From 9b7065a839e1432764ba95d92bea5887946cd0a91010182ce5e6aad44c32a655 Mon Sep 17 00:00:00 2001
From: Michael Calmer
Date: Tue, 6 Apr 2010 12:16:20 +0000
Subject: [PATCH 1/6] - update krb5-1.8-POST.dif
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=16
---
krb5-1.8-POST.dif | 204 ++++++++++++++++++++++++++++++++++++++++++++++
krb5-mini.changes | 5 ++
krb5-mini.spec | 2 +-
krb5.changes | 5 ++
4 files changed, 215 insertions(+), 1 deletion(-)
diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif
index 14ccdf3..d204efd 100644
--- a/krb5-1.8-POST.dif
+++ b/krb5-1.8-POST.dif
@@ -313,3 +313,207 @@ Index: src/lib/krb5/krb/gic_pwd.c goto cleanup; /* ok, we have an expired password. Give the user a few chances +Index: src/lib/gssapi/krb5/import_sec_context.c +=================================================================== +--- src/lib/gssapi/krb5/import_sec_context.c (Revision 23830) ++++ src/lib/gssapi/krb5/import_sec_context.c (Arbeitskopie) +@@ -106,12 +106,13 @@ + ibp = (krb5_octet *) interprocess_token->value; + blen = (size_t) interprocess_token->length; + kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen); +- krb5_free_context(context); + if (kret) { + *minor_status = (OM_uint32) kret; + save_error_info(*minor_status, context); ++ krb5_free_context(context); + return(GSS_S_FAILURE); + } ++ krb5_free_context(context); + + /* intern the context handle */ + if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { +Index: src/lib/gssapi/mechglue/deps +=================================================================== +--- src/lib/gssapi/mechglue/deps (Revision 23830) ++++ src/lib/gssapi/mechglue/deps (Arbeitskopie) +@@ -358,6 +358,14 @@ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ + ../generic/gssapi_err_generic.h g_set_name_attr.c mechglue.h \ + mglueP.h ++g_set_neg_mechs.so g_set_neg_mechs.po $(OUTPRE)g_set_neg_mechs.$(OBJEXT): \ ++ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ ++ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(COM_ERR_DEPS) \ ++ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \ ++ $(srcdir)/../generic/gssapi_generic.h $(top_srcdir)/include/k5-buf.h \ ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ ++ ../generic/gssapi_err_generic.h g_set_neg_mechs.c mechglue.h \ ++ mglueP.h + g_sign.so g_sign.po $(OUTPRE)g_sign.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ + $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ +Index: 
src/lib/krb5/krb/get_in_tkt.c +=================================================================== +--- src/lib/krb5/krb/get_in_tkt.c (Revision 23830) ++++ src/lib/krb5/krb/get_in_tkt.c (Arbeitskopie) +@@ -1083,7 +1083,7 @@ + &flags); + if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !tcp_only) + tcp_only = 1; +- else if (code != 0 || (flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE)) ++ else if (code != 0 || (flags & 1) == 0) + break; + + krb5_free_data_contents(context, &reply); +@@ -2065,7 +2065,7 @@ + } + } + +- *flags = (ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE); ++ *flags = (ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE) ? 0 : 1; + + return code; + } +Index: src/lib/krb5/krb/deps +=================================================================== +--- src/lib/krb5/krb/deps (Revision 23830) ++++ src/lib/krb5/krb/deps (Arbeitskopie) +@@ -63,45 +63,10 @@ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ +- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.c \ +- authdata.h int-proto.h +-authdata_exp.so authdata_exp.po $(OUTPRE)authdata_exp.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-utf8.h 
$(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ +- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.h \ +- authdata_exp.c int-proto.h +-authdata_enc.so authdata_enc.po $(OUTPRE)authdata_enc.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- authdata_enc.c +-authdata_dec.so authdata_dec.po $(OUTPRE)authdata_dec.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- authdata_dec.c int-proto.h ++ auth_con.h authdata.c authdata.h int-proto.h + bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): \ + 
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +@@ -190,7 +155,7 @@ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- copy_auth.c int-proto.h ++ copy_auth.c + copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +@@ -201,7 +166,7 @@ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- auth_con.h copy_athctr.c ++ copy_athctr.c + copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +@@ -669,17 +634,6 @@ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + authdata.h pac.c +-pac_sign.so pac_sign.po $(OUTPRE)pac_sign.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h 
$(top_srcdir)/include/krb5/locate_plugin.h \ +- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h authdata.h pac_sign.c + parse.so parse.po $(OUTPRE)parse.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +@@ -722,17 +676,6 @@ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fast.h int-proto.h preauth2.c +-gic_opt_set_pa.so gic_opt_set_pa.po $(OUTPRE)gic_opt_set_pa.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- gic_opt_set_pa.c int-proto.h + princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +@@ -805,11 +748,10 @@ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h 
$(top_srcdir)/include/krb5/locate_plugin.h \ +- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.h \ +- int-proto.h rd_req_dec.c ++ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ ++ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ ++ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ ++ auth_con.h authdata.h int-proto.h rd_req_dec.c + rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +@@ -1038,7 +980,7 @@ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- int-proto.h valid_times.c ++ valid_times.c + vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +Index: src/util/ss/deps +=================================================================== +--- src/util/ss/deps (Revision 23830) ++++ src/util/ss/deps (Arbeitskopie) +@@ -63,7 +63,7 @@ + ss_internal.h utils.c + options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ + $(COM_ERR_DEPS) copyright.h options.c ss.h +-cmd_tbl.lex.o: cmd_tbl.lex.c ++cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h + ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ + ct.tab.c ss.h + ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ + diff --git a/krb5-mini.changes b/krb5-mini.changes index c00c208..96a84a6 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
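Review bot: The nested get_in_tkt.c change tests the step result with a bare literal, `else if (code != 0 || (flags & 1) == 0)`, while the producer side now returns `(ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE) ? 0 : 1`, so bit 0 of `*flags` flips from "exchange complete" to "more steps needed" with no named constant or comment recording the new contract. Any caller outside these hunks that still masks the returned flags with KRB5_INIT_CREDS_STEP_FLAG_COMPLETE would presumably misjudge when the initial-credentials exchange has finished, so both sites should carry a comment such as `/* bit 0 of *flags set means another step is required */` or use a dedicated constant for the returned bit. Both functions begin and end outside the hunks shown, so the remaining callers cannot be checked from here. Separately, the added sections are labelled `(Revision 23830)` / `(Arbeitskopie)`, which suggests a diff taken from a local working copy; naming the upstream revisions in the .changes entry (currently only `- update krb5-1.8-POST.dif`) would make the import_sec_context.c and get_in_tkt.c fixes auditable.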
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de + +- update krb5-1.8-POST.dif + ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 8c1b700..598a537 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-mini (Version 1.8) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # diff --git a/krb5.changes b/krb5.changes index c00c208..96a84a6 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de + +- update krb5-1.8-POST.dif + ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de From 558c7472cd932071c6c3d44cdf1157bf5ef9969e549d272490327fdea98d8970 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Fri, 9 Apr 2010 10:47:38 +0000 Subject: [PATCH 2/6] - update to version 1.8.1 * include krb5-1.8-POST.dif * include MITKRB5-SA-2010-002 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=17 --- krb5-1.6.3-kpasswd_tcp.patch | 2 +- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ----- krb5-1.8-POST.dif | 519 ------------------------------- krb5-1.8.1.tar.bz2 | 3 + krb5-1.8.tar.bz2 | 3 - krb5-doc.changes | 5 + krb5-doc.spec | 10 +- krb5-mini.changes | 7 + krb5-mini.spec | 12 +- krb5.changes | 7 + krb5.spec | 12 +- 11 files changed, 35 insertions(+), 616 deletions(-) delete mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif delete mode 100644 krb5-1.8-POST.dif create mode 100644 krb5-1.8.1.tar.bz2 delete mode 100644 krb5-1.8.tar.bz2 diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 360149f..1a74d6d 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch 
@@ -5,7 +5,7 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -271,10 +271,22 @@ change_set_password(krb5_context context +@@ -280,10 +280,22 @@ change_set_password(krb5_context context NULL ))) { diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif deleted file mode 100644 index 79c4e81..0000000 --- a/krb5-1.7-MITKRB5-SA-2010-002.dif +++ /dev/null 
@@ -1,71 +0,0 @@ -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( - spnego_gss_ctx_id_t sc = NULL; - spnego_gss_cred_id_t spcred = NULL; - OM_uint32 mechstat = GSS_S_FAILURE; -- int sendTokenInit = 0; -+ int sendTokenInit = 0, tmpret; - - mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; - -@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( - if (delegated_cred_handle != NULL) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - if (input_token->length == 0) { -- sendTokenInit = 1; - ret = acc_ctx_hints(minor_status, - context_handle, spcred, - &mic_out, -@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( - &return_token); - if (ret != GSS_S_COMPLETE) - goto cleanup; -+ sendTokenInit = 1; - ret = GSS_S_CONTINUE_NEEDED; - } else { - /* Can set negState to REQUEST_MIC */ -@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( - &negState, &return_token); - } - cleanup: -- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- /* For acceptor-sends-first send a tokenInit */ -- int tmpret; -- -+ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { - assert(sc != NULL); -- -- if (sendTokenInit) { -- tmpret = make_spnego_tokenInit_msg(sc, -- 1, -- mic_out, -- 0, -- GSS_C_NO_BUFFER, -- return_token, -- output_token); -- } else { -- tmpret = make_spnego_tokenTarg_msg(negState, -- sc ? sc->internal_mech : GSS_C_NO_OID, -- &mechtok_out, mic_out, -- return_token, -- output_token); -- } -+ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, -+ GSS_C_NO_BUFFER, -+ return_token, output_token); -+ if (tmpret < 0) -+ ret = GSS_S_FAILURE; -+ } else if (return_token != NO_TOKEN_SEND && -+ return_token != CHECK_MIC) { -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? 
sc->internal_mech : -+ GSS_C_NO_OID, -+ &mechtok_out, mic_out, -+ return_token, -+ output_token); - if (tmpret < 0) - ret = GSS_S_FAILURE; - } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif deleted file mode 100644 index d204efd..0000000 --- a/krb5-1.8-POST.dif +++ /dev/null 
@@ -1,519 +0,0 @@ -Index: doc/admin.texinfo -=================================================================== ---- doc/admin.texinfo.orig -+++ doc/admin.texinfo -@@ -516,13 +516,6 @@ DCE do not support the default cache as - Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on - DCE 1.1 systems. The default value is @value{DefaultCcacheType}. - --@ignore --@itemx tkt_lifetime --The default lifetime of a ticket. The default is --@value{DefaultTktLifetime}. This is currently not supported by the --code. --@end ignore -- - @itemx dns_lookup_kdc - Indicate whether DNS SRV records should be used to locate the KDCs and - other servers for a realm, if they are not listed in the information for -@@ -583,6 +576,11 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is @value{DefaultVerifyApReqNofail}. - -+@itemx ticket_lifetime -+The value of this tag is the default lifetime for -+initial tickets. The default value for the tag is -+@value{DefaultTktLifetime}. -+ - @itemx renew_lifetime - The value of this tag is the default renewable lifetime for - initial tickets. 
The default value for the tag is -Index: src/include/krb5/krb5.hin -=================================================================== ---- src/include/krb5/krb5.hin.orig -+++ src/include/krb5/krb5.hin -@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex - #define KRB5_AUTHDATA_SESAME 65 - #define KRB5_AUTHDATA_WIN2K_PAC 128 - #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ --#define KRB5_AUTHDATA_SIGNTICKET 142 -+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ - #define KRB5_AUTHDATA_FX_ARMOR 71 - /* password change constants */ - -@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { - krb5_octet *contents; - } krb5_pa_data; - -+/* typed data */ -+/* -+ * The FAST error handling logic currently assumes that this structure and -+ * krb5_pa_data * can be safely cast to each other if this structure changes, -+ * that code needs to be updated to copy. -+ */ -+typedef struct _krb5_typed_data { -+ krb5_magic magic; -+ krb5_int32 type; -+ unsigned int length; -+ krb5_octet *data; -+} krb5_typed_data; -+ - typedef struct _krb5_kdc_req { - krb5_magic magic; - krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ -Index: src/include/k5-int-pkinit.h -=================================================================== ---- src/include/k5-int-pkinit.h.orig -+++ src/include/k5-int-pkinit.h -@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { - } u; - } krb5_trusted_ca; - --/* typed data */ --/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other -- * if this structure changes, that code needs to be updated to copy. 
-- */ --typedef struct _krb5_typed_data { -- krb5_magic magic; -- krb5_int32 type; -- unsigned int length; -- krb5_octet *data; --} krb5_typed_data; -- - /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ - typedef struct _krb5_pa_pk_as_req_draft9 { - krb5_octet_data signedAuthPack; -Index: src/kdc/kdc_authdata.c -=================================================================== ---- src/kdc/kdc_authdata.c.orig -+++ src/kdc/kdc_authdata.c -@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex - enc_sp.length = sp_authdata[0]->length; - - code = decode_krb5_ad_signedpath(&enc_sp, &sp); -- if (code != 0) -+ if (code != 0) { -+ /* Treat an invalid signedpath authdata element as a missing one, since -+ * we believe MS is using the same number for something else. */ -+ code = 0; - goto cleanup; -+ } - - code = verify_ad_signedpath_checksum(context, - krbtgt, -Index: src/kdc/do_tgs_req.c -=================================================================== ---- src/kdc/do_tgs_req.c.orig -+++ src/kdc/do_tgs_req.c -@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request - strlcpy(comp1_str,comp1->data,comp1->length+1); - - if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || -+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || - (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && - kdc_active_realm->realm_host_based_services != NULL && - (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, -Index: src/clients/kpasswd/kpasswd.c -=================================================================== ---- src/clients/kpasswd/kpasswd.c.orig -+++ src/clients/kpasswd/kpasswd.c -@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) - { - krb5_error_code ret; - krb5_context context; -- krb5_principal princ; -+ krb5_principal princ = NULL; - char *pname; - krb5_ccache ccache; - krb5_get_init_creds_opt *opts = NULL; -@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) - com_err(argv[0], ret, "parsing 
client name"); - exit(1); - } -- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { -- if (ret) { -+ } else { -+ ret = krb5_cc_default(context, &ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "opening default ccache"); - exit(1); - } - -- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { -+ ret = krb5_cc_get_principal(context, ccache, &princ); -+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { - com_err(argv[0], ret, "getting principal from ccache"); - exit(1); - } - -- if ((ret = krb5_cc_close(context, ccache))) { -+ ret = krb5_cc_close(context, ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "closing ccache"); - exit(1); - } -- } else { -- get_name_from_passwd_file(argv[0], context, &princ); -+ -+ if (princ == NULL) -+ get_name_from_passwd_file(argv[0], context, &princ); - } - - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M.orig -+++ src/config-files/krb5.conf.M -@@ -220,6 +220,10 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is false. - -+.IP ticket_lifetime -+The value of this tag is the default lifetime for initial tickets. The -+default value for the tag is 1 day (1d). -+ - .IP renew_lifetime - The value of this tag is the default renewable lifetime for initial - tickets. The default value for the tag is 0. 
-Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1687,6 +1687,7 @@ cleanup: - if (sc->internal_name != GSS_C_NO_NAME && - src_name != NULL) { - *src_name = sc->internal_name; -+ sc->internal_name = GSS_C_NO_NAME; - } - release_spnego_ctx(&sc); - } else if (ret != GSS_S_CONTINUE_NEEDED) { -@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * - (void) generic_gss_release_oid(&minor_stat, - &context->internal_mech); - -+ (void) gss_release_name(&minor_stat, &context->internal_name); -+ - if (context->optionStr != NULL) { - free(context->optionStr); - context->optionStr = NULL; -Index: src/lib/kadm5/srv/svr_principal.c -=================================================================== ---- src/lib/kadm5/srv/svr_principal.c.orig -+++ src/lib/kadm5/srv/svr_principal.c -@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! 
(mask & KADM5_MOD_NAME)) { -- krb5_free_principal(handle->context, entry->principal); -- entry->principal = NULL; -+ krb5_free_principal(handle->context, entry->mod_name); -+ entry->mod_name = NULL; - } - } - -@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, - if (kdb.key_data[i].key_data_kvno > entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; - -- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -- &entry->mkvno); -- if (ret) -- goto done; -+ if (mask & KADM5_MKVNO) { -+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -+ &entry->mkvno); -+ if (ret) -+ goto done; -+ } - - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c.orig -+++ src/lib/krb5/os/changepw.c -@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con - int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); - - code = krb5int_locate_server (context, realm, addrlist, -- locate_service_kpasswd, sockType, AF_INET); -+ locate_service_kpasswd, sockType, AF_UNSPEC); - - if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { - code = krb5int_locate_server (context, realm, addrlist, - locate_service_kadmin, SOCK_STREAM, -- AF_INET); -+ AF_UNSPEC); - if (!code) { - /* Success with admin_server but now we need to change the - port number to use DEFAULT_KPASSWD_PORT and the socktype. 
*/ - size_t i; - for (i=0; inaddrs; i++) { - struct addrinfo *a = addrlist->addrs[i].ai; -+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); - if (a->ai_family == AF_INET) -- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); -+ sa2sin (a->ai_addr)->sin_port = kpasswd_port; -+ if (a->ai_family == AF_INET6) -+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; - if (sockType != SOCK_STREAM) - a->ai_socktype = sockType; - } -@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ - /* some brain-dead OS's don't return useful information from - * the getsockname call. Namely, windows and solaris. */ - -- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { -+ if (local_addr.ss_family == AF_INET && -+ ss2sin(&local_addr)->sin_addr.s_addr != 0) { - local_kaddr.addrtype = ADDRTYPE_INET; - local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); - local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; -+ } else if (local_addr.ss_family == AF_INET6 && -+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { -+ local_kaddr.addrtype = ADDRTYPE_INET6; -+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); -+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; - } else { - krb5_address **addrs; - -@@ -290,9 +299,19 @@ change_set_password(krb5_context context - break; - } - -- remote_kaddr.addrtype = ADDRTYPE_INET; -- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ if (remote_addr.ss_family == AF_INET) { -+ remote_kaddr.addrtype = ADDRTYPE_INET; -+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ } else if (remote_addr.ss_family == AF_INET6) { -+ remote_kaddr.addrtype = ADDRTYPE_INET6; -+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; -+ } else 
{ -+ break; -+ } - - if ((code = krb5_auth_con_setaddrs(callback_ctx.context, - callback_ctx.auth_context, -Index: src/lib/krb5/krb/gic_pwd.c -=================================================================== ---- src/lib/krb5/krb/gic_pwd.c.orig -+++ src/lib/krb5/krb/gic_pwd.c -@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex - * to prompt. Prompting is only disabled if the option has been set - * and the value has been set to false. - */ -- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) -+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; - - /* ok, we have an expired password. Give the user a few chances -Index: src/lib/gssapi/krb5/import_sec_context.c -=================================================================== ---- src/lib/gssapi/krb5/import_sec_context.c (Revision 23830) -+++ src/lib/gssapi/krb5/import_sec_context.c (Arbeitskopie) -@@ -106,12 +106,13 @@ - ibp = (krb5_octet *) interprocess_token->value; - blen = (size_t) interprocess_token->length; - kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen); -- krb5_free_context(context); - if (kret) { - *minor_status = (OM_uint32) kret; - save_error_info(*minor_status, context); -+ krb5_free_context(context); - return(GSS_S_FAILURE); - } -+ krb5_free_context(context); - - /* intern the context handle */ - if (! 
kg_save_ctx_id((gss_ctx_id_t) ctx)) { -Index: src/lib/gssapi/mechglue/deps -=================================================================== ---- src/lib/gssapi/mechglue/deps (Revision 23830) -+++ src/lib/gssapi/mechglue/deps (Arbeitskopie) -@@ -358,6 +358,14 @@ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - ../generic/gssapi_err_generic.h g_set_name_attr.c mechglue.h \ - mglueP.h -+g_set_neg_mechs.so g_set_neg_mechs.po $(OUTPRE)g_set_neg_mechs.$(OBJEXT): \ -+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ -+ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(COM_ERR_DEPS) \ -+ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \ -+ $(srcdir)/../generic/gssapi_generic.h $(top_srcdir)/include/k5-buf.h \ -+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ -+ ../generic/gssapi_err_generic.h g_set_neg_mechs.c mechglue.h \ -+ mglueP.h - g_sign.so g_sign.po $(OUTPRE)g_sign.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ -Index: src/lib/krb5/krb/get_in_tkt.c -=================================================================== ---- src/lib/krb5/krb/get_in_tkt.c (Revision 23830) -+++ src/lib/krb5/krb/get_in_tkt.c (Arbeitskopie) -@@ -1083,7 +1083,7 @@ - &flags); - if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !tcp_only) - tcp_only = 1; -- else if (code != 0 || (flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE)) -+ else if (code != 0 || (flags & 1) == 0) - break; - - krb5_free_data_contents(context, &reply); -@@ -2065,7 +2065,7 @@ - } - } - -- *flags = (ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE); -+ *flags = (ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE) ? 
0 : 1; - - return code; - } -Index: src/lib/krb5/krb/deps -=================================================================== ---- src/lib/krb5/krb/deps (Revision 23830) -+++ src/lib/krb5/krb/deps (Arbeitskopie) -@@ -63,45 +63,10 @@ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ -- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.c \ -- authdata.h int-proto.h --authdata_exp.so authdata_exp.po $(OUTPRE)authdata_exp.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ -- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.h \ -- authdata_exp.c int-proto.h --authdata_enc.so authdata_enc.po $(OUTPRE)authdata_enc.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h 
$(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- authdata_enc.c --authdata_dec.so authdata_dec.po $(OUTPRE)authdata_dec.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- authdata_dec.c int-proto.h -+ auth_con.h authdata.c authdata.h int-proto.h - bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -@@ -190,7 +155,7 @@ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- copy_auth.c int-proto.h -+ copy_auth.c - copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -@@ -201,7 
+166,7 @@ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- auth_con.h copy_athctr.c -+ copy_athctr.c - copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -@@ -669,17 +634,6 @@ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - authdata.h pac.c --pac_sign.so pac_sign.po $(OUTPRE)pac_sign.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ -- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h authdata.h pac_sign.c - parse.so parse.po $(OUTPRE)parse.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -@@ -722,17 +676,6 @@ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fast.h int-proto.h preauth2.c --gic_opt_set_pa.so gic_opt_set_pa.po 
$(OUTPRE)gic_opt_set_pa.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- gic_opt_set_pa.c int-proto.h - princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -@@ -805,11 +748,10 @@ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ -- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h auth_con.h authdata.h \ -- int-proto.h rd_req_dec.c -+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ -+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -+ auth_con.h authdata.h int-proto.h rd_req_dec.c - rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - 
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -@@ -1038,7 +980,7 @@ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- int-proto.h valid_times.c -+ valid_times.c - vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -Index: src/util/ss/deps -=================================================================== ---- src/util/ss/deps (Revision 23830) -+++ src/util/ss/deps (Arbeitskopie) -@@ -63,7 +63,7 @@ - ss_internal.h utils.c - options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ - $(COM_ERR_DEPS) copyright.h options.c ss.h --cmd_tbl.lex.o: cmd_tbl.lex.c -+cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h - ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ - ct.tab.c ss.h - ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ - diff --git a/krb5-1.8.1.tar.bz2 b/krb5-1.8.1.tar.bz2 new file mode 100644 index 0000000..c5d6fed --- /dev/null +++ b/krb5-1.8.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:215e71364b4ac6e49cfb2629a109a2f473845d68643859eccc038834de1f4746 +size 9960127 diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 deleted file mode 100644 index 771b1d5..0000000 --- a/krb5-1.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 -size 9958816 diff --git a/krb5-doc.changes b/krb5-doc.changes index 7ac797d..042615c 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + ------------------------------------------------------------------- Tue Mar 23 12:38:29 CET 2010 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 86eface..e7fae99 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.8) +# spec file for package krb5-doc (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,18 +20,17 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8 +Version: 1.8.1 Release: 2 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.8.1 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif -Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -54,7 +53,6 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 -%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 96a84a6..11e8703 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + * include krb5-1.8-POST.dif + * include MITKRB5-SA-2010-002 + ------------------------------------------------------------------- Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 598a537..4e29148 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5 (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.8.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,7 +27,7 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 +Version: 1.8.1 Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 96a84a6..11e8703 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + * include krb5-1.8-POST.dif + * include MITKRB5-SA-2010-002 + ------------------------------------------------------------------- Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 2196e63..6625ccf 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5 (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.8.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,7 +27,7 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 +Version: 1.8.1 Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do From 357e541b0fef30880ac618531f10c4cfa597b579db5ba541b64153489c30d864 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Fri, 9 Apr 2010 10:55:35 +0000 Subject: [PATCH 3/6] rename rpmlintrc OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=18 --- krb5-1.8-rpmlintrc => krb5-1.8.1-rpmlintrc | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename krb5-1.8-rpmlintrc => krb5-1.8.1-rpmlintrc (100%) 
diff --git a/krb5-1.8-rpmlintrc b/krb5-1.8.1-rpmlintrc similarity index 100% rename from krb5-1.8-rpmlintrc rename to krb5-1.8.1-rpmlintrc From b2c5cb8b2aac405e3b4775763f86b11674b8bfdfec35ad688c798fc030645210 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Wed, 14 Apr 2010 07:31:56 +0000 Subject: [PATCH 4/6] rename krb5-doc-1.8-rpmlintrc to krb5-doc-1.8.1-rpmlintrc OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=19 --- krb5-doc-1.8-rpmlintrc => krb5-doc-1.8.1-rpmlintrc | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename krb5-doc-1.8-rpmlintrc => krb5-doc-1.8.1-rpmlintrc (100%) diff --git a/krb5-doc-1.8-rpmlintrc b/krb5-doc-1.8.1-rpmlintrc similarity index 100% rename from krb5-doc-1.8-rpmlintrc rename to krb5-doc-1.8.1-rpmlintrc From 8f6bba81c799cb0c43e875c5e90564d7a71e4ca017f1fe8de6c9f6e51244526f Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Wed, 14 Apr 2010 13:16:16 +0000 Subject: [PATCH 5/6] Accepting request 37899 from network checked in (request 37899) OBS-URL: https://build.opensuse.org/request/show/37899 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=20 --- krb5-1.6.3-kpasswd_tcp.patch | 2 +- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ++++ krb5-1.8-POST.dif | 315 ++++++++++++++++++ krb5-1.8.1-rpmlintrc => krb5-1.8-rpmlintrc | 0 krb5-1.8.1.tar.bz2 | 3 - krb5-1.8.tar.bz2 | 3 + ...-1.8.1-rpmlintrc => krb5-doc-1.8-rpmlintrc | 0 krb5-doc.changes | 5 - krb5-doc.spec | 10 +- krb5-mini.changes | 12 - krb5-mini.spec | 12 +- krb5.changes | 12 - krb5.spec | 12 +- 13 files changed, 412 insertions(+), 45 deletions(-) create mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif create mode 100644 krb5-1.8-POST.dif rename krb5-1.8.1-rpmlintrc => krb5-1.8-rpmlintrc (100%) delete mode 100644 krb5-1.8.1.tar.bz2 create mode 100644 krb5-1.8.tar.bz2 rename krb5-doc-1.8.1-rpmlintrc => krb5-doc-1.8-rpmlintrc (100%) diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 1a74d6d..360149f 100644 
--- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -5,7 +5,7 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -280,10 +280,22 @@ change_set_password(krb5_context context +@@ -271,10 +271,22 @@ change_set_password(krb5_context context NULL ))) { diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif new file mode 100644 index 0000000..79c4e81 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2010-002.dif 
@@ -0,0 +1,71 @@ +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( + spnego_gss_ctx_id_t sc = NULL; + spnego_gss_cred_id_t spcred = NULL; + OM_uint32 mechstat = GSS_S_FAILURE; +- int sendTokenInit = 0; ++ int sendTokenInit = 0, tmpret; + + mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; + +@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( + if (delegated_cred_handle != NULL) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + if (input_token->length == 0) { +- sendTokenInit = 1; + ret = acc_ctx_hints(minor_status, + context_handle, spcred, + &mic_out, +@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( + &return_token); + if (ret != GSS_S_COMPLETE) + goto cleanup; ++ sendTokenInit = 1; + ret = GSS_S_CONTINUE_NEEDED; + } else { + /* Can set negState to REQUEST_MIC */ +@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( + &negState, &return_token); + } + cleanup: +- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- /* For acceptor-sends-first send a tokenInit */ +- int tmpret; +- ++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { + assert(sc != NULL); +- +- if (sendTokenInit) { +- tmpret = make_spnego_tokenInit_msg(sc, +- 1, +- mic_out, +- 0, +- GSS_C_NO_BUFFER, +- return_token, +- output_token); +- } else { +- tmpret = make_spnego_tokenTarg_msg(negState, +- sc ? sc->internal_mech : GSS_C_NO_OID, +- &mechtok_out, mic_out, +- return_token, +- output_token); +- } ++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, ++ GSS_C_NO_BUFFER, ++ return_token, output_token); ++ if (tmpret < 0) ++ ret = GSS_S_FAILURE; ++ } else if (return_token != NO_TOKEN_SEND && ++ return_token != CHECK_MIC) { ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? 
sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); + if (tmpret < 0) + ret = GSS_S_FAILURE; + } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif new file mode 100644 index 0000000..14ccdf3 --- /dev/null +++ b/krb5-1.8-POST.dif 
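Review bot: In the rewritten `cleanup:` block of spnego_gss_accept_sec_context, the acceptor-sends-first branch still has `assert(sc != NULL);` as its only guard before `sc` is passed to `make_spnego_tokenInit_msg`. An assert either aborts the accepting process or, in an NDEBUG build, disappears and lets a NULL `sc` through, so neither case is a controlled failure on a path driven by the peer's token. Setting `sendTokenInit = 1` only after `acc_ctx_hints` succeeds presumably makes the condition unreachable, but that depends on code outside the hunk. Replacing the assert with `if (sc == NULL) ret = GSS_S_FAILURE;` and building the token under `else` would keep the invariant checked in every build. The function body starts and ends outside the hunk.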
@@ -0,0 +1,315 @@ +Index: doc/admin.texinfo +=================================================================== +--- doc/admin.texinfo.orig ++++ doc/admin.texinfo +@@ -516,13 +516,6 @@ DCE do not support the default cache as + Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on + DCE 1.1 systems. The default value is @value{DefaultCcacheType}. + +-@ignore +-@itemx tkt_lifetime +-The default lifetime of a ticket. The default is +-@value{DefaultTktLifetime}. This is currently not supported by the +-code. +-@end ignore +- + @itemx dns_lookup_kdc + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for +@@ -583,6 +576,11 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is @value{DefaultVerifyApReqNofail}. + ++@itemx ticket_lifetime ++The value of this tag is the default lifetime for ++initial tickets. The default value for the tag is ++@value{DefaultTktLifetime}. ++ + @itemx renew_lifetime + The value of this tag is the default renewable lifetime for + initial tickets. 
The default value for the tag is +Index: src/include/krb5/krb5.hin +=================================================================== +--- src/include/krb5/krb5.hin.orig ++++ src/include/krb5/krb5.hin +@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex + #define KRB5_AUTHDATA_SESAME 65 + #define KRB5_AUTHDATA_WIN2K_PAC 128 + #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ +-#define KRB5_AUTHDATA_SIGNTICKET 142 ++#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ + #define KRB5_AUTHDATA_FX_ARMOR 71 + /* password change constants */ + +@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { + krb5_octet *contents; + } krb5_pa_data; + ++/* typed data */ ++/* ++ * The FAST error handling logic currently assumes that this structure and ++ * krb5_pa_data * can be safely cast to each other if this structure changes, ++ * that code needs to be updated to copy. ++ */ ++typedef struct _krb5_typed_data { ++ krb5_magic magic; ++ krb5_int32 type; ++ unsigned int length; ++ krb5_octet *data; ++} krb5_typed_data; ++ + typedef struct _krb5_kdc_req { + krb5_magic magic; + krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ +Index: src/include/k5-int-pkinit.h +=================================================================== +--- src/include/k5-int-pkinit.h.orig ++++ src/include/k5-int-pkinit.h +@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { + } u; + } krb5_trusted_ca; + +-/* typed data */ +-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other +- * if this structure changes, that code needs to be updated to copy. 
+- */ +-typedef struct _krb5_typed_data { +- krb5_magic magic; +- krb5_int32 type; +- unsigned int length; +- krb5_octet *data; +-} krb5_typed_data; +- + /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ + typedef struct _krb5_pa_pk_as_req_draft9 { + krb5_octet_data signedAuthPack; +Index: src/kdc/kdc_authdata.c +=================================================================== +--- src/kdc/kdc_authdata.c.orig ++++ src/kdc/kdc_authdata.c +@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex + enc_sp.length = sp_authdata[0]->length; + + code = decode_krb5_ad_signedpath(&enc_sp, &sp); +- if (code != 0) ++ if (code != 0) { ++ /* Treat an invalid signedpath authdata element as a missing one, since ++ * we believe MS is using the same number for something else. */ ++ code = 0; + goto cleanup; ++ } + + code = verify_ad_signedpath_checksum(context, + krbtgt, +Index: src/kdc/do_tgs_req.c +=================================================================== +--- src/kdc/do_tgs_req.c.orig ++++ src/kdc/do_tgs_req.c +@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request + strlcpy(comp1_str,comp1->data,comp1->length+1); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || ++ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, +Index: src/clients/kpasswd/kpasswd.c +=================================================================== +--- src/clients/kpasswd/kpasswd.c.orig ++++ src/clients/kpasswd/kpasswd.c +@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) + { + krb5_error_code ret; + krb5_context context; +- krb5_principal princ; ++ krb5_principal princ = NULL; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; +@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) + com_err(argv[0], ret, "parsing 
client name"); + exit(1); + } +- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { +- if (ret) { ++ } else { ++ ret = krb5_cc_default(context, &ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + +- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { ++ ret = krb5_cc_get_principal(context, ccache, &princ); ++ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + +- if ((ret = krb5_cc_close(context, ccache))) { ++ ret = krb5_cc_close(context, ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } +- } else { +- get_name_from_passwd_file(argv[0], context, &princ); ++ ++ if (princ == NULL) ++ get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { +Index: src/config-files/krb5.conf.M +=================================================================== +--- src/config-files/krb5.conf.M.orig ++++ src/config-files/krb5.conf.M +@@ -220,6 +220,10 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is false. + ++.IP ticket_lifetime ++The value of this tag is the default lifetime for initial tickets. The ++default value for the tag is 1 day (1d). ++ + .IP renew_lifetime + The value of this tag is the default renewable lifetime for initial + tickets. The default value for the tag is 0. 
+Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1687,6 +1687,7 @@ cleanup: + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; ++ sc->internal_name = GSS_C_NO_NAME; + } + release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { +@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * + (void) generic_gss_release_oid(&minor_stat, + &context->internal_mech); + ++ (void) gss_release_name(&minor_stat, &context->internal_name); ++ + if (context->optionStr != NULL) { + free(context->optionStr); + context->optionStr = NULL; +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c.orig ++++ src/lib/kadm5/srv/svr_principal.c +@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! 
(mask & KADM5_MOD_NAME)) { +- krb5_free_principal(handle->context, entry->principal); +- entry->principal = NULL; ++ krb5_free_principal(handle->context, entry->mod_name); ++ entry->mod_name = NULL; + } + } + +@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, + if (kdb.key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; + +- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, +- &entry->mkvno); +- if (ret) +- goto done; ++ if (mask & KADM5_MKVNO) { ++ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, ++ &entry->mkvno); ++ if (ret) ++ goto done; ++ } + + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con + int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); + + code = krb5int_locate_server (context, realm, addrlist, +- locate_service_kpasswd, sockType, AF_INET); ++ locate_service_kpasswd, sockType, AF_UNSPEC); + + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { + code = krb5int_locate_server (context, realm, addrlist, + locate_service_kadmin, SOCK_STREAM, +- AF_INET); ++ AF_UNSPEC); + if (!code) { + /* Success with admin_server but now we need to change the + port number to use DEFAULT_KPASSWD_PORT and the socktype. 
*/ + size_t i; + for (i=0; inaddrs; i++) { + struct addrinfo *a = addrlist->addrs[i].ai; ++ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); + if (a->ai_family == AF_INET) +- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); ++ sa2sin (a->ai_addr)->sin_port = kpasswd_port; ++ if (a->ai_family == AF_INET6) ++ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; + if (sockType != SOCK_STREAM) + a->ai_socktype = sockType; + } +@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ + /* some brain-dead OS's don't return useful information from + * the getsockname call. Namely, windows and solaris. */ + +- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { ++ if (local_addr.ss_family == AF_INET && ++ ss2sin(&local_addr)->sin_addr.s_addr != 0) { + local_kaddr.addrtype = ADDRTYPE_INET; + local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); + local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; ++ } else if (local_addr.ss_family == AF_INET6 && ++ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { ++ local_kaddr.addrtype = ADDRTYPE_INET6; ++ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); ++ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; + } else { + krb5_address **addrs; + +@@ -290,9 +299,19 @@ change_set_password(krb5_context context + break; + } + +- remote_kaddr.addrtype = ADDRTYPE_INET; +- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); +- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ if (remote_addr.ss_family == AF_INET) { ++ remote_kaddr.addrtype = ADDRTYPE_INET; ++ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ } else if (remote_addr.ss_family == AF_INET6) { ++ remote_kaddr.addrtype = ADDRTYPE_INET6; ++ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; ++ } else 
{ ++ break; ++ } + + if ((code = krb5_auth_con_setaddrs(callback_ctx.context, + callback_ctx.auth_context, +Index: src/lib/krb5/krb/gic_pwd.c +=================================================================== +--- src/lib/krb5/krb/gic_pwd.c.orig ++++ src/lib/krb5/krb/gic_pwd.c +@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-1.8.1-rpmlintrc b/krb5-1.8-rpmlintrc similarity index 100% rename from krb5-1.8.1-rpmlintrc rename to krb5-1.8-rpmlintrc diff --git a/krb5-1.8.1.tar.bz2 b/krb5-1.8.1.tar.bz2 deleted file mode 100644 index c5d6fed..0000000 --- a/krb5-1.8.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:215e71364b4ac6e49cfb2629a109a2f473845d68643859eccc038834de1f4746 -size 9960127 diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 new file mode 100644 index 0000000..771b1d5 --- /dev/null +++ b/krb5-1.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 +size 9958816 diff --git a/krb5-doc-1.8.1-rpmlintrc b/krb5-doc-1.8-rpmlintrc similarity index 100% rename from krb5-doc-1.8.1-rpmlintrc rename to krb5-doc-1.8-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 042615c..7ac797d 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de - -- update to version 1.8.1 - ------------------------------------------------------------------- Tue Mar 23 12:38:29 CET 2010 - mc@suse.de 
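Review bot: In the changepw.c part of this patch file, `kpasswd_sendto_msg_callback` tests `ss2sin6(&local_addr)->sin6_addr.s6_addr != 0`, but `s6_addr` is a byte array, so the expression compares the array's address with null and is always true. An unspecified IPv6 local address (`::`) is therefore taken as the local address instead of reaching the `else` fallback, unlike the IPv4 test beside it, which compares the `s_addr` value. The condition should read `!IN6_IS_ADDR_UNSPECIFIED(&ss2sin6(&local_addr)->sin6_addr)`. The function continues outside the inner hunk, so what the fallback branch does with `addrs` is not visible here.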
diff --git a/krb5-doc.spec b/krb5-doc.spec index e7fae99..86eface 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.8.1) +# spec file for package krb5-doc (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,17 +20,18 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8.1 +Version: 1.8 Release: 2 -%define srcRoot krb5-1.8.1 +%define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.1.tar.bz2 +Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -53,6 +54,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 11e8703..c00c208 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,15 +1,3 @@ -------------------------------------------------------------------- -Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de - -- update to version 1.8.1 - * include krb5-1.8-POST.dif - * include MITKRB5-SA-2010-002 - -------------------------------------------------------------------- -Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de - -- update krb5-1.8-POST.dif - ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 4e29148..8c1b700 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8.1) +# spec file for package krb5-mini (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8.1 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,7 +27,7 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.1 +Version: 1.8 Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.1.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 11e8703..c00c208 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,15 +1,3 @@ -------------------------------------------------------------------- -Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de - -- update to version 1.8.1 - * include krb5-1.8-POST.dif - * include MITKRB5-SA-2010-002 - -------------------------------------------------------------------- -Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de - -- update krb5-1.8-POST.dif - ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de 
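Review bot: `Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif` in the krb5-mini.spec hunk at `@@ -55,6 +55,8 @@` is a security-advisory fix, but it is added with no comment saying so, and the krb5-mini.changes hunk of the same commit deletes the only visible changelog lines that mention the advisory. The patch is named for 1.7 and is applied to the 1.8 tree by a bare `%patch47` at `@@ -202,6 +204,8 @@`, next to `%patch44 -p1` and `%patch46 -p1`, so a reader cannot tell whether the missing strip level is intended. I would write `%patch47 -p0` and `%patch50 -p0` explicitly (assuming that is the default being relied on) and put `# security fix: MITKRB5-SA-2010-002, keep until the base version contains it` above the `Patch47:` line. krb5.spec gets the same two hunks.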
diff --git a/krb5.spec b/krb5.spec index 6625ccf..2196e63 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8.1) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8.1 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,7 +27,7 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.1 +Version: 1.8 Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.1.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do From 0d6b79cec0ad6720e0e1b985424721eae4be412f05c2838e08bf7f728ea7a6d5 Mon Sep 17 00:00:00 2001 
From: OBS User buildservice-autocommit Date: Wed, 14 Apr 2010 13:16:17 +0000 Subject: [PATCH 6/6] Updating link to change in openSUSE:Factory/krb5 revision 49.0 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=ce934bf77d29ffcb7323f9a17cc82caf --- krb5-1.6.3-kpasswd_tcp.patch | 2 +- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ---- krb5-1.8-POST.dif | 315 ------------------ krb5-1.8-rpmlintrc => krb5-1.8.1-rpmlintrc | 0 krb5-1.8.1.tar.bz2 | 3 + krb5-1.8.tar.bz2 | 3 - ...-1.8-rpmlintrc => krb5-doc-1.8.1-rpmlintrc | 0 krb5-doc.changes | 5 + krb5-doc.spec | 12 +- krb5-mini.changes | 12 + krb5-mini.spec | 14 +- krb5.changes | 12 + krb5.spec | 14 +- 13 files changed, 48 insertions(+), 415 deletions(-) delete mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif delete mode 100644 krb5-1.8-POST.dif rename krb5-1.8-rpmlintrc => krb5-1.8.1-rpmlintrc (100%) create mode 100644 krb5-1.8.1.tar.bz2 delete mode 100644 krb5-1.8.tar.bz2 rename krb5-doc-1.8-rpmlintrc => krb5-doc-1.8.1-rpmlintrc (100%) diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 360149f..1a74d6d 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -5,7 +5,7 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -271,10 +271,22 @@ change_set_password(krb5_context context +@@ -280,10 +280,22 @@ change_set_password(krb5_context context NULL ))) { diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif deleted file mode 100644 index 79c4e81..0000000 --- a/krb5-1.7-MITKRB5-SA-2010-002.dif +++ /dev/null 
@@ -1,71 +0,0 @@ -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( - spnego_gss_ctx_id_t sc = NULL; - spnego_gss_cred_id_t spcred = NULL; - OM_uint32 mechstat = GSS_S_FAILURE; -- int sendTokenInit = 0; -+ int sendTokenInit = 0, tmpret; - - mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; - -@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( - if (delegated_cred_handle != NULL) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - if (input_token->length == 0) { -- sendTokenInit = 1; - ret = acc_ctx_hints(minor_status, - context_handle, spcred, - &mic_out, -@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( - &return_token); - if (ret != GSS_S_COMPLETE) - goto cleanup; -+ sendTokenInit = 1; - ret = GSS_S_CONTINUE_NEEDED; - } else { - /* Can set negState to REQUEST_MIC */ -@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( - &negState, &return_token); - } - cleanup: -- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- /* For acceptor-sends-first send a tokenInit */ -- int tmpret; -- -+ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { - assert(sc != NULL); -- -- if (sendTokenInit) { -- tmpret = make_spnego_tokenInit_msg(sc, -- 1, -- mic_out, -- 0, -- GSS_C_NO_BUFFER, -- return_token, -- output_token); -- } else { -- tmpret = make_spnego_tokenTarg_msg(negState, -- sc ? sc->internal_mech : GSS_C_NO_OID, -- &mechtok_out, mic_out, -- return_token, -- output_token); -- } -+ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, -+ GSS_C_NO_BUFFER, -+ return_token, output_token); -+ if (tmpret < 0) -+ ret = GSS_S_FAILURE; -+ } else if (return_token != NO_TOKEN_SEND && -+ return_token != CHECK_MIC) { -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? 
sc->internal_mech : -+ GSS_C_NO_OID, -+ &mechtok_out, mic_out, -+ return_token, -+ output_token); - if (tmpret < 0) - ret = GSS_S_FAILURE; - } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif deleted file mode 100644 index 14ccdf3..0000000 --- a/krb5-1.8-POST.dif +++ /dev/null 
@@ -1,315 +0,0 @@ -Index: doc/admin.texinfo -=================================================================== ---- doc/admin.texinfo.orig -+++ doc/admin.texinfo -@@ -516,13 +516,6 @@ DCE do not support the default cache as - Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on - DCE 1.1 systems. The default value is @value{DefaultCcacheType}. - --@ignore --@itemx tkt_lifetime --The default lifetime of a ticket. The default is --@value{DefaultTktLifetime}. This is currently not supported by the --code. --@end ignore -- - @itemx dns_lookup_kdc - Indicate whether DNS SRV records should be used to locate the KDCs and - other servers for a realm, if they are not listed in the information for -@@ -583,6 +576,11 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is @value{DefaultVerifyApReqNofail}. - -+@itemx ticket_lifetime -+The value of this tag is the default lifetime for -+initial tickets. The default value for the tag is -+@value{DefaultTktLifetime}. -+ - @itemx renew_lifetime - The value of this tag is the default renewable lifetime for - initial tickets. 
The default value for the tag is -Index: src/include/krb5/krb5.hin -=================================================================== ---- src/include/krb5/krb5.hin.orig -+++ src/include/krb5/krb5.hin -@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex - #define KRB5_AUTHDATA_SESAME 65 - #define KRB5_AUTHDATA_WIN2K_PAC 128 - #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ --#define KRB5_AUTHDATA_SIGNTICKET 142 -+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ - #define KRB5_AUTHDATA_FX_ARMOR 71 - /* password change constants */ - -@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { - krb5_octet *contents; - } krb5_pa_data; - -+/* typed data */ -+/* -+ * The FAST error handling logic currently assumes that this structure and -+ * krb5_pa_data * can be safely cast to each other if this structure changes, -+ * that code needs to be updated to copy. -+ */ -+typedef struct _krb5_typed_data { -+ krb5_magic magic; -+ krb5_int32 type; -+ unsigned int length; -+ krb5_octet *data; -+} krb5_typed_data; -+ - typedef struct _krb5_kdc_req { - krb5_magic magic; - krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ -Index: src/include/k5-int-pkinit.h -=================================================================== ---- src/include/k5-int-pkinit.h.orig -+++ src/include/k5-int-pkinit.h -@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { - } u; - } krb5_trusted_ca; - --/* typed data */ --/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other -- * if this structure changes, that code needs to be updated to copy. 
-- */ --typedef struct _krb5_typed_data { -- krb5_magic magic; -- krb5_int32 type; -- unsigned int length; -- krb5_octet *data; --} krb5_typed_data; -- - /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ - typedef struct _krb5_pa_pk_as_req_draft9 { - krb5_octet_data signedAuthPack; -Index: src/kdc/kdc_authdata.c -=================================================================== ---- src/kdc/kdc_authdata.c.orig -+++ src/kdc/kdc_authdata.c -@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex - enc_sp.length = sp_authdata[0]->length; - - code = decode_krb5_ad_signedpath(&enc_sp, &sp); -- if (code != 0) -+ if (code != 0) { -+ /* Treat an invalid signedpath authdata element as a missing one, since -+ * we believe MS is using the same number for something else. */ -+ code = 0; - goto cleanup; -+ } - - code = verify_ad_signedpath_checksum(context, - krbtgt, -Index: src/kdc/do_tgs_req.c -=================================================================== ---- src/kdc/do_tgs_req.c.orig -+++ src/kdc/do_tgs_req.c -@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request - strlcpy(comp1_str,comp1->data,comp1->length+1); - - if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || -+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || - (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && - kdc_active_realm->realm_host_based_services != NULL && - (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, -Index: src/clients/kpasswd/kpasswd.c -=================================================================== ---- src/clients/kpasswd/kpasswd.c.orig -+++ src/clients/kpasswd/kpasswd.c -@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) - { - krb5_error_code ret; - krb5_context context; -- krb5_principal princ; -+ krb5_principal princ = NULL; - char *pname; - krb5_ccache ccache; - krb5_get_init_creds_opt *opts = NULL; -@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) - com_err(argv[0], ret, "parsing 
client name"); - exit(1); - } -- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { -- if (ret) { -+ } else { -+ ret = krb5_cc_default(context, &ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "opening default ccache"); - exit(1); - } - -- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { -+ ret = krb5_cc_get_principal(context, ccache, &princ); -+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { - com_err(argv[0], ret, "getting principal from ccache"); - exit(1); - } - -- if ((ret = krb5_cc_close(context, ccache))) { -+ ret = krb5_cc_close(context, ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "closing ccache"); - exit(1); - } -- } else { -- get_name_from_passwd_file(argv[0], context, &princ); -+ -+ if (princ == NULL) -+ get_name_from_passwd_file(argv[0], context, &princ); - } - - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M.orig -+++ src/config-files/krb5.conf.M -@@ -220,6 +220,10 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is false. - -+.IP ticket_lifetime -+The value of this tag is the default lifetime for initial tickets. The -+default value for the tag is 1 day (1d). -+ - .IP renew_lifetime - The value of this tag is the default renewable lifetime for initial - tickets. The default value for the tag is 0. 
-Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1687,6 +1687,7 @@ cleanup: - if (sc->internal_name != GSS_C_NO_NAME && - src_name != NULL) { - *src_name = sc->internal_name; -+ sc->internal_name = GSS_C_NO_NAME; - } - release_spnego_ctx(&sc); - } else if (ret != GSS_S_CONTINUE_NEEDED) { -@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * - (void) generic_gss_release_oid(&minor_stat, - &context->internal_mech); - -+ (void) gss_release_name(&minor_stat, &context->internal_name); -+ - if (context->optionStr != NULL) { - free(context->optionStr); - context->optionStr = NULL; -Index: src/lib/kadm5/srv/svr_principal.c -=================================================================== ---- src/lib/kadm5/srv/svr_principal.c.orig -+++ src/lib/kadm5/srv/svr_principal.c -@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! 
(mask & KADM5_MOD_NAME)) { -- krb5_free_principal(handle->context, entry->principal); -- entry->principal = NULL; -+ krb5_free_principal(handle->context, entry->mod_name); -+ entry->mod_name = NULL; - } - } - -@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, - if (kdb.key_data[i].key_data_kvno > entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; - -- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -- &entry->mkvno); -- if (ret) -- goto done; -+ if (mask & KADM5_MKVNO) { -+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -+ &entry->mkvno); -+ if (ret) -+ goto done; -+ } - - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c.orig -+++ src/lib/krb5/os/changepw.c -@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con - int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); - - code = krb5int_locate_server (context, realm, addrlist, -- locate_service_kpasswd, sockType, AF_INET); -+ locate_service_kpasswd, sockType, AF_UNSPEC); - - if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { - code = krb5int_locate_server (context, realm, addrlist, - locate_service_kadmin, SOCK_STREAM, -- AF_INET); -+ AF_UNSPEC); - if (!code) { - /* Success with admin_server but now we need to change the - port number to use DEFAULT_KPASSWD_PORT and the socktype. 
*/ - size_t i; - for (i=0; inaddrs; i++) { - struct addrinfo *a = addrlist->addrs[i].ai; -+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); - if (a->ai_family == AF_INET) -- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); -+ sa2sin (a->ai_addr)->sin_port = kpasswd_port; -+ if (a->ai_family == AF_INET6) -+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; - if (sockType != SOCK_STREAM) - a->ai_socktype = sockType; - } -@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ - /* some brain-dead OS's don't return useful information from - * the getsockname call. Namely, windows and solaris. */ - -- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { -+ if (local_addr.ss_family == AF_INET && -+ ss2sin(&local_addr)->sin_addr.s_addr != 0) { - local_kaddr.addrtype = ADDRTYPE_INET; - local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); - local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; -+ } else if (local_addr.ss_family == AF_INET6 && -+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { -+ local_kaddr.addrtype = ADDRTYPE_INET6; -+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); -+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; - } else { - krb5_address **addrs; - -@@ -290,9 +299,19 @@ change_set_password(krb5_context context - break; - } - -- remote_kaddr.addrtype = ADDRTYPE_INET; -- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ if (remote_addr.ss_family == AF_INET) { -+ remote_kaddr.addrtype = ADDRTYPE_INET; -+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ } else if (remote_addr.ss_family == AF_INET6) { -+ remote_kaddr.addrtype = ADDRTYPE_INET6; -+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; -+ } else 
{ -+ break; -+ } - - if ((code = krb5_auth_con_setaddrs(callback_ctx.context, - callback_ctx.auth_context, -Index: src/lib/krb5/krb/gic_pwd.c -=================================================================== ---- src/lib/krb5/krb/gic_pwd.c.orig -+++ src/lib/krb5/krb/gic_pwd.c -@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex - * to prompt. Prompting is only disabled if the option has been set - * and the value has been set to false. - */ -- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) -+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; - - /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-1.8-rpmlintrc b/krb5-1.8.1-rpmlintrc similarity index 100% rename from krb5-1.8-rpmlintrc rename to krb5-1.8.1-rpmlintrc diff --git a/krb5-1.8.1.tar.bz2 b/krb5-1.8.1.tar.bz2 new file mode 100644 index 0000000..c5d6fed --- /dev/null +++ b/krb5-1.8.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:215e71364b4ac6e49cfb2629a109a2f473845d68643859eccc038834de1f4746 +size 9960127 diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 deleted file mode 100644 index 771b1d5..0000000 --- a/krb5-1.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 -size 9958816 diff --git a/krb5-doc-1.8-rpmlintrc b/krb5-doc-1.8.1-rpmlintrc similarity index 100% rename from krb5-doc-1.8-rpmlintrc rename to krb5-doc-1.8.1-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 7ac797d..042615c 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + ------------------------------------------------------------------- Tue Mar 23 12:38:29 CET 2010 - mc@suse.de 
diff --git a/krb5-doc.spec b/krb5-doc.spec index 86eface..63e4b59 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.8) +# spec file for package krb5-doc (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,18 +20,17 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8 -Release: 2 -%define srcRoot krb5-1.8 +Version: 1.8.1 +Release: 1 +%define srcRoot krb5-1.8.1 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif -Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -54,7 +53,6 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 -%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index c00c208..11e8703 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + * include krb5-1.8-POST.dif + * include MITKRB5-SA-2010-002 + +------------------------------------------------------------------- +Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de + +- update krb5-1.8-POST.dif + ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 8c1b700..09d5318 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-mini (Version 1.8) +# spec file for package krb5-mini (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.8.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 2 +Version: 1.8.1 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index c00c208..11e8703 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + * include krb5-1.8-POST.dif + * include MITKRB5-SA-2010-002 + +------------------------------------------------------------------- +Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de + +- update krb5-1.8-POST.dif + ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de 
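Review bot: The krb5-mini.spec hunks at `@@ -55,8 +55,6 @@` and `@@ -204,8 +202,6 @@` stop applying `Patch47` (the MITKRB5-SA-2010-002 fix) and `Patch50` (krb5-1.8-POST.dif), and the only justification on the page is the changelog wording `* include MITKRB5-SA-2010-002`, which can mean either that 1.8.1 already contains the fix or that the package adds it. Before relying on the drop I would check the 1.8.1 tree for the individual fixes the deleted files carried, for example the `options &&` guard in `krb5_get_init_creds_password`, the `sc->internal_name = GSS_C_NO_NAME` reset in spnego_mech.c and the `return_token == INIT_TOKEN_SEND && sendTokenInit` condition in `spnego_gss_accept_sec_context`. The changelog entry would be clearer as `* drop krb5-1.8-POST.dif and krb5-1.7-MITKRB5-SA-2010-002.dif, fixed upstream in 1.8.1`, if that is what was verified. The krb5.spec hunks that follow make the same removal.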
diff --git a/krb5.spec b/krb5.spec index 2196e63..ec8384f 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5 (Version 1.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.8.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 2 +Version: 1.8.1 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,7 +42,7 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.8.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do