OBS User unknown 2007-08-09 18:01:33 +00:00 committed by Git OBS Bridge
parent 8fb3d1a41f
commit 47047c041c
6 changed files with 264 additions and 7 deletions

207
krb5-1.6.2-post.dif Normal file

@ -0,0 +1,207 @@
Index: src/lib/krb5/ccache/cc_file.c
===================================================================
--- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19755)
+++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19755)
@@ -1954,6 +1954,9 @@
char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
NUL */
krb5_fcc_data *data;
+ krb5_int16 fcc_fvno = htons(context->fcc_default_format);
+ krb5_int16 fcc_flen = 0;
+ int errsave, cnt;
/* Allocate memory */
lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
@@ -1968,13 +1971,20 @@
ret = mkstemp(scratch);
if (ret == -1) {
return krb5_fcc_interpret(context, errno);
- } else close(ret);
+ }
#else /*HAVE_MKSTEMP*/
mktemp(scratch);
+ /* Make sure the file name is reserved */
+ ret = THREEPARAMOPEN(scratch, O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0);
+ if (ret == -1) {
+ return krb5_fcc_interpret(context, errno);
+ }
#endif
lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
if (lid->data == NULL) {
+ close(ret);
+ unlink(scratch);
krb5_xfree(lid);
return KRB5_CC_NOMEM;
}
@@ -1982,6 +1992,8 @@
((krb5_fcc_data *) lid->data)->filename = (char *)
malloc(strlen(scratch) + 1);
if (((krb5_fcc_data *) lid->data)->filename == NULL) {
+ close(ret);
+ unlink(scratch);
krb5_xfree(((krb5_fcc_data *) lid->data));
krb5_xfree(lid);
return KRB5_CC_NOMEM;
@@ -1996,63 +2008,54 @@
data = (krb5_fcc_data *) lid->data;
retcode = k5_mutex_init(&data->lock);
- if (retcode)
+ if (retcode) {
+ close(ret);
+ unlink(scratch);
goto err_out;
+ }
/* Set up the filename */
strcpy(((krb5_fcc_data *) lid->data)->filename, scratch);
- /* Make sure the file name is reserved */
- ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename,
- O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0);
- if (ret == -1) {
- retcode = krb5_fcc_interpret(context, errno);
- goto err_out;
- } else {
- krb5_int16 fcc_fvno = htons(context->fcc_default_format);
- krb5_int16 fcc_flen = 0;
- int errsave, cnt;
-
- /* Ignore user's umask, set mode = 0600 */
+ /* Ignore user's umask, set mode = 0600 */
#ifndef HAVE_FCHMOD
#ifdef HAVE_CHMOD
- chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR);
+ chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR);
#endif
#else
- fchmod(ret, S_IRUSR | S_IWUSR);
+ fchmod(ret, S_IRUSR | S_IWUSR);
#endif
- if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
- != sizeof(fcc_fvno)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
+ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
+ != sizeof(fcc_fvno)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ /* For version 4 we save a length for the rest of the header */
+ if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
+ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
+ != sizeof(fcc_flen)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
}
- /* For version 4 we save a length for the rest of the header */
- if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
- if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
- != sizeof(fcc_flen)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
- }
- }
- if (close(ret) == -1) {
- errsave = errno;
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = krb5_fcc_interpret(context, errsave);
- goto err_out;
- }
- *id = lid;
- /* default to open/close on every trn - otherwise destroy
- will get as to state confused */
- ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
- krb5_change_cache ();
- return KRB5_OK;
}
+ if (close(ret) == -1) {
+ errsave = errno;
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = krb5_fcc_interpret(context, errsave);
+ goto err_out;
+ }
+ *id = lid;
+ /* default to open/close on every trn - otherwise destroy
+ will get as to state confused */
+ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
+ krb5_change_cache ();
+ return KRB5_OK;
err_out:
krb5_xfree(((krb5_fcc_data *) lid->data)->filename);
Index: src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19755)
+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19755)
@@ -906,7 +906,6 @@
/* Whether or not that succeeded, we're done. */
goto cleanup;
}
- else {
/* Referral request succeeded; let's see what it is. */
if (krb5_principal_compare(context, in_cred->server,
(*out_cred)->server)) {
@@ -914,8 +913,40 @@
"for requested server principal\n"));
DUMP_PRINC("gc_from_kdc final referred reply",
in_cred->server);
+
+ /*
+ * Check if the return enctype is one that we requested if
+ * needed.
+ */
+ if (old_use_conf_ktypes || context->tgs_ktype_count == 0)
goto cleanup;
+ for (i = 0; i < context->tgs_ktype_count; i++) {
+ if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) {
+ /* Found an allowable etype, so we're done */
+ goto cleanup;
+ }
}
+ /*
+ * We need to try again, but this time use the
+ * tgs_ktypes in the context. At this point we should
+ * have all the tgts to succeed.
+ */
+
+ /* Free "wrong" credential */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ /* Re-establish tgs etypes */
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ tgtptr->addresses,
+ in_cred, out_cred);
+ goto cleanup;
+ }
else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
krb5_data *r1, *r2;
@@ -978,7 +1009,6 @@
krb5_free_creds(context, *out_cred);
*out_cred = NULL;
break;
- }
}
}
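Review bot: In the cc_file.c part, the new `#else` branch returns directly when `THREEPARAMOPEN` fails (`return krb5_fcc_interpret(context, errno);`) while `lid`, allocated by the `malloc` a few lines earlier, has not been released, so that path appears to leak it; the code being replaced reported the same failure through `goto err_out`. The `mkstemp` failure return just above it has the same shape. Since `lid->data` is not allocated yet at that point, `err_out` cannot be used, and freeing before returning would close the gap: `retcode = krb5_fcc_interpret(context, errno); krb5_xfree(lid); return retcode;`. The start of the function and the lines between the hunks are not shown, so confirm nothing there already frees `lid`. Separately, the return value of `fchmod`/`chmod` is still ignored, and in the `mktemp` branch the file is created with mode 0, so a failed mode change on the credential cache file would go unreported.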


@ -13,7 +13,7 @@
Name: krb5-doc Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive BuildRequires: ghostscript-library latex2html texlive
Version: 1.6.2 Version: 1.6.2
Release: 1 Release: 12
%define srcRoot krb5-1.6.2 %define srcRoot krb5-1.6.2
Summary: MIT Kerberos5 Implementation--Documentation Summary: MIT Kerberos5 Implementation--Documentation
License: X11/MIT License: X11/MIT
@ -27,10 +27,10 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArchitectures: noarch BuildArchitectures: noarch
%description %description
Kerberos V5 is a trusted-third-party network authentication system, Kerberos V5 is a trusted-third-party network authentication
which can improve your network's security by eliminating the insecure system,which can improve your network's security by eliminating the
practice of clear text passwords. This package includes extended insecurepractice of clear text passwords. This package includes
documentation for MIT Kerberos. extended documentation for MIT Kerberos.


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 12 17:02:19 CEST 2007 - mc@suse.de Thu Jul 12 17:02:19 CEST 2007 - mc@suse.de


@ -13,7 +13,7 @@
Name: krb5-plugins Name: krb5-plugins
Version: 1.6.2 Version: 1.6.2
Release: 1 Release: 2
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.2 %define srcRoot krb5-1.6.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@ -31,6 +31,7 @@ Source4: EncryptWithMasterKey.c
Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif Patch3: krb5-1.4-fix-segfault.dif
Patch4: krb5-1.6.2-post.dif
Patch6: trunk-EncryptWithMasterKey.dif Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif Patch15: warning-fix-lib-crypto-dk.dif
@ -95,6 +96,7 @@ fi
%patch1 %patch1
%patch2 %patch2
%patch3 %patch3
%patch4
%patch6 %patch6
%patch14 %patch14
%patch15 %patch15
@ -205,6 +207,16 @@ rm -rf %{buildroot}
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Tue Aug 07 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
* Thu Jul 12 2007 - mc@suse.de * Thu Jul 12 2007 - mc@suse.de
- update to version 1.6.2 - update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release - remove krb5-1.6.1-post.dif all fixes are included in this release


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de


@ -12,7 +12,7 @@
Name: krb5 Name: krb5
Version: 1.6.2 Version: 1.6.2
Release: 1 Release: 9
BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: bison libcom_err-devel ncurses-devel
%if %{suse_version} > 1010 %if %{suse_version} > 1010
BuildRequires: keyutils keyutils-devel BuildRequires: keyutils keyutils-devel
@ -35,6 +35,7 @@ Source5: krb5-1.6.1-rpmlintrc
Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif Patch3: krb5-1.4-fix-segfault.dif
Patch4: krb5-1.6.2-post.dif
Patch6: trunk-EncryptWithMasterKey.dif Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif Patch15: warning-fix-lib-crypto-dk.dif
@ -186,6 +187,7 @@ fi
%patch1 %patch1
%patch2 %patch2
%patch3 %patch3
%patch4
%patch6 %patch6
%patch14 %patch14
%patch15 %patch15
@ -509,6 +511,16 @@ rm -rf %{buildroot}
%{_mandir}/man1/krb5-config.1* %{_mandir}/man1/krb5-config.1*
%changelog %changelog
* Tue Aug 07 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
* Thu Jul 12 2007 - mc@suse.de * Thu Jul 12 2007 - mc@suse.de
- update to version 1.6.2 - update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release - remove krb5-1.6.1-post.dif all fixes are included in this release