Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at Mon Aug 22 15:22:24 CEST 2011. --------
--- krb5/krb5-doc.changes 2010-04-09 12:47:36.000000000 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-doc.changes 2011-08-22 10:22:11.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
+
+- update to version 1.9.1
+
+-------------------------------------------------------------------
--- krb5/krb5-mini.changes 2011-04-14 11:34:57.000000000 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-mini.changes 2011-08-22 10:17:47.000000000 +0200
@@ -1,0 +2,19 @@
+Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
krb5.changes: same change calling whatdependson for head-i586 Old: ---- MITKRB5-SA-2010-007-1.8.dif krb5-1.4.3-enospc.dif krb5-1.6.1-compile_pie.dif krb5-1.6.3-fix-ipv6-query.dif krb5-1.6.3-kprop-use-mkstemp.dif krb5-1.7-manpaths.dif krb5-1.7-manpaths.txt krb5-1.8-MITKRB5-SA-2010-006.dif krb5-1.8-MITKRB5-SA-2011-001.dif krb5-1.8-MITKRB5-SA-2011-002.dif krb5-1.8-MITKRB5-SA-2011-003.dif krb5-1.8-MITKRB5-SA-2011-004.dif krb5-1.8.3-rpmlintrc krb5-1.8.3.tar.bz2 krb5-doc-1.8.3-rpmlintrc New: ---- krb5-1.7-doublelog.patch krb5-1.7-nodeplibs.patch krb5-1.8-api.patch krb5-1.8-manpaths.txt krb5-1.8-pam.patch krb5-1.9-buildconf.patch krb5-1.9-canonicalize-fallback.patch krb5-1.9-kprop-mktemp.patch krb5-1.9-ksu-path.patch krb5-1.9-manpaths.dif krb5-1.9-paren.patch krb5-1.9-selinux-label.patch krb5-1.9.1-ai_addrconfig.patch krb5-1.9.1-ai_addrconfig2.patch krb5-1.9.1-sendto_poll.patch krb5-1.9.1.tar.bz2 krb5-doc-rpmlintrc krb5-klist_s.patch krb5-pkinit-cms2.patch krb5-rpmlintrc krb5-trunk-chpw-err.patch krb5-trunk-gss_delete_sec.patch krb5-trunk-kadmin-oldproto.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-doc.spec ++++++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 
+0200
@@ -20,15 +20,15 @@
 Name: krb5-doc
 BuildRequires: ghostscript-library latex2html texlive
-Version: 1.8.3
-Release: 6
-%define srcRoot krb5-1.8.3
+Version: 1.9.1
+Release: 1
+%define srcRoot krb5-1.9.1
 Summary: MIT Kerberos5 Implementation--Documentation
 License: MIT License (or similar)
 Url: http://web.mit.edu/kerberos/www/
 Group: Documentation/Other
-Source: krb5-1.8.3.tar.bz2
-Source3: %{name}-%{version}-rpmlintrc
+Source: krb5-%{version}.tar.bz2
+Source3: %{name}-rpmlintrc
 Patch0: krb5-1.3.5-perlfix.dif
 Patch1: krb5-1.6.3-texi2dvi-fix.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 +0200
@@ -18,7 +18,7 @@
 # norootforbuild
 %define build_mini 1
-%define srcRoot krb5-1.8.3
+%define srcRoot krb5-1.9.1
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir %{_defaultdocdir}/krb5
@@ -27,10 +27,12 @@
 Url: http://web.mit.edu/kerberos/www/
 BuildRequires: bison libcom_err-devel ncurses-devel
 BuildRequires: keyutils keyutils-devel
-Version: 1.8.3
-Release: 6
+BuildRequires: libselinux-devel
+Version: 1.9.1
+Release: 1
 %if ! 0%{?build_mini}
 BuildRequires: libopenssl-devel openldap2-devel
+BuildRequires: pam-devel
 # bug437293
 %ifarch ppc64
 Obsoletes: krb5-64bit
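Review bot: `BuildRequires: libselinux-devel` is added outside the `%if ! 0%{?build_mini}` block, while the matching `--with-selinux` (like `--with-pam` and `--enable-pkinit`) is passed to configure only inside that block in the %build hunk further down, so the mini build pulls in libselinux-devel but never asks for SELinux labelling as far as the spec shows. If krb5-1.9-selinux-label.patch autodetects libselinux at configure time, the mini libraries silently gain a libselinux runtime dependency; if it does not, the BuildRequires is dead weight in that flavour. Either move the line next to `BuildRequires: pam-devel` inside the conditional, or pass `--with-selinux` in both configure branches and record the intent with a comment. The identical hunk in krb5.spec below is unaffected in practice because it hard-codes `build_mini 0`, but keeping the two specs in step is what the `%if` exists for.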
@@ -42,25 +44,33 @@
 Summary: MIT Kerberos5 Implementation--Libraries
 Group: Productivity/Networking/Security
 %endif
-Source: krb5-1.8.3.tar.bz2
+Source: krb5-1.9.1.tar.bz2
 Source1: vendor-files.tar.bz2
 Source2: baselibs.conf
-Source5: krb5-%{version}-rpmlintrc
-Source10: krb5-1.7-manpaths.txt
-Patch1: krb5-1.6.1-compile_pie.dif
-Patch2: krb5-1.6.3-kprop-use-mkstemp.dif
-Patch3: krb5-1.7-manpaths.dif
-Patch4: krb5-1.4.3-enospc.dif
+Source5: krb5-rpmlintrc
+Source10: krb5-1.8-manpaths.txt
+Patch1: krb5-1.9-buildconf.patch
+Patch3: krb5-1.9-manpaths.dif
 Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6: krb5-1.6.3-kpasswd_tcp.patch
 Patch7: krb5-1.6.3-ktutil-manpage.dif
-Patch8: krb5-1.6.3-fix-ipv6-query.dif
-Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif
-Patch13: MITKRB5-SA-2010-007-1.8.dif
-Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif
-Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif
-Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif
-Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif
+Patch10: krb5-1.7-doublelog.patch
+Patch11: krb5-1.7-nodeplibs.patch
+Patch12: krb5-1.8-api.patch
+Patch13: krb5-1.8-pam.patch
+Patch14: krb5-1.9.1-ai_addrconfig.patch
+Patch15: krb5-1.9.1-ai_addrconfig2.patch
+Patch16: krb5-1.9.1-sendto_poll.patch
+Patch17: krb5-1.9-canonicalize-fallback.patch
+Patch18: krb5-1.9-kprop-mktemp.patch
+Patch19: krb5-1.9-ksu-path.patch
+Patch20: krb5-1.9-paren.patch
+Patch21: krb5-1.9-selinux-label.patch
+Patch22: krb5-klist_s.patch
+Patch23: krb5-pkinit-cms2.patch
+Patch24: krb5-trunk-chpw-err.patch
+Patch25: krb5-trunk-gss_delete_sec.patch
+Patch26: krb5-trunk-kadmin-oldproto.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
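Review bot: The six MITKRB5-SA-* backports (old Patch12 through Patch17) vanish from the Patch list without any trace of why, and the same numbers are immediately reused for unrelated Fedora patches, so nothing in the spec records that the 2010-006/007 and 2011-001..004 advisories are still covered. Presumably 1.9.1 ships those fixes upstream — the changes file only says "obsolete patches" — but the next person chasing an advisory has to rediscover that. A one-line comment above `Patch10:` such as `# MITKRB5-SA-2010-006/007 and 2011-001..004 are fixed upstream as of 1.9.1; no backports carried` keeps the security history auditable. The identical hunk in krb5.spec below wants the same comment.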
@@ -200,20 +210,28 @@
 %prep
 %setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
-%patch1
-%patch2
+%patch13 -p1
 %patch3 -p1
-%patch4 -p1
+%patch21 -p1
+%patch1 -p1
 %patch5 -p1
 %patch6
 %patch7 -p1
-%patch8 -p1
+%patch10 -p1
+%patch11 -p1
 %patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p0
-%patch16 -p1
+%patch14
+%patch15
+%patch16
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24
+%patch25 -p1
+%patch26
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
@@ -242,6 +260,9 @@
 --disable-rpath \
 %if ! %{build_mini}
 --with-ldap \
+ --with-pam \
+ --enable-pkinit \
+ --with-selinux \
 %else
 --disable-pkinit \
 %endif
++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 +0200
@@ -18,7 +18,7 @@
 # norootforbuild
 %define build_mini 0
-%define srcRoot krb5-1.8.3
+%define srcRoot krb5-1.9.1
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir %{_defaultdocdir}/krb5
@@ -27,10 +27,12 @@
 Url: http://web.mit.edu/kerberos/www/
 BuildRequires: bison libcom_err-devel ncurses-devel
 BuildRequires: keyutils keyutils-devel
-Version: 1.8.3
-Release: 19
+BuildRequires: libselinux-devel
+Version: 1.9.1
+Release: 1
 %if ! 0%{?build_mini}
 BuildRequires: libopenssl-devel openldap2-devel
+BuildRequires: pam-devel
 # bug437293
 %ifarch ppc64
 Obsoletes: krb5-64bit
@@ -42,25 +44,33 @@
 Summary: MIT Kerberos5 Implementation--Libraries
 Group: Productivity/Networking/Security
 %endif
-Source: krb5-1.8.3.tar.bz2
+Source: krb5-1.9.1.tar.bz2
 Source1: vendor-files.tar.bz2
 Source2: baselibs.conf
-Source5: krb5-%{version}-rpmlintrc
-Source10: krb5-1.7-manpaths.txt
-Patch1: krb5-1.6.1-compile_pie.dif
-Patch2: krb5-1.6.3-kprop-use-mkstemp.dif
-Patch3: krb5-1.7-manpaths.dif
-Patch4: krb5-1.4.3-enospc.dif
+Source5: krb5-rpmlintrc
+Source10: krb5-1.8-manpaths.txt
+Patch1: krb5-1.9-buildconf.patch
+Patch3: krb5-1.9-manpaths.dif
 Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6: krb5-1.6.3-kpasswd_tcp.patch
 Patch7: krb5-1.6.3-ktutil-manpage.dif
-Patch8: krb5-1.6.3-fix-ipv6-query.dif
-Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif
-Patch13: MITKRB5-SA-2010-007-1.8.dif
-Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif
-Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif
-Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif
-Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif
+Patch10: krb5-1.7-doublelog.patch
+Patch11: krb5-1.7-nodeplibs.patch
+Patch12: krb5-1.8-api.patch
+Patch13: krb5-1.8-pam.patch
+Patch14: krb5-1.9.1-ai_addrconfig.patch
+Patch15: krb5-1.9.1-ai_addrconfig2.patch
+Patch16: krb5-1.9.1-sendto_poll.patch
+Patch17: krb5-1.9-canonicalize-fallback.patch
+Patch18: krb5-1.9-kprop-mktemp.patch
+Patch19: krb5-1.9-ksu-path.patch
+Patch20: krb5-1.9-paren.patch
+Patch21: krb5-1.9-selinux-label.patch
+Patch22: krb5-klist_s.patch
+Patch23: krb5-pkinit-cms2.patch
+Patch24: krb5-trunk-chpw-err.patch
+Patch25: krb5-trunk-gss_delete_sec.patch
+Patch26: krb5-trunk-kadmin-oldproto.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
@@ -200,20 +210,28 @@
 %prep
 %setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
-%patch1
-%patch2
+%patch13 -p1
 %patch3 -p1
-%patch4 -p1
+%patch21 -p1
+%patch1 -p1
 %patch5 -p1
 %patch6
 %patch7 -p1
-%patch8 -p1
+%patch10 -p1
+%patch11 -p1
 %patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p0
-%patch16 -p1
+%patch14
+%patch15
+%patch16
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24
+%patch25 -p1
+%patch26
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
@@ -242,6 +260,9 @@
 --disable-rpath \
 %if ! %{build_mini}
 --with-ldap \
+ --with-pam \
+ --enable-pkinit \
+ --with-selinux \
 %else
 --disable-pkinit \
 %endif
++++++ krb5-1.6.3-kpasswd_tcp.patch ++++++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:27.000000000 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:27.000000000 +0200
@@ -5,7 +5,7 @@
 ===================================================================
 --- src/lib/krb5/os/changepw.c.orig
 +++ src/lib/krb5/os/changepw.c
-@@ -280,10 +280,22 @@ change_set_password(krb5_context context
+@@ -282,10 +282,22 @@ change_set_password(krb5_context context
 NULL ))) {
++++++ krb5-1.7-doublelog.patch ++++++ Don't double-log (actually, don't process /etc/krb5.conf twice) just because we built with --sysconfdir=/etc. RT#3277 Index: krb5-1.9.1/src/include/Makefile.in ===================================================================
--- krb5-1.9.1.orig/src/include/Makefile.in
+++ krb5-1.9.1/src/include/Makefile.in 
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( -e "s+@MODULEDIR+$(MODULE_DIR)+" \ -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ - -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' + -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ + -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ + -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' OSCONFSRC = $(srcdir)/osconf.hin ++++++ krb5-1.7-nodeplibs.patch ++++++ Omit extra libraries because their interfaces aren't exposed to applications by libkrb5, unless do_deps is set to 1, which indicates that the caller wants the whole list. Index: krb5-1.9.1/src/krb5-config.in =================================================================== --- krb5-1.9.1.orig/src/krb5-config.in +++ krb5-1.9.1/src/krb5-config.in @@ -221,7 +221,11 @@ if test -n "$do_libs"; then fi if test $library = 'krb5'; then - lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + if test 0$do_deps -eq 1 ; then + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + else + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" + fi fi echo $lib_flags ++++++ krb5-1.8-api.patch ++++++ Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c --- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 +++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + + if ((realm1 == NULL) || (realm2 == NULL)) + return FALSE; + if (realm1->length != realm2->length) return FALSE; @@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { ++++++ krb5-1.7-manpaths.txt -> krb5-1.8-manpaths.txt ++++++ --- krb5/krb5-1.7-manpaths.txt 2010-01-08 15:25:29.000000000 +0100 +++ /mounts/work_src_done/STABLE/krb5/krb5-1.8-manpaths.txt 2011-03-15 04:13:45.000000000 +0100 
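Review bot: In realm_compare_flags() the new NULL guards are inserted after `realm1` and `realm2` have already been initialised from `krb5_princ_realm(context, princ1)` and `princ2`, so a NULL principal is used before the guard runs; if krb5_princ_realm is the usual `&(princ)->realm` accessor the result is a non-NULL pointer computed from address 0, which means the following `realm1 == NULL || realm2 == NULL` test can never fire and the first dereference of `realm1->length` still happens on garbage. The check has to precede the two declarations (or the realms must be fetched after it): `if ((princ1 == NULL) || (princ2 == NULL)) return FALSE;` first, then `const krb5_data *realm1 = krb5_princ_realm(context, princ1);` and `realm2`. The second hunk in krb5_principal_compare_flags() places its guard correctly, before any use, and is fine. The body of realm_compare_flags() begins before the hunk.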
@@ -1,30 +1,6 @@ -appl/sample/sclient/sclient.M appl/sample/sserver/sserver.M -clients/kcpytkt/kcpytkt.M -clients/kdeltkt/kdeltkt.M -clients/kdestroy/kdestroy.M -clients/kinit/kinit.M -clients/klist/klist.M -clients/kpasswd/kpasswd.M -clients/ksu/ksu.M -clients/kvno/kvno.M config-files/kdc.conf.M config-files/krb5.conf.M -gen-manpages/k5login.M -gen-manpages/kerberos.M -kadmin/cli/k5srvutil.M -kadmin/cli/kadmin.local.M kadmin/cli/kadmin.M -kadmin/dbutil/kdb5_util.M -kadmin/ktutil/ktutil.M -kadmin/server/kadmind.M -kdc/krb5kdc.M -krb5-config.M -plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M slave/kpropd.M slave/kprop.M -tests/create/kdb5_mkdums.M -util/et/com_err.3 -util/et/compile_et.1 -util/profile/profile.5 -util/send-pr/send-pr.1 ++++++ krb5-1.8-pam.patch ++++++ ++++ 757 lines (skipped) ++++++ krb5-1.9-buildconf.patch ++++++ Build binaries in this package as RELRO PIEs and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf --- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 +++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 
@@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' + CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in --- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 @@ -187,8 +187,14 @@ if test -n "$do_libs"; then -e 's#$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#$(CFLAGS)#'"$CFLAGS"'#'` + -e 's#$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ++++++ krb5-1.9-canonicalize-fallback.patch ++++++
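Review bot: The hardening flags are appended to CC_LINK_SHARED only; CC_LINK_STATIC and CXX_LINK_SHARED, visible unchanged in the same hunk, still link without `-pie -Wl,-z,relro,-z,now`, so any program built through those templates misses the RELRO/PIE that the patch header promises for "binaries in this package". If the tree contains C++ or statically linked programs, `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'` is the matching change; if it does not, a comment stating that the other templates are intentionally left alone would stop the next reader from treating it as an oversight. The header's FIXME (the flags are assumed to be supported by the compiler) is worth repeating as a comment on the changed line rather than only in the patch preamble. In the krb5-config.in hunk below, `sed -e "s#-fPIE##" -e "s#-pie##"` deletes those strings wherever they occur in $lib_flags, not only as whole flags, so a path or option that merely contains `-pie` would be silently mangled; anchoring the patterns on the surrounding whitespace would be safer, though what else lib_flags can carry is not visible from here.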
From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c +++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c @@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, /***** STATE_REFERRALS *****/ -/* - * Possibly retry a request in the fallback realm after a referral request - * failure in the local realm. Expects ctx->reply_code to be set to the error - * from a referral request. - */ +/* Possibly try a non-referral request after a referral request failure. + * Expects ctx->reply_code to be set to the error from a referral request. */ static krb5_error_code -try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) +try_fallback(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; char **hrealms; @@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, if (ctx->referral_count > 1) return ctx->reply_code; - /* Only fall back if the original request used the referral realm. */ + /* If the request used a specified realm, make a non-referral request to + * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ if (!krb5_is_referral_realm(&ctx->req_server->realm)) - return ctx->reply_code; + return begin_non_referral(context, ctx); if (ctx->server->length < 2) { /* We need a type/host format principal to find a fallback realm. */ @@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, if (code != 0) return code; - /* Give up if the fallback realm isn't any different. */ + /* If the fallback realm isn't any different, use the existing TGT. */ if (data_eq_string(ctx->server->realm, hrealms[0])) { krb5_free_host_realm(context, hrealms); - return ctx->reply_code; + return begin_non_referral(context, ctx); } /* Rewrite server->realm to be the fallback realm. */ 
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb krb5_error_code code; const krb5_data *referral_realm; - /* Possibly retry with the fallback realm on error. */ + /* Possibly try a non-referral fallback request on error. */ if (ctx->reply_code != 0) - return try_fallback_realm(context, ctx); + return try_fallback(context, ctx); if (krb5_principal_compare(context, ctx->reply_creds->server, ctx->server)) { ++++++ krb5-1.9-kprop-mktemp.patch ++++++ Use an in-memory ccache to silence a compiler warning, for RT#6414. Index: krb5-1.9.1/src/slave/kprop.c =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.c +++ krb5-1.9.1/src/slave/kprop.c @@ -188,9 +188,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { - char buf[BUFSIZ], *def_realm; + char buf[] = "MEMORY:_kproptkt", *def_realm; krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; krb5_keytab keytab = NULL; /* @@ -229,11 +228,8 @@ void get_tickets(context) #endif /* - * Initialize cache file which we're going to be using + * Initialize an in-memory cache for temporary use */ - (void) mktemp(tkstring); - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); if (retval) { com_err(progname, retval, "while opening credential cache %s", ++++++ krb5-1.9-ksu-path.patch ++++++ Set the default PATH to the one set by login. diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in --- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 +++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 
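Review bot: In krb5-1.9-kprop-mktemp.patch, `char buf[] = "MEMORY:_kproptkt"` shrinks buf from BUFSIZ to 17 bytes; get_tickets() continues past the hunk, so if buf is reused later for any snprintf() or as a scratch buffer sized by `sizeof(buf)`, that is now truncation or an overflow — the remainder of the function needs checking before this lands. The patch header describes the change as silencing a compiler warning, but its real effect is replacing a mktemp()-named `FILE:` ccache under /tmp (a predictable-name temporary file) with a process-private memory ccache, which is the property worth recording; suggested header wording: `Use an in-memory ccache instead of a mktemp()-named FILE: ccache in /tmp; also silences the mktemp() warning (RT#6414).` The krb5-1.9-canonicalize-fallback.patch hunk above it only renames try_fallback_realm() and routes two early returns through begin_non_referral(), and raises nothing on its own.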
@@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' DEFS= PROG_LIBPATH=-L$(TOPLIBD) ++++++ krb5-1.7-manpaths.dif -> krb5-1.9-manpaths.dif ++++++ --- krb5/krb5-1.7-manpaths.dif 2010-10-22 11:17:26.000000000 +0200 +++ /mounts/work_src_done/STABLE/krb5/krb5-1.9-manpaths.dif 2011-08-21 11:42:57.000000000 +0200 
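Review bot: CMD_PATH is the directory list a setuid-root ksu searches for the command it runs as the target user, so the new ordering — `/usr/local/sbin /usr/local/bin` ahead of `/sbin /usr/sbin /bin /usr/bin` — makes a same-named binary under /usr/local win over the system one. That is presumably the distribution login default the header refers to, but the header should name the source it copies and state that the ordering is deliberate, e.g. `Match the default PATH set by login; /usr/local/* is searched first on purpose.` It is also worth a sentence that every listed directory is expected to be root-owned and not group/world-writable, since that assumption is what makes a fixed search path in a setuid program acceptable.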
@@ -1,9 +1,41 @@ +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 - -Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M +Index: krb5-1.9.1/src/aclocal.m4 +=================================================================== +--- krb5-1.9.1.orig/src/aclocal.m4 ++++ krb5-1.9.1/src/aclocal.m4 +@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M =================================================================== ---- krb5-1.8.3.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.8.3/src/appl/sample/sserver/sserver.M +--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.9.1/src/appl/sample/sserver/sserver.M 
@@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -13,10 +45,10 @@ .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.8.3/src/config-files/kdc.conf.M +Index: krb5-1.9.1/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.8.3.orig/src/config-files/kdc.conf.M -+++ krb5-1.8.3/src/config-files/kdc.conf.M +--- krb5-1.9.1.orig/src/config-files/kdc.conf.M ++++ krb5-1.9.1/src/config-files/kdc.conf.M @@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that 
@@ -43,74 +75,44 @@ .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.8.3/src/configure.in +Index: krb5-1.9.1/src/config-files/krb5.conf.M =================================================================== ---- krb5-1.8.3.orig/src/configure.in -+++ krb5-1.8.3/src/configure.in -@@ -1057,6 +1057,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " - fi +--- krb5-1.9.1.orig/src/config-files/krb5.conf.M ++++ krb5-1.9.1/src/config-files/krb5.conf.M +@@ -768,6 +768,6 @@ with another database such as Active Dir + in for this interface. + + .SH FILES +-/etc/krb5.conf ++@mansysconfdir@/krb5.conf + .SH SEE ALSO + syslog(3) +Index: krb5-1.9.1/src/configure.in +=================================================================== +--- krb5-1.9.1.orig/src/configure.in ++++ krb5-1.9.1/src/configure.in +@@ -1128,6 +1128,16 @@ fi + KRB5_WITH_PAM AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_OUTPUT([ -+ appl/sample/sclient/sclient.M ++V5_AC_OUTPUT_MANPAGE([ + appl/sample/sserver/sserver.M -+ clients/kcpytkt/kcpytkt.M 
-+ clients/kdeltkt/kdeltkt.M -+ clients/kdestroy/kdestroy.M -+ clients/kinit/kinit.M -+ clients/klist/klist.M -+ clients/kpasswd/kpasswd.M -+ clients/ksu/ksu.M -+ clients/kvno/kvno.M + config-files/kdc.conf.M + config-files/krb5.conf.M -+ gen-manpages/k5login.M -+ gen-manpages/kerberos.M -+ kadmin/cli/k5srvutil.M -+ kadmin/cli/kadmin.local.M + kadmin/cli/kadmin.M -+ kadmin/dbutil/kdb5_util.M -+ kadmin/ktutil/ktutil.M -+ kadmin/server/kadmind.M -+ kdc/krb5kdc.M -+ krb5-config.M -+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M + slave/kpropd.M + slave/kprop.M -+ tests/create/kdb5_mkdums.M -+ util/et/com_err.3 -+ util/et/compile_et.1 -+ util/profile/profile.5 -+ util/send-pr/send-pr.1 +]) + V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.8.3/src/kadmin/cli/kadmin.M +Index: krb5-1.9.1/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.8.3.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.8.3/src/kadmin/cli/kadmin.M -@@ -869,9 +869,9 @@ option is specified, less verbose status +--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.9.1/src/kadmin/cli/kadmin.M +@@ -880,9 +880,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -122,7 +124,7 @@ kadmin: .RE .fi -@@ -913,7 +913,7 @@ passwords. +@@ -924,7 +924,7 @@ passwords. .SH HISTORY The .B kadmin 
@@ -131,32 +133,10 @@ OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.8.3/src/slave/kprop.M -=================================================================== ---- krb5-1.8.3.orig/src/slave/kprop.M -+++ krb5-1.8.3/src/slave/kprop.M -@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ is used. - \fB-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). - .TP - \fB-P\fP \fIport\fP - specifies the port to use to contact the -Index: krb5-1.8.3/src/slave/kpropd.M +Index: krb5-1.9.1/src/slave/kpropd.M =================================================================== ---- krb5-1.8.3.orig/src/slave/kpropd.M -+++ krb5-1.8.3/src/slave/kpropd.M +--- krb5-1.9.1.orig/src/slave/kpropd.M ++++ krb5-1.9.1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: 
@@ -199,3 +179,25 @@ Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO +Index: krb5-1.9.1/src/slave/kprop.M +=================================================================== +--- krb5-1.9.1.orig/src/slave/kprop.M ++++ krb5-1.9.1/src/slave/kprop.M +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB-P\fP \fIport\fP + specifies the port to use to contact the ++++++ krb5-1.9-paren.patch ++++++ Upstream commit #24477. diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c --- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 +++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 @@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn btime = (unsigned int)(2<<(*cnt)); if (btime > MAX_BACKOFF) { btime = MAX_BACKOFF; - *cnt--; + (*cnt)--; } return (btime); ++++++ krb5-1.9-selinux-label.patch ++++++ ++++ 919 lines (skipped) ++++++ krb5-1.9.1-ai_addrconfig.patch ++++++
From RT#6922. When we're converting a host/service pair into a principal name, specify AF_UNSPEC instead of AF_INET and then maybe AF_INET6, to try to avoid libc having to do a PTR lookup because we also specify AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c =================================================================== --- src/lib/krb5/os/sn2princ.c.orig +++ src/lib/krb5/os/sn2princ.c @@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con hostnames associated. */ memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; - hints.ai_flags = AI_CANONNAME; - try_getaddrinfo_again: + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo(hostname, 0, &hints, &ai); if (err) { #ifdef DEBUG_REFERRALS printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname); #endif - if (hints.ai_family == AF_INET) { - /* Just in case it's an IPv6-only name. */ - hints.ai_family = 0; - goto try_getaddrinfo_again; - } return KRB5_ERR_BAD_HOSTNAME; } remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname); ++++++ krb5-1.9.1-ai_addrconfig2.patch ++++++ Most of RT#6923, except for the part that depends on the sendto_kdc rewrite (it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we specify hints to getaddrinfo() to get the address of a server. Index: src/plugins/locate/python/py-locate.c =================================================================== --- src/plugins/locate/python/py-locate.c.orig +++ src/plugins/locate/python/py-locate.c @@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t return -1; } aihints.ai_socktype = thissocktype; + aihints.ai_flags = AI_ADDRCONFIG; x = getaddrinfo (hoststr, portstr, &aihints, &airesult); if (x != 0) continue; Index: src/appl/sample/sclient/sclient.c =================================================================== --- src/appl/sample/sclient/sclient.c.orig +++ src/appl/sample/sclient/sclient.c 
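Review bot: Adding AI_ADDRCONFIG to the hints in krb5_sname_to_principal() makes canonicalisation depend on which address families are configured on the local interfaces, and glibc's getaddrinfo(3) documents that a loopback address does not count as configured, so on a loopback-only host the lookup can now fail and the function return KRB5_ERR_BAD_HOSTNAME for names (including the machine's own) that resolved before; the old `try_getaddrinfo_again` retry with `ai_family = 0` is also gone, so there is no second attempt. That behaviour change deserves a sentence in the patch header next to "usually the right idea", and the same caveat applies to every hunk of krb5-1.9.1-ai_addrconfig2.patch below. Within that second patch, the hunks that already carried flags use `|=` (client_init.c, locate_kdc.c), while py-locate.c and sclient.c assign `ai_flags = AI_ADDRCONFIG` outright — correct where the hints were just memset, as sclient.c shows, but worth confirming for py-locate.c, whose memset is outside the hunk.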
@@ -124,6 +124,7 @@ main(int argc, char *argv[]) memset(&aihints, 0, sizeof(aihints)); aihints.ai_socktype = SOCK_STREAM; + aihints.ai_flags = AI_ADDRCONFIG; aierr = getaddrinfo(argv[1], portstr, &aihints, &ap); if (aierr) { fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n", Index: src/kadmin/dbutil/kadm5_create.c =================================================================== --- src/kadmin/dbutil/kadm5_create.c.orig +++ src/kadmin/dbutil/kadm5_create.c @@ -182,7 +182,7 @@ static int add_admin_princs(void *handle goto clean_and_exit; } memset(&ai_hints, 0, sizeof(ai_hints)); - ai_hints.ai_flags = AI_CANONNAME; + ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); if (gai_error) { ret = EINVAL; Index: src/lib/kadm5/alt_prof.c =================================================================== --- src/lib/kadm5/alt_prof.c.orig +++ src/lib/kadm5/alt_prof.c @@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex } memset(&hint, 0, sizeof(hint)); - hint.ai_flags = AI_CANONNAME; + hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai); if (err != 0) { ret = KADM5_CANT_RESOLVE; Index: src/lib/kadm5/clnt/client_init.c =================================================================== --- src/lib/kadm5/clnt/client_init.c.orig +++ src/lib/kadm5/clnt/client_init.c @@ -563,8 +563,9 @@ connect_to_server(const char *hostname, (void) snprintf(portbuf, sizeof(portbuf), "%d", port); memset(&hint, 0, sizeof(hint)); hint.ai_socktype = SOCK_STREAM; + hint.ai_flags = AI_ADDRCONFIG; #ifdef AI_NUMERICSERV - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif err = getaddrinfo(hostname, portbuf, &hint, &addrs); if (err != 0) Index: src/lib/krb5/os/hostaddr.c =================================================================== --- src/lib/krb5/os/hostaddr.c.orig +++ src/lib/krb5/os/hostaddr.c 
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; + hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if Index: src/lib/krb5/os/hst_realm.c =================================================================== --- src/lib/krb5/os/hst_realm.c.orig +++ src/lib/krb5/os/hst_realm.c @@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz int err; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_CANONNAME; + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) return krb5int_translate_gai_error (err); Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c @@ -325,6 +325,7 @@ open_connection(krb5_context context, ch memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_ADDRCONFIG; error = getaddrinfo(host, port, &hints, &answers); if (error != 0) { com_err(progname, 0, "%s: %s", host, gai_strerror(error)); Index: src/lib/krb5/os/locate_kdc.c =================================================================== --- src/lib/krb5/os/locate_kdc.c.orig +++ src/lib/krb5/os/locate_kdc.c 
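Review bot: Combining AI_ADDRCONFIG with AI_NUMERICHOST on the changed line turns a pure address-literal parse into a reachability filter: on an IPv4-only host a literal IPv6 address (or the reverse) can now come back as a getaddrinfo error even though the input is a well-formed address, and the caller presumably sees that as a resolution failure. Whether a libc applies AI_ADDRCONFIG to numeric input at all varies, so the effect should be confirmed on the platforms openSUSE ships rather than assumed either way. Since no name resolution happens here there is nothing for AI_ADDRCONFIG to buy, and this call is outside the patch description's "address of a server" scope; I would keep `hints.ai_flags = AI_NUMERICHOST;`. krb5_os_hostaddr begins and ends outside the hunk.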
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; + hint.ai_flags = AI_ADDRCONFIG; #ifdef AI_NUMERICSERV - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) ++++++ krb5-1.9.1-sendto_poll.patch ++++++ ++++ 624 lines (skipped) ++++++ krb5-1.8.3.tar.bz2 -> krb5-1.9.1.tar.bz2 ++++++ krb5/krb5-1.8.3.tar.bz2 /mounts/work_src_done/STABLE/krb5/krb5-1.9.1.tar.bz2 differ: char 11, line 1 ++++++ krb5-doc-rpmlintrc ++++++ addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") ++++++ krb5-klist_s.patch ++++++ Don't trip over referral entries. RT#6915 Index: krb5-1.9.1/src/clients/klist/klist.c =================================================================== --- krb5-1.9.1.orig/src/clients/klist/klist.c +++ krb5-1.9.1/src/clients/klist/klist.c @@ -28,7 +28,7 @@ * List out the contents of your credential cache or keytab. */ -#include "autoconf.h" +#include "k5-int.h" #include <krb5.h> #include <com_err.h> #include <stdlib.h> @@ -390,10 +390,9 @@ void do_ccache(name) continue; if (status_only) { if (exit_status && creds.server->length == 2 && - strcmp(creds.server->realm.data, princ->realm.data) == 0 && - strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && - strcmp((char *)creds.server->data[1].data, - princ->realm.data) == 0 && + data_eq(creds.server->realm, princ->realm) && + data_eq_string(creds.server->data[0], "krbtgt") && + data_eq(creds.server->data[1], princ->realm) && creds.times.endtime > now) exit_status = 0; } else { ++++++ krb5-pkinit-cms2.patch ++++++ When verifying signed-data, use the OpenSSL CMS APIs if we're building with a version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for RT#6851. 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index bb8f036..6aedec4 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -41,6 +41,34 @@ #include "pkinit_crypto_openssl.h" +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#include <openssl/cms.h> +#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl)) +#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509)) +#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL) +#else +#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */ +#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */ +#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY +#define CMS_NOATTR PKCS7_NOATTR +#define CMS_ContentInfo PKCS7 +#define CMS_SignerInfo PKCS7_SIGNER_INFO +#define d2i_CMS_ContentInfo d2i_PKCS7 +#define CMS_get0_type(_p7) ((_p7)->type) +#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string)) +#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint) +#define CMS_get0_SignerInfos PKCS7_get_signer_info +#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO +#undef sk_CMS_SignerInfo_value +#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value +#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type) +#define CMS_verify PKCS7_verify +#define CMS_get1_crls(_p7) (_p7->d.sign->crl) +#define CMS_get1_certs(_p7) (_p7->d.sign->cert) +#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7) +#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) +#endif + static struct pkcs11_errstrings { short code; char *text; 
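Review bot: The pre-1.0.0 fallback `#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))` takes the address of a union member without checking `d.other->type`, whereas the code it replaces tested `p7->d.other->type != V_ASN1_OCTET_STRING` before touching the value; under this macro the `!octets` test at the call site can never fire, because the address of a struct member is never NULL, and the caller then reads `(*octets)->type`, i.e. it has already treated the union as an ASN1_STRING pointer, which for a content encoded as BOOLEAN or NULL is not necessarily a valid pointer. This path is the unsigned-data (anonymous PKINIT) branch of cms_signeddata_verify, which the KDC runs on unauthenticated client input, so a malformed packet could crash a KDC built against OpenSSL older than 1.0.0; I have not built that configuration to confirm. The macro should behave like the library function it stands in for, which as far as I recall returns NULL on a wrong content type: `#define CMS_get0_content(_p7) (((_p7)->d.other != NULL && (_p7)->d.other->type == V_ASN1_OCTET_STRING) ? &((_p7)->d.other->value.octet_string) : NULL)`. The other fallback macros such as `CMS_get1_crls(_p7) (_p7->d.sign->crl)` also leave `_p7` unparenthesized, which is harmless for the current call sites but worth fixing while here.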
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context, int *is_signed) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; - PKCS7 *p7 = NULL; + CMS_ContentInfo *cms = NULL; BIO *out = NULL; - int flags = PKCS7_NOVERIFY; + int flags = CMS_NO_SIGNER_CERT_VERIFY; unsigned int i = 0; unsigned int vflags = 0, size = 0; const unsigned char *p = signed_data; - STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; - PKCS7_SIGNER_INFO *si = NULL; + STACK_OF(CMS_SignerInfo) *si_sk = NULL; + CMS_SignerInfo *si = NULL; X509 *x = NULL; X509_STORE *store = NULL; X509_STORE_CTX cert_ctx; + STACK_OF(X509) *signerCerts = NULL; STACK_OF(X509) *intermediateCAs = NULL; + STACK_OF(X509_CRL) *signerRevoked = NULL; STACK_OF(X509_CRL) *revoked = NULL; STACK_OF(X509) *verified_chain = NULL; ASN1_OBJECT *oid = NULL; + const ASN1_OBJECT *type = NULL, *etype = NULL; + ASN1_OCTET_STRING **octets; krb5_external_principal_identifier **krb5_verified_chain = NULL; krb5_data *authz = NULL; char buf[DN_BUF_LEN]; @@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context, if (oid == NULL) goto cleanup; - /* decode received PKCS7 message */ - if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) { + /* decode received CMS message */ + if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { unsigned long err = ERR_peek_error(); krb5_set_error_message(context, retval, "%s\n", ERR_error_string(err, NULL)); 
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context, } /* Handle the case in pkinit anonymous where we get unsigned data. */ - if (is_signed && !OBJ_cmp(p7->type, oid)) { + type = CMS_get0_type(cms); + if (is_signed && !OBJ_cmp(type, oid)) { unsigned char *d; *is_signed = 0; - if (p7->d.other->type != V_ASN1_OCTET_STRING) { + octets = CMS_get0_content(cms); + if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) { retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Invalid pkinit packet: octet string " "expected"); goto cleanup; } - *data_len = ASN1_STRING_length(p7->d.other->value.octet_string); + *data_len = ASN1_STRING_length(*octets); d = malloc(*data_len); if (d == NULL) { retval = ENOMEM; goto cleanup; } - memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string), + memcpy(d, ASN1_STRING_data(*octets), *data_len); *data = d; goto out; } else { - /* Verify that the received message is PKCS7 SignedData message. */ - if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) { - pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", - OBJ_obj2nid(p7->type)); + /* Verify that the received message is CMS SignedData message. */ + if (OBJ_obj2nid(type) != NID_pkcs7_signed) { + pkiDebug("Expected id-signedData CMS msg (received type = %d)\n", + OBJ_obj2nid(type)); krb5_set_error_message(context, retval, "wrong oid\n"); goto cleanup; } } - /* setup to verify X509 certificate used to sign PKCS7 message */ + /* setup to verify X509 certificate used to sign CMS message */ if (!(store = X509_STORE_new())) goto cleanup; 
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context, X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls); X509_STORE_set_flags(store, vflags); - /* get the signer's information from the PKCS7 message */ - if ((si_sk = PKCS7_get_signer_info(p7)) == NULL) + /* get the signer's information from the CMS message */ + CMS_set1_signers_certs(cms, NULL, 0); + if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL) goto cleanup; - if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL) + if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL) goto cleanup; - if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL) + pkinit_CMS_SignerInfo_get_cert(cms, si, &x); + if (x == NULL) goto cleanup; /* create available CRL information (get local CRLs and include CRLs - * received in the PKCS7 message + * received in the CMS message */ + signerRevoked = CMS_get1_crls(cms); if (idctx->revoked == NULL) - revoked = p7->d.sign->crl; - else if (p7->d.sign->crl == NULL) + revoked = signerRevoked; + else if (signerRevoked == NULL) revoked = idctx->revoked; else { size = sk_X509_CRL_num(idctx->revoked); revoked = sk_X509_CRL_new_null(); for (i = 0; i < size; i++) sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i)); - size = sk_X509_CRL_num(p7->d.sign->crl); + size = sk_X509_CRL_num(signerRevoked); for (i = 0; i < size; i++) - sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i)); + sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i)); } /* create available intermediate CAs chains (get local intermediateCAs and - * include the CA chain received in the PKCS7 message + * include the CA chain received in the CMS message */ + signerCerts = CMS_get1_certs(cms); if (idctx->intermediateCAs == NULL) - intermediateCAs = p7->d.sign->cert; - else if (p7->d.sign->cert == NULL) + intermediateCAs = signerCerts; + else if (signerCerts == NULL) intermediateCAs = idctx->intermediateCAs; else { size = sk_X509_num(idctx->intermediateCAs); 
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context, sk_X509_push(intermediateCAs, sk_X509_value(idctx->intermediateCAs, i)); } - size = sk_X509_num(p7->d.sign->cert); + size = sk_X509_num(signerCerts); for (i = 0; i < size; i++) { - sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i)); + sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i)); } } @@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context, krb5_set_error_message(context, retval, "%s\n", X509_verify_cert_error_string(j)); #ifdef DEBUG_CERTCHAIN - size = sk_X509_num(p7->d.sign->cert); + size = sk_X509_num(signerCerts); pkiDebug("received cert chain of size %d\n", size); for (j = 0; j < size; j++) { - X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j); + X509 *tmp_cert = sk_X509_value(signerCerts, j); X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf)); pkiDebug("cert #%d: %s\n", j, buf); } @@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context, out = BIO_new(BIO_s_mem()); if (cms_msg_type == CMS_SIGN_DRAFT9) - flags |= PKCS7_NOATTR; - if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) { + flags |= CMS_NOATTR; + etype = CMS_get0_eContentType(cms); + if (CMS_verify(cms, NULL, store, NULL, out, flags)) { int valid_oid = 0; - if (!OBJ_cmp(p7->d.sign->contents->type, oid)) + if (!OBJ_cmp(etype, oid)) valid_oid = 1; else if (cms_msg_type == CMS_SIGN_DRAFT9) { /* 
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context, client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT); server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER); rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER); - if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) || - !OBJ_cmp(p7->d.sign->contents->type, server_oid) || - !OBJ_cmp(p7->d.sign->contents->type, rsa_oid)) + if (!OBJ_cmp(etype, client_oid) || + !OBJ_cmp(etype, server_oid) || + !OBJ_cmp(etype, rsa_oid)) valid_oid = 1; } if (valid_oid) - pkiDebug("PKCS7 Verification successful\n"); + pkiDebug("CMS Verification successful\n"); else { pkiDebug("wrong oid in eContentType\n"); - print_buffer(p7->d.sign->contents->type->data, - (unsigned int)p7->d.sign->contents->type->length); + print_buffer(etype->data, + (unsigned int)etype->length); retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, "wrong oid\n"); goto cleanup; @@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context, default: retval = KRB5KDC_ERR_INVALID_SIG; } - pkiDebug("PKCS7 Verification failure\n"); + pkiDebug("CMS Verification failure\n"); krb5_set_error_message(context, retval, "%s\n", ERR_error_string(err, NULL)); goto cleanup; } - /* transfer the data from PKCS7 message into return buffer */ + /* transfer the data from CMS message into return buffer */ for (size = 0;;) { int remain; retval = ENOMEM; 
@@ -1452,12 +1491,16 @@ cleanup: BIO_free(out); if (store != NULL) X509_STORE_free(store); - if (p7 != NULL) { - if (idctx->intermediateCAs != NULL && p7->d.sign->cert) + if (cms != NULL) { + if (signerCerts != NULL) + pkinit_CMS_free1_certs(signerCerts); + if (idctx->intermediateCAs != NULL && signerCerts) sk_X509_free(intermediateCAs); - if (idctx->revoked != NULL && p7->d.sign->crl) + if (signerRevoked != NULL) + pkinit_CMS_free1_crls(signerRevoked); + if (idctx->revoked != NULL && signerRevoked) sk_X509_CRL_free(revoked); - PKCS7_free(p7); + CMS_ContentInfo_free(cms); } if (verified_chain != NULL) sk_X509_pop_free(verified_chain, X509_free); ++++++ krb5-1.8.3-rpmlintrc -> krb5-rpmlintrc ++++++ ++++++ krb5-trunk-chpw-err.patch ++++++ Don't suppress the error code from an error message when the error message contains e-data. RT#6893 Index: src/lib/krb5/krb/chpw.c =================================================================== --- src/lib/krb5/krb/chpw.c (revision 24838) +++ src/lib/krb5/krb/chpw.c (working copy) 
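Review bot: `signerCerts` and `signerRevoked` come from `CMS_get1_certs()`/`CMS_get1_crls()` (the -1210 hunk), and under OpenSSL's naming a get1 result carries its own reference on every element, so releasing them here through `pkinit_CMS_free1_certs` → `sk_X509_free()` and `pkinit_CMS_free1_crls` → `sk_X509_CRL_free()` frees the stacks but leaks each certificate and CRL the client sent, once per verification. On a KDC this is driven by unauthenticated PKINIT requests, so it is a remotely triggerable leak; I have not run this under a leak checker, so treat the growth rate as unconfirmed. The fix belongs in the OpenSSL >= 1.0.0 branch of the macros at the top of the patch: `#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_pop_free((_sk_x509crl), X509_CRL_free)` and `#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_pop_free((_sk_x509), X509_free)`; the PKCS7 branch, which borrows `p7->d.sign->cert`/`crl`, correctly stays a no-op. The order in this hunk remains safe with that change, since `intermediateCAs` and `revoked` are then released with plain `sk_*_free()` that does not touch elements; the cleanup label is in the middle of cms_signeddata_verify, whose body starts outside the hunk.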
@@ -111,15 +111,11 @@ if ((ret = krb5_rd_error(context, packet, &krberror))) return(ret); - if (krberror->e_data.data == NULL) - ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - else - ret = KRB5KRB_AP_ERR_MODIFIED; + ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; krb5_free_error(context, krberror); return(ret); - } else { - return(KRB5KRB_AP_ERR_MODIFIED); } + return(KRB5KRB_AP_ERR_MODIFIED); } ++++++ krb5-trunk-gss_delete_sec.patch ++++++ Author: ghudson Date: Mon May 9 17:28:07 2011 +0000 ticket: 6908 subject: Delete sec context properly in gss_krb5_export_lucid_sec_context target_version: 1.9.2 tags: pullup Since r21690, gss_krb5_export_lucid_sec_context() has been passing a union context to krb5_gss_delete_sec_context(), causing a crash as the krb5 routine attempts to interpret a union context structure as a krb5 GSS context. Call the mechglue gss_delete_sec_context instead. svn://anonsvn.mit.edu:/krb5/trunk@24917 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c 
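Review bot: The now unconditional `ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;` returns whatever error number the peer placed in the KRB-ERROR, with no check that it falls within the range the krb5 error table covers, and it does so even when e-data is present, where the old code deliberately pinned the result to KRB5KRB_AP_ERR_MODIFIED. The hunk does not show whether this reply is integrity-checked before `krb5_rd_error()` is trusted; if it is not, callers that branch on specific codes act on attacker-chosen values, and an out-of-range value yields a code with no error-table message. I would bound the value before adding it to ERROR_TABLE_BASE_krb5 and fall back to KRB5KRB_AP_ERR_MODIFIED for anything beyond the last table entry, with a comment noting that the code is taken from the wire. The enclosing function begins before the hunk.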
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, /* Clean up the context state (it is an error for * someone to attempt to use this context again) */ - (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + (void)gss_delete_sec_context(minor_status, context_handle, NULL); *context_handle = GSS_C_NO_CONTEXT; generic_gss_release_buffer_set(&minor, &data_set); ++++++ krb5-trunk-kadmin-oldproto.patch ++++++ ------------------------------------------------------------------------ r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines ticket: 6920 subject: Fix old-style GSSRPC authentication target_version: 1.9.2 tags: pullup r24147 (ticket #6746) made libgssrpc ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. ------------------------------------------------------------------------ Index: src/lib/rpc/clnt_tcp.c =================================================================== --- src/lib/rpc/clnt_tcp.c (revision 24966) +++ src/lib/rpc/clnt_tcp.c (revision 24967) 
@@ -187,9 +187,16 @@ ct->ct_sock = *sockp; ct->ct_wait.tv_usec = 0; ct->ct_waitset = FALSE; - if (raddr == NULL) - memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); - else + if (raddr == NULL) { + /* Get the remote address from the socket, if it's IPv4. */ + struct sockaddr_in sin; + socklen_t len = sizeof(sin); + int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len); + if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET) + ct->ct_addr = sin; + else + memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); + } else ct->ct_addr = *raddr; /* ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/kadmind.init new/vendor-files/kadmind.init --- old/vendor-files/kadmind.init 2007-10-18 14:34:55.000000000 +0200 +++ new/vendor-files/kadmind.init 2011-08-21 15:51:44.000000000 +0200 @@ -49,19 +49,25 @@ # then we don't know for sure that this is an error. if ! grep -q 'db_library.*=.*kldap' /etc/krb5.conf ; then echo "Error. Default principal database does not exist." - exit 0 + rc_failed 6 + rc_status -v + rc_exit fi fi if [ -f $krbdir/kpropd.acl ] ; then echo "This seems to be a slave server, found kpropd.acl" - exit 0 + rc_failed 6 + rc_status -v + rc_exit else if [ ! -f $krbdir/kadm5.keytab ] ; then echo "Extracting kadm5 Service Keys: " /usr/lib/mit/sbin/kadmin.local -q "ktadd -k $krbdir/kadm5.keytab kadmin/admin kadmin/changepw" if [ $? -ne 0 ] ; then echo "Extracting failed" - exit 1 + rc_failed 1 + rc_status -v + rc_exit fi fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/kpropd.init new/vendor-files/kpropd.init --- old/vendor-files/kpropd.init 2007-10-18 14:57:05.000000000 +0200 +++ new/vendor-files/kpropd.init 2011-08-21 15:52:58.000000000 +0200 
@@ -43,17 +43,23 @@ start() { if ! grep -q ^krb5_prop /etc/services ; then echo "krb5_prop not in /etc/services. Please add 'krb5_prop 754/tcp' to /etc/services ." - exit 1 + rc_failed 1 + rc_status -v + rc_exit fi if ! grep -q ^eklogin /etc/services ; then echo "eklogin not in /etc/services." echo "Please add 'eklogin 2105/tcp' to /etc/services and enable this service in /etc/xinetd.d/eklogin." - exit 1 + rc_failed 1 + rc_status -v + rc_exit fi if [ ! -f $krbdir/kpropd.acl ] ; then echo "Could not find an ACL file for the propagation server, exiting." - exit 1 + rc_failed 1 + rc_status -v + rc_exit fi echo -n "Starting $prog" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/krb5kdc.init new/vendor-files/krb5kdc.init --- old/vendor-files/krb5kdc.init 2008-09-26 18:09:07.000000000 +0200 +++ new/vendor-files/krb5kdc.init 2011-08-21 15:53:59.000000000 +0200 @@ -48,7 +48,9 @@ # then we don't know for sure that this is an error. if ! grep -q 'db_library.*=.*kldap' /etc/krb5.conf ; then echo "Error. Default principal database does not exist." - exit 0 + rc_failed 6 + rc_status -v + rc_exit fi fi echo -n "Starting $prog" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org