diff --git a/krb5-1.11.1-rpcbind.patch b/krb5-1.11.1-rpcbind.patch
deleted file mode 100644
index 6379462..0000000
--- a/krb5-1.11.1-rpcbind.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-We sort of sabotage the test here, changing the result when the local
-portmapper is running but won't allow us to register so that it's treated the
-same as a portmapper-not-running case.
-
---- krb5/src/lib/rpc/unit-test/server.c
-+++ krb5/src/lib/rpc/unit-test/server.c
-@@ -116,6 +116,7 @@ main(int argc, char **argv)
- if (!svc_register(transp, RPC_TEST_PROG, RPC_TEST_VERS_1,
- rpc_test_prog_1_svc, prot)) {
- fprintf(stderr,
-+ "Cannot register service: " /* don't bail fatally just because rpcbind isn't obliging us */
- "unable to register (RPC_TEST_PROG, RPC_TEST_VERS_1, %s).",
- prot == IPPROTO_TCP ? "tcp" : "udp");
- exit(1);
diff --git a/krb5-master-test_gss_no_udp.patch b/krb5-master-test_gss_no_udp.patch
new file mode 100644
index 0000000..866647d
--- /dev/null
+++ b/krb5-master-test_gss_no_udp.patch
@@ -0,0 +1,41 @@
+commit 11bd102c0e3793204111f712e5bd4bf54f2d9573
+Author: Greg Hudson
+Date: Wed May 1 14:40:31 2013 -0400
+
+ Disable UDP pass of gssrpc tests on all platforms
+
+ The AUTH_GSSAPI flavor of rpc authentication uses IP address channel
+ bindings. These are broken over UDP, because svcudp_recv() fails to
+ get the destination address of incoming packets (it tries to use the
+ recvmsg() msg_name field to get the destination IP address, which
+ instead gets the source address; see ticket #5540).
+
+ There is no simple or comprehensive way to fix this; using IP_PKTINFO
+ is a fair amount of code and only works on some platforms. It's also
+ not very important--nobody should be using AUTH_GSSAPI except perhaps
+ for compatibility with really old kadmin, and kadmin only runs over
+ TCP. Since the gssrpc tests are closely wedded to AUTH_GSSAPI, the
+ simplest fix is to only run the TCP pass.
+
+diff --git a/src/configure.in b/src/configure.in
+index 0c8111b..42a5fd5 100644
+--- a/src/configure.in
++++ b/src/configure.in
+@@ -984,16 +984,7 @@ extern void endrpcent();],
+ AC_MSG_RESULT($k5_cv_type_endrpcent)
+ AC_DEFINE_UNQUOTED(ENDRPCENT_TYPE, $k5_cv_type_endrpcent, [Define as return type of endrpcent])
+ K5_GEN_FILE(include/gssrpc/types.h:include/gssrpc/types.hin)
+-changequote(<<, >>)
+-case "$krb5_cv_host" in
+-*-*-solaris2.[012345]*)
+- PASS=tcp
+- ;;
+-*)
+- PASS="tcp udp"
+- ;;
+-esac
+-changequote([, ])
++PASS=tcp
+ AC_SUBST(PASS)
+
+ # for pkinit
diff --git a/krb5-master-test_no_pmap.patch b/krb5-master-test_no_pmap.patch
new file mode 100644
index 0000000..bc6afed
--- /dev/null
+++ b/krb5-master-test_no_pmap.patch
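Review bot: The unconditional `PASS=tcp` in src/configure.in carries no in-file explanation, so the reason the UDP pass is gone lives only in the commit message. A short comment directly above it, for example `# AUTH_GSSAPI channel bindings are broken over UDP (ticket #5540); run only the TCP pass.`, would stop a later reader from re-enabling UDP or from assuming AUTH_GSSAPI over UDP is still exercised by the test suite.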
@@ -0,0 +1,244 @@
+commit 5454da3bcaa383f5b47984283f11f010d3d2b73e
+Author: Greg Hudson
+Date: Wed May 1 13:07:36 2013 -0400
+
+ Don't use portmapper in RPC tests
+
+ On many Linux systems, due to what is arguably a bug in rpcbind, the
+ portmapper doesn't allow service registration from non-root processes.
+ This causes the RPC tests to be frequently skipped. Modify the tests
+ so that they don't need the portmapper, by grabbing the port number
+ from the server process and passing it to the client.
+
+diff --git a/doc/build/doing_build.rst b/doc/build/doing_build.rst
+index bc438c8..3c686cc 100644
+--- a/doc/build/doing_build.rst
++++ b/doc/build/doing_build.rst
+@@ -149,9 +149,6 @@ However, there are several prerequisites that must be satisfied first:
+ **-**\ **-disable-rpath**, which renders the build tree less suitable for
+ installation, but allows testing without interference from
+ previously installed libraries.
+-* In order to test the RPC layer, the local system has to be running
+- the portmap daemon and it has to be listening to the regular network
+- interface (not just localhost).
+
+ There are additional regression tests available, which are not run
+ by ``make check``.
These tests require manual setup and teardown of
+diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/unit-test/client.c
+index a70cf38..6ab4534 100644
+--- a/src/lib/rpc/unit-test/client.c
++++ b/src/lib/rpc/unit-test/client.c
+@@ -7,12 +7,15 @@
+
+ #include
+ #include
++#include
++#include
+ #include "autoconf.h"
+ #ifdef HAVE_UNISTD_H
+ #include
+ #endif
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "rpc_test.h"
+@@ -51,17 +54,19 @@ main(argc, argv)
+ int argc;
+ char **argv;
+ {
+- char *host, *target, *echo_arg, **echo_resp, buf[BIG_BUF];
+- char *prot;
++ char *host, *port, *target, *echo_arg, **echo_resp, buf[BIG_BUF];
+ CLIENT *clnt;
+ AUTH *tmp_auth;
+ struct rpc_err e;
+- int i, auth_once;
++ int i, auth_once, sock, use_tcp;
+ unsigned int count;
+ extern int optind;
+ extern char *optarg;
+ extern int svc_debug_gssapi, misc_debug_gssapi, auth_debug_gssapi;
+ int c;
++ struct sockaddr_in sin;
++ struct hostent *h;
++ struct timeval tv;
+
+ extern int krb5_gss_dbg_client_expcreds;
+ krb5_gss_dbg_client_expcreds = 1;
+@@ -69,7 +74,7 @@ main(argc, argv)
+ whoami = argv[0];
+ count = 1026;
+ auth_once = 0;
+- prot = NULL;
++ use_tcp = -1;
+
+ while ((c = getopt(argc, argv, "a:m:os:tu")) != -1) {
+ switch (c) {
+@@ -86,39 +91,60 @@ main(argc, argv)
+ svc_debug_gssapi = atoi(optarg);
+ break;
+ case 't':
+- prot = "tcp";
++ use_tcp = 1;
+ break;
+ case 'u':
+- prot = "udp";
++ use_tcp = 0;
+ break;
+ case '?':
+ usage();
+ break;
+ }
+ }
+- if (prot == NULL)
++ if (use_tcp == -1)
+ usage();
+
+ argv += optind;
+ argc -= optind;
+
+ switch (argc) {
+- case 3:
+- count = atoi(argv[2]);
++ case 4:
++ count = atoi(argv[3]);
+ if (count > BIG_BUF-1) {
+ fprintf(stderr, "Test count cannot exceed %d.\n", BIG_BUF-1);
+ usage();
+ }
+- case 2:
++ case 3:
+ host = argv[0];
+- target = argv[1];
++ port = argv[1];
++ target = argv[2];
+ break;
+ default:
+ usage();
+ }
+
++ /* get server address */
++ h = gethostbyname(host);
++ if (h == NULL) {
++ fprintf(stderr, "Can't resolve hostname %s\n", host);
++ exit(1);
++ }
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = h->h_addrtype;
++ sin.sin_port = ntohs(atoi(port));
++ memmove(&sin.sin_addr, h->h_addr, sizeof(sin.sin_addr));
++
+ /* client handle to rstat */
+- clnt = clnt_create(host, RPC_TEST_PROG, RPC_TEST_VERS_1, prot);
++ sock = RPC_ANYSOCK;
++ if (use_tcp) {
++ clnt = clnttcp_create(&sin, RPC_TEST_PROG, RPC_TEST_VERS_1, &sock, 0,
++ 0);
++ } else {
++ tv.tv_sec = 5;
++ tv.tv_usec = 0;
++ clnt = clntudp_create(&sin, RPC_TEST_PROG, RPC_TEST_VERS_1, tv,
++ &sock);
++ }
+ if (clnt == NULL) {
+ clnt_pcreateerror(whoami);
+ exit(1);
+diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/unit-test/config/unix.exp
+index f02116e..ba57b70 100644
+--- a/src/lib/rpc/unit-test/config/unix.exp
++++ b/src/lib/rpc/unit-test/config/unix.exp
+@@ -112,10 +112,6 @@ proc rpc_test_exit {} {
+ global server_started
+ global kill
+
+- if { [info exists server_started] && $server_started == 0 } {
+- return
+- }
+-
+ if {[catch {
+ expect {
+ -i $server_id
+@@ -138,6 +134,7 @@ proc rpc_test_start { } {
+ global server_id
+ global server_pid
+ global server_started
++ global server_port
+ global env
+
+ if [info exists server_pid] { rpc_test_exit }
+@@ -148,25 +145,17 @@ proc rpc_test_start { } {
+ set server_pid [spawn $SERVER $PROT]
+ set server_id $spawn_id
+ set server_started 1
++ set server_port -1
+
+ unset env(KRB5_KTNAME)
+
+ set timeout 30
+
+ expect {
++ -re "port: (\[0-9\]*)\r\n" {
++ set server_port $expect_out(1,string)
++ }
+ "running" { }
+- "Cannot register service" {
+- send_error "Server cannot register with portmap/rpcbind!!\n"
+- note "+++"
+- note "+++ These tests require the ability to register with portmap/rpcbind"
+- note "+++ Either the server is not running or it does not"
+- note "+++ allow registration using a loopback connection"
+- note "+++"
+- verbose $expect_out(buffer) 1
+- set server_started 0
+- unsupported "Server
registration"
+- return
+- }
+ eof {
+ send_error "server exited!"
+ verbose $expect_out(buffer) 1
+diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp
+index 963fff4..a1b0783 100644
+--- a/src/lib/rpc/unit-test/lib/helpers.exp
++++ b/src/lib/rpc/unit-test/lib/helpers.exp
+@@ -170,7 +170,7 @@ proc flush_server {} {
+
+ proc start_client {testname ccname user password lifetime count
+ {target ""}} {
+- global env CLIENT PROT hostname spawn_id verbose
++ global env CLIENT PROT hostname server_port spawn_id verbose
+
+ if {$target == ""} {
+ set target "server@$hostname"
+@@ -180,9 +180,9 @@ proc start_client {testname ccname user password lifetime count
+ kinit $user $password $lifetime
+
+ if {$verbose > 0} {
+- spawn $CLIENT -a 1 -s 1 -m 1 $PROT $hostname $target $count
++ spawn $CLIENT -a 1 -s 1 -m 1 $PROT $hostname $server_port $target $count
+ } else {
+- spawn $CLIENT $PROT $hostname $target $count
++ spawn $CLIENT $PROT $hostname $server_port $target $count
+ }
+
+ verbose "$testname: client $ccname started"
+diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c
+index c2cb30c..7451558 100644
+--- a/src/lib/rpc/unit-test/server.c
++++ b/src/lib/rpc/unit-test/server.c
+@@ -114,12 +114,13 @@ main(int argc, char **argv)
+ exit(1);
+ }
+ if (!svc_register(transp, RPC_TEST_PROG, RPC_TEST_VERS_1,
+- rpc_test_prog_1_svc, prot)) {
++ rpc_test_prog_1_svc, 0)) {
+ fprintf(stderr,
+ "unable to register (RPC_TEST_PROG, RPC_TEST_VERS_1, %s).",
+ prot == IPPROTO_TCP ? "tcp" : "udp");
+ exit(1);
+ }
++ printf("port: %d\n", (int)transp->xp_port);
+
+ if (svcauth_gssapi_set_names(names, 0) == FALSE) {
+ fprintf(stderr, "unable to set gssapi names\n");
diff --git a/krb5.spec b/krb5.spec
index d33d4f0..6d3d4f0 100644
--- a/krb5.spec
+++ b/krb5.spec
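Review bot: The new address setup in client.c trusts both of its inputs: `sin.sin_port = ntohs(atoi(port));` accepts any string, so a non-numeric or out-of-range argument (including the `-1` that unix.exp leaves in `server_port` when no "port:" line is matched) is silently truncated to some other port, and `htons` is the conversion that is meant there. The same block copies `h->h_addr` into a `sockaddr_in` and takes `sin_family` from `h->h_addrtype` without checking that the resolver returned an AF_INET entry of the expected length. The sketch below parses the port with `strtol`, rejects anything outside 1-65535 and refuses non-IPv4 results; it needs two new locals, `long portnum` and `char *end`, in main()'s declarations, and main() itself starts and ends outside these hunks. Separately, the `printf` of the port added to server.c has no flush visible in the hunk, so confirm stdout is flushed before the expect script waits on that line.

```c
    /* ... unchanged: gethostbyname() call and NULL check ... */
    if (h->h_addrtype != AF_INET ||
        h->h_length != (int)sizeof(sin.sin_addr)) {
        fprintf(stderr, "No IPv4 address for %s\n", host);
        exit(1);
    }
    /* strtol saturates on overflow, so the range test also catches it. */
    portnum = strtol(port, &end, 10);
    if (end == port || *end != '\0' || portnum < 1 || portnum > 65535) {
        fprintf(stderr, "Invalid port %s\n", port);
        exit(1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)portnum);
    memmove(&sin.sin_addr, h->h_addr, sizeof(sin.sin_addr));
    /* ... unchanged: clnttcp_create() / clntudp_create() ... */
```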
@@ -30,7 +30,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.2 -Release: 7%{?dist} +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -75,7 +75,6 @@ Patch105: krb5-kvno-230379.patch Patch113: krb5-1.11-alpha1-init.patch Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch Patch117: krb5-1.11-gss-client-keytab.patch -Patch118: krb5-1.11.1-rpcbind.patch Patch119: krb5-fast-msg_type.patch Patch120: krb5-1.11.2-kpasswd_pingpong.patch Patch121: krb5-cccol-primary.patch @@ -84,6 +83,8 @@ Patch123: krb5-1.11.2-empty_passwords.patch Patch124: krb5-1.11.2-arcfour_short.patch Patch125: krb5-1.11.2-skew1.patch Patch126: krb5-1.11.2-skew2.patch +Patch127: krb5-master-test_gss_no_udp.patch +Patch128: krb5-master-test_no_pmap.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -301,7 +302,6 @@ ln -s NOTICE LICENSE %patch113 -p1 -b .init %patch116 -p1 -b .aarch64 %patch117 -p1 -b .gss-client-keytab -%patch118 -p1 -b .rpcbind %patch119 -p1 -b .fast-msg_type %patch120 -p1 -b .kpasswd_pingpong %patch121 -p1 -b .cccol-primary @@ -310,6 +310,8 @@ ln -s NOTICE LICENSE %patch124 -p1 -b .arcfour_short %patch125 -p1 -b .skew1 %patch126 -p1 -b .skew2 +%patch127 -p1 -b .test_gss_no_udp +%patch128 -p1 -b .test_no_pmap %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -835,6 +837,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu May 30 2013 Nalin Dahyabhai 1.11.2-8 +- pull in patches from master to not test GSSRPC-over-UDP and to not + depend on the portmapper, which are areas where our build systems + often give us trouble, too + * Tue May 28 2013 Nalin Dahyabhai 1.11.2-7 - backport fix for not being able to verify the list of transited realms in GSS acceptors (RT#7639, #959685)