packages: krb5: update to 1.11
authorJonas Gorski <jogo@openwrt.org>
Wed, 20 Feb 2013 13:54:57 +0000 (13:54 +0000)
committerJonas Gorski <jogo@openwrt.org>
Wed, 20 Feb 2013 13:54:57 +0000 (13:54 +0000)
The version currently in openwrt (1.8) has known security issues (see
the release announcements for the subsequent releases) and is quite
outdated (March 2010 as compared to Dec 2012).

The following patch bumps the version and also cleans up the build
script (mostly removing dead configure options, removing obsolete
patches, etc).

The testing binary "sclient" is dropped and kadmind is reintroduced in
krb5-server (I know it was removed to "save space", but kadmind is
around 60kB out of a total of around 700kB for a krb5-server
installation and an installation without kadmind is pretty gimped).

I hope this can be applied both to trunk and the attitude_adjustment
branch.

Signed-off-by: David Härdeman <david@hardeman.nu>
SVN-Revision: 35700

net/krb5/Makefile
net/krb5/files/krb5kdc
net/krb5/patches/001-fix-build-warning.patch [new file with mode: 0644]
net/krb5/patches/001-krb5kdc-dir-to-etc.patch
net/krb5/patches/002-MITKRB5-SA-2011-002.patch

index 58b5a072e044cbdc7c34f85caf742651cc0ce139..8fcb5a48af13c4b1d5cae58a1380f4c73208ab72 100644 (file)
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=krb5
-PKG_VERSION:=1.8
-PKG_RELEASE:=2
+PKG_VERSION:=1.11
+PKG_RELEASE:=1
 
 PKG_SOURCE:=krb5-$(PKG_VERSION)-signed.tar
 PKG_SOURCE_URL:=http://web.mit.edu/kerberos/dist/krb5/$(PKG_VERSION)/
-PKG_MD5SUM:=74257d68373a8df8b9391fc093d594be
+PKG_MD5SUM:=1a13c53899806c4da99a798a04d25545
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 
@@ -47,7 +47,7 @@ define Package/krb5-client
        TITLE:=Kerberos 5 Client
 endef
 
-define Package/krb5/decription
+define Package/krb5/description
        Kerberos
 endef
 
@@ -56,8 +56,7 @@ define Build/Prepare
        # containing source code.
        tar xf "$(DL_DIR)/$(PKG_SOURCE)" -C "$(BUILD_DIR)"
        tar xzf "$(BUILD_DIR)/krb5-$(PKG_VERSION).tar.gz" -C "$(BUILD_DIR)"
-       patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-krb5kdc-dir-to-etc.patch"
-       patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/002-MITKRB5-SA-2011-002.patch"
+       patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-fix-build-warning.patch"
 endef
 
 CONFIGURE_PATH = ./src
@@ -71,10 +70,9 @@ CONFIGURE_VARS += \
        ac_cv_file__etc_TIMEZONE=no
 
 CONFIGURE_ARGS += \
-       --enable-thread-support \
-       --without-krb4 \
        --without-tcl \
-       --disable-ipv6
+       --without-libedit \
+       --localstatedir=/etc
 
 define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/include
@@ -113,11 +111,11 @@ endef
 define Package/krb5-server/install
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/krb5kdc $(1)/etc/init.d/krb5kdc
-       $(INSTALL_DIR) $(1)/usr/bin
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
+#      $(INSTALL_DIR) $(1)/usr/bin
+#      $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
        $(INSTALL_DIR) $(1)/usr/sbin
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmin.local $(1)/usr/sbin
-#      $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kdb5_util $(1)/usr/sbin
 #      $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kprop $(1)/usr/sbin
 #      $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kpropd $(1)/usr/sbin
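Review bot: The updated PKG_MD5SUM is the only integrity check the build applies to the download, because Build/Prepare unpacks `krb5-$(PKG_VERSION)-signed.tar` and then the inner `krb5-$(PKG_VERSION).tar.gz` without verifying the detached signature that the signed bundle presumably carries. MD5 is collision-weak, so verifying the inner tarball's signature against the MIT release key in Build/Prepare (or at least a SHA-256 checksum, if the build system offers such a variable) would make the version bump verifiably the upstream release rather than merely the file that was downloaded once. Separately, the two sclient install lines at the end of Package/krb5-server/install are kept as `#` comments after being dropped; since the commit message says sclient is gone, deleting them is cleaner than leaving commented-out code next to the other commented-out kprop/kpropd lines.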
index 5962683168a7dd8860f360b01ed6d96915c9d60b..dec7188e9b01e32f03b5fafbd300ce7780a182e4 100644 (file)
@@ -10,8 +10,10 @@ start() {
        [ -f /etc/krb5kdc/principal ] || ( echo; echo ) | kdb5_util create -s
        
        /usr/sbin/krb5kdc
+       /usr/sbin/kadmind
 }
 
 stop() {
        killall krb5kdc 2> /dev/null
+       killall kadmind 2> /dev/null
 }
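Review bot: kadmind is now started unconditionally after krb5kdc in start(), with no check that the KDC came up or that an admin ACL has been provisioned; kadmind serves remote administration requests, so on a router it should only be launched when it has been deliberately set up, e.g. `[ -f /etc/krb5kdc/kadm5.acl ] && /usr/sbin/kadmind` (that path assumes the new `--localstatedir=/etc` keeps the default `krb5kdc/kadm5.acl` layout — confirm). The matching `killall kadmind` in stop() terminates by process name, which follows the existing style of the script but would also hit any unrelated process with that name; a pid file would be more precise if the daemon offers one. Note also that the unchanged line above creates the database with an empty master password piped from `( echo; echo )`; with kadmind now reachable that default deserves a second look.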
diff --git a/net/krb5/patches/001-fix-build-warning.patch b/net/krb5/patches/001-fix-build-warning.patch
new file mode 100644 (file)
index 0000000..d199398
--- /dev/null
@@ -0,0 +1,12 @@
+diff -ur krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c krb5-1.11/src/lib/krb5/krb/preauth2.c
+--- krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c      2012-12-18 03:47:05.000000000 +0100
++++ krb5-1.11/src/lib/krb5/krb/preauth2.c      2013-02-18 03:53:20.580840173 +0100
+@@ -956,7 +956,7 @@
+     size_t i, h;
+     int out_pa_list_size = 0;
+     krb5_pa_data **out_pa_list = NULL;
+-    krb5_error_code ret, module_ret;
++    krb5_error_code ret, module_ret = 0;
+     krb5_responder_fn responder = opte->opt_private->responder;
+     static const int paorder[] = { PA_INFO, PA_REAL };
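Review bot: The new patch initialises `module_ret = 0` but carries no header saying which warning it silences or which compiler emitted it, so a later reader cannot tell whether the warning was a false positive or a real read-before-write path in the function (the rest of the function is outside the hunk). Add a description above the `diff -ur` line along the lines of `Initialise module_ret to silence a maybe-uninitialized warning from <compiler/version placeholder> in preauth2.c; upstream status: <placeholder>`, and record whether the fix has been submitted upstream so the patch can be dropped on the next bump. If the warning reflects a genuine path where module_ret is read before any module sets it, zero may mask an error return rather than fix it — worth confirming against the function body.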
index a017125030a1ad9c6f23817eba66863789e481d4..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
@@ -1,51 +0,0 @@
-diff -u --recursive krb5-1.8-vanilla/src/include/osconf.hin krb5-1.8/src/include/osconf.hin
---- krb5-1.8-vanilla/src/include/osconf.hin    2010-04-01 16:28:29.408661301 -0500
-+++ krb5-1.8/src/include/osconf.hin    2010-04-01 16:30:52.235467788 -0500
-@@ -61,14 +61,14 @@
- #define DEFAULT_LNAME_FILENAME  "@PREFIX/lib/krb5.aname"
- #endif /* _WINDOWS  */
--#define DEFAULT_KDB_FILE        "@LOCALSTATEDIR/krb5kdc/principal"
--#define DEFAULT_KEYFILE_STUB    "@LOCALSTATEDIR/krb5kdc/.k5."
--#define KRB5_DEFAULT_ADMIN_ACL  "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
-+#define DEFAULT_KDB_FILE        "/etc/krb5kdc/principal"
-+#define DEFAULT_KEYFILE_STUB    "/etc/krb5kdc/.k5."
-+#define KRB5_DEFAULT_ADMIN_ACL  "/etc/krb5kdc/krb5_adm.acl"
- /* Used by old admin server */
--#define DEFAULT_ADMIN_ACL       "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
-+#define DEFAULT_ADMIN_ACL       "/etc/krb5kdc/kadm_old.acl"
- /* Location of KDC profile */
--#define DEFAULT_KDC_PROFILE     "@LOCALSTATEDIR/krb5kdc/kdc.conf"
-+#define DEFAULT_KDC_PROFILE     "/etc/krb5kdc/kdc.conf"
- #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
- #if TARGET_OS_MAC
-@@ -97,8 +97,8 @@
- /*
-  * Defaults for the KADM5 admin system.
-  */
--#define DEFAULT_KADM5_KEYTAB    "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
--#define DEFAULT_KADM5_ACL_FILE  "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
-+#define DEFAULT_KADM5_KEYTAB    "/etc/krb5kdc/kadm5.keytab"
-+#define DEFAULT_KADM5_ACL_FILE  "/etc/krb5kdc/kadm5.acl"
- #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
- #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
-@@ -123,13 +123,13 @@
-  * krb5 slave support follows
-  */
--#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
--#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
-+#define KPROP_DEFAULT_FILE "/etc/krb5kdc/slave_datatrans"
-+#define KPROPD_DEFAULT_FILE "/etc/krb5kdc/from_master"
- #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
- #define KPROPD_DEFAULT_KDB5_EDIT "@SBINDIR/kdb5_edit"
- #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
- #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
--#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
-+#define KPROPD_ACL_FILE "/etc/krb5kdc/kpropd.acl"
- /*
-  * GSS mechglue
index 5e0da20c882cdf4e61e8b40423a7447ffcbf83fc..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
@@ -1,112 +0,0 @@
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 1ca09b4..60caf3d 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
--    do {                                                                \
--        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
--        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
--            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
--            if (ldap_server_handle)                                     \
--                ld = ldap_server_handle->ldap_handle;                   \
--        }                                                               \
--    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+    tempst = 0;                                                         \
-+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
-+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
-+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
-+        if (ldap_server_handle)                                         \
-+            ld = ldap_server_handle->ldap_handle;                       \
-+        if (tempst == 0)                                                \
-+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
-+                                   NULL, NULL, &timelimit,              \
-+                                   LDAP_NO_LIMIT, &result);             \
-+    }                                                                   \
-                                                                         \
-     if (status_check != IGNORE_STATUS) {                                \
-         if (tempst != 0) {                                              \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
-     krb5_ldap_server_handle     *handle = *ldap_server_handle;
-+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
-     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
-         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
-         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index f549e23..b70940f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
-      * portion, then the first portion of the principal name SHOULD be
-      * "krbtgt".  All this check is done in the immediate block.
-      */
--    if (searchfor->length == 2)
--        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
--                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
--            (strncasecmp(searchfor->data[1].data, defrealm,
--                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+    if (searchfor->length == 2) {
-+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+            data_eq_string(searchfor->data[1], defrealm))
-             return 0;
-+    }
-     /* first check the length, if they are not equal, then they are not same */
-     if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 7ad31da..626ed1f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-                         unsigned int flags, krb5_db_entry *entries,
-                         int *nentries, krb5_boolean *more)
- {
--    char                        *user=NULL, *filter=NULL, **subtree=NULL;
-+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
-     unsigned int                tree=0, ntrees=1, princlen=0;
-     krb5_error_code             tempst=0, st=0;
--    char                        **values=NULL, *cname=NULL;
-+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
-     LDAP                        *ld=NULL;
-     LDAPMessage                 *result=NULL, *ent=NULL;
-     krb5_ldap_context           *ldap_context=NULL;
-@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
-         goto cleanup;
--    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
-+    filtuser = ldap_filter_correct(user);
-+    if (filtuser == NULL) {
-+        st = ENOMEM;
-+        goto cleanup;
-+    }
-+
-+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
-     if ((filter = malloc(princlen)) == NULL) {
-         st = ENOMEM;
-         goto cleanup;
-     }
--    snprintf(filter, princlen, FILTER"%s))", user);
-+    snprintf(filter, princlen, FILTER"%s))", filtuser);
-     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
-         goto cleanup;
-@@ -231,6 +237,9 @@ cleanup:
-     if (user)
-         free(user);
-+    if (filtuser)
-+        free(filtuser);
-+
-     if (cname)
-         free(cname);