diff --git a/krb5-1.6.2-post.dif b/krb5-1.6.2-post.dif new file mode 100644 index 0000000..b764654 --- /dev/null +++ b/krb5-1.6.2-post.dif 
@@ -0,0 +1,207 @@ +Index: src/lib/krb5/ccache/cc_file.c +=================================================================== +--- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19755) ++++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19755) +@@ -1954,6 +1954,9 @@ + char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for + NUL */ + krb5_fcc_data *data; ++ krb5_int16 fcc_fvno = htons(context->fcc_default_format); ++ krb5_int16 fcc_flen = 0; ++ int errsave, cnt; + + /* Allocate memory */ + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); +@@ -1968,13 +1971,20 @@ + ret = mkstemp(scratch); + if (ret == -1) { + return krb5_fcc_interpret(context, errno); +- } else close(ret); ++ } + #else /*HAVE_MKSTEMP*/ + mktemp(scratch); ++ /* Make sure the file name is reserved */ ++ ret = THREEPARAMOPEN(scratch, O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); ++ if (ret == -1) { ++ return krb5_fcc_interpret(context, errno); ++ } + #endif + + lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); + if (lid->data == NULL) { ++ close(ret); ++ unlink(scratch); + krb5_xfree(lid); + return KRB5_CC_NOMEM; + } +@@ -1982,6 +1992,8 @@ + ((krb5_fcc_data *) lid->data)->filename = (char *) + malloc(strlen(scratch) + 1); + if (((krb5_fcc_data *) lid->data)->filename == NULL) { ++ close(ret); ++ unlink(scratch); + krb5_xfree(((krb5_fcc_data *) lid->data)); + krb5_xfree(lid); + return KRB5_CC_NOMEM; +@@ -1996,63 +2008,54 @@ + data = (krb5_fcc_data *) lid->data; + + retcode = k5_mutex_init(&data->lock); +- if (retcode) ++ if (retcode) { ++ close(ret); ++ unlink(scratch); + goto err_out; ++ } + + /* Set up the filename */ + strcpy(((krb5_fcc_data *) lid->data)->filename, scratch); + +- /* Make sure the file name is reserved */ +- ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename, +- O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); +- if (ret == -1) { +- retcode = krb5_fcc_interpret(context, errno); +- goto err_out; +- } else { +- 
krb5_int16 fcc_fvno = htons(context->fcc_default_format); +- krb5_int16 fcc_flen = 0; +- int errsave, cnt; +- +- /* Ignore user's umask, set mode = 0600 */ ++ /* Ignore user's umask, set mode = 0600 */ + #ifndef HAVE_FCHMOD + #ifdef HAVE_CHMOD +- chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR); ++ chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR); + #endif + #else +- fchmod(ret, S_IRUSR | S_IWUSR); ++ fchmod(ret, S_IRUSR | S_IWUSR); + #endif +- if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) +- != sizeof(fcc_fvno)) { +- errsave = errno; +- (void) close(ret); +- (void) unlink(((krb5_fcc_data *) lid->data)->filename); +- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; +- goto err_out; ++ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) ++ != sizeof(fcc_fvno)) { ++ errsave = errno; ++ (void) close(ret); ++ (void) unlink(((krb5_fcc_data *) lid->data)->filename); ++ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; ++ goto err_out; ++ } ++ /* For version 4 we save a length for the rest of the header */ ++ if (context->fcc_default_format == KRB5_FCC_FVNO_4) { ++ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) ++ != sizeof(fcc_flen)) { ++ errsave = errno; ++ (void) close(ret); ++ (void) unlink(((krb5_fcc_data *) lid->data)->filename); ++ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; ++ goto err_out; + } +- /* For version 4 we save a length for the rest of the header */ +- if (context->fcc_default_format == KRB5_FCC_FVNO_4) { +- if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) +- != sizeof(fcc_flen)) { +- errsave = errno; +- (void) close(ret); +- (void) unlink(((krb5_fcc_data *) lid->data)->filename); +- retcode = (cnt == -1) ? 
krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; +- goto err_out; +- } +- } +- if (close(ret) == -1) { +- errsave = errno; +- (void) unlink(((krb5_fcc_data *) lid->data)->filename); +- retcode = krb5_fcc_interpret(context, errsave); +- goto err_out; +- } +- *id = lid; +- /* default to open/close on every trn - otherwise destroy +- will get as to state confused */ +- ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; +- krb5_change_cache (); +- return KRB5_OK; + } ++ if (close(ret) == -1) { ++ errsave = errno; ++ (void) unlink(((krb5_fcc_data *) lid->data)->filename); ++ retcode = krb5_fcc_interpret(context, errsave); ++ goto err_out; ++ } ++ *id = lid; ++ /* default to open/close on every trn - otherwise destroy ++ will get as to state confused */ ++ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; ++ krb5_change_cache (); ++ return KRB5_OK; + + err_out: + krb5_xfree(((krb5_fcc_data *) lid->data)->filename); +Index: src/lib/krb5/krb/gc_frm_kdc.c +=================================================================== +--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19755) ++++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19755) +@@ -906,7 +906,6 @@ + /* Whether or not that succeeded, we're done. */ + goto cleanup; + } +- else { + /* Referral request succeeded; let's see what it is. */ + if (krb5_principal_compare(context, in_cred->server, + (*out_cred)->server)) { +@@ -914,8 +913,40 @@ + "for requested server principal\n")); + DUMP_PRINC("gc_from_kdc final referred reply", + in_cred->server); ++ ++ /* ++ * Check if the return enctype is one that we requested if ++ * needed. 
++ */ ++ if (old_use_conf_ktypes || context->tgs_ktype_count == 0) + goto cleanup; ++ for (i = 0; i < context->tgs_ktype_count; i++) { ++ if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) { ++ /* Found an allowable etype, so we're done */ ++ goto cleanup; ++ } + } ++ /* ++ * We need to try again, but this time use the ++ * tgs_ktypes in the context. At this point we should ++ * have all the tgts to succeed. ++ */ ++ ++ /* Free "wrong" credential */ ++ krb5_free_creds(context, *out_cred); ++ *out_cred = NULL; ++ /* Re-establish tgs etypes */ ++ context->use_conf_ktypes = old_use_conf_ktypes; ++ retval = krb5_get_cred_via_tkt(context, tgtptr, ++ KDC_OPT_CANONICALIZE | ++ FLAGS2OPTS(tgtptr->ticket_flags) | ++ kdcopt | ++ (in_cred->second_ticket.length ? ++ KDC_OPT_ENC_TKT_IN_SKEY : 0), ++ tgtptr->addresses, ++ in_cred, out_cred); ++ goto cleanup; ++ } + else if (IS_TGS_PRINC(context, (*out_cred)->server)) { + krb5_data *r1, *r2; + +@@ -978,7 +1009,6 @@ + krb5_free_creds(context, *out_cred); + *out_cred = NULL; + break; +- } + } + } + + diff --git a/krb5-doc.spec b/krb5-doc.spec index ebba34c..6e5e188 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -13,7 +13,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.2 -Release: 1 +Release: 12 %define srcRoot krb5-1.6.2 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT @@ -27,10 +27,10 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArchitectures: noarch %description -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of clear text passwords. This package includes extended -documentation for MIT Kerberos. +Kerberos V5 is a trusted-third-party network authentication +system,which can improve your network's security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. 
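Review bot: In the gc_frm_kdc.c part of this patch, the credential returned by the retry `krb5_get_cred_via_tkt(...)` issued after "Free "wrong" credential" is never compared against `context->tgs_ktypes` again before `goto cleanup`, so a KDC that does not honor the requested enctype list can still hand back a session key the application excluded; either repeat the check on the retried reply or state the accepted limitation in a comment such as `/* The retry requests tgs_ktypes explicitly; its reply is returned to the caller unchecked. */`. The loop index `i` in `for (i = 0; i < context->tgs_ktype_count; i++)` is not declared within the hunk, so it presumably comes from the function prologue outside the hunk — worth confirming, since it is now also used after the referral loop. Removing the `else {` / `}` pair leaves the former else body indented one level deeper than its new scope; re-indenting it would make the new control flow readable. In the cc_file.c part, every early return after `mkstemp` now closes the descriptor and unlinks the file, which looks complete, though the `#ifndef HAVE_FCHMOD` branch still sets the mode by path with `chmod` (pre-existing). The enclosing functions in both files start and end outside the hunk.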
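Review bot: The re-wrapped %description in krb5-doc.spec drops the spaces after "system," and "insecure": the new lines read `system,which` and `insecurepractice`, and that is exactly what the package description will display. The lines should read `system, which can improve your network's security by eliminating the` and `insecure practice of clear text passwords. This package includes`.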
diff --git a/krb5-plugins.changes b/krb5-plugins.changes index 1f012ed..5218979 100644 --- a/krb5-plugins.changes +++ b/krb5-plugins.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de + +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. + ------------------------------------------------------------------- Thu Jul 12 17:02:19 CEST 2007 - mc@suse.de diff --git a/krb5-plugins.spec b/krb5-plugins.spec index c3ccf3e..c89678d 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -13,7 +13,7 @@ Name: krb5-plugins Version: 1.6.2 -Release: 1 +Release: 2 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -31,6 +31,7 @@ Source4: EncryptWithMasterKey.c Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif +Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif @@ -95,6 +96,7 @@ fi %patch1 %patch2 %patch3 +%patch4 %patch6 %patch14 %patch15 
@@ -205,6 +207,16 @@ rm -rf %{buildroot} %{_mandir}/man8/* %changelog +* Tue Aug 07 2007 - mc@suse.de +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. * Thu Jul 12 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release diff --git a/krb5.changes b/krb5.changes index f0701f6..de6feff 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de + +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. + ------------------------------------------------------------------- Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 5faaf9a..f53a7c9 100644 --- a/krb5.spec +++ b/krb5.spec @@ -12,7 +12,7 @@ Name: krb5 Version: 1.6.2 -Release: 1 +Release: 9 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel 
@@ -35,6 +35,7 @@ Source5: krb5-1.6.1-rpmlintrc Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif +Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif @@ -186,6 +187,7 @@ fi %patch1 %patch2 %patch3 +%patch4 %patch6 %patch14 %patch15 @@ -509,6 +511,16 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog +* Tue Aug 07 2007 - mc@suse.de +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. * Thu Jul 12 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release