Avoid private krb5_locate_kdc usage

resolves: #754783 Guenther
2012-04-20 15:21:12 +02:00 · 2012-04-20 15:21:12 +02:00 · 1908343761
parent f7cab41e8f
commit 1908343761
2 changed files with 169 additions and 1 deletions
--- a/samba-3.6.4-krb5_locate_kdc.patch
+++ b/samba-3.6.4-krb5_locate_kdc.patch
@ -0,0 +1,162 @@
+From 2464a7b0ddb556bed86a845c9400e26c4d7f584a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 30 Nov 2011 17:58:30 +0100
+Subject: [PATCH] s3-libsmb: Remove obsolete smb_krb5_locate_kdc.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+
+Autobuild-User: Günther Deschner <gd@samba.org>
+Autobuild-Date: Thu Feb  9 14:58:57 CET 2012 on sn-devel-104
+---
+ source3/configure.in          |    1 -
+ source3/include/krb5_protos.h |    4 --
+ source3/libsmb/clikrb5.c      |   89 -----------------------------------------
+ source3/wscript               |    2 +-
+ 4 files changed, 1 insertions(+), 95 deletions(-)
+
+diff --git a/source3/configure.in b/source3/configure.in
+index 298fe1b..1ce1a5b 100644
+--- a/source3/configure.in
+++ b/source3/configure.in
+@@ -3860,7 +3860,6 @@ if test x"$with_ads_support" != x"no"; then
+   AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
+   AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
+   AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
+-  AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
+   AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
+   AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
+   AC_CHECK_FUNC_EXT(krb5_free_data_contents, $KRB5_LIBS)
+diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
+index 32f995c..f16cafd 100644
+--- a/source3/include/krb5_protos.h
+++ b/source3/include/krb5_protos.h
+@@ -67,10 +67,6 @@ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+ bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+ krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#if defined(HAVE_KRB5_LOCATE_KDC)
+-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#endif
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+ bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ 			      krb5_context context,
+diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
+index 9af3e49..8cea29c 100644
+--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
+@@ -488,95 +488,6 @@
+ #endif
+ }
+ 
+-#if !defined(HAVE_KRB5_LOCATE_KDC)
+-
+-/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
+- * to a public interface for this functionality, so we have to be able to live
+- * without it if the MIT libraries are hiding their internal symbols.
+- */
+-
+-#if defined(KRB5_KRBHST_INIT)
+-/* Heimdal */
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+-	krb5_krbhst_handle hnd;
+-	krb5_krbhst_info *hinfo;
+-	krb5_error_code rc;
+-	int num_kdcs, i;
+-	struct sockaddr *sa;
+-	struct addrinfo *ai;
+-
+-	*addr_pp = NULL;
+-	*naddrs = 0;
+-
+-	rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
+-	if (rc) {
+-		DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
+-		return rc;
+-	}
+-
+-	for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
+-		;
+-
+-	krb5_krbhst_reset(ctx, hnd);
+-
+-	if (!num_kdcs) {
+-		DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
+-		krb5_krbhst_free(ctx, hnd);
+-		return -1;
+-	}
+-
+-	sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
+-	if (!sa) {
+-		DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
+-		krb5_krbhst_free(ctx, hnd);
+-		naddrs = 0;
+-		return -1;
+-	}
+-
+-	memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
+-
+-	for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
+-
+-#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
+-		rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
+-		if (rc) {
+-			DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
+-			continue;
+-		}
+-#endif
+-		if (hinfo->ai && hinfo->ai->ai_family == AF_INET) 
+-			memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
+-	}
+-
+-	krb5_krbhst_free(ctx, hnd);
+-
+-	*naddrs = num_kdcs;
+-	*addr_pp = sa;
+-	return 0;
+-}
+-
+-#else /* ! defined(KRB5_KRBHST_INIT) */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+-		struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+-	DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
+-	return KRB5_KDC_UNREACH;
+-}
+-
+-#endif /* KRB5_KRBHST_INIT */
+-
+-#else /* ! HAVE_KRB5_LOCATE_KDC */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+-		struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+-	return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
+-}
+-
+-#endif /* HAVE_KRB5_LOCATE_KDC */
+-
+ #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+  void krb5_free_unparsed_name(krb5_context context, char *val)
+ {
+diff --git a/source3/wscript b/source3/wscript
+index 901d2b6..40b2cde 100644
+--- a/source3/wscript
+++ b/source3/wscript
+@@ -585,7 +585,7 @@ msg.msg_acctrightslen = sizeof(fd);
+ krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
+ krb5_set_default_tgs_ktypes krb5_principal2salt krb5_use_enctype
+ krb5_string_to_key krb5_get_pw_salt krb5_string_to_key_salt krb5_auth_con_setkey
+-krb5_auth_con_setuseruserkey krb5_locate_kdc krb5_get_permitted_enctypes
+krb5_auth_con_setuseruserkey krb5_get_permitted_enctypes
+ krb5_get_default_in_tkt_etypes krb5_free_data_contents
+ krb5_principal_get_comp_string krb5_free_unparsed_name
+ krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
+-- 
+1.7.7.6
+
--- a/samba.spec
+++ b/samba.spec
@ -1,4 +1,4 @@
-%define main_release 82
+%define main_release 83
 %define samba_version 3.6.4
 %define tdb_version 1.2.9
 %define talloc_version 2.0.5
@ -45,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
 # The passwd part has been applied, but not the group part
 Patch107: samba-3.2.0pre1-grouppwd.patch
 Patch200: samba-3.2.5-inotify.patch
+Patch201: samba-3.6.4-krb5_locate_kdc.patch

 Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
 Requires: pam >= 0:0.64
@ -229,6 +230,7 @@ cp %{SOURCE11} packaging/Fedora/
 #%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply
 %patch107 -p1 -b .grouppwd
 %patch200 -p0 -b .inotify
+%patch201 -p1 -b .krb5_locate_kdc

 mv %samba_source/VERSION %samba_source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@ -688,6 +690,10 @@ fi
 %{_datadir}/pixmaps/samba/logo-small.png

 %changelog
+* Fri Apr 20 2012 Guenther Deschner <gdeschner@redhat.com> - 1:3.6.4-83
+- Avoid private krb5_locate_kdc usage
+- resolves: #754783
+
 * Thu Apr 12 2012 Jon Ciesla <limburgher@gmail.com> - 1:3.6.4-82
 - Update to 3.6.4
 - Fixes CVE-2012-1182