Red Hat Bugzilla – Attachment 838662 Details for
Bug 1044747
rlm_krb5 memory corruption
[patch]
upstream fixes for rlm_krb5
freeradius-rlm_krb5.patch (text/plain), 26.11 KB, created by
John Dennis
on 2013-12-18 22:07:42 UTC
Description:
upstream fixes for rlm_krb5
Filename:
MIME Type:
Creator:
John Dennis
Created:
2013-12-18 22:07:42 UTC
Size:
26.11 KB
patch
obsolete
>diff -u -r freeradius-server-3.0.0.orig/src/modules/rlm_krb5/configure freeradius-server/src/modules/rlm_krb5/configure >--- freeradius-server-3.0.0.orig/src/modules/rlm_krb5/configure 2013-10-07 15:49:47.000000000 -0400 >+++ freeradius-server/src/modules/rlm_krb5/configure 2013-12-18 12:00:06.222640752 -0500 >@@ -588,6 +588,7 @@ > targetname > mod_cflags > mod_ldflags >+krb5_config > CPP > OBJEXT > EXEEXT >@@ -637,8 +638,7 @@ > ac_subst_files='' > ac_user_opts=' > enable_option_checking >-with_rlm_krb5_lib_dir >-with_rlm_krb5_include_dir >+with_rlm_krb5_dir > ' > ac_precious_vars='build_alias > host_alias >@@ -1255,8 +1255,7 @@ > Optional Packages: > --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] > --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) >- --with-rlm-krb5-lib-dir=DIR Directory for krb5 library files >- --with-rlm-krb5-include-dir=DIR Directory for krb5 include files >+ --with-rlm-krb5-dir=DIR Directory for krb5 files > > Some influential environment variables: > CC C compiler command 
>@@ -2794,43 +2793,114 @@ > ac_compiler_gnu=$ac_cv_c_compiler_gnu > > >- rlm_krb5_lib_dir= >+ rlm_krb5_dir= > >-# Check whether --with-rlm-krb5-lib-dir was given. >-if test "${with_rlm_krb5_lib_dir+set}" = set; then : >- withval=$with_rlm_krb5_lib_dir; case "$withval" in >+# Check whether --with-rlm-krb5-dir was given. >+if test "${with_rlm_krb5_dir+set}" = set; then : >+ withval=$with_rlm_krb5_dir; case "$withval" in > no) >- as_fn_error $? "Need rlm-krb5-lib-dir" "$LINENO" 5 >+ as_fn_error $? "Need rlm-krb5-dir" "$LINENO" 5 > ;; > yes) > ;; > *) >- rlm_krb5_lib_dir="$withval" >+ rlm_krb5_dir="$withval" > ;; > esac > > fi > > >- rlm_krb5_inc_dir= >- >-# Check whether --with-rlm-krb5-include-dir was given. >-if test "${with_rlm_krb5_include_dir+set}" = set; then : >- withval=$with_rlm_krb5_include_dir; case "$withval" in >- no) >- as_fn_error $? "Need rlm-krb5-include-dir" "$LINENO" 5 >- ;; >- yes) >- ;; >- *) >- rlm_krb5_include_dir="$withval" >- ;; >- esac >+ # Extract the first word of "krb5-config", so it can be a program name with args. >+set dummy krb5-config; ac_word=$2 >+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 >+$as_echo_n "checking for $ac_word... " >&6; } >+if ${ac_cv_path_krb5_config+:} false; then : >+ $as_echo_n "(cached) " >&6 >+else >+ case $krb5_config in >+ [\\/]* | ?:[\\/]*) >+ ac_cv_path_krb5_config="$krb5_config" # Let the user override the test with a path. >+ ;; >+ *) >+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR >+as_dummy="${rlm_krb5_dir}/bin:${PATH}:/usr/bin:/usr/local/bin" >+for as_dir in $as_dummy >+do >+ IFS=$as_save_IFS >+ test -z "$as_dir" && as_dir=. 
>+ for ac_exec_ext in '' $ac_executable_extensions; do >+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then >+ ac_cv_path_krb5_config="$as_dir/$ac_word$ac_exec_ext" >+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 >+ break 2 >+ fi >+done >+ done >+IFS=$as_save_IFS > >+ test -z "$ac_cv_path_krb5_config" && ac_cv_path_krb5_config="not-found" >+ ;; >+esac >+fi >+krb5_config=$ac_cv_path_krb5_config >+if test -n "$krb5_config"; then >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_config" >&5 >+$as_echo "$krb5_config" >&6; } >+else >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 >+$as_echo "no" >&6; } > fi > > >- smart_try_dir=$rlm_krb5_include_dir >+ if test "$krb5_config" != 'not-found'; then >+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config CFLAGS" >&5 >+$as_echo_n "checking krb5-config CFLAGS... " >&6; } >+ SMART_CFLAGS=$($krb5_config --cflags) >+ SMART_CFLAGS=$(echo "$SMART_CFLAGS" | sed 's/-I[ ]*/-isystem /g') >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${SMART_CFLAGS}" >&5 >+$as_echo "${SMART_CFLAGS}" >&6; } >+ >+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config LDFLAGS" >&5 >+$as_echo_n "checking krb5-config LDFLAGS... " >&6; } >+ SMART_LIBS=$($krb5_config --libs) >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${SMART_LIBS}" >&5 >+$as_echo "${SMART_LIBS}" >&6; } >+ >+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config reported version" >&5 >+$as_echo_n "checking krb5-config reported version... 
" >&6; } >+ krb5_version_raw=$($krb5_config --version) >+ >+ krb5_version=$(echo "$krb5_version_raw" | head -n 1 | \ >+ awk '{split($(4),v,"."); if (v["3"] == "") v["3"] = "0"; print v["1"]v["2"]v["3"] }') >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${krb5_version_raw} ($krb5_version)" >&5 >+$as_echo "${krb5_version_raw} ($krb5_version)" >&6; } >+ >+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config reported vendor" >&5 >+$as_echo_n "checking krb5-config reported vendor... " >&6; } >+ krb5_vendor=$($krb5_config --vendor) >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${krb5_vendor}" >&5 >+$as_echo "${krb5_vendor}" >&6; } >+ >+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking canonical API type" >&5 >+$as_echo_n "checking canonical API type... " >&6; } >+ if test "$krb5_vendor" = "Massachusetts Institute of Technology" || \ >+ echo "$krb5_vendor" | grep -i 'MIT' > /dev/null 2>&1 ; then >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: MIT" >&5 >+$as_echo "MIT" >&6; } >+ >+ if test "$krb5_version" -le 1114 > /dev/null 2>&1; then >+ krb5threadsafe='no' >+ { $as_echo "$as_me:${as_lineno-$LINENO}: marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4" >&5 >+$as_echo "$as_me: marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4" >&6;} >+ fi >+ else >+ krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: HEIMDAL" >&5 >+$as_echo "HEIMDAL" >&6; } >+ fi >+ else >+ smart_try_dir="$rlm_krb5_dir/include" > > > >@@ -2976,9 +3046,9 @@ > SMART_CFLAGS="$SMART_CFLAGS $smart_include" > fi > >- if test "$ac_cv_header_krb5_h" != "yes"; then >- fail="$fail krb5.h" >- fi >+ if test "$ac_cv_header_krb5_h" != "yes"; then >+ fail="$fail krb5.h" >+ fi 
> > > >@@ -3125,7 +3195,7 @@ > SMART_CFLAGS="$SMART_CFLAGS $smart_include" > fi > >- if test "$ac_cv_header_com_err_h" != "yes"; then >+ if test "$ac_cv_header_com_err_h" != "yes"; then > > > ac_safe=`echo "et/com_err.h" | sed 'y%./+-%__pm%'` >@@ -3270,15 +3340,15 @@ > SMART_CFLAGS="$SMART_CFLAGS $smart_include" > fi > >- if test "$ac_cv_header_et_com_err_h" != "yes"; then >- fail="$fail com_err.h" >- else >- krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR " >- fi >- fi >+ if test "$ac_cv_header_et_com_err_h" != "yes"; then >+ fail="$fail com_err.h" >+ else >+ krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR " >+ fi >+ fi > >- krb5libcrypto= >- smart_try_dir=$rlm_krb5_lib_dir >+ krb5libcrypto= >+ smart_try_dir="$rlm_krb5_dir/lib" > > > sm_lib_safe=`echo "k5crypto" | sed 'y%./+-%__p_%'` >@@ -3445,11 +3515,11 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then >- krb5libcrypto="-lk5crypto" >- fi >+ if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then >+ krb5libcrypto="-lk5crypto" >+ fi > >- if test "x$krb5libcrypto" = x; then >+ if test "x$krb5libcrypto" = x; then > > > sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'` >@@ -3616,15 +3686,15 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_crypto_DH_new" = xyes; then >- krb5libcrypto="-lcrypto" >+ if test "x$ac_cv_lib_crypto_DH_new" = xyes; then >+ krb5libcrypto="-lcrypto" >+ fi > fi >- fi > >- if test "x$krb5libcrypto" = x; then >- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&5 >+ if test "x$krb5libcrypto" = x; then >+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&5 > $as_echo "$as_me: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&2;} >- fi >+ fi 
> > > >@@ -3792,10 +3862,10 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then >- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the comm_err library isn't found!" >&5 >+ if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then >+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the comm_err library isn't found!" >&5 > $as_echo "$as_me: WARNING: the comm_err library isn't found!" >&2;} >- fi >+ fi > > > >@@ -3963,9 +4033,9 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then >- krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >- else >+ if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then >+ krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >+ else > > > sm_lib_safe=`echo "krb5" | sed 'y%./+-%__p_%'` >@@ -4132,12 +4202,15 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then >- fail="$fail krb5" >- fi >+ if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then >+ fail="$fail krb5" >+ fi >+ fi >+ > fi > >- krb5threadsafe= >+ if test "$krb5threadsafe" != "no"; then >+ krb5threadsafe= > > > sm_lib_safe=`echo "krb5" | sed 'y%./+-%__p_%'` >@@ -4304,8 +4377,9 @@ > SMART_LIBS="$smart_lib $SMART_LIBS" > fi > >- if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then >- if test "$cross_compiling" = yes; then : >+ >+ if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then >+ if test "$cross_compiling" = yes; then : > { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 > $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} > as_fn_error $? "cannot run test program while cross compiling >@@ -4332,8 +4406,10 @@ > conftest.$ac_objext conftest.beam conftest.$ac_ext > fi > >+ fi >+ else >+ krb5threadsafe="" > fi >- > targetname=rlm_krb5 > else > targetname= 
>@@ -4352,7 +4428,7 @@ > fi > fi > >-mod_ldflags="${krb5libcrypto} ${SMART_LIBS}" >+mod_ldflags="${krb5mod_ldflags} ${krb5libcrypto} ${SMART_LIBS}" > mod_cflags="${krb5mod_cflags} ${krb5threadsafe} ${SMART_CFLAGS}" > > >diff -u -r freeradius-server-3.0.0.orig/src/modules/rlm_krb5/configure.ac freeradius-server/src/modules/rlm_krb5/configure.ac >--- freeradius-server-3.0.0.orig/src/modules/rlm_krb5/configure.ac 2013-10-07 15:49:47.000000000 -0400 >+++ freeradius-server/src/modules/rlm_krb5/configure.ac 2013-12-18 12:00:06.232640742 -0500 
>@@ -8,99 +8,133 @@ > AC_PROG_CC > AC_PROG_CPP > >- dnl extra argument: --with-rlm-krb5-lib-dir >- rlm_krb5_lib_dir= >- AC_ARG_WITH(rlm-krb5-lib-dir, >- [ --with-rlm-krb5-lib-dir=DIR Directory for krb5 library files []], >+ dnl extra argument: --with-rlm-krb5-dir >+ rlm_krb5_dir= >+ AC_ARG_WITH(rlm-krb5-dir, >+ [ --with-rlm-krb5-dir=DIR Directory for krb5 files []], > [ case "$withval" in > no) >- AC_MSG_ERROR(Need rlm-krb5-lib-dir) >+ AC_MSG_ERROR(Need rlm-krb5-dir) > ;; > yes) > ;; > *) >- rlm_krb5_lib_dir="$withval" >+ rlm_krb5_dir="$withval" > ;; > esac ] > ) > >- dnl extra argument: --with-rlm-krb5-include-dir >- rlm_krb5_inc_dir= >- AC_ARG_WITH(rlm-krb5-include-dir, >- [ --with-rlm-krb5-include-dir=DIR Directory for krb5 include files []], >- [ case "$withval" in >- no) >- AC_MSG_ERROR(Need rlm-krb5-include-dir) >- ;; >- yes) >- ;; >- *) >- rlm_krb5_include_dir="$withval" >- ;; >- esac ] >- ) >+ AC_PATH_PROG(krb5_config, krb5-config, not-found, [${rlm_krb5_dir}/bin:${PATH}:/usr/bin:/usr/local/bin]) >+ dnl # >+ dnl # If we can find krb5-config we can get the version of the library and determine >+ dnl # whether it's safe to enable threading. 
>+ dnl # >+ if test "$krb5_config" != 'not-found'; then >+ AC_MSG_CHECKING([krb5-config CFLAGS]) >+ SMART_CFLAGS=$($krb5_config --cflags) >+ SMART_CFLAGS=[$(echo "$SMART_CFLAGS" | sed 's/-I[ ]*/-isystem /g')] >+ AC_MSG_RESULT(${SMART_CFLAGS}) >+ >+ AC_MSG_CHECKING([krb5-config LDFLAGS]) >+ SMART_LIBS=$($krb5_config --libs) >+ AC_MSG_RESULT(${SMART_LIBS}) >+ >+ AC_MSG_CHECKING([krb5-config reported version]) >+ krb5_version_raw=$($krb5_config --version) >+ >+ dnl # AWK originally from from https://github.com/hpc/lustre >+ krb5_version=$(echo "$krb5_version_raw" | head -n 1 | \ >+ awk '{split($(4),v,"."); if (v@<:@"3"@:>@ == "") v@<:@"3"@:>@ = "0"; print v@<:@"1"@:>@v@<:@"2"@:>@v@<:@"3"@:>@ }') >+ AC_MSG_RESULT([${krb5_version_raw} ($krb5_version)]) >+ >+ AC_MSG_CHECKING([krb5-config reported vendor]) >+ krb5_vendor=$($krb5_config --vendor) >+ AC_MSG_RESULT([${krb5_vendor}]) >+ >+ AC_MSG_CHECKING([canonical API type]) >+ if test "$krb5_vendor" = "Massachusetts Institute of Technology" || \ >+ echo "$krb5_vendor" | grep -i 'MIT' > /dev/null 2>&1 ; then >+ AC_MSG_RESULT([MIT]) >+ >+ if test "$krb5_version" -le 1114 > /dev/null 2>&1; then >+ krb5threadsafe='no' >+ AC_MSG_NOTICE([marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4]) >+ fi >+ else >+ krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >+ AC_MSG_RESULT([HEIMDAL]) >+ fi >+ else >+ smart_try_dir="$rlm_krb5_dir/include" >+ FR_SMART_CHECK_INCLUDE(krb5.h) >+ if test "$ac_cv_header_krb5_h" != "yes"; then >+ fail="$fail krb5.h" >+ fi > >- smart_try_dir=$rlm_krb5_include_dir >- FR_SMART_CHECK_INCLUDE(krb5.h) >- if test "$ac_cv_header_krb5_h" != "yes"; then >- fail="$fail krb5.h" >- fi >+ dnl # >+ dnl # This lives in different places depending on the distro >+ dnl # >+ >+ FR_SMART_CHECK_INCLUDE([com_err.h]) >+ if test "$ac_cv_header_com_err_h" != "yes"; then >+ FR_SMART_CHECK_INCLUDE([et/com_err.h]) >+ if test "$ac_cv_header_et_com_err_h" != "yes"; then >+ fail="$fail com_err.h" >+ else >+ 
krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR " >+ fi >+ fi > >- dnl # >- dnl # This lives in different places depending on the distro >- dnl # >- >- FR_SMART_CHECK_INCLUDE([com_err.h]) >- if test "$ac_cv_header_com_err_h" != "yes"; then >- FR_SMART_CHECK_INCLUDE([et/com_err.h]) >- if test "$ac_cv_header_et_com_err_h" != "yes"; then >- fail="$fail com_err.h" >- else >- krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR " >- fi >- fi >+ krb5libcrypto= >+ smart_try_dir="$rlm_krb5_dir/lib" >+ FR_SMART_CHECK_LIB(k5crypto, krb5_encrypt_data) >+ if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then >+ krb5libcrypto="-lk5crypto" >+ fi > >- krb5libcrypto= >- smart_try_dir=$rlm_krb5_lib_dir >- FR_SMART_CHECK_LIB(k5crypto, krb5_encrypt_data) >- if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then >- krb5libcrypto="-lk5crypto" >- fi >+ if test "x$krb5libcrypto" = x; then >+ FR_SMART_CHECK_LIB(crypto, DH_new) >+ if test "x$ac_cv_lib_crypto_DH_new" = xyes; then >+ krb5libcrypto="-lcrypto" >+ fi >+ fi > >- if test "x$krb5libcrypto" = x; then >- FR_SMART_CHECK_LIB(crypto, DH_new) >- if test "x$ac_cv_lib_crypto_DH_new" = xyes; then >- krb5libcrypto="-lcrypto" >+ if test "x$krb5libcrypto" = x; then >+ AC_MSG_WARN([neither krb5 'k5crypto' nor 'crypto' libraries are found!]) >+ fi >+ >+ FR_SMART_CHECK_LIB(com_err, set_com_err_hook) >+ if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then >+ AC_MSG_WARN([the comm_err library isn't found!]) >+ fi >+ >+ dnl Only the heimdal version of the library has this function >+ FR_SMART_CHECK_LIB(krb5, krb5_verify_user_opt) >+ if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then >+ krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >+ else >+ FR_SMART_CHECK_LIB(krb5, krb5_get_init_creds_password) >+ if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then >+ fail="$fail krb5" >+ fi > fi >- fi > >- if test "x$krb5libcrypto" = x; then >- AC_MSG_WARN([neither krb5 'k5crypto' nor 'crypto' libraries are found!]) >- 
fi >- >- FR_SMART_CHECK_LIB(com_err, set_com_err_hook) >- if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then >- AC_MSG_WARN([the comm_err library isn't found!]) > fi >- >- dnl Only the heimdal version of the library has this function >- FR_SMART_CHECK_LIB(krb5, krb5_verify_user_opt) >- if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then >- krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5" >+ >+ dnl # >+ dnl # Only check if version checks have not found kerberos to be thread unsafe >+ dnl # >+ if test "$krb5threadsafe" != "no"; then >+ krb5threadsafe= >+ FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe) >+ >+ if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then >+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])], >+ [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])]) >+ fi > else >- FR_SMART_CHECK_LIB(krb5, krb5_get_init_creds_password) >- if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then >- fail="$fail krb5" >- fi >- fi >- >- krb5threadsafe= >- FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe) >- if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then >- AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])], >- [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])]) >+ krb5threadsafe="" > fi >- > targetname=modname > else > targetname= 
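Review bot: The version gate in the krb5-config branch compares a digit-concatenated value, so `test "$krb5_version" -le 1114` does not order releases reliably: the awk expression prints `v[1]v[2]v[3]` without padding, which turns 1.11.4 into 1114 but would turn a release such as 1.8.10 into 1810 and let it escape the non-threadsafe marking. An empty or non-numeric value (for example when the fourth field of the first `--version` line is not the version) makes `test` fail with its error discarded, which also leaves `krb5threadsafe` unset and defers entirely to the later `krb5_is_thread_safe` probe. Zero-padding each component, e.g. `printf "%d%02d%02d", v[1], v[2], v[3]` compared against `11104`, and setting `krb5threadsafe='no'` when the version cannot be parsed would make the check fail closed. The hunk spans several collapsed lines of this page, so the position is given by the `AC_MSG_CHECKING([canonical API type])` block.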
>@@ -117,7 +151,7 @@
> fi
> fi
>
>-mod_ldflags="${krb5libcrypto} ${SMART_LIBS}"
>+mod_ldflags="${krb5mod_ldflags} ${krb5libcrypto} ${SMART_LIBS}"
> mod_cflags="${krb5mod_cflags} ${krb5threadsafe} ${SMART_CFLAGS}"
>
> AC_SUBST(mod_ldflags)
>diff -u -r freeradius-server-3.0.0.orig/src/modules/rlm_krb5/rlm_krb5.c freeradius-server/src/modules/rlm_krb5/rlm_krb5.c
>--- freeradius-server-3.0.0.orig/src/modules/rlm_krb5/rlm_krb5.c 2013-10-07 15:49:47.000000000 -0400
>+++ freeradius-server/src/modules/rlm_krb5/rlm_krb5.c 2013-12-15 10:35:43.978794206 -0500
>@@ -14,8 +14,10 @@
> * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
> */
>
>+#define KRB5_STRERROR_BUFSIZE (2048)
>+
> /**
>- * $Id: 24e7f3a9ae3815189a3ae1b8053f52bb56841fa4 $
>+ * $Id: 54f3a59886268de30470631c19bc157ee3cd63c9 $
> * @file rlm_krb5.c
> * @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC.
> *
>@@ -24,7 +26,7 @@
> * @copyright 2000 Nathan Neulinger <nneul@umr.edu>
> * @copyright 2000 Alan DeKok <aland@ox.org>
> */
>-RCSID("$Id: 24e7f3a9ae3815189a3ae1b8053f52bb56841fa4 $")
>+RCSID("$Id: 54f3a59886268de30470631c19bc157ee3cd63c9 $")
>
> #include <freeradius-devel/radiusd.h>
> #include <freeradius-devel/modules.h>
>@@ -39,6 +41,58 @@
> # include <com_err.h>
> #endif
>
>+#ifndef HEIMDAL_KRB5
>+# define rlm_krb5_error(_x, _y) error_message(_y)
>+#else
>+fr_thread_local_setup(char *, krb5_error_buffer) /* macro */
>+
>+/*
>+ * Explicitly cleanup the memory allocated to the error buffer,
>+ * just in case valgrind complains about it.
>+ */
>+static void _krb5_logging_free(void *arg)
>+{
>+ free(arg);
>+}
>+
>+static char const *rlm_krb5_error(krb5_context context, krb5_error_code code)
>+{
>+ char *msg;
>+ char *buffer;
>+
>+ buffer = fr_thread_local_init(krb5_error_buffer, _krb5_logging_free);
>+ if (!buffer) {
>+ int ret;
>+
>+ /*
>+ * malloc is thread safe, talloc is not
>+ */
>+ buffer = malloc(sizeof(char) * KRB5_STRERROR_BUFSIZE);
>+ if (!buffer) {
>+ ERROR("Failed allocating memory for krb5 error buffer");
>+ return NULL;
>+ }
>+
>+ ret = fr_thread_local_set(krb5_error_buffer, buffer);
>+ if (ret != 0) {
>+ ERROR("Failed setting up TLS for krb5 error buffer: %s", fr_syserror(ret));
>+ free(buffer);
>+ return NULL;
>+ }
>+ }
>+
>+ msg = krb5_get_error_message(context, code);
>+ if (msg) {
>+ strlcpy(buffer, msg, KRB5_STRERROR_BUFSIZE);
>+ krb5_free_error_message(context, msg);
>+ } else {
>+ strlcpy(buffer, "Unknown error", KRB5_STRERROR_BUFSIZE);
>+ }
>+
>+ return buffer;
>+}
>+#endif
>+
> /** Instance configuration for rlm_krb5
> *
> * Holds the configuration and preparsed data for a instance of rlm_krb5.
>@@ -83,6 +137,10 @@
> if (inst->gic_options) {
> krb5_get_init_creds_opt_free(inst->context, inst->gic_options);
> }
>+
>+ if (inst->server) {
>+ krb5_free_principal(inst->context, inst->server);
>+ }
> #endif
>
> /* Don't free hostname, it's just a pointer into service_princ */
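Review bot: The new Heimdal-side rlm_krb5_error() returns NULL when malloc() or fr_thread_local_set() fails, and the callers visible in this patch pass its result straight to a `%s` conversion in EDEBUG/REDEBUG/RDEBUG, which is undefined behaviour for a null pointer. Returning a string literal on those two paths keeps the `char const *` contract and makes the helper safe inside a log call, e.g. `return "Failed allocating krb5 error buffer";` and `return "Failed setting up krb5 error buffer";`. A one-line comment stating that the returned pointer is a per-thread buffer overwritten by the next call would also help, since two calls in one log statement would alias.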
>@@ -128,7 +186,8 @@
>
> ret = krb5_init_context(&inst->context);
> if (ret) {
>- EDEBUG("rlm_krb5 (%s): Context initialisation failed: %s", inst->xlat_name, error_message(ret));
>+ EDEBUG("rlm_krb5 (%s): Context initialisation failed: %s", inst->xlat_name,
>+ rlm_krb5_error(NULL, ret));
>
> return -1;
> }
>@@ -169,7 +228,8 @@
> */
> ret = krb5_sname_to_principal(inst->context, inst->hostname, inst->service, KRB5_NT_SRV_HST, &(inst->server));
> if (ret) {
>- EDEBUG("rlm_krb5 (%s): Failed parsing service principal: %s", inst->xlat_name, error_message(ret));
>+ EDEBUG("rlm_krb5 (%s): Failed parsing service principal: %s", inst->xlat_name,
>+ rlm_krb5_error(inst->context, ret));
>
> return -1;
> }
>@@ -178,7 +238,7 @@
> if (ret) {
> /* Uh? */
> EDEBUG("rlm_krb5 (%s): Failed constructing service principal string: %s", inst->xlat_name,
>- error_message(ret));
>+ rlm_krb5_error(inst->context, ret));
>
> return -1;
> }
>@@ -198,7 +258,7 @@
> ret = krb5_get_init_creds_opt_alloc(inst->context, &(inst->gic_options));
> if (ret) {
> EDEBUG("rlm_krb5 (%s): Couldn't allocated inital credential options: %s", inst->xlat_name,
>- error_message(ret));
>+ rlm_krb5_error(inst->context, ret));
>
> return -1;
> }
>@@ -210,7 +270,8 @@
> krb5_kt_resolve(inst->context, inst->keytabname, &keytab) :
> krb5_kt_default(inst->context, &keytab);
> if (ret) {
>- EDEBUG("rlm_krb5 (%s): Resolving keytab failed: %s", inst->xlat_name, error_message(ret));
>+ EDEBUG("rlm_krb5 (%s): Resolving keytab failed: %s", inst->xlat_name,
>+ rlm_krb5_error(inst->context, ret));
>
> return -1;
> }
>@@ -218,7 +279,8 @@
> ret = krb5_kt_get_name(inst->context, keytab, keytab_name, sizeof(keytab_name));
> krb5_kt_close(inst->context, keytab);
> if (ret) {
>- EDEBUG("rlm_krb5 (%s): Can't retrieve keytab name: %s", inst->xlat_name, error_message(ret));
>+ EDEBUG("rlm_krb5 (%s): Can't retrieve keytab name: %s", inst->xlat_name,
>+ rlm_krb5_error(inst->context, ret));
>
> return -1;
> }
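Review bot: The first hunk here calls `rlm_krb5_error(NULL, ret)` after krb5_init_context() fails, and in a HEIMDAL_KRB5 build the helper forwards that NULL context to krb5_get_error_message() and krb5_free_error_message(). Whether those calls tolerate a NULL context is not shown in the patch and may depend on the library version, so it should be confirmed against the supported Heimdal releases. If it cannot be relied on, a guard at the top of the helper such as `if (!context) return "krb5 context unavailable";` avoids dereferencing it on the one path where no context exists. The enclosing function begins and ends outside the hunk.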
>@@ -229,7 +291,6 @@
>
> krb5_verify_init_creds_opt_init(inst->vic_options);
> krb5_verify_init_creds_opt_set_ap_req_nofail(inst->vic_options, true);
>-
> #endif
>
> return 0;
>@@ -266,14 +327,14 @@
> */
> if (request->password->da->attr != PW_USER_PASSWORD) {
> REDEBUG("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".",
>- request->password->da->name);
>+ request->password->da->name);
>
> return RLM_MODULE_INVALID;
> }
>
> ret = krb5_parse_name(context, request->username->vp_strvalue, client);
> if (ret) {
>- REDEBUG("Failed parsing username as principal: %s", error_message(ret));
>+ REDEBUG("Failed parsing username as principal: %s", rlm_krb5_error(context, ret));
>
> return RLM_MODULE_FAIL;
> }
>@@ -314,7 +375,7 @@
> */
> ret = krb5_copy_context(inst->context, &context);
> if (ret) {
>- REDEBUG("Error cloning krb5 context: %s", error_message(ret));
>+ REDEBUG("Error cloning krb5 context: %s", rlm_krb5_error(inst->context, ret));
>
> return RLM_MODULE_FAIL;
> }
>@@ -343,7 +404,7 @@
> krb5_kt_resolve(context, inst->keytabname, &keytab) :
> krb5_kt_default(context, &keytab);
> if (ret) {
>- REDEBUG("Resolving keytab failed: %s", error_message(ret));
>+ REDEBUG("Resolving keytab failed: %s", rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_FAIL;
>
> goto cleanup;
>@@ -367,23 +428,23 @@
> switch (ret) {
> case KRB5_LIBOS_BADPWDMATCH:
> case KRB5KRB_AP_ERR_BAD_INTEGRITY:
>- REDEBUG("Provided password was incorrect (%i): %s", ret, error_message(ret));
>+ REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_REJECT;
>
> break;
> case KRB5KDC_ERR_KEY_EXP:
> case KRB5KDC_ERR_CLIENT_REVOKED:
> case KRB5KDC_ERR_SERVICE_REVOKED:
>- REDEBUG("Account has been locked out (%i): %s", ret, error_message(ret));
>+ REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_USERLOCK;
>
> break;
> case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
>- RDEBUG("User not found: %s (%i)", ret, error_message(ret));
>+ RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_NOTFOUND;
>
> default:
>- REDEBUG("Error verifying credentials (%i): %s", ret, error_message(ret));
>+ REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_FAIL;
>
> break;
>@@ -405,7 +466,7 @@
> return rcode;
> }
>
>-#else
>+#else /* HEIMDAL_KRB5 */
>
> /*
> * Validate userid/passwd (MIT)
>@@ -437,7 +498,7 @@
> */
> ret = krb5_copy_context(inst->context, &context);
> if (ret) {
>- REDEBUG("Error cloning krb5 context: %s", error_message(ret));
>+ REDEBUG("Error cloning krb5 context: %s", rlm_krb5_error(inst->context, ret));
>
> return RLM_MODULE_FAIL;
> }
>@@ -467,7 +528,7 @@
> krb5_kt_resolve(context, inst->keytabname, &keytab) :
> krb5_kt_default(context, &keytab);
> if (ret) {
>- REDEBUG("Resolving keytab failed: %s", error_message(ret));
>+ REDEBUG("Resolving keytab failed: %s", rlm_krb5_error(context, ret));
>
> goto cleanup;
> }
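Review bot: In the first switch of this span (the code before `#else`, which appears to be the Heimdal variant) the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN case still passes its arguments in the wrong order: `RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(context, ret));` gives an integer to `%s` and a pointer to `%i`, which is undefined behaviour on an authentication-failure path driven by request data. The same case has no `break;`, so it falls through to `default:` and `rcode` ends up RLM_MODULE_FAIL instead of RLM_MODULE_NOTFOUND. The MIT switch later in the patch already uses the corrected form, and this one should match it: `REDEBUG("User not found (%i): %s", ret, rlm_krb5_error(context, ret));` followed by `rcode = RLM_MODULE_NOTFOUND;` and `break;`. The switch closes outside the hunk.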
>@@ -475,7 +536,7 @@
> /*
> * Retrieve the TGT from the TGS/KDC and check we can decrypt it.
> */
>- memcpy(&password, request->password->vp_strvalue, sizeof(password));
>+ memcpy(&password, &request->password->vp_strvalue, sizeof(password));
> ret = krb5_get_init_creds_password(context, &init_creds, client, password,
> NULL, NULL, 0, NULL, inst->gic_options);
> password = NULL;
>@@ -484,24 +545,25 @@
> switch (ret) {
> case KRB5_LIBOS_BADPWDMATCH:
> case KRB5KRB_AP_ERR_BAD_INTEGRITY:
>- REDEBUG("Provided password was incorrect (%i): %s", ret, error_message(ret));
>+ REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_REJECT;
> break;
>
> case KRB5KDC_ERR_KEY_EXP:
> case KRB5KDC_ERR_CLIENT_REVOKED:
> case KRB5KDC_ERR_SERVICE_REVOKED:
>- REDEBUG("Account has been locked out (%i): %s", ret, error_message(ret));
>+ REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_USERLOCK;
> break;
>
> case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
>- RDEBUG("User not found (%i): %s", ret, error_message(ret));
>+ REDEBUG("User not found (%i): %s", ret, rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_NOTFOUND;
> break;
>
> default:
>- REDEBUG("Error retrieving or verifying credentials (%i): %s", ret, error_message(ret));
>+ REDEBUG("Error retrieving or verifying credentials (%i): %s", ret,
>+ rlm_krb5_error(context, ret));
> rcode = RLM_MODULE_FAIL;
> break;
> }
>@@ -534,7 +596,7 @@
> return rcode;
> }
>
>-#endif /* HEIMDAL_KRB5 */
>+#endif /* MIT_KRB5 */
>
> module_t rlm_krb5 = {
> RLM_MODULE_INIT,
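Review bot: The corrected `memcpy(&password, &request->password->vp_strvalue, sizeof(password));` in the first hunk needs a comment, because the one-character difference from the old line is the whole fix: the old call copied the first sizeof(password) bytes of the password text into the pointer variable, while the new one copies the pointer value itself. A line such as `/* copy the pointer, not the string contents; memcpy is presumably used to drop const */` above the call would keep it from being "simplified" back. The fix relies on `vp_strvalue` being a pointer member of the same size as `password`, which is not visible in the hunk, so a compile-time size check next to the call would catch a later type change. Also, `password = NULL;` only clears the local alias and does not wipe the password bytes held by the request.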