Changeset 35700


Timestamp:
2013-02-20T14:54:57+01:00 (5 years ago)
Author:
jogo
Message:

packages: krb5: update to 1.11

The version currently in openwrt (1.8) has known security issues (see
the release announcements for the subsequent releases) and is quite
outdated (March 2010 as compared to Dec 2012).

The following patch bumps the version and also cleans up the build
script (mostly removing dead configure options, removing obsolete
patches, etc).

The testing binary "sclient" is dropped and kadmind is reintroduced in
krb5-server (I know it was removed to "save space", but kadmind is
around 60kB out of a total of around 700kB for a krb5-server
installation and an installation without kadmind is pretty gimped).

I hope this can be applied both to trunk and the attitude_adjustment
branch.

Signed-off-by: David Härdeman <david@…>

Location:
packages/net/krb5
Files:
1 added
4 edited

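--- a/packages/net/krb5/Makefile
+++ b/packages/net/krb5/Makefile
@@ -2,10 +2,10 @@
 
 PKG_NAME:=krb5
-PKG_VERSION:=1.8
-PKG_RELEASE:=2
+PKG_VERSION:=1.11
+PKG_RELEASE:=1
 
 PKG_SOURCE:=krb5-$(PKG_VERSION)-signed.tar
 PKG_SOURCE_URL:=http://web.mit.edu/kerberos/dist/krb5/$(PKG_VERSION)/
-PKG_MD5SUM:=74257d68373a8df8b9391fc093d594be
+PKG_MD5SUM:=1a13c53899806c4da99a798a04d25545
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@@ -48,5 +48,5 @@
 endef
 
-define Package/krb5/decription
+define Package/krb5/description
         Kerberos
 endef
@@ -57,6 +57,5 @@
         tar xf "$(DL_DIR)/$(PKG_SOURCE)" -C "$(BUILD_DIR)"
         tar xzf "$(BUILD_DIR)/krb5-$(PKG_VERSION).tar.gz" -C "$(BUILD_DIR)"
-        patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-krb5kdc-dir-to-etc.patch"
-        patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/002-MITKRB5-SA-2011-002.patch"
+        patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-fix-build-warning.patch"
 endef
 
@@ -72,8 +71,7 @@
 
 CONFIGURE_ARGS += \
-        --enable-thread-support \
-        --without-krb4 \
         --without-tcl \
-        --disable-ipv6
+        --without-libedit \
+        --localstatedir=/etc
 
 define Build/InstallDev
@@ -114,9 +112,9 @@
         $(INSTALL_DIR) $(1)/etc/init.d
         $(INSTALL_BIN) ./files/krb5kdc $(1)/etc/init.d/krb5kdc
-        $(INSTALL_DIR) $(1)/usr/bin
-        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
+#       $(INSTALL_DIR) $(1)/usr/bin
+#       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
         $(INSTALL_DIR) $(1)/usr/sbin
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmin.local $(1)/usr/sbin
-#       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
+        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kdb5_util $(1)/usr/sbin
 #       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kprop $(1)/usr/sbin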
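Review bot: The upstream artifact is `krb5-$(PKG_VERSION)-signed.tar`, which by MIT's naming presumably bundles the source tarball with a detached PGP signature, yet Build/Prepare in the third hunk only does `tar xf` on the wrapper and `tar xzf` on the inner `krb5-$(PKG_VERSION).tar.gz`, so that signature is never checked and the `PKG_MD5SUM` in the first hunk remains the sole integrity check on the download. If the build host can be assumed to have gpg and a pinned MIT signing key, a `gpg --verify` of the inner tarball against the bundled `.asc` before the second `tar` would turn the shipped signature into an actual check; if not, a comment next to the `tar xf` line such as `# NOTE: the .asc inside the -signed.tar is not verified; PKG_MD5SUM is the only integrity check` records the gap for the next maintainer. As a style point, the last hunk keeps the dropped sclient install as two commented-out lines beside the already-commented kprop line; deleting them rather than commenting keeps the install recipe from accumulating dead lines. The Build/Prepare define and the install recipe both begin outside this section.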
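--- a/packages/net/krb5/files/krb5kdc
+++ b/packages/net/krb5/files/krb5kdc
@@ -11,7 +11,9 @@
         
        /usr/sbin/krb5kdc
+       /usr/sbin/kadmind
 }
 
 stop() {
        killall krb5kdc 2> /dev/null
+       killall kadmind 2> /dev/null
 }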
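Review bot: kadmind is launched unconditionally in start() immediately after krb5kdc, so every host that enables this service now also exposes the kadmin listener (port 749 per the DEFAULT_KADM5_PORT default visible in the removed osconf patch) even when no admin ACL or keytab has been provisioned, and because the script does not check exit status a failed kadmind start is silent. With the new `--localstatedir=/etc` the daemon presumably looks for those files under /etc/krb5kdc, so gating the launch on the ACL being present, `[ -f /etc/krb5kdc/kadm5.acl ] && /usr/sbin/kadmind`, keeps a KDC-only box from listening on the admin port by default. stop() kills by process name with `killall kadmind`, which also takes down any kadmind not started by this script; a pidfile or start-stop-daemon, if the base system provides one, would be more precise. start() begins before this section.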
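--- a/packages/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -u --recursive krb5-1.8-vanilla/src/include/osconf.hin krb5-1.8/src/include/osconf.hin
---- krb5-1.8-vanilla/src/include/osconf.hin     2010-04-01 16:28:29.408661301 -0500
-+++ krb5-1.8/src/include/osconf.hin     2010-04-01 16:30:52.235467788 -0500
-@@ -61,14 +61,14 @@
- #define DEFAULT_LNAME_FILENAME  "@PREFIX/lib/krb5.aname"
- #endif /* _WINDOWS  */
- 
--#define DEFAULT_KDB_FILE        "@LOCALSTATEDIR/krb5kdc/principal"
--#define DEFAULT_KEYFILE_STUB    "@LOCALSTATEDIR/krb5kdc/.k5."
--#define KRB5_DEFAULT_ADMIN_ACL  "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
-+#define DEFAULT_KDB_FILE        "/etc/krb5kdc/principal"
-+#define DEFAULT_KEYFILE_STUB    "/etc/krb5kdc/.k5."
-+#define KRB5_DEFAULT_ADMIN_ACL  "/etc/krb5kdc/krb5_adm.acl"
- /* Used by old admin server */
--#define DEFAULT_ADMIN_ACL       "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
-+#define DEFAULT_ADMIN_ACL       "/etc/krb5kdc/kadm_old.acl"
- 
- /* Location of KDC profile */
--#define DEFAULT_KDC_PROFILE     "@LOCALSTATEDIR/krb5kdc/kdc.conf"
-+#define DEFAULT_KDC_PROFILE     "/etc/krb5kdc/kdc.conf"
- #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
- 
- #if TARGET_OS_MAC
-@@ -97,8 +97,8 @@
- /*
-  * Defaults for the KADM5 admin system.
-  */
--#define DEFAULT_KADM5_KEYTAB    "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
--#define DEFAULT_KADM5_ACL_FILE  "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
-+#define DEFAULT_KADM5_KEYTAB    "/etc/krb5kdc/kadm5.keytab"
-+#define DEFAULT_KADM5_ACL_FILE  "/etc/krb5kdc/kadm5.acl"
- #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
- 
- #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
-@@ -123,13 +123,13 @@
-  * krb5 slave support follows
-  */
- 
--#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
--#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
-+#define KPROP_DEFAULT_FILE "/etc/krb5kdc/slave_datatrans"
-+#define KPROPD_DEFAULT_FILE "/etc/krb5kdc/from_master"
- #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
- #define KPROPD_DEFAULT_KDB5_EDIT "@SBINDIR/kdb5_edit"
- #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
- #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
--#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
-+#define KPROPD_ACL_FILE "/etc/krb5kdc/kpropd.acl"
- 
- /*
-  * GSS mechglue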
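--- a/packages/net/krb5/patches/002-MITKRB5-SA-2011-002.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 1ca09b4..60caf3d 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
- 
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
--    do {                                                                \
--        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
--        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
--            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
--            if (ldap_server_handle)                                     \
--                ld = ldap_server_handle->ldap_handle;                   \
--        }                                                               \
--    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+    tempst = 0;                                                         \
-+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
-+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
-+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
-+        if (ldap_server_handle)                                         \
-+            ld = ldap_server_handle->ldap_handle;                       \
-+        if (tempst == 0)                                                \
-+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
-+                                   NULL, NULL, &timelimit,              \
-+                                   LDAP_NO_LIMIT, &result);             \
-+    }                                                                   \
-                                                                         \
-     if (status_check != IGNORE_STATUS) {                                \
-         if (tempst != 0) {                                              \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
-     krb5_ldap_server_handle     *handle = *ldap_server_handle;
- 
-+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
-     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
-         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
-         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index f549e23..b70940f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
-      * portion, then the first portion of the principal name SHOULD be
-      * "krbtgt".  All this check is done in the immediate block.
-      */
--    if (searchfor->length == 2)
--        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
--                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
--            (strncasecmp(searchfor->data[1].data, defrealm,
--                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+    if (searchfor->length == 2) {
-+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+            data_eq_string(searchfor->data[1], defrealm))
-             return 0;
-+    }
- 
-     /* first check the length, if they are not equal, then they are not same */
-     if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 7ad31da..626ed1f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-                         unsigned int flags, krb5_db_entry *entries,
-                         int *nentries, krb5_boolean *more)
- {
--    char                        *user=NULL, *filter=NULL, **subtree=NULL;
-+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
-     unsigned int                tree=0, ntrees=1, princlen=0;
-     krb5_error_code             tempst=0, st=0;
--    char                        **values=NULL, *cname=NULL;
-+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
-     LDAP                        *ld=NULL;
-     LDAPMessage                 *result=NULL, *ent=NULL;
-     krb5_ldap_context           *ldap_context=NULL;
-@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
-         goto cleanup;
- 
--    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
-+    filtuser = ldap_filter_correct(user);
-+    if (filtuser == NULL) {
-+        st = ENOMEM;
-+        goto cleanup;
-+    }
-+
-+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
-     if ((filter = malloc(princlen)) == NULL) {
-         st = ENOMEM;
-         goto cleanup;
-     }
--    snprintf(filter, princlen, FILTER"%s))", user);
-+    snprintf(filter, princlen, FILTER"%s))", filtuser);
- 
-     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
-         goto cleanup;
-@@ -231,6 +237,9 @@ cleanup:
-     if (user)
-         free(user);
- 
-+    if (filtuser)
-+        free(filtuser);
-+
-     if (cname)
-         free(cname);
- 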