- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and

make it public (#745533)
2011-10-13 15:31:36 -04:00 · 2011-10-13 15:31:36 -04:00 · 73b7dd3ece
commit 73b7dd3ece
parent 28837545d5
2 changed files with 157 additions and 1 deletions
--- a/krb5-trunk-ext_pac_sign.patch
+++ b/krb5-trunk-ext_pac_sign.patch
@ -0,0 +1,150 @@
+* dropped hunk that modified src/lib/krb5_32.def
+* adjusted to apply to 1.9.1
+* try to keep the old symbol name around in case someone's basing which one
+  they use on a version check (a wild guess, but it's inexpensive to do it)
+
+commit 297cb47b92892daa52092c932bc5345b2fcb9285
+Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Wed Oct 12 16:34:07 2011 +0000
+
+    ticket: 6974
+    subject: Make krb5_pac_sign public
+    
+    krb5int_pac_sign was created as a private API because it is only
+    needed by the KDC.  But it is actually used by DAL or authdata plugin
+    modules, not the core KDC code.  Since plugin modules should not need
+    to consume internal libkrb5 functions, rename krb5int_pac_sign to
+    krb5_pac_sign and make it public.
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 1682a34..d2498a8 100644
+--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
+@@ -2786,15 +2786,6 @@ k5alloc(size_t len, krb5_error_code *code)
+ }
+ 
+ krb5_error_code KRB5_CALLCONV
+-krb5int_pac_sign(krb5_context context,
+-                 krb5_pac pac,
+-                 krb5_timestamp authtime,
+-                 krb5_const_principal principal,
+-                 const krb5_keyblock *server_key,
+-                 const krb5_keyblock *privsvr_key,
+-                 krb5_data *data);
+-
+-krb5_error_code KRB5_CALLCONV
+ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+                               krb5_ccache ccache,
+                               krb5_creds *in_creds,
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index 3d9dbbf..3327977 100644
+--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
+@@ -7495,6 +7495,27 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
+                 krb5_timestamp authtime, krb5_const_principal principal,
+                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
+ 
+/**
+ * Sign a PAC.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  pac             PAC handle
+ * @param [in]  authtime        Expected timestamp
+ * @param [in]  principal       Expected principal name (or NULL)
+ * @param [in]  server          Key for server checksum
+ * @param [in]  privsvr         Key for KDC checksum
+ * @param [out] data            Signed PAC encoding
+ *
+ * This function signs @a pac using the keys @a server and @a privsvr and
+ * returns the signed encoding in @a data.  @a pac is modified to include the
+ * server and KDC checksum buffers.  Use krb5_free_data_contents() to free @a
+ * data when it is no longer needed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+              krb5_const_principal principal, const krb5_keyblock *server_key,
+              const krb5_keyblock *privsvr_key, krb5_data *data);
+
+ /* Allows the appplication to override the profile's allow_weak_crypto setting.
+  * Primarily for use by aklog. */
+ krb5_error_code KRB5_CALLCONV
+diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
+index ae11a0c..26b1f13 100644
+--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
+@@ -190,6 +190,15 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
+                  const krb5_keyblock *server_key,
+                  const krb5_keyblock *privsvr_key,
+                  krb5_data *data)
+{
+    return krb5_pac_sign(context, pac, authtime, principal,
+                         server_key, privsvr_key, data);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+              krb5_const_principal principal, const krb5_keyblock *server_key,
+              const krb5_keyblock *privsvr_key, krb5_data *data)
+ {
+     krb5_error_code ret;
+     krb5_data server_cksum, privsvr_cksum;
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index 9e96b69..61fb51a 100644
+--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
+@@ -149,10 +149,10 @@ main(int argc, char **argv)
+     if (ret)
+         err(context, ret, "krb5_pac_verify");
+ 
+-    ret = krb5int_pac_sign(context, pac, authtime, p,
+-                           &member_keyblock, &kdc_keyblock, &data);
+    ret = krb5_pac_sign(context, pac, authtime, p,
+                        &member_keyblock, &kdc_keyblock, &data);
+     if (ret)
+-        err(context, ret, "krb5int_pac_sign");
+        err(context, ret, "krb5_pac_sign");
+ 
+     krb5_pac_free(context, pac);
+ 
+@@ -204,10 +204,10 @@ main(int argc, char **argv)
+         }
+         free(list);
+ 
+-        ret = krb5int_pac_sign(context, pac2, authtime, p,
+-                               &member_keyblock, &kdc_keyblock, &data);
+        ret = krb5_pac_sign(context, pac2, authtime, p,
+                            &member_keyblock, &kdc_keyblock, &data);
+         if (ret)
+-            err(context, ret, "krb5int_pac_sign 4");
+            err(context, ret, "krb5_pac_sign 4");
+ 
+         krb5_pac_free(context, pac2);
+ 
+@@ -283,10 +283,10 @@ main(int argc, char **argv)
+         krb5_free_data_contents(context, &data);
+     }
+ 
+-    ret = krb5int_pac_sign(context, pac, authtime, p,
+-                           &member_keyblock, &kdc_keyblock, &data);
+    ret = krb5_pac_sign(context, pac, authtime, p,
+                        &member_keyblock, &kdc_keyblock, &data);
+     if (ret)
+-        err(context, ret, "krb5int_pac_sign");
+        err(context, ret, "krb5_pac_sign");
+ 
+     krb5_pac_free(context, pac);
+ 
+diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
+index e31ebb9..c4a0015 100644
+--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
+@@ -465,6 +465,7 @@ krb5_pac_get_buffer
+ krb5_pac_get_types
+ krb5_pac_init
+ krb5_pac_parse
+krb5_pac_sign
+ krb5_pac_verify
+ krb5_parse_name
+ krb5_parse_name_flags
--- a/krb5.spec
+++ b/krb5.spec
@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -63,6 +63,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch87: krb5-1.9.1-sendto_poll2.patch
 Patch88: krb5-1.9-crossrealm.patch
 Patch89: krb5-1.9.1-sendto_poll3.patch
+Patch90: krb5-trunk-ext_pac_sign.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -223,6 +224,7 @@ ln -s NOTICE LICENSE
 %patch87 -p1 -b .sendto_poll2
 %patch88 -p1 -b .crossrealm
 %patch89 -p1 -b .sendto_poll3
+%patch90 -p1 -b .ext_pac_sign
 gzip doc/*.ps

 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -701,6 +703,10 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Thu Oct 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-17
+- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and
+  make it public (#745533)
+
 * Fri Oct  7 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-16
 - kadmin.service: fix #723723 again
 - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command