[krb5/f15] - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a

Nalin Dahyabhai nalin at fedoraproject.org
Tue Jan 31 00:30:12 UTC 2012


commit fc7bc822609f3442f023f0382bbd1cace4b8aa16
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Mon Jan 30 19:29:25 2012 -0500

    - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)

 krb5-kvno-230379.patch |   53 ++++++++++++++++++++++++++++++++++++++++++++++++
 krb5.spec              |    8 ++++++-
 2 files changed, 60 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch
new file mode 100644
index 0000000..7d1ae9e
--- /dev/null
+++ b/krb5-kvno-230379.patch
@@ -0,0 +1,53 @@
+From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
+at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
+as needed to apply to 1.9.  FIXME: I'd like to better handle cases where we
+have a new key with the right version stored later in the keytab file.
+Currently, we're setting up to overlook that possibility.
+
+Note that this only affects the path taken when krb5_rd_rep() is passed a
+server principal name, as without a server principal name it already tries
+all of the keys it finds in the keytab, regardless of version numbers.
+
+Index: krb5/src/kadmin/ktutil/ktutil.c
+===================================================================
+--- krb5/src/kadmin/ktutil/ktutil.c	(revision 3367)
++++ krb5/src/kadmin/ktutil/ktutil.c	(working copy)
+@@ -155,7 +155,7 @@
+     char *princ = NULL;
+     char *enctype = NULL;
+     krb5_kvno kvno = 0;
+-    int use_pass = 0, use_key = 0, i;
++    int use_pass = 0, use_key = 0, use_kvno = 0, i;
+ 
+     for (i = 1; i < argc; i++) {
+         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
+@@ -164,6 +164,7 @@
+         }
+         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+             kvno = (krb5_kvno) atoi(argv[++i]);
++            use_kvno++;
+             continue;
+         }
+         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+@@ -180,7 +181,7 @@
+         }
+     }
+ 
+-    if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
++    if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
+         fprintf(stderr, "usage: %s (-key | -password) -p principal "
+                 "-k kvno -e enctype\n", argv[0]);
+         return;
+Index: krb5/src/lib/krb5/keytab/kt_file.c
+===================================================================
+--- krb5/src/lib/krb5/keytab/kt_file.c	(revision 3367)
++++ krb5/src/lib/krb5/keytab/kt_file.c	(working copy)
+@@ -349,7 +349,7 @@
+                higher than that.  Short-term workaround: only compare
+                the low 8 bits.  */
+ 
+-            if (new_entry.vno == (kvno & 0xff)) {
++            if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
+                 krb5_kt_free_entry(context, &cur_entry);
+                 cur_entry = new_entry;
+                 break;
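Review bot: In the embedded ktutil.c hunk, replacing the `kvno` test with `use_kvno` means a `-k` argument that `atoi()` cannot parse now yields kvno 0 and passes the usage check, where before it was rejected. Together with the kt_file.c change, such an entry is then accepted as a match for any requested kvno (assuming `IGNORE_VNO` is 0; its definition is not in the hunk), so a mistyped version number silently creates a wildcard keytab entry. Parse the value with `strtol()` and reject bad input, e.g. `v = strtol(argv[++i], &end, 10);` followed by `if (end == argv[i] || *end != '\0' || v < 0)` falling through to the usage message. The existing `argv[++i]` also runs before the `argc != 8` test, so a trailing `-k` hands `argv[argc]` (NULL) to the parser; checking `i + 1 < argc` first would cover that. Both function bodies continue outside the embedded hunks.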
diff --git a/krb5.spec b/krb5.spec
index 16bcb4a..5f29eb4 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -64,6 +64,7 @@ Patch91: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
 Patch100: krb5-1.9-7046.patch
 Patch101: krb5-trunk-7047.patch
 Patch102: krb5-1.9-7048.patch
+Patch103: krb5-kvno-230379.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -221,6 +222,7 @@ ln -s NOTICE LICENSE
 %patch100 -p1 -b .7046
 %patch101 -p1 -b .7047
 %patch102 -p1 -b .7048
+%patch103 -p1 -b .kvno
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -682,6 +684,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Jan 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-6
+- add patch to accept keytab entries with vno==0 as matches when we're
+  searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)
+
 * Mon Jan 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-5
 - backport patch for RT#7046: tag a ccache containing credentials obtained via
   S4U2Proxy with the principal name of the proxying principal (part of #761317)

