summaryrefslogtreecommitdiff
path: root/core/krb5
diff options
context:
space:
mode:
authorroot <root@rshg054.dnsready.net>2011-10-04 23:14:30 +0000
committerroot <root@rshg054.dnsready.net>2011-10-04 23:14:30 +0000
commit3567a49f79d2dbf828b723ab54982fa6c7ea1c80 (patch)
tree15fc309d3681df4da7a56189050fd5aa16fa9794 /core/krb5
parent57d05f7209f022aa99a8850aafbeec4cb85c3b5b (diff)
Tue Oct 4 23:14:30 UTC 2011
Diffstat (limited to 'core/krb5')
-rw-r--r--core/krb5/PKGBUILD24
-rw-r--r--core/krb5/krb5-1.9.1-canonicalize-fallback.patch58
-rw-r--r--core/krb5/krb5-1.9.1-config-script.patch18
3 files changed, 86 insertions, 14 deletions
diff --git a/core/krb5/PKGBUILD b/core/krb5/PKGBUILD
index 94356ab28..b86c0a91c 100644
--- a/core/krb5/PKGBUILD
+++ b/core/krb5/PKGBUILD
@@ -1,9 +1,9 @@
-# $Id: PKGBUILD 133509 2011-07-28 19:16:56Z stephane $
+# $Id: PKGBUILD 139635 2011-10-03 23:42:42Z stephane $
# Maintainer: Stéphane Gaudreault <stephane@archlinux.org>
pkgname=krb5
pkgver=1.9.1
-pkgrel=3
+pkgrel=4
pkgdesc="The Kerberos network authentication system"
arch=('i686' 'x86_64')
url="http://web.mit.edu/kerberos/"
@@ -17,11 +17,13 @@ backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-signed.tar
krb5-kadmind
krb5-kdc
- krb5-1.9.1-config-script.patch)
+ krb5-1.9.1-config-script.patch
+ krb5-1.9.1-canonicalize-fallback.patch)
sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066'
'2aa229369079ed1bbb201a1ef72c47bf143f4dbe'
'77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
- '8d1ec8bdb39fec230caace112d1a41ad792f7d97')
+ '7342410760cf44bfa01bb99bb4c49e12496cb46f'
+ '238c268fa6cb42fc7324ab54db9abda5cd77f833')
options=('!emptydirs')
build() {
@@ -30,14 +32,21 @@ build() {
# - Make krb5-config suppress CFLAGS output when called with --libs
# cf https://bugzilla.redhat.com/show_bug.cgi?id=544391
- # http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-buildconf.patch
#
# - Omit extra libraries because their interfaces are not exposed to applications
# by libkrb5, unless do_deps is set to 1, which indicates that the caller
# wants the whole list.
- # cf http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch
+ #
+ # Patch from upstream :
+ # http://anonsvn.mit.edu/viewvc/krb5/trunk/src/krb5-config.in?r1=23662&r2=25236
patch -Np2 -i ${srcdir}/krb5-1.9.1-config-script.patch
+ # FS#25515
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-canonicalize-fallback.patch
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+
export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
export CPPFLAGS+=" -I/usr/include/et"
./configure --prefix=/usr \
@@ -69,5 +78,8 @@ package() {
install -m 755 ../../krb5-kdc "${pkgdir}"/etc/rc.d
install -m 755 ../../krb5-kadmind "${pkgdir}"/etc/rc.d
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
}
diff --git a/core/krb5/krb5-1.9.1-canonicalize-fallback.patch b/core/krb5/krb5-1.9.1-canonicalize-fallback.patch
new file mode 100644
index 000000000..e5a38498f
--- /dev/null
+++ b/core/krb5/krb5-1.9.1-canonicalize-fallback.patch
@@ -0,0 +1,58 @@
+diff -Naur krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c krb5-1.9.1/src/lib/krb5/krb/get_creds.c
+--- krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c 2011-02-09 16:55:36.000000000 -0500
++++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c 2011-09-26 18:42:01.465190278 -0400
+@@ -470,13 +470,10 @@
+
+ /***** STATE_REFERRALS *****/
+
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm. Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+ krb5_error_code code;
+ char **hrealms;
+@@ -485,9 +482,10 @@
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+
+- /* Only fall back if the original request used the referral realm. */
++ /* If the request used a specified realm, make a non-referral request to
++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+
+ if (ctx->server->length < 2) {
+ /* We need a type/host format principal to find a fallback realm. */
+@@ -500,10 +498,10 @@
+ if (code != 0)
+ return code;
+
+- /* Give up if the fallback realm isn't any different. */
++ /* If the fallback realm isn't any different, use the existing TGT. */
+ if (data_eq_string(ctx->server->realm, hrealms[0])) {
+ krb5_free_host_realm(context, hrealms);
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ }
+
+ /* Rewrite server->realm to be the fallback realm. */
+@@ -540,9 +538,9 @@
+ krb5_error_code code;
+ const krb5_data *referral_realm;
+
+- /* Possibly retry with the fallback realm on error. */
++ /* Possibly try a non-referral fallback request on error. */
+ if (ctx->reply_code != 0)
+- return try_fallback_realm(context, ctx);
++ return try_fallback(context, ctx);
+
+ if (krb5_principal_compare(context, ctx->reply_creds->server,
+ ctx->server)) {
diff --git a/core/krb5/krb5-1.9.1-config-script.patch b/core/krb5/krb5-1.9.1-config-script.patch
index 96ee6b001..a72a75edf 100644
--- a/core/krb5/krb5-1.9.1-config-script.patch
+++ b/core/krb5/krb5-1.9.1-config-script.patch
@@ -1,25 +1,27 @@
diff -Naur krb5-1.9.1.ori/src/krb5-config.in krb5-1.9.1/src/krb5-config.in
--- krb5-1.9.1.ori/src/krb5-config.in 2010-01-19 13:44:57.000000000 -0500
-+++ krb5-1.9.1/src/krb5-config.in 2011-07-28 14:32:00.546990621 -0400
++++ krb5-1.9.1/src/krb5-config.in 2011-09-26 18:27:09.018487087 -0400
@@ -186,7 +186,7 @@
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
-+ -e 's#\$(CFLAGS)##'`
++ -e 's#\$(CFLAGS)##'`
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
-@@ -214,7 +214,11 @@
+@@ -214,9 +214,13 @@
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
-+ if test 0$do_deps -eq 1 ; then
-+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
-+ else
-+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
-+ fi
++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
fi
++ # If we ever support a flag to generate output suitable for static
++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
++ # here.
++
echo $lib_flags
+ fi
+