78,10 @@ krb5_error_code - krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry **entry_ptr) - { -- char *user=NULL, *filter=NULL, **subtree=NULL; -+ char *user=NULL, *filter=NULL, *filtuser=NULL; - unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; -- char **values=NULL, *cname=NULL; -+ char **values=NULL, **subtree=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; - krb5_ldap_context *ldap_context=NULL; -@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - -- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ -+ filtuser = ldap_filter_correct(user); -+ if (filtuser == NULL) { -+ st = ENOMEM; -+ goto cleanup; -+ } -+ -+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } -- snprintf(filter, princlen, FILTER"%s))", user); -+ snprintf(filter, princlen, FILTER"%s))", filtuser); - - if 
((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; -@@ -207,6 +213,9 @@ cleanup: - if (user) - free(user); - -+ if (filtuser) -+ free(filtuser); -+ - if (cname) - free(cname); - diff --git a/krb5-1.9-buildconf.patch b/krb5-1.9-buildconf.patch index 12a3359..8641a24 100644 --- a/krb5-1.9-buildconf.patch +++ b/krb5-1.9-buildconf.patch @@ -36,3 +36,15 @@ diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 +diff -up krb5-1.9/src/config/pre.in krb5-1.9/src/config/pre.in +--- krb5-1.9/src/config/pre.in 2011-04-01 15:45:06.640705226 -0400 ++++ krb5-1.9/src/config/pre.in 2011-04-01 15:45:11.179705234 -0400 +@@ -188,7 +188,7 @@ + INSTALL_SCRIPT=@INSTALL_PROGRAM@ + INSTALL_DATA=@INSTALL_DATA@ + INSTALL_SHLIB=@INSTALL_SHLIB@ +-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root ++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 + ## This is needed because autoconf will sometimes define @exec_prefix@ to be + ## ${prefix}. + prefix=@prefix@ diff --git a/krb5-1.9-canonicalize-fallback.patch b/krb5-1.9-canonicalize-fallback.patch new file mode 100644 index 0000000..897910b --- /dev/null +++ b/krb5-1.9-canonicalize-fallback.patch 
@@ -0,0 +1,59 @@ +From RT#6917. + +--- a/src/lib/krb5/krb/get_creds.c ++++ b/src/lib/krb5/krb/get_creds.c +@@ -466,13 +466,10 @@ begin_non_referral(krb5_context context, krb5_tkt_creds_context ctx) + + /***** STATE_REFERRALS *****/ + +-/* +- * Possibly retry a request in the fallback realm after a referral request +- * failure in the local realm. Expects ctx->reply_code to be set to the error +- * from a referral request. +- */ ++/* Possibly try a non-referral request after a referral request failure. ++ * Expects ctx->reply_code to be set to the error from a referral request. */ + static krb5_error_code +-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) ++try_fallback(krb5_context context, krb5_tkt_creds_context ctx) + { + krb5_error_code code; + char **hrealms; +@@ -481,9 +478,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) + if (ctx->referral_count > 1) + return ctx->reply_code; + +- /* Only fall back if the original request used the referral realm. */ ++ /* If the request used a specified realm, make a non-referral request to ++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ + if (!krb5_is_referral_realm(&ctx->req_server->realm)) +- return ctx->reply_code; ++ return begin_non_referral(context, ctx); + + if (ctx->server->length < 2) { + /* We need a type/host format principal to find a fallback realm. */ +@@ -496,10 +494,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) + if (code != 0) + return code; + +- /* Give up if the fallback realm isn't any different. */ ++ /* If the fallback realm isn't any different, use the existing TGT. */ + if (data_eq_string(ctx->server->realm, hrealms[0])) { + krb5_free_host_realm(context, hrealms); +- return ctx->reply_code; ++ return begin_non_referral(context, ctx); + } + + /* Rewrite server->realm to be the fallback realm. 
*/ +@@ -536,9 +534,9 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx) + krb5_error_code code; + const krb5_data *referral_realm; + +- /* Possibly retry with the fallback realm on error. */ ++ /* Possibly try a non-referral fallback request on error. */ + if (ctx->reply_code != 0) +- return try_fallback_realm(context, ctx); ++ return try_fallback(context, ctx); + + if (krb5_principal_compare(context, ctx->reply_creds->server, + ctx->server)) { diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch index 5dd274f..03e58c4 100644 --- a/krb5-1.9-selinux-label.patch +++ b/krb5-1.9-selinux-label.patch @@ -42,7 +42,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1791,3 +1792,53 @@ AC_SUBST(manlocalstatedir) +@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) AC_SUBST(manlibexecdir) AC_CONFIG_FILES($1) ]) @@ -71,9 +71,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 + AC_CHECK_FUNCS(setfscreatecon selabel_open) + if test "x$ac_cv_func_setfscreatecon" = xno ; then + AC_CHECK_LIB(selinux,setfscreatecon) -+ AC_CHECK_LIB(selinux,selabel_open) + unset ac_cv_func_setfscreatecon -+ unset ac_cv_func_selabel_open + AC_CHECK_FUNCS(setfscreatecon selabel_open) + if test "x$ac_cv_func_setfscreatecon" = xyes ; then + SELINUX_LIBS="$LIBS" @@ -90,7 +88,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 + AC_MSG_NOTICE([building with SELinux labeling support]) + AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) + SELINUX_LIBS="$LIBS" -+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" + fi +fi +LIBS="$old_LIBS" 
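Review bot: In try_fallback the two new `return begin_non_referral(context, ctx);` lines fire for every non-zero ctx->reply_code, so any failed referral request to a specified realm — an unknown principal, a policy rejection — is presumably followed by a second, non-canonicalizing request to the same realm, not only when the KDC objected to KDC_OPT_CANONICALIZE. That doubles the round trips on ordinary failures, and the error the caller finally sees would be whatever the retry produces rather than the original reply. If the pre-canonicalize KDCs this targets return a distinguishable error code, gating the retry on that code would keep the fallback narrow; the new function comment should at least say that the fallback is attempted on any referral failure. try_fallback and step_referrals both continue outside the excerpted hunks.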
@@ -142,7 +140,7 @@ diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h --- krb5-1.8/src/include/k5-label.h.selinux-label 2010-03-05 10:57:23.000000000 -0500 +++ krb5-1.8/src/include/k5-label.h 2010-03-05 10:57:23.000000000 -0500 -@@ -0,0 +1,30 @@ +@@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H + @@ -168,6 +166,8 @@ diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-l +int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); +#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) +#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); +#else +#define WRITABLEFOPEN(x,y) fopen(x,y) +#define THREEPARAMOPEN(x,y,z) open(x,y,z) @@ -501,9 +501,9 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c --- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500 +++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500 -@@ -0,0 +1,346 @@ +@@ -0,0 +1,362 @@ +/* -+ * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved. ++ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: 
@@ -721,6 +721,22 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup + } +} + ++void * ++krb5int_push_fscreatecon_for(const char *pathname) ++{ ++ struct stat st; ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ return push_fscreatecon(pathname, st.st_mode); ++} ++ ++void ++krb5int_pop_fscreatecon(void *con) ++{ ++ pop_fscreatecon(con); ++} ++ +FILE * +krb5int_labeled_fopen(const char *path, const char *mode) +{ @@ -848,3 +864,34 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup +} + +#endif +diff -up krb5-1.8/src/lib/krb5/rcache/rc_dfl.c krb5-1.8/src/lib/krb5/rcache/rc_dfl.c +--- krb5-1.8/src/lib/krb5/rcache/rc_dfl.c 2011-06-13 21:04:04.994208850 -0400 ++++ krb5-1.8/src/lib/krb5/rcache/rc_dfl.c 2011-06-13 21:05:07.416208760 -0400 +@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! t->recovering) { + name = t->name; +@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { diff --git a/krb5-1.9.1-ai_addrconfig.patch b/krb5-1.9.1-ai_addrconfig.patch new file mode 100644 index 0000000..5e2d201 --- /dev/null +++ b/krb5-1.9.1-ai_addrconfig.patch 
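Review bot: In the rc_dfl.c hunk the new `if (selabel != NULL) krb5int_pop_fscreatecon(selabel);` makes the pop conditional on the value the push returned, and krb5int_push_fscreatecon_for simply forwards whatever push_fscreatecon gives back; if push_fscreatecon can return NULL to mean "no previous creation context" rather than only failure, the temporary context is never popped and every file this thread creates afterwards inherits the replay-cache label. push_fscreatecon is defined outside the hunk, so confirm its contract; if NULL is a valid previous value, pop unconditionally and let krb5int_pop_fscreatecon accept NULL. The fallback in krb5int_push_fscreatecon_for also passes a bare `S_IRUSR | S_IWUSR` when stat() fails while the success path passes the whole st_mode including the file-type bits, so push_fscreatecon sees two shapes of mode; a comment such as `/* stat() failed: assume a new private regular file is about to be created */` would make the intent explicit, and masking with S_IFMT-aware logic in one place would make the two paths consistent.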
@@ -0,0 +1,30 @@ +From RT#6922. When we're converting a host/service pair into a principal +name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try +to avoid libc having doing a PTR lookup because we also specify +AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea. + +Index: src/lib/krb5/os/sn2princ.c +=================================================================== +--- src/lib/krb5/os/sn2princ.c (revision 24976) ++++ src/lib/krb5/os/sn2princ.c (revision 24977) +@@ -105,19 +105,12 @@ + hostnames associated. */ + + memset(&hints, 0, sizeof(hints)); +- hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; +- try_getaddrinfo_again: ++ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { + #ifdef DEBUG_REFERRALS + printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname); + #endif +- if (hints.ai_family == AF_INET) { +- /* Just in case it's an IPv6-only name. */ +- hints.ai_family = 0; +- goto try_getaddrinfo_again; +- } + return KRB5_ERR_BAD_HOSTNAME; + } + remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname); diff --git a/krb5-1.9.1-ai_addrconfig2.patch b/krb5-1.9.1-ai_addrconfig2.patch new file mode 100644 index 0000000..5c2e2a7 --- /dev/null +++ b/krb5-1.9.1-ai_addrconfig2.patch 
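Review bot: Adding AI_ADDRCONFIG to the sname_to_princ hints changes behaviour on hosts whose only configured interface is loopback: per the getaddrinfo(3) description the loopback address does not count as a configured address for AI_ADDRCONFIG, so on some libc implementations the lookup fails and krb5_sname_to_principal() returns KRB5_ERR_BAD_HOSTNAME for names that resolved before (build chroots and freshly booted hosts are where this tends to surface). The removed `try_getaddrinfo_again` path only varied ai_family, never ai_flags, so there is no fallback left once this fails. The patch header should record the trade-off, e.g. `Note: with AI_ADDRCONFIG, names whose only addresses belong to a family with no configured non-loopback interface will now fail to resolve.` The enclosing function starts and ends outside the excerpt.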
@@ -0,0 +1,120 @@ +Most of RT#6923, except for the part that depends on the sendto_kdc rewrite +(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we +specify hints to getaddrinfo() to get the address of a server. + +Index: src/plugins/locate/python/py-locate.c +=================================================================== +--- src/plugins/locate/python/py-locate.c (revision 24977) ++++ src/plugins/locate/python/py-locate.c (revision 24978) +@@ -302,6 +302,7 @@ + return -1; + } + aihints.ai_socktype = thissocktype; ++ aihints.ai_flags = AI_ADDRCONFIG; + x = getaddrinfo (hoststr, portstr, &aihints, &airesult); + if (x != 0) + continue; +Index: src/appl/sample/sclient/sclient.c +=================================================================== +--- src/appl/sample/sclient/sclient.c (revision 24977) ++++ src/appl/sample/sclient/sclient.c (revision 24978) +@@ -125,6 +125,7 @@ + + memset(&aihints, 0, sizeof(aihints)); + aihints.ai_socktype = SOCK_STREAM; ++ aihints.ai_flags = AI_ADDRCONFIG; + aierr = getaddrinfo(argv[1], portstr, &aihints, &ap); + if (aierr) { + fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n", +Index: src/kadmin/dbutil/kadm5_create.c +=================================================================== +--- src/kadmin/dbutil/kadm5_create.c (revision 24977) ++++ src/kadmin/dbutil/kadm5_create.c (revision 24978) +@@ -184,7 +184,7 @@ + goto clean_and_exit; + } + memset(&ai_hints, 0, sizeof(ai_hints)); +- ai_hints.ai_flags = AI_CANONNAME; ++ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); + if (gai_error) { + ret = EINVAL; +Index: src/lib/kadm5/alt_prof.c +=================================================================== +--- src/lib/kadm5/alt_prof.c (revision 24977) ++++ src/lib/kadm5/alt_prof.c (revision 24978) +@@ -897,7 +897,7 @@ + } + + memset(&hint, 0, sizeof(hint)); +- hint.ai_flags = AI_CANONNAME; ++ hint.ai_flags = AI_CANONNAME | 
AI_ADDRCONFIG; + err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai); + if (err != 0) { + ret = KADM5_CANT_RESOLVE; +Index: src/lib/kadm5/clnt/client_init.c +=================================================================== +--- src/lib/kadm5/clnt/client_init.c (revision 24977) ++++ src/lib/kadm5/clnt/client_init.c (revision 24978) +@@ -563,8 +563,9 @@ + (void) snprintf(portbuf, sizeof(portbuf), "%d", port); + memset(&hint, 0, sizeof(hint)); + hint.ai_socktype = SOCK_STREAM; ++ hint.ai_flags = AI_ADDRCONFIG; + #ifdef AI_NUMERICSERV +- hint.ai_flags = AI_NUMERICSERV; ++ hint.ai_flags |= AI_NUMERICSERV; + #endif + err = getaddrinfo(hostname, portbuf, &hint, &addrs); + if (err != 0) +Index: src/lib/krb5/os/hostaddr.c +=================================================================== +--- src/lib/krb5/os/hostaddr.c (revision 24977) ++++ src/lib/krb5/os/hostaddr.c (revision 24978) +@@ -41,7 +41,7 @@ + return KRB5_ERR_BAD_HOSTNAME; + + memset (&hints, 0, sizeof (hints)); +- hints.ai_flags = AI_NUMERICHOST; ++ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; + /* We don't care what kind at this point, really, but without + this, we can get back multiple sockaddrs per address, for + SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. 
I haven't checked if +Index: src/lib/krb5/os/hst_realm.c +=================================================================== +--- src/lib/krb5/os/hst_realm.c (revision 24977) ++++ src/lib/krb5/os/hst_realm.c (revision 24978) +@@ -107,7 +107,7 @@ + int err; + + memset (&hints, 0, sizeof (hints)); +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; + err = getaddrinfo (name, 0, &hints, &ai); + if (err) + return krb5int_translate_gai_error (err); +Index: src/slave/kprop.c +=================================================================== +--- src/slave/kprop.c (revision 24977) ++++ src/slave/kprop.c (revision 24978) +@@ -322,6 +322,7 @@ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_ADDRCONFIG; + error = getaddrinfo(host, port, &hints, &answers); + if (error != 0) { + com_err(progname, 0, "%s: %s", host, gai_strerror(error)); +--- src/lib/krb5/os/locate_kdc.c ++++ src/lib/krb5/os/locate_kdc.c +@@ -259,8 +259,9 @@ + memset(&hint, 0, sizeof(hint)); + hint.ai_family = family; + hint.ai_socktype = socktype; ++ hint.ai_flags = AI_ADDRCONFIG; + #ifdef AI_NUMERICSERV +- hint.ai_flags = AI_NUMERICSERV; ++ hint.ai_flags |= AI_NUMERICSERV; + #endif + result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); + if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) diff --git a/krb5-klist_s.patch b/krb5-klist_s.patch index 3a219ee..3e96ed6 100644 --- a/krb5-klist_s.patch +++ b/krb5-klist_s.patch 
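Review bot: In the hostaddr.c hunk `hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;` applies an interface-configuration filter to what is purely a parse of an address literal; with AI_ADDRCONFIG set, an IPv6 literal on a host with no configured non-loopback IPv6 address now fails the lookup instead of yielding an address, and likewise an IPv4 literal on an IPv6-only host. The description at the top of the file scopes the flag to resolving server addresses, which a numeric parse is not, so I would drop it from that one call site and keep `hints.ai_flags = AI_NUMERICHOST;`. The `=` to `|=` changes in client_init.c and locate_kdc.c, which keep AI_ADDRCONFIG when AI_NUMERICSERV is also set, look right. The enclosing functions in every hunk start outside the excerpts.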
@@ -2,13 +2,28 @@ Don't trip over referral entries. RT#6915 Index: krb5/src/clients/klist/klist.c =================================================================== ---- krb5/src/clients/klist/klist.c (revision 24943) -+++ krb5/src/clients/klist/klist.c (working copy) -@@ -386,6 +386,7 @@ +--- krb5/src/clients/klist/klist.c ++++ krb5/src/clients/klist/klist.c +@@ -24,7 +24,7 @@ + * List out the contents of your credential cache or keytab. + */ + +-#include "autoconf.h" ++#include "k5-int.h" + #include <krb5.h> + #include <com_err.h> + #include <stdlib.h> +@@ -386,10 +386,9 @@ continue; if (status_only) { if (exit_status && creds.server->length == 2 && -+ creds.server->realm.length > 0 && - strcmp(creds.server->realm.data, princ->realm.data) == 0 && - strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && - strcmp((char *)creds.server->data[1].data, +- strcmp(creds.server->realm.data, princ->realm.data) == 0 && +- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && +- strcmp((char *)creds.server->data[1].data, +- princ->realm.data) == 0 && ++ data_eq(creds.server->realm, princ->realm) && ++ data_eq_string(creds.server->data[0], "krbtgt") && ++ data_eq(creds.server->data[1], princ->realm) && + creds.times.endtime > now) + exit_status = 0; + } else { diff --git a/krb5-pkinit-debug.patch b/krb5-pkinit-debug.patch new file mode 100644 index 0000000..201c45d --- /dev/null +++ b/krb5-pkinit-debug.patch 
@@ -0,0 +1,99 @@ +This is a cheap, non-very-portable way to make debugging a run-time option. + +diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h +index 6598482..85e1c0d 100644 +--- a/src/plugins/preauth/pkinit/pkinit.h ++++ b/src/plugins/preauth/pkinit/pkinit.h +@@ -34,6 +34,7 @@ + #include <krb5/krb5.h> + #include <krb5/preauth_plugin.h> + #include <k5-int-pkinit.h> ++#include <autoconf.h> + #include <profile.h> + #include "pkinit_accessor.h" + +@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */ + #define pkiDebug printf + #else + /* Still evaluates for side effects. */ +-static inline void pkiDebug (const char *fmt, ...) { } ++/* static inline void pkiDebug (const char *fmt, ...) { } */ ++#define pkiDebug if (pkinit_debug_is_enabled()) printf + /* This is better if the compiler doesn't inline variadic functions + well, but gcc will warn about "left-hand operand of comma + expression has no effect". Still evaluates for side effects. */ + /* #define pkiDebug (void) */ + #endif ++extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc); ++extern int pkinit_debug_is_enabled(void); + + /* Solaris compiler doesn't grok __FUNCTION__ + * hack for now. Fix all the uses eventually. 
*/ +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 6888c1b..bb39fce 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context, + pkinit_req_context reqctx = (pkinit_req_context)request_context; + krb5_keyblock *armor_key = NULL; + ++ pkinit_debug_init(context, &(request->server->realm), 0); ++ + pkiDebug("pkinit_client_process %p %p %p %p\n", + context, plgctx, reqctx, request); + +diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c +index a6d7762..2b59fd0 100644 +--- a/src/plugins/preauth/pkinit/pkinit_lib.c ++++ b/src/plugins/preauth/pkinit/pkinit_lib.c +@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename) + + fclose(f); + } ++ ++/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass ++ in a context structure, which is where this flag would be better placed. 
*/ ++static __thread int pkinit_debug_enabled = 0; ++ ++void ++pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc) ++{ ++ pkinit_debug_enabled = -1; ++ if (kdc) { ++ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug", ++ -1, &pkinit_debug_enabled); ++ } ++ if (pkinit_debug_enabled == -1) { ++ pkinit_libdefault_boolean(context, realm, "pkinit_debug", ++ 0, &pkinit_debug_enabled); ++ } ++ printf("pkinit_debug: %d\n", pkinit_debug_enabled); ++} ++ ++int ++pkinit_debug_is_enabled(void) ++{ ++ return (pkinit_debug_enabled == 1); ++} +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 5a7a5ad..d7a0a44 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context, + pkinit_kdc_context plgctx = NULL; + krb5_keyblock *armor_key = NULL; + ++ pkinit_debug_init(context, &(request->server->realm), 1); ++ + pkiDebug("pkinit_server_get_edata: entered!\n"); + + /* Remove (along with armor_key) when FAST PKINIT is settled. */ +@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context, + int is_signed = 1; + krb5_keyblock *armor_key; + ++ pkinit_debug_init(context, &(request->server->realm), 1); ++ + pkiDebug("pkinit_verify_padata: entered!\n"); + if (data == NULL || data->length <= 0 || data->contents == NULL) + return 0; diff --git a/krb5-trunk-chpw-err.patch b/krb5-trunk-chpw-err.patch new file mode 100644 index 0000000..5810f29 --- /dev/null +++ b/krb5-trunk-chpw-err.patch 
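Review bot: The new `#define pkiDebug if (pkinit_debug_is_enabled()) printf` in pkinit.h expands to an unbraced if-statement, so a caller written as `if (cond) pkiDebug(...); else stmt;` now binds the else to the macro's own if and silently inverts the caller's logic, and a pkiDebug call inside an unbraced if body changes that body's structure too. The safer form is `#define pkiDebug(...) do { if (pkinit_debug_is_enabled()) printf(__VA_ARGS__); } while (0)`, which needs C99 variadic macros — worth checking against the Solaris compiler the header already worries about. In pkinit_lib.c, `printf("pkinit_debug: %d\n", pkinit_debug_enabled);` runs on every entry through pkinit_debug_init whether or not debugging is enabled, writing to the stdout of the client or the KDC; guard it with `if (pkinit_debug_enabled == 1)` or drop it. The spec applies this patch commented out (`#%patch75`), so none of this is active in the built package.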
@@ -0,0 +1,24 @@
+Don't suppress the error code from an error message when the error message
+contains e-data. RT#6893
+Index: src/lib/krb5/krb/chpw.c
+===================================================================
+--- src/lib/krb5/krb/chpw.c (revision 24838)
++++ src/lib/krb5/krb/chpw.c (working copy)
+@@ -111,15 +111,11 @@
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+
+- if (krberror->e_data.data == NULL)
+- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+- else
+- ret = KRB5KRB_AP_ERR_MODIFIED;
++ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ krb5_free_error(context, krberror);
+ return(ret);
+- } else {
+- return(KRB5KRB_AP_ERR_MODIFIED);
+ }
++ return(KRB5KRB_AP_ERR_MODIFIED);
+ }
+
+
diff --git a/krb5-trunk-kadmin-oldproto.patch b/krb5-trunk-kadmin-oldproto.patch
new file mode 100644
index 0000000..da4172a
--- /dev/null
+++ b/krb5-trunk-kadmin-oldproto.patch
@@ -0,0 +1,39 @@ +------------------------------------------------------------------------ +r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines + +ticket: 6920 +subject: Fix old-style GSSRPC authentication +target_version: 1.9.2 +tags: pullup + +r24147 (ticket #6746) made libgssrpc ignorant of the remote address of +the kadmin socket, even when it's IPv4. This made old-style GSSAPI +authentication fail because it uses the wrong channel bindings. Fix +this problem by making clnttcp_create() get the remote address from +the socket using getpeername() if the caller doesn't provide it and +it's an IPv4 address. +------------------------------------------------------------------------ +Index: src/lib/rpc/clnt_tcp.c +=================================================================== +--- src/lib/rpc/clnt_tcp.c (revision 24966) ++++ src/lib/rpc/clnt_tcp.c (revision 24967) +@@ -187,9 +187,16 @@ + ct->ct_sock = *sockp; + ct->ct_wait.tv_usec = 0; + ct->ct_waitset = FALSE; +- if (raddr == NULL) +- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); +- else ++ if (raddr == NULL) { ++ /* Get the remote address from the socket, if it's IPv4. */ ++ struct sockaddr_in sin; ++ socklen_t len = sizeof(sin); ++ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len); ++ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET) ++ ct->ct_addr = sin; ++ else ++ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); ++ } else + ct->ct_addr = *raddr; + + /* @@ -5,10 +5,10 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.9 -Release: 8%{?dist} +Version: 1.9.1 +Release: 5%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar +# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar Source0: krb5-%{version}.tar.gz Source1: krb5-%{version}.tar.gz.asc Source2: kpropd.init 
@@ -49,12 +49,14 @@ Patch63: krb5-1.9-selinux-label.patch Patch70: krb5-trunk-kpasswd_tcp2.patch Patch71: krb5-1.9-dirsrv-accountlock.patch Patch72: krb5-pkinit-cms2.patch -Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt -Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt -Patch75: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt -Patch76: krb5-1.9-paren.patch -Patch77: http://web.mit.edu/kerberos/advisories/2011-004-patch.txt -Patch78: krb5-klist_s.patch +Patch75: krb5-pkinit-debug.patch +Patch77: krb5-1.9-paren.patch +Patch78: krb5-trunk-chpw-err.patch +Patch79: krb5-klist_s.patch +Patch80: krb5-trunk-kadmin-oldproto.patch +Patch81: krb5-1.9-canonicalize-fallback.patch +Patch82: krb5-1.9.1-ai_addrconfig.patch +Patch83: krb5-1.9.1-ai_addrconfig2.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -76,6 +78,9 @@ BuildRequires: openldap-devel %if %{WITH_OPENSSL} BuildRequires: openssl-devel >= 0.9.8 %endif +%if %{WITH_NSS} +BuildRequires: nss-devel >= 3.12.10 +%endif %description Kerberos V5 is a trusted-third-party network authentication system, @@ -192,12 +197,14 @@ ln -s NOTICE LICENSE #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock %patch72 -p1 -b .pkinit_cms2 -%patch73 -p1 -b .2011-001 -%patch74 -p1 -b .2011-002 -%patch75 -p1 -b .2011-003 -%patch76 -p1 -b .paren -%patch77 -p1 -b .2011-004 -%patch78 -p1 -b .klist_s +#%patch75 -p1 -b .pkinit-debug +%patch77 -p1 -b .paren +%patch78 -p0 -b .chpw-err +%patch79 -p1 -b .klist_s +%patch80 -p0 -b .kadmin-oldproto +%patch81 -p1 -b .canonicalize-fallback +%patch82 -p0 -b .ai_addrconfig +%patch83 -p0 -b .ai_addrconfig2 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -292,6 +299,7 @@ make %{?_smp_mflags} popd # A sanity checker for upgrades. +env LD_LIBRARY_PATH=`pwd`/src/lib \ %{__cc} -o kdb_check_weak \ -I src/include `./src/krb5-config --cflags kdb` \ %{SOURCE35} \ 
@@ -656,21 +664,71 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
-* Wed May 25 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-8
+* Thu Jun 23 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-5
+- pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or not to ask for an IPv6 address based on the set of configured interfaces (RT#6922)
+- pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923)
+
+* Mon Jun 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-4
+- apply upstream patch by way of Burt Holzman to fall back to a non-referral method in cases where we might be derailed by a KDC that rejects the canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074)
+
+* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-3
+- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating using the old protocol over IPv4 again (RT#6920)
+
+* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate a fix to teach the file labeling bits about when replay caches are expunged (#576093)
+
+* Thu May 26 2011 Nalin Dahyabhai <nalin@redhat.com>
+- switch to the upstream patch for #707145
+
+* Wed May 25 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-2
 - klist: don't trip over referral entries when invoked with -s (#707145, RT#6915)
-* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-7
+* Fri May 6 2011 Nalin Dahyabhai <nalin@redhat.com>
+- fixup URL in a comment
+- when built with NSS, require 3.12.10 rather than 3.12.9
+
+* Thu May 5 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-1
+- update to 1.9.1: - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
+
+* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-9
 - kadmind: add upstream patch to fix free() on an invalid pointer (#696343, MITKRB5-SA-2011-004, CVE-2011-0285)
-* Fri Mar 18 2011 Nalin Dahyabhai <nalin@redhat.com>
+* Mon Apr 4 2011 Nalin Dahyabhai <nalin@redhat.com>
+- don't discard the error code from an error message received in response to a change-password request (#658871, RT#6893)
+
+* Fri Apr 1 2011 Nalin Dahyabhai <nalin@redhat.com>
+- override INSTALL_SETUID at build-time so that ksu is installed into the buildroot with the right permissions (part of #225974)
+
+* Fri Mar 18 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-8
 - backport change from SVN to fix a computed-value-not-used warning in kpropd (#684065)
-* Tue Mar 15 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-6
+* Tue Mar 15 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-7
+- turn off NSS as the backend for libk5crypto for now to work around its DES string2key not working (#679012)
 - add revised upstream patch to fix double-free in KDC while returning
- typed-data with errors (CVE-2011-0284, #674325)
+ typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325)
+
+* Thu Feb 17 2011 Nalin Dahyabhai <nalin@redhat.com>
+- throw in a not-applied-by-default patch to try to make pkinit debugging into a run-time boolean option named "pkinit_debug"
+
+* Wed Feb 16 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-6
+- turn on NSS as the backend for libk5crypto, adding nss-devel as a build dependency when that switch is flipped
 * Wed Feb 9 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-5
 - krb5kdc init script: prototype some changes to do a quick spot-check
@@ -1,3 +1,6 @@
 f8870f28cdae2e00d2ea0874024bc059 krb5-1.9.tar.gz
 998f37422c6739d872e9588e40756312 krb5-1.9.tar.gz.asc
 08820591bd2b0067d4b1b9cbf3fefcbd krb5-1.9-pdf.tar.bz2
+88d7bbb869849cd0cce1af3165ac0cc6 krb5-1.9.1.tar.gz
+a0bd0c8ff1a2d7e41be77b80e713c319 krb5-1.9.1.tar.gz.asc
+9d214707c921ba0887f92fb5408d0370 krb5-1.9.1-pdf.tar.bz2 |
