[arch-commits] Commit in krb5/trunk (PKGBUILD krb5-1.9.1-canonicalize-fallback.patch)

Stéphane Gaudreault stephane at archlinux.org
Mon Sep 26 22:50:56 UTC 2011 

    Date: Monday, September 26, 2011 @ 18:50:55
  Author: stephane
Revision: 138529

Support old KDCs (FS#25515); Install aclocal file (FS#25384)

Added:
  krb5/trunk/krb5-1.9.1-canonicalize-fallback.patch
Modified:
  krb5/trunk/PKGBUILD

----------------------------------------+
 PKGBUILD                               |   13 +++++-
 krb5-1.9.1-canonicalize-fallback.patch |   58 +++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2011-09-26 22:48:37 UTC (rev 138528)
+++ PKGBUILD	2011-09-26 22:50:55 UTC (rev 138529)
@@ -3,7 +3,7 @@
 
 pkgname=krb5
 pkgver=1.9.1
-pkgrel=3
+pkgrel=4
 pkgdesc="The Kerberos network authentication system"
 arch=('i686' 'x86_64')
 url="http://web.mit.edu/kerberos/"
@@ -17,11 +17,13 @@
 source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-signed.tar
         krb5-kadmind
         krb5-kdc
-        krb5-1.9.1-config-script.patch)
+        krb5-1.9.1-config-script.patch
+        krb5-1.9.1-canonicalize-fallback.patch)
 sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066'
           '2aa229369079ed1bbb201a1ef72c47bf143f4dbe'
           '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
-          '7342410760cf44bfa01bb99bb4c49e12496cb46f')
+          '7342410760cf44bfa01bb99bb4c49e12496cb46f'
+          '238c268fa6cb42fc7324ab54db9abda5cd77f833')
 options=('!emptydirs')
 
 build() {
@@ -39,6 +41,9 @@
    #   http://anonsvn.mit.edu/viewvc/krb5/trunk/src/krb5-config.in?r1=23662&r2=25236
    patch -Np2 -i ${srcdir}/krb5-1.9.1-config-script.patch
 
+   # Fix FS#25515
+   patch -Np2 -i ${srcdir}/krb5-1.9.1-canonicalize-fallback.patch
+
    export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
    export CPPFLAGS+=" -I/usr/include/et"
    ./configure --prefix=/usr \
@@ -70,5 +75,7 @@
    install -m 755 ../../krb5-kdc "${pkgdir}"/etc/rc.d
    install -m 755 ../../krb5-kadmind  "${pkgdir}"/etc/rc.d
 
+   install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
    install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
 }

Added: krb5-1.9.1-canonicalize-fallback.patch
===================================================================
--- krb5-1.9.1-canonicalize-fallback.patch	                        (rev 0)
+++ krb5-1.9.1-canonicalize-fallback.patch	2011-09-26 22:50:55 UTC (rev 138529)
@@ -0,0 +1,58 @@
+diff -Naur krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c krb5-1.9.1/src/lib/krb5/krb/get_creds.c
+--- krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c	2011-02-09 16:55:36.000000000 -0500
++++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c	2011-09-26 18:42:01.465190278 -0400
+@@ -470,13 +470,10 @@
+ 
+ /***** STATE_REFERRALS *****/
+ 
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm.  Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+     krb5_error_code code;
+     char **hrealms;
+@@ -485,9 +482,10 @@
+     if (ctx->referral_count > 1)
+         return ctx->reply_code;
+ 
+-    /* Only fall back if the original request used the referral realm. */
++    /* If the request used a specified realm, make a non-referral request to
++     * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+     if (!krb5_is_referral_realm(&ctx->req_server->realm))
+-        return ctx->reply_code;
++        return begin_non_referral(context, ctx);
+ 
+     if (ctx->server->length < 2) {
+         /* We need a type/host format principal to find a fallback realm. */
+@@ -500,10 +498,10 @@
+     if (code != 0)
+         return code;
+ 
+-    /* Give up if the fallback realm isn't any different. */
++    /* If the fallback realm isn't any different, use the existing TGT. */
+     if (data_eq_string(ctx->server->realm, hrealms[0])) {
+         krb5_free_host_realm(context, hrealms);
+-        return ctx->reply_code;
++        return begin_non_referral(context, ctx);
+     }
+ 
+     /* Rewrite server->realm to be the fallback realm. */
+@@ -540,9 +538,9 @@
+     krb5_error_code code;
+     const krb5_data *referral_realm;
+ 
+-    /* Possibly retry with the fallback realm on error. */
++    /* Possibly try a non-referral fallback request on error. */
+     if (ctx->reply_code != 0)
+-        return try_fallback_realm(context, ctx);
++        return try_fallback(context, ctx);
+ 
+     if (krb5_principal_compare(context, ctx->reply_creds->server,
+                                ctx->server)) {

More information about the arch-commits mailing list