[krb5] - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and make it public (#74
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Oct 13 19:31:52 UTC 2011
commit 73b7dd3ece7cca6d86654c833991f64ed4c445bd
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Oct 13 15:31:36 2011 -0400
- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and
make it public (#745533)
krb5-trunk-ext_pac_sign.patch | 150 +++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 ++-
2 files changed, 157 insertions(+), 1 deletions(-)
---
diff --git a/krb5-trunk-ext_pac_sign.patch b/krb5-trunk-ext_pac_sign.patch
new file mode 100644
index 0000000..9bcb977
--- /dev/null
+++ b/krb5-trunk-ext_pac_sign.patch
@@ -0,0 +1,150 @@
+* dropped hunk that modified src/lib/krb5_32.def
+* adjusted to apply to 1.9.1
+* try to keep the old symbol name around in case someone's basing which one
+ they use on a version check (a wild guess, but it's inexpensive to do it)
+
+commit 297cb47b92892daa52092c932bc5345b2fcb9285
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Wed Oct 12 16:34:07 2011 +0000
+
+ ticket: 6974
+ subject: Make krb5_pac_sign public
+
+ krb5int_pac_sign was created as a private API because it is only
+ needed by the KDC. But it is actually used by DAL or authdata plugin
+ modules, not the core KDC code. Since plugin modules should not need
+ to consume internal libkrb5 functions, rename krb5int_pac_sign to
+ krb5_pac_sign and make it public.
+
+ git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 1682a34..d2498a8 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -2786,15 +2786,6 @@ k5alloc(size_t len, krb5_error_code *code)
+ }
+
+ krb5_error_code KRB5_CALLCONV
+-krb5int_pac_sign(krb5_context context,
+- krb5_pac pac,
+- krb5_timestamp authtime,
+- krb5_const_principal principal,
+- const krb5_keyblock *server_key,
+- const krb5_keyblock *privsvr_key,
+- krb5_data *data);
+-
+-krb5_error_code KRB5_CALLCONV
+ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index 3d9dbbf..3327977 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -7495,6 +7495,27 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
+ krb5_timestamp authtime, krb5_const_principal principal,
+ const krb5_keyblock *server, const krb5_keyblock *privsvr);
+
++/**
++ * Sign a PAC.
++ *
++ * @param [in] context Library context
++ * @param [in] pac PAC handle
++ * @param [in] authtime Expected timestamp
++ * @param [in] principal Expected principal name (or NULL)
++ * @param [in] server Key for server checksum
++ * @param [in] privsvr Key for KDC checksum
++ * @param [out] data Signed PAC encoding
++ *
++ * This function signs @a pac using the keys @a server and @a privsvr and
++ * returns the signed encoding in @a data. @a pac is modified to include the
++ * server and KDC checksum buffers. Use krb5_free_data_contents() to free @a
++ * data when it is no longer needed.
++ */
++krb5_error_code KRB5_CALLCONV
++krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
++ krb5_const_principal principal, const krb5_keyblock *server_key,
++ const krb5_keyblock *privsvr_key, krb5_data *data);
++
+ /* Allows the appplication to override the profile's allow_weak_crypto setting.
+ * Primarily for use by aklog. */
+ krb5_error_code KRB5_CALLCONV
+diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
+index ae11a0c..26b1f13 100644
+--- a/src/lib/krb5/krb/pac_sign.c
++++ b/src/lib/krb5/krb/pac_sign.c
+@@ -190,6 +190,15 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key,
+ krb5_data *data)
++{
++ return krb5_pac_sign(context, pac, authtime, principal,
++ server_key, privsvr_key, data);
++}
++
++krb5_error_code KRB5_CALLCONV
++krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
++ krb5_const_principal principal, const krb5_keyblock *server_key,
++ const krb5_keyblock *privsvr_key, krb5_data *data)
+ {
+ krb5_error_code ret;
+ krb5_data server_cksum, privsvr_cksum;
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index 9e96b69..61fb51a 100644
+--- a/src/lib/krb5/krb/t_pac.c
++++ b/src/lib/krb5/krb/t_pac.c
+@@ -149,10 +149,10 @@ main(int argc, char **argv)
+ if (ret)
+ err(context, ret, "krb5_pac_verify");
+
+- ret = krb5int_pac_sign(context, pac, authtime, p,
+- &member_keyblock, &kdc_keyblock, &data);
++ ret = krb5_pac_sign(context, pac, authtime, p,
++ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+- err(context, ret, "krb5int_pac_sign");
++ err(context, ret, "krb5_pac_sign");
+
+ krb5_pac_free(context, pac);
+
+@@ -204,10 +204,10 @@ main(int argc, char **argv)
+ }
+ free(list);
+
+- ret = krb5int_pac_sign(context, pac2, authtime, p,
+- &member_keyblock, &kdc_keyblock, &data);
++ ret = krb5_pac_sign(context, pac2, authtime, p,
++ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+- err(context, ret, "krb5int_pac_sign 4");
++ err(context, ret, "krb5_pac_sign 4");
+
+ krb5_pac_free(context, pac2);
+
+@@ -283,10 +283,10 @@ main(int argc, char **argv)
+ krb5_free_data_contents(context, &data);
+ }
+
+- ret = krb5int_pac_sign(context, pac, authtime, p,
+- &member_keyblock, &kdc_keyblock, &data);
++ ret = krb5_pac_sign(context, pac, authtime, p,
++ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+- err(context, ret, "krb5int_pac_sign");
++ err(context, ret, "krb5_pac_sign");
+
+ krb5_pac_free(context, pac);
+
+diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
+index e31ebb9..c4a0015 100644
+--- a/src/lib/krb5/libkrb5.exports
++++ b/src/lib/krb5/libkrb5.exports
+@@ -465,6 +465,7 @@ krb5_pac_get_buffer
+ krb5_pac_get_types
+ krb5_pac_init
+ krb5_pac_parse
++krb5_pac_sign
+ krb5_pac_verify
+ krb5_parse_name
+ krb5_parse_name_flags
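Review bot: In the pac_sign.c part of the added patch, the old function (presumably krb5int_pac_sign, going by the packager's note about keeping the old symbol name) survives as a wrapper around krb5_pac_sign(), but the k5-int.h part deletes its prototype, so an externally visible function is now defined with no declaration shown for it and nothing in the code says why it still exists. The libkrb5.exports context visible here does not show whether the old name is still exported. If it is, a second, undocumented entry point for PAC signing remains in the library; if it is not, the wrapper is dead code. I would put a comment above the wrapper, for example `/* Compatibility alias for modules built against the private name; drop once they call krb5_pac_sign(). */`, and either keep a prototype for it next to that comment or confirm the export line. The wrapper's name and return-type lines lie outside the nested hunk, so this is inferred from the three parameter lines of context and the notes at the top of the patch.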
diff --git a/krb5.spec b/krb5.spec
index b08679b..ed2a2fd 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.1
-Release: 16%{?dist}
+Release: 17%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -63,6 +63,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch87: krb5-1.9.1-sendto_poll2.patch
Patch88: krb5-1.9-crossrealm.patch
Patch89: krb5-1.9.1-sendto_poll3.patch
+Patch90: krb5-trunk-ext_pac_sign.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -223,6 +224,7 @@ ln -s NOTICE LICENSE
%patch87 -p1 -b .sendto_poll2
%patch88 -p1 -b .crossrealm
%patch89 -p1 -b .sendto_poll3
+%patch90 -p1 -b .ext_pac_sign
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -701,6 +703,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Thu Oct 13 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-17
+- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and
+ make it public (#745533)
+
* Fri Oct 7 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-16
- kadmin.service: fix #723723 again
- kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command