bakabtw/packages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

packages: krb5: update to 1.11

Browse Source 
The version currently in openwrt (1.8) has known security issues (see
the release announcements for the subsequent releases) and is quite
outdated (March 2010 as compared to Dec 2012).

The following patch bumps the version and also cleans up the build
script (mostly removing dead configure options, removing obsolete
patches, etc).

The testing binary "sclient" is dropped and kadmind is reintroduced in
krb5-server (I know it was removed to "save space", but kadmind is
around 60kB out of a total of around 700kB for a krb5-server
installation and an installation without kadmind is pretty gimped).

I hope this can be applied both to trunk and the attitude_adjustment
branch.

Signed-off-by: David Härdeman <david@hardeman.nu>

git-svn-id: svn://svn.openwrt.org/openwrt/packages@35700 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
jogo 2013-02-20 13:54:57 +00:00
parent 6d1d2eb756
commit cdf2765d83
5 changed files with 24 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
net/krb5/Makefile
View File

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=krb5
PKG_VERSION:=1.8
PKG_RELEASE:=2
PKG_VERSION:=1.11
PKG_RELEASE:=1
PKG_SOURCE:=krb5-$(PKG_VERSION)-signed.tar
PKG_SOURCE_URL:=http://web.mit.edu/kerberos/dist/krb5/$(PKG_VERSION)/
PKG_MD5SUM:=74257d68373a8df8b9391fc093d594be
PKG_MD5SUM:=1a13c53899806c4da99a798a04d25545
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@ -47,7 +47,7 @@ define Package/krb5-client
TITLE:=Kerberos 5 Client
endef
define Package/krb5/decription
define Package/krb5/description
Kerberos
endef
@ -56,8 +56,7 @@ define Build/Prepare
# containing source code.
tar xf "$(DL_DIR)/$(PKG_SOURCE)" -C "$(BUILD_DIR)"
tar xzf "$(BUILD_DIR)/krb5-$(PKG_VERSION).tar.gz" -C "$(BUILD_DIR)"
patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-krb5kdc-dir-to-etc.patch"
patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/002-MITKRB5-SA-2011-002.patch"
patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-fix-build-warning.patch"
endef
CONFIGURE_PATH = ./src
@ -71,10 +70,9 @@ CONFIGURE_VARS += \
ac_cv_file__etc_TIMEZONE=no
CONFIGURE_ARGS += \
--enable-thread-support \
--without-krb4 \
--without-tcl \
--disable-ipv6
--without-libedit \
--localstatedir=/etc
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
@ -113,11 +111,11 @@ endef
define Package/krb5-server/install
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/krb5kdc $(1)/etc/init.d/krb5kdc
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
# $(INSTALL_DIR) $(1)/usr/bin
# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmin.local $(1)/usr/sbin
# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kdb5_util $(1)/usr/sbin
# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kprop $(1)/usr/sbin
# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kpropd $(1)/usr/sbin

2
net/krb5/files/krb5kdc
View File

@ -10,8 +10,10 @@ start() {
[ -f /etc/krb5kdc/principal ] || ( echo; echo ) | kdb5_util create -s
/usr/sbin/krb5kdc
/usr/sbin/kadmind
}
stop() {
killall krb5kdc 2> /dev/null
killall kadmind 2> /dev/null
}

12
net/krb5/patches/001-fix-build-warning.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ur krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c krb5-1.11/src/lib/krb5/krb/preauth2.c
--- krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c 2012-12-18 03:47:05.000000000 +0100
+++ krb5-1.11/src/lib/krb5/krb/preauth2.c 2013-02-18 03:53:20.580840173 +0100
@@ -956,7 +956,7 @@
size_t i, h;
int out_pa_list_size = 0;
krb5_pa_data **out_pa_list = NULL;
- krb5_error_code ret, module_ret;
+ krb5_error_code ret, module_ret = 0;
krb5_responder_fn responder = opte->opt_private->responder;
static const int paorder[] = { PA_INFO, PA_REAL };

51
net/krb5/patches/001-krb5kdc-dir-to-etc.patch
View File

@ -1,51 +0,0 @@
diff -u --recursive krb5-1.8-vanilla/src/include/osconf.hin krb5-1.8/src/include/osconf.hin
--- krb5-1.8-vanilla/src/include/osconf.hin 2010-04-01 16:28:29.408661301 -0500
+++ krb5-1.8/src/include/osconf.hin 2010-04-01 16:30:52.235467788 -0500
@@ -61,14 +61,14 @@
#define DEFAULT_LNAME_FILENAME "@PREFIX/lib/krb5.aname"
#endif /* _WINDOWS */
-#define DEFAULT_KDB_FILE "@LOCALSTATEDIR/krb5kdc/principal"
-#define DEFAULT_KEYFILE_STUB "@LOCALSTATEDIR/krb5kdc/.k5."
-#define KRB5_DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
+#define DEFAULT_KDB_FILE "/etc/krb5kdc/principal"
+#define DEFAULT_KEYFILE_STUB "/etc/krb5kdc/.k5."
+#define KRB5_DEFAULT_ADMIN_ACL "/etc/krb5kdc/krb5_adm.acl"
/* Used by old admin server */
-#define DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
+#define DEFAULT_ADMIN_ACL "/etc/krb5kdc/kadm_old.acl"
/* Location of KDC profile */
-#define DEFAULT_KDC_PROFILE "@LOCALSTATEDIR/krb5kdc/kdc.conf"
+#define DEFAULT_KDC_PROFILE "/etc/krb5kdc/kdc.conf"
#define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
#if TARGET_OS_MAC
@@ -97,8 +97,8 @@
/*
* Defaults for the KADM5 admin system.
*/
-#define DEFAULT_KADM5_KEYTAB "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
-#define DEFAULT_KADM5_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
+#define DEFAULT_KADM5_KEYTAB "/etc/krb5kdc/kadm5.keytab"
+#define DEFAULT_KADM5_ACL_FILE "/etc/krb5kdc/kadm5.acl"
#define DEFAULT_KADM5_PORT 749 /* assigned by IANA */
#define KRB5_DEFAULT_SUPPORTED_ENCTYPES \
@@ -123,13 +123,13 @@
* krb5 slave support follows
*/
-#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
-#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
+#define KPROP_DEFAULT_FILE "/etc/krb5kdc/slave_datatrans"
+#define KPROPD_DEFAULT_FILE "/etc/krb5kdc/from_master"
#define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
#define KPROPD_DEFAULT_KDB5_EDIT "@SBINDIR/kdb5_edit"
#define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
#define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
-#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
+#define KPROPD_ACL_FILE "/etc/krb5kdc/kpropd.acl"
/*
* GSS mechglue

112
net/krb5/patches/002-MITKRB5-SA-2011-002.patch
View File

@ -1,112 +0,0 @@
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 1ca09b4..60caf3d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
#define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
- do { \
- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
- if (ldap_server_handle) \
- ld = ldap_server_handle->ldap_handle; \
- } \
- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+ tempst = 0; \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+ if (ldap_server_handle) \
+ ld = ldap_server_handle->ldap_handle; \
+ if (tempst == 0) \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
+ NULL, NULL, &timelimit, \
+ LDAP_NO_LIMIT, &result); \
+ } \
\
if (status_check != IGNORE_STATUS) { \
if (tempst != 0) { \
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 82b0333..84e80ee 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index f549e23..b70940f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
* portion, then the first portion of the principal name SHOULD be
* "krbtgt". All this check is done in the immediate block.
*/
- if (searchfor->length == 2)
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
- (strncasecmp(searchfor->data[1].data, defrealm,
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+ if (searchfor->length == 2) {
+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
+ data_eq_string(searchfor->data[1], defrealm))
return 0;
+ }
/* first check the length, if they are not equal, then they are not same */
if (strlen(defrealm) != searchfor->realm.length)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 7ad31da..626ed1f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
unsigned int flags, krb5_db_entry *entries,
int *nentries, krb5_boolean *more)
{
- char *user=NULL, *filter=NULL, **subtree=NULL;
+ char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
- char **values=NULL, *cname=NULL;
+ char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
+ filtuser = ldap_filter_correct(user);
+ if (filtuser == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+
+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
- snprintf(filter, princlen, FILTER"%s))", user);
+ snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
@@ -231,6 +237,9 @@ cleanup:
if (user)
free(user);
+ if (filtuser)
+ free(filtuser);
+
if (cname)
free(cname);