This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via e954b1c1bb274bd8e5a0ab750480f47415bd0ee0 (commit) via 5ac0682c9e769fc7cac235275450c40ab838784a (commit) via 8ae3bb35829817cd71cfd27c5eae4ee23eac7ce2 (commit) via 0d2029527285bf3719254efea863f29d20158051 (commit) via 47db06f6f19fe0b98f81546522500ee01348a027 (commit) via 2c9aa03314578f2d1a59c077cea6d1224ad98f74 (commit) via 6ad249c5076800c59b1449585d8ab546dc5f8fde (commit) via 5ca518126a666b224ad452eb95f30ba08f52d5c3 (commit) via a95b73836a8d2c1e4ec11521fb54e3bfa2a8ccd9 (commit) via 9d365dd7b5a3704504f9f0c7eb1b12839947c56d (commit) via f487503f970eeae4fd0e0d6075afba0cd7d20a4d (commit) via 75f6908fd64657aafa2e54ad9073b5472caf1944 (commit) via c58704ba8e0372ab7df091fecd6a907183ed5b72 (commit) via e5afcdb48b3d179d5afba0b40d2b33957f5d4bfe (commit) via 8bf49f0046f4e9872e515344f4461c3a869fdb16 (commit) via a183af94c25e4703517c5cb5500cbc1e98519831 (commit) via 3b36da39d007b8577ac2a693b61168dd39054812 (commit) via ce6110f743cf1568416459cd2bb507fc08904ec6 (commit) from 1aa277159a548c26bc2e9861c14f5703e9359dc1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit e954b1c1bb274bd8e5a0ab750480f47415bd0ee0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 17:00:24 2023 +0000
llvm: Drop package
Nothing depends on this.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5ac0682c9e769fc7cac235275450c40ab838784a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 17:00:00 2023 +0000
llvm: Update to 15.0.6
This is hopefully a good way to package this.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8ae3bb35829817cd71cfd27c5eae4ee23eac7ce2 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 16:48:10 2023 +0000
pam: Delete all patches
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0d2029527285bf3719254efea863f29d20158051 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 16:42:44 2023 +0000
chrpath: Update to 0.16
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 47db06f6f19fe0b98f81546522500ee01348a027 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 20 17:41:46 2023 +0100
pam: Update to 1.5.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2c9aa03314578f2d1a59c077cea6d1224ad98f74 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 20 15:01:42 2023 +0100
jose: New package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6ad249c5076800c59b1449585d8ab546dc5f8fde Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 13:56:46 2023 +0000
python: Drop package
This has reached EOL: https://www.python.org/doc/sunset-python-2/
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5ca518126a666b224ad452eb95f30ba08f52d5c3 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 20 14:32:50 2023 +0100
chrony: Update to 4.3
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a95b73836a8d2c1e4ec11521fb54e3bfa2a8ccd9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 16:48:22 2023 +0100
systemd: No longer depend on authconfig
The pam_systemd module nowadays is part of the default pam auth configuration - so this is no longer required.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9d365dd7b5a3704504f9f0c7eb1b12839947c56d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 16:55:09 2023 +0100
authconfig: Drop package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f487503f970eeae4fd0e0d6075afba0cd7d20a4d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 16:55:08 2023 +0100
sssd: No longer depend on authconfig
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 75f6908fd64657aafa2e54ad9073b5472caf1944 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 16:55:07 2023 +0100
sssd: Cleanup Makefile
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c58704ba8e0372ab7df091fecd6a907183ed5b72 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 13:53:18 2023 +0000
dhcp: Drop package
This is now EOL: https://www.isc.org/blogs/isc-dhcp-eol/
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e5afcdb48b3d179d5afba0b40d2b33957f5d4bfe Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 20 13:52:05 2023 +0000
net-snmp: Fix name and template of Python 3 package
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8bf49f0046f4e9872e515344f4461c3a869fdb16 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 16:05:48 2023 +0100
sssd: Update to 2.8.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a183af94c25e4703517c5cb5500cbc1e98519831 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 15:56:14 2023 +0100
samba: Update to 4.17.5
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3b36da39d007b8577ac2a693b61168dd39054812 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 15:55:21 2023 +0100
python3-dns: New package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ce6110f743cf1568416459cd2bb507fc08904ec6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 17 08:07:11 2023 +0100
net-snmp: Update to 5.9.3
* Update patchset
* Drop perl modules
* Drop additional scripts which are related to the SNMP perl modules or deprecated ones.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: authconfig/authconfig.nm | 93 -- chrony/chrony.nm | 2 +- chrpath/chrpath.nm | 22 +- chrpath/patches/chrpath-0.13-NULL-entry.patch | 16 - dhcp/dhcp.nm | 170 -- dhcp/systemd/dhclient4@.service | 21 - dhcp/systemd/dhclient6@.service | 19 - dhcp/systemd/dhcpd.service | 10 - dhcp/systemd/dhcpd6.service | 10 - dhcp/systemd/dhcrelay.service | 9 - p11-kit/p11-kit.nm => jose/jose.nm | 40 +- llvm/llvm.nm | 113 -- net-snmp/net-snmp.nm | 50 +- net-snmp/patches/net-snmp-5.5-apsl-copying.patch | 354 ----- net-snmp/patches/net-snmp-5.5-dir-fix.patch | 14 - net-snmp/patches/net-snmp-5.5-perl-linking.patch | 16 - net-snmp/patches/net-snmp-5.6-multilib.patch | 45 - net-snmp/patches/net-snmp-5.6-test-debug.patch | 29 - net-snmp/patches/net-snmp-5.7.2-systemd.patch | 1650 -------------------- net-snmp/patches/net-snmp-5.7.3-iterator-fix.patch | 14 + .../patches/net-snmp-5.8-Remove-U64-typedef.patch | 12 + .../net-snmp-5.8-clientaddr-error-message.patch | 35 + .../patches/net-snmp-5.8-duplicate-ipAddress.patch | 11 + .../net-snmp-5.8-ipAddress-faster-load.patch | 82 + net-snmp/patches/net-snmp-5.8-man-page.patch | 36 + net-snmp/patches/net-snmp-5.9-aes-config.patch | 18 + net-snmp/patches/net-snmp-5.9-autofs-skip.patch | 12 + net-snmp/patches/net-snmp-5.9-coverity.patch | 22 + net-snmp/patches/net-snmp-5.9-dir-fix.patch | 30 + .../patches/net-snmp-5.9-intermediate-certs.patch | 855 ++++++++++ .../patches/net-snmp-5.9-memory-reporting.patch | 28 + ...snmp-5.7.2-pie.patch => net-snmp-5.9-pie.patch} | 20 +- net-snmp/patches/net-snmp-5.9.1-autoconf.patch | 6 + network/network.nm | 3 +- pam/pam.nm | 10 +- pam/patches/Linux-PAM-1.1.0-no-yywrap-1.patch | 28 - pam/patches/pam-1.1.5-unix-build.patch | 34 - python/patches/00001-pydocnogui.patch | 28 - python/patches/00010-2.7.13-binutils-no-dep.patch | 21 - .../patches/00104-lib64-fix-for-test_install.patch | 13 - python/patches/00112-2.7.13-debug-build.patch | 324 ---- .../patches/00113-more-configuration-flags.patch | 50 - 
.../patches/00114-statvfs-f_flag-constants.patch | 47 - .../patches/00121-add-Modules-to-build-path.patch | 13 - .../patches/00131-disable-tests-in-test_io.patch | 11 - .../00132-add-rpmbuild-hooks-to-unittest.patch | 68 - python/patches/00133-skip-test_dl.patch | 13 - ...6-skip-tests-of-seeking-stdin-in-rpmbuild.patch | 11 - ...kip-distutils-tests-that-fail-in-rpmbuild.patch | 12 - .../00138-fix-distutils-tests-in-debug-build.patch | 68 - ...0139-skip-test_float-known-failure-on-arm.patch | 11 - ...0-skip-test_ctypes-known-failure-on-sparc.patch | 11 - .../00142-skip-failing-pty-tests-in-rpmbuild.patch | 22 - python/patches/00143-tsc-on-ppc.patch | 58 - python/patches/00147-add-debug-malloc-stats.patch | 711 --------- python/patches/00155-avoid-ctypes-thunks.patch | 15 - python/patches/00156-gdb-autoload-safepath.patch | 57 - python/patches/00157-uid-gid-overflows.patch | 49 - ...vigation-tests-when-optimized-in-test_gdb.patch | 47 - python/patches/00168-distutils-cflags.patch | 12 - ...-implicit-usage-of-md5-in-multiprocessing.patch | 41 - python/patches/00170-gc-assertions.patch | 279 ---- python/patches/00174-fix-for-usr-move.patch | 28 - .../00180-python-add-support-for-ppc64p7.patch | 13 - ...allow-arbitrary-timeout-in-condition-wait.patch | 70 - .../00185-urllib2-honors-noproxy-for-ftp.patch | 12 - python/patches/00187-add-RPATH-to-pyexpat.patch | 25 - python/patches/00189-use-rpm-wheels.patch | 71 - ...-gdb-py-bt-dont-raise-exception-from-eval.patch | 11 - python/patches/00191-disable-NOOP.patch | 12 - .../00193-enable-loading-sqlite-extensions.patch | 11 - python/patches/00289-disable-nis-detection.patch | 69 - python/patches/00309-shutil-spawn-subprocess.patch | 61 - .../00310-use-xml-sethashsalt-in-elementtree.patch | 85 - python/patches/05000-autotool-intermediates.patch | 207 --- python/patches/python-2.3.4-lib64-regex.patch | 18 - python/patches/python-2.5-cflags.patch | 11 - python/patches/python-2.5.1-plural-fix.patch | 12 - 
python/patches/python-2.5.1-sqlite-encoding.patch | 24 - python/patches/python-2.6-rpath.patch | 12 - python/patches/python-2.6.4-distutils-rpath.patch | 20 - python/patches/python-2.7.1-config.patch | 256 --- ...thon-2.7.1-fix_test_abc_with_COUNT_ALLOCS.patch | 27 - ...7.2-add-extension-suffix-to-python-config.patch | 18 - .../python-2.7rc1-socketmodule-constants.patch | 64 - .../python-2.7rc1-socketmodule-constants2.patch | 19 - python/python-2.7-lib64-sysconfig.patch | 44 - python/python-2.7.13-lib64.patch | 193 --- python/python.nm | 107 -- .../patches/python3-dns-no-setup-requires.patch | 26 + .../python3-dns.nm | 25 +- samba/samba.nm | 28 +- ...crypto-Port-libcrypto-code-to-openssl-1.1.patch | 728 --------- ...crypto-Check-right-value-of-CRYPTO_memcmp.patch | 32 - ...s-Add-unit-test-for-sss_encrypt-sss_decry.patch | 78 - ...to-tests-Rename-encrypt-decrypt-test-case.patch | 44 - ...0005-BUILD-Fix-installation-without-samba.patch | 46 - ...ept-krb5-1.15-for-building-the-PAC-plugin.patch | 29 - ...-Use-portable-macro-for-location-of-.libs.patch | 41 - ...t-Add-missing-libraries-to-the-check-list.patch | 53 - ...test-Move-libraries-to-the-right-sections.patch | 63 - ...pen-test-Add-check-for-untested-libraries.patch | 115 -- ...1-sssctl-Flags-for-command-initialization.patch | 202 --- ...dd-parent_dom-to-sysdb_get_direct_parents.patch | 125 -- ...ke-some-nested-group-related-calls-public.patch | 81 - ...olve-domain-local-groups-for-remote-users.patch | 683 -------- .../0015-PAM-add-a-test-for-filter_responses.patch | 121 -- .../0016-PAM-add-pam_response_filter-option.patch | 501 ------ ...-sysdb_try_to_find_expected_dn-into-small.patch | 343 ---- ...nt-sysdb_try_to_find_expected_dn-to-match.patch | 284 ---- ...ad_access_filter-search-for-nested-groups.patch | 55 - .../0020-BUILD-Fix-linking-with-librt.patch | 61 - ...ONITOR-Do-not-set-up-watchdog-for-monitor.patch | 74 - ...0022-SYSDB-Adding-lowercase-sudoUser-form.patch | 107 -- 
...23-TESTS-Extending-sysdb-sudo-store-tests.patch | 225 --- ...024-IPA-AD-check-auth-ctx-before-using-it.patch | 93 -- ...-Fix-secrets-rule-in-the-allowed-sections.patch | 50 - ...026-SECRETS-Add-allowed_sec_users_options.patch | 70 - .../0027-ipa-Nested-netgroups-do-not-work.patch | 62 - ...st-user-attribute-in-case-ldap_group_nest.patch | 61 - ...-test-for-group-resolution-with-ldap_grou.patch | 56 - .../0030-BUILD-Fix-a-typo-in-inotify.m4.patch | 37 - ...SDB-Fixing-of-sudorule-without-a-sudoUser.patch | 48 - ...-implicit-declaration-of-function-htobe32.patch | 58 - .../0033-sssctl-Fix-missing-declaration.patch | 46 - ...compilation-of-sss_utf8-with-libunistring.patch | 49 - .../0035-SIFP-Fix-warning-format-security.patch | 40 - ...ault_domain_suffix-for-users-authorized-k.patch | 80 - ...vent-use-after-free-in-fd_input_available.patch | 72 - ...rint-transaction-statistics-if-the-script.patch | 39 - ...do-do-not-store-usn-if-no-rules-are-found.patch | 50 - ...evert-CONFIG-Use-default-config-when-none.patch | 117 -- sssd/patches/0502-SYSTEMD-Use-capabilities.patch | 25 - ...Defer-thread-cancellation-until-completio.patch | 179 --- sssd/sssd.nm | 40 +- systemd/systemd.nm | 10 - 136 files changed, 1298 insertions(+), 11585 deletions(-) delete mode 100644 authconfig/authconfig.nm delete mode 100644 chrpath/patches/chrpath-0.13-NULL-entry.patch delete mode 100644 dhcp/dhcp.nm delete mode 100644 dhcp/systemd/dhclient4@.service delete mode 100644 dhcp/systemd/dhclient6@.service delete mode 100644 dhcp/systemd/dhcpd.service delete mode 100644 dhcp/systemd/dhcpd6.service delete mode 100644 dhcp/systemd/dhcrelay.service copy p11-kit/p11-kit.nm => jose/jose.nm (50%) delete mode 100644 llvm/llvm.nm delete mode 100644 net-snmp/patches/net-snmp-5.5-apsl-copying.patch delete mode 100644 net-snmp/patches/net-snmp-5.5-dir-fix.patch delete mode 100644 net-snmp/patches/net-snmp-5.5-perl-linking.patch delete mode 100644 net-snmp/patches/net-snmp-5.6-multilib.patch delete mode 
100644 net-snmp/patches/net-snmp-5.6-test-debug.patch delete mode 100644 net-snmp/patches/net-snmp-5.7.2-systemd.patch create mode 100644 net-snmp/patches/net-snmp-5.7.3-iterator-fix.patch create mode 100644 net-snmp/patches/net-snmp-5.8-Remove-U64-typedef.patch create mode 100644 net-snmp/patches/net-snmp-5.8-clientaddr-error-message.patch create mode 100644 net-snmp/patches/net-snmp-5.8-duplicate-ipAddress.patch create mode 100644 net-snmp/patches/net-snmp-5.8-ipAddress-faster-load.patch create mode 100644 net-snmp/patches/net-snmp-5.8-man-page.patch create mode 100644 net-snmp/patches/net-snmp-5.9-aes-config.patch create mode 100644 net-snmp/patches/net-snmp-5.9-autofs-skip.patch create mode 100644 net-snmp/patches/net-snmp-5.9-coverity.patch create mode 100644 net-snmp/patches/net-snmp-5.9-dir-fix.patch create mode 100644 net-snmp/patches/net-snmp-5.9-intermediate-certs.patch create mode 100644 net-snmp/patches/net-snmp-5.9-memory-reporting.patch rename net-snmp/patches/{net-snmp-5.7.2-pie.patch => net-snmp-5.9-pie.patch} (56%) create mode 100644 net-snmp/patches/net-snmp-5.9.1-autoconf.patch delete mode 100644 pam/patches/Linux-PAM-1.1.0-no-yywrap-1.patch delete mode 100644 pam/patches/pam-1.1.5-unix-build.patch delete mode 100644 python/patches/00001-pydocnogui.patch delete mode 100644 python/patches/00010-2.7.13-binutils-no-dep.patch delete mode 100644 python/patches/00104-lib64-fix-for-test_install.patch delete mode 100644 python/patches/00112-2.7.13-debug-build.patch delete mode 100644 python/patches/00113-more-configuration-flags.patch delete mode 100644 python/patches/00114-statvfs-f_flag-constants.patch delete mode 100644 python/patches/00121-add-Modules-to-build-path.patch delete mode 100644 python/patches/00131-disable-tests-in-test_io.patch delete mode 100644 python/patches/00132-add-rpmbuild-hooks-to-unittest.patch delete mode 100644 python/patches/00133-skip-test_dl.patch delete mode 100644 
python/patches/00136-skip-tests-of-seeking-stdin-in-rpmbuild.patch delete mode 100644 python/patches/00137-skip-distutils-tests-that-fail-in-rpmbuild.patch delete mode 100644 python/patches/00138-fix-distutils-tests-in-debug-build.patch delete mode 100644 python/patches/00139-skip-test_float-known-failure-on-arm.patch delete mode 100644 python/patches/00140-skip-test_ctypes-known-failure-on-sparc.patch delete mode 100644 python/patches/00142-skip-failing-pty-tests-in-rpmbuild.patch delete mode 100644 python/patches/00143-tsc-on-ppc.patch delete mode 100644 python/patches/00147-add-debug-malloc-stats.patch delete mode 100644 python/patches/00155-avoid-ctypes-thunks.patch delete mode 100644 python/patches/00156-gdb-autoload-safepath.patch delete mode 100644 python/patches/00157-uid-gid-overflows.patch delete mode 100644 python/patches/00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch delete mode 100644 python/patches/00168-distutils-cflags.patch delete mode 100644 python/patches/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch delete mode 100644 python/patches/00170-gc-assertions.patch delete mode 100644 python/patches/00174-fix-for-usr-move.patch delete mode 100644 python/patches/00180-python-add-support-for-ppc64p7.patch delete mode 100644 python/patches/00181-allow-arbitrary-timeout-in-condition-wait.patch delete mode 100644 python/patches/00185-urllib2-honors-noproxy-for-ftp.patch delete mode 100644 python/patches/00187-add-RPATH-to-pyexpat.patch delete mode 100644 python/patches/00189-use-rpm-wheels.patch delete mode 100644 python/patches/00190-gdb-py-bt-dont-raise-exception-from-eval.patch delete mode 100644 python/patches/00191-disable-NOOP.patch delete mode 100644 python/patches/00193-enable-loading-sqlite-extensions.patch delete mode 100644 python/patches/00289-disable-nis-detection.patch delete mode 100644 python/patches/00309-shutil-spawn-subprocess.patch delete mode 100644 
python/patches/00310-use-xml-sethashsalt-in-elementtree.patch delete mode 100644 python/patches/05000-autotool-intermediates.patch delete mode 100644 python/patches/python-2.3.4-lib64-regex.patch delete mode 100644 python/patches/python-2.5-cflags.patch delete mode 100644 python/patches/python-2.5.1-plural-fix.patch delete mode 100644 python/patches/python-2.5.1-sqlite-encoding.patch delete mode 100644 python/patches/python-2.6-rpath.patch delete mode 100644 python/patches/python-2.6.4-distutils-rpath.patch delete mode 100644 python/patches/python-2.7.1-config.patch delete mode 100644 python/patches/python-2.7.1-fix_test_abc_with_COUNT_ALLOCS.patch delete mode 100644 python/patches/python-2.7.2-add-extension-suffix-to-python-config.patch delete mode 100644 python/patches/python-2.7rc1-socketmodule-constants.patch delete mode 100644 python/patches/python-2.7rc1-socketmodule-constants2.patch delete mode 100644 python/python-2.7-lib64-sysconfig.patch delete mode 100644 python/python-2.7.13-lib64.patch delete mode 100644 python/python.nm create mode 100644 python3-dns/patches/python3-dns-no-setup-requires.patch copy python3-tornado/python3-tornado.nm => python3-dns/python3-dns.nm (55%) delete mode 100644 sssd/patches/0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch delete mode 100644 sssd/patches/0002-libcrypto-Check-right-value-of-CRYPTO_memcmp.patch delete mode 100644 sssd/patches/0003-crypto-tests-Add-unit-test-for-sss_encrypt-sss_decry.patch delete mode 100644 sssd/patches/0004-crypto-tests-Rename-encrypt-decrypt-test-case.patch delete mode 100644 sssd/patches/0005-BUILD-Fix-installation-without-samba.patch delete mode 100644 sssd/patches/0006-BUILD-Accept-krb5-1.15-for-building-the-PAC-plugin.patch delete mode 100644 sssd/patches/0007-dlopen-test-Use-portable-macro-for-location-of-.libs.patch delete mode 100644 sssd/patches/0008-dlopen-test-Add-missing-libraries-to-the-check-list.patch delete mode 100644 
sssd/patches/0009-dlopen-test-Move-libraries-to-the-right-sections.patch delete mode 100644 sssd/patches/0010-dlopen-test-Add-check-for-untested-libraries.patch delete mode 100644 sssd/patches/0011-sssctl-Flags-for-command-initialization.patch delete mode 100644 sssd/patches/0012-sysdb-add-parent_dom-to-sysdb_get_direct_parents.patch delete mode 100644 sssd/patches/0013-sdap-make-some-nested-group-related-calls-public.patch delete mode 100644 sssd/patches/0014-LDAP-AD-resolve-domain-local-groups-for-remote-users.patch delete mode 100644 sssd/patches/0015-PAM-add-a-test-for-filter_responses.patch delete mode 100644 sssd/patches/0016-PAM-add-pam_response_filter-option.patch delete mode 100644 sssd/patches/0017-SYSDB-Split-sysdb_try_to_find_expected_dn-into-small.patch delete mode 100644 sssd/patches/0018-SYSDB-Augment-sysdb_try_to_find_expected_dn-to-match.patch delete mode 100644 sssd/patches/0019-ad_access_filter-search-for-nested-groups.patch delete mode 100644 sssd/patches/0020-BUILD-Fix-linking-with-librt.patch delete mode 100644 sssd/patches/0021-MONITOR-Do-not-set-up-watchdog-for-monitor.patch delete mode 100644 sssd/patches/0022-SYSDB-Adding-lowercase-sudoUser-form.patch delete mode 100644 sssd/patches/0023-TESTS-Extending-sysdb-sudo-store-tests.patch delete mode 100644 sssd/patches/0024-IPA-AD-check-auth-ctx-before-using-it.patch delete mode 100644 sssd/patches/0025-SECRETS-Fix-secrets-rule-in-the-allowed-sections.patch delete mode 100644 sssd/patches/0026-SECRETS-Add-allowed_sec_users_options.patch delete mode 100644 sssd/patches/0027-ipa-Nested-netgroups-do-not-work.patch delete mode 100644 sssd/patches/0028-Qualify-ghost-user-attribute-in-case-ldap_group_nest.patch delete mode 100644 sssd/patches/0029-tests-Add-a-test-for-group-resolution-with-ldap_grou.patch delete mode 100644 sssd/patches/0030-BUILD-Fix-a-typo-in-inotify.m4.patch delete mode 100644 sssd/patches/0031-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch delete mode 100644 
sssd/patches/0032-UTIL-Fix-implicit-declaration-of-function-htobe32.patch delete mode 100644 sssd/patches/0033-sssctl-Fix-missing-declaration.patch delete mode 100644 sssd/patches/0034-UTIL-Fix-compilation-of-sss_utf8-with-libunistring.patch delete mode 100644 sssd/patches/0035-SIFP-Fix-warning-format-security.patch delete mode 100644 sssd/patches/0036-SSH-Use-default_domain_suffix-for-users-authorized-k.patch delete mode 100644 sssd/patches/0037-Prevent-use-after-free-in-fd_input_available.patch delete mode 100644 sssd/patches/0038-STAP-Only-print-transaction-statistics-if-the-script.patch delete mode 100644 sssd/patches/0039-sudo-do-not-store-usn-if-no-rules-are-found.patch delete mode 100644 sssd/patches/0501-Partially-revert-CONFIG-Use-default-config-when-none.patch delete mode 100644 sssd/patches/0502-SYSTEMD-Use-capabilities.patch delete mode 100644 sssd/patches/0503-sss_client-Defer-thread-cancellation-until-completio.patch
Difference in files: diff --git a/authconfig/authconfig.nm b/authconfig/authconfig.nm deleted file mode 100644 index 876b9a1bc..000000000 --- a/authconfig/authconfig.nm +++ /dev/null 
@@ -1,93 +0,0 @@ -############################################################################### -# IPFire.org - An Open Source Firewall Solution # -# Copyright (C) - IPFire Development Team info@ipfire.org # -############################################################################### - -name = authconfig -version = 6.2.10 -release = 1 - -groups = System/Base -url = https://fedorahosted.org/authconfig -license = GPLv2+ -summary = Command line tool for setting up authentication from network services. - -description - Authconfig is a command line utility which can configure a workstation - to use shadow (more secure) passwords. Authconfig can also configure a - system to be a client for certain networked user information and - authentication schemes. -end - -source_dl = https://fedorahosted.org/releases/a/u/authconfig/ -sources = %{thisapp}.tar.bz2 - -build - requires - intltool - python-devel - end - - # Manually link against libresolv. - export LDFLAGS += -lresolv - - configure_options += \ - --sysconfdir=/etc \ - --localstatedir=/var \ - --disable-static - - # Hack to allow installation of the desktop file - prepare_cmds - ln -s /bin/true /usr/bin/desktop-file-install - end - - install_cmds - # Remove useless symlinks in /usr/bin - rm -rf %{BUILDROOT}/usr/bin - - # Replace absolute symlinks by relative ones - cd %{BUILDROOT}/usr/sbin && ln -sf ../share/authconfig/authconfig.py authconfig - cd %{BUILDROOT}/usr/sbin && ln -sf ../share/authconfig/authconfig-tui.py authconfig-tui - - # Remove symlinks for gtk - rm -rf %{BUILDROOT}/usr/sbin/authconfig-gtk - rm -rf %{BUILDROOT}/usr/sbin/system-config-authentication - - # Remove files for authconfig-gtk and system-config-authentication - rm -rf %{BUILDROOT}/etc/pam.d/authconfig-gtk - rm -rf %{BUILDROOT}/etc/pam.d/system-config-authentication - rm -rf %{BUILDROOT}/etc/security/console.apps/authconfig-gtk - rm -rf %{BUILDROOT}/etc/security/console.apps/system-config-authentication - rm -rf 
%{BUILDROOT}/usr/share/authconfig/authconfig-gtk.* - rm -rf %{BUILDROOT}/usr/share/man/man8/authconfig-gtk.8 - rm -rf %{BUILDROOT}/usr/share/man/man8/system-config-authentication.8 - - # Remove app icons for authconfig - rm -rf %{BUILDROOT}/usr/share/icons - - # Remove unneded stuff for X11 - rm -rf %{BUILDROOT}/etc/X11 - end -end - -packages - package %{name} - requires - libpwquality - newt-python - end - - configfiles - %{sysconfdir}/sysconfig/authconfig - %{sysconfdir}/pam.d - end - end - - package %{name}-devel - template DEVEL - end - - package %{name}-debuginfo - template DEBUGINFO - end -end diff --git a/chrony/chrony.nm b/chrony/chrony.nm index a0e073db7..10d6a4942 100644 --- a/chrony/chrony.nm +++ b/chrony/chrony.nm @@ -4,7 +4,7 @@ ###############################################################################
name = chrony -version = 3.4 +version = 4.3 release = 1
groups = System/Daemons diff --git a/chrpath/chrpath.nm b/chrpath/chrpath.nm index 610693055..5739082b4 100644 --- a/chrpath/chrpath.nm +++ b/chrpath/chrpath.nm @@ -4,13 +4,13 @@ ###############################################################################
name = chrpath -version = 0.13 +version = 0.16 release = 1
groups = Development/Tools -url = ftp://ftp.hungry.com/pub/hungry/chrpath/ -license = GPL+ -summary = Modify rpath of compiled programs. +url = https://directory.fsf.org/wiki/Chrpath/ +license = GPLv2+ +summary = Modify rpath of compiled programs
description chrpath allows you to modify the dynamic library load path (rpath) of @@ -18,20 +18,12 @@ description is supported. end
-source_dl = %{url} - -build - configure_options += \ - --mandir=/usr/share/man - - install_cmds - rm -rfv %{BUILDROOT}/usr/doc - end -end +# Upstream has gone +source_dl = https://deb.debian.org/debian/pool/main/c/chrpath/ +sources = %{name}_%{version}.orig.tar.gz
packages package %{name} - end
package %{name}-debuginfo template DEBUGINFO diff --git a/chrpath/patches/chrpath-0.13-NULL-entry.patch b/chrpath/patches/chrpath-0.13-NULL-entry.patch deleted file mode 100644 index 27275d2d3..000000000 --- a/chrpath/patches/chrpath-0.13-NULL-entry.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -uNr chrpath-0.13.old/killrpath.c chrpath-0.13/killrpath.c ---- chrpath-0.13.old/killrpath.c 2003-06-24 00:46:15.000000000 +0200 -+++ chrpath-0.13/killrpath.c 2009-07-19 23:05:11.000000000 +0200 -@@ -73,8 +73,11 @@ - if ( ! elf_dynpath_tag(dyns[i].d_tag) ) - dynpos++; - } -- for (; dynpos < i; dynpos++) -+ for (; dynpos < i; dynpos++) { - dyns[dynpos].d_tag = DT_NULL; -+ dyns[dynpos].d_un.d_val = 0x0; -+ } -+ - - if (lseek(fd, phdr.p_offset, SEEK_SET) == -1 - || write(fd, dyns, phdr.p_filesz) != (int)phdr.p_filesz) diff --git a/dhcp/dhcp.nm b/dhcp/dhcp.nm deleted file mode 100644 index f001d9695..000000000 --- a/dhcp/dhcp.nm +++ /dev/null 
@@ -1,170 +0,0 @@ -############################################################################### -# IPFire.org - An Open Source Firewall Solution # -# Copyright (C) - IPFire Development Team info@ipfire.org # -############################################################################### - -name = dhcp -version = 4.4.3-P1 -release = 1 - -groups = Networking/Daemons -url = https://www.isc.org/dhcp/ -license = ISC -summary = Dynamic host configuration protocol software - -description - DHCP (Dynamic Host Configuration Protocol) is a protocol which allows - individual devices on an IP network to get their own network - configuration information (IP address, subnetmask, broadcast address, - etc.) from a DHCP server. The overall purpose of DHCP is to make it - easier to administer a large network. -end - -source_dl = https://downloads.isc.org/isc/dhcp/%%7Bversion%7D/ - -build - requires - groff - openldap-devel - libcap-ng-devel - systemd-devel - end - - #CFLAGS += -fno-strict-aliasing - - #PARALLELISMFLAGS = # No parallel build. - - configure_options += \ - --sysconfdir=%{sysconfdir}/dhcp \ - --with-srv-lease-file=/var/lib/dhcpd/dhcpd.leases \ - --with-srv6-lease-file=/var/lib/dhcpd/dhcpd6.leases \ - --with-cli-lease-file=/var/lib/dhclient/dhclient.leases \ - --with-cli6-lease-file=/var/lib/dhclient/dhclient6.leases \ - --with-srv-pid-file=/run/dhcpd.pid \ - --with-srv6-pid-file=/run/dhcpd6.pid \ - --with-cli-pid-file=/run/dhclient.pid \ - --with-cli6-pid-file=/run/dhclient6.pid \ - --with-relay-pid-file=/run/dhcrelay.pid \ - --with-ldap \ - --with-ldapcrypto \ - --disable-static \ - --enable-paranoia \ - --enable-early-chroot \ - --enable-binary-leases \ - --with-systemd - - install_cmds - rm -vf %{BUILDROOT}%{sysconfdir}/dhcp/dhclient.conf - - # Create runtime folders. - mkdir -pv %{BUILDROOT}/var/lib/dhclient - mkdir -pv %{BUILDROOT}/var/lib/dhcpd - - # Create empty lease files. 
- touch %{BUILDROOT}/var/lib/dhclient/dhclient.leases - touch %{BUILDROOT}/var/lib/dhclient/dhclient6.leases - touch %{BUILDROOT}/var/lib/dhcpd/dhcpd.leases - touch %{BUILDROOT}/var/lib/dhcpd/dhcpd6.leases - end -end - -packages - package %{name} - requires - dhcp-common = %{thisver} - /usr/lib/network/helpers/dhcpd-config-helper - end - - prerequires += shadow-utils - - configfiles - %{sysconfdir}/dhcp - end - - script prein - getent group dhcpd >/dev/null || groupadd -r dhcpd - getent passwd dhcpd >/dev/null || \ - useradd -r -g dhcpd -d /var/lib/dhcpd -s /sbin/nologin \ - -c "User for the DHCP server" dhcpd - end - - # Just search for new unit files that were just installed. - script postin - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - end - - # Disable the service that is to be removed and stop it if it is still running. - script preun - /bin/systemctl --no-reload disable dhcpd.service >/dev/null 2>&1 || : - /bin/systemctl --no-reload disable dhcpd6.service >/dev/null 2>&1 || : - /bin/systemctl --no-reload disable dhcrelay.service >/dev/null 2>&1 || : - /bin/systemctl stop dhcpd.service >/dev/null 2>&1 || : - /bin/systemctl stop dhcpd6.service >/dev/null 2>&1 || : - /bin/systemctl stop dhcrelay.service >/dev/null 2>&1 || : - end - - # Just tell systemd that unitfiles have been removed. - script postun - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - end - - # Try to restart the service if it is running. - script postup - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl try-restart dhcpd.service >/dev/null 2>&1 || : - /bin/systemctl try-restart dhcpd6.service >/dev/null 2>&1 || : - /bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || : - end - end - - package dhclient - summary = DHCP client daemon and dhclient-script. 
- description = %{summary} - - requires - dhcp-common = %{thisver} - %{sbindir}/dhclient-script - end - - files - %{unitdir}/dhclient*.service - %{sbindir}/dhclient - /usr/share/man/man5/dhclient* - /usr/share/man/man8/dhclient* - /var/lib/dhclient - end - - script postin - systemctl daemon-reload >/dev/null 2>&1 || : - end - - script postun - systemctl daemon-reload >/dev/null 2>&1 || : - end - - script postup - systemctl daemon-reload >/dev/null 2>&1 || : - end - - end - - package %{name}-common - summary = Common files used by the dhcp client and server. - description = %{summary} - - files - /usr/bin/ - /usr/share/man/man1/omshell.1* - /usr/share/man/man5/dhcp-options.5* - /usr/share/man/man5/dhcp-eval.5* - end - end - - package %{name}-devel - template DEVEL - end - - package %{name}-debuginfo - template DEBUGINFO - end -end diff --git a/dhcp/systemd/dhclient4@.service b/dhcp/systemd/dhclient4@.service deleted file mode 100644 index d7023c80e..000000000 --- a/dhcp/systemd/dhclient4@.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=DHCP client daemon for IPv4 on %I -BindTo=dev-%I.device -After=dev-%I.device - -[Service] -Restart=on-failure -ExecStartPre=/usr/lib/network/dhclient-helper start %I ipv4 -ExecStart=/usr/sbin/dhclient -d %I -4 \ - -cf /run/network/dhclient/%I/dhclient4.conf \ - -lf /var/lib/dhclient/dhclient-%I.leases \ - -pf /run/network/dhclient/%I/dhclient4.pid -ExecStop=/usr/lib/network/dhclient-helper stop %I ipv4 - -# This could be used if you want to release a lease. -#ExecStop=/usr/sbin/dhclient -d -r %I -4 \ -# -cf /run/network/dhclient/%I/dhclient4.conf \ -# -lf /var/lib/dhclient/dhclient-%I.leases \ -# -pf /run/network/dhclient/%I/dhclient4.pid - -UtmpIdentifier=%I diff --git a/dhcp/systemd/dhclient6@.service b/dhcp/systemd/dhclient6@.service deleted file mode 100644 index 34f20a257..000000000 --- a/dhcp/systemd/dhclient6@.service +++ /dev/null 
@@ -1,19 +0,0 @@ -[Unit] -Description=DHCP client daemon for IPv6 on %I - -[Service] -Restart=on-failure -ExecStartPre=/usr/lib/network/dhclient-helper start %I ipv6 -ExecStart=/usr/sbin/dhclient -d %I -6 -P -N \ - -cf /run/network/dhclient/%I/dhclient6.conf \ - -lf /var/lib/dhclient/dhclient6-%I.leases \ - -pf /run/network/dhclient/%I/dhclient6.pid -ExecStop=/usr/lib/network/dhclient-helper stop %I ipv6 - -# This could be used if you want to release a lease. -#ExecStop=/usr/sbin/dhclient -d -r %I -6 \ -# -cf /run/network/dhclient/%I/dhclient6.conf \ -# -lf /var/lib/dhclient/dhclient6-%I.leases \ -# -pf /run/network/dhclient/%I/dhclient6.pid - -UtmpIdentifier=%I diff --git a/dhcp/systemd/dhcpd.service b/dhcp/systemd/dhcpd.service deleted file mode 100644 index d2fdd03fb..000000000 --- a/dhcp/systemd/dhcpd.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=DHCPv4 Server Daemon -After=network.target - -[Service] -ExecStartPre=/usr/lib/network/helpers/dhcpd-config-helper create ipv4 -ExecStart=/usr/sbin/dhcpd -d -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid - -[Install] -WantedBy=multi-user.target diff --git a/dhcp/systemd/dhcpd6.service b/dhcp/systemd/dhcpd6.service deleted file mode 100644 index 54e4c2783..000000000 --- a/dhcp/systemd/dhcpd6.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=DHCPv6 Server Daemon -After=network.target - -[Service] -ExecStartPre=/usr/lib/network/helpers/dhcpd-config-helper create ipv6 -ExecStart=/usr/sbin/dhcpd -d -6 -cf /etc/dhcp/dhcpd6.conf -user dhcpd -group dhcpd --no-pid - -[Install] -WantedBy=multi-user.target diff --git a/dhcp/systemd/dhcrelay.service b/dhcp/systemd/dhcrelay.service deleted file mode 100644 index d47bf63da..000000000 --- a/dhcp/systemd/dhcrelay.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=DHCP Relay Agent Daemon -After=syslog.target network.target - -[Service] -ExecStart=/usr/sbin/dhcrelay -d --no-pid - -[Install] -WantedBy=multi-user.target 
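Review bot: Dropping these units needs a matching change in whatever ships the helpers they call, and nothing in the unit-file hunks shown here touches them. dhclient4@.service and dhclient6@.service run /usr/lib/network/dhclient-helper in ExecStartPre and ExecStop, and dhcpd.service and dhcpd6.service run /usr/lib/network/helpers/dhcpd-config-helper, which the removed package also listed under requires. Please confirm that the package owning those helpers no longer starts dhclient4@, dhclient6@, dhcpd or dhcpd6, or remove the helpers in the same series.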
diff --git a/jose/jose.nm b/jose/jose.nm new file mode 100644 index 000000000..d5eea5194 --- /dev/null +++ b/jose/jose.nm @@ -0,0 +1,63 @@ +############################################################################### +# IPFire.org - An Open Source Firewall Solution # +# Copyright (C) - IPFire Development Team info@ipfire.org # +############################################################################### + +name = jose +version = 11 +release = 1 + +groups = System/Libraries +url = https://github.com/latchset/jose +license = ASL 2.0 +summary = Tools for JSON Object Signing and Encryption (JOSE). + +description + Jose is a command line utility for performing various tasks on JSON + Object Signing and Encryption (JOSE) objects. Jose provides a full + crypto stack including key generation, signing and encryption. +end + +source_dl = https://github.com/latchset/%%7Bname%7D/releases/download/v%%7Bversion%7D/ +sources = %{thisapp}.tar.xz + +build + requires + ninja + meson + asciidoc + jansson-devel + openssl-devel + zlib-devel + end + + build + %{meson} + + %{meson_build} + end + + test + %{meson_test} + end + + install + %{meson_install} + end +end + +packages + package %{name} + + package %{name}-libs + template LIBS + end + + package %{name}-devel + template DEVEL + end + + package %{name}-debuginfo + template DEBUGINFO + end +end diff --git a/llvm/llvm.nm b/llvm/llvm.nm deleted file mode 100644 index fc7d5cfee..000000000 --- a/llvm/llvm.nm +++ /dev/null 
@@ -1,113 +0,0 @@ -############################################################################### -# IPFire.org - An Open Source Firewall Solution # -# Copyright (C) - IPFire Development Team info@ipfire.org # -############################################################################### - -name = llvm -version = 8.0.0 -release = 1 - -groups = Applications/System -url = http://llvm.org -license = NCSA -summary = The Low Level Virtual Machine. - -description - LLVM is a compiler infrastructure designed for compile-time, link-time, - runtime, and idle-time optimization of programs from arbitrary programming - languages. The compiler infrastructure includes mirror sets of programming - tools as well as libraries with equivalent functionality. -end - -source_dl = http://releases.llvm.org/%%7Bversion%7D/ -sources = %{thisapp}.src.tar.xz - -build - requires - binutils >= 2.32 - cmake >= 3.14.5 - gcc - gcc-c++ - libedit-devel >= 3.1-20190324 - libffi-devel - libxml2-devel - zlib-devel - end - - DIR_APP = %{DIR_SRC}/%{thisapp}.src - - # Limit parallelization to only 2 jobs at the same time. - PARALLELISMFLAGS = -j2 - - # Set suffix for libdir based on the build architecture. - llvm_libdir_suffix = - - if "%{DISTRO_ARCH}" == "x86_64" - llvm_libdir_suffix = 64 - end - - if "%{DISTRO_ARCH}" == "aarch64" - llvm_libdir_suffix = 64 - end - - build - # Create and switch into build directory. - mkdir -pv %{DIR_APP}/build - cd %{DIR_APP}/build - - %{cmake} .. 
\ - -DLLVM_BUILD_TOOLS=ON \ - -DLLVM_BUILD_UTILS=ON \ - -DLLVM_BUILD_TESTS=OFF \ - -DLLVM_BUILD_EXAMPLES=OFF \ - -DLLVM_BUILD_BENCHMARKS=OFF \ - -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_INSTALL_RPATH=";" \ - -DLLVM_BUILD_LLVM_DYLIB=OFF \ - -DLLVM_LINK_LLVM_DYLIB=OFF \ - -DBUILD_SHARED_LIBS=ON \ - -DLLVM_ENABLE_FFI=ON \ - -DLLVM_ENABLE_RTTI=ON \ - -DLLVM_ENABLE_LIBCXX=OFF \ - -DLLVM_TARGETS_TO_BUILD="host;" \ - -DCMAKE_C_COMPILER=gcc \ - -DCMAKE_CXX_COMPILER=g++ \ - -DCMAKE_CXX_FLAGS_RELEASE:STRING="%{CFLAGS}" \ - -DCMAKE_EXE_LINKER_FLAGS="%{LDFLAGS}" \ - -DENABLE_PIC=1 \ - -DLLVM_PARALLEL_LINK_JOBS=1 \ - -DLLVM_ENABLE_DUMP=ON \ - -DLLVM_LIBDIR_SUFFIX=%{llvm_libdir_suffix} \ - -Wno-dev - - make %{PARALELLISMFLAGS} - end - - test - cd %{DIR_APP}/build - - make check-all %{PARALELLISMFLAGS} - end - - install - cd %{DIR_APP}/build - - make install DESTDIR=%{BUILDROOT} - end -end - -packages - package llvm - - package llvm-libs - template LIBS - end - - package llvm-devel - template DEVEL - end - - package %{name}-debuginfo - template DEBUGINFO - end -end diff --git a/net-snmp/net-snmp.nm b/net-snmp/net-snmp.nm index 9e86e355d..1bcc538ac 100644 --- a/net-snmp/net-snmp.nm +++ b/net-snmp/net-snmp.nm @@ -4,8 +4,8 @@ ###############################################################################
name = net-snmp -version = 5.7.3 -release = 1 +version = 5.9.3 +release = 2
groups = Networking/Daemons url = http://net-snmp.sourceforge.net @@ -29,16 +29,12 @@ build elfutils-devel lm-sensors-devel >= 3 openssl-devel - perl(ExtUtils::Embed) procps - python-setuptools - python-devel + python3-devel + python3-setuptools systemd-devel - systemd-units end
- PARALLELISMFLAGS = # No parallel build - prepare_cmds autoreconf -vfi end @@ -64,25 +60,17 @@ build --enable-ucd-snmp-compatibility \ --with-openssl \ --with-pic \ - --enable-embedded-perl \ --enable-as-needed \ - --with-perl-modules="INSTALLDIRS=vendor" \ --enable-mfd-rewrites \ --enable-local-smux \ --with-temp-file-pattern=/var/run/net-snmp/snmp-tmp-XXXXXX \ --with-transports="DTLSUDP TLSTCP" \ --with-security-modules=tsm \ - --with-systemd - - build_cmds - # Remove rpath from compiled perl libs - find perl/blib -type f -name "*.so" -print -exec chrpath --delete {} ; - - # Compile python module - pushd python - %{python} setup.py --basedir=".." build - popd - end + --with-systemd \ + --with-default-snmp-version="3" \ + --without-perl-modules \ + --disable-embedded-perl \ + --with-python-modules
install_cmds # Remove stuff we don't want to distribute. @@ -95,11 +83,6 @@ build # Copy missing mib2c.conf files. install -v -m 644 local/mib2c.*.conf %{BUILDROOT}%{datadir}/snmp
- # Install python module. - pushd python - %{python} setup.py --basedir=".." install -O1 --skip-build --root %{BUILDROOT} - popd - # Make libs executable. find %{BUILDROOT} -name "*.so" | xargs chmod -v 755
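Review bot: With the explicit `%{python} setup.py --basedir=".." install -O1 --skip-build --root %{BUILDROOT}` step removed here, the Python bindings reach the build root only through `--with-python-modules` and the regular install target. Please check that the module is staged under %{BUILDROOT} rather than the live prefix, and that the renamed python3-%{name} package does not come out empty.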
@@ -113,6 +96,17 @@ build # Prepare runtime directories. mkdir -pv %{BUILDROOT}%{localstatedir}/{lib,run}/net-snmp
+ # Remove scripts in /bin which requires the SNMP + # perl bindings. + rm -rvf %{BUILDROOT}%{bindir}/net-snmp-cert + rm -rvf %{BUILDROOT}%{bindir}/tkmib + rm -rvf %{BUILDROOT}%{bindir}/mib2c + rm -rvf %{BUILDROOT}%{bindir}/snmp-bridge-mib + + # Remove checkbandwidth script + # This uses a deprecated perl module (Mail::Sender) + rm -rvf %{BUILDROOT}%{bindir}/checkbandwidth + # Remove more RPATHs. find %{BUILDROOT}%{bindir} -type f -print \ -exec chrpath --delete {} ; @@ -156,8 +150,8 @@ packages template LIBS end
- package %{name}-python - template PYTHON + package python3-%{name} + template PYTHON3 end
package %{name}-devel diff --git a/net-snmp/patches/net-snmp-5.5-apsl-copying.patch b/net-snmp/patches/net-snmp-5.5-apsl-copying.patch deleted file mode 100644 index 5ae7ca30c..000000000 --- a/net-snmp/patches/net-snmp-5.5-apsl-copying.patch +++ /dev/null 
@@ -1,354 +0,0 @@ -Add APSL 2.0 license to the COPYING file. - -There is only one file covered by this license: -net-snmp-5.5/agent/mibgroup/host/data_access/swrun_darwin.c - -This file is not used on Linux at all, it's only present in source -tarball and net-snmp.src.rpm. - -In addition, it's licensed under APSL 1.1, but it allows to relicense -the code to 'any subsequent version of this License published by Apple'. -According to http://fedoraproject.org/wiki/Licensing, APSL ver. 2.0 is -better for us. - -diff -up net-snmp-5.7.3/COPYING.skiFvk net-snmp-5.7.3/COPYING ---- net-snmp-5.7.3/COPYING.skiFvk 2015-02-17 13:33:15.963257594 +0100 -+++ net-snmp-5.7.3/COPYING 2015-02-17 13:33:37.931241818 +0100 -@@ -325,3 +325,337 @@ PROFITS; OR BUSINESS INTERRUPTION) HOWEV - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ -+---- Part 11: APPLE PUBLIC SOURCE LICENSE (APSL 2.0) ---- -+ -+Version 2.0 - August 6, 2003 -+ -+Please read this License carefully before downloading this software. By -+downloading or using this software, you are agreeing to be bound by the terms -+of this License. If you do not or cannot agree to the terms of this License, -+please do not download or use the software. -+ -+Apple Note: In January 2007, Apple changed its corporate name from "Apple -+Computer, Inc." to "Apple Inc." This change has been reflected below and -+copyright years updated, but no other changes have been made to the APSL 2.0. -+ -+1. General; Definitions. This License applies to any program or other -+work which Apple Inc. ("Apple") makes publicly available and which contains a -+notice placed by Apple identifying such program or work as "Original Code" and -+stating that it is subject to the terms of this Apple Public Source License -+version 2.0 ("License"). 
As used in this License: -+ -+1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is the -+grantor of rights, (i) claims of patents that are now or hereafter acquired, -+owned by or assigned to Apple and (ii) that cover subject matter contained in -+the Original Code, but only to the extent necessary to use, reproduce and/or -+distribute the Original Code without infringement; and (b) in the case where -+You are the grantor of rights, (i) claims of patents that are now or hereafter -+acquired, owned by or assigned to You and (ii) that cover subject matter in -+Your Modifications, taken alone or in combination with Original Code. -+ -+1.2 "Contributor" means any person or entity that creates or contributes to -+the creation of Modifications. -+ -+1.3 "Covered Code" means the Original Code, Modifications, the combination -+of Original Code and any Modifications, and/or any respective portions thereof. -+ -+1.4 "Externally Deploy" means: (a) to sublicense, distribute or otherwise -+make Covered Code available, directly or indirectly, to anyone other than You; -+and/or (b) to use Covered Code, alone or as part of a Larger Work, in any way -+to provide a service, including but not limited to delivery of content, through -+electronic communication with a client other than You. -+ -+1.5 "Larger Work" means a work which combines Covered Code or portions -+thereof with code not governed by the terms of this License. -+ -+1.6 "Modifications" mean any addition to, deletion from, and/or change to, -+the substance and/or structure of the Original Code, any previous -+Modifications, the combination of Original Code and any previous Modifications, -+and/or any respective portions thereof. When code is released as a series of -+files, a Modification is: (a) any addition to or deletion from the contents of -+a file containing Covered Code; and/or (b) any new file or other representation -+of computer program statements that contains any part of Covered Code. 
-+ -+1.7 "Original Code" means (a) the Source Code of a program or other work as -+originally made available by Apple under this License, including the Source -+Code of any updates or upgrades to such programs or works made available by -+Apple under this License, and that has been expressly identified by Apple as -+such in the header file(s) of such work; and (b) the object code compiled from -+such Source Code and originally made available by Apple under this License -+ -+1.8 "Source Code" means the human readable form of a program or other work -+that is suitable for making modifications to it, including all modules it -+contains, plus any associated interface definition files, scripts used to -+control compilation and installation of an executable (object code). -+ -+1.9 "You" or "Your" means an individual or a legal entity exercising rights -+under this License. For legal entities, "You" or "Your" includes any entity -+which controls, is controlled by, or is under common control with, You, where -+"control" means (a) the power, direct or indirect, to cause the direction or -+management of such entity, whether by contract or otherwise, or (b) ownership -+of fifty percent (50%) or more of the outstanding shares or beneficial -+ownership of such entity. -+ -+2. Permitted Uses; Conditions & Restrictions. Subject to the terms and -+conditions of this License, Apple hereby grants You, effective on the date You -+accept this License and download the Original Code, a world-wide, royalty-free, -+non-exclusive license, to the extent of Apple's Applicable Patent Rights and -+copyrights covering the Original Code, to do the following: -+ -+2.1 Unmodified Code. 
You may use, reproduce, display, perform, internally -+distribute within Your organization, and Externally Deploy verbatim, unmodified -+copies of the Original Code, for commercial or non-commercial purposes, -+provided that in each instance: -+ -+(a) You must retain and reproduce in all copies of Original Code the -+copyright and other proprietary notices and disclaimers of Apple as they appear -+in the Original Code, and keep intact all notices in the Original Code that -+refer to this License; and -+ -+(b) You must include a copy of this License with every copy of Source Code -+of Covered Code and documentation You distribute or Externally Deploy, and You -+may not offer or impose any terms on such Source Code that alter or restrict -+this License or the recipients' rights hereunder, except as permitted under -+Section 6. -+ -+2.2 Modified Code. You may modify Covered Code and use, reproduce, -+display, perform, internally distribute within Your organization, and -+Externally Deploy Your Modifications and Covered Code, for commercial or -+non-commercial purposes, provided that in each instance You also meet all of -+these conditions: -+ -+(a) You must satisfy all the conditions of Section 2.1 with respect to the -+Source Code of the Covered Code; -+ -+(b) You must duplicate, to the extent it does not already exist, the notice -+in Exhibit A in each file of the Source Code of all Your Modifications, and -+cause the modified files to carry prominent notices stating that You changed -+the files and the date of any change; and -+ -+(c) If You Externally Deploy Your Modifications, You must make Source Code -+of all Your Externally Deployed Modifications either available to those to whom -+You have Externally Deployed Your Modifications, or publicly available. 
Source -+Code of Your Externally Deployed Modifications must be released under the terms -+set forth in this License, including the license grants set forth in Section 3 -+below, for as long as you Externally Deploy the Covered Code or twelve (12) -+months from the date of initial External Deployment, whichever is longer. You -+should preferably distribute the Source Code of Your Externally Deployed -+Modifications electronically (e.g. download from a web site). -+ -+2.3 Distribution of Executable Versions. In addition, if You Externally -+Deploy Covered Code (Original Code and/or Modifications) in object code, -+executable form only, You must include a prominent notice, in the code itself -+as well as in related documentation, stating that Source Code of the Covered -+Code is available under the terms of this License with information on how and -+where to obtain such Source Code. -+ -+2.4 Third Party Rights. You expressly acknowledge and agree that although -+Apple and each Contributor grants the licenses to their respective portions of -+the Covered Code set forth herein, no assurances are provided by Apple or any -+Contributor that the Covered Code does not infringe the patent or other -+intellectual property rights of any other entity. Apple and each Contributor -+disclaim any liability to You for claims brought by any other entity based on -+infringement of intellectual property rights or otherwise. As a condition to -+exercising the rights and licenses granted hereunder, You hereby assume sole -+responsibility to secure any other intellectual property rights needed, if any. -+For example, if a third party patent license is required to allow You to -+distribute the Covered Code, it is Your responsibility to acquire that license -+before distributing the Covered Code. -+ -+3. Your Grants. 
In consideration of, and as a condition to, the licenses -+granted to You under this License, You hereby grant to any person or entity -+receiving or distributing Covered Code under this License a non-exclusive, -+royalty-free, perpetual, irrevocable license, under Your Applicable Patent -+Rights and other intellectual property rights (other than patent) owned or -+controlled by You, to use, reproduce, display, perform, modify, sublicense, -+distribute and Externally Deploy Your Modifications of the same scope and -+extent as Apple's licenses under Sections 2.1 and 2.2 above. -+ -+4. Larger Works. You may create a Larger Work by combining Covered Code -+with other code not governed by the terms of this License and distribute the -+Larger Work as a single product. In each such instance, You must make sure the -+requirements of this License are fulfilled for the Covered Code or any portion -+thereof. -+ -+5. Limitations on Patent License. Except as expressly stated in Section -+2, no other patent rights, express or implied, are granted by Apple herein. -+Modifications and/or Larger Works may require additional patent licenses from -+Apple which Apple may grant in its sole discretion. -+ -+6. Additional Terms. You may choose to offer, and to charge a fee for, -+warranty, support, indemnity or liability obligations and/or other rights -+consistent with the scope of the license granted herein ("Additional Terms") to -+one or more recipients of Covered Code. However, You may do so only on Your own -+behalf and as Your sole responsibility, and not on behalf of Apple or any -+Contributor. You must obtain the recipient's agreement that any such Additional -+Terms are offered by You alone, and You hereby agree to indemnify, defend and -+hold Apple and every Contributor harmless for any liability incurred by or -+claims asserted against Apple or such Contributor by reason of any such -+Additional Terms. -+ -+7. Versions of the License. 
Apple may publish revised and/or new versions -+of this License from time to time. Each version will be given a distinguishing -+version number. Once Original Code has been published under a particular -+version of this License, You may continue to use it under the terms of that -+version. You may also choose to use such Original Code under the terms of any -+subsequent version of this License published by Apple. No one other than Apple -+has the right to modify the terms applicable to Covered Code created under this -+License. -+ -+8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in -+part pre-release, untested, or not fully tested works. The Covered Code may -+contain errors that could cause failures or loss of data, and may be incomplete -+or contain inaccuracies. You expressly acknowledge and agree that use of the -+Covered Code, or any portion thereof, is at Your sole and entire risk. THE -+COVERED CODE IS PROVIDED "AS IS" AND WITHOUT WARRANTY, UPGRADES OR SUPPORT OF -+ANY KIND AND APPLE AND APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" -+FOR THE PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM -+ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT -+LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF -+SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF -+QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. APPLE AND EACH -+CONTRIBUTOR DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE -+COVERED CODE, THAT THE FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR -+REQUIREMENTS, THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR -+ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO ORAL OR -+WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE AUTHORIZED -+REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY. 
You acknowledge -+that the Covered Code is not intended for use in the operation of nuclear -+facilities, aircraft navigation, communication systems, or air traffic control -+machines in which case the failure of the Covered Code could lead to death, -+personal injury, or severe physical or environmental damage. -+ -+9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO -+EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL, SPECIAL, -+INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO THIS LICENSE OR -+YOUR USE OR INABILITY TO USE THE COVERED CODE, OR ANY PORTION THEREOF, WHETHER -+UNDER A THEORY OF CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCTS -+LIABILITY OR OTHERWISE, EVEN IF APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF -+THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL -+PURPOSE OF ANY REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF -+LIABILITY OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT -+APPLY TO YOU. In no event shall Apple's total liability to You for all damages -+(other than as may be required by applicable law) under this License exceed the -+amount of fifty dollars ($50.00). -+ -+10. Trademarks. This License does not grant any rights to use the -+trademarks or trade names "Apple", "Mac", "Mac OS", "QuickTime", "QuickTime -+Streaming Server" or any other trademarks, service marks, logos or trade names -+belonging to Apple (collectively "Apple Marks") or to any trademark, service -+mark, logo or trade name belonging to any Contributor. You agree not to use -+any Apple Marks in or as part of the name of products derived from the Original -+Code or to endorse or promote products derived from the Original Code other -+than as expressly permitted by and in strict compliance at all times with -+Apple's third party trademark usage guidelines which are posted at -+http://www.apple.com/legal/guidelinesfor3rdparties.html. -+ -+11. Ownership. 
Subject to the licenses granted under this License, each -+Contributor retains all rights, title and interest in and to any Modifications -+made by such Contributor. Apple retains all rights, title and interest in and -+to the Original Code and any Modifications made by or on behalf of Apple -+("Apple Modifications"), and such Apple Modifications will not be automatically -+subject to this License. Apple may, at its sole discretion, choose to license -+such Apple Modifications under this License, or on different terms from those -+contained in this License or may choose not to license them at all. -+ -+12. Termination. -+ -+12.1 Termination. This License and the rights granted hereunder will -+terminate: -+ -+(a) automatically without notice from Apple if You fail to comply with any -+term(s) of this License and fail to cure such breach within 30 days of becoming -+aware of such breach; (b) immediately in the event of the circumstances -+described in Section 13.5(b); or (c) automatically without notice from Apple -+if You, at any time during the term of this License, commence an action for -+patent infringement against Apple; provided that Apple did not first commence -+an action for patent infringement against You in that instance. -+ -+12.2 Effect of Termination. Upon termination, You agree to immediately stop -+any further use, reproduction, modification, sublicensing and distribution of -+the Covered Code. All sublicenses to the Covered Code which have been properly -+granted prior to termination shall survive any termination of this License. -+Provisions which, by their nature, should remain in effect beyond the -+termination of this License shall survive, including but not limited to -+Sections 3, 5, 8, 9, 10, 11, 12.2 and 13. 
No party will be liable to any other -+for compensation, indemnity or damages of any sort solely as a result of -+terminating this License in accordance with its terms, and termination of this -+License will be without prejudice to any other right or remedy of any party. -+ -+13. Miscellaneous. -+ -+13.1 Government End Users. The Covered Code is a "commercial item" as -+defined in FAR 2.101. Government software and technical data rights in the -+Covered Code include only those rights customarily provided to the public as -+defined in this License. This customary commercial license in technical data -+and software is provided in accordance with FAR 12.211 (Technical Data) and -+12.212 (Computer Software) and, for Department of Defense purchases, DFAR -+252.227-7015 (Technical Data -- Commercial Items) and 227.7202-3 (Rights in -+Commercial Computer Software or Computer Software Documentation). Accordingly, -+all U.S. Government End Users acquire Covered Code with only those rights set -+forth herein. -+ -+13.2 Relationship of Parties. This License will not be construed as -+creating an agency, partnership, joint venture or any other form of legal -+association between or among You, Apple or any Contributor, and You will not -+represent to the contrary, whether expressly, by implication, appearance or -+otherwise. -+ -+13.3 Independent Development. Nothing in this License will impair Apple's -+right to acquire, license, develop, have others develop for it, market and/or -+distribute technology or products that perform the same or similar functions -+as, or otherwise compete with, Modifications, Larger Works, technology or -+products that You may develop, produce, market or distribute. -+ -+13.4 Waiver; Construction. Failure by Apple or any Contributor to enforce -+any provision of this License will not be deemed a waiver of future enforcement -+of that or any other provision. 
Any law or regulation which provides that the -+language of a contract shall be construed against the drafter will not apply to -+this License. -+ -+13.5 Severability. (a) If for any reason a court of competent jurisdiction -+finds any provision of this License, or portion thereof, to be unenforceable, -+that provision of the License will be enforced to the maximum extent -+permissible so as to effect the economic benefits and intent of the parties, -+and the remainder of this License will continue in full force and effect. (b) -+Notwithstanding the foregoing, if applicable law prohibits or restricts You -+from fully and/or specifically complying with Sections 2 and/or 3 or prevents -+the enforceability of either of those Sections, this License will immediately -+terminate and You must immediately discontinue any use of the Covered Code and -+destroy all copies of it that are in your possession or control. -+ -+13.6 Dispute Resolution. Any litigation or other dispute resolution between -+You and Apple relating to this License shall take place in the Northern -+District of California, and You and Apple hereby consent to the personal -+jurisdiction of, and venue in, the state and federal courts within that -+District with respect to this License. The application of the United Nations -+Convention on Contracts for the International Sale of Goods is expressly -+excluded. -+ -+13.7 Entire Agreement; Governing Law. This License constitutes the entire -+agreement between the parties with respect to the subject matter hereof. This -+License shall be governed by the laws of the United States and the State of -+California, except that body of California law concerning conflicts of law. -+ -+Where You are located in the province of Quebec, Canada, the following clause -+applies: The parties hereby confirm that they have requested that this License -+and all related documents be drafted in English. 
Les parties ont exige que le -+present contrat et tous les documents connexes soient rediges en anglais. -+ -+EXHIBIT A. -+ -+"Portions Copyright (c) 1999-2007 Apple Inc. All Rights Reserved. -+ -+This file contains Original Code and/or Modifications of Original Code as -+defined in and that are subject to the Apple Public Source License Version 2.0 -+(the 'License'). You may not use this file except in compliance with the -+License. Please obtain a copy of the License at -+http://www.opensource.apple.com/apsl/ and read it before using this file. -+ -+The Original Code and all software distributed under the License are -+distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS -+OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT -+LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR -+PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the -+specific language governing rights and limitations under the License." diff --git a/net-snmp/patches/net-snmp-5.5-dir-fix.patch b/net-snmp/patches/net-snmp-5.5-dir-fix.patch deleted file mode 100644 index b726c4713..000000000 --- a/net-snmp/patches/net-snmp-5.5-dir-fix.patch +++ /dev/null @@ -1,14 +0,0 @@ -Let net-snmp-create-v3-user save settings into /etc/ instead of /usr/ - -diff -up net-snmp-5.5/net-snmp-create-v3-user.in.orig net-snmp-5.5/net-snmp-create-v3-user.in ---- net-snmp-5.5/net-snmp-create-v3-user.in.orig 2008-07-22 16:33:25.000000000 +0200 -+++ net-snmp-5.5/net-snmp-create-v3-user.in 2009-09-29 16:30:36.000000000 +0200 -@@ -158,7 +158,7 @@ if test ! -d $outfile ; then - touch $outfile - fi - echo $line >> $outfile --outfile="@datadir@/snmp/snmpd.conf" -+outfile="/etc/snmp/snmpd.conf" - line="$token $user" - echo "adding the following line to $outfile:" - echo " " $line 
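Review bot: Deleting net-snmp-5.5-dir-fix.patch removes the only visible override of `outfile` in net-snmp-create-v3-user, which the patch redirected from `@datadir@/snmp/snmpd.conf` to `/etc/snmp/snmpd.conf`. net-snmp.nm now passes `--with-default-snmp-version="3"`, so this script is the expected way to add users. Please state in the commit message that 5.9.3 already appends the `$token $user` line to a file under /etc, or carry a rebased version of the patch so that access entries are not written into the data directory.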
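Review bot: In net-snmp.nm, the hunk that adds `rm -rvf %{BUILDROOT}%{bindir}/net-snmp-cert` removes the certificate helper while the configure call keeps `--with-transports="DTLSUDP TLSTCP"` and `--with-security-modules=tsm`, so the TLS and DTLS transports ship without the tool meant to provision their certificates. Either package it separately with its Perl dependency or note how certificates are expected to be set up. The same hunk deletes %{bindir}/mib2c, but the earlier `install -v -m 644 local/mib2c.*.conf %{BUILDROOT}%{datadir}/snmp` line is kept, so the configuration files are installed for a tool that is no longer there and the copy can go too. As a style point, these are plain files, so `rm -vf` is enough, and the comment should read "which require".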
diff --git a/net-snmp/patches/net-snmp-5.5-perl-linking.patch b/net-snmp/patches/net-snmp-5.5-perl-linking.patch deleted file mode 100644 index ceb63630a..000000000 --- a/net-snmp/patches/net-snmp-5.5-perl-linking.patch +++ /dev/null @@ -1,16 +0,0 @@ -554747 - net-snmp-config should not contain perl options - -Remove rpath from net-snmp-config --agent-libs output. - -diff -up net-snmp-5.7/net-snmp-config.in.perl-linking net-snmp-5.7/net-snmp-config.in ---- net-snmp-5.7/net-snmp-config.in.perl-linking 2011-07-02 00:35:46.000000000 +0200 -+++ net-snmp-5.7/net-snmp-config.in 2011-07-07 13:30:01.635798817 +0200 -@@ -50,7 +50,7 @@ NSC_LDFLAGS="@LDFLAGS@" - - NSC_LIBS="@LIBS@" - NSC_LNETSNMPLIBS="@LNETSNMPLIBS@" --NSC_LAGENTLIBS="@LAGENTLIBS@ @PERLLDOPTS_FOR_APPS@" -+NSC_LAGENTLIBS="@LAGENTLIBS@" - NSC_LMIBLIBS="@LMIBLIBS@" - - NSC_INCLUDEDIR=${includedir} diff --git a/net-snmp/patches/net-snmp-5.6-multilib.patch b/net-snmp/patches/net-snmp-5.6-multilib.patch deleted file mode 100644 index 9c12385a1..000000000 --- a/net-snmp/patches/net-snmp-5.6-multilib.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff -up net-snmp-5.7.3/man/netsnmp_config_api.3.def.oSBcEB net-snmp-5.7.3/man/netsnmp_config_api.3.def ---- net-snmp-5.7.3/man/netsnmp_config_api.3.def.oSBcEB 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/man/netsnmp_config_api.3.def 2015-02-17 13:32:38.903284207 +0100 -@@ -295,7 +295,7 @@ for one particular machine. - .PP - The default list of directories to search is \fC SYSCONFDIR/snmp\fP, - followed by \fC DATADIR/snmp\fP, --followed by \fC LIBDIR/snmp\fP, -+followed by \fC /usr/lib(64)/snmp\fP, - followed by \fC $HOME/.snmp\fP. - This list can be changed by setting the environmental variable - .I SNMPCONFPATH -@@ -365,7 +365,7 @@ function that it should abort the operat - SNMPCONFPATH - A colon separated list of directories to search for configuration - files in. --Default: SYSCONFDIR/snmp:DATADIR/snmp:LIBDIR/snmp:$HOME/.snmp -+Default: SYSCONFDIR/snmp:DATADIR/snmp:/usr/lib(64)/snmp:$HOME/.snmp - .SH "SEE ALSO" - netsnmp_mib_api(3), snmp_api(3) - ." Local Variables: -diff -up net-snmp-5.7.3/man/snmp_config.5.def.oSBcEB net-snmp-5.7.3/man/snmp_config.5.def ---- net-snmp-5.7.3/man/snmp_config.5.def.oSBcEB 2015-02-17 13:32:04.251309092 +0100 -+++ net-snmp-5.7.3/man/snmp_config.5.def 2015-02-17 13:33:09.217262438 +0100 -@@ -10,7 +10,7 @@ First off, there are numerous places tha - found and read from. By default, the applications look for - configuration files in the following 4 directories, in order: - SYSCONFDIR/snmp, --DATADIR/snmp, LIBDIR/snmp, and $HOME/.snmp. In each of these -+DATADIR/snmp, /usr/lib(64)/snmp, and $HOME/.snmp. In each of these - directories, it looks for files snmp.conf, snmpd.conf and/or - snmptrapd.conf, as well as snmp.local.conf, snmpd.local.conf - and/or snmptrapd.local.conf. 
*.local.conf are always -diff -up net-snmp-5.7.3/man/snmpd.conf.5.def.oSBcEB net-snmp-5.7.3/man/snmpd.conf.5.def ---- net-snmp-5.7.3/man/snmpd.conf.5.def.oSBcEB 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/man/snmpd.conf.5.def 2015-02-17 13:32:04.251309092 +0100 -@@ -1502,7 +1502,7 @@ filename), and call the initialisation r - .RS - .IP "Note:" - If the specified PATH is not a fully qualified filename, it will --be interpreted relative to LIBDIR/snmp/dlmod, and \fC.so\fR -+be interpreted relative to /usr/lib(64)/snmp/dlmod, and \fC.so\fR - will be appended to the filename. - .RE - .PP diff --git a/net-snmp/patches/net-snmp-5.6-test-debug.patch b/net-snmp/patches/net-snmp-5.6-test-debug.patch deleted file mode 100644 index 4ae97fbee..000000000 --- a/net-snmp/patches/net-snmp-5.6-test-debug.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Don't check tests which depend on DNS - it's disabled in Koji - -diff -up net-snmp-5.7.2/testing/fulltests/default/T070com2sec_simple.debug net-snmp-5.7.2/testing/fulltests/default/T070com2sec_simple ---- net-snmp-5.7.2/testing/fulltests/default/T070com2sec_simple.debug 2012-10-10 00:28:58.000000000 +0200 -+++ net-snmp-5.7.2/testing/fulltests/default/T070com2sec_simple 2012-10-18 10:16:39.276416510 +0200 -@@ -134,6 +134,10 @@ SAVECHECKAGENT '<"c406a", 255.255.255.25 - SAVECHECKAGENT 'line 30: Error:' # msg from h_strerror so it varies - SAVECHECKAGENT 'line 31: Error:' # msg from h_strerror so it varies - -+FINISHED -+ -+# don't test the later, it depends on DNS, which is not available in Koji -+ - CHECKAGENT '<"c408a"' - if [ "$snmp_last_test_result" -eq 0 ] ; then - CHECKAGENT 'line 32: Error:' -diff -up net-snmp-5.7.2/testing/fulltests/default/T071com2sec6_simple.debug net-snmp-5.7.2/testing/fulltests/default/T071com2sec6_simple ---- net-snmp-5.7.2/testing/fulltests/default/T071com2sec6_simple.debug 2012-10-10 00:28:58.000000000 +0200 -+++ net-snmp-5.7.2/testing/fulltests/default/T071com2sec6_simple 2012-10-18 10:16:39.276416510 +0200 -@@ -132,6 +132,9 @@ SAVECHECKAGENT '<"c606a", ffff:ffff:ffff - SAVECHECKAGENT 'line 27: Error:' - SAVECHECKAGENT 'line 28: Error:' - -+FINISHED -+ -+# don't test the later, it depends on DNS, which is not available in Koji - # 608 - CHECKAGENT '<"c608a"' - if [ "$snmp_last_test_result" -eq 0 ] ; then diff --git a/net-snmp/patches/net-snmp-5.7.2-systemd.patch b/net-snmp/patches/net-snmp-5.7.2-systemd.patch deleted file mode 100644 index 4c89d608e..000000000 --- a/net-snmp/patches/net-snmp-5.7.2-systemd.patch +++ /dev/null 
@@ -1,1650 +0,0 @@ -718183 - Provide native systemd unit file - -Gathered from following upstream git commits and backported to 5.7. - -commit 19499c3c90bf9d7b2b9e5d08baa26cc6bba28a11 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:54 2011 +0200 - - CHANGES: snmpd: integrated with systemd, see README.systemd for details. - - It brings sd-daemon.c and .h directly downloaded from systemd. I've made very - few changes to it to match our NETSNMP_NO_SYSTEMD and include paths. - -commit fef6cddfdb94da1a6b1fb768af62918b80f11fd3 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:54 2011 +0200 - - CHANGES: snmptrapd: integrate systemd notification support. - -commit 0641e43c694c485cbbffef0556efc4641bd3ff50 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:54 2011 +0200 - - Add sd_find_inet_socket() and sd_find_inet_unisx() helpers into - system-specific code. This will help us to find various sockets - created by systemd much easier. - -commit 76530a89f1c8bbd0b63acce63e10d5d4812a1a16 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:54 2011 +0200 - - Check sockets created by systemd when opening new server sockets. - - systemd can pass sockets to our daemons during startup using LISTEN_FDS - environment variable. So check this variable when opening new listening - socket - maybe system has already opened the socket for us. - -commit bf108d7f1354f6276fc43c129963f2c49b9fc242 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:54 2011 +0200 - - Added sample systemd service files. - -commit 884ec488a6596380ba283d707827dd926a52e0b2 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Mon Aug 8 15:48:55 2011 +0200 - - Run autoheader+autoconf. - -commit 86132e3f1e6ef7b4e0b96d8fa24e37c81b71b0e0 -Author: Jan Safranek jsafranek@users.sourceforge.net -Date: Tue Aug 9 10:53:43 2011 +0200 - - Update systemd documentation and samples. 
- - - add socket unit for snmpd to paralelize boot - - update WantedBy in socket units as recommended by http://0pointer.de/blog/projects/socket-activation.html - - rephrase README.systemd - -diff -up net-snmp-5.7.3/agent/snmpd.c.MPGqYh net-snmp-5.7.3/agent/snmpd.c ---- net-snmp-5.7.3/agent/snmpd.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/agent/snmpd.c 2015-02-17 13:34:05.736221851 +0100 -@@ -164,6 +164,10 @@ typedef long fd_mask; - - #endif - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - netsnmp_feature_want(logging_file) - netsnmp_feature_want(logging_stdio) - netsnmp_feature_want(logging_syslog) -@@ -443,18 +447,26 @@ main(int argc, char *argv[]) - int agent_mode = -1; - char *pid_file = NULL; - char option_compatability[] = "-Le"; -+ int prepared_sockets = 0; - #if HAVE_GETPID - int fd; - FILE *PID; - #endif - - #ifndef WIN32 -+#ifndef NETSNMP_NO_SYSYSTEMD -+ /* check if systemd has sockets for us and don't close them */ -+ prepared_sockets = netsnmp_sd_listen_fds(0); -+#endif /* NETSNMP_NO_SYSYSTEMD */ -+ - /* - * close all non-standard file descriptors we may have - * inherited from the shell. - */ -- for (i = getdtablesize() - 1; i > 2; --i) { -- (void) close(i); -+ if (!prepared_sockets) { -+ for (i = getdtablesize() - 1; i > 2; --i) { -+ (void) close(i); -+ } - } - #endif /* #WIN32 */ - -@@ -1107,6 +1119,19 @@ main(int argc, char *argv[]) - netsnmp_addrcache_initialise(); - - /* -+ * Let systemd know we're up. -+ */ -+#ifndef NETSNMP_NO_SYSTEMD -+ netsnmp_sd_notify(1, "READY=1\n"); -+ if (prepared_sockets) -+ /* -+ * Clear the environment variable, we already processed all the sockets -+ * by now. -+ */ -+ netsnmp_sd_listen_fds(1); -+#endif -+ -+ /* - * Forever monitor the dest_port for incoming PDUs. - */ - DEBUGMSGTL(("snmpd/main", "We're up. 
Starting to process data.\n")); -diff -up net-snmp-5.7.3/apps/snmptrapd.c.MPGqYh net-snmp-5.7.3/apps/snmptrapd.c ---- net-snmp-5.7.3/apps/snmptrapd.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/apps/snmptrapd.c 2015-02-17 13:34:05.736221851 +0100 -@@ -125,6 +125,10 @@ SOFTWARE. - - #include <net-snmp/net-snmp-features.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - #ifndef BSD4_3 - #define BSD4_2 - #endif -@@ -657,15 +661,22 @@ main(int argc, char *argv[]) - int agentx_subagent = 1; - #endif - netsnmp_trapd_handler *traph; -+ int prepared_sockets = 0; - - - #ifndef WIN32 -+#ifndef NETSNMP_NO_SYSTEMD -+ /* check if systemd has sockets for us and don't close them */ -+ prepared_sockets = netsnmp_sd_listen_fds(0); -+#endif - /* - * close all non-standard file descriptors we may have - * inherited from the shell. - */ -- for (i = getdtablesize() - 1; i > 2; --i) { -- (void) close(i); -+ if (!prepared_sockets) { -+ for (i = getdtablesize() - 1; i > 2; --i) { -+ (void) close(i); -+ } - } - #endif /* #WIN32 */ - -@@ -1318,6 +1329,19 @@ main(int argc, char *argv[]) - #endif - #endif - -+ /* -+ * Let systemd know we're up. -+ */ -+#ifndef NETSNMP_NO_SYSTEMD -+ netsnmp_sd_notify(1, "READY=1\n"); -+ if (prepared_sockets) -+ /* -+ * Clear the environment variable, we already processed all the sockets -+ * by now. 
-+ */ -+ netsnmp_sd_listen_fds(1); -+#endif -+ - #ifdef WIN32SERVICE - trapd_status = SNMPTRAPD_RUNNING; - #endif -diff -up net-snmp-5.7.3/configure.d/config_modules_lib.MPGqYh net-snmp-5.7.3/configure.d/config_modules_lib ---- net-snmp-5.7.3/configure.d/config_modules_lib.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/configure.d/config_modules_lib 2015-02-17 13:34:05.737221850 +0100 -@@ -53,6 +53,14 @@ if test "x$PARTIALTARGETOS" = "xmingw32" - other_ftobjs_list="$other_ftobjs_list winpipe.ft" - fi - -+# Linux systemd -+if test "x$with_systemd" == "xyes"; then -+ other_src_list="$other_src_list sd-daemon.c" -+ other_objs_list="$other_objs_list sd-daemon.o" -+ other_lobjs_list="$other_lobjs_list sd-daemon.lo" -+ other_ftobjs_list="$other_ftobjs_list sd-daemon.ft" -+fi -+ - AC_SUBST(other_src_list) - AC_SUBST(other_objs_list) - AC_SUBST(other_lobjs_list) -diff -up net-snmp-5.7.3/configure.d/config_project_with_enable.MPGqYh net-snmp-5.7.3/configure.d/config_project_with_enable ---- net-snmp-5.7.3/configure.d/config_project_with_enable.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/configure.d/config_project_with_enable 2015-02-17 13:34:05.737221850 +0100 -@@ -690,6 +690,15 @@ if test "x$with_dummy_values" != "xyes"; - data for]) - fi - -+NETSNMP_ARG_WITH(systemd, -+[ --with-systemd Provide systemd support. See README.systemd -+ for details.]) -+# Define unless specifically suppressed (i.e., option defaults to false). 
-+if test "x$with_systemd" != "xyes"; then -+ AC_DEFINE(NETSNMP_NO_SYSTEMD, 1, -+ [If you don't want to integrate with systemd.]) -+fi -+ - NETSNMP_ARG_ENABLE(set-support, - [ --disable-set-support Do not allow SNMP set requests.]) - if test "x$enable_set_support" = "xno"; then -diff -up net-snmp-5.7.3/configure.MPGqYh net-snmp-5.7.3/configure ---- net-snmp-5.7.3/configure.MPGqYh 2014-12-08 21:23:37.000000000 +0100 -+++ net-snmp-5.7.3/configure 2015-02-17 13:34:05.744221845 +0100 -@@ -951,6 +951,8 @@ with_kmem_usage - enable_kmem_usage - with_dummy_values - enable_dummy_values -+with_systemd -+enable_systemd - enable_set_support - with_set_support - with_sys_contact -@@ -1867,6 +1869,8 @@ Configuring the agent: - This is technically not compliant with the - SNMP specifications, but was how the agent - operated for versions < 4.0. -+ --with-systemd Provide systemd support. See README.systemd -+ for details. - --with-sys-contact="who@where" Default system contact. - (Default: LOGIN@DOMAINNAME) - --with-sys-location="location" Default system location. -@@ -4398,6 +4402,24 @@ $as_echo "#define NETSNMP_NO_DUMMY_VALUE - - fi - -+ -+# Check whether --with-systemd was given. -+if test "${with_systemd+set}" = set; then : -+ withval=$with_systemd; -+fi -+ -+ # Check whether --enable-systemd was given. -+if test "${enable_systemd+set}" = set; then : -+ enableval=$enable_systemd; as_fn_error $? "Invalid option. Use --with-systemd/--without-systemd instead" "$LINENO" 5 -+fi -+ -+# Define unless specifically suppressed (i.e., option defaults to false). -+if test "x$with_systemd" != "xyes"; then -+ -+$as_echo "#define NETSNMP_NO_SYSTEMD 1" >>confdefs.h -+ -+fi -+ - # Check whether --enable-set-support was given. 
- if test "${enable_set_support+set}" = set; then : - enableval=$enable_set_support; -@@ -18639,6 +18661,14 @@ if test "x$PARTIALTARGETOS" = "xmingw32" - other_ftobjs_list="$other_ftobjs_list winpipe.ft" - fi - -+# Linux systemd -+if test "x$with_systemd" == "xyes"; then -+ other_src_list="$other_src_list sd-daemon.c" -+ other_objs_list="$other_objs_list sd-daemon.o" -+ other_lobjs_list="$other_lobjs_list sd-daemon.lo" -+ other_ftobjs_list="$other_ftobjs_list sd-daemon.ft" -+fi -+ - - - -diff -up net-snmp-5.7.3/dist/snmpd.service.MPGqYh net-snmp-5.7.3/dist/snmpd.service ---- net-snmp-5.7.3/dist/snmpd.service.MPGqYh 2015-02-17 13:34:05.745221844 +0100 -+++ net-snmp-5.7.3/dist/snmpd.service 2015-02-17 13:34:05.745221844 +0100 -@@ -0,0 +1,18 @@ -+# -+# SNMP agent service file for systemd -+# -+# -+# The service should be enabled, i.e. snmpd should start during machine boot. -+# Socket activation shall not be used. See README.systemd for details. -+ -+[Unit] -+Description=Simple Network Management Protocol (SNMP) daemon. -+After=syslog.target network.target -+ -+[Service] -+# Type=notify is also supported. It should be set when snmpd.socket is not used. -+Type=simple -+ExecStart=/usr/sbin/snmpd -f -+ -+[Install] -+WantedBy=multi-user.target -diff -up net-snmp-5.7.3/dist/snmpd.socket.MPGqYh net-snmp-5.7.3/dist/snmpd.socket ---- net-snmp-5.7.3/dist/snmpd.socket.MPGqYh 2015-02-17 13:34:05.745221844 +0100 -+++ net-snmp-5.7.3/dist/snmpd.socket 2015-02-17 13:34:05.745221844 +0100 -@@ -0,0 +1,17 @@ -+[Unit] -+Description=Socket listening for SNMP and AgentX messages -+ -+[Socket] -+ListenDatagram=0.0.0.0:161 -+# Uncomment other listening addresses as needed - TCP, UDP6, TCP6. -+# It must match listening addresses/ports defined in snmpd.service -+# or snmpd.conf. -+# ListenStream=0.0.0.0:161 -+# ListenDatagram=[::]:161 -+# ListenStream=[::]:161 -+# -+# Uncomment AgentX socket if snmpd.conf enables AgentX protocol. 
-+# ListenStream=/var/agentx/master -+ -+[Install] -+WantedBy=sockets.target -diff -up net-snmp-5.7.3/dist/snmptrapd.service.MPGqYh net-snmp-5.7.3/dist/snmptrapd.service ---- net-snmp-5.7.3/dist/snmptrapd.service.MPGqYh 2015-02-17 13:34:05.745221844 +0100 -+++ net-snmp-5.7.3/dist/snmptrapd.service 2015-02-17 13:34:05.745221844 +0100 -@@ -0,0 +1,16 @@ -+# -+# SNMP trap-processing service file for systemd -+# -+ -+[Unit] -+Description=Simple Network Management Protocol (SNMP) Trap daemon. -+After=syslog.target network.target -+ -+[Service] -+# Type=notify is also supported. It should be set when snmptrapd.socket is not -+# used. -+Type=simple -+ExecStart=/usr/sbin/snmptrapd -f -+ -+[Install] -+WantedBy=multi-user.target -diff -up net-snmp-5.7.3/dist/snmptrapd.socket.MPGqYh net-snmp-5.7.3/dist/snmptrapd.socket ---- net-snmp-5.7.3/dist/snmptrapd.socket.MPGqYh 2015-02-17 13:34:05.745221844 +0100 -+++ net-snmp-5.7.3/dist/snmptrapd.socket 2015-02-17 13:34:05.745221844 +0100 -@@ -0,0 +1,14 @@ -+[Unit] -+Description=Socket listening for SNMP trap messages -+ -+[Socket] -+ListenDatagram=0.0.0.0:162 -+# Uncomment other listening addresses as needed - TCP, UDP6, TCP6. -+# It must match listening addresses/ports defined in snmptrapd.service -+# or snmptrapd.conf. 
-+# ListenStream=0.0.0.0:162 -+# ListenDatagram=[::]:162 -+# ListenStream=[::]:162 -+ -+[Install] -+WantedBy=sockets.target -diff -up net-snmp-5.7.3/include/net-snmp/library/sd-daemon.h.MPGqYh net-snmp-5.7.3/include/net-snmp/library/sd-daemon.h ---- net-snmp-5.7.3/include/net-snmp/library/sd-daemon.h.MPGqYh 2015-02-17 13:34:05.746221843 +0100 -+++ net-snmp-5.7.3/include/net-snmp/library/sd-daemon.h 2015-02-17 13:34:05.746221843 +0100 -@@ -0,0 +1,286 @@ -+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ -+ -+#ifndef SNMPD_SD_DAEMON_H -+#define SNMPD_SD_DAEMON_H -+ -+/*** -+ Copyright 2010 Lennart Poettering -+ -+ Permission is hereby granted, free of charge, to any person -+ obtaining a copy of this software and associated documentation files -+ (the "Software"), to deal in the Software without restriction, -+ including without limitation the rights to use, copy, modify, merge, -+ publish, distribute, sublicense, and/or sell copies of the Software, -+ and to permit persons to whom the Software is furnished to do so, -+ subject to the following conditions: -+ -+ The above copyright notice and this permission notice shall be -+ included in all copies or substantial portions of the Software. -+ -+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS -+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN -+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ SOFTWARE. -+***/ -+ -+#include <sys/types.h> -+#include <inttypes.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* -+ Reference implementation of a few systemd related interfaces for -+ writing daemons. These interfaces are trivial to implement. 
To -+ simplify porting we provide this reference implementation. -+ Applications are welcome to reimplement the algorithms described -+ here if they do not want to include these two source files. -+ -+ The following functionality is provided: -+ -+ - Support for logging with log levels on stderr -+ - File descriptor passing for socket-based activation -+ - Daemon startup and status notification -+ - Detection of systemd boots -+ -+ You may compile this with -DDISABLE_SYSTEMD to disable systemd -+ support. This makes all those calls NOPs that are directly related to -+ systemd (i.e. only sd_is_xxx() will stay useful). -+ -+ Since this is drop-in code we don't want any of our symbols to be -+ exported in any case. Hence we declare hidden visibility for all of -+ them. -+ -+ You may find an up-to-date version of these source files online: -+ -+ http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.h -+ http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.c -+ -+ This should compile on non-Linux systems, too, but with the -+ exception of the sd_is_xxx() calls all functions will become NOPs. -+ -+ See sd-daemon(7) for more information. -+*/ -+ -+#ifndef _sd_printf_attr_ -+#if __GNUC__ >= 4 -+#define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) -+#else -+#define _sd_printf_attr_(a,b) -+#endif -+#endif -+ -+/* -+ Log levels for usage on stderr: -+ -+ fprintf(stderr, SD_NOTICE "Hello World!\n"); -+ -+ This is similar to printk() usage in the kernel. 
-+*/ -+#define SD_EMERG "<0>" /* system is unusable */ -+#define SD_ALERT "<1>" /* action must be taken immediately */ -+#define SD_CRIT "<2>" /* critical conditions */ -+#define SD_ERR "<3>" /* error conditions */ -+#define SD_WARNING "<4>" /* warning conditions */ -+#define SD_NOTICE "<5>" /* normal but significant condition */ -+#define SD_INFO "<6>" /* informational */ -+#define SD_DEBUG "<7>" /* debug-level messages */ -+ -+/* The first passed file descriptor is fd 3 */ -+#define SD_LISTEN_FDS_START 3 -+ -+/* -+ Returns how many file descriptors have been passed, or a negative -+ errno code on failure. Optionally, removes the $LISTEN_FDS and -+ $LISTEN_PID file descriptors from the environment (recommended, but -+ problematic in threaded environments). If r is the return value of -+ this function you'll find the file descriptors passed as fds -+ SD_LISTEN_FDS_START to SD_LISTEN_FDS_START+r-1. Returns a negative -+ errno style error code on failure. This function call ensures that -+ the FD_CLOEXEC flag is set for the passed file descriptors, to make -+ sure they are not passed on to child processes. If FD_CLOEXEC shall -+ not be set, the caller needs to unset it after this call for all file -+ descriptors that are used. -+ -+ See sd_listen_fds(3) for more information. -+*/ -+int netsnmp_sd_listen_fds(int unset_environment); -+ -+/* -+ Helper call for identifying a passed file descriptor. Returns 1 if -+ the file descriptor is a FIFO in the file system stored under the -+ specified path, 0 otherwise. If path is NULL a path name check will -+ not be done and the call only verifies if the file descriptor -+ refers to a FIFO. Returns a negative errno style error code on -+ failure. -+ -+ See sd_is_fifo(3) for more information. -+*/ -+int netsnmp_sd_is_fifo(int fd, const char *path); -+ -+/* -+ Helper call for identifying a passed file descriptor. 
Returns 1 if -+ the file descriptor is a special character device on the file -+ system stored under the specified path, 0 otherwise. -+ If path is NULL a path name check will not be done and the call -+ only verifies if the file descriptor refers to a special character. -+ Returns a negative errno style error code on failure. -+ -+ See sd_is_special(3) for more information. -+*/ -+int netsnmp_sd_is_special(int fd, const char *path); -+ -+/* -+ Helper call for identifying a passed file descriptor. Returns 1 if -+ the file descriptor is a socket of the specified family (AF_INET, -+ ...) and type (SOCK_DGRAM, SOCK_STREAM, ...), 0 otherwise. If -+ family is 0 a socket family check will not be done. If type is 0 a -+ socket type check will not be done and the call only verifies if -+ the file descriptor refers to a socket. If listening is > 0 it is -+ verified that the socket is in listening mode. (i.e. listen() has -+ been called) If listening is == 0 it is verified that the socket is -+ not in listening mode. If listening is < 0 no listening mode check -+ is done. Returns a negative errno style error code on failure. -+ -+ See sd_is_socket(3) for more information. -+*/ -+int netsnmp_sd_is_socket(int fd, int family, int type, int listening); -+ -+/* -+ Helper call for identifying a passed file descriptor. Returns 1 if -+ the file descriptor is an Internet socket, of the specified family -+ (either AF_INET or AF_INET6) and the specified type (SOCK_DGRAM, -+ SOCK_STREAM, ...), 0 otherwise. If version is 0 a protocol version -+ check is not done. If type is 0 a socket type check will not be -+ done. If port is 0 a socket port check will not be done. The -+ listening flag is used the same way as in sd_is_socket(). Returns a -+ negative errno style error code on failure. -+ -+ See sd_is_socket_inet(3) for more information. 
-+*/ -+int netsnmp_sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port); -+ -+/* -+ Helper call for identifying a passed file descriptor. Returns 1 if -+ the file descriptor is an AF_UNIX socket of the specified type -+ (SOCK_DGRAM, SOCK_STREAM, ...) and path, 0 otherwise. If type is 0 -+ a socket type check will not be done. If path is NULL a socket path -+ check will not be done. For normal AF_UNIX sockets set length to -+ 0. For abstract namespace sockets set length to the length of the -+ socket name (including the initial 0 byte), and pass the full -+ socket path in path (including the initial 0 byte). The listening -+ flag is used the same way as in sd_is_socket(). Returns a negative -+ errno style error code on failure. -+ -+ See sd_is_socket_unix(3) for more information. -+*/ -+int netsnmp_sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length); -+ -+/* -+ Informs systemd about changed daemon state. This takes a number of -+ newline separated environment-style variable assignments in a -+ string. The following variables are known: -+ -+ READY=1 Tells systemd that daemon startup is finished (only -+ relevant for services of Type=notify). The passed -+ argument is a boolean "1" or "0". Since there is -+ little value in signaling non-readiness the only -+ value daemons should send is "READY=1". -+ -+ STATUS=... Passes a single-line status string back to systemd -+ that describes the daemon state. This is free-from -+ and can be used for various purposes: general state -+ feedback, fsck-like programs could pass completion -+ percentages and failing programs could pass a human -+ readable error message. Example: "STATUS=Completed -+ 66% of file system check..." -+ -+ ERRNO=... If a daemon fails, the errno-style error code, -+ formatted as string. Example: "ERRNO=2" for ENOENT. -+ -+ BUSERROR=... If a daemon fails, the D-Bus error-style error -+ code. 
Example: "BUSERROR=org.freedesktop.DBus.Error.TimedOut" -+ -+ MAINPID=... The main pid of a daemon, in case systemd did not -+ fork off the process itself. Example: "MAINPID=4711" -+ -+ Daemons can choose to send additional variables. However, it is -+ recommended to prefix variable names not listed above with X_. -+ -+ Returns a negative errno-style error code on failure. Returns > 0 -+ if systemd could be notified, 0 if it couldn't possibly because -+ systemd is not running. -+ -+ Example: When a daemon finished starting up, it could issue this -+ call to notify systemd about it: -+ -+ sd_notify(0, "READY=1"); -+ -+ See sd_notifyf() for more complete examples. -+ -+ See sd_notify(3) for more information. -+*/ -+int netsnmp_sd_notify(int unset_environment, const char *state); -+ -+/* -+ Similar to sd_notify() but takes a format string. -+ -+ Example 1: A daemon could send the following after initialization: -+ -+ sd_notifyf(0, "READY=1\n" -+ "STATUS=Processing requests...\n" -+ "MAINPID=%lu", -+ (unsigned long) getpid()); -+ -+ Example 2: A daemon could send the following shortly before -+ exiting, on failure: -+ -+ sd_notifyf(0, "STATUS=Failed to start up: %s\n" -+ "ERRNO=%i", -+ strerror(errno), -+ errno); -+ -+ See sd_notifyf(3) for more information. -+*/ -+int netsnmp_sd_notifyf(int unset_environment, const char *format, ...) _sd_printf_attr_(2,3); -+ -+/* -+ Returns > 0 if the system was booted with systemd. Returns < 0 on -+ error. Returns 0 if the system was not booted with systemd. Note -+ that all of the functions above handle non-systemd boots just -+ fine. You should NOT protect them with a call to this function. Also -+ note that this function checks whether the system, not the user -+ session is controlled by systemd. However the functions above work -+ for both user and system services. -+ -+ See sd_booted(3) for more information. -+*/ -+int netsnmp_sd_booted(void); -+ -+/** -+ * Find an socket with given parameters. 
See man sd_is_socket_inet for -+ * description of the arguments. -+ * -+ * Returns the file descriptor if it is found, 0 otherwise. -+ */ -+int netsnmp_sd_find_inet_socket(int family, int type, int listening, int port); -+ -+/** -+ * Find an unix socket with given parameters. See man sd_is_socket_unix for -+ * description of the arguments. -+ * -+ * Returns the file descriptor if it is found, 0 otherwise. -+ */ -+int -+netsnmp_sd_find_unix_socket(int type, int listening, const char *path); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SNMPD_SD_DAEMON_H */ -diff -up net-snmp-5.7.3/include/net-snmp/net-snmp-config.h.in.MPGqYh net-snmp-5.7.3/include/net-snmp/net-snmp-config.h.in ---- net-snmp-5.7.3/include/net-snmp/net-snmp-config.h.in.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/include/net-snmp/net-snmp-config.h.in 2015-02-17 13:34:05.746221843 +0100 -@@ -1410,6 +1410,9 @@ - /* If you don't have root access don't exit upon kmem errors */ - #undef NETSNMP_NO_ROOT_ACCESS - -+/* If you don't want to integrate with systemd. */ -+#undef NETSNMP_NO_SYSTEMD -+ - /* Define if you want to remove all SET/write access from the code */ - #undef NETSNMP_NO_WRITE_SUPPORT - -diff -up net-snmp-5.7.3/README.systemd.MPGqYh net-snmp-5.7.3/README.systemd ---- net-snmp-5.7.3/README.systemd.MPGqYh 2015-02-17 13:34:05.747221843 +0100 -+++ net-snmp-5.7.3/README.systemd 2015-02-17 13:34:05.747221843 +0100 -@@ -0,0 +1,41 @@ -+README.systemd -+-------------- -+Net-SNMP provides two daemons, which support systemd system manager. -+See http://www.freedesktop.org/wiki/Software/systemd to learn how -+systemd works. Both socket activation and notification is supported by these -+daemons. -+ -+To enable systemd support, the sources must be compiled with -+--with-systemd configure option. -+ -+snmpd - The SNMP agent -+---------------------- -+Socket activation od snmpd daemon is implemented, but it's discouraged. 
-+The reason is simple - snmpd not only listens and processes SNMP requests -+from network, but also gathers system statistics counters, sends traps and -+communicates with subagents. It even opens few netlink sockets. -+ -+In other words, snmpd should run from system start to properly work. -+This can be done in two ways: -+1) either as snmpd service unit with 'Type=notification' and without a socket -+ unit -+2) or as snmpd service unit with 'Type=simple', appropriate socket socket unit -+ and the snmpd service enabled. This way systemd creates the snmpd listening -+ socket early during boot and passes the sockets to snmpd slightly later -+ (but still during machine boot). This way systemd can paralelize start of -+ services, which depend on snmpd. Admins must adjust the socket file manually, -+ depending if the snmpd support AgentX, IPv6, SMUX etc. -+ -+snmpd should be started with '-f' command line parameter to disable forking - -+systemd does that for us automatically. -+ -+ -+snmptrapd - The trap processing daemon -+-------------------------------------- -+snmptrapd supports full socket activation and also notification (if needed). -+Both 'Type=simple' (with appropriate socket unit) and 'Type=notify' services -+will work. Again, '-f' parameter should be provided on snmptrapd command line. -+ -+If integration with SNMP agent using AgentX protocol is enabled, snmptrapd should -+start during boot and not after first SNMP trap arrives. Same rules as for snmpd -+applies then. -\ No newline at end of file -diff -up net-snmp-5.7.3/snmplib/sd-daemon.c.MPGqYh net-snmp-5.7.3/snmplib/sd-daemon.c ---- net-snmp-5.7.3/snmplib/sd-daemon.c.MPGqYh 2015-02-17 13:34:05.747221843 +0100 -+++ net-snmp-5.7.3/snmplib/sd-daemon.c 2015-02-17 13:34:05.747221843 +0100 -@@ -0,0 +1,532 @@ -+/* -+ * Systemd integration parts. -+ * -+ * Most of this file is directly copied from systemd sources. 
-+ * Changes: -+ * - all functions were renamed to have netsnmp_ prefix -+ * - includes were changed to match Net-SNMP style. -+ * - removed gcc export macros -+ * - removed POSIX message queues -+ */ -+ -+#include <net-snmp/net-snmp-config.h> -+#include <net-snmp/net-snmp-features.h> -+#include <net-snmp/types.h> -+#include <net-snmp/library/snmp_debug.h> -+ -+#ifndef NETSNMP_NO_SYSTEMD -+ -+/*** -+ Copyright 2010 Lennart Poettering -+ -+ Permission is hereby granted, free of charge, to any person -+ obtaining a copy of this software and associated documentation files -+ (the "Software"), to deal in the Software without restriction, -+ including without limitation the rights to use, copy, modify, merge, -+ publish, distribute, sublicense, and/or sell copies of the Software, -+ and to permit persons to whom the Software is furnished to do so, -+ subject to the following conditions: -+ -+ The above copyright notice and this permission notice shall be -+ included in all copies or substantial portions of the Software. -+ -+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS -+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN -+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ SOFTWARE. 
-+***/ -+ -+#ifndef _GNU_SOURCE -+#define _GNU_SOURCE -+#endif -+ -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <sys/fcntl.h> -+#include <netinet/in.h> -+#include <stdlib.h> -+#include <errno.h> -+#include <unistd.h> -+#include <string.h> -+#include <stdarg.h> -+#include <stdio.h> -+#include <stddef.h> -+#include <limits.h> -+ -+#include <net-snmp/library/sd-daemon.h> -+ -+int netsnmp_sd_listen_fds(int unset_environment) { -+ -+ int r, fd; -+ const char *e; -+ char *p = NULL; -+ unsigned long l; -+ -+ if (!(e = getenv("LISTEN_PID"))) { -+ r = 0; -+ goto finish; -+ } -+ -+ errno = 0; -+ l = strtoul(e, &p, 10); -+ -+ if (errno != 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (!p || *p || l <= 0) { -+ r = -EINVAL; -+ goto finish; -+ } -+ -+ /* Is this for us? */ -+ if (getpid() != (pid_t) l) { -+ r = 0; -+ goto finish; -+ } -+ -+ if (!(e = getenv("LISTEN_FDS"))) { -+ r = 0; -+ goto finish; -+ } -+ -+ errno = 0; -+ l = strtoul(e, &p, 10); -+ -+ if (errno != 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (!p || *p) { -+ r = -EINVAL; -+ goto finish; -+ } -+ -+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) { -+ int flags; -+ -+ if ((flags = fcntl(fd, F_GETFD)) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (flags & FD_CLOEXEC) -+ continue; -+ -+ if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ } -+ -+ r = (int) l; -+ -+finish: -+ if (unset_environment) { -+ unsetenv("LISTEN_PID"); -+ unsetenv("LISTEN_FDS"); -+ } -+ -+ return r; -+} -+ -+int netsnmp_sd_is_fifo(int fd, const char *path) { -+ struct stat st_fd; -+ -+ if (fd < 0) -+ return -EINVAL; -+ -+ memset(&st_fd, 0, sizeof(st_fd)); -+ if (fstat(fd, &st_fd) < 0) -+ return -errno; -+ -+ if (!S_ISFIFO(st_fd.st_mode)) -+ return 0; -+ -+ if (path) { -+ struct stat st_path; -+ -+ memset(&st_path, 0, sizeof(st_path)); -+ if (stat(path, &st_path) < 0) { -+ -+ if (errno == ENOENT || errno 
== ENOTDIR) -+ return 0; -+ -+ return -errno; -+ } -+ -+ return -+ st_path.st_dev == st_fd.st_dev && -+ st_path.st_ino == st_fd.st_ino; -+ } -+ -+ return 1; -+} -+ -+int netsnmp_sd_is_special(int fd, const char *path) { -+ struct stat st_fd; -+ -+ if (fd < 0) -+ return -EINVAL; -+ -+ if (fstat(fd, &st_fd) < 0) -+ return -errno; -+ -+ if (!S_ISREG(st_fd.st_mode) && !S_ISCHR(st_fd.st_mode)) -+ return 0; -+ -+ if (path) { -+ struct stat st_path; -+ -+ if (stat(path, &st_path) < 0) { -+ -+ if (errno == ENOENT || errno == ENOTDIR) -+ return 0; -+ -+ return -errno; -+ } -+ -+ if (S_ISREG(st_fd.st_mode) && S_ISREG(st_path.st_mode)) -+ return -+ st_path.st_dev == st_fd.st_dev && -+ st_path.st_ino == st_fd.st_ino; -+ else if (S_ISCHR(st_fd.st_mode) && S_ISCHR(st_path.st_mode)) -+ return st_path.st_rdev == st_fd.st_rdev; -+ else -+ return 0; -+ } -+ -+ return 1; -+} -+ -+static int sd_is_socket_internal(int fd, int type, int listening) { -+ struct stat st_fd; -+ -+ if (fd < 0 || type < 0) -+ return -EINVAL; -+ -+ if (fstat(fd, &st_fd) < 0) -+ return -errno; -+ -+ if (!S_ISSOCK(st_fd.st_mode)) -+ return 0; -+ -+ if (type != 0) { -+ int other_type = 0; -+ socklen_t l = sizeof(other_type); -+ -+ if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &other_type, &l) < 0) -+ return -errno; -+ -+ if (l != sizeof(other_type)) -+ return -EINVAL; -+ -+ if (other_type != type) -+ return 0; -+ } -+ -+ if (listening >= 0) { -+ int accepting = 0; -+ socklen_t l = sizeof(accepting); -+ -+ if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &l) < 0) -+ return -errno; -+ -+ if (l != sizeof(accepting)) -+ return -EINVAL; -+ -+ if (!accepting != !listening) -+ return 0; -+ } -+ -+ return 1; -+} -+ -+union sockaddr_union { -+ struct sockaddr sa; -+ struct sockaddr_in in4; -+ struct sockaddr_in6 in6; -+ struct sockaddr_un un; -+ struct sockaddr_storage storage; -+}; -+ -+int netsnmp_sd_is_socket(int fd, int family, int type, int listening) { -+ int r; -+ -+ if (family < 0) -+ return -EINVAL; -+ -+ if 
((r = sd_is_socket_internal(fd, type, listening)) <= 0) -+ return r; -+ -+ if (family > 0) { -+ union sockaddr_union sockaddr; -+ socklen_t l; -+ -+ memset(&sockaddr, 0, sizeof(sockaddr)); -+ l = sizeof(sockaddr); -+ -+ if (getsockname(fd, &sockaddr.sa, &l) < 0) -+ return -errno; -+ -+ if (l < sizeof(sa_family_t)) -+ return -EINVAL; -+ -+ return sockaddr.sa.sa_family == family; -+ } -+ -+ return 1; -+} -+ -+int netsnmp_sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) { -+ union sockaddr_union sockaddr; -+ socklen_t l; -+ int r; -+ -+ if (family != 0 && family != AF_INET && family != AF_INET6) -+ return -EINVAL; -+ -+ if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) -+ return r; -+ -+ memset(&sockaddr, 0, sizeof(sockaddr)); -+ l = sizeof(sockaddr); -+ -+ if (getsockname(fd, &sockaddr.sa, &l) < 0) -+ return -errno; -+ -+ if (l < sizeof(sa_family_t)) -+ return -EINVAL; -+ -+ if (sockaddr.sa.sa_family != AF_INET && -+ sockaddr.sa.sa_family != AF_INET6) -+ return 0; -+ -+ if (family > 0) -+ if (sockaddr.sa.sa_family != family) -+ return 0; -+ -+ if (port > 0) { -+ if (sockaddr.sa.sa_family == AF_INET) { -+ if (l < sizeof(struct sockaddr_in)) -+ return -EINVAL; -+ -+ return htons(port) == sockaddr.in4.sin_port; -+ } else { -+ if (l < sizeof(struct sockaddr_in6)) -+ return -EINVAL; -+ -+ return htons(port) == sockaddr.in6.sin6_port; -+ } -+ } -+ -+ return 1; -+} -+ -+int netsnmp_sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) { -+ union sockaddr_union sockaddr; -+ socklen_t l; -+ int r; -+ -+ if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) -+ return r; -+ -+ memset(&sockaddr, 0, sizeof(sockaddr)); -+ l = sizeof(sockaddr); -+ -+ if (getsockname(fd, &sockaddr.sa, &l) < 0) -+ return -errno; -+ -+ if (l < sizeof(sa_family_t)) -+ return -EINVAL; -+ -+ if (sockaddr.sa.sa_family != AF_UNIX) -+ return 0; -+ -+ if (path) { -+ if (length <= 0) -+ length = strlen(path); -+ -+ if (length <= 0) -+ /* 
Unnamed socket */ -+ return l == offsetof(struct sockaddr_un, sun_path); -+ -+ if (path[0]) -+ /* Normal path socket */ -+ return -+ (l >= offsetof(struct sockaddr_un, sun_path) + length + 1) && -+ memcmp(path, sockaddr.un.sun_path, length+1) == 0; -+ else -+ /* Abstract namespace socket */ -+ return -+ (l == offsetof(struct sockaddr_un, sun_path) + length) && -+ memcmp(path, sockaddr.un.sun_path, length) == 0; -+ } -+ -+ return 1; -+} -+ -+int netsnmp_sd_notify(int unset_environment, const char *state) { -+ int fd = -1, r; -+ struct msghdr msghdr; -+ struct iovec iovec; -+ union sockaddr_union sockaddr; -+ const char *e; -+ -+ if (!state) { -+ r = -EINVAL; -+ goto finish; -+ } -+ -+ if (!(e = getenv("NOTIFY_SOCKET"))) -+ return 0; -+ -+ /* Must be an abstract socket, or an absolute path */ -+ if ((e[0] != '@' && e[0] != '/') || e[1] == 0) { -+ r = -EINVAL; -+ goto finish; -+ } -+ -+ if ((fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ memset(&sockaddr, 0, sizeof(sockaddr)); -+ sockaddr.sa.sa_family = AF_UNIX; -+ strncpy(sockaddr.un.sun_path, e, sizeof(sockaddr.un.sun_path)); -+ -+ if (sockaddr.un.sun_path[0] == '@') -+ sockaddr.un.sun_path[0] = 0; -+ -+ memset(&iovec, 0, sizeof(iovec)); -+ iovec.iov_base = (char *)state; -+ iovec.iov_len = strlen(state); -+ -+ memset(&msghdr, 0, sizeof(msghdr)); -+ msghdr.msg_name = &sockaddr; -+ msghdr.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(e); -+ -+ if (msghdr.msg_namelen > sizeof(struct sockaddr_un)) -+ msghdr.msg_namelen = sizeof(struct sockaddr_un); -+ -+ msghdr.msg_iov = &iovec; -+ msghdr.msg_iovlen = 1; -+ -+ if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ r = 1; -+ -+finish: -+ if (unset_environment) -+ unsetenv("NOTIFY_SOCKET"); -+ -+ if (fd >= 0) -+ close(fd); -+ -+ return r; -+} -+ -+int netsnmp_sd_notifyf(int unset_environment, const char *format, ...) 
{ -+ va_list ap; -+ char *p = NULL; -+ int r; -+ -+ va_start(ap, format); -+ r = vasprintf(&p, format, ap); -+ va_end(ap); -+ -+ if (r < 0 || !p) -+ return -ENOMEM; -+ -+ r = netsnmp_sd_notify(unset_environment, p); -+ free(p); -+ -+ return r; -+} -+ -+int netsnmp_sd_booted(void) { -+ struct stat a, b; -+ -+ /* We simply test whether the systemd cgroup hierarchy is -+ * mounted */ -+ -+ if (lstat("/sys/fs/cgroup", &a) < 0) -+ return 0; -+ -+ if (lstat("/sys/fs/cgroup/systemd", &b) < 0) -+ return 0; -+ -+ return a.st_dev != b.st_dev; -+} -+ -+/* End of original sd-daemon.c from systemd sources */ -+ -+int -+netsnmp_sd_find_inet_socket(int family, int type, int listening, int port) -+{ -+ int count, fd; -+ -+ count = netsnmp_sd_listen_fds(0); -+ if (count <= 0) { -+ DEBUGMSGTL(("systemd:find_inet_socket", "No LISTEN_FDS found.\n")); -+ return 0; -+ } -+ DEBUGMSGTL(("systemd:find_inet_socket", "LISTEN_FDS reports %d sockets.\n", -+ count)); -+ -+ for (fd = 3; fd < 3+count; fd++) { -+ int rc = netsnmp_sd_is_socket_inet(fd, family, type, listening, port); -+ if (rc < 0) -+ DEBUGMSGTL(("systemd:find_inet_socket", -+ "sd_is_socket_inet error: %d\n", rc)); -+ if (rc > 0) { -+ DEBUGMSGTL(("systemd:find_inet_socket", -+ "Found the socket in LISTEN_FDS\n")); -+ return fd; -+ } -+ } -+ DEBUGMSGTL(("systemd:find_inet_socket", "Socket not found in LISTEN_FDS\n")); -+ return 0; -+} -+ -+int -+netsnmp_sd_find_unix_socket(int type, int listening, const char *path) -+{ -+ int count, fd; -+ -+ count = netsnmp_sd_listen_fds(0); -+ if (count <= 0) { -+ DEBUGMSGTL(("systemd:find_unix_socket", "No LISTEN_FDS found.\n")); -+ return 0; -+ } -+ DEBUGMSGTL(("systemd:find_unix_socket", "LISTEN_FDS reports %d sockets.\n", -+ count)); -+ -+ for (fd = 3; fd < 3+count; fd++) { -+ int rc = netsnmp_sd_is_socket_unix(fd, type, listening, path, 0); -+ if (rc < 0) -+ DEBUGMSGTL(("systemd:find_unix_socket", -+ "netsnmp_sd_is_socket_unix error: %d\n", rc)); -+ if (rc > 0) { -+ 
DEBUGMSGTL(("systemd:find_unix_socket", -+ "Found the socket in LISTEN_FDS\n")); -+ return fd; -+ } -+ } -+ DEBUGMSGTL(("systemd:find_unix_socket", "Socket not found in LISTEN_FDS\n")); -+ return 0; -+} -+ -+#endif /* ! NETSNMP_NO_SYSTEMD */ -diff -up net-snmp-5.7.3/snmplib/transports/snmpTCPDomain.c.MPGqYh net-snmp-5.7.3/snmplib/transports/snmpTCPDomain.c ---- net-snmp-5.7.3/snmplib/transports/snmpTCPDomain.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/snmplib/transports/snmpTCPDomain.c 2015-02-17 13:34:05.748221842 +0100 -@@ -43,6 +43,10 @@ - #include <net-snmp/library/snmpTCPBaseDomain.h> - #include <net-snmp/library/tools.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - /* - * needs to be in sync with the definitions in snmplib/snmpUDPDomain.c - * and perl/agent/agent.xs -@@ -149,6 +153,7 @@ netsnmp_tcp_transport(struct sockaddr_in - netsnmp_transport *t = NULL; - netsnmp_udp_addr_pair *addr_pair = NULL; - int rc = 0; -+ int socket_initialized = 0; - - #ifdef NETSNMP_NO_LISTEN_SUPPORT - if (local) -@@ -178,7 +183,19 @@ netsnmp_tcp_transport(struct sockaddr_in - t->domain_length = - sizeof(netsnmp_snmpTCPDomain) / sizeof(netsnmp_snmpTCPDomain[0]); - -- t->sock = socket(PF_INET, SOCK_STREAM, 0); -+#ifndef NETSNMP_NO_SYSTEMD -+ /* -+ * Maybe the socket was already provided by systemd... 
-+ */ -+ if (local) { -+ t->sock = netsnmp_sd_find_inet_socket(PF_INET, SOCK_STREAM, 1, -+ ntohs(addr->sin_port)); -+ if (t->sock) -+ socket_initialized = 1; -+ } -+#endif -+ if (!socket_initialized) -+ t->sock = socket(PF_INET, SOCK_STREAM, 0); - if (t->sock < 0) { - netsnmp_transport_free(t); - return NULL; -@@ -215,11 +232,13 @@ netsnmp_tcp_transport(struct sockaddr_in - setsockopt(t->sock, SOL_SOCKET, SO_REUSEADDR, (void *)&opt, - sizeof(opt)); - -- rc = bind(t->sock, (struct sockaddr *)addr, sizeof(struct sockaddr)); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = bind(t->sock, (struct sockaddr *)addr, sizeof(struct sockaddr)); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - - /* -@@ -235,12 +254,13 @@ netsnmp_tcp_transport(struct sockaddr_in - /* - * Now sit here and wait for connections to arrive. - */ -- -- rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - - /* -diff -up net-snmp-5.7.3/snmplib/transports/snmpTCPIPv6Domain.c.MPGqYh net-snmp-5.7.3/snmplib/transports/snmpTCPIPv6Domain.c ---- net-snmp-5.7.3/snmplib/transports/snmpTCPIPv6Domain.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/snmplib/transports/snmpTCPIPv6Domain.c 2015-02-17 13:34:05.748221842 +0100 -@@ -49,6 +49,10 @@ - #include <net-snmp/library/snmpTCPBaseDomain.h> - #include <net-snmp/library/tools.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - #include "inet_ntop.h" - - oid netsnmp_TCPIPv6Domain[] = { TRANSPORT_DOMAIN_TCP_IPV6 }; -@@ -140,6 +144,7 @@ netsnmp_tcp6_transport(struct sockaddr_i - { - netsnmp_transport 
*t = NULL; - int rc = 0; -+ int socket_initialized = 0; - - #ifdef NETSNMP_NO_LISTEN_SUPPORT - if (local) -@@ -174,7 +179,19 @@ netsnmp_tcp6_transport(struct sockaddr_i - t->domain = netsnmp_TCPIPv6Domain; - t->domain_length = sizeof(netsnmp_TCPIPv6Domain) / sizeof(oid); - -- t->sock = socket(PF_INET6, SOCK_STREAM, 0); -+#ifndef NETSNMP_NO_SYSTEMD -+ /* -+ * Maybe the socket was already provided by systemd... -+ */ -+ if (local) { -+ t->sock = netsnmp_sd_find_inet_socket(PF_INET6, SOCK_STREAM, 1, -+ ntohs(addr->sin6_port)); -+ if (t->sock) -+ socket_initialized = 1; -+ } -+#endif -+ if (!socket_initialized) -+ t->sock = socket(PF_INET6, SOCK_STREAM, 0); - if (t->sock < 0) { - netsnmp_transport_free(t); - return NULL; -@@ -220,12 +237,14 @@ netsnmp_tcp6_transport(struct sockaddr_i - - setsockopt(t->sock, SOL_SOCKET, SO_REUSEADDR, (void *)&opt, sizeof(opt)); - -- rc = bind(t->sock, (struct sockaddr *) addr, -- sizeof(struct sockaddr_in6)); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = bind(t->sock, (struct sockaddr *) addr, -+ sizeof(struct sockaddr_in6)); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - - /* -@@ -242,11 +261,13 @@ netsnmp_tcp6_transport(struct sockaddr_i - * Now sit here and wait for connections to arrive. 
- */ - -- rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - - /* -diff -up net-snmp-5.7.3/snmplib/transports/snmpUDPIPv4BaseDomain.c.MPGqYh net-snmp-5.7.3/snmplib/transports/snmpUDPIPv4BaseDomain.c ---- net-snmp-5.7.3/snmplib/transports/snmpUDPIPv4BaseDomain.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/snmplib/transports/snmpUDPIPv4BaseDomain.c 2015-02-17 13:36:22.744123462 +0100 -@@ -40,6 +40,10 @@ - - #include <net-snmp/library/snmpSocketBaseDomain.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - #if defined(HAVE_IP_PKTINFO) || defined(HAVE_IP_RECVDSTADDR) - int netsnmp_udpipv4_recvfrom(int s, void *buf, int len, struct sockaddr *from, - socklen_t *fromlen, struct sockaddr *dstip, -@@ -64,6 +68,7 @@ netsnmp_udpipv4base_transport(struct soc - char *client_socket = NULL; - netsnmp_indexed_addr_pair addr_pair; - socklen_t local_addr_len; -+ int socket_initialized = 0; - - #ifdef NETSNMP_NO_LISTEN_SUPPORT - if (local) -@@ -88,7 +93,20 @@ netsnmp_udpipv4base_transport(struct soc - free(str); - } - -- t->sock = socket(PF_INET, SOCK_DGRAM, 0); -+#ifndef NETSNMP_NO_SYSTEMD -+ /* -+ * Maybe the socket was already provided by systemd... 
-+ */ -+ if (local) { -+ t->sock = netsnmp_sd_find_inet_socket(PF_INET, SOCK_DGRAM, -1, -+ ntohs(addr->sin_port)); -+ if (t->sock) -+ socket_initialized = 1; -+ } -+#endif -+ if (!socket_initialized) -+ t->sock = socket(PF_INET, SOCK_DGRAM, 0); -+ - DEBUGMSGTL(("UDPBase", "openned socket %d as local=%d\n", t->sock, local)); - if (t->sock < 0) { - netsnmp_transport_free(t); -@@ -151,12 +169,14 @@ netsnmp_udpipv4base_transport(struct soc - } - } - #endif /* !defined(WIN32) */ -- rc = bind(t->sock, (struct sockaddr *) addr, -- sizeof(struct sockaddr)); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = bind(t->sock, (struct sockaddr *) addr, -+ sizeof(struct sockaddr)); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - t->data = NULL; - t->data_length = 0; -diff -up net-snmp-5.7.3/snmplib/transports/snmpUDPIPv6Domain.c.MPGqYh net-snmp-5.7.3/snmplib/transports/snmpUDPIPv6Domain.c ---- net-snmp-5.7.3/snmplib/transports/snmpUDPIPv6Domain.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/snmplib/transports/snmpUDPIPv6Domain.c 2015-02-17 13:37:16.256087147 +0100 -@@ -67,6 +67,10 @@ static const struct in6_addr in6addr_any - #include <net-snmp/library/snmpSocketBaseDomain.h> - #include <net-snmp/library/tools.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - #include "inet_ntop.h" - #include "inet_pton.h" - -@@ -190,6 +194,7 @@ netsnmp_udp6_transport(struct sockaddr_i - { - netsnmp_transport *t = NULL; - int rc = 0; -+ int socket_initialized = 0; - - #ifdef NETSNMP_NO_LISTEN_SUPPORT - if (local) -@@ -217,7 +222,19 @@ netsnmp_udp6_transport(struct sockaddr_i - t->domain_length = - sizeof(netsnmp_UDPIPv6Domain) / sizeof(netsnmp_UDPIPv6Domain[0]); - -- t->sock = socket(PF_INET6, SOCK_DGRAM, 0); -+#ifndef NETSNMP_NO_SYSTEMD -+ /* -+ * Maybe the socket was already provided by systemd... 
-+ */ -+ if (local) { -+ t->sock = netsnmp_sd_find_inet_socket(PF_INET6, SOCK_DGRAM, -1, -+ ntohs(addr->sin6_port)); -+ if (t->sock) -+ socket_initialized = 1; -+ } -+#endif -+ if (!socket_initialized) -+ t->sock = socket(PF_INET6, SOCK_DGRAM, 0); - if (t->sock < 0) { - netsnmp_transport_free(t); - return NULL; -@@ -242,13 +259,14 @@ netsnmp_udp6_transport(struct sockaddr_i - } - } - #endif -- -- rc = bind(t->sock, (struct sockaddr *) addr, -- sizeof(struct sockaddr_in6)); -- if (rc != 0) { -- netsnmp_socketbase_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = bind(t->sock, (struct sockaddr *) addr, -+ sizeof(struct sockaddr_in6)); -+ if (rc != 0) { -+ netsnmp_socketbase_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } - t->local = (unsigned char*)malloc(18); - if (t->local == NULL) { -diff -up net-snmp-5.7.3/snmplib/transports/snmpUnixDomain.c.MPGqYh net-snmp-5.7.3/snmplib/transports/snmpUnixDomain.c ---- net-snmp-5.7.3/snmplib/transports/snmpUnixDomain.c.MPGqYh 2014-12-08 21:23:22.000000000 +0100 -+++ net-snmp-5.7.3/snmplib/transports/snmpUnixDomain.c 2015-02-17 13:34:05.749221841 +0100 -@@ -37,6 +37,10 @@ - #include <net-snmp/library/system.h> /* mkdirhier */ - #include <net-snmp/library/tools.h> - -+#ifndef NETSNMP_NO_SYSTEMD -+#include <net-snmp/library/sd-daemon.h> -+#endif -+ - netsnmp_feature_child_of(transport_unix_socket_all, transport_all) - netsnmp_feature_child_of(unix_socket_paths, transport_unix_socket_all) - -@@ -295,6 +299,7 @@ netsnmp_unix_transport(struct sockaddr_u - netsnmp_transport *t = NULL; - sockaddr_un_pair *sup = NULL; - int rc = 0; -+ int socket_initialized = 0; - - #ifdef NETSNMP_NO_LISTEN_SUPPORT - /* SPECIAL CIRCUMSTANCE: We still want AgentX to be able to operate, -@@ -333,7 +338,18 @@ netsnmp_unix_transport(struct sockaddr_u - t->data_length = sizeof(sockaddr_un_pair); - sup = (sockaddr_un_pair *) t->data; - -- t->sock = socket(PF_UNIX, SOCK_STREAM, 0); -+#ifndef 
NETSNMP_NO_SYSTEMD -+ /* -+ * Maybe the socket was already provided by systemd... -+ */ -+ if (local) { -+ t->sock = netsnmp_sd_find_unix_socket(SOCK_STREAM, 1, addr->sun_path); -+ if (t->sock) -+ socket_initialized = 1; -+ } -+#endif -+ if (!socket_initialized) -+ t->sock = socket(PF_UNIX, SOCK_STREAM, 0); - if (t->sock < 0) { - netsnmp_transport_free(t); - return NULL; -@@ -357,25 +373,26 @@ netsnmp_unix_transport(struct sockaddr_u - - t->flags |= NETSNMP_TRANSPORT_FLAG_LISTEN; - -- unlink(addr->sun_path); -- rc = bind(t->sock, (struct sockaddr *) addr, SUN_LEN(addr)); -- -- if (rc != 0 && errno == ENOENT && create_path) { -- rc = mkdirhier(addr->sun_path, create_mode, 1); -+ if (!socket_initialized) { -+ unlink(addr->sun_path); -+ rc = bind(t->sock, (struct sockaddr *) addr, SUN_LEN(addr)); -+ if (rc != 0 && errno == ENOENT && create_path) { -+ rc = mkdirhier(addr->sun_path, create_mode, 1); -+ if (rc != 0) { -+ netsnmp_unix_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } -+ rc = bind(t->sock, (struct sockaddr *) addr, SUN_LEN(addr)); -+ } - if (rc != 0) { -+ DEBUGMSGTL(("netsnmp_unix_transport", -+ "couldn't bind "%s", errno %d (%s)\n", -+ addr->sun_path, errno, strerror(errno))); - netsnmp_unix_close(t); - netsnmp_transport_free(t); - return NULL; - } -- rc = bind(t->sock, (struct sockaddr *) addr, SUN_LEN(addr)); -- } -- if (rc != 0) { -- DEBUGMSGTL(("netsnmp_unix_transport", -- "couldn't bind "%s", errno %d (%s)\n", -- addr->sun_path, errno, strerror(errno))); -- netsnmp_unix_close(t); -- netsnmp_transport_free(t); -- return NULL; - } - - /* -@@ -391,16 +408,17 @@ netsnmp_unix_transport(struct sockaddr_u - * Now sit here and listen for connections to arrive. 
- */ - -- rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -- if (rc != 0) { -- DEBUGMSGTL(("netsnmp_unix_transport", -- "couldn't listen to "%s", errno %d (%s)\n", -- addr->sun_path, errno, strerror(errno))); -- netsnmp_unix_close(t); -- netsnmp_transport_free(t); -- return NULL; -+ if (!socket_initialized) { -+ rc = listen(t->sock, NETSNMP_STREAM_QUEUE_LEN); -+ if (rc != 0) { -+ DEBUGMSGTL(("netsnmp_unix_transport", -+ "couldn't listen to "%s", errno %d (%s)\n", -+ addr->sun_path, errno, strerror(errno))); -+ netsnmp_unix_close(t); -+ netsnmp_transport_free(t); -+ return NULL; -+ } - } -- - } else { - t->remote = (u_char *)malloc(strlen(addr->sun_path)); - if (t->remote == NULL) { diff --git a/net-snmp/patches/net-snmp-5.7.3-iterator-fix.patch b/net-snmp/patches/net-snmp-5.7.3-iterator-fix.patch new file mode 100644 index 000000000..fb34caff7 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.7.3-iterator-fix.patch @@ -0,0 +1,14 @@ +diff -urNp old/agent/mibgroup/host/data_access/swrun.c new/agent/mibgroup/host/data_access/swrun.c +--- old/agent/mibgroup/host/data_access/swrun.c 2017-07-18 09:44:00.626109526 +0200 ++++ new/agent/mibgroup/host/data_access/swrun.c 2017-07-19 15:27:50.452255836 +0200 +@@ -102,6 +102,10 @@ swrun_count_processes_by_name( char *nam + return 0; /* or -1 */ + + it = CONTAINER_ITERATOR( swrun_container ); ++ if((entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it )) != NULL) { ++ if (0 == strcmp( entry->hrSWRunName, name )) ++ i++; ++ } + while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) { + if (0 == strcmp( entry->hrSWRunName, name )) + i++; diff --git a/net-snmp/patches/net-snmp-5.8-Remove-U64-typedef.patch b/net-snmp/patches/net-snmp-5.8-Remove-U64-typedef.patch new file mode 100644 index 000000000..75a2c6df1 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.8-Remove-U64-typedef.patch 
@@ -0,0 +1,12 @@ +diff -urNp a/include/net-snmp/library/int64.h b/include/net-snmp/library/int64.h +--- a/include/net-snmp/library/int64.h 2018-07-18 14:37:16.543348832 +0200 ++++ b/include/net-snmp/library/int64.h 2018-07-18 15:31:31.516999288 +0200 +@@ -10,7 +10,7 @@ extern "C" { + * Note: using the U64 typedef is deprecated because this typedef conflicts + * with a typedef with the same name defined in the Perl header files. + */ +- typedef struct counter64 U64; ++// typedef struct counter64 U64; + #endif + + #define I64CHARSZ 21 diff --git a/net-snmp/patches/net-snmp-5.8-clientaddr-error-message.patch b/net-snmp/patches/net-snmp-5.8-clientaddr-error-message.patch new file mode 100644 index 000000000..ef851b1ef --- /dev/null +++ b/net-snmp/patches/net-snmp-5.8-clientaddr-error-message.patch 
@@ -0,0 +1,35 @@ +diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c +--- a/snmplib/snmp_api.c 2020-11-26 11:05:51.084788775 +0100 ++++ b/snmplib/snmp_api.c 2020-11-26 11:08:27.850751397 +0100 +@@ -235,7 +235,7 @@ static const char *api_errors[-SNMPERR_M + "No error", /* SNMPERR_SUCCESS */ + "Generic error", /* SNMPERR_GENERR */ + "Invalid local port", /* SNMPERR_BAD_LOCPORT */ +- "Unknown host", /* SNMPERR_BAD_ADDRESS */ ++ "Invalid address", /* SNMPERR_BAD_ADDRESS */ + "Unknown session", /* SNMPERR_BAD_SESSION */ + "Too long", /* SNMPERR_TOO_LONG */ + "No socket", /* SNMPERR_NO_SOCKET */ +@@ -1662,7 +1662,9 @@ _sess_open(netsnmp_session * in_session) + DEBUGMSGTL(("_sess_open", "couldn't interpret peername\n")); + in_session->s_snmp_errno = SNMPERR_BAD_ADDRESS; + in_session->s_errno = errno; +- snmp_set_detail(in_session->peername); ++ if (!netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, ++ NETSNMP_DS_LIB_CLIENT_ADDR)) ++ snmp_set_detail(in_session->peername); + return NULL; + } + +diff -ruNp a/snmplib/transports/snmpUDPIPv4BaseDomain.c b/snmplib/transports/snmpUDPIPv4BaseDomain.c +--- a/snmplib/transports/snmpUDPIPv4BaseDomain.c 2021-01-06 12:51:51.948106797 +0100 ++++ b/snmplib/transports/snmpUDPIPv4BaseDomain.c 2021-01-06 14:17:31.029745744 +0100 +@@ -209,6 +209,8 @@ netsnmp_udpipv4base_transport_bind(netsn + DEBUGMSGTL(("netsnmp_udpbase", + "failed to bind for clientaddr: %d %s\n", + errno, strerror(errno))); ++ NETSNMP_LOGONCE((LOG_ERR, "Cannot bind for clientaddr: %s\n", ++ strerror(errno))); + goto err; + } + diff --git a/net-snmp/patches/net-snmp-5.8-duplicate-ipAddress.patch b/net-snmp/patches/net-snmp-5.8-duplicate-ipAddress.patch new file mode 100644 index 000000000..075976a4e --- /dev/null +++ b/net-snmp/patches/net-snmp-5.8-duplicate-ipAddress.patch 
@@ -0,0 +1,11 @@ +diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c +--- a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:27:03.213904398 +0200 ++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:28:41.025863050 +0200 +@@ -121,6 +121,7 @@ _remove_duplicates(netsnmp_container *co + for (entry = ITERATOR_FIRST(it); entry; entry = ITERATOR_NEXT(it)) { + if (prev_entry && _access_ipaddress_entry_compare_addr(prev_entry, entry) == 0) { + /* 'entry' is duplicate of the previous one -> delete it */ ++ NETSNMP_LOGONCE((LOG_ERR, "Duplicate IPv4 address detected, some interfaces may not be visible in IP-MIB\n")); + netsnmp_access_ipaddress_entry_free(entry); + } else { + CONTAINER_INSERT(ret, entry); diff --git a/net-snmp/patches/net-snmp-5.8-ipAddress-faster-load.patch b/net-snmp/patches/net-snmp-5.8-ipAddress-faster-load.patch new file mode 100644 index 000000000..db95998f0 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.8-ipAddress-faster-load.patch 
@@ -0,0 +1,82 @@ +diff -urNp a/agent/mibgroup/mibII/ipAddr.c b/agent/mibgroup/mibII/ipAddr.c +--- a/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:14:30.113696471 +0200 ++++ b/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:27:15.345354018 +0200 +@@ -495,14 +495,16 @@ Address_Scan_Next(Index, Retin_ifaddr) + } + + #elif defined(linux) ++#include <errno.h> + static struct ifreq *ifr; + static int ifr_counter; + + static void + Address_Scan_Init(void) + { +- int num_interfaces = 0; ++ int i; + int fd; ++ int lastlen = 0; + + /* get info about all interfaces */ + +@@ -510,28 +512,45 @@ Address_Scan_Init(void) + SNMP_FREE(ifc.ifc_buf); + ifr_counter = 0; + +- do +- { + if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) + { + DEBUGMSGTL(("snmpd", "socket open failure in Address_Scan_Init\n")); + return; + } +- num_interfaces += 16; + +- ifc.ifc_len = sizeof(struct ifreq) * num_interfaces; +- ifc.ifc_buf = (char*) realloc(ifc.ifc_buf, ifc.ifc_len); +- +- if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) +- { +- ifr=NULL; +- close(fd); +- return; +- } +- close(fd); ++ /* ++ * Cope with lots of interfaces and brokenness of ioctl SIOCGIFCONF ++ * on some platforms; see W. R. Stevens, ``Unix Network Programming ++ * Volume I'', p.435... ++ */ ++ ++ for (i = 8;; i *= 2) { ++ ifc.ifc_len = sizeof(struct ifreq) * i; ++ ifc.ifc_req = calloc(i, sizeof(struct ifreq)); ++ ++ if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) { ++ if (errno != EINVAL || lastlen != 0) { ++ /* ++ * Something has gone genuinely wrong... ++ */ ++ snmp_log(LOG_ERR, "bad rc from ioctl, errno %d", errno); ++ SNMP_FREE(ifc.ifc_buf); ++ close(fd); ++ return; ++ } ++ } else { ++ if (ifc.ifc_len == lastlen) { ++ /* ++ * The length is the same as the last time; we're done... ++ */ ++ break; ++ } ++ lastlen = ifc.ifc_len; ++ } ++ free(ifc.ifc_buf); /* no SNMP_FREE, getting ready to reassign */ + } +- while (ifc.ifc_len >= (sizeof(struct ifreq) * num_interfaces)); +- ++ ++ close(fd); + ifr = ifc.ifc_req; + } + 
diff --git a/net-snmp/patches/net-snmp-5.8-man-page.patch b/net-snmp/patches/net-snmp-5.8-man-page.patch new file mode 100644 index 000000000..dc78e14b6 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.8-man-page.patch @@ -0,0 +1,36 @@ +diff -urNp a/man/net-snmp-create-v3-user.1.def b/man/net-snmp-create-v3-user.1.def +--- a/man/net-snmp-create-v3-user.1.def 2020-06-10 13:43:18.443070961 +0200 ++++ b/man/net-snmp-create-v3-user.1.def 2020-06-10 13:49:25.975363441 +0200 +@@ -3,7 +3,7 @@ + net-snmp-create-v3-user - create a SNMPv3 user in net-snmp configuration file + .SH SYNOPSIS + .PP +-.B net-snmp-create-v3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES] ++.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES] + .B [username] + .SH DESCRIPTION + .PP +@@ -16,13 +16,16 @@ new user in net-snmp configuration file + displays the net-snmp version number + .TP + \fB-ro\fR +-create an user with read-only permissions ++creates a user with read-only permissions + .TP +-\fB-a authpass\fR +-specify authentication password ++\fB-A authpass\fR ++specifies the authentication password + .TP +-\fB-x privpass\fR +-specify encryption password ++\fB-a MD5|SHA\fR ++specifies the authentication password hashing algorithm + .TP +-\fB-X DES|AES\fR +-specify encryption algorithm ++\fB-X privpass\fR ++specifies the encryption password ++.TP ++\fB-x DES|AES\fR ++specifies the encryption algorithm diff --git a/net-snmp/patches/net-snmp-5.9-aes-config.patch b/net-snmp/patches/net-snmp-5.9-aes-config.patch new file mode 100644 index 000000000..ceac97c78 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-aes-config.patch 
@@ -0,0 +1,18 @@ +diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in +index afd6fa4..07c26fe 100644 +--- a/net-snmp-create-v3-user.in ++++ b/net-snmp-create-v3-user.in +@@ -58,11 +58,11 @@ case $1 in + exit 1 + fi + case $1 in +- DES|AES|AES128) ++ DES|AES|AES128|AES192|AES256) + Xalgorithm=$1 + shift + ;; +- des|aes|aes128) ++ des|aes|aes128|aes192|aes256) + Xalgorithm=$(echo "$1" | tr a-z A-Z) + shift + ;; diff --git a/net-snmp/patches/net-snmp-5.9-autofs-skip.patch b/net-snmp/patches/net-snmp-5.9-autofs-skip.patch new file mode 100644 index 000000000..bd5c560c1 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-autofs-skip.patch @@ -0,0 +1,12 @@ +diff --git a/agent/mibgroup/host/hr_filesys.c b/agent/mibgroup/host/hr_filesys.c +index e7ca92f..80b3e0d 100644 +--- a/agent/mibgroup/host/hr_filesys.c ++++ b/agent/mibgroup/host/hr_filesys.c +@@ -704,6 +704,7 @@ static const char *HRFS_ignores[] = { + "shm", + "sockfs", + "sysfs", ++ "tmpfs", + "usbdevfs", + "usbfs", + #endif diff --git a/net-snmp/patches/net-snmp-5.9-coverity.patch b/net-snmp/patches/net-snmp-5.9-coverity.patch new file mode 100644 index 000000000..fa3e0430d --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-coverity.patch 
@@ -0,0 +1,22 @@ +diff --git a/agent/mibgroup/disman/event/mteTrigger.c b/agent/mibgroup/disman/event/mteTrigger.c +index e9a8831..5a1d8e7 100644 +--- a/agent/mibgroup/disman/event/mteTrigger.c ++++ b/agent/mibgroup/disman/event/mteTrigger.c +@@ -1012,7 +1012,7 @@ mteTrigger_run( unsigned int reg, void *clientarg) + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThRiseEvent[0] != '\0' ) { ++ if (entry->mteTThFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; +@@ -1105,7 +1105,7 @@ mteTrigger_run( unsigned int reg, void *clientarg) + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThDRiseEvent[0] != '\0' ) { ++ if (entry->mteTThDFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; diff --git a/net-snmp/patches/net-snmp-5.9-dir-fix.patch b/net-snmp/patches/net-snmp-5.9-dir-fix.patch new file mode 100644 index 000000000..f7311ca33 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-dir-fix.patch 
@@ -0,0 +1,30 @@ +diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in +index 19895a1..ac3c60f 100644 +--- a/net-snmp-create-v3-user.in ++++ b/net-snmp-create-v3-user.in +@@ -14,6 +14,10 @@ Xalgorithm="DES" + token=rwuser + + while test "x$done" = "x" -a "x$1" != "x" -a "x$usage" != "xyes"; do ++case "$1" in ++ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; ++ *) optarg= ;; ++esac + + unset shifted + case $1 in +@@ -134,11 +138,9 @@ if test ! -d "$outfile"; then + touch "$outfile" + fi + echo "$line" >> "$outfile" +-prefix=@prefix@ +-datarootdir=@datarootdir@ +-# To suppress shellcheck complaints about $prefix and $datarootdir. +-: "$prefix" "$datarootdir" +-outfile="@datadir@/snmp/snmpd.conf" ++# Avoid that configure complains that this script ignores @datarootdir@ ++echo "@datarootdir@" >/dev/null ++outfile="/etc/snmp/snmpd.conf" + line="$token $user" + echo "adding the following line to $outfile:" + echo " $line" diff --git a/net-snmp/patches/net-snmp-5.9-intermediate-certs.patch b/net-snmp/patches/net-snmp-5.9-intermediate-certs.patch new file mode 100644 index 000000000..6b5daf726 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-intermediate-certs.patch 
@@ -0,0 +1,855 @@ +diff --git a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cert_util.h +index 80e2a19..143adbb 100644 +--- a/include/net-snmp/library/cert_util.h ++++ b/include/net-snmp/library/cert_util.h +@@ -55,7 +55,8 @@ extern "C" { + char *common_name; + + u_char hash_type; +- u_char _pad[3]; /* for future use */ ++ u_char _pad[1]; /* for future use */ ++ u_short offset; + } netsnmp_cert; + + /** types */ +@@ -100,6 +101,7 @@ extern "C" { + + NETSNMP_IMPORT + netsnmp_cert *netsnmp_cert_find(int what, int where, void *hint); ++ netsnmp_void_array *netsnmp_certs_find(int what, int where, void *hint); + + int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var); + +diff --git a/include/net-snmp/library/dir_utils.h b/include/net-snmp/library/dir_utils.h +index 471bb0b..ac7f69a 100644 +--- a/include/net-snmp/library/dir_utils.h ++++ b/include/net-snmp/library/dir_utils.h +@@ -53,7 +53,8 @@ extern "C" { + #define NETSNMP_DIR_NSFILE 0x0010 + /** load stats in netsnmp_file */ + #define NETSNMP_DIR_NSFILE_STATS 0x0020 +- ++/** allow files to be indexed more than once */ ++#define NETSNMP_DIR_ALLOW_DUPLICATES 0x0040 + + + #ifdef __cplusplus +diff --git a/snmplib/cert_util.c b/snmplib/cert_util.c +index 210ad8b..b1f8144 100644 +--- a/snmplib/cert_util.c ++++ b/snmplib/cert_util.c +@@ -100,7 +100,7 @@ netsnmp_feature_child_of(tls_fingerprint_build, cert_util_all); + * bump this value whenever cert index format changes, so indexes + * will be regenerated with new format. 
+ */ +-#define CERT_INDEX_FORMAT 1 ++#define CERT_INDEX_FORMAT 2 + + static netsnmp_container *_certs = NULL; + static netsnmp_container *_keys = NULL; +@@ -126,6 +126,8 @@ static int _cert_fn_ncompare(netsnmp_cert_common *lhs, + netsnmp_cert_common *rhs); + static void _find_partner(netsnmp_cert *cert, netsnmp_key *key); + static netsnmp_cert *_find_issuer(netsnmp_cert *cert); ++static netsnmp_void_array *_cert_reduce_subset_first(netsnmp_void_array *matching); ++static netsnmp_void_array *_cert_reduce_subset_what(netsnmp_void_array *matching, int what); + static netsnmp_void_array *_cert_find_subset_fn(const char *filename, + const char *directory); + static netsnmp_void_array *_cert_find_subset_sn(const char *subject); +@@ -345,6 +347,8 @@ _get_cert_container(const char *use) + { + netsnmp_container *c; + ++ int rc; ++ + c = netsnmp_container_find("certs:binary_array"); + if (NULL == c) { + snmp_log(LOG_ERR, "could not create container for %s\n", use); +@@ -354,6 +358,8 @@ _get_cert_container(const char *use) + c->free_item = (netsnmp_container_obj_func*)_cert_free; + c->compare = (netsnmp_container_compare*)_cert_compare; + ++ CONTAINER_SET_OPTIONS(c, CONTAINER_KEY_ALLOW_DUPLICATES, rc); ++ + return c; + } + +@@ -362,6 +368,8 @@ _setup_containers(void) + { + netsnmp_container *additional_keys; + ++ int rc; ++ + _certs = _get_cert_container("netsnmp certificates"); + if (NULL == _certs) + return; +@@ -376,6 +384,7 @@ _setup_containers(void) + additional_keys->container_name = strdup("certs_cn"); + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_cn_compare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + /** additional keys: subject name */ +@@ -389,6 +398,7 @@ _setup_containers(void) + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_sn_compare; + additional_keys->ncompare = 
(netsnmp_container_compare*)_cert_sn_ncompare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + /** additional keys: file name */ +@@ -402,6 +412,7 @@ _setup_containers(void) + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_fn_compare; + additional_keys->ncompare = (netsnmp_container_compare*)_cert_fn_ncompare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + _keys = netsnmp_container_find("cert_keys:binary_array"); +@@ -424,7 +435,7 @@ netsnmp_cert_map_container(void) + } + + static netsnmp_cert * +-_new_cert(const char *dirname, const char *filename, int certType, ++_new_cert(const char *dirname, const char *filename, int certType, int offset, + int hashType, const char *fingerprint, const char *common_name, + const char *subject) + { +@@ -446,8 +457,10 @@ _new_cert(const char *dirname, const char *filename, int certType, + + cert->info.dir = strdup(dirname); + cert->info.filename = strdup(filename); +- cert->info.allowed_uses = NS_CERT_REMOTE_PEER; ++ /* only the first certificate is allowed to be a remote peer */ ++ cert->info.allowed_uses = offset ? 
0 : NS_CERT_REMOTE_PEER; + cert->info.type = certType; ++ cert->offset = offset; + if (fingerprint) { + cert->hash_type = hashType; + cert->fingerprint = strdup(fingerprint); +@@ -884,14 +897,86 @@ _certindex_new( const char *dirname ) + * certificate utility functions + * + */ ++static BIO * ++netsnmp_open_bio(const char *dir, const char *filename) ++{ ++ BIO *certbio; ++ char file[SNMP_MAXPATH]; ++ ++ DEBUGMSGT(("9:cert:read", "Checking file %s\n", filename)); ++ ++ certbio = BIO_new(BIO_s_file()); ++ if (NULL == certbio) { ++ snmp_log(LOG_ERR, "error creating BIO\n"); ++ return NULL; ++ } ++ ++ snprintf(file, sizeof(file),"%s/%s", dir, filename); ++ if (BIO_read_filename(certbio, file) <=0) { ++ snmp_log(LOG_ERR, "error reading certificate/key %s into BIO\n", file); ++ BIO_vfree(certbio); ++ return NULL; ++ } ++ ++ return certbio; ++} ++ ++static void ++netsnmp_ocert_parse(netsnmp_cert *cert, X509 *ocert) ++{ ++ int is_ca; ++ ++ cert->ocert = ocert; ++ ++ /* ++ * X509_check_ca return codes: ++ * 0 not a CA ++ * 1 is a CA ++ * 2 basicConstraints absent so "maybe" a CA ++ * 3 basicConstraints absent but self signed V1. ++ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. ++ * 5 outdated Netscape Certificate Type CA extension. 
++ */ ++ is_ca = X509_check_ca(ocert); ++ if (1 == is_ca) ++ cert->info.allowed_uses |= NS_CERT_CA; ++ ++ if (NULL == cert->subject) { ++ cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL, ++ 0); ++ DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject)); ++ } ++ ++ if (NULL == cert->issuer) { ++ cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0); ++ if (strcmp(cert->subject, cert->issuer) == 0) { ++ free(cert->issuer); ++ cert->issuer = strdup("self-signed"); ++ } ++ DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer)); ++ } ++ ++ if (NULL == cert->fingerprint) { ++ cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert); ++ cert->fingerprint = ++ netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type); ++ } ++ ++ if (NULL == cert->common_name) { ++ cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL, ++ NULL); ++ DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name)); ++ } ++ ++} ++ + static X509 * + netsnmp_ocert_get(netsnmp_cert *cert) + { + BIO *certbio; + X509 *ocert = NULL; ++ X509 *ncert = NULL; + EVP_PKEY *okey = NULL; +- char file[SNMP_MAXPATH]; +- int is_ca; + + if (NULL == cert) + return NULL; +@@ -908,51 +993,33 @@ netsnmp_ocert_get(netsnmp_cert *cert) + } + } + +- DEBUGMSGT(("9:cert:read", "Checking file %s\n", cert->info.filename)); +- +- certbio = BIO_new(BIO_s_file()); +- if (NULL == certbio) { +- snmp_log(LOG_ERR, "error creating BIO\n"); +- return NULL; +- } +- +- snprintf(file, sizeof(file),"%s/%s", cert->info.dir, cert->info.filename); +- if (BIO_read_filename(certbio, file) <=0) { +- snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", file); +- BIO_vfree(certbio); ++ certbio = netsnmp_open_bio(cert->info.dir, cert->info.filename); ++ if (!certbio) { + return NULL; + } + +- if (NS_CERT_TYPE_UNKNOWN == cert->info.type) { +- char *pos = strrchr(cert->info.filename, '.'); +- if (NULL == pos) +- return NULL; +- cert->info.type = 
_cert_ext_type(++pos); +- netsnmp_assert(cert->info.type != NS_CERT_TYPE_UNKNOWN); +- } +- + switch (cert->info.type) { + + case NS_CERT_TYPE_DER: ++ (void)BIO_seek(certbio, cert->offset); + ocert = d2i_X509_bio(certbio,NULL); /* DER/ASN1 */ + if (NULL != ocert) + break; +- (void)BIO_reset(certbio); + /* Check for PEM if DER didn't work */ + /* FALLTHROUGH */ + + case NS_CERT_TYPE_PEM: +- ocert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ (void)BIO_seek(certbio, cert->offset); ++ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); + if (NULL == ocert) + break; + if (NS_CERT_TYPE_DER == cert->info.type) { + DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n")); + cert->info.type = NS_CERT_TYPE_PEM; + } +- /** check for private key too */ +- if (NULL == cert->key) { +- (void)BIO_reset(certbio); +- okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ /** check for private key too, but only if we're the first certificate */ ++ if (0 == cert->offset && NULL == cert->key) { ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); + if (NULL != okey) { + netsnmp_key *key; + DEBUGMSGT(("cert:read:key", "found key with cert in %s\n", +@@ -979,7 +1046,7 @@ netsnmp_ocert_get(netsnmp_cert *cert) + break; + #ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER + case NS_CERT_TYPE_PKCS12: +- (void)BIO_reset(certbio); ++ (void)BIO_seek(certbio, cert->offset); + PKCS12 *p12 = d2i_PKCS12_bio(certbio, NULL); + if ( (NULL != p12) && (PKCS12_verify_mac(p12, "", 0) || + PKCS12_verify_mac(p12, NULL, 0))) +@@ -999,46 +1066,7 @@ netsnmp_ocert_get(netsnmp_cert *cert) + return NULL; + } + +- cert->ocert = ocert; +- /* +- * X509_check_ca return codes: +- * 0 not a CA +- * 1 is a CA +- * 2 basicConstraints absent so "maybe" a CA +- * 3 basicConstraints absent but self signed V1. +- * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. +- * 5 outdated Netscape Certificate Type CA extension. 
+- */ +- is_ca = X509_check_ca(ocert); +- if (1 == is_ca) +- cert->info.allowed_uses |= NS_CERT_CA; +- +- if (NULL == cert->subject) { +- cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL, +- 0); +- DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject)); +- } +- +- if (NULL == cert->issuer) { +- cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0); +- if (strcmp(cert->subject, cert->issuer) == 0) { +- free(cert->issuer); +- cert->issuer = strdup("self-signed"); +- } +- DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer)); +- } +- +- if (NULL == cert->fingerprint) { +- cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert); +- cert->fingerprint = +- netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type); +- } +- +- if (NULL == cert->common_name) { +- cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL, +- NULL); +- DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name)); +- } ++ netsnmp_ocert_parse(cert, ocert); + + return ocert; + } +@@ -1048,7 +1076,6 @@ netsnmp_okey_get(netsnmp_key *key) + { + BIO *keybio; + EVP_PKEY *okey; +- char file[SNMP_MAXPATH]; + + if (NULL == key) + return NULL; +@@ -1056,19 +1083,8 @@ netsnmp_okey_get(netsnmp_key *key) + if (key->okey) + return key->okey; + +- snprintf(file, sizeof(file),"%s/%s", key->info.dir, key->info.filename); +- DEBUGMSGT(("cert:key:read", "Checking file %s\n", key->info.filename)); +- +- keybio = BIO_new(BIO_s_file()); +- if (NULL == keybio) { +- snmp_log(LOG_ERR, "error creating BIO\n"); +- return NULL; +- } +- +- if (BIO_read_filename(keybio, file) <=0) { +- snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", +- key->info.filename); +- BIO_vfree(keybio); ++ keybio = netsnmp_open_bio(key->info.dir, key->info.filename); ++ if (!keybio) { + return NULL; + } + +@@ -1154,7 +1170,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cert) + cert->issuer_cert = _find_issuer(cert); + if (NULL == cert->issuer_cert) { + 
DEBUGMSGT(("cert:load:warn", +- "couldn't load CA chain for cert %s\n", ++ "couldn't load full CA chain for cert %s\n", + cert->info.filename)); + rc = CERT_LOAD_PARTIAL; + break; +@@ -1163,7 +1179,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cert) + /** get issuer ocert */ + if ((NULL == cert->issuer_cert->ocert) && + (netsnmp_ocert_get(cert->issuer_cert) == NULL)) { +- DEBUGMSGT(("cert:load:warn", "couldn't load cert chain for %s\n", ++ DEBUGMSGT(("cert:load:warn", "couldn't load full cert chain for %s\n", + cert->info.filename)); + rc = CERT_LOAD_PARTIAL; + break; +@@ -1184,7 +1200,7 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key) + return; + } + +- if(key) { ++ if (key) { + if (key->cert) { + DEBUGMSGT(("cert:partner", "key already has partner\n")); + return; +@@ -1197,7 +1213,8 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key) + return; + *pos = 0; + +- matching = _cert_find_subset_fn( filename, key->info.dir ); ++ matching = _cert_reduce_subset_first(_cert_find_subset_fn( filename, ++ key->info.dir )); + if (!matching) + return; + if (1 == matching->size) { +@@ -1217,7 +1234,7 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key) + DEBUGMSGT(("cert:partner", "%s matches multiple certs\n", + key->info.filename)); + } +- else if(cert) { ++ else if (cert) { + if (cert->key) { + DEBUGMSGT(("cert:partner", "cert already has partner\n")); + return; +@@ -1255,76 +1272,182 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key) + } + } + ++static netsnmp_key * ++_add_key(EVP_PKEY *okey, const char* dirname, const char* filename, FILE *index) ++{ ++ netsnmp_key *key; ++ ++ key = _new_key(dirname, filename); ++ if (NULL == key) { ++ return NULL; ++ } ++ ++ key->okey = okey; ++ ++ if (-1 == CONTAINER_INSERT(_keys, key)) { ++ DEBUGMSGT(("cert:key:file:add:err", ++ "error inserting key into container\n")); ++ netsnmp_key_free(key); ++ key = NULL; ++ } ++ if (index) { ++ fprintf(index, "k:%s\n", filename); ++ } ++ ++ return key; ++} ++ ++static netsnmp_cert * 
++_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset, FILE *index) ++{ ++ netsnmp_cert *cert; ++ ++ cert = _new_cert(dirname, filename, type, offset, -1, NULL, NULL, NULL); ++ if (NULL == cert) ++ return NULL; ++ ++ netsnmp_ocert_parse(cert, ocert); ++ ++ if (-1 == CONTAINER_INSERT(_certs, cert)) { ++ DEBUGMSGT(("cert:file:add:err", ++ "error inserting cert into container\n")); ++ netsnmp_cert_free(cert); ++ return NULL; ++ } ++ ++ if (index) { ++ /** filename = NAME_MAX = 255 */ ++ /** fingerprint max = 64*3=192 for sha512 */ ++ /** common name / CN = 64 */ ++ if (cert) ++ fprintf(index, "c:%s %d %d %d %s '%s' '%s'\n", filename, ++ cert->info.type, cert->offset, cert->hash_type, cert->fingerprint, ++ cert->common_name, cert->subject); ++ } ++ ++ return cert; ++} ++ + static int + _add_certfile(const char* dirname, const char* filename, FILE *index) + { +- X509 *ocert; +- EVP_PKEY *okey; ++ BIO *certbio; ++ X509 *ocert = NULL; ++ X509 *ncert; ++ EVP_PKEY *okey = NULL; + netsnmp_cert *cert = NULL; + netsnmp_key *key = NULL; + char certfile[SNMP_MAXPATH]; + int type; ++ int offset = 0; + + if (((const void*)NULL == dirname) || (NULL == filename)) + return -1; + + type = _type_from_filename(filename); +- netsnmp_assert(type != NS_CERT_TYPE_UNKNOWN); ++ if (type == NS_CERT_TYPE_UNKNOWN) { ++ snmp_log(LOG_ERR, "certificate file '%s' type not recognised, ignoring\n", filename); ++ return -1; ++ } + +- snprintf(certfile, sizeof(certfile),"%s/%s", dirname, filename); ++ certbio = netsnmp_open_bio(dirname, filename); ++ if (!certbio) { ++ return -1; ++ } + +- DEBUGMSGT(("9:cert:file:add", "Checking file: %s (type %d)\n", filename, +- type)); ++ switch (type) { + +- if (NS_CERT_TYPE_KEY == type) { +- key = _new_key(dirname, filename); +- if (NULL == key) +- return -1; +- okey = netsnmp_okey_get(key); +- if (NULL == okey) { +- netsnmp_key_free(key); +- return -1; +- } +- key->okey = okey; +- if (-1 == CONTAINER_INSERT(_keys, key)) { +- 
DEBUGMSGT(("cert:key:file:add:err", +- "error inserting key into container\n")); +- netsnmp_key_free(key); +- key = NULL; +- } +- } +- else { +- cert = _new_cert(dirname, filename, type, -1, NULL, NULL, NULL); +- if (NULL == cert) +- return -1; +- ocert = netsnmp_ocert_get(cert); +- if (NULL == ocert) { +- netsnmp_cert_free(cert); +- return -1; +- } +- cert->ocert = ocert; +- if (-1 == CONTAINER_INSERT(_certs, cert)) { +- DEBUGMSGT(("cert:file:add:err", +- "error inserting cert into container\n")); +- netsnmp_cert_free(cert); +- cert = NULL; +- } +- } +- if ((NULL == cert) && (NULL == key)) { +- DEBUGMSGT(("cert:file:add:failure", "for %s\n", certfile)); +- return -1; ++ case NS_CERT_TYPE_KEY: ++ ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ if (NULL == okey) ++ snmp_log(LOG_ERR, "error parsing key file %s\n", ++ key->info.filename); ++ else { ++ key = _add_key(okey, dirname, filename, index); ++ if (NULL == key) { ++ EVP_PKEY_free(okey); ++ okey = NULL; ++ } ++ } ++ break; ++ ++ case NS_CERT_TYPE_DER: ++ ++ ocert = d2i_X509_bio(certbio, NULL); /* DER/ASN1 */ ++ if (NULL != ocert) { ++ if (!_add_cert(ocert, dirname, filename, type, 0, index)) { ++ X509_free(ocert); ++ ocert = NULL; ++ } ++ break; ++ } ++ (void)BIO_reset(certbio); ++ /* Check for PEM if DER didn't work */ ++ /* FALLTHROUGH */ ++ ++ case NS_CERT_TYPE_PEM: ++ ++ if (NS_CERT_TYPE_DER == type) { ++ DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n")); ++ type = NS_CERT_TYPE_PEM; ++ } ++ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ if (NULL != ocert) { ++ cert = _add_cert(ncert, dirname, filename, type, offset, index); ++ if (NULL == cert) { ++ X509_free(ocert); ++ ocert = ncert = NULL; ++ } ++ } ++ while (NULL != ncert) { ++ offset = BIO_tell(certbio); ++ ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ if (ncert) { ++ if (NULL == _add_cert(ncert, dirname, filename, type, offset, index)) { ++ X509_free(ncert); ++ ncert = NULL; ++ } ++ } ++ 
} ++ ++ BIO_seek(certbio, offset); ++ ++ /** check for private key too */ ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ ++ if (NULL != okey) { ++ DEBUGMSGT(("cert:read:key", "found key with cert in %s\n", ++ cert->info.filename)); ++ key = _add_key(okey, dirname, filename, NULL); ++ if (NULL != key) { ++ DEBUGMSGT(("cert:read:partner", "%s match found!\n", ++ cert->info.filename)); ++ key->cert = cert; ++ cert->key = key; ++ cert->info.allowed_uses |= NS_CERT_IDENTITY; ++ } ++ else { ++ EVP_PKEY_free(okey); ++ okey = NULL; ++ } ++ } ++ ++ break; ++ ++#ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER ++ case NS_CERT_TYPE_PKCS12: ++#endif ++ ++ default: ++ break; + } + +- if (index) { +- /** filename = NAME_MAX = 255 */ +- /** fingerprint max = 64*3=192 for sha512 */ +- /** common name / CN = 64 */ +- if (cert) +- fprintf(index, "c:%s %d %d %s '%s' '%s'\n", filename, +- cert->info.type, cert->hash_type, cert->fingerprint, +- cert->common_name, cert->subject); +- else if (key) +- fprintf(index, "k:%s\n", filename); ++ BIO_vfree(certbio); ++ ++ if ((NULL == ocert) && (NULL == okey)) { ++ snmp_log(LOG_ERR, "certificate file '%s' contained neither certificate nor key, ignoring\n", certfile); ++ return -1; + } + + return 0; +@@ -1338,7 +1461,8 @@ _cert_read_index(const char *dirname, struct stat *dirstat) + struct stat idx_stat; + char tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX]; + char fingerprint[EVP_MAX_MD_SIZE*3], common_name[64+1], type_str[15]; +- char subject[SNMP_MAXBUF_SMALL], hash_str[15]; ++ char subject[SNMP_MAXBUF_SMALL], hash_str[15], offset_str[15]; ++ ssize_t offset; + int count = 0, type, hash, version; + netsnmp_cert *cert; + netsnmp_key *key; +@@ -1381,7 +1505,8 @@ _cert_read_index(const char *dirname, struct stat *dirstat) + netsnmp_directory_container_read_some(NULL, dirname, + _time_filter, &idx_stat, + NETSNMP_DIR_NSFILE | +- NETSNMP_DIR_NSFILE_STATS); ++ NETSNMP_DIR_NSFILE_STATS | ++ NETSNMP_DIR_ALLOW_DUPLICATES); + if (newer) { + 
DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n")); + CONTAINER_FREE_ALL(newer, NULL); +@@ -1426,6 +1551,7 @@ _cert_read_index(const char *dirname, struct stat *dirstat) + pos = &tmpstr[2]; + if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) || + (NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) || ++ (NULL == (pos=copy_nword(pos, offset_str, sizeof(offset_str)))) || + (NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) || + (NULL == (pos=copy_nword(pos, fingerprint, + sizeof(fingerprint)))) || +@@ -1438,8 +1564,9 @@ _cert_read_index(const char *dirname, struct stat *dirstat) + break; + } + type = atoi(type_str); ++ offset = atoi(offset_str); + hash = atoi(hash_str); +- cert = _new_cert(dirname, filename, type, hash, fingerprint, ++ cert = _new_cert(dirname, filename, type, offset, hash, fingerprint, + common_name, subject); + if (cert && 0 == CONTAINER_INSERT(found, cert)) + ++count; +@@ -1546,7 +1673,8 @@ _add_certdir(const char *dirname) + netsnmp_directory_container_read_some(NULL, dirname, + _cert_cert_filter, NULL, + NETSNMP_DIR_RELATIVE_PATH | +- NETSNMP_DIR_EMPTY_OK ); ++ NETSNMP_DIR_EMPTY_OK | ++ NETSNMP_DIR_ALLOW_DUPLICATES); + if (NULL == cert_container) { + DEBUGMSGT(("cert:index:dir", + "error creating container for cert files\n")); +@@ -1634,7 +1762,7 @@ _cert_print(netsnmp_cert *c, void *context) + if (NULL == c) + return; + +- DEBUGMSGT(("cert:dump", "cert %s in %s\n", c->info.filename, c->info.dir)); ++ DEBUGMSGT(("cert:dump", "cert %s in %s at offset %d\n", c->info.filename, c->info.dir, c->offset)); + DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n", + c->info.type, c->info.allowed_uses, + _mode_str(c->info.allowed_uses))); +@@ -1838,7 +1966,8 @@ netsnmp_cert_find(int what, int where, void *hint) + netsnmp_void_array *matching; + + DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint)); +- matching = _cert_find_subset_fn( filename, NULL ); ++ matching = 
_cert_reduce_subset_what(_cert_find_subset_fn( ++ filename, NULL ), what); + if (!matching) + return NULL; + if (1 == matching->size) +@@ -2281,6 +2410,124 @@ _reduce_subset_dir(netsnmp_void_array *matching, const char *directory) + } + } + ++/* ++ * reduce subset by eliminating any certificates that are not the ++ * first certficate in a file. This allows us to ignore certificate ++ * chains when testing for specific certificates, and to match keys ++ * to the first certificate only. ++ */ ++static netsnmp_void_array * ++_cert_reduce_subset_first(netsnmp_void_array *matching) ++{ ++ netsnmp_cert *cc; ++ int i = 0, j, newsize; ++ ++ if ((NULL == matching)) ++ return matching; ++ ++ newsize = matching->size; ++ ++ for( ; i < matching->size; ) { ++ /* ++ * if we've shifted matches down we'll hit a NULL entry before ++ * we hit the end of the array. ++ */ ++ if (NULL == matching->array[i]) ++ break; ++ /* ++ * skip over valid matches. The first entry has an offset of zero. ++ */ ++ cc = (netsnmp_cert*)matching->array[i]; ++ if (0 == cc->offset) { ++ ++i; ++ continue; ++ } ++ /* ++ * shrink array by shifting everything down a spot. Might not be ++ * the most efficient soloution, but this is just happening at ++ * startup and hopefully most certs won't have common prefixes. ++ */ ++ --newsize; ++ for ( j=i; j < newsize; ++j ) ++ matching->array[j] = matching->array[j+1]; ++ matching->array[j] = NULL; ++ /** no ++i; just shifted down, need to look at same position again */ ++ } ++ /* ++ * if we shifted, set the new size ++ */ ++ if (newsize != matching->size) { ++ DEBUGMSGT(("9:cert:subset:first", "shrank from %" NETSNMP_PRIz "d to %d\n", ++ matching->size, newsize)); ++ matching->size = newsize; ++ } ++ ++ if (0 == matching->size) { ++ free(matching->array); ++ SNMP_FREE(matching); ++ } ++ ++ return matching; ++} ++ ++/* ++ * reduce subset by eliminating any certificates that do not match ++ * purpose specified. 
++ */ ++static netsnmp_void_array * ++_cert_reduce_subset_what(netsnmp_void_array *matching, int what) ++{ ++ netsnmp_cert_common *cc; ++ int i = 0, j, newsize; ++ ++ if ((NULL == matching)) ++ return matching; ++ ++ newsize = matching->size; ++ ++ for( ; i < matching->size; ) { ++ /* ++ * if we've shifted matches down we'll hit a NULL entry before ++ * we hit the end of the array. ++ */ ++ if (NULL == matching->array[i]) ++ break; ++ /* ++ * skip over valid matches. The first entry has an offset of zero. ++ */ ++ cc = (netsnmp_cert_common *)matching->array[i]; ++ if ((cc->allowed_uses & what)) { ++ ++i; ++ continue; ++ } ++ /* ++ * shrink array by shifting everything down a spot. Might not be ++ * the most efficient soloution, but this is just happening at ++ * startup and hopefully most certs won't have common prefixes. ++ */ ++ --newsize; ++ for ( j=i; j < newsize; ++j ) ++ matching->array[j] = matching->array[j+1]; ++ matching->array[j] = NULL; ++ /** no ++i; just shifted down, need to look at same position again */ ++ } ++ /* ++ * if we shifted, set the new size ++ */ ++ if (newsize != matching->size) { ++ DEBUGMSGT(("9:cert:subset:what", "shrank from %" NETSNMP_PRIz "d to %d\n", ++ matching->size, newsize)); ++ matching->size = newsize; ++ } ++ ++ if (0 == matching->size) { ++ free(matching->array); ++ SNMP_FREE(matching); ++ } ++ ++ return matching; ++} ++ + static netsnmp_void_array * + _cert_find_subset_common(const char *filename, netsnmp_container *container) + { +diff --git a/snmplib/dir_utils.c b/snmplib/dir_utils.c +index c2dd989..e7145e4 100644 +--- a/snmplib/dir_utils.c ++++ b/snmplib/dir_utils.c +@@ -107,6 +107,9 @@ netsnmp_directory_container_read_some(netsnmp_container *user_container, + /** default to unsorted */ + if (! (flags & NETSNMP_DIR_SORTED)) + CONTAINER_SET_OPTIONS(container, CONTAINER_KEY_UNSORTED, rc); ++ /** default to duplicates not allowed */ ++ if (! 
(flags & NETSNMP_DIR_ALLOW_DUPLICATES)) ++ CONTAINER_SET_OPTIONS(container, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + } + + dir = opendir(dirname); diff --git a/net-snmp/patches/net-snmp-5.9-memory-reporting.patch b/net-snmp/patches/net-snmp-5.9-memory-reporting.patch new file mode 100644 index 000000000..3db8d51f6 --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9-memory-reporting.patch @@ -0,0 +1,28 @@ +diff --git a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c +index 6d5e86c..68b55d2 100644 +--- a/agent/mibgroup/hardware/memory/memory_linux.c ++++ b/agent/mibgroup/hardware/memory/memory_linux.c +@@ -123,6 +123,13 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) { + if (first) + snmp_log(LOG_ERR, "No SwapTotal line in /proc/meminfo\n"); + } ++ b = strstr(buff, "SReclaimable: "); ++ if (b) ++ sscanf(b, "SReclaimable: %lu", &sreclaimable); ++ else { ++ if (first) ++ snmp_log(LOG_ERR, "No SReclaimable line in /proc/meminfo\n"); ++ } + b = strstr(buff, "SwapFree: "); + if (b) + sscanf(b, "SwapFree: %lu", &swapfree); +@@ -130,9 +137,6 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) { + if (first) + snmp_log(LOG_ERR, "No SwapFree line in /proc/meminfo\n"); + } +- b = strstr(buff, "SReclaimable: "); +- if (b) +- sscanf(b, "SReclaimable: %lu", &sreclaimable); + first = 0; + + diff --git a/net-snmp/patches/net-snmp-5.7.2-pie.patch b/net-snmp/patches/net-snmp-5.9-pie.patch similarity index 56% rename from net-snmp/patches/net-snmp-5.7.2-pie.patch rename to net-snmp/patches/net-snmp-5.9-pie.patch index ee02001b3..a79290413 100644 --- a/net-snmp/patches/net-snmp-5.7.2-pie.patch +++ b/net-snmp/patches/net-snmp-5.9-pie.patch 
@@ -1,7 +1,8 @@ -diff -up net-snmp-5.7.2/agent/Makefile.in.pie net-snmp-5.7.2/agent/Makefile.in ---- net-snmp-5.7.2/agent/Makefile.in.pie 2012-10-10 00:28:58.000000000 +0200 -+++ net-snmp-5.7.2/agent/Makefile.in 2012-10-18 09:45:13.298613099 +0200 -@@ -294,7 +294,7 @@ getmibstat.o: mibgroup/kernel_sunos5.c +diff --git a/agent/Makefile.in b/agent/Makefile.in +index 047d880..38d40aa 100644 +--- a/agent/Makefile.in ++++ b/agent/Makefile.in +@@ -300,7 +300,7 @@ getmibstat.o: mibgroup/kernel_sunos5.c $(CC) $(CFLAGS) -o $@ -D_GETMIBSTAT_TEST -DDODEBUG -c $?
snmpd$(EXEEXT): ${LAGENTOBJS} $(USELIBS) $(AGENTLIB) $(HELPERLIB) $(MIBLIB) $(LIBTARG) @@ -9,11 +10,12 @@ diff -up net-snmp-5.7.2/agent/Makefile.in.pie net-snmp-5.7.2/agent/Makefile.in + $(LINK) $(CFLAGS) -o $@ -pie ${LAGENTOBJS} ${LDFLAGS} ${OUR_AGENT_LIBS}
libnetsnmpagent.$(LIB_EXTENSION)$(LIB_VERSION): ${LLIBAGENTOBJS} $(USELIBS) - $(LIB_LD_CMD) $(AGENTLIB) ${LLIBAGENTOBJS} $(USELIBS) ${LAGENTLIBS} @LD_NO_UNDEFINED@ $(LDFLAGS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) @AGENTLIBS@ -diff -up net-snmp-5.7.2/apps/Makefile.in.pie net-snmp-5.7.2/apps/Makefile.in ---- net-snmp-5.7.2/apps/Makefile.in.pie 2012-10-10 00:28:58.000000000 +0200 -+++ net-snmp-5.7.2/apps/Makefile.in 2012-10-18 09:44:27.827774580 +0200 -@@ -170,7 +170,7 @@ snmptest$(EXEEXT): snmptest.$(OSUFFIX + $(LIB_LD_CMD) $(AGENTLIB) ${LLIBAGENTOBJS} $(USELIBS) ${LAGENTLIBS} $(LDFLAGS) $(PERLLDOPTS_FOR_LIBS) @AGENTLIBS@ +diff --git a/apps/Makefile.in b/apps/Makefile.in +index 3dbb1d1..48ed23a 100644 +--- a/apps/Makefile.in ++++ b/apps/Makefile.in +@@ -190,7 +190,7 @@ snmptest$(EXEEXT): snmptest.$(OSUFFIX) $(USELIBS) $(LINK) ${CFLAGS} -o $@ snmptest.$(OSUFFIX) ${LDFLAGS} ${LIBS}
snmptrapd$(EXEEXT): $(TRAPD_OBJECTS) $(USETRAPLIBS) $(INSTALLLIBS) diff --git a/net-snmp/patches/net-snmp-5.9.1-autoconf.patch b/net-snmp/patches/net-snmp-5.9.1-autoconf.patch new file mode 100644 index 000000000..5c6b2a9de --- /dev/null +++ b/net-snmp/patches/net-snmp-5.9.1-autoconf.patch @@ -0,0 +1,6 @@ +diff -urNp a/dist/autoconf-version b/dist/autoconf-version +--- a/dist/autoconf-version 2021-09-01 11:18:14.582110773 +0200 ++++ b/dist/autoconf-version 2021-09-01 11:20:16.804369533 +0200 +@@ -1 +1 @@ +-2.69 ++2.71 diff --git a/network/network.nm b/network/network.nm index 82b51de79..cd7825749 100644 --- a/network/network.nm +++ b/network/network.nm @@ -5,7 +5,7 @@
name = network version = 010 -release = 4 +release = 4.1
maintainer = Michael Tremer michael.tremer@ipfire.org groups = Base Networking/Tools @@ -50,7 +50,6 @@ packages bird >= 2 curl dhclient >= 4.2.4-2 - dhcp >= 4.2.4-1 ebtables hostapd initscripts >= 1:2.99-18 diff --git a/pam/pam.nm b/pam/pam.nm index facedb378..de24a97fb 100644 --- a/pam/pam.nm +++ b/pam/pam.nm @@ -4,8 +4,8 @@ ###############################################################################
name = pam -version = 1.3.0 -release = 2 +version = 1.5.2 +release = 1 thisapp = Linux-PAM-%{version}
groups = System/Base @@ -19,10 +19,8 @@ description having to recompile programs that handle authentication. end
-# This is the old location that might be revived in future -# source_dl = http://ftp.us.kernel.org/pub/linux/libs/pam/library/ - -source_dl = http://www.linux-pam.org/library/ +source_dl = https://github.com/linux-pam/linux-pam/releases/download/v%%7Bversion%7D/ +sources = %{thisapp}.tar.xz
build requires diff --git a/pam/patches/Linux-PAM-1.1.0-no-yywrap-1.patch b/pam/patches/Linux-PAM-1.1.0-no-yywrap-1.patch deleted file mode 100644 index 62a485184..000000000 --- a/pam/patches/Linux-PAM-1.1.0-no-yywrap-1.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -urN Linux-PAM-0.99.6.3/conf/pam_conv1/pam_conv_l.c Linux-PAM-0.99.6.3.new/conf/pam_conv1/pam_conv_l.c ---- Linux-PAM-0.99.6.3/conf/pam_conv1/pam_conv_l.c 2006-09-06 11:29:19.000000000 +0200 -+++ Linux-PAM-0.99.6.3.new/conf/pam_conv1/pam_conv_l.c 2007-01-10 23:19:05.000000000 +0100 -@@ -494,7 +494,9 @@ - #ifdef __cplusplus - extern "C" int yywrap (void ); - #else --extern int yywrap (void ); -+int yywrap (void ) { -+ return 1; -+} - #endif - #endif - -diff -urN Linux-PAM-0.99.6.3/doc/specs/parse_l.c Linux-PAM-0.99.6.3.new/doc/specs/parse_l.c ---- Linux-PAM-0.99.6.3/doc/specs/parse_l.c 2006-09-06 11:29:19.000000000 +0200 -+++ Linux-PAM-0.99.6.3.new/doc/specs/parse_l.c 2007-01-10 23:21:55.000000000 +0100 -@@ -480,7 +480,9 @@ - #ifdef __cplusplus - extern "C" int yywrap (void ); - #else --extern int yywrap (void ); -+int yywrap (void ) { -+ return 1; -+} - #endif - #endif - diff --git a/pam/patches/pam-1.1.5-unix-build.patch b/pam/patches/pam-1.1.5-unix-build.patch deleted file mode 100644 index d1f30d071..000000000 --- a/pam/patches/pam-1.1.5-unix-build.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200 -@@ -47,6 +47,8 @@ - #include <time.h> /* for time() */ - #include <errno.h> - #include <sys/wait.h> -+#include <sys/time.h> -+#include <sys/resource.h> - - #include <security/_pam_macros.h> - -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200 -@@ -53,6 +53,7 @@ - #include <fcntl.h> - #include <ctype.h> - #include <sys/time.h> -+#include <sys/resource.h> - #include <sys/stat.h> - - #include <signal.h> -diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c ---- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200 -@@ -18,6 +18,7 @@ - #include <signal.h> - #include <ctype.h> - #include <syslog.h> -+#include <sys/time.h> - #include <sys/resource.h> - #ifdef HAVE_RPCSVC_YPCLNT_H - #include <rpcsvc/ypclnt.h> diff --git a/python/patches/00001-pydocnogui.patch b/python/patches/00001-pydocnogui.patch deleted file mode 100644 index 0311f3826..000000000 --- a/python/patches/00001-pydocnogui.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff -up Python-2.7.3/Lib/pydoc.py.no_gui Python-2.7.3/Lib/pydoc.py ---- Python-2.7.3/Lib/pydoc.py.no_gui 2012-04-09 19:07:31.000000000 -0400 -+++ Python-2.7.3/Lib/pydoc.py 2013-02-19 13:48:44.480054515 -0500 -@@ -19,9 +19,6 @@ of all available modules. - local machine to generate documentation web pages. Port number 0 can be - used to get an arbitrary unused port. - --For platforms without a command line, "pydoc -g" starts the HTTP server --and also pops up a little window for controlling it. -- - Run "pydoc -w <name>" to write out the HTML documentation for a module - to a file named "<name>.html". - -@@ -2346,13 +2340,10 @@ def cli(): - Start an HTTP server on the given port on the local machine. Port - number 0 can be used to get an arbitrary unused port. - --%s -g -- Pop up a graphical interface for finding and serving documentation. -- - %s -w <name> ... - Write out the HTML documentation for a module to a file in the current - directory. If <name> contains a '%s', it is treated as a filename; if - it names a directory, documentation is written for all the contents. --""" % (cmd, os.sep, cmd, cmd, cmd, cmd, os.sep) -+""" % (cmd, os.sep, cmd, cmd, cmd, os.sep) - - if __name__ == '__main__': cli() diff --git a/python/patches/00010-2.7.13-binutils-no-dep.patch b/python/patches/00010-2.7.13-binutils-no-dep.patch deleted file mode 100644 index d43262316..000000000 --- a/python/patches/00010-2.7.13-binutils-no-dep.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff --git a/Lib/ctypes/util.py b/Lib/ctypes/util.py -index ab10ec5..923d1b7 100644 ---- a/Lib/ctypes/util.py -+++ b/Lib/ctypes/util.py -@@ -140,11 +140,15 @@ elif os.name == "posix": - # assuming GNU binutils / ELF - if not f: - return None -- cmd = 'if ! type objdump >/dev/null 2>&1; then exit; fi;' \ -+ cmd = 'if ! type objdump >/dev/null 2>&1; then exit 10; fi;' \ - 'objdump -p -j .dynamic 2>/dev/null "$1"' - proc = subprocess.Popen((cmd, '_get_soname', f), shell=True, - stdout=subprocess.PIPE) - [dump, _] = proc.communicate() -+ if proc.returncode == 10: -+ return os.path.basename(f) # This is good for GLibc, I think, -+ # and a dep on binutils is big (for -+ # live CDs). - res = re.search(br'\sSONAME\s+([^\s]+)', dump) - if not res: - return None diff --git a/python/patches/00104-lib64-fix-for-test_install.patch b/python/patches/00104-lib64-fix-for-test_install.patch deleted file mode 100644 index 7852bf694..000000000 --- a/python/patches/00104-lib64-fix-for-test_install.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- Python-2.7.2/Lib/distutils/tests/test_install.py.lib64 2011-09-08 17:51:57.851405376 -0400 -+++ Python-2.7.2/Lib/distutils/tests/test_install.py 2011-09-08 18:40:46.754205096 -0400 -@@ -41,8 +41,9 @@ class InstallTestCase(support.TempdirMan - self.assertEqual(got, expected) - - libdir = os.path.join(destination, "lib", "python") -+ platlibdir = os.path.join(destination, "lib64", "python") - check_path(cmd.install_lib, libdir) -- check_path(cmd.install_platlib, libdir) -+ check_path(cmd.install_platlib, platlibdir) - check_path(cmd.install_purelib, libdir) - check_path(cmd.install_headers, - os.path.join(destination, "include", "python", "foopkg")) diff --git a/python/patches/00112-2.7.13-debug-build.patch b/python/patches/00112-2.7.13-debug-build.patch deleted file mode 100644 index 463f4d8b6..000000000 --- a/python/patches/00112-2.7.13-debug-build.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -From 898f93aa206e577dfe854c59bc62d0cea09cd5ed Mon Sep 17 00:00:00 2001 -From: Tomas Orsava torsava@redhat.com -Date: Tue, 10 Jan 2017 16:19:50 +0100 -Subject: [PATCH] Patch to support building both optimized vs debug stacks DSO - ABIs, - -sharing the same .py and .pyc files, using "_d.so" to signify a debug build of -an extension module. ---- - Lib/distutils/command/build_ext.py | 7 ++++- - Lib/distutils/sysconfig.py | 5 ++-- - Lib/distutils/tests/test_install.py | 3 +- - Makefile.pre.in | 56 ++++++++++++++++++++----------------- - Misc/python-config.in | 2 +- - Modules/makesetup | 2 +- - Python/dynload_shlib.c | 11 ++++++-- - Python/sysmodule.c | 6 ++++ - configure.ac | 14 ++++++++-- - 9 files changed, 69 insertions(+), 37 deletions(-) - -diff --git a/Lib/distutils/command/build_ext.py b/Lib/distutils/command/build_ext.py -index 2c68be3..029d144 100644 ---- a/Lib/distutils/command/build_ext.py -+++ b/Lib/distutils/command/build_ext.py -@@ -677,7 +677,10 @@ class build_ext (Command): - so_ext = get_config_var('SO') - if os.name == 'nt' and self.debug: - return os.path.join(*ext_path) + '_d' + so_ext -- return os.path.join(*ext_path) + so_ext -+ -+ # Similarly, extensions in debug mode are named 'module_d.so', to -+ # avoid adding the _d to the SO config variable: -+ return os.path.join(*ext_path) + (sys.pydebug and "_d" or "") + so_ext - - def get_export_symbols (self, ext): - """Return the list of symbols that a shared extension has to -@@ -762,6 +765,8 @@ class build_ext (Command): - template = "python%d.%d" - pythonlib = (template % - (sys.hexversion >> 24, (sys.hexversion >> 16) & 0xff)) -+ if sys.pydebug: -+ pythonlib += '_d' - return ext.libraries + [pythonlib] - else: - return ext.libraries -diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py -index 3e7f077..ec5d584 100644 ---- a/Lib/distutils/sysconfig.py -+++ b/Lib/distutils/sysconfig.py -@@ -90,7 +90,8 @@ def get_python_inc(plat_specific=0, prefix=None): - # Include is 
located in the srcdir - inc_dir = os.path.join(srcdir, "Include") - return inc_dir -- return os.path.join(prefix, "include", "python" + get_python_version()) -+ return os.path.join(prefix, "include", -+ "python" + get_python_version() + (sys.pydebug and '-debug' or '')) - elif os.name == "nt": - return os.path.join(prefix, "include") - elif os.name == "os2": -@@ -248,7 +249,7 @@ def get_makefile_filename(): - if python_build: - return os.path.join(project_base, "Makefile") - lib_dir = get_python_lib(plat_specific=1, standard_lib=1) -- return os.path.join(lib_dir, "config", "Makefile") -+ return os.path.join(lib_dir, "config" + (sys.pydebug and "-debug" or ""), "Makefile") - - - def parse_config_h(fp, g=None): -diff --git a/Lib/distutils/tests/test_install.py b/Lib/distutils/tests/test_install.py -index 78fac46..d1d0931 100644 ---- a/Lib/distutils/tests/test_install.py -+++ b/Lib/distutils/tests/test_install.py -@@ -20,8 +20,9 @@ from distutils.tests import support - - - def _make_ext_name(modname): -- if os.name == 'nt' and sys.executable.endswith('_d.exe'): -+ if sys.pydebug: - modname += '_d' -+ - return modname + sysconfig.get_config_var('SO') - - -diff --git a/Makefile.pre.in b/Makefile.pre.in -index 997a2fc..467e782 100644 ---- a/Makefile.pre.in -+++ b/Makefile.pre.in -@@ -116,8 +116,8 @@ SCRIPTDIR= $(prefix)/lib64 - # Detailed destination directories - BINLIBDEST= $(LIBDIR)/python$(VERSION) - LIBDEST= $(SCRIPTDIR)/python$(VERSION) --INCLUDEPY= $(INCLUDEDIR)/python$(VERSION) --CONFINCLUDEPY= $(CONFINCLUDEDIR)/python$(VERSION) -+INCLUDEPY= $(INCLUDEDIR)/python$(VERSION)$(DEBUG_SUFFIX) -+CONFINCLUDEPY= $(CONFINCLUDEDIR)/python$(VERSION)$(DEBUG_SUFFIX) - LIBP= $(LIBDIR)/python$(VERSION) - - # Symbols used for using shared libraries -@@ -131,6 +131,12 @@ DESTSHARED= $(BINLIBDEST)/lib-dynload - EXE= @EXEEXT@ - BUILDEXE= @BUILDEXEEXT@ - -+# DEBUG_EXT is used by ELF files (names and SONAMEs); it will be "_d" for a debug build -+# DEBUG_SUFFIX is used by filesystem 
paths; it will be "-debug" for a debug build -+# Both will be empty in an optimized build -+DEBUG_EXT= @DEBUG_EXT@ -+DEBUG_SUFFIX= @DEBUG_SUFFIX@ -+ - # Short name and location for Mac OS X Python framework - UNIVERSALSDK=@UNIVERSALSDK@ - PYTHONFRAMEWORK= @PYTHONFRAMEWORK@ -@@ -197,8 +203,8 @@ LIBOBJDIR= Python/ - LIBOBJS= @LIBOBJS@ - UNICODE_OBJS= @UNICODE_OBJS@ - --PYTHON= python$(EXE) --BUILDPYTHON= python$(BUILDEXE) -+PYTHON= python$(DEBUG_SUFFIX)$(EXE) -+BUILDPYTHON= python$(DEBUG_SUFFIX)$(BUILDEXE) - - PYTHON_FOR_REGEN=@PYTHON_FOR_REGEN@ - PYTHON_FOR_BUILD=@PYTHON_FOR_BUILD@ -@@ -547,7 +553,7 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o - _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ - $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build - --libpython$(VERSION).so: $(LIBRARY_OBJS) -+libpython$(VERSION)$(DEBUG_EXT).so: $(LIBRARY_OBJS) - if test $(INSTSONAME) != $(LDLIBRARY); then \ - $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ - $(LN) -f $(INSTSONAME) $@; \ -@@ -954,18 +960,18 @@ bininstall: altbininstall - then rm -f $(DESTDIR)$(BINDIR)/$(PYTHON); \ - else true; \ - fi -- (cd $(DESTDIR)$(BINDIR); $(LN) -s python2$(EXE) $(PYTHON)) -- -rm -f $(DESTDIR)$(BINDIR)/python2$(EXE) -- (cd $(DESTDIR)$(BINDIR); $(LN) -s python$(VERSION)$(EXE) python2$(EXE)) -- -rm -f $(DESTDIR)$(BINDIR)/python2-config -- (cd $(DESTDIR)$(BINDIR); $(LN) -s python$(VERSION)-config python2-config) -- -rm -f $(DESTDIR)$(BINDIR)/python-config -- (cd $(DESTDIR)$(BINDIR); $(LN) -s python2-config python-config) -+ (cd $(DESTDIR)$(BINDIR); $(LN) -s python2$(DEBUG_SUFFIX)$(EXE) $(PYTHON)) -+ -rm -f $(DESTDIR)$(BINDIR)/python2$(DEBUG_SUFFIX)$(EXE) -+ (cd $(DESTDIR)$(BINDIR); $(LN) -s python$(VERSION)$(DEBUG_SUFFIX)$(EXE) python2$(DEBUG_SUFFIX)$(EXE)) -+ -rm -f $(DESTDIR)$(BINDIR)/python2$(DEBUG_SUFFIX)-config -+ (cd $(DESTDIR)$(BINDIR); $(LN) -s python$(VERSION)$(DEBUG_SUFFIX)-config 
python2$(DEBUG_SUFFIX)-config) -+ -rm -f $(DESTDIR)$(BINDIR)/python$(DEBUG_SUFFIX)-config -+ (cd $(DESTDIR)$(BINDIR); $(LN) -s python2$(DEBUG_SUFFIX)-config python$(DEBUG_SUFFIX)-config) - -test -d $(DESTDIR)$(LIBPC) || $(INSTALL) -d -m $(DIRMODE) $(DESTDIR)$(LIBPC) -- -rm -f $(DESTDIR)$(LIBPC)/python2.pc -- (cd $(DESTDIR)$(LIBPC); $(LN) -s python-$(VERSION).pc python2.pc) -- -rm -f $(DESTDIR)$(LIBPC)/python.pc -- (cd $(DESTDIR)$(LIBPC); $(LN) -s python2.pc python.pc) -+ -rm -f $(DESTDIR)$(LIBPC)/python2$(DEBUG_SUFFIX).pc -+ (cd $(DESTDIR)$(LIBPC); $(LN) -s python-$(VERSION)$(DEBUG_SUFFIX).pc python2$(DEBUG_SUFFIX).pc) -+ -rm -f $(DESTDIR)$(LIBPC)/python$(DEBUG_SUFFIX).pc -+ (cd $(DESTDIR)$(LIBPC); $(LN) -s python2$(DEBUG_SUFFIX).pc python$(DEBUG_SUFFIX).pc) - - # Install the interpreter with $(VERSION) affixed - # This goes into $(exec_prefix) -@@ -978,7 +984,7 @@ altbininstall: $(BUILDPYTHON) - else true; \ - fi; \ - done -- $(INSTALL_PROGRAM) $(BUILDPYTHON) $(DESTDIR)$(BINDIR)/python$(VERSION)$(EXE) -+ $(INSTALL_PROGRAM) $(BUILDPYTHON) $(DESTDIR)$(BINDIR)/python$(VERSION)$(DEBUG_SUFFIX)$(EXE) - if test -f $(LDLIBRARY); then \ - if test -n "$(DLLLIBRARY)" ; then \ - $(INSTALL_SHARED) $(DLLLIBRARY) $(DESTDIR)$(BINDIR); \ -@@ -1148,10 +1154,11 @@ $(srcdir)/Lib/$(PLATDIR): - fi; \ - cd $(srcdir)/Lib/$(PLATDIR); $(RUNSHARED) ./regen - --python-config: $(srcdir)/Misc/python-config.in -+python$(DEBUG_SUFFIX)-config: $(srcdir)/Misc/python-config.in - # Substitution happens here, as the completely-expanded BINDIR - # is not available in configure -- sed -e "s,@EXENAME@,$(BINDIR)/python$(VERSION)$(EXE)," < $(srcdir)/Misc/python-config.in >python-config -+ sed -e "s,@EXENAME@,$(BINDIR)/python$(VERSION)$(DEBUG_SUFFIX)$(EXE)," < $(srcdir)/Misc/python-config.in >python$(DEBUG_SUFFIX)-config -+ - - # Install the include files - INCLDIRSTOMAKE=$(INCLUDEDIR) $(CONFINCLUDEDIR) $(INCLUDEPY) $(CONFINCLUDEPY) -@@ -1172,13 +1179,13 @@ inclinstall: - $(INSTALL_DATA) pyconfig.h 
$(DESTDIR)$(CONFINCLUDEPY)/pyconfig.h - - # Install the library and miscellaneous stuff needed for extending/embedding --# This goes into $(exec_prefix) --LIBPL= $(LIBP)/config -+# This goes into $(exec_prefix)$(DEBUG_SUFFIX) -+LIBPL= $(LIBP)/config$(DEBUG_SUFFIX) - - # pkgconfig directory - LIBPC= $(LIBDIR)/pkgconfig - --libainstall: @DEF_MAKE_RULE@ python-config -+libainstall: @DEF_MAKE_RULE@ python$(DEBUG_SUFFIX)-config - @for i in $(LIBDIR) $(LIBP) $(LIBPL) $(LIBPC); \ - do \ - if test ! -d $(DESTDIR)$$i; then \ -@@ -1194,11 +1201,10 @@ libainstall: all python-config - $(INSTALL_DATA) Modules/Setup $(DESTDIR)$(LIBPL)/Setup - $(INSTALL_DATA) Modules/Setup.local $(DESTDIR)$(LIBPL)/Setup.local - $(INSTALL_DATA) Modules/Setup.config $(DESTDIR)$(LIBPL)/Setup.config -- $(INSTALL_DATA) Misc/python.pc $(DESTDIR)$(LIBPC)/python-$(VERSION).pc -+ $(INSTALL_DATA) Misc/python.pc $(DESTDIR)$(LIBPC)/python-$(VERSION)$(DEBUG_SUFFIX).pc - $(INSTALL_SCRIPT) $(srcdir)/Modules/makesetup $(DESTDIR)$(LIBPL)/makesetup - $(INSTALL_SCRIPT) $(srcdir)/install-sh $(DESTDIR)$(LIBPL)/install-sh -- $(INSTALL_SCRIPT) python-config $(DESTDIR)$(BINDIR)/python$(VERSION)-config -- rm python-config -+ $(INSTALL_SCRIPT) python$(DEBUG_SUFFIX)-config $(DESTDIR)$(BINDIR)/python$(VERSION)$(DEBUG_SUFFIX)-config - @if [ -s Modules/python.exp -a \ - "`echo $(MACHDEP) | sed 's/^(...).*/\1/'`" = "aix" ]; then \ - echo; echo "Installing support files for building shared extension modules on AIX:"; \ -diff --git a/Misc/python-config.in b/Misc/python-config.in -index a09e07c..c1691ef 100644 ---- a/Misc/python-config.in -+++ b/Misc/python-config.in -@@ -44,7 +44,7 @@ for opt in opt_flags: - print ' '.join(flags) - - elif opt in ('--libs', '--ldflags'): -- libs = ['-lpython' + pyver] -+ libs = ['-lpython' + pyver + (sys.pydebug and "_d" or "")] - libs += getvar('LIBS').split() - libs += getvar('SYSLIBS').split() - # add the prefix/lib/pythonX.Y/config dir, but only if there is no -diff --git a/Modules/makesetup 
b/Modules/makesetup -index 1bffcbf..f0bc743 100755 ---- a/Modules/makesetup -+++ b/Modules/makesetup -@@ -233,7 +233,7 @@ sed -e 's/[ ]*#.*//' -e '/^[ ]*$/d' | - *$mod.o*) base=$mod;; - *) base=${mod}module;; - esac -- file="$srcdir/$base$(SO)" -+ file="$srcdir/$base$(DEBUG_EXT)$(SO)" - case $doconfig in - no) SHAREDMODS="$SHAREDMODS $file";; - esac -diff --git a/Python/dynload_shlib.c b/Python/dynload_shlib.c -index 17ebab1..02a94aa 100644 ---- a/Python/dynload_shlib.c -+++ b/Python/dynload_shlib.c -@@ -46,11 +46,16 @@ const struct filedescr _PyImport_DynLoadFiletab[] = { - {"module.exe", "rb", C_EXTENSION}, - {"MODULE.EXE", "rb", C_EXTENSION}, - #else -+#ifdef Py_DEBUG -+ {"_d.so", "rb", C_EXTENSION}, -+ {"module_d.so", "rb", C_EXTENSION}, -+#else - {".so", "rb", C_EXTENSION}, - {"module.so", "rb", C_EXTENSION}, --#endif --#endif --#endif -+#endif /* Py_DEBUG */ -+#endif /* __VMS */ -+#endif /* defined(PYOS_OS2) && defined(PYCC_GCC) */ -+#endif /* __CYGWIN__ */ - {0, 0} - }; - -diff --git a/Python/sysmodule.c b/Python/sysmodule.c -index aeff38a..183e3cc 100644 ---- a/Python/sysmodule.c -+++ b/Python/sysmodule.c -@@ -1524,6 +1524,12 @@ _PySys_Init(void) - PyString_FromString("legacy")); - #endif - -+#ifdef Py_DEBUG -+ PyDict_SetItemString(sysdict, "pydebug", Py_True); -+#else -+ PyDict_SetItemString(sysdict, "pydebug", Py_False); -+#endif -+ - #undef SET_SYS_FROM_STRING - if (PyErr_Occurred()) - return NULL; -diff --git a/configure.ac b/configure.ac -index 0a902c7..5caedb7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -764,7 +764,7 @@ AC_SUBST(LIBRARY) - AC_MSG_CHECKING(LIBRARY) - if test -z "$LIBRARY" - then -- LIBRARY='libpython$(VERSION).a' -+ LIBRARY='libpython$(VERSION)$(DEBUG_EXT).a' - fi - AC_MSG_RESULT($LIBRARY) - -@@ -910,8 +910,8 @@ if test $enable_shared = "yes"; then - INSTSONAME="$LDLIBRARY".$SOVERSION - ;; - Linux*|GNU*|NetBSD*|FreeBSD*|DragonFly*|OpenBSD*) -- LDLIBRARY='libpython$(VERSION).so' -- BLDLIBRARY='-L. 
-lpython$(VERSION)' -+ LDLIBRARY='libpython$(VERSION)$(DEBUG_EXT).so' -+ BLDLIBRARY='-L. -lpython$(VERSION)$(DEBUG_EXT)' - RUNSHARED=LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} - case $ac_sys_system in - FreeBSD*) -@@ -1040,6 +1040,14 @@ else AC_MSG_RESULT(no); Py_DEBUG='false' - fi], - [AC_MSG_RESULT(no)]) - -+if test "$Py_DEBUG" = 'true' -+then -+ DEBUG_EXT=_d -+ DEBUG_SUFFIX=-debug -+fi -+AC_SUBST(DEBUG_EXT) -+AC_SUBST(DEBUG_SUFFIX) -+ - # XXX Shouldn't the code above that fiddles with BASECFLAGS and OPT be - # merged with this chunk of code? - --- -2.11.0 - diff --git a/python/patches/00113-more-configuration-flags.patch b/python/patches/00113-more-configuration-flags.patch deleted file mode 100644 index 2d447b243..000000000 --- a/python/patches/00113-more-configuration-flags.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -diff -up Python-2.6.5/configure.ac.more-configuration-flags Python-2.6.5/configure.ac ---- Python-2.6.5/configure.ac.more-configuration-flags 2010-05-24 18:51:25.410111792 -0400 -+++ Python-2.6.5/configure.ac 2010-05-24 18:59:23.954986388 -0400 -@@ -2515,6 +2515,30 @@ else AC_MSG_RESULT(no) - fi], - [AC_MSG_RESULT(no)]) - -+AC_MSG_CHECKING(for --with-count-allocs) -+AC_ARG_WITH(count-allocs, -+[ --with(out)count-allocs enable/disable per-type instance accounting], [ -+if test "$withval" != no -+then -+ AC_DEFINE(COUNT_ALLOCS, 1, -+ [Define to keep records of the number of instances of each type]) -+ AC_MSG_RESULT(yes) -+else AC_MSG_RESULT(no) -+fi], -+[AC_MSG_RESULT(no)]) -+ -+AC_MSG_CHECKING(for --with-call-profile) -+AC_ARG_WITH(call-profile, -+[ --with(out)-call-profile enable/disable statistics on function call invocation], [ -+if test "$withval" != no -+then -+ AC_DEFINE(CALL_PROFILE, 1, -+ [Define to keep records on function call invocation]) -+ AC_MSG_RESULT(yes) -+else AC_MSG_RESULT(no) -+fi], -+[AC_MSG_RESULT(no)]) -+ - # Check for Python-specific malloc support - AC_MSG_CHECKING(for --with-pymalloc) - AC_ARG_WITH(pymalloc, -diff -up Python-2.6.5/pyconfig.h.in.more-configuration-flags Python-2.6.5/pyconfig.h.in ---- Python-2.6.5/pyconfig.h.in.more-configuration-flags 2010-05-24 18:51:45.677988086 -0400 -+++ Python-2.6.5/pyconfig.h.in 2010-05-24 19:00:44.163987730 -0400 -@@ -1019,6 +1019,12 @@ - /* Define to profile with the Pentium timestamp counter */ - #undef WITH_TSC - -+/* Define to keep records of the number of instances of each type */ -+#undef COUNT_ALLOCS -+ -+/* Define to keep records on function call invocation */ -+#undef CALL_PROFILE -+ - /* Define if you want pymalloc to be disabled when running under valgrind */ - #undef WITH_VALGRIND - diff --git a/python/patches/00114-statvfs-f_flag-constants.patch b/python/patches/00114-statvfs-f_flag-constants.patch deleted file mode 100644 index 83e7b5983..000000000 
--- a/python/patches/00114-statvfs-f_flag-constants.patch +++ /dev/null @@ -1,47 +0,0 @@ -diff -up Python-2.7rc1/Modules/posixmodule.c.statvfs-f-flag-constants Python-2.7rc1/Modules/posixmodule.c ---- Python-2.7rc1/Modules/posixmodule.c.statvfs-f-flag-constants 2010-05-15 17:45:30.000000000 -0400 -+++ Python-2.7rc1/Modules/posixmodule.c 2010-06-07 22:54:16.162068624 -0400 -@@ -9174,6 +9174,43 @@ all_ins(PyObject *d) - #endif - #endif - -+ /* These came from statvfs.h */ -+#ifdef ST_RDONLY -+ if (ins(d, "ST_RDONLY", (long)ST_RDONLY)) return -1; -+#endif /* ST_RDONLY */ -+#ifdef ST_NOSUID -+ if (ins(d, "ST_NOSUID", (long)ST_NOSUID)) return -1; -+#endif /* ST_NOSUID */ -+ -+ /* GNU extensions */ -+#ifdef ST_NODEV -+ if (ins(d, "ST_NODEV", (long)ST_NODEV)) return -1; -+#endif /* ST_NODEV */ -+#ifdef ST_NOEXEC -+ if (ins(d, "ST_NOEXEC", (long)ST_NOEXEC)) return -1; -+#endif /* ST_NOEXEC */ -+#ifdef ST_SYNCHRONOUS -+ if (ins(d, "ST_SYNCHRONOUS", (long)ST_SYNCHRONOUS)) return -1; -+#endif /* ST_SYNCHRONOUS */ -+#ifdef ST_MANDLOCK -+ if (ins(d, "ST_MANDLOCK", (long)ST_MANDLOCK)) return -1; -+#endif /* ST_MANDLOCK */ -+#ifdef ST_WRITE -+ if (ins(d, "ST_WRITE", (long)ST_WRITE)) return -1; -+#endif /* ST_WRITE */ -+#ifdef ST_APPEND -+ if (ins(d, "ST_APPEND", (long)ST_APPEND)) return -1; -+#endif /* ST_APPEND */ -+#ifdef ST_NOATIME -+ if (ins(d, "ST_NOATIME", (long)ST_NOATIME)) return -1; -+#endif /* ST_NOATIME */ -+#ifdef ST_NODIRATIME -+ if (ins(d, "ST_NODIRATIME", (long)ST_NODIRATIME)) return -1; -+#endif /* ST_NODIRATIME */ -+#ifdef ST_RELATIME -+ if (ins(d, "ST_RELATIME", (long)ST_RELATIME)) return -1; -+#endif /* ST_RELATIME */ -+ - #if defined(PYOS_OS2) - if (insertvalues(d)) return -1; - #endif diff --git a/python/patches/00121-add-Modules-to-build-path.patch b/python/patches/00121-add-Modules-to-build-path.patch deleted file mode 100644 index 6e3294db4..000000000 --- a/python/patches/00121-add-Modules-to-build-path.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- Python-2.7.5/Lib/site.py.orig 2013-05-16 12:47:55.000000000 +0200 -+++ Python-2.7.5/Lib/site.py 2013-05-16 12:56:20.089058109 +0200 -@@ -529,6 +529,10 @@ def main(): - - abs__file__() - known_paths = removeduppaths() -+ from sysconfig import is_python_build -+ if is_python_build(): -+ from _sysconfigdata import build_time_vars -+ sys.path.append(os.path.join(build_time_vars['abs_builddir'], 'Modules')) - if ENABLE_USER_SITE is None: - ENABLE_USER_SITE = check_enableusersite() - known_paths = addusersitepackages(known_paths) diff --git a/python/patches/00131-disable-tests-in-test_io.patch b/python/patches/00131-disable-tests-in-test_io.patch deleted file mode 100644 index d81a2d0cd..000000000 --- a/python/patches/00131-disable-tests-in-test_io.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up Python-2.7.2/Lib/test/test_io.py.disable-tests-in-test_io Python-2.7.2/Lib/test/test_io.py ---- Python-2.7.2/Lib/test/test_io.py.disable-tests-in-test_io 2011-09-01 14:18:45.963304089 -0400 -+++ Python-2.7.2/Lib/test/test_io.py 2011-09-01 15:08:53.796098413 -0400 -@@ -2669,6 +2669,7 @@ class SignalsTest(unittest.TestCase): - self.check_interrupted_read_retry(lambda x: x, - mode="r") - -+ @unittest.skip('rhbz#732998') - @unittest.skipUnless(threading, 'Threading required for this test.') - def check_interrupted_write_retry(self, item, **fdopen_kwargs): - """Check that a buffered write, when it gets interrupted (either diff --git a/python/patches/00132-add-rpmbuild-hooks-to-unittest.patch b/python/patches/00132-add-rpmbuild-hooks-to-unittest.patch deleted file mode 100644 index e63395fb1..000000000 --- a/python/patches/00132-add-rpmbuild-hooks-to-unittest.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -diff -up Python-2.7.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest Python-2.7.2/Lib/unittest/case.py ---- Python-2.7.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest 2011-09-08 14:45:47.677169191 -0400 -+++ Python-2.7.2/Lib/unittest/case.py 2011-09-08 16:01:36.287858159 -0400 -@@ -1,6 +1,7 @@ - """Test case implementation""" - - import collections -+import os - import sys - import functools - import difflib -@@ -94,6 +95,43 @@ def expectedFailure(func): - return wrapper - - -+# Non-standard/downstream-only hooks for handling issues with specific test -+# cases: -+ -+def _skipInRpmBuild(reason): -+ """ -+ Non-standard/downstream-only decorator for marking a specific unit test -+ to be skipped when run within the %check of an rpmbuild. -+ -+ Specifically, this takes effect when WITHIN_PYTHON_RPM_BUILD is set within -+ the environment, and has no effect otherwise. -+ """ -+ if 'WITHIN_PYTHON_RPM_BUILD' in os.environ: -+ return skip(reason) -+ else: -+ return _id -+ -+def _expectedFailureInRpmBuild(func): -+ """ -+ Non-standard/downstream-only decorator for marking a specific unit test -+ as expected to fail within the %check of an rpmbuild. -+ -+ Specifically, this takes effect when WITHIN_PYTHON_RPM_BUILD is set within -+ the environment, and has no effect otherwise. 
-+ """ -+ @functools.wraps(func) -+ def wrapper(*args, **kwargs): -+ if 'WITHIN_PYTHON_RPM_BUILD' in os.environ: -+ try: -+ func(*args, **kwargs) -+ except Exception: -+ raise _ExpectedFailure(sys.exc_info()) -+ raise _UnexpectedSuccess -+ else: -+ # Call directly: -+ func(*args, **kwargs) -+ return wrapper -+ - class _AssertRaisesContext(object): - """A context manager used to implement TestCase.assertRaises* methods.""" - -diff -up Python-2.7.2/Lib/unittest/__init__.py.add-rpmbuild-hooks-to-unittest Python-2.7.2/Lib/unittest/__init__.py ---- Python-2.7.2/Lib/unittest/__init__.py.add-rpmbuild-hooks-to-unittest 2011-09-08 14:59:39.534112310 -0400 -+++ Python-2.7.2/Lib/unittest/__init__.py 2011-09-08 15:07:09.191081562 -0400 -@@ -57,7 +57,8 @@ __unittest = True - - from .result import TestResult - from .case import (TestCase, FunctionTestCase, SkipTest, skip, skipIf, -- skipUnless, expectedFailure) -+ skipUnless, expectedFailure, -+ _skipInRpmBuild, _expectedFailureInRpmBuild) - from .suite import BaseTestSuite, TestSuite - from .loader import (TestLoader, defaultTestLoader, makeSuite, getTestCaseNames, - findTestCases) diff --git a/python/patches/00133-skip-test_dl.patch b/python/patches/00133-skip-test_dl.patch deleted file mode 100644 index 04ad05b96..000000000 --- a/python/patches/00133-skip-test_dl.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up Python-2.7.2/Lib/test/test_dl.py.skip-test_dl Python-2.7.2/Lib/test/test_dl.py ---- Python-2.7.2/Lib/test/test_dl.py.skip-test_dl 2011-09-08 15:18:40.529034289 -0400 -+++ Python-2.7.2/Lib/test/test_dl.py 2011-09-08 16:29:45.184742670 -0400 -@@ -13,6 +13,9 @@ sharedlibs = [ - ('/usr/lib/libc.dylib', 'getpid'), - ] - -+# (also, "dl" is deprecated in favor of ctypes) -+@unittest._skipInRpmBuild('fails on 64-bit builds: ' -+ 'module dl requires sizeof(int) == sizeof(long) == sizeof(char*)') - def test_main(): - for s, func in sharedlibs: - try: 
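Review bot: In the refreshed net-snmp pie patch (agent/Makefile.in, the `snmpd$(EXEEXT)` rule), `-pie` appears only on the link line, `$(LINK) $(CFLAGS) -o $@ -pie ${LAGENTOBJS} ${LDFLAGS} ${OUR_AGENT_LIBS}`, and nothing in the visible hunk adds `-fPIE` or `-fPIC` where the agent objects are compiled. Linking non-position-independent objects with `-pie` can fail or leave text relocations, so please confirm that the package's build flags already compile these objects as position-independent code. Checking that the resulting snmpd and snmptrapd binaries are ELF type DYN would confirm the hardening holds after the update.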
diff --git a/python/patches/00136-skip-tests-of-seeking-stdin-in-rpmbuild.patch b/python/patches/00136-skip-tests-of-seeking-stdin-in-rpmbuild.patch deleted file mode 100644 index 4d7626f47..000000000 --- a/python/patches/00136-skip-tests-of-seeking-stdin-in-rpmbuild.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up Python-2.7.6/Lib/test/test_file2k.py.stdin-test Python-2.7.6/Lib/test/test_file2k.py ---- Python-2.7.6/Lib/test/test_file2k.py.stdin-test 2013-11-10 08:36:40.000000000 +0100 -+++ Python-2.7.6/Lib/test/test_file2k.py 2014-01-29 14:28:01.029488055 +0100 -@@ -223,6 +223,7 @@ class OtherFileTests(unittest.TestCase): - else: - f.close() - -+ @unittest._skipInRpmBuild('seems not to raise the exception when run in Koji') - def testStdinSeek(self): - if sys.platform == 'osf1V5': - # This causes the interpreter to exit on OSF1 v5.1. diff --git a/python/patches/00137-skip-distutils-tests-that-fail-in-rpmbuild.patch b/python/patches/00137-skip-distutils-tests-that-fail-in-rpmbuild.patch deleted file mode 100644 index 7122a29d5..000000000 --- a/python/patches/00137-skip-distutils-tests-that-fail-in-rpmbuild.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Python-2.7.3/Lib/distutils/tests/test_bdist_rpm.py.mark-tests-that-fail-in-rpmbuild Python-2.7.3/Lib/distutils/tests/test_bdist_rpm.py ---- Python-2.7.3/Lib/distutils/tests/test_bdist_rpm.py.mark-tests-that-fail-in-rpmbuild 2012-04-09 19:07:29.000000000 -0400 -+++ Python-2.7.3/Lib/distutils/tests/test_bdist_rpm.py 2012-04-13 00:20:08.223819263 -0400 -@@ -24,6 +24,7 @@ setup(name='foo', version='0.1', py_modu - - """ - -+@unittest._skipInRpmBuild("don't try to nest one rpm build inside another rpm build") - class BuildRpmTestCase(support.TempdirManager, - support.EnvironGuard, - support.LoggingSilencer, -diff -up Python-2.7.3/Lib/distutils/tests/test_build_ext.py.mark-tests-that-fail-in-rpmbuild Python-2.7.3/Lib/distutils/tests/test_build_ext.py 
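Review bot: In pam/pam.nm, the new `source_dl` line reads `https://github.com/linux-pam/linux-pam/releases/download/v%%7Bversion%7D/`, where `%%7Bversion%7D` looks like a percent-encoded `%{version}`. If that is what was committed, rather than an artefact of this notification mail, the macro will not expand and the URL will not point at the 1.5.2 release directory. Please check the file in the tree and write it as `v%{version}`, in the same form the `thisapp = Linux-PAM-%{version}` line uses. Moving the download from plain HTTP to HTTPS in the same hunk is a welcome change.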
diff --git a/python/patches/00138-fix-distutils-tests-in-debug-build.patch b/python/patches/00138-fix-distutils-tests-in-debug-build.patch deleted file mode 100644 index 1fd10914f..000000000 --- a/python/patches/00138-fix-distutils-tests-in-debug-build.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -diff -up Python-2.7.2/Lib/distutils/tests/test_build_ext.py.mark-tests-that-fail-in-rpmbuild Python-2.7.2/Lib/distutils/tests/test_build_ext.py ---- Python-2.7.2/Lib/distutils/tests/test_build_ext.py.mark-tests-that-fail-in-rpmbuild 2011-09-08 16:07:25.033834312 -0400 -+++ Python-2.7.2/Lib/distutils/tests/test_build_ext.py 2011-09-08 17:43:15.656441082 -0400 -@@ -330,6 +332,7 @@ class BuildExtTestCase(support.TempdirMa - self.assertEqual(lastdir, 'bar') - - def test_ext_fullpath(self): -+ debug_ext = sysconfig.get_config_var("DEBUG_EXT") - ext = sysconfig.get_config_vars()['SO'] - dist = Distribution() - cmd = build_ext(dist) -@@ -337,14 +340,14 @@ class BuildExtTestCase(support.TempdirMa - cmd.distribution.package_dir = {'': 'src'} - cmd.distribution.packages = ['lxml', 'lxml.html'] - curdir = os.getcwd() -- wanted = os.path.join(curdir, 'src', 'lxml', 'etree' + ext) -+ wanted = os.path.join(curdir, 'src', 'lxml', 'etree' + debug_ext + ext) - path = cmd.get_ext_fullpath('lxml.etree') - self.assertEqual(wanted, path) - - # building lxml.etree not inplace - cmd.inplace = 0 - cmd.build_lib = os.path.join(curdir, 'tmpdir') -- wanted = os.path.join(curdir, 'tmpdir', 'lxml', 'etree' + ext) -+ wanted = os.path.join(curdir, 'tmpdir', 'lxml', 'etree' + debug_ext + ext) - path = cmd.get_ext_fullpath('lxml.etree') - self.assertEqual(wanted, path) - -@@ -354,13 +357,13 @@ class BuildExtTestCase(support.TempdirMa - cmd.distribution.packages = ['twisted', 'twisted.runner.portmap'] - path = cmd.get_ext_fullpath('twisted.runner.portmap') - wanted = os.path.join(curdir, 'tmpdir', 'twisted', 'runner', -- 'portmap' + ext) -+ 'portmap' + debug_ext + ext) - self.assertEqual(wanted, path) - - # building twisted.runner.portmap inplace - cmd.inplace = 1 - path = cmd.get_ext_fullpath('twisted.runner.portmap') -- wanted = os.path.join(curdir, 'twisted', 'runner', 'portmap' + ext) -+ wanted = os.path.join(curdir, 'twisted', 'runner', 'portmap' + debug_ext + ext) - 
self.assertEqual(wanted, path) - - def test_build_ext_inplace(self): -@@ -373,8 +376,9 @@ class BuildExtTestCase(support.TempdirMa - cmd.distribution.package_dir = {'': 'src'} - cmd.distribution.packages = ['lxml', 'lxml.html'] - curdir = os.getcwd() -+ debug_ext = sysconfig.get_config_var("DEBUG_EXT") - ext = sysconfig.get_config_var("SO") -- wanted = os.path.join(curdir, 'src', 'lxml', 'etree' + ext) -+ wanted = os.path.join(curdir, 'src', 'lxml', 'etree' + debug_ext + ext) - path = cmd.get_ext_fullpath('lxml.etree') - self.assertEqual(wanted, path) - -@@ -412,10 +416,11 @@ class BuildExtTestCase(support.TempdirMa - dist = Distribution({'name': 'UpdateManager'}) - cmd = build_ext(dist) - cmd.ensure_finalized() -+ debug_ext = sysconfig.get_config_var("DEBUG_EXT") - ext = sysconfig.get_config_var("SO") - ext_name = os.path.join('UpdateManager', 'fdsend') - ext_path = cmd.get_ext_fullpath(ext_name) -- wanted = os.path.join(cmd.build_lib, 'UpdateManager', 'fdsend' + ext) -+ wanted = os.path.join(cmd.build_lib, 'UpdateManager', 'fdsend' + debug_ext + ext) - self.assertEqual(ext_path, wanted) - - @unittest.skipUnless(sys.platform == 'win32', 'these tests require Windows') diff --git a/python/patches/00139-skip-test_float-known-failure-on-arm.patch b/python/patches/00139-skip-test_float-known-failure-on-arm.patch deleted file mode 100644 index 9d0bfad79..000000000 --- a/python/patches/00139-skip-test_float-known-failure-on-arm.patch +++ /dev/null 
@@ -1,11 +0,0 @@ -diff -up Python-2.7.2/Lib/test/test_float.py.skip-test_float-known-failure-on-arm Python-2.7.2/Lib/test/test_float.py ---- Python-2.7.2/Lib/test/test_float.py.skip-test_float-known-failure-on-arm 2011-09-08 19:34:09.000986128 -0400 -+++ Python-2.7.2/Lib/test/test_float.py 2011-09-08 19:34:57.969982779 -0400 -@@ -1072,6 +1072,7 @@ class HexFloatTestCase(unittest.TestCase - self.identical(got, expected) - - -+ @unittest.skip('Known failure on ARM: http://bugs.python.org/issue8265') - def test_from_hex(self): - MIN = self.MIN; - MAX = self.MAX; diff --git a/python/patches/00140-skip-test_ctypes-known-failure-on-sparc.patch b/python/patches/00140-skip-test_ctypes-known-failure-on-sparc.patch deleted file mode 100644 index 95aa41e51..000000000 --- a/python/patches/00140-skip-test_ctypes-known-failure-on-sparc.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up Python-2.7.2/Lib/ctypes/test/test_callbacks.py.skip-test_ctypes-known-failure-on-sparc Python-2.7.2/Lib/ctypes/test/test_callbacks.py ---- Python-2.7.2/Lib/ctypes/test/test_callbacks.py.skip-test_ctypes-known-failure-on-sparc 2011-09-08 19:42:35.541951490 -0400 -+++ Python-2.7.2/Lib/ctypes/test/test_callbacks.py 2011-09-08 19:43:40.676947036 -0400 -@@ -67,6 +67,7 @@ class Callbacks(unittest.TestCase): - self.check_type(c_longlong, 42) - self.check_type(c_longlong, -42) - -+ @unittest.skip('Known failure on Sparc: http://bugs.python.org/issue8314') - def test_ulonglong(self): - # test some 64-bit values, with and without msb set. - self.check_type(c_ulonglong, 10955412242170339782) diff --git a/python/patches/00142-skip-failing-pty-tests-in-rpmbuild.patch b/python/patches/00142-skip-failing-pty-tests-in-rpmbuild.patch deleted file mode 100644 index 2f51165b1..000000000 --- a/python/patches/00142-skip-failing-pty-tests-in-rpmbuild.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up Python-2.7.6/Lib/test/test_openpty.py.tty-fail Python-2.7.6/Lib/test/test_openpty.py ---- Python-2.7.6/Lib/test/test_openpty.py.tty-fail 2014-01-29 14:31:43.761343267 +0100 -+++ Python-2.7.6/Lib/test/test_openpty.py 2014-01-29 14:32:19.284090165 +0100 -@@ -8,6 +8,7 @@ if not hasattr(os, "openpty"): - - - class OpenptyTest(unittest.TestCase): -+ @unittest._skipInRpmBuild('sometimes fails in Koji, possibly due to a mock issue (rhbz#714627)') - def test(self): - master, slave = os.openpty() - self.addCleanup(os.close, master) -diff -up Python-2.7.6/Lib/test/test_pty.py.tty-fail Python-2.7.6/Lib/test/test_pty.py ---- Python-2.7.6/Lib/test/test_pty.py.tty-fail 2013-11-10 08:36:40.000000000 +0100 -+++ Python-2.7.6/Lib/test/test_pty.py 2014-01-29 14:31:43.761343267 +0100 -@@ -111,6 +111,7 @@ class PtyTest(unittest.TestCase): - os.close(master_fd) - - -+ @unittest._skipInRpmBuild('sometimes fails in Koji, possibly due to a mock issue (rhbz#714627)') - def test_fork(self): - debug("calling pty.fork()") - pid, master_fd = pty.fork() diff --git a/python/patches/00143-tsc-on-ppc.patch b/python/patches/00143-tsc-on-ppc.patch deleted file mode 100644 index 447c6e3a1..000000000 --- a/python/patches/00143-tsc-on-ppc.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -diff -up Python-2.7.2/Python/ceval.c.tsc-on-ppc Python-2.7.2/Python/ceval.c ---- Python-2.7.2/Python/ceval.c.tsc-on-ppc 2011-08-23 14:59:48.051300849 -0400 -+++ Python-2.7.2/Python/ceval.c 2011-08-23 15:33:25.412162902 -0400 -@@ -37,24 +37,42 @@ typedef unsigned long long uint64; - */ - #if defined(__ppc__) || defined (__powerpc__) - --#define READ_TIMESTAMP(var) ppc_getcounter(&var) -+#if defined( __powerpc64__) || defined(__LP64__) -+/* 64-bit PowerPC */ -+#define READ_TIMESTAMP(var) ppc64_getcounter(&var) -+static void -+ppc64_getcounter(uint64 *v) -+{ -+ /* On 64-bit PowerPC we can read the 64-bit timebase directly into a -+ 64-bit register */ -+ uint64 timebase; -+#ifdef _ARCH_PWR4 -+ asm volatile ("mfspr %0,268" : "=r" (timebase)); -+#else -+ asm volatile ("mftb %0" : "=r" (timebase)); -+#endif -+ *v = timebase; -+} -+ -+#else -+/* 32-bit PowerPC */ -+#define READ_TIMESTAMP(var) ppc32_getcounter(&var) - - static void --ppc_getcounter(uint64 *v) -+ppc32_getcounter(uint64 *v) - { -- register unsigned long tbu, tb, tbu2; -+ union { long long ll; long ii[2]; } u; -+ long tmp; - - loop: -- asm volatile ("mftbu %0" : "=r" (tbu) ); -- asm volatile ("mftb %0" : "=r" (tb) ); -- asm volatile ("mftbu %0" : "=r" (tbu2)); -- if (__builtin_expect(tbu != tbu2, 0)) goto loop; -- -- /* The slightly peculiar way of writing the next lines is -- compiled better by GCC than any other way I tried. */ -- ((long*)(v))[0] = tbu; -- ((long*)(v))[1] = tb; -+ asm volatile ("mftbu %0" : "=r" (u.ii[0]) ); -+ asm volatile ("mftb %0" : "=r" (u.ii[1]) ); -+ asm volatile ("mftbu %0" : "=r" (tmp)); -+ if (__builtin_expect(u.ii[0] != tmp, 0)) goto loop; -+ -+ *v = u.ll; - } -+#endif /* powerpc 32/64 bit */ - - #elif defined(__i386__) - diff --git a/python/patches/00147-add-debug-malloc-stats.patch b/python/patches/00147-add-debug-malloc-stats.patch deleted file mode 100644 index 0d783f5b8..000000000 --- a/python/patches/00147-add-debug-malloc-stats.patch +++ /dev/null 
@@ -1,711 +0,0 @@ -diff -up Python-2.7.2/Include/dictobject.h.add-debug-malloc-stats Python-2.7.2/Include/dictobject.h ---- Python-2.7.2/Include/dictobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/dictobject.h 2011-09-16 19:03:25.105821625 -0400 -@@ -150,6 +150,8 @@ PyAPI_FUNC(PyObject *) PyDict_GetItemStr - PyAPI_FUNC(int) PyDict_SetItemString(PyObject *dp, const char *key, PyObject *item); - PyAPI_FUNC(int) PyDict_DelItemString(PyObject *dp, const char *key); - -+PyAPI_FUNC(void) _PyDict_DebugMallocStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/floatobject.h.add-debug-malloc-stats Python-2.7.2/Include/floatobject.h ---- Python-2.7.2/Include/floatobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/floatobject.h 2011-09-16 19:03:25.106821625 -0400 -@@ -132,6 +132,7 @@ PyAPI_FUNC(PyObject *) _PyFloat_FormatAd - failure. Used in builtin_round in bltinmodule.c. */ - PyAPI_FUNC(PyObject *) _Py_double_round(double x, int ndigits); - -+PyAPI_FUNC(void) _PyFloat_DebugMallocStats(FILE* out); - - - #ifdef __cplusplus -diff -up Python-2.7.2/Include/frameobject.h.add-debug-malloc-stats Python-2.7.2/Include/frameobject.h ---- Python-2.7.2/Include/frameobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/frameobject.h 2011-09-16 19:03:25.107821625 -0400 -@@ -80,6 +80,8 @@ PyAPI_FUNC(void) PyFrame_FastToLocals(Py - - PyAPI_FUNC(int) PyFrame_ClearFreeList(void); - -+PyAPI_FUNC(void) _PyFrame_DebugMallocStats(FILE *out); -+ - /* Return the line of code the frame is currently executing. 
*/ - PyAPI_FUNC(int) PyFrame_GetLineNumber(PyFrameObject *); - -diff -up Python-2.7.2/Include/intobject.h.add-debug-malloc-stats Python-2.7.2/Include/intobject.h ---- Python-2.7.2/Include/intobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/intobject.h 2011-09-16 19:03:25.107821625 -0400 -@@ -74,6 +74,8 @@ PyAPI_FUNC(PyObject *) _PyInt_FormatAdva - char *format_spec, - Py_ssize_t format_spec_len); - -+PyAPI_FUNC(void) _PyInt_DebugMallocStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/listobject.h.add-debug-malloc-stats Python-2.7.2/Include/listobject.h ---- Python-2.7.2/Include/listobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/listobject.h 2011-09-16 19:03:25.107821625 -0400 -@@ -62,6 +62,8 @@ PyAPI_FUNC(PyObject *) _PyList_Extend(Py - #define PyList_SET_ITEM(op, i, v) (((PyListObject *)(op))->ob_item[i] = (v)) - #define PyList_GET_SIZE(op) Py_SIZE(op) - -+PyAPI_FUNC(void) _PyList_DebugMallocStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/methodobject.h.add-debug-malloc-stats Python-2.7.2/Include/methodobject.h ---- Python-2.7.2/Include/methodobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/methodobject.h 2011-09-16 19:03:25.108821625 -0400 -@@ -87,6 +87,10 @@ typedef struct { - - PyAPI_FUNC(int) PyCFunction_ClearFreeList(void); - -+PyAPI_FUNC(void) _PyCFunction_DebugMallocStats(FILE *out); -+PyAPI_FUNC(void) _PyMethod_DebugMallocStats(FILE *out); -+ -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/object.h.add-debug-malloc-stats Python-2.7.2/Include/object.h ---- Python-2.7.2/Include/object.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/object.h 2011-09-16 19:03:25.108821625 -0400 -@@ -980,6 +980,13 @@ PyAPI_DATA(PyObject *) _PyTrash_delete_l - _PyTrash_thread_deposit_object((PyObject*)op); \ - } 
while (0); - -+PyAPI_FUNC(void) -+_PyDebugAllocatorStats(FILE *out, const char *block_name, int num_blocks, -+ size_t sizeof_block); -+ -+PyAPI_FUNC(void) -+_PyObject_DebugTypeStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/objimpl.h.add-debug-malloc-stats Python-2.7.2/Include/objimpl.h ---- Python-2.7.2/Include/objimpl.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/objimpl.h 2011-09-16 19:03:25.108821625 -0400 -@@ -101,13 +101,13 @@ PyAPI_FUNC(void) PyObject_Free(void *); - - /* Macros */ - #ifdef WITH_PYMALLOC -+PyAPI_FUNC(void) _PyObject_DebugMallocStats(FILE *out); - #ifdef PYMALLOC_DEBUG /* WITH_PYMALLOC && PYMALLOC_DEBUG */ - PyAPI_FUNC(void *) _PyObject_DebugMalloc(size_t nbytes); - PyAPI_FUNC(void *) _PyObject_DebugRealloc(void *p, size_t nbytes); - PyAPI_FUNC(void) _PyObject_DebugFree(void *p); - PyAPI_FUNC(void) _PyObject_DebugDumpAddress(const void *p); - PyAPI_FUNC(void) _PyObject_DebugCheckAddress(const void *p); --PyAPI_FUNC(void) _PyObject_DebugMallocStats(void); - PyAPI_FUNC(void *) _PyObject_DebugMallocApi(char api, size_t nbytes); - PyAPI_FUNC(void *) _PyObject_DebugReallocApi(char api, void *p, size_t nbytes); - PyAPI_FUNC(void) _PyObject_DebugFreeApi(char api, void *p); -diff -up Python-2.7.2/Include/stringobject.h.add-debug-malloc-stats Python-2.7.2/Include/stringobject.h ---- Python-2.7.2/Include/stringobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ Python-2.7.2/Include/stringobject.h 2011-09-16 19:03:25.109821625 -0400 -@@ -204,6 +204,8 @@ PyAPI_FUNC(PyObject *) _PyBytes_FormatAd - char *format_spec, - Py_ssize_t format_spec_len); - -+PyAPI_FUNC(void) _PyString_DebugMallocStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Include/unicodeobject.h.add-debug-malloc-stats Python-2.7.2/Include/unicodeobject.h ---- Python-2.7.2/Include/unicodeobject.h.add-debug-malloc-stats 2011-06-11 11:46:23.000000000 -0400 -+++ 
Python-2.7.2/Include/unicodeobject.h 2011-09-16 19:03:25.109821625 -0400 -@@ -1406,6 +1406,8 @@ PyAPI_FUNC(int) _PyUnicode_IsAlpha( - Py_UNICODE ch /* Unicode character */ - ); - -+PyAPI_FUNC(void) _PyUnicode_DebugMallocStats(FILE *out); -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Lib/test/test_sys.py.add-debug-malloc-stats Python-2.7.2/Lib/test/test_sys.py ---- Python-2.7.2/Lib/test/test_sys.py.add-debug-malloc-stats 2011-09-16 19:03:25.048821626 -0400 -+++ Python-2.7.2/Lib/test/test_sys.py 2011-09-16 19:03:25.110821625 -0400 -@@ -473,6 +473,32 @@ class SysModuleTest(unittest.TestCase): - p.wait() - self.assertIn(executable, ["''", repr(sys.executable)]) - -+ def test_debugmallocstats(self): -+ # Test sys._debugmallocstats() -+ -+ import subprocess -+ -+ # Verify the default of writing to stderr: -+ p = subprocess.Popen([sys.executable, -+ '-c', 'import sys; sys._debugmallocstats()'], -+ stderr=subprocess.PIPE) -+ out, err = p.communicate() -+ p.wait() -+ self.assertIn("arenas allocated current", err) -+ -+ # Verify that we can redirect the output to a file (not a file-like -+ # object, though): -+ with open('mallocstats.txt', 'w') as out: -+ sys._debugmallocstats(out) -+ result = open('mallocstats.txt').read() -+ self.assertIn("arenas allocated current", result) -+ os.unlink('mallocstats.txt') -+ -+ # Verify that the destination must be a file: -+ with self.assertRaises(TypeError): -+ sys._debugmallocstats(42) -+ -+ - @test.test_support.cpython_only - class SizeofTest(unittest.TestCase): - -diff -up Python-2.7.2/Objects/classobject.c.add-debug-malloc-stats Python-2.7.2/Objects/classobject.c ---- Python-2.7.2/Objects/classobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/classobject.c 2011-09-16 19:03:25.110821625 -0400 -@@ -2670,3 +2670,12 @@ PyMethod_Fini(void) - { - (void)PyMethod_ClearFreeList(); - } -+ -+/* Print summary info about the state of the optimized allocator */ -+void 
-+_PyMethod_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PyMethodObject", -+ numfree, sizeof(PyMethodObject)); -+} -diff -up Python-2.7.2/Objects/dictobject.c.add-debug-malloc-stats Python-2.7.2/Objects/dictobject.c ---- Python-2.7.2/Objects/dictobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/dictobject.c 2011-09-16 19:03:25.111821625 -0400 -@@ -225,6 +225,15 @@ show_track(void) - static PyDictObject *free_list[PyDict_MAXFREELIST]; - static int numfree = 0; - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyDict_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PyDictObject", numfree, sizeof(PyDictObject)); -+} -+ -+ - void - PyDict_Fini(void) - { -diff -up Python-2.7.2/Objects/floatobject.c.add-debug-malloc-stats Python-2.7.2/Objects/floatobject.c ---- Python-2.7.2/Objects/floatobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/floatobject.c 2011-09-16 19:03:25.111821625 -0400 -@@ -35,6 +35,22 @@ typedef struct _floatblock PyFloatBlock; - static PyFloatBlock *block_list = NULL; - static PyFloatObject *free_list = NULL; - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyFloat_DebugMallocStats(FILE *out) -+{ -+ int num_blocks = 0; -+ PyFloatBlock *block; -+ -+ /* Walk the block list, counting */ -+ for (block = block_list; block ; block = block->next) { -+ num_blocks++; -+ } -+ -+ _PyDebugAllocatorStats(out, -+ "PyFloatBlock", num_blocks, sizeof(PyFloatBlock)); -+} -+ - static PyFloatObject * - fill_free_list(void) - { -diff -up Python-2.7.2/Objects/frameobject.c.add-debug-malloc-stats Python-2.7.2/Objects/frameobject.c ---- Python-2.7.2/Objects/frameobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/frameobject.c 2011-09-16 19:03:25.112821625 -0400 -@@ -980,3 +980,13 @@ PyFrame_Fini(void) - Py_XDECREF(builtin_object); - 
builtin_object = NULL; - } -+ -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyFrame_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PyFrameObject", -+ numfree, sizeof(PyFrameObject)); -+} -+ -diff -up Python-2.7.2/Objects/intobject.c.add-debug-malloc-stats Python-2.7.2/Objects/intobject.c ---- Python-2.7.2/Objects/intobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/intobject.c 2011-09-16 19:03:25.112821625 -0400 -@@ -44,6 +44,23 @@ typedef struct _intblock PyIntBlock; - static PyIntBlock *block_list = NULL; - static PyIntObject *free_list = NULL; - -+ -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyInt_DebugMallocStats(FILE *out) -+{ -+ int num_blocks = 0; -+ PyIntBlock *block; -+ -+ /* Walk the block list, counting */ -+ for (block = block_list; block ; block = block->next) { -+ num_blocks++; -+ } -+ -+ _PyDebugAllocatorStats(out, -+ "PyIntBlock", num_blocks, sizeof(PyIntBlock)); -+} -+ - static PyIntObject * - fill_free_list(void) - { -diff -up Python-2.7.2/Objects/listobject.c.add-debug-malloc-stats Python-2.7.2/Objects/listobject.c ---- Python-2.7.2/Objects/listobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/listobject.c 2011-09-16 19:03:25.113821625 -0400 -@@ -109,6 +109,15 @@ PyList_Fini(void) - } - } - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyList_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PyListObject", -+ numfree, sizeof(PyListObject)); -+} -+ - PyObject * - PyList_New(Py_ssize_t size) - { -diff -up Python-2.7.2/Objects/methodobject.c.add-debug-malloc-stats Python-2.7.2/Objects/methodobject.c ---- Python-2.7.2/Objects/methodobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/methodobject.c 2011-09-16 19:03:25.113821625 -0400 -@@ -412,6 +412,15 @@ 
PyCFunction_Fini(void) - (void)PyCFunction_ClearFreeList(); - } - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyCFunction_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PyCFunction", -+ numfree, sizeof(PyCFunction)); -+} -+ - /* PyCFunction_New() is now just a macro that calls PyCFunction_NewEx(), - but it's part of the API so we need to keep a function around that - existing C extensions can call. -diff -up Python-2.7.2/Objects/object.c.add-debug-malloc-stats Python-2.7.2/Objects/object.c ---- Python-2.7.2/Objects/object.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/object.c 2011-09-16 19:04:46.463820849 -0400 -@@ -2334,6 +2334,23 @@ PyMem_Free(void *p) - PyMem_FREE(p); - } - -+void -+_PyObject_DebugTypeStats(FILE *out) -+{ -+ _PyString_DebugMallocStats(out); -+ _PyCFunction_DebugMallocStats(out); -+ _PyDict_DebugMallocStats(out); -+ _PyFloat_DebugMallocStats(out); -+ _PyFrame_DebugMallocStats(out); -+ _PyInt_DebugMallocStats(out); -+ _PyList_DebugMallocStats(out); -+ _PyMethod_DebugMallocStats(out); -+ _PySet_DebugMallocStats(out); -+ _PyTuple_DebugMallocStats(out); -+#if Py_USING_UNICODE -+ _PyUnicode_DebugMallocStats(out); -+#endif -+} - - /* These methods are used to control infinite recursion in repr, str, print, - etc. Container objects that may recursively contain themselves, -diff -up Python-2.7.2/Objects/obmalloc.c.add-debug-malloc-stats Python-2.7.2/Objects/obmalloc.c ---- Python-2.7.2/Objects/obmalloc.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/obmalloc.c 2011-09-16 19:03:25.114821625 -0400 -@@ -508,12 +508,10 @@ static struct arena_object* usable_arena - /* Number of arenas allocated that haven't been free()'d. */ - static size_t narenas_currently_allocated = 0; - --#ifdef PYMALLOC_DEBUG - /* Total number of times malloc() called to allocate an arena. 
*/ - static size_t ntimes_arena_allocated = 0; - /* High water mark (max value ever seen) for narenas_currently_allocated. */ - static size_t narenas_highwater = 0; --#endif - - /* Allocate a new arena. If we run out of memory, return NULL. Else - * allocate a new arena, and return the address of an arena_object -@@ -528,7 +526,7 @@ new_arena(void) - - #ifdef PYMALLOC_DEBUG - if (Py_GETENV("PYTHONMALLOCSTATS")) -- _PyObject_DebugMallocStats(); -+ _PyObject_DebugMallocStats(stderr); - #endif - if (unused_arena_objects == NULL) { - uint i; -@@ -588,11 +586,9 @@ new_arena(void) - arenaobj->address = (uptr)address; - - ++narenas_currently_allocated; --#ifdef PYMALLOC_DEBUG - ++ntimes_arena_allocated; - if (narenas_currently_allocated > narenas_highwater) - narenas_highwater = narenas_currently_allocated; --#endif - arenaobj->freepools = NULL; - /* pool_address <- first pool-aligned address in the arena - nfreepools <- number of whole pools that fit after alignment */ -@@ -1694,17 +1690,19 @@ _PyObject_DebugDumpAddress(const void *p - } - } - -+#endif /* PYMALLOC_DEBUG */ -+ - static size_t --printone(const char* msg, size_t value) -+printone(FILE *out, const char* msg, size_t value) - { - int i, k; - char buf[100]; - size_t origvalue = value; - -- fputs(msg, stderr); -+ fputs(msg, out); - for (i = (int)strlen(msg); i < 35; ++i) -- fputc(' ', stderr); -- fputc('=', stderr); -+ fputc(' ', out); -+ fputc('=', out); - - /* Write the value with commas. */ - i = 22; -@@ -1725,17 +1723,32 @@ printone(const char* msg, size_t value) - - while (i >= 0) - buf[i--] = ' '; -- fputs(buf, stderr); -+ fputs(buf, out); - - return origvalue; - } - --/* Print summary info to stderr about the state of pymalloc's structures. 
-+void -+_PyDebugAllocatorStats(FILE *out, -+ const char *block_name, int num_blocks, size_t sizeof_block) -+{ -+ char buf1[128]; -+ char buf2[128]; -+ PyOS_snprintf(buf1, sizeof(buf1), -+ "%d %ss * %zd bytes each", -+ num_blocks, block_name, sizeof_block); -+ PyOS_snprintf(buf2, sizeof(buf2), -+ "%48s ", buf1); -+ (void)printone(out, buf2, num_blocks * sizeof_block); -+} -+ -+ -+/* Print summary info to "out" about the state of pymalloc's structures. - * In Py_DEBUG mode, also perform some expensive internal consistency - * checks. - */ - void --_PyObject_DebugMallocStats(void) -+_PyObject_DebugMallocStats(FILE *out) - { - uint i; - const uint numclasses = SMALL_REQUEST_THRESHOLD >> ALIGNMENT_SHIFT; -@@ -1764,7 +1777,7 @@ _PyObject_DebugMallocStats(void) - size_t total; - char buf[128]; - -- fprintf(stderr, "Small block threshold = %d, in %u size classes.\n", -+ fprintf(out, "Small block threshold = %d, in %u size classes.\n", - SMALL_REQUEST_THRESHOLD, numclasses); - - for (i = 0; i < numclasses; ++i) -@@ -1818,10 +1831,10 @@ _PyObject_DebugMallocStats(void) - } - assert(narenas == narenas_currently_allocated); - -- fputc('\n', stderr); -+ fputc('\n', out); - fputs("class size num pools blocks in use avail blocks\n" - "----- ---- --------- ------------- ------------\n", -- stderr); -+ out); - - for (i = 0; i < numclasses; ++i) { - size_t p = numpools[i]; -@@ -1832,7 +1845,7 @@ _PyObject_DebugMallocStats(void) - assert(b == 0 && f == 0); - continue; - } -- fprintf(stderr, "%5u %6u " -+ fprintf(out, "%5u %6u " - "%11" PY_FORMAT_SIZE_T "u " - "%15" PY_FORMAT_SIZE_T "u " - "%13" PY_FORMAT_SIZE_T "u\n", -@@ -1842,36 +1855,35 @@ _PyObject_DebugMallocStats(void) - pool_header_bytes += p * POOL_OVERHEAD; - quantization += p * ((POOL_SIZE - POOL_OVERHEAD) % size); - } -- fputc('\n', stderr); -- (void)printone("# times object malloc called", serialno); -- -- (void)printone("# arenas allocated total", ntimes_arena_allocated); -- (void)printone("# arenas reclaimed", 
ntimes_arena_allocated - narenas); -- (void)printone("# arenas highwater mark", narenas_highwater); -- (void)printone("# arenas allocated current", narenas); -+ fputc('\n', out); -+#ifdef PYMALLOC_DEBUG -+ (void)printone(out, "# times object malloc called", serialno); -+#endif -+ (void)printone(out, "# arenas allocated total", ntimes_arena_allocated); -+ (void)printone(out, "# arenas reclaimed", ntimes_arena_allocated - narenas); -+ (void)printone(out, "# arenas highwater mark", narenas_highwater); -+ (void)printone(out, "# arenas allocated current", narenas); - - PyOS_snprintf(buf, sizeof(buf), - "%" PY_FORMAT_SIZE_T "u arenas * %d bytes/arena", - narenas, ARENA_SIZE); -- (void)printone(buf, narenas * ARENA_SIZE); -+ (void)printone(out, buf, narenas * ARENA_SIZE); - -- fputc('\n', stderr); -+ fputc('\n', out); - -- total = printone("# bytes in allocated blocks", allocated_bytes); -- total += printone("# bytes in available blocks", available_bytes); -+ total = printone(out, "# bytes in allocated blocks", allocated_bytes); -+ total += printone(out, "# bytes in available blocks", available_bytes); - - PyOS_snprintf(buf, sizeof(buf), - "%u unused pools * %d bytes", numfreepools, POOL_SIZE); -- total += printone(buf, (size_t)numfreepools * POOL_SIZE); -+ total += printone(out, buf, (size_t)numfreepools * POOL_SIZE); - -- total += printone("# bytes lost to pool headers", pool_header_bytes); -- total += printone("# bytes lost to quantization", quantization); -- total += printone("# bytes lost to arena alignment", arena_alignment); -- (void)printone("Total", total); -+ total += printone(out, "# bytes lost to pool headers", pool_header_bytes); -+ total += printone(out, "# bytes lost to quantization", quantization); -+ total += printone(out, "# bytes lost to arena alignment", arena_alignment); -+ (void)printone(out, "Total", total); - } - --#endif /* PYMALLOC_DEBUG */ -- - #ifdef Py_USING_MEMORY_DEBUGGER - /* Make this function last so gcc won't inline it since the 
definition is - * after the reference. -diff -up Python-2.7.2/Objects/setobject.c.add-debug-malloc-stats Python-2.7.2/Objects/setobject.c ---- Python-2.7.2/Objects/setobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/setobject.c 2011-09-16 19:03:25.115821625 -0400 -@@ -1088,6 +1088,16 @@ PySet_Fini(void) - Py_CLEAR(emptyfrozenset); - } - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PySet_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, -+ "free PySetObject", -+ numfree, sizeof(PySetObject)); -+} -+ -+ - static PyObject * - set_new(PyTypeObject *type, PyObject *args, PyObject *kwds) - { -diff -up Python-2.7.2/Objects/stringobject.c.add-debug-malloc-stats Python-2.7.2/Objects/stringobject.c ---- Python-2.7.2/Objects/stringobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/stringobject.c 2011-09-16 19:03:25.116821625 -0400 -@@ -4822,3 +4822,43 @@ void _Py_ReleaseInternedStrings(void) - PyDict_Clear(interned); - Py_CLEAR(interned); - } -+ -+void _PyString_DebugMallocStats(FILE *out) -+{ -+ ssize_t i; -+ int num_immortal = 0, num_mortal = 0; -+ ssize_t immortal_size = 0, mortal_size = 0; -+ -+ if (interned == NULL || !PyDict_Check(interned)) -+ return; -+ -+ for (i = 0; i <= ((PyDictObject*)interned)->ma_mask; i++) { -+ PyDictEntry *ep = ((PyDictObject*)interned)->ma_table + i; -+ PyObject *pvalue = ep->me_value; -+ if (pvalue != NULL) { -+ PyStringObject *s = (PyStringObject *)ep->me_key; -+ -+ switch (s->ob_sstate) { -+ case SSTATE_NOT_INTERNED: -+ /* XXX Shouldn't happen */ -+ break; -+ case SSTATE_INTERNED_IMMORTAL: -+ num_immortal ++; -+ immortal_size += s->ob_size; -+ break; -+ case SSTATE_INTERNED_MORTAL: -+ num_mortal ++; -+ mortal_size += s->ob_size; -+ break; -+ default: -+ Py_FatalError("Inconsistent interned string state."); -+ } -+ } -+ } -+ -+ fprintf(out, "%d mortal interned strings\n", num_mortal); -+ fprintf(out, "%d 
immortal interned strings\n", num_immortal); -+ fprintf(out, "total size of all interned strings: " -+ "%zi/%zi " -+ "mortal/immortal\n", mortal_size, immortal_size); -+} -diff -up Python-2.7.2/Objects/tupleobject.c.add-debug-malloc-stats Python-2.7.2/Objects/tupleobject.c ---- Python-2.7.2/Objects/tupleobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/tupleobject.c 2011-09-16 19:03:25.116821625 -0400 -@@ -44,6 +44,22 @@ show_track(void) - } - #endif - -+/* Print summary info about the state of the optimized allocator */ -+void -+_PyTuple_DebugMallocStats(FILE *out) -+{ -+#if PyTuple_MAXSAVESIZE > 0 -+ int i; -+ char buf[128]; -+ for (i = 1; i < PyTuple_MAXSAVESIZE; i++) { -+ PyOS_snprintf(buf, sizeof(buf), -+ "free %d-sized PyTupleObject", i); -+ _PyDebugAllocatorStats(out, -+ buf, -+ numfree[i], _PyObject_VAR_SIZE(&PyTuple_Type, i)); -+ } -+#endif -+} - - PyObject * - PyTuple_New(register Py_ssize_t size) -diff -up Python-2.7.2/Objects/unicodeobject.c.add-debug-malloc-stats Python-2.7.2/Objects/unicodeobject.c ---- Python-2.7.2/Objects/unicodeobject.c.add-debug-malloc-stats 2011-06-11 11:46:27.000000000 -0400 -+++ Python-2.7.2/Objects/unicodeobject.c 2011-09-16 19:03:25.118821625 -0400 -@@ -8883,6 +8883,12 @@ _PyUnicode_Fini(void) - (void)PyUnicode_ClearFreeList(); - } - -+void _PyUnicode_DebugMallocStats(FILE *out) -+{ -+ _PyDebugAllocatorStats(out, "free PyUnicodeObject", numfree, -+ sizeof(PyUnicodeObject)); -+} -+ - #ifdef __cplusplus - } - #endif -diff -up Python-2.7.2/Python/pythonrun.c.add-debug-malloc-stats Python-2.7.2/Python/pythonrun.c ---- Python-2.7.2/Python/pythonrun.c.add-debug-malloc-stats 2011-09-16 19:03:25.025821626 -0400 -+++ Python-2.7.2/Python/pythonrun.c 2011-09-16 19:03:25.118821625 -0400 -@@ -549,7 +549,7 @@ Py_Finalize(void) - #endif /* Py_TRACE_REFS */ - #ifdef PYMALLOC_DEBUG - if (Py_GETENV("PYTHONMALLOCSTATS")) -- _PyObject_DebugMallocStats(); -+ _PyObject_DebugMallocStats(stderr); - #endif 
- - call_ll_exitfuncs(); -diff -up Python-2.7.2/Python/sysmodule.c.add-debug-malloc-stats Python-2.7.2/Python/sysmodule.c ---- Python-2.7.2/Python/sysmodule.c.add-debug-malloc-stats 2011-09-16 19:03:25.007821626 -0400 -+++ Python-2.7.2/Python/sysmodule.c 2011-09-16 19:03:25.119821625 -0400 -@@ -872,6 +872,57 @@ a 11-tuple where the entries in the tupl - extern "C" { - #endif - -+static PyObject * -+sys_debugmallocstats(PyObject *self, PyObject *args) -+{ -+ PyObject *file = NULL; -+ FILE *fp; -+ -+ if (!PyArg_ParseTuple(args, "|O!", -+ &PyFile_Type, &file)) { -+ return NULL; -+ } -+ if (!file) { -+ /* Default to sys.stderr: */ -+ file = PySys_GetObject("stderr"); -+ if (!file) { -+ PyErr_SetString(PyExc_ValueError, "sys.stderr not set"); -+ return NULL; -+ } -+ if (!PyFile_Check(file)) { -+ PyErr_SetString(PyExc_TypeError, "sys.stderr is not a file"); -+ return NULL; -+ } -+ } -+ -+ Py_INCREF(file); -+ /* OK, we now own a ref on non-NULL "file" */ -+ -+ fp = PyFile_AsFile(file); -+ if (!fp) { -+ PyErr_SetString(PyExc_ValueError, "file is closed"); -+ Py_DECREF(file); -+ return NULL; -+ } -+ -+ _PyObject_DebugMallocStats(fp); -+ fputc('\n', fp); -+ _PyObject_DebugTypeStats(fp); -+ -+ Py_DECREF(file); -+ -+ Py_RETURN_NONE; -+} -+PyDoc_STRVAR(debugmallocstats_doc, -+"_debugmallocstats([file])\n\ -+\n\ -+Print summary info to the given file (or sys.stderr) about the state of\n\ -+pymalloc's structures.\n\ -+\n\ -+In Py_DEBUG mode, also perform some expensive internal consistency\n\ -+checks.\n\ -+"); -+ - #ifdef Py_TRACE_REFS - /* Defined in objects.c because it uses static globals if that file */ - extern PyObject *_Py_GetObjects(PyObject *, PyObject *); -@@ -970,6 +1021,8 @@ static PyMethodDef sys_methods[] = { - {"settrace", sys_settrace, METH_O, settrace_doc}, - {"gettrace", sys_gettrace, METH_NOARGS, gettrace_doc}, - {"call_tracing", sys_call_tracing, METH_VARARGS, call_tracing_doc}, -+ {"_debugmallocstats", sys_debugmallocstats, METH_VARARGS, -+ 
debugmallocstats_doc}, - {NULL, NULL} /* sentinel */ - }; - diff --git a/python/patches/00155-avoid-ctypes-thunks.patch b/python/patches/00155-avoid-ctypes-thunks.patch deleted file mode 100644 index 92dd66855..000000000 --- a/python/patches/00155-avoid-ctypes-thunks.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up Python-2.7.3/Lib/ctypes/__init__.py.rhbz814391 Python-2.7.3/Lib/ctypes/__init__.py ---- Python-2.7.3/Lib/ctypes/__init__.py.rhbz814391 2012-04-20 14:51:19.390990244 -0400 -+++ Python-2.7.3/Lib/ctypes/__init__.py 2012-04-20 14:51:45.141668316 -0400 -@@ -272,11 +272,6 @@ def _reset_cache(): - # _SimpleCData.c_char_p_from_param - POINTER(c_char).from_param = c_char_p.from_param - _pointer_type_cache[None] = c_void_p -- # XXX for whatever reasons, creating the first instance of a callback -- # function is needed for the unittests on Win64 to succeed. This MAY -- # be a compiler bug, since the problem occurs only when _ctypes is -- # compiled with the MS SDK compiler. Or an uninitialized variable? -- CFUNCTYPE(c_int)(lambda: None) - - try: - from _ctypes import set_conversion_mode diff --git a/python/patches/00156-gdb-autoload-safepath.patch b/python/patches/00156-gdb-autoload-safepath.patch deleted file mode 100644 index a16fe8db9..000000000 --- a/python/patches/00156-gdb-autoload-safepath.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -diff -up Python-2.7.3/Lib/test/test_gdb.py.gdb-autoload-safepath Python-2.7.3/Lib/test/test_gdb.py ---- Python-2.7.3/Lib/test/test_gdb.py.gdb-autoload-safepath 2012-04-30 15:53:57.254045220 -0400 -+++ Python-2.7.3/Lib/test/test_gdb.py 2012-04-30 16:19:19.569941124 -0400 -@@ -54,6 +54,19 @@ def gdb_has_frame_select(): - - HAS_PYUP_PYDOWN = gdb_has_frame_select() - -+def gdb_has_autoload_safepath(): -+ # Recent GDBs will only auto-load scripts from certain safe -+ # locations, so we will need to turn off this protection. -+ # However, if the GDB doesn't have it, then the following -+ # command will generate noise on stderr (rhbz#817072): -+ cmd = "--eval-command=set auto-load safe-path /" -+ p = subprocess.Popen(["gdb", "--batch", cmd], -+ stderr=subprocess.PIPE) -+ _, stderr = p.communicate() -+ return '"on" or "off" expected.' not in stderr -+ -+HAS_AUTOLOAD_SAFEPATH = gdb_has_autoload_safepath() -+ - class DebuggerTests(unittest.TestCase): - - """Test that the debugger can debug Python.""" -diff -up Python-2.7.10/Lib/test/test_gdb.py.ms Python-2.7.10/Lib/test/test_gdb.py ---- Python-2.7.10/Lib/test/test_gdb.py.ms 2015-05-25 17:00:25.028462615 +0200 -+++ Python-2.7.10/Lib/test/test_gdb.py 2015-05-25 17:01:53.166359822 +0200 -@@ -153,6 +153,17 @@ class DebuggerTests(unittest.TestCase): - - 'run'] - -+ if HAS_AUTOLOAD_SAFEPATH: -+ # Recent GDBs will only auto-load scripts from certain safe -+ # locations. 
-+ # Where necessary, turn off this protection to ensure that -+ # our -gdb.py script can be loaded - but not on earlier gdb builds -+ # as this would generate noise on stderr (rhbz#817072): -+ init_commands = ['set auto-load safe-path /'] -+ else: -+ init_commands = [] -+ -+ - # GDB as of 7.4 onwards can distinguish between the - # value of a variable at entry vs current value: - # http://sourceware.org/gdb/onlinedocs/gdb/Variables.html -@@ -167,10 +178,11 @@ class DebuggerTests(unittest.TestCase): - else: - commands += ['backtrace'] - -- # print commands -+ # print init_commands - - # Use "commands" to generate the arguments with which to invoke "gdb": - args = ["gdb", "--batch", "-nx"] -+ args += ['--init-eval-command=%s' % cmd for cmd in init_commands] - args += ['--eval-command=%s' % cmd for cmd in commands] - args += ["--args", - sys.executable] diff --git a/python/patches/00157-uid-gid-overflows.patch b/python/patches/00157-uid-gid-overflows.patch deleted file mode 100644 index a31c98af6..000000000 --- a/python/patches/00157-uid-gid-overflows.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -diff -up Python-2.7.3/Lib/test/test_os.py.uid-gid-overflows Python-2.7.3/Lib/test/test_os.py ---- Python-2.7.3/Lib/test/test_os.py.uid-gid-overflows 2012-04-09 19:07:32.000000000 -0400 -+++ Python-2.7.3/Lib/test/test_os.py 2012-06-26 14:51:36.000817929 -0400 -@@ -677,30 +677,36 @@ if sys.platform != 'win32': - def test_setuid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.setuid, 0) -+ self.assertRaises(TypeError, os.setuid, 'not an int') - self.assertRaises(OverflowError, os.setuid, 1<<32) - - @unittest.skipUnless(hasattr(os, 'setgid'), 'test needs os.setgid()') - def test_setgid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.setgid, 0) -+ self.assertRaises(TypeError, os.setgid, 'not an int') - self.assertRaises(OverflowError, os.setgid, 1<<32) - - @unittest.skipUnless(hasattr(os, 'seteuid'), 'test needs os.seteuid()') - def test_seteuid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.seteuid, 0) -+ self.assertRaises(TypeError, os.seteuid, 'not an int') - self.assertRaises(OverflowError, os.seteuid, 1<<32) - - @unittest.skipUnless(hasattr(os, 'setegid'), 'test needs os.setegid()') - def test_setegid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.setegid, 0) -+ self.assertRaises(TypeError, os.setegid, 'not an int') - self.assertRaises(OverflowError, os.setegid, 1<<32) - - @unittest.skipUnless(hasattr(os, 'setreuid'), 'test needs os.setreuid()') - def test_setreuid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.setreuid, 0, 0) -+ self.assertRaises(TypeError, os.setreuid, 'not an int', 0) -+ self.assertRaises(TypeError, os.setreuid, 0, 'not an int') - self.assertRaises(OverflowError, os.setreuid, 1<<32, 0) - self.assertRaises(OverflowError, os.setreuid, 0, 1<<32) - -@@ -715,6 +721,8 @@ if sys.platform != 'win32': - def test_setregid(self): - if os.getuid() != 0: - self.assertRaises(os.error, os.setregid, 0, 0) -+ self.assertRaises(TypeError, os.setregid, 'not an int', 0) 
-+ self.assertRaises(TypeError, os.setregid, 0, 'not an int') - self.assertRaises(OverflowError, os.setregid, 1<<32, 0) - self.assertRaises(OverflowError, os.setregid, 0, 1<<32) - diff --git a/python/patches/00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch b/python/patches/00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch deleted file mode 100644 index 9807883cf..000000000 --- a/python/patches/00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -diff --git a/Lib/test/test_gdb.py b/Lib/test/test_gdb.py -index 3354b34..10ba0e5 100644 ---- a/Lib/test/test_gdb.py -+++ b/Lib/test/test_gdb.py -@@ -725,11 +725,10 @@ class PyListTests(DebuggerTests): - ' 2 \n' - ' 3 def foo(a, b, c):\n', - bt) -- -+@unittest.skipUnless(HAS_PYUP_PYDOWN, "test requires py-up/py-down commands") -+@unittest.skipIf(python_is_optimized(), -+ "Python was compiled with optimizations") - class StackNavigationTests(DebuggerTests): -- @unittest.skipUnless(HAS_PYUP_PYDOWN, "test requires py-up/py-down commands") -- @unittest.skipIf(python_is_optimized(), -- "Python was compiled with optimizations") - def test_pyup_command(self): - 'Verify that the "py-up" command works' - bt = self.get_stack_trace(script=self.get_sample_script(), -@@ -740,7 +739,6 @@ class StackNavigationTests(DebuggerTests): - baz(a, b, c) - $''') - -- @unittest.skipUnless(HAS_PYUP_PYDOWN, "test requires py-up/py-down commands") - def test_down_at_bottom(self): - 'Verify handling of "py-down" at the bottom of the stack' - bt = self.get_stack_trace(script=self.get_sample_script(), -@@ -748,9 +746,6 @@ $''') - self.assertEndsWith(bt, - 'Unable to find a newer python frame\n') - -- @unittest.skipUnless(HAS_PYUP_PYDOWN, "test requires py-up/py-down commands") -- @unittest.skipIf(python_is_optimized(), -- "Python was compiled with optimizations") - def test_up_at_top(self): - 'Verify handling of "py-up" at the top of the stack' - bt = self.get_stack_trace(script=self.get_sample_script(), -@@ -758,9 +753,6 @@ $''') - self.assertEndsWith(bt, - 'Unable to find an older python frame\n') - -- @unittest.skipUnless(HAS_PYUP_PYDOWN, "test requires py-up/py-down commands") -- @unittest.skipIf(python_is_optimized(), -- "Python was compiled with optimizations") - def test_up_then_down(self): - 'Verify "py-up" followed by "py-down"' - bt = self.get_stack_trace(script=self.get_sample_script(), 
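Review bot: in 00156-gdb-autoload-safepath.patch, `init_commands = ['set auto-load safe-path /']` in the DebuggerTests hunk marks the entire filesystem as safe for GDB script auto-loading, which is far wider than the comment's stated goal of letting the -gdb.py script load. Point safe-path at the directory that holds that script instead. The probe in gdb_has_autoload_safepath() also decides support by searching stderr for the literal text '"on" or "off" expected.', so a change in GDB's wording would silently flip the result; a check that does not depend on message wording would be sturdier.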
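Review bot: in 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch, hoisting both decorators onto `class StackNavigationTests` changes behaviour for test_down_at_bottom. Before, that method carried only `skipUnless(HAS_PYUP_PYDOWN, ...)`; now it is also skipped whenever python_is_optimized() is true. If that is intended, say so in the patch description; otherwise keep the skipIf on the three methods that had it.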
diff --git a/python/patches/00168-distutils-cflags.patch b/python/patches/00168-distutils-cflags.patch deleted file mode 100644 index 0c4a8df34..000000000 --- a/python/patches/00168-distutils-cflags.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Python-2.6.6/Lib/distutils/sysconfig.py.distutils-cflags Python-2.6.6/Lib/distutils/sysconfig.py ---- Python-2.6.6/Lib/distutils/sysconfig.py.distutils-cflags 2011-08-12 17:18:17.833091153 -0400 -+++ Python-2.6.6/Lib/distutils/sysconfig.py 2011-08-12 17:18:27.449106938 -0400 -@@ -187,7 +187,7 @@ def customize_compiler(compiler): - if 'LDFLAGS' in os.environ: - ldshared = ldshared + ' ' + os.environ['LDFLAGS'] - if 'CFLAGS' in os.environ: -- cflags = opt + ' ' + os.environ['CFLAGS'] -+ cflags = cflags + ' ' + os.environ['CFLAGS'] - ldshared = ldshared + ' ' + os.environ['CFLAGS'] - if 'CPPFLAGS' in os.environ: - cpp = cpp + ' ' + os.environ['CPPFLAGS'] diff --git a/python/patches/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch b/python/patches/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch deleted file mode 100644 index debf92f1f..000000000 --- a/python/patches/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py ---- a/Lib/multiprocessing/connection.py -+++ b/Lib/multiprocessing/connection.py -@@ -41,6 +41,10 @@ - # A very generous timeout when it comes to local connections... - CONNECTION_TIMEOUT = 20. - -+# The hmac module implicitly defaults to using MD5. -+# Support using a stronger algorithm for the challenge/response code: -+HMAC_DIGEST_NAME='sha256' -+ - _mmap_counter = itertools.count() - - default_family = 'AF_INET' -@@ -700,12 +704,16 @@ - WELCOME = b'#WELCOME#' - FAILURE = b'#FAILURE#' - -+def get_digestmod_for_hmac(): -+ import hashlib -+ return getattr(hashlib, HMAC_DIGEST_NAME) -+ - def deliver_challenge(connection, authkey): - import hmac - assert isinstance(authkey, bytes) - message = os.urandom(MESSAGE_LENGTH) - connection.send_bytes(CHALLENGE + message) -- digest = hmac.new(authkey, message).digest() -+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest() - response = connection.recv_bytes(256) # reject large message - if response == digest: - connection.send_bytes(WELCOME) -@@ -719,7 +727,7 @@ - message = connection.recv_bytes(256) # reject large message - assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message - message = message[len(CHALLENGE):] -- digest = hmac.new(authkey, message).digest() -+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest() - connection.send_bytes(digest) - response = connection.recv_bytes(256) # reject large message - if response != WELCOME: diff --git a/python/patches/00170-gc-assertions.patch b/python/patches/00170-gc-assertions.patch deleted file mode 100644 index 9ade29893..000000000 --- a/python/patches/00170-gc-assertions.patch +++ /dev/null 
@@ -1,279 +0,0 @@ -diff --git a/Lib/test/test_gc.py b/Lib/test/test_gc.py -index 7e47b2d..12a210d 100644 ---- a/Lib/test/test_gc.py -+++ b/Lib/test/test_gc.py -@@ -1,7 +1,8 @@ - import unittest - from test.support import (verbose, run_unittest, start_threads, -- requires_type_collecting) -+ requires_type_collecting, import_module) - import sys -+import sysconfig - import time - import gc - import weakref -@@ -39,6 +40,8 @@ class GC_Detector(object): - self.wr = weakref.ref(C1055820(666), it_happened) - - -+BUILT_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) -+ - ### Tests - ############################################################################### - -@@ -537,6 +540,49 @@ class GCTests(unittest.TestCase): - # would be damaged, with an empty __dict__. - self.assertEqual(x, None) - -+ @unittest.skipIf(BUILT_WITH_NDEBUG, -+ 'built with -NDEBUG') -+ def test_refcount_errors(self): -+ # Verify the "handling" of objects with broken refcounts -+ -+ import_module("ctypes") #skip if not supported -+ -+ import subprocess -+ code = '''if 1: -+ a = [] -+ b = [a] -+ -+ # Simulate the refcount of "a" being too low (compared to the -+ # references held on it by live data), but keeping it above zero -+ # (to avoid deallocating it): -+ import ctypes -+ ctypes.pythonapi.Py_DecRef(ctypes.py_object(a)) -+ -+ # The garbage collector should now have a fatal error when it reaches -+ # the broken object: -+ import gc -+ gc.collect() -+ ''' -+ p = subprocess.Popen([sys.executable, "-c", code], -+ stdout=subprocess.PIPE, -+ stderr=subprocess.PIPE) -+ stdout, stderr = p.communicate() -+ p.stdout.close() -+ p.stderr.close() -+ # Verify that stderr has a useful error message: -+ self.assertRegexpMatches(stderr, -+ b'Modules/gcmodule.c:[0-9]+: visit_decref: Assertion "gc->gc.gc_refs != 0" failed.') -+ self.assertRegexpMatches(stderr, -+ b'refcount was too small') -+ self.assertRegexpMatches(stderr, -+ b'object : []') -+ self.assertRegexpMatches(stderr, -+ b'type : 
list') -+ self.assertRegexpMatches(stderr, -+ b'refcount: 1') -+ self.assertRegexpMatches(stderr, -+ b'address : 0x[0-9a-f]+') -+ - class GCTogglingTests(unittest.TestCase): - def setUp(self): - gc.enable() -diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c -index 916e481..0233ce2 100644 ---- a/Modules/gcmodule.c -+++ b/Modules/gcmodule.c -@@ -21,6 +21,73 @@ - #include "Python.h" - #include "frameobject.h" /* for PyFrame_ClearFreeList */ - -+/* -+ Define a pair of assertion macros. -+ -+ These work like the regular C assert(), in that they will abort the -+ process with a message on stderr if the given condition fails to hold, -+ but compile away to nothing if NDEBUG is defined. -+ -+ However, before aborting, Python will also try to call _PyObject_Dump() on -+ the given object. This may be of use when investigating bugs in which a -+ particular object is corrupt (e.g. buggy a tp_visit method in an extension -+ module breaking the garbage collector), to help locate the broken objects. -+ -+ The WITH_MSG variant allows you to supply an additional message that Python -+ will attempt to print to stderr, after the object dump. -+*/ -+#ifdef NDEBUG -+/* No debugging: compile away the assertions: */ -+#define PyObject_ASSERT_WITH_MSG(obj, expr, msg) ((void)0) -+#else -+/* With debugging: generate checks: */ -+#define PyObject_ASSERT_WITH_MSG(obj, expr, msg) \ -+ ((expr) \ -+ ? 
(void)(0) \ -+ : _PyObject_AssertFailed((obj), \ -+ (msg), \ -+ (__STRING(expr)), \ -+ (__FILE__), \ -+ (__LINE__), \ -+ (__PRETTY_FUNCTION__))) -+#endif -+ -+#define PyObject_ASSERT(obj, expr) \ -+ PyObject_ASSERT_WITH_MSG(obj, expr, NULL) -+ -+static void _PyObject_AssertFailed(PyObject *, const char *, -+ const char *, const char *, int, -+ const char *); -+ -+static void -+_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, -+ const char *file, int line, const char *function) -+{ -+ fprintf(stderr, -+ "%s:%d: %s: Assertion "%s" failed.\n", -+ file, line, function, expr); -+ if (msg) { -+ fprintf(stderr, "%s\n", msg); -+ } -+ -+ fflush(stderr); -+ -+ if (obj) { -+ /* This might succeed or fail, but we're about to abort, so at least -+ try to provide any extra info we can: */ -+ _PyObject_Dump(obj); -+ } -+ else { -+ fprintf(stderr, "NULL object\n"); -+ } -+ -+ fflush(stdout); -+ fflush(stderr); -+ -+ /* Terminate the process: */ -+ abort(); -+} -+ - /* Get an object's GC head */ - #define AS_GC(o) ((PyGC_Head *)(o)-1) - -@@ -328,7 +395,8 @@ update_refs(PyGC_Head *containers) - { - PyGC_Head *gc = containers->gc.gc_next; - for (; gc != containers; gc = gc->gc.gc_next) { -- assert(gc->gc.gc_refs == GC_REACHABLE); -+ PyObject_ASSERT(FROM_GC(gc), -+ gc->gc.gc_refs == GC_REACHABLE); - gc->gc.gc_refs = Py_REFCNT(FROM_GC(gc)); - /* Python's cyclic gc should never see an incoming refcount - * of 0: if something decref'ed to 0, it should have been -@@ -348,7 +416,8 @@ update_refs(PyGC_Head *containers) - * so serious that maybe this should be a release-build - * check instead of an assert? - */ -- assert(gc->gc.gc_refs != 0); -+ PyObject_ASSERT(FROM_GC(gc), -+ gc->gc.gc_refs != 0); - } - } - -@@ -363,7 +432,9 @@ visit_decref(PyObject *op, void *data) - * generation being collected, which can be recognized - * because only they have positive gc_refs. 
- */ -- assert(gc->gc.gc_refs != 0); /* else refcount was too small */ -+ PyObject_ASSERT_WITH_MSG(FROM_GC(gc), -+ gc->gc.gc_refs != 0, -+ "refcount was too small"); - if (gc->gc.gc_refs > 0) - gc->gc.gc_refs--; - } -@@ -423,9 +494,10 @@ visit_reachable(PyObject *op, PyGC_Head *reachable) - * If gc_refs == GC_UNTRACKED, it must be ignored. - */ - else { -- assert(gc_refs > 0 -- || gc_refs == GC_REACHABLE -- || gc_refs == GC_UNTRACKED); -+ PyObject_ASSERT(FROM_GC(gc), -+ gc_refs > 0 -+ || gc_refs == GC_REACHABLE -+ || gc_refs == GC_UNTRACKED); - } - } - return 0; -@@ -467,7 +539,7 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable) - */ - PyObject *op = FROM_GC(gc); - traverseproc traverse = Py_TYPE(op)->tp_traverse; -- assert(gc->gc.gc_refs > 0); -+ PyObject_ASSERT(op, gc->gc.gc_refs > 0); - gc->gc.gc_refs = GC_REACHABLE; - (void) traverse(op, - (visitproc)visit_reachable, -@@ -545,7 +617,8 @@ move_finalizers(PyGC_Head *unreachable, PyGC_Head *finalizers) - for (gc = unreachable->gc.gc_next; gc != unreachable; gc = next) { - PyObject *op = FROM_GC(gc); - -- assert(IS_TENTATIVELY_UNREACHABLE(op)); -+ PyObject_ASSERT(op, IS_TENTATIVELY_UNREACHABLE(op)); -+ - next = gc->gc.gc_next; - - if (has_finalizer(op)) { -@@ -621,7 +694,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - PyWeakReference **wrlist; - - op = FROM_GC(gc); -- assert(IS_TENTATIVELY_UNREACHABLE(op)); -+ PyObject_ASSERT(op, IS_TENTATIVELY_UNREACHABLE(op)); - next = gc->gc.gc_next; - - if (! PyType_SUPPORTS_WEAKREFS(Py_TYPE(op))) -@@ -642,9 +715,9 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - * the callback pointer intact. Obscure: it also - * changes *wrlist. 
- */ -- assert(wr->wr_object == op); -+ PyObject_ASSERT(wr->wr_object, wr->wr_object == op); - _PyWeakref_ClearRef(wr); -- assert(wr->wr_object == Py_None); -+ PyObject_ASSERT(wr->wr_object, wr->wr_object == Py_None); - if (wr->wr_callback == NULL) - continue; /* no callback */ - -@@ -678,7 +751,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - */ - if (IS_TENTATIVELY_UNREACHABLE(wr)) - continue; -- assert(IS_REACHABLE(wr)); -+ PyObject_ASSERT(op, IS_REACHABLE(wr)); - - /* Create a new reference so that wr can't go away - * before we can process it again. -@@ -687,7 +760,8 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - - /* Move wr to wrcb_to_call, for the next pass. */ - wrasgc = AS_GC(wr); -- assert(wrasgc != next); /* wrasgc is reachable, but -+ PyObject_ASSERT(op, wrasgc != next); -+ /* wrasgc is reachable, but - next isn't, so they can't - be the same */ - gc_list_move(wrasgc, &wrcb_to_call); -@@ -703,11 +777,11 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - - gc = wrcb_to_call.gc.gc_next; - op = FROM_GC(gc); -- assert(IS_REACHABLE(op)); -- assert(PyWeakref_Check(op)); -+ PyObject_ASSERT(op, IS_REACHABLE(op)); -+ PyObject_ASSERT(op, PyWeakref_Check(op)); - wr = (PyWeakReference *)op; - callback = wr->wr_callback; -- assert(callback != NULL); -+ PyObject_ASSERT(op, callback != NULL); - - /* copy-paste of weakrefobject.c's handle_callback() */ - temp = PyObject_CallFunctionObjArgs(callback, wr, NULL); -@@ -810,7 +884,7 @@ delete_garbage(PyGC_Head *collectable, PyGC_Head *old) - PyGC_Head *gc = collectable->gc.gc_next; - PyObject *op = FROM_GC(gc); - -- assert(IS_TENTATIVELY_UNREACHABLE(op)); -+ PyObject_ASSERT(op, IS_TENTATIVELY_UNREACHABLE(op)); - if (debug & DEBUG_SAVEALL) { - PyList_Append(garbage, op); - } diff --git a/python/patches/00174-fix-for-usr-move.patch b/python/patches/00174-fix-for-usr-move.patch deleted file mode 100644 index b48dc5cfc..000000000 
--- a/python/patches/00174-fix-for-usr-move.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up Python-2.7.3/Modules/getpath.c.fix-for-usr-move Python-2.7.3/Modules/getpath.c ---- Python-2.7.3/Modules/getpath.c.fix-for-usr-move 2013-03-06 14:25:32.801828698 -0500 -+++ Python-2.7.3/Modules/getpath.c 2013-03-06 15:59:30.872443168 -0500 -@@ -510,6 +510,24 @@ calculate_path(void) - MAXPATHLEN bytes long. - */ - -+ /* -+ Workaround for rhbz#817554, where an empty argv0_path erroneously -+ locates "prefix" as "/lib[64]/python2.7" due to it finding -+ "/lib[64]/python2.7/os.py" via the /lib -> /usr/lib symlink for -+ https://fedoraproject.org/wiki/Features/UsrMove -+ */ -+ if (argv0_path[0] == '\0' && 0 == strcmp(prog, "cmpi_swig")) { -+ /* -+ We have an empty argv0_path, presumably because prog aka -+ Py_GetProgramName() was not found on $PATH. -+ -+ Set argv0_path to "/usr/" so that search_for_prefix() and -+ search_for_exec_prefix() don't erroneously pick up -+ on /lib/ via the UsrMove symlink: -+ */ -+ strcpy(argv0_path, "/usr/"); -+ } -+ - if (!(pfound = search_for_prefix(argv0_path, home))) { - if (!Py_FrozenFlag) - fprintf(stderr, diff --git a/python/patches/00180-python-add-support-for-ppc64p7.patch b/python/patches/00180-python-add-support-for-ppc64p7.patch deleted file mode 100644 index ef94c865f..000000000 --- a/python/patches/00180-python-add-support-for-ppc64p7.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/config.sub b/config.sub -index 3478c1f..e422173 100755 ---- a/config.sub -+++ b/config.sub -@@ -1040,7 +1040,7 @@ case $basic_machine in - ;; - ppc64) basic_machine=powerpc64-unknown - ;; -- ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` -+ ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64le | powerpc64little) - basic_machine=powerpc64le-unknown 
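Review bot: in 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch, deliver_challenge() still checks the peer's answer with `if response == digest:`, an ordinary bytes comparison that is not constant-time; use hmac.compare_digest(response, digest) where the target Python provides it. Separately, HMAC_DIGEST_NAME is a module constant and the handshake does not negotiate the algorithm, so both ends of a connection must carry this patch or authentication fails. That deserves a line in the comment above the constant.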
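Review bot: in 00170-gc-assertions.patch, PyObject_ASSERT_WITH_MSG expands to `((void)0)` under NDEBUG, so the check `gc->gc.gc_refs != 0` in update_refs() still disappears in release builds, even though the comment kept just above it asks whether this should be a release-build check. Either make that one check unconditional or drop the open question from the comment. The macro also relies on `__STRING` and `__PRETTY_FUNCTION__`, which are glibc and GCC extensions; note that restriction next to the definition.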
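Review bot: in 00174-fix-for-usr-move.patch, the condition `argv0_path[0] == '\0' && 0 == strcmp(prog, "cmpi_swig")` limits the workaround to a single program name, while the comment above it describes the general case of an empty argv0_path. State in the comment why only cmpi_swig is matched, or drop the strcmp if every caller with an empty argv0_path should get the "/usr/" fallback.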
diff --git a/python/patches/00181-allow-arbitrary-timeout-in-condition-wait.patch b/python/patches/00181-allow-arbitrary-timeout-in-condition-wait.patch deleted file mode 100644 index 757c7dd51..000000000 --- a/python/patches/00181-allow-arbitrary-timeout-in-condition-wait.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -diff --git a/Lib/threading.py b/Lib/threading.py -index cb49c4a..c9795a5 100644 ---- a/Lib/threading.py -+++ b/Lib/threading.py -@@ -305,7 +305,7 @@ class _Condition(_Verbose): - else: - return True - -- def wait(self, timeout=None): -+ def wait(self, timeout=None, balancing=True): - """Wait until notified or until a timeout occurs. - - If the calling thread has not acquired the lock when this method is -@@ -354,7 +354,10 @@ class _Condition(_Verbose): - remaining = endtime - _time() - if remaining <= 0: - break -- delay = min(delay * 2, remaining, .05) -+ if balancing: -+ delay = min(delay * 2, remaining, 0.05) -+ else: -+ delay = remaining - _sleep(delay) - if not gotit: - if __debug__: -@@ -599,7 +602,7 @@ class _Event(_Verbose): - with self.__cond: - self.__flag = False - -- def wait(self, timeout=None): -+ def wait(self, timeout=None, balancing=True): - """Block until the internal flag is true. - - If the internal flag is true on entry, return immediately. Otherwise, -@@ -617,7 +620,7 @@ class _Event(_Verbose): - """ - with self.__cond: - if not self.__flag: -- self.__cond.wait(timeout) -+ self.__cond.wait(timeout, balancing) - return self.__flag - - # Helper to generate new thread names -@@ -908,7 +911,7 @@ class Thread(_Verbose): - if 'dummy_threading' not in _sys.modules: - raise - -- def join(self, timeout=None): -+ def join(self, timeout=None, balancing=True): - """Wait until the thread terminates. - - This blocks the calling thread until the thread whose join() method is -@@ -957,7 +960,7 @@ class Thread(_Verbose): - if __debug__: - self._note("%s.join(): timed out", self) - break -- self.__block.wait(delay) -+ self.__block.wait(delay, balancing) - else: - if __debug__: - self._note("%s.join(): thread stopped", self) -@@ -1143,7 +1146,7 @@ class _DummyThread(Thread): - def _set_daemon(self): - return True - -- def join(self, timeout=None): -+ def join(self, timeout=None, balancing=True): - assert False, "cannot join a dummy thread" - - 
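Review bot: in 00181-allow-arbitrary-timeout-in-condition-wait.patch, the new `balancing` parameter on _Condition.wait(), _Event.wait(), Thread.join() and _DummyThread.join() is not described in any of the docstrings shown in the hunks. Document it, including that with balancing=False the loop sets `delay = remaining` and sleeps for the rest of the timeout in a single `_sleep(delay)` call instead of polling in steps capped at 0.05 seconds.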
diff --git a/python/patches/00185-urllib2-honors-noproxy-for-ftp.patch b/python/patches/00185-urllib2-honors-noproxy-for-ftp.patch deleted file mode 100644 index b26c4d491..000000000 --- a/python/patches/00185-urllib2-honors-noproxy-for-ftp.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Python-2.7.5/Lib/urllib2.py.orig Python-2.7.5/Lib/urllib2.py ---- Python-2.7.5/Lib/urllib2.py.orig 2013-07-17 12:22:58.595525622 +0200 -+++ Python-2.7.5/Lib/urllib2.py 2013-07-17 12:19:59.875898030 +0200 -@@ -728,6 +728,8 @@ class ProxyHandler(BaseHandler): - if proxy_type is None: - proxy_type = orig_type - -+ req.get_host() -+ - if req.host and proxy_bypass(req.host): - return None - diff --git a/python/patches/00187-add-RPATH-to-pyexpat.patch b/python/patches/00187-add-RPATH-to-pyexpat.patch deleted file mode 100644 index 0ac522780..000000000 --- a/python/patches/00187-add-RPATH-to-pyexpat.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -r e8b8279ca118 setup.py ---- a/setup.py Sun Jul 21 21:57:52 2013 -0400 -+++ b/setup.py Tue Aug 20 09:45:31 2013 +0200 -@@ -1480,12 +1480,21 @@ - 'expat/xmltok_impl.h' - ] - -+ # Add an explicit RPATH to pyexpat.so pointing at the directory -+ # containing the system expat (which has the extra XML_SetHashSalt -+ # symbol), to avoid an ImportError with a link error if there's an -+ # LD_LIBRARY_PATH containing a "vanilla" build of expat (without the -+ # symbol) (rhbz#833271): -+ EXPAT_RPATH = '/usr/lib64' if sys.maxint == 0x7fffffffffffffff else '/usr/lib' -+ -+ - exts.append(Extension('pyexpat', - define_macros = define_macros, - include_dirs = expat_inc, - libraries = expat_lib, - sources = ['pyexpat.c'] + expat_sources, - depends = expat_depends, -+ extra_link_args = ['-Wl,-rpath,%s' % EXPAT_RPATH] - )) - - # Fredrik Lundh's cElementTree module. Note that this also diff --git a/python/patches/00189-use-rpm-wheels.patch b/python/patches/00189-use-rpm-wheels.patch deleted file mode 100644 index d7428f8e6..000000000 
--- a/python/patches/00189-use-rpm-wheels.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index 89ed1ef..8008222 100644 ---- a/Lib/ensurepip/__init__.py -+++ b/Lib/ensurepip/__init__.py -@@ -1,9 +1,10 @@ - #!/usr/bin/env python2 - from __future__ import print_function - -+import distutils.version -+import glob - import os - import os.path --import pkgutil - import shutil - import sys - import tempfile -@@ -11,10 +12,20 @@ import tempfile - - __all__ = ["version", "bootstrap"] - -+_WHEEL_DIR = "/usr/share/python-wheels/" - --_SETUPTOOLS_VERSION = "39.0.1" - --_PIP_VERSION = "9.0.3" -+def _get_most_recent_wheel_version(pkg): -+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) -+ suffix = "-py2.py3-none-any.whl" -+ pattern = "{}*{}".format(prefix, suffix) -+ versions = (p[len(prefix):-len(suffix)] for p in glob.glob(pattern)) -+ return str(max(versions, key=distutils.version.LooseVersion)) -+ -+ -+_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools") -+ -+_PIP_VERSION = _get_most_recent_wheel_version("pip") - - _PROJECTS = [ - ("setuptools", _SETUPTOOLS_VERSION), -@@ -28,8 +39,13 @@ def _run_pip(args, additional_paths=None): - sys.path = additional_paths + sys.path - - # Install the bundled software -- import pip -- return pip.main(args) -+ try: -+ # pip 10 -+ from pip._internal import main -+ except ImportError: -+ # pip 9 -+ from pip import main -+ return main(args) - - - def version(): -@@ -100,12 +116,9 @@ def _bootstrap(root=None, upgrade=False, user=False, - additional_paths = [] - for project, version in _PROJECTS: - wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version) -- whl = pkgutil.get_data( -- "ensurepip", -- "_bundled/{}".format(wheel_name), -- ) -- with open(os.path.join(tmpdir, wheel_name), "wb") as fp: -- fp.write(whl) -+ with open(os.path.join(_WHEEL_DIR, wheel_name), "rb") as sfp: -+ with open(os.path.join(tmpdir, wheel_name), "wb") as fp: -+ fp.write(sfp.read()) - - additional_paths.append(os.path.join(tmpdir, wheel_name)) 
- diff --git a/python/patches/00190-gdb-py-bt-dont-raise-exception-from-eval.patch b/python/patches/00190-gdb-py-bt-dont-raise-exception-from-eval.patch deleted file mode 100644 index 4ef2a5d02..000000000 --- a/python/patches/00190-gdb-py-bt-dont-raise-exception-from-eval.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Python-2.7.5-orig/Tools/gdb/libpython.py 2013-05-12 03:32:54.000000000 +0000 -+++ Python-2.7.5-orig/Tools/gdb/libpython.py 2013-09-15 09:56:25.494000000 +0000 -@@ -887,6 +887,8 @@ - newline character''' - if self.is_optimized_out(): - return '(frame information optimized out)' -+ if self.filename() == '<string>': -+ return '(in an eval block)' - filename = self.filename() - try: - f = open(filename, 'r') diff --git a/python/patches/00191-disable-NOOP.patch b/python/patches/00191-disable-NOOP.patch deleted file mode 100644 index 2d4189a82..000000000 --- a/python/patches/00191-disable-NOOP.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py -index 1bb6690..28ed25d 100644 ---- a/Lib/test/test_smtplib.py -+++ b/Lib/test/test_smtplib.py -@@ -182,6 +182,7 @@ class DebuggingServerTests(unittest.TestCase): - smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15) - smtp.quit() - -+ @unittest._skipInRpmBuild("Does not work in network-free environment") - def testNOOP(self): - smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15) - expected = (250, 'Ok') diff --git a/python/patches/00193-enable-loading-sqlite-extensions.patch b/python/patches/00193-enable-loading-sqlite-extensions.patch deleted file mode 100644 index 36d053a35..000000000 --- a/python/patches/00193-enable-loading-sqlite-extensions.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- Python-2.7.5/setup.py.orig 2013-05-11 20:32:54.000000000 -0700 -+++ Python-2.7.5/setup.py 2014-02-18 14:16:07.999004901 -0800 -@@ -1168,7 +1168,7 @@ class PyBuildExt(build_ext): - sqlite_defines.append(('MODULE_NAME', '\"sqlite3\"')) - - # Comment this out if you want the sqlite3 module to be able to load extensions. -- sqlite_defines.append(("SQLITE_OMIT_LOAD_EXTENSION", "1")) -+ #sqlite_defines.append(("SQLITE_OMIT_LOAD_EXTENSION", "1")) - - if host_platform == 'darwin': - # In every directory on the search path search for a dynamic diff --git a/python/patches/00289-disable-nis-detection.patch b/python/patches/00289-disable-nis-detection.patch deleted file mode 100644 index 4e185bb16..000000000 --- a/python/patches/00289-disable-nis-detection.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -diff --git a/setup.py b/setup.py -index 585e380..9993f11 100644 ---- a/setup.py -+++ b/setup.py -@@ -1346,11 +1346,7 @@ class PyBuildExt(build_ext): - else: - missing.append('resource') - -- nis = self._detect_nis(inc_dirs, lib_dirs) -- if nis is not None: -- exts.append(nis) -- else: -- missing.append('nis') -+ # nis (Sun yellow pages) is handled in Setup.dist - - # Curses support, requiring the System V version of curses, often - # provided by the ncurses library. -@@ -2162,51 +2158,6 @@ class PyBuildExt(build_ext): - # for dlopen, see bpo-32647 - ext.libraries.append('dl') - -- def _detect_nis(self, inc_dirs, lib_dirs): -- if host_platform in {'win32', 'cygwin', 'qnx6'}: -- return None -- -- libs = [] -- library_dirs = [] -- includes_dirs = [] -- -- # bpo-32521: glibc has deprecated Sun RPC for some time. Fedora 28 -- # moved headers and libraries to libtirpc and libnsl. The headers -- # are in tircp and nsl sub directories. -- rpcsvc_inc = find_file( -- 'rpcsvc/yp_prot.h', inc_dirs, -- [os.path.join(inc_dir, 'nsl') for inc_dir in inc_dirs] -- ) -- rpc_inc = find_file( -- 'rpc/rpc.h', inc_dirs, -- [os.path.join(inc_dir, 'tirpc') for inc_dir in inc_dirs] -- ) -- if rpcsvc_inc is None or rpc_inc is None: -- # not found -- return None -- includes_dirs.extend(rpcsvc_inc) -- includes_dirs.extend(rpc_inc) -- -- if self.compiler.find_library_file(lib_dirs, 'nsl'): -- libs.append('nsl') -- else: -- # libnsl-devel: check for libnsl in nsl/ subdirectory -- nsl_dirs = [os.path.join(lib_dir, 'nsl') for lib_dir in lib_dirs] -- libnsl = self.compiler.find_library_file(nsl_dirs, 'nsl') -- if libnsl is not None: -- library_dirs.append(os.path.dirname(libnsl)) -- libs.append('nsl') -- -- if self.compiler.find_library_file(lib_dirs, 'tirpc'): -- libs.append('tirpc') -- -- return Extension( -- 'nis', ['nismodule.c'], -- libraries=libs, -- library_dirs=library_dirs, -- include_dirs=includes_dirs -- ) -- - - class PyBuildInstall(install): - # Suppress the warning 
about installation into the lib_dynload diff --git a/python/patches/00309-shutil-spawn-subprocess.patch b/python/patches/00309-shutil-spawn-subprocess.patch deleted file mode 100644 index adc56c440..000000000 --- a/python/patches/00309-shutil-spawn-subprocess.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001 -From: Benjamin Peterson benjamin@python.org -Date: Tue, 28 Aug 2018 22:12:56 -0700 -Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use - subprocess rather than distutils.spawn. - ---- - Lib/shutil.py | 16 ++++++++++------ - .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ - 2 files changed, 13 insertions(+), 6 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst - -diff --git a/Lib/shutil.py b/Lib/shutil.py -index 3462f7c5e91c..0ab1a06f5260 100644 ---- a/Lib/shutil.py -+++ b/Lib/shutil.py -@@ -413,17 +413,21 @@ def _set_uid_gid(tarinfo): - - return archive_name - --def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): -+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): - # XXX see if we want to keep an external call here - if verbose: - zipoptions = "-r" - else: - zipoptions = "-rq" -- from distutils.errors import DistutilsExecError -- from distutils.spawn import spawn -+ cmd = ["zip", zipoptions, zip_filename, base_dir] -+ if logger is not None: -+ logger.info(' '.join(cmd)) -+ if dry_run: -+ return -+ import subprocess - try: -- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) -- except DistutilsExecError: -+ subprocess.check_call(cmd) -+ except subprocess.CalledProcessError: - # XXX really should distinguish between "couldn't find - # external 'zip' command" and "zip failed". 
- raise ExecError, \ -@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): - zipfile = None - - if zipfile is None: -- _call_external_zip(base_dir, zip_filename, verbose, dry_run) -+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) - else: - if logger is not None: - logger.info("creating '%s' and adding '%s' to it", -diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst -new file mode 100644 -index 000000000000..4f686962a87b ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst -@@ -0,0 +1,3 @@ -+When ``shutil.make_archive`` falls back to the external ``zip`` problem, it -+uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This -+closes a possible shell injection vector. diff --git a/python/patches/00310-use-xml-sethashsalt-in-elementtree.patch b/python/patches/00310-use-xml-sethashsalt-in-elementtree.patch deleted file mode 100644 index 27d8d1c3c..000000000 --- a/python/patches/00310-use-xml-sethashsalt-in-elementtree.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 554c48934c599b3fb04c73d740bba1a745b89b41 Mon Sep 17 00:00:00 2001 -From: Christian Heimes christian@python.org -Date: Tue, 18 Sep 2018 14:38:58 +0200 -Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree - (GH-9146) - -The C accelerated _elementtree module now initializes hash randomization -salt from _Py_HashSecret instead of libexpat's default CPRNG. - -Signed-off-by: Christian Heimes christian@python.org - -https://bugs.python.org/issue34623. -(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) - -Co-authored-by: Christian Heimes christian@python.org ---- - Include/pyexpat.h | 4 +++- - .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++ - Modules/_elementtree.c | 5 +++++ - Modules/pyexpat.c | 5 +++++ - 4 files changed, 15 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst - -diff --git a/Include/pyexpat.h b/Include/pyexpat.h -index 5340ef5fa386..3fc5fa54da63 100644 ---- a/Include/pyexpat.h -+++ b/Include/pyexpat.h -@@ -3,7 +3,7 @@ - - /* note: you must import expat.h before importing this module! */ - --#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" -+#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" - #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" - - struct PyExpat_CAPI -@@ -43,6 +43,8 @@ struct PyExpat_CAPI - XML_Parser parser, XML_UnknownEncodingHandler handler, - void *encodingHandlerData); - void (*SetUserData)(XML_Parser parser, void *userData); -+ /* might be none for expat < 2.1.0 */ -+ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); - /* always add new stuff to the end! 
*/ - }; - -diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst -new file mode 100644 -index 000000000000..31ad92ef8582 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst -@@ -0,0 +1,2 @@ -+The C accelerated _elementtree module now initializes hash randomization -+salt from _Py_HashSecret instead of libexpat's default CSPRNG. -diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c -index f7f992dd3a95..b38e0ab329c7 100644 ---- a/Modules/_elementtree.c -+++ b/Modules/_elementtree.c -@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw) - PyErr_NoMemory(); - return NULL; - } -+ /* expat < 2.1.0 has no XML_SetHashSalt() */ -+ if (EXPAT(SetHashSalt) != NULL) { -+ EXPAT(SetHashSalt)(self->parser, -+ (unsigned long)_Py_HashSecret.prefix); -+ } - - ALLOC(sizeof(XMLParserObject), "create expatparser"); - -diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c -index 2b4d31293c64..1f8c0d70a559 100644 ---- a/Modules/pyexpat.c -+++ b/Modules/pyexpat.c -@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void) - capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler; - capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler; - capi.SetUserData = XML_SetUserData; -+#if XML_COMBINED_VERSION >= 20100 -+ capi.SetHashSalt = XML_SetHashSalt; -+#else -+ capi.SetHashSalt = NULL; -+#endif - - /* export using capsule */ - capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); diff --git a/python/patches/05000-autotool-intermediates.patch b/python/patches/05000-autotool-intermediates.patch deleted file mode 100644 index dfe02570a..000000000 --- a/python/patches/05000-autotool-intermediates.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -diff -up ./configure.autotool-intermediates ./configure ---- ./configure.autotool-intermediates 2013-04-09 11:24:01.024185796 +0200 -+++ ./configure 2013-04-09 11:24:01.780183954 +0200 -@@ -639,6 +639,8 @@ TRUE - MACHDEP_OBJS - DYNLOADFILE - DLINCLDIR -+DTRACEHDRS -+DTRACEOBJS - THREADOBJ - LDLAST - USE_THREAD_MODULE -@@ -659,6 +661,8 @@ OTHER_LIBTOOL_OPT - UNIVERSAL_ARCH_FLAGS - BASECFLAGS - OPT -+DEBUG_SUFFIX -+DEBUG_EXT - LN - MKDIR_P - INSTALL_DATA -@@ -795,8 +799,11 @@ with_pth - enable_ipv6 - with_doc_strings - with_tsc -+with_count_allocs -+with_call_profile - with_pymalloc - with_valgrind -+with_dtrace - with_wctype_functions - with_fpectl - with_libm -@@ -1472,8 +1479,11 @@ Optional Packages: - --with-pth use GNU pth threading libraries - --with(out)-doc-strings disable/enable documentation strings - --with(out)-tsc enable/disable timestamp counter profile -+ --with(out)count-allocs enable/disable per-type instance accounting -+ --with(out)-call-profile enable/disable statistics on function call invocation - --with(out)-pymalloc disable/enable specialized mallocs - --with-valgrind Enable Valgrind support -+ --with(out)-dtrace disable/enable dtrace support - --with-wctype-functions use wctype.h functions - --with-fpectl enable SIGFPE catching - --with-libm=STRING math library -@@ -5343,8 +5353,8 @@ $as_echo "#define Py_ENABLE_SHARED 1" >> - INSTSONAME="$LDLIBRARY".$SOVERSION - ;; - Linux*|GNU*|NetBSD*|FreeBSD*|DragonFly*|OpenBSD*) -- LDLIBRARY='libpython$(VERSION).so' -- BLDLIBRARY='-L. -lpython$(VERSION)' -+ LDLIBRARY='libpython$(VERSION)$(DEBUG_EXT).so' -+ BLDLIBRARY='-L. -lpython$(VERSION)$(DEBUG_EXT)' - RUNSHARED=LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} - case $ac_sys_system in - FreeBSD*) -@@ -5367,7 +5377,7 @@ $as_echo "#define Py_ENABLE_SHARED 1" >> - ;; - OSF*) - LDLIBRARY='libpython$(VERSION).so' -- BLDLIBRARY='-rpath $(LIBDIR) -L. -lpython$(VERSION)' -+ BLDLIBRARY='-L. 
-lpython$(VERSION)' - RUNSHARED=LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} - ;; - atheos*) -@@ -5894,6 +5904,14 @@ $as_echo "no" >&6; } - fi - - -+if test "$Py_DEBUG" = 'true' -+then -+ DEBUG_EXT=_d -+ DEBUG_SUFFIX=-debug -+fi -+ -+ -+ - # XXX Shouldn't the code above that fiddles with BASECFLAGS and OPT be - # merged with this chunk of code? - -@@ -9958,6 +9976,50 @@ $as_echo "no" >&6; } - fi - - -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-count-allocs" >&5 -+$as_echo_n "checking for --with-count-allocs... " >&6; } -+ -+# Check whether --with-count-allocs was given. -+if test "${with_count_allocs+set}" = set; then : -+ withval=$with_count_allocs; -+if test "$withval" != no -+then -+ -+$as_echo "#define COUNT_ALLOCS 1" >>confdefs.h -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-call-profile" >&5 -+$as_echo_n "checking for --with-call-profile... " >&6; } -+ -+# Check whether --with-call-profile was given. -+if test "${with_call_profile+set}" = set; then : -+ withval=$with_call_profile; -+if test "$withval" != no -+then -+ -+$as_echo "#define CALL_PROFILE 1" >>confdefs.h -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ - # Check for Python-specific malloc support - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-pymalloc" >&5 - $as_echo_n "checking for --with-pymalloc... 
" >&6; } -@@ -10007,6 +10069,46 @@ fi - - fi - -+# Check for dtrace support -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-dtrace" >&5 -+$as_echo_n "checking for --with-dtrace... " >&6; } -+ -+# Check whether --with-dtrace was given. -+if test "${with_dtrace+set}" = set; then : -+ withval=$with_dtrace; -+fi -+ -+ -+if test ! -z "$with_dtrace" -+then -+ if dtrace -G -o /dev/null -s $srcdir/Include/pydtrace.d 2>/dev/null -+ then -+ -+$as_echo "#define WITH_DTRACE 1" >>confdefs.h -+ -+ with_dtrace="Sun" -+ DTRACEOBJS="Python/dtrace.o" -+ DTRADEHDRS="" -+ elif dtrace -h -o /dev/null -s $srcdir/Include/pydtrace.d -+ then -+ -+$as_echo "#define WITH_DTRACE 1" >>confdefs.h -+ -+ with_dtrace="Apple" -+ DTRACEOBJS="" -+ DTRADEHDRS="pydtrace.h" -+ else -+ with_dtrace="no" -+ fi -+else -+ with_dtrace="no" -+fi -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_dtrace" >&5 -+$as_echo "$with_dtrace" >&6; } -+ -+ -+ - # Check for --with-wctype-functions - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-wctype-functions" >&5 - $as_echo_n "checking for --with-wctype-functions... " >&6; } -diff -up ./pyconfig.h.in.autotool-intermediates ./pyconfig.h.in ---- ./pyconfig.h.in.autotool-intermediates 2013-04-09 11:24:01.020185806 +0200 -+++ ./pyconfig.h.in 2013-04-09 11:24:02.088183204 +0200 -@@ -18,6 +18,12 @@ - /* Define this if you have BeOS threads. 
*/ - #undef BEOS_THREADS - -+/* Define to keep records on function call invocation */ -+#undef CALL_PROFILE -+ -+/* Define to keep records of the number of instances of each type */ -+#undef COUNT_ALLOCS -+ - /* Define if you have the Mach cthreads package */ - #undef C_THREADS - -@@ -1119,12 +1125,6 @@ - /* Define to profile with the Pentium timestamp counter */ - #undef WITH_TSC - --/* Define to keep records of the number of instances of each type */ --#undef COUNT_ALLOCS -- --/* Define to keep records on function call invocation */ --#undef CALL_PROFILE -- - /* Define if you want pymalloc to be disabled when running under valgrind */ - #undef WITH_VALGRIND - diff --git a/python/patches/python-2.3.4-lib64-regex.patch b/python/patches/python-2.3.4-lib64-regex.patch deleted file mode 100644 index 2b38d4cbb..000000000 --- a/python/patches/python-2.3.4-lib64-regex.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- Python-2.3.4/Lib/test/test_re.py 2004-04-20 23:32:33.000000000 +0200 -+++ Python-2.3.4/Lib/test/test_re.py.lib64-regex 2004-05-29 17:36:52.000000000 +0200 -@@ -497,6 +497,15 @@ - self.assert_(re.compile('bug_926075') is not - re.compile(eval("u'bug_926075'"))) - -+ def test_bug_931848(self): -+ try: -+ unicode -+ except NameError: -+ pass -+ pattern = eval('u"[\u002E\u3002\uFF0E\uFF61]"') -+ self.assertEqual(re.compile(pattern).split("a.b.c"), -+ ['a','b','c']) -+ - def run_re_tests(): - from test.re_tests import benchmarks, tests, SUCCEED, FAIL, SYNTAX_ERROR - if verbose: diff --git a/python/patches/python-2.5-cflags.patch b/python/patches/python-2.5-cflags.patch deleted file mode 100644 index 32243bf90..000000000 --- a/python/patches/python-2.5-cflags.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- Python-2.5c1/Makefile.pre.in.cflags 2006-08-18 11:05:40.000000000 -0400 -+++ Python-2.5c1/Makefile.pre.in 2006-08-18 11:09:26.000000000 -0400 -@@ -334,7 +334,7 @@ - - # Build the interpreter - $(BUILDPYTHON): Modules/python.o $(LIBRARY) $(LDLIBRARY) -- $(LINKCC) $(LDFLAGS) $(LINKFORSHARED) -o $@ \ -+ $(LINKCC) $(CFLAGS) $(LDFLAGS) $(LINKFORSHARED) -o $@ \ - Modules/python.o \ - $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) - diff --git a/python/patches/python-2.5.1-plural-fix.patch b/python/patches/python-2.5.1-plural-fix.patch deleted file mode 100644 index 5002cb27e..000000000 --- a/python/patches/python-2.5.1-plural-fix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Python-2.5.1/Lib/gettext.py.plural Python-2.5.1/Lib/gettext.py ---- Python-2.5.1/Lib/gettext.py.plural 2007-09-10 11:38:57.000000000 -0400 -+++ Python-2.5.1/Lib/gettext.py 2007-09-10 11:39:00.000000000 -0400 -@@ -299,6 +299,8 @@ class GNUTranslations(NullTranslations): - item = item.strip() - if not item: - continue -+ if item.startswith("#"): -+ continue - k = v = None - if ':' in item: - k, v = item.split(':', 1) diff --git a/python/patches/python-2.5.1-sqlite-encoding.patch b/python/patches/python-2.5.1-sqlite-encoding.patch deleted file mode 100644 index ff2a3f87e..000000000 --- a/python/patches/python-2.5.1-sqlite-encoding.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff -up Python-2.5.1/Lib/sqlite3/dbapi2.py.encoding Python-2.5.1/Lib/sqlite3/dbapi2.py ---- Python-2.5.1/Lib/sqlite3/dbapi2.py.encoding 2007-09-14 10:41:50.000000000 -0400 -+++ Python-2.5.1/Lib/sqlite3/dbapi2.py 2007-09-14 10:42:00.000000000 -0400 -@@ -1,7 +1,6 @@ --# -*- coding: iso-8859-1 -*- - # pysqlite2/dbapi2.py: the DB-API 2.0 interface - # --# Copyright (C) 2004-2005 Gerhard Häring gh@ghaering.de -+# Copyright (C) 2004-2005 Gerhard Haering gh@ghaering.de - # - # This file is part of pysqlite. - # -diff -up Python-2.5.1/Lib/sqlite3/__init__.py.encoding Python-2.5.1/Lib/sqlite3/__init__.py ---- Python-2.5.1/Lib/sqlite3/__init__.py.encoding 2007-09-14 10:41:47.000000000 -0400 -+++ Python-2.5.1/Lib/sqlite3/__init__.py 2007-09-14 10:42:06.000000000 -0400 -@@ -1,7 +1,6 @@ --#-*- coding: ISO-8859-1 -*- - # pysqlite2/__init__.py: the pysqlite2 package. - # --# Copyright (C) 2005 Gerhard Häring gh@ghaering.de -+# Copyright (C) 2005 Gerhard Haering gh@ghaering.de - # - # This file is part of pysqlite. - # diff --git a/python/patches/python-2.6-rpath.patch b/python/patches/python-2.6-rpath.patch deleted file mode 100644 index 33d7cf65e..000000000 --- a/python/patches/python-2.6-rpath.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Python-2.6/configure.ac.rpath Python-2.6/configure.ac ---- Python-2.6/configure.ac.rpath 2008-11-24 02:51:06.000000000 -0500 -+++ Python-2.6/configure.ac 2008-11-24 02:51:21.000000000 -0500 -@@ -729,7 +729,7 @@ if test $enable_shared = "yes"; then - ;; - OSF*) - LDLIBRARY='libpython$(VERSION).so' -- BLDLIBRARY='-rpath $(LIBDIR) -L. -lpython$(VERSION)' -+ BLDLIBRARY='-L. -lpython$(VERSION)' - RUNSHARED=LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} - ;; - atheos*) diff --git a/python/patches/python-2.6.4-distutils-rpath.patch b/python/patches/python-2.6.4-distutils-rpath.patch deleted file mode 100644 index f1565076c..000000000 --- a/python/patches/python-2.6.4-distutils-rpath.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -diff -up Python-2.6.4/Lib/distutils/unixccompiler.py.distutils-rpath Python-2.6.4/Lib/distutils/unixccompiler.py ---- Python-2.6.4/Lib/distutils/unixccompiler.py.distutils-rpath 2009-09-09 04:34:06.000000000 -0400 -+++ Python-2.6.4/Lib/distutils/unixccompiler.py 2010-03-15 21:33:25.000000000 -0400 -@@ -142,6 +142,16 @@ class UnixCCompiler(CCompiler): - if sys.platform == "cygwin": - exe_extension = ".exe" - -+ def _fix_lib_args(self, libraries, library_dirs, runtime_library_dirs): -+ """Remove standard library path from rpath""" -+ libraries, library_dirs, runtime_library_dirs = \ -+ CCompiler._fix_lib_args(self, libraries, library_dirs, -+ runtime_library_dirs) -+ libdir = sysconfig.get_config_var('LIBDIR') -+ if runtime_library_dirs and (libdir in runtime_library_dirs): -+ runtime_library_dirs.remove(libdir) -+ return libraries, library_dirs, runtime_library_dirs -+ - def preprocess(self, source, - output_file=None, macros=None, include_dirs=None, - extra_preargs=None, extra_postargs=None): diff --git a/python/patches/python-2.7.1-config.patch b/python/patches/python-2.7.1-config.patch deleted file mode 100644 index df9d4a6b6..000000000 --- a/python/patches/python-2.7.1-config.patch +++ /dev/null 
@@ -1,256 +0,0 @@ ---- Python-2.7.4/Modules/Setup.dist.rhconfig 2013-04-06 16:02:34.000000000 +0200 -+++ Python-2.7.4/Modules/Setup.dist 2013-04-08 10:05:16.369985654 +0200 -@@ -153,7 +153,7 @@ GLHACK=-Dclear=__GLclear - # modules are to be built as shared libraries (see above for more - # detail; also note that *static* reverses this effect): - --#*shared* -+*shared* - - # GNU readline. Unlike previous Python incarnations, GNU readline is - # now incorporated in an optional module, configured in the Setup file -@@ -163,77 +163,77 @@ GLHACK=-Dclear=__GLclear - # it, depending on your system -- see the GNU readline instructions. - # It's okay for this to be a shared library, too. - --#readline readline.c -lreadline -ltermcap -+readline readline.c -lreadline -ltermcap - - - # Modules that should always be present (non UNIX dependent): - --#array arraymodule.c # array objects --#cmath cmathmodule.c _math.c # -lm # complex math library functions --#math mathmodule.c _math.c # -lm # math library functions, e.g. sin() --#_struct _struct.c # binary structure packing/unpacking --#time timemodule.c # -lm # time operations and variables --#operator operator.c # operator.add() and similar goodies --#_testcapi _testcapimodule.c # Python C API test module --#_random _randommodule.c # Random number generator --#_collections _collectionsmodule.c # Container types -+array arraymodule.c # array objects -+cmath cmathmodule.c _math.c # -lm # complex math library functions -+math mathmodule.c _math.c # -lm # math library functions, e.g. 
sin() -+_struct _struct.c # binary structure packing/unpacking -+time timemodule.c # -lm # time operations and variables -+operator operator.c # operator.add() and similar goodies -+_testcapi _testcapimodule.c # Python C API test module -+_random _randommodule.c # Random number generator -+_collections _collectionsmodule.c # Container types - #_heapq _heapqmodule.c # Heapq type --#itertools itertoolsmodule.c # Functions creating iterators for efficient looping --#strop stropmodule.c # String manipulations --#_functools _functoolsmodule.c # Tools for working with functions and callable objects -+itertools itertoolsmodule.c # Functions creating iterators for efficient looping -+strop stropmodule.c # String manipulations -+_functools _functoolsmodule.c # Tools for working with functions and callable objects - #_elementtree -I$(srcdir)/Modules/expat -DHAVE_EXPAT_CONFIG_H -DUSE_PYEXPAT_CAPI _elementtree.c # elementtree accelerator - #_pickle _pickle.c # pickle accelerator - #datetime datetimemodule.c # date/time type --#_bisect _bisectmodule.c # Bisection algorithms -+_bisect _bisectmodule.c # Bisection algorithms - --#unicodedata unicodedata.c # static Unicode character database -+unicodedata unicodedata.c # static Unicode character database - - # access to ISO C locale support --#_locale _localemodule.c # -lintl -+_locale _localemodule.c # -lintl - - # Standard I/O baseline - #_io -I$(srcdir)/Modules/_io _io/bufferedio.c _io/bytesio.c _io/fileio.c _io/iobase.c _io/_iomodule.c _io/stringio.c _io/textio.c - - - # Modules with some UNIX dependencies -- on by default: - # (If you have a really backward UNIX, select and socket may not be - # supported...) 
- --#fcntl fcntlmodule.c # fcntl(2) and ioctl(2) --#spwd spwdmodule.c # spwd(3) --#grp grpmodule.c # grp(3) --#select selectmodule.c # select(2); not on ancient System V -+fcntl fcntlmodule.c # fcntl(2) and ioctl(2) -+spwd spwdmodule.c # spwd(3) -+grp grpmodule.c # grp(3) -+select selectmodule.c # select(2); not on ancient System V - - # Memory-mapped files (also works on Win32). --#mmap mmapmodule.c -+mmap mmapmodule.c - - # CSV file helper --#_csv _csv.c -+_csv _csv.c - - # Socket module helper for socket(2) --#_socket socketmodule.c timemodule.c -+_socket socketmodule.c timemodule.c - - # Socket module helper for SSL support; you must comment out the other - # socket line above, and possibly edit the SSL variable: - #SSL=/usr/local/ssl --#_ssl _ssl.c \ --# -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \ --# -L$(SSL)/lib -lssl -lcrypto -+_ssl _ssl.c \ -+ -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \ -+ -L$(SSL)/lib -lssl -lcrypto - - # The crypt module is now disabled by default because it breaks builds - # on many systems (where -lcrypt is needed), e.g. Linux (I believe). - # - # First, look at Setup.config; configure may have set this for you. - --#crypt cryptmodule.c # -lcrypt # crypt(3); needs -lcrypt on some systems -+crypt cryptmodule.c # -lcrypt # crypt(3); needs -lcrypt on some systems - - - # Some more UNIX dependent modules -- off by default, since these - # are not supported by all UNIX systems: - --#nis nismodule.c -lnsl # Sun yellow pages -- not everywhere --#termios termios.c # Steen Lumholt's termios module --#resource resource.c # Jeremy Hylton's rlimit interface -+#nis nismodule.c -lnsl -ltirpc -I/usr/include/tirpc -I/usr/include/nsl -L/usr/lib/nsl -+termios termios.c # Steen Lumholt's termios module -+resource resource.c # Jeremy Hylton's rlimit interface - - - # Multimedia modules -- off by default. -@@ -238,8 +238,8 @@ GLHACK=-Dclear=__GLclear - # #993173 says audioop works on 64-bit platforms, though. 
- # These represent audio samples or images as strings: - --#audioop audioop.c # Operations on audio samples --#imageop imageop.c # Operations on images -+audioop audioop.c # Operations on audio samples -+imageop imageop.c # Operations on images - - - # Note that the _md5 and _sha modules are normally only built if the -@@ -249,14 +249,14 @@ GLHACK=-Dclear=__GLclear - # Message-Digest Algorithm, described in RFC 1321. The necessary files - # md5.c and md5.h are included here. - --#_md5 md5module.c md5.c -+_md5 md5module.c md5.c - - - # The _sha module implements the SHA checksum algorithms. - # (NIST's Secure Hash Algorithms.) --#_sha shamodule.c --#_sha256 sha256module.c --#_sha512 sha512module.c -+_sha shamodule.c -+_sha256 sha256module.c -+_sha512 sha512module.c - - - # SGI IRIX specific modules -- off by default. -@@ -303,12 +303,12 @@ GLHACK=-Dclear=__GLclear - # A Linux specific module -- off by default; this may also work on - # some *BSDs. - --#linuxaudiodev linuxaudiodev.c -+linuxaudiodev linuxaudiodev.c - - - # George Neville-Neil's timing module: - --#timing timingmodule.c -+timing timingmodule.c - - - # The _tkinter module. -@@ -352,7 +352,7 @@ GLHACK=-Dclear=__GLclear - # *** Uncomment for AIX: - # -lld \ - # *** Always uncomment this; X11 libraries to link with: --# -lX11 -+ -lX11 - - # Lance Ellinghaus's syslog module - #syslog syslogmodule.c # syslog daemon interface -@@ -374,7 +374,7 @@ GLHACK=-Dclear=__GLclear - # it is a highly experimental and dangerous device for calling - # *arbitrary* C functions in *arbitrary* shared libraries: - --#dl dlmodule.c -+dl dlmodule.c - - - # Modules that provide persistent dictionary-like semantics. You will -@@ -397,7 +397,7 @@ GLHACK=-Dclear=__GLclear - # - # First, look at Setup.config; configure may have set this for you. - --#gdbm gdbmmodule.c -I/usr/local/include -L/usr/local/lib -lgdbm -+gdbm gdbmmodule.c -lgdbm - - - # Sleepycat Berkeley DB interface. 
-@@ -412,11 +412,9 @@ GLHACK=-Dclear=__GLclear - # - # Edit the variables DB and DBLIBVERto point to the db top directory - # and the subdirectory of PORT where you built it. --#DB=/usr/local/BerkeleyDB.4.0 --#DBLIBVER=4.0 --#DBINC=$(DB)/include --#DBLIB=$(DB)/lib --#_bsddb _bsddb.c -I$(DBINC) -L$(DBLIB) -ldb-$(DBLIBVER) -+DBINC=/usr/include/libdb -+DBLIB=/usr/lib -+_bsddb _bsddb.c -I$(DBINC) -L$(DBLIB) -ldb - - # Historical Berkeley DB 1.85 - # -@@ -431,14 +430,14 @@ GLHACK=-Dclear=__GLclear - - - # Helper module for various ascii-encoders --#binascii binascii.c -+binascii binascii.c - - # Fred Drake's interface to the Python parser --#parser parsermodule.c -+parser parsermodule.c - - # cStringIO and cPickle --#cStringIO cStringIO.c --#cPickle cPickle.c -+cStringIO cStringIO.c -+cPickle cPickle.c - - - # Lee Busby's SIGFPE modules. -@@ -461,7 +460,7 @@ GLHACK=-Dclear=__GLclear - # Andrew Kuchling's zlib module. - # This require zlib 1.1.3 (or later). - # See http://www.gzip.org/zlib/ --#zlib zlibmodule.c -I$(prefix)/include -L$(exec_prefix)/lib -lz -+zlib zlibmodule.c -I$(prefix)/include -L$(exec_prefix)/lib -lz - - # Interface to the Expat XML parser - # -@@ -480,14 +479,14 @@ GLHACK=-Dclear=__GLclear - # Hye-Shik Chang's CJKCodecs - - # multibytecodec is required for all the other CJK codec modules --#_multibytecodec cjkcodecs/multibytecodec.c -+_multibytecodec cjkcodecs/multibytecodec.c - --#_codecs_cn cjkcodecs/_codecs_cn.c --#_codecs_hk cjkcodecs/_codecs_hk.c --#_codecs_iso2022 cjkcodecs/_codecs_iso2022.c --#_codecs_jp cjkcodecs/_codecs_jp.c --#_codecs_kr cjkcodecs/_codecs_kr.c --#_codecs_tw cjkcodecs/_codecs_tw.c -+_codecs_cn cjkcodecs/_codecs_cn.c -+_codecs_hk cjkcodecs/_codecs_hk.c -+_codecs_iso2022 cjkcodecs/_codecs_iso2022.c -+_codecs_jp cjkcodecs/_codecs_jp.c -+_codecs_kr cjkcodecs/_codecs_kr.c -+_codecs_tw cjkcodecs/_codecs_tw.c - - # Example -- included for reference only: - # xx xxmodule.c 
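Review bot: the deletions of python/patches/00309-shutil-spawn-subprocess.patch and python/patches/00310-use-xml-sethashsalt-in-elementtree.patch remove two backports that their own NEWS entries file under Misc/NEWS.d/next/Security, and nothing in the diff shown here says why that is safe. The first (bpo-34540) "closes a possible shell injection vector" in the external zip fallback of shutil.make_archive, and the second (bpo-34623) seeds the _elementtree hash salt from _Py_HashSecret. The commit message should state that the interpreter these patches applied to is removed in the same change; if any build of it remains, both files have to stay.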
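Review bot: in the deleted python/patches/05000-autotool-intermediates.patch, both branches of the --with-dtrace check assign DTRADEHDRS (DTRADEHDRS="" and DTRADEHDRS="pydtrace.h"), while the variable the same patch adds to configure's substitution list is DTRACEHDRS, so the header variable was never populated. The removal makes this moot here, but the misspelling should not be copied if this configure fragment is reused. The second probe (dtrace -h) also lacks the 2>/dev/null that the first probe (dtrace -G) has.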
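Review bot: python/patches/python-2.7.1-config.patch, deleted here, should not be restored as it stands if a Setup.dist override is ever needed again. Its hunk at -374,7 switched on "dl dlmodule.c" directly under the Setup.dist comment that calls the module "a highly experimental and dangerous device for calling *arbitrary* C functions in *arbitrary* shared libraries". Its hunk at -163,77 enabled the _ssl line with -I$(SSL)/include and -L$(SSL)/lib while leaving "#SSL=/usr/local/ssl" commented out, so within this file those flags have no SSL value to expand. Any replacement should leave dl disabled and either define SSL or drop the $(SSL) prefixes.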
diff --git a/python/patches/python-2.7.1-fix_test_abc_with_COUNT_ALLOCS.patch b/python/patches/python-2.7.1-fix_test_abc_with_COUNT_ALLOCS.patch deleted file mode 100644 index bb3828185..000000000 --- a/python/patches/python-2.7.1-fix_test_abc_with_COUNT_ALLOCS.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up Python-2.7.1/Lib/test/test_abc.py.cache_leak Python-2.7.1/Lib/test/test_abc.py ---- Python-2.7.1/Lib/test/test_abc.py.cache_leak 2010-12-28 18:06:35.551938356 -0500 -+++ Python-2.7.1/Lib/test/test_abc.py 2010-12-28 18:09:09.021059202 -0500 -@@ -3,6 +3,8 @@ - - """Unit tests for abc.py.""" - -+import sys -+ - import unittest, weakref - from test import test_support - -@@ -229,8 +231,12 @@ class TestABC(unittest.TestCase): - # Trigger cache. - C().f() - del C -- test_support.gc_collect() -- self.assertEqual(r(), None) -+ # This doesn't work in our debug build, presumably due to its use -+ # of COUNT_ALLOCS, which makes heap-allocated types immortal (once -+ # they've ever had an instance): -+ if not hasattr(sys, 'getcounts'): -+ test_support.gc_collect() -+ self.assertEqual(r(), None) - - def test_main(): - test_support.run_unittest(TestABC) diff --git a/python/patches/python-2.7.2-add-extension-suffix-to-python-config.patch b/python/patches/python-2.7.2-add-extension-suffix-to-python-config.patch deleted file mode 100644 index d1ff05284..000000000 --- a/python/patches/python-2.7.2-add-extension-suffix-to-python-config.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -diff -up Python-2.7.2/Misc/python-config.in.add-extension-suffix-to-python-config Python-2.7.2/Misc/python-config.in ---- Python-2.7.2/Misc/python-config.in.add-extension-suffix-to-python-config 2011-08-23 18:15:41.832497124 -0400 -+++ Python-2.7.2/Misc/python-config.in 2011-08-23 18:17:25.854490011 -0400 -@@ -6,7 +6,7 @@ import getopt - from distutils import sysconfig - - valid_opts = ['prefix', 'exec-prefix', 'includes', 'libs', 'cflags', -- 'ldflags', 'help'] -+ 'ldflags', 'extension-suffix', 'help'] - - def exit_with_usage(code=1): - print >>sys.stderr, "Usage: %s [%s]" % (sys.argv[0], -@@ -54,3 +54,5 @@ for opt in opt_flags: - libs.extend(getvar('LINKFORSHARED').split()) - print ' '.join(libs) - -+ elif opt == '--extension-suffix': -+ print (sys.pydebug and "_d" or "") + sysconfig.get_config_var('SO') diff --git a/python/patches/python-2.7rc1-socketmodule-constants.patch b/python/patches/python-2.7rc1-socketmodule-constants.patch deleted file mode 100644 index c32e1030e..000000000 --- a/python/patches/python-2.7rc1-socketmodule-constants.patch +++ /dev/null 
@@ -1,64 +0,0 @@ ---- Python-2.7rc1/Modules/socketmodule.c.socketmodule 2010-05-09 10:46:46.000000000 -0400 -+++ Python-2.7rc1/Modules/socketmodule.c 2010-06-07 23:04:19.374234780 -0400 -@@ -4783,6 +4783,61 @@ init_socket(void) - PyModule_AddIntConstant(m, "SO_SETFIB", SO_SETFIB); - #endif - -+#ifdef SO_SNDBUFFORCE -+ PyModule_AddIntConstant(m, "SO_SNDBUFFORCE", SO_SNDBUFFORCE); -+#endif -+#ifdef SO_RCVBUFFORCE -+ PyModule_AddIntConstant(m, "SO_RCVBUFFORCE", SO_RCVBUFFORCE); -+#endif -+#ifdef SO_NO_CHECK -+ PyModule_AddIntConstant(m, "SO_NO_CHECK", SO_NO_CHECK); -+#endif -+#ifdef SO_PRIORITY -+ PyModule_AddIntConstant(m, "SO_PRIORITY", SO_PRIORITY); -+#endif -+#ifdef SO_BSDCOMPAT -+ PyModule_AddIntConstant(m, "SO_BSDCOMPAT", SO_BSDCOMPAT); -+#endif -+#ifdef SO_PASSCRED -+ PyModule_AddIntConstant(m, "SO_PASSCRED", SO_PASSCRED); -+#endif -+#ifdef SO_PEERCRED -+ PyModule_AddIntConstant(m, "SO_PEERCRED", SO_PEERCRED); -+#endif -+#ifdef SO_SECURITY_AUTHENTICATION -+ PyModule_AddIntConstant(m, "SO_SECURITY_AUTHENTICATION", SO_SECURITY_AUTHENTICATION); -+#endif -+#ifdef SO_SECURITY_ENCRYPTION_TRANSPORT -+ PyModule_AddIntConstant(m, "SO_SECURITY_ENCRYPTION_TRANSPORT", SO_SECURITY_ENCRYPTION_TRANSPORT); -+#endif -+#ifdef SO_SECURITY_ENCRYPTION_NETWORK -+ PyModule_AddIntConstant(m, "SO_SECURITY_ENCRYPTION_NETWORK", SO_SECURITY_ENCRYPTION_NETWORK); -+#endif -+#ifdef SO_BINDTODEVICE -+ PyModule_AddIntConstant(m, "SO_BINDTODEVICE", SO_BINDTODEVICE); -+#endif -+#ifdef SO_ATTACH_FILTER -+ PyModule_AddIntConstant(m, "SO_ATTACH_FILTER", SO_ATTACH_FILTER); -+#endif -+#ifdef SO_DETACH_FILTER -+ PyModule_AddIntConstant(m, "SO_DETACH_FILTER", SO_DETACH_FILTER); -+#endif -+#ifdef SO_PEERNAME -+ PyModule_AddIntConstant(m, "SO_PEERNAME", SO_PEERNAME); -+#endif -+#ifdef SO_TIMESTAMP -+ PyModule_AddIntConstant(m, "SO_TIMESTAMP", SO_TIMESTAMP); -+#endif -+#ifdef SO_PEERSEC -+ PyModule_AddIntConstant(m, "SO_PEERSEC", SO_PEERSEC); -+#endif -+#ifdef SO_PASSSEC -+ PyModule_AddIntConstant(m, 
"SO_PASSSEC", SO_PASSSEC); -+#endif -+#ifdef SO_TIMESTAMPNS -+ PyModule_AddIntConstant(m, "SO_TIMESTAMPNS", SO_TIMESTAMPNS); -+#endif -+ - /* Maximum number of connections for "listen" */ - #ifdef SOMAXCONN - PyModule_AddIntConstant(m, "SOMAXCONN", SOMAXCONN); diff --git a/python/patches/python-2.7rc1-socketmodule-constants2.patch b/python/patches/python-2.7rc1-socketmodule-constants2.patch deleted file mode 100644 index 896ac886c..000000000 --- a/python/patches/python-2.7rc1-socketmodule-constants2.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up Python-2.7rc1/Modules/socketmodule.c.socketmodule2 Python-2.7rc1/Modules/socketmodule.c ---- Python-2.7rc1/Modules/socketmodule.c.socketmodule2 2010-06-07 23:06:59.133498087 -0400 -+++ Python-2.7rc1/Modules/socketmodule.c 2010-06-07 23:11:51.249520087 -0400 -@@ -5253,6 +5253,15 @@ init_socket(void) - #ifdef TCP_QUICKACK - PyModule_AddIntConstant(m, "TCP_QUICKACK", TCP_QUICKACK); - #endif -+#ifdef TCP_CONGESTION -+ PyModule_AddIntConstant(m, "TCP_CONGESTION", TCP_CONGESTION); -+#endif -+#ifdef TCP_MD5SIG -+ PyModule_AddIntConstant(m, "TCP_MD5SIG", TCP_MD5SIG); -+#endif -+#ifdef TCP_MD5SIG_MAXKEYLEN -+ PyModule_AddIntConstant(m, "TCP_MD5SIG_MAXKEYLEN", TCP_MD5SIG_MAXKEYLEN); -+#endif - - - /* IPX options */ diff --git a/python/python-2.7-lib64-sysconfig.patch b/python/python-2.7-lib64-sysconfig.patch deleted file mode 100644 index 0cef36192..000000000 --- a/python/python-2.7-lib64-sysconfig.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -diff -up Python-2.7/Lib/sysconfig.py.lib64-sysconfig Python-2.7/Lib/sysconfig.py ---- Python-2.7/Lib/sysconfig.py.lib64-sysconfig 2010-07-08 14:18:41.386898476 -0400 -+++ Python-2.7/Lib/sysconfig.py 2010-07-08 14:22:02.837896461 -0400 -@@ -7,20 +7,20 @@ from os.path import pardir, realpath - - _INSTALL_SCHEMES = { - 'posix_prefix': { -- 'stdlib': '{base}/lib/python{py_version_short}', -- 'platstdlib': '{platbase}/lib/python{py_version_short}', -+ 'stdlib': '{base}/lib64/python{py_version_short}', -+ 'platstdlib': '{platbase}/lib64/python{py_version_short}', - 'purelib': '{base}/lib/python{py_version_short}/site-packages', -- 'platlib': '{platbase}/lib/python{py_version_short}/site-packages', -+ 'platlib': '{platbase}/lib64/python{py_version_short}/site-packages', - 'include': '{base}/include/python{py_version_short}', - 'platinclude': '{platbase}/include/python{py_version_short}', - 'scripts': '{base}/bin', - 'data': '{base}', - }, - 'posix_home': { -- 'stdlib': '{base}/lib/python', -- 'platstdlib': '{base}/lib/python', -+ 'stdlib': '{base}/lib64/python', -+ 'platstdlib': '{base}/lib64/python', - 'purelib': '{base}/lib/python', -- 'platlib': '{base}/lib/python', -+ 'platlib': '{base}/lib64/python', - 'include': '{base}/include/python', - 'platinclude': '{base}/include/python', - 'scripts': '{base}/bin', -@@ -65,10 +65,10 @@ _INSTALL_SCHEMES = { - 'data' : '{userbase}', - }, - 'posix_user': { -- 'stdlib': '{userbase}/lib/python{py_version_short}', -- 'platstdlib': '{userbase}/lib/python{py_version_short}', -+ 'stdlib': '{userbase}/lib64/python{py_version_short}', -+ 'platstdlib': '{userbase}/lib64/python{py_version_short}', - 'purelib': '{userbase}/lib/python{py_version_short}/site-packages', -- 'platlib': '{userbase}/lib/python{py_version_short}/site-packages', -+ 'platlib': '{userbase}/lib64/python{py_version_short}/site-packages', - 'include': '{userbase}/include/python{py_version_short}', - 'scripts': '{userbase}/bin', - 'data' : '{userbase}', 
diff --git a/python/python-2.7.13-lib64.patch b/python/python-2.7.13-lib64.patch deleted file mode 100644 index b6d24ab33..000000000 --- a/python/python-2.7.13-lib64.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py -index b9f1c6c..7b23714 100644 ---- a/Lib/distutils/command/install.py -+++ b/Lib/distutils/command/install.py -@@ -42,14 +42,14 @@ else: - INSTALL_SCHEMES = { - 'unix_prefix': { - 'purelib': '$base/lib/python$py_version_short/site-packages', -- 'platlib': '$platbase/lib/python$py_version_short/site-packages', -+ 'platlib': '$platbase/lib64/python$py_version_short/site-packages', - 'headers': '$base/include/python$py_version_short/$dist_name', - 'scripts': '$base/bin', - 'data' : '$base', - }, - 'unix_home': { - 'purelib': '$base/lib/python', -- 'platlib': '$base/lib/python', -+ 'platlib': '$base/lib64/python', - 'headers': '$base/include/python/$dist_name', - 'scripts': '$base/bin', - 'data' : '$base', -diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py -index 068d1ba..3e7f077 100644 ---- a/Lib/distutils/sysconfig.py -+++ b/Lib/distutils/sysconfig.py -@@ -119,8 +119,12 @@ def get_python_lib(plat_specific=0, standard_lib=0, prefix=None): - prefix = plat_specific and EXEC_PREFIX or PREFIX - - if os.name == "posix": -+ if plat_specific or standard_lib: -+ lib = "lib64" -+ else: -+ lib = "lib" - libpython = os.path.join(prefix, -- "lib", "python" + get_python_version()) -+ lib, "python" + get_python_version()) - if standard_lib: - return libpython - else: -diff --git a/Lib/site.py b/Lib/site.py -index c360802..868b7cb 100644 ---- a/Lib/site.py -+++ b/Lib/site.py -@@ -288,12 +288,16 @@ def getsitepackages(): - if sys.platform in ('os2emx', 'riscos'): - sitepackages.append(os.path.join(prefix, "Lib", "site-packages")) - elif os.sep == '/': -+ sitepackages.append(os.path.join(prefix, "lib64", -+ "python" + sys.version[:3], -+ "site-packages")) - sitepackages.append(os.path.join(prefix, "lib", - "python" + sys.version[:3], - "site-packages")) - sitepackages.append(os.path.join(prefix, "lib", "site-python")) - else: - sitepackages.append(prefix) -+ 
sitepackages.append(os.path.join(prefix, "lib64", "site-packages")) - sitepackages.append(os.path.join(prefix, "lib", "site-packages")) - return sitepackages - -diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py -index d9a9324..e411e5c 100644 ---- a/Lib/test/test_site.py -+++ b/Lib/test/test_site.py -@@ -235,17 +235,20 @@ class HelperFunctionsTests(unittest.TestCase): - self.assertEqual(dirs[0], wanted) - elif os.sep == '/': - # OS X, Linux, FreeBSD, etc -- self.assertEqual(len(dirs), 2) -- wanted = os.path.join('xoxo', 'lib', 'python' + sys.version[:3], -+ self.assertEqual(len(dirs), 3) -+ wanted = os.path.join('xoxo', 'lib64', 'python' + sys.version[:3], - 'site-packages') - self.assertEqual(dirs[0], wanted) -- wanted = os.path.join('xoxo', 'lib', 'site-python') -+ wanted = os.path.join('xoxo', 'lib', 'python' + sys.version[:3], -+ 'site-packages') - self.assertEqual(dirs[1], wanted) -+ wanted = os.path.join('xoxo', 'lib', 'site-python') -+ self.assertEqual(dirs[2], wanted) - else: - # other platforms - self.assertEqual(len(dirs), 2) - self.assertEqual(dirs[0], 'xoxo') -- wanted = os.path.join('xoxo', 'lib', 'site-packages') -+ wanted = os.path.join('xoxo', 'lib64', 'site-packages') - self.assertEqual(dirs[1], wanted) - - class PthFile(object): -diff --git a/Makefile.pre.in b/Makefile.pre.in -index adae76b..ecb27f3 100644 ---- a/Makefile.pre.in -+++ b/Makefile.pre.in -@@ -111,7 +111,7 @@ LIBDIR= @libdir@ - MANDIR= @mandir@ - INCLUDEDIR= @includedir@ - CONFINCLUDEDIR= $(exec_prefix)/include --SCRIPTDIR= $(prefix)/lib -+SCRIPTDIR= $(prefix)/lib64 - - # Detailed destination directories - BINLIBDEST= $(LIBDIR)/python$(VERSION) -diff --git a/Modules/Setup.dist b/Modules/Setup.dist -index fbfa1c1..138fb33 100644 ---- a/Modules/Setup.dist -+++ b/Modules/Setup.dist -@@ -231,7 +231,7 @@ - # Some more UNIX dependent modules -- off by default, since these - # are not supported by all UNIX systems: - --#nis nismodule.c -lnsl -ltirpc -I/usr/include/tirpc 
-I/usr/include/nsl -L/usr/lib/nsl -+#nis nismodule.c -lnsl -ltirpc -I/usr/include/tirpc -I/usr/include/nsl -L/usr/lib64/nsl - termios termios.c # Steen Lumholt's termios module - resource resource.c # Jeremy Hylton's rlimit interface - -@@ -416,7 +416,7 @@ gdbm gdbmmodule.c -lgdbm - # Edit the variables DB and DBLIBVERto point to the db top directory - # and the subdirectory of PORT where you built it. - DBINC=/usr/include/libdb --DBLIB=/usr/lib -+DBLIB=/usr/lib64 - _bsddb _bsddb.c -I$(DBINC) -L$(DBLIB) -ldb - - # Historical Berkeley DB 1.85 -@@ -462,7 +462,7 @@ cPickle cPickle.c - # Andrew Kuchling's zlib module. - # This require zlib 1.1.3 (or later). - # See http://www.gzip.org/zlib/ --zlib zlibmodule.c -I$(prefix)/include -L$(exec_prefix)/lib -lz -+zlib zlibmodule.c -I$(prefix)/include -L$(exec_prefix)/lib64 -lz - - # Interface to the Expat XML parser - # -diff --git a/Modules/getpath.c b/Modules/getpath.c -index fd33a01..c5c86fd 100644 ---- a/Modules/getpath.c -+++ b/Modules/getpath.c -@@ -108,7 +108,7 @@ static char prefix[MAXPATHLEN+1]; - static char exec_prefix[MAXPATHLEN+1]; - static char progpath[MAXPATHLEN+1]; - static char *module_search_path = NULL; --static char lib_python[] = "lib/python" VERSION; -+static char lib_python[] = "lib64/python" VERSION; - - static void - reduce(char *dir) -@@ -548,7 +548,7 @@ calculate_path(void) - fprintf(stderr, - "Could not find platform dependent libraries <exec_prefix>\n"); - strncpy(exec_prefix, EXEC_PREFIX, MAXPATHLEN); -- joinpath(exec_prefix, "lib/lib-dynload"); -+ joinpath(exec_prefix, "lib64/lib-dynload"); - } - /* If we found EXEC_PREFIX do *not* reduce it! (Yet.) 
*/ - -diff --git a/setup.py b/setup.py -index 99ac359..859b6c4 100644 ---- a/setup.py -+++ b/setup.py -@@ -456,7 +456,7 @@ class PyBuildExt(build_ext): - def detect_modules(self): - # Ensure that /usr/local is always used - if not cross_compiling: -- add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') -+ add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib64') - add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') - if cross_compiling: - self.add_gcc_paths() -@@ -782,11 +782,11 @@ class PyBuildExt(build_ext): - elif curses_library: - readline_libs.append(curses_library) - elif self.compiler.find_library_file(lib_dirs + -- ['/usr/lib/termcap'], -+ ['/usr/lib64/termcap'], - 'termcap'): - readline_libs.append('termcap') - exts.append( Extension('readline', ['readline.c'], -- library_dirs=['/usr/lib/termcap'], -+ library_dirs=['/usr/lib64/termcap'], - extra_link_args=readline_extra_link_args, - libraries=readline_libs) ) - else: -@@ -821,8 +821,8 @@ class PyBuildExt(build_ext): - if krb5_h: - ssl_incs += krb5_h - ssl_libs = find_library_file(self.compiler, 'ssl',lib_dirs, -- ['/usr/local/ssl/lib', -- '/usr/contrib/ssl/lib/' -+ ['/usr/local/ssl/lib64', -+ '/usr/contrib/ssl/lib64/' - ] ) - - if (ssl_incs is not None and diff --git a/python/python.nm b/python/python.nm deleted file mode 100644 index b312f8be6..000000000 --- a/python/python.nm +++ /dev/null 
@@ -1,107 +0,0 @@ -############################################################################### -# IPFire.org - An Open Source Firewall Solution # -# Copyright (C) - IPFire Development Team info@ipfire.org # -############################################################################### - -name = python -major_ver = 2.7 -version = %{major_ver}.15 -release = 1 -thisapp = Python-%{version} - -groups = Development/Languages -url = http://www.python.org -license = Python -summary = An interpreted, interactive, object-oriented programming language. - -description - Python is an interpreted, interactive, object-oriented programming - language often compared to Tcl, Perl, Scheme or Java. Python includes - modules, classes, exceptions, very high level dynamic data types and - dynamic typing. Python supports interfaces to many system calls and - libraries, as well as to various windowing systems. -end - -source_dl = http://python.org/ftp/python/%%7Bversion%7D/ -sources = %{thisapp}.tar.xz - -build - requires - autoconf - automake - bzip2-devel - expat-devel - gdbm-devel - glibc-headers >= 2.16-4 - libdb-devel - libffi-devel - ncurses-devel - openssl-devel - pakfire-builder >= 0.9.23-4 - readline-devel - sqlite-devel - tar - util-linux - zlib-devel - end - - export CFLAGS += -D_GNU_SOURCE -fwrapv - export CPPFLAGS = %(pkg-config --cflags-only-I libffi) - export OPT = %{CFLAGS} - export CC = gcc - export LINKCC = gcc - - if "%{lib}" == "lib64" - patches += %{DIR_SOURCE}/python-2.7.13-lib64.patch - patches += %{DIR_SOURCE}/python-2.7-lib64-sysconfig.patch - end - - prepare_cmds - # Remove embedded copies of expat, zlib and libffi - rm -rf Modules/{expat,zlib} - rm -rf Modules/_ctypes/{darwin,libffi,libffi_arm_wince,libffi_msvc,libffi_osx} - - # Reconfigure - autoreconf --force - end - - configure_options += \ - --enable-ipv6 \ - --enable-unicode=ucs4 \ - --with-system-expat \ - --with-system-ffi \ - --enable-shared - - test - WITHIN_PYTHON_RPM_BUILD= 
EXTRATESTOPTS="--verbose" make test || : - end - - install_cmds - # All *.py files don't need to be executeable... - find %{BUILDROOT}%{libdir}/python*/ -name "*.py" | xargs -r chmod a-x -v - - # Create symlink for shared lib. - ln -svf ../../libpython%{major_ver}.so %{BUILDROOT}%{libdir}/python%{major_ver}/config/ - end -end - -packages - package %{name} - # Define python-abi manually. - provides - python-abi = %{major_ver} - end - end - - package %{name}-devel - template DEVEL - - files += \ - !%{libdir}/python*/config/Makefile \ - !%{includedir}/python*/pyconfig.h - end - - package %{name}-debuginfo - template DEBUGINFO - end -end diff --git a/python3-dns/patches/python3-dns-no-setup-requires.patch b/python3-dns/patches/python3-dns-no-setup-requires.patch new file mode 100644 index 000000000..2cdbda896 --- /dev/null +++ b/python3-dns/patches/python3-dns-no-setup-requires.patch @@ -0,0 +1,26 @@ +From: Scott Kitterman scott@kitterman.com +Date: Fri, 24 Dec 2021 13:42:26 -0500 +Subject: Patch away setup requires + +Debian python stuff takes care of this and does it differently. + +Origin: vendor +Forwarded: not-needed +Last-Update: 2021-12-24 +--- + setup.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setup.cfg b/setup.cfg +index 0e28c67..59f364f 100644 +--- a/setup.cfg ++++ b/setup.cfg +@@ -46,7 +46,7 @@ packages = + dns.rdtypes.CH + python_requires = >=3.7 + test_suite = tests +-setup_requires = setuptools>=44; setuptools_scm[toml]>=3.4.3 ++#setup_requires = setuptools>=44; setuptools_scm[toml]>=3.4.3 + + [options.extras_require] + DOH = httpx>=0.21.1; h2>=4.1.0; requests; requests-toolbelt diff --git a/python3-dns/python3-dns.nm b/python3-dns/python3-dns.nm new file mode 100644 index 000000000..20c172403 --- /dev/null +++ b/python3-dns/python3-dns.nm 
@@ -0,0 +1,47 @@ +############################################################################### +# IPFire.org - An Open Source Firewall Solution # +# Copyright (C) - IPFire Development Team info@ipfire.org # +############################################################################### + +name = python3-dns +version = 2.3.0 +release = 1 +thisapp = dnspython-%{version} + +groups = Development/Libraries +url = https://www.dnspython.org +license = ISC and MIT +summary = A powerful DNS toolkit for python. + +description + dnspython is a DNS toolkit for Python. It supports almost all record types. + It can be used for queries, zone transfers, and dynamic updates. It + supports TSIG authenticated messages and EDNS0. + + dnspython provides both high and low level access to DNS. +end + +source_dl = https://github.com/rthalley/dnspython/archive/refs/tags/v%%7Bversion%7D.tar.... + +build + requires + python3-devel + python3-setuptools + end + + build + %{python3} setup.py build + end + + install + %{python3} setup.py install --skip-build --root=%{BUILDROOT} + end +end + +packages + package %{name} + + package %{name}-debuginfo + template DEBUGINFO + end +end diff --git a/samba/samba.nm b/samba/samba.nm index 7b7c2003f..d5441344f 100644 --- a/samba/samba.nm +++ b/samba/samba.nm @@ -4,7 +4,7 @@ ###############################################################################
name = samba -version = 4.5.1 +version = 4.17.5 release = 1
groups = Networking/Daemons @@ -32,29 +32,41 @@ CFLAGS += \
build requires + /usr/bin/rpcgen autoconf automake + bison avahi-devel cups-devel >= 2.1.4 + dbus-devel docbook-xsl + flex gettext - gnutls-devel + gnutls-devel >= 3.7.8 + gpgme-devel + jansson-devel ncurses-devel libacl-devel + libarchive-devel libattr-devel libcap-devel - libldb-devel >= 1.1.27 + libldb-devel = 2.6.1 libtalloc-devel >= 2.1.8 libtdb-devel >=1.3.11 libtevent-devel >= 0.9.29 openldap-devel openssl-devel pam-devel + perl(JSON) + perl(Parse::Yapp::Driver) >= 1.21 popt-devel - pyldb - pytalloc - pytdb - pytevent + python3-devel + python3-dns + python3-markdown + python3-ldb + python3-talloc + python3-tdb + python3-tevent readline-devel which zlib-devel @@ -70,7 +82,7 @@ build --with-logfilebase=%{localstatedir}/log/samba \ --with-modulesdir=%{libdir}/samba \ --with-configdir=%{sysconfdir}/samba \ - --with-pammodulesdir=/%{lib}/security \ + --with-pammodulesdir=%{libdir}/security \ --with-automount \ --with-pam \ --with-quotas \ diff --git a/sssd/patches/0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch b/sssd/patches/0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch deleted file mode 100644 index b7913fd8b..000000000 --- a/sssd/patches/0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch +++ /dev/null 
@@ -1,728 +0,0 @@ -From 805494c6ffec6831753891c507a773f3e43b30e5 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 17 Oct 2016 15:44:20 +0200 -Subject: [PATCH 01/39] crypto: Port libcrypto code to openssl-1.1 - -EVP_MD_CTX and EVP_CIPHER_CTX are opaque in openssl-1.1 - -Reviewed-by: Tomas Mraz tmraz@redhat.com -(cherry picked from commit 8f1316a0c677f211eaaa1346e21a03446b8c4fb1) -(cherry picked from commit 81ebd058ab8f6ab08b05a7e35e04881812404d43) ---- - Makefile.am | 1 + - src/util/cert/libcrypto/cert.c | 23 ++++++-- - src/util/crypto/libcrypto/crypto_hmac_sha1.c | 33 ++++++----- - src/util/crypto/libcrypto/crypto_nite.c | 76 +++++++++++++++---------- - src/util/crypto/libcrypto/crypto_obfuscate.c | 32 +++++++---- - src/util/crypto/libcrypto/crypto_sha512crypt.c | 77 +++++++++++++++----------- - src/util/crypto/libcrypto/sss_openssl.h | 39 +++++++++++++ - 7 files changed, 190 insertions(+), 91 deletions(-) - create mode 100644 src/util/crypto/libcrypto/sss_openssl.h - -diff --git a/Makefile.am b/Makefile.am -index b5f300a37..3d3500918 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -565,6 +565,7 @@ endif - dist_noinst_HEADERS = \ - src/monitor/monitor.h \ - src/util/crypto/sss_crypto.h \ -+ src/util/crypto/libcrypto/sss_openssl.h \ - src/util/cert.h \ - src/util/dlinklist.h \ - src/util/debug.h \ -diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c -index a7752d7c1..aba598d7c 100644 ---- a/src/util/cert/libcrypto/cert.c -+++ b/src/util/cert/libcrypto/cert.c -@@ -182,6 +182,8 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db, - size_t c; - X509 *cert = NULL; - EVP_PKEY *cert_pub_key = NULL; -+ const BIGNUM *n; -+ const BIGNUM *e; - int modulus_len; - unsigned char modulus[OPENSSL_RSA_MAX_MODULUS_BITS/8]; - int exponent_len; -@@ -208,16 +210,29 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db, - goto done; - } - -- if (cert_pub_key->type != EVP_PKEY_RSA) { -+ if 
(EVP_PKEY_base_id(cert_pub_key) != EVP_PKEY_RSA) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Expected RSA public key, found unsupported [%d].\n", -- cert_pub_key->type); -+ EVP_PKEY_base_id(cert_pub_key)); - ret = EINVAL; - goto done; - } - -- modulus_len = BN_bn2bin(cert_pub_key->pkey.rsa->n, modulus); -- exponent_len = BN_bn2bin(cert_pub_key->pkey.rsa->e, exponent); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ RSA *rsa_pub_key = NULL; -+ rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key); -+ if (rsa_pub_key == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ RSA_get0_key(rsa_pub_key, &n, &e, NULL); -+#else -+ n = cert_pub_key->pkey.rsa->n; -+ e = cert_pub_key->pkey.rsa->e; -+#endif -+ modulus_len = BN_bn2bin(n, modulus); -+ exponent_len = BN_bn2bin(e, exponent); - - size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t) - + modulus_len -diff --git a/src/util/crypto/libcrypto/crypto_hmac_sha1.c b/src/util/crypto/libcrypto/crypto_hmac_sha1.c -index 37d25794e..5a4ce356e 100644 ---- a/src/util/crypto/libcrypto/crypto_hmac_sha1.c -+++ b/src/util/crypto/libcrypto/crypto_hmac_sha1.c -@@ -24,6 +24,8 @@ - - #include <openssl/evp.h> - -+#include "sss_openssl.h" -+ - #define HMAC_SHA1_BLOCKSIZE 64 - - int sss_hmac_sha1(const unsigned char *key, -@@ -33,23 +35,26 @@ int sss_hmac_sha1(const unsigned char *key, - unsigned char *out) - { - int ret; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned char ikey[HMAC_SHA1_BLOCKSIZE], okey[HMAC_SHA1_BLOCKSIZE]; - size_t i; - unsigned char hash[SSS_SHA1_LENGTH]; - unsigned int res_len; - -- EVP_MD_CTX_init(&ctx); -+ ctx = EVP_MD_CTX_new(); -+ if (ctx == NULL) { -+ return ENOMEM; -+ } - - if (key_len > HMAC_SHA1_BLOCKSIZE) { - /* keys longer than blocksize are shortened */ -- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) { -+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { - ret = EIO; - goto done; - } - -- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -- EVP_DigestFinal_ex(&ctx, ikey, &res_len); -+ EVP_DigestUpdate(ctx, (const 
unsigned char *)key, key_len); -+ EVP_DigestFinal_ex(ctx, ikey, &res_len); - memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH); - } else { - /* keys shorter than blocksize are zero-padded */ -@@ -63,25 +68,25 @@ int sss_hmac_sha1(const unsigned char *key, - ikey[i] ^= 0x36; - } - -- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) { -+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { - ret = EIO; - goto done; - } - -- EVP_DigestUpdate(&ctx, (const unsigned char *)ikey, HMAC_SHA1_BLOCKSIZE); -- EVP_DigestUpdate(&ctx, (const unsigned char *)in, in_len); -- EVP_DigestFinal_ex(&ctx, hash, &res_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)ikey, HMAC_SHA1_BLOCKSIZE); -+ EVP_DigestUpdate(ctx, (const unsigned char *)in, in_len); -+ EVP_DigestFinal_ex(ctx, hash, &res_len); - -- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) { -+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { - ret = EIO; - goto done; - } - -- EVP_DigestUpdate(&ctx, (const unsigned char *)okey, HMAC_SHA1_BLOCKSIZE); -- EVP_DigestUpdate(&ctx, (const unsigned char *)hash, SSS_SHA1_LENGTH); -- EVP_DigestFinal_ex(&ctx, out, &res_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)okey, HMAC_SHA1_BLOCKSIZE); -+ EVP_DigestUpdate(ctx, (const unsigned char *)hash, SSS_SHA1_LENGTH); -+ EVP_DigestFinal_ex(ctx, out, &res_len); - ret = EOK; - done: -- EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(ctx); - return ret; - } -diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c -index fa267fbcc..de562f2d2 100644 ---- a/src/util/crypto/libcrypto/crypto_nite.c -+++ b/src/util/crypto/libcrypto/crypto_nite.c -@@ -33,6 +33,8 @@ - #include <openssl/rand.h> - #include <openssl/crypto.h> - -+#include "sss_openssl.h" -+ - struct cipher_mech { - const EVP_CIPHER * (*cipher)(void); - const EVP_MD * (*digest)(void); -@@ -47,9 +49,9 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - { - const EVP_CIPHER *cipher; - const EVP_MD *digest; -- EVP_PKEY 
*hmackey; -- EVP_CIPHER_CTX ctx; -- EVP_MD_CTX mdctx; -+ EVP_PKEY *hmackey = NULL; -+ EVP_CIPHER_CTX *ctx; -+ EVP_MD_CTX *mdctx = NULL; - uint8_t *out = NULL; - int evpkeylen; - int evpivlen; -@@ -86,8 +88,13 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - RAND_bytes(out, evpivlen); - } - -- EVP_CIPHER_CTX_init(&ctx); -- ret = EVP_EncryptInit_ex(&ctx, cipher, 0, key, evpivlen ? out : NULL); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = EVP_EncryptInit_ex(ctx, cipher, 0, key, evpivlen ? out : NULL); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -95,7 +102,7 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - - outlen = evpivlen; - tmplen = 0; -- ret = EVP_EncryptUpdate(&ctx, out + outlen, &tmplen, plaintext, plainlen); -+ ret = EVP_EncryptUpdate(ctx, out + outlen, &tmplen, plaintext, plainlen); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -103,7 +110,7 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - - outlen += tmplen; - -- ret = EVP_EncryptFinal_ex(&ctx, out + outlen, &tmplen); -+ ret = EVP_EncryptFinal_ex(ctx, out + outlen, &tmplen); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -113,28 +120,32 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - - /* Then HMAC */ - -- EVP_MD_CTX_init(&mdctx); -+ mdctx = EVP_MD_CTX_new(); -+ if (mdctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - -- ret = EVP_DigestInit_ex(&mdctx, digest, NULL); -+ ret = EVP_DigestInit_ex(mdctx, digest, NULL); - if (ret != 1) { - ret = EFAULT; - goto done; - } - -- ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey); -+ ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey); - if (ret != 1) { - ret = EFAULT; - goto done; - } - -- ret = EVP_DigestSignUpdate(&mdctx, out, outlen); -+ ret = EVP_DigestSignUpdate(mdctx, out, outlen); - if (ret != 1) { - ret = EFAULT; - goto done; - } - - slen = hmaclen; -- ret = EVP_DigestSignFinal(&mdctx, &out[outlen], 
&slen); -+ ret = EVP_DigestSignFinal(mdctx, &out[outlen], &slen); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -147,8 +158,8 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - ret = EOK; - - done: -- EVP_MD_CTX_cleanup(&mdctx); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(mdctx); -+ EVP_CIPHER_CTX_free(ctx); - EVP_PKEY_free(hmackey); - return ret; - } -@@ -160,9 +171,9 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - { - const EVP_CIPHER *cipher; - const EVP_MD *digest; -- EVP_PKEY *hmackey; -- EVP_CIPHER_CTX ctx; -- EVP_MD_CTX mdctx; -+ EVP_PKEY *hmackey = NULL; -+ EVP_CIPHER_CTX *ctx = NULL; -+ EVP_MD_CTX *mdctx; - const uint8_t *iv = NULL; - uint8_t *out; - int evpkeylen; -@@ -194,28 +205,32 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - - /* First check HMAC */ - -- EVP_MD_CTX_init(&mdctx); -+ mdctx = EVP_MD_CTX_new(); -+ if (mdctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - -- ret = EVP_DigestInit_ex(&mdctx, digest, NULL); -+ ret = EVP_DigestInit_ex(mdctx, digest, NULL); - if (ret != 1) { - ret = EFAULT; - goto done; - } - -- ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey); -+ ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey); - if (ret != 1) { - ret = EFAULT; - goto done; - } - -- ret = EVP_DigestSignUpdate(&mdctx, ciphertext, cipherlen - hmaclen); -+ ret = EVP_DigestSignUpdate(mdctx, ciphertext, cipherlen - hmaclen); - if (ret != 1) { - ret = EFAULT; - goto done; - } - - slen = hmaclen; -- ret = EVP_DigestSignFinal(&mdctx, out, &slen); -+ ret = EVP_DigestSignFinal(mdctx, out, &slen); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -233,14 +248,19 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - iv = ciphertext; - } - -- EVP_CIPHER_CTX_init(&ctx); -- ret = EVP_DecryptInit_ex(&ctx, cipher, 0, key, iv); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = EVP_DecryptInit_ex(ctx, cipher, 0, key, iv); - 
if (ret != 1) { - ret = EFAULT; - goto done; - } - -- ret = EVP_DecryptUpdate(&ctx, out, &outlen, -+ ret = EVP_DecryptUpdate(ctx, out, &outlen, - ciphertext + evpivlen, - cipherlen - evpivlen - hmaclen); - if (ret != 1) { -@@ -248,7 +268,7 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - goto done; - } - -- ret = EVP_DecryptFinal_ex(&ctx, out + outlen, &tmplen); -+ ret = EVP_DecryptFinal_ex(ctx, out + outlen, &tmplen); - if (ret != 1) { - ret = EFAULT; - goto done; -@@ -261,8 +281,8 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - ret = EOK; - - done: -- EVP_MD_CTX_cleanup(&mdctx); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(mdctx); -+ EVP_CIPHER_CTX_free(ctx); - EVP_PKEY_free(hmackey); - return ret; - } -diff --git a/src/util/crypto/libcrypto/crypto_obfuscate.c b/src/util/crypto/libcrypto/crypto_obfuscate.c -index 85de333ec..69b622e1d 100644 ---- a/src/util/crypto/libcrypto/crypto_obfuscate.c -+++ b/src/util/crypto/libcrypto/crypto_obfuscate.c -@@ -70,7 +70,7 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, - enum obfmethod meth, char **obfpwd) - { - int ret; -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx; - struct crypto_mech_data *mech_props; - TALLOC_CTX *tmp_ctx = NULL; - unsigned char *keybuf; -@@ -90,7 +90,11 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, - return ENOMEM; - } - -- EVP_CIPHER_CTX_init(&ctx); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - - mech_props = get_crypto_mech_data(meth); - if (mech_props == NULL) { -@@ -121,20 +125,20 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, - goto done; - } - -- if (!EVP_EncryptInit_ex(&ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { -+ if (!EVP_EncryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to initialize cipher contex\n"); - ret = EIO; - goto done; - } - - /* sample data 
we'll encrypt and decrypt */ -- if (!EVP_EncryptUpdate(&ctx, cryptotext, &ctlen, (const unsigned char*)password, plen)) { -+ if (!EVP_EncryptUpdate(ctx, cryptotext, &ctlen, (const unsigned char *)password, plen)) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation\n"); - ret = EIO; - goto done; - } - -- if(!EVP_EncryptFinal_ex(&ctx, cryptotext+ctlen, &digestlen)) { -+ if (!EVP_EncryptFinal_ex(ctx, cryptotext + ctlen, &digestlen)) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot finialize the encryption operation\n"); - ret = EIO; - goto done; -@@ -185,7 +189,7 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, - - done: - talloc_free(tmp_ctx); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return ret; - } - -@@ -193,7 +197,7 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, - char **password) - { - int ret; -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx; - TALLOC_CTX *tmp_ctx = NULL; - struct crypto_mech_data *mech_props; - -@@ -217,7 +221,11 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, - return ENOMEM; - } - -- EVP_CIPHER_CTX_init(&ctx); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - - /* Base64 decode the incoming buffer */ - obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen); -@@ -276,18 +284,18 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, - goto done; - } - -- if (!EVP_DecryptInit_ex(&ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { -+ if (!EVP_DecryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { - ret = EIO; - goto done; - } - - /* sample data we'll encrypt and decrypt */ -- if (!EVP_DecryptUpdate(&ctx, (unsigned char*)pwdbuf, &plainlen, cryptotext, ctsize)) { -+ if (!EVP_DecryptUpdate(ctx, (unsigned char *)pwdbuf, &plainlen, cryptotext, ctsize)) { - ret = EIO; - goto done; - } - -- if(!EVP_DecryptFinal_ex(&ctx, (unsigned char*)pwdbuf+plainlen, &digestlen)) { -+ if 
(!EVP_DecryptFinal_ex(ctx, (unsigned char *)pwdbuf + plainlen, &digestlen)) { - ret = EIO; - goto done; - } -@@ -296,6 +304,6 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, - ret = EOK; - done: - talloc_free(tmp_ctx); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return ret; - } -diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c -index 34547d08a..102356662 100644 ---- a/src/util/crypto/libcrypto/crypto_sha512crypt.c -+++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c -@@ -28,6 +28,9 @@ - #include <openssl/evp.h> - #include <openssl/rand.h> - -+#include "sss_openssl.h" -+ -+ - /* Define our magic string to mark salt for SHA512 "encryption" replacement. */ - const char sha512_salt_prefix[] = "$6$"; - #define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) -@@ -75,8 +78,8 @@ static int sha512_crypt_r(const char *key, - unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); - size_t rounds = ROUNDS_DEFAULT; - bool rounds_custom = false; -- EVP_MD_CTX alt_ctx; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *alt_ctx = NULL; -+ EVP_MD_CTX *ctx; - size_t salt_len; - size_t key_len; - size_t cnt; -@@ -125,75 +128,83 @@ static int sha512_crypt_r(const char *key, - salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); - } - -- EVP_MD_CTX_init(&ctx); -+ ctx = EVP_MD_CTX_new(); -+ if (ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - -- EVP_MD_CTX_init(&alt_ctx); -+ alt_ctx = EVP_MD_CTX_new(); -+ if (alt_ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } - - /* Prepare for the real work. */ -- if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) { - ret = EIO; - goto done; - } - - /* Add the key string. */ -- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); - - /* The last part is the salt string. 
This must be at most 16 - * characters and it ends at the first `$' character (for - * compatibility with existing implementations). */ -- EVP_DigestUpdate(&ctx, (const unsigned char *)salt, salt_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)salt, salt_len); - - /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. - * The final result will be added to the first context. */ -- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { - ret = EIO; - goto done; - } - - /* Add key. */ -- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); - - /* Add salt. */ -- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len); - - /* Add key again. */ -- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); - - /* Now get result of this (64 bytes) and add it to the other context. */ -- EVP_DigestFinal_ex(&alt_ctx, alt_result, &part); -+ EVP_DigestFinal_ex(alt_ctx, alt_result, &part); - - /* Add for any character in the key one byte of the alternate sum. */ - for (cnt = key_len; cnt > 64; cnt -= 64) { -- EVP_DigestUpdate(&ctx, alt_result, 64); -+ EVP_DigestUpdate(ctx, alt_result, 64); - } -- EVP_DigestUpdate(&ctx, alt_result, cnt); -+ EVP_DigestUpdate(ctx, alt_result, cnt); - - /* Take the binary representation of the length of the key and for every - * 1 add the alternate sum, for every 0 the key. */ - for (cnt = key_len; cnt > 0; cnt >>= 1) { - if ((cnt & 1) != 0) { -- EVP_DigestUpdate(&ctx, alt_result, 64); -+ EVP_DigestUpdate(ctx, alt_result, 64); - } else { -- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); - } - } - - /* Create intermediate result. 
*/ -- EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ EVP_DigestFinal_ex(ctx, alt_result, &part); - - /* Start computation of P byte sequence. */ -- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { - ret = EIO; - goto done; - } - - /* For every character in the password add the entire password. */ - for (cnt = 0; cnt < key_len; cnt++) { -- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); - } - - /* Finish the digest. */ -- EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ EVP_DigestFinal_ex(alt_ctx, temp_result, &part); - - /* Create byte sequence P. */ - cp = p_bytes = alloca(key_len); -@@ -203,18 +214,18 @@ static int sha512_crypt_r(const char *key, - memcpy(cp, temp_result, cnt); - - /* Start computation of S byte sequence. */ -- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { - ret = EIO; - goto done; - } - - /* For every character in the password add the entire salt. */ - for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { -- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len); - } - - /* Finish the digest. */ -- EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ EVP_DigestFinal_ex(alt_ctx, temp_result, &part); - - /* Create byte sequence S. */ - cp = s_bytes = alloca(salt_len); -@@ -226,37 +237,37 @@ static int sha512_crypt_r(const char *key, - /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. */ - for (cnt = 0; cnt < rounds; cnt++) { - -- if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) { - ret = EIO; - goto done; - } - - /* Add key or last result. 
*/ - if ((cnt & 1) != 0) { -- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); - } else { -- EVP_DigestUpdate(&ctx, alt_result, 64); -+ EVP_DigestUpdate(ctx, alt_result, 64); - } - - /* Add salt for numbers not divisible by 3. */ - if (cnt % 3 != 0) { -- EVP_DigestUpdate(&ctx, (const unsigned char *)s_bytes, salt_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)s_bytes, salt_len); - } - - /* Add key for numbers not divisible by 7. */ - if (cnt % 7 != 0) { -- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); - } - - /* Add key or last result. */ - if ((cnt & 1) != 0) { -- EVP_DigestUpdate(&ctx, alt_result, 64); -+ EVP_DigestUpdate(ctx, alt_result, 64); - } else { -- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); - } - - /* Create intermediate result. */ -- EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ EVP_DigestFinal_ex(ctx, alt_result, &part); - } - - /* Now we can construct the result string. -@@ -318,8 +329,8 @@ done: - * to processes or reading core dumps cannot get any information. We do it - * in this way to clear correct_words[] inside the SHA512 implementation - * as well. 
*/ -- EVP_MD_CTX_cleanup(&ctx); -- EVP_MD_CTX_cleanup(&alt_ctx); -+ EVP_MD_CTX_free(ctx); -+ EVP_MD_CTX_free(alt_ctx); - if (p_bytes) memset(p_bytes, '\0', key_len); - if (s_bytes) memset(s_bytes, '\0', salt_len); - if (copied_key) memset(copied_key, '\0', key_len); -diff --git a/src/util/crypto/libcrypto/sss_openssl.h b/src/util/crypto/libcrypto/sss_openssl.h -new file mode 100644 -index 000000000..a2e2d8523 ---- /dev/null -+++ b/src/util/crypto/libcrypto/sss_openssl.h -@@ -0,0 +1,39 @@ -+/* -+ Authors: -+ Lukas Slebodnik lslebodn@redhat.com -+ -+ Copyright (C) 2016 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see http://www.gnu.org/licenses/. -+*/ -+ -+#ifndef _SSS_LIBCRYTPO_SSS_OPENSSL_H_ -+#define _SSS_LIBCRYTPO_SSS_OPENSSL_H_ -+ -+#include <openssl/evp.h> -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+/* EVP_MD_CTX_create and EVP_MD_CTX_destroy are deprecated macros -+ * in openssl-1.1 but openssl-1.0 does not know anything about -+ * newly added functions EVP_MD_CTX_new, EVP_MD_CTX_free in 1.1 -+ */ -+ -+# define EVP_MD_CTX_new() EVP_MD_CTX_create() -+# define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx)) -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ -+ -+#endif /* _SSS_LIBCRYTPO_SSS_OPENSSL_H_ */ --- -2.11.0 - 
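Review bot: in sha512_crypt_r the converted calls still check only EVP_DigestInit_ex; the result of every EVP_DigestUpdate and EVP_DigestFinal_ex is discarded, so a failed digest step would still go on to build a password hash from whatever alt_result holds. Since each of these lines is touched anyway, test the return values and take the existing `ret = EIO; goto done;` path on failure. In the new sss_openssl.h the include guard is spelled _SSS_LIBCRYTPO_SSS_OPENSSL_H_ (LIBCRYTPO instead of LIBCRYPTO) and starts with an underscore followed by a capital letter, which is a reserved identifier form in C; a name such as SSS_LIBCRYPTO_SSS_OPENSSL_H avoids both problems.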
diff --git a/sssd/patches/0002-libcrypto-Check-right-value-of-CRYPTO_memcmp.patch b/sssd/patches/0002-libcrypto-Check-right-value-of-CRYPTO_memcmp.patch deleted file mode 100644 index 440f2cd3b..000000000 --- a/sssd/patches/0002-libcrypto-Check-right-value-of-CRYPTO_memcmp.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 5a6aeb890bdf18729e45cd08cfa244e3da4ed45b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Wed, 19 Oct 2016 16:46:44 +0200 -Subject: [PATCH 02/39] libcrypto: Check right value of CRYPTO_memcmp - -sss_decrypt failed even though should pass because -we were checking wrong value of CRYPTO_memcmp. -Nobody noticed that because there was not a unit test :-) - -Reviewed-by: Christian Heimes cheimes@redhat.com -(cherry picked from commit 0c2be9700d3b54db33c1a3dd5d230b34bfaceb50) -(cherry picked from commit f4da46bd77f2eed2d04152b75c78bfc561c79354) ---- - src/util/crypto/libcrypto/crypto_nite.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c -index de562f2d2..e863d3fc9 100644 ---- a/src/util/crypto/libcrypto/crypto_nite.c -+++ b/src/util/crypto/libcrypto/crypto_nite.c -@@ -237,7 +237,7 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, - } - - ret = CRYPTO_memcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); -- if (ret != 1) { -+ if (ret != 0) { - ret = EFAULT; - goto done; - } --- -2.11.0 - diff --git a/sssd/patches/0003-crypto-tests-Add-unit-test-for-sss_encrypt-sss_decry.patch b/sssd/patches/0003-crypto-tests-Add-unit-test-for-sss_encrypt-sss_decry.patch deleted file mode 100644 index 6652b3658..000000000 --- a/sssd/patches/0003-crypto-tests-Add-unit-test-for-sss_encrypt-sss_decry.patch +++ /dev/null 
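Review bot: in sss_decrypt (crypto_nite.c) the compare reads from &ciphertext[cipherlen - hmaclen], and nothing in this hunk shows cipherlen being checked against hmaclen first. If that check is not already above the context lines, an input shorter than the tag makes the index underflow and the read go out of bounds, so reject such input with an error return before the HMAC is compared. EFAULT is also a misleading code for a tag mismatch; callers cannot tell it apart from a bad pointer. The commit message says no unit test covered this path, so the fix should come with a test that alters one byte of the tag and expects sss_decrypt to fail.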
@@ -1,78 +0,0 @@ -From 398f89119f9e852df3beec3644420057746dbfd1 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Wed, 19 Oct 2016 16:38:27 +0200 -Subject: [PATCH 03/39] crypto-tests: Add unit test for sss_encrypt + - sss_decrypt - -Reviewed-by: Christian Heimes cheimes@redhat.com -(cherry picked from commit 65c85654d9b32a866caa01c28fe743eeb0bdef67) -(cherry picked from commit 8cb41367912a50d6d9309f82b718af90032d0f02) ---- - src/tests/crypto-tests.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 44 insertions(+) - -diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c -index ee807c6bc..a4074e474 100644 ---- a/src/tests/crypto-tests.c -+++ b/src/tests/crypto-tests.c -@@ -158,6 +158,49 @@ START_TEST(test_base64_decode) - } - END_TEST - -+START_TEST(test_sss_encrypt_decrypt) -+{ -+ uint8_t key[] = { -+ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, -+ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f -+ }; -+ size_t key_len = sizeof(key); /* need to be 32 */ -+ const char input_text[] = "Secret text"; -+ const size_t input_text_len = sizeof(input_text) - 1; -+ uint8_t *cipher_text; -+ size_t cipher_text_len; -+ uint8_t *plain_text; -+ size_t plain_text_len; -+ int ret; -+ -+ test_ctx = talloc_new(NULL); -+ fail_if(test_ctx == NULL); -+ -+ ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, -+ (const uint8_t *)input_text, input_text_len, -+ &cipher_text, &cipher_text_len); -+ -+ fail_if(ret != 0); -+ fail_if(cipher_text_len == 0); -+ -+ ret = memcmp(input_text, cipher_text, input_text_len); -+ fail_if(ret == 0, "Input and encrypted text has common prefix"); -+ -+ ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, -+ cipher_text, cipher_text_len, -+ &plain_text, &plain_text_len); -+ fail_if(ret != 0); -+ fail_if(plain_text_len != input_text_len); -+ -+ ret = memcmp(plain_text, input_text, input_text_len); 
-+ fail_if(ret != 0, "input text is not the same as de-encrypted text"); -+ -+ talloc_free(test_ctx); -+} -+END_TEST -+ - Suite *crypto_suite(void) - { - Suite *s = suite_create("sss_crypto"); -@@ -172,6 +215,7 @@ Suite *crypto_suite(void) - tcase_add_test(tc, test_hmac_sha1); - tcase_add_test(tc, test_base64_encode); - tcase_add_test(tc, test_base64_decode); -+ tcase_add_test(tc, test_sss_encrypt_decrypt); - /* Add all test cases to the test suite */ - suite_add_tcase(s, tc); - --- -2.11.0 - diff --git a/sssd/patches/0004-crypto-tests-Rename-encrypt-decrypt-test-case.patch b/sssd/patches/0004-crypto-tests-Rename-encrypt-decrypt-test-case.patch deleted file mode 100644 index cfbb3cc6d..000000000 --- a/sssd/patches/0004-crypto-tests-Rename-encrypt-decrypt-test-case.patch +++ /dev/null 
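Review bot: test_sss_encrypt_decrypt in crypto-tests.c covers only the successful round trip, so it would not catch an sss_decrypt that accepts a wrong HMAC, which is the path the CRYPTO_memcmp fix concerns. Add a case that changes one byte of cipher_text and asserts that sss_decrypt returns non-zero. The memcmp(input_text, cipher_text, input_text_len) check also reads input_text_len bytes of cipher_text after only `fail_if(cipher_text_len == 0)`; assert cipher_text_len >= input_text_len before comparing.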
@@ -1,44 +0,0 @@ -From bb53631c770d287dfc9b130754ce3f9320c8b3d4 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Wed, 19 Oct 2016 16:55:37 +0200 -Subject: [PATCH 04/39] crypto-tests: Rename encrypt decrypt test case - -libsss_crypto provide 2 pairs of encrypt + decrypt functions. -sss_password_encrypt + sss_password_decrypt and more generic -sss_encrypt + sss_decrypt. - -The name of one test case was a little bit confusing. -It evokes that different pair of functions were tested. - -Reviewed-by: Christian Heimes cheimes@redhat.com -(cherry picked from commit 96d239e83e671b82525cec760cf0bcaa5ee1c249) -(cherry picked from commit 579daa9099acf848e1062a48a7cd3a5e923da349) ---- - src/tests/crypto-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c -index a4074e474..c7f0edbb3 100644 ---- a/src/tests/crypto-tests.c -+++ b/src/tests/crypto-tests.c -@@ -48,7 +48,7 @@ START_TEST(test_nss_init) - END_TEST - #endif - --START_TEST(test_encrypt_decrypt) -+START_TEST(test_sss_password_encrypt_decrypt) - { - const char *password[] = { "test123", /* general */ - "12345678901234567", /* just above blocksize */ -@@ -211,7 +211,7 @@ Suite *crypto_suite(void) - #ifdef HAVE_NSS - tcase_add_test(tc, test_nss_init); - #endif -- tcase_add_test(tc, test_encrypt_decrypt); -+ tcase_add_test(tc, test_sss_password_encrypt_decrypt); - tcase_add_test(tc, test_hmac_sha1); - tcase_add_test(tc, test_base64_encode); - tcase_add_test(tc, test_base64_decode); --- -2.11.0 - diff --git a/sssd/patches/0005-BUILD-Fix-installation-without-samba.patch b/sssd/patches/0005-BUILD-Fix-installation-without-samba.patch deleted file mode 100644 index e4b2ab037..000000000 --- a/sssd/patches/0005-BUILD-Fix-installation-without-samba.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 30b240137ea5c8e6927b9a4f93813735a2a477ae Mon Sep 17 00:00:00 2001 -From: Sorah Fukumori her@sorah.jp -Date: Sun, 23 Oct 2016 01:43:05 +0900 -Subject: [PATCH 05/39] BUILD: Fix installation without samba -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -winbindplugindir is defined only when BUILD_SAMBA is on. Also the file -doesn't exist when BUILD_SAMBA is off, so installation will fail. - -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit 13adcd07000ba3ca1422c6ee863df17d70e2b14c) -(cherry picked from commit 1fb3cccd83ede1bbe99319254c88fce1285b352d) ---- - Makefile.am | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/Makefile.am b/Makefile.am -index 3d3500918..d08e39fa4 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -4130,7 +4130,9 @@ install-data-hook: - if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \ - $(MKDIR_P) $(DESTDIR)/$(krb5rcachedir) ; \ - fi -+if BUILD_SAMBA - mv $(DESTDIR)/$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)/$(winbindplugindir)/sss.so -+endif - - uninstall-hook: - if [ -f $(abs_builddir)/src/config/.files2 ]; then \ -@@ -4152,7 +4154,9 @@ if BUILD_PYTHON3_BINDINGS - cd $(DESTDIR)$(py3execdir) && \ - rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so - endif -+if BUILD_SAMBA - rm $(DESTDIR)/$(winbindplugindir)/sss.so -+endif - - clean-local: - if BUILD_PYTHON2_BINDINGS --- -2.11.0 - diff --git a/sssd/patches/0006-BUILD-Accept-krb5-1.15-for-building-the-PAC-plugin.patch b/sssd/patches/0006-BUILD-Accept-krb5-1.15-for-building-the-PAC-plugin.patch deleted file mode 100644 index 0767b724b..000000000 --- a/sssd/patches/0006-BUILD-Accept-krb5-1.15-for-building-the-PAC-plugin.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From fe1591bf812979074f11493c74ee87efa6b92609 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 24 Oct 2016 10:03:32 +0000 -Subject: [PATCH 06/39] BUILD: Accept krb5 1.15 for building the PAC plugin - -Reviewed-by: Sumit Bose sbose@redhat.com -(cherry picked from commit 11d2a1183d7017f3d453d0a7046004b6968fefb5) -(cherry picked from commit 6a96323fb511565908a5a7ce7b1d6e0d40aa647d) ---- - src/external/pac_responder.m4 | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 -index 928b1d295..6b400d47c 100644 ---- a/src/external/pac_responder.m4 -+++ b/src/external/pac_responder.m4 -@@ -16,7 +16,8 @@ then - Kerberos\ 5\ release\ 1.11* | \ - Kerberos\ 5\ release\ 1.12* | \ - Kerberos\ 5\ release\ 1.13* | \ -- Kerberos\ 5\ release\ 1.14*) -+ Kerberos\ 5\ release\ 1.14* | \ -+ Kerberos\ 5\ release\ 1.15*) - krb5_version_ok=yes - AC_MSG_RESULT([yes]) - ;; --- -2.11.0 - diff --git a/sssd/patches/0007-dlopen-test-Use-portable-macro-for-location-of-.libs.patch b/sssd/patches/0007-dlopen-test-Use-portable-macro-for-location-of-.libs.patch deleted file mode 100644 index fce0123e9..000000000 --- a/sssd/patches/0007-dlopen-test-Use-portable-macro-for-location-of-.libs.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 00efc45a2f2784b8f7bbd823dd7de6b9201d69b1 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 17 Oct 2016 21:39:57 +0200 -Subject: [PATCH 07/39] dlopen-test: Use portable macro for location of .libs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Petr Äech pcech@redhat.com -(cherry picked from commit bacc66dc6f446d47be18b61d569721481d70386b) -(cherry picked from commit a64409a528257ee0706cc12a1b974a159edac041) ---- - src/tests/dlopen-tests.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index 96cc4db9b..6e37dbed1 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -22,7 +22,8 @@ - along with this program. If not, see http://www.gnu.org/licenses/. - */ - --#define _GNU_SOURCE -+#include "config.h" -+ - #include <stdbool.h> - #include <dlfcn.h> - #include <stdio.h> -@@ -31,7 +32,7 @@ - #include <check.h> - #include "tests/common.h" - --#define LIBPFX ABS_BUILD_DIR"/.libs/" -+#define LIBPFX ABS_BUILD_DIR "/" LT_OBJDIR - - struct so { - const char *name; --- -2.11.0 - diff --git a/sssd/patches/0008-dlopen-test-Add-missing-libraries-to-the-check-list.patch b/sssd/patches/0008-dlopen-test-Add-missing-libraries-to-the-check-list.patch deleted file mode 100644 index 33725707c..000000000 --- a/sssd/patches/0008-dlopen-test-Add-missing-libraries-to-the-check-list.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From f60c6cec2a432222308d5b6b05ee7e2f93c16bb0 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 17 Oct 2016 21:59:18 +0200 -Subject: [PATCH 08/39] dlopen-test: Add missing libraries to the check list -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -nfsidmap plugin(sss.so) and libsss_cert.so were not checked. -Few libraries which are build for testing purposes were added to the list -otherwise we would not be able to detect unchecked libraries. - -Reviewed-by: Petr Äech pcech@redhat.com -(cherry picked from commit 558b8f3cd2439c01e139cf5f812aea9409fe776a) -(cherry picked from commit 9b972260cb805e3537ab9464ef5347348792d7cf) ---- - src/tests/dlopen-tests.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index 6e37dbed1..c980ab9f1 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -78,6 +78,7 @@ struct so { - { "libsss_child.so", { LIBPFX"libsss_util.so", - LIBPFX"libsss_child.so", NULL } }, - { "libsss_crypt.so", { LIBPFX"libsss_crypt.so", NULL } }, -+ { "libsss_cert.so", { LIBPFX"libsss_cert.so", NULL } }, - { "libsss_util.so", { LIBPFX"libsss_util.so", NULL } }, - { "libsss_simple.so", { LIBPFX"libdlopen_test_providers.so", - LIBPFX"libsss_simple.so", NULL } }, -@@ -114,6 +115,18 @@ struct so { - #ifdef HAVE_CONFIG_LIB - { "libsss_config.so", { LIBPFX"libsss_config.so", NULL } }, - #endif -+#ifdef BUILD_NFS_IDMAP -+ { "sss.so", { LIBPFX"sss.so", NULL } }, -+#endif -+ /* for testing purposes */ -+ { "libsss_nss_idmap_tests.so", { LIBPFX"libsss_nss_idmap_tests.so", -+ NULL } }, -+#ifdef BUILD_SAMBA -+ { "libdlopen_test_winbind_idmap.so", -+ { LIBPFX"libdlopen_test_winbind_idmap.so", NULL } }, -+ { "libsss_ad_tests.so", { LIBPFX"libdlopen_test_providers.so", -+ LIBPFX"libsss_ad_tests.so", NULL } }, -+#endif - { NULL } - }; - --- -2.11.0 - 
diff --git a/sssd/patches/0009-dlopen-test-Move-libraries-to-the-right-sections.patch b/sssd/patches/0009-dlopen-test-Move-libraries-to-the-right-sections.patch deleted file mode 100644 index 225f59989..000000000 --- a/sssd/patches/0009-dlopen-test-Move-libraries-to-the-right-sections.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 87ef46f4bd0745b13ee49f5487bc8a45ea2f3c1d Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 17 Oct 2016 22:17:27 +0200 -Subject: [PATCH 09/39] dlopen-test: Move libraries to the right "sections" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The library winbind_idmap_sss.so is build only when building -with samba. The library libdlopen_test_providers.so was moved -to the group of libraries build for testing purposes. - -Reviewed-by: Petr Äech pcech@redhat.com -(cherry picked from commit d708e53d0df0c1ed4cc0097bebfa2a84d7b20fad) -(cherry picked from commit a52c7df943a7b685609b66c49264c6d1805d31c2) ---- - src/tests/dlopen-tests.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index c980ab9f1..c857dff73 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -71,9 +71,6 @@ struct so { - #ifdef HAVE_CIFS_IDMAP_PLUGIN - { "cifs_idmap_sss.so", { LIBPFX"cifs_idmap_sss.so", NULL } }, - #endif -- { "winbind_idmap_sss.so", { LIBPFX"libdlopen_test_winbind_idmap.so", -- LIBPFX"winbind_idmap_sss.so", -- NULL } }, - { "memberof.so", { LIBPFX"memberof.so", NULL } }, - { "libsss_child.so", { LIBPFX"libsss_util.so", - LIBPFX"libsss_child.so", NULL } }, -@@ -87,6 +84,8 @@ struct so { - LIBPFX"libsss_ad.so", NULL } }, - { "libsss_ipa.so", { LIBPFX"libdlopen_test_providers.so", - LIBPFX"libsss_ipa.so", NULL } }, -+ { "winbind_idmap_sss.so", { LIBPFX"libdlopen_test_winbind_idmap.so", -+ LIBPFX"winbind_idmap_sss.so", NULL } }, - #endif /* BUILD_SAMBA */ - { "libsss_krb5.so", { LIBPFX"libdlopen_test_providers.so", - LIBPFX"libsss_krb5.so", NULL } }, -@@ -98,8 +97,6 @@ struct so { - LIBPFX"libsss_ldap_common.so", NULL } }, - { "libsss_proxy.so", { LIBPFX"libdlopen_test_providers.so", - LIBPFX"libsss_proxy.so", NULL } }, -- { "libdlopen_test_providers.so", { 
LIBPFX"libdlopen_test_providers.so", -- NULL } }, - #ifdef HAVE_PYTHON2_BINDINGS - { "_py2hbac.so", { LIBPFX"_py2hbac.so", NULL } }, - { "_py2sss.so", { LIBPFX"_py2sss.so", NULL } }, -@@ -119,6 +116,8 @@ struct so { - { "sss.so", { LIBPFX"sss.so", NULL } }, - #endif - /* for testing purposes */ -+ { "libdlopen_test_providers.so", { LIBPFX"libdlopen_test_providers.so", -+ NULL } }, - { "libsss_nss_idmap_tests.so", { LIBPFX"libsss_nss_idmap_tests.so", - NULL } }, - #ifdef BUILD_SAMBA --- -2.11.0 - diff --git a/sssd/patches/0010-dlopen-test-Add-check-for-untested-libraries.patch b/sssd/patches/0010-dlopen-test-Add-check-for-untested-libraries.patch deleted file mode 100644 index 40cac80ba..000000000 --- a/sssd/patches/0010-dlopen-test-Add-check-for-untested-libraries.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 916065cfed5ceccfd2ee4127a460b47161c2efd7 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 17 Oct 2016 21:44:18 +0200 -Subject: [PATCH 10/39] dlopen-test: Add check for untested libraries -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Petr Äech pcech@redhat.com -(cherry picked from commit c7b3c43cf669e39f7ce5f4ef1a2e939b31a8b7b9) -(cherry picked from commit 7251859d8cdb2fc57c969f67ac76904fea331cd0) ---- - src/tests/dlopen-tests.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 69 insertions(+) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index c857dff73..520c91f63 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -30,6 +30,7 @@ - #include <stdlib.h> - #include <limits.h> - #include <check.h> -+#include <dirent.h> - #include "tests/common.h" - - #define LIBPFX ABS_BUILD_DIR "/" LT_OBJDIR -@@ -154,16 +155,84 @@ static bool recursive_dlopen(const char **name, int round, char **errmsg) - return ok; - } - -+static int file_so_filter(const struct dirent *ent) -+{ -+ char *suffix; -+ -+ suffix = rindex(ent->d_name, '.'); -+ if (suffix != NULL -+ && strcmp(suffix, ".so") == 0 -+ && suffix[3] == '\0') { -+ return 1; -+ } -+ -+ return 0; -+} -+ -+static char **get_so_files(size_t *_list_size) -+{ -+ int n; -+ struct dirent **namelist; -+ char **libraries; -+ -+ n = scandir(LIBPFX, &namelist, file_so_filter, alphasort); -+ fail_unless(n > 0); -+ -+ libraries = calloc(n + 1, sizeof(char *)); -+ -+ for (int i = 0; i < n; ++i) { -+ libraries[i] = strdup(namelist[i]->d_name); -+ fail_if(libraries[i] == NULL); -+ -+ free(namelist[i]); -+ } -+ free(namelist); -+ -+ *_list_size = (size_t)n; -+ return libraries; -+} -+ -+static void remove_library_from_list(const char *library, char **list, -+ size_t list_size) -+{ -+ for (size_t i = 0; i < list_size; ++i) { -+ if (list[i] != NULL && 
strcmp(library, list[i]) == 0) { -+ /* found library need to be removed from list */ -+ free(list[i]); -+ list[i] = NULL; -+ return; -+ } -+ } -+ -+ ck_abort_msg("Cannot find expected library: %s", library); -+} -+ - START_TEST(test_dlopen_base) - { - char *errmsg; - bool ok; - int i; -+ size_t found_libraries_size; -+ char **found_libraries = get_so_files(&found_libraries_size); -+ bool unchecked_library = false; - - for (i = 0; so[i].name != NULL; i++) { - ok = recursive_dlopen(so[i].libs, 0, &errmsg); - fail_unless(ok, "Error opening %s: [%s]", so[i].name, errmsg); -+ -+ remove_library_from_list(so[i].name, found_libraries, -+ found_libraries_size); - } -+ -+ for (i = 0; i < found_libraries_size; ++i) { -+ if (found_libraries[i] != NULL) { -+ printf("Unchecked library found: %s\n", found_libraries[i]); -+ unchecked_library = true; -+ } -+ } -+ free(found_libraries); -+ -+ fail_if(unchecked_library); - } - END_TEST - --- -2.11.0 - diff --git a/sssd/patches/0011-sssctl-Flags-for-command-initialization.patch b/sssd/patches/0011-sssctl-Flags-for-command-initialization.patch deleted file mode 100644 index 1aebca33b..000000000 --- a/sssd/patches/0011-sssctl-Flags-for-command-initialization.patch +++ /dev/null 
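Review bot: in get_so_files the calloc result is written to without a NULL check (`libraries[i] = strdup(...)` follows directly), although the strdup result is checked; add fail_if(libraries == NULL) after the allocation. In file_so_filter, rindex is a legacy BSD function and the hunk adds only <dirent.h>; strrchr is the portable choice, and the `suffix[3] == '\0'` test is redundant once strcmp(suffix, ".so") == 0 holds. In test_dlopen_base the second loop compares int i with size_t found_libraries_size, and any strings still held in found_libraries are not freed before free(found_libraries).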
@@ -1,202 +0,0 @@ -From 9b31bc45a3d5728af2523725bd5a2b4aff4f4c78 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= mzidek@redhat.com -Date: Wed, 12 Oct 2016 13:09:37 +0200 -Subject: [PATCH 11/39] sssctl: Flags for command initialization -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Allow passing flags for command specific initialization. Currently -only one flag is available to skip the confdb initialization which is -required to improve config-check command. - -Resolves: -https://fedorahosted.org/sssd/ticket/3209 - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit cbee11e912bb391ba254b0bac8c1159c1f634533) -(cherry picked from commit ec1829de7cd529c2c68b4bdb9b6d43ac6bb545d3) ---- - src/tools/common/sss_tools.c | 91 +++++++++++++++++++++++++------------------- - src/tools/common/sss_tools.h | 14 +++++-- - src/tools/sssctl/sssctl.c | 2 +- - 3 files changed, 63 insertions(+), 44 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 686b53a07..0f4f46894 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -182,7 +182,6 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx, - struct sss_tool_ctx **_tool_ctx) - { - struct sss_tool_ctx *tool_ctx; -- errno_t ret; - - tool_ctx = talloc_zero(mem_ctx, struct sss_tool_ctx); - if (tool_ctx == NULL) { -@@ -192,45 +191,9 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx, - - sss_tool_common_opts(tool_ctx, argc, argv); - -- /* Connect to confdb. */ -- ret = sss_tool_confdb_init(tool_ctx, &tool_ctx->confdb); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open confdb [%d]: %s\n", -- ret, sss_strerror(ret)); -- goto done; -- } -+ *_tool_ctx = tool_ctx; - -- /* Setup domains. 
*/ -- ret = sss_tool_domains_init(tool_ctx, tool_ctx->confdb, &tool_ctx->domains); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n", -- ret, sss_strerror(ret)); -- goto done; -- } -- -- ret = confdb_get_string(tool_ctx->confdb, tool_ctx, -- CONFDB_MONITOR_CONF_ENTRY, -- CONFDB_MONITOR_DEFAULT_DOMAIN, -- NULL, &tool_ctx->default_domain); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot get the default domain [%d]: %s\n", -- ret, strerror(ret)); -- goto done; -- } -- -- ret = EOK; -- --done: -- switch (ret) { -- case EOK: -- case ERR_SYSDB_VERSION_TOO_OLD: -- *_tool_ctx = tool_ctx; -- break; -- default: -- break; -- } -- -- return ret; -+ return EOK; - } - - static bool sss_tool_is_delimiter(struct sss_route_cmd *command) -@@ -300,6 +263,47 @@ void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands) - sss_tool_print_common_opts(min_len); - } - -+static int tool_cmd_init(struct sss_tool_ctx *tool_ctx, -+ struct sss_route_cmd *command) -+{ -+ int ret; -+ -+ if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) { -+ return EOK; -+ } -+ -+ /* Connect to confdb. */ -+ ret = sss_tool_confdb_init(tool_ctx, &tool_ctx->confdb); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open confdb [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ /* Setup domains. 
*/ -+ ret = sss_tool_domains_init(tool_ctx, tool_ctx->confdb, &tool_ctx->domains); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ ret = confdb_get_string(tool_ctx->confdb, tool_ctx, -+ CONFDB_MONITOR_CONF_ENTRY, -+ CONFDB_MONITOR_DEFAULT_DOMAIN, -+ NULL, &tool_ctx->default_domain); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot get the default domain [%d]: %s\n", -+ ret, strerror(ret)); -+ goto done; -+ } -+ -+ ret = EOK; -+ -+done: -+ return ret; -+} -+ - errno_t sss_tool_route(int argc, const char **argv, - struct sss_tool_ctx *tool_ctx, - struct sss_route_cmd *commands, -@@ -308,6 +312,7 @@ errno_t sss_tool_route(int argc, const char **argv, - struct sss_cmdline cmdline; - const char *cmd; - int i; -+ int ret; - - if (commands == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Bug: commands can't be NULL!\n"); -@@ -339,6 +344,14 @@ errno_t sss_tool_route(int argc, const char **argv, - return tool_ctx->init_err; - } - -+ ret = tool_cmd_init(tool_ctx, &commands[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Command initialization failed [%d] %s\n", -+ ret, sss_strerror(ret)); -+ return ret; -+ } -+ - return commands[i].fn(&cmdline, tool_ctx, pvt); - } - } -diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h -index 6d24642ae..49da7d634 100644 ---- a/src/tools/common/sss_tools.h -+++ b/src/tools/common/sss_tools.h -@@ -45,16 +45,22 @@ typedef errno_t - struct sss_tool_ctx *tool_ctx, - void *pvt); - --#define SSS_TOOL_COMMAND(cmd, msg, err, fn) {cmd, _(msg), err, fn} --#define SSS_TOOL_COMMAND_NOMSG(cmd, err, fn) {cmd, NULL, err, fn} --#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL} --#define SSS_TOOL_LAST {NULL, NULL, 0, NULL} -+#define SSS_TOOL_COMMAND_FLAGS(cmd, msg, err, fn, flags) \ -+ {cmd, _(msg), err, fn, flags} -+#define SSS_TOOL_COMMAND(cmd, msg, err, fn) \ -+ {cmd, _(msg), err, fn, 0} -+#define 
SSS_TOOL_COMMAND_NOMSG(cmd, err, fn) {cmd, NULL, err, fn, 0} -+#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0} -+#define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0} -+ -+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01 - - struct sss_route_cmd { - const char *command; - const char *description; - errno_t handles_init_err; - sss_route_fn fn; -+ int flags; - }; - - void sss_tool_usage(const char *tool_name, -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index b0510e6ae..ece1e6df1 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -276,7 +276,7 @@ int main(int argc, const char **argv) - SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), - #ifdef HAVE_LIBINI_CONFIG_V1_3 - SSS_TOOL_DELIMITER("Configuration files tools:"), -- SSS_TOOL_COMMAND("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check), -+ SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), - #endif - SSS_TOOL_LAST - }; --- -2.11.0 - diff --git a/sssd/patches/0012-sysdb-add-parent_dom-to-sysdb_get_direct_parents.patch b/sssd/patches/0012-sysdb-add-parent_dom-to-sysdb_get_direct_parents.patch deleted file mode 100644 index f80451284..000000000 --- a/sssd/patches/0012-sysdb-add-parent_dom-to-sysdb_get_direct_parents.patch +++ /dev/null 
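Review bot: sss_tool_init used to set *_tool_ctx and hand ERR_SYSDB_VERSION_TOO_OLD back to its caller, but after the move tool_cmd_init returns that code to sss_tool_route, which returns on any ret != EOK before commands[i].fn runs. If some commands are meant to run against an outdated sysdb, as the handles_init_err field suggests, that case needs explicit handling here, for example by comparing ret with commands[i].handles_init_err before giving up. In tool_cmd_init the default-domain failure logs strerror(ret) while the two earlier failures log sss_strerror(ret); use sss_strerror throughout. The new flags member in struct sss_route_cmd is an int tested against the bit mask SSS_TOOL_FLAG_SKIP_CMD_INIT; an unsigned type suits a mask better.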
@@ -1,125 +0,0 @@ -From 0cf03315bc74555aa70a6fec854d6d66826eb608 Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Tue, 18 Oct 2016 14:59:19 +0200 -Subject: [PATCH 12/39] sysdb: add parent_dom to sysdb_get_direct_parents() - -Currently sysdb_get_direct_parents() only return direct parents from the -same domain as the child object. In setups with sub-domains this might -not be sufficient. A new option parent_dom is added which allows to -specify a domain the direct parents should be lookup up in. If it is -NULL the whole cache is searched. - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 3dd4c3eca80e9223a65f3318821bd0fb5b45aedd) -(cherry picked from commit 9a243dcdbf5a908d23c1a64f3fb33914eefef9e8) ---- - src/db/sysdb.h | 21 +++++++++++++++++++++ - src/db/sysdb_search.c | 7 ++++++- - src/providers/ldap/sdap_async_initgroups.c | 11 +++++++---- - 3 files changed, 34 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 7de3acdf3..f5d3ddb84 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1137,8 +1137,29 @@ errno_t sysdb_remove_attrs(struct sss_domain_info *domain, - enum sysdb_member_type type, - char **remove_attrs); - -+/** -+ * @brief Return direct parents of an object in the cache -+ * -+ * @param[in] mem_ctx Memory context the result should be allocated -+ * on -+ * @param[in] dom domain the object is in -+ * @param[in] parent_dom domain which should be searched for direct -+ * parents if NULL all domains in the given cache -+ * are searched -+ * @param[in] mtype Type of the object, SYSDB_MEMBER_USER or -+ * SYSDB_MEMBER_GROUP -+ * @param[in] name Name of the object -+ * @param[out] _direct_parents List of names of the direct parent groups -+ * -+ * -+ * @return -+ * - EOK: success -+ * - EINVAL: wrong mtype -+ * - ENOMEM: Memory allocation failed -+ */ - errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, - struct sss_domain_info *dom, -+ struct sss_domain_info *parent_dom, - enum 
sysdb_member_type mtype, - const char *name, - char ***_direct_parents); -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index cfee5784d..4d63c3838 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1981,6 +1981,7 @@ done: - - errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, - struct sss_domain_info *dom, -+ struct sss_domain_info *parent_dom, - enum sysdb_member_type mtype, - const char *name, - char ***_direct_parents) -@@ -2029,7 +2030,11 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, - goto done; - } - -- basedn = sysdb_group_base_dn(tmp_ctx, dom); -+ if (parent_dom == NULL) { -+ basedn = sysdb_base_dn(dom->sysdb, tmp_ctx); -+ } else { -+ basedn = sysdb_group_base_dn(tmp_ctx, parent_dom); -+ } - if (!basedn) { - ret = ENOMEM; - goto done; -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index df39de3cc..7a2eef43d 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -1301,7 +1301,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state) - } - } - -- ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER, -+ ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom, -+ SYSDB_MEMBER_USER, - state->username, &sysdb_parent_name_list); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, -@@ -1388,7 +1389,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx, - goto done; - } - -- ret = sysdb_get_direct_parents(tmp_ctx, dom, SYSDB_MEMBER_GROUP, -+ ret = sysdb_get_direct_parents(tmp_ctx, dom, dom, SYSDB_MEMBER_GROUP, - group_name, &sysdb_parents_names_list); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, -@@ -2070,7 +2071,8 @@ rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data) - goto done; - } - -- ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, SYSDB_MEMBER_GROUP, -+ ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, mstate->dom, -+ 
SYSDB_MEMBER_GROUP, - group_name, &sysdb_parents_names_list); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, -@@ -2130,7 +2132,8 @@ errno_t save_rfc2307bis_user_memberships( - } - in_transaction = true; - -- ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER, -+ ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom, -+ SYSDB_MEMBER_USER, - state->name, &sysdb_parent_name_list); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, --- -2.11.0 - diff --git a/sssd/patches/0013-sdap-make-some-nested-group-related-calls-public.patch b/sssd/patches/0013-sdap-make-some-nested-group-related-calls-public.patch deleted file mode 100644 index debcf01e8..000000000 --- a/sssd/patches/0013-sdap-make-some-nested-group-related-calls-public.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 79044fc1de2dad656b2c664722b4f8568bf4f8d6 Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Tue, 18 Oct 2016 18:16:30 +0200 -Subject: [PATCH 13/39] sdap: make some nested group related calls public - -sdap_nested_groups_store() and rfc2307bis_nested_groups_send/recv() will -be reused for domain local group lookups. - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 49d3f0a487d55571b2bdc9d3f8280b304b964b9d) -(cherry picked from commit f38c62ffe05ab845165f1b597083579d4fe3632f) ---- - src/providers/ldap/sdap_async_initgroups.c | 12 ++---------- - src/providers/ldap/sdap_async_private.h | 16 ++++++++++++++++ - 2 files changed, 18 insertions(+), 10 deletions(-) - -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 7a2eef43d..0f56b8740 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -622,7 +622,7 @@ static int sdap_initgr_rfc2307_recv(struct tevent_req *req) - } - - /* ==Common code for pure RFC2307bis and IPA/AD========================= */ --static errno_t -+errno_t - sdap_nested_groups_store(struct sysdb_ctx *sysdb, - struct sss_domain_info *domain, - struct sdap_options *opts, -@@ -1558,14 +1558,6 @@ static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq); - static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq); - errno_t save_rfc2307bis_user_memberships( - struct sdap_initgr_rfc2307bis_state *state); --struct tevent_req *rfc2307bis_nested_groups_send( -- TALLOC_CTX *mem_ctx, struct tevent_context *ev, -- struct sdap_options *opts, struct sysdb_ctx *sysdb, -- struct sss_domain_info *dom, struct sdap_handle *sh, -- struct sdap_search_base **search_bases, -- struct sysdb_attrs **groups, size_t num_groups, -- hash_table_t *group_hash, size_t nesting); --static errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req); - - static struct tevent_req 
*sdap_initgr_rfc2307bis_send( - TALLOC_CTX *memctx, -@@ -2616,7 +2608,7 @@ static void rfc2307bis_nested_groups_process(struct tevent_req *subreq) - tevent_req_set_callback(subreq, rfc2307bis_nested_groups_done, req); - } - --static errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req) -+errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req) - { - TEVENT_REQ_RETURN_ON_ERROR(req); - return EOK; -diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h -index f09ddb71f..4af4f7144 100644 ---- a/src/providers/ldap/sdap_async_private.h -+++ b/src/providers/ldap/sdap_async_private.h -@@ -157,4 +157,20 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom, - struct sysdb_attrs *group_attrs, - const char *group_name, - bool *_need_filter); -+ -+struct tevent_req *rfc2307bis_nested_groups_send( -+ TALLOC_CTX *mem_ctx, struct tevent_context *ev, -+ struct sdap_options *opts, struct sysdb_ctx *sysdb, -+ struct sss_domain_info *dom, struct sdap_handle *sh, -+ struct sdap_search_base **search_bases, -+ struct sysdb_attrs **groups, size_t num_groups, -+ hash_table_t *group_hash, size_t nesting); -+errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req); -+ -+errno_t sdap_nested_groups_store(struct sysdb_ctx *sysdb, -+ struct sss_domain_info *domain, -+ struct sdap_options *opts, -+ struct sysdb_attrs **groups, -+ unsigned long count); -+ - #endif /* _SDAP_ASYNC_PRIVATE_H_ */ --- -2.11.0 - diff --git a/sssd/patches/0014-LDAP-AD-resolve-domain-local-groups-for-remote-users.patch b/sssd/patches/0014-LDAP-AD-resolve-domain-local-groups-for-remote-users.patch deleted file mode 100644 index 80b709bca..000000000 --- a/sssd/patches/0014-LDAP-AD-resolve-domain-local-groups-for-remote-users.patch +++ /dev/null 
@@ -1,683 +0,0 @@ -From b53bcb7675b6b797c4ba2a590deb4e4578d0e5ef Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Tue, 18 Oct 2016 18:18:44 +0200 -Subject: [PATCH 14/39] LDAP/AD: resolve domain local groups for remote users - -If a user from a trusted domain in the same forest is a direct or -indirect member of domain local groups from the local domain those -memberships must be resolved as well. Since those domain local groups -are not valid in the trusted domain a DC from the trusted domain which -is used to lookup the user data is not aware of them. As a consequence -those memberships must be resolved against a local DC in a second step. - -Resolves https://fedorahosted.org/sssd/ticket/3206 - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 25699846bd1c9f8bb513b6271eb4366ab682fbd2) -(cherry picked from commit c1f3b29fee6577714347673d717f71ab997c3006) ---- - src/db/sysdb.h | 1 + - src/providers/ldap/sdap_async_initgroups.c | 158 +++++++++- - src/providers/ldap/sdap_async_initgroups_ad.c | 407 ++++++++++++++++++++++++++ - src/providers/ldap/sdap_async_private.h | 10 + - 4 files changed, 569 insertions(+), 7 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index f5d3ddb84..901268390 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -225,6 +225,7 @@ - SYSDB_OVERRIDE_OBJECT_DN, \ - SYSDB_DEFAULT_OVERRIDE_NAME, \ - SYSDB_UUID, \ -+ SYSDB_ORIG_DN, \ - NULL} - - #define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 0f56b8740..45fc007e0 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -2317,6 +2317,7 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) - struct sdap_rfc2307bis_nested_ctx *state = - tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx); - char *oc_list; -+ const char *class; - - tmp_ctx = 
talloc_new(state); - if (!tmp_ctx) { -@@ -2324,9 +2325,21 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) - goto done; - } - -- ret = sdap_get_group_primary_name(state, state->opts, -- state->groups[state->group_iter], -- state->dom, &state->primary_name); -+ ret = sysdb_attrs_get_string(state->groups[state->group_iter], -+ SYSDB_OBJECTCLASS, &class); -+ if (ret == EOK) { -+ /* If there is a objectClass attribute the object is coming from the -+ * cache and the name attribute of the object already has the primary -+ * name. -+ * If the objectClass attribute is missing the object is coming from -+ * LDAP and we have to find the primary name first. */ -+ ret = sysdb_attrs_get_string(state->groups[state->group_iter], -+ SYSDB_NAME, &state->primary_name); -+ } else { -+ ret = sdap_get_group_primary_name(state, state->opts, -+ state->groups[state->group_iter], -+ state->dom, &state->primary_name); -+ } - if (ret != EOK) { - goto done; - } -@@ -3069,6 +3082,103 @@ fail: - tevent_req_error(req, ret); - } - -+static void sdap_ad_check_domain_local_groups_done(struct tevent_req *subreq); -+ -+errno_t sdap_ad_check_domain_local_groups(struct tevent_req *req) -+{ -+ struct sdap_get_initgr_state *state = tevent_req_data(req, -+ struct sdap_get_initgr_state); -+ int ret; -+ struct sdap_domain *local_sdom; -+ const char *orig_name; -+ const char *sysdb_name; -+ struct ldb_result *res; -+ struct tevent_req *subreq; -+ struct sysdb_attrs **groups; -+ -+ /* We only need to check for domain local groups in the AD case and if the -+ * user is not from our domain, i.e. if the user comes from a sub-domain. 
-+ */ -+ if (state->opts->schema_type != SDAP_SCHEMA_AD -+ || !IS_SUBDOMAIN(state->dom) -+ || !dp_target_enabled(state->id_ctx->be->provider, "ad", DPT_ID)) { -+ return EOK; -+ } -+ -+ local_sdom = sdap_domain_get(state->id_ctx->opts, state->dom->parent); -+ if (local_sdom == NULL || local_sdom->pvt == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n", -+ state->dom->parent->name); -+ return EINVAL; -+ } -+ -+ ret = sysdb_attrs_get_string(state->orig_user, SYSDB_NAME, &orig_name); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name in user object.\n"); -+ return ret; -+ } -+ -+ sysdb_name = sss_create_internal_fqname(state, orig_name, state->dom->name); -+ if (sysdb_name == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n"); -+ return ENOMEM; -+ } -+ -+ ret = sysdb_initgroups(state, state->dom, sysdb_name, &res); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_initgroups failed for user [%s].\n", -+ sysdb_name); -+ return ret; -+ } -+ -+ if (res->count == 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "sysdb_initgroups returned no results for user [%s].\n", -+ sysdb_name); -+ return EINVAL; -+ } -+ -+ /* The user object, the first entry in the res->msgs, is included as well -+ * to cover the case where the remote user is directly added to -+ * a domain local group. 
*/ -+ ret = sysdb_msg2attrs(state, res->count, res->msgs, &groups); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_msg2attrs failed.\n"); -+ return ret; -+ } -+ -+ subreq = sdap_ad_get_domain_local_groups_send(state, state->ev, local_sdom, -+ state->opts, state->sysdb, state->dom->parent, -+ groups, res->count); -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_ad_get_domain_local_groups_send failed.\n"); -+ return ENOMEM; -+ } -+ -+ tevent_req_set_callback(subreq, sdap_ad_check_domain_local_groups_done, -+ req); -+ -+ return EAGAIN; -+} -+ -+static void sdap_ad_check_domain_local_groups_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req = tevent_req_callback_data(subreq, -+ struct tevent_req); -+ int ret; -+ -+ ret = sdap_ad_get_domain_local_groups_recv(subreq); -+ talloc_zfree(subreq); -+ if (ret != EOK) { -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ tevent_req_done(req); -+ -+ return; -+} -+ - static void sdap_get_initgr_pgid(struct tevent_req *req); - static void sdap_get_initgr_done(struct tevent_req *subreq) - { -@@ -3201,8 +3311,6 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) - if (ret == EOK) { - DEBUG(SSSDBG_TRACE_FUNC, - "Primary group already cached, nothing to do.\n"); -- ret = EOK; -- goto done; - } else { - gid = talloc_asprintf(state, "%lu", (unsigned long)primary_gid); - if (gid == NULL) { -@@ -3219,10 +3327,28 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) - goto done; - } - tevent_req_set_callback(subreq, sdap_get_initgr_pgid, req); -+ -+ talloc_free(tmp_ctx); -+ return; - } - -- talloc_free(tmp_ctx); -- return; -+ ret = sdap_ad_check_domain_local_groups(req); -+ if (ret == EAGAIN) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Checking for domain local group memberships.\n"); -+ talloc_free(tmp_ctx); -+ return; -+ } else if (ret == EOK) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "No need to check for domain local group memberships.\n"); -+ } else { -+ DEBUG(SSSDBG_OP_FAILURE, -+ 
"sdap_ad_check_domain_local_groups failed, " -+ "meberships to domain local groups might be missing.\n"); -+ /* do not let the request fail completely because we already have at -+ * least "some" groups */ -+ ret = EOK; -+ } - - done: - talloc_free(tmp_ctx); -@@ -3247,7 +3373,25 @@ static void sdap_get_initgr_pgid(struct tevent_req *subreq) - return; - } - -+ ret = sdap_ad_check_domain_local_groups(req); -+ if (ret == EAGAIN) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Checking for domain local group memberships.\n"); -+ return; -+ } else if (ret == EOK) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "No need to check for domain local group memberships.\n"); -+ } else { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_ad_check_domain_local_groups failed.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sdap_ad_check_domain_local_groups failed, " -+ "meberships to domain local groups might be missing.\n"); -+ /* do not let the request fail completely because we already have at -+ * least "some" groups */ -+ } -+ - tevent_req_done(req); -+ return; - } - - int sdap_get_initgr_recv(struct tevent_req *req) -diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c -index ad54c1fb8..1fee4ab43 100644 ---- a/src/providers/ldap/sdap_async_initgroups_ad.c -+++ b/src/providers/ldap/sdap_async_initgroups_ad.c -@@ -1412,6 +1412,413 @@ static errno_t sdap_ad_tokengroups_initgr_posix_recv(struct tevent_req *req) - return EOK; - } - -+struct sdap_ad_get_domain_local_groups_state { -+ struct tevent_context *ev; -+ struct sdap_id_conn_ctx *conn; -+ struct sdap_options *opts; -+ struct sdap_id_op *op; -+ struct sysdb_ctx *sysdb; -+ struct sss_domain_info *dom; -+ int dp_error; -+ -+ struct sdap_search_base **search_bases; -+ struct sysdb_attrs **groups; -+ size_t num_groups; -+ hash_table_t *group_hash; -+}; -+ -+static void -+sdap_ad_get_domain_local_groups_connect_done(struct tevent_req *subreq); -+static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq); -+ -+struct 
tevent_req * -+sdap_ad_get_domain_local_groups_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct sdap_domain *local_sdom, -+ struct sdap_options *opts, -+ struct sysdb_ctx *sysdb, -+ struct sss_domain_info *dom, -+ struct sysdb_attrs **groups, -+ size_t num_groups) -+{ -+ struct sdap_ad_get_domain_local_groups_state *state; -+ struct tevent_req *req; -+ struct tevent_req *subreq; -+ struct ad_id_ctx *ad_id_ctx; -+ errno_t ret; -+ -+ req = tevent_req_create(mem_ctx, &state, -+ struct sdap_ad_get_domain_local_groups_state); -+ if (req == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); -+ return NULL; -+ } -+ -+ state->ev = ev; -+ ad_id_ctx = talloc_get_type(local_sdom->pvt, struct ad_id_ctx); -+ state->conn = ad_id_ctx->ldap_ctx; -+ state->opts = opts; -+ state->sysdb = sysdb; -+ state->dom = dom; -+ state->search_bases = state->conn->id_ctx->opts->sdom->group_search_bases; -+ state->groups = groups; -+ state->num_groups = num_groups; -+ -+ ret = sss_hash_create(state, 32, &state->group_hash); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); -+ goto fail; -+ } -+ -+ state->op = sdap_id_op_create(state, state->conn->conn_cache); -+ if (state->op == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); -+ ret = ENOMEM; -+ goto fail; -+ } -+ -+ subreq = sdap_id_op_connect_send(state->op, state, &ret); -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n"); -+ goto fail; -+ } -+ -+ tevent_req_set_callback(subreq, -+ sdap_ad_get_domain_local_groups_connect_done, req); -+ -+ return req; -+ -+fail: -+ tevent_req_error(req, ret); -+ tevent_req_post(req, ev); -+ return req; -+} -+ -+static void -+sdap_ad_get_domain_local_groups_connect_done(struct tevent_req *subreq) -+{ -+ -+ struct tevent_req *req = tevent_req_callback_data(subreq, -+ struct tevent_req); -+ struct sdap_ad_get_domain_local_groups_state *state = tevent_req_data(req, -+ struct 
sdap_ad_get_domain_local_groups_state); -+ int dp_error = DP_ERR_FATAL; -+ int ret; -+ -+ ret = sdap_id_op_connect_recv(subreq, &dp_error); -+ talloc_zfree(subreq); -+ -+ if (ret != EOK) { -+ state->dp_error = dp_error; -+ tevent_req_error(req, ret); -+ return; -+ } -+ subreq = rfc2307bis_nested_groups_send(state, state->ev, state->opts, -+ state->sysdb, state->dom, -+ sdap_id_op_handle(state->op), -+ state->search_bases, -+ state->groups, state->num_groups, -+ state->group_hash, 0); -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "rfc2307bis_nested_groups_send failed.\n"); -+ state->dp_error = DP_ERR_FATAL; -+ tevent_req_error(req, ENOMEM); -+ return; -+ } -+ -+ tevent_req_set_callback(subreq, -+ sdap_ad_get_domain_local_groups_done, req); -+ -+ return; -+} -+ -+struct sdap_nested_group { -+ struct sysdb_attrs *group; -+ struct sysdb_attrs **ldap_parents; -+ size_t parents_count; -+}; -+ -+static errno_t -+sdap_ad_get_domain_local_groups_parse_parents(TALLOC_CTX *mem_ctx, -+ struct sdap_nested_group *gr, -+ struct sss_domain_info *dom, -+ struct sysdb_ctx *sysdb, -+ struct sdap_options *opts, -+ const char **_sysdb_name, -+ enum sysdb_member_type *_type, -+ char ***_add_list, -+ char ***_del_list) -+{ -+ int ret; -+ size_t c; -+ char **groupnamelist = NULL; -+ struct sysdb_attrs *groups[1]; -+ enum sysdb_member_type type; -+ const char *sysdb_name; -+ const char *group_name; -+ const char *class; -+ struct sss_domain_info *obj_dom; -+ char *local_groups_base_dn; -+ char **cached_local_parents = NULL; -+ char **add_list = NULL; -+ char **del_list = NULL; -+ TALLOC_CTX *tmp_ctx; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ local_groups_base_dn = talloc_asprintf(tmp_ctx, SYSDB_TMPL_GROUP_BASE, -+ dom->name); -+ if (local_groups_base_dn == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ if (gr->parents_count 
!= 0) { -+ /* Store the parents if needed */ -+ ret = sdap_nested_groups_store(sysdb, dom, opts, -+ gr->ldap_parents, gr->parents_count); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n", -+ ret, strerror(ret)); -+ goto done; -+ } -+ -+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx, -+ gr->ldap_parents, gr->parents_count, -+ opts->group_map[SDAP_AT_GROUP_NAME].name, -+ &groupnamelist); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_primary_fqdn_list failed.\n"); -+ goto done; -+ } -+ } -+ -+ ret = sysdb_attrs_get_string(gr->group, SYSDB_NAME, &sysdb_name); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_attrs_get_string failed to get SYSDB_NAME, " -+ "skipping.\n"); -+ goto done; -+ } -+ -+ ret = sysdb_attrs_get_string(gr->group, SYSDB_OBJECTCLASS, &class); -+ if (ret != EOK) { -+ /* If objectclass is missing gr->group is a nested parent found during -+ * the nested group lookup. It might not already stored in the cache. -+ */ -+ DEBUG(SSSDBG_TRACE_LIBS, -+ "sysdb_attrs_get_string failed to get SYSDB_OBJECTCLASS " -+ "for [%s], assuming group.\n", sysdb_name); -+ -+ /* make sure group exists in cache */ -+ groups[0]= gr->group; -+ ret = sdap_nested_groups_store(sysdb, dom, opts, groups, 1); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n", -+ ret, strerror(ret)); -+ goto done; -+ } -+ -+ /* Since the object is coming from LDAP it cannot have the internal -+ * fully-qualified name, so we can expand it unconditionally. 
*/ -+ group_name = NULL; -+ ret = sysdb_attrs_primary_name(dom->sysdb, gr->group, -+ opts->group_map[SDAP_AT_GROUP_NAME].name, -+ &group_name); -+ if (ret != EOK || group_name == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Could not determine primary name\n"); -+ group_name = sysdb_name; -+ } -+ -+ group_name = sss_create_internal_fqname(tmp_ctx, group_name, -+ dom->name); -+ if (group_name != NULL) { -+ sysdb_name = group_name; -+ } -+ -+ type = SYSDB_MEMBER_GROUP; -+ } else { -+ if (class != NULL && strcmp(class, SYSDB_USER_CLASS) == 0) { -+ type = SYSDB_MEMBER_USER; -+ } else { -+ type = SYSDB_MEMBER_GROUP; -+ } -+ } -+ -+ /* We need to get the cached list of groups form the local domain the -+ * object is a member of to compare them with the current list just -+ * retrieved (groupnamelist). Even if this list is empty we have to -+ * proceed because the membership might have been removed recently on the -+ * server. */ -+ -+ obj_dom = find_domain_by_object_name(get_domains_head(dom), -+ sysdb_name); -+ if (obj_dom == NULL) { -+ obj_dom = dom; -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot find domain for [%s], " -+ "trying with local domain [%s].\n", -+ sysdb_name, obj_dom->name); -+ } -+ -+ ret = sysdb_get_direct_parents(tmp_ctx, obj_dom, dom, type, sysdb_name, -+ &cached_local_parents); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE,"sysdb_get_direct_parents failed.\n"); -+ goto done; -+ } -+ -+ if (cached_local_parents != NULL && cached_local_parents[0] == NULL) { -+ talloc_zfree(cached_local_parents); -+ } -+ -+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) { -+ if (cached_local_parents != NULL) { -+ for (c = 0; cached_local_parents[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, "[%s] cached_local_parents [%s].\n", -+ sysdb_name, cached_local_parents[c]); -+ } -+ } -+ -+ if (groupnamelist != NULL) { -+ for (c = 0; groupnamelist[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, "[%s] groupnamelist [%s].\n", -+ sysdb_name, groupnamelist[c]); -+ } -+ } -+ } -+ -+ ret = 
diff_string_lists(tmp_ctx, cached_local_parents, groupnamelist, -+ &del_list, &add_list, NULL); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n"); -+ goto done; -+ } -+ -+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) { -+ if (add_list != NULL) { -+ for (c = 0; add_list[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, "add: [%s] will be member of [%s].\n", -+ sysdb_name, add_list[c]); -+ } -+ } -+ if (del_list != NULL) { -+ for (c = 0; del_list[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, "del: [%s] was member of [%s].\n", -+ sysdb_name, del_list[c]); -+ } -+ } -+ } -+ -+ *_type = type; -+ *_sysdb_name = talloc_steal(mem_ctx, sysdb_name); -+ *_add_list = talloc_steal(mem_ctx, groupnamelist); -+ *_del_list = talloc_steal(mem_ctx, del_list); -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -+ -+static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq) -+{ -+ -+ struct tevent_req *req = tevent_req_callback_data(subreq, -+ struct tevent_req); -+ struct sdap_ad_get_domain_local_groups_state *state = tevent_req_data(req, -+ struct sdap_ad_get_domain_local_groups_state); -+ int ret; -+ int hret; -+ unsigned long count; -+ hash_value_t *values = NULL; -+ struct sdap_nested_group *gr; -+ size_t c; -+ const char *sysdb_name = NULL; -+ enum sysdb_member_type type; -+ char **add_list = NULL; -+ char **del_list = NULL; -+ -+ ret = rfc2307bis_nested_groups_recv(subreq); -+ talloc_zfree(subreq); -+ if (ret != EOK) { -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ hret = hash_values(state->group_hash, &count, &values); -+ if (hret != HASH_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "hash_values failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ for (c = 0; c < count; c++) { -+ gr = talloc_get_type(values[c].ptr, -+ struct sdap_nested_group); -+ -+ /* The values from the hash are either user or group objects returned -+ * by sysdb_initgroups() which where used to start the request or -+ * nested parents found during the 
request. The nested parents contain -+ * the processed LDAP data and can be identified by a missing -+ * objectclass attribute. */ -+ ret = sdap_ad_get_domain_local_groups_parse_parents(state, gr, -+ state->dom, -+ state->sysdb, -+ state->opts, -+ &sysdb_name, -+ &type, -+ &add_list, -+ &del_list); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sdap_ad_get_domain_local_groups_parse_parents failed.\n"); -+ continue; -+ } -+ -+ if ((add_list == NULL && del_list == NULL) -+ || (add_list == NULL && del_list != NULL && del_list[0] == NULL) -+ || (add_list != NULL && add_list[0] == NULL && del_list == NULL) -+ || (add_list != NULL && add_list[0] == NULL -+ && del_list != NULL && del_list[0] == NULL) ) { -+ continue; -+ } -+ -+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating domain local memberships for %s\n", -+ sysdb_name); -+ ret = sysdb_update_members(state->dom, sysdb_name, type, -+ (const char *const *) add_list, -+ (const char *const *) del_list); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_members failed.\n"); -+ goto done; -+ } -+ } -+ -+ ret = EOK; -+done: -+ talloc_zfree(values); -+ -+ if (ret == EOK) { -+ tevent_req_done(req); -+ } else { -+ tevent_req_error(req, ret); -+ } -+ -+ return; -+} -+ -+errno_t sdap_ad_get_domain_local_groups_recv(struct tevent_req *req) -+{ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ return EOK; -+} -+ - struct sdap_ad_tokengroups_initgroups_state { - bool use_id_mapping; - struct sss_domain_info *domain; -diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h -index 4af4f7144..266bc0311 100644 ---- a/src/providers/ldap/sdap_async_private.h -+++ b/src/providers/ldap/sdap_async_private.h -@@ -173,4 +173,14 @@ errno_t sdap_nested_groups_store(struct sysdb_ctx *sysdb, - struct sysdb_attrs **groups, - unsigned long count); - -+struct tevent_req * -+sdap_ad_get_domain_local_groups_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct sdap_domain *local_sdom, -+ struct 
sdap_options *opts, -+ struct sysdb_ctx *sysdb, -+ struct sss_domain_info *dom, -+ struct sysdb_attrs **groups, -+ size_t num_groups); -+errno_t sdap_ad_get_domain_local_groups_recv(struct tevent_req *req); - #endif /* _SDAP_ASYNC_PRIVATE_H_ */ --- -2.11.0 - diff --git a/sssd/patches/0015-PAM-add-a-test-for-filter_responses.patch b/sssd/patches/0015-PAM-add-a-test-for-filter_responses.patch deleted file mode 100644 index e43b619f2..000000000 --- a/sssd/patches/0015-PAM-add-a-test-for-filter_responses.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 84946be361a17bbb593f246849bd1357aa2f79da Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Thu, 20 Oct 2016 11:48:22 +0200 -Subject: [PATCH 15/39] PAM: add a test for filter_responses() - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit c8fe1d922b254aa92e74f428135ada3c8bde87a1) -(cherry picked from commit 0157678081e299660105c753f2d2ac2081960bca) ---- - src/responder/pam/pamsrv.h | 3 +++ - src/responder/pam/pamsrv_cmd.c | 4 ++-- - src/tests/cmocka/test_pam_srv.c | 52 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 57 insertions(+), 2 deletions(-) - -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index e686d03a4..8437d082e 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -99,4 +99,7 @@ errno_t - pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain, - const char *username, - uint64_t value); -+ -+errno_t filter_responses(struct confdb_ctx *cdb, -+ struct response_data *resp_list); - #endif /* __PAMSRV_H__ */ -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index e52fc7642..b3690d763 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -470,8 +470,8 @@ fail: - return ret; - } - --static errno_t filter_responses(struct confdb_ctx *cdb, -- struct response_data *resp_list) -+errno_t filter_responses(struct confdb_ctx *cdb, -+ struct response_data *resp_list) - { - int ret; - struct response_data *resp; -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index 4b2dea4be..41d177233 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -31,6 +31,7 @@ - #include "responder/pam/pam_helpers.h" - #include "sss_client/pam_message.h" - #include "sss_client/sss_cli.h" -+#include "confdb/confdb.h" - - #include "util/crypto/sss_crypto.h" - #ifdef HAVE_NSS -@@ -1759,6 +1760,54 @@ void test_pam_cert_auth(void 
**state) - assert_int_equal(ret, EOK); - } - -+void test_filter_response(void **state) -+{ -+ int ret; -+ struct pam_data *pd; -+ uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))]; -+ uint32_t info_type; -+ -+ struct sss_test_conf_param pam_params[] = { -+ { CONFDB_PAM_VERBOSITY, "1" }, -+ { NULL, NULL }, /* Sentinel */ -+ }; -+ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ pd = talloc_zero(pam_test_ctx, struct pam_data); -+ assert_non_null(pd); -+ -+ info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH; -+ memset(offline_auth_data, 0, sizeof(offline_auth_data)); -+ memcpy(offline_auth_data, &info_type, sizeof(uint32_t)); -+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, -+ sizeof(offline_auth_data), offline_auth_data); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ -+ pam_params[0].value = "0"; -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ -+ /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with -+ * pam_verbosity 2 or above if cache password never expires. 
*/ -+ pam_params[0].value = "2"; -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ assert_int_equal(ret, EOK); -+ assert_false(pd->resp_list->do_not_send_to_client); -+} -+ - int main(int argc, const char *argv[]) - { - int rv; -@@ -1870,6 +1919,9 @@ int main(int argc, const char *argv[]) - pam_test_setup_no_verification, - pam_test_teardown), - #endif /* HAVE_NSS */ -+ -+ cmocka_unit_test_setup_teardown(test_filter_response, -+ pam_test_setup, pam_test_teardown), - }; - - /* Set debug level to invalid value so we can deside if -d 0 was used. */ --- -2.11.0 - diff --git a/sssd/patches/0016-PAM-add-pam_response_filter-option.patch b/sssd/patches/0016-PAM-add-pam_response_filter-option.patch deleted file mode 100644 index 1d91a43a3..000000000 --- a/sssd/patches/0016-PAM-add-pam_response_filter-option.patch +++ /dev/null 
@@ -1,501 +0,0 @@ -From 51cdde0ce897c62a0e29653e896e3e6d43585228 Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Thu, 20 Oct 2016 18:40:01 +0200 -Subject: [PATCH 16/39] PAM: add pam_response_filter option - -Currently the main use-case for this new option is to not set the -KRB5CCNAME environment varible for services like 'sudo-i'. - -Resolves https://fedorahosted.org/sssd/ticket/2296 - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit ce43f710c9638fbbeae077559cd7514370a10c0c) -(cherry picked from commit 74711db46029415cc9590bb0e3f9cc662dac1d0c) ---- - src/confdb/confdb.h | 1 + - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.conf | 1 + - src/man/sssd.conf.5.xml | 45 +++++++++++ - src/responder/pam/pamsrv.h | 3 +- - src/responder/pam/pamsrv_cmd.c | 111 ++++++++++++++++++++++++-- - src/tests/cmocka/test_pam_srv.c | 149 +++++++++++++++++++++++++++++++++-- - 8 files changed, 297 insertions(+), 15 deletions(-) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 011792fba..2a1e58184 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -115,6 +115,7 @@ - #define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay" - #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5 - #define CONFDB_PAM_VERBOSITY "pam_verbosity" -+#define CONFDB_PAM_RESPONSE_FILTER "pam_response_filter" - #define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout" - #define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning" - #define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users" -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index cde196478..381ff9596 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -88,6 +88,7 @@ option_strings = { - 'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'), - 'offline_failed_login_delay' : _('How long (minutes) to 
deny login after offline_failed_login_attempts has been reached'), - 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'), -+ 'pam_response_filter' : _('Filter PAM responses send the pam_sss'), - 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'), - 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'), - 'pam_trusted_users' : _('List of trusted uids or user's name'), -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index b6316be8c..ec716b558 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -99,6 +99,7 @@ option = offline_credentials_expiration - option = offline_failed_login_attempts - option = offline_failed_login_delay - option = pam_verbosity -+option = pam_response_filter - option = pam_id_timeout - option = pam_pwd_expiration_warning - option = get_domains_timeout -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index 567d52efe..be24bcea0 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -58,6 +58,7 @@ offline_credentials_expiration = int, None, false - offline_failed_login_attempts = int, None, false - offline_failed_login_delay = int, None, false - pam_verbosity = int, None, false -+pam_response_filter = str, None, false - pam_id_timeout = int, None, false - pam_pwd_expiration_warning = int, None, false - get_domains_timeout = int, None, false -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 8b862eb0c..71ace5208 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -975,6 +975,51 @@ fallback_homedir = /home/%u - </para> - </listitem> - </varlistentry> -+ -+ <varlistentry> -+ <term>pam_response_filter (integer)</term> -+ <listitem> -+ <para> -+ A comma separated list of strings which allows to -+ remove (filter) data send by the PAM responder to -+ pam_sss PAM module. 
There are different kind of -+ responses send to pam_sss e.g. messages displayed to -+ the user or environment variables which should be -+ set by pam_sss. -+ </para> -+ <para> -+ While messages already can be controlled with the -+ help of the pam_verbosity option this option allows -+ to filter out other kind of responses as well. -+ </para> -+ <para> -+ Currently the following filters are supported: -+ <variablelist> -+ <varlistentry><term>ENV</term> -+ <listitem><para>Do not sent any environment -+ variables to any service.</para></listitem> -+ </varlistentry> -+ <varlistentry><term>ENV:var_name</term> -+ <listitem><para>Do not sent environment -+ variable var_name to any -+ service.</para></listitem> -+ </varlistentry> -+ <varlistentry><term>ENV:var_name:service</term> -+ <listitem><para>Do not sent environment -+ variable var_name to -+ service.</para></listitem> -+ </varlistentry> -+ </variablelist> -+ </para> -+ <para> -+ Default: not set -+ </para> -+ <para> -+ Example: ENV:KRB5CCNAME:sudo-i -+ </para> -+ </listitem> -+ </varlistentry> -+ - <varlistentry> - <term>pam_id_timeout (integer)</term> - <listitem> -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 8437d082e..75045d039 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -101,5 +101,6 @@ pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain, - uint64_t value); - - errno_t filter_responses(struct confdb_ctx *cdb, -- struct response_data *resp_list); -+ struct response_data *resp_list, -+ struct pam_data *pd); - #endif /* __PAMSRV_H__ */ -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index b3690d763..0c2e6941c 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -470,14 +470,89 @@ fail: - return ret; - } - -+static errno_t filter_responses_env(struct response_data *resp, -+ struct pam_data *pd, -+ char * const *pam_filter_opts) -+{ -+ size_t c; -+ const char 
*var_name; -+ size_t var_name_len; -+ const char *service; -+ -+ if (pam_filter_opts == NULL) { -+ return EOK; -+ } -+ -+ for (c = 0; pam_filter_opts[c] != NULL; c++) { -+ if (strncmp(pam_filter_opts[c], "ENV", 3) != 0) { -+ continue; -+ } -+ -+ var_name = NULL; -+ var_name_len = 0; -+ service = NULL; -+ if (pam_filter_opts[c][3] != '\0') { -+ if (pam_filter_opts[c][3] != ':') { -+ /* Neither plain ENV nor ENV:, ignored */ -+ continue; -+ } -+ -+ var_name = pam_filter_opts[c] + 4; -+ /* check if there is a second ':' in the option and use the following -+ * data, if any, as service name. */ -+ service = strchr(var_name, ':'); -+ if (service == NULL) { -+ var_name_len = strlen(var_name); -+ } else { -+ var_name_len = service - var_name; -+ -+ service++; -+ /* handle empty service name "ENV:var:" */ -+ if (*service == '\0') { -+ service = NULL; -+ } -+ } -+ } -+ /* handle empty var name "ENV:" or "ENV::service" */ -+ if (var_name_len == 0) { -+ var_name = NULL; -+ } -+ -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Found PAM ENV filter for variable [%.*s] and service [%s].\n", -+ (int) var_name_len, var_name, service); -+ -+ if (service != NULL && pd->service != NULL -+ && strcmp(service, pd->service) != 0) { -+ /* current service does not match the filter */ -+ continue; -+ } -+ -+ if (var_name == NULL) { -+ /* All environment variables should be filtered */ -+ resp->do_not_send_to_client = true; -+ continue; -+ } -+ -+ if (resp->len > var_name_len && resp->data[var_name_len] == '=' -+ && memcmp(resp->data, var_name, var_name_len) == 0) { -+ resp->do_not_send_to_client = true; -+ } -+ } -+ -+ return EOK; -+} -+ - errno_t filter_responses(struct confdb_ctx *cdb, -- struct response_data *resp_list) -+ struct response_data *resp_list, -+ struct pam_data *pd) - { - int ret; - struct response_data *resp; - uint32_t user_info_type; -- int64_t expire_date; -- int pam_verbosity; -+ int64_t expire_date = 0; -+ int pam_verbosity = DEFAULT_PAM_VERBOSITY; -+ char **pam_filter_opts = NULL; - - 
ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, -@@ -488,12 +563,22 @@ errno_t filter_responses(struct confdb_ctx *cdb, - pam_verbosity = DEFAULT_PAM_VERBOSITY; - } - -+ ret = confdb_get_string_as_list(cdb, pd, CONFDB_PAM_CONF_ENTRY, -+ CONFDB_PAM_RESPONSE_FILTER, -+ &pam_filter_opts); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CONF_SETTINGS, "[%s] not available, not fatal.\n", -+ CONFDB_PAM_RESPONSE_FILTER); -+ pam_filter_opts = NULL; -+ } -+ - resp = resp_list; - while(resp != NULL) { - if (resp->type == SSS_PAM_USER_INFO) { - if (resp->len < sizeof(uint32_t)) { - DEBUG(SSSDBG_CRIT_FAILURE, "User info entry is too short.\n"); -- return EINVAL; -+ ret = EINVAL; -+ goto done; - } - - if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) { -@@ -511,7 +596,8 @@ errno_t filter_responses(struct confdb_ctx *cdb, - DEBUG(SSSDBG_CRIT_FAILURE, - "User info offline auth entry is " - "too short.\n"); -- return EINVAL; -+ ret = EINVAL; -+ goto done; - } - memcpy(&expire_date, resp->data + sizeof(uint32_t), - sizeof(int64_t)); -@@ -528,6 +614,13 @@ errno_t filter_responses(struct confdb_ctx *cdb, - "User info type [%d] not filtered.\n", - user_info_type); - } -+ } else if (resp->type == SSS_PAM_ENV_ITEM) { -+ resp->do_not_send_to_client = false; -+ ret = filter_responses_env(resp, pd, pam_filter_opts); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "filter_responses_env failed.\n"); -+ goto done; -+ } - } else if (resp->type & SSS_SERVER_INFO) { - resp->do_not_send_to_client = true; - } -@@ -535,7 +628,11 @@ errno_t filter_responses(struct confdb_ctx *cdb, - resp = resp->next; - } - -- return EOK; -+ ret = EOK; -+done: -+ talloc_free(pam_filter_opts); -+ -+ return ret; - } - - static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te, -@@ -782,7 +879,7 @@ static void pam_reply(struct pam_auth_req *preq) - inform_user(pd, pam_account_locked_message); - } - -- ret = filter_responses(pctx->rctx->cdb, pd->resp_list); -+ 
ret = filter_responses(pctx->rctx->cdb, pd->resp_list, pd); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n"); - } -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index 41d177233..3b8327eb3 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -1766,9 +1766,11 @@ void test_filter_response(void **state) - struct pam_data *pd; - uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))]; - uint32_t info_type; -+ char *env; - - struct sss_test_conf_param pam_params[] = { - { CONFDB_PAM_VERBOSITY, "1" }, -+ { CONFDB_PAM_RESPONSE_FILTER, NULL }, - { NULL, NULL }, /* Sentinel */ - }; - -@@ -1778,6 +1780,15 @@ void test_filter_response(void **state) - pd = talloc_zero(pam_test_ctx, struct pam_data); - assert_non_null(pd); - -+ pd->service = discard_const("MyService"); -+ -+ env = talloc_asprintf(pd, "%s=%s", "MyEnv", "abcdef"); -+ assert_non_null(env); -+ -+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, -+ strlen(env) + 1, (uint8_t *) env); -+ assert_int_equal(ret, EOK); -+ - info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH; - memset(offline_auth_data, 0, sizeof(offline_auth_data)); - memcpy(offline_auth_data, &info_type, sizeof(uint32_t)); -@@ -1785,27 +1796,151 @@ void test_filter_response(void **state) - sizeof(offline_auth_data), offline_auth_data); - assert_int_equal(ret, EOK); - -- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ /* pd->resp_list points to the SSS_PAM_USER_INFO and pd->resp_list->next -+ * to the SSS_PAM_ENV_ITEM message. */ -+ -+ -+ /* Test CONFDB_PAM_VERBOSITY option */ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); - assert_int_equal(ret, EOK); - assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with -+ * pam_verbosity 2 or above if cache password never expires. 
*/ -+ pam_params[0].value = "2"; -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_false(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); - - pam_params[0].value = "0"; - ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); - assert_int_equal(ret, EOK); - -- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); - assert_int_equal(ret, EOK); - assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); - -- /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with -- * pam_verbosity 2 or above if cache password never expires. */ -- pam_params[0].value = "2"; -+ /* Test CONFDB_PAM_RESPONSE_FILTER option */ -+ pam_params[1].value = "NoSuchOption"; - ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); - assert_int_equal(ret, EOK); - -- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); - assert_int_equal(ret, EOK); -- assert_false(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV"; /* filter all environment variables */ -+ /* for all services */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:"; /* filter all environment variables */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ 
assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV::"; /* filter all environment variables */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:abc:"; /* variable name does not match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:abc:MyService"; /* variable name does not match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV::abc"; /* service name does not match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ /* service name does not match */ -+ pam_params[1].value = "ENV:MyEnv:abc"; -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = 
filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_false(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:MyEnv"; /* match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:MyEnv:"; /* match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ pam_params[1].value = "ENV:MyEnv:MyService"; /* match */ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ /* multiple rules with a match */ -+ pam_params[1].value = "ENV:abc:def, " -+ "ENV:MyEnv:MyService, " -+ "ENV:stu:xyz"; -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ -+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd); -+ assert_int_equal(ret, EOK); -+ assert_true(pd->resp_list->do_not_send_to_client); -+ assert_true(pd->resp_list->next->do_not_send_to_client); -+ -+ talloc_free(pd); - } - - int main(int argc, const char *argv[]) --- -2.11.0 - 
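Review bot: In the removed [PATCH 16/39], the sssd.conf.5.xml part documents the option as `pam_response_filter (integer)` while the sssd.api.conf part declares it as `pam_response_filter = str, None, false`, and the description calls it a comma separated list of strings; if this text lives on upstream, the man page type should read string. In filter_responses_env() the DEBUG call passes `service` to `%s` when it may be NULL, which is worth guarding. Since this hunk drops the whole backport, the commit message should state that the packaged sssd already contains upstream ce43f710c9638fbbeae077559cd7514370a10c0c; otherwise a configured filter such as `ENV:KRB5CCNAME:sudo-i` no longer takes effect and KRB5CCNAME is sent to that service again.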
diff --git a/sssd/patches/0017-SYSDB-Split-sysdb_try_to_find_expected_dn-into-small.patch b/sssd/patches/0017-SYSDB-Split-sysdb_try_to_find_expected_dn-into-small.patch deleted file mode 100644 index 278000993..000000000 --- a/sssd/patches/0017-SYSDB-Split-sysdb_try_to_find_expected_dn-into-small.patch +++ /dev/null 
@@ -1,343 +0,0 @@ -From e6c3d9e680eab264777348389b4bcda73bd5ba6d Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Fri, 28 Oct 2016 13:46:02 +0200 -Subject: [PATCH 17/39] SYSDB: Split sysdb_try_to_find_expected_dn() into - smaller functions - -The function sysdb_try_to_find_expected_dn was performing several matching -algorithms and thus it was getting big and hard to extend. This patch -doesn't contain any functional changes, only shuffles the code around -and splits the monolithic sysdb_try_to_find_expected_dn function into -smaller blocks. - -Reviewed-by: Sumit Bose sbose@redhat.com -(cherry picked from commit e5a984093ad7921c83da75272cede2b0e52ba2d6) -(cherry picked from commit 3f3dc8c737a8e8cfc4a29d7dbaf526ec3973c7a0) ---- - src/db/sysdb_subdomains.c | 278 +++++++++++++++++++++++++++++----------------- - 1 file changed, 179 insertions(+), 99 deletions(-) - -diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c -index ff83f914f..b011bad6c 100644 ---- a/src/db/sysdb_subdomains.c -+++ b/src/db/sysdb_subdomains.c -@@ -1145,74 +1145,29 @@ done: - return ret; - } - --errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, -- const char *domain_component_name, -- struct sysdb_attrs **usr_attrs, -- size_t count, -- struct sysdb_attrs **exp_usr) -+static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, -+ struct sysdb_attrs **usr_attrs, -+ size_t count, -+ const char *dom_basedn, -+ struct sysdb_attrs **_result) - { -- char *dom_basedn; -- size_t dom_basedn_len; -- char *expected_basedn; -- size_t expected_basedn_len; -- size_t dn_len; -+ errno_t ret; - const char *orig_dn; -- size_t c = 0; -- int ret; -- TALLOC_CTX *tmp_ctx; -- struct ldb_context *ldb_ctx; -- struct ldb_dn *ldb_dom_basedn; -- int dom_basedn_comp_num; -- struct ldb_dn *ldb_dn; -- int dn_comp_num; -- const char *component_name; -+ size_t dn_len; - struct sysdb_attrs *result = NULL; - const char *result_dn_str = NULL; -+ char *cn_users_basedn; -+ size_t 
cn_users_basedn_len; - -- if (dom == NULL || domain_component_name == NULL || usr_attrs == NULL -- || count == 0) { -- return EINVAL; -- } -- -- tmp_ctx = talloc_new(NULL); -- if (tmp_ctx == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -- return ENOMEM; -- } -- -- ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); -- goto done; -- } -- expected_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -- if (expected_basedn == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); -- if (ldb_ctx == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); -- ret = EINVAL; -- goto done; -- } -- -- ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); -- if (ldb_dom_basedn == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); -+ cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -+ if (cn_users_basedn == NULL) { - ret = ENOMEM; - goto done; - } -+ cn_users_basedn_len = strlen(cn_users_basedn); -+ DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -- dom_basedn_comp_num = ldb_dn_get_comp_num(ldb_dom_basedn); -- dom_basedn_comp_num++; -- -- DEBUG(SSSDBG_TRACE_ALL, "Expected BaseDN is [%s].\n", expected_basedn); -- expected_basedn_len = strlen(expected_basedn); -- dom_basedn_len = strlen(dom_basedn); -- -- for (c = 0; c < count; c++) { -+ for (size_t c = 0; c < count; c++) { - ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -@@ -1220,9 +1175,9 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - } - dn_len = strlen(orig_dn); - -- if (dn_len > expected_basedn_len -- && strcasecmp(orig_dn + (dn_len - expected_basedn_len), -- expected_basedn) == 0) { -+ if (dn_len > cn_users_basedn_len -+ && strcasecmp(orig_dn + (dn_len - 
cn_users_basedn_len), -+ cn_users_basedn) == 0) { - DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); - if (result != NULL) { -@@ -1237,52 +1192,177 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - } - } - -- if (result == NULL) { -- for (c = 0; c < count; c++) { -- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -+ ret = EOK; -+done: -+ *_result = result; -+ return ret; -+} -+ -+static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, -+ struct sss_domain_info *dom, -+ struct sysdb_attrs **usr_attrs, -+ size_t count, -+ struct ldb_dn *ldb_basedn, -+ const char *basedn, -+ const char *domain_component_name, -+ struct sysdb_attrs **_result) -+{ -+ errno_t ret; -+ const char *orig_dn; -+ size_t orig_dn_len; -+ size_t basedn_len; -+ struct ldb_context *ldb_ctx; -+ struct ldb_dn *ldb_orig_dn; -+ int dn_comp_num; -+ int basedn_comp_num; -+ const char *component_name; -+ struct sysdb_attrs *result = NULL; -+ const char *result_dn_str = NULL; -+ -+ ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); -+ if (ldb_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ basedn_len = strlen(basedn); -+ -+ basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn); -+ basedn_comp_num++; -+ -+ for (size_t c = 0; c < count; c++) { -+ ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -+ goto done; -+ } -+ orig_dn_len = strlen(orig_dn); -+ -+ if (orig_dn_len > basedn_len -+ /* Does the user's original DN with the non-domain part -+ * stripped match the domain base DN? 
-+ */ -+ && strcasecmp(orig_dn + (orig_dn_len - basedn_len), -+ basedn) == 0) { -+ ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); -+ if (ldb_orig_dn == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); -+ ret = ENOMEM; - goto done; - } -- dn_len = strlen(orig_dn); -- -- if (dn_len > dom_basedn_len -- && strcasecmp(orig_dn + (dn_len - dom_basedn_len), -- dom_basedn) == 0) { -- ldb_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); -- if (ldb_dn == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); -- ret = ENOMEM; -- goto done; -- } - -- dn_comp_num = ldb_dn_get_comp_num(ldb_dn); -- if (dn_comp_num > dom_basedn_comp_num) { -- component_name = ldb_dn_get_component_name(ldb_dn, -- (dn_comp_num - dom_basedn_comp_num)); -- DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", -- component_name, -- domain_component_name); -- if (component_name != NULL -- && strcasecmp(component_name, -- domain_component_name) != 0) { -- DEBUG(SSSDBG_TRACE_ALL, -- "Found matching dn [%s].\n", orig_dn); -- if (result != NULL) { -- DEBUG(SSSDBG_OP_FAILURE, -- "Found 2 matching DN [%s] and [%s], " -- "expecting only 1.\n", result_dn_str, orig_dn); -- ret = EINVAL; -- goto done; -- } -- result = usr_attrs[c]; -- result_dn_str = orig_dn; -+ dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn); -+ if (dn_comp_num > basedn_comp_num) { -+ component_name = ldb_dn_get_component_name(ldb_orig_dn, -+ (dn_comp_num - basedn_comp_num)); -+ DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", -+ component_name, -+ domain_component_name); -+ /* If the component is NOT a DC component, then the entry -+ * must come from our domain, perhaps from a child container. -+ * If it matched the DC component, the entry was from a child -+ * subdomain different from this one. 
-+ */ -+ if (component_name != NULL -+ && strcasecmp(component_name, -+ domain_component_name) != 0) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Found matching dn [%s].\n", orig_dn); -+ if (result != NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Found 2 matching DN [%s] and [%s], " -+ "expecting only 1.\n", result_dn_str, orig_dn); -+ ret = EINVAL; -+ goto done; - } -+ result = usr_attrs[c]; -+ result_dn_str = orig_dn; - } - } - } - } - -+ ret = EOK; -+ *_result = result; -+done: -+ return ret; -+} -+ -+static errno_t match_basedn(TALLOC_CTX *tmp_ctx, -+ struct sss_domain_info *dom, -+ struct sysdb_attrs **usr_attrs, -+ size_t count, -+ const char *dom_basedn, -+ const char *domain_component_name, -+ struct sysdb_attrs **_result) -+{ -+ struct ldb_context *ldb_ctx; -+ struct ldb_dn *ldb_dom_basedn; -+ -+ ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); -+ if (ldb_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); -+ return EINVAL; -+ } -+ -+ -+ ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); -+ if (ldb_dom_basedn == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ return match_non_dc_comp(tmp_ctx, dom, -+ usr_attrs, count, -+ ldb_dom_basedn, dom_basedn, -+ domain_component_name, -+ _result); -+} -+ -+errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, -+ const char *domain_component_name, -+ struct sysdb_attrs **usr_attrs, -+ size_t count, -+ struct sysdb_attrs **exp_usr) -+{ -+ char *dom_basedn; -+ int ret; -+ TALLOC_CTX *tmp_ctx; -+ struct sysdb_attrs *result = NULL; -+ -+ if (dom == NULL || domain_component_name == NULL -+ || usr_attrs == NULL || count == 0) { -+ return EINVAL; -+ } -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ ret 
= match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn, &result); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ if (result == NULL) { -+ ret = match_basedn(tmp_ctx, dom, usr_attrs, -+ count, dom_basedn, domain_component_name, -+ &result); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ - if (result == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n"); - ret = ENOENT; --- -2.11.0 - diff --git a/sssd/patches/0018-SYSDB-Augment-sysdb_try_to_find_expected_dn-to-match.patch b/sssd/patches/0018-SYSDB-Augment-sysdb_try_to_find_expected_dn-to-match.patch deleted file mode 100644 index f7cf4046e..000000000 --- a/sssd/patches/0018-SYSDB-Augment-sysdb_try_to_find_expected_dn-to-match.patch +++ /dev/null 
@@ -1,284 +0,0 @@ -From 8e08e21b64a9ef67a4c40917786536d69d7ec4d3 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Mon, 31 Oct 2016 21:39:57 +0100 -Subject: [PATCH 18/39] SYSDB: Augment sysdb_try_to_find_expected_dn to match - search base as well - -In cases where the domain name in sssd.conf does not match the AD -domain, our previous matching process wouldn't match. This patch -augments the matching as follows: - - the search base is known to sysdb_try_to_find_expected_dn and is - expected to be non-NULL - - the existing matching is ran first - - during the search base, matching, all the non-DC components are - stripped from the search base to 'canonicalize' the search base - - if only a single entry that matches with a non-DC DN component - (matching with a DC component would mean the DN comes from a - different domain) then this entry is a match and is returned - -Resolves: -https://fedorahosted.org/sssd/ticket/3199 - -Reviewed-by: Sumit Bose sbose@redhat.com -(cherry picked from commit 24d8c85fae253f988165c112af208198cf48eef6) -(cherry picked from commit 956fdd727f8d7a28f1456146b3b7dfee49f38626) ---- - src/db/sysdb.h | 1 + - src/db/sysdb_subdomains.c | 99 ++++++++++++++++++++++++++++++ - src/providers/ldap/sdap_async_initgroups.c | 8 ++- - src/tests/cmocka/test_sysdb_subdomains.c | 43 +++++++++++-- - 4 files changed, 144 insertions(+), 7 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 901268390..5dedd97dd 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1297,6 +1297,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, - - errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, -+ const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); -diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c -index b011bad6c..780140484 100644 ---- a/src/db/sysdb_subdomains.c -+++ b/src/db/sysdb_subdomains.c 
-@@ -1320,8 +1320,97 @@ static errno_t match_basedn(TALLOC_CTX *tmp_ctx, - _result); - } - -+static errno_t match_search_base(TALLOC_CTX *tmp_ctx, -+ struct sss_domain_info *dom, -+ const char *domain_component_name, -+ const char *domain_search_base, -+ struct sysdb_attrs **usr_attrs, -+ size_t count, -+ struct sysdb_attrs **_result) -+{ -+ errno_t ret; -+ bool ok; -+ const char *search_base; -+ struct ldb_context *ldb_ctx; -+ struct sysdb_attrs *result = NULL; -+ struct ldb_dn *ldb_search_base; -+ int search_base_comp_num; -+ int non_dc_comp_num; -+ const char *component_name; -+ -+ ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); -+ if (ldb_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base); -+ if (ldb_search_base == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ /* strip non-DC components from the search base */ -+ search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base); -+ for (non_dc_comp_num = 0; -+ non_dc_comp_num < search_base_comp_num; -+ non_dc_comp_num++) { -+ -+ component_name = ldb_dn_get_component_name(ldb_search_base, -+ non_dc_comp_num); -+ if (strcasecmp(domain_component_name, component_name) == 0) { -+ break; -+ } -+ } -+ -+ if (non_dc_comp_num == search_base_comp_num) { -+ /* The search base does not have any non-DC components, the search wouldn't -+ * match anyway -+ */ -+ ret = EOK; -+ *_result = NULL; -+ goto done; -+ } -+ -+ ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num); -+ if (!ok) { -+ ret = EINVAL; -+ goto done; -+ } -+ -+ search_base = ldb_dn_get_linearized(ldb_search_base); -+ if (search_base == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = match_cn_users(tmp_ctx, usr_attrs, count, search_base, &result); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ if (result == NULL) { -+ ret = match_non_dc_comp(tmp_ctx, dom, -+ usr_attrs, 
count, -+ ldb_search_base, search_base, -+ domain_component_name, -+ &result); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ -+ ret = EOK; -+ *_result = result; -+done: -+ return ret; -+} -+ - errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, -+ const char *domain_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr) -@@ -1332,6 +1421,7 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - struct sysdb_attrs *result = NULL; - - if (dom == NULL || domain_component_name == NULL -+ || domain_search_base == NULL - || usr_attrs == NULL || count == 0) { - return EINVAL; - } -@@ -1364,6 +1454,15 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - } - - if (result == NULL) { -+ ret = match_search_base(tmp_ctx, dom, domain_component_name, -+ domain_search_base, usr_attrs, count, -+ &result); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ -+ if (result == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n"); - ret = ENOENT; - goto done; -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 45fc007e0..9b505e7fa 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -2947,7 +2947,13 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) - DEBUG(SSSDBG_OP_FAILURE, - "Expected one user entry and got %zu\n", count); - -- ret = sysdb_try_to_find_expected_dn(state->dom, "dc", usr_attrs, count, -+ /* When matching against a search base, it's sufficient to pick only -+ * the first search base because all bases in a single domain would -+ * have the same DC= components -+ */ -+ ret = sysdb_try_to_find_expected_dn(state->dom, "dc", -+ state->sdom->search_bases[0]->basedn, -+ usr_attrs, count, - &state->orig_user); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -diff --git a/src/tests/cmocka/test_sysdb_subdomains.c 
b/src/tests/cmocka/test_sysdb_subdomains.c -index c9db56841..52056e043 100644 ---- a/src/tests/cmocka/test_sysdb_subdomains.c -+++ b/src/tests/cmocka/test_sysdb_subdomains.c -@@ -520,7 +520,9 @@ static void test_try_to_find_expected_dn(void **state) - int ret; - struct sysdb_attrs *result; - struct sysdb_attrs *usr_attrs[10] = { NULL }; -+ struct sysdb_attrs *dom_usr_attrs[10] = { NULL }; - struct sss_domain_info *dom; -+ char *dom_basedn; - struct subdom_test_ctx *test_ctx = - talloc_get_type(*state, struct subdom_test_ctx); - -@@ -528,6 +530,9 @@ static void test_try_to_find_expected_dn(void **state) - "child2.test_sysdb_subdomains_2", true); - assert_non_null(dom); - -+ ret = domain_to_basedn(test_ctx, dom->name, &dom_basedn); -+ assert_int_equal(ret, EOK); -+ - usr_attrs[0] = sysdb_new_attrs(test_ctx); - assert_non_null(usr_attrs[0]); - -@@ -535,13 +540,13 @@ static void test_try_to_find_expected_dn(void **state) - "uid=user,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); - assert_int_equal(ret, EOK); - -- ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, 0, NULL); -+ ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, NULL, 0, NULL); - assert_int_equal(ret, EINVAL); - -- ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 1, &result); -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 1, &result); - assert_int_equal(ret, ENOENT); - -- ret = sysdb_try_to_find_expected_dn(dom, "xy", usr_attrs, 1, &result); -+ ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 1, &result); - assert_int_equal(ret, EOK); - assert_ptr_equal(result, usr_attrs[0]); - -@@ -559,11 +564,11 @@ static void test_try_to_find_expected_dn(void **state) - "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); - assert_int_equal(ret, EOK); - -- ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 3, &result); -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result); - assert_int_equal(ret, EOK); - 
assert_ptr_equal(result, usr_attrs[1]); - -- ret = sysdb_try_to_find_expected_dn(dom, "xy", usr_attrs, 3, &result); -+ ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 3, &result); - assert_int_equal(ret, EINVAL); - - /* Make sure cn=users match is preferred */ -@@ -575,10 +580,36 @@ static void test_try_to_find_expected_dn(void **state) - "uid=user2,cn=abc,cn=users,dc=child2,dc=test_sysdb_subdomains_2"); - assert_int_equal(ret, EOK); - -- ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 3, &result); -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result); - assert_int_equal(ret, EOK); - assert_ptr_equal(result, usr_attrs[2]); - -+ /* test a case where the domain name does not match the basedn */ -+ dom->name = discard_const("default"); -+ dom_usr_attrs[0] = usr_attrs[0]; -+ -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 1, &result); -+ assert_int_equal(ret, ENOENT); -+ -+ dom_usr_attrs[1] = usr_attrs[1]; -+ dom_usr_attrs[2] = usr_attrs[2]; -+ -+ /* Make sure cn=users match is preferred */ -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result); -+ assert_int_equal(ret, EOK); -+ assert_ptr_equal(result, dom_usr_attrs[2]); -+ -+ talloc_free(usr_attrs[2]); -+ usr_attrs[2] = sysdb_new_attrs(test_ctx); -+ assert_non_null(usr_attrs[2]); -+ ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN, -+ "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); -+ assert_int_equal(ret, EOK); -+ -+ dom_usr_attrs[2] = usr_attrs[2]; -+ ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result); -+ assert_int_equal(ret, EOK); -+ assert_ptr_equal(result, usr_attrs[1]); - - talloc_free(usr_attrs[0]); - talloc_free(usr_attrs[1]); --- -2.11.0 - 
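Review bot: the block added at the end of test_try_to_find_expected_dn sets `dom->name = discard_const("default");` on the `dom` under test and never restores the original name, so any later use of that domain object sees the wrong name. Save the old pointer before the assignment and put it back ahead of the closing talloc_free calls. The only invalid-argument case is still the all-NULL call; a call where only `dom_basedn` is NULL would show how the new parameter is validated.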
diff --git a/sssd/patches/0019-ad_access_filter-search-for-nested-groups.patch b/sssd/patches/0019-ad_access_filter-search-for-nested-groups.patch deleted file mode 100644 index 671758d16..000000000 --- a/sssd/patches/0019-ad_access_filter-search-for-nested-groups.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 7186923d877605f632fa17053a674f8266fd08bb Mon Sep 17 00:00:00 2001 -From: Mike Ely github@taupehat.com -Date: Wed, 2 Nov 2016 11:26:21 -0700 -Subject: [PATCH 19/39] ad_access_filter search for nested groups - -Includes instructions and example for AD nested group access - -Related to https://fedorahosted.org/sssd/ticket/3218 - -Signed-off-by: Mike Ely github@taupehat.com - -Reviewed-by: Sumit Bose sbose@redhat.com -(cherry picked from commit cf5357ae83cc9fe2240038b8bdccec2cb98991fc) -(cherry picked from commit e1c2aead482cd4bf83a7fe5e68630a981389e82b) ---- - src/man/sssd-ad.5.xml | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index 8a2f4ade9..2618f8324 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com - search bases work. - </para> - <para> -+ Nested group membership must be searched for using -+ a special OID <quote>:1.2.840.113556.1.4.1941:</quote> -+ in addition to the full DOM:domain.example.org: syntax -+ to ensure the parser does not attempt to interpret the -+ colon characters associated with the OID. If you do not -+ use this OID then nested group membership will not be -+ resolved. See usage example below and refer here -+ for further information about the OID: -+ <ulink -+ url="https://msdn.microsoft.com/en-us/library/cc223367.aspx%22%3E -+ [MS-ADTS] section LDAP extensions</ulink> -+ </para> -+ <para> - The most specific match is always used. 
For - example, if the option specified filter - for a domain the user is a member of and a -@@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) - - # apply filter on forest called EXAMPLE.COM only: - FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) -+ -+# apply filter for a member of a nested group in dom1: -+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) - </programlisting> - <para> - Default: Not set --- -2.11.0 - diff --git a/sssd/patches/0020-BUILD-Fix-linking-with-librt.patch b/sssd/patches/0020-BUILD-Fix-linking-with-librt.patch deleted file mode 100644 index 2a57b223c..000000000 --- a/sssd/patches/0020-BUILD-Fix-linking-with-librt.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 90adb9afec7b3cd2f6548d7f050785777492c827 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 7 Nov 2016 11:53:21 +0100 -Subject: [PATCH 20/39] BUILD: Fix linking with librt - -The posix realime extensions defines timer_* functions -but it does not mention library with these functions. -http://www.unix.org/version2/whatsnew/realtime.html - -The autoconf macro AC_SEARCH_LIBS firstly check the function -timer_create with no libraries, then for each library listed -in 2nd parameter. Possible libraries librt and libposix4 -were used in nspr for similar detection. - -Reviewed-by: Joakim Tjernlund joakim.tjernlund@infinera.com -(cherry picked from commit 6d11fdcd8ef05000dd20b3431f8491790f99a802) -(cherry picked from commit a3b668868a1c10be63be9151d347100172b71c6c) ---- - Makefile.am | 1 + - configure.ac | 13 +++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/Makefile.am b/Makefile.am -index d08e39fa4..51c67360d 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -960,6 +960,7 @@ libsss_util_la_CFLAGS = \ - $(SYSTEMD_LOGIN_CFLAGS) \ - $(NULL) - libsss_util_la_LIBADD = \ -+ $(LIBADD_TIMER) \ - $(SSSD_LIBS) \ - $(SYSTEMD_LOGIN_LIBS) \ - $(UNICODE_LIBS) \ -diff --git a/configure.ac b/configure.ac -index 3dbcf9e1f..d3ef1e162 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -70,6 +70,19 @@ AC_CHECK_FUNCS([ pthread_mutexattr_setrobust \ - pthread_mutex_consistent_np ]) - LIBS=$SAVE_LIBS - -+# Check library for the timer_create function -+SAVE_LIBS=$LIBS -+LIBS= -+LIBADD_TIMER= -+AC_SEARCH_LIBS([timer_create], [rt posix4], -+ [AC_DEFINE([HAVE_LIBRT], [1], -+ [Define if you have the librt library or equivalent.]) -+ LIBADD_TIMER="$LIBS"], -+ [AC_MSG_ERROR([unable to find library fot the timer_create() function])]) -+ -+AC_SUBST([LIBADD_TIMER]) -+LIBS=$SAVE_LIBS -+ - # Check for presence of modern functions for setting file timestamps - AC_CHECK_FUNCS([ utimensat \ - futimens ]) --- -2.11.0 - 
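Review bot: the AC_MSG_ERROR string in the configure.ac hunk reads `unable to find library fot the timer_create() function`; `fot` should be `for`, since this is the text a packager sees when the check fails. The action-if-found branch also defines HAVE_LIBRT with the description "Define if you have the librt library or equivalent." even when timer_create resolves with no extra library and `LIBADD_TIMER` ends up empty, so the macro name and description deserve a comment, as does the reason `LIBS=` is cleared before AC_SEARCH_LIBS.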
diff --git a/sssd/patches/0021-MONITOR-Do-not-set-up-watchdog-for-monitor.patch b/sssd/patches/0021-MONITOR-Do-not-set-up-watchdog-for-monitor.patch deleted file mode 100644 index 797fe611f..000000000 --- a/sssd/patches/0021-MONITOR-Do-not-set-up-watchdog-for-monitor.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 287acba9b1b7d91811d8e8a22ed5e7824e8a26b3 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Mon, 7 Nov 2016 11:58:20 +0100 -Subject: [PATCH 21/39] MONITOR: Do not set up watchdog for monitor -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It makes little sense to set up watchdog for monitor because there is no -entity that would restart the monitor. Therefore we should disable the -watchdog for monitor process. - -Resolves: -https://fedorahosted.org/sssd/ticket/3232 - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit fbe6644aa28d93f492434950680c5618eb567712) -(cherry picked from commit 2d88a121918e800b266d018d43dad9bd374b10a7) ---- - src/monitor/monitor.c | 2 ++ - src/util/server.c | 11 +++++++---- - src/util/util.h | 1 + - 3 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index 84a144e56..935febb95 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -2603,6 +2603,8 @@ int main(int argc, const char *argv[]) - - /* we want a pid file check */ - flags |= FLAGS_PID_FILE; -+ /* the monitor should not run a watchdog on itself */ -+ flags |= FLAGS_NO_WATCHDOG; - - /* Open before server_setup() does to have logging - * during configuration checking */ -diff --git a/src/util/server.c b/src/util/server.c -index 953cd3d61..013e572e6 100644 ---- a/src/util/server.c -+++ b/src/util/server.c -@@ -666,10 +666,13 @@ int server_setup(const char *name, int flags, - ret, strerror(ret)); - return ret; - } -- ret = setup_watchdog(ctx->event_ctx, watchdog_interval); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Watchdog setup failed.\n"); -- return ret; -+ -+ if ((flags & FLAGS_NO_WATCHDOG) == 0) { -+ ret = setup_watchdog(ctx->event_ctx, watchdog_interval); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Watchdog setup failed.\n"); -+ return ret; -+ } - } - - sss_log(SSS_LOG_INFO, 
"Starting up"); -diff --git a/src/util/util.h b/src/util/util.h -index 9c39a5cc5..4bfccfa2b 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -88,6 +88,7 @@ - #define FLAGS_INTERACTIVE 0x0002 - #define FLAGS_PID_FILE 0x0004 - #define FLAGS_GEN_CONF 0x0008 -+#define FLAGS_NO_WATCHDOG 0x0010 - - #define PIPE_INIT { -1, -1 } - --- -2.11.0 - diff --git a/sssd/patches/0022-SYSDB-Adding-lowercase-sudoUser-form.patch b/sssd/patches/0022-SYSDB-Adding-lowercase-sudoUser-form.patch deleted file mode 100644 index ffb4b1959..000000000 --- a/sssd/patches/0022-SYSDB-Adding-lowercase-sudoUser-form.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From b87ca4233342e1537fda5ce731db77cf24e422c3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20=C4=8Cech?= pcech@redhat.com -Date: Wed, 12 Oct 2016 16:48:38 +0200 -Subject: [PATCH 22/39] SYSDB: Adding lowercase sudoUser form -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If domain is not case sensitive we add lowercase form of usernames -to sudoUser attributes. So we actually able to apply sudoRule on -user Administrator@... with login admnistrator@... - -Resolves: -https://fedorahosted.org/sssd/ticket/3203 - -Reviewed-by: Pavel BÅezina pbrezina@redhat.com -(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) -(cherry picked from commit 88239b7f17f599aefa88a8a31c2d0ea44b766c87) ---- - src/db/sysdb_sudo.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 64 insertions(+) - -diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c -index 601fb63f2..4bd93ffc6 100644 ---- a/src/db/sysdb_sudo.c -+++ b/src/db/sysdb_sudo.c -@@ -852,6 +852,65 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, - return EOK; - } - -+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, -+ struct sysdb_attrs *rule) -+{ -+ TALLOC_CTX *tmp_ctx; -+ const char **users = NULL; -+ const char *lowered = NULL; -+ errno_t ret; -+ -+ if (domain->case_sensitive == true || rule == NULL) { -+ return EOK; -+ } -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ return ENOMEM; -+ } -+ -+ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, -+ &users); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", -+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); -+ goto done; -+ } -+ -+ if (users == NULL) { -+ ret = EOK; -+ goto done; -+ } -+ -+ for (int i = 0; users[i] != NULL; i++) { -+ lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); -+ if (lowered == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name 
to lowercase.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ if (strcmp(users[i], lowered) == 0) { -+ /* It protects us from adding duplicate. */ -+ continue; -+ } -+ -+ ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Unable to add %s attribute [%d]: %s\n", -+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); -+ goto done; -+ } -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_zfree(tmp_ctx); -+ return ret; -+} -+ - static errno_t - sysdb_sudo_store_rule(struct sss_domain_info *domain, - struct sysdb_attrs *rule, -@@ -868,6 +927,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, - - DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); - -+ ret = sysdb_sudo_add_lowered_users(domain, rule); -+ if (ret != EOK) { -+ return ret; -+ } -+ - ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); - if (ret != EOK) { - return ret; --- -2.11.0 - diff --git a/sssd/patches/0023-TESTS-Extending-sysdb-sudo-store-tests.patch b/sssd/patches/0023-TESTS-Extending-sysdb-sudo-store-tests.patch deleted file mode 100644 index 3b6ae0b60..000000000 --- a/sssd/patches/0023-TESTS-Extending-sysdb-sudo-store-tests.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From 1cd53e7a9cdb95aeca6a3f9ae4a6e32072f74ee7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20=C4=8Cech?= pcech@redhat.com -Date: Thu, 13 Oct 2016 09:31:52 +0200 -Subject: [PATCH 23/39] TESTS: Extending sysdb sudo store tests -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We covered diference between case sensitive and case insensitive -domains. If domain is case insensitive we add lowercase form of -sudoUser to local sysdb cache. - -Resolves: -https://fedorahosted.org/sssd/ticket/3203 - -Reviewed-by: Pavel BÅezina pbrezina@redhat.com -(cherry picked from commit 23637e2fd2b1fe42bdd2335893a11ac8016f56bc) -(cherry picked from commit 143b1dcbbe865a139616a22b139e19bd772e46f0) ---- - src/tests/cmocka/test_sysdb_sudo.c | 168 ++++++++++++++++++++++++++++++++++++- - 1 file changed, 167 insertions(+), 1 deletion(-) - -diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c -index 889de7237..f21ff3655 100644 ---- a/src/tests/cmocka/test_sysdb_sudo.c -+++ b/src/tests/cmocka/test_sysdb_sudo.c -@@ -44,7 +44,7 @@ struct test_user { - const char *name; - uid_t uid; - gid_t gid; --} users[] = { { "test_user1", 1001, 1001 }, -+} users[] = { { "test_USER1", 1001, 1001 }, - { "test_user2", 1002, 1002 }, - { "test_user3", 1003, 1003 } }; - -@@ -104,6 +104,29 @@ static void create_rule_attrs(struct sysdb_attrs *rule, int i) - assert_int_equal(ret, EOK); - } - -+static void create_rule_attrs_multiple_sudoUser(struct sysdb_attrs *rule) -+{ -+ errno_t ret; -+ -+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN, -+ rules[0].name); -+ assert_int_equal(ret, EOK); -+ -+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST, -+ rules[0].host); -+ assert_int_equal(ret, EOK); -+ -+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER, -+ rules[0].as_user); -+ assert_int_equal(ret, EOK); -+ -+ for (int i = 0; i < 3; i++ ) { -+ ret = 
sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_USER, -+ users[i].name); -+ assert_int_equal(ret, EOK); -+ } -+} -+ - static int get_stored_rules_count(struct sysdb_test_ctx *test_ctx) - { - errno_t ret; -@@ -217,6 +240,143 @@ void test_store_sudo(void **state) - talloc_zfree(msgs); - } - -+void test_store_sudo_case_sensitive(void **state) -+{ -+ errno_t ret; -+ char *filter; -+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, -+ SYSDB_SUDO_CACHE_AT_RUNASUSER, -+ SYSDB_SUDO_CACHE_AT_USER, NULL }; -+ struct ldb_message **msgs = NULL; -+ size_t msgs_count; -+ const char *result; -+ struct ldb_message_element *element; -+ struct sysdb_attrs *rule; -+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, -+ struct sysdb_test_ctx); -+ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name); -+ -+ rule = sysdb_new_attrs(test_ctx); -+ assert_non_null(rule); -+ create_rule_attrs_multiple_sudoUser(rule); -+ -+ test_ctx->tctx->dom->case_sensitive = true; -+ -+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); -+ assert_int_equal(ret, EOK); -+ -+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); -+ assert_non_null(filter); -+ -+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, -+ attrs, &msgs_count, &msgs); -+ assert_int_equal(ret, EOK); -+ -+ assert_int_equal(msgs_count, 1); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL); -+ assert_non_null(result); -+ assert_string_equal(result, rules[0].name); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST, -+ NULL); -+ assert_non_null(result); -+ assert_string_equal(result, rules[0].host); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER, -+ NULL); -+ assert_non_null(result); -+ assert_string_equal(result, rules[0].as_user); -+ -+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, -+ users[0].name); -+ 
assert_int_equal(ret, 1); -+ -+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, -+ lowered_name); -+ assert_int_equal(ret, 0); -+ -+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, -+ users[1].name); -+ assert_int_equal(ret, 1); -+ -+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, -+ users[2].name); -+ assert_int_equal(ret, 1); -+ -+ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER); -+ assert_int_equal(element->num_values, 3); -+ -+ talloc_zfree(lowered_name); -+ talloc_zfree(rule); -+ talloc_zfree(filter); -+ talloc_zfree(msgs); -+} -+ -+void test_store_sudo_case_insensitive(void **state) -+{ -+ errno_t ret; -+ char *filter; -+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, -+ SYSDB_SUDO_CACHE_AT_RUNASUSER, -+ SYSDB_SUDO_CACHE_AT_USER, NULL }; -+ struct ldb_message **msgs = NULL; -+ size_t msgs_count; -+ const char *result; -+ struct ldb_message_element *element; -+ struct sysdb_attrs *rule; -+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, -+ struct sysdb_test_ctx); -+ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name); -+ -+ rule = sysdb_new_attrs(test_ctx); -+ assert_non_null(rule); -+ create_rule_attrs_multiple_sudoUser(rule); -+ -+ test_ctx->tctx->dom->case_sensitive = false; -+ -+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); -+ assert_int_equal(ret, EOK); -+ -+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); -+ assert_non_null(filter); -+ -+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, -+ attrs, &msgs_count, &msgs); -+ assert_int_equal(ret, EOK); -+ -+ assert_int_equal(msgs_count, 1); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL); -+ assert_non_null(result); -+ assert_string_equal(result, rules[0].name); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST, -+ NULL); -+ 
assert_non_null(result); -+ assert_string_equal(result, rules[0].host); -+ -+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER, -+ NULL); -+ assert_non_null(result); -+ assert_string_equal(result, rules[0].as_user); -+ -+ for (int i = 0; i < 3; i++) { -+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, -+ users[i].name); -+ assert_int_equal(ret, 1); -+ } -+ -+ /* test there is no duplication of lowercase forms */ -+ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER); -+ assert_int_equal(element->num_values, 4); -+ -+ talloc_zfree(lowered_name); -+ talloc_zfree(rule); -+ talloc_zfree(filter); -+ talloc_zfree(msgs); -+} -+ - void test_sudo_purge_by_filter(void **state) - { - errno_t ret; -@@ -648,6 +808,12 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_store_sudo, - test_sysdb_setup, - test_sysdb_teardown), -+ cmocka_unit_test_setup_teardown(test_store_sudo_case_sensitive, -+ test_sysdb_setup, -+ test_sysdb_teardown), -+ cmocka_unit_test_setup_teardown(test_store_sudo_case_insensitive, -+ test_sysdb_setup, -+ test_sysdb_teardown), - - /* sysdb_sudo_purge() */ - cmocka_unit_test_setup_teardown(test_sudo_purge_by_filter, --- -2.11.0 - diff --git a/sssd/patches/0024-IPA-AD-check-auth-ctx-before-using-it.patch b/sssd/patches/0024-IPA-AD-check-auth-ctx-before-using-it.patch deleted file mode 100644 index e0d1b7da5..000000000 --- a/sssd/patches/0024-IPA-AD-check-auth-ctx-before-using-it.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From a859747b84125124ea794aa422f5b811bb0dba2d Mon Sep 17 00:00:00 2001 -From: Sumit Bose sbose@redhat.com -Date: Tue, 8 Nov 2016 11:51:57 +0100 -Subject: [PATCH 24/39] IPA/AD: check auth ctx before using it - -In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to -set the 'canonicalize' option in the system-wide Kerberos configuration -according to the settings in SSSD if the AD or IPA provider were used. -Unfortunately the patch implied that the auth provider is the same as -the id provider which might not always be the case. A different auth -provider caused a crash in the backend which is fixed by this patch. - -Resolves https://fedorahosted.org/sssd/ticket/3234 - -Reviewed-by: Petr Cech pcech@redhat.com -(cherry picked from commit ea11ed3ea6291488dd762033246edc4ce3951aeb) -(cherry picked from commit 37e070c8c2ea79d8d84bae3da3a34c81212744ab) ---- - src/providers/ad/ad_subdomains.c | 13 +++++++++++-- - src/providers/ipa/ipa_subdomains.c | 20 +++++++++++++++++--- - 2 files changed, 28 insertions(+), 5 deletions(-) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index 52bf5361f..5e57d218c 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) - { - const char *path; - errno_t ret; -- bool canonicalize; -+ bool canonicalize = false; - - path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, - AD_KRB5_CONFD_PATH); - -- canonicalize = dp_opt_get_bool( -+ if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL -+ && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) { -+ canonicalize = dp_opt_get_bool( - subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, - KRB5_CANONICALIZE); -+ } else { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " -+ "most probably because the auth provider " -+ "is not 'ad'. 
Kerberos configuration " -+ "snippet to set the 'canonicalize' option " -+ "will not be created.\n"); -+ } - - ret = sss_write_krb5_conf_snippet(path, canonicalize); - if (ret != EOK) { -diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c -index 8653e3f46..b2e96b204 100644 ---- a/src/providers/ipa/ipa_subdomains.c -+++ b/src/providers/ipa/ipa_subdomains.c -@@ -73,16 +73,30 @@ static errno_t - ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) - { - errno_t ret; -+ bool canonicalize = false; - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Re-initializing domain %s\n", ctx->be_ctx->domain->name); - -+ if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL -+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL -+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL -+ ) { -+ canonicalize = dp_opt_get_bool( -+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, -+ KRB5_CANONICALIZE); -+ } else { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " -+ "most probably because the auth provider " -+ "is not 'ipa'. Kerberos configuration " -+ "snippet to set the 'canonicalize' option " -+ "will not be created.\n"); -+ } -+ - ret = sss_write_krb5_conf_snippet( - dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, - IPA_KRB5_CONFD_PATH), -- dp_opt_get_bool( -- ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, -- KRB5_CANONICALIZE)); -+ canonicalize); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); - /* Just continue */ --- -2.11.0 - diff --git a/sssd/patches/0025-SECRETS-Fix-secrets-rule-in-the-allowed-sections.patch b/sssd/patches/0025-SECRETS-Fix-secrets-rule-in-the-allowed-sections.patch deleted file mode 100644 index 27f461a9d..000000000 --- a/sssd/patches/0025-SECRETS-Fix-secrets-rule-in-the-allowed-sections.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From c0a516f5d91290135c6b019a8a9d269edf8214cd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= fidencio@redhat.com -Date: Mon, 17 Oct 2016 17:07:56 +0200 -Subject: [PATCH 25/39] SECRETS: Fix secrets rule in the allowed sections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We have been matching an invalid subsection of the secrets' section, -like: -[secrets/users/] - -Let's ensure that we only match the following cases: -[secrets] -[secrets/users/[0-9]+] - -Signed-off-by: Fabiano Fidêncio fidencio@redhat.com - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit da8801c363716533f60bc78e10f3a2100cebc3a1) -(cherry picked from commit 2535993d81c7d0dbbd6c6fab6f45b338845535cf) ---- - src/config/cfg_rules.ini | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index ec716b558..24937c969 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -8,7 +8,7 @@ section = autofs - section = ssh - section = pac - section = ifp --section_re = ^secrets(/users/([0-9]+)?)?$ -+section_re = ^secrets(/users/[0-9]+)?$ - section_re = ^domain/.*$ - - [rule/allowed_sssd_options] -@@ -213,7 +213,7 @@ option = user_attributes - - [rule/allowed_sec_options] - validator = ini_allowed_options --section_re = ^secrets(/users/([0-9]+)?)?$ -+section_re = ^secrets(/users/[0-9]+)?$ - - option = timeout - option = debug --- -2.11.0 - diff --git a/sssd/patches/0026-SECRETS-Add-allowed_sec_users_options.patch b/sssd/patches/0026-SECRETS-Add-allowed_sec_users_options.patch deleted file mode 100644 index 70c3e1e3f..000000000 --- a/sssd/patches/0026-SECRETS-Add-allowed_sec_users_options.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From c16214f71f8ab2a5fc122966159ce056e0e9e897 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= fidencio@redhat.com -Date: Mon, 17 Oct 2016 18:58:50 +0200 -Subject: [PATCH 26/39] SECRETS: Add allowed_sec_users_options -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There are options (the proxying related ones) that only apply to the -secrets' subsections. In order to make config API able to catch those, -let's create a new section called allowed_sec_users_options) and move -there these proxying options. - -Signed-off-by: Fabiano Fidêncio fidencio@redhat.com - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 682c9c3467055c2149af28826f7458b857b0f8c4) -(cherry picked from commit 9d4cc96f2951412f647223dfe59060fa1e2b7b14) ---- - src/config/cfg_rules.ini | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 24937c969..882a185d8 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -8,7 +8,8 @@ section = autofs - section = ssh - section = pac - section = ifp --section_re = ^secrets(/users/[0-9]+)?$ -+section = secrets -+section_re = ^secrets/users/[0-9]+$ - section_re = ^domain/.*$ - - [rule/allowed_sssd_options] -@@ -211,9 +212,10 @@ option = description - option = allowed_uids - option = user_attributes - -+# Secrets service - [rule/allowed_sec_options] - validator = ini_allowed_options --section_re = ^secrets(/users/[0-9]+)?$ -+section_re = ^secrets$ - - option = timeout - option = debug -@@ -226,12 +228,15 @@ option = reconnection_retries - option = fd_limit - option = client_idle_timeout - option = description -- --# Secrets service --option = provider - option = containers_nest_level - option = max_secrets -+ -+[rule/allowed_sec_users_options] -+validator = ini_allowed_options -+section_re = ^secrets/users/[0-9]+$ -+ - # Secrets service - proxy 
-+option = provider - option = proxy_url - option = auth_type - option = auth_header_name --- -2.11.0 - diff --git a/sssd/patches/0027-ipa-Nested-netgroups-do-not-work.patch b/sssd/patches/0027-ipa-Nested-netgroups-do-not-work.patch deleted file mode 100644 index d6a283811..000000000 --- a/sssd/patches/0027-ipa-Nested-netgroups-do-not-work.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 9ccd49a3bcabd8eb32a559af2cacf2b0fdcfad96 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= mzidek@redhat.com -Date: Thu, 10 Nov 2016 15:04:57 +0100 -Subject: [PATCH 27/39] ipa: Nested netgroups do not work - -We lowercase the keys to the hash table used to store netgroups -but do not lowercase it when reading the table. This results -in nested netgroups not being found when they should and -the processing fails. - -The lowercasing does not seem to be necessary anymore (not -sure if it ever was) so we can skip it. - -Resolves: -https://fedorahosted.org/sssd/ticket/3159 - -Reviewed-by: Petr Cech pcech@redhat.com -(cherry picked from commit ff565da1011aa4312847e28e7af66e57fccf8b90) -(cherry picked from commit 7de33877c7e39f9a5cae6baf815dc18ae5a18597) ---- - src/providers/ipa/ipa_netgroups.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c -index a19e5e03d..17b11af5d 100644 ---- a/src/providers/ipa/ipa_netgroups.c -+++ b/src/providers/ipa/ipa_netgroups.c -@@ -563,7 +563,6 @@ static void ipa_netgr_members_process(struct tevent_req *subreq) - size_t count; - int ret, i; - const char *orig_dn; -- char *orig_dn_lower; - hash_table_t *table; - hash_key_t key; - hash_value_t value; -@@ -638,20 +637,12 @@ static void ipa_netgr_members_process(struct tevent_req *subreq) - goto fail; - } - -- orig_dn_lower = talloc_strdup(table, orig_dn); -- if (orig_dn_lower == NULL) { -+ key.str = talloc_strdup(table, orig_dn); -+ if (key.str == NULL) { - ret = ENOMEM; - goto fail; - } -- /* Transform the DN to lower case. 
-- * this is important, as the member/memberof attributes -- * have the value also in lower-case -- */ -- key.str = orig_dn_lower; -- while (*orig_dn_lower != '\0') { -- *orig_dn_lower = tolower(*orig_dn_lower); -- orig_dn_lower++; -- } -+ - value.ptr = entities[i]; - ret = hash_enter(table, &key, &value); - if (ret != HASH_SUCCESS) { --- -2.11.0 - diff --git a/sssd/patches/0028-Qualify-ghost-user-attribute-in-case-ldap_group_nest.patch b/sssd/patches/0028-Qualify-ghost-user-attribute-in-case-ldap_group_nest.patch deleted file mode 100644 index ea1476ba3..000000000 --- a/sssd/patches/0028-Qualify-ghost-user-attribute-in-case-ldap_group_nest.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 712f064ed197063016fee16a3438fb22f08759bf Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Wed, 9 Nov 2016 11:59:10 +0100 -Subject: [PATCH 28/39] Qualify ghost user attribute in case - ldap_group_nesting_level is set to 0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When the sssd is set to not resolve nested groups with RFC2307bis, then -the LDAP provider takes a different path. We didn't qualify the ghost -users in this case. - -Resolves: -https://fedorahosted.org/sssd/ticket/3236 - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit 538a7f1dd8339b90e0cfc64e7919a34d1d5c10d3) -(cherry picked from commit e0b544e6f664c2ce5ddd8df866d996607ce488cc) ---- - src/providers/ldap/sdap_async_groups.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c -index 08dfa01b1..81503798c 100644 ---- a/src/providers/ldap/sdap_async_groups.c -+++ b/src/providers/ldap/sdap_async_groups.c -@@ -1668,7 +1668,7 @@ static void sdap_process_group_members(struct tevent_req *subreq) - struct sdap_process_group_state *state = - tevent_req_data(req, struct sdap_process_group_state); - struct ldb_message_element *el; -- uint8_t* name_string; -+ char *name_string; - - state->check_count--; - DEBUG(SSSDBG_TRACE_ALL, "Members remaining: %zu\n", state->check_count); -@@ -1694,11 +1694,18 @@ static void sdap_process_group_members(struct tevent_req *subreq) - goto next; - } - -- name_string = el[0].values[0].data; -+ name_string = sss_create_internal_fqname(state, -+ (const char *) el[0].values[0].data, -+ state->dom->name); -+ if (name_string == NULL) { -+ ret = ENOMEM; -+ goto next; -+ } -+ - state->ghost_dns->values[state->ghost_dns->num_values].data = -- talloc_steal(state->ghost_dns->values, name_string); -+ talloc_steal(state->ghost_dns->values, (uint8_t *) 
name_string); - state->ghost_dns->values[state->ghost_dns->num_values].length = -- strlen((char *)name_string); -+ strlen(name_string); - state->ghost_dns->num_values++; - - next: --- -2.11.0 - diff --git a/sssd/patches/0029-tests-Add-a-test-for-group-resolution-with-ldap_grou.patch b/sssd/patches/0029-tests-Add-a-test-for-group-resolution-with-ldap_grou.patch deleted file mode 100644 index d9a763e5a..000000000 --- a/sssd/patches/0029-tests-Add-a-test-for-group-resolution-with-ldap_grou.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From a72d7cf57143ca56834c6bb33b289ba98ed02b91 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Wed, 9 Nov 2016 11:59:34 +0100 -Subject: [PATCH 29/39] tests: Add a test for group resolution with - ldap_group_nesting_level=0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -(cherry picked from commit 65e791f844b4513ca2c3ee23f8cd2979566b3719) -(cherry picked from commit a7be684411aff42e03e181dd81de921185e16c34) ---- - src/tests/intg/test_ldap.py | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py -index 7f0b8ff18..bf25d9509 100644 ---- a/src/tests/intg/test_ldap.py -+++ b/src/tests/intg/test_ldap.py -@@ -951,3 +951,32 @@ def test_remove_user_from_nested_group(ldap_conn, - dict(mem=ent.contains_only("user2"))) - ent.assert_group_by_name("group3", - dict(mem=ent.contains_only())) -+ -+ -+def zero_nesting_sssd_conf(ldap_conn, schema): -+ """Format an SSSD configuration with group nesting disabled""" -+ return \ -+ format_basic_conf(ldap_conn, schema) + \ -+ unindent(""" -+ [domain/LDAP] -+ ldap_group_nesting_level = 0 -+ """).format(INTERACTIVE_TIMEOUT) -+ -+ -+@pytest.fixture -+def rfc2307bis_no_nesting(request, ldap_conn): -+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) -+ ent_list.add_user("user1", 1001, 2001) -+ ent_list.add_group_bis("group1", 20001, member_uids=["user1"]) -+ create_ldap_fixture(request, ldap_conn, ent_list) -+ create_conf_fixture(request, -+ zero_nesting_sssd_conf( -+ ldap_conn, -+ SCHEMA_RFC2307_BIS)) -+ create_sssd_fixture(request) -+ return None -+ -+ -+def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting): -+ ent.assert_group_by_name("group1", -+ dict(mem=ent.contains_only("user1"))) --- -2.11.0 - 
diff --git a/sssd/patches/0030-BUILD-Fix-a-typo-in-inotify.m4.patch b/sssd/patches/0030-BUILD-Fix-a-typo-in-inotify.m4.patch deleted file mode 100644 index b4a8f5968..000000000 --- a/sssd/patches/0030-BUILD-Fix-a-typo-in-inotify.m4.patch +++ /dev/null @@ -1,37 +0,0 @@ -From bf0971190884b664ef38d8fc42199fca8e496e54 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Fri, 18 Nov 2016 12:19:02 +0100 -Subject: [PATCH 30/39] BUILD: Fix a typo in inotify.m4 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This typo prevented HAVE_INOTIFY from ever being set and as an effect, -prevented /etc/resolv.conf inotify detection from working - -Reviewed-by: Lukáš SlebodnÃk lslebodn@redhat.com -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -(cherry picked from commit 2927dc45b9bc810f4f55bce165bb96405129e693) -(cherry picked from commit 495289cfa922b00278aa91d433489403e792304e) ---- - src/external/inotify.m4 | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/external/inotify.m4 b/src/external/inotify.m4 -index 9572f6d2f..25259a817 100644 ---- a/src/external/inotify.m4 -+++ b/src/external/inotify.m4 -@@ -6,8 +6,8 @@ AC_DEFUN([AM_CHECK_INOTIFY], - AC_MSG_CHECKING([whether sys/inotify.h actually works]) - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ --#ifdef HAVE_SYS_INOTITY_H --#include <sys/inotify.h>, -+#ifdef HAVE_SYS_INOTIFY_H -+#include <sys/inotify.h> - #endif - int main () { - return (-1 == inotify_init()); --- -2.11.0 - diff --git a/sssd/patches/0031-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch b/sssd/patches/0031-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch deleted file mode 100644 index 6e9cccd02..000000000 --- a/sssd/patches/0031-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 74fb5008403cc7324138740b327bb282aeb19a08 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20=C4=8Cech?= pcech@redhat.com -Date: Wed, 16 Nov 2016 10:09:18 +0100 -Subject: [PATCH 31/39] SYSDB: Fixing of sudorule without a sudoUser - -This patch solved a regression caused by the recent patches -to lowercase sudoUser -- in case sudoUser is missing completely, -we abort the processing of this rule and all others. - -With this patch, we return ERR_MALFORMED_ENTRY and gracefully -skip the malformed rule instead. - -Resolves: -https://fedorahosted.org/sssd/ticket/3241 - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 7e23edbaa7a6bbd0b461d5792535896b6a77928b) -(cherry picked from commit 54f176066dafafdc12f6e0dd112ff6339308aa7c) ---- - src/db/sysdb_sudo.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c -index 4bd93ffc6..f5160f190 100644 ---- a/src/db/sysdb_sudo.c -+++ b/src/db/sysdb_sudo.c -@@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", - SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); -+ ret = ERR_MALFORMED_ENTRY; - goto done; - } - -@@ -977,6 +978,10 @@ sysdb_sudo_store(struct sss_domain_info *domain, - /* Multiple CNs are error on server side, we can just ignore this - * rule and save the others. Loud debug message is in logs. */ - continue; -+ } else if (ret == ERR_MALFORMED_ENTRY) { -+ /* Attribute SYSDB_SUDO_CACHE_AT_USER is missing but we can -+ * continue with next sudoRule. */ -+ continue; - } else if (ret != EOK) { - goto done; - } --- -2.11.0 - diff --git a/sssd/patches/0032-UTIL-Fix-implicit-declaration-of-function-htobe32.patch b/sssd/patches/0032-UTIL-Fix-implicit-declaration-of-function-htobe32.patch deleted file mode 100644 index 94172b23c..000000000 
--- a/sssd/patches/0032-UTIL-Fix-implicit-declaration-of-function-htobe32.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 2d6fe5942218ee8f24eb6ccd8ffec5fab65c170b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lukas.slebodnik@intrak.sk -Date: Fri, 18 Nov 2016 17:29:44 +0100 -Subject: [PATCH 32/39] UTIL: Fix implicit declaration of function 'htobe32' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Include internal wrapper header file for endian related functions. -The "util/sss_endian.h" include available header file on different -platform or it provides compatible macros in the worst case. - -Breakage noticed when building SSSD on FreeBSD - - CC src/util/cert/nss/libsss_cert_la-cert.lo -src/util/cert/nss/cert.c: In function 'cert_to_ssh_key': -src/util/cert/nss/cert.c:358: error: implicit declaration of function 'htobe32' -gmake[2]: *** [Makefile:12421: src/util/cert/nss/libsss_cert_la-cert.lo] Error 1 -gmake[2]: Leaving directory '/root/sssd_from_git' -gmake[1]: *** [Makefile:20050: all-recursive] Error 1 -gmake[1]: Leaving directory '/root/sssd_from_git' -gmake: *** [Makefile:7116: all] Error 2 - -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -(cherry picked from commit 58aa8d645fa95641431a2828e985f80c7fc36465) -(cherry picked from commit a70351fddb9c26763b2bf658f56ff043a7b3db6f) ---- - src/util/cert/libcrypto/cert.c | 1 + - src/util/cert/nss/cert.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c -index aba598d7c..c54db86bb 100644 ---- a/src/util/cert/libcrypto/cert.c -+++ b/src/util/cert/libcrypto/cert.c -@@ -22,6 +22,7 @@ - #include <openssl/pem.h> - - #include "util/util.h" -+#include "util/sss_endian.h" - - errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, - size_t der_size, char **pem, size_t *pem_size) -diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c -index b5e0ff961..9d31cfe9b 100644 ---- a/src/util/cert/nss/cert.c -+++ b/src/util/cert/nss/cert.c -@@ -31,6 +31,7 @@ - #include 
"util/crypto/sss_crypto.h" - #include "util/crypto/nss/nss_util.h" - #include "util/cert.h" -+#include "util/sss_endian.h" - - #define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" - #define NS_CERT_TRAILER "-----END CERTIFICATE-----" --- -2.11.0 - diff --git a/sssd/patches/0033-sssctl-Fix-missing-declaration.patch b/sssd/patches/0033-sssctl-Fix-missing-declaration.patch deleted file mode 100644 index 5a0eacd90..000000000 --- a/sssd/patches/0033-sssctl-Fix-missing-declaration.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 99b48ffa1a525c0736f67b89c81bfc867977a99c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lukas.slebodnik@intrak.sk -Date: Fri, 18 Nov 2016 17:58:28 +0100 -Subject: [PATCH 33/39] sssctl: Fix missing declaration -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The WEXITSTATUS is defined in stdlib.h on linux. -There is a nice comment in stdlib.h: - /* Define the macros <sys/wait.h> also would define this way. */ - -It's better to not rely on this and use more platfom friendly -way with including "sys/wait.h". For example the libc on FreeBSD -does not provide WEXITSTATUS in stdlib.h. - -I found this macro mentioned only in the manual page for wait(2) -and there is mentioned just the "sys/wait.h" and not "stdlib.h" - -src/tools/sssctl/sssctl.c: In function 'sssctl_run_command': -src/tools/sssctl/sssctl.c:110: error: implicit declaration of function -'WEXITSTATUS' -gmake[2]: *** [Makefile:22383: src/tools/sssctl/sssctl-sssctl.o] Error 1 - -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -(cherry picked from commit 73c9330fa3de6912e45c1ab686d5290f143b8352) -(cherry picked from commit 161ddc1f24082c735801775802a483e96909152c) ---- - src/tools/sssctl/sssctl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index ece1e6df1..e1cf46382 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -20,6 +20,7 @@ - - #include <stdlib.h> - #include <stdio.h> -+#include <sys/wait.h> - - #include "util/util.h" - #include "tools/sssctl/sssctl.h" --- -2.11.0 - diff --git a/sssd/patches/0034-UTIL-Fix-compilation-of-sss_utf8-with-libunistring.patch b/sssd/patches/0034-UTIL-Fix-compilation-of-sss_utf8-with-libunistring.patch deleted file mode 100644 index d727c28ec..000000000 --- a/sssd/patches/0034-UTIL-Fix-compilation-of-sss_utf8-with-libunistring.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 6a3c115022b54bce155c04a1c090561cf626006a Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lukas.slebodnik@intrak.sk -Date: Fri, 18 Nov 2016 17:49:35 +0100 -Subject: [PATCH 34/39] UTIL: Fix compilation of sss_utf8 with libunistring -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The internal header file "util/util.h" was removed from sss_utf8.h -as part of commit de5fa34860886ad68fba5e739987e16c342e8f14. -It was neccessary to ensure libipa_hbac can be build with C90 -compatible compiler. - -This header file includes many system header file and after -this change caused missing declaration of the function free() - -src/util/sss_utf8.c: In function âsss_utf8_freeâ: -src/util/sss_utf8.c:40:12: error: implicit declaration of function âfreeâ - [-Werror=implicit-function-declaration] - return free(ptr); - ^~~~ -src/util/sss_utf8.c:40:12: warning: incompatible implicit declaration - of built-in function âfreeâ -src/util/sss_utf8.c:40:12: note: include â<stdlib.h>â or provide - a declaration of âfreeâ -cc1: some warnings being treated as errors - -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -(cherry picked from commit c101cb130df0705a9227dadce22554307eee54db) -(cherry picked from commit 76e2df701559d8723ea632722c94c8dfb820fc93) ---- - src/util/sss_utf8.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/util/sss_utf8.c b/src/util/sss_utf8.c -index 722f28d08..e62e9c6c9 100644 ---- a/src/util/sss_utf8.c -+++ b/src/util/sss_utf8.c -@@ -26,6 +26,7 @@ - #include <errno.h> - - #ifdef HAVE_LIBUNISTRING -+#include <stdlib.h> - #include <unistr.h> - #include <unicase.h> - #elif defined(HAVE_GLIB2) --- -2.11.0 - diff --git a/sssd/patches/0035-SIFP-Fix-warning-format-security.patch b/sssd/patches/0035-SIFP-Fix-warning-format-security.patch deleted file mode 100644 index 731de71bb..000000000 --- a/sssd/patches/0035-SIFP-Fix-warning-format-security.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 86fa0fa9543b4f21a152bcaedbcb3d5608567aa2 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Thu, 1 Dec 2016 13:13:21 +0100 -Subject: [PATCH 35/39] SIFP: Fix warning format-security -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -dbus-1.11.8 added attributes for format string check to -few functions in public header files. And therefore there is a warning. - -src/lib/sifp/sss_sifp_utils.c: In function âsss_sifp_set_io_errorâ: -src/lib/sifp/sss_sifp_utils.c:44:5: error: format not a string literal -and no format arguments [-Werror=format-security] - dbus_set_error(ctx->io_error, error->name, error->message); - ^~~~~~~~~~~~~~ - -Reviewed-by: Pavel BÅezina pbrezina@redhat.com -(cherry picked from commit 8618716d6ed4eadca2743eb2dfbbb8d11c4fb22f) -(cherry picked from commit 043862847cee673084a56f387d195deb82386de7) ---- - src/lib/sifp/sss_sifp_utils.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/sifp/sss_sifp_utils.c b/src/lib/sifp/sss_sifp_utils.c -index ccd051838..dcac71f50 100644 ---- a/src/lib/sifp/sss_sifp_utils.c -+++ b/src/lib/sifp/sss_sifp_utils.c -@@ -41,7 +41,7 @@ void sss_sifp_set_io_error(sss_sifp_ctx *ctx, DBusError *error) - { - dbus_error_free(ctx->io_error); - dbus_error_init(ctx->io_error); -- dbus_set_error(ctx->io_error, error->name, error->message); -+ dbus_set_error(ctx->io_error, error->name, "%s", error->message); - } - - char * sss_sifp_strdup(sss_sifp_ctx *ctx, const char *str) --- -2.11.0 - diff --git a/sssd/patches/0036-SSH-Use-default_domain_suffix-for-users-authorized-k.patch b/sssd/patches/0036-SSH-Use-default_domain_suffix-for-users-authorized-k.patch deleted file mode 100644 index 168fd3f97..000000000 --- a/sssd/patches/0036-SSH-Use-default_domain_suffix-for-users-authorized-k.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From e1a01adb021f7d2b3674c4d8151797e265608c20 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Thu, 24 Nov 2016 18:07:56 +0100 -Subject: [PATCH 36/39] SSH: Use default_domain_suffix for users' authorized - keys - -In commit eeecc48d22a28bb69da56f6ffd8824163fc9bf00 we disabled -default_domain_suffix for the SSH responder, but in a wrong way -- we -disabled the functionality completely, also for users, not only for -computers. This might have been correct at the time, since SSH keys in ID -overrides are a relatively new feature, but it's definitely not correct -in general. - -Instead, this patch restores the use of default_domain_suffix, but only -for looking up public keys of users, not of computers. - -Resolves: -https://fedorahosted.org/sssd/ticket/3259 - -Reviewed-by: Petr Cech pcech@redhat.com -(cherry picked from commit ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce) -(cherry picked from commit 2949fe58ac344c44d756ca309d4b2b7f3590cee3) ---- - src/responder/ssh/sshsrv_cmd.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c -index ab721d66e..2e64893df 100644 ---- a/src/responder/ssh/sshsrv_cmd.c -+++ b/src/responder/ssh/sshsrv_cmd.c -@@ -36,7 +36,8 @@ - #include "responder/ssh/sshsrv_private.h" - - static errno_t --ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx); -+ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx, -+ char *default_domain); - - static errno_t - ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx); -@@ -57,7 +58,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx) - cmd_ctx->cctx = cctx; - cmd_ctx->is_user = true; - -- ret = ssh_cmd_parse_request(cmd_ctx); -+ ret = ssh_cmd_parse_request(cmd_ctx, cctx->rctx->default_domain); - if (ret != EOK) { - goto done; - } -@@ -107,7 +108,7 @@ sss_ssh_cmd_get_host_pubkeys(struct cli_ctx *cctx) - cmd_ctx->cctx = cctx; - cmd_ctx->is_user = false; - -- ret = 
ssh_cmd_parse_request(cmd_ctx); -+ ret = ssh_cmd_parse_request(cmd_ctx, NULL); - if (ret != EOK) { - goto done; - } -@@ -681,7 +682,8 @@ done: - } - - static errno_t --ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) -+ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx, -+ char *default_domain) - { - struct cli_protocol *pctx; - struct ssh_ctx *ssh_ctx; -@@ -754,6 +756,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) - return EINVAL; - } - c += domain_len; -+ } else { -+ domain = default_domain; - } - - DEBUG(SSSDBG_TRACE_FUNC, --- -2.11.0 - diff --git a/sssd/patches/0037-Prevent-use-after-free-in-fd_input_available.patch b/sssd/patches/0037-Prevent-use-after-free-in-fd_input_available.patch deleted file mode 100644 index 5d821e530..000000000 --- a/sssd/patches/0037-Prevent-use-after-free-in-fd_input_available.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From d2f8e3876810cf99228827432ea4f4a59877448d Mon Sep 17 00:00:00 2001 -From: Carl Henrik Lunde chlunde@ifi.uio.no -Date: Thu, 1 Dec 2016 00:09:00 +0100 -Subject: [PATCH 37/39] Prevent use after free in fd_input_available - -When both TEVENT_FD_WRITE and TEVENT_FD_READ are set, and an error/EOF -occurs when reading from the socket, we will get a use after free -in the second call ares_process_fd. The first call will free the watch -structure via a callback. - -Prevent this by calling ares_process_fd only once. - -Invalid read of size 4 - at fd_input_available (async_resolv.c:147) - by epoll_event_loop (tevent_epoll.c:728) - by epoll_event_loop_once (tevent_epoll.c:926) - by std_event_loop_once (tevent_standard.c:114) - by _tevent_loop_once (tevent.c:533) - by tevent_common_loop_wait (tevent.c:637) - by std_event_loop_wait (tevent_standard.c:140) - by server_loop (server.c:702) - by main (data_provider_be.c:587) - Address ... is 112 bytes inside a block of size 136 free'd - at free (vg_replace_malloc.c:530) - by _talloc_free_internal (talloc.c:1116) - by _talloc_free (talloc.c:1647) - by ares__close_sockets (ares__close_sockets.c:50) - by handle_error (ares_process.c:679) - by read_tcp_data (ares_process.c:391) - by processfds (ares_process.c:138) - by fd_input_available (async_resolv.c:144) - by epoll_event_loop (tevent_epoll.c:728) - by epoll_event_loop_once (tevent_epoll.c:926) - by std_event_loop_once (tevent_standard.c:114) - by _tevent_loop_once (tevent.c:533) - by tevent_common_loop_wait (tevent.c:637) - by std_event_loop_wait (tevent_standard.c:140) - by server_loop (server.c:702) - -Resolves: -https://fedorahosted.org/sssd/ticket/3250 - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 9676b464dd428557ff5a648e1351a3972440396f) -(cherry picked from commit fefdd70237cbe82af7d8845131e45401e73b3b07) ---- - src/resolv/async_resolv.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git 
a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c -index e85955677..47b4db7ec 100644 ---- a/src/resolv/async_resolv.c -+++ b/src/resolv/async_resolv.c -@@ -140,12 +140,9 @@ fd_input_available(struct tevent_context *ev, struct tevent_fd *fde, - return; - } - -- if (flags & TEVENT_FD_READ) { -- ares_process_fd(watch->ctx->channel, watch->fd, ARES_SOCKET_BAD); -- } -- if (flags & TEVENT_FD_WRITE) { -- ares_process_fd(watch->ctx->channel, ARES_SOCKET_BAD, watch->fd); -- } -+ ares_process_fd(watch->ctx->channel, -+ flags & TEVENT_FD_READ ? watch->fd : ARES_SOCKET_BAD, -+ flags & TEVENT_FD_WRITE ? watch->fd : ARES_SOCKET_BAD); - } - - static void --- -2.11.0 - diff --git a/sssd/patches/0038-STAP-Only-print-transaction-statistics-if-the-script.patch b/sssd/patches/0038-STAP-Only-print-transaction-statistics-if-the-script.patch deleted file mode 100644 index 9de970534..000000000 --- a/sssd/patches/0038-STAP-Only-print-transaction-statistics-if-the-script.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 39fe2093254db5d4cd223e7d9c228689ba6382ca Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek jhrozek@redhat.com -Date: Mon, 28 Nov 2016 08:44:04 +0100 -Subject: [PATCH 38/39] STAP: Only print transaction statistics if the script - caught some transactions -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the script measured an 'id' run from the cache, there would be no -transactions and dereferencing the aggrefate would throw an error. - -Reviewed-by: Fabiano Fidêncio fidencio@redhat.com -(cherry picked from commit 150a0cc8fe1936002af136e5552ef6cdd210956f) -(cherry picked from commit e6c74de2cbc9b0b713ed6dadbfef80c7c1b5cd51) ---- - contrib/systemtap/id_perf.stp | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/contrib/systemtap/id_perf.stp b/contrib/systemtap/id_perf.stp -index 0ad619506..a7789750f 100644 ---- a/contrib/systemtap/id_perf.stp -+++ b/contrib/systemtap/id_perf.stp -@@ -64,8 +64,10 @@ function print_report() - } - } - -- printf("The most expensive transaction breakdown, per transaction:\n") -- print(@hist_linear(bts[max_trans_time_bt], 0, 500, 50)) -+ if (max_trans_time > 0) { -+ printf("The most expensive transaction breakdown, per transaction:\n") -+ print(@hist_linear(bts[max_trans_time_bt], 0, 500, 50)) -+ } - } - - probe process("/usr/bin/id").begin --- -2.11.0 - diff --git a/sssd/patches/0039-sudo-do-not-store-usn-if-no-rules-are-found.patch b/sssd/patches/0039-sudo-do-not-store-usn-if-no-rules-are-found.patch deleted file mode 100644 index 9598b1d27..000000000 --- a/sssd/patches/0039-sudo-do-not-store-usn-if-no-rules-are-found.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From f2fe644510afd2d3bc989a4fea2ce2b2a1a69e9c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= pbrezina@redhat.com -Date: Mon, 5 Dec 2016 14:37:41 +0100 -Subject: [PATCH 39/39] sudo: do not store usn if no rules are found - -When ldap doesn't contain any sudorule during the initial full refresh, -usn is set to 1 instead of remaining unset and we are trying to -search modifyTimestamp>=1 during smart refresh which doesn't return any result -on openldap servers. - -Resolves: -https://fedorahosted.org/sssd/ticket/3257 - -Reviewed-by: Jakub Hrozek jhrozek@redhat.com -(cherry picked from commit 46703740e83a66909974a5ee8d47df6a6e5076e7) -(cherry picked from commit 76e97affaa05ce45709efd59d120595c5992aa21) ---- - src/providers/ldap/sdap_sudo_shared.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c -index 807226020..66b788702 100644 ---- a/src/providers/ldap/sdap_sudo_shared.c -+++ b/src/providers/ldap/sdap_sudo_shared.c -@@ -129,7 +129,7 @@ sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, - char *newusn; - - /* We increment USN number so that we can later use simplify filter -- * (just usn >= last+1 instaed of usn >= last && usn != last). -+ * (just usn >= last+1 instead of usn >= last && usn != last). - */ - usn++; - -@@ -174,6 +174,13 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, - return; - } - -+ if (usn_number == 0) { -+ /* Zero means that there were no rules on the server, so we have -+ * nothing to store. */ -+ DEBUG(SSSDBG_TRACE_FUNC, "SUDO USN value is empty.\n"); -+ return; -+ } -+ - newusn = sdap_sudo_new_usn(srv_opts, usn_number, endptr); - if (newusn == NULL) { - return; --- -2.11.0 - diff --git a/sssd/patches/0501-Partially-revert-CONFIG-Use-default-config-when-none.patch b/sssd/patches/0501-Partially-revert-CONFIG-Use-default-config-when-none.patch deleted file mode 100644 index 40f0f43e9..000000000 
--- a/sssd/patches/0501-Partially-revert-CONFIG-Use-default-config-when-none.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 829aa39dffbe35f58b34159b962a2dd8de85fd30 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 12 Dec 2016 18:33:48 +0100 -Subject: [PATCH] Partially revert "CONFIG: Use default config when none - provided" - -This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. - -Removed is copying of default configuration into /etc/sssd/sssd.conf -Sample configurations is still part of installation. ---- - Makefile.am | 3 --- - src/confdb/confdb.h | 1 - - src/confdb/confdb_setup.c | 40 ++++------------------------------------ - 3 files changed, 4 insertions(+), 40 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6bb494b2b 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -462,7 +462,6 @@ AM_CPPFLAGS = \ - -DSSSDDATADIR="$(sssddatadir)" \ - -DSSSD_LIBEXEC_PATH="$(sssdlibexecdir)" \ - -DSSSD_CONF_DIR="$(sssdconfdir)" \ -- -DSSSD_DEFAULT_CONF_DIR="$(sssddefaultconfdir)" \ - -DSSS_NSS_MCACHE_DIR="$(mcpath)" \ - -DSSS_NSS_SOCKET_NAME="$(pipepath)/nss" \ - -DSSS_PAM_SOCKET_NAME="$(pipepath)/pam" \ -@@ -1232,8 +1231,6 @@ sssd_SOURCES = \ - src/confdb/confdb_setup.c \ - src/monitor/monitor_iface_generated.c \ - src/util/nscd.c \ -- src/tools/files.c \ -- src/tools/selinux.c \ - $(NULL) - sssd_LDADD = \ - $(SSSD_LIBS) \ -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 12beaabf8c949bd111abbe16cb98a205490fb08f..4813072bdafb5d6c9ec56a9ccaa5db6a1120112d 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -40,7 +40,6 @@ - - #define CONFDB_DEFAULT_CFG_FILE_VER 2 - #define CONFDB_FILE "config.ldb" --#define SSSD_DEFAULT_CONFIG_FILE SSSD_DEFAULT_CONF_DIR"/sssd.conf" - #define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" - #define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d" - #define SSSD_MIN_ID 1 -diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c -index 
d6feab9000d54d2c3761de6d8e990053ade7e85f..a71d9dd1202824b3c9a7e69f1d8fa905ac1b8c02 100644 ---- a/src/confdb/confdb_setup.c -+++ b/src/confdb/confdb_setup.c -@@ -21,14 +21,12 @@ - - #include "config.h" - #include <sys/stat.h> --#include <unistd.h> - #include "util/util.h" - #include "db/sysdb.h" - #include "confdb.h" - #include "confdb_private.h" - #include "confdb_setup.h" - #include "util/sss_ini.h" --#include "tools/tools_util.h" - - - static int confdb_test(struct confdb_ctx *cdb) -@@ -161,41 +159,11 @@ static int confdb_init_db(const char *config_file, const char *config_dir, - DEBUG(SSSDBG_TRACE_FUNC, - "sss_ini_config_file_open failed: %s [%d]\n", strerror(ret), - ret); -- if (ret != ENOENT) { -- /* Anything other than ENOENT is unrecoverable */ -- goto done; -- } else { -- /* Copy the default configuration file to the standard location -- * and then retry -- */ -- ret = copy_file_secure(SSSD_DEFAULT_CONFIG_FILE, -- SSSD_CONFIG_FILE, -- 0600, -- getuid(), -- getgid(), -- false); -- if (ret != EOK) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "Could not copy default configuration: %s", -- sss_strerror(ret)); -- /* sss specific error denoting missing configuration file */ -- ret = ERR_MISSING_CONF; -- goto done; -- } -- -- /* Try again */ -- ret = sss_ini_config_file_open(init_data, config_file); -- if (ret != EOK) { -- DEBUG(SSSDBG_TRACE_FUNC, -- "sss_ini_config_file_open(default) failed: %s [%d]\n", -- strerror(ret), ret); -- if (ret == ENOENT) { -- /* sss specific error denoting missing configuration file */ -- ret = ERR_MISSING_CONF; -- } -- goto done; -- } -+ if (ret == ENOENT) { -+ /* sss specific error denoting missing configuration file */ -+ ret = ERR_MISSING_CONF; - } -+ goto done; - } - - ret = sss_ini_config_access_check(init_data); --- -2.11.0 - diff --git a/sssd/patches/0502-SYSTEMD-Use-capabilities.patch b/sssd/patches/0502-SYSTEMD-Use-capabilities.patch deleted file mode 100644 index ef612ac94..000000000 
--- a/sssd/patches/0502-SYSTEMD-Use-capabilities.patch +++ /dev/null @@ -1,25 +0,0 @@ -From cf3b1babdbd2221b46816d4c6d5cd90d9de069ec Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik lslebodn@redhat.com -Date: Mon, 12 Dec 2016 21:56:16 +0100 -Subject: [PATCH] SYSTEMD: Use capabilities - -copied from selinux policy ---- - src/sysv/systemd/sssd.service.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index a4f9125b58e72429cc3ac1e679271367ada27f3c..8c49c0415597b21ddcd85e0675580edc4d171a5f 100644 ---- a/src/sysv/systemd/sssd.service.in -+++ b/src/sysv/systemd/sssd.service.in -@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -D -f - # consult systemd.service(5) for more details - Type=forking - PIDFile=@localstatedir@/run/sssd.pid -+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND - - [Install] - WantedBy=multi-user.target --- -2.11.0 - diff --git a/sssd/patches/0503-sss_client-Defer-thread-cancellation-until-completio.patch b/sssd/patches/0503-sss_client-Defer-thread-cancellation-until-completio.patch deleted file mode 100644 index 396ebbe84..000000000 --- a/sssd/patches/0503-sss_client-Defer-thread-cancellation-until-completio.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From d2f93542650c2f9613043acfa8e2f368972a70cd Mon Sep 17 00:00:00 2001 -From: Howard Guo hguo@suse.com -Date: Tue, 11 Oct 2016 10:35:13 +0200 -Subject: [PATCH] sss_client: Defer thread cancellation until completion of - nss/pam operations - -The client code is not cancellation-safe, an application which -has cancelled an NSS operation will experience subtle bugs, -hence thread cancellation is deferred until completion of client -operations. - -Resolves: -https://fedorahosted.org/sssd/ticket/3156 - -Reviewed-by: Sumit Bose sbose@redhat.com -Reviewed-by: Florian Weimer fweimer@redhat.com ---- - Makefile.am | 4 --- - configure.ac | 8 ----- - src/sss_client/common.c | 80 +++++-------------------------------------------- - 3 files changed, 7 insertions(+), 85 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index e037930ff..9f1da4d1e 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -792,10 +792,6 @@ endif - - CLIENT_LIBS = $(LTLIBINTL) - --if HAVE_PTHREAD --CLIENT_LIBS += -lpthread --endif -- - if WITH_JOURNALD - SYSLOG_LIBS = $(JOURNALD_LIBS) - endif -diff --git a/configure.ac b/configure.ac -index d3ef1e162..230524bf3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -62,14 +62,6 @@ AC_COMPILE_IFELSE( - - AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) - --SAVE_LIBS=$LIBS --LIBS="$LIBS -lpthread" --AC_CHECK_FUNCS([ pthread_mutexattr_setrobust \ -- pthread_mutex_consistent \ -- pthread_mutexattr_setrobust_np \ -- pthread_mutex_consistent_np ]) --LIBS=$SAVE_LIBS -- - # Check library for the timer_create function - SAVE_LIBS=$LIBS - LIBS= -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 20106b1b6..b7a5ed760 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -1070,86 +1070,28 @@ typedef void (*sss_mutex_init)(void); - struct sss_mutex { - pthread_mutex_t mtx; - -- pthread_once_t once; -- sss_mutex_init init; -+ int old_cancel_state; - }; - --static void sss_nss_mt_init(void); --static 
void sss_pam_mt_init(void); --static void sss_nss_mc_mt_init(void); -+static struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - --static struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER, -- .once = PTHREAD_ONCE_INIT, -- .init = sss_nss_mt_init }; -+static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - --static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER, -- .once = PTHREAD_ONCE_INIT, -- .init = sss_pam_mt_init }; -- --static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER, -- .once = PTHREAD_ONCE_INIT, -- .init = sss_nss_mc_mt_init }; -- --/* Wrappers for robust mutex support */ --static int sss_mutexattr_setrobust (pthread_mutexattr_t *attr) --{ --#ifdef HAVE_PTHREAD_MUTEXATTR_SETROBUST -- return pthread_mutexattr_setrobust(attr, PTHREAD_MUTEX_ROBUST); --#elif defined(HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP) -- return pthread_mutexattr_setrobust_np(attr, PTHREAD_MUTEX_ROBUST_NP); --#else --#warning Robust mutexes are not supported on this platform. -- return 0; --#endif --} -- --static int sss_mutex_consistent(pthread_mutex_t *mtx) --{ --#ifdef HAVE_PTHREAD_MUTEX_CONSISTENT -- return pthread_mutex_consistent(mtx); --#elif defined(HAVE_PTHREAD_MUTEX_CONSISTENT_NP) -- return pthread_mutex_consistent_np(mtx); --#else --#warning Robust mutexes are not supported on this platform. 
-- return 0; --#endif --} -- --/* Generic mutex init, lock, unlock functions */ --static void sss_mt_init(struct sss_mutex *m) --{ -- pthread_mutexattr_t attr; -- -- if (pthread_mutexattr_init(&attr) != 0) { -- return; -- } -- if (sss_mutexattr_setrobust(&attr) != 0) { -- return; -- } -- -- pthread_mutex_init(&m->mtx, &attr); -- pthread_mutexattr_destroy(&attr); --} -+static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - - static void sss_mt_lock(struct sss_mutex *m) - { -- pthread_once(&m->once, m->init); -- if (pthread_mutex_lock(&m->mtx) == EOWNERDEAD) { -- sss_cli_close_socket(); -- sss_mutex_consistent(&m->mtx); -- } -+ pthread_mutex_lock(&m->mtx); -+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); - } - - static void sss_mt_unlock(struct sss_mutex *m) - { -+ pthread_setcancelstate(m->old_cancel_state, NULL); - pthread_mutex_unlock(&m->mtx); - } - - /* NSS mutex wrappers */ --static void sss_nss_mt_init(void) --{ -- sss_mt_init(&sss_nss_mtx); --} - void sss_nss_lock(void) - { - sss_mt_lock(&sss_nss_mtx); -@@ -1160,10 +1102,6 @@ void sss_nss_unlock(void) - } - - /* NSS mutex wrappers */ --static void sss_pam_mt_init(void) --{ -- sss_mt_init(&sss_pam_mtx); --} - void sss_pam_lock(void) - { - sss_mt_lock(&sss_pam_mtx); -@@ -1174,10 +1112,6 @@ void sss_pam_unlock(void) - } - - /* NSS mutex wrappers */ --static void sss_nss_mc_mt_init(void) --{ -- sss_mt_init(&sss_nss_mc_mtx); --} - void sss_nss_mc_lock(void) - { - sss_mt_lock(&sss_nss_mc_mtx); --- -2.11.0 - diff --git a/sssd/sssd.nm b/sssd/sssd.nm index 01aa8e982..140f5c5d3 100644 --- a/sssd/sssd.nm +++ b/sssd/sssd.nm @@ -4,7 +4,7 @@ ###############################################################################
name = sssd -version = 1.14.2 +version = 2.8.2 release = 1
groups = System/Tools @@ -19,7 +19,7 @@ description account sources. end
-source_dl = https://releases.pagure.org/SSSD/sssd/ +source_dl = https://github.com/SSSD/sssd/releases/download/%%7Bversion%7D/
build # The system security services daemon and many tools requires @@ -28,41 +28,40 @@ build
requires /usr/bin/nsupdate - autoconf - automake c-ares-devel cifs-utils-devel >= 6.6 + curl-devel cyrus-sasl-devel dbus-devel ding-libs-devel >= 0.6.1 docbook-xsl gettext-devel glib2-devel + jansson-devel + jose-devel krb5-devel >= 1.10.3 libcollection-devel libdhash-devel >= 0.6.1 libini_config-devel >= 0.6.1 - libldb-devel >= 1.1.20 + libldb-devel >= 1.6.1 libnl3-devel libnfsidmap-devel libtalloc-devel libtdb-devel libtevent-devel libtool + libunistring-devel openldap-devel openssl-devel + p11-kit-devel >= 0.23.3 pam-devel >= 1.1.6 pcre-devel popt-devel python3-devel - samba-devel >= 4.0.5 + samba-devel >= 4.17.5 systemd-devel end
- prepare_cmds - autoreconf -vfi - end - configure_options += \ --with-crypto=libcrypto \ --with-db-path=%{localstatedir}/sss/db \ @@ -96,14 +95,6 @@ build end end
-quality-agent - whitelist_rpath - %{libdir}/sssd - %{libdir}:%{libdir}/sssd - %{libdir}/sssd:%{libdir} - end -end - packages package %{name} groups += Base @@ -112,8 +103,6 @@ packages %{sysconfdir}/sssd/sssd.conf end
- prerequires += systemd-units - script postin systemctl daemon-reload >/dev/null 2>&1 || : end @@ -154,17 +143,6 @@ packages %{mandir}/man8/pam_sss.8* %{mandir}/man8/sssd_krb5*.8* end - - prerequires += \ - authconfig >= 6.2.5 - - script postin - authconfig --update --enableldap --enablesssd --enablesssdauth - end - - script postun - authconfig --update --disableldap --disablesssd --disablesssdauth - end end
package %{name}-tools diff --git a/systemd/systemd.nm b/systemd/systemd.nm index 98f1aa9cc..5e3d69cb2 100644 --- a/systemd/systemd.nm +++ b/systemd/systemd.nm @@ -225,8 +225,6 @@ end
packages package %{name} - prerequires += authconfig - requires dbus hwdata @@ -285,14 +283,6 @@ packages # Reexec systemd daemon. /usr/bin/systemctl daemon-reexec > /dev/null 2>&1 || :
- # Make sure pam_systemd is enabled - if ! grep -q pam_systemd /etc/pam.d/system-auth-ac ; then - authconfig --update --nostart >/dev/null 2>&1 || : - - # Try harder - grep -q pam_systemd /etc/pam.d/system-auth-ac || authconfig --updateall --nostart >/dev/null 2>&1 || : - fi - # Automatically spawn a getty on TTY1 /usr/bin/systemctl enable getty@.service >/dev/null 2>&1 || :
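Review bot: the deletion of the 179-line sssd patch ("sss_client: Defer thread cancellation until completion of nss/pam operations") needs a check that the sssd 2.8.2 sources already contain what it added. The patch's own description says the client code is not cancellation-safe, so the new tarball should be confirmed to have the `pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state)` call in `sss_mt_lock()` and the matching restore in `sss_mt_unlock()`. Recording the upstream ticket (https://fedorahosted.org/sssd/ticket/3156) as the reason for the removal would make that auditable.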
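Review bot: in sssd/sssd.nm hunk `@@ -19,7 +19,7 @@`, the new `source_dl` ends in `%%7Bversion%7D/`, which reads like a percent-encoded `%{version}`. If that is what is in the file rather than an artifact of how this mail was rendered, the macro will not expand and the download path will not match any release directory. Please check that the line in the tree is `https://github.com/SSSD/sssd/releases/download/%{version}/`. Since the download origin changes from releases.pagure.org to GitHub in the same hunk, it is also worth confirming the tarball against the checksum published for the release.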
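Review bot: in sssd/sssd.nm hunk `@@ -96,14 +95,6 @@`, the whole `quality-agent` / `whitelist_rpath` block is dropped without any visible change to how the libraries under `%{libdir}/sssd` are linked. If the 2.8.2 build still emits an RPATH pointing at `%{libdir}/sssd`, the quality agent will now reject the package. If it no longer does, say so in the commit message. Keeping the whitelist as narrow as the build actually requires is preferable to removing it blindly, because an unexpected RPATH is exactly what this check exists to catch.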
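Review bot: in sssd/sssd.nm hunk `@@ -154,17 +143,6 @@`, the `postin`/`postun` scriptlets that ran `authconfig --update --enableldap --enablesssd --enablesssdauth` (and the matching disable) are removed with no replacement visible in the diff. After this change, installing the package that ships `pam_sss` no longer wires it into the PAM stack, and removing it no longer unwires it. Please document where PAM and NSS configuration for SSSD is expected to happen now. An uninstall path that leaves a `pam_sss` line behind in the auth stack after the module is gone is the case that most needs an answer.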
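Review bot: in systemd/systemd.nm hunk `@@ -285,14 +283,6 @@`, the block that checked `/etc/pam.d/system-auth-ac` for `pam_systemd` and ran `authconfig --update --nostart` is removed together with `prerequires += authconfig`, and nothing in the visible scriptlet takes over that job. Unless another package now ships a PAM configuration that already includes `pam_systemd`, upgraded systems may end up with login sessions that are not registered with logind. Please name the package or file that guarantees the `pam_systemd` entry, or keep a check here that at least warns when it is missing.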
hooks/post-receive -- IPFire 3.x development tree