From 8be74302ae55c91deefdb6f1cf3697ffeaae39a3 Mon Sep 17 00:00:00 2001
From: Jonas Gorski
Date: Wed, 20 Feb 2013 13:54:57 +0000
Subject: [PATCH] packages: krb5: update to 1.11
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
The version currently in openwrt (1.8) has known security issues (see the release announcements for the subsequent releases) and is quite outdated (March 2010 as compared to Dec 2012). The following patch bumps the version and also cleans up the build script (mostly removing dead configure options, removing obsolete patches, etc). The testing binary "sclient" is dropped and kadmind is reintroduced in krb5-server (I know it was removed to "save space", but kadmind is around 60kB out of a total of around 700kB for a krb5-server installation and an installation without kadmind is pretty gimped). I hope this can be applied both to trunk and the attitude_adjustment branch.
Signed-off-by: David Härdeman
SVN-Revision: 35700
---
net/krb5/Makefile | 22 ++--
net/krb5/files/krb5kdc | 2 +
net/krb5/patches/001-fix-build-warning.patch | 12 ++
net/krb5/patches/001-krb5kdc-dir-to-etc.patch | 51 --------
.../patches/002-MITKRB5-SA-2011-002.patch | 112 ------------------
5 files changed, 24 insertions(+), 175 deletions(-)
create mode 100644 net/krb5/patches/001-fix-build-warning.patch
diff --git a/net/krb5/Makefile b/net/krb5/Makefile
index 58b5a072e0..8fcb5a48af 100644
--- a/net/krb5/Makefile
+++ b/net/krb5/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=krb5
-PKG_VERSION:=1.8
-PKG_RELEASE:=2
+PKG_VERSION:=1.11
+PKG_RELEASE:=1
 PKG_SOURCE:=krb5-$(PKG_VERSION)-signed.tar
 PKG_SOURCE_URL:=http://web.mit.edu/kerberos/dist/krb5/$(PKG_VERSION)/
-PKG_MD5SUM:=74257d68373a8df8b9391fc093d594be
+PKG_MD5SUM:=1a13c53899806c4da99a798a04d25545
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@@ -47,7 +47,7 @@ define Package/krb5-client
 TITLE:=Kerberos 5 Client
 endef
-define Package/krb5/decription
+define Package/krb5/description
 Kerberos
 endef
@@ -56,8 +56,7 @@ define Build/Prepare
 # containing source code.
 tar xf "$(DL_DIR)/$(PKG_SOURCE)" -C "$(BUILD_DIR)"
 tar xzf "$(BUILD_DIR)/krb5-$(PKG_VERSION).tar.gz" -C "$(BUILD_DIR)"
- patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-krb5kdc-dir-to-etc.patch"
- patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/002-MITKRB5-SA-2011-002.patch"
+ patch -p1 -d "$(PKG_BUILD_DIR)" < "$(PATCH_DIR)/001-fix-build-warning.patch"
 endef
 CONFIGURE_PATH = ./src
@@ -71,10 +70,9 @@ CONFIGURE_VARS += \
 ac_cv_file__etc_TIMEZONE=no
 CONFIGURE_ARGS += \
- --enable-thread-support \
- --without-krb4 \
 --without-tcl \
- --disable-ipv6
+ --without-libedit \
+ --localstatedir=/etc
 define Build/InstallDev
 $(INSTALL_DIR) $(1)/usr/include
@@ -113,11 +111,11 @@ endef
 define Package/krb5-server/install
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/krb5kdc $(1)/etc/init.d/krb5kdc
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
+# $(INSTALL_DIR) $(1)/usr/bin
+# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sclient $(1)/usr/bin
 $(INSTALL_DIR) $(1)/usr/sbin
 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmin.local $(1)/usr/sbin
-# $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kadmind $(1)/usr/sbin
 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kdb5_util $(1)/usr/sbin
 # $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kprop $(1)/usr/sbin
 # $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/kpropd $(1)/usr/sbin
diff --git a/net/krb5/files/krb5kdc b/net/krb5/files/krb5kdc
index 5962683168..dec7188e9b 100644
--- a/net/krb5/files/krb5kdc
+++ b/net/krb5/files/krb5kdc
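Review bot: The rewritten Build/Prepare still unpacks krb5-$(PKG_VERSION).tar.gz out of the `-signed.tar` bundle without checking the signature that bundle is presumably named for, so the only integrity check on the new upstream source is the PKG_MD5SUM line in the first hunk, and MD5 is no longer a collision-resistant digest. If the bundle carries a detached signature next to the tarball, verifying it against the upstream release key before the `tar xzf` (or at least recording a stronger digest, if the build framework offers one) would make the update trustworthy rather than merely current. The patch is also applied by hand from `$(PATCH_DIR)` because the real sources sit inside a nested tarball; a one-line comment above the `patch -p1` line such as `# sources are double-packed, so the framework's own patch step never sees them` would spare the next maintainer the same discovery.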
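Review bot: `--localstatedir=/etc` now does the job the deleted 001-krb5kdc-dir-to-etc.patch used to do — every path krb5 derives from @LOCALSTATEDIR (the principal database, the .k5. stash, kadm5.acl and kadm5.keytab, the kprop files, per that deleted patch) lands under /etc/krb5kdc — but nothing in the Makefile records that. A comment above the CONFIGURE_ARGS block, e.g. `# --localstatedir=/etc keeps the KDC database, stash and ACLs under /etc/krb5kdc (replaces 001-krb5kdc-dir-to-etc.patch)`, would keep the option from being mistaken for dead weight in a later cleanup; the init script's `[ -f /etc/krb5kdc/principal ]` check silently depends on it.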
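Review bot: The sclient install lines are kept as commented-out recipe (`+# $(INSTALL_DIR) $(1)/usr/bin` and the line after it) rather than removed, although the commit message says sclient is dropped; such lines accumulate, as the kprop/kpropd lines below already show. Delete both — the history is in the repository. kadmind is now shipped and, per the krb5kdc hunk, started by default, so a short comment on its install line noting that it serves the remote admin interface and relies on /etc/krb5kdc/kadm5.acl for authorization would help whoever packages this next.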
@@ -10,8 +10,10 @@ start() {
 [ -f /etc/krb5kdc/principal ] || ( echo; echo ) | kdb5_util create -s
 /usr/sbin/krb5kdc
+ /usr/sbin/kadmind
 }
 stop() {
 killall krb5kdc 2> /dev/null
+ killall kadmind 2> /dev/null
 }
diff --git a/net/krb5/patches/001-fix-build-warning.patch b/net/krb5/patches/001-fix-build-warning.patch
new file mode 100644
index 0000000000..d1993987a9
--- /dev/null
+++ b/net/krb5/patches/001-fix-build-warning.patch
@@ -0,0 +1,12 @@
+diff -ur krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c krb5-1.11/src/lib/krb5/krb/preauth2.c
+--- krb5-1.11-vanilla/src/lib/krb5/krb/preauth2.c 2012-12-18 03:47:05.000000000 +0100
++++ krb5-1.11/src/lib/krb5/krb/preauth2.c 2013-02-18 03:53:20.580840173 +0100
+@@ -956,7 +956,7 @@
+ size_t i, h;
+ int out_pa_list_size = 0;
+ krb5_pa_data **out_pa_list = NULL;
+- krb5_error_code ret, module_ret;
++ krb5_error_code ret, module_ret = 0;
+ krb5_responder_fn responder = opte->opt_private->responder;
+ static const int paorder[] = { PA_INFO, PA_REAL };
+
diff --git a/net/krb5/patches/001-krb5kdc-dir-to-etc.patch b/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
index a017125030..e69de29bb2 100644
--- a/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
+++ b/net/krb5/patches/001-krb5kdc-dir-to-etc.patch
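Review bot: `/usr/sbin/kadmind` is started unconditionally on every boot of the KDC, with no way to opt out, inside a start() that on first run still seeds the database by piping two empty lines into `kdb5_util create -s` — so a fresh, unconfigured install presumably ends up with an empty master password stashed under /etc/krb5kdc and the admin service listening at the same time. Gate the daemon on its authorization file, `[ -f /etc/krb5kdc/kadm5.acl ] && /usr/sbin/kadmind`, so a box nobody has configured yet runs only the KDC; the existing `[ -f /etc/krb5kdc/principal ] ||` guard already uses that pattern for the database. The `killall kadmind 2> /dev/null` in stop() mirrors the existing `killall krb5kdc`, which is consistent, though both stop by process name rather than by pid.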
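Review bot: The new 001-fix-build-warning.patch carries no header saying what it fixes; it initialises `module_ret = 0` in preauth2.c, which reads like a maybe-uninitialized warning being silenced, but whether module_ret can actually be read before assignment depends on code outside the quoted twelve lines. A two-line preamble above the `diff -ur` line giving the warning text, the compiler that emits it, and a note that the initialiser is defensive would let a future version bump drop the patch confidently once upstream no longer needs it.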
@@ -1,51 +0,0 @@ -diff -u --recursive krb5-1.8-vanilla/src/include/osconf.hin krb5-1.8/src/include/osconf.hin ---- krb5-1.8-vanilla/src/include/osconf.hin 2010-04-01 16:28:29.408661301 -0500 -+++ krb5-1.8/src/include/osconf.hin 2010-04-01 16:30:52.235467788 -0500 -@@ -61,14 +61,14 @@ - #define DEFAULT_LNAME_FILENAME "@PREFIX/lib/krb5.aname" - #endif /* _WINDOWS */ - --#define DEFAULT_KDB_FILE "@LOCALSTATEDIR/krb5kdc/principal" --#define DEFAULT_KEYFILE_STUB "@LOCALSTATEDIR/krb5kdc/.k5." --#define KRB5_DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl" -+#define DEFAULT_KDB_FILE "/etc/krb5kdc/principal" -+#define DEFAULT_KEYFILE_STUB "/etc/krb5kdc/.k5." -+#define KRB5_DEFAULT_ADMIN_ACL "/etc/krb5kdc/krb5_adm.acl" - /* Used by old admin server */ --#define DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/kadm_old.acl" -+#define DEFAULT_ADMIN_ACL "/etc/krb5kdc/kadm_old.acl" - - /* Location of KDC profile */ --#define DEFAULT_KDC_PROFILE "@LOCALSTATEDIR/krb5kdc/kdc.conf" -+#define DEFAULT_KDC_PROFILE "/etc/krb5kdc/kdc.conf" - #define KDC_PROFILE_ENV "KRB5_KDC_PROFILE" - - #if TARGET_OS_MAC -@@ -97,8 +97,8 @@ - /* - * Defaults for the KADM5 admin system. 
- */ --#define DEFAULT_KADM5_KEYTAB "@LOCALSTATEDIR/krb5kdc/kadm5.keytab" --#define DEFAULT_KADM5_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kadm5.acl" -+#define DEFAULT_KADM5_KEYTAB "/etc/krb5kdc/kadm5.keytab" -+#define DEFAULT_KADM5_ACL_FILE "/etc/krb5kdc/kadm5.acl" - #define DEFAULT_KADM5_PORT 749 /* assigned by IANA */ - - #define KRB5_DEFAULT_SUPPORTED_ENCTYPES \ -@@ -123,13 +123,13 @@ - * krb5 slave support follows - */ - --#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans" --#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master" -+#define KPROP_DEFAULT_FILE "/etc/krb5kdc/slave_datatrans" -+#define KPROPD_DEFAULT_FILE "/etc/krb5kdc/from_master" - #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util" - #define KPROPD_DEFAULT_KDB5_EDIT "@SBINDIR/kdb5_edit" - #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop" - #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE --#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl" -+#define KPROPD_ACL_FILE "/etc/krb5kdc/kpropd.acl" - - /* - * GSS mechglue diff --git a/net/krb5/patches/002-MITKRB5-SA-2011-002.patch b/net/krb5/patches/002-MITKRB5-SA-2011-002.patch index 5e0da20c88..e69de29bb2 100644 --- a/net/krb5/patches/002-MITKRB5-SA-2011-002.patch +++ b/net/krb5/patches/002-MITKRB5-SA-2011-002.patch 
@@ -1,112 +0,0 @@ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index 1ca09b4..60caf3d 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er - #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) - - #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ -- do { \ -- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -- if (ldap_server_handle) \ -- ld = ldap_server_handle->ldap_handle; \ -- } \ -- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ -+ tempst = 0; \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ -+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -+ if (ldap_server_handle) \ -+ ld = ldap_server_handle->ldap_handle; \ -+ if (tempst == 0) \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ -+ NULL, NULL, &timelimit, \ -+ LDAP_NO_LIMIT, &result); \ -+ } \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -index 82b0333..84e80ee 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, - { - krb5_ldap_server_handle *handle = *ldap_server_handle; - -+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); - if 
((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index f549e23..b70940f 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context, - * portion, then the first portion of the principal name SHOULD be - * "krbtgt". All this check is done in the immediate block. - */ -- if (searchfor->length == 2) -- if ((strncasecmp(searchfor->data[0].data, "krbtgt", -- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && -- (strncasecmp(searchfor->data[1].data, defrealm, -- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) -+ if (searchfor->length == 2) { -+ if (data_eq_string(searchfor->data[0], "krbtgt") && -+ data_eq_string(searchfor->data[1], defrealm)) - return 0; -+ } - - /* first check the length, if they are not equal, then they are not same */ - if (strlen(defrealm) != searchfor->realm.length) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 7ad31da..626ed1f 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry *entries, - int *nentries, krb5_boolean *more) - { -- char *user=NULL, *filter=NULL, **subtree=NULL; -+ char *user=NULL, *filter=NULL, *filtuser=NULL; - unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; -- char **values=NULL, *cname=NULL; -+ char **values=NULL, **subtree=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage 
*result=NULL, *ent=NULL; - krb5_ldap_context *ldap_context=NULL; -@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - -- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ -+ filtuser = ldap_filter_correct(user); -+ if (filtuser == NULL) { -+ st = ENOMEM; -+ goto cleanup; -+ } -+ -+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } -- snprintf(filter, princlen, FILTER"%s))", user); -+ snprintf(filter, princlen, FILTER"%s))", filtuser); - - if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; -@@ -231,6 +237,9 @@ cleanup: - if (user) - free(user); - -+ if (filtuser) -+ free(filtuser); -+ - if (cname) - free(cname); - -- 2.30.2