packages: krb5: update to 1.11

The version currently in openwrt (1.8) has known security issues (see
the release announcements for the subsequent releases) and is quite
outdated (March 2010 as compared to Dec 2012).

The following patch bumps the version and also cleans up the build
script (mostly removing dead configure options, removing obsolete
patches, etc).

The testing binary "sclient" is dropped and kadmind is reintroduced in
krb5-server (I know it was removed to "save space", but kadmind is
around 60kB out of a total of around 700kB for a krb5-server
installation and an installation without kadmind is pretty gimped).

I hope this can be applied both to trunk and the attitude_adjustment
branch.

Signed-off-by: David Härdeman <david@hardeman.nu>

git-svn-id: svn://svn.openwrt.org/openwrt/packages@35700 3c298f89-4303-0410-b956-a3cf2f4a3e73

--- a/net/krb5/Makefile
+++ b/net/krb5/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=krb5
-PKG_VERSION:=1.8
-PKG_RELEASE:=2
+PKG_VERSION:=1.11
+PKG_RELEASE:=1
 
 PKG_SOURCE:=krb5-$(PKG_VERSION)-signed.tar
 PKG_SOURCE_URL:=http://web.mit.edu/kerberos/dist/krb5/$(PKG_VERSION)/
-PKG_MD5SUM:=74257d68373a8df8b9391fc093d594be
+PKG_MD5SUM:=1a13c53899806c4da99a798a04d25545
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 
@@ -47,7 +47,7 @@
 	TITLE:=Kerberos 5 Client
 endef
 
-define Package/krb5/decription
+define Package/krb5/description
 	Kerberos
 endef
 
@@ -56,8 +56,7 @@
 	# containing source code.
 	tar xf "$(DL_DIR)/$(PKG_SOURCE)" -C "$(BUILD_DIR)"
 	tar xzf "$(BUILD_DIR)/krb5-$(PKG_VERSION).tar.gz" -C "$(BUILD_DIR)"
-	patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-krb5kdc-dir-to-etc.patch"
-	patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/002-MITKRB5-SA-2011-002.patch"
+	patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-fix-build-warning.patch"
 endef
 
 CONFIGURE_PATH = ./src
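Review bot: The `tar xzf` of krb5-$(PKG_VERSION).tar.gz in this hunk still unpacks the inner tarball without checking the signature that the `-signed.tar` wrapper presumably ships next to it, so the only integrity check on the source remains PKG_MD5SUM over an archive fetched from a plain-HTTP PKG_SOURCE_URL. Since Prepare is being reworked here anyway, either verify that signature in the recipe or record the decision, e.g. `# NOTE: the signature inside the signed wrapper is not verified; PKG_MD5SUM is the only source integrity check`. The Build/Prepare define begins outside the hunk.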
@@ -71,10 +70,9 @@
 	ac_cv_file__etc_TIMEZONE=no
 
 CONFIGURE_ARGS += \
-	--enable-thread-support \
-	--without-krb4 \
 	--without-tcl \
-	--disable-ipv6
+	--without-libedit \
+	--localstatedir=/etc
 
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
@@ -113,11 +111,11 @@
 define Package/krb5-server/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/krb5kdc $(1)/etc/init.d/krb5kdc
-	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
+#	$(INSTALL_DIR) $(1)/usr/bin
+#	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmin.local $(1)/usr/sbin
-#	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kdb5_util $(1)/usr/sbin
 #	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kprop $(1)/usr/sbin
 #	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kpropd $(1)/usr/sbin
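Review bot: The two sclient lines are commented out rather than removed, which leaves dead recipe lines in Package/krb5-server/install while the commit message says sclient is dropped; delete them outright, the same way the kadmind line is being un-commented rather than duplicated. If the goal is to keep a record of what is intentionally not shipped, one comment such as `# sclient (test client) and kprop/kpropd are intentionally not packaged` says it more clearly than four `#`-prefixed install lines. The install define continues past the end of the hunk.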

--- a/net/krb5/files/krb5kdc
+++ b/net/krb5/files/krb5kdc
@@ -10,9 +10,11 @@
 	[ -f /etc/krb5kdc/principal ] || ( echo; echo ) | kdb5_util create -s
 	
 	/usr/sbin/krb5kdc
+	/usr/sbin/kadmind
 }
 
 stop() {
 	killall krb5kdc 2> /dev/null
+	killall kadmind 2> /dev/null
 }
 
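Review bot: `/usr/sbin/kadmind` is started unconditionally right after krb5kdc, but unlike the database creation above it there is no precondition: on a fresh install where only the bootstrap `kdb5_util create -s` has run, the network-facing admin daemon comes up before any admin ACL or admin principal has been configured. Gate it the same way the database is gated, e.g. `[ -f /etc/krb5kdc/kadm5.acl ] && /usr/sbin/kadmind` (that ACL path follows from `--localstatedir=/etc` in the Makefile; confirm it against the installed kdc.conf), so an unconfigured box does not expose the admin service. With kadmind now reachable, the empty master password fed to kdb5_util on the first line of the hunk also deserves a second look, though that line predates this change. Both start() and stop() begin outside the hunk.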

--- /dev/null
+++ b/net/krb5/patches/001-fix-build-warning.patch
@@ -1,1 +1,13 @@
+diff -ur krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c krb5-1.11/src/lib/krb5/krb/preauth2.c
+--- krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c	2012-12-18 03:47:05.000000000 +0100
++++ krb5-1.11/src/lib/krb5/krb/preauth2.c	2013-02-18 03:53:20.580840173 +0100
+@@ -956,7 +956,7 @@
+     size_t i, h;
+     int out_pa_list_size = 0;
+     krb5_pa_data **out_pa_list = NULL;
+-    krb5_error_code ret, module_ret;
++    krb5_error_code ret, module_ret = 0;
+     krb5_responder_fn responder = opte->opt_private->responder;
+     static const int paorder[] = { PA_INFO, PA_REAL };
+ 
 

--- a/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
+++ b/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
@@ -1,52 +1,1 @@
-diff -u --recursive krb5-1.8-vanilla/src/include/osconf.hin krb5-1.8/src/include/osconf.hin
---- krb5-1.8-vanilla/src/include/osconf.hin	2010-04-01 16:28:29.408661301 -0500
-+++ krb5-1.8/src/include/osconf.hin	2010-04-01 16:30:52.235467788 -0500
-@@ -61,14 +61,14 @@
- #define DEFAULT_LNAME_FILENAME  "@PREFIX/lib/krb5.aname"
- #endif /* _WINDOWS  */
- 
--#define DEFAULT_KDB_FILE        "@LOCALSTATEDIR/krb5kdc/principal"
--#define DEFAULT_KEYFILE_STUB    "@LOCALSTATEDIR/krb5kdc/.k5."
--#define KRB5_DEFAULT_ADMIN_ACL  "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
-+#define DEFAULT_KDB_FILE        "/etc/krb5kdc/principal"
-+#define DEFAULT_KEYFILE_STUB    "/etc/krb5kdc/.k5."
-+#define KRB5_DEFAULT_ADMIN_ACL  "/etc/krb5kdc/krb5_adm.acl"
- /* Used by old admin server */
--#define DEFAULT_ADMIN_ACL       "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
-+#define DEFAULT_ADMIN_ACL       "/etc/krb5kdc/kadm_old.acl"
- 
- /* Location of KDC profile */
--#define DEFAULT_KDC_PROFILE     "@LOCALSTATEDIR/krb5kdc/kdc.conf"
-+#define DEFAULT_KDC_PROFILE     "/etc/krb5kdc/kdc.conf"
- #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
- 
- #if TARGET_OS_MAC
-@@ -97,8 +97,8 @@
- /*
-  * Defaults for the KADM5 admin system.
-  */
--#define DEFAULT_KADM5_KEYTAB    "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
--#define DEFAULT_KADM5_ACL_FILE  "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
-+#define DEFAULT_KADM5_KEYTAB    "/etc/krb5kdc/kadm5.keytab"
-+#define DEFAULT_KADM5_ACL_FILE  "/etc/krb5kdc/kadm5.acl"
- #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
- 
- #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
-@@ -123,13 +123,13 @@
-  * krb5 slave support follows
-  */
- 
--#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
--#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
-+#define KPROP_DEFAULT_FILE "/etc/krb5kdc/slave_datatrans"
-+#define KPROPD_DEFAULT_FILE "/etc/krb5kdc/from_master"
- #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
- #define KPROPD_DEFAULT_KDB5_EDIT "@SBINDIR/kdb5_edit"
- #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
- #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
--#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
-+#define KPROPD_ACL_FILE "/etc/krb5kdc/kpropd.acl"
- 
- /*
-  * GSS mechglue
 

--- a/net/krb5/patches/002-MITKRB5-SA-2011-002.patch
+++ b/net/krb5/patches/002-MITKRB5-SA-2011-002.patch
@@ -1,113 +1,1 @@
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 1ca09b4..60caf3d 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
- 
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
--    do {                                                                \
--        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
--        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
--            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
--            if (ldap_server_handle)                                     \
--                ld = ldap_server_handle->ldap_handle;                   \
--        }                                                               \
--    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+    tempst = 0;                                                         \
-+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
-+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
-+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
-+        if (ldap_server_handle)                                         \
-+            ld = ldap_server_handle->ldap_handle;                       \
-+        if (tempst == 0)                                                \
-+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
-+                                   NULL, NULL, &timelimit,              \
-+                                   LDAP_NO_LIMIT, &result);             \
-+    }                                                                   \
-                                                                         \
-     if (status_check != IGNORE_STATUS) {                                \
-         if (tempst != 0) {                                              \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
-     krb5_ldap_server_handle     *handle = *ldap_server_handle;
- 
-+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
-     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
-         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
-         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index f549e23..b70940f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
-      * portion, then the first portion of the principal name SHOULD be
-      * "krbtgt".  All this check is done in the immediate block.
-      */
--    if (searchfor->length == 2)
--        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
--                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
--            (strncasecmp(searchfor->data[1].data, defrealm,
--                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+    if (searchfor->length == 2) {
-+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+            data_eq_string(searchfor->data[1], defrealm))
-             return 0;
-+    }
- 
-     /* first check the length, if they are not equal, then they are not same */
-     if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 7ad31da..626ed1f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-                         unsigned int flags, krb5_db_entry *entries,
-                         int *nentries, krb5_boolean *more)
- {
--    char                        *user=NULL, *filter=NULL, **subtree=NULL;
-+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
-     unsigned int                tree=0, ntrees=1, princlen=0;
-     krb5_error_code             tempst=0, st=0;
--    char                        **values=NULL, *cname=NULL;
-+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
-     LDAP                        *ld=NULL;
-     LDAPMessage                 *result=NULL, *ent=NULL;
-     krb5_ldap_context           *ldap_context=NULL;
-@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
-         goto cleanup;
- 
--    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
-+    filtuser = ldap_filter_correct(user);
-+    if (filtuser == NULL) {
-+        st = ENOMEM;
-+        goto cleanup;
-+    }
-+
-+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
-     if ((filter = malloc(princlen)) == NULL) {
-         st = ENOMEM;
-         goto cleanup;
-     }
--    snprintf(filter, princlen, FILTER"%s))", user);
-+    snprintf(filter, princlen, FILTER"%s))", filtuser);
- 
-     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
-         goto cleanup;
-@@ -231,6 +237,9 @@ cleanup:
-     if (user)
-         free(user);
- 
-+    if (filtuser)
-+        free(filtuser);
-+
-     if (cname)
-         free(cname);
- 
 
