rpms/ipsec-tools/devel ipsec-tools-0.7.3-gssapi-guard.patch, NONE, 1.1 ipsec-tools-0.7.3-gssapi-mech.patch, NONE, 1.1 ipsec-tools.spec, 1.69, 1.70 racoon.pam, 1.1, 1.2
Tomáš Mráz
tmraz at fedoraproject.org
Fri Sep 25 14:06:23 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20460
Modified Files:
ipsec-tools.spec racoon.pam
Added Files:
ipsec-tools-0.7.3-gssapi-guard.patch
ipsec-tools-0.7.3-gssapi-mech.patch
Log Message:
* Fri Sep 25 2009 Tomas Mraz <tmraz at redhat.com> - 0.7.3-4
- properly check for errors on gssapi_get_token_to_send()
- use proper mechanism when canonicalizing gss names
- use password-auth common PAM configuration instead of system-auth
ipsec-tools-0.7.3-gssapi-guard.patch:
isakmp_agg.c | 12 ++++++++++--
isakmp_ident.c | 12 ++++++++++--
2 files changed, 20 insertions(+), 4 deletions(-)
--- NEW FILE ipsec-tools-0.7.3-gssapi-guard.patch ---
diff -up ipsec-tools-0.7.3/src/racoon/isakmp_agg.c.guard ipsec-tools-0.7.3/src/racoon/isakmp_agg.c
--- ipsec-tools-0.7.3/src/racoon/isakmp_agg.c.guard 2006-09-30 23:49:37.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/isakmp_agg.c 2009-09-03 14:15:08.000000000 +0200
@@ -246,7 +246,11 @@ agg_i1send(iph1, msg)
#ifdef HAVE_GSSAPI
if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- gssapi_get_token_to_send(iph1, &gsstoken);
+ if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get gssapi token.\n");
+ goto end;
+ }
plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
}
#endif
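Review bot: The new error log passes `NULL` as the address argument to `plog`, so a failed token fetch is recorded without the peer it belongs to. In a daemon that negotiates with many remote peers, that makes repeated GSSAPI failures hard to attribute during triage. Passing the phase 1 remote address would fix it: `plog(LLV_ERROR, LOCATION, iph1->remote, "Failed to get gssapi token.\n");`. The same applies to the identical calls added in agg_r1send, ident_ir2mx and ident_ir3mx. agg_i1send's body continues outside the hunk.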
@@ -1254,7 +1258,11 @@ agg_r1send(iph1, msg)
iph1->id, ISAKMP_NPTYPE_ID);
/* create GSS payload */
- gssapi_get_token_to_send(iph1, &gsstoken);
+ if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get gssapi token.\n");
+ goto end;
+ }
plist = isakmp_plist_append(plist,
gsstoken, ISAKMP_NPTYPE_GSS);
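Review bot: The added `goto end` in agg_r1send is taken after the payload list has apparently already been extended, since the context line `iph1->id, ISAKMP_NPTYPE_ID);` looks like the tail of an earlier `isakmp_plist_append` call. Whether the `end` label releases `plist` and a partially set `gsstoken` is not visible here, because the function starts and ends outside the hunk. If it does not, every failed token fetch leaks the list, and a responder path can be driven repeatedly by a peer. Once confirmed, a short comment at the jump would record it, for example `/* plist and gsstoken are released at end: */`.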
diff -up ipsec-tools-0.7.3/src/racoon/isakmp_ident.c.guard ipsec-tools-0.7.3/src/racoon/isakmp_ident.c
--- ipsec-tools-0.7.3/src/racoon/isakmp_ident.c.guard 2006-10-02 23:41:59.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/isakmp_ident.c 2009-09-03 14:17:00.000000000 +0200
@@ -1721,7 +1721,11 @@ ident_ir2mx(iph1)
#ifdef HAVE_GSSAPI
if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- gssapi_get_token_to_send(iph1, &gsstoken);
+ if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get gssapi token.\n");
+ goto end;
+ }
#endif
/* create isakmp KE payload */
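Review bot: The outer `if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)` in ident_ir2mx is left without braces while its body has grown from one call into a five-line nested `if` block. This compiles as intended, but a later `else` or a second statement under the method check would attach to the wrong condition. Bracing the outer test keeps it consistent with the agg_i1send hunk: `if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {` with the matching `}` before `#endif`. ident_ir2mx's body continues outside the hunk.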
@@ -1891,7 +1895,11 @@ ident_ir3mx(iph1)
if (gsshash == NULL)
goto end;
} else {
- gssapi_get_token_to_send(iph1, &gsstoken);
+ if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get gssapi token.\n");
+ goto end;
+ }
}
if (!gssapi_id_sent(iph1)) {
ipsec-tools-0.7.3-gssapi-mech.patch:
gssapi.c | 4 ++--
gssapi.h | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE ipsec-tools-0.7.3-gssapi-mech.patch ---
diff -up ipsec-tools-0.7.3/src/racoon/doc/README.gssapi ipsec-tools-0.7.3/src/racoon/doc/README
diff -up ipsec-tools-0.7.3/src/racoon/gssapi.c.gssapi ipsec-tools-0.7.3/src/racoon/gssapi.c
--- ipsec-tools-0.7.3/src/racoon/gssapi.c.gssapi 2006-09-09 18:22:09.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/gssapi.c 2009-09-25 15:55:05.000000000 +0200
@@ -215,7 +215,7 @@ gssapi_init(struct ph1handle *iph1)
} else
gssapi_get_default_name(iph1, 0, &princ);
- maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
+ maj_stat = gss_canonicalize_name(&min_stat, princ, (gss_OID_desc *)gss_mech_krb5,
&canon_princ);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
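Review bot: The switch from `GSS_C_NO_OID` to `(gss_OID_desc *)gss_mech_krb5` in gssapi_init is not explained in the code, and the cast hides what is presumably a const qualifier on the library's OID. A reader cannot tell that canonicalization needs an explicit mechanism, or that Kerberos is the only one intended; the latter is inferred from the `OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB` checks elsewhere in this commit. A comment above the call would cover it: `/* gss_canonicalize_name() needs an explicit mechanism; racoon's GSSAPI auth is Kerberos only */`. The same comment belongs at the identical call in gssapi_get_id, and a single file-local macro for the cast expression would keep the two call sites from drifting apart.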
@@ -695,7 +695,7 @@ gssapi_get_id(struct ph1handle *iph1)
if (gssapi_get_default_name(iph1, 0, &defname) < 0)
return NULL;
- maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID,
+ maj_stat = gss_canonicalize_name(&min_stat, defname, (gss_OID_desc *)gss_mech_krb5,
&canon_name);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
diff -up ipsec-tools-0.7.3/src/racoon/gssapi.h.gssapi ipsec-tools-0.7.3/src/racoon/gssapi.h
--- ipsec-tools-0.7.3/src/racoon/gssapi.h.gssapi 2006-09-09 18:22:09.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/gssapi.h 2009-09-25 15:53:29.000000000 +0200
@@ -38,6 +38,7 @@
#include "/usr/include/gssapi.h"
#else
#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
#endif
#define GSSAPI_DEF_NAME "host"
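Review bot: The new `#include <gssapi/gssapi_krb5.h>` sits only in the `#else` branch, while gssapi.c now references `gss_mech_krb5` unconditionally. On the branch that includes `"/usr/include/gssapi.h"`, the symbol may be undeclared and the build would then fail or depend on an implicit declaration. The controlling `#if` is outside the hunk, so that branch may be unreachable on the targeted platforms. If it is reachable, either place the include after `#endif` or guard the `gss_mech_krb5` uses with the same condition.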
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -p -r1.69 -r1.70
--- ipsec-tools.spec 21 Aug 2009 13:59:20 -0000 1.69
+++ ipsec-tools.spec 25 Sep 2009 14:06:23 -0000 1.70
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.7.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -23,6 +23,8 @@ Patch13: ipsec-tools-0.7.1-dpd-fixes.pat
Patch14: ipsec-tools-0.7.2-moreleaks.patch
Patch15: ipsec-tools-0.7.3-aliasing.patch
Patch16: ipsec-tools-0.7.2-nodevel.patch
+Patch17: ipsec-tools-0.7.3-gssapi-guard.patch
+Patch18: ipsec-tools-0.7.3-gssapi-mech.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2, pam-devel
@@ -53,6 +55,8 @@ package builds:
%patch14 -p1 -b .moreleaks
%patch15 -p1 -b .review
%patch16 -p1 -b .nodevel
+%patch17 -p1 -b .gssapi-guard
+%patch18 -p1 -b .gssapi-mech
./bootstrap
@@ -129,6 +133,11 @@ fi
%config(noreplace) %{_sysconfdir}/pam.d/racoon
%changelog
+* Fri Sep 25 2009 Tomas Mraz <tmraz at redhat.com> - 0.7.3-4
+- properly check for errors on gssapi_get_token_to_send()
+- use proper mechanism when canonicalizing gss names
+- use password-auth common PAM configuration instead of system-auth
+
* Fri Aug 21 2009 Tomas Mraz <tmraz at redhat.com> - 0.7.3-3
- rebuilt with new openssl
Index: racoon.pam
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/racoon.pam,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- racoon.pam 19 Aug 2009 13:54:10 -0000 1.1
+++ racoon.pam 25 Sep 2009 14:06:23 -0000 1.2
@@ -1,8 +1,8 @@
#%PAM-1.0
# do not allow ipsec xauth for root
auth required pam_succeed_if.so user != root
-auth include system-auth
+auth include password-auth
account required pam_nologin.so
-account include system-auth
-password include system-auth
-session include system-auth
+account include password-auth
+password include password-auth
+session include password-auth
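Review bot: All four `include` lines now depend on `/etc/pam.d/password-auth` existing, but none of the spec hunks shown adds a dependency on the package release that provides it. If the file is missing on an installed system the includes cannot be resolved and xauth logins through racoon would presumably fail. The rest of the spec is not visible, so this may already be covered. If not, a line such as `Requires: pam >= <first release shipping password-auth>` in ipsec-tools.spec would make the requirement explicit. A one-line comment in racoon.pam saying why the remote-service stack is used instead of `system-auth` would also help.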