[krb5] - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Jan 31 00:51:39 UTC 2012
commit 9e5f5995cd6a29944fa6ddaf5de07353c476ba69
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Mon Jan 30 19:49:10 2012 -0500
- add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)
krb5-kvno-230379.patch | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 ++++++-
2 files changed, 60 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch
new file mode 100644
index 0000000..ea9b69f
--- /dev/null
+++ b/krb5-kvno-230379.patch
@@ -0,0 +1,53 @@
+From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
+at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
+as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
+have a new key with the right version stored later in the keytab file.
+Currently, we're setting up to overlook that possibility.
+
+Note that this only affects the path taken when krb5_rd_rep() is passed a
+server principal name, as without a server principal name it already tries
+all of the keys it finds in the keytab, regardless of version numbers.
+
+Index: krb5/src/kadmin/ktutil/ktutil.c
+===================================================================
+--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
++++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
+@@ -155,7 +155,7 @@
+ char *princ = NULL;
+ char *enctype = NULL;
+ krb5_kvno kvno = 0;
+- int use_pass = 0, use_key = 0, i;
++ int use_pass = 0, use_key = 0, use_kvno = 0, i;
+
+ for (i = 1; i < argc; i++) {
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
+@@ -164,6 +164,7 @@
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+ kvno = (krb5_kvno) atoi(argv[++i]);
++ use_kvno++;
+ continue;
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+@@ -180,7 +181,7 @@
+ }
+ }
+
+- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
++ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
+ fprintf(stderr, _("usage: %s (-key | -password) -p principal "
+ "-k kvno -e enctype\n"), argv[0]);
+ return;
+Index: krb5/src/lib/krb5/keytab/kt_file.c
+===================================================================
+--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
++++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
+@@ -349,7 +349,7 @@
+ higher than that. Short-term workaround: only compare
+ the low 8 bits. */
+
+- if (new_entry.vno == (kvno & 0xff)) {
++ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
+ krb5_kt_free_entry(context, &cur_entry);
+ cur_entry = new_entry;
+ break;
diff --git a/krb5.spec b/krb5.spec
index f73cb7a..22f154d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10
-Release: 1%{?dist}
+Release: 2%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -62,6 +62,7 @@ Patch101: krb5-trunk-7047.patch
Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
Patch104: krb5-1.10-crashfix.patch
+Patch105: krb5-kvno-230379.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -232,6 +233,7 @@ ln -s NOTICE LICENSE
%patch102 -p1 -b .7048
%patch103 -p0 -b .gcc47
%patch104 -p1 -b .crashfix
+%patch105 -p1 -b .kvno
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -743,6 +745,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Mon Jan 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10-2
+- add patch to accept keytab entries with vno==0 as matches when we're
+ searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)
+
* Mon Jan 30 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10-1
- update to 1.10 final
More information about the scm-commits
mailing list