packages: krb5/krb5-trunk-doublelog.patch (NEW), krb5/krb5-trunk-ftp_mget_c...

baggins baggins at pld-linux.org
Wed Jun 3 16:02:36 CEST 2009


Author: baggins                      Date: Wed Jun  3 14:02:36 2009 GMT
Module: packages                      Tag: HEAD
---- Log message:
- fixes from krb5 repo trunk

---- Files affected:
packages/krb5:
   krb5-trunk-doublelog.patch (NONE -> 1.1)  (NEW), krb5-trunk-ftp_mget_case.patch (NONE -> 1.1)  (NEW), krb5-trunk-kpasswd_tcp.patch (NONE -> 1.1)  (NEW), krb5-trunk-preauth-master.patch (NONE -> 1.1)  (NEW), krb5-trunk-seqnum.patch (NONE -> 1.1)  (NEW), krb5-trunk-spnego_delegation.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/krb5/krb5-trunk-doublelog.patch
diff -u /dev/null packages/krb5/krb5-trunk-doublelog.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-doublelog.patch	Wed Jun  3 16:02:30 2009
@@ -0,0 +1,18 @@
+Don't double-log (actually, don't process /etc/krb5.conf twice) just
+because we built with --sysconfdir=/etc.  RT#3277
+
+Index: src/include/Makefile.in
+===================================================================
+--- src/include/Makefile.in	(revision 20235)
++++ src/include/Makefile.in	(working copy)
+@@ -61,7 +61,9 @@
+ 		  -e "s+ at SBINDIR+$(SBINDIR)+" \
+ 		  -e "s+ at MODULEDIR+$(MODULE_DIR)+" \
+ 	-e 's+ at LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
+-	-e 's+ at SYSCONFDIR+$(SYSCONFDIR)+' 
++	-e 's+ at SYSCONFDIR+$(SYSCONFDIR)+' \
++	-e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
++	-e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
+ 
+ OSCONFSRC = $(srcdir)/stock/osconf.h
+ 
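Review bot: The two new sed expressions match only the literal string `/etc/krb5.conf:/etc/krb5.conf`, so the fix holds only when `$(SYSCONFDIR)` expands to exactly `/etc`; a value such as `/etc/` or a changed built-in default path would silently reinstate the double load. Collapsing any repeated path element generically, or guarding the substitution on `$(SYSCONFDIR)` being `/etc`, would be more robust, or at least record the assumption next to the rule, e.g. `# drop the duplicate produced when --sysconfdir=/etc matches the built-in default`. The Makefile rule these lines belong to continues outside the hunk.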

================================================================
Index: packages/krb5/krb5-trunk-ftp_mget_case.patch
diff -u /dev/null packages/krb5/krb5-trunk-ftp_mget_case.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-ftp_mget_case.patch	Wed Jun  3 16:02:31 2009
@@ -0,0 +1,19 @@
+When "case" is enabled, we've been setting the target filename to the buffer
+in which we'd store the lower-cased version of the name, even if we ended up
+not generating a lower-cased version of the name, causing the client to store
+the incoming data in whichever file whose name we'd last generated. ITS#5940.
+diff -up src/appl/gssftp/ftp/cmds.c src/appl/gssftp/ftp/cmds.c
+--- src/appl/gssftp/ftp/cmds.c	2008-04-16 10:36:13.000000000 -0400
++++ src/appl/gssftp/ftp/cmds.c	2008-04-16 10:36:16.000000000 -0400
+@@ -1013,8 +1013,10 @@ void mget(argc, argv)
+ 						tp++;
+ 						tp2++;
+ 					}
++					tp = tmpbuf;
++				} else {
++					tp = cp;
+ 				}
+-				tp = tmpbuf;
+ 			}
+ 			if (ntflag) {
+ 				tp = dotrans(tp);
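Review bot: The new `else { tp = cp; }` branch should carry a comment, because the coupling between the lower-casing loop and the buffer choice is exactly what the old code got wrong: `/* point at tmpbuf only when a lower-cased copy was actually built; otherwise keep the server-supplied name */`. Without it the next reader may fold the two assignments back into the single `tp = tmpbuf;` that caused data to land in the previously generated filename. mget begins before this hunk and continues after it, so whether `cp` still holds the untouched original name at this point is taken from the description, not visible here.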

================================================================
Index: packages/krb5/krb5-trunk-kpasswd_tcp.patch
diff -u /dev/null packages/krb5/krb5-trunk-kpasswd_tcp.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-kpasswd_tcp.patch	Wed Jun  3 16:02:31 2009
@@ -0,0 +1,35 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have
+to wait for UDP to fail, so this might not be ideal.  RT #5868.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20199)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -251,11 +251,22 @@
+ 				   NULL,
+ 				   NULL
+ 		 ))) {
+-
+-	    /*
+-	     * Here we may want to switch to TCP on some errors.
+-	     * right?
+-	     */
++	    /* if we're not using a stream socket, and it's an error which
++	     * might reasonably be specific to a datagram "connection", try
++	     * again with a stream socket */
++	    if (!useTcp) {
++		switch (code) {
++		case KRB5_KDC_UNREACH:
++		case KRB5_REALM_CANT_RESOLVE:
++		case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++		/* should we do this for more result codes than these? */
++		    krb5int_free_addrlist (&al);
++		    useTcp = 1;
++		    continue;
++		default:
++		    break;
++		}
++	    }
+ 	    break;
+ 	}
+ 
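Review bot: The `continue` inside the new `switch` targets the enclosing `do` loop, while `default: break;` leaves only the switch and then falls into the existing loop `break` on the next line; that asymmetry deserves a comment such as `/* continue re-enters the locate/send loop with a stream socket */`, and the loop condition that makes the retry re-locate kpasswd is outside the hunk. The address list is freed before `continue`, so the retry relies on the loop head repopulating `al`; if the locate step does not run again on the next iteration, the freed list would be reused. Including KRB5_KDC_UNREACH in the fallback set also means an unreachable KDC now costs the UDP timeout plus a TCP attempt before the caller sees the error, which the description acknowledges but the code does not.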

================================================================
Index: packages/krb5/krb5-trunk-preauth-master.patch
diff -u /dev/null packages/krb5/krb5-trunk-preauth-master.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-preauth-master.patch	Wed Jun  3 16:02:31 2009
@@ -0,0 +1,48 @@
+Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the
+master and replicas (this error is only returned when ENC_TIMESTAMP fails),
+and if we get a key-expired error right after changing the password, try
+again against the master KDC.  RT#6108
+
+Index: src/lib/krb5/krb/gic_pwd.c
+===================================================================
+--- src/lib/krb5/krb/gic_pwd.c	(revision 20704)
++++ src/lib/krb5/krb/gic_pwd.c	(working copy)
+@@ -147,10 +147,10 @@
+       goto cleanup;
+ 
+    /* If all the kdc's are unavailable, or if the error was due to a
+-      user interrupt, or preauth errored out, fail */
++      user interrupt, or preauth errored out against the master, fail */
+ 
+    if ((ret == KRB5_KDC_UNREACH) ||
+-       (ret == KRB5_PREAUTH_FAILED) ||
++       ((ret == KRB5_PREAUTH_FAILED) && use_master) ||
+        (ret == KRB5_LIBOS_PWDINTR) ||
+ 	   (ret == KRB5_REALM_CANT_RESOLVE))
+       goto cleanup;
+@@ -320,6 +320,25 @@
+ 			     krb5_get_as_key_password, (void *) &pw0,
+ 			     &use_master, &as_reply);
+ 
++   if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master)
++      goto cleanup;
++   else {
++      /* Okay, we *just* changed the password. Retry against a master KDC,
++       * because either the non-master's using outdated data or the admin
++       * has set an impossibly low maximum password lifetime. */
++      use_master = 1;
++      ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
++			         start_time, in_tkt_service, opte,
++			         krb5_get_as_key_password, (void *) &pw0,
++			         &use_master, &as_reply);
++      if ((ret2 != KRB5_KDC_UNREACH) &&
++	  (ret2 != KRB5_REALM_CANT_RESOLVE) &&
++	  (ret2 != KRB5_REALM_UNKNOWN))
++	 ret = ret2;
++      else
++	 use_master = 0;
++   }
++
+ cleanup:
+    krb5int_set_prompt_types(context, 0);
+    /* if getting the password was successful, then check to see if the
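Review bot: `ret2` is assigned and read in the second hunk (gic_pwd.c around line 320) but neither hunk declares it; unless the file already has such a variable, add `krb5_error_code ret2;` alongside the existing declarations. The `else` after `goto cleanup` is redundant and the retry block can be dedented. With the first hunk no longer failing on KRB5_PREAUTH_FAILED when use_master is 0, a wrong password presumably now produces a second pre-authentication attempt against the master; that is worth a comment, since it doubles the failed-attempt count a lockout policy would observe. Both enclosing functions start and end outside the hunks.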

================================================================
Index: packages/krb5/krb5-trunk-seqnum.patch
diff -u /dev/null packages/krb5/krb5-trunk-seqnum.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-seqnum.patch	Wed Jun  3 16:02:31 2009
@@ -0,0 +1,49 @@
+Every KRB-PRIV message we generate to include as part of a password change
+request we create (after the first one) will include sequence numbers which
+look "wrong" to the recipient, because previously generating other KRB-PRIV
+messages will mess with the counters in the auth_context.  Because the
+current code attempts to reuse auth_context structures (and changing that
+would be more invasive), we'll just save the sequence number values as they
+are after we build the AP-REQ, and restore them before generating requests.
+RT#5867.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20195)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -34,6 +34,7 @@
+ #include "k5-int.h"
+ #include "os-proto.h"
+ #include "cm.h"
++#include "../krb/auth_con.h"
+ 
+ #include <stdio.h>
+ #include <errno.h>
+@@ -48,6 +49,7 @@
+     krb5_principal 	set_password_for;
+     char 		*newpw;
+     krb5_data 		ap_req;
++    krb5_ui_4		remote_seq_num, local_seq_num;
+ };
+ 
+ 
+@@ -159,6 +161,9 @@
+ 				       &local_kaddr, NULL))) 
+ 	goto cleanup;
+ 
++    ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
++    ctx->auth_context->local_seq_number = ctx->local_seq_num;
++
+     if (ctx->set_password_for)
+ 	code = krb5int_mk_setpw_req(ctx->context, 
+ 				    ctx->auth_context, 
+@@ -225,6 +230,9 @@
+ 				     &callback_ctx.ap_req)))
+ 	goto cleanup;
+ 
++    callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
++    callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
++
+     do {
+ 	if ((code = krb5_locate_kpasswd(callback_ctx.context,
+ 					krb5_princ_realm(callback_ctx.context,
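Review bot: `#include "../krb/auth_con.h"` in os/changepw.c reaches into another directory's private header so that `remote_seq_number`/`local_seq_number` can be poked directly; an accessor exposed through the library's internal header would keep the auth_context layout private to krb/. The save after the AP-REQ is built and the restore before `krb5int_mk_setpw_req` are silent about the invariant they maintain, so add at the restore `/* every request must carry the sequence numbers the AP-REQ advertised, so undo the increments made by earlier attempts */`. Both enclosing functions extend beyond the hunks.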

================================================================
Index: packages/krb5/krb5-trunk-spnego_delegation.patch
diff -u /dev/null packages/krb5/krb5-trunk-spnego_delegation.patch:1.1
--- /dev/null	Wed Jun  3 16:02:36 2009
+++ packages/krb5/krb5-trunk-spnego_delegation.patch	Wed Jun  3 16:02:31 2009
@@ -0,0 +1,44 @@
+An spnego credential is itself a union credential, so search through it
+when we're looking for credentials of a mechanism which may already have
+been wrapped by spnego.  RT #5807.
+
+Index: src/lib/gssapi/mechglue/g_glue.c
+===================================================================
+--- src/lib/gssapi/mechglue/g_glue.c	(revision 20093)
++++ src/lib/gssapi/mechglue/g_glue.c	(working copy)
+@@ -33,6 +33,8 @@
+ #define	MSO_BIT (8*(sizeof (int) - 1))  /* Most significant octet bit */
+ 
+ extern gss_mechanism *gssint_mechs_array;
++#define SPNEGO_OID_LENGTH 6
++#define SPNEGO_OID "\053\006\001\005\005\002"
+ 
+ /*
+  * This file contains the support routines for the glue layer.
+@@ -548,6 +550,8 @@
+     gss_OID		mech_type;
+ {
+     int		i;
++    gss_union_cred_t	spnego_cred;
++    gss_cred_id_t	mech_cred;
+     
+     if (union_cred == GSS_C_NO_CREDENTIAL)
+ 	return GSS_C_NO_CREDENTIAL;
+@@ -555,6 +559,17 @@
+     for (i=0; i < union_cred->count; i++) {
+ 	if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
+ 	    return union_cred->cred_array[i];
++
++	/* if this is an spnego credential, search its contents */
++	if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) &&
++	    (memcmp(union_cred->mechs_array[i].elements,
++		    SPNEGO_OID,
++		    SPNEGO_OID_LENGTH) == 0)) {
++	    spnego_cred = union_cred->cred_array[i];
++	    mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type);
++	    if (mech_cred != GSS_C_NO_CREDENTIAL)
++		return mech_cred;
++	}
+     }
+     return GSS_C_NO_CREDENTIAL;
+ }
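Review bot: `spnego_cred = union_cred->cred_array[i];` assigns a `gss_cred_id_t` to a `gss_union_cred_t` without a cast; these are distinct pointer types, so the line at least warns and should read `spnego_cred = (gss_union_cred_t) union_cred->cred_array[i]; /* spnego creds are union creds */`. The recursive call into `gssint_get_mechanism_cred` has no depth guard; if a spnego credential could itself wrap a spnego credential the search would recurse through every nesting level, which is presumably bounded in practice but worth stating in the comment. `SPNEGO_OID` duplicates the mechanism's OID as a raw octal literal; if the library already exports that OID descriptor, comparing against it with g_OID_equal would avoid the magic string. `memcmp` needs `<string.h>`, which the first hunk does not add, so it is presumably already included in this file.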
================================================================

