|
1 # |
|
2 # Since we will not migrate kwarn code to userland, we created a libkwarn in |
|
3 # ON gate. This patch is to let kinit, kdestroy and GSSAPI utilize libkwarn |
|
4 # functionality. |
|
5 # |
|
6 # This patch will not be pushed upstream, since it's a Solaris-specific feature. |
|
7 # Patch source: in-house |
|
8 # |
|
9 |
|
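--- a/src/clients/kdestroy/Makefile.in
+++ b/src/clients/kdestroy/Makefile.in
@@ -19,7 +19,7 @@ all-unix:: kdestroy
 ##WIN32##all-windows:: $(KDESTROY)
 
 kdestroy: kdestroy.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS)
+ $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS) -lkwarn
 
 ##WIN32##$(KDESTROY): $(OUTPRE)kdestroy.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
 ##WIN32## link $(EXE_LINKOPTS) -out:$@ $**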
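--- a/src/clients/kdestroy/kdestroy.c
+++ b/src/clients/kdestroy/kdestroy.c
@@ -24,6 +24,12 @@
 * or implied warranty.
 */
 
+/* Solaris Kerberos */
+#include <rpc/types.h>
+#include <rpc/rpcsys.h>
+#include <rpc/rpcsec_gss.h>
+#include <kerberosv5/private/ktwarn.h>
+
 #include "k5-platform.h"
 #include <krb5.h>
 #include <com_err.h>
@@ -46,6 +52,13 @@
 extern int optind;
 extern char *optarg;
 
+/*
+ * We add _rpcsys extern declariation because that ON build suppresses warning
+ * of implicit declarition, while MIT kerberos build treats the warning
+ * as an error.
+ */
+extern int _rpcsys(int, void *);
+
 #ifndef _WIN32
 #define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
 #else
@@ -82,6 +95,13 @@
 int quiet = 0;
 int all = 0;
 
+ /* Solaris Kerberos */
+ krb5_principal me = NULL;
+ char *client_name = NULL;
+ struct krpc_revauth desarg;
+ static rpc_gss_OID_desc oid = {9, "\052\206\110\206\367\022\001\002\002"};
+ static rpc_gss_OID krb5_mech_type = &oid;
+
 setlocale(LC_ALL, "");
 progname = GET_PROGNAME(argv[0]);
 
@@ -165,6 +185,49 @@
 }
 }
 
+ /*
+ * Solaris Kerberos
+ * Let us destroy the kernel cache first.
+ */
+ desarg.version = 1;
+ desarg.uid_1 = geteuid();
+ desarg.rpcsec_flavor_1 = RPCSEC_GSS;
+ desarg.flavor_data_1 = (void *) krb5_mech_type;
+ code = _rpcsys(KRPC_REVAUTH, (void *)&desarg);
+ if (code != 0) {
+ fprintf(stderr, _("%s: kernel creds cache error %d \n"),
+ progname, code);
+ }
+
+ if (cache_name) {
+ code = krb5_cc_resolve (kcontext, cache_name, &cache);
+ if (code != 0) {
+ com_err (progname, code, _("while resolving %s"), cache_name);
+ exit(1);
+ }
+ } else {
+ code = krb5_cc_default(kcontext, &cache);
+ if (code) {
+ com_err(progname, code, _("while getting default ccache"));
+ exit(1);
+ }
+ }
+
+ /*
+ * Solaris Kerberos
+ * Get client name for ktkt_warnd(1M) msg.
+ */
+ code = krb5_cc_get_principal(kcontext, cache, &me);
+ if (code != 0)
+ fprintf(stderr,
+ _("%s: Could not obtain principal name from cache\n"),
+ progname);
+ else
+ if ((code = krb5_unparse_name(kcontext, me, &client_name)))
+ fprintf(stderr,
+ _("%s: Could not unparse principal name found in cache\n"),
+ progname);
+
 code = krb5_cc_destroy (kcontext, cache);
 if (code != 0) {
 com_err (progname, code, _("while destroying cache"));
@@ -178,5 +241,17 @@
 errflg = 1;
 }
 }
+
+ /* Solaris Kerberos - Delete ktkt_warnd(1M) entry. */
+ if (!errflg && client_name)
+ kwarn_del_warning(client_name);
+ else
+ fprintf(stderr, _("%s: TGT expire warning NOT deleted\n"),
+ progname);
+
+ /* Solaris Kerberos */
+ free(client_name);
+ krb5_free_principal(kcontext, me);
+
 return errflg;
 }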
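Review bot: In the `@@ -165,6 +185,49 @@` hunk a failed `_rpcsys(KRPC_REVAUTH, ...)` only prints a message and leaves `errflg` untouched, so kdestroy can still exit 0 when the kernel credentials cache named in the comment was not revoked. The message also prints the call's return value rather than an error string, which makes the cause hard to diagnose. If a failed kernel revocation should count as a failed destroy, add `errflg = 1;` after that `fprintf` and report `strerror(errno)` (assuming `_rpcsys` sets errno, which is not visible here). In the last hunk the result of `kwarn_del_warning(client_name)` is discarded, whereas kinit.c's `_kwarnd_del_warning` wrapper in this same patch checks it. main() starts outside these hunks.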
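--- a/src/clients/kinit/Makefile.in
+++ b/src/clients/kinit/Makefile.in
@@ -20,7 +20,7 @@ all-unix:: kinit
 ##WIN32##all-windows:: $(KINIT)
 
 kinit: kinit.o kinit_kdb.o $(KRB5_BASE_DEPLIBS) $(KADMSRV_DEPLIBS)
- $(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
+ $(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) -lkwarn
 
 ##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES)
 ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib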
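--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -35,6 +35,7 @@
 #include <time.h>
 #include <errno.h>
 #include <com_err.h>
+#include <kerberosv5/private/ktwarn.h>
 
 #ifdef GETOPT_LONG
 #include <getopt.h>
@@ -94,6 +95,9 @@ char * get_name_from_os()
 
 static char *progname;
 
+static void _kwarnd_add_warning(char *, char *, time_t);
+static void _kwarnd_del_warning(char *, char *);
+
 typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
 
 struct k_opts
@@ -883,6 +887,15 @@ k5_kinit(opts, k5)
 if (opts->verbose)
 fprintf(stderr, _("Stored credentials\n"));
 }
+
+ /* Solaris Kerberos: support our ktkt_warnd */
+ if (opts->action == RENEW) {
+ _kwarnd_del_warning(progname, opts->principal_name);
+ _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime);
+ } else if ((opts->action == INIT_KT) || (opts->action == INIT_PW)) {
+ _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime);
+ }
+
 notix = 0;
 
 if (k5->switch_to_cache) {
@@ -951,3 +964,25 @@ main(argc, argv)
 exit(1);
 return 0;
 }
+
+/* Solaris Kerberos start */
+
+static void
+_kwarnd_add_warning(char *progname, char *me, time_t endtime)
+{
+ if (kwarn_add_warning(me, endtime) != 0)
+ fprintf(stderr, gettext(
+ "%s: no ktkt_warnd warning possible\n"), progname);
+ return;
+}
+
+static void
+_kwarnd_del_warning(char *progname, char *me)
+{
+ if (kwarn_del_warning(me) != 0)
+ fprintf(stderr, gettext(
+ "%s: unable to delete ktkt_warnd message for %s\n"),
+ progname, me);
+ return;
+}
+/* Solaris Kerberos end */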
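Review bot: The `k5_kinit` hunk keys the ktkt_warnd entry on `opts->principal_name`, while the kdestroy.c and store_cred.c changes in this patch key it on the `krb5_unparse_name()` form of the credential's principal. If `opts->principal_name` is the raw command-line argument (its assignment is outside the hunk), it may be NULL when no principal is given and may lack the realm. The helpers would then receive a NULL pointer, and a later `kwarn_del_warning()` from kdestroy would not match the entry that kinit added. Unparsing `my_creds.client` and passing that name to both helpers would keep the three callers consistent; `k5->ctx` below is assumed from the surrounding function, which is not visible here.

```c
    /* Solaris Kerberos: support our ktkt_warnd */
    if (opts->action == RENEW || opts->action == INIT_KT ||
        opts->action == INIT_PW) {
        char *warn_name = NULL;

        /* Key the warning on the unparsed client name, as kdestroy does. */
        if (krb5_unparse_name(k5->ctx, my_creds.client, &warn_name) == 0) {
            if (opts->action == RENEW)
                _kwarnd_del_warning(progname, warn_name);
            _kwarnd_add_warning(progname, warn_name, my_creds.times.endtime);
            krb5_free_unparsed_name(k5->ctx, warn_name);
        }
    }
    /* ... unchanged: notix = 0 and the switch_to_cache handling ... */
```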
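--- a/src/lib/gssapi/Makefile.in
+++ b/src/lib/gssapi/Makefile.in
@@ -27,7 +27,7 @@ STOBJLISTS=OBJS.ST generic/OBJS.ST mechg
 SUBDIROBJLISTS=generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST
 SHLIB_EXPDEPS=\
 $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) $(COM_ERR_DEPLIB)
-SHLIB_EXPLIBS=-lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS)
+SHLIB_EXPLIBS=-lkrb5 -lk5crypto -lcom_err -lkwarn $(SUPPORT_LIB) $(DL_LIB) $(LIBS)
 RELDIR=gssapi
 
 all-unix:: all-liblinks @MAINT@ verify-calling-conventions-gssapi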
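--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -26,6 +26,9 @@
 
 #include "k5-int.h"
 #include "gssapiP_krb5.h"
+#include <syslog.h>
+#include <kerberosv5/private/ktwarn.h>
+
 
 static int
 has_unexpired_creds(krb5_gss_cred_id_t kcred,
@@ -71,6 +74,7 @@ copy_initiator_creds(OM_uint32 *minor_st
 krb5_context context = NULL;
 krb5_ccache ccache = NULL;
 const char *ccache_name;
+ char *client_name = NULL;
 
 *minor_status = 0;
 
@@ -162,6 +166,17 @@ copy_initiator_creds(OM_uint32 *minor_st
 *minor_status = 0;
 major_status = GSS_S_COMPLETE;
 
+ /* Alert ktkt_warnd(1M) */
+ major_status = krb5_unparse_name(context, kcred->name->princ, &client_name);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+ (void) kwarn_del_warning(client_name);
+ if (kwarn_add_warning(client_name, kcred->expire) != 0) {
+ syslog(LOG_AUTH|LOG_NOTICE, "store_cred: kwarn_add_warning"
+ " failed: ktkt_warnd(1M) down? ");
+ }
+ free(client_name);
+
 cleanup:
 if (kcred != NULL)
 k5_mutex_unlock(&kcred->lock);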
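Review bot: `krb5_unparse_name()` returns a `krb5_error_code`, but the `@@ -162,6 +166,17 @@` hunk of `copy_initiator_creds` stores it in `major_status` and tests it with `GSS_ERROR()`. A small positive code such as ENOMEM has none of the GSS error bits set, so execution would continue into `kwarn_del_warning()` with `client_name` still NULL. Any failure that does trip the test is returned to the caller as a GSS major status with `*minor_status` left at 0, at a point where the preceding context lines had already set `GSS_S_COMPLETE`. Treating the ktkt_warnd update as best effort avoids both problems and leaves `major_status` alone; the function body starts outside the hunk.

```c
    /* Alert ktkt_warnd(1M); best effort, major_status stays GSS_S_COMPLETE. */
    if (krb5_unparse_name(context, kcred->name->princ, &client_name) == 0) {
        (void) kwarn_del_warning(client_name);
        if (kwarn_add_warning(client_name, kcred->expire) != 0) {
            syslog(LOG_AUTH|LOG_NOTICE, "store_cred: kwarn_add_warning"
                   " failed: ktkt_warnd(1M) down? ");
        }
        krb5_free_unparsed_name(context, client_name);
    }
    /* ... unchanged: cleanup label and mutex unlock ... */
```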