author | Sam Hartman <hartmans@debian.org> | 2017-04-19 16:38:12 -0400 |
---|---|---|
committer | Sam Hartman <hartmans@debian.org> | 2017-04-19 16:38:13 -0400 |
commit | 2131f1db9ebcaf4eb181881a7a13e3504d60d076 (patch) | |
tree | 8e8f0f45585ab1dd44ad1c991a1d2f2448b2b393 | |
parent | c923f5ca962f885e33181b03534dabb7ff879ee8 (diff) | |
parent | ef132243ba16cfdae31d4c44c0dce7e78afb4879 (diff) |
merge patched into master
17 files changed, 245 insertions, 40 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index c6910273e..0676aaba9 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -7f866a47894f28f3065936d45de17e3e2df9ab18 -7f866a47894f28f3065936d45de17e3e2df9ab18 +ef132243ba16cfdae31d4c44c0dce7e78afb4879 +ef132243ba16cfdae31d4c44c0dce7e78afb4879 33a6a841b455f9d0fbc6a1bd5463d3960d5b95fe 33a6a841b455f9d0fbc6a1bd5463d3960d5b95fe krb5_1.15.orig.tar.gz diff --git a/debian/patches/0010-Initial-German-translations.patch b/debian/patches/0010-Initial-German-translations.patch index e7d5011e5..0c7d198a5 100644 --- a/debian/patches/0010-Initial-German-translations.patch +++ b/debian/patches/0010-Initial-German-translations.patch @@ -13,7 +13,7 @@ modified 2016-11-04 to actually build the German catalogue. create mode 100644 src/po/de.po diff --git a/src/po/Makefile.in b/src/po/Makefile.in -index fdaf872..6753447 100644 +index fdaf872a16..6753447dc7 100644 --- a/src/po/Makefile.in +++ b/src/po/Makefile.in @@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \ @@ -27,7 +27,7 @@ index fdaf872..6753447 100644 .po.mo: diff --git a/src/po/de.po b/src/po/de.po new file mode 100644 -index 0000000..fd199b3 +index 0000000000..fd199b372a --- /dev/null +++ b/src/po/de.po @@ -0,0 +1,9301 @@ diff --git a/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch index 790400e80..bd93b7681 100644 --- a/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch +++ b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch @@ -18,7 +18,7 @@ Patch-Category: debian-local 8 files changed, 30 insertions(+) diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index ee8e9d6..695305f 100644 +index ee8e9d6a0f..695305fe7d 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -56,6 +56,10 @@ 
@@ -33,7 +33,7 @@ index ee8e9d6..695305f 100644 extern int optind; extern char * optarg; diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 6499173..63c509a 100644 +index 64991738a3..63c509a2a1 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -580,6 +580,9 @@ extern char *strdup (const char *); @@ -47,7 +47,7 @@ index 6499173..63c509a 100644 #ifdef HAVE_SYS_FILE_H #include <sys/file.h> /* prototypes for file-related diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c -index 20a348c..b8b61ce 100644 +index 20a348c805..b8b61cef84 100644 --- a/src/kadmin/ktutil/ktutil_funcs.c +++ b/src/kadmin/ktutil/ktutil_funcs.c @@ -33,6 +33,10 @@ @@ -62,7 +62,7 @@ index 20a348c..b8b61ce 100644 * Free a kt_list */ diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 9d6027c..585d8a6 100644 +index 9d6027ce80..585d8a6581 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -65,6 +65,9 @@ @@ -76,7 +76,7 @@ index 9d6027c..585d8a6 100644 #undef g_token_size #undef g_verify_token_header diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c -index 5932fd9..187daa8 100644 +index 5932fd9b3f..187daa84d6 100644 --- a/src/lib/krb5/os/sn2princ.c +++ b/src/lib/krb5/os/sn2princ.c @@ -126,6 +126,10 @@ find_trailer(const char *hostname) @@ -91,7 +91,7 @@ index 5932fd9..187daa8 100644 krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, diff --git a/src/plugins/kdb/db2/libdb2/include/db-int.h b/src/plugins/kdb/db2/libdb2/include/db-int.h -index 7e981d4..d83b3b6 100644 +index 7e981d4a5f..d83b3b6a6f 100644 --- a/src/plugins/kdb/db2/libdb2/include/db-int.h +++ b/src/plugins/kdb/db2/libdb2/include/db-int.h @@ -280,4 +280,8 @@ void __dbpanic __P((DB *dbp)); @@ -104,7 +104,7 @@ index 7e981d4..d83b3b6 100644 +#endif #endif /* _DB_INT_H_ */ 
diff --git a/src/slave/kprop_util.c b/src/slave/kprop_util.c -index f182554..0658390 100644 +index f182554e61..06583909ea 100644 --- a/src/slave/kprop_util.c +++ b/src/slave/kprop_util.c @@ -32,6 +32,10 @@ @@ -119,7 +119,7 @@ index f182554..0658390 100644 * Convert an IPv4 or IPv6 socket address to a newly allocated krb5_address. * There is similar code elsewhere in the tree, so this should possibly become diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c -index 7339d21..38f7253 100644 +index 7339d21bd9..38f725322b 100644 --- a/src/tests/resolve/resolve.c +++ b/src/tests/resolve/resolve.c @@ -73,6 +73,10 @@ char *strchr(); diff --git a/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch b/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch index 7d274c2dd..271b56399 100644 --- a/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch +++ b/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch @@ -14,7 +14,7 @@ Patch-Category: debian-local 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index f6184da..637bad7 100755 +index f6184da3fb..637bad7c75 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -138,6 +138,7 @@ if test -n "$do_help"; then diff --git a/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch index 76bfbc385..4234b3e2f 100644 --- a/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch +++ b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch @@ -9,7 +9,7 @@ Patch-Category: debian-local 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/include/osconf.hin b/src/include/osconf.hin -index 98a4674..2f51cc1 100644 +index 98a467454b..2f51cc13c7 100644 
--- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -59,7 +59,7 @@ diff --git a/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch index 6338aa3b1..dcc512a5a 100644 --- a/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch +++ b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch @@ -16,7 +16,7 @@ Patch-Category: debian-local 2 files changed, 2 insertions(+) diff --git a/src/plugins/kdb/ldap/Makefile.in b/src/plugins/kdb/ldap/Makefile.in -index 94df816..2ed562b 100644 +index 94df816eb5..2ed562b110 100644 --- a/src/plugins/kdb/ldap/Makefile.in +++ b/src/plugins/kdb/ldap/Makefile.in @@ -20,6 +20,7 @@ SHLIB_EXPDEPS = \ @@ -28,7 +28,7 @@ index 94df816..2ed562b 100644 SRCS= $(srcdir)/ldap_exp.c diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in -index 8669c24..2d92a26 100644 +index 8669c2436c..2d92a26be5 100644 --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in @@ -2,6 +2,7 @@ mydir=plugins$(S)kdb$(S)ldap$(S)ldap_util diff --git a/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch index abf290bfc..0b1bb8f7b 100644 --- a/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch +++ b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch @@ -20,7 +20,7 @@ Patch-Category: debian-local 1 file changed, 2 deletions(-) diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index 9197666..890bd2c 100644 +index 9197666e10..890bd2c037 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -562,8 +562,6 @@ releaseMechInfo(gss_mech_info *pCf) 
diff --git a/debian/patches/debian-local/0006-Add-substpdf-target.patch b/debian/patches/debian-local/0006-Add-substpdf-target.patch index 6bcca358c..2f89ed74c 100644 --- a/debian/patches/debian-local/0006-Add-substpdf-target.patch +++ b/debian/patches/debian-local/0006-Add-substpdf-target.patch @@ -13,7 +13,7 @@ Patch-Category: debian-local 1 file changed, 15 insertions(+) diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index 1fb5fea..043de76 100644 +index 1fb5fea927..043de76fa5 100644 --- a/src/doc/Makefile.in +++ b/src/doc/Makefile.in @@ -87,6 +87,21 @@ pdf: $(PDFDIR) diff --git a/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch index b47e7b793..60aa69498 100644 --- a/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch +++ b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch @@ -17,7 +17,7 @@ Patch-Category: debian-local 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index ca90921..e08c2e8 100644 +index ca909217eb..e08c2e840a 100644 --- a/src/build-tools/gssrpc.pc.in +++ b/src/build-tools/gssrpc.pc.in @@ -1,7 +1,7 @@ @@ -31,7 +31,7 @@ index ca90921..e08c2e8 100644 Name: gssrpc diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index c8d1cd1..de56a75 100644 +index c8d1cd1262..de56a75213 100644 --- a/src/build-tools/kadm-client.pc.in +++ b/src/build-tools/kadm-client.pc.in @@ -1,7 +1,7 @@ @@ -45,7 +45,7 @@ index c8d1cd1..de56a75 100644 Name: kadm-client Description: Kerberos administration client library diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index cd2f86c..a73ff86 100644 +index cd2f86c649..a73ff86cfe 100644 --- a/src/build-tools/kadm-server.pc.in +++ b/src/build-tools/kadm-server.pc.in @@ -1,7 +1,7 @@ 
@@ -59,7 +59,7 @@ index cd2f86c..a73ff86 100644 Name: kadm-server Description: Kerberos administration server library diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in -index 461a8d01d0..356501d 100644 +index 461a8d01d0..356501d38c 100644 --- a/src/build-tools/kdb.pc.in +++ b/src/build-tools/kdb.pc.in @@ -1,7 +1,7 @@ @@ -73,7 +73,7 @@ index 461a8d01d0..356501d 100644 KDB5_DB_LIB=@KDB5_DB_LIB@ diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index 7b91b19..b2b2436 100644 +index 7b91b19f19..b2b243630c 100644 --- a/src/build-tools/mit-krb5-gssapi.pc.in +++ b/src/build-tools/mit-krb5-gssapi.pc.in @@ -1,7 +1,7 @@ @@ -87,7 +87,7 @@ index 7b91b19..b2b2436 100644 Name: mit-krb5-gssapi Description: Kerberos implementation of the GSSAPI diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 0308815..058e75f 100644 +index 030881512f..058e75f24d 100644 --- a/src/build-tools/mit-krb5.pc.in +++ b/src/build-tools/mit-krb5.pc.in @@ -1,7 +1,7 @@ diff --git a/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch index 4e91c2571..f7416bf36 100644 --- a/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch +++ b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch @@ -26,7 +26,7 @@ Patch-Category: debian-local 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index e08c2e8..fb4f489 100644 +index e08c2e840a..fb4f489f87 100644 --- a/src/build-tools/gssrpc.pc.in +++ b/src/build-tools/gssrpc.pc.in @@ -7,6 +7,6 @@ vendor=MIT @@ -38,7 +38,7 @@ index e08c2e8..fb4f489 100644 Libs: -L${libdir} -lgssrpc Requires.private: mit-krb5-gssapi diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index de56a75..47541ac 100644 +index de56a75213..47541ac2af 100644 
--- a/src/build-tools/kadm-client.pc.in +++ b/src/build-tools/kadm-client.pc.in @@ -7,5 +7,5 @@ Name: kadm-client @@ -49,7 +49,7 @@ index de56a75..47541ac 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lkadm5clnt_mit diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index a73ff86..5ce4b73 100644 +index a73ff86cfe..5ce4b733c4 100644 --- a/src/build-tools/kadm-server.pc.in +++ b/src/build-tools/kadm-server.pc.in @@ -7,5 +7,5 @@ Name: kadm-server @@ -60,7 +60,7 @@ index a73ff86..5ce4b73 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lkadm5srv_mit diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in -index 356501d..d39eeef 100644 +index 356501d38c..d39eeef889 100644 --- a/src/build-tools/kdb.pc.in +++ b/src/build-tools/kdb.pc.in @@ -9,6 +9,6 @@ Name: kdb @@ -72,7 +72,7 @@ index 356501d..d39eeef 100644 Libs: -L${libdir} -lkdb5 Libs.private: ${KDB5_DB_LIB} diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 637bad7..5a109b0 100755 +index 637bad7c75..5a109b0145 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -201,7 +201,7 @@ fi @@ -85,7 +85,7 @@ index 637bad7..5a109b0 100755 echo '' fi diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index b2b2436..f919222 100644 +index b2b243630c..f919222699 100644 --- a/src/build-tools/mit-krb5-gssapi.pc.in +++ b/src/build-tools/mit-krb5-gssapi.pc.in @@ -7,5 +7,5 @@ Name: mit-krb5-gssapi @@ -96,7 +96,7 @@ index b2b2436..f919222 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lgssapi_krb5 diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 058e75f..455427a 100644 +index 058e75f24d..455427a42e 100644 --- a/src/build-tools/mit-krb5.pc.in +++ b/src/build-tools/mit-krb5.pc.in @@ -10,6 +10,6 @@ defcktname=@DEFCKTNAME@ 
diff --git a/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch b/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch index f3b1edde8..8c1c584b3 100644 --- a/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch +++ b/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch @@ -14,7 +14,7 @@ Patch-Category: debian-local 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 5a109b0..723d1eb 100755 +index 5a109b0145..723d1ebac8 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -29,8 +29,8 @@ version_string="Kerberos 5 release @KRB5_VERSION@" diff --git a/debian/patches/series b/debian/patches/series index b849ed1b8..b85fc85c7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,6 @@ debian-local/0007-Fix-pkg-config-library-include-paths.patch debian-local/0008-Use-isystem-for-include-paths.patch debian-local/0009-Fix-krb5-config-paths.patch 0010-Initial-German-translations.patch +upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch +upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch +upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch diff --git a/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch b/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch new file mode 100644 index 000000000..a57c7ab88 --- /dev/null +++ b/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch 
@@ -0,0 +1,65 @@ +From b4eac5addfcaa5a73484de551ba8c32535ad7679 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 26 Dec 2016 15:09:24 -0500 +Subject: Fix KDC/kadmind startup on some IPv4-only systems + +getaddrinfo(NULL, ...) may yield an IPv6 wildcard address on IPv4-only +systems, and creating a socket for that address may result in an +EAFNOSUPPORT error. Tolerate that error as long as we can bind at +least one socket for the address. + +(cherry picked from commit 04c2bb56f5203b296b24314810eca02f5dc7e491) + +ticket: 8531 +version_fixed: 1.15.1 + +(cherry picked from commit 552a129fb857e7f6fa734011d69785ad912b3fc5) +Patch-Category: upstream +--- + src/lib/apputils/net-server.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c +index 171ecc4047..d64ffddd68 100644 +--- a/src/lib/apputils/net-server.c ++++ b/src/lib/apputils/net-server.c +@@ -834,7 +834,7 @@ setup_addresses(struct socksetup *data) + }; + krb5_error_code ret = 0; + size_t i; +- int err; ++ int err, bound_any; + struct bind_address addr; + struct addrinfo hints, *ai_list = NULL, *ai = NULL; + verto_callback vcb; +@@ -871,8 +871,12 @@ setup_addresses(struct socksetup *data) + * Loop through all the sockets that getaddrinfo could find to match + * the requested address. For wildcard listeners, this should usually + * have two results, one for each of IPv4 and IPv6, or one or the +- * other, depending on the system. ++ * other, depending on the system. On IPv4-only systems, getaddrinfo() ++ * may return both IPv4 and IPv6 addresses, but creating an IPv6 socket ++ * may give an EAFNOSUPPORT error, so tolerate that error as long as we ++ * can bind at least one socket. + */ ++ bound_any = 0; + for (ai = ai_list; ai != NULL; ai = ai->ai_next) { + /* Make sure getaddrinfo returned a socket with the same type that + * was requested. 
*/ +@@ -889,9 +893,15 @@ setup_addresses(struct socksetup *data) + _("Failed setting up a %s socket (for %s)"), + bind_type_names[addr.type], + paddr(ai->ai_addr)); +- goto cleanup; ++ if (ret != EAFNOSUPPORT) ++ goto cleanup; ++ } else { ++ bound_any = 1; + } + } ++ if (!bound_any) ++ goto cleanup; ++ ret = 0; + + if (ai_list != NULL) + freeaddrinfo(ai_list); diff --git a/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch b/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch new file mode 100644 index 000000000..834cd2428 --- /dev/null +++ b/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch 
@@ -0,0 +1,52 @@ +From 989711330dbf4b0b527538d547e35eb4c1146a47 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 26 Dec 2016 15:18:05 -0500 +Subject: Use pktinfo for explicit UDP wildcard listeners + +In net-server.c, use pktinfo on UDP server sockets if they are bound +to wildcard addresses, whether that is explicit or implicit in the +address specification. + +(cherry picked from commit d005beaa72c70bc28b2b0b49b9d83eff160ca8f1) + +ticket: 8530 +version_fixed: 1.15.1 + +(cherry picked from commit e23d062471bf9071072aaf2df39054508fe74cc1) + +Patch-Category: upstream +--- + src/lib/apputils/net-server.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c +index d64ffddd68..29ec84a15b 100644 +--- a/src/lib/apputils/net-server.c ++++ b/src/lib/apputils/net-server.c +@@ -105,6 +105,17 @@ paddr(struct sockaddr *sa) + return buf; + } + ++/* Return true if sa is an IPv4 or IPv6 wildcard address. */ ++static int ++is_wildcard(struct sockaddr *sa) ++{ ++ if (sa->sa_family == AF_INET6) ++ return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr); ++ else if (sa->sa_family == AF_INET) ++ return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY; ++ return 0; ++} ++ + /* KDC data. */ + + enum conn_type { +@@ -753,7 +764,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba, + } + + /* Try to turn on pktinfo for UDP wildcard sockets. */ +- if (ba->type == UDP && ba->address == NULL) { ++ if (ba->type == UDP && is_wildcard(sock_address)) { + krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"), + paddr(sock_address)); + ret = set_pktinfo(sock, sock_address->sa_family); diff --git a/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch b/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch new file mode 100644 index 000000000..86348bb70 --- /dev/null 
+++ b/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch 
@@ -0,0 +1,60 @@ +From ef132243ba16cfdae31d4c44c0dce7e78afb4879 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 27 Feb 2017 22:35:07 -0500 +Subject: Fix udp_preference_limit with SRV records + +In sendto_kdc:resolve_server() when resolving a server entry with a +specified transport, defer the resulting addresses if the strategy +dictates that the specified transport is not preferred. Reported by +Jochen Hein. + +(cherry picked from commit bc7594058011c2f9711f24af4fa15a421a8d5b62) + +ticket: 8554 +version_fixed: 1.15.1 + +(cherry picked from commit 59a3449f13c63048b44f56cad2d528c0805d3627) + +Patch-Category: upstream +--- + src/lib/krb5/os/sendto_kdc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index ef80991c1d..fffe0262f6 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -791,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm, + struct server_entry *entry = &servers->servers[ind]; + k5_transport transport; + struct addrinfo *addrs, *a, hint, ai; +- krb5_boolean defer; ++ krb5_boolean defer = FALSE; + int err, result; + char portbuf[PORT_LENGTH]; + +@@ -811,9 +811,13 @@ resolve_server(krb5_context context, const krb5_data *realm, + NULL, NULL, entry->uri_path, udpbufp); + } + +- /* If the entry has a specified transport, use it. */ +- if (entry->transport != TCP_OR_UDP) ++ /* If the entry has a specified transport, use it, but possibly defer the ++ * addresses we add based on the strategy. 
*/ ++ if (entry->transport != TCP_OR_UDP) { + transport = entry->transport; ++ defer = (entry->transport == TCP && strategy == UDP_FIRST) || ++ (entry->transport == UDP && strategy == UDP_LAST); ++ } + + memset(&hint, 0, sizeof(hint)); + hint.ai_family = entry->family; +@@ -833,7 +837,7 @@ resolve_server(krb5_context context, const krb5_data *realm, + /* Add each address with the specified or preferred transport. */ + retval = 0; + for (a = addrs; a != 0 && retval == 0; a = a->ai_next) { +- retval = add_connection(conns, transport, FALSE, a, ind, realm, ++ retval = add_connection(conns, transport, defer, a, ind, realm, + entry->hostname, portbuf, entry->uri_path, + udpbufp); + } diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c index 171ecc404..29ec84a15 100644 --- a/src/lib/apputils/net-server.c +++ b/src/lib/apputils/net-server.c @@ -105,6 +105,17 @@ paddr(struct sockaddr *sa) return buf; } +/* Return true if sa is an IPv4 or IPv6 wildcard address. */ +static int +is_wildcard(struct sockaddr *sa) +{ + if (sa->sa_family == AF_INET6) + return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr); + else if (sa->sa_family == AF_INET) + return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY; + return 0; +} + /* KDC data. */ enum conn_type { @@ -753,7 +764,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba, } /* Try to turn on pktinfo for UDP wildcard sockets. */ - if (ba->type == UDP && ba->address == NULL) { + if (ba->type == UDP && is_wildcard(sock_address)) { krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"), paddr(sock_address)); ret = set_pktinfo(sock, sock_address->sa_family); @@ -834,7 +845,7 @@ setup_addresses(struct socksetup *data) }; krb5_error_code ret = 0; size_t i; - int err; + int err, bound_any; struct bind_address addr; struct addrinfo hints, *ai_list = NULL, *ai = NULL; verto_callback vcb; 
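Review bot: In `is_wildcard()` (src/lib/apputils/net-server.c, hunk -105,6 +105,17), `sin_addr.s_addr` is in network byte order but is compared with the host-order constant `INADDR_ANY`. The result is correct only because that constant is zero, so the line reads like a byte-order slip. Writing `return sa2sin(sa)->sin_addr.s_addr == htonl(INADDR_ANY);` states the intent explicitly. The header comment could also say that any family other than AF_INET and AF_INET6 returns 0, because the `setup_socket` hunk (-753,7 +764,7) now uses this helper to decide whether pktinfo is enabled on a UDP listener. The same lines are carried in debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch.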
@@ -871,8 +882,12 @@ setup_addresses(struct socksetup *data) * Loop through all the sockets that getaddrinfo could find to match * the requested address. For wildcard listeners, this should usually * have two results, one for each of IPv4 and IPv6, or one or the - * other, depending on the system. + * other, depending on the system. On IPv4-only systems, getaddrinfo() + * may return both IPv4 and IPv6 addresses, but creating an IPv6 socket + * may give an EAFNOSUPPORT error, so tolerate that error as long as we + * can bind at least one socket. */ + bound_any = 0; for (ai = ai_list; ai != NULL; ai = ai->ai_next) { /* Make sure getaddrinfo returned a socket with the same type that * was requested. */ @@ -889,9 +904,15 @@ setup_addresses(struct socksetup *data) _("Failed setting up a %s socket (for %s)"), bind_type_names[addr.type], paddr(ai->ai_addr)); - goto cleanup; + if (ret != EAFNOSUPPORT) + goto cleanup; + } else { + bound_any = 1; } } + if (!bound_any) + goto cleanup; + ret = 0; if (ai_list != NULL) freeaddrinfo(ai_list); diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c index ef80991c1..fffe0262f 100644 --- a/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c @@ -791,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm, struct server_entry *entry = &servers->servers[ind]; k5_transport transport; struct addrinfo *addrs, *a, hint, ai; - krb5_boolean defer; + krb5_boolean defer = FALSE; int err, result; char portbuf[PORT_LENGTH]; 
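Review bot: In the `setup_addresses` hunk at -889,9 +904,15, the "Failed setting up a %s socket (for %s)" message is still emitted before the new `if (ret != EAFNOSUPPORT)` test. On the IPv4-only hosts this change targets, every start therefore logs a failure for a condition the code then tolerates. An operator reading the log cannot tell a skipped address family from a listener that really did not come up, although the daemon is now listening on fewer addresses than getaddrinfo() offered. I would test for EAFNOSUPPORT first and log that case separately at lower severity, for example `krb5_klog_syslog(LOG_DEBUG, _("Skipping unsupported address family for %s"), paddr(ai->ai_addr));`, keeping the existing message for errors that abort. The tolerance is keyed only on the value `setup_socket` returns, and its body is outside this hunk, so it is worth confirming that EAFNOSUPPORT can only come from socket creation and not from a later bind or setsockopt step. The same lines are carried in debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch.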
@@ -811,9 +811,13 @@ resolve_server(krb5_context context, const krb5_data *realm, NULL, NULL, entry->uri_path, udpbufp); } - /* If the entry has a specified transport, use it. */ - if (entry->transport != TCP_OR_UDP) + /* If the entry has a specified transport, use it, but possibly defer the + * addresses we add based on the strategy. */ + if (entry->transport != TCP_OR_UDP) { transport = entry->transport; + defer = (entry->transport == TCP && strategy == UDP_FIRST) || + (entry->transport == UDP && strategy == UDP_LAST); + } memset(&hint, 0, sizeof(hint)); hint.ai_family = entry->family; @@ -833,7 +837,7 @@ resolve_server(krb5_context context, const krb5_data *realm, /* Add each address with the specified or preferred transport. */ retval = 0; for (a = addrs; a != 0 && retval == 0; a = a->ai_next) { - retval = add_connection(conns, transport, FALSE, a, ind, realm, + retval = add_connection(conns, transport, defer, a, ind, realm, entry->hostname, portbuf, entry->uri_path, udpbufp); } |
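Review bot: The new comment in `resolve_server` (src/lib/krb5/os/sendto_kdc.c, hunk -811,9 +811,13) says the addresses are "possibly" deferred "based on the strategy" but not which combinations defer or why. I would spell out the rule, e.g. `/* A fixed transport is kept, but its addresses are deferred when the strategy tries that transport last (TCP under UDP_FIRST, UDP under UDP_LAST). */`. The expression leaves `defer` at FALSE for any specified transport other than TCP or UDP and for any strategy other than UDP_FIRST or UDP_LAST. Whether such values can reach this point is not visible here, because the function starts and ends outside the hunk, so a short remark that this fall-through is intended would help. The same lines are carried in debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch.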