[krb5] - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating using the old protocol

Nalin Dahyabhai nalin at fedoraproject.org
Tue Jun 14 18:45:14 UTC 2011


commit 17c9104b1d019d4140967694d9e29911328d53fb
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Jun 14 14:25:28 2011 -0400

    - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
      using the old protocol over IPv4 again (RT#6920)

 krb5-trunk-kadmin-oldproto.patch |   39 ++++++++++++++++++++++++++++++++++++++
 krb5.spec                        |    6 +++++
 2 files changed, 45 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-kadmin-oldproto.patch b/krb5-trunk-kadmin-oldproto.patch
new file mode 100644
index 0000000..da4172a
--- /dev/null
+++ b/krb5-trunk-kadmin-oldproto.patch
@@ -0,0 +1,39 @@
+------------------------------------------------------------------------
+r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
+
+ticket: 6920
+subject: Fix old-style GSSRPC authentication
+target_version: 1.9.2
+tags: pullup
+
+r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
+the kadmin socket, even when it's IPv4.  This made old-style GSSAPI
+authentication fail because it uses the wrong channel bindings.  Fix
+this problem by making clnttcp_create() get the remote address from
+the socket using getpeername() if the caller doesn't provide it and
+it's an IPv4 address.
+------------------------------------------------------------------------
+Index: src/lib/rpc/clnt_tcp.c
+===================================================================
+--- src/lib/rpc/clnt_tcp.c	(revision 24966)
++++ src/lib/rpc/clnt_tcp.c	(revision 24967)
+@@ -187,9 +187,16 @@
+ 	ct->ct_sock = *sockp;
+ 	ct->ct_wait.tv_usec = 0;
+ 	ct->ct_waitset = FALSE;
+-	if (raddr == NULL)
+-	    memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+-	else
++	if (raddr == NULL) {
++	    /* Get the remote address from the socket, if it's IPv4. */
++	    struct sockaddr_in sin;
++	    socklen_t len = sizeof(sin);
++	    int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
++	    if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
++		ct->ct_addr = sin;
++	    else
++		memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++	} else
+ 	    ct->ct_addr = *raddr;
+ 
+ 	/*
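Review bot: The comment on the new `raddr == NULL` branch says what is fetched but not why, and the reason is security-relevant: per the commit message, old-style GSSAPI authentication computes its channel bindings from the remote address, so a zeroed `ct_addr` makes authentication fail. I would expand the comment to `/* Old-style GSSRPC auth needs the peer address for channel bindings; recover it from the socket when the caller gives none (IPv4 only). */` so that a later cleanup does not drop the lookup again, as r24147 did. A failed `getpeername()` and a non-IPv4 peer also both fall through to the same `memset`, so a genuine socket error cannot be told apart from the intended non-IPv4 case; if that is deliberate best-effort behaviour, the comment should say so. The enclosing function starts and ends outside the hunk.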
diff --git a/krb5.spec b/krb5.spec
index 2c3ca15..740644a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -53,6 +53,7 @@ Patch75: krb5-pkinit-debug.patch
 Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
 Patch79: krb5-klist_s.patch
+Patch80: krb5-trunk-kadmin-oldproto.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -197,6 +198,7 @@ ln -s NOTICE LICENSE
 %patch77 -p1 -b .paren
 %patch78 -p0 -b .chpw-err
 %patch79 -p1 -b .klist_s
+%patch80 -p0 -b .kadmin-oldproto
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -657,6 +659,10 @@ exit 0
 
 %changelog
 * Tue Jun 14 2011 Nalin Dahyabhai <nalin at redhat.com>
+- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
+  using the old protocol over IPv4 again (RT#6920)
+
+* Tue Jun 14 2011 Nalin Dahyabhai <nalin at redhat.com>
 - incorporate a fix to teach the file labeling bits about when replay caches
   are expunged (#576093)
 

