From 9e5f5995cd6a29944fa6ddaf5de07353c476ba69 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 30 Jan 2012 19:49:10 -0500
Subject: [PATCH] - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)
---
 krb5-kvno-230379.patch | 53 ++++++++++++++++++++++++++++++++++++++++++
 krb5.spec | 8 ++++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 krb5-kvno-230379.patch
diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch
new file mode 100644
index 0000000..ea9b69f
--- /dev/null
+++ b/krb5-kvno-230379.patch
@@ -0,0 +1,53 @@
+From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
+at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
+as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
+have a new key with the right version stored later in the keytab file.
+Currently, we're setting up to overlook that possibility.
+
+Note that this only affects the path taken when krb5_rd_rep() is passed a
+server principal name, as without a server principal name it already tries
+all of the keys it finds in the keytab, regardless of version numbers.
+
+Index: krb5/src/kadmin/ktutil/ktutil.c
+===================================================================
+--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
++++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
+@@ -155,7 +155,7 @@
+ char *princ = NULL;
+ char *enctype = NULL;
+ krb5_kvno kvno = 0;
+- int use_pass = 0, use_key = 0, i;
++ int use_pass = 0, use_key = 0, use_kvno = 0, i;
+
+ for (i = 1; i < argc; i++) {
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
+@@ -164,6 +164,7 @@
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+ kvno = (krb5_kvno) atoi(argv[++i]);
++ use_kvno++;
+ continue;
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+@@ -180,7 +181,7 @@
+ }
+ }
+
+- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
++ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
+ fprintf(stderr, _("usage: %s (-key | -password) -p principal "
+ "-k kvno -e enctype\n"), argv[0]);
+ return;
+Index: krb5/src/lib/krb5/keytab/kt_file.c
+===================================================================
+--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
++++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
+@@ -349,7 +349,7 @@
+ higher than that. Short-term workaround: only compare
+ the low 8 bits.
*/ + +- if (new_entry.vno == (kvno & 0xff)) { ++ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + break; diff --git a/krb5.spec b/krb5.spec index f73cb7a..22f154d 100644 --- a/krb5.spec +++ b/krb5.spec @@ -15,7 +15,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10 -Release: 1%{?dist} +Release: 2%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar Source0: krb5-%{version}.tar.gz @@ -62,6 +62,7 @@ Patch101: krb5-trunk-7047.patch Patch102: krb5-trunk-7048.patch Patch103: krb5-1.10-gcc47.patch Patch104: krb5-1.10-crashfix.patch +Patch105: krb5-kvno-230379.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -232,6 +233,7 @@ ln -s NOTICE LICENSE %patch102 -p1 -b .7048 %patch103 -p0 -b .gcc47 %patch104 -p1 -b .crashfix +%patch105 -p1 -b .kvno rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -743,6 +745,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Jan 30 2012 Nalin Dahyabhai 1.10-2 +- add patch to accept keytab entries with vno==0 as matches when we're + searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) + * Mon Jan 30 2012 Nalin Dahyabhai 1.10-1 - update to 1.10 final
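Review bot: In the ktutil.c part of the embedded krb5-kvno-230379.patch, `use_kvno++` follows `kvno = (krb5_kvno) atoi(argv[++i]);` unconditionally, and atoi() returns 0 for non-numeric input, so a mistyped `-k` value that the old `kvno` test sent to the usage message is now stored as a kvno-0 entry. That matters more alongside the kt_file.c change in the same patch, where an entry with `vno == IGNORE_VNO` satisfies a lookup for any requested kvno and ends the search at the `break` (this assumes IGNORE_VNO is 0, as the commit subject implies). I would parse the value with strtol() and count `-k` only when the whole string is a non-negative decimal number, as sketched below. The enclosing function starts and ends outside the hunk, and the existing `argv[++i]` is read before the `argc != 8` check runs, so a trailing `-k` with no value is worth guarding in the same place.

```c
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
    char *end = NULL;
    long val;

    if (++i >= argc)
        break;      /* "-k" without a value: leave use_kvno at 0 so the usage check fires */
    errno = 0;
    val = strtol(argv[i], &end, 10);
    /* Count -k only for a complete, non-negative decimal number, so a
       typo reaches the usage message instead of becoming kvno 0. */
    if (errno == 0 && end != argv[i] && *end == '\0' && val >= 0) {
        kvno = (krb5_kvno) val;
        use_kvno++;
    }
    continue;
}
/* … unchanged: -e handling and the usage check … */
```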